If a tree falls in the woods and nobody is there to hear it, does it make a sound? If you don’t have an appropriate network and security monitoring solution operating 24 x 7 on your network, you are flying blind.
Network monitoring should watch everything on your network, but only alert on anomalies, so that operations teams are not overwhelmed with alarms. It is very important to monitor not only the ports you expect servers to answer on, but also the ports you do not expect them to answer on. A server that suddenly starts answering on port 3309 when it has no business doing so is more important to investigate than one that has stopped answering on an expected port: the second is usually an outage, while a new, unplanned listener is surely a sign of something you need to investigate.
Network monitoring should be done from more than one location. It should provide internal, external and privileged views of your network (what a sensor inside the network sees, what a probe on the internet sees, and what a credentialed check on the host itself reports) to ensure that you are completely aware of what is going on.
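To make the two points above concrete, here is an added example (not code from the original article) that keeps a per-host baseline of expected listening ports, records which vantage point each port should be reachable from, and ranks what the latest sweep found. The host names, ports, vantage points and the `ss -Hltn` output are all constructed for illustration; in practice the internal view would come from an agent or a scanner inside the network and the external view from a probe on the internet.

```python
# Added example, not from the original article. Hosts, ports and sensor
# output below are constructed for illustration.
from dataclasses import dataclass

# Baseline: for each host, the ports it is expected to answer on, and the
# vantage points each port should be reachable from.
# "internal" = sensor inside the network, "external" = probe from the internet.
BASELINE = {
    "web01": {80: {"internal", "external"}, 443: {"internal", "external"}, 22: {"internal"}},
    "db01": {3306: {"internal"}, 22: {"internal"}},
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vantage: str
    kind: str      # NEW_LISTENER, UNEXPECTED_VANTAGE or EXPECTED_DOWN
    severity: int  # 3 = investigate now, 1 = operational issue


def ports_from_ss(text):
    """Parse `ss -Hltn` output into the set of listening TCP ports.
    The local address is the 4th column; the port follows the last ':',
    so IPv6 forms such as [::]:22 parse the same way as 0.0.0.0:22."""
    ports = set()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            ports.add(int(cols[3].rsplit(":", 1)[1]))
    return ports


# Constructed `ss -Hltn` output from the internal agent on db01.
# 3309 has no business being open, and sshd is not listening at all.
SS_SAMPLE_DB01 = """\
LISTEN 0 128   0.0.0.0:3306  0.0.0.0:*
LISTEN 0 4096  0.0.0.0:3309  0.0.0.0:*
LISTEN 0 128      [::]:3306     [::]:*
"""

# Constructed observations: vantage point -> host -> open ports seen from there.
OBSERVED = {
    "internal": {
        "web01": {80, 443, 22},
        "db01": ports_from_ss(SS_SAMPLE_DB01),
    },
    "external": {
        "web01": {80, 443, 22},   # ssh should not be reachable from outside
        "db01": set(),
    },
}


def classify(baseline, observed):
    """Compare every vantage point's view against the baseline and return the
    findings, highest severity first. A port nobody planned outranks a port
    that has gone quiet."""
    findings = []
    for vantage, hosts in observed.items():
        for host, open_ports in hosts.items():
            expected = baseline.get(host, {})
            for port in sorted(open_ports):
                if port not in expected:
                    # Nobody planned this listener: the high-priority case.
                    findings.append(Finding(host, port, vantage, "NEW_LISTENER", 3))
                elif vantage not in expected[port]:
                    # Known service, but reachable from a place it should not be.
                    findings.append(Finding(host, port, vantage, "UNEXPECTED_VANTAGE", 3))
            for port, vantages in expected.items():
                if vantage in vantages and port not in open_ports:
                    # Expected service not answering: an outage, lower priority.
                    findings.append(Finding(host, port, vantage, "EXPECTED_DOWN", 1))
    return sorted(findings, key=lambda f: (-f.severity, f.host, f.port))


if __name__ == "__main__":
    for f in classify(BASELINE, OBSERVED):
        print(f"sev{f.severity} {f.kind:<18} {f.host} {f.vantage} port {f.port}")
```

Run as-is, the sweep produces three findings: the unplanned listener on db01:3309 and ssh on web01 being visible from the internet come out first at severity 3, and sshd having stopped on db01 comes last at severity 1. The key design choice is that the baseline records where a port should be reachable from, not just whether it is open; that is what turns a second vantage point into a detection rather than a duplicate alarm.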
Monitoring is not just about ICMP packets and testing for open ports, it is also about watching logs and traffic. Security information and event management (SIEM) tools are great weapons that provide a very deep awareness of what is going on inside your network. These tools often provide early warnings of issues you would otherwise be completely unaware of, allowing you to act before a compromise ever happens. They are not cheap, but there are some open source options out there.
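The kind of early warning a SIEM gives you comes from correlating events rather than counting them. The added example below (my illustration, not code from the article or any particular SIEM product) runs one such rule over constructed sshd log lines: a source that fails several logins and then succeeds within a short window is paged at high priority, while a source that only ever fails is summarised at low priority so it does not bury the real signal. The host name, user names, addresses and timestamps are made up, and the log format assumes rsyslog's ISO 8601 timestamp style followed by the standard sshd messages.

```python
# Added example, not from the original article. Log lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches sshd "Failed password ..." / "Accepted password|publickey ..." lines
# behind an ISO 8601 timestamp and a host name (rsyslog high-precision format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line):
    """Return a dict for an sshd auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, threshold=3, window=timedelta(minutes=10)):
    """Alert when a source fails at least `threshold` logins and then gets in
    within `window` of the earliest of those failures (a guess that worked).
    Sources that only fail are reported once, at low priority."""
    failures = defaultdict(list)   # src -> timestamps of failed logins
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src].append(ev["ts"])
            continue
        # A successful login: how many failures preceded it inside the window?
        recent = [t for t in failures[src] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"severity": "high", "src": src, "host": ev["host"],
                           "user": ev["user"], "failures_before_success": len(recent)})
            failures[src].clear()
    for src, stamps in failures.items():
        if len(stamps) >= threshold:
            alerts.append({"severity": "low", "src": src, "failures": len(stamps)})
    return alerts


# Constructed sample: a password-guessing run that eventually works, one
# legitimate key login, and a second guesser that never gets in.
SAMPLE_LOG = """\
2024-03-01T02:14:05+10:00 bastion1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
2024-03-01T02:14:09+10:00 bastion1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
2024-03-01T02:14:12+10:00 bastion1 sshd[2231]: Failed password for root from 203.0.113.7 port 51014 ssh2
2024-03-01T02:14:18+10:00 bastion1 sshd[2231]: Failed password for root from 203.0.113.7 port 51015 ssh2
2024-03-01T02:14:22+10:00 bastion1 sshd[2231]: Failed password for ops from 203.0.113.7 port 51016 ssh2
2024-03-01T02:14:40+10:00 bastion1 sshd[2240]: Accepted password for ops from 203.0.113.7 port 51017 ssh2
2024-03-01T02:20:01+10:00 bastion1 sshd[2251]: Accepted publickey for alice from 198.51.100.4 port 40211 ssh2
2024-03-01T03:01:00+10:00 bastion1 sshd[2300]: Failed password for root from 198.51.100.99 port 33000 ssh2
2024-03-01T03:01:03+10:00 bastion1 sshd[2300]: Failed password for root from 198.51.100.99 port 33001 ssh2
2024-03-01T03:01:07+10:00 bastion1 sshd[2300]: Failed password for root from 198.51.100.99 port 33002 ssh2
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the rule raises one high alert (203.0.113.7 got in as `ops` after five failures) and one low alert (198.51.100.99 failed three times and gave up), and alice's key login produces nothing. The threshold and window are the knobs you tune per environment; the point of the example is the ordering of events, which is exactly what a port check or a ping can never see.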
I am a telco & internet entrepreneur, nerd wrangler and massive lover of bacon. I was involved in the investigation of and successful conviction of David Noel Cecil – “Evil, The NBN Hacker”.
This article is written from the experiences I had before, during and since the successful execution of Operation Damara. My experiences are from a telco perspective; however, they are just as applicable to corporate and government networks.
I currently work with several Australian telcos and IT businesses, developing Incident Response Plans and helping them ensure the ongoing continuity of their mission-critical infrastructure.
If your organisation doesn’t have a strategy for dealing with internet security incidents, I would love to help you out!
Shoot me an email – firstname.lastname@example.org or grab me on Social Media for more information.