In this article, I want to look at the common network security monitoring tools used in cybersecurity. Follow me as we look at this together. Common tools used for network security monitoring include:
Network protocol analyzers such as Wireshark and Tcpdump
NetFlow
Security Information and Event Management Systems (SIEM)
It is also common for security analysts to rely on log files and the Simple Network Management Protocol (SNMP) to discover how a network is behaving.
Practically all systems generate log files to record and communicate their operations. By closely monitoring log files, a security analyst can gather extremely valuable information.
SNMP allows analysts to query network devices for operational data such as interface counters, CPU load and link state, which makes it another good tool for monitoring the behaviour of a network. Security analysts must be familiar with all of these tools.
The diagram lists three different network monitoring tools: Protocol analyzers, SIEM, and NetFlow.
Common Network Security Monitoring Tools
Network Protocol Analyzers
Network protocol analyzers (or “packet sniffer” applications) are programs used to capture traffic. Protocol analyzers show what is happening on the network, often through a graphical user interface. Analysts can use these applications to see network exchanges down to the packet level.
If a computer has been infected with malware and is currently attacking other computers in the network, the analyst can see that clearly by capturing real-time network traffic and analyzing the packets.
Network protocol analyzers are not only used for security analysis; they are also very useful for network troubleshooting, software and protocol development, and education. In security forensics, for instance, a security analyst may attempt to reconstruct an incident from the relevant packet captures.
Wireshark, shown in the figure, is a very popular network protocol analyzer tool that is used in Windows, Linux, and Mac OS environments. Wireshark is free software that can be downloaded and used by anyone. It is a very useful tool for learning about network protocol communications. Network protocol analyzer skills are essential for cybersecurity analysts.
Frames captured by Wireshark are saved in a PCAP file. A PCAP file contains the frame data itself, the capture interface information, packet lengths and time stamps, which means it can also hold the entire contents of files (including binaries) that were transferred across the network while the capture was running.
Performing a long-term packet capture produces large PCAP files. Wireshark can also open files that contain traffic captured by other software such as the tcpdump utility. Popular on UNIX-like systems such as Linux, tcpdump is a powerful utility with numerous command-line options. The example in the command output below displays a sample tcpdump capture of ping packets: -i selects the interface to listen on, and -n disables name resolution so that the capture host does not itself generate DNS traffic while you are watching the wire. Each line shows the timestamp, the source and destination IP addresses, and for ICMP the message type, identifier, sequence number and ICMP length.
[root@secOps analyst]# tcpdump -i hl-eth0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on hl-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:19.841549 IP 10.0.0.12 > 10.0.0.11: ICMP echo request, id 2279, seq 5, length 64
10:42:19.841570 IP 10.0.0.11 > 10.0.0.12: ICMP echo reply, id 2279, seq 5, length 64
10:42:19.854287 IP 10.0.0.12 > 10.0.0.11: ICMP echo request, id 2279, seq 6, length 64
10:42:19.854304 IP 10.0.0.11 > 10.0.0.12: ICMP echo reply, id 2279, seq 6, length 64
10:42:19.867446 IP 10.0.0.12 > 10.0.0.11: ICMP echo request, id 2279, seq 7, length 64
10:42:19.867468 IP 10.0.0.11 > 10.0.0.12: ICMP echo reply, id 2279, seq 7, length 64
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@secOps analyst]#
Note: windump is a Microsoft Windows variant of tcpdump. tshark is a Wireshark command-line tool that is similar to tcpdump.
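To make the PCAP structure described above concrete, here is an added example (not code from the article, Wireshark or tcpdump) that writes a small pcap file of ping traffic and decodes it back into the same one-line summaries tcpdump printed in the output above. The MAC addresses, IP addresses, ICMP identifier and timestamps are constructed; the file is written to a temporary directory. The reader validates the file header and refuses truncated records, and it verifies the ICMP checksum, which is the kind of check a forensic tool needs before trusting what is in a capture.

```python
import os
import struct
import tempfile
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4      # native-order, microsecond-timestamp pcap
LINKTYPE_ETHERNET = 1         # what tcpdump prints as "EN10MB (Ethernet)"
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a message whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_frame(src_ip, dst_ip, icmp_type, ident, seq, payload=b"\x00" * 56):
    """Ethernet + IPv4 + ICMP echo (type 8 request / 0 reply). MAC addresses are
    placeholders; 56 bytes of payload gives the 64-byte ICMP length ping uses."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64,
                     IPPROTO_ICMP, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + icmp


def write_pcap(path, frames):
    """frames: iterable of (unix_timestamp, frame_bytes)."""
    with open(path, "wb") as f:
        # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts, frame in frames:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            # record header: ts_sec, ts_usec, captured length, original length
            f.write(struct.pack("=IIII", sec, usec, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Yield (timestamp, frame). Checks the header and refuses truncated records
    instead of silently decoding garbage."""
    with open(path, "rb") as f:
        magic, _, _, _, _, _, linktype = struct.unpack("=IHHiIII", f.read(24))
        if magic != PCAP_MAGIC:
            raise ValueError("unsupported pcap magic 0x%08x" % magic)
        if linktype != LINKTYPE_ETHERNET:
            raise ValueError("unsupported link type %d" % linktype)
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            sec, usec, incl_len, _orig_len = struct.unpack("=IIII", rec)
            frame = f.read(incl_len)
            if len(frame) < incl_len:
                raise ValueError("truncated packet record")
            yield sec + usec / 1_000_000, frame


def summarize(frame: bytes) -> str:
    """One tcpdump-style line for an Ethernet/IPv4/ICMP-echo frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return "non-IPv4 frame"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    if ip[9] != IPPROTO_ICMP:
        return "IP %s > %s: proto %d, length %d" % (src, dst, ip[9], total_len)
    icmp = ip[ihl:total_len]
    itype, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    kind = {8: "echo request", 0: "echo reply"}.get(itype, "type %d" % itype)
    bad = "" if checksum(icmp) == 0 else " [bad icmp cksum]"
    return "IP %s > %s: ICMP %s, id %d, seq %d, length %d%s" % (src, dst, kind, ident, seq, len(icmp), bad)


def decode_file(path):
    """Timestamps are rendered in UTC so the output does not depend on the host's zone."""
    return ["%s %s" % (datetime.fromtimestamp(ts, timezone.utc).strftime("%H:%M:%S.%f"),
                       summarize(frame)) for ts, frame in read_pcap(path)]


def demo():
    """Write three constructed ping request/reply pairs and decode them back."""
    t0 = 1_700_000_000.841549
    frames = []
    for n, seq in enumerate((5, 6, 7)):
        t = t0 + n * 0.0128
        frames.append((t, icmp_echo_frame("10.0.0.12", "10.0.0.11", 8, 2279, seq)))
        frames.append((t + 0.00002, icmp_echo_frame("10.0.0.11", "10.0.0.12", 0, 2279, seq)))
    path = os.path.join(tempfile.mkdtemp(), "ping.pcap")
    write_pcap(path, frames)
    return decode_file(path)
```

Running demo() prints nothing by itself; it returns the six decoded lines, which you can open in Wireshark as well by pointing it at the generated ping.pcap. The same reader will reject a pcapng file (different magic), which is what Wireshark writes by default, so check the format before assuming a capture is unreadable or corrupt.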
NetFlow
NetFlow is a Cisco IOS technology that provides 24×7 statistics on packets flowing through a Cisco router or multilayer switch. It is the de facto standard for collecting IP operational data in IP networks and is now supported on non-Cisco platforms as well. IP Flow Information Export (IPFIX) is the IETF standard protocol (RFC 7011) that was derived from NetFlow version 9.
NetFlow can be used for network and security monitoring, network planning, and traffic analysis. It provides a complete audit trail of basic information about every IP flow forwarded on a device.
This information includes the source and destination device IP information, the time of the communication, and the amount of data transferred. NetFlow does not capture the actual content on the flow. NetFlow functionality is often compared to a telephone bill. The bill identifies the destination number, the time and the duration of the call. However, it does not display the content of the telephone conversation.
NetFlow keeps flow information in a local cache on the device, but that cache is limited in size and entries are removed as flows age out or the cache fills, so NetFlow should always be configured to export its records to a NetFlow collector, which stores the data for later analysis. There are a number of third-party tools for analyzing NetFlow data.
For example, in the figure, PC1 connects to PC2 using an application such as HTTPS.
The image is a network diagram. From left to right there are two PCs connected to a switch, connected to a router labelled R1, which is connected to another switch and another PC. R1 is a NetFlow-enabled router. In the diagram, one of the PCs on the left is labelled NetFlow Collector and Analyzer Software.
NetFlow in the Network
NetFlow can monitor that application connection by tracking byte and packet counts for that individual application flow. It then pushes the statistics over to an external server called a NetFlow collector.
For example, Cisco Stealthwatch collects NetFlow statistics to perform advanced functions including:
Flow stitching – It groups individual entries into flows.
Flow deduplication – It filters duplicate entries when the same flow is reported by more than one NetFlow exporter (for example, by both the ingress and the egress router).
NAT stitching – It simplifies flows with NAT entries.
There is a Cisco Stealthwatch channel on YouTube that provides many details about Stealthwatch and its uses.
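The "telephone bill" idea, flow expiry, and the deduplication that Stealthwatch performs can all be shown with a few dozen lines. The following is an added example written for this article, not Cisco, Stealthwatch or NetFlow code: it takes constructed per-packet observations from two exporters (R1 and R2), drops the duplicates, groups what is left into unidirectional flow records with first/last time, packet and byte counts, and then answers two analyst questions from the flow data alone, without any payload. The 15-second inactive timeout, the dedup key (timestamp plus 5-tuple plus size) and the scan threshold of 10 ports are assumptions chosen for the example; real exporters and collectors make these configurable and use exporter topology for deduplication.

```python
from collections import defaultdict
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15.0   # seconds; assumed for the example, configurable on real exporters


@dataclass
class Flow:
    """One NetFlow-style record: who talked to whom, when, and how much."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    first: float
    last: float
    packets: int = 0
    octets: int = 0


def dedupe(observations):
    """Drop the same packet when more than one exporter reported it.
    Key = everything except the exporter id (timestamp, 5-tuple, size)."""
    seen = set()
    for obs in observations:
        key = obs[1:]
        if key in seen:
            continue
        seen.add(key)
        yield key


def build_flows(observations):
    """Group packets into unidirectional flows, expiring a flow after inactivity."""
    cache = {}
    exported = []
    for ts, src, dst, proto, sport, dport, size in sorted(dedupe(observations)):
        key = (src, dst, proto, sport, dport)
        flow = cache.get(key)
        if flow is not None and ts - flow.last > INACTIVE_TIMEOUT:
            exported.append(cache.pop(key))      # aged out: export and start a new record
            flow = None
        if flow is None:
            flow = cache[key] = Flow(src, dst, proto, sport, dport, ts, ts)
        flow.last = ts
        flow.packets += 1
        flow.octets += size
    exported.extend(cache.values())              # flush whatever is still active
    return exported


def scan_sources(flows, min_ports=10):
    """Sources touching many distinct TCP ports on one host with one- or two-packet
    flows: visible on the 'phone bill' even though no payload was captured."""
    ports = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.packets <= 2:
            ports[(f.src, f.dst)].add(f.dport)
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports)


def bytes_by_source(flows):
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.octets
    return dict(totals)


def constructed_observations():
    """(exporter, ts, src, dst, proto, sport, dport, size). Constructed data."""
    obs = []
    t = 1000.0
    # PC1 -> PC2 HTTPS session reported by both R1 and R2: the duplicates must be dropped
    for i in range(20):
        pkt = (t + i * 0.5, "192.168.1.10", "10.0.0.20", 6, 51234, 443, 1400 if i % 2 else 80)
        obs.append(("R1",) + pkt)
        obs.append(("R2",) + pkt)
    # same 5-tuple again after a long gap: must become a second flow record
    obs.append(("R1", t + 200.0, "192.168.1.10", "10.0.0.20", 6, 51234, 443, 60))
    # a scanner sending one SYN to each of 12 ports on the server
    for i, port in enumerate(range(20, 32)):
        obs.append(("R1", t + 50 + i * 0.01, "10.0.0.99", "10.0.0.20", 6, 40000 + i, port, 60))
    return obs


def demo():
    flows = build_flows(constructed_observations())
    return flows, scan_sources(flows), bytes_by_source(flows)
```

Two things worth noticing when you run demo(): the 40 reported HTTPS packets become a single 20-packet record, and the scanner shows up as twelve tiny flows to twelve ports, which is exactly the pattern flow data is good at exposing and a packet capture of one link might miss.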
SIEM and SOAR
Network security analysts must quickly and accurately assess the significance of any security event and answer the following critical questions:
Who is associated with this event?
Does the user have access to other sensitive resources?
Does this event represent a potential compliance issue?
Does the user have access to intellectual property or sensitive information?
To help answer these questions, security analysts use:
Security Information Event Management (SIEM)
Security orchestration, automation, and response (SOAR)
SIEM
Security Information and Event Management (SIEM) is a technology used in enterprise organizations to provide real-time reporting and long-term analysis of security events. Network devices and systems including firewalls, IPSs, email security appliances (ESAs), web security appliances (WSAs), routers, switches, servers, and hosts are configured to send their log events to the SIEM. The SIEM normalizes and correlates millions of events, using correlation rules and, increasingly, machine-learning analytics, to surface the activity that should be investigated. SIEM systems include the following essential functions:
Forensic analysis – The ability to search logs and event records from sources throughout the organization. It provides more complete information for forensic analysis.
Correlation – Examines logs and events from different systems or applications, speeding detection of and reaction to security threats.
Aggregation – Aggregation reduces the volume of event data by consolidating duplicate event records.
Reporting – Reporting presents the correlated and aggregated event data in real-time monitoring and long-term summaries.
SIEM provides details on the source of suspicious activity:
User information such as username, authentication status, location.
Device information such as manufacturer, model, OS version, MAC address, network connection method, and location.
Posture information such as whether the device is compliant with the security policy, has up-to-date antivirus signatures, and is updated with the latest OS patches.
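The four SIEM functions listed above (collection from several sources, aggregation, correlation, and reporting the who/what behind an event) fit in a short pipeline. The following is an added example for this article, not the code of any SIEM product: it normalizes constructed sshd and firewall log lines into common events, collapses identical events in the same minute into one counted record, runs one correlation rule (several failed logins from one address followed by a success, with firewall drops from the same address raising the severity), and then enriches the alert from a constructed user directory to answer the questions from the start of this section. The year 2024 is assumed because syslog timestamps carry none; the 3-failure threshold and 5-minute window are assumptions you would tune.

```python
import re
from datetime import datetime, timedelta

YEAR = "2024"   # syslog lines carry no year; assumed for the example

# Constructed sample feeds: an sshd auth log and a netfilter-style firewall log.
AUTH_LOG = """\
Mar 12 10:41:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50210 ssh2
Mar 12 10:41:03 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar 12 10:41:05 web01 sshd[2101]: Failed password for jsmith from 203.0.113.7 port 50212 ssh2
Mar 12 10:41:06 web01 sshd[2101]: Failed password for jsmith from 203.0.113.7 port 50213 ssh2
Mar 12 10:41:08 web01 sshd[2101]: Failed password for jsmith from 203.0.113.7 port 50214 ssh2
Mar 12 10:41:12 web01 sshd[2102]: Accepted password for jsmith from 203.0.113.7 port 50215 ssh2
Mar 12 10:45:00 web01 sshd[2103]: Failed password for jsmith from 198.51.100.5 port 40000 ssh2
Mar 12 10:52:00 web01 sshd[2104]: Accepted publickey for jsmith from 192.168.1.25 port 40001 ssh2
"""
FW_LOG = """\
Mar 12 10:40:58 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar 12 10:40:58 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar 12 10:40:58 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar 12 10:40:59 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
"""
# Constructed identity context used to answer "who is this and what can they reach?"
USER_DIRECTORY = {"jsmith": {"department": "Finance", "sensitive_access": ["payroll-db"]}}

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
SSH_RE = re.compile(TS + r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
FW_RE = re.compile(TS + r"kernel: (?P<action>DROP|ACCEPT) .*SRC=(?P<ip>\S+) .*DPT=(?P<dport>\d+)")


def parse(source, text):
    """Normalize one feed's raw lines into common event dicts (collection step)."""
    events = []
    for line in text.splitlines():
        m = (SSH_RE if source == "sshd" else FW_RE).match(line)
        if not m:
            continue          # a real SIEM counts unparsed lines; dropping them silently hides gaps
        d = m.groupdict()
        ts = datetime.strptime(YEAR + " " + d["ts"], "%Y %b %d %H:%M:%S")
        if source == "sshd":
            events.append({"ts": ts, "source": source, "host": d["host"], "user": d["user"],
                           "category": "auth_ok" if d["result"] == "Accepted" else "auth_fail",
                           "src_ip": d["ip"], "dport": 22})
        else:
            events.append({"ts": ts, "source": source, "host": d["host"], "user": None,
                           "category": "fw_" + d["action"].lower(),
                           "src_ip": d["ip"], "dport": int(d["dport"])})
    return events


def aggregate(events):
    """Collapse identical events within the same minute into one record with a count."""
    buckets = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["source"], e["host"], e["category"], e["user"], e["src_ip"], e["dport"],
               e["ts"].replace(second=0))
        if key in buckets:
            buckets[key]["count"] += 1
        else:
            buckets[key] = dict(e, count=1)
    return list(buckets.values())


def correlate(records, min_failures=3, window=timedelta(minutes=5)):
    """Rule: at least min_failures failed logins from one source address, then a success.
    Firewall drops from the same address within the data raise the severity."""
    alerts = []
    for ok in (r for r in records if r["category"] == "auth_ok"):
        fails = sum(r["count"] for r in records
                    if r["category"] == "auth_fail" and r["src_ip"] == ok["src_ip"]
                    and ok["ts"] - window <= r["ts"] <= ok["ts"])
        if fails < min_failures:
            continue
        probes = {r["dport"] for r in records
                  if r["category"] == "fw_drop" and r["src_ip"] == ok["src_ip"]}
        alerts.append({"rule": "brute_force_then_success", "ts": ok["ts"], "user": ok["user"],
                       "src_ip": ok["src_ip"], "host": ok["host"], "failures": fails,
                       "probed_ports": sorted(probes), "severity": "high" if probes else "medium"})
    return alerts


def enrich(alert):
    """Who is associated with the event, and do they reach anything sensitive?"""
    info = USER_DIRECTORY.get(alert["user"], {"department": "unknown", "sensitive_access": []})
    alert["department"] = info["department"]
    alert["sensitive_access"] = info["sensitive_access"]
    alert["compliance_issue"] = bool(info["sensitive_access"])
    return alert


def run():
    raw = parse("sshd", AUTH_LOG) + parse("firewall", FW_LOG)
    records = aggregate(raw)
    return raw, records, [enrich(a) for a in correlate(records)]
```

The two later logins in the sample (a single failure from another address, and a key-based login from an internal address) are deliberately there as negative cases: the rule keys on the source address, so neither of them produces an alert, while the 10:41 success from 203.0.113.7 does, tagged with the five preceding failures, the two probed ports and the user's access to payroll data.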
SOAR
Security orchestration, automation, and response (SOAR) enhances SIEM. It helps security teams investigate security incidents and adds enhanced data gathering and a number of functions that aid in security incident response. SOAR solutions:
Provide case management tools that allow cybersecurity personnel to research and investigate incidents, frequently by integrating threat intelligence into the network security platform.
Use artificial intelligence to detect incidents and aid in incident analysis and response.
Automate complex incident response procedures and investigations, which are potentially labor-intensive tasks performed by security operations center (SOC) staff, by executing runbooks. These are playbooks that perform actions such as accessing and analyzing relevant data, taking steps to isolate compromised systems, and researching threats to validate alerts and execute an incident response.
Offer dashboards and reports that document incident response, improve SOC key performance indicators, and can greatly enhance network security for organizations.
SIEM helps sound the alarm for malicious activity. Analysts will have to act on the threat. SOAR helps analysts respond to the threat.
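What a runbook actually does once the SIEM has raised the alarm is easier to see in code. The following is an added example for this article, not the code of any SOAR product: it takes an alert of the shape a SIEM correlation rule would produce, enriches it against a constructed threat-intelligence table, opens a case, and then contains the threat (isolate the host, disable the account) through an in-memory model of the environment. Two practitioner concerns are built in: hosts on a constructed critical-asset list are never isolated automatically but held for analyst approval, and every containment step is idempotent so that re-running the playbook on a duplicate alert cannot repeat an action. The intel table, asset list and severity thresholds are assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the integrations a SOAR platform would call out to.
THREAT_INTEL = {"203.0.113.7": {"tags": ["bruteforce", "tor-exit"], "confidence": 90}}
CRITICAL_ASSETS = {"db01"}        # hosts never isolated without human approval (assumed list)


@dataclass
class Environment:
    """In-memory model of the systems the playbook orchestrates."""
    isolated_hosts: set = field(default_factory=set)
    disabled_users: set = field(default_factory=set)
    cases: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (case_id, step, detail) for the report


def enrich_with_intel(alert):
    """Threat-intel lookup raises severity when the source is a known-bad address."""
    alert = dict(alert)
    intel = THREAT_INTEL.get(alert["src_ip"])
    alert["intel"] = intel
    if intel and intel["confidence"] >= 80 and alert["severity"] != "low":
        alert["severity"] = "critical"
    return alert


def run_playbook(alert, env):
    """Open a case, enrich, then contain automatically only where that is safe."""
    alert = enrich_with_intel(alert)
    case = {"id": len(env.cases) + 1, "alert": alert, "status": "open", "actions": []}
    env.cases.append(case)
    env.audit.append((case["id"], "enrich", alert["intel"]))

    if alert["severity"] not in ("high", "critical"):
        case["status"] = "triage"
        env.audit.append((case["id"], "decide", "below auto-containment threshold"))
        return case

    if alert["host"] in CRITICAL_ASSETS:
        case["status"] = "awaiting_approval"
        case["actions"].append("proposed: isolate %s, disable %s" % (alert["host"], alert["user"]))
        env.audit.append((case["id"], "decide", "critical asset, analyst approval required"))
        return case

    # Idempotent containment: re-running the playbook never repeats a step.
    if alert["host"] in env.isolated_hosts:
        case["actions"].append("%s already isolated" % alert["host"])
    else:
        env.isolated_hosts.add(alert["host"])
        case["actions"].append("isolated %s" % alert["host"])
    if alert["user"] in env.disabled_users:
        case["actions"].append("%s already disabled" % alert["user"])
    else:
        env.disabled_users.add(alert["user"])
        case["actions"].append("disabled %s" % alert["user"])
    case["status"] = "contained"
    env.audit.append((case["id"], "contain", list(case["actions"])))
    return case


def kpis(env):
    """The dashboard side: cases by status."""
    counts = {}
    for c in env.cases:
        counts[c["status"]] = counts.get(c["status"], 0) + 1
    return counts


def demo():
    env = Environment()
    base = {"rule": "brute_force_then_success", "user": "jsmith",
            "src_ip": "203.0.113.7", "host": "web01", "severity": "high"}
    cases = [
        run_playbook(base, env),                                              # auto-contained
        run_playbook(dict(base, host="db01"), env),                           # needs approval
        run_playbook(base, env),                                              # re-run: no duplicate actions
        run_playbook(dict(base, src_ip="198.51.100.5", severity="medium"), env),  # triage only
    ]
    return env, cases
```

The audit list is what the "dashboards and reports" bullet above is built from: every decision, including the decision not to act, is recorded against the case, so an analyst reviewing the awaiting_approval case for db01 sees why the playbook stopped.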
SIEM Systems
Several SIEM systems exist. SolarWinds Security Event Manager and Splunk Enterprise Security are two of the more popular proprietary SIEM systems used by SOCs. Search the internet to learn more about these products. In this course, we will use an open-source product called Security Onion, which includes the ELK suite for SIEM functionality. ELK is an acronym for three products from Elastic: Elasticsearch (storage and search), Logstash (log ingestion and processing) and Kibana (visualization).
Search the internet to learn more about Elastic.co and its suite of products.
Adeniyi Salau is a highly dedicated and committed Blogger of repute. He likes sharing his IT knowledge with others.