Advanced threats are specifically built to bypass firewalls and intrusion detection systems, effectively defeating defense in depth. So how do you battle these threats? Network Security Monitoring.
Several commercial and open source tools exist for Network Security Monitoring (NSM), so you will need to look around and find the one that works best for your needs. At a minimum, you need a tool that records all the traffic coming in and out of your network and analyzes it for suspicious patterns or behaviors.
Security Onion is a great option for small to medium businesses (even home users) that need the power of NSM, but can’t afford a commercial solution. Security Onion comes pre-configured with a ton of intrusion and network security monitoring tools.
But for any NSM solution, you want one that:
- Records all your traffic
- Analyzes for suspicious behavior and patterns and warns you when they are detected
- Provides complete packet captures
- Provides an easy way to view and analyze captured packets
- Keeps complete logs of all intrusions and suspicious behavior
- Keeps a log of all websites visited, DNS lookups, FTP sessions, even chat and mail sessions
Security Onion can do all of that and more. Plus you can have multiple sensors in multiple locations and have them all report back to a single Security Onion install.
Why would you want multiple sensors? For any NSM install, you want to have a view of your network traffic at different locations in case the worst happens and you get compromised. You can place a sensor between your incoming data pipe and your main firewall. You can also place one between your firewall and LAN. That way you can see what was hitting your edge firewall and what made it through.
You can also place a sensor between the LAN switch and a single high-priority machine. This way you can tell exactly what data was transferred to and from this machine in case of a breach. You need to analyze your network and see where the best places would be to institute monitoring.
Intruders will get in, it is just a fact of life now. The NSA came to this conclusion about network security in 2010. Debora Plunkett, NSA’s director of the U.S. Information Assurance Directorate said, “There’s no such thing as ‘secure’ any more. The most sophisticated adversaries are going to go unnoticed on our networks. We have to build our systems on the assumption that adversaries will get in. We have to, again, assume that all the components of our system are not safe, and make sure we’re adjusting accordingly.”
But you can monitor and hopefully catch them before the worst happens. Or in the event the worst does happen, you will have a full forensic trail to follow to make sure that it doesn’t happen again.