What is Network Security monitoring?

Monitoring is an important aspect of network security. It lets your IT department discover attacks, intrusions, and other abnormal traffic quickly. This lets administrators stop threats before they can do much damage, or even before they can gain a foothold.

Keeping a network secure requires a multilayered strategy. Anti-malware software and firewalls should keep the large majority of threats from touching the network, but nothing is 100% effective. Monitoring helps to catch any threats that make it past those defenses and get into the network, or are about to.

How monitoring works

A monitoring service receives and analyzes information from the network it watches. It may be a cloud service or a dedicated system. It looks for suspicious traffic and reports it. The traffic might include data packets matching certain patterns, requests to known hostile servers, abnormal outgoing email, or strangely formatted requests.

Monitoring may use an agent or be agentless. An agent is a software component which resides inside the network and provides the monitor with information. Without an agent, the monitor is limited to observing what goes in and out on the Internet. On the positive side, agentless monitoring is simpler to set up and keep updated, and it doesn't risk interruption of service from an agent's failure.

Examples

Trend Micro includes monitoring as part of the Trend Micro Endpoint Sensor. It monitors network endpoints and analyzes files for signs of intrusion. It checks for registry modifications, malware files, unusual processes, and other indicators of attack.

Alert Logic's Intrusion Detection System includes monitoring of cloud, on-premises, and hybrid systems for signs of intrusion. It collects and analyzes network traffic using low-impact agents. If a high-severity incident is detected, a notification goes out within 15 minutes.

SonicWall's Global Management System uses security appliances plus a monitoring system that collects information from them and from other network devices. It's available as a software application, cloud service, or virtual appliance. GMS monitoring complements the other SonicWall tools to provide an integrated approach to security.

The benefits of security monitoring

Every network connected to the Internet is regularly attacked, and no single defense is 100% effective. Monitoring identifies problems that have slipped past the first layers of defense. Monitoring can:

Monitoring scenarios

What actually happens when monitoring systems are at work? Here are a couple of examples.

An employee opens a spam email message, clicks on a link, and allows an infection onto a workstation. The malware starts communicating with a command and control server in some distant country. The server sends it additional malware to download, so it can penetrate other systems on the network. The monitoring system intercepts the traffic and determines that it's highly suspicious activity. It alerts the system administrator about what is happening and where. The administrator quarantines the workstation before the intrusion can spread to other systems. That allows time to take further steps to remove the infection.

Another scenario: Monitoring scans the devices on the network and identifies one which isn't in its inventory. It recognizes the device as a Wi-Fi router that doesn't follow the standard configuration. It reports to the administrator that there is an unauthorized device on the network. The administrator does some hunting and eventually finds the shadow IT device which an employee connected for personal convenience. The device is removed, and the employee gets a lecture on security practices.
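The two scenarios above boil down to three checks a monitor runs over the data it collects: connections to known hostile servers, workstations that call out at a suspiciously regular interval (the command-and-control beaconing in the first scenario), and devices on the network that are not in the inventory (the second scenario). The following is an added illustration of those checks, not code from any of the products named on this page; the connection log lines, the blocklist entry and the device inventory are all constructed sample data.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample firewall log: "<epoch_seconds> <src_ip> <dst_ip> <dst_port>".
# 10.0.0.23 contacts the same host every 60 s (beacon-like); 10.0.0.41 is ordinary.
CONN_LOG = """\
1700000000 10.0.0.23 203.0.113.50 443
1700000060 10.0.0.23 203.0.113.50 443
1700000120 10.0.0.23 203.0.113.50 443
1700000180 10.0.0.23 203.0.113.50 443
1700000033 10.0.0.41 198.51.100.7 443
1700000090 10.0.0.41 192.0.2.9 80
"""
KNOWN_HOSTILE = {"192.0.2.9"}                     # constructed blocklist (TEST-NET address)
INVENTORY = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}   # constructed approved MACs
SEEN_DEVICES = {                                  # constructed scan result: MAC -> IP
    "aa:bb:cc:00:00:01": "10.0.0.23",
    "aa:bb:cc:00:00:02": "10.0.0.41",
    "de:ad:be:ef:00:99": "10.0.0.250",            # not in inventory -> shadow IT candidate
}

def parse_conn_log(text):
    """Turn the log text into (timestamp, src, dst, port) tuples."""
    conns = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        conns.append((int(ts), src, dst, int(port)))
    return conns

def find_blocklisted(conns, blocklist):
    """Check 1: any connection whose destination is a known hostile server."""
    return {(src, dst) for _ts, src, dst, _port in conns if dst in blocklist}

def find_beacons(conns, min_count=4, max_jitter=5.0):
    """Check 2: (src, dst) pairs contacted at a near-constant interval.
    Low standard deviation of the gaps between connections is the beacon signal."""
    times = defaultdict(list)
    for ts, src, dst, _port in conns:
        times[(src, dst)].append(ts)
    beacons = []
    for pair, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            beacons.append(pair)
    return sorted(beacons)

def find_rogue_devices(seen, inventory):
    """Check 3: devices observed on the network that the inventory does not list."""
    return {mac: ip for mac, ip in seen.items() if mac not in inventory}
```

Each function returns the items an administrator would be alerted on; in a real deployment the thresholds (`min_count`, `max_jitter`) are tuned against the network's normal traffic to keep false positives down.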

Justifying the cost

Data breaches can be extremely expensive. They result in downtime and loss of customer data. The damage to a business's reputation can be serious, and in some cases, there are legal penalties as well. Monitoring catches problems before they become full-fledged breaches, preventing costly damage. It only has to stop one serious breach to justify its cost many times over.

It's better to catch security issues quickly than to let them lurk. Preventing the theft of confidential data or damage to it makes an organization and everyone it deals with much safer. Having fewer work disruptions means more productivity and a more successful business.
