The importance of network traffic analysis and monitoring in your cybersecurity program
Network traffic analysis (NTA) is a method of monitoring network availability and activity to identify anomalies, including both security and operational issues.
Implementing a solution that can continuously monitor network traffic gives you the insight you need to optimize network performance, minimize your attack surface, strengthen security, and improve the management of your resources.
However, knowing how to monitor network traffic is not enough. It is important to also consider the data sources for your network monitoring tool; two of the most common are flow data (acquired from devices like routers) and packet data (from SPAN or mirror ports and network taps).
Add to that the “it's not if” mindset that surrounds cyberattacks today, and it can feel overwhelming for security professionals to ensure that as much of an organization's environment is covered as possible.
The network is a critical element of that attack surface; gaining visibility into network data provides one more area where attacks can be detected and stopped early.
A key step in setting up NTA is ensuring you are collecting data from the right sources. Flow data is great if you are looking for traffic volumes and mapping the journey of a network packet from its origin to its destination. This level of information can help detect unauthorized WAN traffic and make better use of network resources and performance, but it may lack the rich detail and context needed to dig into network security problems.
Packet data extracted from network packets can help network managers understand how users are operating applications, track usage on WAN links, and monitor for suspicious malware or other security incidents. Deep packet inspection (DPI) tools provide 100% visibility over the network by transforming the raw metadata into a readable format and enabling network and security managers to drill down to the minutest detail.
Keeping a close eye on your network perimeter is always a good practice. Even with strong firewalls in place, mistakes can happen and rogue traffic could get through. Users can also get around firewall rules with methods such as tunneling, external gateways, and VPNs.
In addition, the rise of ransomware as a common attack type in recent years has made network traffic monitoring even more critical. A network monitoring solution should be able to detect activity indicative of a ransomware attack over insecure protocols. Take WannaCry, for example: the attackers actively scanned networks for open TCP port 445, then exploited a vulnerability in SMBv1 to access network file shares.
Remote Desktop Protocol (RDP) is another commonly targeted application. Make sure any inbound connection attempts are blocked at the firewall. Monitoring traffic on the inside of the firewall lets you verify the rules, gain valuable insight, and use it as a source of alerts based on network traffic.
Watch out for any suspicious activity associated with management protocols such as Telnet. Because Telnet is an unencrypted protocol, session traffic will reveal command line interface (CLI) command sequences appropriate for the make and model of the device. CLI strings can reveal login procedures, the presentation of user credentials, commands to display the startup or running configuration, file copies, and more.
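The three signals discussed above (a WannaCry-style sweep of TCP/445, inbound RDP reaching internal hosts, and devices accepting cleartext Telnet management sessions) can all be checked against flow data alone, as an added example not taken from the original article. The flow records and the 10.0.0.0/8 internal range are constructed assumptions.

```python
"""Flow-based checks for the risky protocols described above (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the organisation's internal range
SMB, RDP, TELNET = 445, 3389, 23
SCAN_THRESHOLD = 5  # distinct hosts on TCP/445 from one source before we call it a sweep

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, protocol, bytes).
FLOWS = [("10.0.5.20", f"10.0.1.{i}", SMB, "tcp", 320) for i in range(1, 7)] + [
    ("10.0.6.3", "10.0.1.10", SMB, "tcp", 48_000),      # one host talking to a file server: normal
    ("203.0.113.7", "10.0.2.15", RDP, "tcp", 1_500),    # RDP from the internet to an internal host
    ("10.0.3.9", "10.0.2.15", RDP, "tcp", 9_000),       # RDP between internal hosts: not flagged
    ("10.0.3.9", "10.0.0.1", TELNET, "tcp", 900),       # Telnet to a network device
    ("10.0.3.9", "10.0.0.1", 22, "tcp", 4_000),         # SSH to the same device: fine
]


def detect_smb_scan(flows, threshold=SCAN_THRESHOLD):
    """Sources that touched at least `threshold` distinct hosts on TCP/445."""
    targets = defaultdict(set)
    for src, dst, port, proto, _ in flows:
        if proto == "tcp" and port == SMB:
            targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


def detect_inbound_rdp(flows, internal=INTERNAL):
    """External sources reaching internal hosts on TCP/3389 (should be blocked at the edge)."""
    return sorted({(src, dst) for src, dst, port, proto, _ in flows
                   if proto == "tcp" and port == RDP
                   and ip_address(src) not in internal and ip_address(dst) in internal})


def detect_cleartext_mgmt(flows, ports=(TELNET,)):
    """Devices that accepted sessions on unencrypted management ports (Telnet here)."""
    return sorted({dst for _, dst, port, proto, _ in flows if proto == "tcp" and port in ports})


def run_detections(flows):
    """Run all three checks and return their findings keyed by name."""
    return {"smb_scan_sources": detect_smb_scan(flows),
            "inbound_rdp": detect_inbound_rdp(flows),
            "cleartext_mgmt_devices": detect_cleartext_mgmt(flows)}


if __name__ == "__main__":
    for name, hits in run_detections(FLOWS).items():
        print(f"{name}: {hits}")
```

Flow data suffices for these checks because they depend only on who talked to whom on which port; confirming what was actually sent over the Telnet session would require packet data.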
Be sure to check your network data for any devices running unencrypted management protocols, such as:
Many operational and security issues can be investigated by implementing network traffic analysis at both the network edge and the network core. With a traffic analysis tool, you can spot things like large downloads, streaming, or suspicious inbound or outbound traffic. Make sure you start off by monitoring the internal interfaces of firewalls, which will allow you to track activity back to specific clients or users.
NTA also provides an organization with more visibility into threats on their networks, beyond the endpoint. With the rise of mobile devices, IoT devices, smart TVs, and the like, you need something with more intelligence than just the logs from firewalls. Firewall logs are also problematic when a network is under attack.
You may find that they are inaccessible due to resource load on the firewall or that they have been overwritten (or sometimes even modified by hackers), resulting in the loss of important forensic information.
Some of the use cases for analyzing and monitoring network traffic include:
Not all tools for monitoring network traffic are the same. Generally, they can be broken down into two types: flow-based tools and deep packet inspection (DPI) tools. Within these tools you will have options for software agents, storing historical data, and intrusion detection systems. When evaluating which solution is right for your organization, consider these five things:
Network traffic analysis is an essential way to monitor network availability and activity to identify anomalies, maximize performance, and keep an eye out for attacks. Alongside log aggregation, UEBA, and endpoint data, network traffic is a core piece of the comprehensive visibility and security analysis needed to discover threats early and extinguish them fast.
When choosing an NTA solution, consider the current blind spots on your network, the data sources you need information from, and the critical points on the network where they converge for efficient monitoring. With NTA added as a layer to your security information and event management (SIEM) solution, you will gain visibility into even more of your environment and your users.