Familiarize and recognize behavior on your network — how?

“We really should be doing more with log and traffic analysis.. but there’s so many things we should be doing more.” — Many organizations have no idea exactly what is going on in the network.

Imagine being a Law Enforcement Officer and having no eyes or other sensses to know whether the traffic is organized — are people walking on the sidewalks, cycling on the bicycle paths and driving on the roads? Or is the traffic disorganized and dangerous? How long would people tolerate these officers before replacing them with more effective measures?

Well in the Information Technology field we have few good examples and millions of bad ones, and data analysis on network traffic and logs is only just taking off in the last few years. There certainly have been analysis and management solutions from various vendors but they rarely have been integrated well enough in the rest of the IT environment to make a big difference in general overview of your network risk and availability profile. How to get started smart?

Network and Log Analysis solutions

Thankfully, these days we live in a ‘Big Data’ era where we have various solutions that can receive network packets, system logs and customized alerts from other systems — and manage alerts and follow-up actions in your IT support system.

Some of these products are called Security Incident and Event Management (SIEM) solutions, like McAfee ESM and AlienVault. Those solutions are purpose-built for Security Operations Centres and have pre-built correlations on events that you can extend yourself with product specific tooling. With McAfee ESM you can define custom correlations and alerts for various combinations of inputs that should raise some hairs on the back of your neck.

Others are solutions that are more flexible and extensible like Splunk or Elastic’s famous ELK-stack that combines the products Elasticsearch, Logstash, Kibana and Beats. These are solutions that require much more planning and a larger implementation, but they have many advantages when it comes down to intelligence.

Getting started

But first, you need to identify what to look for in network traffic. But you can also turn it around. More experienced Network Engineers are likely to spot strange traffic patterns when plotted graphically in a pie chart.

I’ll give an example. The following pie chart contains a summary of the last hour of all traffic in your environment logged by all security devices in all offices. The different layers are TCP ports and IP addresses of the source or destination of this traffic. It looks really symmetric — what could it be?

This pie chart is a TCP scan from a botnet. Many many sources, lots of destinations, but it’s the same five TCP ports for all destinations.

When you think of symmetric patterns in network traffic on a larger scale, it is almost always very suspicious. It should be skewed in a way that suits your business. For instance, when you have a public web store, most visitors should be going in that direction with a certain number of ports (TCP/80, 443).

Strange visitors

No normal visitor is using many different IP addresses in different nations to try and connect to your environment. Normal visitors are also unlikely to send traffic on the public Internet that is usually confined within a LAN infrastructure (Telnet, SIP, MSSQL). Security Engineers see this a lot. When this type of scanning or attacking traffic — which occurs in some amount everywhere these days — is being reported on a pie chart, you can see much easier whether you’re under attack or being tested. Similarly, If you have more than 15% of UDP traffic or a relatively large portion ofon average in a few hours, you might be getting a resource attack. When you make pie charts or other graphical displays and make a prediction on what is the normal range, you can benchmark and compare it to the daily traffic logs and have much more insight and control.

Staying on top

There’s nothing preventing someone from sending packets to your network, but knowing the major trends in traffic patterns and knowing when special events happen (like a marketing email blowing up the number of visitors exponentially ) allows you to spot and identify issues and act accordingly. In future articles I will show more network traffic patterns and what makes them stand out.