Here’s a scenario: you’re asked to provide a report of unnecessary high bandwidth usage on your network. So you open your network monitoring tool and look for the top talkers. Maybe there are a couple of hosts that are consuming significantly more bandwidth than anyone else.
The problem is that you don’t have further context. There’s no way to identify whether those hosts are behaving normally or whether there’s a potential threat involved. What if the high bandwidth usage was due to a sales manager screen sharing on a call with a client? It wouldn’t do anyone any good to report him or her.
We live in a world of data; there’s not much we haven’t figured out how to measure and collect. It’s easy to operate under a mindset of “collect now, question later.” But from a network standpoint, a high volume of raw data does not automatically lead to faster response.
Actionable data
During a network event, time to resolution is critical—therefore, you need to find the root cause as fast as possible. If your traffic data is only telling you what you already know, supplying tangential information, or even contradicting what you know (ever had all green lights in your SNMP tool after receiving a user experience complaint?), it’s slowing down your investigation process. You need the right context—information that suggests a next action to reach resolution and mitigation.
Let’s say that you’re experiencing a massive network slowdown. You determine pretty quickly that it’s a DDoS attack. That answers the “what,” but not the “who,” “when,” “where,” or “how.” With the right context, you could determine that the machine with a certain MAC address on the second floor of your headquarters accessed a DDoS-for-hire site several days ago. And before placing blame on the owner of that workstation, you could even double-check who was logged in then.
How do I get that context?
I’m willing to bet that you already have access to a treasure trove of actionable data—you just need to turn it on. Many prominent vendors in the industry (Cisco, Palo Alto, Gigamon, Ixia, etc.) are producing networking devices that can collect and export information on every conversation happening on your network.
It all starts with flow data, because you need to know the source and destination of each conversation. But on top of that, the different metadata from the vendors you work with provides a ton of valuable context. This enables you to perform root cause analysis quickly.
After that, you just need a way to collect the flows and metadata and analyze it. We work with many vendors to make sure our network traffic analytics solution, Scrutinizer, is extremely flexible, no matter what your network looks like.
If you would like to check out the rich context your network already has available, we offer a free version of Scrutinizer here.
Related
What are insider threats? Challenges, indicators, & more explained
Insider threats bypass traditional security systems, which focus on the network perimeter. This is because, as the term suggests, the attack originates from behind
::
