A quick browse around the Internet shows that almost all traditional network monitoring vendors are now touting their expertise in cyber security. A large part of this of is course the relative size of the network performance monitoring and cyber security markets … there is simply more budget for cyber than there is for old-school network performance monitoring.
But perhaps there is more to this shift. Network performance monitoring data, whilst valuable in it’s own right with regards maintaining a high level of user experience, also provides the perfect adjunct for cyber security incident identification, triage and resolution. Let’s take a quick look at a how network performance monitoring data can complement cyber security in a real world situation …
It’s Monday morning and your intrusion detection system (IDS) triggers a critical event informing that a network trojan has been identified. The IDS gives good information about the origin of the attack, affected devices and operating systems, impact and even point to potential resolutions. All good so far, you have caught the attack and are able to resolve the immediate threat to the organisation. In short, the IDS has done exactly what you needed it to do.
But this alone is not enough to fully assess the potential ongoing threat. The IDS has identified the source of the attack, in this case an IP address emanating from Eastern Europe – wouldn’t it be great to also be able to identify which other devices within your network the malicious IP address has communicated with?
Enter network performance monitoring data!
Network performance monitoring data can quickly identify which hosts within your network have been touched by the malicious IP address, how often and at what times. In our example, the IDS triggers an alarm for just one internal host, but the network performance monitoring data has identified connections from the malicious IP to 5 other internal hosts over the last 7 days – albeit on different protocols.
But further still, apart from identifiying all affceted hosts, the network performance data can quickly examine each of these internal hosts to see who else they are communicating with (both internally and externally) to quickly and easily identify potential lateral movement of the trojan within the internal network.
Correlating cyber security information such as IDS events with network performance monitoring data provides the ideal tool for not only diagnosing immediate threats but to also determine seemingly unrelated down-stream side effects that may have significant impact to the security of your organisation.
Byte25 provides a fully integrated set of network performance monitoring and threat detection appliances in a single platform for this very purpose. Correlating network performance and cyber security data sets has never been simpler.