Collect logs, store data and analyze the data. These are the three major steps involved in network management.
However, the increasing amounts of data being handled by enterprises these days can easily confound many IT professionals and prevent them from determining where to start.
When it comes to log management, administrators and technicians should remember that they are looking for anomalies or patterns that could indicate that something fishy is going on, according to a recent report from IT security publication Darkreading.com.
In order to spot the irregularities, IT professionals need to establish a baseline and collect data on what’s normal inside the company’s network, according to Ben Feinstein, director of operations and development for Dell SecureWorks’ counter threat unit.
This involves monitoring logs, including data from virtual private networking appliances, Web proxies, firewalls and DNS servers. After that, establishing what is normal within the network is necessary. Then an analysis of the logs must be carried out to identify possible indicators of an attack.
The final step is the creation by the security group of a standard procedure for responding to incidents identified in the log analysis.
Here are five events that scream a network may have been compromised:
Access anomalies – Watch out for changes in permissions, users logging in remotely from unknown locations or users accessing one system and using that system to access another. These could be signs of malicious activity, according to Kathy Lam, product manager of HP ArcSight. The Windows security log and records of the Active Directory domain controllers are good places to start looking.
Configuration changes – Companies typically conduct configuration changes within a specific window so as not to hamper operations. Any changes happening outside this window are likely unauthorized and may be part of an attack, said Sanjay Castelino, vice president of Texas-based network application developer SolarWinds Inc.
Patterns matching threat indicators – There are many available threat indicators. Companies need to match the data in their logs to these indicators to identify suspicious activity.
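The baseline-then-analyze procedure described above, applied to the three event types just listed, as an added example that is not part of the original article. The log events, the approved change window and the indicator list are all constructed here for illustration; a real deployment would read them from the log store and a threat-intel feed.

```python
from datetime import datetime

# Constructed sample events (not from the article): "normal" logins used to
# build the baseline, then one day of new events to analyse against it.
BASELINE_EVENTS = [
    {"type": "login", "user": "alice", "src": "office-nyc"},
    {"type": "login", "user": "alice", "src": "home-vpn"},
    {"type": "login", "user": "bob", "src": "office-nyc"},
]
NEW_EVENTS = [
    {"type": "login", "user": "alice", "src": "home-vpn", "ts": "2013-05-06T09:12:00"},
    {"type": "login", "user": "bob", "src": "unknown-location", "ts": "2013-05-06T03:40:00"},
    {"type": "config_change", "user": "admin", "host": "fw01", "ts": "2013-05-06T23:10:00"},
    {"type": "config_change", "user": "bob", "host": "fw01", "ts": "2013-05-06T14:05:00"},
    {"type": "dns", "user": "bob", "qname": "bad.example.net", "ts": "2013-05-06T14:06:00"},
    {"type": "dns", "user": "alice", "qname": "intranet.example.com", "ts": "2013-05-06T10:00:00"},
]
THREAT_INDICATORS = {"bad.example.net"}  # constructed stand-in for a threat-intel feed
CHANGE_WINDOW = (22, 4)                  # approved change window: 22:00 to 04:00, wraps midnight

def baseline_locations(events):
    """Step 1: record the source locations each user normally logs in from."""
    seen = {}
    for e in events:
        if e["type"] == "login":
            seen.setdefault(e["user"], set()).add(e["src"])
    return seen

def access_anomalies(events, baseline):
    """Access anomalies: logins from a location never seen for that user."""
    return [e for e in events
            if e["type"] == "login" and e["src"] not in baseline.get(e["user"], set())]

def in_window(hour, window):
    """True if the hour falls inside the window, handling a window that wraps midnight."""
    start, end = window
    if start > end:
        return hour >= start or hour < end
    return start <= hour < end

def off_window_config_changes(events, window=CHANGE_WINDOW):
    """Configuration changes made outside the approved maintenance window."""
    return [e for e in events if e["type"] == "config_change"
            and not in_window(datetime.fromisoformat(e["ts"]).hour, window)]

def indicator_matches(events, indicators=THREAT_INDICATORS):
    """Pattern matching: DNS queries whose name appears in the indicator set."""
    return [e for e in events if e["type"] == "dns" and e["qname"] in indicators]

if __name__ == "__main__":
    base = baseline_locations(BASELINE_EVENTS)
    for finding in (access_anomalies(NEW_EVENTS, base)
                    + off_window_config_changes(NEW_EVENTS) + indicator_matches(NEW_EVENTS)):
        print("ALERT", finding)  # hand each finding to the incident-response procedure
```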
IT departments also need to monitor for strange database transactions and new devices signing into the network.