This is a guest blog post from Chris Tozzi, Senior Editor of content and a DevOps Analyst at Fixate IO. Chris Tozzi has worked as a journalist and Linux systems administrator. He has particular interests in open source, agile infrastructure, and networking. His latest book, For Fun and Profit: A History of the Free and Open Source Software Revolution, was published in 2017.
Cyber attacks come in many forms, but they almost always share one trait: they are carried out over the network. Although there are exceptions, the network is usually the entry point that attackers use to launch whichever exploits, data thefts, or other intrusions they aim to impose upon a business.
That means that by tracking network security analytics, IT teams and security engineers can gain centralized visibility into most of the cyber threats they face. They can also monitor their effectiveness in responding to threats.
To help minimize the risk of a successful cyberattack, then, as well as to mitigate the impact of those that do occur, teams should track a variety of network metrics. This blog offers a primer on the key types of metrics to monitor to help keep networks secure.
Network Metrics and Security
Before diving into metrics to track, let’s discuss the relationship between network metrics and security a bit more.
For most teams, the main reason to track network metrics is to manage network performance. Particularly in today’s world of highly complex, software-defined, multi-layered, multi-cloud network architectures, monitoring metrics like latency, packet loss, throughput, and bandwidth is essential for finding and analyzing network performance issues that can impact customers.
But data about network operations can also provide security insights. When attackers attempt to break into a network, anomalies in network metrics are often one of the earliest signs.
Thus, although security is not the only reason to monitor the network, defending against cyber attacks is as important a use case for network monitoring as performance management.
Network Metrics to Monitor for Security
Which types of network metrics should teams monitor in order to detect and respond to security threats? The exact answer depends on the architecture of your network and the threats you face, of course. But in general, the following network metrics provide a good baseline for improving security analytics.
Bandwidth Usage
If a sudden spike in bandwidth usage occurs, there’s a chance that it’s the result of malicious activity such as efforts to download sensitive data or flood the network with bogus traffic as part of a DDoS attack.
By identifying unusual bandwidth patterns, then, teams can identify suspicious activity that they may not catch through other types of security monitoring.
Retransmission Rates
Retransmission, which occurs when a packet fails to reach its destination and needs to be resent, could be a byproduct of an attack that overwhelms the network or takes legitimate endpoints offline. Along with bandwidth, unusual patterns in retransmission rates should be investigated as potential attacks.
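Both the bandwidth and the retransmission sections above describe the same kind of check: compare each new sample against a trailing baseline and alert on large deviations. The following is an added example (not code from the original post or from Splunk) that implements that check once and applies it to two constructed one-minute series, a bulk-transfer spike in egress bandwidth and a two-minute burst in the TCP retransmission rate. The sample values, the window size, the threshold and the per-metric floors are all assumptions chosen to illustrate the technique.

```python
"""Trailing-baseline anomaly detector for per-interval network metrics (added example)."""
from statistics import mean, pstdev
from typing import List, Sequence, Tuple

# Constructed sample data (not real measurements). One value per minute.
# Egress bandwidth in megabytes per minute; minute 15 is a bulk-transfer spike.
BANDWIDTH_MB_PER_MIN = [48, 52, 50, 49, 51, 53, 47, 50, 52, 49,
                        51, 50, 48, 52, 50, 890, 51, 49, 50, 52]
# TCP retransmission rate (retransmitted / total segments); minutes 12-13 are a burst.
RETRANSMISSION_RATE = [0.010, 0.012, 0.009, 0.011, 0.010, 0.013, 0.008, 0.010, 0.011, 0.009,
                       0.010, 0.012, 0.090, 0.150, 0.010, 0.011, 0.009, 0.010, 0.012, 0.010]


def flag_deviations(samples: Sequence[float], window: int = 10, threshold: float = 3.0,
                    min_sigma: float = 1e-9) -> List[Tuple[int, float, float]]:
    """Return (index, value, z_score) for each sample that deviates from its trailing baseline.

    The baseline for sample i is the mean and population standard deviation of the
    `window` samples before it, so the first `window` samples are warm-up and are never
    flagged. `min_sigma` is a floor on the standard deviation: without it a perfectly
    flat baseline would turn any change at all into an alert. Set it to the smallest
    change you actually care about for that metric.
    """
    flags = []
    for i in range(window, len(samples)):
        history = samples[i - window:i]
        mu = mean(history)
        sigma = max(pstdev(history), min_sigma)
        z = (samples[i] - mu) / sigma
        if abs(z) >= threshold:
            flags.append((i, samples[i], z))
    return flags


def bandwidth_alerts() -> List[int]:
    """Minutes where bandwidth deviates; 5 MB/min is the smallest change we care about."""
    return [i for i, _, _ in flag_deviations(BANDWIDTH_MB_PER_MIN, min_sigma=5.0)]


def retransmission_alerts() -> List[int]:
    """Minutes where the retransmission rate deviates; half a percentage point floor."""
    return [i for i, _, _ in flag_deviations(RETRANSMISSION_RATE, min_sigma=0.005)]


if __name__ == "__main__":
    for name, series, floor in (("bandwidth", BANDWIDTH_MB_PER_MIN, 5.0),
                                ("retransmission", RETRANSMISSION_RATE, 0.005)):
        for idx, value, z in flag_deviations(series, min_sigma=floor):
            print(f"{name}: minute {idx} value={value} z={z:.1f}")
```

Note that once a spike enters the trailing window it inflates the baseline, so the minutes right after an alert are judged against a distorted standard deviation; a production detector would exclude flagged samples from the baseline or use a longer, seasonal baseline (business hours versus overnight) rather than the last ten minutes.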
Open Connections
The total number of open connections (meaning the total number of endpoints that are active on the network) may change rapidly for legitimate reasons. But a network that typically has a relatively stable number of connections and suddenly sees a change in activity could be one that has suffered a breach. That’s especially true if connections have been added from endpoints that were previously unknown.
Open Ports
Tracking which ports are open on which endpoints as well as how port configurations change over time is another way to gain insight into possible attacks. A host that has been compromised may open ports that would not normally be open.
In addition, some endpoints may be secure but have insecure ports that were inadvertently left open. Finding and closing those ports is one way to secure the network proactively.
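The connection and port sections above both come down to comparing a current picture of the network against a known-good baseline: which endpoints are active, which ports each one has open, what has appeared or disappeared since the last snapshot, and which open ports violate policy regardless of whether they changed. The following added example (not code from the original post or from Splunk) does that diff. The scan text format, the hosts and ports, and the deny list are constructed assumptions; in practice the inventories would come from your scanner or asset database.

```python
"""Diff a current open-port inventory against a known-good baseline (added example)."""
from collections import defaultdict
from typing import Dict, Set

# Constructed scan output (not the format of any real tool): "host port/proto state".
BASELINE_SCAN = """\
10.0.0.5 22/tcp open
10.0.0.5 443/tcp open
10.0.0.6 22/tcp open
10.0.0.7 80/tcp open
10.0.0.7 443/tcp open
10.0.0.7 23/tcp open
"""

CURRENT_SCAN = """\
10.0.0.5 22/tcp open
10.0.0.5 443/tcp open
10.0.0.5 4444/tcp open
10.0.0.7 80/tcp open
10.0.0.7 443/tcp closed
10.0.0.7 23/tcp open
10.0.0.9 22/tcp open
10.0.0.9 8080/tcp open
"""

# Constructed policy: services that should never be listening on this segment.
DISALLOWED_PORTS = {23, 445}

Inventory = Dict[str, Set[int]]


def parse_scan(text: str) -> Inventory:
    """Map each host to the set of ports the scan reported as open."""
    inventory: Dict[str, Set[int]] = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port_proto, state = line.split()
        if state == "open":
            inventory[host].add(int(port_proto.split("/")[0]))
    return dict(inventory)


def diff_inventory(baseline: Inventory, current: Inventory,
                   disallowed: Set[int] = DISALLOWED_PORTS) -> dict:
    """Report what changed between two inventories, plus policy violations.

    new_hosts:       endpoints not in the baseline at all (previously unknown)
    vanished_hosts:  baseline endpoints that no longer answer
    new_ports:       ports opened on a known host since the baseline
    closed_ports:    ports that were open in the baseline and are not now
    disallowed_open: open ports on the deny list, whether or not they changed
    endpoint_delta:  change in the number of active endpoints (the headline
                     count can be 0 while the membership behind it has churned)
    """
    report = {"new_hosts": {}, "vanished_hosts": set(), "new_ports": {},
              "closed_ports": {}, "disallowed_open": {},
              "endpoint_delta": len(current) - len(baseline)}
    for host, ports in current.items():
        if host not in baseline:
            report["new_hosts"][host] = set(ports)
        else:
            opened = ports - baseline[host]
            closed = baseline[host] - ports
            if opened:
                report["new_ports"][host] = opened
            if closed:
                report["closed_ports"][host] = closed
        bad = ports & disallowed
        if bad:
            report["disallowed_open"][host] = bad
    report["vanished_hosts"] = set(baseline) - set(current)
    return report


def sample_report() -> dict:
    """Diff the two constructed scans above."""
    return diff_inventory(parse_scan(BASELINE_SCAN), parse_scan(CURRENT_SCAN))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

In the constructed data the endpoint count is unchanged (three hosts before, three after), yet one known host has gone quiet, an unknown host has appeared, a known host has opened a new port, and a port on the deny list has been open the whole time. That is why membership and per-host port sets are worth tracking alongside the raw connection count.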
IP Address Conflicts
There is usually no valid reason for two endpoints to attempt to claim the same IP address. But this does happen, sometimes due to misconfigurations (like a host configured with a static IP that has already been assigned via DHCP to another host), and sometimes due to efforts by attackers to spoof an endpoint. Keeping track of IP address conflicts, then, is one way to spot potentially malicious activity.
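One way to track IP address conflicts is to watch ARP replies and flag any address that two different MAC addresses announce within a short window, then cross-check against the DHCP lease table to see which claimant the server actually assigned the address to. The following is an added example (not code from the original post or from Splunk) that does both over a constructed ARP observation log. The log line format, the addresses, the lease table and the five-minute window are assumptions; real inputs would come from a switch, an ARP monitor, or your DHCP server's lease file.

```python
"""Spot IP address conflicts from ARP observations and DHCP leases (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed ARP observation log (the format is an assumption, not a real tool's output).
ARP_LOG = """\
2021-06-01T10:00:01 arp-reply 10.0.0.20 is-at aa:bb:cc:00:00:20
2021-06-01T10:00:05 arp-reply 10.0.0.21 is-at aa:bb:cc:00:00:21
2021-06-01T10:00:09 arp-reply 10.0.0.20 is-at de:ad:be:ef:00:01
2021-06-01T10:00:12 arp-reply 10.0.0.22 is-at aa:bb:cc:00:00:22
2021-06-01T10:00:30 arp-reply 10.0.0.20 is-at aa:bb:cc:00:00:20
2021-06-01T11:30:00 arp-reply 10.0.0.22 is-at aa:bb:cc:00:00:99
"""

# Constructed DHCP lease table: which MAC the server believes holds each address.
DHCP_LEASES = {
    "10.0.0.20": "aa:bb:cc:00:00:20",
    "10.0.0.21": "aa:bb:cc:00:00:21",
    "10.0.0.22": "aa:bb:cc:00:00:22",
}

LINE_RE = re.compile(r"^(\S+) arp-reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-fA-F:]{17})$")
Observation = Tuple[datetime, str, str]  # (timestamp, ip, mac)


def parse_arp_log(text: str) -> List[Observation]:
    """Parse the constructed log format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()))
    return records


def find_ip_conflicts(records: List[Observation], leases: Dict[str, str],
                      window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """One entry per IP that two or more MACs announced within `window` of each other.

    Observations farther apart than `window` are not treated as a conflict: an
    address can legitimately be re-leased to another host over time.
    """
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, mac in records:
        by_ip[ip].append((ts, mac))
    conflicts = []
    for ip, seen in sorted(by_ip.items()):
        seen.sort()
        clashing = set()
        for i, (ts, mac) in enumerate(seen):
            for later_ts, later_mac in seen[i + 1:]:
                if later_ts - ts > window:
                    break
                if later_mac != mac:
                    clashing.update((mac, later_mac))
        if clashing:
            holder = leases.get(ip)
            conflicts.append({"ip": ip, "macs": sorted(clashing), "lease_holder": holder,
                              "unexpected": sorted(clashing - {holder})})
    return conflicts


def lease_mismatches(records: List[Observation], leases: Dict[str, str]) -> List[Observation]:
    """Observations where the announcing MAC is not the one the DHCP server leased the IP to.

    This catches the misconfiguration case from the text (a static IP colliding with a
    DHCP lease) even when the two hosts never answer within the same window.
    """
    return [(ts, ip, mac) for ts, ip, mac in records if ip in leases and leases[ip] != mac]


def sample_conflicts(window_minutes: int = 5) -> List[dict]:
    """Run the conflict check over the constructed log with a window given in minutes."""
    return find_ip_conflicts(parse_arp_log(ARP_LOG), DHCP_LEASES, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for c in sample_conflicts():
        print(f"conflict on {c['ip']}: {c['macs']} (lease holder {c['lease_holder']}, "
              f"unexpected {c['unexpected']})")
    for ts, ip, mac in lease_mismatches(parse_arp_log(ARP_LOG), DHCP_LEASES):
        print(f"{ts.isoformat()} {ip} announced by {mac}, lease says {DHCP_LEASES[ip]}")
```

With the default window only 10.0.0.20 is reported as a conflict, because its two claimants answered seconds apart; the second MAC on 10.0.0.22 shows up ninety minutes later and is surfaced only by the lease mismatch check, which is the right place to investigate a possible static-versus-DHCP overlap. Widening the window to two hours makes the detector report 10.0.0.22 as a conflict as well, which illustrates why the window should be tuned to your lease times.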
Again, this isn’t an exhaustive list of network metrics that can support security analytics. It may also be helpful to look at data such as latency, which may also experience anomalous trends during an attack. And security teams may want to track metrics like Mean Time to Detect (MTTD) and Mean Time to Resolve (MTTR) cyber-attacks, although these aren’t network-specific metrics.
Either way, however, monitoring the network should be one pillar of any modern cybersecurity strategy.
Interested in learning more about modern cybersecurity trends? Check out the results of a global survey of industry leaders in Splunk’s State of Security for 2021.