
To do their work protecting against criminal attacks, security teams need visibility into what’s happening in the network environment. This monitoring function is one of three components of a managed detection and response (MDR) service offering.

Two of the most useful monitoring tools are a SIEM device and a network traffic analyzer. We’ll take a brief look inside these tools. Along the way, you’ll get a better idea of what security teams are looking for as they go about the job of protecting your business.


SIEM: Logs, Logs and More Logs

SIEM is an acronym for security information and event management. That’s a broad descriptor, but fundamentally this type of tool aggregates and correlates information gathered from system logs. Many network-attached devices generate logs of the events that take place on them, whether the device is a router, firewall, switch, wireless access point, server or workstation. By default, those logs stay on the individual devices. A SIEM tool gathers all the log information, ingests it, and presents it in a way that makes it easier to see the big picture of what’s happening in the network. In particular, it looks for abnormal behaviors and issues alerts when it spots them. These tools also typically integrate logs from cloud-based applications, so the team has a view into the company’s instances of G Suite, Office 365, Salesforce and other programs.

A medium-sized business environment may see anywhere from 20 million to 40 million individual logged events every day. At that scale and volume, the events are impossible to process without a SIEM tool. The tool sorts them out so the security team can focus on what’s important.


Network Traffic Analyzer: All Things Coming and Going

This type of tool delivers visibility into all the data packets that pass through a single point in the network. Typically, it’s attached to a firewall or switch at or near the network edge, so it captures all the packets passed between the internal network and the public internet. It then issues alerts on abnormal traffic. Examples include traffic from IP addresses that are on a blacklist for known malicious behavior, large amounts of data moving at odd times, and uploads and downloads of executable files. Analyzers are beginning to apply artificial intelligence: they learn what normal traffic looks like on a network, and then alert when they encounter traffic that looks different.


Which to Use, and Where

Both of these tools monitor cybersecurity behavior, but they do it in different ways. Sometimes, one can see abnormal or potentially malicious behavior that the other can’t. And while there are some tools that try to do the job of both, they accomplish that with varying degrees of success. So we feel it’s best to have both.

For instance, an account with two simultaneous logins, a login from an unusual location or from a different system than usual, or an escalation of privileges is quickly and easily captured by the SIEM tool. Because it correlates multiple logs, it’s also very good at detecting when an intruder is moving laterally through the various systems, using access to one system to gain access to others.


On the other hand, unusual file movement such as uploads and downloads of files, files sent or received from strange locations, or attempts to scan the network for potentially vulnerable systems are more easily detected by a network traffic analyzer.

Both types of tools employ rules to define what constitutes unusual behavior and the degree of alerting appropriate to that behavior. Some are out-of-the-box rules that serve as the default for the device. But it’s important to tune the ruleset for the unique environment that the business presents. A company with a large number of road warriors may commonly see logins from new or unknown locations, while in an environment where all the work is done on-premises, such a login could be a red flag. Businesses with high turnover see new logins all the time, while those with stable workforces would find an unexpected login to be worth investigating.
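To make the SIEM correlation described two paragraphs up and the rule tuning described just above concrete, here is a small Python rule engine added as an illustration (it is example code, not SOCBOX’s tooling). It runs over constructed login events and flags concurrent logins from two systems, logins from an unusual system or location, and first-seen accounts, with two switches that relax the rules for a mobile or high-turnover workforce. The log line format, the per-user baseline and the five-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not taken from any real system).
SAMPLE_LOGS = """\
2024-03-04T08:01:10Z login user=alice host=WS-ALICE geo=Boston
2024-03-04T08:03:22Z login user=alice host=WS-ALICE geo=Boston
2024-03-04T08:15:45Z login user=bob host=WS-BOB geo=Boston
2024-03-04T08:16:02Z login user=bob host=SRV-FIN01 geo=Kiev
2024-03-04T08:40:00Z login user=carol host=LAPTOP-7 geo=Denver
"""

# Assumed baseline of each account's usual workstation and location (constructed).
BASELINE = {"alice": ("WS-ALICE", "Boston"), "bob": ("WS-BOB", "Boston")}

LINE_RE = re.compile(r"(\S+) login user=(\S+) host=(\S+) geo=(\S+)")

def parse(logs):
    """Yield (timestamp, user, host, geo) for each well-formed log line."""
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def correlate(logs, baseline, window=timedelta(minutes=5),
              mobile_workforce=False, high_turnover=False):
    """Return (user, rule, detail) alerts. The two flags are the tuning knobs:
    mobile_workforce silences the new-location rule, high_turnover the first-seen rule."""
    alerts = []
    recent = defaultdict(list)  # user -> [(timestamp, host)] logins seen so far
    for ts, user, host, geo in parse(logs):
        usual_host, usual_geo = baseline.get(user, (None, None))
        if usual_host is None and not high_turnover:
            alerts.append((user, "first-seen account", host))
        if usual_host and host != usual_host:
            alerts.append((user, "login from unusual system", host))
        if usual_geo and geo != usual_geo and not mobile_workforce:
            alerts.append((user, "login from unusual location", geo))
        # Two logins from different systems inside the window count as concurrent.
        for prev_ts, prev_host in recent[user]:
            if prev_host != host and ts - prev_ts <= window:
                alerts.append((user, "concurrent logins from two systems",
                               f"{prev_host},{host}"))
        recent[user].append((ts, host))
    return alerts
```

With the defaults, `correlate(SAMPLE_LOGS, BASELINE)` returns four alerts, three of them for bob; passing `mobile_workforce=True, high_turnover=True` drops the location and first-seen alerts and leaves two.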


At SOCBOX, we include both of these monitoring tools in our cybersecurity tool stack. More important than the tools themselves is having experts on staff who know how to tune the rules for a given environment and provide 24x7 monitoring. Our teams also have hands-on experience with all the tools to determine when an alert is a one-time anomaly, and whether there are related signs indicating that a full-blown cybersecurity incident could be taking place.

Would you like the reassurance of having that kind of protection for your business? Then contact us today by emailing info@socbox.com or calling 877-284-7789.