Monitoring your network traffic is a proven method for detecting intrusions, as is monitoring host logs. Even with visibility into both dimensions, there remains an important gap between network traffic monitoring and host-based monitoring. It’s like being able to look beneath the surface of the ocean or above the surface, but not both at the same time.
Let’s expand upon that analogy. The next time you are snorkeling on a coral reef, take a moment to position your face so that the surface bisects your face mask and peruse another swimmer or boat both above and below the surface at the same time. It’s kind of neat. But being able to examine a given activity both on the network and inside the host at the same time is more than neat – it’s critical. Unfortunately, it doesn’t happen automatically because the correlation involved isn’t trivial.
When you observe a given packet – like an outbound connection from a workstation inside your network to some address on the Internet – what does that packet tell you? The IP address of both devices and the source and destination TCP ports. It doesn’t tell you the identity of the user or the process running inside that endpoint that initiated the connection. If that process is chrome.exe – that’s one thing; if it’s notepad.exe or powershell.exe – that’s another.
Figuring out the identity of the user might be as “simple” as comparing the IP address to your DHCP server logs, determining the host name of the computer leasing that address at that time and then looking up which employee is assigned that PC. But that doesn’t guarantee it was really that employee’s user account that ran the program that opened that connection because even workstations allow other users to log on to them.
To really know which user account is involved, and, more so, to determine which program opened the connection, you have to look at the logs on that host.
In this real training for free event, we’ll capture some packets from the network and show you how to correlate that data to the appropriate Windows system. Then, we’ll look at the logs from that system to figure out exactly who and what (program) sent that packet. I’ll show you how to do this both with Security Log events from Windows Firewall and with sysmon.
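The correlation described above, carried through in code as an added example (this is not code from the webinar or from LogRhythm): a captured outbound connection is first mapped to a host name through DHCP lease records for the capture time, and then matched against that host's Sysmon Event ID 3 (network connection) records on the full 5-tuple plus a time window, which yields the user and the image that opened the connection. The field names (UtcTime, Image, User, SourceIp, SourcePort, DestinationIp, DestinationPort, ProcessId) are the real Sysmon Event ID 3 fields; every host name, IP address, lease time, user name and event record below is constructed sample data.

```python
"""Attribute a captured outbound connection to a host, user and process.

Step 1: IP + capture time -> host name, via DHCP lease records.
Step 2: host + 5-tuple + time window -> Sysmon Event ID 3 record (user, image).
All lease and event records in this file are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed DHCP lease records: (ip, hostname, lease_start, lease_end), all UTC.
# Note the same address is leased to two different machines on the same day.
DHCP_LEASES = [
    ("10.1.20.57", "WS-ACCT-07", datetime(2024, 3, 4, 8, 2), datetime(2024, 3, 4, 16, 2)),
    ("10.1.20.57", "WS-HR-02", datetime(2024, 3, 4, 16, 30), datetime(2024, 3, 5, 0, 30)),
]

# Constructed Sysmon Event ID 3 records keyed by host name. The keys follow the
# real Sysmon schema; the values are made up for this example.
SYSMON_ID3: Dict[str, List[dict]] = {
    "WS-ACCT-07": [
        {"UtcTime": "2024-03-04 13:15:41.120", "ProcessId": 4120,
         "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
         "User": "CORP\\jdoe", "SourceIp": "10.1.20.57", "SourcePort": 51642,
         "DestinationIp": "203.0.113.10", "DestinationPort": 443},
        {"UtcTime": "2024-03-04 13:15:43.870", "ProcessId": 7788,
         "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "User": "CORP\\svc-backup", "SourceIp": "10.1.20.57", "SourcePort": 51650,
         "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    ],
}


@dataclass(frozen=True)
class Flow:
    """One captured connection: the 5-tuple the packet gives you, plus when it was seen."""
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def host_for_ip(ip: str, ts: datetime, leases=DHCP_LEASES) -> Optional[str]:
    """Return the host name holding the lease for `ip` at time `ts`, or None."""
    for lease_ip, host, start, end in leases:
        if lease_ip == ip and start <= ts <= end:
            return host
    return None


def attribute_flow(flow: Flow, window: timedelta = timedelta(seconds=5),
                   leases=DHCP_LEASES, events=SYSMON_ID3) -> Optional[dict]:
    """Resolve a flow to {host, user, image, pid}.

    Returns None when no lease covers the source IP at capture time. When the
    host is known but no Event ID 3 record matches, user/image/pid are None
    (the host had no logged connection for that tuple within the window).
    The source port is part of the match on purpose: it is what separates two
    processes talking to the same destination, and the time window keeps a
    later reuse of the same ephemeral port from matching the wrong event.
    """
    host = host_for_ip(flow.src_ip, flow.ts, leases)
    if host is None:
        return None
    for ev in events.get(host, []):
        ev_ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        same_tuple = (ev["SourceIp"] == flow.src_ip
                      and ev["SourcePort"] == flow.src_port
                      and ev["DestinationIp"] == flow.dst_ip
                      and ev["DestinationPort"] == flow.dst_port)
        if same_tuple and abs(ev_ts - flow.ts) <= window:
            return {"host": host, "user": ev["User"],
                    "image": ev["Image"], "pid": ev["ProcessId"]}
    return {"host": host, "user": None, "image": None, "pid": None}


def attribute_capture(ts: str, src_ip: str, src_port: int,
                      dst_ip: str, dst_port: int) -> Optional[dict]:
    """Convenience wrapper taking the capture timestamp as 'YYYY-MM-DD HH:MM:SS' (UTC)."""
    flow = Flow(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src_ip, src_port, dst_ip, dst_port)
    return attribute_flow(flow)


if __name__ == "__main__":
    # Two connections to the same destination a few seconds apart: only the
    # full 5-tuple tells chrome.exe apart from powershell.exe.
    for port in (51642, 51650):
        print(attribute_capture("2024-03-04 13:15:44", "10.1.20.57", port, "203.0.113.10", 443))
```

Two practical points the example is built around: the capture timestamp and the host's event times must be on the same clock (the match uses UTC and a small window, so unsynchronised clocks or a NAT in between will silently produce no match rather than a wrong one), and the same attribution can be done from the Windows Security Log instead of Sysmon, with the difference that the Windows Filtering Platform event 5156 carries the Application Name and Process ID but not the user, so the user then comes from correlating that Process ID with the matching 4688 process-creation event.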
We have the perfect sponsor for this webinar with LogRhythm, a leader both in SIEM and network monitoring. In fact, you’ll get a chance to see LogRhythm’s powerful NetMon tool in action. It even has a Freemium version that you can use to follow along and for monitoring your own network.
Liam Mayron from LogRhythm will join to discuss network monitoring and analysis, particularly alarms based on network traffic that can provide starting points for host attribution. Network traffic analysis can be the first sign of misuse or even of compromised systems. We’ll have a look at how a network monitoring tool can be configured to alert on relevant events, particularly those that can be correlated with host information for an investigation.
Please join us for this real training for free session.