Network packets: a particle’s journey
They are fast, travelling at a large fraction of the speed of light through almost every computer system in the world. We are not talking about a newly discovered particle of physics, but about ordinary network packets. One thing we have to give physicists credit for: apart from Heisenberg’s uncertainty principle, they usually know very precisely which particles are on the way and what they look like.
But what about the network? Can you determine at any time exactly which data packets are moving through your company network? Do you know where they come from, where they go and what they contain? Do you know exactly what is happening in your switches? If you answer even one of those questions with “No”, you are in the same position as many others. Most companies do not know which communication connections are being set up in their network; a lot of it is assumption or approximation.
No room for Heisenberg in the network
But how can network traffic be made visible, and security enhanced by automatic rules? One option is a purpose-built network monitor. It receives a copy of every packet that passes a switch (typically via a mirror or SPAN port, so it sees the traffic without sitting in the forwarding path) and evaluates packet headers and contents against predefined rules or filters. The evaluation results, or the packets themselves, can be forwarded to a SIEM (Security Information and Event Management) system, where they are correlated with other log sources to build more detailed rules and alarms. Such analysis can detect attacks in progress or reveal the activity of malware and botnet infections, for example a host beaconing to a command-and-control server. Note that for TLS-encrypted traffic the monitor sees addresses, ports, timing and certificate details but not the payload, so content rules only apply to cleartext protocols. A SIEM usually does not only alert but also offers hooks for automated defence, such as triggering a block on the firewall.
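As an added example (not code from the original post) of what “evaluating packets against predefined rules and forwarding the result to a SIEM” looks like, the script below parses raw IPv4/TCP/UDP packets as a mirror port would deliver them after Ethernet decapsulation, runs three illustrative rules over them and emits newline-delimited JSON events. The corporate range 10.0.0.0/8, the rule set and all sample traffic are assumptions constructed for the example.

```python
"""Rule-based packet evaluator that emits SIEM-ready events.

Added example, not code from the original post. Assumes raw IPv4 packets
(no Ethernet header), a corporate range of 10.0.0.0/8 and three
illustrative rules; all sample traffic below is constructed.
"""
import ipaddress
import json
import socket
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate address range


@dataclass
class Packet:
    src: str
    dst: str
    proto: int            # 6 = TCP, 17 = UDP
    sport: Optional[int]
    dport: Optional[int]
    payload: bytes        # bytes after the transport header


def parse_ipv4(raw: bytes) -> Packet:
    """Decode the IPv4 header and, for TCP/UDP, the ports and payload."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("invalid header length")
    end = total_len if ihl <= total_len <= len(raw) else len(raw)
    l4 = raw[ihl:end]
    sport = dport = None
    payload = l4
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == 6:
            hdr = (l4[12] >> 4) * 4 if len(l4) >= 20 else 20  # TCP data offset
        else:
            hdr = 8                                            # fixed UDP header
        payload = l4[hdr:]
    return Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, sport, dport, payload)


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


# Illustrative rules: (name, severity, predicate). Assumed policy, not from the page.
RULES: List[Tuple[str, str, Callable[[Packet], bool]]] = [
    ("cleartext-admin-egress", "high",       # telnet/ftp leaving the corporate network
     lambda p: p.proto == 6 and p.dport in (21, 23) and is_internal(p.src) and not is_internal(p.dst)),
    ("dns-resolver-bypass", "medium",        # DNS sent straight to an external resolver
     lambda p: p.proto == 17 and p.dport == 53 and is_internal(p.src) and not is_internal(p.dst)),
    ("irc-command-any-port", "high",         # IRC-style bot commands regardless of port
     lambda p: p.proto == 6 and (p.payload.startswith(b"NICK ") or p.payload.startswith(b"JOIN #"))),
]


def evaluate(raw_packets, rules=RULES) -> List[dict]:
    """Run every rule over every packet; return one event dict per match."""
    events = []
    for raw in raw_packets:
        try:
            pkt = parse_ipv4(raw)
        except ValueError as exc:
            # malformed input is itself worth an event: it can be evasion or a broken tap
            events.append({"rule": "parse-error", "severity": "low", "detail": str(exc)})
            continue
        for name, severity, matches in rules:
            if matches(pkt):
                events.append({"rule": name, "severity": severity, "src": pkt.src,
                               "dst": pkt.dst, "proto": pkt.proto,
                               "sport": pkt.sport, "dport": pkt.dport})
    return events


def to_ndjson(events) -> str:
    """Newline-delimited JSON, the shape most SIEM collectors accept."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


def build_packet(src, dst, proto, sport, dport, payload=b"") -> bytes:
    """Construct a raw IPv4+TCP/UDP packet for the sample traffic (checksums left 0)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4


# Constructed sample traffic as it would arrive from a mirror port.
SAMPLE_TRAFFIC = [
    build_packet("10.1.2.3", "10.1.2.10", 6, 51000, 443),                         # internal HTTPS, benign
    build_packet("10.1.2.3", "203.0.113.5", 6, 51001, 23),                        # telnet to the internet
    build_packet("10.1.2.4", "192.0.2.53", 17, 53012, 53, b"\x12\x34\x01\x00"),   # DNS bypassing the resolver
    build_packet("10.1.2.5", "198.51.100.7", 6, 44000, 8080, b"NICK bot1234\r\n"),  # IRC on port 8080
    b"\x45\x00\x00",                                                              # truncated packet
]

if __name__ == "__main__":
    print(to_ndjson(evaluate(SAMPLE_TRAFFIC)))
```

Running the script prints one JSON line per match: the telnet egress, the DNS bypass, the IRC command on a non-standard port and a parse-error event for the truncated packet; the benign internal HTTPS connection produces nothing. In production the packets would come from libpcap or a capture appliance and the NDJSON would go to the SIEM collector instead of stdout, but the rule loop and the event shape stay the same.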
Regulations require transparency
If the data is stored, the communication of the past can be analysed and evaluated as well. This is needed, for example, to trace the infection path of malware back once indicators of compromise are discovered: which host contacted the malicious address first, which internal hosts it talked to afterwards, and where the initial download came from. This not only reveals existing security gaps that must be closed urgently. Crimes in cyberspace are still crimes, and they should be prosecuted, supported by court-admissible evidence; retained records only serve as evidence if their integrity and chain of custody can be demonstrated. Laws and regulations add their own requirements: the GDPR (a summary can be found here), for instance, obliges companies to detect and document personal-data breaches and to report them to the supervisory authority within 72 hours of becoming aware of them, which is hard to do without retained communication data. The same regulation limits how long and for what purpose packet data containing personal data may be kept, so retention periods and access to stored captures need to be defined up front.
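The backward trace described above, as an added example that is not part of the original post: given retained connection records and one indicator of compromise (a command-and-control address), the script finds every internal host that contacted it, walks back from each to the compromised host that reached it first, identifies the root host and its external contacts before the first beacon as the likely delivery channel, and lists hosts a compromised machine touched that have not beaconed yet. The corporate range 10.1.0.0/16, the C2 address 203.0.113.66 and all flow records are constructed assumptions.

```python
"""Retrospective infection-path trace over retained connection records.

Added example, not code from the original post. Assumes retained flow
records (one dict per connection: timestamp, source, destination, port),
a corporate range of 10.1.0.0/16 and the IoC 203.0.113.66 as the C2
address; every record below is constructed.
"""
import ipaddress
from typing import Dict, List

INTERNAL = ipaddress.ip_network("10.1.0.0/16")  # assumed corporate range

FLOWS = [  # constructed retained records, oldest first
    {"ts": 50,  "src": "10.1.1.40", "dst": "10.1.1.30",     "dport": 445},   # benign file-share access
    {"ts": 120, "src": "10.1.1.10", "dst": "198.51.100.23", "dport": 80},    # download from unknown site
    {"ts": 150, "src": "10.1.1.10", "dst": "10.1.1.20",     "dport": 445},   # SMB to a second host
    {"ts": 180, "src": "10.1.1.20", "dst": "203.0.113.66",  "dport": 443},   # first C2 beacon seen
    {"ts": 190, "src": "10.1.1.10", "dst": "203.0.113.66",  "dport": 443},
    {"ts": 300, "src": "10.1.1.20", "dst": "10.1.1.30",     "dport": 3389},  # RDP to a third host
    {"ts": 320, "src": "10.1.1.30", "dst": "203.0.113.66",  "dport": 443},
    {"ts": 400, "src": "10.1.1.30", "dst": "10.1.1.99",     "dport": 443},   # contacted, never beaconed
]


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def first_contacts(flows, ioc) -> Dict[str, int]:
    """Earliest timestamp at which each internal host talked to the IoC."""
    first: Dict[str, int] = {}
    for f in sorted(flows, key=lambda r: r["ts"]):
        if f["dst"] == ioc and is_internal(f["src"]) and f["src"] not in first:
            first[f["src"]] = f["ts"]
    return first


def trace_infection_path(flows, ioc) -> dict:
    """Walk back from every host that contacted the IoC to find how it was reached."""
    flows = sorted(flows, key=lambda r: r["ts"])
    compromised = first_contacts(flows, ioc)
    edges: List[tuple] = []        # (from, to, ts, dport): likely lateral-movement hops
    roots: List[str] = []          # hosts with no compromised internal predecessor
    vectors: Dict[str, list] = {}  # external contacts of a root before its first beacon
    for host, t0 in sorted(compromised.items(), key=lambda kv: kv[1]):
        inbound = [f for f in flows
                   if f["dst"] == host and f["ts"] < t0
                   and is_internal(f["src"]) and f["src"] in compromised]
        if inbound:
            last = inbound[-1]     # latest compromised-to-host connection before the beacon
            edges.append((last["src"], host, last["ts"], last["dport"]))
        else:
            roots.append(host)
            vectors[host] = [(f["dst"], f["dport"], f["ts"]) for f in flows
                             if f["src"] == host and f["ts"] < t0
                             and not is_internal(f["dst"]) and f["dst"] != ioc]
    # internal hosts a compromised host reached that have not (yet) beaconed: examine next
    exposed = sorted({f["dst"] for f in flows
                      if f["src"] in compromised and is_internal(f["dst"])
                      and f["dst"] not in compromised})
    return {"compromised": compromised, "edges": edges, "roots": roots,
            "initial_vectors": vectors, "exposed": exposed}


if __name__ == "__main__":
    import json
    print(json.dumps(trace_infection_path(FLOWS, "203.0.113.66"), indent=2))
```

With the constructed records the trace reports 10.1.1.10 as the root, its HTTP download from 198.51.100.23 as the candidate delivery channel, the hops 10.1.1.10 to 10.1.1.20 (SMB) and 10.1.1.20 to 10.1.1.30 (RDP), and 10.1.1.99 as a host to examine next. The "latest compromised source before the first beacon" choice is a heuristic: the benign access from 10.1.1.40 at ts 50 is not blamed because that host never contacted the IoC, but on real data the candidate hops must still be confirmed with endpoint evidence.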
Conclusion: to be in control of the data flow you should monitor packets
A network monitor combined with a SIEM is one of the foundations of a modern security architecture. The concept should be supplemented by modern endpoint protection (more about advanced endpoint protection here). Monitoring data packets in the network remains important, but a plain packet filter that decides on addresses and ports alone is a concept of the past: it cannot see the application protocol or inspect content, and it should be replaced by a next-generation firewall that tracks connection state and inspects traffic at the application layer.