With a SIEM solution, companies usually monitor security events correlated into offenses, each with its duration, severity, type, source and destination IPs, log sources, etc. These details help security administrators and analysts monitor both internal and external threats and identify the real user behind an attack. In this sense, an offense represents malicious activity successfully carried out by external attackers or malicious insiders who found a loophole in the corporate network.
However, this traditional approach to SIEM doesn't let companies inspect the configuration of their network devices to find out whether it contains critical vulnerabilities that open the door to intruders. Nor does it let them look into the heart of an offense and establish not only the fact of an intrusion but also its path and the network points through which an attacker can gain access.
Why SIEM capabilities may be not enough
Let's take an example to see why the usual set of SIEM features may be insufficient for investigating security incidents.
Suppose a company has introduced a corporate security policy that strictly prohibits two-way communication with bad-reputation IPs. To enforce it, a system administrator configured the corporate firewall to block all possible connections with those insecure IPs. However, even with the necessary configuration in place, the SIEM system periodically reports offenses triggered by registered communication with the prohibited IPs.
With only SIEM features enabled, this riddle would be very hard to solve, since a SIEM system captures the violation without disclosing the conditions that preceded it. This is why the security administrator would not be able to understand why this kind of attack happened or how exactly it occurred, as there are multiple possible offense scenarios: the firewall had an unknown vulnerability, a system administrator made a configuration error, or a rogue system administrator intentionally enabled the connection to compromise the network.
When monitoring the network configuration is vital
The example above shows that the data available in a SIEM solution is sometimes not enough to find the initial cause of an offense. For this reason, SIEM functionality has to be extended with network configuration monitoring.
Prevent offenses made possible by network misconfiguration
IT networks aren't static and unchangeable: system administrators regularly install new software and hardware, roll out updates, change system configurations, etc. These changes can create vulnerabilities that make the network accessible to potential intruders. Since it's impossible to follow every step the system administrators take, it's important to have a tool that monitors configuration changes, detects risky ones and eliminates them before they attract an attacker.
In reality, a high number of attacks succeed not because the intruders are highly skilled, but because organizations leave unpatched vulnerabilities in very important network nodes, which is literally an invitation for criminals to come in. The sooner a company detects a security loophole, the better its chances of patching it before real attackers start their malicious activities.
Enforce a security policy
In a corporate security policy, companies usually define all the allowed and prohibited communications within the corporate network. In practice, only a system administrator can guarantee that the network complies with the established policy. Rather than relying solely on human diligence, organizations can extend their SIEM capabilities with dedicated tools that detect security policy violations caused by network misconfiguration.
Visualize network connections
With dedicated network monitoring tools, security specialists can automatically build their network topology and discover both existing and possible connections between network devices, in order to immediately identify and close risky communication paths throughout the network.
Discover network configuration changes
Using network monitoring tools, security administrators can untangle the riddle of undesirable connections with bad-reputation IPs in a minute, since network monitoring provides detailed data on the configuration of network appliances (e.g. firewalls, switches and IPSs) and lets them compare a device's configuration across different points in time to detect changes, along with who made them.
Pinpoint vulnerabilities in network devices
Coupled with vulnerability scanners, network configuration monitoring tools identify the current vulnerabilities in all network nodes. This lets a security department anticipate potential attacks and patch the existing loopholes.
Test a network for policy compliance
Assisted by SIEM experts, a company can also extend its SIEM solution with dedicated features to assess the network's compliance with the corporate security policy. This also makes it possible to investigate whether any policy rules have already been violated, or can be violated because of existing vulnerabilities or misconfigurations.
Simulate network attacks
Though companies usually turn to penetration testers to look for security weaknesses, advanced network monitoring features can be used to run recurring simulations of network attacks without involving professional penetration testers. This capability allows security administrators to work in tandem with system administrators and assess the possible impact of network configuration changes before they are actually implemented.
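As an added example (not code from the original article or any vendor's tool), the following Python sketch ties together the bad-reputation-IP riddle, the configuration comparison across points in time and the policy compliance test described above: a first-match firewall rule base is evaluated for flows the policy forbids, and two configuration snapshots are compared to attribute the change to the administrator the device change log records. The rules, addresses and change log are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str  # "permit" or "deny"; first matching rule wins
    src: str     # CIDR or "any"
    dst: str

def _matches(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation of one flow; implicit deny when no rule matches."""
    for r in rules:
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            return r.action, r.rule_id
    return "deny", "implicit"

def policy_violations(rules, internal_hosts, bad_ips):
    """Flows the policy forbids (either direction with a bad-reputation IP) but the rule base permits."""
    found = []
    for host in internal_hosts:
        for bad in bad_ips:
            for src, dst in ((host, bad), (bad, host)):
                action, rule_id = evaluate(rules, src, dst)
                if action == "permit":
                    found.append((src, dst, rule_id))
    return found

def attribute_changes(old, new, change_log):
    """Rule ids added or removed between two snapshots, with the editor the device change log records."""
    old_ids, new_ids = {r.rule_id for r in old}, {r.rule_id for r in new}
    changes = [("added", i, change_log.get(i, "unknown")) for i in sorted(new_ids - old_ids)]
    changes += [("removed", i, change_log.get(i, "unknown")) for i in sorted(old_ids - new_ids)]
    return changes

# Constructed sample data, not taken from any real device
BAD_IPS = ["203.0.113.7", "198.51.100.25"]
INTERNAL = ["10.0.5.10"]
SNAPSHOT_T0 = [  # policy-compliant baseline: bad-reputation ranges blocked in both directions
    Rule("10", "deny", "any", "203.0.113.0/24"), Rule("20", "deny", "203.0.113.0/24", "any"),
    Rule("25", "deny", "any", "198.51.100.0/24"), Rule("27", "deny", "198.51.100.0/24", "any"),
    Rule("30", "permit", "10.0.0.0/8", "any"), Rule("40", "permit", "any", "10.0.5.0/24"),
]
# Later snapshot: rule 20 was deleted, so inbound traffic from 203.0.113.7 now reaches rule 40
SNAPSHOT_T1 = [r for r in SNAPSHOT_T0 if r.rule_id != "20"]
CHANGE_LOG = {"20": "bob"}  # constructed change log: rule id -> administrator who last touched it
```

Running `policy_violations` against each snapshot shows which flow the SIEM offense corresponds to and which rule now permits it, and `attribute_changes` names the administrator behind the removed deny rule.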
Conclusion
Though a SIEM system is an irreplaceable source of data on security events within a corporate network, traditional SIEM features are sometimes not enough to understand the nature of an offense, which makes it difficult to eliminate its root cause and prevent its recurrence. To address this challenge, companies can reinforce their SIEM solutions with network configuration monitoring features, which allow them to continuously control the changes made to the network and assess the risk of potential intrusions.