Author: Marc Bilodeau – Director Program Management
One of the try-and-true indicators of network performance issues is identifying who or what is consuming resources on your network. This has been a go-to staple for many administrators to identify the culprit quickly and solve the problem. But is this approach still effective to manage today’s complex networks?
Top Talkers Being An Important Indicator
For those who can remember when networking and the internet started to become mainstream, the primary concerns for IT organizations were managing bandwidth consumption and keeping the network up and running.
In those days, IT deployed home-grown scripts and software solutions that ping an IP to ensure the network responded while using SNMP to monitor how much precious bandwidth was being consumed on the network. From that information alone, they could determine if their devices were up and what interfaces across the network were saturated, thereby slowing down productivity. How many NetOps teams closely watched their T1 lines to ensure your organization could access the network or a remote office?
As great as it was to know where the bottlenecks were. The NetOps teams wanted more insight. They wanted to know what was consuming their network resources? The introduction of Cisco’s NetFlow protocol in the mid-90s was a turning point for their switches and routers. This was a game-changer for NetFlow could collect IP network traffic information as it passed through network interfaces. This capability had NetOps teams rejoiced, for there was a solution of having a window into the network black box that could identify who or what was causing all that traffic.
Furthermore, solutions like Scrutinizer appeared that could quickly collect and report on data. A dashboard could show the top IPs, protocols, ports, interfaces, and more to give a snapshot of what was going on. Alarms could be triggered when certain thresholds were violated, allowing teams to identify and resolve the problem quickly. When people complained about the network, IT had a go-to tool to solve the mystery.
Where Top Talkers Breaks Down
While effective initially, the top talker strategy has limitations in today’s network environments. Networks and applications have become more sophisticated and monitoring them is more challenging. Reports often always show HTTPS, DNS, and certain IP addresses or subnets. Therefore, they are ignored because they should be top ranked. Well, assumptions are the root for some of the worst disasters.
Every organizations’ data has value, adversaries and malicious actors use advanced tools to access the network and acquire it. Unfortunately, this is where the top talkers’ strategy breaks down in a significant way.
NetOps and SecOps teams have a much bigger role today to protect their organization’s assets. Malicious actors use techniques such as social engineering to trick employees into giving them access to the network, bypassing advanced firewall and edge network investments. Once in the network, they lie low and probe at sources in the network while generating little traffic. Guess what isn’t going to see this behavior? That’s right, the top talkers.
Even after malicious actors find troves of data to steal from the organization, they do this quietly so that it goes under the top talkers’ radar. In fact, they slowly steal that data from the network by transferring it very slowly at speeds not seen since the 1980s. All this time, those top talkers’ reports aren’t showing anything unusual since these actors rank among the lowest talkers. Yikes!
Even worse, malicious actors could be insiders who already have legitimate access to the network. Top talkers may show more activity for a brief time from a legitimate source, but those top talkers’ reports can’t tell if this is legitimate traffic.
The list goes on as adversaries continue to attack organizations for their valuable data sources. Therefore, the effective approach to protect the organization must look well beyond the horizon of those top talkers.
Modern Problems Need Modern Solutions
Today’s sophisticated adversaries require defenses that go beyond highlighting talkative IPs, protocols, interfaces, and subnets. The right solution not only can identify the top talkers but can detect nuances in the network when something isn’t normal, it’s escalated to investigate.
For example, when a user logs in at a new location, at a different time of day, or does something that isn’t typical of what they normally do, it’s a cause for concern. Additionally, if data starts trickling to a new host somewhere on the network, or worse to an outside host, then it’s escalated to be investigated.
In fact, using advanced machine learning algorithms helps assess real threats, reduces the noise of false positives, and notify those managing the infrastructure of legitimate concerns, thus utilizing their time more efficiently.
In modern networks, those top talkers’ reports aren’t very helpful, even when looking at the traffic over time since it isn’t showing the complete story, that is, what’s happening with the rest of the network. In fact, those top talkers’ reports may be giving organizations a false sense of security because they look similar from day to day, and those subtle changes can be explained away as legitimate activity.
The Fix is Simple
Many legacy platforms have add-ons to collect flows across the network to summarize the activity into easily digestible top talker reports. However, that leaves a lot of risk on the table. Instead, invest in solutions that have features that meet the need to keep an eye on the entire network and treat all activity with the same scrutiny.
So, the next time you look at your top talkers’ dashboard and reports and think everything looks ok, is it really? Trusting a platform that’s comprehensive which does more than just provide top talker reports is paramount for keeping a watchful eye on the network.
Plixer One can provide everything you need and more to help you sleep easier and let you focus on your work instead of relying on the top talkers to reveal anomalous activity. Ready to revolutionize your network security? Visit the Plixer One Security page to learn more about how Plixer can provide comprehensive protection and innovative solutions for your network.