How to integrate network behavior anomaly detection into enterprise systems

Network behavior anomaly detection (NBAD) can be a valuable tool for financial firms. However, without proper integration, the tool is useless. In this tip, we lay out the steps required for a successful integration.


To protect your financial data, you most likely put in firewalls, antivirus software, antidetection software and failover servers at strategic points of your global network. The reality is that this is not enough.

Today's networks are getting more complex and harder to master due to an increase in configuration and topology complexity as well as in the number of hosts, locations, users and services in the network. In addition, the number of potential new network attacks and viruses grows with this complexity.

For that reason, the computer network might operate in an unexpected way that could cause unplanned network downtime and ultimately a system crash. This deviation from the normal state is a network behavior anomaly. To detect it, you need to supplement your anti-threat applications with a network behavior anomaly detection (NBAD) tool that watches for unusual events.

An NBAD tool tracks critical network characteristics in real time, collects them and stores forensic data in databases and/or logs. It generates an alarm or alert if a strange event or trend is detected that could indicate the presence of a threat. Examples of the characteristics tracked include traffic volume, bandwidth use and protocol use.
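As an added illustration (not code from the original article or any particular NBAD product), the sketch below shows the baseline-and-deviation logic such a tool applies to two of the characteristics named here, traffic volume and protocol mix. The per-window flow records, the thresholds and the function names are constructed for this example.

```python
import math
from collections import Counter

# Constructed sample: one record per 5-minute window, as (total_bytes, flows per protocol).
# Windows 0-7 are a quiet learning period; window 8 is a volume spike and window 9
# keeps normal volume but shifts the protocol mix toward UDP (both constructed).
WINDOWS = [
    (1_000_000, {"tcp": 90, "udp": 8, "icmp": 2}),
    (1_050_000, {"tcp": 90, "udp": 8, "icmp": 2}),
    (950_000, {"tcp": 90, "udp": 8, "icmp": 2}),
    (1_020_000, {"tcp": 90, "udp": 8, "icmp": 2}),
    (980_000, {"tcp": 90, "udp": 8, "icmp": 2}),
    (1_010_000, {"tcp": 90, "udp": 8, "icmp": 2}),
    (990_000, {"tcp": 90, "udp": 8, "icmp": 2}),
    (1_000_000, {"tcp": 90, "udp": 8, "icmp": 2}),
    (4_000_000, {"tcp": 90, "udp": 8, "icmp": 2}),   # volume spike
    (1_000_000, {"tcp": 40, "udp": 58, "icmp": 2}),  # protocol-mix shift
]


def baseline(windows):
    """Learn mean and standard deviation of bytes per window, plus each protocol's mean share."""
    vols = [b for b, _ in windows]
    mean = sum(vols) / len(vols)
    std = math.sqrt(sum((v - mean) ** 2 for v in vols) / len(vols)) or 1.0  # avoid divide-by-zero
    share = Counter()
    for _, protos in windows:
        total = sum(protos.values()) or 1
        for proto, n in protos.items():
            share[proto] += n / total / len(windows)
    return mean, std, dict(share)


def detect(windows, learn=8, z_max=3.0, share_delta=0.20):
    """Return (window index, kind, value) alerts for windows after the learning period."""
    mean, std, share = baseline(windows[:learn])
    alerts = []
    for i, (vol, protos) in enumerate(windows[learn:], start=learn):
        z = (vol - mean) / std
        if abs(z) > z_max:  # volume far outside the learned band
            alerts.append((i, "volume", round(z, 1)))
        total = sum(protos.values()) or 1
        for proto in sorted(set(share) | set(protos)):  # sorted for deterministic output
            observed = protos.get(proto, 0) / total
            if abs(observed - share.get(proto, 0.0)) > share_delta:
                alerts.append((i, f"protocol:{proto}", round(observed, 2)))
    return alerts


if __name__ == "__main__":
    for alert in detect(WINDOWS):
        print(alert)
```

A production tool would learn the baseline continuously and per host or segment rather than from a fixed window count, but the alerting decision is the same comparison against learned normal behavior.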

When implementing the NBAD tool, the ultimate goal is to quickly detect and analyze a network behavior anomaly at a central point. To achieve this, a financial services firm should take the following steps.

First, conduct an economic feasibility study of installing and integrating the NBAD tool. The study should cover the system challenges involved, including security, logistics, scalability, operations, IT, program management, and education and training.

Second, conduct a site analysis to ensure the NBAD tool can collect all the required data on hosts, users, locations, servers, firewalls and other elements of the network. The analysis should include the capacity, expandability and scalability of the storage devices or other means used to hold the data the NBAD tool collects. It should also include the capacity, expandability and scalability of the failover servers and off-site backups that will hold NBAD data.

Next, review your compliance policies to ensure that compliance regulations are met and that collected data is retained for the required period of time. Include in your review whether the storage capacity can be expanded. Review your backup policies and periodically test the restoration of backup media. Run backup tapes at off-production times to ensure they are in good condition.

Conduct a pilot study of integrating the NBAD tool into a sample portion of an enterprise system. This will help the integrators solve any potential problems before integrating the tool on a large-scale basis, as well as determine what education and training the systems administrators will need to quickly resolve unusual anomalies.

As part of the study, determine what features of your current networking tools are redundant with the NBAD tool. If they are not redundant, determine if they can be supplemented or integrated with the NBAD tool.

Run test applications to determine how well they are performing. If the applications are not performing well, revise or replace them, integrate all or some parts of them into a better-performing enterprise system, or simply discard them.

Finally, determine how centralized logging of the data collected by the NBAD tool should be set up. Assess which systems administrators can remotely view the centralized logs and automatically request the data that pertains to their locations. This helps these administrators contain infection and damage before they become widespread.

Implementing NBAD tools can be a challenge for a financial services firm. Proper implementation techniques can make the job easier.

About the author:
Judith M. Myerson is a systems architect and engineer. Her areas of interest include middleware technologies, enterprise-wide systems, database technologies, application development, network management, computer security, information assurance, financial systems, RFID technologies and project management.


This was first published in September 2008
