
Top 10 Network Security Mistakes - #6: Logging & Monitoring

December 31, 2013

Continuing along our journey through the Top 10 Network Security Mistakes, today we’ll take a look at logging and monitoring. 

Hopefully we can all agree that information is power. And many times, in the course of protecting or using powerful information, we generate other powerful information about who did what, when, and from where. This is frequently referred to as metadata.


If you have ever watched a show where the good guys try to find the bad guys after a crime, you know how this works. Whether it’s CSI: Miami, Monk or Matlock, they always do the same thing, right? They collect clues to reconstruct events of the past. 

While the TV shows would be pretty boring if they always had a video of the crime, our jobs would be much easier if we had abundant data available on demand.

That’s where logs and monitoring come in. 

Plentiful metadata can help define the difference between coming up with a quick explanation for an issue and having to offer an awkward shrug from the hot seat. 

I do not like shrugs in InfoSec. I do not like the looks they get. Not from spam, nor resident in RAM, I do not like InfoSec shrugs, Sam I Am.

So, let us review a few ways to use logs and monitoring to avoid shrugs. 

Logs: A Revolver in the Study


Where do we get the best logs? Start with what you control. If you are in NetSec, then you may have access to a number of solutions such as:

  • Routers
  • Switches
  • Firewalls
  • VPNs
  • Remote Access Solutions
  • IPS
  • WAF
  • DLP
  • Proxies
  • Other Fun Stuff


Almost everything you manage can (should) generate logs for everything it does. Since Information is Power and disk is cheap, now is not the time to get stingy. 

If you are one of these people who turn off logging options to save disk or improve your signal-to-noise ratio, I urge you to change your approach. Let other solutions sift out your signal; you just make like a lumberjack (produce logs – get it? Wacka wacka!). Filtering at the source is irreversible: an event you never wrote down cannot be recovered during an investigation, while an event you did write down can always be filtered out later.

Turn on logs for all access rules, administrative access, authentication events, requests, allows, denies, everything. grep, find and your collector's include/exclude filters will be your friends later when you need to quiet noisy log entries.


Now that you have lots and lots of luxurious logs on the loose, let’s talk about wrangling them up. 

Central log consolidation is a great way to collect all the data in one place. This does several things for you:

  • Preserves integrity. Compromised devices may try to conceal naughty behavior by editing or deleting their local logs. They have a much harder time doing this if the logs are sent off-host as soon as they are generated: an attacker who owns the box can stop the stream going forward, but cannot rewrite what already left. (A sudden silence from a normally chatty source is itself worth an alert.)
  • Saves local resources. You might have a lot of storage on your devices, but then again you might not. Log collectors can have as much capacity as your imagination and budget will allow, so let them do the heavy lifting.
  • Allows for correlation. This is big. So big, in fact, it gets its own section. 

Correlation = More Elation

Now that all your logs are in one place, you can see if any of them relate to each other. 

Did you see 325,121 denied login attempts to a user account, then a successful login, followed by a password reset? Hmm…where there is smoke, there may be a flare gun. 

Log correlation allows for extremely powerful data mining across all logs to look for potentially troublesome series of events across different systems. There are a number of SEM/SIEM solutions available, so it is more a matter of figuring out what the best fit is for your needs.
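To make the "many failures, then a success, then a password reset" pattern concrete, here is an added example (not code from the original post or from any SIEM product) that runs a correlation rule over consolidated log lines. The log lines, the two hostnames (vpn01, dir01), the event format and the thresholds are all constructed for illustration; real devices will need their own parsers, but the logic is the same: group events by user across sources, then look for the sequence.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from any real device). A VPN concentrator
# ("vpn01") and a directory server ("dir01") forward to the same collector,
# so their events can be lined up per user. The line format is hypothetical.
SAMPLE_LOGS = """\
2013-12-30T02:14:01Z vpn01 auth: FAILED user=jsmith src=203.0.113.7
2013-12-30T02:14:03Z vpn01 auth: FAILED user=jsmith src=203.0.113.7
2013-12-30T02:14:05Z vpn01 auth: FAILED user=jsmith src=203.0.113.7
2013-12-30T02:14:07Z vpn01 auth: FAILED user=jsmith src=203.0.113.7
2013-12-30T02:14:09Z vpn01 auth: FAILED user=jsmith src=203.0.113.7
2013-12-30T02:14:11Z vpn01 auth: SUCCESS user=jsmith src=203.0.113.7
2013-12-30T02:15:30Z dir01 pwd: RESET user=jsmith by=jsmith
2013-12-30T08:00:00Z vpn01 auth: FAILED user=alice src=198.51.100.4
2013-12-30T08:00:20Z vpn01 auth: SUCCESS user=alice src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+): "
    r"(?P<kind>FAILED|SUCCESS|RESET) user=(?P<user>\S+)"
)


def parse(text):
    """Turn raw lines into (timestamp, host, kind, user) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # keep the noise in the collector; just don't correlate it
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("host"), m.group("kind"), m.group("user")))
    events.sort()
    return events


def correlate(events, min_failures=5,
              fail_window=timedelta(minutes=10),
              reset_window=timedelta(minutes=30)):
    """Flag: >= min_failures FAILED, then SUCCESS, then RESET for one user.

    The thresholds and windows are illustrative; tune them to your own baseline.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[3]].append(ev)

    findings = []
    for user, evs in by_user.items():
        for i, (ts, host, kind, _) in enumerate(evs):
            if kind != "SUCCESS":
                continue
            # failures shortly before the successful login, any source host
            failures = [e for e in evs[:i]
                        if e[2] == "FAILED" and ts - e[0] <= fail_window]
            if len(failures) < min_failures:
                continue
            # a password reset shortly after it, possibly on a different host
            resets = [e for e in evs[i + 1:]
                      if e[2] == "RESET" and e[0] - ts <= reset_window]
            if resets:
                findings.append({
                    "user": user,
                    "failures": len(failures),
                    "login_host": host,
                    "login_at": ts.isoformat(),
                    "reset_host": resets[0][1],
                    "reset_at": resets[0][0].isoformat(),
                })
    return findings


if __name__ == "__main__":
    for f in correlate(parse(SAMPLE_LOGS)):
        print("SUSPICIOUS:", f)
```

Note that the reset comes from dir01 while the logins came from vpn01; neither device alone sees the whole story, which is the point of consolidating first and correlating second. The alice entries (one failure, then success, no reset) fall under the threshold and stay quiet.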


Where logs generally tell a story of what has already happened, monitoring can tell a story about what is currently happening.

There are many forms of monitoring. Some are more involved than others, but they all yield additional information about your environment. This can range from simple ICMP pings to SNMP polls, to NetFlow or sFlow collection. These tools can help tell a story about system utilization or general traffic patterns, which can help uncover deeply rooted issues.

Network Based Anomaly Detection (NBAD) can help establish traffic baselines in your network and let you know when traffic deviates from its regular patterns.
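As an added illustration of what "establish a baseline and alert on deviation" means in practice (this is example code, not the original post's and not any NBAD product's), the following builds a per-host baseline from a week of constructed NetFlow-style hourly summaries, then scores a new hour against it on two signals: egress volume far outside the host's usual range, and a destination port the host has never talked to. The host name db01, the traffic figures and the three-sigma threshold are all assumptions for the example.

```python
import statistics
from collections import defaultdict

# Constructed NetFlow-style hourly summaries (not captured traffic), one
# tuple per (hour_index, src_host, dst_port, bytes_out). One week of a
# hypothetical "db01" talking only to 443 and 53, with mild hourly wobble.
BASELINE_FLOWS = (
    [(h, "db01", 443, 50_000_000 + (h % 5) * 1_000_000) for h in range(24 * 7)]
    + [(h, "db01", 53, 200_000 + (h % 3) * 10_000) for h in range(24 * 7)]
)

# A later hour in which db01 suddenly pushes ~900 MB to a port it never used.
OBSERVED_HOUR = [
    (168, "db01", 443, 52_000_000),
    (168, "db01", 53, 210_000),
    (168, "db01", 6667, 900_000_000),
]

# The same host in an unremarkable hour: should produce no alerts.
QUIET_HOUR = [(169, "db01", 443, 52_000_000), (169, "db01", 53, 210_000)]


def build_baseline(flows):
    """Per host: mean and stdev of hourly egress bytes, plus dst ports seen."""
    hourly = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(set)
    for hour, host, port, nbytes in flows:
        hourly[host][hour] += nbytes
        ports[host].add(port)
    model = {}
    for host, per_hour in hourly.items():
        vals = list(per_hour.values())
        model[host] = {
            "mean": statistics.mean(vals),
            "stdev": statistics.pstdev(vals),
            "ports": ports[host],
        }
    return model


def score_hour(model, flows, z_threshold=3.0):
    """Return alert dicts for one hour of flows judged against the baseline."""
    total = defaultdict(int)
    new_ports = defaultdict(set)
    for hour, host, port, nbytes in flows:
        total[host] += nbytes
        if host in model and port not in model[host]["ports"]:
            new_ports[host].add(port)

    alerts = []
    for host, nbytes in total.items():
        m = model.get(host)
        if m is None:
            # A host with no baseline at all is worth a look on its own.
            alerts.append({"host": host, "type": "unknown_host"})
            continue
        if m["stdev"] == 0:
            # Perfectly flat baseline: any change is a deviation.
            z = float("inf") if nbytes != m["mean"] else 0.0
        else:
            z = (nbytes - m["mean"]) / m["stdev"]
        if z > z_threshold:
            alerts.append({"host": host, "type": "egress_volume",
                           "bytes": nbytes, "z": round(z, 1)})
        if new_ports[host]:
            alerts.append({"host": host, "type": "new_dst_port",
                           "ports": sorted(new_ports[host])})
    return alerts


MODEL = build_baseline(BASELINE_FLOWS)

if __name__ == "__main__":
    for a in score_hour(MODEL, OBSERVED_HOUR):
        print("ANOMALY:", a)
```

The caveat any practitioner will want: a baseline learned while an attacker is already active will treat their traffic as normal, and a simple mean/stdev model is blind to seasonal patterns (nightly backups look like exfiltration unless the baseline is per hour-of-day). Real NBAD tools handle both; the example only shows the shape of the idea.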

Beyond that is Network Traffic Recording, which is like a packet DVR for your network – this allows you to look at the exact packets from any conversation at any point in time within your recorded window. This is amazingly powerful in forensic situations, with one obvious caveat: full packet capture is the most storage-hungry option here, so the recorded window is bounded by your disk, and encrypted sessions still only give you metadata unless you are decrypting somewhere.


Some of these solutions are a bit advanced, but they can also add immeasurable value to your efforts to secure your network and reverse engineer events and incidents. The point is: you can only use the data you have available, so gather everything you can. This is no time to pack light. 
