What rules should be followed to keep your network monitoring setup up-to-date
It’s no secret that threats to information systems appear in numbers nowadays. It may be time to revisit some typical rules, tested by years of practice worldwide, to keep your monitoring setup as up-to-date as possible.
None of these rules are cast in iron; they are all flexible enough to adapt to any given environment. What matters is the underlying idea; the implementation is what makes them suitable for custom needs.
1. Assume nothing
Although any monitoring is based on comparing two or more states (the previous one and the current one), a performance value shouldn’t be judged on previous experience alone.
For example, if file presence is monitored, the file’s absence doesn’t necessarily mean something is broken; similarly, the file’s (re)appearance doesn’t mean the problem is gone.
The simplest example: assume maintenance is being run on a Web site, with most of its files being updated. While a file is being updated, it can be inaccessible to the File monitor (ideally, a dependency should be used to avoid polling for file presence while the update process is running).
However, when the file is available again, it can’t be assumed to be in a known state until it has been examined. Set up a monitor that calculates the file’s checksum in such a case.
2. No redundancy can be in excess
This one is simple: nothing really important may exist in a single copy.
Make at least two monitoring setups; let the second one monitor the state of the first. That way you won’t lose control entirely if the primary monitoring setup goes down.
Make at least two notification means. If the primary Internet line is down, use either a secondary one or something like a GSM modem to send important notifications.
Make at least two checks for every important resource. If a file exists that must not be altered under normal circumstances, checking its size and/or timestamp isn’t enough. Check its checksum as well; otherwise a benign file may be replaced with a malicious one without the replacement being noticed.
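The file monitor described under rules 1 and 2, as an added example (this is not IPHost’s own code): absence is reported as an unknown state rather than a failure, a reappeared file is only trusted once its SHA-256 matches the recorded baseline, and the constructed maintenance scenario shows why a size-and-timestamp check alone is insufficient. The file name, contents and baseline values are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from enum import Enum


class FileState(Enum):
    ABSENT = "absent"      # rule 1: not yet "broken", just unknown
    VERIFIED = "verified"  # present and checksum matches the baseline
    CHANGED = "changed"    # present but content differs from the baseline


def sha256_of(path):
    """Stream the file through SHA-256 so large files are not read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def naive_check(path, baseline_meta):
    """Size + mtime only: cheap, but a replacement can preserve both."""
    st = os.stat(path)
    return (st.st_size, int(st.st_mtime)) == baseline_meta


def checksum_check(path, baseline_sha256):
    """Absence and reappearance both mean 'unknown' until the checksum is verified."""
    if not os.path.exists(path):
        return FileState.ABSENT
    return FileState.VERIFIED if sha256_of(path) == baseline_sha256 else FileState.CHANGED


def demo():
    """Constructed scenario: a page disappears during maintenance and comes back."""
    original = b"<html>welcome to our site</html>"
    swapped = b"<html>welcome to our SITE</html>"  # same length, different bytes
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "index.html")
        with open(path, "wb") as fh:
            fh.write(original)
        baseline_sum = sha256_of(path)                   # recorded while file is known-good
        st = os.stat(path)
        baseline_meta = (st.st_size, int(st.st_mtime))
        os.remove(path)                                  # maintenance in progress
        during = checksum_check(path, baseline_sum)      # ABSENT: not an alarm yet
        with open(path, "wb") as fh:                     # file is back, but replaced
            fh.write(swapped)
        os.utime(path, (st.st_atime, st.st_mtime))       # timestamp restored as well
        naive_ok = naive_check(path, baseline_meta)      # True: size/mtime are fooled
        after = checksum_check(path, baseline_sum)       # CHANGED: the checksum is not
    return during, naive_ok, after
```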
3. Everything changes
There’s nothing really static; everything gets changed, updated, replaced. That applies to monitoring as well.
Apart from applying updates to everything, from your system to the monitoring software itself, there may be new monitors, new external services or software better matching your needs.
When you perform monitoring, it is essential to stay updated on every significant topic related to your network assets. That means you should check for new IPHost versions as well. Using out-of-date software and/or reference manuals may suddenly render your monitoring setup incapable of monitoring its resources.
4. Remain vigilant
Even small changes in overall monitoring patterns may work as a side channel: they can indicate a possible threat that hasn’t, in fact, been identified yet.
For example, if an HTTP(S) monitor starts showing spikes in the number of concurrent HTTP(S) requests, it’s time to investigate their cause.
If those are regular site visits, perhaps it’s time to check whether the site can handle the higher load.
If non-existent pages are being requested, perhaps you removed some pages by mistake, and that is worth checking. Or they may be bot-generated attempts to exploit your Web site’s dynamic pages, so you should check whether the site is immune to such attacks.
Anything that happens out of pattern should always be treated as suspicious.
Conclusion
What rules of thumb do you use that differ from the ones above? We are eager to know – contact us or post a comment in the form below.