It’s an ongoing struggle for small to medium sized enterprises (SMEs), balancing the solutions required to monitor and digest data on what’s going on within the network with the cost of full time highly skilled internally facing employees; all within a restricted budget. Often because of this, SMEs are limited to restricted number of full time team members – where at times alerts coming in become too much to deal with and issues may be missed. How can SMEs support their reduced team, empower them to respond appropriately, while at the same time without overspending on budget for solutions or team members?
Outsourcing duties
It would be foolish for an SME whose core competencies do not lay within incident response (IR) and cyber security threat intelligence to have a robust security operations centre (SOC) with these specialised skills, and filling it with experienced analysts combined with security software solutions; the cost of training alone could overwhelm the SME’s budget. However, it’s far too easy to drop responsibility and governance when outsourcing to a third party. Here in lies the problem, outsourcing parts of the SOC and IR responsibilities, without being completely hands off.
A SME may find a third party offering that provides help desk with a little incident validation, or even tier 1 SOC capabilities, but that is a far cry away from a holistic security specialised help desk, SOC, and IR services offering.
Once a vague contract has been signed off, the SME leaves the new third party to handle things, and may wipe their hands clean of any responsibility. Later, a major incident happens, and fingers are pointed in both directions – who’s ultimately responsible? To give you a hint, the first thing I end up doing when called in to investigate this, is to review the vague contract, and then measure the in-house and third party security capability and service maturity.
Whilst I do agree, there is a time and place for third party offerings, SMEs still need to own their security regardless. This includes:
Proper requirements gathering, and going to tender to find a third party able to provide these services and resources,
Appropriate, explicitly written contract, detailing roles & responsibilities, and
Assurance the SME has the skills and training to govern the third party security provider.
This also requires in-house documentation and SOPs, even if the in-house team doesn’t take a direct role in the tasks of incident response, they must know what the steps are required and what information needed. A SME is going to manage their own risk register, discuss, and prioritise with the third party. Consider making use of third party vendors in a hybrid approach, security function should never be completely hands off.
This hybrid approach at times means making use of some third party solutions, but also others covered in house by the reduced teams. Due to being a limited team and budget, SME’s typically look for solutions that cover a variety of areas – in this article we’re going to talk through three solutions I have either used or have interest in using as examples on what an SME might look for when monitoring their environment, adding in a bit of security perspective where possible.
TotalView by Path Solutions
What value does Path Solutions bring to your network? During the Security Field Day 3 session, my first thought was of an organisation who cares for their customers; from the online reviews I read, that’s an ongoing theme, they listen and care.
This solution also comes across as intuitive, as if a technical person was meant to understand it’s not only flashy diagrams and management reporting. It’s not a ‘single pane of glass’ solution, but it is a focused view of network traffic and connection analysis that a limited team is going to benefit from. It seems to cut down time and has the tools required to get the information needed for an investigation – in a cost-effective way. However, as noted below, TotalView incorporates a bit more than simply network monitoring but built-in security insights as well.
The budget conscious label stems from the reduced licensing fees, the reduced software solution/infrastructure and training to deploy the tool. As well, it’s designed so that within 30-minutes online it’s providing your team insight, not some long-term implementation project that take’s months to tune. As noted, comparing with PTRG, from the demo alone not hands-on experience, there were a few further investigation insights for security which would provide valuable information to the team.
Built into the solution is a threat intelligence/CVE database, which is updated from NIST every 24-hours. Additionally, there is monitoring in place for risky practices, such as identifying all services not using encryption (i.e. http, telnet), which can be put on an allow list (i.e. whitelisted) if identified as needed by the organisation. Another intelligence feature is the IP address linked to location database, which is also updated on a 24-hour cycle.
Whilst no metadata is available to add to assets at this time, it does provide a 5-minute frequency scan for new devices in order to provide a similar auto-discovery type approach to deployment. However, in the tool’s interface, these new devices provide a separate tab between network devices and end point devices. This can identify possible shadow IT and/or malicious actors deploying an unauthorised device.
TotalView also provides a built-in feature to create a network diagram, which is takes a workload off of a busy IT team. Looking to investigate a specific device, this solution can search for devices depending on the labelling, and will also highlight where these devices are plugged in. This contextual information will enhance both troubleshooting and incident investigations and reduce the need for additional systems such as asset management – therefore saving time.
You can also shutdown physical interfaces if required, it makes sure to protect against human error by not providing that capability for network ports which are trunk ports.There is cloud monitoring (i.e. making use of SalesForce) packet loss, latency, stability, graphs & monitoring but not a security compliance view. Built within C/C++ and making use of SQLlite, it is integrated with nmap and will interface with WMI.
Note: if you’re running mostly within an IPv6 network, you’re likely not going to get a ton of insight, according to PathSolutions this is due to vendors implementation. However, if you’re like most networks that’s not a massive issue for now. Additionally, they do not have 802.1x visibility.
Pros:
Paid within a range, per interface – discounted based on range it fits within
On-premises and cloud hosted – deployed on Windows
Offers both agent-based or collection devices
Rapid deployment (30-minutes from implementation to use)
Built in vulnerability scanner for devices, which includes CVE information[5] right there to investigate – can be seen within the individual asset, through all vulnerabilities, and exported to Excel for investigation
Cons:
No free tier
No metadata currently available to add to assets – however, it was noted during the demo they will be adding this
Cloud monitoring is limited to quality of connection for now
Documentation available here: https://www.pathsolutions.com/solutions/network-security-awareness
Online demo available here: https://www.pathsolutions.com/sandbox
PRTG by Paessler
Now, I’m a massive fan of PRTG for a variety of reasons. Firstly, they’re German, so along with being within the EU, Germany is known for very strict data protection requirements. Having used this solution in many different situations and speaking with their employees through support questions and saying hi at conference booths – overall, I have always felt they listen to their clients, and work hard to build an effective solution.
PRTG is a network monitoring solution that uses agentless sensors[1] to validate environment state like bandwidth usage. It supports SMEs by providing an auto-discover mode, that will generate a list of device assets. As with any environment, quick deployment and automation are truly welcome – PRTG covers these features with hierarchy and inherited object triggers. Meaning, you can configure what action to be taken for an alert, and every child sensor of this takes on that action. However, if unique actions needed, you can customise as required.
The deployment of PRTG monitoring is straight-forward, but if you do have questions the existing online documentation is well maintained. From my experience however, it’s the solutions that have a community behind them and their community site or forum it is what sets solutions apart. If there is a limited community, for an SME client, that would be a red flag – as limited online resources for investigations, diagnosis, and other’s experiences means likely expensive professional services to troubleshoot problems.
Another positive feature, especially for organisations that are still working through building their baseline or ‘normal’ for the business network - PRTG identifies statistically if something is unusual. Such as for this hour, traffic is above or below the normal and expected. This is regardless of the alerting thresholds.
Licensing is done by the sensor, with many capabilities built in, see available sensor types, but the difference is the free version of PRTG is limited to 100 sensors, whereas paid varies depending on your needs. For example, if you were monitoring 100 devices their documentation states typically that would make use of 1000 sensors. Whereas for Switches and Routers, if they want everything on every port, that would equal 1 sensor per interface. Or they are more focused on the uplink only, then you reduce the sensors. What organisations I have worked with found most useful, is deployment within the trial phase allows a full paid environment – so unlimited alerts, that then are tailored down to actually useful, and pricing is then easily calculated.
Data retention is always important, depending on your needs this can be customised – the default is raw data stored for 1 year. Estimations on space required are held here, again, based on the 1-year default.
Pros:
German based, high privacy regulations
30-day Trial (auto converts to free license once expired)
Free tier provides 100 sensors (Comparison free vs paid)
Paid tier is based on number of sensors, so discounts on larger deployments.
Built-in ticketing system, for SMEs that might not have their own solution
Simple to deploy, user friendly
Auto-discovery available
Unusual statistics monitoring on top of configured alerts
Online manual and community questions form
On-premises and Cloud hosted – deployed on Windows
Agent-less, monitoring through SNMP, Packet Sniffing, and Netflow options
Cons:
Limited to quality of connection/expected threshold, this wouldn’t be looking for signatures of attack unless you have trigger/alerts previously configured
No vulnerability scanning
Limited patch management[2]
Solution is focused on quality of connection, additional tooling for more security focused monitoring
Documentation available here: https://www.paessler.com/manuals/prtg
Solarwinds MSP RMM
Years ago, I owned a Managed Service Provider (MSP) which made use of this solution[6] for monitoring within my individual clients depending on their requirements. This included monitoring for patching and deployment features, scheduled and immediate. Along with providing remote technical support through the integrated TeamViewer.
As noted, both in the name, i.e. MSP, and my experience for owning an MSP and making use of this – it is not just for in-house deployments but also subscription-based deployments. Whilst not directly related to what we’ve been discussing, this solution also provides the ability to (with extra cost) track billable time, create invoices, and integrations with accounting software.
One thing I noted years ago and therefore could be different now, it wasn’t as intuitive as other solutions out there and is far more focused on endpoint management then network monitoring. From reading more recent reviews, others have echoed that opinion regarding less intuitive GUI, but I no longer have first-hand experience with this.
When it comes to SME solutions, the combined features in one platform is attractive because of the reduced licensing fees, operation teams training for the different solutions, and time saved between making use of these different solutions. Whilst we haven’t actually compared the cost of the different solutions, outside of free vs paid tiers, it is of value to note this solution also provides the following for end devices: cloud backup, remote support software, patch management, and the ability (at extra costs) to deploy anti-virus and web protection.
From a network management perspective RMM can grab basic information from SNMP but that’s about it, no analysis and trends and no network device management. It illustrates the need for both a network focused management tool and end-point management and I’ve not seen a solution that brings all of these requirements directly together.
Pros
14-day trial period
Licensed per asset
Centralised management of devices and monitoring
Patch management monitoring and deployment
Backup to the cloud, frequency and bandwidth restrictions available
Remote support built-in for devices, through TeamViewer
Built-in alerting system
Mobile app for management, including alerts and monitoring
Community form appears to be available (login required)
Cons
No free tier
Not as intuitive to use as others.
Agent based only – which might limit ability to make use of in some environments
No analysis / trends for network devices
No network device management
Whilst there are a variety of approaches, as we discussed above, it’s fair to say SME’s require this hybrid approach: in-house and third party integrations. SME’s also benefit from using solutions aimed at covering a variety of areas, i.e. the five cyber security areas in the above diagram by NIST, and reducing the time of an investigation by incorporating network devices and end user devices in a centralised view. Available customisation is brilliant, but solutions that work ‘right out of the box’, which can provide network insights quickly and flag unusual activities are going to enhance this reduced team.
Clearly, this list is nowhere near complete I have simply highlighted three resources I have used or am interested in, aimed at the mid-level market. For teams looking to investigation solutions that might work for their environment my thoughts are:
Clearly identify the environment’s requirements, team member’s skills, and any available training.
Provide a robust budget and deployment plan that will work for the business and team.
Discuss this requirements document with the vendors prior to booking demos, as you may be able to remove solutions from the list early on.
Then, when attending demos, ask informed questions based on these requirements, and make note of where responsibilities lie between the vendor, third party, and in-house teams.
Good luck and good hunting! Always remember, if you don’t investigate you’ve already failed. If you do put the time in to identify gaps and enhance your management and security foundations, then by default you are taking proactive steps needed to show you’re trying to do the right thing and from a compliance point of view – that adds weight to your argument if you ever find yourself in a security incident.
Footnotes:
[1] Sensor: purely software based, 1 aspect on 1 device you are monitoring (i.e. validating if Apache running, CPU usage, &c). [2] There is an ability to validate through PowerShell Time Since Last Update within Windows [3] Cloud monitoring is limited to quality of uplink vs security considerations/risks [4] TotalView built with C/C++, database is MySQL [5] CVE database updated every 24-hours [6] This was prior to Solarwinds MSP acquiring this solution #TFD #XFD3 #SME #TOM #Security #CyberSecurity