Most companies take it as a given that firewalls, antivirus, and backups are minimum security controls for the standard business. While it remains true that having a layer-7 aware firewall, solid endpoint protection and recoverable backups are controls every organization should have in place, there’s more to security than firewalls, endpoint protection and backups.
Central to any comprehensive security strategy is visibility of what is going on within the network. This comes in two forms: network monitoring systems and log aggregation and alerting systems. Network monitoring systems come in the form of SNMP monitoring systems and Flow monitoring software. Log aggregation and alerting systems are most typically referred to as security information and event management systems (a.k.a. SIEM).
Systems that provide SNMP and Flow monitoring of the network give visibility into the packets traversing the network on a port-by-port and application basis. Such information can be useful in identifying rogue PC’s on the network – such as those infected by a virus – or systems that are producing excessive volumes of traffic from one application type or another. At the end of the day, this visibility gives insight into what constitutes a “normal” day on your network.
SIEM’s are another class of software altogether, designed to collect logs from various systems, to analyze those logs for anomalous events and alert on those events. These alerts typically come in the form of emails or texts. The analysis that comes with those alerts is highly sophisticated to identify anomalies across all systems – not just the network, but across domain controllers, workstations, network appliances, switches, routers, antivirus solutions, data loss prevention systems, and any other variety of systems you send logs from to the SIEM. Such systems can be quite powerful and insightful.
So, while state-of-the-art firewalls, antivirus, and backups provide protection against the myriad of threats that the average network may face, they are not sufficient to protect your network from the totality of threats that your network faces on a day-to-day basis. To protect against the full range of attacks, you need security that extends beyond the firewall.