Preventing security issues

Monitoring security issues: quick start

Security check

Security incidents plague the majority of Internet resources. It is still possible to notice most security issues, both actual and potential, before any damage is caused. The list below gives a general impression of how this could be done for various types of security problems.

1. Web applications

Example 1. Nowadays, using HTTPS is a must; modern browsers visibly warn users when a site is served insecurely or when its certificate is invalid. Any public Web resource should have a valid TLS/SSL certificate; although certificate renewal is often automated, certificates can still expire or be deployed incorrectly.

To prevent that, set up monitors to check SSL certificate expiration. It is also useful to validate the HTTP response itself — not just availability, but also the expected response code and page content — so you are alerted if a login page, payment form, or application endpoint starts returning an unexpected result.
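The two checks just described (certificate expiry and response validation), as an added example written for this page rather than code from the monitoring product or a "Python script" monitor template. The host name, URL, expected page text and the 14-day warning threshold are assumptions; the evaluation logic is kept apart from the network calls so it can be exercised offline.

```python
"""Added example for this page: a certificate-expiry and page-content check of
the kind a "Python script" monitor could run. It is not code from the
monitoring product; the host name, URL, expected text and the 14-day warning
threshold are assumptions for the example."""
from __future__ import annotations

import socket
import ssl
import time
import urllib.error
import urllib.request
from typing import Optional, Tuple

WARN_DAYS = 14  # assumed threshold: warn when fewer days than this remain


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Days remaining before the 'notAfter' date in the format returned by
    ssl.getpeercert(), e.g. 'Jan  5 09:34:43 2030 GMT'. Negative means expired."""
    expiry = ssl.cert_time_to_seconds(not_after)
    current = time.time() if now is None else now
    return (expiry - current) / 86400.0


def certificate_state(not_after: str, warn_days: int = WARN_DAYS,
                      now: Optional[float] = None) -> str:
    """Map the remaining lifetime to a monitor state: OK, WARNING or CRITICAL."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "CRITICAL"
    if days < warn_days:
        return "WARNING"
    return "OK"


def evaluate_response(status: int, body: str, expected_status: int = 200,
                      must_contain: Optional[str] = None) -> Tuple[bool, str]:
    """Compare a fetched page with the expected status code and content.

    A login or payment page that still answers 200 but has lost its form is as
    much of a problem as one that is down, so both conditions are checked."""
    if status != expected_status:
        return False, f"unexpected status {status} (expected {expected_status})"
    if must_contain is not None and must_contain not in body:
        return False, f"expected content {must_contain!r} not found in body"
    return True, "response matches expectations"


def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Open a verified TLS connection and return the leaf certificate's notAfter.
    Needs network access; the helpers above do the actual evaluation offline."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def fetch_page(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Fetch a URL and return (status, body); HTTP error responses are returned
    rather than raised so that a 500 or 503 can be evaluated like any other."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    host = "www.example.com"  # assumed target for the example
    not_after = fetch_not_after(host)
    print("certificate:", certificate_state(not_after), "expires", not_after)
    status, body = fetch_page(f"https://{host}/")
    ok, reason = evaluate_response(status, body, 200, "Example Domain")
    print("page:", "OK" if ok else "PROBLEM", reason)
```

Because `fetch_not_after` uses `ssl.create_default_context()`, an invalid or untrusted certificate fails the handshake outright, which is itself a result worth alerting on; how the script signals OK, WARNING or CRITICAL back to the monitor (exit code or printed value) depends on what the monitor type expects and is not shown here.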

Example 2. A number of sites use hosting control panels or cloud management platforms. In many cases, each hosted application has limits such as bandwidth, disk space, or account quotas, and periodic notifications alone may not be enough to prevent a service interruption.

However, many hosting and infrastructure platforms expose HTTP(S)-based APIs that allow checking limits or triggering automation at any moment. By means of a custom monitor (“Script or Program” or “Python script”), one can retrieve the relevant values and notify the site owner before the resource is suspended. In addition, the “Send HTTP(S) request” simple action can be used to call external services or automation endpoints directly.

2. Windows systems

On Windows systems, apart from checking for important event log entries (suitable for monitoring system resources, down to individual file changes), one can check for the presence of certain processes, for pending (not yet installed) security updates, and for whether a system reboot is required to apply them.

An Event Log monitor can also be used to detect security-type events (such as logon attempts, credential changes, etc.); the exact set of such monitors depends on which security-level events are considered important (for example, failed logon attempts under accounts with administrative rights).

There may be services and processes that should be started automatically at boot time and be running under normal circumstances. A Windows Service monitor can confirm that they are present and running, while Event Log monitors watch for security-relevant events in parallel. In practice, this is especially useful for security-related services such as endpoint protection, backup, or log collection components; for example, if an anti-malware service isn’t running, it can pose a security threat to the whole system. Note: since IPNetwork can’t monitor its own service, we recommend setting up a second IPNetwork installation which will only monitor the presence of your main IPNetwork monitoring service.
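The three Windows checks described in this section (failed logons under privileged accounts, a security service that must be running, and a pending reboot), as an added example written for this page; it is not code from the monitoring product. The event records, account names and `sc query` output are constructed samples, and the evaluation logic is kept separate from the Windows-only calls so that it can be exercised anywhere.

```python
"""Added example for this page: three Windows checks a custom monitor could
run, with the evaluation logic separated from Windows-only calls so that it
can be exercised anywhere. Illustration written for the page, not code from
the monitoring product. The events, account names and service output below
are constructed samples; Event ID 4625 ("An account failed to log on"), the
'sc query' output layout and the RebootRequired/RebootPending registry keys
are standard Windows."""
from __future__ import annotations

import re
import subprocess
from typing import Dict, Iterable, List, Optional, Tuple

FAILED_LOGON = 4625  # Security log: an account failed to log on

# Constructed Security-log records reduced to the fields the check needs;
# TimeCreated is given in seconds for brevity.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4625, "TimeCreated": 1000, "TargetUserName": "Administrator"},
    {"EventID": 4625, "TimeCreated": 1030, "TargetUserName": "Administrator"},
    {"EventID": 4625, "TimeCreated": 1045, "TargetUserName": "alice"},
    {"EventID": 4624, "TimeCreated": 1050, "TargetUserName": "alice"},
    {"EventID": 4625, "TimeCreated": 1061, "TargetUserName": "Administrator"},
    {"EventID": 4625, "TimeCreated": 5000, "TargetUserName": "Administrator"},
]


def failed_admin_logons(events: Iterable[Dict[str, object]], admin_accounts: Iterable[str],
                        window_seconds: int = 300, threshold: int = 3) -> List[Tuple[str, int]]:
    """Return (account, attempts) for privileged accounts that accumulate at
    least `threshold` failed logons within any `window_seconds` sliding window.
    Account names are compared case-insensitively and reported in lower case."""
    admins = {name.lower() for name in admin_accounts}
    per_account: Dict[str, List[int]] = {}
    for event in events:
        if event["EventID"] != FAILED_LOGON:
            continue
        user = str(event["TargetUserName"]).lower()
        if user in admins:
            per_account.setdefault(user, []).append(int(str(event["TimeCreated"])))
    alerts: List[Tuple[str, int]] = []
    for user, times in per_account.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((user, best))
    return alerts


# 'sc query <service>' prints a STATE line such as 'STATE : 4  RUNNING'.
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.MULTILINE)

SAMPLE_SC_OUTPUT = """
SERVICE_NAME: WinDefend
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""


def parse_sc_state(sc_output: str) -> Optional[str]:
    """State word (RUNNING, STOPPED, ...) from 'sc query' output, or None when
    the service does not exist or the output carries no STATE line."""
    match = STATE_RE.search(sc_output)
    return match.group(1) if match else None


def service_is_running(name: str) -> bool:
    """Query the local service control manager (Windows only, not run offline)."""
    proc = subprocess.run(["sc", "query", name], capture_output=True, text=True)
    return parse_sc_state(proc.stdout) == "RUNNING"


def reboot_required() -> bool:
    """True when Windows Update or Component Based Servicing has left a
    'reboot pending' marker (Windows only; winreg is imported lazily so the
    checks above stay portable)."""
    import winreg

    markers = [
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired",
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending",
    ]
    for path in markers:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path))
            return True
        except OSError:
            continue
    return False
```

The sliding window matters: three failures spread over a day are routine, three within five minutes against an administrative account are not, and a count-only rule cannot tell them apart. A service-presence check should look at the state word rather than the exit code of `sc`, since `sc query` succeeds for a stopped service too.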

3. Linux systems

All the cases mentioned above for Windows systems also apply to Unix-like systems (including Linux), with their own specifics. You will most probably use SSH-based monitors to access remote Linux systems securely. In distributed environments, Linux Remote Network Agents can also be used to receive Syslog messages and SNMP traps inside remote networks, which makes it easier to monitor security-related events without exposing every monitored system directly.

On Unix-like systems, system log monitors allow you to be notified in real time when the corresponding event occurs. Compatible logging facilities, such as rsyslog, can be used to send a monitoring event for any type of system event (including access to individual files). Care should be taken to set up and test Syslog monitors, to ensure they are all handled in a timely manner. This generic means of sending real-time notifications should be used for events of a critical nature (e.g., system resources getting scarce: RAM, free disk space, sockets and so on).
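What a Syslog monitor has to do with the messages rsyslog forwards to it, as an added example written for this page (not code from the monitoring product): parse the BSD-style line, decode facility and severity from the PRI field, and decide which messages deserve a notification, either by message pattern (authentication failures, scarce resources) or simply by severity. The sample lines, host names and patterns are constructed.

```python
"""Added example for this page: a parser for BSD-style (RFC 3164) syslog lines,
as forwarded by rsyslog, with classification by message pattern and by syslog
severity. Written for the page, not code from the monitoring product. The
sample lines, host names and patterns are constructed; the PRI encoding
(facility * 8 + severity) is the standard one."""
from __future__ import annotations

import re
import socket
from typing import Dict, List, Optional, Tuple

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                            # <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # 'Mar  7 10:21:03'
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: "        # 'sshd[2241]: ' or 'kernel: '
    r"(?P<msg>.*)$"
)

# Assumed patterns for the event classes the text mentions: authentication
# events and scarce system resources.
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("auth_failure", re.compile(r"Failed password for (?:invalid user )?\S+ from \S+")),
    ("disk_space", re.compile(r"No space left on device|filesystem .* full", re.I)),
    ("oom", re.compile(r"Out of memory: Killed process", re.I)),
]

SAMPLE_LINES = [  # constructed sample input
    "<38>Mar  7 10:21:03 web01 sshd[2241]: Failed password for root from 203.0.113.8 port 51234 ssh2",
    "<30>Mar  7 10:21:05 web01 systemd[1]: Started Daily apt download activities.",
    "<4>Mar  7 10:22:10 db01 kernel: EXT4-fs warning (device sda1): ext4_da_write_begin: No space left on device",
    "<2>Mar  7 10:23:00 db01 kernel: Out of memory: Killed process 4412 (postgres) total-vm:2048000kB",
    "<1>Mar  7 10:24:00 db01 kernel: mce: [Hardware Error]: CPU 0: Machine Check",
    "this is not a syslog line",
]


def parse_syslog_line(line: str) -> Optional[Dict[str, object]]:
    """Split one line into facility, severity, timestamp, host, tag, pid and
    message; None when the line is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def classify(record: Dict[str, object], max_severity: int = 3) -> Optional[str]:
    """Name of the first matching pattern; otherwise 'severe' when the syslog
    severity is err (3) or worse (lower numbers are more severe); else None."""
    for name, pattern in PATTERNS:
        if pattern.search(str(record["message"])):
            return name
    if int(str(record["severity"])) <= max_severity:
        return "severe"
    return None


def events_of_interest(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(host, category, severity name) for every line worth a notification."""
    found: List[Tuple[str, str, str]] = []
    for line in lines:
        record = parse_syslog_line(line)
        if record is None:
            continue  # a real monitor would count these as parse errors
        category = classify(record)
        if category:
            found.append((str(record["host"]), category, str(record["severity_name"])))
    return found


def receive_udp(port: int = 5514) -> None:
    """Minimal UDP receiver for testing a forwarding rule (not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, _ = sock.recvfrom(8192)
            for event in events_of_interest([data.decode("utf-8", "replace")]):
                print(event)
```

To feed such a receiver, rsyslog on the monitored host needs a forwarding rule such as `auth,authpriv.*;kern.* @@monitor-host:5514` (TCP; a single `@` means UDP), where `monitor-host` and the port are assumed names. Testing the rule end to end, for instance with `logger`, is the step the text asks for: a forwarding rule that silently drops messages leaves the monitor reporting nothing at all.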

4. External monitoring data

Time series databases (TSDBs, such as InfluxDB, ClickHouse, Graphite and others) are often used to collect miscellaneous data from many sources (to draw graphs, perform monitoring tasks, do analytics of various kinds, etc.).

IPNetwork can be used to interact with such database instances to get the monitoring (performance) data from a single source; when the time series database instance is in the same network, this can significantly reduce the time required to gather performance data.

The low overhead and quick response of such databases can be used to reduce monitoring latency (they allow polling more frequently without overloading the actual performance data sources). Please contact us if you need a monitor capable of interacting with a TSDB.

External analytics services, such as Google Analytics, as well as on-premises services like Matomo (formerly Piwik), can provide data indirectly related to security issues with Web resources. Google Tag Manager can also be part of such setups, but as a tag management layer rather than the analytics system itself. For example, a sudden drop in visitors or conversions may be worth investigating as soon as possible.

Last but not least, the results of anti-malware scans (such as Sophos, AI-Bolit) and of intrusion detection and integrity-checking tools (including AIDE, logwatch, Snort, to name a few) can provide important information on possible breach attempts and attack vectors in general, and can be used to notify the corresponding security personnel immediately.

Every report by any security-related service or piece of software can be relayed by IPNetwork; our product can serve as a security notification aggregator.

5. Network devices

Various network devices (network switches, routers, hardware firewall appliances, WiFi access points, etc.) are used as out-of-the-box solutions for typical networking and security tasks.

It is naturally necessary to control how such network devices are operating (including every aspect of their functions: traffic speed, available resources, the state of particular ports and interfaces, etc.). The majority of such devices provide an SNMP interface for reading state variables and, optionally, for controlling the device.

IPNetwork supports all major SNMP versions (v1, v2c, v3), including SNMP value monitoring and SNMP trap receiver monitors. In addition to polling values, trap monitors can be used for near-real-time device events, and the trap payload and timeout logic can be tuned to reduce noisy or misleading alerts. Apart from that, in response to a monitoring event, IPNetwork can set SNMP variables on a remote device (for example, enabling a certain network interface of a device if another interface goes down).
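The interface-failover scenario described above (poll ifOperStatus, enable a second interface when the first goes down), as an added example written for this page on top of the net-snmp command-line tools; it is not code from the monitoring product. The device address, community strings and interface indexes are assumptions, the IF-MIB OIDs are standard, and the output parsing and the failover decision are kept separate from the network calls so they can be tested without a device. It also makes the point the text raises about timeouts: a poll that times out is treated as "unreachable", not as "down".

```python
"""Added example for this page: an interface-state check and failover decision
built on the net-snmp command-line tools (snmpget/snmpset), with the output
parsing kept separate so it can be tested without a device. Written for the
page, not code from the monitoring product. The host, community strings and
interface indexes are assumptions; the IF-MIB OIDs are standard."""
from __future__ import annotations

import re
import subprocess
from typing import Optional

IF_OPER_STATUS = "1.3.6.1.2.1.2.2.1.8"   # IF-MIB::ifOperStatus (1 up, 2 down, 3 testing)
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"  # IF-MIB::ifAdminStatus, writable on most devices
STATUS_NAMES = {1: "up", 2: "down", 3: "testing"}

# Accepts 'IF-MIB::ifOperStatus.1 = INTEGER: up(1)' (MIBs loaded) as well as
# 'iso.3.6.1.2.1.2.2.1.8.1 = INTEGER: 1' (no MIB files installed).
VALUE_RE = re.compile(r"=\s*INTEGER:\s*(?:\w+\()?(\d+)\)?")


def parse_integer_value(output: str) -> Optional[int]:
    """Integer from one line of snmpget output; None for timeouts/errors."""
    match = VALUE_RE.search(output)
    return int(match.group(1)) if match else None


def snmp_get(host: str, oid: str, community: str = "public",
             version: str = "2c", timeout: int = 5) -> Optional[int]:
    """Poll a single integer object with snmpget (needs net-snmp and a device)."""
    cmd = ["snmpget", "-v", version, "-c", community,
           "-t", str(timeout), "-r", "1", host, oid]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return parse_integer_value(proc.stdout)


def interface_state(host: str, if_index: int, **snmp_args) -> str:
    """'up', 'down', 'testing', 'other(n)' or 'unreachable' for one interface."""
    value = snmp_get(host, f"{IF_OPER_STATUS}.{if_index}", **snmp_args)
    if value is None:
        return "unreachable"
    return STATUS_NAMES.get(value, f"other({value})")


def failover_needed(primary_state: str, backup_state: str) -> bool:
    """Enable the backup only when the primary is confirmed down and the backup
    is not already up. A timed-out poll ('unreachable') is not evidence that
    the interface is down, so it never triggers the action by itself."""
    return primary_state == "down" and backup_state == "down"


def set_admin_status(host: str, if_index: int, up: bool = True,
                     community: str = "private", version: str = "2c") -> bool:
    """snmpset ifAdminStatus.<index> to up(1) or down(2): the 'enable another
    interface' action described above. Needs a write community or SNMPv3 user."""
    cmd = ["snmpset", "-v", version, "-c", community, host,
           f"{IF_ADMIN_STATUS}.{if_index}", "i", "1" if up else "2"]
    return subprocess.run(cmd, capture_output=True, text=True).returncode == 0


if __name__ == "__main__":
    device, primary, backup = "192.0.2.1", 1, 2  # assumed device and interface indexes
    states = interface_state(device, primary), interface_state(device, backup)
    print("primary:", states[0], "backup:", states[1])
    if failover_needed(*states):
        print("enabling backup:", set_admin_status(device, backup, up=True))
```

Polling should use a read-only community (or SNMPv3 user) and the write credential only for the set action. Where the device supports it, SNMPv3 with authentication and privacy is preferable to v1/v2c, whose community strings travel in clear text; with net-snmp that means `-v 3 -u <user> -l authPriv` plus the auth and privacy options in place of `-c`.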

Using SNMP-based monitors and simple actions can be challenging; we would be glad to assist you with that.

Conclusion

When planning a monitoring setup, enumerate all the vital types of services and resources that should be watched. IPNetwork can use GSM modems to send SMS notifications as an emergency notification means, in case the network it is installed in loses its Internet connection.

By checking for the presence of the IPNetwork monitoring service (from another IPNetwork Monitor installation), you can efficiently create a monitoring setup without a single point of failure.