How closely do you monitor your network?
How closely do you monitor the outgoing traffic on your corporate network? The question sprang to my mind as I read about the story of how a Tor operator was raided over the allegation of child porn. In this case, one of seven Tor exit nodes operated by William Weber was apparently used to transfer the illegal images, culminating in his arrest and seizure of his computers by the authorities.
Innocent or not, the case does underscore the state of current logging techniques; security experts can trace data packets to a source IP address, but have no easy way to remotely determine if a particular node is simply a means to obfuscate a hacker's tracks.
On this front, compromised servers or workstations can be used as a relay to break into another network. Once done, the hacker takes time to delete the pertinent logs on the compromised host before withdrawing, never to be seen again. To further confuse investigators, a careful cyber criminal may up the ante by daisy-chaining two or more such systems.
Another reason for monitoring a network for suspicious traffic would be to identify the presence of botnets. Botnets, malware which effectively grants control of a computer to a remote system, are typically used to perform DDoS attacks on victims, or are configured to surreptitiously siphon off data such as usernames and passwords. The former wastes a company's bandwidth, while the latter can allow hackers to break into more corporate systems.
While network monitoring using an IDS or IPS does not magically protect your company from the above threats, it is the first step towards determining whether those threats are present. I'm hence curious to hear about the steps taken by your company in monitoring the corporate network. Do you have any tips, tricks and advice to offer?
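To make the outbound-monitoring point above concrete, here is an added example written for this page; it is not code from the original post or from any IDS/IPS product. It runs two heuristics over a constructed flow log (RFC 5737 documentation addresses, made-up timestamps and byte counts): near-constant connection intervals from one internal host to one external address, which is what a bot checking in with its controller tends to look like, and an unusually large byte volume pushed from one internal host to a single external destination, the shape of a data siphon. The log format, function names and thresholds are assumptions, not anything the post specifies.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound flow records: timestamp, internal source,
# external destination, destination port, bytes sent. The addresses are RFC 5737
# documentation ranges and the traffic is invented for this example.
SAMPLE_LOG = """\
2013-01-05T10:00:00 10.0.0.5 203.0.113.10 443 512
2013-01-05T10:05:01 10.0.0.5 203.0.113.10 443 498
2013-01-05T10:10:00 10.0.0.5 203.0.113.10 443 520
2013-01-05T10:14:59 10.0.0.5 203.0.113.10 443 505
2013-01-05T10:20:00 10.0.0.5 203.0.113.10 443 511
2013-01-05T10:25:00 10.0.0.5 203.0.113.10 443 499
2013-01-05T10:01:13 10.0.0.7 198.51.100.20 80 2048
2013-01-05T10:07:40 10.0.0.7 198.51.100.21 80 1800
2013-01-05T10:31:02 10.0.0.7 198.51.100.22 443 950
2013-01-05T10:02:00 10.0.0.9 198.51.100.50 22 45000000
2013-01-05T10:03:00 10.0.0.9 198.51.100.50 22 52000000
2013-01-05T10:04:30 10.0.0.9 203.0.113.77 443 700
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format assumed above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def find_beacons(flows, min_conns=5, max_cv=0.05):
    """Return (src, dst, mean_interval_seconds) for pairs whose connection
    intervals are nearly constant: at least min_conns flows and a coefficient
    of variation (stdev / mean) of the gaps at or below max_cv."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, round(avg)))
    return hits


def find_heavy_senders(flows, threshold_bytes=50_000_000):
    """Return (src, dst, total_bytes) where one internal host sent more than
    threshold_bytes to a single external destination over the log window."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["bytes"]
    return [(s, d, b) for (s, d), b in totals.items() if b > threshold_bytes]


def analyse(text):
    """Run both heuristics over a log text and return the findings together."""
    flows = parse_flows(text)
    return {
        "beacons": find_beacons(flows),
        "heavy_senders": find_heavy_senders(flows),
    }


if __name__ == "__main__":
    for kind, findings in analyse(SAMPLE_LOG).items():
        for finding in findings:
            print(kind, *finding)
```

In the sample, 10.0.0.5 is flagged for a five-minute check-in with almost no jitter, and 10.0.0.9 for roughly 97 MB sent to one destination; 10.0.0.7, which browses a few different hosts at irregular times, trips neither rule. In practice the input would be NetFlow/IPFIX or IDS connection logs rather than a string, the thresholds would be tuned per network, and a hit is a lead for an analyst to examine, since backups, software updates and monitoring agents also produce regular or bulky outbound traffic.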