alphaspirit - Fotolia


Monitoring outbound traffic on your network: What to look for

Outbound network traffic remains a weakness for many enterprises and is a major attack vector. Expert Kevin Beaver explains how to spot irregular occurrences in your network.

In the wake of massive distributed denial-of-service attacks enabled by compromised routers and internet of things devices, many people have been advocating for better monitoring of outbound traffic. In addition to watching for potential data exfiltration, unauthorized uploads and internet access that violates company acceptable use policies, enterprises now have to consider systems and protocols involving their wireless hotspots, multifunction printers and other devices usually considered noncritical.

There's so much activity taking place on the typical network, it is likely that most people don't know what's happening right under their noses -- as evidenced by the innumerable confirmed incidents and breaches that have occurred. According to Skyhigh Networks Inc., there are over 1,400 cloud services in use in any given enterprise network. These are legitimate (although not necessarily approved or supported) applications.

There is also all the noise involving malware, hacking and security challenges created by unpatched or misconfigured systems to consider. This all amounts to an evolving reality that impacts everyone. In other words: you don't know what you don't know.

Further complicating the risk picture, Skyhigh Networks also found that 32% of IT professionals ignore security alerts because of the many false positives. How can business leaders expect information security to be managed effectively in their organization when their staff members don't know what's where, who's doing what and what level of business risk it is facilitating? Simply put, they can't.

Before enterprise security professionals begin digging into what's outbound from their network, they should consider if their methods could increase spending or lead to hiring more employees. A common test I perform as part of my internal security assessments and penetration tests is using OmniPeek to look for anomalous traffic going across internet ingress/egress points. It's rare to not find something odd taking place, especially in outbound traffic. I often find top talkers where they shouldn't be (i.e., user workstations) and communication to questionable foreign countries -- both of which suggest or lead to unauthorized network behavior and malware infections. This is a one-time test and proof of concept in my assessments. For larger scale network security monitoring, enterprises need tools and processes that can provide the ongoing insight necessary to minimize risks over the long haul.

Here are some examples of outbound traffic that can signal security trouble:

  • SSL/TLS or other encrypted connections -- especially those going to or coming from unknown systems.
  • Network errors and protocol anomalies, such as dropped packets, authentication errors and domain name system (DNS) or network time protocol traffic amplification.
  • Odd or unsupported protocols coming from network segments reserved for printers, guest wireless systems and other low-visibility systems.
  • Application-level threats, such as advanced persistent threat and zero-day attack traffic, involving DNS lookups to unknown servers, communication with foreign hosts and large amounts of traffic to and from a small number of hosts.

According to my experience performing firewall rule base analyses, many enterprise security and network teams are not blocking outbound traffic at the firewall. It's often considered too much trouble -- too many things break, leading to many complaints and calls directed at IT and security teams. Certain compensating controls beyond firewall rules, such as access control lists, proxies and routing configurations, can limit such traffic, but that's not a foolproof approach and, like firewall rules, can prove to be cumbersome.

Purpose-built technologies, such as web proxies, next-generation firewalls and cloud access security brokers, can monitor for anomalous outbound behavior. Network analyzers and forensic recorders can also be used.

Perhaps the smartest approach to this growing risk is to outsource this function to a managed security services provider. I'm not a big fan of IT and security professionals taking on new responsibilities because, the exact moment they do, they have to give up something else or end up doing both things less effectively.

Whatever you choose to use, the risk of outbound traffic needs to be on your radar. It not only needs to be monitored, but it also needs to be truly acknowledged and blocked where feasible. Outbound network traffic was one of the original weaknesses enterprises attempted to control in the early days of the web. Today, it's still one of the few frontiers of network security we've yet to master. Unless and until we do, criminals will continue exploiting this weak spot, and our current security challenges will grow into more difficult experiences.

Next Steps

Learn how to use traffic shaping and Network I/O Control to monitor and manage network traffic

Find out more about next-generation network monitoring tools

Discover the essential features to look for in a network monitoring system

Dig Deeper on Threat detection and response

Enterprise Desktop
Cloud Computing