Since Totem offers cybersecurity empowerment services to small to medium sized businesses (SMB), we strive to show that SMBs can supplement their existing cybersecurity tool suite with low-cost or free network monitoring solutions. Naturally, we were excited when we heard that LogRhythm provides a free version of its Network Monitor product: LogRhythm Network Monitor Freemium (NetMon Freemium). How could this tool could help small business' cybersecurity network security analysts, 'Hunters' as we call such individuals, quickly baseline network traffic, identify anomalies, and pursue further investigation?
During July 2017, we received permission from an SMB client of ours to prototype LogRhythm NetMon Freemium on their internal network, and investigate the features of the tool. We've captured the results of our investigation in a whitepaper, available for download at the bottom of the blog. The rest of this article is a synopsis of the whitepaper.
The SMB is a micro-business, with fewer than 20 employees and workstations, and less than 25 Mbps traffic. The network hosts typical office devices, including printers, proprietary internal application and database servers, and a local physical security system. Ultimately, we established LogRhythm NetMon Freemium's scope of visibility as presented in Figure 1:
Integration and Test
LogRhythm NetMon Freemium provides out-of-the-box browser-based interfaces that provide an immense amount of network traffic data for a Hunter, and allows the Hunter to adjust the graphical interface to suit his/her needs. The 'Analyze' user interface allows, for example:
- Ability to configure displayed data period over minutes, hours, days, weeks, and months
- Granular queries on available detected fields to filter captured traffic
- Metadata summaries of flow sessions which include application path, IPs, MACs, etc.
- Option to turn on packet capture for all analyzed traffic flows
- Ability to download captured file and packet streams in *.pcap format
- Replay functionality with *.pcap formatted streams
Alone, the ability to categorize and download pcaps of traffic of interest makes LogRhythm NetMon Freemium a valuable tool for the Hunter; other free (and not-so-free!) tools do not have this ability out of the box. Reducing a Hunter's analysis time on a forensic task, such as file carving from a TCP stream, for instance, is imperative for a SMB with limited time resources.
Next we investigated the usefulness of the visualizations and dashboards within LogRhythm NetMon Freemium for baselining network traffic to facilitate identification of anomalies. As a practical guide and ad hoc standard for baselining network traffic, we utilized the SANS™ Institute's SANS DFIR Network Forensics and Analysis Poster (DFIR-Network_v1_4-17, available here for download with SANS™ account). The explanations of analytical methods outlined in the 'Network Traffic Anomalies' (NTA) section of the poster clarified what data and information we needed to display in visualizations and dashboards (Figure 2).
Figure 3 shows an example of a successfully created LogRhythm NetMon Freemium dashboard based on NTA standards. In this case the dashboard contains visualizations to meet the 'HTTP GET vs POST Ratio' and 'HTTP Return Code Ratio' NTAs:
The table below outlines our ideas of how a Hunter would use the dashboard. The left-hand column describes baselining activities, and the right-hand column describes anomalies that would trigger a Hunter to investigate suspicious network activities.
|Over time, establish a baseline of:||Investigate further when:|
|Typical proportion(s) between HTTP GET and POST request methods||Observed ratio deviates from normal baseline|
|Typical proportion(s) among #00-series return codes||Observed frequency distribution displays one or multiple spikes in #00-series return codes|
 The table consists of text taken directly from the NTA section of the SANS™ DFIR poster
Results of Evaluation
In the matrix below we evaluated how LogRhythm NetMon Freemium could help a SMB Hunter analyze network traffic against each SANS™ NTA standard. We used three criteria for the evaluation:
1) Ease of Implementation—How difficult was the implementation process for the visualizations?
- Easy: Visualization exists out-of-the-box, only required simple re-configuration
- Moderate: Required some novel development and re-configuration
- Challenging: Could not create from the Visualize development environment, or may require significant development within the tool
2) Ease of Anomaly Detection—How quickly can the Hunter discover anomalies after establishing a baseline?
- At-a-glance: Deviations are immediately apparent within the visualizations, at-a-glance
- Deeper look: Deviations require cross-referencing with other organized information or more in-depth examination of visualizations and associated capture table to recognize oddities; for instance, a scroll through the chart legend may be required to spot deviations
3) Additional Tools Required?—Are additional software or network tools required to complete analysis?
- Yes: At least one other tool (Nmap, Wireshark, SIEM, Firewall logs, etc.) is required
- No: The out-of-the-box interfaces and drill down tools are sufficient
As the matrix shows, we are satisfied with the LogRhythm NetMon Freemium product as a low-cost addition to the cybersecurity toolkit for an SMB Hunter. Free software can be a boon (with obvious exceptions: laden with spyware, not supported, etc.), and the cost of the necessary hardware was reasonable for a typical SMB. The process to install and integrate the product into a SMB's network environment was painless.
The user interface and experience in LogRhythm NetMon Freemium is intuitive, and relatively easily configurable for most of the SANS™ Institute Network Traffic Anomalies standards we judged the tool against. We successfully created dashboards for 9.5 of the 11 Network Traffic Anomalies presented in the SANS™ poster. A couple of the anomaly standards were met by LogRhythm NetMon Freemium right out-of-the-box, and in short-order we were able to create novel dashboards that could help the SMB Hunter identify other anomalies. The ability to drill down into a packet, flow, or pcap within seconds of identifying an anomaly is of much value to a Hunter, and automatic packet capture of (all, if desired) traffic flows distinguishes LogRhythm NetMon Freemium from other tools. For several of the NTA standards, LogRhythm NetMon Freemium would be the only tool the Hunter would need to identify an anomaly and determine the root cause.
However, it would be a mistake for a Hunter to rely solely on LogRhythm NetMon Freemium for network traffic monitoring, as the tool has limitations in meeting several of the SANS™ standards, such as identifying external infrastructure attributes and usage attempts. The user interface needs improvements in some areas as well. For example, the main query interface has limitations, and users that are familiar with regular expression searches in scripting engines may become frustrated as they familiarize themselves with the Lucene regex syntax. HBA explored the Deep Packet Analysis Rules engine in the tool, which opened avenues for more in-depth analysis by a SMB Hunter; however, manipulating these Rules required a level of software programming or scripting expertise an average SMB Hunter may not possess.
Once the tool has been installed and configured for the SMB environment, we predict a SMB Hunter would spend ½ hour or so a day using the dashboards to establish baselines of normal network traffic. Once the Hunter is comfortable with the baselines, he or she should be able to quickly spot anomalies during that same ½ hour period, and then use the tool to plan and execute further investigations.
LogRhythm's NetMon Freemium is a valuable tool for someone hunting network traffic anomalies in a small business network, especially since the software is free. Although it has its front/backend limitations and should be one tool of several in a toolkit, it meets many industry standards for network traffic analysis. It can certainly help the Hunter baseline network traffic, identify anomalies, and pursue further investigation.
Again, you can download the full whitepaper describing our investigation here.
For more information on LogRhythm NetMon Freemium and to download it, see:
We found the very active NetMon Community extremely helpful with deployment: