Today I have been looking at my firewall logs through the lens of my security information and event management (SIEM) console. My staff usually does the day-to-day monitoring, and I have a third-party service that monitors the SIEM 24x7, but today I looked in on the situation with my own eyes, which I like to do every so often. I noticed some interesting things.
First of all, my network is constantly under attack. Every day, all day long, some kind of denial-of-service, port scanning, account/password guessing or direct exploit is being attempted. This seems to be the background noise of the Internet, most likely generated by automated systems under the control of malware, perhaps even large networks of botnets. Most of it doesn't seem to be directed at my network. It just seems to be crawling through the IP address spaces of the Internet in general.
I've noticed the same thing on my home network. I have a firewall at home that sits right behind my Internet router, and every once in a while I look at its logs, in much the same way I look at my company's firewall logs. At first I was surprised — it was kind of a shock to see actual exploit attempts targeted at my home computers, game consoles, DVRs and other Internet-connected devices. Of course I realize that malicious traffic is ubiquitous on the Internet, but knowing it is not the same thing as seeing it face-to-face. It's like looking down the barrel of a gun.
On my company's network, the firewall blocks all these attacks. Literally. The only successful security breaches I've had on my network have been from the inside — malware from email, malicious websites and tainted storage devices. Nothing has been able to hit me from outside through the firewall (knock on wood). I know this because I have sophisticated threat monitoring on my network and endpoint computers. So what I'm really looking at are firewall denies.
Still, despite the fact that none of the attacks are getting through, I wanted to do a deeper analysis. I started by separating the attacks into three categories.
The first category is the lowest level of concern, which is just information from the firewall logs about small amounts of bad traffic. Mostly this consists of a few bad connections or invalid network packets and connection timeouts. Nothing that can cause a lot of harm.
The second category is network traffic that is clearly malicious but doesn't pose an immediate threat. Obvious exploit attempts or vulnerability scans looking for security holes fall into this category, as long as my firewall is able to block it all.
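The triage described above is easy to automate once the firewall denies are in one place. The following is an added example, not code from the column or from any particular SIEM: it parses a constructed, generic syslog-style deny line (the field names `src`, `dst`, `dport`, `proto`, `reason` and the `DENY` keyword are assumptions; real firewalls use their own formats), aggregates denies per source address, and sorts each source into the first category (a few bad connections, invalid packets, timeouts) or the second (a scan across many ports, an exploit attempt the firewall's own signature engine flagged, or repeated password guessing against a single login port). The thresholds are assumptions to be tuned against your own baseline, and because the third category is not described on this page, anything that fits neither of the first two is simply marked for review.

```python
"""Triage blocked firewall traffic into the two categories described in the text.

Added example; the log format, field names and thresholds below are assumptions.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Assumed thresholds; tune them to the volume your own firewall sees.
SCAN_DISTINCT_PORTS = 10   # one source touching this many ports = port/vulnerability scan
GUESS_SAME_PORT_HITS = 20  # this many denies to one login port = account/password guessing
AUTH_PORTS = {22, 23, 3389, 5900}
NOISE_REASONS = {"invalid-packet", "timeout", "policy"}

# Assumed generic deny-line layout: "<ts> <host> DENY src=.. dst=.. dport=.. proto=.. reason=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) reason=(?P<reason>[\w-]+)"
)


@dataclass
class SourceStats:
    """Everything we need per source address to apply the triage rules."""
    denies: int = 0
    ports: set = field(default_factory=set)
    reasons: Counter = field(default_factory=Counter)
    per_port: Counter = field(default_factory=Counter)


def parse_deny(line):
    """Return the fields of one deny line as a dict, or None if it is not a deny."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def aggregate(lines):
    """Group deny records by source address; non-deny lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s.denies += 1
        s.ports.add(rec["dport"])
        s.reasons[rec["reason"]] += 1
        s.per_port[rec["dport"]] += 1
    return stats


def classify(s):
    """Apply the triage rules to one source's statistics."""
    if s.reasons.get("ids", 0) > 0:          # firewall's signature engine flagged an exploit
        return "category 2: exploit attempt (blocked)"
    if len(s.ports) >= SCAN_DISTINCT_PORTS:  # many ports from one source = scan
        return "category 2: port/vulnerability scan (blocked)"
    for port, hits in s.per_port.items():    # hammering one login port = guessing
        if port in AUTH_PORTS and hits >= GUESS_SAME_PORT_HITS:
            return "category 2: password guessing (blocked)"
    if s.denies < SCAN_DISTINCT_PORTS and set(s.reasons) <= NOISE_REASONS:
        return "category 1: low-level bad traffic"
    return "review: fits neither category 1 nor 2"


def triage(lines):
    """Map each source address to its category."""
    return {src: classify(s) for src, s in aggregate(lines).items()}


# Constructed sample denies (documentation addresses, not real traffic).
SAMPLE_LINES = (
    # one source sweeping a dozen common ports
    [f"2024-05-01T08:00:{i:02d}Z fw DENY src=203.0.113.10 dst=198.51.100.5 "
     f"dport={p} proto=tcp reason=policy"
     for i, p in enumerate((21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080))]
    # an exploit attempt the firewall's signature engine flagged (reason=ids is assumed)
    + ["2024-05-01T08:01:00Z fw DENY src=203.0.113.77 dst=198.51.100.5 "
       "dport=445 proto=tcp reason=ids"]
    # 25 connection attempts to SSH from one source
    + [f"2024-05-01T08:03:{i:02d}Z fw DENY src=192.0.2.44 dst=198.51.100.5 "
       f"dport=22 proto=tcp reason=policy" for i in range(25)]
    # background noise: a malformed packet and a timeout
    + ["2024-05-01T08:02:00Z fw DENY src=192.0.2.5 dst=198.51.100.5 "
       "dport=443 proto=tcp reason=invalid-packet",
       "2024-05-01T08:02:30Z fw DENY src=192.0.2.5 dst=198.51.100.5 "
       "dport=443 proto=tcp reason=timeout"]
    # an allow, which the parser ignores
    + ["2024-05-01T08:04:00Z fw ALLOW src=192.0.2.9 dst=198.51.100.5 dport=443 proto=tcp"]
)

if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_LINES).items()):
        print(f"{src:16} {verdict}")
```

Running the block over the constructed sample puts the port sweeper, the signature-flagged exploit and the SSH guesser in the second category and the two malformed packets in the first. Aggregating by source before classifying is the point: a single deny line rarely says anything, while the same source hitting a dozen ports in a minute is unambiguous.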