Last updated at Tue, 21 Apr 2020 19:50:42 GMT

One of the most common questions in IT is how to find out what users are doing on a network. The challenge is that users’ digital footprints are spread all over networks and include data sources like:

  • Server and application log files
  • Network traffic
  • Profile information on computers and laptops
  • Network device logs

When it comes to server and application logs, one of the most important pieces of data to capture is when users are logging onto a network. This data can be sourced from the directory services infrastructure; you just need to make sure you have logging enabled on services like Microsoft Active Directory. Logs like this will give you usernames, IP addresses, and date and time of logon. The username and IP address combination is very important because many other network systems will log data based on IP address, so you will need an inventory of what usernames are associated with these. Once you have stored user logon data in a central location, you can then look at capturing other network and application data.

After you start to log who is logging onto your network, you then need to identify what applications are in use and track activity associated with Internet use and file shares. Below is just a basic list—you may need to look at other data sources if you have compliance or regulatory standards to adhere to.

Monitoring internet usage

Monitoring internet usage can be a contentious issue. Some say it is an invasion of personal privacy, while others say it is necessary to keep a network running in an efficient and secure manner. Most network managers that I speak to adopt a fair use policy: They implement systems that can detect the top consumers of bandwidth and alert if zombies are detected on the network. When systems are infected with malware, you need to monitor what sites they are trying to connect to. You can start monitoring internet activity by setting up logging on your proxy, internet filtering server, or firewall. As with all logging, make sure you have enough system resources so it does not impact on performance.

This information can also be captured from network traffic if you have a Deep Packet Inspection (DPI) system that can extract HTTP header content and DNS query data from network traffic. Finally, make sure you are also monitoring your internet connection for any users who may have found a way to bypass your proxy or filtering system.

Application recognition by looking at network traffic

Application recognition is the art and science of identifying the applications that are in use on a network and understanding the impact of each application in terms of bandwidth usage, user behavior, security, and compliance. It has become vitally important for several reasons:

  • The growth in cloud computing and proliferation of OTT content has led to a huge increase in the number of applications that communicate over Layer 7 applications like HTTP. Effective monitoring of network activity requires looking deeper into Layer 7 traffic so that individual applications can be identified. The level of detail provided by net flow data—source address, destination address, and port number—is often no longer enough.
  • System administrators and network engineers are increasingly turning to random and non-standard ports to counteract threats that assume applications and protocols use standard port assignments. Monitoring tools that rely solely on port numbers typically report traffic on non-standard ports as “unknown.”
  • Many applications use more than one port. For example, web applications use port 80 for non-encrypted HTTP traffic and port 443 for encrypted HTTPS traffic.
  • Application developers do not always adhere to standard port assignments, and in some cases deliberately evade conventional security by using techniques such as port-hopping, SSL encryption, and tunnelling within commonly authorized protocols. Cyber-attackers attempting to infiltrate networks often use similar techniques.

The main thing you need for application recognition is a source of data and a SPAN or mirror port is ideal for this. Ideally, you would set this up at your network core for maximum visibility.

Monitoring file shares

There are a number of ways you can monitor what files and folders users are accessing on shared drives:

  1. Install software agents on the file servers or client systems.
  2. Enable auditing on servers which host file shares.
  3. Capture the information passively from network traffic.

The requirement to install software agents is often an unpopular option, as it is troublesome to manage. Users may find ways to uninstall or disable the agent, which will leave you without an audit trail. Logging on servers can also be problematic, as logs fill very quickly, so you need to be careful that you don’t overwrite the data you need when the logs reach capacity. The easiest way to capture file and folder activity is to use a Deep Packet Inspection system to capture the activity from network traffic. A quick test for any system is to see how long it takes you to find out when a file was deleted.

When it comes to monitoring what users are doing on your network, start off with the simple things, like keeping a log of who is logging on, and to what systems. You can then start to extend monitoring to include applications, file shares, and internet activity.