Break-ins and malware are constant threats to computer networks. It's no longer safe to assume that security software will keep all attackers out. An extra layer of defense is necessary, to catch threats that have started to take root and get rid of them as quickly as possible. It isn't unusual for hostile software to sit in a system for months before it's caught. While it's sitting there, it's using up network resources and landing its host on Internet blacklists. Network monitoring can catch abnormal activity and let administrators remove its source.
Zero-day attacks, which exploit a weakness before a patch or detection signature for it exists, can get past signature-based software defenses. The malware they deliver still does the same kinds of things other malware does, though. Monitoring can spot the activities of zero-day malware and alert the IT staff.
Malware usually takes hold first in user machines, including desktop and mobile devices. From there it tries to get into servers, where it can steal information or modify websites. Catching it early will prevent the most serious effects. Network monitoring should cover all machines, not just servers.
Abnormal types of traffic
The volume of traffic from a machine can be an indicator by itself. If it's sending out a lot of packets without a good reason, especially during non-working hours, that calls for investigation.
When a machine is infected, it often connects to a command-and-control server which gives directions to the malware. It could get instructions to send out spam email or to participate in a DDoS attack. Network monitoring can recognize this kind of traffic, so that staff can take the affected machine offline and remove the illegitimate software.
Unusual DNS traffic can be an indicator. If a machine looks up thousands of domains a day and they aren't well-known ones, that's a reason for suspicion. It could be hunting for targets to attack.
Attempts to access blacklisted IP addresses could mean either of two things, both bad. A phishing message might have duped an employee into accessing an untrustworthy website, or a system might be compromised. If the volume is high, that calls for immediate attention.
Malware may use TCP or UDP ports that aren't normally used on the network. Most legitimate traffic goes through standard port numbers. Unusual port numbers aren't proof of nefarious activity by themselves, but they can be a reason to look more closely.
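The traffic indicators above (off-hours volume, contact with blacklisted addresses, unusual ports, and large numbers of lookups for unfamiliar domains) can be turned into simple checks over flow and DNS logs. The following Python is an added example and not code from the article; the flow records, DNS records, blocklist, common-port set and "known domain" list are all constructed stand-ins for what a real deployment would pull from a flow collector, DNS resolver logs and a threat-intelligence feed, and the thresholds are illustrative rather than recommended values.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not real traffic):
# (timestamp, source host, destination IP, destination port, packets sent)
FLOWS = [
    ("2024-03-04 10:05:00", "ws-17", "93.184.216.34", 443, 120),
    ("2024-03-04 02:13:00", "ws-17", "198.51.100.7", 6667, 40),    # odd hour, odd port
    ("2024-03-04 02:14:00", "ws-17", "198.51.100.7", 6667, 9000),  # large off-hours burst
    ("2024-03-04 11:30:00", "ws-22", "203.0.113.9", 443, 300),     # destination on blocklist
    ("2024-03-04 14:00:00", "ws-09", "93.184.216.34", 80, 80),     # ordinary browsing
]

# Constructed DNS query records: (timestamp, source host, queried domain).
# ws-31 resolves 1500 distinct never-seen names under the reserved .invalid TLD.
DNS_QUERIES = [("2024-03-04 09:00:00", "ws-09", "example.com")] + [
    ("2024-03-04 03:%02d:00" % (i % 60), "ws-31", "qx%06d.invalid" % i) for i in range(1500)
]

BLOCKLIST = {"203.0.113.9"}                      # stands in for a threat-intel feed (constructed)
COMMON_PORTS = {22, 25, 53, 80, 123, 143, 443, 465, 587, 993, 995}
KNOWN_DOMAINS = {"example.com", "example.org"}   # stands in for a "well-known sites" allowlist
WORK_HOURS = range(8, 18)                        # 08:00-17:59 counts as working hours


def off_hours_packets(flows, work_hours=WORK_HOURS):
    """Total packets each host sent outside working hours."""
    per_host = defaultdict(int)
    for ts, host, _dst_ip, _dst_port, packets in flows:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        if hour not in work_hours:
            per_host[host] += packets
    return dict(per_host)


def registered_domain(name):
    """Collapse a hostname to its last two labels (e.g. a.b.example.com -> example.com)."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name.lower()


def analyze(flows, dns_queries, packet_threshold=5000, domain_threshold=1000):
    """Return {host: [(indicator, detail), ...]} for hosts that trip any heuristic."""
    findings = defaultdict(list)

    # 1. Volume: a lot of packets leaving a machine when nobody is using it.
    for host, packets in off_hours_packets(flows).items():
        if packets > packet_threshold:
            findings[host].append(("off_hours_volume", packets))

    # 2. Blocklisted destinations and 3. unusual destination ports.
    odd_ports = defaultdict(set)
    for _ts, host, dst_ip, dst_port, _packets in flows:
        if dst_ip in BLOCKLIST:
            findings[host].append(("blocklisted_destination", dst_ip))
        if dst_port not in COMMON_PORTS:
            odd_ports[host].add(dst_port)
    for host, ports in odd_ports.items():
        findings[host].append(("unusual_ports", sorted(ports)))

    # 4. DNS: many distinct lookups for domains that are not well known.
    unknown = defaultdict(set)
    for _ts, host, domain in dns_queries:
        if registered_domain(domain) not in KNOWN_DOMAINS:
            unknown[host].add(domain.lower())
    for host, domains in unknown.items():
        if len(domains) > domain_threshold:
            findings[host].append(("dns_unknown_domains", len(domains)))

    return dict(findings)


if __name__ == "__main__":
    for host, hits in sorted(analyze(FLOWS, DNS_QUERIES).items()):
        print(host, hits)
```

Each indicator is reported separately rather than folded into a single score, so that an analyst can see which of the article's signals fired and investigate that one first; a host with only an unusual port is a much weaker lead than one that also bursts traffic at 2 a.m.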
Detection and response
The first step when suspicious traffic shows up is to investigate it more closely. It will often prove to be legitimate and harmless, so don't overreact.
If the activity looks suspicious, the next step depends on the situation. If it's a user's machine, it's best to quarantine it while locating the problem. Quarantining a company's main server, though, would be a drastic action, and it will usually be necessary to fix the problem while staying online.
After fixing the problem, IT staff should pay close attention to the network monitor data to see whether the problem is fixed or recurs. If the abnormal traffic immediately resumes, more work is needed.
If abnormal traffic stops, though, don't assume the problem has gone away. Some kinds of malware go quiet for long periods of time in order to avoid detection. It may stop running when it detects a removal attempt, then start up later on. Intermittent abnormal activity needs attention too.
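The follow-up described in the last two paragraphs (keep watching the monitor after a fix, treat an immediate resumption as an unfinished cleanup, and treat alerts that return after a quiet stretch as a possible dormant infection) can be tracked over the per-host alert history. The Python below is an added example, not the article's code; the daily alert counts, the remediation date and the 30-day watch window are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed per-host daily anomaly alert counts (date -> alerts), not real data.
# All three hosts were remediated on 2024-03-05.
REMEDIATION_DAY = date(2024, 3, 5)
DAILY_ALERTS = {
    "ws-17": {date(2024, 3, 4): 12, date(2024, 3, 6): 9, date(2024, 3, 7): 11},   # back the next day
    "ws-22": {date(2024, 3, 4): 5, date(2024, 3, 15): 3, date(2024, 3, 26): 4},   # quiet, then returns
    "ws-09": {date(2024, 3, 4): 4},                                               # nothing after the fix
}


def post_remediation_status(alerts_by_day, remediation_day, watch_days=30, grace_days=1):
    """Classify what the monitor saw in the watch window after a fix.

    Returns a dict with 'status' in {'no_recurrence', 'resumed_immediately', 'intermittent'}
    and 'longest_quiet_days', the longest alert-free stretch observed in the window.
    """
    window_end = remediation_day + timedelta(days=watch_days)
    active = sorted(d for d, n in alerts_by_day.items()
                    if n > 0 and remediation_day < d <= window_end)
    if not active:
        return {"status": "no_recurrence", "longest_quiet_days": watch_days}

    # Quiet days before the first recurrence, then between each pair of active days.
    gaps = [(active[0] - remediation_day).days - 1]
    gaps += [(active[i] - active[i - 1]).days - 1 for i in range(1, len(active))]

    # Alerts within the grace period mean the cleanup did not work; anything later
    # suggests malware that went quiet to avoid the removal attempt.
    status = "resumed_immediately" if gaps[0] < grace_days else "intermittent"
    return {"status": status, "longest_quiet_days": max(gaps)}


def review_all(daily_alerts, remediation_day, **kwargs):
    """Status per host, for the whole fleet that was remediated on the same day."""
    return {host: post_remediation_status(days, remediation_day, **kwargs)["status"]
            for host, days in daily_alerts.items()}


if __name__ == "__main__":
    for host, status in sorted(review_all(DAILY_ALERTS, REMEDIATION_DAY).items()):
        print(host, status)
```

A "no_recurrence" result only means nothing was seen inside the watch window, which is why the window length is a parameter: a host that stays quiet for 30 days still deserves the same scrutiny as any other if its alerts come back later.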
Cloud-based monitoring can often do a better job of catching malware than on-premises monitoring. Because it runs outside the monitored machine, malware on that machine can't stop it from running, and it will have a harder time noticing that it's being monitored.
Malware that goes uncaught can steal your business's secrets, cause search engines and browsers to blacklist your site, and degrade your systems' performance. Network monitoring will spot abnormal traffic and let you get rid of its cause promptly.