Information loss or leakage 6min de Leitura - 27 de June de 2017

Reports and charts that cannot be missing from a UTM firewall

Gráficos apresentados em tablet e em uma folha

This post is also available in: Português English Español

Information security management goes far beyond creating policies, aligning control and audit rules. A fundamental aspect of management should be the evaluation of the behavior of the infrastructure in order to check the evolution of the model implanted in the company.

Information security is a dynamic business in the direction of new services and accesses. Organizations are living organisms that also change over time and, depending on the type, alignment with safety is a prerequisite for any movement. In this sense, it is important to report that this is not the reality of most companies; however, having visibility on items associated with security brings support to the decision-making process.

There is a large set of reports that go along with UTM firewallsolutions; some are operational and targeted to technical teams of security and networks, while others are managerial and even compliance. The requirement varies according to the market segment and the maturity of the company in the topic.

Regardless of the business, however, some operational and managerial reports and charts are critical in any environment. Their retention time should be considered since it is common for these devices to have little local storage capacity.

In this post we will highlight some groups of information, be it reports or graphics (this depends very much on how the manufacturer positions the feature), which are essential for an UTM firewall.


Dashboards are important because, in general, they summarize the solution, allowing for the identification of abnormalities that can evolve to a greater depth in the structure of the organization.

It is common for dashboards to summarize the operation status of the solution, and report network operations (consumption, online traffic), main websites accessed, employee consumption or equipment, remote access (VPN), threats (IPS/IDS), among others.

This information can generate a point of attention for a particular item to be analyzed. For example, if there is excessive or unusual consumption of the network, it is worthwhile for the administrator to delve deeper and identify whether the cause is natural or an incident to be addressed.

Availability and consumption of links

Having availability history of network links (internet, private networks, etc.) is necessary not only for service level agreement (SLA) records, but to identify behaviors to be avoided in the environment.

In the same way, the historical record for the consumption of these links, usually represented by charts, allows it to search in real time or in a retroactive way, certain situations of saturation of the circuit that justifies some internal report.

Generally, these reports are used in a way to provide subsidy for the root cause determination of a given event. As for example, a user informs that it was not possible to send a certain content to the 1:00 PM because the access to the Internet was very slow.

With this type of access, it is possible to verify if there was consumption outside of the patterns in the period informed, and from there, to investigate through other reports what was actually consuming the internet resource. On the other hand, to inform the user that there was no recorded consumption, showing that probably the problem was at the remote point.

These simple online information, and also recorded over time, can help elucidate various situations in a network environment.

Internet use

The use of the Internet is essential not only related to the technology or security sector, especially to decentralize it to other sectors, especially managers, directors and business owners.

With reports, you can monitor compliance with company policy, as well as evaluate the productivity of sectors and employees in certain situations. For example, certain employee did not deliver the requested report and it was noticed that on that day, he spent 6 hours browsing various websites.

The amount of possibilities to be worked with access to the use of the Internet is very large and varies according to each business. In general, it is important to keep track of access to websites, and other applications, knowing the traffic generated and the length of time.

With this information, sky is the limit; for some organizations, this data may be irrelevant, for others, taken seriously. Many queries, reports and charts can be made, depending on the solution used.

Some solutions are more technical and therefore offer information that is more specific. Others abstract the complexity of information and seek to bring more readable things, which facilitate understanding, especially of non-technical users, which increases the engagement with managers from other areas.

Remote connections

Remote connections to the company is essential but, after all, this can pose a threat. Nowadays, when mobility is so present for companies and individuals, it is common for home office activities or users in transit, since access to the company is necessary.

Tracking the use of VPNs or even port forwarding/publishing services is critical, not only for employees but also for vendors and partners in general.

Access to an online report or consumption of VPN resources may not seem so important if analyzed in isolation, but in the same way as other reports can elucidate an investigation.

For example, a certain data was removed from a server and the address made the last access to the server was recorded, led to a VPN address, which made it possible to identify the user who received the address at the time of connection.

Threat Visibility

It is common for many attacks to occur on a daily basis to a variety of companies, not necessarily targeted attacks. Knowing what is happening, from the inside out, to the contrary, is critical to a security strategy.

Sensors in an intrusion detection or prevention system can log network events that have clear signs and behaviors of an attack, and based on that make a decision, in addition to recording the event.

The greater the use of applications within an environment, the greater the exposure the company has. But by offering public services to the internet, the environment is also exposed to external attacks.

Having visibility of what is happening is a fundamental step to justify investments in security. Most managers are surprised to have access to this type of information.

Connections blocked

Blocked connections assist in assessing the amount of unauthorized access attempts to enterprise environments, especially over the internet. In addition, it is a tool to be very well used to verify that a legitimate connection could not be performed by some UTM firewall policy.

In this way, it is easy for the administrator, based on this information, to create a rule for access to be allowed and the application released for future use.

In addition, the blocked connections allow you to identify the incidence of certain attacks or anomalies in the network environment, in an online or historical way.

Real-time connections

In addition to history through charts and reports, being able to track the table of real-time connections is fantastic. This is because, in the face of some exaggerated consumption caused intentionally or accidentally by a device, it is possible to identify and contour fast, avoiding risking the business.

There is another important information in real time, in summary associated with consumption, which market generally calls top talkers. These reports usually bring the highest consumption per port, application, source, and destination, a well-summarized view of the features that most consume the network.

Visibility of detailed connection depends much on the solution, being able to be based on addresses and ports, or more deeply on the level of websites accessed, as well as applications (Dropbox, WhatsApp, Facebook, etc.)

Hardware performance

Not less important, having historical records of hardware consumption (especially processor and memory) is critical if the security features are to be properly employed without degrading the environment.

It is common that the more security features are added to a solution, the more consumption it will have. There is a healthy limit between requiring the maximum amount of resources without compromising the hardware, and hence the user experience. Therefore, this kind of information, sometimes forgotten, is also very important.

Automatic reports

Nowadays dynamics require adaptation of the security solutions, aiming to facilitate the day to day of operators and administrators. Automatic reports are part of this adaptation, adding value and facilitating the process of monitoring resources.

Therefore, the more the solution allows reports generated by it to be sent by e-mail or other platforms, with the granularity of who can receive what, the greater the usefulness of the product within the organization.

There is no list of reports recommended; each solution will provide these and other information in different ways, more or less accessible, with the possibility of integration with external platforms, which broadens the universe of data analysis.

What is important is that there are alternatives that facilitate the identification and control of the environment, enabling quick responses through the occurrence of claims in the structure of the company.

Keep reading

[latest_post type=’boxes’ number_of_posts=’3′ number_of_colums=’3′ order_by=’date’ order=’ASC’ category=’problem-recognition’ text_length=’100′ title_tag=’h4′ display_category=’0′ display_time=’0′ display_comments=’0′ display_like=’0′ display_share=’0′]

This post is also available in: Português English Español