One of the best moves you can make to detect security threats is to monitor unusual network traffic connections.
Not every server needs to connect to every other server or even every workstation. Most workstations don’t connect to other workstations — or to every server. In a perfect world, every server and workstation would be able to connect to the computers they’re supposed to connect to, period. Anything else would be flagged as abnormal.
Those who launch APTs (advanced persistent threats) and other malicious hacks usually don’t know what these normal network flows are. They connect from the first compromised workstation or server to the next jumping-off point, regardless of normal or authorized traffic flows. Want to “detect the undetectable”? Then detect new, unauthorized traffic flows.
Unfortunately, this is a difficult task. Most companies lack a good understanding — any understanding at all, for that matter — of what should be connected to what. If you don’t understand what should be allowed, it’s hard to detect what’s abnormal. At the very least, you should create a diagram or spreadsheet documenting what should be allowed — and include examples of connections that shouldn’t happen.
The other problem is that the perfect monitoring tool for network traffic flows — to my knowledge — doesn’t exist. My perfect tool would:

Monitor and document existing network traffic flows between all endpoints
Put them in an understandable screen of information for review
Let network admins define which network traffic flows are or aren’t legitimate (this step would take a lot of research in most organizations)
Let admins define alerts for unauthorized or new traffic flows
Assign criticality to different network domains or connection types

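The spreadsheet of allowed connections and the alerting steps above can be prototyped in a few dozen lines. The following is an added example, not code from the article or any product it mentions: the allowlist, the criticality tiers, the flow-record format (timestamp, source, destination, destination port, protocol) and the log lines are all constructed for illustration. It flags every connection that is not in the documented allowlist, and separates flows that have never been seen before (the highest-signal "new, unauthorized" case) from unauthorized flows that have recurred, while tagging each finding with the criticality of the destination segment.

```python
"""Flow allowlist checker (added example, constructed data).

Compares observed connections against a documented allowlist of
authorized flows, keeps a baseline of flows seen so far, and tags each
finding with the criticality of the destination network segment.
"""
from collections import namedtuple
import ipaddress

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed allowlist: the "what should be allowed" spreadsheet.
# Either side may be a single host or a CIDR prefix.
ALLOWED = [
    ("10.0.1.0/24", "10.0.2.10",   443,  "tcp"),  # workstations -> intranet web
    ("10.0.1.0/24", "10.0.2.53",   53,   "udp"),  # workstations -> DNS
    ("10.0.2.10",   "10.0.3.5",    5432, "tcp"),  # web server   -> database
    ("10.0.9.2",    "10.0.0.0/16", 22,   "tcp"),  # jump host    -> any host, SSH
]

# Constructed criticality tiers keyed by destination segment.
CRITICALITY = {
    "10.0.3.0/24": "high",    # database segment
    "10.0.2.0/24": "medium",  # server segment
    "10.0.1.0/24": "low",     # workstation segment
}

def _match(addr, spec):
    """True if addr falls inside spec (a host address or CIDR prefix)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def is_allowed(flow):
    """True if the flow matches any documented allowlist entry."""
    return any(_match(flow.src, s) and _match(flow.dst, d)
               and flow.dport == p and flow.proto == pr
               for s, d, p, pr in ALLOWED)

def criticality(dst):
    """Criticality of the destination segment, 'unknown' if undocumented."""
    for net, level in CRITICALITY.items():
        if _match(dst, net):
            return level
    return "unknown"

def parse_line(line):
    """Parse one constructed flow record: ts src dst dport proto."""
    _ts, src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)

def analyze(lines, baseline):
    """Return [(flow, verdict, criticality)] for every record.

    baseline is the set of flows already observed; it is updated in place so
    that a flow seen for the first time is reported as 'new-unauthorized' and
    a repeat of an undocumented flow as plain 'unauthorized'.
    """
    results = []
    for line in lines:
        flow = parse_line(line)
        if is_allowed(flow):
            verdict = "allowed"
        elif flow in baseline:
            verdict = "unauthorized"       # seen before, still undocumented
        else:
            verdict = "new-unauthorized"   # never seen and never authorized
        baseline.add(flow)
        results.append((flow, verdict, criticality(flow.dst)))
    return results

# Constructed sample flow log: three normal flows, then a workstation
# talking SMB to another workstation, then that workstation reaching the
# database segment directly, then the SMB flow repeating.
SAMPLE_LOG = """\
1700000000 10.0.1.15 10.0.2.10 443 tcp
1700000001 10.0.1.15 10.0.2.53 53 udp
1700000002 10.0.2.10 10.0.3.5 5432 tcp
1700000003 10.0.1.15 10.0.1.22 445 tcp
1700000004 10.0.1.22 10.0.3.5 5432 tcp
1700000005 10.0.1.15 10.0.1.22 445 tcp
""".splitlines()

if __name__ == "__main__":
    seen = set()
    for flow, verdict, level in analyze(SAMPLE_LOG, seen):
        if verdict != "allowed":
            print(f"{verdict:17} crit={level:7} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

In practice the baseline set would be persisted across runs (the first weeks of collection are the "document existing flows" step) and the allowlist would be reviewed by the admins who own each segment; the checker itself stays the same.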