Sage Advice - Cybersecurity Blog

Video: How Firewall Log Analysis Differs from Firewall Monitoring

It’s no secret that managing your firewall is an essential component of defending your network. Keeping up with the latest threats, plus deploying, upgrading, patching is no small or easy task. That’s why some organizations choose to contract with a third-party to manage, and monitor, their firewall.

Monitoring typically consists of using one or more automated technologies to detect known threats or unauthorized activity. But just because your firewall is denying traffic, doesn’t mean your network is secure. Here’s an example of how Tyler Detect log analysis service was able to detect a potential threat that went unnoticed by their firewall management vendor.


The common misconception is what [Tyler Detect does] is the same as what a firewall management vendor does… what they call firewall monitoring or traffic monitoring. We dig a lot deeper in looking at network traffic.

Perfect example… because this wasn’t really network traffic since firewall wasn’t allowing it. There was a client that we had that hadn’t been doing firewall log analysis with us. They had an incident – that affected about 1/3 of their PC install base. They had recovered from the incident. Everything appeared to be fine. Then a few months later they decided to evaluate our firewall log analysis portion of Tyler Detect.

Day one… right of the bat, we again saw that 1/3 of their PC install base was infected with this malware. We had no idea that they had any type of incident in the past. We notified them.

The [Command & Control] traffic was basically being denied by the firewall. So when you’re doing traffic monitoring, you’re not going to see that because it’s not actually going through the firewall.

So besides us looking at what actually is happening – what is going through the firewall – we’re also looking at what is potentially going through the firewall.

At that point we notified them, they started doing the clean-up. If we hadn’t detected that – and let’s say that had a few laptops as part of the infection base. When a laptop is behind a firewall, it’s totally secured by that firewall. (Although keep in mind you’re just one fat finger misconfiguration away of allowing that Command & Control traffic getting out). But as soon as the user takes that laptop off the network and puts it on their home network or wherever… BOOM! They are out on the internet and the Command & Control traffic can occur again.

When you’re talking Command & Control, the malware can be just that one device that’s getting updated. Hackers can write their malware to talk peer-to-peer, so it can talk to other infected devices on the system. So, you’re not really taking the chance that that one device may connect out, you’re taking the chance that it may have already collected information from other devices in the peer-to-peer mode and then data goes out the window and you have no idea that it happened because it’s not happening on your network.

Denied traffic can be an important source of threat detection intelligence.Tyler Detect analysts consistently find threats that are missed by simple firewall monitoring techniques.


As cyberattacks continue to soar, it's time to get proactive when protecting your network. You can’t simply sit back and wait for an automated alert to let you know you’ve been breached. You need to actively seek out potentially malicious behavior on your network. That’s why we’re seeing a shift to a more proactive approach... Cyber Threat Hunting. Learn how to defend your network. Learn more in theTyler Advice Guide to Cyber Threat Hunting.


Topics: Log Analysis, Threat Detection Tips

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

Cybersecurity Lifecycle

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More