Trends Over Time
The business goal of Critical Security Control #9: Limitation and Control of Network Ports is “To limit potential vulnerabilities on systems by limiting unauthorized ports, protocols, & services on systems”. Sounds totally reasonable and something everyone should systematically monitor in their respective environments. How can this be accomplished, especially if this has not been an area of focus?
One strategy is capturing data about the network traffic in order to develop and maintain a rolling trend over time. A specific area to focus on is the Top Ports that were targeted on a daily basis. This data will readily highlight trends that can be investigated and help detect changes in traffic that may or many not be “normal". This daily baseline, when added to the last 30 days worth of the same data can easily be to highlight and compare traffic patterns. What could this look like for your network? As a practical example, below is a visualization of data that has been sent to the Internet Storm Center.
What have you found effective in your quest to actively monitor the Trends over Time in your environment? Please leave what works for you in our comments section below.
Russell Eubanks
Performing A Cybersecurity Risk Assessment | New Orleans | Feb 17th - Feb 18th 2025 |
Comments
DPT count
23 448
123 178
1433 124
22 104
5060 65
8080 37
2323 33
3389 31
53 20
161 14
81 12
33436 11
443 9
7547 8
21 7
2222 7
111 6
3306 6
3390 6
3392 6
Looking through CIS Control #9, well, the concepts there are something I've been working with for a long time. Providing publically accessible services is challenging when done correctly. There must be established processes for monitoring and maintenance. Creating a service and not paying any attention to it once has been published is irresponsible behavior.
There are many, many factors involved in maintaining public services. Looking at the increased inbound traffic is one component that might be used to establish potentially malicious activity, but it only one of the indicators that should be analyzed.
I've started writing where I was heading off in several different tangents, on which I could drone on forever. This is a topic that expands in many different directions.
Anonymous
Jul 25th 2017
7 years ago
I agree with you that it is so easy to set things up and then forget about them, deciding to focus on the next “new thing”. The priority has to be on creating and then diligently monitoring our networks. Not every change is bad, however every change must be analyzed.
Thanks for supporting the ISC!
Russell
Anonymous
Jul 25th 2017
7 years ago
Using some flavor of an IDS/IPS (or some of the heuristic variants that integrate their own intelligence gathered from ?) can help. I'm not convinced the heuristic solutions are really any better than the signature based models. They seem to compliment one another well, but it takes deep pockets to acquire both, or even one depending on your flavor.
There are the SIEMs that provide all sorts of analytics, such as Splunk's Enterprise Security -- this magical super solution that you just plug in! Uhh...no, they're designed to take huge amounts of setup (or at least in my experience), which translates to big consulting hours. They're all like that. I'm mentioning Splunk as that's the one with which I have the most experience.
I suppose I'm a bit jaded by dealing with the vendors.
As far as SIEMs go, I hope that market provides a better solution sometime in the future, because I'm not terribly impressed with what I've seen up to this point.
Read a bit about Apache Metron within the last year or so. Seemed to have potential. Too many projects presently.
I liked the idea of Arcsight's CEF standard. Seems any vendor can puke out whatever they want in a log and you have to figure out how to sed/regex (fun!) it into something useful. A standard would be good, but that'll never happen.
Anyhow, proper information security is expensive. The people providing it are expensive, and the tools are expensive as well.
Anonymous
Jul 25th 2017
7 years ago
Anonymous
Jul 25th 2017
7 years ago
Anonymous
Jul 25th 2017
7 years ago
The flows are classified by DST port
and by SRC port (to catch backscatter from DoS
with spoofed adresses from us)
Anonymous
Jul 26th 2017
7 years ago
Sweet dreams and thanks for supporting the ISC!
Russell
Anonymous
Jul 26th 2017
7 years ago
Like you, I have always been a fan of monitoring flow data to show these trends as well.
Thanks for supporting the ISC!
Russell
Anonymous
Jul 26th 2017
7 years ago