NETWORK & SERVER PROFILING: THE SECRET WEAPON TO PREVENT CYBERATTACKS.
David Knauer
Managed Data Services and Managed Security Services fitting to your Organisation. Data-centric Cybersecurity with a very human-centric Service. #NewSchoolOfSecurity
NETWORK PROFILING: THE SECRET WEAPON TO PREVENT CYBERATTACKS.
Network profiling is the process of understanding and characterizing normal network behavior. This information can then be used to detect anomalies and identify potential security incidents. Network profiling is an essential tool for any organization that wants to protect its network from cyberattacks.
Here are some of the benefits of network profiling:
If you don't have a network profiling solution in place, now is the time to invest in one. It's one of the best ways to protect your organization from cyberattacks.
TOOLS AND ELEMENTS OF NETWORK PROFILING
NetFlow records exported by routers and switches, and packet captures examined in Wireshark, are two common sources for understanding the normal behavior of network traffic: flow records give you volumes, endpoints and ports over time, while a capture shows the full content of individual sessions.
Because organizations use their networks differently at different times of day and on different days of the year, it is important to collect data over a long period of time to get a good baseline.
The figure shows some questions to ask when creating a network baseline, and the table lists important elements of the network profile.
In other words, these tools can help you understand how your network normally operates, so that you can identify any unusual activity that may indicate a problem.
SPOT MALWARE AND NETWORK ATTACKS WITH NETWORK PROFILING.
Malware can use unusual ports to communicate, so it is important to know which ports are normally used for traffic on your network, and by which hosts. If you see traffic on unusual ports, it could be a sign of malware infection. The reverse also matters: a host that starts sending traffic on a common port it never used before (an application server suddenly speaking SMB, for example) is just as worth a look, which is why the baseline should record ports per host rather than one network-wide list.
Another important metric to track is host-to-host traffic, that is, traffic between two devices inside the same network (east-west traffic). If you see a sudden increase in host-to-host traffic, or traffic between two hosts that have never talked to each other before, it could be a sign that malware is spreading laterally through your network.
Finally, it is important to monitor changes in user behavior. This can be done by looking at AAA logs, server logs, or a user profiling system like Cisco ISE. If you see a user suddenly logging in to the network at strange times or from a remote location, it could be a sign that their account has been compromised.
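To make these three checks concrete, here is an added example (my own code, not the article's or any vendor's) that builds a baseline from constructed NetFlow-style records and AAA-style login lines and reports what deviates from it. The internal address space, the record layouts and the five-times-baseline threshold are assumptions made for the illustration.

```python
"""Added example (not from the original article): baseline-vs-current checks
for the three signals discussed above. Flow records and AAA log lines below are
constructed, and the log format (ISO timestamp + key=value pairs) is assumed."""
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed NetFlow-style records: (src, dst, dst_port, bytes)
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 443, 120_000),
    ("10.0.1.10", "10.0.2.5", 443, 98_000),
    ("10.0.1.10", "10.0.2.9", 53, 1_500),
    ("10.0.1.11", "10.0.2.5", 445, 30_000),
    ("10.0.1.11", "10.0.2.9", 53, 2_000),
]
CURRENT_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 443, 110_000),
    ("10.0.1.10", "203.0.113.7", 4444, 5_000),  # port this host never used before
    ("10.0.1.11", "10.0.2.5", 445, 900_000),    # 30x the baseline SMB volume
    ("10.0.1.11", "10.0.1.12", 445, 300_000),   # host pair never seen before
]
# Constructed AAA-style login lines
BASELINE_LOGINS = [
    "2024-03-04T08:55:10 user=alice src=10.0.1.10 result=success",
    "2024-03-05T09:12:03 user=alice src=10.0.1.10 result=success",
    "2024-03-05T17:40:44 user=alice src=10.0.1.10 result=success",
    "2024-03-04T07:30:00 user=bob src=10.0.1.11 result=success",
]
CURRENT_LOGINS = [
    "2024-03-11T09:01:15 user=alice src=10.0.1.10 result=success",
    "2024-03-11T03:17:52 user=alice src=198.51.100.23 result=success",  # 03:17, new source
]


def ports_per_host(flows):
    """Destination ports each source host used during the baseline."""
    ports = defaultdict(set)
    for src, _dst, dport, _nbytes in flows:
        ports[src].add(dport)
    return ports


def unusual_port_flows(baseline_flows, current_flows):
    """Current flows whose (src, dst_port) pair never appeared in the baseline."""
    known = ports_per_host(baseline_flows)
    return [f for f in current_flows if f[2] not in known.get(f[0], set())]


def pair_bytes(flows):
    """Bytes per (src, dst) pair, counting only internal-to-internal traffic."""
    totals = defaultdict(int)
    for src, dst, _dport, nbytes in flows:
        if ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) in INTERNAL:
            totals[(src, dst)] += nbytes
    return totals


def lateral_anomalies(baseline_flows, current_flows, factor=5.0):
    """Internal pairs that are new, or carry more than factor x their baseline bytes.
    Returns (pair, baseline_bytes, current_bytes); baseline_bytes is 0 for a new pair."""
    base, cur = pair_bytes(baseline_flows), pair_bytes(current_flows)
    return [(pair, base.get(pair, 0), n) for pair, n in cur.items()
            if base.get(pair, 0) == 0 or n > factor * base[pair]]


def parse_login(line):
    """(user, hour_of_day, src) from one AAA-style line."""
    stamp, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return kv["user"], datetime.fromisoformat(stamp).hour, kv["src"]


def login_profile(lines):
    """Per user: hours of day and source addresses seen in the baseline."""
    hours, sources = defaultdict(set), defaultdict(set)
    for line in lines:
        user, hour, src = parse_login(line)
        hours[user].add(hour)
        sources[user].add(src)
    return hours, sources


def off_profile_logins(baseline_lines, current_lines):
    """Current logins at an hour, or from a source, the user's baseline never showed
    (an unknown user has an empty baseline and is therefore always flagged)."""
    hours, sources = login_profile(baseline_lines)
    hits = []
    for line in current_lines:
        user, hour, src = parse_login(line)
        if hour not in hours[user] or src not in sources[user]:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("unusual ports :", unusual_port_flows(BASELINE_FLOWS, CURRENT_FLOWS))
    print("lateral spikes:", lateral_anomalies(BASELINE_FLOWS, CURRENT_FLOWS))
    print("odd logins    :", off_profile_logins(BASELINE_LOGINS, CURRENT_LOGINS))
```

Run stand-alone, it flags the outbound flow on 4444, the SMB volume spike and the new host pair, and the 03:17 login from an unfamiliar source. In practice the baseline covers weeks rather than five records and is fed from a flow collector and your AAA server rather than inline lists; the comparison logic stays the same.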
Here is a summary:
SERVER PROFILING: DO YOU KNOW WHAT'S UP IN YOUR HOUSE?
Server profiling is the process of creating a baseline for a server. This baseline includes information about the server's normal operating state, such as the network connections it makes, the users who access it, and the applications it runs.
To create a server profile, you need to understand what the server is used for. Once you know this, you can start to define and document the server's normal operating parameters.
Here are some of the elements of a server profile:
Network connections: Which other devices on the network does the server communicate with?
Users: Who has access to the server?
Applications: Which applications and services does the server run?
Once you have created a server profile, you can use it to monitor the server for anomalies. If the server's behavior deviates from its baseline, it could be a sign of a security breach or other problem.
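As an added example (not from the original article), the following Python builds a server profile from the three elements above and diffs a later snapshot against it. The input formats are modelled on Linux `ss -Hltnp`, `ss -Htn` and /etc/passwd; the snapshots themselves are constructed for the illustration, not taken from a real host.

```python
"""Added example (not from the original article): build a server profile from
listening sockets, established peers and interactive accounts, then diff a later
snapshot against it. Input formats are modelled on Linux `ss -Hltnp`, `ss -Htn`
and /etc/passwd; every snapshot here is constructed, not taken from a real host."""
import re

PROC_RE = re.compile(r'\(\("([^"]+)"')  # process name inside users:(("name",pid=..,fd=..))
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

BASELINE_LISTEN = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1204,fd=6))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=990,fd=5))
"""
CURRENT_LISTEN = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1204,fd=6))
LISTEN 0 128 0.0.0.0:5432 0.0.0.0:* users:(("postgres",pid=990,fd=5))
LISTEN 0 128 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=3121,fd=3))
"""
BASELINE_ESTAB = """\
ESTAB 0 0 10.0.2.5:443 10.0.1.10:51234
ESTAB 0 0 10.0.2.5:443 10.0.1.12:40022
"""
CURRENT_ESTAB = """\
ESTAB 0 0 10.0.2.5:443 10.0.1.10:51990
ESTAB 0 0 10.0.2.5:4444 203.0.113.7:60001
"""
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:110:117::/var/lib/postgresql:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""
CURRENT_PASSWD = BASELINE_PASSWD + "support:x:1001:1001::/home/support:/bin/bash\n"


def parse_listeners(text):
    """{(bind_addr, port, process)} from `ss -Hltnp` output."""
    out = set()
    for line in text.splitlines():
        fields = line.split()
        addr, _, port = fields[3].rpartition(":")
        m = PROC_RE.search(line)
        out.add((addr, int(port), m.group(1) if m else "?"))
    return out


def parse_peers(text):
    """Remote addresses (port stripped) from `ss -Htn` ESTAB output."""
    return {line.split()[4].rpartition(":")[0] for line in text.splitlines()}


def parse_interactive_users(text):
    """Accounts from /etc/passwd whose login shell allows an interactive session."""
    users = set()
    for line in text.splitlines():
        parts = line.split(":")
        if parts[6] not in NOLOGIN_SHELLS:
            users.add(parts[0])
    return users


def build_profile(listen_out, estab_out, passwd):
    """The three profile elements as sets, ready to be stored and compared later."""
    return {
        "listeners": parse_listeners(listen_out),
        "peers": parse_peers(estab_out),
        "users": parse_interactive_users(passwd),
    }


def diff_profile(baseline, current):
    """For each element: what appeared since the baseline and what disappeared."""
    return {k: {"new": current[k] - baseline[k], "missing": baseline[k] - current[k]}
            for k in baseline}


if __name__ == "__main__":
    base = build_profile(BASELINE_LISTEN, BASELINE_ESTAB, BASELINE_PASSWD)
    cur = build_profile(CURRENT_LISTEN, CURRENT_ESTAB, CURRENT_PASSWD)
    for element, delta in diff_profile(base, cur).items():
        print(f"{element:10} new={sorted(delta['new'], key=str)} "
              f"missing={sorted(delta['missing'], key=str)}")
```

The diff shows PostgreSQL moving from loopback to all interfaces (it appears as one missing and one new listener), a new listener run by `nc` on 4444, an established connection to an outside address, and a new interactive account. Peers that go missing are normal churn; new listeners, new peers and new interactive accounts are what deserve a ticket.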
Here is an analogy that may help you understand server profiling:
Imagine you have a new car. You want to know what the car's normal operating state is, so you can identify any problems that may arise. To do this, you create a car profile. This profile includes information such as the car's fuel consumption, oil pressure, and tire pressure.
Once you have the car profile, you can use it to monitor the car for problems. If the car's behavior deviates from its baseline, it could be a sign of a problem, such as a flat tire or a low oil level.
Server profiling works in a similar way. By creating a baseline for a server, you can identify any problems that may arise and take corrective action.
NETWORK BEHAVIOR ANALYSIS: SPOTTING ATTACKS BEFORE THEY STRIKE.
Network behavior analysis (NBA) is a technique that applies large-scale (big data) analytics to network traffic, usually flow records, to look for signs of attacks. NBA works by comparing current network traffic to a baseline of normal traffic. If there are significant deviations from the baseline, it could be a sign of an attack.
NBA can also be used to detect known attack patterns. For example, NBA can be used to identify network traffic caused by worms or infected hosts that are scanning for other vulnerable hosts.
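As an added example (not part of the article), here is a detector for the scanning pattern just described: a source that fans out to many distinct hosts on one port inside a short window, checked against the baseline so that a source which already behaved that way last week (an authorised vulnerability scanner, say) is not reported again. The flow records are constructed, and the threshold and window are illustrative assumptions rather than tuned values.

```python
"""Added example (not from the original article): flag hosts that contact many
distinct destinations on one port within a short window, the traffic shape of a
worm or an infected host scanning for victims, and suppress sources that already
behaved that way in the baseline. All flow records are constructed; the window
and threshold are illustrative starting points, not tuned values."""
from collections import Counter, defaultdict, deque


def make_flows(ts0, src, dsts, dport, step):
    """Build constructed flow records (ts, src, dst, dport), one per destination."""
    return [(ts0 + i * step, src, dst, dport) for i, dst in enumerate(dsts)]


SUBNET = [f"10.0.2.{i}" for i in range(1, 51)]
# Baseline week: an authorised scanner sweeps SSH across the subnet; a workstation
# talks HTTPS to one server.
LAST_WEEK = (make_flows(0.0, "10.0.9.9", SUBNET, 22, 0.5)
             + make_flows(3600.0, "10.0.1.10", ["10.0.2.5"] * 5, 443, 60.0))
# Today: the same traffic, plus a workstation suddenly sweeping SMB on 40 hosts in 12 s.
TODAY = LAST_WEEK + make_flows(7200.0, "10.0.1.11", SUBNET[:40], 445, 0.3)


def scan_sources(flows, threshold=20, window=30.0):
    """(src, dport) -> (ts, distinct_hosts) for the first moment a source has contacted
    at least `threshold` distinct destination hosts on `dport` within `window` seconds."""
    recent = defaultdict(deque)     # (src, dport) -> (ts, dst) events still inside the window
    counts = defaultdict(Counter)   # (src, dport) -> dst -> events inside the window
    hits = {}
    for ts, src, dst, dport in sorted(flows):
        key = (src, dport)
        q, c = recent[key], counts[key]
        q.append((ts, dst))
        c[dst] += 1
        while q and ts - q[0][0] > window:      # evict events that fell out of the window
            _old_ts, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        if len(c) >= threshold and key not in hits:
            hits[key] = (ts, len(c))
    return hits


def new_scanners(baseline, current, **kw):
    """Scanning (src, dport) pairs seen now that the baseline did not contain."""
    return set(scan_sources(current, **kw)) - set(scan_sources(baseline, **kw))


if __name__ == "__main__":
    for key, (ts, n) in scan_sources(TODAY).items():
        print(f"{key[0]} reached {n} distinct hosts on port {key[1]} at t={ts:.1f}s")
    print("new scanners:", new_scanners(LAST_WEEK, TODAY))
```

Both sweeps cross the threshold today, but only the workstation is new relative to last week. Tightening the window to five seconds makes both fall below 20 hosts, which is why the window and threshold have to come from what the baseline shows rather than from a guess.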
NBA is a valuable tool for organizations of all sizes, as it can help them to detect and respond to attacks quickly and effectively.
Here is a simple analogy to help you understand NBA:
Imagine you have a security camera that monitors your front door. Every day, the camera records the same people and vehicles coming and going. This is your baseline of normal activity.
One day, the camera records a person you don't recognize at your front door. This is a deviation from the baseline, and it could be a sign that someone is trying to break into your house.
NBA works in a similar way. It monitors network traffic and compares it to a baseline of normal traffic. If there are any deviations from the baseline, it could be a sign of an attack.
I am David.
My passion is developing the New School of Security.
Sharing is caring.
Join the New School of Security newsletter: https://t1p.de/jfgks
Sicher digitalisieren - For people and companies
1 year
Great, forgotten knowledge rediscovered and relabeled! We used to call this discipline "intrusion detection". In order not to have to use netflow or wireshark for "network profiling", there are even sophisticated tools that take over anomaly detection! Since there are well-known open source projects, anyone can try it out for themselves. Open-source tools for "profiling" in networks are #snort or #zeek, and meanwhile some other monitoring tools also have corresponding features. Of course, there are also ready-made opensource tools for server profiling. These are, for example, #tripwire, #OSSEC and #AIDE.