Cyber Vault Discovery Part 1 — Dashboard

Yusuf makz
7 min read · Mar 18, 2022

Cyber Vault Discovery is the company’s first network monitoring tool. It allows IT administrators to efficiently detect anomalies across the network infrastructure. It is comprised of two technologies that together enable a detailed and comprehensive view of the IT network.

Discovery Sensor

First is the discovery sensor which collects data from the network. It is a highly efficient and scalable, patent-pending technology that allows even the largest networks to be mapped and monitored in near real-time. It supports all operating systems and can be deployed as a native application, Virtual Machine, or Docker Container. The discovery sensor sends all of the network data over a secure connection to Cyber Vault Cloud where deep analysis is started. Using machine learning and artificial intelligence algorithms Cyber Vault can then detect a wide range of anomalies.

The results of the Cyber Vault advanced analytics are displayed in the Discovery Dashboard.

Subnets that are monitored by the discovery sensor can be selected in the subnet dropdown. The first subnet is the ‘All’ subnet and it is special. It represents an aggregated view of all subnets. When selected, the network map displays a summation of all live hosts and open TCP and UDP ports in 30-minute time intervals. This way you can observe your entire network as it changes over time in a single view. The tooltip on the network map displays the aggregated stats over time.

If you select a specific subnet then the network map displays only that subnet’s data. A convenient way to think about the Dashboard interface is as an aggregate view of the entire network map. It includes all distinct hosts, ports, and concerns in the selected timespan in a single view. On the other hand, the Explorer interface displays the stats of a single point in time selected on the network map. The two interfaces look similar but represent different data. The dashboard is used to get a summary overview of everything that happened in the selected time span, while the Explorer is used to observe an exact point in time.

The timeframe dropdown controls how far back in history the analysis should go. By default, it is set to the Past 24 Hours. The selection will be reflected immediately through the rest of the dashboard.

The two dropdowns together help answer the questions:

This helps you get a complete and immediate understanding of the state of your network and the concerns that need to be addressed.

In other words, Cyber Vault gives you the ability to: Know Your Network

In the Dashboard, we can see that the discovery sensors conducted 288 scans from which we found 17 live hosts and 62 open ports. All of this data is aggregated on the network map.

Network Map

The network map graph is interactive. The default selected tool is the zoom selection. By selecting a region on the graph you’ll zoom into it. In order to return to the original view, you can click on the home icon. In order to zoom in and out, you can use the + and − buttons. The hand icon allows you to move in a zoomed-in graph. Finally, the graph menu allows you to export the graph as an image or CSV file.

The most important result of the network analysis is the list of concerns that were discovered in the network. Concerns are ranked high, medium, or low according to how likely they are to be exploited by an attacker. The top concerns are definitely going to be exploited. The medium concerns are most likely going to be exploited and the low concerns are less likely to be identified and exploited. Nevertheless, all concerns should be carefully reviewed and mitigated if possible.

Remember that an attacker needs to find only one hole in your defenses in order to compromise your network. And as a defender, you need to protect all holes in your network so that attackers have a difficult time breaching your perimeter. This asymmetry makes it very hard for IT administrators to stay on top of their networks. As you can see with Cyber Vault’s Discovery you can immediately identify top-level concerns across all your subnets and help you stay one step ahead of potential attackers. If you proactively work on addressing every identified concern you’ll be on your way to having a very secure infrastructure.

The concern ranks are taken from the list of most frequently scanned ports provided by NMAP.

NMAP is an industry-standard network reconnaissance tool. If NMAP’s port frequency rank is between 1 and 100 we classify the concern as High. If the rank is between 100 and 1000 we classify it as Medium. And if the rank is over 1000 we classify it as Low. Normally an attacker will use NMAP to quickly discover your network and identify potential targets. By default, NMAP will scan only the top 1000 ports. By classifying the open ports using NMAP’s ranking order Cyber Vault looks at the network from an attacker’s point of view. Every open port is a potential target and therefore a concern.

Discovery Sensor

Cyber Vault’s discovery sensor scans the entire range of ports from 1 to 65,535. This allows it to observe open ports even outside the range of NMAP’s default scan. The discovery sensor delivers highly optimized network reconnaissance that avoids the shortcomings of NMAP. One of NMAP’s biggest limitations is its slow scan speed, which makes mapping the network in real time impossible. Cyber Vault’s advanced discovery sensor technology can deliver over 100K parallel probes a second, making it the fastest network scanner on the market. This innovation allows Cyber Vault to deliver a nearly real-time view of even the largest networks.

Port Summary

Next in the Dashboard is the TCP Port Summary, where all open TCP ports in the Past 24 Hours are displayed. They are ordered by concern level with the highest concerns at the top. The table shows the port number and the service name running behind the port. It also shows you how many hosts have this port open. The summary table can be used to answer the question: what are the top open ports in my network? Or, in other words, which ports are open on the most hosts? This can help you identify suspicious services running in your network and quickly see which hosts are running them. You can sort the table by the number of hosts that have the port open. You can also filter the table by any of the columns: port number, service name, description, or host IP addresses.

The UDP Port Summary table presents the same view for UDP ports.

Host Summary

The last table is the Host Summary table. Here you’ll get more details about the hosts in your network. This includes network performance statistics such as the Minimum, Average, and Maximum Round Trip Time for the ping sweep performed by the discovery sensor, along with the standard deviation and packet loss, if any. Next, you can see all open ports for this host. If you hover over a port you can get a more detailed description. The ports are sorted by their number.

The hosts table can also be displayed on full screen. This helps to better see all of the columns. Additionally, you can toggle the display of columns on and off. This way you can customize your view and see only the relevant information you care about.

The hosts table immediately answers a different question: which host has the most open ports? Or, in other words, what is my top host by number of open ports? The more open ports a host has, the more vulnerable it is likely to be, because there are many more open doors for an attack.

The port summary tables, on the other hand, answer the question: what are my top ports, ranked by how many hosts have a particular port open? You can see that both tables present the same information differently, so that you can immediately understand which hosts need the most care and which ports are the most common in your network.
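The following is an added example, not Cyber Vault’s own code: it applies the NMAP rank thresholds described above (1–100 High, 100–1000 Medium, over 1000 Low; rank 100 itself is taken as High, an assumption since the page lists it under both) and then builds the port summary (hosts per port) and host summary (ports per host) tables from scan observations. The rank table and the scan results embedded below are constructed sample data; `ranks_from_nmap_services` can derive real ranks from an actual `nmap-services` file.

```python
# Added example (not Cyber Vault code): classify open ports by NMAP frequency rank
# and build the Dashboard's port summary and host summary from sensor observations.
from collections import defaultdict

HIGH_MAX, MEDIUM_MAX = 100, 1000  # page thresholds; rank 100 treated as High (assumption)
LEVEL_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# Constructed rank table standing in for the real nmap-services ordering.
SAMPLE_RANKS = {"80/tcp": 1, "22/tcp": 5, "3389/tcp": 40, "8080/tcp": 150, "27017/tcp": 700}

# Constructed sample of what a sensor scan might report: (host, port, proto) seen open.
SAMPLE_SCAN = [("10.0.0.5", 22, "tcp"), ("10.0.0.5", 80, "tcp"), ("10.0.0.5", 8080, "tcp"),
               ("10.0.0.5", 40001, "tcp"), ("10.0.0.7", 22, "tcp"), ("10.0.0.9", 22, "tcp"),
               ("10.0.0.9", 27017, "tcp")]


def ranks_from_nmap_services(text):
    """Parse nmap-services lines (name<TAB>port/proto<TAB>frequency) into {'port/proto': rank},
    ranking by descending open-frequency within each protocol, as Nmap's top-ports logic does."""
    freq = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments and comment-only lines
        if len(fields) < 3:
            continue
        port, proto = fields[1].split("/")
        freq[proto].append((float(fields[2]), int(port)))
    ranks = {}
    for proto, entries in freq.items():
        for rank, (_, port) in enumerate(sorted(entries, reverse=True), start=1):
            ranks[f"{port}/{proto}"] = rank
    return ranks


def concern_level(port, proto, ranks):
    """A port NMAP has no frequency entry for is outside its top 1000, so it is Low."""
    rank = ranks.get(f"{port}/{proto}")
    if rank is None or rank > MEDIUM_MAX:
        return "Low"
    return "High" if rank <= HIGH_MAX else "Medium"


def port_summary(observations, ranks):
    """Rows: (level, port, proto, host_count, hosts), highest concern first, then most hosts."""
    hosts = defaultdict(set)
    for host, port, proto in observations:
        hosts[(port, proto)].add(host)
    rows = [(concern_level(p, pr, ranks), p, pr, len(h), sorted(h)) for (p, pr), h in hosts.items()]
    return sorted(rows, key=lambda r: (LEVEL_ORDER[r[0]], -r[3], r[1]))


def host_summary(observations):
    """Rows: (host, [(port, proto), ...]) with ports sorted by number; most open ports first."""
    ports = defaultdict(set)
    for host, port, proto in observations:
        ports[host].add((port, proto))
    return sorted(((h, sorted(p)) for h, p in ports.items()), key=lambda r: (-len(r[1]), r[0]))
```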

With Cyber Vault discovery you are able to immediately answer the questions:

Armed with this information you can take proactive steps to secure your network. The first rule of thumb is to close any open port that you don’t need or recognize. Make sure that only the absolutely necessary ports are open in your network. Everything else should be closed. If a port needs to stay open, you need to make sure that the service running behind it is secured. This means keeping the service up to date, including the operating system on the host. Also, the service configuration needs to be hardened. If you harden the security configuration of the running service and keep it up to date you will drastically decrease the probability of a successful attack against it.

Cyber Vault can immediately shine a light on what needs to be protected. We can also help you secure the services running behind the open ports using our consulting services.

You can clearly see how Cyber Vault’s comprehensive dashboard analytics help you stay proactive in your network security.

Originally published at https://www.cybervault.app on March 18, 2022.
