top of page

Endpoint Vulnerability Assessment 

In order to detect serious security incidents, it is important to understand, characterize, and analyze information about normal network functioning. Networks, servers, and hosts all exhibit typical behavior for a given point in time. Network and device profiling can provide a statistical baseline that serves as a reference point. Unexplained deviations from the baseline may indicate a compromise.

 

 

Care must be taken when capturing baseline data so that all normal network operations are included in the baseline. In addition, it is important that the baseline is current. It should not include network performance data that is no longer part of normal functioning.

 

For example, rises in network utilization during periodic server backup operations is part of normal network functioning and should be part of the baseline data.

 

However, measurement of traffic that corresponds to outside access to an internal server that has been moved to the cloud would not be. A means of capturing just the right period for baseline measurement is known as sliding window anomaly detection. It defines a window that is most representative of network operation and deletes data that is out of date.

 

This process continues with repeated baseline measurements to ensure that baseline measurement statistics depict network operation with maximum accuracy.

 

 

Increased utilization of WAN links at unusual times can indicate a network breach and exfiltration of data. Hosts that begin to access obscure internet servers, resolve domains that are obtained through dynamic DNS, or use protocols or services that are not needed by the system user can also indicate compromise. Deviations in network behavior are difficult to detect if normal behavior is not known.

 

 

Tools like NetFlow and Wireshark can be used to characterize normal network traffic characteristics. Because organizations can make different demands on their networks depending on the time of day or day of the year, network baselining should be carried out over an extended period. The figure displays some questions to ask when establishing a network baseline.

The table lists important elements of the network profile.

Server profiling is used to establish the accepted operating state of servers. A server profile is a security baseline for a given server. It establishes the network, user, and application parameters that are accepted for a specific server.

 

 

In order to establish a server profile, it is important to understand the function that a server is intended to perform in a network. From there, various operating and usage parameters can be defined and documented.

The table lists elements of a server profile.

bottom of page