PVS Network Trending

by Cody Dumont
November 5, 2013

Deploying SecurityCenter, LCE, and PVS together can generate some amazing features. One of those features is the ability to show normalized network traffic trending. When PVS sends logs to LCE, the LCE normalizes the logs and creates a series of events with the prefix "PVS". This dashboard brings into focus the network event types in 16 easy-to-read trending components.

While monitoring network traffic, PVS decodes applications to find vulnerabilities in protocols such as RDP, SSL, Telnet, or SSH. Real-time logs are also created to provide a forensic trail of the activity. If you are not able to collect logs from all systems, PVS has the ability to provide a view into administration activities and potential abuse.

In large enterprise organizations, logging may only be enabled on mission-critical systems and not on others. For example, the Windows event logs may be collected centrally, but the use of VNC or cloud-based services may not be logged. Using PVS to log outbound sessions is also of great value, since these sessions can then be easily audited for abuse and anomalies.

PVS has the ability to detect network protocols that are using non-standard ports, for example non-HTTP traffic over port 80 or non-FTP traffic over port 21. Collecting the logs for such traffic can be critical during a network compromise and aids in the ability to forensically track the monitored traffic. For example, attackers often compromise a system using a known exploit, then install VNC to pivot and attack other systems.

Each of the components displays the normalized event in the following three traffic flows:

  • Inbound – Traffic from IP addresses considered external to your network, going to addresses that are internal to your network
  • Outbound – Traffic from IP addresses considered internal to your network, going to addresses that are external to your network
  • Internal – Traffic between IP addresses that are considered internal
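The classification above is simple to reproduce outside the dashboard, which is useful for checking that the internal address ranges you configured produce the expected split. The following is an added example, not code from the post or from Tenable; the internal ranges, the event field names, and the "PVS-..." event names are constructed assumptions rather than LCE's actual normalized schema.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Internal address space used for direction classification (assumed; a real
# deployment would use the ranges defined for the monitored network).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flow_direction(src, dst):
    """Apply the three traffic-flow definitions: inbound (external -> internal),
    outbound (internal -> external), internal (internal -> internal).
    External-to-external flows get their own label so they are never miscounted."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "external"


# Constructed sample events; field names and event names are assumptions.
SAMPLE_EVENTS = [
    {"time": "2013-11-05T09:12:00", "event": "PVS-SSH_Session", "src": "203.0.113.7", "dst": "10.1.1.5"},
    {"time": "2013-11-05T09:40:00", "event": "PVS-SSH_Session", "src": "10.1.1.9", "dst": "10.1.1.5"},
    {"time": "2013-11-05T09:55:00", "event": "PVS-VNC_Session", "src": "10.2.2.2", "dst": "198.51.100.4"},
    {"time": "2013-11-05T10:03:00", "event": "PVS-VNC_Session", "src": "10.2.2.2", "dst": "198.51.100.4"},
    {"time": "2013-11-05T10:20:00", "event": "PVS-Non_HTTP_Port_80", "src": "203.0.113.9", "dst": "192.168.5.5"},
]


def trend(events, bucket_fmt="%Y-%m-%dT%H"):
    """Count events per (event type, direction, time bucket); hourly buckets by default."""
    counts = Counter()
    for e in events:
        bucket = datetime.fromisoformat(e["time"]).strftime(bucket_fmt)
        counts[(e["event"], flow_direction(e["src"], e["dst"]), bucket)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(trend(SAMPLE_EVENTS).items()):
        print(key, n)
```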

The dashboard and its components are available in the SecurityCenter 4.7 Dashboard app feed, an app store of dashboards, reports, and assets.

The dashboard requirements are:

  • SecurityCenter 4.7
  • LCE 4.2.1
  • PVS 4.0

Listed below are the included components:

  • PVS Network Trending – SSH Traffic : The LCE provides a trending view of the SSH traffic discovered by the PVS nodes on the network.
  • PVS Network Trending – SSL Traffic : The LCE provides a trending view of the SSL traffic discovered by the PVS nodes on the network.
  • PVS Network Trending – VNC Traffic : The LCE provides a trending view of the VNC traffic discovered by the PVS nodes on the network.
  • PVS Network Trending – RDP Traffic : The LCE provides a trending view of the RDP traffic discovered by the PVS nodes on the network.
  • PVS Network Trending – VoIP Session : The LCE provides a trending view of the VoIP traffic discovered by the PVS nodes on the network.
  • PVS Network Trending – Telnet Account Detected : The LCE provides a trending view of Telnet traffic by discovering clear text credentials traversing the network.
  • PVS Network Trending – Non HTTP Port 80 Traffic : The LCE provides a trending view of the non-HTTP port 80 traffic discovered by the PVS nodes on the network.
  • PVS Network Trending – BitTorrent Traffic : The LCE provides a trending view of the BitTorrent traffic discovered by the PVS nodes on the network.
  • PVS Network Trending – FTP Client Traffic : The LCE provides a trending view of the FTP client traffic discovered by the PVS nodes on the network.
  • PVS Network Trending – FTP Non Standard Port Traffic : The LCE provides a trending view of the FTP non-standard port traffic discovered by the PVS nodes on the network.
  • PVS Network Trending – FTP Server Traffic : The LCE provides a trending view of the FTP server traffic discovered by the PVS nodes on the network.
  • PVS Network Trending – POP Traffic : The LCE provides a trending view of the POP traffic discovered by the PVS nodes on the network.
  • PVS Network Trending – Cloud Data : The LCE provides a trending view of the SSL traffic from clients to services that have been associated with a cloud file storage service.
  • PVS Network Trending – IP Protocol Tracking : The LCE provides a trending view of the IP protocol tracking discovered by the PVS nodes on the network.
  • PVS Network Trending – MAC Addition : The LCE provides a trending view of the MAC address detections discovered by the PVS nodes on the network.
  • PVS Network Trending – DNS Tunnel Activity : The LCE provides a trending view of the DNS tunnel activity discovered by the PVS nodes on the network.