Deploying SecurityCenter, LCE, and PVS together enables some powerful features. One of those features is the ability to show normalized network traffic trending. When PVS sends logs to LCE, the LCE normalizes the logs and creates a series of events with the prefix "PVS". This dashboard brings the network event types into focus in 16 easy-to-read trending components.
While monitoring network traffic, PVS decodes applications to find vulnerabilities in protocols such as RDP, SSL, Telnet or SSH. Real-time logs are also created to provide a forensic trail of the activity. If you are not able to collect logs from all systems, PVS has the ability to provide a view into administration activities and potential abuse.
In large enterprise organizations, logging may only be enabled on mission-critical systems, and not on others. For example, the Windows event logs may be collected centrally, but the use of VNC or cloud-based services may not be logged. Using PVS to log outbound sessions is also of great value, since these sessions can then be easily audited for abuse and anomalies.
PVS has the ability to detect network protocols that are using non-standard ports, for example traffic on port 80 that is not HTTP, and non-FTP traffic over port 21. Collecting the logs for such traffic can be critical during a network compromise and aids in the ability to forensically track the monitored traffic. For example, attackers often compromise a system using a known exploit, then install VNC to pivot and attack other systems.
Each of the components displays the normalized events in the following three traffic flows:
- Inbound – Traffic from IP addresses considered external to your network, going to addresses that are internal to your network
- Outbound – Traffic from IP addresses considered internal to your network, going to addresses that are external to your network
- Internal – Traffic between IP addresses that are considered internal
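The three flow definitions above can be reproduced outside the dashboard, for instance to sanity-check which bucket a session should land in. The following is an added example, not Tenable code: the internal ranges, the record layout, and the `PVS-Example_*` event names are constructed placeholders, not real LCE event names or log formats.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: the ranges the organization considers internal (constructed).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample records: (time, event name, source, destination).
# The event names are hypothetical placeholders, not real LCE event names.
SAMPLE_EVENTS = [
    ("2015-03-02T09:05:00", "PVS-Example_SSH", "203.0.113.7", "10.1.1.20"),
    ("2015-03-02T09:40:00", "PVS-Example_SSH", "203.0.113.9", "10.1.1.20"),
    ("2015-03-02T09:50:00", "PVS-Example_VNC", "10.1.1.20", "10.1.2.30"),
    ("2015-03-02T10:15:00", "PVS-Example_VNC", "10.1.2.30", "198.51.100.4"),
    ("2015-03-02T10:20:00", "PVS-Example_SSH", "198.51.100.4", "203.0.113.7"),
]

def is_internal(addr):
    """True when the address falls inside one of the internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def direction(src, dst):
    """Map a source/destination pair to one of the three flows above."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "unclassified"  # neither side internal: outside the three flows

def trend(events):
    """Count events per (hour, event name, direction) bucket."""
    counts = Counter()
    for ts, name, src, dst in events:
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%d %H:00")
        counts[(hour, name, direction(src, dst))] += 1
    return counts

if __name__ == "__main__":
    for bucket, n in sorted(trend(SAMPLE_EVENTS).items()):
        print(*bucket, n)
```

A pair where neither address is internal matches none of the three definitions; the example reports it as `unclassified` rather than forcing it into a flow, which usually points to an incomplete internal range list.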
The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Monitoring.
The dashboard requirements are:
- SecurityCenter 4.7
- LCE 4.2.1
- PVS 4.0
Listed below are the included components: