
Welcome to Netdelta

Regular port scans - alert on changes in networks and/or hosted services

If your network perimeter changes unexpectedly, that's probably bad! Unauthorised change? Steve in networking misconfigured a firewall? Hacker's shell? Shadow IT? Rogue device? Post-M&A networking headaches? ...


About Netdelta

A quarter of a century of defence has been based heavily on specific known threats. However, these days there are too many to keep up with. As an example, AV based on known signatures has been shown to be easy to bypass repeatedly. Likewise, Vulnerability Assessment based on CIS benchmarks cannot take 0day issues into account, and the economics of 0days dictate that plenty of them are in circulation.

So the concept of deltas, wherein "something changed in my environment that I didn't expect - let's investigate", is a more foolproof means of threat detection. However, a whole core network (think IDS deltas), or a whole operating system, is a threat space that is too complex and wide: there will be lots of noise in the form of false positives.

So then how about we focus on smaller targets that are less complex? Netdelta is based on deltas over groups of IP addresses, where changes in host availability, or service configuration, result in an alert being raised.

  • Maintains scan history in a backend database and provides analytics.
  • If there's an unexpected change, it could be the result of unauthorised activity: hacking, malware, unauthorised change, shadow IT, etc.
  • Netdelta maintains a history of past scans and deltas and grades (red, amber, green) on the likelihood that the delta is a false positive.
  • The changes alerted: host up, host down, new group member, new host appears (maybe a rogue host, unauthorised change, firewall misconfig), service(s) added, service(s) removed.
  • User-configurable email alerts.
  • Schedule scans, or run instant scans against any configured group.
  • User-configurable scan options.


Frequently Asked Questions

Can't I do the same thing with ndiff?

  • With ndiff, false positives are a problem: whenever a host or service times out, ndiff will flag what is probably a false positive. Host and service time-outs happen a lot, even on a gigabit LAN - this makes something like a scripted solution impractical.

    Netdelta maintains a database of service and host availability, and makes a call on how likely it is that a service time-out is a false positive (red, amber, green - see the screen sample on the right). When Netdelta sees a change, it first checks the scan history of that host, and makes a call on how likely it is that what you're seeing is just a time-out. Netdelta will stay quiet unless it's sure it's seeing a genuine delta.

  • Ndiff is based on a history of one previous scan XML file. Netdelta records scans in a database, which enables reporting and analytics, as well as the above-mentioned false positive checking. The user can configure a scan history of up to 100 previous scans.
  • Moreover, for the price of Netdelta, why devote resources to an in-house scripted effort, with poor support and documentation?
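
The history check described in the answer above, as an added example (not Netdelta's own code): a two-scan diff produces the raw deltas, then each delta is graded against the earlier scans. The data layout, the sample scans and the grading rule (red = likely genuine change, green = likely a time-out) are assumptions made for illustration.

```python
"""Added example: history-aware port-scan deltas (illustrative, not Netdelta code)."""

# Constructed sample history, oldest first: each scan maps host -> open TCP ports.
HISTORY = [
    {"10.0.0.5": {22, 443}, "10.0.0.9": {80}},
    {"10.0.0.5": {22, 443}},                      # 10.0.0.9 timed out in this scan
    {"10.0.0.5": {22, 443}, "10.0.0.9": {80}},
    {"10.0.0.5": {22, 443}, "10.0.0.9": {80}},
]
LATEST = {"10.0.0.5": {22, 443, 4444}, "10.0.0.7": {3389}}  # 10.0.0.9 missing


def diff_scans(prev, curr):
    """Naive two-scan delta: all that a single previous scan file allows."""
    events = []
    for host in sorted(set(prev) | set(curr)):
        if host not in prev:
            events.append(("host up", host, None))
        elif host not in curr:
            events.append(("host down", host, None))
        else:
            for port in sorted(curr[host] - prev[host]):
                events.append(("service added", host, port))
            for port in sorted(prev[host] - curr[host]):
                events.append(("service removed", host, port))
    return events


def seen(scan, host, port):
    """True if the host (port=None) or the host's port was visible in this scan."""
    return host in scan and (port is None or port in scan[host])


def grade(event, history):
    """Assumed rule: 'red' = likely genuine change, 'green' = likely time-out noise."""
    kind, host, port = event
    present = [seen(s, host, port) for s in history]
    flaps = sum(a != b for a, b in zip(present, present[1:]))
    if kind in ("host up", "service added"):
        # Never seen in history: new exposure. Seen before: it merely came back.
        return "green" if any(present) else "red"
    # Disappearances: earlier flapping points to a time-out, not a real removal.
    if flaps >= 2:
        return "green"
    return "amber" if flaps == 1 else "red"


def graded_deltas(history, latest):
    return [(e, grade(e, history)) for e in diff_scans(history[-1], latest)]
```

With the constructed data, the new port 4444 and the never-seen host 10.0.0.7 grade red, while the disappearance of 10.0.0.9, which has dropped out and returned before, grades green.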

Isn't the same thing offered with Tufin?

  • No. Tufin reports on changes in firewall rules. Your perimeter port scan results are your shop window. Changes in firewall rules don't necessarily reflect the view of your shop window from the street, which is also what bots and hackers see when they are evaluating the "attackability" of your organisation. There can be an unauthorised change in firewall rules - that's bad, but it may or may not result in a change in your advertised perimeter services. Your port scan results for your shop window represent the absolute view.
  • There's also a slight difference in pricing between Tufin and Netdelta.

On-boarding

Your one month trial starts here...

  • Pass us subnet CIDRs or individual addresses (we can work with text files, expand CIDRs, or just manually enter addresses) - we will validate.
  • We register a new subdomain for your site under netdelta.io - this takes 24 hours to propagate.
  • Email addresses for alerts.
  • We provision your user accounts on your web portal.
  • We set up a scheduled scan job that runs every 24 hours, in the early hours of your local time zone.

Once this is all done (2 business days), you can log in, check port scan results, and perform further investigations on discovered deltas.
