Detect perimeter changes before hackers detect them!

Internet-facing hosts will be scanned at least 6 times per hour in the search for services to attack

Netdelta: Periodic port scans - no false positives - analytics removes false deltas

If your network perimeter changes unexpectedly, that's probably bad! Unauthorised change? Rogue cloud API? Steve in networking misconfigured a firewall? Hacker's shell? Shadow IT? Rogue device? Post-M&A networking headaches? ...aka Attack Surface Management (ASM) headaches


About Netdelta

Flagging port scan deltas should be easy, right?

Flagging port scan deltas should be easy, right? Just download ndiff and use that? Ndiff works for a one-off differential scan, where there is no requirement for accurate, consistent, scheduled scanning with reliable results over the longer term. For that requirement the ndiff option doesn't work. Why? False positives, of course. False positives in differential port scanning render the whole exercise useless. They come in a number of forms:

  • Most common is the host time-out: the scanner detects from one scan to the next that a host is missing and flags a delta, but the host is actually up. This is a false delta. Netdelta retries the host over a user-configurable interval.
  • Service time-out. Also common is the service time-out, where from one scan to the next a service becomes unavailable even though the host is available. Netdelta keeps a history of past scan results and grades the likelihood that the service delta is a false positive as red, amber or green, based on the scan history and any previous occasions where the same delta was flagged.
  • Service discovery scan time-out. Discovery scans run by default with Netdelta; this is equivalent to using the "-sV" option with nmap. Sometimes they time out, and nmap then uses the port number alone to deduce the application-layer service, e.g. port 443 TCP was previously reported as "http" from its banner (surprisingly common), but then becomes "https" from nmap's guessed service name. A false delta is therefore reported. Netdelta deals with this by performing another analysis filter pass on the port scan data.
  • tcp_wrapped services. This can occur for a variety of reasons (an IDS can cause it, for example), but either way it causes a false delta to be raised. Netdelta allows the user to ignore these via an admin setting.
  • Proxy time-out. With a reverse proxy in front of advertised services, a time-out in the connection can sometimes occur.
  • Netdelta caters for various other factors that can lead to a false delta.

Netdelta ...

  • Maintains scan history in a backend database and provides analytics.
  • Provides a RESTful API for consumption of data around port scans and deltas - more info is available on request.
  • A webhook is available for triggering a vulnerability scan in response to a delta being discovered.
  • If there's an unexpected change, it could be the result of unauthorised activity: hacking, malware, unauthorised change, shadow IT, etc.
  • Netdelta maintains a history of past scans and deltas and grades (red, amber, green) on the likelihood that the delta is a false positive.
  • Changes alerted: host up, host down, new group member, new host appearing (possibly a rogue host, unauthorised change or firewall misconfiguration), service(s) added, service(s) removed.
  • User-configurable email alerts.
  • Schedule scans, or run instant scans against any configured group.
  • User-configurable scan options.


Frequently Asked Questions

Can't I do the same thing with ndiff?

  • With ndiff, false positives are a problem: whenever a host or service times out, ndiff will flag what is probably a false positive. Host and service time-outs happen a lot, even on a gigabit LAN, which makes a scripted solution around ndiff impractical.

    Netdelta maintains a database of service and host availability, and makes a call on how likely it is that a service time-out is a false positive (red, amber, green - see the screen sample on the right). When Netdelta sees a change, it first checks the scan history of that host and makes a call on how likely it is that what you're seeing is just a time-out. Netdelta stays quiet unless it's sure it's seeing a genuine delta.

  • Ndiff works from a history of one previous scan XML file. Netdelta records in a database, which enables reporting and analytics as well as the false-positive checking mentioned above. The user can configure a scan history of up to 100 previous scans.
  • Moreover, for the price of Netdelta, why devote resources to an in-house scripted effort, with poor support and documentation?
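As an added example (not Netdelta's code, and not real scan data), here is how a differential scanner can apply the two filters described in the false-positive list above and in this FAQ answer: ignore service-name flips where nmap's -sV probe timed out and the name is only a port-table guess, and grade a delta by how often the same delta has already been raised in the scan history. The host address, the history, the "probed"/"table" field and the red/amber/green thresholds are constructed assumptions.

```python
from collections import Counter

def snap(*ports):
    """One snapshot of a single constructed host; each port is (port, name, method).
    "probed": nmap -sV read a banner; "table": the probe timed out, name guessed from port."""
    return {"192.0.2.10": {"up": True, "ports": {("tcp", p): (n, m) for p, n, m in ports}}}

# Constructed sample scan history (not real scan data), oldest first.
BASE = [(22, "ssh", "probed"), (443, "http", "probed")]
HISTORY = [
    snap(*BASE, (25, "smtp", "probed"), (8443, "https", "probed")),
    snap(*BASE, (25, "smtp", "probed")),                           # 8443 timed out
    snap(*BASE, (8443, "https", "probed")),                        # 25 timed out
    snap(*BASE, (25, "smtp", "probed")),                           # 8443 timed out again
    snap(*BASE, (25, "smtp", "probed"), (8443, "https", "probed")),
]
# Latest scan: 443's name is now only a port-table guess, 8080 is genuinely new.
CURRENT = snap((22, "ssh", "probed"), (443, "https", "table"), (8080, "http-proxy", "table"))

def diff(prev, curr, ignore_tcpwrapped=True):
    """Raw deltas between two snapshots as a set of (addr, kind, detail). Service names
    are compared only when both scans probed them, so a -sV timeout's http -> https flip is never reported."""
    out = set()
    for addr in set(prev) | set(curr):
        p, c = prev.get(addr), curr.get(addr)
        if p is None or not p["up"]:
            if c is not None and c["up"]:
                out.add((addr, "host_new" if p is None else "host_up", None))
            continue
        if c is None or not c["up"]:
            out.add((addr, "host_down", None))
            continue
        for key in set(p["ports"]) | set(c["ports"]):
            if key not in p["ports"]:
                out.add((addr, "service_added", key))
            elif key not in c["ports"]:
                out.add((addr, "service_removed", key))
            else:
                (pn, pm), (cn, cm) = p["ports"][key], c["ports"][key]
                if pm == cm == "probed" and pn != cn and not (ignore_tcpwrapped and "tcpwrapped" in (pn, cn)):
                    out.add((addr, "service_changed", (key, pn, cn)))
    return out

def grade(history, current):
    """Grade each delta between the newest past scan and the current one by how often the same
    delta was raised between past scans (assumed: red = never before, amber = once, green = recurring)."""
    seen = Counter()
    for older, newer in zip(history, history[1:]):
        seen.update(diff(older, newer))
    return {d: {0: "red", 1: "amber"}.get(seen[d], "green") for d in diff(history[-1], current)}
```

Run against the constructed history, 8443 (which has timed out twice before) grades green, 25 (once before) amber, and the never-seen 8080 red, while the 443 http/https flip is not raised at all.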

Isn't the same thing offered with Tufin?

  • No. Tufin reports on changes in firewall rules. Your perimeter port scan results are your shop window. Changes in firewall rules don't necessarily reflect the view from the street of your shop window, and that view is also what bots and hackers see when they evaluate the "attackability" of your organisation. An unauthorised change in firewall rules is bad, but it may or may not result in a change in your advertised perimeter services. The port scan results for your shop window represent the absolute view.
  • There's also a slight difference in pricing between Tufin and Netdelta.

How does Netdelta compare with typical VA scanners?

  • VA scanners like Tenable.io, OpenVAS, Nessus etc. mostly work by grabbing an application-layer banner (which can indicate a product name and version, e.g. "Apache 2.4.9") and correlating it against a database of CVEs. Netdelta focuses on change: specifically, changes in the ports and services that a host advertises to the world. A VA scanner scheduled to run periodically does not highlight the fact that a new port has opened, for example; it only reports on vulnerabilities for the new port, and only if it obtains an application-layer banner. Often a promptly reported 'new service' alert, being more generic, is the more effective signal that an issue needs attention.

What will Netdelta cost me?

  • Netdelta's cost depends on several factors, the number of targets and the frequency of scans being the 2 main ones. Generally, a fair indicator is that the pricing is roughly 30 to 60% of what commercial customers would pay for an online VA service. Note that this includes a base level of support: we will interpret deltas that pop up and help the user through the journey of understanding them. Feel free to contact us for a pricing quotation.

Will Netdelta assist with regulatory/compliance objectives?

  • Yes. For example, PCI-DSS 4, in particular requirement 6.5 and therein 6.5.1: various metrics are required to show that changes to all system components, including firewalls, are managed securely.
  • Netdelta maintains a history of deltas for groups of devices. This trail of events can be correlated with e.g. ServiceNow tickets to show that the firewall change that led to the delta was a controlled and approved change.


Your one month trial starts here...

  • Pass us subnet CIDRs or individual addresses (we can work with text files, expand CIDRs, or just manually enter addresses); we will validate them.
  • Email addresses for alerts.
  • Your Netdelta instance is provisioned and active in 10 minutes.
  • We provision your user accounts on your web portal.
  • We set up a scheduled scan job to run every 24 hours in the early hours (in your local time zone), unless you prefer another schedule.

Boom! You're good to go! Log in, check port scan results, and perform further investigations on discovered deltas.
