NetDelta

Detect perimeter changes before hackers detect them!

Periodic port scans - no false positives - analytics removes ndiff type noise

If your network perimeter changes unexpectedly, that's probably bad! Unauthorised change? Rogue cloud API? Steve in networking misconfigured a firewall? Hacker's shell? Shadow IT? Rogue device? Post-M&A networking headaches? ...aka Attack Surface Management (ASM) headaches

Explore More

Sign me up!

About Netdelta

Flagging port scan deltas should be easy right?

Flagging port scan deltas should be easy right? Just download ndiff and use that? Ndiff can work for a one-off differential scan where an accurate, longer term, consistent, scheduled scanning requirement with reliable results, is not required. The ndiff option doesn't work. Why?...false positives of course. False positives in differential port scanning render the whole exercise useless. They come in a number of forms:

Most common is the host time out - scanner detects from one scan to another that a host is missing, it will flag a delta, but the host is actually up. This is a false delta. Netdelta retries the host over a user-configurable interval.

Service time out. Also common is the service time out, where from one scan to the next, a service becomes unavailable, even if the host is available. Netdelta keeps a history of past scan results and calls out red, amber, green on the likelihood that the service delta is a false positive, based on the scan history and any previous occasions where the same delta was flagged.

Service discovery scan time out. Discovery scans are set to run by default with Netdelta. This has the equivalent effect as with using the "-sV" option with nmap. Sometimes they time out, and nmap uses the port number alone to deduce the application layer service e.g. a port 443 TCP was previously a "http" port from its banner (surprisingly common), but then becomes "https" from nmap's guessed service name. Therein a false delta is reported. Netdelta deals with this by performing another analysis filter pass on the port scan data.

tcp_wrapped services. This can occur for a variety of reasons (IDS can cause this for example), but either way, it causes a false delta to be raised. Netdelta allows the user to ignore these issues with an admin setting.

Proxy time-out. Sometimes, with a reverse proxy in front of advertised services, a time-out in the connection can occur.

Netdelta caters for various other factors can lead to a false delta.

Netdelta ...

Maintains scan history in a backend database and provides analytics.
Provides a RESTful API for consumption of data around port scans and deltas - more info is available on request.
A webhook is available for triggering a vulnerability scan in response to a delta being discovered.
If there's an unexpected change, it could be the result of unauthorised activity: hacking, malware, unauthorised change, shadow IT, etc.
Netdelta maintains a history of past scans and deltas and grades (red, amber, green) on the likelihood that the delta is a false positive.
The changes alerted - host up, host down, new group member, new host appears (maybe a rogue host, unauthorised change, firewall misconfig), service(s) added, service(s) removed
User-configurable email alerts.
Schedule scans, or run instant scans against any configured group.
User-configurable scan options.

Frequently Asked Questions

Can't I do the same thing with ndiff?

With ndiff false positives are a problem: whenever a host or service times out, ndiff will flag what is probably a false positive. Host and service time-outs happen a lot, even on a gigabit LAN - this makes something like a scripted solution impractical.

Netdelta maintains a database of service and host availability, and makes a call on how likely a service time out is a false positive (red, amber, green - see the screen sample on the right). When Netdelta sees a change, it checks first on the scan history of that host, and makes a call on how likely what you're seeing is just a time-out. Netdelta will stay quiet unless its sure its seeing a genuine delta.
Ndiff is based on a history of one previous scan XML file. Netdelta records in a database, which enable reporting and analytics, as well as the above-mentioned false positives checking. The user can configure a scan history of up to 100 previous scans.
Moreover, for the price of Netdelta, why devote resources to an in-house scripted effort, with poor support and documentation?

Isn't the same thing offered with Tufin?

No. Tufin reports on changes in firewall rules. Your perimeter port scan results are your shop window. Changes in firewall rules don't necessarily reflect the view from the street of your shop window and its also what BOTs and hackers see when they are evaluating the "attackability" of your organisation. There can be an unauthorised change in firewall rules - that's bad, but it may or may not result in a change in your advertised perimeter services. Your port scan results for your shop window represent the absolute view.
There's also a slight difference in pricing between Tufin and Netdelta.

On-boarding

Your one month trial starts here...

Pass us subnet CIDRs or individual addresses (we can work with text files, expand CIDRs, or just manually enter addresses) - we will validate.

Email addresses for alerts.

Your netdelta is provisioned and active in 10 minutes.

We provision your user accounts on your web portal.

We setup a scheduled scan job to run in the early hours (in your local time zone), to run every 24 hours, unless you prefer another schedule.

Boom! You're good to go! Login and check port scans results, and perform further investigations on discovered deltas.