Network Monitoring Powered by BluVector

Network Monitoring Powered by BluVector

Threat Overview with Severity Breakdown

The Threat Overview with Severity Breakdown widget provides a comprehensive visualization of security events categorized by severity levels over a specified time period. This dual-component dashboard displays both aggregate metrics and daily trends, enabling security teams to quickly assess the current threat landscape and identify patterns requiring attention. The widget also includes a detailed findings table that shows individual security events with timestamps and contextual information.

Data Source

This widget aggregates and displays security alerts generated by Suricata, an open-source intrusion detection and prevention system. The data is collected, categorized by severity, and presented in both summary and detailed formats.

Use Cases

• Obtain a rapid assessment of the overall security posture through severity distribution

• Monitor day-to-day changes in threat volumes to identify unusual spikes or patterns

• Investigate specific security events through the detailed findings table

• Prioritize security response efforts based on severity classifications

• Generate reports for management showing security event trends and volumes

• Validate the effectiveness of security controls by monitoring event categories

PCI DSS 4.0 Compliance Support

This widget supports the following PCI DSS 4.0 requirements:

• Requirement 10.2.1.1: Assists with implementing automated audit trails for all system components by aggregating and displaying security events, enabling verification that logging mechanisms are functioning properly.

• Requirement 10.4.1: Supports the review of security event logs by providing a consolidated view of events, facilitating the timely identification of anomalies or suspicious activities.

• Requirement 10.4.2: Helps fulfill the requirement to follow up on exceptions and anomalies identified during the review process by categorizing events by severity.

• Requirement 11.3.1.1: Supports the requirement to maintain processes to identify and assign risk rankings to vulnerabilities through its severity classification system.

• Requirement 11.6.1: Facilitates continuous monitoring by providing real-time visibility into detected security events, supporting the requirement to monitor for critical security control failures.

• Requirement 12.10.5: Assists with incident response preparations by enabling the team to identify and classify potential security incidents according to their severity levels.

Top Threat Categories

The Top Threat Categories widget provides a visual breakdown of security threats detected in your environment, displayed as an intuitive pie chart. This at-a-glance visualization helps security teams quickly identify the most prevalent threat types requiring attention.

Data Source

This widget aggregates and categorizes alerts generated from Suricata signatures. The system analyzes signature data and classifies each alert into the appropriate threat category.

Use Cases

• Quickly identify the most common threat types targeting your environment

• Prioritize security resources based on prevalent attack vectors

• Track changes in threat patterns over time to adjust security strategies

• Support reporting to management and stakeholders on security posture

PCI DSS 4.0 Compliance Support

This widget directly supports the following PCI DSS 4.0 requirements:

• Requirement 11.3.1: Supports detection of vulnerabilities and potential threats by categorizing security events, helping to identify high-priority threats that could compromise payment card data.

• Requirement 10.4.1: Aids in the review of security events by providing visual representations of security alerts, facilitating detection of suspicious activity patterns related to cardholder data access.

• Requirement 12.10.4: Assists security personnel in responding to detected security alerts by prioritizing incidents based on threat category and prevalence.

• Requirement 9.4.5: Helps identify potential unauthorized access attempts targeting systems containing cardholder data.

• Requirement 11.6.1: Supports continuous monitoring and detection of security control failures by visualizing threat trends that may indicate protection gaps.

Rare Ports

The Rare Ports widget is a scatter plot visualization designed to highlight network traffic occurring on non-standard TCP/UDP ports. The widget distinguishes between ports that have triggered security alerts (Alerted Ports) and those that haven't yet raised concerns (Non-Alerted Ports). By focusing on uncommon port usage, security teams can quickly identify potential security issues such as covert communication channels, unauthorized services, or malware command and control infrastructure.

Data Source

This widget correlates data from two primary sources:

1. Zeek Network connection logs capturing details about TCP/UDP sessions, including source/destination ports, IP addresses, and connection metadata

2. Suricata Detection Findings: Alert data from the Suricata IDS/IPS system, used to identify which rare ports have associated security alerts

The visualization specifically filters for connections on non-standard ports, excluding common services like HTTP (80/443), DNS (53), SSH (22), etc., to focus security analysis on potentially suspicious communication channels.

Use Cases

• Detecting Command & Control (C2) Infrastructure: Identify malware using uncommon ports for communication

• Discovering Shadow IT: Locate unauthorized services running within the network

• Identifying Policy Violations: Detect applications bypassing standard ports to evade security controls

• Threat Hunting: Investigate unusual network behavior patterns on rare ports

• Incident Response: Rapidly assess the scope of potentially malicious communications

• Security Baseline Development: Establish normal port usage patterns specific to the environment

PCI DSS 4.0 Compliance Support

This widget supports several key PCI DSS 4.0 requirements:

• Requirement 1.4.1: Helps identify and restrict unauthorized network traffic by highlighting communications on non-standard ports that may bypass intended network security controls.

• Requirement 1.5.1: Supports documentation of business justification for use of all services, protocols, and ports by revealing unusual port usage that requires verification or remediation.

• Requirement 11.4.5: Assists with detecting changes to critical system files, ports, and configurations by identifying new or changed services communicating on previously unused ports.

• Requirement 11.6.1: Facilitates continuous monitoring of critical security control systems by visualizing potential security control failures that allow suspicious port usage.

• Requirement 12.5.2: Supports the monitoring and alerting on anomalies or suspicious activities occurring on uncommon ports that could indicate security incidents.

• Requirement 11.3.1.1: Helps identify vulnerabilities through the discovery of services running on non-standard ports that may represent unpatched or misconfigured systems.

Protocol Breakdown

The Protocol Breakdown widget provides a comprehensive visualization of network traffic categorized by protocol type across a specified time period. This stacked bar chart displays the distribution and volume of connections for different protocols, enabling security teams to understand normal traffic patterns, identify anomalies, and monitor network usage trends throughout the day. When users hover over specific time periods, a detailed tooltip displays the exact connection counts for each protocol, providing deeper insight into network activity.

Data Source

This widget aggregates and analyzes data from Zeek network monitoring logs. Zeek's protocol analyzers identify and categorize network traffic by protocol type, providing rich metadata about each connection. The visualization specifically leverages Zeek connection log files:

Use Cases

• Baseline Establishment: Understand normal protocol distribution patterns throughout the day

• Anomaly Detection: Identify unusual spikes or drops in specific protocol usage

• Security Monitoring: Detect unexpected protocol activity during off-hours

• Capacity Planning: Track network usage patterns to plan for infrastructure needs

• Incident Investigation: Analyze protocol usage during specific timeframes related to security events

• Policy Compliance: Ensure protocols in use align with organizational security policies

• Attack Surface Reduction: Identify unnecessary protocols that could be disabled

PCI DSS 4.0 Compliance Support

This widget supports several key PCI DSS 4.0 requirements:

• Requirement 1.4.1: Helps identify network connections that might indicate unauthorized traffic by highlighting protocol usage patterns and potential anomalies.

• Requirement 1.5.1: Supports documentation of business justification for protocols in use by providing visibility into all active protocols within the cardholder data environment.

• Requirement 2.2.7: Assists with implementing only necessary protocols by identifying which protocols are actively being used and when, supporting the principle of least functionality.

• Requirement 11.3.1.3: Helps with vulnerability management by identifying potentially insecure or unnecessary protocols that could represent security vulnerabilities.

• Requirement 11.6.1: Facilitates continuous monitoring of critical security control systems by visualizing protocol usage patterns that might indicate security control failures.

• Requirement 12.4.1: Supports security policy enforcement by providing evidence of adherence to protocol usage policies throughout the network.

• Requirement 12.10.5: Assists with incident response by enabling rapid analysis of protocol activity during suspected security incidents.

Top Files Transferred

The Top Files Transferred widget displays a comprehensive table of files being transmitted across your network, with enhanced security context. This widget focuses on potentially high-risk file transfers by presenting file metadata alongside malware detection results. Security teams can quickly identify malicious files moving through the network, track file transfer patterns, and prioritize investigation of suspicious content. The table format enables efficient scanning and sorting to identify the most critical file-based threats.

Data Source

Suricata Alerts: Security detection engine data that identifies known malicious files by:

• Matching file hashes against threat intelligence feeds

• Detecting suspicious file characteristics

• Identifying malware signatures and patterns

• Classifying malware by type (Trojan, Ransomware, etc.)

Use Cases

• Threat Detection: Quickly identify malicious files traversing the network

• Incident Response: Investigate file-based attacks by examining file details and context

• Data Loss Prevention: Monitor sensitive files leaving the organization

• File Transfer Audit: Track what types of files are being transferred and their sizes

• Malware Analysis: Identify patterns in malicious file distributions

• Policy Enforcement: Verify compliance with acceptable file transfer policies

• Evidence Collection: Gather forensic data about file-based attacks for investigations

PCI DSS 4.0 Compliance Support

This widget directly supports several key PCI DSS 4.0 requirements:

• Requirement 5.2.3: Assists with detecting malicious software by identifying and flagging known malware files traversing the network, supporting anti-malware mechanisms.

• Requirement 10.2.1.5: Helps track and monitor all access to network resources by showing file transfers across the network, supporting audit trail implementation.

• Requirement 11.3.2: Supports identifying high-risk vulnerabilities by highlighting potentially malicious files that could compromise system security.

• Requirement 11.6.1: Facilitates continuous monitoring of critical security control systems by providing visibility into file-based threats that could indicate security control failures.

• Requirement 12.10.1: Assists with incident response procedures by providing detailed information about malicious files for security incident identification and handling.

• Requirement 12.10.4: Supports detection and alerting of critical security control failures by prominently highlighting files identified as malware.

• Requirement 12.10.5: Aids in preparing personnel to respond to suspicious events by showing clear malware classifications that can guide appropriate response actions.