Many organizations trust outbound communications from clients because those connections are initiated from presumably "secured" clients.
The problem is the presumption that the clients are secured: if even a single client starts communicating with a server in a questionable country, security may already be compromised, since data may be exfiltrated without anyone's knowledge, or a bot may have been installed through a browser vulnerability.
How do you track these sorts of communications easily?
If you track NetFlows through the network and look up the city, state, and country where each external IP address resides, you can see where your data is flowing to and from.
Ideally, you would also want to know whether an IP address has been flagged by ISPs as suspicious, is used as a Tor server on the Dark Web, or is a known hack source.
If you have a NetFlow collector, you can review the IP addresses of remote public endpoints to learn a lot about the server or service that is being communicated with.
Here are information services that you can use to collect intelligence relating to an IP address:
TotalView wraps all of the above capabilities into a single solution that shows you the flows a desktop or server has communicated with, along with the location and security risk of each external flow.
For example, it is easy to see in the report below that a flow is communicating with a server in North Korea, and the event is flagged in red as a hack source with a high-risk threat level:
Awareness of your network devices' communications and their destinations is crucial to tracking where data is going and who is getting control of it.
Network security and awareness problems can be prevented if the right information about your network's operations is brought to bear.
Contact us with questions about how PathSolutions TotalView can make understanding your network easier.