
Application and Risk Analysis

Report Date: September 3, 2018 03:07


Data Range: 2018-08-01 00:00 to 2018-08-31 23:59 ICT (FAZ local)

Fortinet Inc. All rights reserved. Created on: September 3, 2018 03:07
Table of Contents

Application Control and Assessing Risks 3


Application Visibility is Critical 3
Complete Content Protection 3
Backed by FortiGuard 3

Top Application Users By Bandwidth 5


Top Users By Bandwidth 5

Top Application Users By Sessions 6


Top User Sources By Sessions 6

Client Reputation 7
Top Users By Reputation Scores 7
Top Devices By Reputation Scores 7

Application Usage By Category 8


Top 10 Application Categories By Bandwidth Usage 8
Application Categories By Bandwidth Usage 8

Applications Detected by Risk Behavior 9


Breakdown of Risk Applications 9
Number of Applications by Risk Behavior 9
High Risk Applications 9

Key Applications Crossing The Network 10


Key Applications Crossing The Network 10

Applications Running Over HTTP 11


Top Applications Running Over HTTP 11

Top Web Categories Visited By Network Users 12


Top Web Categories By Sessions 12
Top Web Categories By Sessions/Bandwidth 12

Top Web Sites Visited By Network Users 13


Top Web Domains By Visits 13

Top Destination Countries By Browsing Time 14


Top Destination Countries By Browsing Time 14

Top Web Sites By Browsing Time 14


Top Web Sites By Browsing Time 14

Top Threats Crossing The Network 15


Top Threats Crossing The Network 15
Top Critical Threats Crossing The Network 15
Top High Threats Crossing The Network 15
Top Medium Threats Crossing The Network 16
Top Low Threats Crossing The Network 16
Top Info Threats Crossing The Network 16

Top 20 Viruses Crossing The Network 17

Application and Risk Analysis - FortiAnalyzer Host Name: BNPB_ANALYZER page 1 of 20


Top Viruses By Name 17

Top Virus Victims 18


Top Virus Victims 18
Malwares Discovered 18
Application Vulnerabilities Discovered 18

Data Loss Prevention Events 19


Top Data Loss Prevention Events 19

Appendix A 20
Devices 20



Application Control and Assessing Risks

Application Visibility is Critical


Application control provides granular policy enforcement of application traffic, even with the
multitude of traffic using HTTP, which traditional firewalls and security gateways cannot
distinguish. It includes the ability to identify more applications than any other vendor in the
market, and to selectively block application behavior to minimize the risk of data loss or
network compromise.

Complete Content Protection


Assessing network risks requires complete content protection, which is more than simply
identifying applications and allowing or denying traffic. It is application control coupled with
identity-based policy enforcement of all content. It enables organizations to utilize all the
security and networking technologies included in the FortiGate platforms, such as access
control, traffic shaping, IPS, DLP, and antivirus/antispyware. Complete content protection
continuously protects networks against malicious content hidden within applications and data,
even from trusted applications from trusted sources.

Backed by FortiGuard

Fortinet has been giving its customers the ability to deploy application-based security since
FortiOS 3.0, enabling them to detect and manage applications independent of port or protocol.
FortiGuard is the culmination of years worth of security research. New applications and
potential threats are identified daily to keep your network up to speed.



Top Application Users By Bandwidth
This chart provides information about the users who are creating the most network traffic in
terms of bandwidth usage. It helps the network manager to identify users that are potentially
abusing network usage or creating traffic that does not comply with internal security policies.
The following chart displays the top 20 users by bandwidth usage.

Top Users By Bandwidth


# User (or IP) Source IP Bandwidth
1 192.168.254.165 192.168.254.165 534.25 GB
2 192.168.254.169 192.168.254.169 479.99 GB
3 192.168.254.168 192.168.254.168 243.80 GB
4 192.168.254.155 192.168.254.155 227.58 GB
5 192.168.50.216 192.168.50.216 219.28 GB
6 192.168.254.170 192.168.254.170 175.55 GB
7 192.168.50.48 192.168.50.48 171.91 GB
8 192.168.53.161 192.168.53.161 171.09 GB
9 192.168.254.164 192.168.254.164 138.22 GB
10 192.168.254.162 192.168.254.162 138.03 GB
11 192.168.56.77 192.168.56.77 133.46 GB
12 192.168.50.162 192.168.50.162 119.29 GB
13 192.168.254.158 192.168.254.158 119.23 GB
14 192.168.253.152 192.168.253.152 117.10 GB
15 192.168.50.218 192.168.50.218 115.17 GB
16 192.168.50.253 192.168.50.253 101.83 GB
17 192.168.80.46 192.168.80.46 97.23 GB
18 192.168.254.159 192.168.254.159 96.47 GB
19 192.168.254.154 192.168.254.154 95.02 GB
20 192.168.253.192 192.168.253.192 94.78 GB



Top Application Users By Sessions
The Top Users In Terms of Sessions section identifies the network users who are opening the
highest number of connections. This is a critical value because some users could open many
more sessions than they are supposed to. Statistics on the number of sessions a user has opened
and the memory space used by these sessions are recorded in the FortiGate. The following
chart displays the top 20 users by the number of sessions.

Top User Sources By Sessions


# User (or IP) Source IP Sessions
1 192.168.253.151 192.168.253.151 48,667,636
2 192.168.253.152 192.168.253.152 39,429,588
3 192.168.83.99 192.168.83.99 20,792,152
4 192.168.207.25 192.168.207.25 10,032,384
5 192.168.253.153 192.168.253.153 9,075,370
6 192.168.56.205 192.168.56.205 8,562,931
7 192.168.109.57 192.168.109.57 8,036,720
8 192.168.74.132 192.168.74.132 7,385,343
9 192.168.253.251 192.168.253.251 5,849,628
10 192.168.74.42 192.168.74.42 5,320,422
11 192.168.74.50 192.168.74.50 5,111,450
12 192.168.56.41 192.168.56.41 4,941,555
13 192.168.254.10 192.168.254.10 4,744,905
14 36.89.155.161 36.89.155.161 4,556,179
15 192.168.56.119 192.168.56.119 3,622,505
16 12.12.12.1 12.12.12.1 3,485,572
17 192.168.110.56 192.168.110.56 3,344,512
18 192.168.251.13 192.168.251.13 3,295,960
19 192.168.50.216 192.168.50.216 3,106,009
20 192.168.111.86 192.168.111.86 2,048,685



Client Reputation
The security scan types available on FortiGate units are varied and tailored to detect specific
attacks. However, sometimes user/client behavior can increase the risk of attack or infection.
For example, if one of your network clients receives email viruses on a daily basis while no
other clients receive these attachments, extra measures may be required to protect the client,
or a discussion with the user about this issue may be worthwhile. Before you can decide on a
course of action, you need to know the problem is occurring. Client reputation can provide this
information by tracking client behavior and reporting on activities that you determine are risky
or otherwise noteworthy.

Top Users By Reputation Scores


# User (or IP) Scores
1 192.168.253.151 1,911,810,960
2 192.168.253.152 657,735,960
3 192.168.83.99 151,804,540
4 192.168.253.153 146,469,915
5 192.168.254.10 142,038,170
6 192.168.109.57 73,394,490
7 192.168.56.205 64,456,630
8 192.168.74.132 55,439,640
9 192.168.251.13 49,562,990
10 192.168.56.41 39,941,790

Top Devices By Reputation Scores


# Device Scores
1 192.168.253.151 1,911,810,960
2 192.168.253.152 657,735,960
3 192.168.83.99 151,804,540
4 192.168.253.153 146,469,915
5 192.168.254.10 142,038,170
6 192.168.109.57 73,394,490
7 192.168.56.205 64,456,630
8 192.168.74.132 55,439,640
9 192.168.251.13 49,562,990
10 192.168.56.41 39,941,790



Application Usage By Category
As part of the traffic classification process, the FortiGate identifies and categorizes the
applications crossing the network into different categories based on the number of sessions
and bandwidth. This data complements the granular application threat data and provides a
more complete summary of the types of applications in use on the network.

Top 10 Application Categories By Bandwidth Usage

No matching log data for this report

Application Categories By Bandwidth Usage

No matching log data for this report



Applications Detected by Risk Behavior
Modern security organizations need increasingly complex security processes in place to
handle the myriad applications in use on the network and in the data center. The problem is
determining which applications in your environment are most likely to cause harm. The
following charts provide a breakdown of the high risk applications identified on the network.
It has been determined by FortiGuard Labs that these applications represent possible vectors
for data compromise, network intrusion, or a reduction in network performance.

Breakdown of Risk Applications

No matching log data for this report

Number of Applications by Risk Behavior

No matching log data for this report

High Risk Applications

No matching log data for this report



Key Applications Crossing The Network
This part of the PoC Security Report offers a summary of the key applications crossing the
network based on the amount of bandwidth they are using and then sorted into different
application types. It provides a high level view of the types of application that are used most
commonly across the network.

Key Applications Crossing The Network

No matching log data for this report



Applications Running Over HTTP
This section provides an overview of applications crossing the network that use HTTP. Software
updates, error reporting or help guides are used by different business applications as a means
of improving the overall user experience. Social networks, streaming video or audio, file sharing
are among the most common non-business applications that use HTTP. Assessing the number
and type of applications that use HTTP provides a critical part of developing an efficient
network security strategy.

Top Applications Running Over HTTP

No matching log data for this report



Top Web Categories Visited By Network Users
User browsing habits can not only be indicative of inefficient use of corporate resources, but
can also indicate poorly optimized web filtering policies. They can also give some insight into
the general web browsing habits of corporate users and assist in defining corporate compliance
guidelines. This chart details web categories by the number of times URLs within those
categories were requested and by the amount of bandwidth used.

Top Web Categories By Sessions

No matching log data for this report

Top Web Categories By Sessions/Bandwidth

No matching log data for this report



Top Web Sites Visited By Network Users
Identifying and managing the top URLs visited by network users provides greater visibility and
control, and subsequently, better network security. By leveraging Fortinet threat prevention,
application control and URL filter technologies, the volume of web sites by category can be
reviewed and strategies put in place to prevent users accessing sites considered to be a risk to
overall network security.

Top Web Domains By Visits

No matching log data for this report



Top Destination Countries By Browsing Time
The following chart shows the distribution of web traffic according to the destination country.
It lets the network administrator analyze which countries' web sites are visited for the longest
time. The administrator can then decide to create security policy based on Geo-location.

Top Destination Countries By Browsing Time

No matching log data for this report

Top Web Sites By Browsing Time


The following chart shows the web sites that users visit for the longest time. The administrator
can then decide to create security policy to mitigate or block access to those web sites,
according to internal corporate policy.

Top Web Sites By Browsing Time

No matching log data for this report



Top Threats Crossing The Network
By individually reviewing both the applications and traffic flows crossing the network, threat
vector identification and prevention becomes easier. Threat prevention technologies filter the
total number of applications and traffic crossing the network down to those applications or
packets that pose a potential risk, picking up threat vectors such as spyware, application
vulnerabilities or viruses. The result is improved overall network performance and lower
network latency.

Top Threats Crossing The Network

Severity Share Count
high 99.91% 58,541,458
low 0.05% 31,700
critical 0.03% 20,171
medium 0.00% 595

Top Critical Threats Crossing The Network


# Attack Name Reference Total Num
1 Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass http://www.fortinet.com/ids/VID42781 18,947
2 MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow http://www.fortinet.com/ids/VID43844 445
3 MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution http://www.fortinet.com/ids/VID43796 271
4 Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution http://www.fortinet.com/ids/VID43745 158
5 Bash.Function.Definitions.Remote.Code.Execution http://www.fortinet.com/ids/VID39294 82
6 OpenSSL.Heartbleed.Attack http://www.fortinet.com/ids/VID38315 74
7 tcp_port_scan http://www.fortinet.com/ids/VID100663398 57
8 Joomla.Core.Session.Remote.Code.Execution http://www.fortinet.com/ids/VID41851 22
9 Apache.Struts.2.REST.Plugin.Remote.Code.Execution http://www.fortinet.com/ids/VID42636 21
10 Apache.Struts.2.DefaultActionMapper.Remote.Command.Execution http://www.fortinet.com/ids/VID36453 18

Top High Threats Crossing The Network


# Attack Name Reference Total Num
1 SSH.Connection.Brute.Force http://www.fortinet.com/ids/VID35662 58,366,400
2 MS.SMB.Server.Trans.Peeking.Data.Information.Disclosure http://www.fortinet.com/ids/VID43799 158,411
3 MySQL.Login.Brute.Force http://www.fortinet.com/ids/VID20954 12,566
4 HTTP.URI.SQL.Injection http://www.fortinet.com/ids/VID15621 3,233
5 Java.Debug.Wire.Protocol.Insecure.Configuration http://www.fortinet.com/ids/VID44187 177
6 PHP.Malicious.Shell http://www.fortinet.com/ids/VID44580 76
7 PHP.CGI.Argument.Injection http://www.fortinet.com/ids/VID31752 56
8 HTTP.Header.SQL.Injection http://www.fortinet.com/ids/VID41512 54
9 China.Chopper.Web.Shell.Client.Connection http://www.fortinet.com/ids/VID37268 41
10 Exim.And.Dovecot.Insecure.Configuration.Command.Injection http://www.fortinet.com/ids/VID35877 37



Top Medium Threats Crossing The Network
# Attack Name Reference Total Num
1 Web.Server.Password.Files.Access http://www.fortinet.com/ids/VID43336 407
2 HTTP.Referer.Header.SQL.Injection http://www.fortinet.com/ids/VID15584 52
3 Dahua.IP.Camera.Unauthorized.File.Access.Information.Disclosure http://www.fortinet.com/ids/VID43956 23
4 WordPress.Slider.Revolution.File.Inclusion http://www.fortinet.com/ids/VID39136 18
5 WordPress.xmlrpc.Pingback.DoS http://www.fortinet.com/ids/VID38257 10
6 TCP.Split.Handshake http://www.fortinet.com/ids/VID26339 9
7 PostgreSQL.Database.Name.DoS http://www.fortinet.com/ids/VID35144 7
8 Apache.Roller.OGNL.Injection.Remote.Code.Execution http://www.fortinet.com/ids/VID39031 5
9 Sflog.CMS.Default.Admin.Account.Access http://www.fortinet.com/ids/VID33221 5
10 WebTester.V5.Install2.Command.Injection http://www.fortinet.com/ids/VID37375 4

Top Low Threats Crossing The Network


# Attack Name Reference Total Num
1 SIPVicious.SIP.Scanner http://www.fortinet.com/ids/VID40674 28,706
2 Muieblackcat.Scanner http://www.fortinet.com/ids/VID40582 894
3 ZmEu.Vulnerability.Scanner http://www.fortinet.com/ids/VID30024 689
4 Acunetix.Web.Vulnerability.Scanner http://www.fortinet.com/ids/VID39769 621
5 VxWorks.WDB.Debug.Service.Version.Number.Scanner http://www.fortinet.com/ids/VID44135 371
6 Masscan.Scanner http://www.fortinet.com/ids/VID44778 312
7 IKE.Exchange.DoS.Version http://www.fortinet.com/ids/VID13129 87
8 Nikto.Web.Scanner http://www.fortinet.com/ids/VID44780 17
9 vBulletin.misc.Arbitrary.PHP.Code.Execution http://www.fortinet.com/ids/VID12283 3

Top Info Threats Crossing The Network

No matching log data for this report



Top 20 Viruses Crossing The Network
As the FortiGate scans the network, it provides information about the viruses that are crossing
the network. The FortiGate is able to apply different strategies in order to detect malware:
- Signatures: Fortinet's Compact Pattern Recognition Language (CPRL)
- Heuristics, applied to:
  * file structure;
  * API calls.
The FortiGate's antivirus engine provides two main capabilities: decompression allows embedded
files to be extracted, and emulation allows the hidden layers of a malicious file to be
extracted.

Top Viruses By Name


# Virus Name Occurrences
1 PHP/Flooder.NAB!tr 6
2 PHP/PBot.G!tr.bdr 1



Top Virus Victims
This counter provides information about which network users are more prone to infection
from viruses. This enables direct identification of the host(s) that are creating sources of
malicious traffic on the network. The following chart displays the number of viruses detected
per end user.

Top Virus Victims


# Virus Victims Occurrences
1 198.50.141.13 6
2 185.62.204.168 1

Malwares Discovered
# Day Malware
1 2018-08-24 4
2 2018-08-25 2
3 2018-08-06 1

Application Vulnerabilities Discovered

No matching log data for this report



Data Loss Prevention Events
Fortinet's Data Loss Prevention solution uses sophisticated pattern matching techniques and
user identity to detect and prevent unauthorized communication of sensitive information and
files through the network perimeter. Fortinet DLP features include fingerprinting of document
files and document file sources, multiple inspection modes (proxy and flow-based), enhanced
pattern matching and data archiving. It is worth remembering that data loss events continue to
increase every year, resulting in fines, penalties and loss of revenue for companies worldwide.
Many data loss events are caused by trusted employees who frequently send sensitive data
into untrusted zones, either intentionally or by accident.

Top Data Loss Prevention Events

No matching log data for this report



Appendix A
Devices
FW_EXTERNAL
FW_INTERNAL

