Flowmon Solution - ALEF

Post on 04-Apr-2018



Roman Cupka, Regional Country Manager SEE

Flowmon Solution

roman.cupka@flowmon.com

Your Network Under Control

• Founded in 2007 as a University Startup

• Now Global Network & Security Monitoring Technology Vendor

• Gartner MQ for NPMD 2016

• Alliance partner of the premium technology vendors

Company Introduction

What We Do...

Network Visibility

IT Operations Security

Network Performance

Monitoring and Diagnostics

Application Performance Monitoring

Network Behavior Analysis

DDoS Detection & Mitigation

NPMD APM NBA

Security

Challenges

• Malware

• Ransomware

• Vulnerabilities

• Payment systems - digital transactions

• Attacks through employee systems

• Internet of Things

• Cyber Espionage

TOP of security threats in 2016

Motives behind cyber attacks

Source:

GLOBAL APPLICATION & NETWORK SECURITY REPORT 2015-2016 (Radware)

Most Pressing Concerns

Source:

GLOBAL APPLICATION & NETWORK SECURITY REPORT 2015-2016 (Radware)

IoT security weakness

• Shodan – search engine for IoT

https://www.shodan.io

Attackers' tools

Next Generation Network Security - Behavior Analysis & Anomaly Detection

Detects and alerts on abnormal behaviors

Reports anomalies and advanced persistent threats

Detects intrusions and attacks not visible to standard signature-based tools

Flowmon Value Proposition – NBA

Paul E. Proctor, VP at Gartner: “Network behavior analysis is about higher visibility in the behavior of your network to cover gaps left by signature based mechanism.”

Out of path Detection and Mitigation of volumetric DoS/DDoS attacks

Average cost of one minute downtime is $22.000

Suitable for Telco / MSSP / Internet Service Providers

Protect business & client satisfaction

Easy, flexible and cost efficient way of DDoS Protection

Flowmon Value Proposition – DDoS

In-line DDoS protection doesn’t fit the needs of service providers. Let’s benefit from fast flow-based DDoS detection with out-of-path or cloud mitigation.

Gartner Recommendation

Neil MacDonald, VP Distinguished Analyst, Gartner Security & Risk Management Summit

• Detection and response are more important than blocking and prevention.

• Monitoring and analysis should be at the core of all next-generation security platforms.

IT Operations

3 Devastating outages of major online services

Bank of America Online Banking Down Across U.S. (Duration: 6 days; Impact: affected 29 mil online customers)

Amazon EC2 Goes Dark in Morning Cloud Outage (Duration: 4 days; Impact: “stuck” instances of EBS)

Google Suffers First Gmail Outage (Duration: 2 days; Impact: 120 000 users affected)

Source: http://www.evolven.com/blog/2011-devastating-outages-major-brands.html

Service outage is expensive

Gartner’s industry surveys estimate the cost of operational downtime at $5,600/min.

Application downtime and slowness always lead to a financial loss:

• Customer loss

• Company productivity loss

Downtime is expensive

Network Performance Monitoring and Diagnostics

Provides visibility – “eyes” into the network traffic (based on NetFlow/IPFIX)

Provides “into-packet” visibility

Reduces mean-time to resolve, builds up efficiency

Enables operational costs to be reduced

Reduces downtimes, ensures company productivity

Flowmon Value Proposition – Network

Gartner states that flow analysis should be used for 80% of operational issues and that packet capture with probes should be done 20% of the time.

Application Performance Monitoring

Agentless measurement of user experience

Fast troubleshooting of application delays and errors

Ensures client and employee satisfaction

Minimizes SLA breaches

Flowmon Value Proposition – Applications

Network-based APM is a cost-effective alternative for customers requiring an easy-to-deploy solution to distinguish between network, application and database delay when monitoring user experience.

How does it work?

Flow data collection, reporting, analysis

Flow data export + application layer monitoring

Flow data export from already deployed devices

Flowmon modules for advanced flow data analysis

SPAN/Mirror port or TAP

Security Use Case

ICS/SCADA

What is inside?

• Specialized devices with a JeOS operating system

Without a password or with default passwords

"Industrial" computers with Windows / Linux OS

Obsolete

Not updated

Insecure

• Endpoint security cannot be ensured

• Exposed to modern threats just like conventional IT

• Additionally exposed to old, long-forgotten threats

• THC-Hydra

a password-cracking tool

https://www.thc.org/thc-hydra/

• SCADA Strangelove project

identified more than 150 zero-day vulnerabilities in SCADA, ICS and PLCs, five percent of those being “dangerous remote code execution holes”

http://scadastrangelove.blogspot.cz/

• Pretty Shiny Sparkly ICS/SCADA/PLC Cheat Sheet

identifying almost 600 ICS, PLC and SCADA systems

http://www.slideshare.net/qqlan/internet-connected-icsscadaplc

Attackers' tools

Typical OT network attack process

ICS have passed through a significant transformation from proprietary, isolated systems to open architectures and standard technologies highly interconnected with other corporate networks and the Internet. Today ICS products are mostly based on standard embedded systems platforms, applied in various devices such as routers or cable modems, and they often use commercial off-the-shelf software. All this has resulted in cost reductions and ease of use, and has enabled remote control and monitoring from various locations. However, an important drawback derived from the connection to intranets and communication networks is the increased vulnerability to computer network-based attacks.

Diagram: typical OT network attack process and its detection (slide: ICS/SCADA Security issue)

SCADA network components: OPC server, application / file server, router, engineering station, HMI stations, database server, RTU/PLC units, wired or wireless links to field devices (current sensor, relay, voltage sensor, pressure sensor, level sensor, pump), and an OT firewall towards the enterprise / outside world.

Attack path: attacker -> botnet infection of devices (ransomware?) -> data upload (devices under attacker control).

Detection path: FM Probes perform NetFlow data collection, the FlowMon Collector learns baselines and diagnoses the NetFlow data, and an alert or notification is sent to the admin: "ALERT! Malware infection! File share anomaly! Data upload!"

Security gaps noted on the slide: segmentation (DMZ, WiFi, PCN...), patching, removable media (USB etc.), no NAC, missing deep network visibility, missing in the security design. Advantage: stable flows in the SCADA network!

ICS/SCADA Security issue
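The "learn baselines, then alert on deviations" step of the diagram above, as an added example that is not Flowmon's code: a small network-behavior-analysis pass over NetFlow-style records from a SCADA segment, where the set of (src, dst, dport) flows is normally stable. The record format, the 10.x address range and the volume threshold are assumptions.

```python
# Added example (not Flowmon's code): minimal network-behavior analysis over
# NetFlow-style records. On a stable SCADA network the set of (src, dst,
# dport) flows barely changes, so a learned baseline exposes deviations.
from collections import defaultdict

# Constructed NetFlow-style records: (src, dst, dport, bytes).
BASELINE_WINDOW = [
    ("10.1.0.10", "10.1.0.5", 4840, 1200),  # HMI -> OPC server (OPC UA)
    ("10.1.0.10", "10.1.0.5", 4840, 1300),
    ("10.1.0.20", "10.1.0.5", 4840, 900),   # engineering station -> OPC
    ("10.1.0.5", "10.1.0.30", 502, 400),    # OPC server -> PLC (Modbus)
    ("10.1.0.5", "10.1.0.30", 502, 420),
]
LIVE_WINDOW = [
    ("10.1.0.10", "10.1.0.5", 4840, 1250),          # normal
    ("10.1.0.30", "203.0.113.7", 443, 5_000_000),   # PLC -> Internet: upload
    ("10.1.0.20", "10.1.0.5", 445, 20_000_000),     # new SMB flow: file share
    ("10.1.0.5", "10.1.0.30", 502, 50_000),         # known flow, huge volume
]

def learn_baseline(records):
    """Return the known flow tuples and the average bytes per source."""
    known, totals, counts = set(), defaultdict(int), defaultdict(int)
    for src, dst, dport, nbytes in records:
        known.add((src, dst, dport))
        totals[src] += nbytes
        counts[src] += 1
    return known, {src: totals[src] / counts[src] for src in totals}

def is_internal(ip):
    return ip.startswith("10.")  # assumed SCADA address range

def detect(records, known, avg, volume_factor=10):
    """Return (record, reason) for every record deviating from the baseline."""
    alerts = []
    for rec in records:
        src, dst, dport, nbytes = rec
        tup = (src, dst, dport)
        if tup not in known and not is_internal(dst):
            alerts.append((rec, "data upload: new flow to outside world"))
        elif tup not in known:
            alerts.append((rec, "file share anomaly: new internal flow"))
        elif src in avg and nbytes > volume_factor * avg[src]:
            alerts.append((rec, "volume anomaly: bytes far above baseline"))
    return alerts

if __name__ == "__main__":
    known, avg = learn_baseline(BASELINE_WINDOW)
    for rec, reason in detect(LIVE_WINDOW, known, avg):
        print(reason, rec)
```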

Critical Infrastructure (Utility)

• Detected by the security team of ÚVT MU in Dec 2009

• Detected by monitoring and analysis of network traffic data

• Attacks SOHO routers and modems

Architecturally similar devices such as "smart meter" devices (IoT)

• Cannot in principle be detected by standard anti-* solutions

• Infected devices are permanently connected to the network

• They can manipulate all traffic to / from the device

• Attack to gain remote access

Using the default password

Known combinations of passwords

Ordinary dictionary attack

• More information: ČELEDA, Pavel, Radek KREJČÍ and Josef KADERKA. Na stopě Chucka Norrise. Data Security Management, Praha: TATE International, s.r.o., 2010, vol. 14, no. 2, pp. 30-33. ISSN 1211-8737.

Example – botnet Chuck Norris discovered

IT Operations Use Case

Online Service Outage

Client Service Center Communication

Client (calling the Client Service Center): “I have tried to access my account information for the whole day on your web page. It is very important... please check it out!”

Client Service Center Employee: “Well... It seems like some IT problem with your account... let me check it...”

Client: “Really? It is the second time in half a year and I was waiting 4 days last time!! It really affects my daily work… I am very angry and I am probably going to leave your services and your company as a client...”

Client Service Center Employee: “Uhm... I am really sorry, I can’t identify the problem... we will call you back.”

Diagram: online service outage scenario (slide: Service Outage / Application Downtime)

Topology: client -> service provider core -> firewall -> datacenter, with FM Probes feeding a FlowMon Collector (NetFlow data collection, learning baselines and packet capturing).

Sequence: a client uses an application and the application has a problem with response time; the manager of the Client Service Center contacts tech support about an internet connection / application problem ("What's going on? IS is not working well!!!"). The collector diagnoses L7 layer data and NetFlow data (TCP reassembly, transport time, server response time, error codes...) and sends an alert or notification for the application performance / operational issue.

10 minutes later, the network admin: "Internet line saturated? Windows update from an unknown WSUS..."

10 minutes later, the application admin: "Error codes, long response time? The invoice part of the IS needs to be fixed!"

Service Outage / Application Downtime

Without that visibility the teams argue in circles: "Network is running well, no other issues reported. Problem has to be in the application…" / "Application seems to run OK, it should be a problem in the network…"
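The per-transaction measurements the outage slide lists (TCP handshake timing, server response time, transport time, error codes) and the network-vs-application split from the APM value proposition, as an added example that is not Flowmon's code: metrics computed from one passively observed TCP/HTTP transaction as a probe on a SPAN port near the server would see it. The Transaction fields, timestamps and thresholds are constructed for illustration.

```python
# Added example (not Flowmon's code): network-based APM metrics derived from
# one passively observed TCP/HTTP transaction, as a probe on a SPAN port near
# the server would see it. Timestamps (seconds) and thresholds are constructed.
from dataclasses import dataclass

@dataclass
class Transaction:
    syn: float         # client SYN seen by the probe
    syn_ack: float     # server SYN-ACK
    ack: float         # client ACK completing the handshake
    req_last: float    # last byte of the client request
    resp_first: float  # first byte of the server response
    resp_last: float   # last byte of the server response
    status: int        # HTTP status code

def apm_metrics(t):
    """Split one transaction into network, server and transport delay (ms)."""
    return {
        # probe sits next to the server, so SYN -> SYN-ACK is server stack latency
        "server_rtt_ms": (t.syn_ack - t.syn) * 1000,
        # SYN-ACK -> ACK crosses the network to the client and back
        "network_rtt_ms": (t.ack - t.syn_ack) * 1000,
        # request complete -> first response byte: application/database think time
        "server_response_ms": (t.resp_first - t.req_last) * 1000,
        # first -> last response byte: how long the payload took to stream
        "transport_ms": (t.resp_last - t.resp_first) * 1000,
        "error": t.status >= 500,
    }

def diagnose(m, net_limit_ms=100, srt_limit_ms=500):
    """Attribute the delay to the tier the slide's admins argue about."""
    if m["error"]:
        return "application: server error code"
    if m["server_response_ms"] > srt_limit_ms:
        return "application/database: slow server response"
    if m["network_rtt_ms"] > net_limit_ms:
        return "network: high client-side RTT"
    return "ok"

# Constructed samples: healthy call, slow invoice endpoint, saturated line, 5xx.
HEALTHY = Transaction(0.000, 0.001, 0.021, 0.025, 0.105, 0.130, 200)
SLOW_APP = Transaction(0.000, 0.001, 0.021, 0.025, 2.400, 2.450, 200)
BAD_NET = Transaction(0.000, 0.001, 0.350, 0.400, 0.480, 1.900, 200)
ERR = Transaction(0.000, 0.001, 0.021, 0.025, 0.105, 0.130, 503)

if __name__ == "__main__":
    for name, t in [("healthy", HEALTHY), ("slow_app", SLOW_APP), ("bad_net", BAD_NET), ("err", ERR)]:
        print(name, diagnose(apm_metrics(t)))
```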

Benefits

Outstanding user-friendliness: agentless, non-intrusive, easy and quick deployment, intuitive GUI, great time-to-value

All-in-one package: forensics, detection, reporting, added value across all IT operations

Ultimate scalability and performance: deployments in networks from 50 to 50 million users, world’s first 100G probes, the most powerful collectors

Transparent licensing and effective pricing: perpetual and subscription licensing per appliance capacity

Client Landscape

Retail, utilities, cities, online, healthcare, universities and manufacturers all rely on Flowmon

“Ensuring of IT security is now easier and more affordable for our customers.” Jiri Sedlak, MSc, Director of SEC at O2 IT Services

Segments: ISP/Telco, Enterprise, Public, SMB

"We can identify the causes of network issues easier than ever before." Masahiro Sato, Operations Network Engineer at SEGA

Flowmon Networks a.s., U Vodárny 2965/26, 616 00 Brno, Czech Republic, www.flowmon.com

Roman Cupka, roman.cupka@flowmon.com

+421 948 464 123

© Flowmon Networks 2016