Network Automation in Support of Cyber Defense

Posted on 08-Apr-2017


NetBrain Technologies

15 Network Drive

Burlington, MA 01803

+1 800.605.7964

info@netbraintech.com

www.netbraintech.com

Network Automation in Support of Cyber Defense

Rick Larkin

Senior Network Engineer

NetBrain Technologies, Inc

23 June 2016

o DoD Cyber Defense Challenges

Real-time network visibility

Flexible network automation

o Adaptive Network Automation Framework

o Adaptive Network Automation Applied to Cyber Defense

Before

During

After

Agenda

Addressing network visibility and automation

DoD Cyber Defense Challenges

“DISA is a case in point. With 4.5 million users and 11 core data centers, its infrastructure generates about 10 million alarms per day… Approximately 2,000 of those become trouble tickets… …Then there’s hacking: DISA logs 800 billion security events per day… …Between countermeasures, configuration fixes, and the rest, DISA makes about 22,000 changes to its infrastructure every day…”

MG Zabel, Vice Director, DISA

http://www.cio.com/article/3068663/networks-need-automation-just-ask-the-us-military.html

[Figure: IT challenges, 1986 vs 2016] Today’s Threat = IT Challenges x 10

Cyber Defense Challenges

DoD Cyber Defense Challenges

[Word cloud of DoD cyber defense requirements: NIST RMF, DIACAP, 8500s, ATC/ATT/ATO, CNDSP, ASIs, POND, POA&M, CCRIs, IAVAs, OPREP/SITREP/CASREPs, AARs, STIGs, JIE, JRSS]

o Cyber Threats evolving rapidly, requirements increasing, resources strained

o Network Automation is a key force multiplier!

Two Unsolved Challenges

o Lack of Real-Time Network Visibility

» Traditional methods don’t work. Example: Static Network Maps.

» Need “real-time” network visualization, end to end

o Limited Network Automation

» Current network automation has a limited functional scope, requires writing complex regular expressions, and is not portable between environments.

» Need for Network Automation 2.0, that is,

o Data-driven

o Dynamically created

o Simplified

3 Generations of Network Visibility

o Generation 1:

» Discover the Network with SNMP

» Generate Asset and Inventory Reports

Discovery → Inventory

3 Generations of Network Visibility

Discovery → Inventory → Static map

o Generation 2:

» Added Static Map generation

3 Generations of Network Visibility

o Generation 3:

» Network model based (configuration, SNMP, NETFLOW, network tables, etc)

» Real-time, up-to-date, adaptive, dynamic solution

Discovery → Comprehensive Data Model → Dynamic, Data-Driven Map

Network Visibility & Management Today

• NetOps • CyberOps • CPTs • NOC • IA/ISSM • Architecture • Design

• IDS • IPS • Firewall • NetFlow Data • SIEM • Big Data Analytics

Download Executable Intelligence

Run Adaptive Network Automation

Adaptive Network Automation Framework

Comprehensive Data Model

• Topology • Design • History

Define Automation Task via Dynamic Map

• NetOps • CyberOps • CPTs • NOC • IA/ISSM • Architecture • Design

• IDS • IPS • Firewall • NetFlow Data • SIEM • Big Data Analytics

Applying Adaptive Network Automation

Before, during, and after a cyber event

Map as the Single Pane of Glass

» Automated Analysis – Fully Customizable

» Execute manual tasks in seconds

» Initiated by operators or automatically from integrated systems like IDS/IPS, Trouble Tickets, SIEM or CMDB.

Before – Discovery & Asset Identification

o Deep Network discovery

» Accurate, Fast

o Inventory Report

» Derived from comprehensive data model

o Dynamic network documentation, updated daily and on demand

» Supports ATO development, CCRI preparation and day-to-day operations

o Automated Compliance validation & verification

» NIST RMF, DISA/NSA STIGs, IAVAs, CC/S/A specific

o Proactive NetOps & CyberOps

» Automation technology can help CPTs, as well as on-site Network & IA staff

Before – Vulnerability Assessment

Triggered by human intervention or backend systems (IDS/IPS, Logs, CMDB, …)

» Map the threat (e.g. an attack path to a server)

» Run diagnosis and health analysis on the map

» Identify network changes

During – Threat Identification

Apply network changes and patches with automation:

» Configure policies (ACL/QoS/etc.)

» Redirect traffic (honeypot)

» Disable ports

During – Attack Mitigation
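As an added example (not NetBrain code) of the during-phase steps above, the following runbook step chains “map the threat” with “configure policies (ACL)” and “disable ports”: it locates the ingress interface of an alerted source address in a small constructed network data model, refuses to act on protected ranges, and emits a reviewable change set rather than pushing anything. The model layout, the protected prefixes and the SIEM alert are all constructed assumptions.

```python
import ipaddress
import json

# Constructed network data model (device -> interface -> attached subnet). It stands in
# for the deck's "comprehensive data model"; the layout is assumed, not NetBrain's.
NETWORK_MODEL = {
    "dmz-sw1": {"Gi1/0/1": "203.0.113.0/24", "Gi1/0/2": "198.51.100.0/24"},
    "core-rtr1": {"Gi0/0": "10.10.0.0/16", "Gi0/1": "10.20.0.0/16"},
}
# Guardrail: ranges the runbook must never block automatically (constructed values).
PROTECTED_PREFIXES = [ipaddress.ip_network(p) for p in ("10.10.0.0/24", "198.51.100.0/24")]
# Constructed SIEM alert, shaped as an integrated system might hand it to the runbook.
SAMPLE_ALERT = '{"src_ip": "203.0.113.45", "dst_ip": "10.20.5.7", "sig": "scan"}'

def locate_ingress(model, ip):
    """Map the threat: (device, interface) whose subnet most specifically contains ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for device, ifaces in model.items():
        for iface, prefix in ifaces.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[2].prefixlen):
                best = (device, iface, net)
    return None if best is None else (best[0], best[1])

def is_protected(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED_PREFIXES)

def build_mitigation(alert_json, model, shutdown=False):
    """Runbook step: turn an alert into a reviewable change set, or refuse with a reason.
    Output is Cisco IOS-style config text for an operator to approve; nothing is pushed."""
    alert = json.loads(alert_json)
    src = alert["src_ip"]
    if is_protected(src):
        return {"action": "refused", "reason": f"{src} is in a protected range"}
    located = locate_ingress(model, src)
    if located is None:
        return {"action": "refused", "reason": f"{src} is not in the network model"}
    device, iface = located
    acl = f"BLOCK-{alert['sig'].upper()}"
    lines = [f"ip access-list extended {acl}", f" deny ip host {src} any",
             " permit ip any any", f"interface {iface}", f" ip access-group {acl} in"]
    if shutdown:  # "disable ports": only when the operator explicitly asks for it
        lines.append(" shutdown")
    return {"action": "proposed", "device": device, "interface": iface, "config": lines}
```

Applying the ACL replaces whatever access-group is already bound to that interface, so a real runbook would merge with the existing policy before proposing the change.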

Apply lessons learned from the attack:

o Forensics/analysis

o Enhance executable intelligence

o Update network data model automatically

After – Strengthen Cyber Defense w/ Automation

o Cyber Event Management – Automation can significantly reduce response time

o Allows for collaboration between NetOps & CyberOps, as well as Tiered Teams.

o Runbooks allow process chaining in response to Asymmetric Cyber threats.

[Diagram: NetOps, CyberOps and Vendor Management – Collaboration & Escalation of issues]

Summary

Adaptive Network Automation Framework in support of Cyber Defense

o Before

» Maintain accurate, up to date documentation – ATOs, CCRI, best practice

» Verify & Validate compliance – NIST RMF, STIGs, IAVAs, CC/S/A specific

o During

» Identify and isolate impacted data, systems & networks

» Triage environments, and support rapid remediation

o After

» Based on newly discovered threat(s), apply new configurations and update documentation

» Leverage historical information for AARs and forensics

o Founded in 2004, NetBrain is the first software provider to apply the concept of CAD automation to network management.

» Awarded multiple patents in Computer Aided Network Engineering (C.A.N.E.)

o Customer overview

» 1,300+ customers worldwide

» Multiple sectors

Adaptive Automation – Here and Now