Flowmon Solution - ALEF · Flowmon Solution [email protected] Your Network Under Control

Page 1

Roman Cupka, Regional Country Manager SEE

Flowmon Solution

[email protected]

Your Network Under Control

Page 2

• Founded in 2007 as a University Startup

• Now Global Network & Security Monitoring Technology Vendor

• Gartner MQ for NPMD 2016

• Alliance partner of the premium technology vendors

Company Introduction

Page 3

What We Do...

Network Visibility

IT Operations | Security

Network Performance Monitoring and Diagnostics (NPMD)

Application Performance Monitoring (APM)

Network Behavior Analysis (NBA)

DDoS Detection & Mitigation

Page 4

Security

Page 5

Challenges

Page 6

• Malware

• Ransomware

• Vulnerabilities

• Payment systems - digital transactions

• Attacks through employee systems

• Internet of Things

• Cyber Espionage

TOP of security threats in 2016

Page 7

Motives behind cyber attacks

Source: GLOBAL APPLICATION & NETWORK SECURITY REPORT 2015-2016 (Radware)

Page 8

Most Pressing Concerns

Source: GLOBAL APPLICATION & NETWORK SECURITY REPORT 2015-2016 (Radware)

Page 9

IoT security weakness

Page 10

• Shodan – search engine for IoT

https://www.shodan.io

Attackers' tools

Page 11

Next Generation Network Security - Behavior Analysis & Anomaly Detection

Detects and alerts on abnormal behaviors

Reports anomalies and advanced persistent threats

Detects intrusions and attacks not visible to standard signature-based tools

Flowmon Value Proposition – NBA

Paul E. Proctor, VP at Gartner: “Network behavior analysis is about higher visibility in the behavior of your network to cover gaps left by signature-based mechanisms.”

Page 12

Out-of-path detection and mitigation of volumetric DoS/DDoS attacks

Average cost of one minute of downtime is $22.000

Suitable for Telco / MSSP / Internet Service Providers

Protect business & client satisfaction

Easy, flexible and cost-efficient way of DDoS protection

Flowmon Value Proposition – DDoS

In-line DDoS protection doesn’t fit the needs of service providers. Let’s benefit from fast flow-based DDoS detection with out-of-path or cloud mitigation.

Page 13

Gartner Recommendation

Neil MacDonald, VP Distinguished Analyst, Gartner Security & Risk Management Summit

• Detection and response are more important than blocking and prevention.

• Monitoring and analysis should be at the core of all next-generation security platforms.

Page 14

IT Operations

Page 15

3 Devastating outages of major online services

Bank of America Online Banking Down Across U.S. (Duration: 6 days; Impact: affected 29 mil online customers)

Amazon EC2 Goes Dark in Morning Cloud Outage (Duration: 4 days; Impact: “stuck” instances of EBS)

Google Suffers First Gmail Outage (Duration: 2 days; Impact: 120 000 users affected)

Source: http://www.evolven.com/blog/2011-devastating-outages-major-brands.html

Service outage is expensive

Page 16

Gartner’s industry surveys estimate the cost of operational downtime at $5,600/min.

Application downtime and slowness always lead to a financial loss:

• Customer loss

• Company productivity loss

Downtime is expensive

Page 17

Network Performance Monitoring and Diagnostics

Provides visibility – “eyes” into the network traffic (based on NetFlow/IPFIX)

Provides “into-packet” visibility

Reduces mean time to resolve, builds up efficiency

Enables reduction of operational costs

Reduces downtime, ensures company productivity

Flowmon Value Proposition – Network

Gartner states that flow analysis should be done for 80% of operational issues and that packet capture with probes should be done 20% of the time.

Page 18

Application Performance Monitoring

Agentless measurement of user experience

Fast troubleshooting of application delays and errors

Ensures clients and employee satisfaction

Minimizes SLA breach

Flowmon Value Proposition – Applications

Network-based APM is a cost-effective alternative for customers requiring an easy-to-deploy solution to distinguish between network, application and database delay when monitoring user experience.

Page 19

How does it work?

Flow data collection, reporting, analysis

Flow data export + app layer monitoring

Flow data export from already deployed devices

Flowmon modules for advanced flow data analysis

SPAN/Mirror port or TAP

Page 20

Security Use Case

ICS/SCADA

Page 21

What is inside?

• Specialized devices with JeOS operating system

  Without a password or with default passwords

• "Industrial" computers with Windows / Linux OS

  Obsolete

  Not updated

  Insecure

• Endpoint security cannot be ensured

• Exposed to modern threats, just like conventional IT

• Additionally exposed to old, long-forgotten threats

Page 22

• THC-Hydra

a password-cracking tool

https://www.thc.org/thc-hydra/

• SCADA Strangelove project

identified more than 150 zero-day vulnerabilities in SCADA, ICS and PLCs

five percent of those being “dangerous remote code execution holes”

http://scadastrangelove.blogspot.cz/

• Pretty Shiny Sparkly ICS/SCADA/PLC Cheat Sheet

identifying almost 600 ICS, PLC and SCADA systems

http://www.slideshare.net/qqlan/internet-connected-icsscadaplc

Attackers' tools

Page 23

Typical OT network attack process

ICS have passed through a significant transformation from proprietary, isolated systems to open architectures and standard technologies highly interconnected with other corporate networks and the Internet. Today ICS products are mostly based on standard embedded systems platforms, applied in various devices such as routers or cable modems, and they often use commercial off-the-shelf software. All this has resulted in a reduction of costs and ease of use, and has enabled remote control and monitoring from various locations. However, an important drawback derived from the connection to intranets and communication networks is the increased vulnerability to computer network-based attacks.

Page 24

SCADA network (diagram)

Components shown: OPC Server, Application / File Server, Router, Engineering Station, HMI Stations, Database Server, RTU/PLC (x2), Enterprise / Outside world, Wired or Wireless Link, OT Firewall; field devices: Current Sensor, Relay, Voltage Sensor, Pressure Sensor, Level Sensor, Pump.

Attack path: Attacker (Ransomware?) → Botnet Infection of devices → Data Upload... (devices under attacker control)

Detection path: FM Probe → NetFlow Data Collection → Learning Baselines → FlowMon Collector → Diagnostics of NetFlow data → Alert or notification sent → Admin

Admin ALERT! Malware infection! File share anomaly! Data upload!

Security gaps: Segmentation (DMZ, WiFi, PCN...), Patching & Media (USB etc.) & no NAC... Missing deep network visibility!! Missing in security design!!

Advantage: Stable flows in SCADA Network!

ICS/SCADA Security issue

Critical Infrastructure (Utility)
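The detection chain on this slide (probe → flow collection → learned baselines → diagnostics → alert) relies on the fact that SCADA segments carry a small, stable set of conversations. The following is an added illustration, not Flowmon's code: it learns a per-conversation byte baseline from constructed NetFlow-style records and then flags a never-seen peer (a PLC talking to the outside world) and a bulk upload to a known server. All addresses, ports, volumes and thresholds are constructed for the example.

```python
# Added example (not Flowmon code): baseline learning over NetFlow-style records
# in the spirit of the slide's FM Probe -> collection -> learning baselines ->
# diagnostics -> alert chain. All records and thresholds are constructed here.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src, dst, dst_port, bytes). The SCADA segment is
# expected to carry a stable, repetitive set of conversations.
LEARNING = [
    ("10.1.1.10", "10.1.2.5", 502, 1200),    # HMI -> PLC, Modbus polls
    ("10.1.1.10", "10.1.2.6", 502, 1150),
    ("10.1.1.20", "10.1.1.30", 1433, 8000),  # engineering -> database
    ("10.1.1.10", "10.1.2.5", 502, 1300),
    ("10.1.1.20", "10.1.1.30", 1433, 8200),
    ("10.1.1.10", "10.1.2.6", 502, 1100),
]

def learn_baseline(flows):
    """Return {(src, dst, port): (mean_bytes, stdev_bytes)} from a learning window."""
    volumes = defaultdict(list)
    for src, dst, port, nbytes in flows:
        volumes[(src, dst, port)].append(nbytes)
    return {k: (mean(v), pstdev(v)) for k, v in volumes.items()}

def diagnose(flows, baseline, sigma=3.0, min_ratio=5.0):
    """Flag conversations absent from the baseline (new peer, e.g. a C2 or
    file-share contact) and known conversations whose volume far exceeds the
    learned mean (e.g. a bulk data upload). Returns a list of alert tuples."""
    alerts = []
    for src, dst, port, nbytes in flows:
        key = (src, dst, port)
        if key not in baseline:
            alerts.append(("NEW_CONVERSATION", key, nbytes))
            continue
        avg, sd = baseline[key]
        if nbytes > max(avg + sigma * sd, avg * min_ratio):
            alerts.append(("VOLUME_ANOMALY", key, nbytes))
    return alerts

# Constructed monitoring window: one PLC starts talking to an outside host and
# the engineering station pushes far more data to the database than usual.
MONITORING = [
    ("10.1.1.10", "10.1.2.5", 502, 1250),
    ("10.1.2.5", "203.0.113.7", 443, 40000),    # PLC -> Internet: never seen
    ("10.1.1.20", "10.1.1.30", 1433, 900000),   # bulk transfer to DB server
]

if __name__ == "__main__":
    for alert in diagnose(MONITORING, learn_baseline(LEARNING)):
        print(alert)
```

In a real deployment the learning window must itself be clean; a baseline learned while a device is already compromised will treat the attacker's traffic as normal.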

Page 25

• Detected by the security team of ÚVT MU in Dec 2009

• Detected by monitoring and analysing network traffic data

• Attacks SOHO routers and modems

  Architecturally similar devices like „smart meter“ devices (IoT)

• Cannot in principle be detected by standard anti-* solutions

• Infected devices are permanently connected to the network

• They can manipulate all traffic to / from the device

• Attack to gain remote access

  Using the default password

  Known combinations of passwords

  Ordinary dictionary attack

• More information: ČELEDA, Pavel, Radek KREJČÍ and Josef KADERKA. Na stopě Chucka Norrise. Data Security Management, Prague: TATE International, s.r.o., 2010, vol. 14, no. 2, pp. 30-33. ISSN 1211-8737.

Example – botnet Chuck Norris discovered

Page 26

IT Operations Use Case

Online Service Outage

Page 27

Client Service Center Communication

Client (calling the Client Service Center): “I have tried to access my account information for the whole day on your web page. It is very important... please check it out!”

Client Service Center Employee: “Well... It seems like some IT problem with your account... let me check it....”

Client: “Really? It is the second time in half a year and I waited 4 days last time!! It really affects my daily work… I am very angry and I am probably going to leave your services and your company as a client...”

“Ohm... I am really sorry, I can’t identify the problem... we will call you back.”

Page 28

Service Outage / Application Downtime (diagram)

Components shown: Firewall, Service Provider Core, DATACENTER, FlowMon Collector, FM Probe (x2).

Scenario: Client uses an application; the application has a problem with response time. The Manager of the Client Service Center contacts tech support about an internet connection / application problem: “What’s going on? IS is not working well!!!”

Network Admin: “Network is running well, no other issues reported. Problem has to be in the application…”

Application Admin: “Application seems to run OK, it should be a problem in the network…”

Detection path: FM Probe → NetFlow Data Collection, Learning Baselines and Packet Capturing → FlowMon Collector → Diagnostics of L7 layer data / NetFlow data (TCP reassembly, transport time, server response time, error codes...) → Alert or notification sent (Application performance / Operational issue)

Network Admin, 10 minutes later: “Internet line saturated? Windows update from unknown WSUS...”

Application Admin, 10 minutes later: “Error codes, long response time? The invoice part of IS needs to be fixed!”
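The slide's point is that transport time, server response time and error codes measured on the wire settle the "network or application?" argument within minutes. As an added illustration (not Flowmon's code, and not its actual metrics format) the script below compares a constructed incident window of L7-enriched flow records against a learned baseline and names the likely culprit; the server name, timings, status codes and thresholds are all constructed.

```python
# Added example (not Flowmon code): triage of an application slowdown from
# L7-enriched flow records, separating network delay (transport time) from
# application delay (server response time) and error codes, as the slide's
# collector does. All records and thresholds are constructed.
from collections import defaultdict
from statistics import median

# Constructed records: (server, transport_ms, server_response_ms, http_status)
BASELINE = [
    ("is.example.internal", 12, 80, 200), ("is.example.internal", 15, 95, 200),
    ("is.example.internal", 11, 85, 200), ("is.example.internal", 14, 90, 200),
]
INCIDENT = [
    ("is.example.internal", 13, 2400, 500), ("is.example.internal", 12, 2100, 200),
    ("is.example.internal", 14, 1900, 500), ("is.example.internal", 15, 2300, 500),
]

def summarize(records):
    """Per-server median transport time, median server response time and
    share of 5xx responses."""
    by_server = defaultdict(list)
    for server, transport, srt, status in records:
        by_server[server].append((transport, srt, status))
    out = {}
    for server, rows in by_server.items():
        out[server] = (median(r[0] for r in rows), median(r[1] for r in rows),
                       sum(1 for r in rows if r[2] >= 500) / len(rows))
    return out

def triage(baseline, incident, factor=3.0, err_rate=0.25):
    """Compare incident statistics with the baseline and name the likely
    culprit so network and application admins stop pointing at each other."""
    verdicts = {}
    base, now = summarize(baseline), summarize(incident)
    for server, (t_now, srt_now, err_now) in now.items():
        t_base, srt_base, _ = base.get(server, (t_now, srt_now, 0.0))
        findings = []
        if t_now > factor * t_base:
            findings.append("network: transport time elevated")
        if srt_now > factor * srt_base:
            findings.append("application: server response time elevated")
        if err_now >= err_rate:
            findings.append("application: high 5xx error rate")
        verdicts[server] = findings or ["no anomaly"]
    return verdicts

if __name__ == "__main__":
    for server, findings in triage(BASELINE, INCIDENT).items():
        print(server, findings)
```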

Page 29

Benefits

Outstanding user-friendliness: agentless, non-intrusive, easy and quick deployment, intuitive GUI, great time-to-value

All-in-one package: forensics, detection, reporting, added value across all IT operations

Ultimate scalability and performance: deployments in networks from 50 to 50 million users, world’s first 100G probes, the most powerful collectors

Transparent licensing and effective pricing: perpetual and subscription licensing per appliance capacity

Page 30

Client Landscape

Retail, utilities, cities, online, healthcare, universities and manufacturers all rely on Flowmon

Segments: ISP/Telco, Enterprise, Public, SMB

“Ensuring IT security is now easier and more affordable for our customers.” Jiri Sedlak, MSc, Director of SEC at O2 IT Services

"We can identify the causes of network issues easier than ever before." Masahiro Sato, Operations Network Engineer at SEGA

Page 31

Flowmon Networks a.s., U Vodárny 2965/2, 616 00 Brno, Czech Republic, www.flowmon.com

Roman Cupka, [email protected]

+421 948 464 123

© Flowmon Networks 2016