Harnessing the Power of Metadata for Security
Transcript of Harnessing the Power of Metadata for Security
© 2016 Gigamon. All rights reserved.
A Story about Metadata…
Harnessing the Power of Metadata for Security
John Pollack, Senior Sales Engineer, Gigamon
First Some Context
Consider First: There’s Too Much Data
[Chart: Network Speed (1Gb, 10Gb, 40Gb, 100Gb) against % of Data Consumable by Tools; series: Signature- and Policy-Based Security Tools, Advanced Analytics; labels: Network & Applications Infrastructure, Lack of Situational Awareness]
This is the BIG DATA problem: the volume of data is accelerating faster than the ability of the tools to consume it.
Growth in the “Speed” of Data
Time to process a single Ethernet frame on a 100Gb/s link with minimum-size packets
Real-time Threat Prevention Is Getting Harder
PARTICULARLY FOR UNKNOWN THREATS
Democratization of cyber threats!
Too Little Time
• 67.2 ns between packets at 10G
• For unknown threats, just not enough time, knowledge, or context to make a determination
Too Many Bad Guys
• Large established ecosystem of distributors for malware
• Sophisticated kits & tools for rent
• Front end, back end, and support infrastructure
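The arithmetic behind the "67.2 ns between packets at 10G" figure, and the per-frame budget on the other link speeds the deck's chart shows, as an added example that is not part of the original presentation. It assumes standard Ethernet framing (8 bytes of preamble and SFD, a 12-byte inter-frame gap) and a 64-byte minimum frame; the function and constant names are mine.

```python
# Added example (not from the deck): the arithmetic behind "67.2 ns between
# packets at 10G" and the per-frame time budget at other link speeds.
# Assumes standard Ethernet framing on the wire: 7-byte preamble + 1-byte SFD
# before each frame and a 12-byte inter-frame gap after it.

PREAMBLE_SFD_BYTES = 8
IFG_BYTES = 12
MIN_FRAME_BYTES = 64    # smallest legal Ethernet frame, FCS included
MAX_FRAME_BYTES = 1518  # largest standard (non-jumbo) frame, FCS included


def inter_frame_time_ns(link_gbps, frame_bytes=MIN_FRAME_BYTES):
    """Time between the start of consecutive frames, in nanoseconds."""
    wire_bits = (PREAMBLE_SFD_BYTES + frame_bytes + IFG_BYTES) * 8
    return wire_bits / link_gbps  # bits divided by Gbit/s gives ns


def max_frames_per_second(link_gbps, frame_bytes=MIN_FRAME_BYTES):
    """Worst-case packet rate a tool on this link must keep up with."""
    return 1e9 / inter_frame_time_ns(link_gbps, frame_bytes)


def time_budget_table(link_rates_gbps=(1, 10, 40, 100)):
    """Per-frame budget and peak rate for each link speed on the deck's chart axis."""
    return [
        {
            "link_gbps": rate,
            "min_frame_ns": round(inter_frame_time_ns(rate), 2),
            "max_frame_ns": round(inter_frame_time_ns(rate, MAX_FRAME_BYTES), 2),
            "peak_pps": round(max_frames_per_second(rate)),
        }
        for rate in link_rates_gbps
    ]


def tool_coverage_fraction(tool_pps, link_gbps, frame_bytes=MIN_FRAME_BYTES):
    """Fraction of worst-case line rate a tool inspecting tool_pps packets/s can see."""
    return min(1.0, tool_pps / max_frames_per_second(link_gbps, frame_bytes))


if __name__ == "__main__":
    for row in time_budget_table():
        print(row)
```

Running the table shows the deck's point directly: 672 bits per minimum frame on the wire gives 67.2 ns at 10G and 6.72 ns at 100G, or about 14.88 million frames per second at 10G, and a tool that inspects one million packets per second sees under 7% of that worst case.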
What Can Be Done?
Remember The Attacker Lifecycle?
GOAL IS TO BREAK THE CHAIN – NOT JUST TRY TO PREVENT IT
1. Reconnaissance
2. Phishing & zero-day attack
3. Back door
4. Lateral movement
5. Data gathering
6. Exfiltrate
What Does It Take?
TRIANGULATION THROUGH BIG DATA AND PREDICTIVE ANALYTICS
Need to establish “Context” (Normal-ish)
• Specific to each organization
• Requires data from across the entire organization
Need to understand “Intent” (Bad-ish)
• Built from previous bad behavior, sandboxing, threat information feeds
• Build out predictive models
Triangulation against both, with a constant feedback loop
BUT Context Is Hard To Derive
A LABORIOUS AND INEFFICIENT EFFORT IN TODAY’S ENVIRONMENTS
Slows Down Analysis, Slows Down Response, Slows Down The Feedback Cycle
Sources
• Endpoints and servers
• Applications
• Switches, routers
• Network appliances
Challenges
• Different departments
• Different access rights
• Different formats
• Agent requirements
Consequences
• Massive inefficiencies
• Too much data
• Less control
• Performance impact
Leverage Network “Metadata”!
CONTEXT AND ULTIMATELY FASTER TRIANGULATION
User, Device, Application, Cloud, Virtual, Physical
The Network Is The Single Most Content Rich Source of Truth!
Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and subject to change.
The Case for Metadata
Better Security Efficacy
• Reduce massive volumes of data
• Extract essential information for security tools to consume
Faster Time to Detect
• Analyze metadata versus raw packet streams over time
• Discover suspicious threats and anomalous behavior
Overcome Limited Reach
• Security tools do not have access to valuable information in the network
• E.g.: access to AD server, authoritative DNS requests & responses
Separate Signal from Noise
• Security tools are unable to separate signal from noise in Big Data
• Detect threats more efficiently
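How "reduce massive volumes of data" works in practice: a flow exporter collapses every packet of a conversation into one NetFlow/IPFIX-style record, keyed by the 5-tuple and aged out by timeouts, and a security tool then analyzes those records instead of the packet stream. The block below is an added example, not Gigamon's code or the NetFlow/IPFIX Generation feature of the deck; the packets are constructed sample headers, and the record fields, timeouts and per-record size are assumptions modelled on common flow exporters.

```python
# Added example (not Gigamon's code): how NetFlow/IPFIX-style flow records are
# generated from raw packets, and the data reduction that results. The packets
# are constructed sample headers; the record fields, timeouts and record size
# are assumptions modelled on common flow exporters, not any product's schema.
from collections import OrderedDict

ACTIVE_TIMEOUT_S = 60.0  # assumption: export a long-lived flow at least every 60 s
IDLE_TIMEOUT_S = 15.0    # assumption: export a flow after 15 s without packets
RECORD_BYTES = 48        # assumption: bytes per exported record (real templates vary)


class FlowCache:
    """Unidirectional 5-tuple flow cache, as a flow exporter keeps it."""

    def __init__(self):
        self.flows = OrderedDict()  # (src, dst, proto, sport, dport) -> record
        self.exported = []

    def add_packet(self, ts, src, dst, proto, sport, dport, size, flags=""):
        self.expire(ts)  # age out flows before this packet is accounted
        key = (src, dst, proto, sport, dport)
        rec = self.flows.get(key)
        if rec is None:
            rec = {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
                   "first": ts, "last": ts, "packets": 0, "bytes": 0, "flags": set()}
            self.flows[key] = rec
        rec["last"] = ts
        rec["packets"] += 1
        rec["bytes"] += size
        rec["flags"].update(flags)
        if "F" in flags or "R" in flags:  # TCP teardown: export the flow immediately
            self._export(key)

    def expire(self, now):
        """Export flows that have gone idle or exceeded the active timeout."""
        for key in list(self.flows):
            rec = self.flows[key]
            if now - rec["last"] >= IDLE_TIMEOUT_S or now - rec["first"] >= ACTIVE_TIMEOUT_S:
                self._export(key)

    def flush(self):
        """Export everything still in the cache (end of capture) and return all records."""
        for key in list(self.flows):
            self._export(key)
        return self.exported

    def _export(self, key):
        rec = self.flows.pop(key)
        rec["flags"] = "".join(sorted(rec["flags"]))  # frozen into a string on export
        self.exported.append(rec)


# Constructed packets: (ts, src, dst, proto, sport, dport, wire bytes, TCP flags).
# One DNS lookup, one short HTTPS session, then the same DNS 5-tuple after an idle gap.
PACKETS = [
    (0.00, "10.0.0.5", "192.0.2.53", "udp", 53211, 53, 74, ""),
    (0.02, "192.0.2.53", "10.0.0.5", "udp", 53, 53211, 130, ""),
    (0.10, "10.0.0.5", "203.0.113.10", "tcp", 44120, 443, 74, "S"),
    (0.13, "203.0.113.10", "10.0.0.5", "tcp", 443, 44120, 74, "SA"),
    (0.13, "10.0.0.5", "203.0.113.10", "tcp", 44120, 443, 66, "A"),
    (0.20, "10.0.0.5", "203.0.113.10", "tcp", 44120, 443, 583, "PA"),
    (0.25, "203.0.113.10", "10.0.0.5", "tcp", 443, 44120, 1514, "A"),
    (0.25, "203.0.113.10", "10.0.0.5", "tcp", 443, 44120, 1514, "A"),
    (0.26, "203.0.113.10", "10.0.0.5", "tcp", 443, 44120, 900, "PA"),
    (0.30, "10.0.0.5", "203.0.113.10", "tcp", 44120, 443, 66, "FA"),
    (0.32, "203.0.113.10", "10.0.0.5", "tcp", 443, 44120, 66, "FA"),
    (30.0, "10.0.0.5", "192.0.2.53", "udp", 53211, 53, 74, ""),
]


def generate_flows(packets):
    """Run a packet list through the cache and return the exported records in order."""
    cache = FlowCache()
    for pkt in packets:
        cache.add_packet(*pkt)
    return cache.flush()


def reduction_ratio(packets, records):
    """Raw packet bytes divided by the bytes of flow records describing them."""
    raw_bytes = sum(p[6] for p in packets)
    return raw_bytes / (len(records) * RECORD_BYTES)


if __name__ == "__main__":
    records = generate_flows(PACKETS)
    for rec in records:
        print(rec)
    print("reduction ratio:", round(reduction_ratio(PACKETS, records), 1))
```

Twelve packets become five records (the HTTPS session exports on FIN, the first DNS pair on idle timeout, the late DNS query at flush), and even with a generous 48 bytes per record the records are about 21 times smaller than the packets they summarize. The flags, byte counts and durations are what a tool analyzing "metadata over time" has to work with, which is why the deck pairs metadata with on-demand access to the full packet stream.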
How Can It Be Accomplished?
The World of Network MetaData
• DNS query and response information
• User flow records and session information
• Kerberos and user login information
• Server, application connectivity information
• SSL certificate information
• HTTP request, response information
• DHCP query and response information
• URL access information
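The "triangulation" slide earlier and the metadata inventory above come together when the record types are correlated for one host: DHCP and Kerberos records say which device and user an IP belongs to, DNS and flow records from a quiet period define what is normal-ish for that host, and a threat feed plus TLS certificate metadata supply the bad-ish intent signals. The block below is an added example, not Gigamon's code or the Metadata Engine; every record, host, user, address and feed entry is constructed, and the field names and scoring are assumptions.

```python
# Added example (not Gigamon's code): triangulating "Context" (what is normal-ish
# for this organization) against "Intent" (known-bad indicators) across the metadata
# types listed above: DHCP, Kerberos, DNS, TLS certificates and flow records.
# Every record, host, user, IP and feed entry below is constructed, and the record
# field names are assumptions, not any product's schema.

# Constructed metadata records (ts in seconds); the first 100 s are the baseline.
BASELINE_END = 100
DHCP = [{"ts": 1, "ip": "10.0.0.5", "mac": "00:11:22:33:44:55", "hostname": "fin-laptop-07"}]
KERBEROS = [{"ts": 2, "ip": "10.0.0.5", "user": "alice", "realm": "CORP.EXAMPLE", "result": "ok"}]
DNS = [
    {"ts": 10, "ip": "10.0.0.5", "qname": "intranet.corp.example", "answers": ["10.0.1.20"]},
    {"ts": 11, "ip": "10.0.0.5", "qname": "mail.corp.example", "answers": ["10.0.1.25"]},
    {"ts": 12, "ip": "10.0.0.5", "qname": "updates.vendor.example", "answers": ["203.0.113.40"]},
    {"ts": 500, "ip": "10.0.0.5", "qname": "cdn-metrics.invalid", "answers": ["198.51.100.77"]},
]
TLS_CERTS = [{"ts": 501, "server_ip": "198.51.100.77", "subject": "CN=localhost",
              "issuer": "CN=localhost", "self_signed": True}]
FLOWS = [
    {"ts": 12, "src": "10.0.0.5", "dst": "203.0.113.40", "dport": 443, "bytes_out": 2_000, "bytes_in": 40_000},
    {"ts": 502, "src": "10.0.0.5", "dst": "198.51.100.77", "dport": 443, "bytes_out": 48_000_000, "bytes_in": 3_000},
]
# Constructed "intent" model: a threat feed of domains plus IPs learned from confirmed alerts.
THREAT_FEED = {"domains": {"cdn-metrics.invalid"}, "ips": set()}


def build_context(ip):
    """Context for one internal host: who and what it is, and its baseline behaviour."""
    ctx = {"ip": ip, "user": None, "hostname": None, "mac": None,
           "known_domains": set(), "known_dsts": set()}
    for r in DHCP:
        if r["ip"] == ip:
            ctx["hostname"], ctx["mac"] = r["hostname"], r["mac"]
    for r in KERBEROS:
        if r["ip"] == ip and r["result"] == "ok":
            ctx["user"] = f'{r["user"]}@{r["realm"]}'
    for r in DNS:
        if r["ip"] == ip and r["ts"] < BASELINE_END:
            ctx["known_domains"].add(r["qname"])
    for f in FLOWS:
        if f["src"] == ip and f["ts"] < BASELINE_END:
            ctx["known_dsts"].add(f["dst"])
    return ctx


def intent_signals(ip, feed=THREAT_FEED):
    """Known-bad indicators: threat-feed names/IPs and self-signed server certificates."""
    signals = []
    for r in DNS:
        if r["ip"] == ip and r["ts"] >= BASELINE_END and r["qname"] in feed["domains"]:
            signals.append(("threat-feed domain", r["qname"], r["ts"]))
    self_signed = {c["server_ip"] for c in TLS_CERTS if c["self_signed"]}
    for f in FLOWS:
        if f["src"] != ip or f["ts"] < BASELINE_END:
            continue
        if f["dst"] in self_signed:
            signals.append(("self-signed cert at destination", f["dst"], f["ts"]))
        if f["dst"] in feed["ips"]:
            signals.append(("threat-feed IP", f["dst"], f["ts"]))
    return signals


def context_signals(ip, ctx):
    """Deviations from the host's own baseline: new names, upload-heavy flows to new peers."""
    signals = []
    for r in DNS:
        if r["ip"] == ip and r["ts"] >= BASELINE_END and r["qname"] not in ctx["known_domains"]:
            signals.append(("never-before-seen domain", r["qname"], r["ts"]))
    for f in FLOWS:
        if (f["src"] == ip and f["ts"] >= BASELINE_END and f["dst"] not in ctx["known_dsts"]
                and f["bytes_out"] > 10 * f["bytes_in"]):
            signals.append(("upload-heavy flow to new destination", f["dst"], f["ts"]))
    return signals


def triangulate(ip, feed=THREAT_FEED):
    """Alert only when intent and context both point at the host; attribute to user and device."""
    ctx = build_context(ip)
    intent, context = intent_signals(ip, feed), context_signals(ip, ctx)
    if not intent or not context:
        return None
    return {"ip": ip, "user": ctx["user"], "hostname": ctx["hostname"],
            "intent": intent, "context": context, "score": 2 * len(intent) + len(context)}


def feedback(alert, feed=THREAT_FEED):
    """Feedback loop: indicators from a confirmed alert are folded into the intent model."""
    for kind, value, _ in alert["context"]:
        if kind.endswith("domain"):
            feed["domains"].add(value)
        elif kind.endswith("destination"):
            feed["ips"].add(value)
    return feed


if __name__ == "__main__":
    print(triangulate("10.0.0.5"))
```

For the constructed host the two intent signals (feed domain, self-signed certificate) and two context signals (new domain, upload-heavy flow to a destination never seen in the baseline) line up on one IP, and the DHCP and Kerberos records turn that IP into a named device and user for the responder. Either side alone is weaker: the feed hit without the baseline deviation might be a benign lookup, and the deviation without the feed hit might be a new SaaS vendor. The feedback call closes the loop the slide draws, so the destination IP becomes an intent indicator for every host the next time the records are scored.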
Necessary and Sufficient?
Metadata: For Fast Approximation
Necessary And Sufficient?
Full Packet Stream: For Homing In On Threats
GigaSECURE’s Metadata Engine
SPEEDING UP TRIANGULATION -> FASTER ANALYTICS
[Diagram: GigaVUE-VM and GigaVUE® Nodes, with Application Session Filtering, SSL Decryption, Inline Bypass, NetFlow / IPFIX Generation and the Metadata Engine; security tools shown: Intrusion Detection System, Data Loss Prevention, Email Threat Detection, IPS (Inline), Anti-Malware (Inline), Forensics, Context and Intent-based Big Data Analytics]
Metadata Engine
• DNS query and response information
• DHCP query and response information
• URL access information
• HTTP request, response information
• SSL certificate information
• Kerberos and user login information
• Server, application connectivity information
• User flow records and session information
Consumers of Metadata
[Diagram: consumers of NetFlow / IPFIX Generation, with status labels: Currently Available (2), In progress (4)]
Key Takeaways
• Security will increasingly rely on building Context and Intent
• Network-based metadata followed by programmable packet data streams will become the simplest and most comprehensive approach to security analytics
• Gigamon with its GigaSECURE® SDP is uniquely positioned to be the single, best source of both content-rich metadata and programmable streams of packet data
For More Information
• GigaSECURE Security Delivery Platform – https://www.gigamon.com/products/technology/gigasecure
• Metadata whitepaper – https://www.gigamon.com/sites/default/files/resources/whitepaper/wp-harnessing-the-power-of-metadata-for-security-4068.pdf