Harnessing the Power of Metadata for Security


Transcript of Harnessing the Power of Metadata for Security

Page 1: Harnessing the Power of Metadata for Security

© 2016 Gigamon. All rights reserved.

A Story about Metadata…......

Page 2: Harnessing the Power of Metadata for Security


Harnessing the Power of Metadata for Security

John Pollack, Senior Sales Engineer, Gigamon

Page 3: Harnessing the Power of Metadata for Security


First Some Context

Page 4: Harnessing the Power of Metadata for Security


Consider First: There’s Too Much Data

[Chart: network speed (1Gb, 10Gb, 40Gb, 100Gb) of the network and applications infrastructure versus the percentage of data consumable by signature- and policy-based security tools and advanced analytics; the widening gap is labelled “lack of situational awareness”.]

This is the BIG DATA problem: the volume of data is accelerating faster than the ability of the tools to consume it.

Page 5: Harnessing the Power of Metadata for Security


Growth in the “Speed” of Data

[Chart: time to process a single Ethernet frame on a 100 Gb/s link with minimum-size packets.]


Page 6: Harnessing the Power of Metadata for Security


Real-time Threat Prevention Is Getting Harder
PARTICULARLY FOR UNKNOWN THREATS

Too Little Time

• 67.2 ns between packets at 10G
• For unknown threats, just not enough time, knowledge, or context to make a determination

Too Many Bad Guys

• Democratization of cyber threats!
• Large established ecosystem of distributors for malware
• Sophisticated kits & tools for rent
• Front end, back end, and support infrastructure
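Added worked example, not from the original deck: the per-packet time budget behind the “67.2 ns between packets at 10G” figure, extended to the other link speeds on the slide 4 chart, plus a helper that estimates what fraction of line-rate packets a tool of a given capacity can consume (the tool’s packets-per-second rating is an assumed input, not a figure from the deck).

```python
# Added example (not Gigamon code): per-packet time budget on a saturated link.
# Assumes standard Ethernet framing: 64-byte minimum frame plus 8 bytes of
# preamble/SFD and a 12-byte inter-frame gap, i.e. 20 bytes of overhead per frame.

PREAMBLE_SFD_BYTES = 8
INTERFRAME_GAP_BYTES = 12
WIRE_OVERHEAD_BYTES = PREAMBLE_SFD_BYTES + INTERFRAME_GAP_BYTES
MIN_FRAME_BYTES = 64


def packet_interval_ns(link_gbps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Nanoseconds between consecutive frame starts when the link is saturated."""
    bits_on_wire = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return bits_on_wire / link_gbps          # Gb/s is the same as bits per nanosecond


def max_packets_per_second(link_gbps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Line-rate packet count per second for the given frame size."""
    return 1e9 / packet_interval_ns(link_gbps, frame_bytes)


def fraction_consumable(link_gbps: float, tool_pps: float,
                        frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Share of line-rate packets a tool rated at tool_pps can inspect (capped at 1.0).

    tool_pps is an assumed, hypothetical tool rating supplied by the caller.
    """
    return min(1.0, tool_pps / max_packets_per_second(link_gbps, frame_bytes))


if __name__ == "__main__":
    for gbps in (1, 10, 40, 100):
        print(f"{gbps:>3} Gb/s: {packet_interval_ns(gbps):7.2f} ns per minimum-size frame, "
              f"{max_packets_per_second(gbps) / 1e6:7.2f} Mpps")
```

At 10 Gb/s the interval is exactly the 67.2 ns quoted on the slide; at 100 Gb/s it drops to 6.72 ns, which is the budget the slide 5 chart refers to.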

Page 7: Harnessing the Power of Metadata for Security


What Can Be Done?

Page 8: Harnessing the Power of Metadata for Security


Remember The Attacker Lifecycle?
GOAL IS TO BREAK THE CHAIN – NOT JUST TRY TO PREVENT IT

1. Reconnaissance
2. Phishing & zero-day attack
3. Back door
4. Lateral movement
5. Data gathering
6. Exfiltrate

Page 9: Harnessing the Power of Metadata for Security


What Does It Take?
TRIANGULATION THROUGH BIG DATA AND PREDICTIVE ANALYTICS

Need to establish “Context” (what is normal-ish)

• Specific to each organization
• Requires data from across the entire organization

Need to understand “Intent” (what is bad-ish)

• Built from previous bad behavior, sandboxing, threat information feeds
• Build out predictive models

Triangulation against both, with a constant feedback loop

Page 10: Harnessing the Power of Metadata for Security


BUT Context Is Hard To Derive
A LABORIOUS AND INEFFICIENT EFFORT IN TODAY’S ENVIRONMENTS

Sources

• Endpoints and servers
• Applications
• Switches, routers
• Network appliances

Challenges

• Different departments
• Different access rights
• Different formats
• Agent requirements

Consequences

• Massive inefficiencies
• Too much data
• Less control
• Performance impact

Slows Down Analysis, Slows Down Response, Slows Down The Feedback Cycle

Page 11: Harnessing the Power of Metadata for Security


Leverage Network “Metadata”!
CONTEXT AND ULTIMATELY FASTER TRIANGULATION

[Diagram: the network sees every user, device, and application across cloud, virtual, and physical infrastructure.]

The Network Is The Single Most Content Rich Source of Truth!

Page 12: Harnessing the Power of Metadata for Security


The Case for Metadata

Better Security Efficacy

• Reduce massive volumes of data
• Extract essential information for security tools to consume

Faster Time to Detect

• Analyze metadata versus raw packet streams over time
• Discover suspicious threats and anomalous behavior

Overcome Limited Reach

• Security tools do not have access to valuable information in the network
• E.g.: access to AD server, authoritative DNS requests & responses

Separate Signal from Noise

• Security tools are unable to decipher signal from noise in Big Data
• Detect threats more efficiently

Page 13: Harnessing the Power of Metadata for Security


How Can It Be Accomplished?

Page 14: Harnessing the Power of Metadata for Security


The World of Network MetaData

• DNS query and response information
• DHCP query and response information
• URL access information
• HTTP request and response information
• SSL certificate information
• Kerberos and user login information
• Server and application connectivity information
• User flow records and session information
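As an added example (not code from the deck or from Gigamon’s Metadata Engine), this shows what producing “DNS query and response information” from raw traffic looks like: a small parser that reduces one DNS message to a compact metadata record of the kind a security tool would consume instead of the full packet. It follows RFC 1035 name compression, assumes one question per message, and is exercised on a constructed response packet.

```python
# Added example (not Gigamon code): turn one raw DNS message into a compact
# metadata record (transaction id, query name/type, response code, A answers).
import struct


def _read_name(msg: bytes, off: int):
    """Decode a DNS name at offset off, following compression pointers (RFC 1035 4.1.4)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if not jumped:
                end = off + 2                          # caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:                                # root label terminates the name
            if not jumped:
                end = off
            return ".".join(labels) or ".", end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def dns_metadata(msg: bytes) -> dict:
    """Extract the metadata fields from a DNS message with a single question."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    qname, off = _read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    record = {"txid": txid, "response": bool(flags & 0x8000),
              "rcode": flags & 0x000F, "qname": qname, "qtype": qtype, "answers": []}
    for _ in range(an):                                # answer section only
        _name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                  # A record -> dotted quad
            record["answers"].append(".".join(str(b) for b in rdata))
    return record


# Constructed response: txid 0x1234, standard response, NOERROR, question
# "example.com A", one answer with a compressed name, 93.184.216.34, TTL 300.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"
)
```

The 45-byte packet collapses to a handful of fields that a SIEM can index and correlate over time, which is the volume reduction the deck argues for.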

Page 15: Harnessing the Power of Metadata for Security


Necessary and Sufficient?

Metadata: For Fast Approximation

Page 16: Harnessing the Power of Metadata for Security


Necessary And Sufficient?

Full Packet Stream: For Homing In On Threats

Page 17: Harnessing the Power of Metadata for Security


GigaSECURE’s Metadata Engine
SPEEDING UP TRIANGULATION -> FASTER ANALYTICS

[Architecture diagram: GigaVUE-VM and GigaVUE® Nodes provide Application Session Filtering, SSL Decryption, Inline Bypass, NetFlow / IPFIX Generation and the Metadata Engine, and feed an Intrusion Detection System, Data Loss Prevention, Email Threat Detection, IPS (inline), Anti-Malware (inline), Forensics, and Context and Intent-based Big Data Analytics.]

The Metadata Engine produces:

• DNS query and response information
• DHCP query and response information
• URL access information
• HTTP request and response information
• SSL certificate information
• Kerberos and user login information
• Server and application connectivity information
• User flow records and session information

Page 18: Harnessing the Power of Metadata for Security


Consumers of Metadata

[Table: consumers of NetFlow / IPFIX Generation metadata, each marked “Currently Available” (two entries) or “In progress” (four entries).]

Page 19: Harnessing the Power of Metadata for Security


Key Takeaways

• Security will increasingly rely on building Context and Intent
• Network-based metadata followed by programmable packet data streams will become the simplest and most comprehensive approach to security analytics
• Gigamon with its GigaSECURE® SDP is uniquely positioned to be the single, best source of both content-rich metadata and programmable streams of packet data

Page 20: Harnessing the Power of Metadata for Security


For More Information

• GigaSECURE Security Delivery Platform – https://www.gigamon.com/products/technology/gigasecure
• Metadata whitepaper – https://www.gigamon.com/sites/default/files/resources/whitepaper/wp-harnessing-the-power-of-metadata-for-security-4068.pdf