Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork...

25
1 Mata Garuda An advanced Network Monitoring System The S.L.A.D Network Security Framework FIRST Conference Berlin, 19 June 2015

Transcript of Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork...

Page 1: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

1

:Mata GarudaAn advanced Network Monitoring SystemThe S.L.A.D Network Security Framework

FIRST ConferenceBerlin, 19 June 2015

Page 2: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

2

Security in Real Life

Page 3: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

3

Page 4: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

Network Security Alarms

4

Car Alarms

Page 5: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

Our responsibility : Indonesia CERT/CC

5

Vision

Build Indonesia Internet within safe, comfortable

and conducive environment

Mission

Improves the Nation’s cyber security posture, and

proactively manages cyber risks to the Nation’s

cyberspace.

40 Network Access Providers

300 Internet Service Providers

75 Million Internet User

12 Telco’s with 110.000 BTS 3G/4G

23 Million ICT readycompanies

Page 6: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

Worldwide Security Service Spending

6

• Estimated

Source: Gartner

In Million $

- 5,000 10,000 15,000 20,000 25,000 30,000 35,000 40,000 45,000 50,000

2010

2011

2012

2015*

Consulting

Development

IT Management

SW Support

HW Suport

Total: 49,140

Total: 38,269

Total: 35,117

Total: 31,129

Page 7: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

7

TechnologyCommon

Detection Engine

Packet Decoder

Database of signatures ofknown threats(supplied by vendor)

Message/Alert

Attack packet

Message/Alert

Page 8: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

8

Everything i$ OK

$$$

$

$

True Positive

Bad packet

NAP

Page 9: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

9

Everything i$ OK

$$$

Good packet

$

$

NAP

False Positive

Page 10: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

10

Valuable Net Activity get Lo$t

True NegativeGood packet

Page 11: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

11

Data Lo$t

Money Lo$t

Privacy Lo$tAttack packet

NAP

False Negative

Page 12: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

Detection State of IDS

True positive

False Positive

True Negative

False Negative

12

Alarms are generated,But no attacks have taken place

No attack has taken place and no alarm is raised

A legitimate attacks which trigger alarms

A failure of an IDS to detect actual attacks

False Positive

False Negative

Page 13: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

Threats change –Common IDS Technology Have not

13

Page 14: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

What the Cyber Security Needs is ….

14

See

Learn

Adapt

Decide

…a continuous process to responds to continuous change

Page 15: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

• See everything in one place – depth seeing

• Learn - Gain insight into your local traffic characteristic by Intelligent engine

• Adapt - Change is constant : leverage open architecture

• Decide - Reduce the “false noise” to make better decision

15

Page 16: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

16

Mata Garuda Network Monitoring Solutions

Common IDS Technology

Technology

Closed / blind

Intelligence about Local traffic with machine learning tech.

LEARN

SEE See not only the attacking phase

Black box / inflexible

Fixed analysis tools

Many “false alarms”

ADAPT Modularity analysis tools

DECIDE Reducing false alarms with intelligence technology

Page 17: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

How it works?

17

Packet Decoder

Detection Engine

Database of signaturesof known threats

Detection Engine

Collection Classifiersby Intelligent engine*

Network Situational Awareness Application

Base Module

1st Module

2nd Module

Alerts

Alerts

Reports

nth Module

SLAD

Page 18: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

Value to Government, Public and Private Sectors

18

Page 19: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

Community vs. CommercialServices

19

Incident Handling

DeepAnalysis

Advance Monitoring

Basic Monitoring

CommunityServices

CommercialServices

40 NAPs

300 ISPs

12 Telco’s

23 Millioncompanies

Page 20: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

Intelligence detection engine based on Machine Learning tech

• Machine Learning as second classification engine

• It is based on Support Vector Machine (SVM)

– It has been proven to be one of the best classification method

– We have done benchmarking by using data from DARPA (Defense Advanced Research Projects Agency). By using 8 features It can give 99% detection rate

20

Page 21: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

21

SVMa1

sampling

Train data setfrom local traffic – packet without payload

Detection engine

SVMa2

SVMb1

sampling

Detection engine

SVMb2

Train data setfrom local traffic – packet with payload

Incoming packets

No Alert

•DDoS•Probe

•R2L•U2R

Page 22: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

See not only the attacking phase – log of packet header

22

Page 23: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

Cyber Situational Awareness System

-Where was I ?

- What happened ?

past

- Where am I ?

-What is happening ?

present

- Where am I going to?

- What could

happened

future

23

• Packet Header Forensic :

– Before

– Current Attacking Phase

– After

Page 24: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

The Topology

24

TapperSensor

(PC )

Switch

TapperSensor

(PC )

TapperSensor

(PC )

TapperSensor

(PC )

TapperSensor

(PC )

TapperSensor

(PC )

TapperSensor

(PC )

Defense Center

Network Situational Awareness back-end storage

Tier 1Sniffer’s Networks

Tier 2Sensors Networks

Tier 3Administrator’s Networks

To administrator’snetworks

To administrator’snetworks

SVM

Page 25: Mata Garuda - FIRST · Mata Garuda: An advanced Network Monitoring System The S.L.A.DNetwork Security Framework FIRST Conference Berlin, 19 June 2015 2 Security in Real Life 3 Network

Thank You

Id-SIRTII/CCRavindo Tower 17th Floor

Jalan Kebon Sirih Kav. 75

Central Jakarta, 10340

Phone +62 21 3192 5551

Fax +62 21 3193 5556

Email [email protected]

Website http://www.idsirtii.or.id