Ntxissacsc5 gold 4 beyond detection and prevension remediation

The Importance of Packets in Security Forensics

Transcript of Ntxissacsc5 gold 4 beyond detection and prevension remediation

Page 1: Ntxissacsc5 gold 4 beyond detection and prevension   remediation

The Importance of Packets in Security Forensics

Page 2: Ntxissacsc5 gold 4 beyond detection and prevension   remediation

© 2015 Viavi Solutions, Inc. | Viavi Confidential and Proprietary Information 2

Today's Speaker

Rick Kingsley, Sr. Solutions Specialist, Viavi Solutions

• At Viavi Solutions for 11 years.

• Troubleshooting networks and apps at the packet level for 25 plus years.

• Experience working with 100s of organizations in both pre- and post-sale engagements.

• Approaches solutions with both technical and business value considerations.

Page 3: Ntxissacsc5 gold 4 beyond detection and prevension   remediation

Network Security Forensics

Packets don’t lie.

Page 4: Ntxissacsc5 gold 4 beyond detection and prevension   remediation

© 2016 Viavi Solutions Inc. www.viavisolutions.com

Packets don’t lie – the ultimate source of network truth & visibility

• >50% MTTR Savings

• Full event replay

• Live Dependency Maps

• Layer 4 & Layer 5-7 APM

Page 5: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


Why Enterprise is Concerned about Security

▪ Today - cybercrime will cost the global economy $445 billion this year (CNBC 2016)

▪ Cyberattacks take up to 256 days to identify and cost companies $3.8 million per attack (Ponemon Institute, May 2015)

▪ IT threats continue to escalate in frequency, type and malice

• Security perimeter breaches must be assumed a given

• Inside jobs are also on the rise

• Security teams are understaffed and overwhelmed

▪ Negative financial stakeholder implications

• Breaches can lead to lost revenue and a tarnished brand

Page 6: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


Security Operations Needs to Leverage Insight Into the Packet

When a breach occurs, an IT organization must be prepared to deliver quick answers to questions such as these:

1) What was compromised, and what data was exposed?

2) Who was responsible for the vulnerability?

3) Who was responsible for the attack itself?

4) Has the breach been resolved?

5) Can the resolution be validated?

Page 7: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


APM Security Forensics: The Backstop to Your Security Efforts

▪ The right Application Performance Management (APM) solution can help IT operations deliver superior performance for users. When incorporated into your IT security initiatives, its deep packet inspection can strengthen your existing antivirus software, Intrusion Detection System (IDS), and Data Loss Prevention (DLP) solutions.

Page 8: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


Security Challenges – The Network Team

▪ Viavi Solutions State of the Network highlights:

▫ 85% are involved with security investigations

▫ Engaged in multiple facets of security:

▪ 65% implementing preventative measures

▪ 58% investigating attacks

▪ 50% validating security tool configurations

▫ 50% indicated correlating security issues with network performance to be their top challenge

▫ 44% cited the inability to replay anomalous security issues

▪ Hacking and malware cause nearly 1/3 of all data loss events*

* VERIS Community Database

Page 9: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


Solution: Benefits (IT Execs)

▪ Maximize IT resources and personnel by facilitating network team cooperation with security on investigations and clean-up

• "Two-for-one" deal (NPMD + security) maximizes IT spend

▪ Confirm every aspect of an attack and identify what assets have been compromised

▪ Spend security dollars more effectively by understanding what attacks are getting through defenses

Page 10: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


Packet-Based Security Forensics: A Next-Generation Approach to Attack Remediation

▪ Gain full attack context to confirm the attack path and identify compromised assets

▪ Quickly investigate and isolate attacks with post-event filtering and expert analysis

▪ Gain advance notice of potential attacks via alarming

• Validate security tool effectiveness

• What attacks have gotten through?

• Integrate traffic access into existing security workflows with REST APIs

Page 11: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


Vital NPMD Security Features

• High-speed (10 Gb and 40 Gb) data center traffic capture

• Write-to-disk speeds of 40 Gbps+

• Automate extractions with security monitoring solutions like Firepower

• Trigger packet capture extractions from firewall events

• Event replay and session reconstruction

• Capacity to store petabytes of traffic data for post-event analysis and long-term incident retention

Page 12: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


Packet-Based Security Forensics (cont.): A Next-Generation Approach to Attack Remediation

• Where the attack came from

• Which users (if any) were involved

• Which internal assets communicated with the malicious activity

• What data was accessed in the attack

• Whether (and how) the attack spread laterally through the network

Page 13: Ntxissacsc5 gold 4 beyond detection and prevension   remediation

Network Security Forensics: Five Steps to Threat Resolution

Page 14: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


# 1 - Capture Everything on Your Network

Monitor from the core to the edge. Don't miss a single packet.

Page 15: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


# 2 – Detect / Alert on Suspicious / Anomalous Behavior

Page 16: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


# 3 – Turn Back the Clock

Using back-in-time functionality, start the investigation at the time of, or leading up to, the possible incident, not after the evidence is gone.

Page 17: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


# 4 – Identify Security Threats

Apply advanced Analyzer filtering for zero-day events, or Snort rules for known threats

Page 18: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


# 4 – Identify Security Threats

The result: a comprehensive identification of detected threats within the time window specified

Page 19: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


Automated Event to Packet Integration Workflow

1. Event triggered in FirePOWER Management Console

2. Launch the GigaStor web interface from FirePOWER, with pre-populated fields to download the selected traffic

3. Investigate network and application flows in Observer, or analyze with third-party tools

Page 20: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


# 5 – View Illicit Behavior In/Out of the Network

Rebuild conversations to witness the event unfold, just like a sports "instant replay"

Page 21: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


# 5 – View Illicit Behavior In/Out of the Network

…even if encrypted, provided the traffic is decrypted before it reaches the analysis tools, which is what the packet broker slides that follow describe

Page 22: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


Encryption impacts your business

50% of attacks will use SSL/TLS: Gartner estimates that by 2017, more than 50% of network attacks will use SSL/TLS.

70% of internet traffic is encrypted (Sandvine Research).

$4m average cost of a data breach (IBM-sponsored study by Ponemon Institute).

Page 23: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


Packet Broker - Active SSL Decryption

Active SSL decryption via a high-performance Application Module with a dedicated cryptographic processor:

▪ Offloads the processing burden from firewalls, intrusion prevention systems (IPSs), and other security tools

▪ Full visibility into encrypted sessions

Active (inline) decryption means the broker terminates the TLS session itself, so it must either hold the server's private key or present a certificate from a CA the clients trust; sessions it cannot terminate stay opaque to every tool behind it.

Page 24: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


[Diagram: Internet – Switch – Internal Switch, with the Security Tools attached to the packet broker]

Most advanced NPB for security deployments

Powerful encryption + flexible traffic handling + advanced services

Powerful SSL

✓ Up to 10Gb SSL

✓ Decrypt once, inspect many

✓ Offload decryption from multiple tools

✓ No impact on other services

Advanced inline support

✓ Heartbeat

✓ Service Chaining

✓ Load Balancing / HA

✓ Active/Active resiliency

Vision ONE core features

✓ Rich Netflow

✓ Data Masking

✓ App ID / filtering

✓ 1/10/40Gb interfaces

✓ Filter compiler / best UI

Page 25: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


# 5 – View Illicit Behavior In/Out of the Network

Reconstruct HTTP streams to see exactly what was requested and received…
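The reconstruction step above, as an added example in Python that is not Viavi Observer or GigaStor code: one direction's TCP segments are ordered by sequence number, retransmissions are dropped, overlapping bytes are trimmed, any hole the capture missed is recorded rather than silently closed up, and the result is split into start line, headers and body so the analyst can read exactly what was requested and received. The conversation, the endpoints 10.0.0.25:51234 and 203.0.113.10:80, the sequence numbers and the out-of-order arrival are all constructed for the example.

```python
"""Rebuild an HTTP request/response pair from captured TCP segments.

Added example, not Viavi Observer/GigaStor code. The capture is constructed:
segments arrive out of order, one is retransmitted and one overlaps its
neighbour, which is what session reconstruction must cope with before the
request and response can be read the way the user saw them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str       # "ip:port" of the sender
    dst: str
    seq: int       # TCP sequence number of the first payload byte
    data: bytes


def reassemble(segments, src, dst):
    """Return (payload, gaps) for one direction. Duplicates and overlaps are
    trimmed; a hole where the capture lost a segment is recorded as
    (seq, length) instead of being silently closed up."""
    stream, gaps, expected = bytearray(), [], None
    for seg in sorted((s for s in segments if s.src == src and s.dst == dst),
                      key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        end = seg.seq + len(seg.data)
        if end <= expected:                      # pure retransmission
            continue
        if seg.seq > expected:                   # bytes never captured
            gaps.append((expected, seg.seq - expected))
            expected = seg.seq
        stream += seg.data[expected - seg.seq:]  # drop the overlapping prefix
        expected = end
    return bytes(stream), gaps


def parse_http(message):
    """Split a reassembled HTTP/1.x message into start line, headers, body."""
    head, _, body = message.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii", "replace").lower()] = \
            value.strip().decode("latin-1")
    length = int(headers.get("content-length", len(body)))
    return {"start_line": lines[0].decode("ascii", "replace"),
            "headers": headers, "body": body[:length]}


def rebuild_conversation(segments, client, server):
    req, req_gaps = reassemble(segments, client, server)
    resp, resp_gaps = reassemble(segments, server, client)
    return {"request": parse_http(req), "response": parse_http(resp),
            "gaps": {"request": req_gaps, "response": resp_gaps}}


def segments_for(src, dst, isn, payload, cuts):
    """Slice one direction's bytes at the given offsets (constructed capture)."""
    bounds = [0, *cuts, len(payload)]
    return [Segment(src, dst, isn + a, payload[a:b]) for a, b in zip(bounds, bounds[1:])]


# Constructed conversation: a client uploads a small form and the server accepts it.
CLIENT, SERVER = "10.0.0.25:51234", "203.0.113.10:80"
REQUEST = (b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
           b"Content-Length: 27\r\n\r\nid=42&note=quarterly-report")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            b"Content-Length: 8\r\n\r\naccepted")
REQ_SEGS = segments_for(CLIENT, SERVER, 1000, REQUEST, [48, 70])
RESP_SEGS = segments_for(SERVER, CLIENT, 5000, RESPONSE, [17])
# Arrival order as a sniffer might record it: body first, a retransmitted
# header segment, and an overlapping segment covering request bytes 40-60.
CAPTURE = [REQ_SEGS[2], REQ_SEGS[0], RESP_SEGS[1], REQ_SEGS[1], REQ_SEGS[0],
           Segment(CLIENT, SERVER, 1040, REQUEST[40:60]), RESP_SEGS[0]]


if __name__ == "__main__":
    conv = rebuild_conversation(CAPTURE, CLIENT, SERVER)
    print(conv["request"]["start_line"], "->", conv["response"]["start_line"])
    print("uploaded:", conv["request"]["body"].decode())
```

The gap list matters more than it looks: a capture point that dropped packets under load produces a stream with missing bytes, and reporting the hole (sequence number and length) is the only honest way to tell the analyst that what they are reading is incomplete rather than what the user actually sent.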

Page 26: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


Case Study: Financial Service Company

▪ Network group reports an attack that appeared to be a network slowdown

▪ Intel and IDS/IPS groups begin investigation

▪ Packet captures are evaluated for patterns

▪ Attackers are identified from TCP payload data

Download the full Case Study – https://comms.viavisolutions.com/lp-cmp?cp=vi79677&th=wpp&lang=en&_ga=2.251997065.1428566310.1510067591-311843217.1476392097&brw=pushsafari

Page 27: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


Network Security Forensics in Practice

What began as three benign-sounding user complaints regarding slow network and application response time quickly escalated into a potentially serious threat to security. The network engineer used a specialized probe appliance to perform deep-packet forensic analysis of traffic generated by one of the users' workstations. She discovered it was sending a packet to every device on the network; each of these destinations responded in a similar fashion. This activity quickly saturated the network.

Desktop support and the security team were notified because an ongoing attack compromising nearly 100 users' machines appeared to be underway.
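The five-step procedure and the case study above, as an added worked example in Python (not Viavi GigaStor or Observer code): every packet is retained, a detector raises an alert when one host fans out to more distinct destinations than a threshold inside a sliding window, the investigation then turns back the clock to the packets leading up to that alert, and a Snort-style content rule is run over that window. The capture is synthetic: three clients talking HTTPS to two servers, then a workstation at 10.0.0.25 probing every other host in 10.0.0.0/24 on TCP/445 with an SMB1 header while each target answers, mirroring the "packet to every device" pattern in the case study. The threshold, window length, hosts and rule are assumptions chosen for the example.

```python
"""Retrospective, packet-based investigation over a constructed capture.
Added example, not Viavi GigaStor/Observer code: retain every packet
(PacketStore), alert on one host fanning out to many destinations
(FanOutDetector), turn back the clock to the window before the alert, and
filter that window with a Snort-style rule. Hosts, timings, rule: constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Packet:
    ts: float            # seconds since capture start
    src: str
    dst: str
    proto: str           # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""

@dataclass(frozen=True)
class Alert:
    ts: float
    src: str
    distinct_dsts: int

class PacketStore:
    """Step 1: keep everything (stand-in for a capture appliance's disk)."""
    def __init__(self):
        self._packets = []

    def capture(self, pkt):
        self._packets.append(pkt)

    def back_in_time(self, t_end, lookback):
        """Step 3: packets in [t_end - lookback, t_end], oldest first."""
        return [p for p in self._packets if t_end - lookback <= p.ts <= t_end]

class FanOutDetector:
    """Step 2: alert once when a source reaches more than `threshold` distinct
    destinations within a sliding window of `window` seconds."""
    def __init__(self, threshold=20, window=5.0):
        self.threshold, self.window = threshold, window
        self._recent = defaultdict(deque)                     # src -> (ts, dst)
        self._counts = defaultdict(lambda: defaultdict(int))  # src -> dst -> n
        self._alerted = set()

    def observe(self, pkt):
        recent, counts = self._recent[pkt.src], self._counts[pkt.src]
        recent.append((pkt.ts, pkt.dst))
        counts[pkt.dst] += 1
        while recent and recent[0][0] < pkt.ts - self.window:  # expire old entries
            _, old = recent.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if len(counts) > self.threshold and pkt.src not in self._alerted:
            self._alerted.add(pkt.src)
            return Alert(pkt.ts, pkt.src, len(counts))
        return None

# Step 4: a Snort-style rule reduced to proto/port/content. The rule is
# constructed for the example; SMB1 messages really do start with 0xFF "SMB".
RULES = [{"name": "smb1-probe", "proto": "tcp", "dport": 445, "content": b"\xffSMB"}]

def match_rules(packets, rules=RULES):
    return [(r["name"], p) for p in packets for r in rules
            if p.proto == r["proto"] and p.dport == r["dport"] and r["content"] in p.payload]

def build_capture():
    """Constructed traffic: benign HTTPS from three clients, then 10.0.0.25
    probes every other host in 10.0.0.0/24 on TCP/445 and each one answers."""
    pkts = []
    clients, servers = ["10.0.0.11", "10.0.0.12", "10.0.0.13"], ["10.0.1.5", "10.0.1.6"]
    for i in range(60):                                        # ~10 s of background
        t, c, s, sport = i / 6.0, clients[i % 3], servers[i % 2], 40000 + i
        pkts.append(Packet(t, c, s, "tcp", sport, 443, b"\x16\x03\x01"))
        pkts.append(Packet(t + 0.05, s, c, "tcp", 443, sport, b"\x16\x03\x03"))
    sweeper, t = "10.0.0.25", 10.0
    smb = b"\x00\x00\x00\x2f\xffSMB\x72"                          # NetBIOS + SMB1 header
    for host in ipaddress.ip_network("10.0.0.0/24").hosts():
        dst = str(host)
        if dst == sweeper:
            continue
        pkts.append(Packet(t, sweeper, dst, "tcp", 50000, 445, smb))
        pkts.append(Packet(t + 0.01, dst, sweeper, "tcp", 445, 50000, smb))
        t += 0.02
    return sorted(pkts, key=lambda p: p.ts)

def investigate(lookback=5.0):
    """Steps 1-4 end to end: the alert, rule hits in the window leading up to
    it, and the internal hosts that answered the probes in that window."""
    store, detector = PacketStore(), FanOutDetector()
    for pkt in build_capture():
        store.capture(pkt)
        alert = detector.observe(pkt)
        if alert:
            window = store.back_in_time(alert.ts, lookback)
            responders = sorted({p.src for p in window if p.dst == alert.src and p.sport == 445})
            return {"alert": alert, "hits": match_rules(window), "responders": responders}
    return None

if __name__ == "__main__":
    r = investigate()
    print(r["alert"], len(r["hits"]), "rule hits;", len(r["responders"]), "hosts answered")
```

The responders list is the answer to "which internal assets communicated with the malicious activity": it comes straight from the retained packets, not from the alert, which is the point of keeping the capture rather than only the event. Note that the detector keys on distinct destinations, not packet volume, so a busy but legitimate client that talks to a handful of servers never trips it, while a host that touches twenty-one neighbours in under a second does.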

Page 28: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


Key Takeaways - Network Security Forensics

• Understanding of:

  • Network

  • Application

  • Traffic Patterns

• Organizations need a retrospective, network-centric method to backstop other security measures and to identify and clean compromised IT assets

• Firewalls, anti-virus software, IDS and DLP systems are vital but no longer sufficient to achieve the most robust protection or to generate the paper trail for complete resolution and documentation of breaches.

• Packet-based network monitoring solutions, which evolved from performance monitoring and troubleshooting tools for network operations, are ideal for forensic analysis of security incidents. As a result, both network operations and security operations are finding value in sharing access to these tools.

Page 29: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


Viavi GigaStor – Investigate & Analyze

Page 30: Ntxissacsc5 gold 4 beyond detection and prevension   remediation


The recent Network Outlaws webinar helped IT teams understand and effectively utilize network data sources like syslogs, packet capture, and metadata in security investigations.

Request the webinar recording to learn how to:

▪ Understand and use the right source data

▪ Leverage traffic-capture strategies that work

▪ Protect yourself before, during, and after a breach

You will also receive the complimentary white paper, Source Data for Network Security Investigations.
