Using NetFlow to Streamline Security Analysis and Response to Cyber Threats


Description

Data centers move exabytes of data through their networks. This explosive growth in network traffic has forced data centers to adopt new technologies and standards to keep pace and keep information easily accessible. Our personal information, company IP assets and sensitive data run across networks that are under persistent, malicious attack by adversaries looking for vulnerabilities. IT security teams have to protect networks that are growing in both size and complexity, and they need a new approach that gives full, rather than partial, visibility into network behavior to prevent downtime losses and data leaks. Generating unsampled (1:1) NetFlow, then collecting and analyzing the flow records, is essential to reducing time-to-resolution (TTR). To help you take full advantage of NetFlow data for network security management, Emulex and Lancope have created a network and security solution that lets you quickly and continuously monitor the makeup of the traffic traversing your network. In this webinar, we explore why network security management is crucial to the functionality and visibility of an organization's network infrastructure and how Emulex addresses these deployment requirements. We also look at what matters most when network security is breached, and share best-practice insights gleaned from working with customers that run some of the largest and most critical data networks on the planet.

Transcript of Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Page 1: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

© 2013 Emulex Corporation

Using NetFlow to Streamline Security Analysis and Response to Cyber-Threats

Richard Trujillo, Product Marketing Manager, Emulex
Joe Yeager, Director of Product Management, Lancope
Lee Doyle, Principal Analyst, Doyle Research

Page 2: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

The Importance of Network Visibility

Doyle Research, 2013

Page 3: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Leading Trends Impacting the Network

VDI

Cloud

Mobile

Big Data

BYOD

Page 4: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Networks are Critical to the Business

Networks deliver applications and information throughout the organization

Networks must be high performance, low latency, reliable, and secure

Traffic patterns are changing: more east-west, less north-south

Network/data center downtime is expensive

Managing/Securing the network remains challenging and costly (OPEX)


Page 5: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Network Complexity and Value are Increasing

(Figure: customer value plotted against network complexity.)

Data Center
– Server virtualization
– VM mobility
– Network/Storage Convergence

Bandwidth Growth
– Widespread adoption of 10GbE
– Cloud
– Video
– Mobility

SDN Adoption
– Separation of Control and Data Plane
– Network Programmability
– Centralized Intelligence
– Network Slicing

Page 6: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Network Visibility Benefits

Automation: tools help IT/network staff with routine monitoring tasks

Monitor All Traffic: better understand and tune the network; respond to dynamic traffic patterns

Performance: supports offload of traffic analysis from production switches

Improved OPEX: improved network management and reduced operational costs

Security: identify and isolate “bad” traffic; ability to handle DDoS attacks

Page 7: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Product Requirements

• Improved performance monitoring = visibility at scale

• Secure networks – leveraging behavior analysis to detect traffic anomalies

• Monitoring solution must support complete analysis of 10GbE traffic flows (high performance)

• Move from reactive to proactive management with new tools – software-defined applications

• Ease of installation, ease of operation, cost effective

• Support for standards and 3rd-party applications

Page 8: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

©2013 Lancope, Inc. All Rights Reserved.

Joe Yeager, Director of Product Management

StealthWatch for Security Analysis and Response to Cyber-Threats

Page 9: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Who is Lancope?

Company Profile
• 600+ enterprise clients, Global 2000
• HQ in Atlanta, offices all around the world
• 4 years of profitability; 160+ employees

Technology Leadership
• StealthWatch Labs Research Team
• Patented behavioral analysis techniques
• 150+ algorithms
• Scalable flow analysis

Management Team
• Experienced senior leadership from IBM, nCircle, ISS, Dell SecureWorks, HP, and Motorola/AirDefense
• Over 100 years combined experience

Available on Cisco’s Global Price List

Page 10: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Big Data Center Focus Areas

• Cyber Threat Problem
• Cyber Threat Solution
• DDoS Case Study


Page 12: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Threat Landscape of Today: APT and Insider Threats Top of Mind

• 174M records stolen
• 855 incidents
• 98% involve external threat actors
• 416 days before attackers are discovered, by a 3rd party
• 100% used valid credentials

Sources: Verizon 2013 Data Breach Investigations Report; Mandiant M-Trends

Page 13: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Visibility Throughout the Kill Chain: Strategy for APT and Insider Threats

• This is the Kill Chain concept introduced by Mike Cloppert at Lockheed.
• Each step in the chain is important to look at individually to develop a security strategy across both tools and departments.
• Many of these can be covered by a NetFlow solution that has both analytics and incident response capabilities.

Recon → Exploitation → Initial Infection → Command & Control → Internal Pivot → Data Preparation → Data Exfiltration

Page 14: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

APT Timeline Example

1:06:15 PM: Internal host visits malicious web site
1:06:30 PM: Malware infection complete; accesses Internet command and control
1:06:35 PM: Malware begins scanning internal network
1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
1:13:59 PM: Multiple internal infected hosts
1:14:00 PM: Administrators manually disconnect the initial infected host

Do you know what happened while you were responding?


Page 16: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Why Use NetFlow? Complete Network Visibility

• NetFlow is a record of every conversation on your network from a “trusted 3rd party”, i.e. it is not affected by the trustworthiness of the hosts
  – Perfect audit trail
  – Provides the ability to baseline what is normal

• NetFlow is very lightweight and compresses very well
  – Typically can be stored for 45-90 days with StealthWatch

(Figure: NetFlow compared to a phone bill / call detail record (CDR).)
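As an added illustration of what a flow record actually carries (this is example code, not Emulex or Lancope code), the Python below builds and parses NetFlow v5 export datagrams, the oldest of the three formats the EndaceFlow 3040 is described later on this page as supporting. The field layout is Cisco's published v5 layout; the addresses, counters and the `is_unsampled` rule are assumptions chosen for the example. One caveat to the “trusted 3rd party” claim above: v5 and v9 exports travel over plain UDP with no authentication, so a collector should accept datagrams only from known exporter addresses and should reject anything whose record count does not match the datagram length, as the parser here does.

```python
"""NetFlow v5 export builder/parser with the sanity checks a collector should apply.
Added example; the records below are constructed, not captured traffic."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Cisco NetFlow v5 layout: 24-byte header followed by 1..30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


@dataclass(frozen=True)
class V5Record:
    src: str
    dst: str
    nexthop: str
    input_if: int
    output_if: int
    packets: int
    octets: int
    first_ms: int   # sysUptime at first packet of the flow
    last_ms: int    # sysUptime at last packet of the flow
    sport: int
    dport: int
    tcp_flags: int  # cumulative OR of TCP flags seen in the flow
    proto: int      # 6 = TCP, 17 = UDP
    tos: int
    src_as: int
    dst_as: int
    src_mask: int
    dst_mask: int


class NetFlowError(ValueError):
    """Raised for datagrams a collector should drop rather than interpret."""


def build_v5(records: List[V5Record], sampling_mode: int = 0,
             sampling_interval: int = 0, flow_sequence: int = 0) -> bytes:
    """Exporter side: pack records into one v5 datagram (constructed header values)."""
    if not 1 <= len(records) <= V5_MAX_RECORDS:
        raise NetFlowError("v5 datagrams carry 1..30 records")
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(r.src), socket.inet_aton(r.dst),
                       socket.inet_aton(r.nexthop), r.input_if, r.output_if,
                       r.packets, r.octets, r.first_ms, r.last_ms, r.sport, r.dport,
                       0, r.tcp_flags, r.proto, r.tos, r.src_as, r.dst_as,
                       r.src_mask, r.dst_mask, 0)
        for r in records)
    # Sampling field: top 2 bits = mode, low 14 bits = interval (0 when not sampling).
    sampling = ((sampling_mode & 0x3) << 14) | (sampling_interval & 0x3FFF)
    header = V5_HEADER.pack(5, len(records), 123_456, 1_370_000_000, 0,
                            flow_sequence, 0, 0, sampling)
    return header + body


def parse_v5(datagram: bytes) -> Tuple[Dict[str, int], List[V5Record]]:
    """Collector side: validate, then decode one datagram."""
    if len(datagram) < V5_HEADER.size:
        raise NetFlowError("datagram shorter than a v5 header")
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise NetFlowError(f"not NetFlow v5 (version={version})")
    if not 1 <= count <= V5_MAX_RECORDS:
        raise NetFlowError(f"implausible record count {count}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:  # truncated or padded export: integrity problem, not flows
        raise NetFlowError(f"length {len(datagram)} != {expected} for {count} records")
    header = {"sys_uptime_ms": uptime, "unix_secs": secs, "unix_nsecs": nsecs,
              "flow_sequence": seq, "engine_type": engine_type, "engine_id": engine_id,
              "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        (src, dst, nexthop, inp, out, pkts, octs, first, last, sport, dport, _pad1,
         flags, proto, tos, sas, das, smask, dmask,
         _pad2) = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(V5Record(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                socket.inet_ntoa(nexthop), inp, out, pkts, octs, first,
                                last, sport, dport, flags, proto, tos, sas, das, smask, dmask))
    return header, records


def is_unsampled(header: Dict[str, int]) -> bool:
    """1:1 export (assumption: interval 0 or 1 means every packet was counted)."""
    return header["sampling_interval"] in (0, 1)


def demo() -> Tuple[Dict[str, int], List[V5Record]]:
    """Round-trip two constructed flows: an internal SMB probe and a large UDP/53 answer."""
    records = [
        V5Record("10.0.0.7", "10.0.1.5", "10.0.0.1", 1, 2, 1, 60, 1000, 1000,
                 50123, 445, 0x02, 6, 0, 0, 0, 24, 24),
        V5Record("203.0.113.9", "10.0.0.5", "10.0.0.1", 2, 1, 40, 120_000, 2000, 2500,
                 53, 53, 0, 17, 0, 64500, 0, 24, 24),
    ]
    return parse_v5(build_v5(records))


if __name__ == "__main__":
    hdr, recs = demo()
    print("unsampled export:", is_unsampled(hdr))
    for r in recs:
        print(f"{r.src}:{r.sport} -> {r.dst}:{r.dport} proto={r.proto} "
              f"pkts={r.packets} octets={r.octets}")
```

The sampling header field is the thing to check first when a deck promises 1:1 visibility: a collector that ignores it will happily treat 1-in-1000 sampled counters as exact.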

Page 17: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Cyber Threat Solution: Goal is Knowledge as Focus instead of Data

(Figure: a pyramid in which visibility yields data, analysis yields information, and cyber threat intelligence yields knowledge; context and meaning increase toward the top.)

Big Data Collection + Big Analytics + Big Incident Response

Page 18: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Big Data Collection: What Constitutes “Big”?

Page 19: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Big Analytics: Real-time Detection of Indicators of Compromise

1. Collect vast amount of data
2. Correlate metadata for context
3. Baseline normal activity
4. Identify deviations from norm
5. Alert on indicators of compromise

Page 20: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Big Incident Response: Powerful Investigation Capabilities

• Who did this? – Usernames, IP addresses, devices, country, ISP
• What did they do? – What behavior did they engage in? What else did they do?
• Where did they go? – What hosts on my network were accessed?
• When? – Have we investigated the full intrusion timeline?
• Why? – What is their objective?


Page 22: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

DDoS – a Big Problem! Sec Ops & Net Ops

StealthWatch’s Focus:
• Alert on attack, citing individual target of attack
• Fast investigative workflow for impact & root cause analysis
• Monitor mitigation success

Page 23: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

DDoS: Sometimes DDoS Attacks Are Obvious…

Page 24: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

DDoS: And Sometimes They Are Not So Obvious…

Strange short bursts in traffic

Increase in Malformed Fragment alarms

Page 25: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

DDoS: Quick Investigation Workflow

- 1.5 Gbps of DNS traffic and 1.5 Gbps of undefined UDP traffic
- Total of 107.25 GB of data sent between these two services
- Right-click drill down to identify top DNS hosts
- Top 3 hosts have over 96,000 peers and over 190,000 flows EACH

Page 26: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

DDoS: Quick Investigation Workflow (cont’d)

Each DNS response contains the same domain: “pkts.asia”

Conclusion: This is a DNS amplification attack and these types of packets need to be blocked.
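The workflow on the last two slides (top DNS hosts by peer count and flow count, large byte volumes, one repeated query name) and the scanning step in the APT timeline earlier both reduce to aggregations over flow records. The Python below is an added example, not Lancope's code: it runs two such detections over a constructed set of flows, an internal host opening tiny flows to many internal destinations in a short window (the “internal pivot” stage of the kill chain), and an internal address receiving large UDP/53 answers from hundreds of distinct external sources (a reflected DNS amplification attack). The thresholds, the 10.0.0.0/8 internal range and every address are assumptions. A practitioner's note on the “1.5 Gbps of undefined UDP traffic” above: amplified DNS answers commonly exceed the path MTU and are fragmented, and non-initial IP fragments carry no UDP header, so a flow exporter cannot assign them a port. That is one plausible reason such attacks appear as a second, port-less UDP stream next to the DNS traffic, and it fits the malformed-fragment alarms noted two slides earlier.

```python
"""Two flow-level detections over constructed NetFlow-style records (added example):
an internal pivot/scan and a reflected DNS amplification attack."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: the monitored site's address space


@dataclass(frozen=True)
class Flow:
    start: float  # flow start, seconds since epoch
    src: str
    dst: str
    proto: int    # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    packets: int
    octets: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_internal_scan(flows, window=60.0, min_targets=20, max_packets=2):
    """Internal pivot: one internal source reaching many distinct internal destinations
    with flows too small to be real exchanges (e.g. a lone SYN) inside `window` seconds.
    Returns {scanner: peak number of distinct targets seen in any window}."""
    by_src = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.packets <= max_packets:
            by_src[f.src].append(f)
    findings = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.start)
        lo = 0
        for hi in range(len(fl)):
            while fl[hi].start - fl[lo].start > window:  # slide the window forward
                lo += 1
            targets = {f.dst for f in fl[lo:hi + 1]}
            if len(targets) >= min_targets:
                findings[src] = max(findings.get(src, 0), len(targets))
    return findings


def detect_dns_amplification(flows, min_peers=100, min_avg_octets=1000):
    """Reflected DNS: many external sources answering from UDP/53 toward one internal
    host with a large average packet size. Returns {victim: summary}."""
    stats = defaultdict(lambda: {"peers": set(), "flows": 0, "octets": 0, "packets": 0})
    for f in flows:
        if f.proto == 17 and f.sport == 53 and is_internal(f.dst) and not is_internal(f.src):
            s = stats[f.dst]
            s["peers"].add(f.src)
            s["flows"] += 1
            s["octets"] += f.octets
            s["packets"] += f.packets
    findings = {}
    for dst, s in stats.items():
        avg = s["octets"] / s["packets"] if s["packets"] else 0.0
        if len(s["peers"]) >= min_peers and avg >= min_avg_octets:
            findings[dst] = {"peers": len(s["peers"]), "flows": s["flows"],
                             "gbytes": s["octets"] / 1e9, "avg_octets": avg}
    return findings


def sample_flows():
    """Constructed records, not captured traffic."""
    t0 = 1_370_000_000.0
    flows = []
    # Ordinary recursive DNS: a few small answers from public resolvers to one client.
    for i, resolver in enumerate(["8.8.8.8", "8.8.4.4", "1.1.1.1"]):
        flows.append(Flow(t0 + i, resolver, "10.0.0.20", 17, 53, 40000 + i, 3, 300))
    # One normal internal SMB session (many packets, so not scan-like).
    flows.append(Flow(t0 + 5, "10.0.0.20", "10.0.1.200", 6, 51000, 445, 120, 90_000))
    # Reflection: 250 open resolvers send large answers to a victim that never asked.
    for i in range(250):
        net = "198.51.100" if i < 200 else "203.0.113"
        flows.append(Flow(t0 + 30 + i * 0.01, f"{net}.{i % 200 + 1}", "10.0.0.5",
                          17, 53, 53, 40, 120_000))
    # Lateral scan: one host probes SMB on 60 internal hosts, one SYN each, in 6 seconds.
    for i in range(60):
        flows.append(Flow(t0 + 60 + i * 0.1, "10.0.0.7", f"10.0.1.{i + 1}",
                          6, 50000 + i, 445, 1, 60))
    return flows


def analyze(flows):
    return {"scans": detect_internal_scan(flows),
            "dns_amplification": detect_dns_amplification(flows)}


if __name__ == "__main__":
    for kind, hits in analyze(sample_flows()).items():
        print(kind, hits)
```

Both detectors need only the 5-tuple plus counters that every NetFlow version exports; the query name (“pkts.asia”) that confirmed the diagnosis on the slide is not in a flow record and is the point at which an analyst pivots to packets.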

Page 27: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Network Visibility Solution: EndaceFlow 3040 & StealthWatch FlowCollector

Richard Trujillo – Marketing Manager, Emulex

Page 28: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Our Approach to NPM/APM/SEM – Best of Breed

Our approach enables tailored best-of-breed solutions
– All tools share data from the same secure location in the datacenter
– Automated workflow, “pivot to packets”, speeds up issue resolution

Lower investment while increasing ROI
– Only buy what you need
– Plan and train staff on the tools that fit your situation best

(Figure: APM, NPM, IDS and HFT applications on top of Endace Network Visibility Products (10/40/100GbE) and the EndaceVision Network Search Engine with Fusion Connectors.)

Page 29: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

How Much Network Visibility Do You Need?

Just as in the video world, there is a big difference between low-def network visibility and high-def network visibility

– Low-def shows you the overall trends – great for long-term traffic planning and identifying large deviations from the norm

– High-def lets you see the action (microbursts, dropped packets, protocol errors) that underlies the most difficult application performance issues

Sampled data cannot provide the detail you need to resolve difficult security breaches or application performance issues

The visibility most tools provide vs. the visibility Emulex tools provide:
• See microbursts
• Know exactly what data has been compromised
• Identify issues impacting application performance
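The sampled-versus-unsampled point is easy to show with a simulation. The Python below is an added example, not Emulex code: it builds a constructed packet stream of bulk HTTPS transfers with a 60-host SMB probe mixed in, generates flow records once from every packet and once from 1-in-1000 random packet sampling, and compares what each view preserves. The addresses, packet counts and the random-sampling method are assumptions; the result generalizes to any packet-sampled exporter.

```python
"""Sampled vs. unsampled flow generation over a constructed packet stream (added example)."""
import random
from collections import Counter


def constructed_packets(seed=7, bulk_packets=100_000, scan_targets=60):
    """Constructed stream, not captured traffic: bulk HTTPS from one client to ten
    servers, plus one host sending a single SYN to `scan_targets` internal hosts.
    Each packet is (src, dst, proto, dport, length)."""
    rng = random.Random(seed)
    pkts = [("10.0.0.20", f"198.51.100.{i % 10 + 1}", 6, 443, 1400)
            for i in range(bulk_packets)]
    pkts += [("10.0.0.7", f"10.0.1.{i + 1}", 6, 445, 60) for i in range(scan_targets)]
    rng.shuffle(pkts)  # interleave the probe with the bulk traffic
    return pkts


def generate_flows(pkts, sample_rate=1, seed=1):
    """Aggregate packets into flow keys. With sample_rate N each packet is kept with
    probability 1/N (random packet sampling) and its length is scaled by N, which is
    how a sampled exporter estimates true volume. Returns {flow_key: estimated_octets}."""
    rng = random.Random(seed)
    flows = Counter()
    for src, dst, proto, dport, length in pkts:
        if sample_rate > 1 and rng.randrange(sample_rate) != 0:
            continue
        flows[(src, dst, proto, dport)] += length * sample_rate
    return flows


def scan_targets_seen(flows, scanner="10.0.0.7", port=445):
    """Distinct probe destinations that survived into flow records."""
    return sum(1 for (src, _dst, proto, dport) in flows
               if src == scanner and proto == 6 and dport == port)


def bulk_bytes(flows, host="10.0.0.20"):
    return sum(octets for (src, *_), octets in flows.items() if src == host)


def compare(sample_rate=1000):
    pkts = constructed_packets()
    full = generate_flows(pkts, 1)
    sampled = generate_flows(pkts, sample_rate)
    return {
        "targets_unsampled": scan_targets_seen(full),
        "targets_sampled": scan_targets_seen(sampled),
        "bytes_true": bulk_bytes(full),
        "bytes_estimated": bulk_bytes(sampled),
    }


if __name__ == "__main__":
    r = compare()
    print(f"probe targets visible: unsampled={r['targets_unsampled']} "
          f"sampled={r['targets_sampled']}")
    print(f"bulk HTTPS octets: true={r['bytes_true']} "
          f"estimated from 1:1000 sample={r['bytes_estimated']}")
```

The sampled view recovers the bulk volume to within tens of percent, which is the “low-def trend” the slide describes, but almost none of the 60 single-packet probe flows survive, so a scan detector working from sampled records has nothing to count.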

Page 30: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

EndaceFlow™ 3040 – NetFlow Generation (high-speed NetFlow generation, 4x10GbE ports)

Extreme Performance
– The EndaceFlow 3040 provides complete flow visibility at 10Gbps (4x10GbE), 30Gbps of flow generation and a total of 64M active flows.

Custom Filtering
– Customize exports to gain visibility of specific networks within the datacenter.
– Load balance flow records across multiple collectors.
– The EndaceFlow 3040 supports up to 120 filters across 4 collectors for load balancing flow records across multiple collectors.

Advanced Hash Load Balancing
– The advanced HLB feature minimizes manual configuration with flow-safe load balancing, reducing operational expenditures (OPEX).

Ease of Integration
– Supports V5, V9 and IPFIX flow formats and a broad range of fields, allowing seamless integration with any NetFlow collector on the market.

Page 31: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Data Center Deployment Topology

(Diagram: Internet → Edge Router → Edge Firewall → Core Switch → Access Layer → Rack Servers, with a DMZ off the firewall. Taps or SPAN ports at the edge, in the DMZ and at the access layer feed packets to EndaceProbe (Packet Capture) and EndaceFlow (NetFlow Generation). In the Security Operations Center sit the Endace Management Server, EndaceVision (Forensics), the Lancope StealthWatch FlowCollector (NBAD), the SIEM and Endpoint Security; EndaceProbe delivers packets and EndaceFlow delivers NetFlow to them.)

SecOps deployment monitoring both sides of the DMZ; record attacks, ID compromised data

1. Alarm triggers event. Analyst investigates using the EM interface
2. Analyst pivots to forensics tool for deep dive into packets, enabling rapid resolution
3. Analyst closes event and makes changes to prevention rules if appropriate

Page 32: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Use Case: Security Operations

Consumer Electronics/Content Provider Uses Lancope and EndaceFlow to Improve Security Incident Response Times

Business problem: As the customer increased deployment of 10GbE in their data centers, they needed to improve their security monitoring capabilities and significantly reduce incident response time and costs. The customer considered integrated solutions, but found that poor performance and high costs limited the amount of monitoring they could deploy. They also found that the sampled nature of the data hindered the response team’s ability to resolve issues quickly.

Products deployed:
– EndaceFlow 3040 NetFlow Generator Appliances
– Lancope StealthWatch™ FlowCollector

Competitors:
– Cisco NGA

Page 33: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Use Case: Security Operations (cont’d)

Why did we win?
• Ability to generate 100% unsampled NetFlow on multiple 10GbE links
• Ability of our overall solution to handle up to 60Gb/s of traffic
• Advanced filtering and load balancing enabled overall system success

Business benefits:
– Reduced response time for critical security incidents from 30-50 hours to a couple of hours (average)
– Reduced the time required per team member per incident by 12 man-hours
– Provided future expansion room for the customer to run traffic up to 100Gb/s

(Diagram: a Network Packet Broker (Director X Stream) feeds two “Dock VM NetFlow” generators, each exporting 100K flows/sec to eight StealthWatch collectors; the network feeds are labelled HTTPS 45-60 Gbps and Misc 15-20 Gbps on one side, HTTPS 12-20 Gbps and Misc 8-10 Gbps on the other.)

Page 34: Using NetFlow to Streamline Security Analysis and Response to Cyber Threats

Conclusions

• Complete, real-time and end-to-end visibility
• Endace and Lancope provide a highly scalable solution
• Reduces cost and helps eliminate downtime

…. How can we help you with visibility into your network?
