

Post on 22-Dec-2015


TRANSCRIPT

© 2007 Property of Lancope. Proprietary and Confidential.

Enterprise Situational Awareness and Monitoring through Network Behavior Analysis

Mark McDaniel, Systems Engineering Team Leader, Lancope


Agenda

•What is Network Behavior Analysis?

•How Does NBA Work?

•NetFlow - A Brief Overview

•Current Organizational Security and Operational Challenges

•Traditional Security Framework

•NBA's Role in the Security Environment

•Traditional Network Operations Framework

•NBA's Role in the Network Operations Environment

•Traditional Compliance and Policy Monitoring Framework

•NBA for Compliance and Policy Monitoring

•NBA's Future


What is Network Behavior Analysis?

Put simply, Network Behavior Analysis is the monitoring and analysis of network flows to understand host behavior.

NBA systems monitor the network through a variety of methods to gain visibility into the behavior of hosts and their relationships with one another.

NBA systems profile the behavior of a number of different factors (data points) for every host on the network to create an observed baseline of what constitutes “normal” activity for that host.

NBA systems continuously monitor the network to ensure compliance with the established baseline for each behavioral data point for every active host, alarming when thresholds or other variables are exceeded.

NBA systems allow administrators to divide the network into logical segments to improve the granularity of reporting and to define policies based on a number of different factors.

NBA systems also provide information into the health of the network infrastructure and a wealth of other information.


How Does NBA Work?

NBA systems monitor the network via SPAN or mirror ports or inline taps to capture traffic for analysis. In addition, and much more commonly, NBA systems monitor flow records generated by the network infrastructure: NetFlow for Cisco devices, sFlow for many other hardware vendors.

There are pros and cons to each monitoring approach:

•SPAN/Mirror/Tap systems are segment based with limited visibility, but offer packet payload analysis.

•NetFlow monitoring can deliver visibility for the entire network, provided the hardware infrastructure supports it, but doesn't offer payload.

•sFlow also can deliver enterprise-wide visibility AND offer some payload analysis (it carries the leading bytes of each sampled packet), but is a sampled technology analyzing every 1:X packets, so it misses short flows that fall between samples.

Once packets or flows are captured for analysis, tables are built within the system to create a session record.

Next, a series of algorithms is performed on the session record to detect malicious activity, threshold violations and policy exceptions. NBA systems using NetFlow or sFlow also report on the traffic transiting the interfaces of flow-export-capable hardware and deliver information regarding their health.


NetFlow - A Brief Introduction, Terminology

As with any self-respecting technology, NetFlow has a number of unique terms:

•Exporter - Any network hardware device capable of collecting and exporting NetFlow.

•Collector - The device to which flows are exported and on which they are analyzed.

•NetFlow Cache - Where the flow records are kept on the exporter prior to being exported.

•Cache Timers - Specify when flow records are flushed from the cache and exported, in minutes and seconds.

•Inactive Timeout - The timer for flows representing completed sessions: a flow is exported once no packet matching it has been seen for this long.

•Active Timeout - The timer for flows representing sessions still continuing: a long-lived session is exported every time this interval elapses and a fresh record is started, so the collector sees it in slices rather than only at its end.


NetFlow - A Brief Introduction, Part 1 Monitoring

[Diagram: IP data transits a NetFlow-enabled router, which exports NetFlow to a StealthWatch Flow Collector.]


NetFlow - A Brief Overview, Part 2 Record Creation

[Diagram: a router holding a flow cache.]

NetFlow is "uni-directional": each direction of a conversation is recorded as its own flow.

Flow stats are counted inbound on the router interface.

Flows are stored on the router in a "flow cache".


NetFlow - A Brief Overview, Part 3, Creating Flow Records

1. Inspect the packet for the key field values
2. Compare the set of values to the NetFlow cache
3. If the set of values is unique, create a new flow in the cache; otherwise update the matching flow's counters
4. Inspect the next packet

There are 7 pre-defined key fields: source IP, destination IP, source port, destination port, Layer 3 protocol, TOS byte and input interface.

Example 1 - Inspect Packet 1

Key Fields, Packet 1:
  Source IP          1.1.1.1
  Destination IP     2.2.2.2
  Source port        23
  Destination port   22078
  Layer 3 Protocol   TCP - 6
  TOS Byte           0
  Input Interface    Ethernet 0

NetFlow cache after Packet 1 (the set of values is new, so a flow is created):
  Source IP   Dest. IP   Dest. I/F   Protocol   TOS   ...   Pkts
  1.1.1.1     2.2.2.2    E1          6          0     ...   11000

Example 2 - Inspect Packet 2

Key Fields, Packet 2:
  Source IP          3.3.3.3
  Destination IP     2.2.2.2
  Source port        23
  Destination port   22078
  Layer 3 Protocol   TCP - 6
  TOS Byte           0
  Input Interface    Ethernet 0

NetFlow cache after Packet 2 (the source IP differs, so the set of values is unique and a second flow is created):
  Source IP   Dest. IP   Dest. I/F   Protocol   TOS   ...   Pkts
  3.3.3.3     2.2.2.2    E1          6          0     ...   11000
  1.1.1.1     2.2.2.2    E1          6          0     ...   11000
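The four steps above, together with the cache timers from the terminology slide, as an added example that is not code from the slides or from Lancope: a small Python model of the exporter-side NetFlow cache. A packet is reduced to the seven key fields, a matching key updates the cached flow, a new key creates one, and entries leave the cache on the inactive or active timer. The packet dictionaries, the timer values and the function names (`FlowCache`, `observe`, `expire`) are assumptions chosen here; the two hosts mirror the slide's 1.1.1.1 and 3.3.3.3 examples.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed example, not Lancope/StealthWatch code. Timer defaults are assumptions
# (they match the Cisco IOS defaults of 15 s inactive and 30 min active).

# (src IP, dst IP, src port, dst port, L3 protocol, TOS byte, input interface)
FlowKey = Tuple[str, str, int, int, int, int, str]


@dataclass
class FlowEntry:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0  # cumulative OR of the TCP flags seen in this flow


def key_of(pkt: dict) -> FlowKey:
    """Step 1: extract the seven pre-defined key fields from a packet."""
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
            pkt["proto"], pkt["tos"], pkt["in_if"])


@dataclass
class FlowCache:
    inactive_timeout: float = 15.0    # seconds idle before a finished flow is exported
    active_timeout: float = 1800.0    # seconds after which a long-running flow is exported anyway
    entries: Dict[FlowKey, FlowEntry] = field(default_factory=dict)
    export_queue: List[FlowEntry] = field(default_factory=list)

    def expire(self, now: float) -> List[FlowEntry]:
        """Move timed-out entries from the cache to the export queue."""
        done = []
        for key, e in list(self.entries.items()):
            if now - e.last_seen >= self.inactive_timeout or now - e.first_seen >= self.active_timeout:
                done.append(self.entries.pop(key))
        self.export_queue.extend(done)
        return done

    def observe(self, pkt: dict, now: float) -> FlowEntry:
        """Steps 2-4: compare the key against the cache, create or update, move on."""
        self.expire(now)
        key = key_of(pkt)
        e = self.entries.get(key)
        if e is None:                       # unique set of values -> new flow in the cache
            e = FlowEntry(key, first_seen=now, last_seen=now)
            self.entries[key] = e
        e.last_seen = now
        e.packets += 1
        e.octets += pkt["len"]
        e.tcp_flags |= pkt.get("flags", 0)
        return e


def slide_example() -> List[FlowEntry]:
    """The slide's two packets (constructed), five of each, then 20 s of silence."""
    cache = FlowCache()
    base = dict(dst="2.2.2.2", sport=23, dport=22078, proto=6, tos=0,
                in_if="Ethernet0", len=1500, flags=0x18)
    for i in range(5):
        cache.observe({**base, "src": "1.1.1.1"}, now=i * 0.1)
        cache.observe({**base, "src": "3.3.3.3"}, now=i * 0.1)
    cache.expire(now=20.0)                  # both sessions idle > 15 s -> inactive timeout
    return cache.export_queue


def long_session_exports(active_timeout: float = 60.0, seconds: int = 200) -> FlowCache:
    """One packet per second for `seconds`; the active timer slices it into 60 s records."""
    cache = FlowCache(inactive_timeout=15.0, active_timeout=active_timeout)
    pkt = dict(src="1.1.1.1", dst="2.2.2.2", sport=23, dport=22078,
               proto=6, tos=0, in_if="Ethernet0", len=100)
    for t in range(seconds):
        cache.observe(pkt, now=float(t))
    return cache
```

The second scenario is the one that trips up people reading collector data for the first time: a 200-second session with a 60-second active timeout arrives at the collector as three 60-packet records plus a trailing partial, not as one record, so per-flow byte thresholds have to be applied to the re-assembled session rather than to individual exports.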


NetFlow - A Brief Overview, Part 4 Flow Record Export

[Diagram: the exporter packs cached flow records into UDP datagrams and sends them to the collector.]

1500-byte UDP PDU; 30 NetFlow records per PDU.
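The export step, as an added example that is not from the slides or from Lancope: a NetFlow version 5 packer and parser in Python. NetFlow v5 is assumed here because it is the fixed-format export whose 24-byte header plus 48-byte records gives the 30-records-per-PDU figure on the slide (1500 - 20 IPv4 - 8 UDP = 1472 bytes of payload; 24 + 30 * 48 = 1464 fits, 31 records would not). It also shows the flow_sequence gap check a collector uses to notice lost export datagrams, since export is plain UDP with no retransmission. All record values and the function names are constructed.

```python
import struct
from dataclasses import dataclass
from socket import inet_aton, inet_ntoa
from typing import Dict, List, Tuple

# Constructed example, not Lancope code. NetFlow v5 wire format (well documented by Cisco):
# header = version, count, sysuptime, unix_secs, unix_nsecs, flow_sequence, engine_type,
# engine_id, sampling_interval; record = the 48-byte layout unpacked in parse_pdu().
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
V5_MAX_RECORDS = 30
IPV4_UDP_OVERHEAD = 20 + 8


def records_per_pdu(mtu: int = 1500) -> int:
    """How many v5 records fit in one unfragmented datagram at this MTU (capped at 30)."""
    return min(V5_MAX_RECORDS, (mtu - IPV4_UDP_OVERHEAD - V5_HEADER.size) // V5_RECORD.size)


@dataclass
class V5Record:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tos: int
    packets: int
    octets: int
    first_ms: int        # sysuptime at the first packet of the flow
    last_ms: int         # sysuptime at the last packet of the flow
    input_if: int = 0
    output_if: int = 0
    tcp_flags: int = 0
    nexthop: str = "0.0.0.0"


def build_pdu(records: List[V5Record], flow_sequence: int, uptime_ms: int, unix_secs: int) -> bytes:
    """Exporter side: serialize up to 30 records into one v5 export PDU."""
    if len(records) > V5_MAX_RECORDS:
        raise ValueError("a v5 PDU holds at most 30 records; split across datagrams")
    hdr = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(inet_aton(r.src), inet_aton(r.dst), inet_aton(r.nexthop),
                       r.input_if, r.output_if, r.packets, r.octets, r.first_ms, r.last_ms,
                       r.sport, r.dport, 0, r.tcp_flags, r.proto, r.tos, 0, 0, 0, 0, 0)
        for r in records)
    return hdr + body


def parse_pdu(data: bytes) -> Tuple[Dict[str, int], List[V5Record]]:
    """Collector side: validate the header against the datagram length and unpack records."""
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 PDU (version {version})")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    recs = []
    for i in range(count):
        (s, d, nh, iif, oif, pk, oc, first, last, sp, dp, _pad, flags, proto, tos,
         _sas, _das, _sm, _dm, _pad2) = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        recs.append(V5Record(inet_ntoa(s), inet_ntoa(d), sp, dp, proto, tos, pk, oc,
                             first, last, iif, oif, flags, inet_ntoa(nh)))
    header = {"uptime_ms": uptime, "unix_secs": secs, "flow_sequence": seq, "count": count,
              "sampling_interval": sampling & 0x3FFF}
    return header, recs


def missing_flows(prev_header: Dict[str, int], this_header: Dict[str, int]) -> int:
    """flow_sequence counts flows exported so far by this exporter, so the gap between two
    consecutive PDUs tells the collector how many flow records were lost in transit."""
    expected = prev_header["flow_sequence"] + prev_header["count"]
    return this_header["flow_sequence"] - expected


def example_pdus() -> List[bytes]:
    """Constructed: 45 flows following the slide's 1.1.1.x -> 2.2.2.2 pattern, split 30 + 15."""
    recs = [V5Record(f"1.1.1.{i}", "2.2.2.2", 23, 22078, 6, 0, 11000, 11000 * 512,
                     1000 * i, 1000 * i + 900) for i in range(1, 46)]
    n = records_per_pdu()
    pdus, seq = [], 0
    for start in range(0, len(recs), n):
        chunk = recs[start:start + n]
        pdus.append(build_pdu(chunk, flow_sequence=seq, uptime_ms=60_000, unix_secs=1_200_000_000))
        seq += len(chunk)
    return pdus
```

Two practical checks fall out of this: a collector that does not compare the header count with the datagram length will happily read garbage from a truncated or padded datagram, and a collector that ignores flow_sequence has no way to tell a quiet network from an export path that is dropping PDUs.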


NetFlow - A Brief Overview, Part 5 Flow De-Duplication


NetFlow - A Brief Overview, Part 6 Flow Analysis Overview


1. Flows are collected and exported

2. Collected flows are put into a state table for algorithmic analysis to check for threshold and policy violations.

3. Alarms are triggered and propagated.

NetFlow - A Brief Overview, Part 7 Scanning Host Example
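Parts 5 to 7 together (flow de-duplication, the three analysis steps, and the scanning host), as an added Python example that is not Lancope's or StealthWatch's code: flows reported by two exporters are de-duplicated, loaded into a per-host state table, and a scanning-host alarm is raised when a host's probe-style peer count exceeds its baseline or a hard limit. The exporter names, hosts, thresholds, baseline values and the notion of a "probe" (a flow of at most three packets that never carried an ACK) are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed example, not Lancope/StealthWatch code.
SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Flow:
    exporter: str
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    first: float
    last: float
    tcp_flags: int = 0


def dedup(flows: Iterable[Flow]) -> List[Flow]:
    """Part 5: merge records with the same 5-tuple whose time ranges overlap. They are the
    same packets counted at different exporters on the path, so counts are max'd, not summed."""
    table: Dict[Tuple, List[Flow]] = defaultdict(list)
    for f in flows:
        bucket = table[(f.src, f.dst, f.sport, f.dport, f.proto)]
        for i, m in enumerate(bucket):
            if f.first <= m.last and m.first <= f.last:
                seen = m.exporter.split("+")
                bucket[i] = replace(
                    m,
                    exporter=m.exporter if f.exporter in seen else m.exporter + "+" + f.exporter,
                    packets=max(m.packets, f.packets), octets=max(m.octets, f.octets),
                    first=min(m.first, f.first), last=max(m.last, f.last),
                    tcp_flags=m.tcp_flags | f.tcp_flags)
                break
        else:
            bucket.append(f)
    return [f for bucket in table.values() for f in bucket]


def build_state(flows: Iterable[Flow], max_probe_packets: int = 3) -> Dict[str, Dict[str, Set]]:
    """Step 2: per-source state table of peers and (peer, port) pairs touched, and which
    peers were only ever probed (tiny flows with no ACK, so nothing was established)."""
    state: Dict[str, Dict[str, Set]] = defaultdict(
        lambda: {"peers": set(), "ports": set(), "probe_peers": set()})
    for f in flows:
        s = state[f.src]
        s["peers"].add(f.dst)
        s["ports"].add((f.dst, f.dport))
        if f.packets <= max_probe_packets and not (f.tcp_flags & ACK):
            s["probe_peers"].add(f.dst)
    return state


def scanning_hosts(state: Dict[str, Dict[str, Set]], baseline: Optional[Dict[str, int]] = None,
                   hard_limit: int = 20, factor: float = 5.0) -> List[Tuple[str, int, int]]:
    """Step 3: alarm when a host's probe-style peer count exceeds the smaller of a hard limit
    and `factor` times its observed-normal peer count. Returns (host, probe_peers, allowed)."""
    baseline = baseline or {}
    alarms = []
    for host, s in state.items():
        allowed = min(hard_limit, int(baseline[host] * factor)) if host in baseline else hard_limit
        n = len(s["probe_peers"])
        if n > allowed:
            alarms.append((host, n, allowed))
    return sorted(alarms)


def sample_flows() -> List[Flow]:
    """Constructed: one host sweeping TCP/445 across 10.0.1.0/24, reported by both the branch
    edge router and the HQ edge router, plus two ordinary sessions reported by both."""
    raw = []
    for i in range(1, 41):
        for exp in ("branch-edge", "hq-edge"):
            raw.append(Flow(exp, "10.0.0.5", f"10.0.1.{i}", 40000 + i, 445, 6,
                            1, 60, 100.0 + i, 100.0 + i, SYN))
    for exp in ("branch-edge", "hq-edge"):
        raw.append(Flow(exp, "10.0.0.7", "10.0.2.10", 51000, 443, 6, 240, 190_000, 50.0, 130.0, SYN | ACK))
        raw.append(Flow(exp, "10.0.0.7", "10.0.2.11", 51001, 80, 6, 30, 12_000, 60.0, 61.0, SYN | ACK))
    return raw


def run() -> List[Tuple[str, int, int]]:
    unique = dedup(sample_flows())                       # step 1 output, de-duplicated
    state = build_state(unique)                          # step 2
    baseline = {"10.0.0.5": 2, "10.0.0.7": 30}           # constructed observed-normal peer counts
    return scanning_hosts(state, baseline=baseline)      # step 3
```

Without the de-duplication step the sweep would look twice as large and, worse, a single legitimate session crossing two exporters would double its byte count, which is how threshold alarms on traffic volume end up firing on perfectly normal backups.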


Current Organizational Security Challenges

Existing Security Technologies Do Their Jobs Well but Present Challenges:

•Security Devices Are Segment Based, Unable to Monitor the Entire Network.

•Security Devices Can Only Detect “The Known Bad” Through Signatures.

•Security Devices Lack Contextual Awareness of the Hosts, Applications and Services.

•HIDS/Anti-Virus/Anti-Malware Can Be Difficult to Manage Requiring Agent Installation.

•NAC Only Defines Pre-Admission Control and Offers Little to No Monitoring After a Host is Authenticated

•SIEMs Are "Data Haystacks" Requiring Complex Rule Writing and Configuration While Not Being Effective for Real-time Analysis

•Continuous, Real-time Policy Monitoring is Practically Impossible with Segment by Segment Visibility.

•ACLs and Firewalls Lack a Continuous Monitoring Mechanism, Resulting in a "Plug and Pray" Policy.

•The Tools Aren’t Integrated in Any Meaningful Way With Net Ops Tools Creating Points of Contention Between the Two Teams if Their Tools are Generating Conflicting Information.

•None of These Technologies Deliver Global, Real-time Situational Awareness.


The Traditional Security Framework - The Core is Highly Secure

[Diagram: enterprise topology showing the Internet, packet filters, a packet inspector, HQ edge router, branch edge routers, core switch w/ACLs, business critical assets, a SIEM, end user switches, end user systems w/HIDS, AV, NAC, etc., a VPN concentrator, a remote user, a midsized branch office and a small branch office. Zones are labelled "Highly Protected Network Core", "Protected Remote Site" and "Lightly Protected Remote Site".]


How NBA Helps Solve Many Current Security Challenges

NBA Complements the Existing Security Infrastructure, Delivering:

•Enterprise-Wide Visibility Through NetFlow and sFlow Enabling the Entire Network as a Sensor Grid.

•Analysis of Host Behaviors Rather Than Pattern Matching to Detect Zero-Day Attacks.

•NBA is Based on Relationship Modeling and Awareness Delivering Excellent Context.

•NBA Systems Are Agentless and Reside on the Network Like Any Other Host for Ease of Management.

•NBA Complements NAC for Compliance Monitoring and Post-Admission Control.

•NBA Uses a Limited Number of Data Feeds for Continuous Real-time Analysis, Not Requiring Complex Rule Writing and Not Becoming Overloaded with Massive Amounts of Data for Analysis.

•NBA Monitors the Entire Network Detailing Host-to-Host Relationships as well as Applications, Services and Protocols in Use, Delivering Continuous Policy Monitoring.

•NBA is Configured with Policies to Continuously Monitor and Audit ACLs and Firewall Rule Sets.

•NBA, Through Its Host, Traffic and Behavioral Profiling as well as NetFlow Analysis and Exporter Interface Information, is an Excellent Complementary Net Ops Tool to the Existing SNMP and Sniffer Based Systems.

•NBA’s Primary Function is to Deliver Real-time Situational Awareness Through a Combination of Behavioral Analysis, Configured Policy and Host-to-Host Relationship Modeling.


NBA’s Role in the Security Infrastructure - Continuous, Global Visibility

[Diagram: the same enterprise topology as the traditional security framework slide (Internet, packet filters, packet inspector, HQ and branch edge routers, core switch w/ACLs, business critical assets, SIEM, end user switches and systems w/HIDS, AV, NAC, etc., VPN concentrator, remote user, midsized and small branch offices), now with NBA receiving flows from every flow-exporting device for continuous, global visibility.]


Current Organizational Network Operations Challenges

Existing Net Ops Technologies Do Their Jobs Fairly Well but Also Present Challenges:

•Most Net Ops Monitoring Tools are SNMP Based “Noise Generators” Reporting an Event Occurred but Not Why The Event Occurred.

•Sniffer Type Devices Are Expensive, Difficult to Deploy and Not Real-Time.

•Almost All Net Ops Products Lack Contextual Awareness of the Network and Hosts.

•Determining Root Cause of Most Events Requires Access to Multiple Consoles and Network Hardware CLI.

•Sniffer Type Devices Require a Strong Level of Knowledge to Operate Correctly.

•EMS/NMS and MoMs Are “Data Haystacks” Requiring Complex Rule Writing and Configuration While Not Being Effective for Real-time Analysis.

•Continuous, Real-time Policy Monitoring is Practically Impossible Because of Technology Limitations.

•Most Appliance Based Net Ops Tools are Segment-Based Not Delivering Global Visibility. NetFlow Offerings to Date are Extremely Limited.

•The Tools Aren’t Integrated in Any Meaningful Way With Security Ops Tools Creating Points of Contention Between the Two Teams if Their Tools are Generating Conflicting Information.

•None of These Technologies Deliver Global, Real-time Operational Awareness.


The Traditional Network Ops Framework - SNMP and Sniffers

[Diagram: the same enterprise topology as the traditional security framework slide (Internet, packet filters, packet inspector, HQ and branch edge routers, core switch w/ACLs, business critical assets, end user switches and systems w/HIDS, AV, NAC, etc., VPN concentrator, remote user, midsized and small branch offices), with an EMS/NMS/MoM console and a Sniffer as the net ops monitoring points.]


How NBA Helps Solve Many Current Net Ops Challenges

NBA Complements the Existing Net Ops Infrastructure, Delivering:

•Enterprise-Wide Visibility Through NetFlow and sFlow Enabling the Entire Network as a Sensor Grid.

•NBA Systems Deliver Rich, Contextual Information Surrounding Events Explaining WHY They Occurred.

•NetFlow is Everywhere and Able to Deliver Meaningful Insight Into Host and Application Performance Throughout the Enterprise.

•NBA Systems Deliver Rich and Meaningful Data About the Applications and Hosts as well as Host-to-Host Relationships, Group-to-Group Relationships, Service Distribution and Consumption and Detailed Network Interface Utilization both at a Point-In-Time as well as Long Term Trending.

•Root Cause Analysis is Performed on the NBA System not Multiple Consoles.

•The Intelligence of NBA System is Built-In Requiring Much Less Training to Deliver Useful Information.

•NBA Uses a Limited Number of Data Feeds for Continuous Real-time Analysis, Not Requiring Complex Rule Writing and Not Becoming Overloaded with Massive Amounts of Data for Analysis.

•NBA is Configured with Policies to Continuously Monitor Compliance with the AUP and Change Control.

•NBA, Through Its Host, Traffic and Behavioral Profiling as well as NetFlow Analysis and Exporter Interface Information, is an Excellent Complementary Security Tool to the Existing Infrastructure.


NBA’s Role in the Network Ops Infrastructure - Contextual Visibility

[Diagram: the same enterprise topology as the traditional security framework slide (Internet, packet filters, packet inspector, HQ and branch edge routers, core switch w/ACLs, business critical assets, EMS/NMS/MoM, end user switches and systems w/HIDS, AV, NAC, etc., VPN concentrator, remote user, midsized and small branch offices), with NBA adding contextual visibility from the flow exporters.]


Current Organizational AUP Policy Monitoring Challenges

Existing Policy Monitoring Technologies Do Their Jobs in a Mediocre Manner and Also Present Major Challenges:

•Policy Monitoring and Enforcement is a Point by Point Proposition with Almost No Holistic Visibility Therefore Not Delivering Global, Real-time Compliance Monitoring.

•Policy Definitions Are Configured on Different Devices with Different Capabilities and are Difficult to Deploy and Manage.

•Almost All Policy Monitoring Products Are Myopic and Lack Contextual Awareness of the Network and Hosts.

•Determining Root Cause of Most Policy Events Requires Access to Multiple Consoles for Multiple Products with Hugely Different Capabilities.

•Maintaining AUP is Extremely Complex Because of the Constantly Evolving Nature of Networks and the Multitude and Variety of Policy Monitoring Products and Capabilities.

•Policy Monitoring Tools are Still Very Immature and Limited in Scope. Deployment Creates Yet Another Monitoring Console and Touch Point.

•Continuous, Real-time Policy Monitoring is Practically Impossible Because of Inherent Technology Limitations.

•The Tools Aren’t Integrated in Any Meaningful Way With Security Ops OR Net Ops Tools Creating Points of Contention Between the Three Teams if Their Tools are Generating Conflicting Information.


The Traditional AUP Monitoring Framework - Unique Points

[Diagram: the same enterprise topology as the traditional security framework slide (Internet, packet filters, packet inspector, HQ and branch edge routers, core switch w/ACLs, business critical assets, end user switches and systems w/HIDS, AV, NAC, etc., VPN concentrator, remote user, midsized and small branch offices), with a Policy Monitoring Tool as yet another unique monitoring point.]


NBA’s Role in Policy Management and Monitoring - Global Configuration Management and Monitoring



NBA’s Role in the AUP Monitoring Framework - Global Configuration Management and Monitoring

[Diagram: the same enterprise topology as the traditional security framework slide (Internet, packet filters, packet inspector, HQ and branch edge routers, core switch w/ACLs, business critical assets, end user switches and systems w/HIDS, AV, NAC, etc., VPN concentrator, remote user, midsized and small branch offices), with a NetFlow Collector receiving flows from every exporter and providing global configuration management and monitoring.]


OR!!! - Highly Granular Configuration Management and Monitoring - Users, Groups, Applications

[Diagram: the same topology and NetFlow Collector as the previous slide, with policies applied at the granularity of users, groups and applications rather than whole sites.]


NBA - What Other Benefits Does It Deliver?

NBA Systems Offer a Large Variety of Other Beneficial Features:

•Management Reporting for Alarms and Events, Host Behaviors Over Time, Service and Traffic Patterns, Etc.

•User to IP Correlation Reporting for a More Complete Picture of Host and User Activity as well as Decreasing Event Remediation Time.

•DHCP and MAC Correlation Reporting to Reduce Event Remediation Time and Add Additional Data Points to Profiled Hosts.

•Closest Router Interface for Improved Troubleshooting and Remediation.

•Other Associated Router Interfaces for Improved Troubleshooting and Remediation.

•QoS Utilization Reporting using DiffServ from the NetFlow Record.

•Trending for Capacity Planning by Application, Host, Segment, Location and Network.

•802.1Q VLAN Tag Correlation for Improved Traffic Analysis.

•MPLS Label Correlation for Improved Traffic Analysis.

•BGP Traffic Reporting for Improved Understanding of External Traffic Origination and Destination.

•Flexible and Extensible Flow Reporting for Additional, Easy to Add Features.


NBA - In the Future

NBA Systems Will Continue to Expand Their Features to Leverage Improvements in Flow Data Export:

•Network Hardware Vendors will Seek to Leverage Flow Reporting to Include Much More Network Telemetry Data.

•IP-SLA for Detailed Quality of Service Reporting.

•NBAR for Deep Packet Inspection and Flow Application Tagging.

•Flexible Packet Matching for Traffic Shaping.

•Packet Payload Capture for Analysis by both NBA and Other Signature Based Tools.

•Using NetFlow v9 to Export Data Traditionally Sent by Other Protocols - syslog, etc.

•Using Flow Reporting Information to Improve Security and Remediation Through Other Protocols - ACT/TIDP/TMS


That’s All Folks!

Questions?

Comments?


The End

Thank You

Mark [email protected]