Extending Network Visibility: Down to the Endpoint
TRANSCRIPT
© 2015 Lancope, Inc. All rights reserved.
Peter Johnson, Technical Alliances Engineer (Lancope)
Josh Applebaum, Director of Product Marketing (Ziften)
Matthew Frederickson, Director of Information Technology (CRSD)
Good vs. Evil: The Other Side is Always Innovating
The evolution of conflict and threats requires constant innovation from practitioners and vendors to combat it.
The Evolution of Cyber Threats
• Viruses (1990s): I LOVE YOU, Melissa, Anna Kournikova
  Defense: Anti-Virus, Firewalls
• Worms (2000s): Nimda, SQL Slammer, Conficker
  Defense: Intrusion Detection & Prevention
• Botnets (late 2000s to current): Tedroo, Rustock, Conficker
  Defense: Reputation, DLP, App.-aware Firewalls
• Directed Attacks (APTs) (today): Aurora, Shady Rat, Duqu, Heartbleed, Cryptolocker
  Strategy: Visibility and Context
The Problems Customers Face
[Figure: perimeter controls (FW, IPS, IDS) sitting between the external and internal networks; customer impact]
James Comey, FBI Director: “There are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.”
• 209 days before attackers were discovered
• 783 incidents & hundreds of millions of compromised records
• $3.5M is the average lost business cost of a breach
Flow Data - A Light in the Darkness
• Low cost monitoring solution
  • Uses outputs from existing infrastructure
  • A single collector, or a small number of regional collectors, supports an entire infrastructure
• Easy to configure
  • Enabled on the devices
  • No hardware to insert
• Broad presence already in the networks
  • Routers
  • Switches
  • Firewalls, etc.
• Accounting data stores well
  • Fractions of a percentage of the storage needed for packet capture
  • Common format means it’s easy to write to tables for analysis
Detailed Visibility
Drilling into a single flow provides a wealth of information.
Two Halves of the Puzzle
Real Time Detection:
StealthWatch consumes data from devices all over the network and, through a mix of policy and behavioral knowledge, identifies threats that move past the traditional methods of detection.
Incident Response:
StealthWatch allows operators to move quickly from a single event to the full context of what is known about that host’s network activity: how it communicated and with whom, while quickly detailing any additional points of concern.
Stop Problems Before They Are a Crisis
[Chart: impact to the business ($) over time, comparing a company with StealthWatch against a company with legacy monitoring tools. Both curves begin at attack onset. With StealthWatch, an early warning leads to the attack being identified and the vulnerability closed while the attack is thwarted. With legacy tools, the attack is identified and the vulnerability closed only after credit card data is compromised, inside the crisis region. StealthWatch reduces MTTK (mean time to know).]
~70% of Incident Response is spent on MTTK
“Worm outbreaks impact revenue by up to $250k / hour. StealthWatch pays for itself in 30 minutes.” – F500 Media Conglomerate
259% ROI
Council Rock School District
Matthew Frederickson, Director of Information Technology
Overview
• 11,200 students
• 1,300 staff
• 12th largest out of 500 in Pennsylvania
• 2 High Schools (grades 9 through 12)
• 3 Middle Schools (grades 7 and 8)
• 10 Elementary Schools (Kindergarten through 6)
• 72 square miles
• 10 person IT department
Network Infrastructure
• Microsoft Active Directory
• Windows PC/Laptops (5,386)
• 1 GB Fiber between buildings
• 300 MB Fiber to Internet
• Cisco ASA
• Cisco 6513 Core Switch
• Lightspeed Rocket Content Filter
Security Concerns
2014 Verizon Data Breach Investigations Report
Integrated Approach
SANS 20 Critical Controls (now Version 5.1, Council on Cyber Security)
• Understand WHAT is happening on the network: Lancope StealthWatch – NetFlow from BOTH the 6513 and the ASA
• Understand WHY it’s happening: Ziften Desktops – Dashboard, Splunk; Infoblox DDI
• Understand the baseline: HS – AlienVault USM; Cisco IDS; Active Directory – Netwrix; Splunk
Real World Example
• Infoblox DNS Firewall: top RPZ hits come from a 192.168.x.x IP
• StealthWatch IP lookup: 192.168.x.x maps to 10.12.2.134
• Ziften: 10.12.2.134 is running malware (botnet)
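The three-step pivot above (DNS firewall hit, address lookup via flow data, endpoint attribution) as an added worked example; this is not code from the presentation, Lancope, Ziften or CRSD. The log format, NAT records, hostnames and users are constructed, and it deliberately shows the case where one translated address is reused by different inside hosts over time, so the lookup must be time-aware.

```python
import re
from collections import Counter
# Constructed RPZ hit lines in an illustrative format (not Infoblox's exact syntax)
RPZ_LOG = """\
2015-03-02T10:14:01 client 192.168.50.10#51523: rpz QNAME rewrite badc2.example (malware-feed)
2015-03-02T10:14:07 client 192.168.50.10#51530: rpz QNAME rewrite badc2.example (malware-feed)
2015-03-02T10:15:22 client 192.168.50.77#40011: rpz QNAME rewrite ads.example (adware-feed)
"""
RPZ_RE = re.compile(r"^(\S+) client (\d+\.\d+\.\d+\.\d+)#\d+: rpz QNAME rewrite (\S+) \((\S+)\)$")
# Constructed NAT translation records as a flow collector might store them:
# (start, end, inside_ip, translated_ip). 192.168.50.10 is reused by two hosts over time.
NAT_RECORDS = [
    ("2015-03-02T09:00:00", "2015-03-02T10:10:00", "10.12.2.200", "192.168.50.10"),
    ("2015-03-02T10:13:00", "2015-03-02T10:20:00", "10.12.2.134", "192.168.50.10"),
    ("2015-03-02T10:00:00", "2015-03-02T11:00:00", "10.12.2.15", "192.168.50.77"),
]
# Constructed endpoint-agent inventory keyed by inside IP (hostnames and users are made up)
ENDPOINTS = {
    "10.12.2.134": {"host": "LAB-PC-07", "user": "student42", "flagged_process": "svch0st.exe"},
    "10.12.2.15": {"host": "LIB-PC-01", "user": "staff7", "flagged_process": None},
}

def parse_rpz(log):
    """Return one dict per RPZ hit; lines that do not match the format are skipped."""
    hits = []
    for line in log.splitlines():
        m = RPZ_RE.match(line)
        if m:
            hits.append(dict(zip(("ts", "client", "qname", "feed"), m.groups())))
    return hits

def top_rpz_clients(hits):
    """Step 1: the DNS firewall's view, which source IPs generate the most RPZ hits."""
    return Counter(h["client"] for h in hits).most_common()

def resolve_inside_ip(translated_ip, ts, nat=NAT_RECORDS):
    """Step 2: map the address the DNS firewall saw to the inside host active at that time.
    ISO-8601 timestamps compare correctly as strings; None if no translation covers ts."""
    for start, end, inside, outside in nat:
        if outside == translated_ip and start <= ts <= end:
            return inside
    return None

def attribute(hits, nat=NAT_RECORDS, endpoints=ENDPOINTS):
    """Step 3: join each hit to its endpoint record so the analyst sees host, user and process."""
    out = []
    for h in hits:
        inside = resolve_inside_ip(h["client"], h["ts"], nat)
        ep = endpoints.get(inside, {})
        out.append({**h, "inside_ip": inside, "host": ep.get("host"),
                    "user": ep.get("user"), "flagged_process": ep.get("flagged_process")})
    return out
```

Without the time window, the first RPZ hit would be blamed on 10.12.2.200, the host that held 192.168.50.10 an hour earlier.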
StealthWatch Use Cases
Context-Aware Visibility
• Network, application and user activity
• East-West traffic monitoring
Threat Detection
• Advanced Persistent Threats
• Insider Threat
• DDoS
• Data Exfiltration
Incident Response
• In-depth, flow-based forensic analysis of suspicious incidents
• Scalable repository of security information
Network Diagnostics
• Application Awareness
• Capacity Planning
• Performance Monitoring
• Troubleshooting
User Monitoring
• Cisco ISE
• Monitor privileged access
• Policy enforcement
Ziften Use Cases
Continuous Monitoring
• Endpoint activity
• User activity
• Network attribution
Real-Time Detection
• Indicators of compromise (IOCs)
• Custom threat intelligence
Rapid Forensic Investigation
• Who is patient-zero?
• What has changed?
• Is there lateral movement?
Incident Response
• Endpoint network quarantine
• Threat termination
• Remediation
Compliance
• Is antivirus running?
• OS and application vulnerabilities
• Hard drive encryption