Extending Network Visibility: Down to the Endpoint

Uploaded by lancope-inc, posted 06-Aug-2015

TRANSCRIPT

© 2015 Lancope, Inc. All rights reserved.

Extending Network Visibility: Down to the Endpoint

Peter Johnson, Technical Alliances Engineer (Lancope)

Josh Applebaum, Director of Product Marketing (Ziften)

Matthew Frederickson, Director of Information Technology (CRSD)


Good vs. Evil: The Other Side is Always Innovating

Evolution of conflict and threats

Requires constant innovation from practitioners and vendors to combat this

The Evolution of Cyber Threats

Viruses (1990s): I LOVE YOU, Melissa, Anna Kournikova
Defense: Anti-Virus, Firewalls

Worms (2000s): Nimda, SQL Slammer, Conficker
Defense: Intrusion Detection & Prevention

Botnets (late 2000s to current): Tedroo, Rustock, Conficker
Defense: Reputation, DLP, App.-aware Firewalls

Directed Attacks (APTs) (today): Aurora, Shady Rat, Duqu, Heartbleed, Cryptolocker
Strategy: Visibility and Context

The Problems Customers Face

(Diagram: perimeter FW, IPS and IDS between External and Internal; Customer Impact)

James Comey, FBI Director: “There are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.”

• 209 days before attackers were discovered

• 783 incidents & hundreds of millions of compromised records

• $3.5M is the average lost business cost of a breach

Flow Data - A Light in the Darkness

• Low cost monitoring solution

• Uses outputs from existing infrastructure

• Single or small number of regional collectors support an infrastructure

• Easy to configure

• Enabled on the devices

• No hardware to insert

• Broad presence already in the networks: routers, switches, firewalls, etc.

• Accounting data stores well

• Fractions of a percentage of the storage needed for packet capture

• Common format means it’s easy to write to tables for analysis

Detailed Visibility

Drilling into a single flow provides a wealth of information

Behavior Analysis


Two Halves of the Puzzle

Real Time Detection:

StealthWatch consumes data from devices all over the network and, through a mix of policy and behavioral knowledge, identifies threats that move past the traditional methods of detection.

Incident Response:

StealthWatch allows operators to move quickly from a singular event to the full context of what is known about network activity from that host: how it communicated and with whom, while quickly detailing any additional points of concern.

Stop Problems Before They Are Crisis

(Chart: Impact to the Business ($) vs. Time. Company with Legacy Monitoring Tools: attack onset, attack identified, credit card data compromised, vulnerability closed, all inside the CRISIS REGION. Company with StealthWatch: attack onset, early warning, attack identified, attack thwarted, vulnerability closed. STEALTHWATCH REDUCES MTTK.)

• ~70% of Incident Response is spent on MTTK

• “Worm outbreaks impact revenue by up to $250k / hour. StealthWatch pays for itself in 30 minutes.” – F500 Media Conglomerate

• 259% ROI

StealthWatch 6.7 Pivot to Ziften


Continuous Endpoint Visibility


Council Rock School District

Matthew Frederickson, Director of Information Technology


Overview

• 11,200 students

• 1,300 staff

• 12th largest out of 500 in Pennsylvania

• 2 High Schools (grades 9 through 12)

• 3 Middle Schools (grades 7 and 8)

• 10 Elementary Schools (Kindergarten through 6)

• 72 square miles

• 10 person IT department

Network Infrastructure

• Microsoft Active Directory

• Windows PC/Laptops (5,386)

• 1 GB Fiber between buildings

• 300 MB Fiber to Internet

• Cisco ASA

• Cisco 6513 Core Switch

• Lightspeed Rocket Content Filter

Security Concerns

2014 Verizon Data Breach Investigations Report

Integrated Approach

SANS 20 Critical Controls (now Version 5.1, Council on Cyber Security)

Understand WHAT is happening on the network: Lancope StealthWatch – NetFlow from BOTH 6513 and ASA

Understand WHY it’s happening: Ziften Desktops – Dashboard, Splunk; Infoblox DDI

Understand Baseline: HS – AlienVault USM; Cisco IDS; Active Directory – Netwrix; Splunk

Real World Example

Infoblox DNS Firewall: Top RPZ Hits – 192.168.x.x IP

StealthWatch IP Lookup: 192.168.x.x – 10.12.2.134

Ziften: 10.12.2.134 Running Malware Botnet
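The three-step pivot on this slide, carried through as an added Python illustration (not the deck's or any vendor's code): a DNS firewall hit attributed to a translated address is resolved to the real client through flow records that carry NAT translation fields (assumed here in the style of an ASA NSEL export), and the client is then joined to an endpoint inventory. All log lines, addresses other than 10.12.2.134, host, user and process names are constructed.

```python
from datetime import datetime, timedelta

# Constructed DNS-firewall (RPZ) hit lines; the field layout is an assumption,
# not Infoblox's actual log format.
RPZ_LOG = [
    "2015-08-06T10:02:11 rpz-hit client=192.168.1.10 qname=bad.example.test rule=block",
    "2015-08-06T10:02:40 rpz-hit client=192.168.1.10 qname=c2.example.test rule=block",
]

# Constructed flow records carrying a NAT-translated source, as an ASA NSEL export
# would; "xlate_src" is the address the DNS firewall sees, "src" the real client.
FLOWS = [
    {"ts": "2015-08-06T10:02:10", "src": "10.12.2.134", "xlate_src": "192.168.1.10", "dst": "203.0.113.5", "dport": 53},
    {"ts": "2015-08-06T10:02:39", "src": "10.12.2.134", "xlate_src": "192.168.1.10", "dst": "203.0.113.5", "dport": 53},
    {"ts": "2015-08-06T09:30:00", "src": "10.12.7.21", "xlate_src": "192.168.1.10", "dst": "203.0.113.5", "dport": 53},
]

# Constructed endpoint inventory (hypothetical host, user and process names),
# standing in for what an endpoint agent such as Ziften would report.
ENDPOINTS = {
    "10.12.2.134": {"host": "LAB3-PC17", "user": "student42",
                    "procs": ["explorer.exe", "svchost.exe", "updater.exe"]},
}

def parse_rpz(line):
    """Return (iso_timestamp, client_ip, queried_name) from one RPZ hit line."""
    ts, _event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return ts, fields["client"], fields["qname"]

def clients_behind(xlate_ip, when_iso, window=timedelta(seconds=5)):
    """Real client addresses whose translated source matched xlate_ip near when_iso."""
    when = datetime.fromisoformat(when_iso)
    hits = {f["src"] for f in FLOWS
            if f["xlate_src"] == xlate_ip
            and abs(datetime.fromisoformat(f["ts"]) - when) <= window}
    return sorted(hits)

def investigate(log_lines):
    """DNS hit -> flow pivot -> endpoint context; one record per (hit, client)."""
    findings = []
    for line in log_lines:
        ts, client, qname = parse_rpz(line)
        for inner in clients_behind(client, ts):
            ep = ENDPOINTS.get(inner, {})
            findings.append({"qname": qname, "logged_ip": client, "host_ip": inner,
                             "host": ep.get("host"), "procs": ep.get("procs", [])})
    return findings
```

The time window matters: a shared translated address is reused by many clients, so only flows close to the DNS hit are attributed to it.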

StealthWatch Use Cases

Threat Detection

• Context-aware visibility

• Network, application and user activity

• East-West traffic monitoring

• Advanced Persistent Threats

• Insider Threat

• DDoS

• Data Exfiltration

Incident Response

• In-depth, flow-based forensic analysis of suspicious incidents

• Scalable repository of security information

Network Diagnostics

• Application Awareness

• Capacity Planning

• Performance Monitoring

• Troubleshooting

User Monitoring

• Cisco ISE

• Monitor privileged access

• Policy enforcement

Ziften Use Cases

Continuous Monitoring

• Endpoint activity

• User activity

• Network attribution

Real-Time Detection

• Indicators of compromise (IOCs)

• Custom threat intelligence

Rapid Forensic Investigation

• Who is patient-zero?

• What has changed?

• Is there lateral movement?

Incident Response

• Endpoint network quarantine

• Threat termination

• Remediation

Compliance

• Is antivirus running?

• OS and application vulnerabilities

• Hard drive encryption

Questions?


Thank You!

Contact Us: [email protected] @ziften.com