ntxissacsc5 gold 4 beyond detection and prevention remediation
TRANSCRIPT
The Importance of Packets in Security Forensics
© 2015 Viavi Solutions, Inc. | Viavi Confidential and Proprietary Information 2
Today’s Speaker
Rick Kingsley, Sr. Solutions Specialist, Viavi Solutions
• At Viavi Solutions for 11 years.
• Troubleshooting networks and apps at the packet level for 25-plus years.
• Experience working with hundreds of organizations in both pre- and post-sale engagements.
• Approaches solutions with both technical and business value considerations.
Network Security Forensics
Packets don’t lie.
Packets don’t lie – the ultimate source of network truth & visibility
• >50% MTTR Savings
• Full event replay
• Live Dependency Maps
• Layer 4 & Layer 5-7 APM
Why Enterprise is Concerned about Security
▪ Today – cybercrimes will cost the global economy $445 billion this year (CNBC 2016)
▪ Cyberattacks take up to 256 days to identify & cost companies $3.8 million per attack (Ponemon Institute, May 2015)
▪ IT threats continue to escalate in frequency, type and malice
  • Security perimeter breaches must be assumed a given
  • Inside jobs are also on the rise
  • Security teams understaffed and overwhelmed
▪ Negative financial stakeholder implications
  • Breaches can lead to lost revenue and a tarnished brand
Security Operations Needs to Leverage Insight Into the Packet
When a breach occurs, an IT organization must be prepared to deliver quick answers to questions such as these:
1) What was compromised, and what data was
exposed?
2) Who was responsible for the vulnerability?
3) Who was responsible for the attack itself?
4) Has the breach been resolved?
5) Can the resolution be validated?
APM Security Forensics: The Backstop to Your Security Efforts
▪ The right Application Performance Management (APM) solution can help IT operations deliver superior performance for users. When incorporated into your IT security initiatives, deep packet inspection can strengthen your existing antivirus software, Intrusion Detection System (IDS), and Data Loss Prevention (DLP) solutions.
Security Challenges – The Network Team
▪ Viavi Solutions State of the Network highlights:
  ▫ 85% are involved with security investigations
  ▫ Engaged in multiple facets of security:
    ▪ 65% implementing preventative measures
    ▪ 58% investigating attacks
    ▪ 50% validating security tool configurations
  ▫ 50% indicated correlating security issues with network performance to be their top challenge
  ▫ 44% cited the inability to replay anomalous security issues
▪ Hacking and malware cause nearly 1/3 of all data loss events*
* VERIS Community Database
Solution: Benefits (IT Execs)
▪ Maximize IT resources and personnel by facilitating network team cooperation with security on investigations and cleanup
  • “Two-for-one” deal (NPMD + security) maximizes IT spend
▪ Confirm every aspect of an attack and identify which assets have been compromised
▪ Spend security dollars more effectively by understanding which attacks are getting through defenses
Packet-Based Security Forensics: A Next-Generation Approach to Attack Remediation
▪ Gain full attack context to confirm the attack path and identify compromised assets
▪ Quickly investigate and isolate attacks with post-event filtering and expert analysis
▪ Gain advance notice of potential attacks via alarming
  • Validate security tool effectiveness
  • What attacks have gotten through?
  • Integrate traffic access into existing security workflows with REST APIs
Vital NPMD Security Features
• High-speed (10 Gb and 40 Gb) data center traffic capture
• Write-to-disk speeds of 40 Gbps+
• Automate extractions with security monitoring solutions like Firepower
• Trigger packet capture extractions from firewall events
• Event replay and session reconstruction
• Capacity to store petabytes of traffic data for post-event analysis and long-term incident retention
Packet-Based Security Forensics (cont.): A Next-Generation Approach to Attack Remediation
• Where the attack came from
• Which users (if any) were involved
• Which internal assets communicated with the malicious activity
• What data was accessed in the attack
• Whether (and how) the attack spread laterally through the network
Network Security Forensics: Five Steps to Threat Resolution
# 1 – Capture Everything on Your Network
Monitor from the core to the edge. Don’t miss a single packet.
# 2 – Detect / Alert on Suspicious / Anomalous Behavior
# 3 – Turn Back the Clock
Using back-in-time functionality, start the investigation at the time of, or leading up to, the possible incident, not after the evidence is gone.
# 4 – Identify Security Threats
Apply advanced Analyzer filtering for zero-day events or Snort rules for known threats.
The result: a comprehensive identification of detected threats within the time window specified.
Automated Event to Packet Integration Workflow
1. Event triggered in FirePOWER Management Console
2. Launch GigaStor web interface from FirePOWER, with pre-populated fields to download the selected traffic
3. Investigate network and application flows in Observer, or analyze with third-party tools
# 5 – View Illicit Behavior In/Out of the Network
Rebuild conversations to witness the event unfold, just like a sports “instant replay”.
# 5 – View Illicit Behavior In/Out of the Network
…even if encrypted
Encryption impacts your business
50% of attacks will use SSL/TLS – Gartner estimates that by 2017, more than 50% of network attacks will use SSL/TLS¹
70% of internet traffic is encrypted – Sandvine Research
$4M average cost of a data breach – IBM-sponsored study by Ponemon Institute
Packet Broker – Active SSL Decryption
Active SSL decryption via a high-performance Application Module with dedicated cryptographic processor
▪ Offloads the processing burden from firewalls, intrusion prevention systems (IPSs), and other security tools
Full visibility into encrypted sessions
[Diagram: Internet – Switch – Security Tools – Internal Switch]
Most advanced NPB for security deployments: powerful encryption + flexible traffic handling + advanced services
Powerful SSL: ✓ Up to 10Gb SSL ✓ Decrypt once, inspect many ✓ Offload decryption from multiple tools ✓ No impact on other services
Advanced inline support: ✓ Heartbeat ✓ Service Chaining ✓ Load Balancing / HA ✓ Active/Active resiliency
Vision ONE core features: ✓ Rich Netflow ✓ Data Masking ✓ App ID / filtering ✓ 1/10/40Gb interfaces ✓ Filter compiler / best UI
# 5 – View Illicit Behavior In/Out of the Network
Reconstruct HTTP streams to see exactly what was requested and received…
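Steps 3 to 5 above (rewind to a time window, match a Snort-style rule, rebuild the conversation) and the FirePOWER-to-GigaStor extraction workflow (event time plus hosts as pre-populated fields) can be shown end to end on a small packet store. The block below is an added example written for this page; it is not Viavi, GigaStor, Observer or Snort code. The packet store, the `Packet` record, the `extract_window`, `find_flows` and `reassemble` helpers and the `{"dport", "content"}` rule shape are all this example's own assumptions, and the capture is constructed: a benign GET, then a POST whose body segment is captured before its header and is then retransmitted, then a late unrelated TLS packet.

```python
"""Added example (not Viavi's code): steps 3-5 of the deck over a constructed packet store."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int       # TCP sequence number of the first payload byte
    payload: bytes


# Constructed sample capture (not real traffic). The POST's body segment is
# captured before its header segment and is then retransmitted, which is
# exactly what stream reassembly has to cope with.
POST_HDR = (b"POST /cgi-bin/upload HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: 9\r\n\r\n")
POST_BODY = b"id=42&q=1"
CAPTURE = [
    Packet(100.0, "10.0.0.5", 40001, "203.0.113.9", 80, 1000,
           b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet(100.1, "203.0.113.9", 80, "10.0.0.5", 40001, 5000,
           b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Packet(101.1, "10.0.0.5", 40002, "203.0.113.9", 80, 2000 + len(POST_HDR), POST_BODY),
    Packet(101.2, "10.0.0.5", 40002, "203.0.113.9", 80, 2000, POST_HDR),
    Packet(101.3, "10.0.0.5", 40002, "203.0.113.9", 80, 2000 + len(POST_HDR), POST_BODY),
    Packet(101.4, "203.0.113.9", 80, "10.0.0.5", 40002, 7000,
           b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"),
    Packet(250.0, "10.0.0.7", 51000, "198.51.100.2", 443, 9000, b"\x16\x03\x01"),
]


def extract_window(packets, start, end, hosts=()):
    """Step 3: pull the slice of the store around the alert time, optionally
    limited to the hosts named in the alert (the 'pre-populated fields')."""
    return [p for p in packets
            if start <= p.ts <= end
            and (not hosts or p.src in hosts or p.dst in hosts)]


def flow_key(p):
    """Direction-independent 4-tuple so both halves of a conversation group together."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def _merge(segments):
    """Order TCP segments by sequence number, trimming overlaps (retransmits)
    and counting holes left by segments the capture never saw."""
    data, gaps, expected = b"", 0, None
    for seg in sorted(segments, key=lambda s: (s.seq, s.ts)):
        if expected is None:
            expected = seg.seq
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                      # pure retransmission, nothing new
        if seg.seq > expected:
            gaps += 1                     # a segment is missing from the capture
            expected = seg.seq
        data += seg.payload[expected - seg.seq:]
        expected = end
    return data, gaps


def reassemble(packets, key):
    """Step 5: rebuild one conversation. The side that sent the earliest
    captured segment is treated as the client."""
    flow = [p for p in packets if flow_key(p) == key]
    first = min(flow, key=lambda p: p.ts)
    client_dir = (first.src, first.sport)
    cdata, cgaps = _merge([p for p in flow if (p.src, p.sport) == client_dir])
    sdata, sgaps = _merge([p for p in flow if (p.src, p.sport) != client_dir])
    return {"client": cdata, "server": sdata, "gaps": cgaps + sgaps}


def find_flows(packets, rule):
    """Step 4: Snort-style 'dport + content' match, applied to the reassembled
    client stream so a pattern split across two segments is still caught."""
    hits = []
    for key in sorted({flow_key(p) for p in packets}):
        if not any(port == rule["dport"] for _, port in key):
            continue
        conv = reassemble(packets, key)
        if rule["content"] in conv["client"]:
            hits.append((key, conv))
    return hits


if __name__ == "__main__":
    window = extract_window(CAPTURE, start=99.0, end=102.0, hosts={"10.0.0.5"})
    for key, conv in find_flows(window, {"dport": 80, "content": b"/cgi-bin/"}):
        print(key, "gaps:", conv["gaps"])
        print(conv["client"].decode(errors="replace"))
        print(conv["server"].decode(errors="replace"))
```

Matching against the reassembled stream rather than individual packets is the point worth keeping: a signature split across two segments matches here but would not in a per-packet check, and the `gaps` count tells the analyst whether the rebuilt conversation is complete or whether the capture missed something (step 1's "don't miss a single packet").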
Case Study: Financial Service Company
▪ Network group reports attack that appeared to be network slowdown
▪ Intel and IDS/IPS groups begin investigation
▪ Packet captures are evaluated for patterns
▪ Attackers are identified from TCP payload data
Download the full Case Study – https://comms.viavisolutions.com/lp-cmp?cp=vi79677&th=wpp&lang=en&_ga=2.251997065.1428566310.1510067591-311843217.1476392097&brw=pushsafari
Network Security Forensics in Practice
What began as three benign-sounding user complaints regarding slow network and application response time quickly escalated into a potentially serious threat to security. The network engineer used a specialized probe appliance to perform deep-packet forensic analysis of traffic generated by one of the users’ workstations. She discovered it was sending a packet to every device on the network; each of these destinations responded in a similar fashion. This activity quickly saturated the network.
Desktop support and the security team were notified because an ongoing attack compromising nearly 100 users’ machines appeared to be underway.
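The pattern in the account above, one workstation contacting every address on the network and then many more machines doing the same, is a fan-out anomaly that a detect/alert step can pick out of flow records before anyone looks at payloads. The block below is an added example for this page, not the case study's data or any Viavi tool: the flow records are constructed (four normal workstations, then a sweep from one host followed by three more), and `fan_out_alerts`, `spread_order`, the 5-second window and the 50-destination threshold are this example's own assumptions, to be tuned to a real network's baseline.

```python
"""Added example (not the deck's or Viavi's code): sliding-window fan-out
detection over constructed flow records, plus the order in which hosts started sweeping."""
from collections import Counter, defaultdict


def make_records():
    """Constructed flow records (ts_seconds, src, dst, dport); not real data."""
    recs = []
    # Background: four workstations resolving names and talking to a file server.
    for i in range(20):
        ws = f"10.1.0.{i % 4 + 10}"
        recs.append((10.0 + i, ws, "10.1.0.1", 53))
        recs.append((10.5 + i, ws, "10.1.0.2", 445))
    # One workstation touches every other address in its /24 within ~2.5 s,
    # then three of the hosts it reached start doing the same a little later.
    for src, start in [("10.1.0.77", 30.0), ("10.1.0.12", 45.0),
                       ("10.1.0.130", 46.0), ("10.1.0.201", 47.0)]:
        for i in range(1, 255):
            dst = f"10.1.0.{i}"
            if dst != src:
                recs.append((start + i * 0.01, src, dst, 445))
    return recs


RECORDS = make_records()


def fan_out_alerts(records, window=5.0, threshold=50):
    """Return {src: (first_alert_ts, peak_distinct_dsts)} for every source that
    contacted more than `threshold` distinct destinations inside any
    `window`-second interval. A two-pointer sweep keeps this O(n log n)."""
    by_src = defaultdict(list)
    for ts, src, dst, _dport in records:
        by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        live, left, peak, first_ts = Counter(), 0, 0, None
        for ts, dst in events:
            live[dst] += 1
            while ts - events[left][0] > window:   # evict events older than the window
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            peak = max(peak, len(live))
            if first_ts is None and len(live) > threshold:
                first_ts = ts
        if first_ts is not None:
            alerts[src] = (first_ts, peak)
    return alerts


def spread_order(alerts):
    """Hosts in the order they started sweeping: the first is where to rewind
    the packet store to (step 3), the rest are containment candidates."""
    return sorted(alerts, key=lambda host: alerts[host][0])


if __name__ == "__main__":
    found = fan_out_alerts(RECORDS)
    for host in spread_order(found):
        first_ts, peak = found[host]
        print(f"{host:12s} first alert at t={first_ts:.2f}s, peak {peak} destinations in 5 s")
```

The first-alert timestamp of the earliest host is the value to feed into the back-in-time step: rewinding the capture to just before it shows what that workstation received before it began sweeping, which is the evidence that is gone once the store rolls over.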
Key Takeaways – Network Security Forensics
• Understanding of:
  • Network
  • Application
  • Traffic patterns
• Organizations need a retrospective, network-centric method to backstop other security measures and to identify and clean compromised IT assets.
• Firewalls, anti-virus software, IDS and DLP systems are vital but no longer sufficient to achieve the most robust protection or to generate the paper trail for complete resolution and documentation of breaches.
• Packet-based network monitoring solutions, which evolved from performance monitoring and troubleshooting tools for network operations, are ideal for forensic analysis of security incidents. As a result, both network operations and security operations are finding value in sharing access to these tools.
Viavi GigaStor – Investigate & Analyze
The recent Network Outlaws webinar helped IT teams understand and effectively utilize network data sources like syslogs, packet capture, and metadata in security investigations.
Request the webinar recording to learn how to:
▪ Understand and use the right source data
▪ Leverage traffic-capture strategies that work
▪ Protect yourself before, during, and after a breach
You will also receive the complimentary white paper, Source Data for Network Security Investigations.