The Power of Lossless Packet Capture & Real-time Netflow SANS Tool Talk Boni Bruno, CISSP, CISM, CGEIT Technical Director

Post on 23-Dec-2015

TRANSCRIPT

Page 1: The Power of Lossless Packet Capture & Real-time Netflow SANS Tool Talk Boni Bruno, CISSP, CISM, CGEIT Technical Director

The Power of Lossless Packet Capture & Real-time Netflow

SANS Tool Talk

Boni Bruno, CISSP, CISM, CGEIT, Technical Director

Page 2

2 Copyright © 2013

You Just Suffered a Major Security Breach!

What Happened?!

Who Was Affected?!

When Will It Be Fixed?!

3 Questions Your IT Staff Better Answer in the First 8 Hours!!

Could Your Current SEM/SIEM Tools Cover You for this Security Breach?

Page 3

Visibility & recording infrastructure for high-speed networks

Endace provides 100% accurate network recording at 1Gbps to 100Gbps!!!

Page 4

Next-Generation EndaceDAG Overview

Multiple Network Monitoring Interfaces:
• TDM/PDH T1/E1
• DS3/E3
• 10/100/1000/10G Ethernet
• SONET/SDH OC-3 to OC-768c
• InfiniBand x4 SDR and DDR

Three “Feature Bundles”:
• Premium: Telco, high-end gov’t users and appliance OEMs
• Standard: HFT, market, appliance OEMs
• Basic: Low-end gov’t users, analytics

Three Product Configurations:
• Dual-Port 10GbE: Basic and Standard
• Dual and quad port 10GbE: Standard and Premium
• Single-Port 40GbE: Future/upgrade to quad port

Designed for data capture applications requiring 100% network data capture:
• Low Overhead
• Zero Loss Capture
• Hardware Time Stamps
• Global Clock Synch
• In-Band Metadata
• Classification/filtering
• Load Balancing

Page 5

Endace Network Visibility Infrastructure

• EndaceAccess™ Network Visibility Headend: allows EndaceProbe INRs/ODE to scale to 40 and 100GbE; load-balances 40Gb/100Gb links across multiple INRs.

• EndaceProbe™ Intelligent Network Recorder (INR): high-performance intelligent network recording; up to 64 TB storage; mix of 1 and 10GbE ports. Provides 100% packet capture on 10Gb Ethernet links.

• Endace Open Hosting Platform (ODE): hosting platform for monitoring applications; 8x1GbE or 4x10GbE ports; up to 16 TB internal storage; Fibre Channel support for SAN. Provides packets for hosted 3rd-party applications.

• EndaceFlow™ NetFlow Generator Appliance (NGA): high-speed NetFlow generation for 10GbE networks; 4x10GbE ports. Generates unsampled netflows from 1GbE/10GbE links.

Page 6

The Endace Probe Solution

Page 7

Monitoring and Recording Fabrics

Page 8

100% Packet Capture means 100% Network Visibility

Page 9

Can you Pinpoint Microbursts Occurring on your Network?

Page 10

Can you Identify Applications Running on your Network?

Page 11

Can you Identify Traffic Changes Over Time?

Page 12

Can you see Conversations on the Network?

Page 13

See Packets in a Browser!

Page 14

100Gbps Packet Capture…

Page 15

Time Synchronization

Page 16

Security Architecture

Components shown on the slide:

Current Security Infrastructure:
• Firewall
• IDS/IPS
• DLP
• End Point Security

Event side: Events → Event / Log Repository → SIEM (Security Info & Event Mgmt) → Alarm → Search & Analysis

Packet side: Packet Capture → Packet Storage / Full Content Repository: pcaps as event-driven “snippets” and/or ALL traffic recorded into a rolling buffer

Page 17

SIEM Integration via RESTful API

Page 18

Page 19

Netflow – The New Way!!!

Page 20

Netflow – The New Way!!!
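The point behind “unsampled netflows” on the NetFlow Generator slide (and the “conversations” slide) is easiest to see in code. The following is an added example, not Endace code and not from the talk: it folds constructed packet metadata into NetFlow-style 5-tuple flow records, shows which flows disappear under the deterministic 1:N packet sampling that routers typically use, and pairs the two directions of each flow into a conversation. The sample traffic, the `Packet` type and the function names are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet metadata, the fields a flow exporter keys on (assumed type)."""
    ts: float       # capture timestamp in seconds
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    length: int     # bytes on the wire


# Constructed sample traffic (not a real capture): one HTTPS conversation,
# one DNS lookup and a single-packet inbound SSH connection attempt.
SAMPLE_PACKETS = [
    Packet(0.000, "10.0.0.5", "93.184.216.34", "tcp", 51000, 443, 74),
    Packet(0.010, "93.184.216.34", "10.0.0.5", "tcp", 443, 51000, 74),
    Packet(0.020, "10.0.0.5", "93.184.216.34", "tcp", 51000, 443, 66),
    Packet(0.030, "93.184.216.34", "10.0.0.5", "tcp", 443, 51000, 1460),
    Packet(0.040, "10.0.0.5", "93.184.216.34", "tcp", 51000, 443, 1200),
    Packet(0.050, "10.0.0.5", "10.0.0.2", "udp", 40000, 53, 80),
    Packet(0.060, "10.0.0.2", "10.0.0.5", "udp", 53, 40000, 120),
    Packet(0.070, "93.184.216.34", "10.0.0.5", "tcp", 443, 51000, 1460),
    Packet(0.080, "10.0.0.5", "93.184.216.34", "tcp", 51000, 443, 66),
    Packet(0.500, "198.51.100.9", "10.0.0.5", "tcp", 6000, 22, 74),
]


def flow_key(p):
    """Unidirectional 5-tuple, the key a NetFlow v5/v9 exporter uses."""
    return (p.src, p.dst, p.proto, p.sport, p.dport)


def aggregate_flows(packets, sample_every=1):
    """Fold packets into flow records.

    sample_every=1 observes every packet (unsampled); sample_every=N keeps
    only every Nth packet, the deterministic 1:N sampling a router falls
    back to when it cannot keep up with the link.
    """
    flows = {}
    for i, p in enumerate(packets):
        if i % sample_every != 0:
            continue
        key = flow_key(p)
        rec = flows.get(key)
        if rec is None:
            flows[key] = {"first": p.ts, "last": p.ts, "packets": 1, "bytes": p.length}
        else:
            rec["last"] = p.ts
            rec["packets"] += 1
            rec["bytes"] += p.length
    return flows


def flows_missed_by_sampling(packets, sample_every):
    """Flow keys present in the unsampled view but absent after 1:N sampling."""
    full = aggregate_flows(packets)
    sampled = aggregate_flows(packets, sample_every)
    return sorted(set(full) - set(sampled))


def conversations(flows):
    """Merge both directions of a flow into one record keyed on the unordered
    endpoint pair, the 'who talked to whom' view of the traffic."""
    convs = {}
    for (src, dst, proto, sport, dport), rec in flows.items():
        a, b = sorted([(src, sport), (dst, dport)])
        c = convs.setdefault((a, b, proto), {"packets": 0, "bytes": 0})
        c["packets"] += rec["packets"]
        c["bytes"] += rec["bytes"]
    return convs


if __name__ == "__main__":
    full = aggregate_flows(SAMPLE_PACKETS)
    for key, rec in full.items():
        print(key, rec)
    print("flows lost to 1:4 sampling:", flows_missed_by_sampling(SAMPLE_PACKETS, 4))
    print("conversations:", len(conversations(full)))
```

With 1:4 sampling only the client-to-server half of the HTTPS session survives; the DNS lookup, the server's replies and the one-packet SSH attempt never become flow records at all, which is exactly the kind of short, low-volume activity an investigation needs to see.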

Page 21

Security Incident Lifecycle

• Suspect
• Identify
• Mitigate
• Impact
• Tools Fixed
• Permanent Protection

Page 22

Security Incident Lifecycle

Unique Event: can lead to repetitive events if not correctly identified…

Page 23

Security Incident Lifecycle

Page 24

Security Incident Lifecycle

• Reduced Frequency
• Minimize Scope of Impact
• Faster Remediation
• ID Root Cause

Page 25

Page 26