Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
DESCRIPTION
Data centers move exabytes of data through their networks. This explosive growth in network traffic has forced data centers to adapt, adding new technologies and standards to keep pace and make information easily accessible. Our personal information, company IP assets and sensitive data run across these networks, which are constantly under persistent and malicious cyber attacks probing for vulnerabilities. IT security teams have to protect complex networks that keep growing in size and complexity. They call for a new approach to gaining full, rather than partial, visibility into network behavior to stop downtime losses and data leaks. Generating 1:1 NetFlow, then collecting and analyzing the flow records, is essential to time-to-resolution (TTR). To help you take full advantage of valuable NetFlow data for use in network security management, Emulex and Lancope have created a best-in-class network and security solution that allows you to quickly and continuously monitor the makeup of the traffic traversing your network. In this webinar, we'll explore why network security management is crucial to managing the functionality and visibility of an organization's network infrastructure and how Emulex helps address these deployment requirements. We'll also explore what matters most when network security is breached, and share some best-practice insights gleaned from working with customers that run some of the largest and most critical data networks on the planet.
TRANSCRIPT
© 2013 Emulex Corporation
Using NetFlow to Streamline Security Analysis and Response to Cyber-Threats
Richard Trujillo, Product Marketing Manager, Emulex; Joe Yeager, Director of Product Management, Lancope; Lee Doyle, Principal Analyst, Doyle Research
The Importance of Network Visibility
Doyle Research, 2013
Leading Trends Impacting the Network
VDI
Cloud
Mobile
Big Data
BYOD
Networks are Critical to the Business
Networks deliver applications and information throughout the organization
Networks must be high performance, low latency, reliable, and secure
Traffic patterns are changing: more east-west, less north-south
Network/data center downtime is expensive
Managing/Securing the network remains challenging and costly (OPEX)
Network Complexity and Value are Increasing
(Chart: Customer Value plotted against Network Complexity)
Network Complexity
Data Center
– Server virtualization
– VM mobility
– Network/Storage Convergence
Bandwidth Growth
– Widespread adoption of 10GbE
– Cloud
– Video
– Mobility
SDN Adoption
– Separation of Control and Data Plane
– Network Programmability
– Centralized Intelligence
– Network Slicing
Network Visibility Benefits
Automation: Tools help IT/network staff with routine monitoring tasks
Monitor All Traffic: Better understand and tune the network; respond to dynamic traffic patterns
Performance: Supports off-load of traffic analysis from production switches
Improved OPEX: Improved network management and reduced operational costs
Security: Identify and isolate "bad" traffic; ability to handle DDoS attacks
Product Requirements
Improved performance monitoring = visibility at scale
Secure networks – leveraging behavior analysis to detect traffic anomalies
Monitoring solution must support complete analysis of 10GbE traffic flow (high performance)
Move from reactive to proactive management with new tools – software defined applications
Ease of installation, ease of operation, cost effective
Support for standards and 3rd party applications
©2013 Lancope, Inc. All Rights Reserved.
Joe Yeager, Director of Product Management
StealthWatch for Security Analysis and Response to Cyber-Threats
Who is Lancope?
Company Profile
• 600+ enterprise clients – Global 2000
• HQ in Atlanta, offices all around the world
• 4 years profitability; 160+ employees
• Available on Cisco's Global Price List
Technology Leadership
• StealthWatch Labs Research Team
• Patented behavioral analysis techniques
• 150+ algorithms
• Scalable flow analysis
Management Team
• Experienced senior leadership from IBM, nCircle, ISS, DELL SecureWorks, HP, and Motorola/AirDefense
• Over 100 years combined experience
Big Data Center Focus Areas
• Cyber Threat Problem
• Cyber Threat Solution
• DDoS Case Study
Threat Landscape of Today: APT and Insider Threats Top of Mind
• 174M records stolen
• 855 incidents
• 98% involve external threat actors
• 416 days before attackers are discovered by a 3rd party
• 100% valid credentials used
Sources: Verizon 2013 Data Breach Investigations Report, Mandiant M-Trends
Visibility Throughout the Kill Chain
Strategy for APT and Insider Threats
• This is the Kill Chain concept introduced by Mike Cloppert at Lockheed.
• Each step in the chain is important to look at individually to develop a security strategy across both tools and departments.
• Many of these can be covered by a NetFlow solution that has both analytics and incident response capabilities.
Kill chain stages: Recon → Exploitation → Initial Infection → Command & Control → Internal Pivot → Data Preparation → Data Exfiltration
APT Timeline Example
1:06:15 PM: Internal host visits malicious web site
1:06:30 PM: Malware infection complete, accesses Internet command and control
1:06:35 PM: Malware begins scanning internal network
1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
1:13:59 PM: Multiple internal infected hosts
1:14:00 PM: Administrators manually disconnect the initial infected host
Do you know what happened while you were responding?
Cyber Threat Solution
Why Use NetFlow? Complete Network Visibility
• NetFlow is a record of every conversation on your network from a "trusted 3rd party", i.e. it is not affected by the trustworthiness of hosts
– Perfect audit trail
– Provides ability to baseline what is normal
• NetFlow is very lightweight and compresses very well
– Typically can store for 45-90 days with StealthWatch
(Illustration: NetFlow compared to a phone bill / call detail record (CDR))
Cyber Threat Solution – Goal: Knowledge as Focus instead of Data
(Diagram: Visibility produces Data; Analysis produces Information; Cyber Threat Intelligence produces Knowledge; the steps between them are labelled Context and Meaning)
Big Data Collection + Big Analytics + Big Incident Response
Big Data Collection: What Constitutes "Big"?
Big Analytics: Real-time Detection of Indicators of Compromise
1. Collect vast amount of data
2. Correlate metadata for context
3. Baseline normal activity
4. Identify deviations from norm
5. Alert on indicators of compromise
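An added example, not code from the webinar or from StealthWatch, of the baseline-and-deviation steps run over constructed flow records: it profiles each host's daily count of distinct internal peers over a seven-day window, then alerts when a host's count breaks out of that profile, which is the footprint of the "malware begins scanning internal network" step in the APT timeline. The hosts, thresholds (k=3 standard deviations, at least 20 peers) and flow tuples are assumptions.

```python
import statistics
from collections import defaultdict

def constructed_history():
    """Constructed flow records (day, src_host, dst_host, packets); not data from the webinar."""
    flows = []
    for day in range(1, 8):                      # 7-day baseline window
        for n in range(4 + day % 3):             # 10.0.0.7 normally reaches 4-6 internal peers/day
            flows.append((day, "10.0.0.7", f"10.0.1.{n + 1}", 40))
        for n in range(2):                       # 10.0.0.9 reaches the same 2 file servers daily
            flows.append((day, "10.0.0.9", f"10.0.2.{n + 1}", 500))
    return flows

def constructed_today():
    """Day 8: 10.0.0.7 touches 200 internal hosts with one packet each (scan-like)."""
    flows = [(8, "10.0.0.7", f"10.0.1.{n + 1}", 1) for n in range(200)]
    flows += [(8, "10.0.0.9", "10.0.2.1", 480), (8, "10.0.0.9", "10.0.2.2", 510)]
    return flows

def peers_per_day(flows):
    """host -> day -> set of distinct destination hosts seen that day."""
    table = defaultdict(lambda: defaultdict(set))
    for day, src, dst, _packets in flows:
        table[src][day].add(dst)
    return table

def build_baseline(flows):
    """Per-host (mean, stddev) of daily distinct peers: the 'normal activity' profile.
    The stddev is floored at 1.0 so a perfectly steady host still gets a usable band."""
    base = {}
    for host, days in peers_per_day(flows).items():
        counts = [len(peers) for peers in days.values()]
        base[host] = (float(statistics.mean(counts)), max(statistics.pstdev(counts), 1.0))
    return base

def deviations(today, base, k=3.0, min_peers=20):
    """Hosts whose distinct-peer count today exceeds baseline mean + k*stddev.
    Hosts with no baseline are compared against (0, 1) so new hosts are not ignored."""
    alerts = []
    for host, days in peers_per_day(today).items():
        peers = max(len(p) for p in days.values())
        mean, std = base.get(host, (0.0, 1.0))
        if peers >= min_peers and peers > mean + k * std:
            alerts.append({"host": host, "peers": peers, "baseline": round(mean, 1)})
    return alerts
```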
Big Incident Response: Powerful Investigation Capabilities
• Who did this?
– Usernames, IP addresses, devices, country, ISP
• What did they do?
– What behavior did they engage in? What else did they do?
• Where did they go?
– What hosts on my network were accessed?
• When?
– Have we investigated the full intrusion timeline?
• Why?
– What is their objective?
DDoS Case Study
DDoS – a Big Problem! Sec Ops & Net Ops
StealthWatch's Focus:
• Alert on attack, citing individual target of attack
• Fast investigative workflow for impact & root cause analysis
• Monitor mitigation success
DDoS: Sometimes DDoS Attacks Are Obvious…
DDoS: And Sometimes They Are Not So Obvious…
– Strange short bursts in traffic
– Increase in Malformed Fragment alarms
DDoS: Quick Investigation Workflow
– 1.5 Gbps of DNS traffic and 1.5 Gbps of undefined UDP traffic
– Total of 107.25 GB of data sent between these two services
– Right-click drill down to identify Top DNS Hosts
– Top 3 hosts have over 96,000 peers and over 190,000 flows EACH
– Each DNS response contains the same domain: "pkts.asia"
Conclusion: This is a DNS amplification attack and this type of packet needs to be blocked.
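An added example, not Lancope's code, of the "Top DNS Hosts" drill-down described above, run over constructed flow records: it summarizes every host sending UDP source-port-53 responses by distinct peers, flow count and bytes per packet, ranks them, and flags the amplification pattern (many peers, oversized answers). The hosts, the peer and size thresholds, and the flow tuple layout are assumptions.

```python
from collections import defaultdict

UDP, DNS_PORT = 17, 53

def constructed_flows():
    """Constructed flow records (src, dst, proto, sport, dport, packets, bytes); not webinar data."""
    flows = []
    # Three hosts each answering 250 distinct peers with large UDP/53 responses:
    # the shape the slides describe (many peers, many flows, high bytes per packet).
    for i in range(3):
        responder = f"198.51.100.{10 + i}"
        for peer in range(250):
            flows.append((responder, f"203.0.113.{peer + 1}", UDP, DNS_PORT, 40000 + peer, 1, 3200))
    # A legitimate internal resolver: few peers, small answers.
    for client in range(20):
        flows.append(("10.0.0.53", f"10.0.1.{client + 1}", UDP, DNS_PORT, 50000 + client, 3, 360))
    # Unrelated HTTPS traffic, which the DNS filter must ignore.
    flows.append(("10.0.0.80", "192.0.2.9", 6, 443, 51234, 40, 52000))
    return flows

def dns_responder_stats(flows):
    """Per-host summary of UDP/53 responses: distinct peers, flows, and bytes per packet."""
    acc = defaultdict(lambda: {"peers": set(), "flows": 0, "bytes": 0, "packets": 0})
    for src, dst, proto, sport, _dport, packets, nbytes in flows:
        if proto != UDP or sport != DNS_PORT:
            continue
        s = acc[src]
        s["peers"].add(dst)
        s["flows"] += 1
        s["bytes"] += nbytes
        s["packets"] += packets
    return {h: {"peers": len(s["peers"]), "flows": s["flows"], "bytes": s["bytes"],
                "bytes_per_packet": s["bytes"] / s["packets"]} for h, s in acc.items()}

def top_dns_hosts(flows, n=3):
    """The 'Top DNS Hosts' drill-down: hosts ranked by distinct peers, then by flow count."""
    stats = dns_responder_stats(flows)
    ranked = sorted(stats.items(), key=lambda kv: (kv[1]["peers"], kv[1]["flows"]), reverse=True)
    return ranked[:n]

def amplification_suspects(flows, min_peers=100, min_bytes_per_packet=1000):
    """Hosts whose response pattern matches amplification: many peers and oversized answers."""
    return sorted(h for h, s in dns_responder_stats(flows).items()
                  if s["peers"] >= min_peers and s["bytes_per_packet"] >= min_bytes_per_packet)
```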
Network Visibility Solution: EndaceFlow 3040 & StealthWatch FlowCollector
Richard Trujillo – Marketing Manager, Emulex
Our Approach to NPM/APM/SEM – Best of Breed
Our approach enables tailored best-of-breed solutions
– All tools share data from the same secure location in the datacenter
– Automated workflow, "pivot to packets", speeds up issue resolution
Lower investment while increasing ROI
– Only buy what you need
– Plan and train staff on the tools that fit your situation best
(Diagram: APM App, NPM App, IDS App and HFT App running on the EndaceVision Network Search Engine with Fusion Connectors, on top of Endace Network Visibility Products at 10/40/100GbE)
How Much Network Visibility Do You Need?
Just as in the video world, there is a big difference between low-def network visibility and high-def network visibility
– Low-def shows you the overall trends – great for long-term traffic planning and identifying large deviations from the norm
– High-def lets you see the action (microbursts, dropped packets, protocol errors) that underlie the most difficult application performance issues
Sampled data cannot provide the detail you need to resolve difficult security breaches or application performance issues
The visibility most tools provide vs. the visibility Emulex tools provide:
• See microbursts
• Know exactly what data has been compromised
• Identify issues impacting application performance
EndaceFlow™ 3040 – NetFlow Generation
Extreme Performance
– The EndaceFlow 3040 provides complete flow visibility at 10Gbps (4x10GbE) – 30Gbps of flow generation and a total of 64M active flows.
Custom Filtering
– Customize exports to gain visibility of specific networks within the datacenter.
– Load balance flow records across multiple collectors.
– The EndaceFlow 3040 supports up to 120 filters across 4 collectors for load balancing flow records across multiple collectors.
Advanced Hash Load Balancing
– The advanced HLB feature minimizes manual configuration with flow-safe load balancing, reducing operational expenditures (OPEX).
Ease of Integration
– Supports V5, V9 and IPFIX flow formats and a broad range of fields, allowing seamless integration with any NetFlow collector on the market.
(Image: EndaceFlow 3040 appliance, high-speed NetFlow generation, 4x10GbE ports)
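An added example, not Emulex or Endace code, that parses the NetFlow v5 export format the EndaceFlow 3040 supports and reads the header's sampling field, so a collector can confirm it is receiving the 1:1 (unsampled) records the deck emphasizes rather than sampled data. The v5 layout (24-byte header, 48-byte records, network byte order) is the public format; the exporter function and the sample datagram are constructed here for the demonstration.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout (network byte order): a 24-byte header followed by
# `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram: bytes) -> dict:
    """Parse one NetFlow v5 export datagram into header fields plus a list of flow records."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _sys_uptime, _unix_secs, _unix_nsecs,
     flow_seq, _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: header count exceeds payload")
    # Top 2 bits of the sampling field are the mode, low 14 bits the interval.
    # An interval of 0 or 1 means every packet was seen (1:1 flow generation);
    # anything larger means the records were built from sampled packets.
    interval = sampling & 0x3FFF
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
        })
    return {"sequence": flow_seq, "sampled": interval > 1,
            "sampling_interval": interval, "records": records}

def build_v5_datagram(records, sampling=0):
    """Constructed exporter (not a real device) used only to produce test datagrams."""
    hdr = V5_HEADER.pack(5, len(records), 1000, 1380000000, 0, 7, 0, 0, sampling)
    body = b"".join(
        V5_RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0, 1, 2,
                       pkts, octets, 900, 990, sport, dport, 0, flags, proto, 0,
                       0, 0, 24, 24, 0)
        for src, dst, pkts, octets, sport, dport, flags, proto in records)
    return hdr + body

# Constructed sample: one DNS response flow and one HTTPS flow, unsampled.
SAMPLE = build_v5_datagram([
    ("198.51.100.10", "203.0.113.5", 1, 3100, 53, 33457, 0x00, 17),
    ("10.0.0.7", "192.0.2.44", 12, 8400, 50123, 443, 0x18, 6),
])
```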
Data Center Deployment Topology
(Diagram: network elements shown are Internet, Edge Router, Edge Firewall, DMZ, Core Switch, Access Layer, Rack Servers and Endpoint Security; taps or SPAN ports at the edge, DMZ and access layer deliver packets to EndaceProbe Packet Capture and EndaceFlow NetFlow Generation; in the Security Operations Center, packets go to the Endace Management Server and EndaceVision for forensics, while NetFlow goes to the Lancope StealthWatch FlowCollector for NBAD, alongside the SIEM)
SecOps deployment monitoring both sides of the DMZ; record attacks, identify compromised data
1. Alarm triggers event. Analyst investigates using the EM interface
2. Analyst pivots to forensics tool for deep dive into packets, enabling rapid resolution
3. Analyst closes event and makes changes to prevention rules if appropriate
Use Case: Security Operations
Consumer Electronics/Content Provider Uses Lancope and EndaceFlow to Improve Security Incident Response Times
Business problem: As the customer increased deployment of 10GbE in their data centers, they needed to improve their security monitoring capabilities and significantly reduce their incident response time and costs. The customer considered integrated solutions, but found that the poor performance and high costs impacted the amount of monitoring they could deploy. They also found that the sampled nature of the data hindered the response team's ability to resolve issues quickly.
Products deployed:
– EndaceFlow 3040 NetFlow Generator Appliances
– Lancope StealthWatch™ FlowCollector
Competitors:
– Cisco NGA
Use Case: Security Operations (cont'd)
Why did we win?
– Ability to generate 100% unsampled NetFlow on multiple 10GbE links
– Ability of our overall solution to handle up to 60Gb/s of traffic
– Advanced filtering and load balancing enabled overall system success
Business benefits:
– Reduced response time for critical security incidents from 30-50 hours to a couple of hours (average)
– Reduced the time required per team member per incident by 12 man-hours
– Provided future expansion room for the customer to run traffic up to 100Gb/s
(Diagram: network traffic of HTTPS 45-60 Gbps and Misc 15-20 Gbps enters a Network Packet Broker (Director X Stream, ports 1-24, with Management Console); per-leg traffic is labelled HTTPS 12-20 Gbps and Misc 8-10 Gbps; two NetFlow generation legs ("Dock VM NetFlow") each export 100K flows/sec to a bank of eight collectors)
Conclusions
Complete, real-time and end-to-end visibility
Endace and Lancope provide a highly scalable solution
Reduces cost and helps eliminate downtime
…. How can we help you with visibility into your network?