network automation in support of cyber defense
TRANSCRIPT
NetBrain Technologies
15 Network Drive
Burlington, MA 01803
+1 800.605.7964
www.netbraintech.com
Network Automation in Support of Cyber Defense
Rick Larkin
Senior Network Engineer
NetBrain Technologies, Inc.
23 June 2016
Agenda
Addressing network visibility and automation
o DoD Cyber Defense Challenges
» Real-time network visibility
» Flexible network automation
o Adaptive Network Automation Framework
o Adaptive Network Automation Applied to Cyber Defense
» Before
» During
» After
DoD Cyber Defense Challenges
“DISA is a case in point. With 4.5 million users and 11 core data centers, its
infrastructure generates about 10 million alarms per day…
Approximately 2,000 of those become trouble tickets…
…Then there’s hacking: DISA logs 800 billion security events per day…
…Between countermeasures, configuration fixes, and the rest, DISA makes
about 22,000 changes to its infrastructure every day…”
MG Zabel, Vice Director, DISA
http://www.cio.com/article/3068663/networks-need-automation-just-ask-the-us-military.html
Today's Threat = IT Challenges x 10 (1986 vs. 2016)
DoD Cyber Defense Challenges
(word cloud of DoD compliance and reporting terms: NIST RMF, DIACAP, 8500s, ATC/ATT/ATO, CNDSP, ASIs, POND, POA&M, CCRIs, IAVAs, OPREP/SITREP/CASREPs, AARs, STIGs, JIE, JRSS)
o Cyber Threats evolving rapidly, requirements increasing, resources strained
o Network Automation is a key force multiplier!
Two Unsolved Challenges
o Lack of Real-Time Network Visibility
» Traditional methods don’t work. Example: Static Network Maps.
» Need “real-time” network visualization, end to end
o Limited Network Automation
» Current network automation has limited functional scope, need to write complex regular expressions, not portable, etc.
» Need for Network Automation 2.0, that is,
o Data-driven
o Dynamically created
o Simplified
3 Generations of Network Visibility
o Generation 1:
» Discover the Network with SNMP
» Generate Asset and Inventory Reports
(diagram: Discovery, Inventory)
o Generation 2:
» Added Static Map generation
(diagram: Discovery, Inventory, Static map)
o Generation 3:
» Network model based (configuration, SNMP, NetFlow, network tables, etc.)
» Real-time, up-to-date, adaptive, dynamic solution
(diagram: Discovery, Comprehensive Data Model, Dynamic, Data-Driven map)
Network Visibility & Management Today
(diagram: teams consuming network data: NetOps, CyberOps, CPTs, NOC, IA/ISSM, Architecture, Design; security data sources: IDS, IPS, Firewall, NetFlow Data, SIEM, Big Data Analytics)
Adaptive Network Automation Framework
(diagram elements: Comprehensive Data Model with Topology, Design and History; Define Automation Task via Dynamic Map; Download Executable Intelligence; Run Adaptive Network Automation; teams: NetOps, CyberOps, CPTs, NOC, IA/ISSM, Architecture, Design; integrated sources: IDS, IPS, Firewall, NetFlow Data, SIEM, Big Data Analytics)
Applying Adaptive Network Automation: Before, during, and after a cyber event
Map as the Single Pane of Glass
» Automated Analysis – Fully Customizable
» Execute manual tasks in seconds
» Initiated by operators or automatically from integrated systems like IDS/IPS, Trouble Tickets, SIEM or CMDB.
Before – Discovery & Asset Identification
o Deep Network discovery
» Accurate, Fast
o Inventory Report
» Derived from comprehensive data model
o Dynamic network documentation, updated daily and on demand
» Supports ATO development, CCRI preparation and day-to-day operations
o Automated Compliance validation & verification
» NIST RMF, DISA/NSA STIGs, IAVAs, CC/S/A specific
o Proactive NetOps & CyberOps
» Automation technology can help CPTs, as well as on-site Network & IA staff
Before – Vulnerability Assessment
Triggered by human intervention or backend systems (IDS/IPS, Logs, CMDB, …)
» Map the threat (e.g. an attack path to a server)
» Run diagnosis and health analysis on the map
» Identify network changes
During – Threat Identification
Apply network changes and patches with automation:
» Configure policies (ACL/QoS/etc.)
» Redirect traffic (honeypot)
» Disable ports
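The two "During" steps above (map the attack path to a server, then push a policy or port change from the same data model) as a small data-driven runbook. This is an added example, not NetBrain's code; the topology, host attachments (RFC 5737 documentation addresses), alert fields and existing ACL entries are constructed, and the generated lines use IOS-style ACL syntax as an illustration.

```python
from collections import deque
# Constructed data model (not a real network): device -> {neighbor: local interface}
TOPOLOGY = {"edge-rtr": {"core-sw": "Gi0/1"},
            "core-sw": {"edge-rtr": "Gi1/1", "dc-fw": "Gi1/2"},
            "dc-fw": {"core-sw": "eth0", "srv-sw": "eth1"},
            "srv-sw": {"dc-fw": "Gi0/0"}}
# Host attachments (RFC 5737 documentation addresses): ip -> (device, interface)
ATTACH = {"198.51.100.7": ("edge-rtr", "Gi0/0"), "192.0.2.10": ("srv-sw", "Gi0/5")}
# Deny entries already deployed, per device: {(src, dst, tcp_port)}
ACLS = {"dc-fw": {("198.51.100.7", "192.0.2.10", 445)}}

def attack_path(src_ip, dst_ip):
    """Map the threat: BFS from the attacker's ingress device to the server's switch."""
    start, goal = ATTACH[src_ip][0], ATTACH[dst_ip][0]
    parents, queue = {start: None}, deque([start])
    while queue:
        dev = queue.popleft()
        if dev == goal:                     # rebuild the path from the parent links
            path = []
            while dev is not None:
                path.append(dev)
                dev = parents[dev]
            return path[::-1]
        for nbr in TOPOLOGY[dev]:
            if nbr not in parents:
                parents[nbr] = dev
                queue.append(nbr)
    return []  # unreachable in the model: the alert needs human review

def diagnose(path, flow):
    """Health check on the mapped path: devices that already deny this flow."""
    return [d for d in path if flow in ACLS.get(d, set())]

def mitigation(alert):
    """Runbook: map, diagnose, then generate the change for the ingress device."""
    flow = (alert["src"], alert["dst"], alert["port"])
    path = attack_path(alert["src"], alert["dst"])
    blocked = diagnose(path, flow)
    result = {"path": path, "blocked_at": blocked, "device": None, "change": []}
    if not path or blocked:              # unmapped, or already contained on the path
        return result
    result["device"], iface = ATTACH[alert["src"]]   # attacker-facing interface
    if alert["severity"] == "critical":  # "disable ports"
        result["change"] = [f"interface {iface}", " shutdown"]
    else:                                # "configure policies (ACL)"
        name = f"BLOCK-{alert['id']}"
        result["change"] = [f"ip access-list extended {name}",
                            f" deny tcp host {flow[0]} host {flow[1]} eq {flow[2]}",
                            " permit ip any any", f"interface {iface}", f" ip access-group {name} in"]
    return result
```

The change is generated from the model rather than from hand-written regular expressions, which is the "data-driven, dynamically created" point the slides make; a real runbook would push it through the device's management channel and record it for the after-action review.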
During – Attack Mitigation
Apply lessons-learned from attack:
o Forensics/analysis
o Enhance executable intelligence
o Update network data model automatically
After – Strengthen Cyber Defense w/ Automation
o Cyber Event Management – Automation can significantly reduce response time
o Allows for collaboration between NetOps & CyberOps, as well as Tiered Teams.
o Runbooks allow process chaining in response to Asymmetric Cyber threats.
(diagram: collaboration & escalation of issues between NetOps, CyberOps and Vendor Management)
Summary
Adaptive Network Automation Framework in support of Cyber Defense
o Before
» Maintain accurate, up to date documentation – ATOs, CCRI, best practice
» Verify & Validate compliance – NIST RMF, STIGs, IAVAs, CC/S/A specific
o During
» Identify and isolate impacted data, systems & networks
» Triage environments, and support rapid remediation
o After
» Based on newly discovered threat(s), apply new configurations and update documentation
» Leverage historical information for AARs and forensics
o Founded in 2004, NetBrain is the first software provider to apply the concept of CAD automation to network management.
» Awarded multiple patents in Computer Aided Network Engineering (C.A.N.E.)
o Customer overview
» 1,300+ customers worldwide
» Multiple sectors
Adaptive Automation – Here and Now