Network security analytics today …and tomorrow
Post on 23-Mar-2016
Aubrey Merchant-dest, Director, Security Strategies (OCT)
June, 2014
Copyright 2014 Blue Coat Systems Inc. All Rights Reserved.

Brief history of network analysis
Before NetFlow:
- Sniffers: troubleshooting network applications. Very expensive!
- Then came Ethereal/Wireshark
- SNMP: capacity planning, ensuring business continuity, adequate QoS for service levels
- Little traffic characterization; no granular understanding of network bandwidth
- This is how we did troubleshooting back in the day; still useful nowadays (Wireshark)
Enter NetFlow
- NetFlow appears: developed by Cisco in 1995, ASIC based, Catalyst Operating System
- Answered useful questions: what, when, where and how
- Became the primary network accounting and anomaly-detection tool
- Addressed the following: network utilization, QoS/CoS validation, host communications, traffic anomaly detection via threshold triggering
- Generally statistical reporting; no 1:1 unless a dedicated device is present
- Statistical reporting is highly accurate, but not extensible
Representative NetFlow interface (Plixer)
Note: Based on well-known ports

IPFIX offers advancements
- IETF chooses NetFlow v9 as the standard in 2003; IPFIX is born (Flexible NetFlow): flexible, customizable templates; new data fields
- Unidirectional protocol for export: Exporter -> Collector
- Data format for efficient flow record collection: similar format/structure, self-describing, uses templates
- Purpose: the collector analyzes flow records (conversations, volumes, AS, and hundreds of other information elements)
- A sensor in each switch or router: great visibility, even in flat networks; scales great
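To make the template-driven, self-describing export format concrete, here is a minimal collector-side IPFIX (RFC 7011) decoder, added as an example and not code from this deck or from Blue Coat. It constructs a message containing one template and one data record (information element ids from the IANA registry, sample addresses from the RFC 5737 documentation ranges), then decodes it; fixed-length elements only, and enterprise-specific elements are rejected rather than guessed.

```python
import struct
import ipaddress
# IANA IPFIX information element ids used by the constructed template below.
IE_NAMES = {1: "octetDeltaCount", 4: "protocolIdentifier", 7: "sourceTransportPort",
            8: "sourceIPv4Address", 11: "destinationTransportPort", 12: "destinationIPv4Address"}

def parse_ipfix(msg: bytes, templates: dict) -> list:
    """Decode one IPFIX message. Template sets (set id 2) are stored in `templates`; data sets
    (set id >= 256) are decoded with the template of the same id, so data that arrives before
    its template is skipped, exactly as a real collector must do."""
    version, length, _export, _seq, _domain = struct.unpack("!HHIII", msg[:16])
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    records, pos = [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        if set_len < 4:                      # guard against a malformed set header
            raise ValueError("bad set length")
        body, pos = msg[pos + 4:pos + set_len], pos + set_len
        if set_id == 2:                      # template set: (template id, field count, fields...)
            off = 0
            while off + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[off:off + 4])
                fields = [struct.unpack("!HH", body[off + 4 + 4 * i:off + 8 + 4 * i])
                          for i in range(count)]
                if any(ie & 0x8000 for ie, _ in fields):
                    raise ValueError("enterprise-specific elements not supported here")
                templates[tid] = fields
                off += 4 + 4 * count
        elif set_id >= 256 and set_id in templates:
            fields = templates[set_id]
            rec_len = sum(l for _, l in fields)
            for off in range(0, len(body) - rec_len + 1, rec_len):  # trailing padding is ignored
                rec, f = {}, off
                for ie, l in fields:
                    raw, f = body[f:f + l], f + l
                    rec[IE_NAMES.get(ie, f"ie{ie}")] = (str(ipaddress.IPv4Address(raw))
                                                        if ie in (8, 12) else int.from_bytes(raw, "big"))
                records.append(rec)
    return records

def build_sample() -> bytes:
    """Constructed sample message: template 256 followed by one DNS-lookup-sized record."""
    layout = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8)]
    tmpl = struct.pack("!HH", 256, len(layout)) + b"".join(struct.pack("!HH", *f) for f in layout)
    tmpl_set = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    rec = (ipaddress.IPv4Address("192.0.2.10").packed + ipaddress.IPv4Address("198.51.100.53").packed
           + struct.pack("!HHBQ", 46614, 53, 17, 176))
    data_set = struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIII", 10, 16 + len(tmpl_set) + len(data_set), 1401766596, 1, 1) + tmpl_set + data_set
```

Calling `parse_ipfix(build_sample(), {})` returns one record with the source and destination addresses, ports, protocol 17 (UDP) and 176 octets decoded from the template.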
Network flow reporting (threshold alarms)
Useful for:
- Profiling your network: what and how much; who's talking to whom; top or bottom n talkers
- Understanding application utilization: protocol distribution; performance of QoS policy
- Troubleshooting
- Capacity planning
- Network security
- A useful source of analytics over time

Why the primer on flow data?
Today's typical enterprise:
- Is under attack from multiple sources, with varying motivations (nation states, cybercriminals, insider threats, hacktivists)
- Either has or is budgeting for current technology: IPS, email security, web gateway, host firewall, anti-spam, NAC, SIEM, VPN, encryption, DLP, next-gen firewall, URL filtering
- Is managing GRC: focused on passing audits and protecting assets (integrity, confidentiality, availability)
- Has one or more individuals focused on security
- Is supporting multiple OSes and compute surfaces
We need more context to stay in this fight!!!

Today's security gap: visibility and context
- Signature-based defense-in-depth tools (NGFW, IDS/IPS, host AV, web gateway, SIEM, email gateway, DLP, web application firewall) address traditional threats: known threats, known malware, known files, known IPs/URLs
- Threat actors (nation states, cybercriminals, hacktivists, insider threats) bring advanced threats: novel malware, zero-day threats, targeted attacks, modern tactics & techniques, SSL
- Post-prevention security gap: Advanced Threat Protection requires content, detection, analytics, context, visibility, analysis and intelligence

So, we've talked about the threat actors and some of the advanced threats they pose and the attack methods they use. For years we have been trying to stop those threats with the next new technologies. We use next generation firewalls, hosted AV, SIEM, email gateways and many other point solutions to detect and block these threats. They can be effective in what they are designed to do, but unfortunately they can only prevent what they know to stop, and many threats today do get by, some even using encryption to evade detection. What we need today is an Advanced Threat Protection solution that gives us the context, content, visibility, detection, analysis and real-time, evolving intelligence we need to have a fighting chance against today's threats.
Time and the window of opportunity
- Initial attack to compromise: compromised in days or less, 90%
- Initial compromise to discovery: discovered in days or less, 25%
Source: Verizon 2014 Breach Investigation Report: "bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays."

Why is a modern approach so important? Well, here's an interesting perspective from the latest Verizon Data Breach Investigation Report on the time of the initial attack, relative to the discovery of the attack. On one hand, 90 percent of the attacks took days or less to successfully compromise their targets. They're very fast. They are successful. They are penetrating your network and you are compromised before you know it.

On the other side of it, only 25% of the attacks were discovered in days or less. It could take much longer (weeks, months, or, as we've seen in some prominent attacks, even longer) before they are uncovered. And so, we see a lot of breaches in the news today that have gone undetected for some time. The response we see is often "Well, we're not sure we were breached. We think we were. We don't have the details, we are looking into it, but can't tell you any more at this time." That's kind of code for "It's bad, we've definitely been breached, but we don't know how bad, and we don't know what to do." And oftentimes you hear things like "Well, the threat and the attackers were in the network for four months, six months, a year." This is definitely an issue. We need to be able to see these attacks early; there's no reason that today we can't have full visibility into an attack.

It smacks us with the fact that the bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays.
Post-prevention security gap
60%: percentage of enterprise IT security budgets allocated to rapid response approaches by 2020 (Gartner 2014)

A recent report from Gartner indicated that 60% of enterprise IT security budgets will be devoted to rapid response approaches. It's clear that protecting the organization's critical digital assets will come by way of swift incident response, not merely blocking what we can already identify.
Gartner: adaptive security architecture
Source: Gartner (February 2014)

Gartner proposes that Advanced Threat Protection is achieved through an adaptive security architecture: one where the end goal is that different capabilities integrate and share information to build a security protection system that can adjust to threats and is more intelligent overall. It addresses the entire lifecycle of a threat.

DPI and protocol parsing
Deep Packet Inspection comes in at least two flavors:
- Shallow packet inspection:
  - Limited flow inspection (i.e., GET)
  - Magic: byte value @ offset
  - Provides improved classification
  - May or may not use port numbers for some classification
- Deep Flow Inspection (DPI+++):
  - Interrogates network-based conversations
  - No usage of port numbers for classification
  - State-transitioned classification; supports re-classification
  - Treats applications as protocols! (wire-view)
  - Implements a parsing mechanism
  - Performs reconstruction (post-process or NRT)
  - Allows extraction of artifacts (files, images, etc.)
Benefits of advanced parsers
- Re-entrant: protocols in protocols
- State-transitioning: efficient decoding; look for metadata only where it should be
- Conversation-based classification: interrogate request and response
- Extraction: NRT or post-process artifact reconstruction; policy-based rules

Correlation: temporal & flow_id
Any-to-any relationship (from any one to any/every other)

Deep Context via extracted metadata
What we have at our disposal:
- Precise application classification: classified or unknown (unknown is interesting, too!)
- Metadata: flow-based, inter-relational

Drill-down on Context

Correlated Context
Example flow record
6/2/14 9:40:23.000 PM
timestamp=Jun 02 2014 21:40:23PM, dns=gpnouarwexr.www.qianyaso.net,gpnouarwexr.www.qianyaso.net , application_id=udp , application_id_2=dns , connection_flags=unknown , first_slot_id=23063 , flow_id=20495454 , initiator_country=Azerbaijan , src_ip=188.8.131.52 , src_port=46614 , interface=eth3 , ip_bad_csums=0 , ip_fragments=0 , network_layer=ipv4 , transport_layer=udp , packet_count=2 , protocol_family=Network Service , responder_country=N/A , dst_ip=10.50.165.3 , dst_port=53 , start_time=1401766596:327447386 , stop_time=1401766611:597447252 , total_bytes=176
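As an added example (not code from the deck or from any Blue Coat product), here is a parser for the record format shown above, using the slide's own record as embedded sample input, plus one threshold alarm of the kind the flow-reporting slide describes, run over the leftmost label of each queried DNS name and tagged with the flow_id for correlation. The multi-valued dns field is the parsing edge case to get right; the length and entropy thresholds are assumptions chosen for this example.

```python
import collections
import math

# The slide's record, embedded here as constructed sample input (viewer date column dropped).
SAMPLE_RECORD = (
    "timestamp=Jun 02 2014 21:40:23PM, dns=gpnouarwexr.www.qianyaso.net,gpnouarwexr.www.qianyaso.net , "
    "application_id=udp , application_id_2=dns , connection_flags=unknown , first_slot_id=23063 , "
    "flow_id=20495454 , initiator_country=Azerbaijan , src_ip=188.8.131.52 , src_port=46614 , "
    "interface=eth3 , ip_bad_csums=0 , ip_fragments=0 , network_layer=ipv4 , transport_layer=udp , "
    "packet_count=2 , protocol_family=Network Service , responder_country=N/A , dst_ip=10.50.165.3 , "
    "dst_port=53 , start_time=1401766596:327447386 , stop_time=1401766611:597447252 , total_bytes=176")

def parse_flow_record(line: str) -> dict:
    """Split a 'key=value , key=value' record into a dict. A comma-separated piece with
    no '=' (the second dns name above) continues the previous value, which becomes a
    list, so multi-valued fields are kept rather than silently overwritten."""
    rec, last = {}, None
    for piece in (p.strip() for p in line.split(",")):
        if "=" in piece:
            last, value = piece.split("=", 1)
            rec[last] = value
        elif last is not None and piece:
            prev = rec[last]
            rec[last] = (prev if isinstance(prev, list) else [prev]) + [piece]
    return rec

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution (0.0 for empty input)."""
    counts = collections.Counter(s).values()
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts) if s else 0.0

def dns_label_alarm(rec: dict, min_len: int = 10, min_entropy: float = 3.0) -> list:
    """Threshold alarm on the leftmost label of each queried name: a long, high-entropy
    label is reported together with the flow_id so it can be correlated with other
    records. The thresholds are assumptions for this example, not values from the deck."""
    names = rec.get("dns", [])
    names = names if isinstance(names, list) else [names]
    hits = []
    for name in dict.fromkeys(names):            # de-duplicate while keeping order
        label = name.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.append((rec.get("flow_id"), name, round(shannon_entropy(label), 2)))
    return hits

if __name__ == "__main__":
    record = parse_flow_record(SAMPLE_RECORD)
    print(record["src_ip"], "->", record["dst_ip"], record["dst_port"], dns_label_alarm(record))
```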
Full-state DPI parsers drive analytics
NRT and post-process reconstruction benefits:
- Hashes: fuzzy, MD5, SHA
- Automated reputation: VirusTotal
- Other details: domain age, WHOIS, SORBS, SANS, 3rd-party plugins
- Automated delivery: policy-based reconstruction and delivery; sandbox; additional processing with other tools
Investigation
Malicious ZIP file is detecte