Network security analytics today …and tomorrow


Post on 23-Feb-2016


DESCRIPTION

Network security analytics today and tomorrow. Aubrey Merchant-Dest, Director, Security Strategies (OCT). June 2014. Brief history of network analysis: before NetFlow there were sniffers, used for troubleshooting network applications, and very expensive! Then came Ethereal/Wireshark, SNMP and capacity planning. PowerPoint PPT presentation.

TRANSCRIPT

Network security analytics today and tomorrow

Aubrey Merchant-Dest, Director, Security Strategies (OCT). June 2014.
Copyright 2014 Blue Coat Systems Inc. All Rights Reserved.

Brief history of network analysis
Before NetFlow:
- Sniffers
- Troubleshooting network applications
- Very expensive!
Then came Ethereal/Wireshark.
SNMP:
- Capacity planning
- Ensuring business continuity
- Adequate QoS for service levels
- Little traffic characterization
- No granular understanding of network bandwidth
This is how we did troubleshooting back in the day; it is still useful nowadays (Wireshark).

Enter NetFlow
NetFlow appears:
- Developed by Cisco in 1995
- ASIC based
- Catalyst Operating System
- Answered useful questions: what, when, where and how
- Became the primary network accounting and anomaly-detection tool
Addressed the following:
- Network utilization
- QoS/CoS validation
- Host communications
- Traffic anomaly detection via threshold triggering
Generally statistical reporting:
- No 1:1 unless a dedicated device is present
- Statistical reporting is highly accurate, but not extensible

Representative NetFlow interface (Plixer)
Screenshot slide. Note: based on well-known ports.

IPFIX offers advancements
- IETF chooses NetFlow v9 as the standard in 2003; IPFIX is born (Flexible NetFlow)
- Flexible, customizable templates
- New data fields
- Unidirectional protocol for export: exporter -> collector
- Data format for efficient flow record collection: similar format/structure, self-describing, uses templates
Purpose:
- Collector analyzes flow records: conversations, volumes, AS, and hundreds of other information elements
- A sensor in each switch or router
- Great visibility, even in flat networks
- Scales great

Network flow reporting (threshold alarms)
Useful for:
- Profiling your network: what and how much; who's talking to whom; top or bottom n talkers
- Understanding application utilization: protocol distribution; performance of QoS policy
- Troubleshooting
- Capacity planning
- Network security
A useful source of analytics over time.

Why the primer on flow data?
Today's typical enterprise:
- Is under attack from multiple sources, with varying motivations (nation states, cybercriminals, insider threats, hacktivists)
- Either has, or is budgeting for, current technology
- Is managing GRC: focused on passing audits and protecting assets
- Has one or more individuals focused on security
- Is supporting multiple OSes and compute surfaces
We need more context to stay in this fight!!!
Deployed point products: IPS, email security, web gateway, host firewall, antispam, NAC, SIEM, VPN, encryption, DLP, next-gen firewall, URL filtering, advanced threat protection. Goals: integrity, confidentiality, availability.
Today's security gap: visibility and context.

Post-prevention security gap
- Signature-based defense-in-depth tools: NGFW, IDS/IPS, host AV, web gateway, SIEM, email gateway, DLP, web application firewall
- Threat actors: nation states, cybercriminals, hacktivists, insider threats
- Traditional threats (known threats, known malware, known files, known IPs/URLs) vs. advanced threats (novel malware, zero-day threats, targeted attacks, modern tactics and techniques, SSL)
- What Advanced Threat Protection adds: content, detection, analytics, context, visibility, analysis, intelligence

Speaker notes: So, we've talked about the threat actors, some of the advanced threats they pose and the attack methods they use. For years we have been trying to stop those threats with the next new technologies. We use next-generation firewalls, host AV, SIEM, email gateways and many other point solutions to detect and block these threats. They can be effective at what they are designed to do, but unfortunately they can only prevent what they know to stop, and many threats today do get by, some even using encryption to evade detection. What we need today is an Advanced Threat Protection solution that gives us the context, content, visibility, detection, analysis and real-time, evolving intelligence we need to have a fighting chance against today's threats.

Time and the window of opportunity (Verizon 2014 Data Breach Investigations Report)
- Initial attack to compromise: compromised in days or less, 90%
- Initial compromise to discovery: discovered in days or less, 25%
"Bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays."

Speaker notes: Why is a modern approach so important? Well, here's an interesting perspective from the latest Verizon Data Breach Investigations Report on the time of the initial attack relative to the discovery of the attack. On one hand, 90 percent of the attacks took days or less to successfully compromise their targets. They're very fast. They are successful. They are penetrating your network and you are compromised before you know it.

On the other side of it, only 25% of the attacks were discovered in days or less. It could take much longer (weeks, months, or, as we've seen in some prominent attacks, even longer) before they are uncovered. And so we see a lot of breaches in the news today that have gone undetected for some time. The response we see is often: "Well, we're not sure we were breached. We think we were. We don't have the details, we are looking into it, but can't tell you any more at this time." That's kind of code for: "It's bad, we've definitely been breached, but we don't know how bad, and we don't know what to do." And oftentimes you hear things like, "Well, the threat and the attackers were in the network for four months, six months, a year." This is definitely an issue. We need to be able to see these attacks early; there's no reason that today we can't have full visibility into an attack.

It smacks us with the fact that the bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays.

Post-prevention security gap
60%: percentage of enterprise IT security budgets allocated to rapid-response approaches by 2020 (Gartner, 2014).

Speaker notes: A recent report from Gartner indicated that 60% of enterprise IT security budgets will be devoted to rapid-response approaches. It's clear that protecting the organization's critical digital assets will come by way of swift incident response, not merely blocking what we can already identify.

Gartner: adaptive security architecture
Source: Gartner (February 2014)

Speaker notes: Gartner proposes that Advanced Threat Protection is achieved through an adaptive security architecture, one where the end goal is that different capabilities integrate and share information to build a security protection system that can adjust to threats and is more intelligent overall. It addresses the entire lifecycle of a threat.

DPI and protocol parsing
Deep packet inspection comes in at least two flavors.
Shallow packet inspection:
- Limited flow inspection (i.e., GET)
- Magic byte value @ offset
- Provides improved classification
- May or may not use port numbers for some classification
Deep flow inspection (DPI+++):
- Interrogates network-based conversations
- No usage of port numbers for classification
- State-transitioned classification; supports re-classification
- Treats applications as protocols! (wire view)
- Implements a parsing mechanism
- Performs reconstruction (post-process or NRT)
- Allows extraction of artifacts (files, images, etc.)

Benefits of advanced parsers
- Re-entrant: protocols in protocols
- State-transitioning: efficient decoding; look for metadata only where it should be
- Conversation-based classification: interrogate request and response
- Extraction: NRT or post-process artifact reconstruction; policy-based rules

Correlation: temporal & flow_id
Any-to-any relationship (from any one to any/every other).

Deep context via extracted metadata
What we have at our disposal:
- Precise application classification: classified or unknown (unknown is interesting, too!)
- Metadata: flow-based, inter-relational

Drill-down on context

Correlated context

Example flow record
6/2/14 9:40:23.000 PM
timestamp=Jun 02 2014 21:40:23PM,
dns=gpnouarwexr.www.qianyaso.net,gpnouarwexr.www.qianyaso.net,
application_id=udp,
application_id_2=dns,
connection_flags=unknown,
first_slot_id=23063,
flow_id=20495454,
initiator_country=Azerbaijan,
src_ip=149.255.151.9,
src_port=46614,
interface=eth3,
ip_bad_csums=0,
ip_fragments=0,
network_layer=ipv4,
transport_layer=udp,
packet_count=2,
protocol_family=Network Service,
responder_country=N/A,
dst_ip=10.50.165.3,
dst_port=53,
start_time=1401766596:327447386,
stop_time=1401766611:597447252,
total_bytes=176
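The record above is a flat key=value line, and the "Network flow reporting" slide earlier lists what a collector does with thousands of them: profile who talks to whom, rank top-n talkers, and raise threshold alarms. The following is an added example, not Blue Coat's code, that parses records in exactly the slide's format and runs that kind of report. The first record is the one from the slide; the other three records, the 5 MiB byte threshold and all function names are constructed for illustration. Note the parser splits on a comma only when a key= follows it, because the slide's dns value itself contains a comma.

```python
"""Parse flow records in the slide's key=value format and run simple
top-n talker and threshold-alarm reports over them.

Added example, not Blue Coat's code.  SLIDE_RECORD is the record shown on
the slide; the remaining records, the threshold and the helper names are
constructed for illustration.
"""
import re
from collections import defaultdict

# Split on ", " only where the next token is a key=, so values that contain
# commas (the slide's dns field lists the name twice) stay intact.
_FIELD_SEP = re.compile(r"\s*,\s*(?=\w+=)")
_INT_FIELDS = {"src_port", "dst_port", "packet_count", "total_bytes",
               "flow_id", "first_slot_id", "ip_bad_csums", "ip_fragments"}

SLIDE_RECORD = (
    "timestamp=Jun 02 2014 21:40:23PM, dns=gpnouarwexr.www.qianyaso.net,"
    "gpnouarwexr.www.qianyaso.net , application_id=udp , application_id_2=dns , "
    "connection_flags=unknown , first_slot_id=23063 , flow_id=20495454 , "
    "initiator_country=Azerbaijan , src_ip=149.255.151.9 , src_port=46614 , "
    "interface=eth3 , ip_bad_csums=0 , ip_fragments=0 , network_layer=ipv4 , "
    "transport_layer=udp , packet_count=2 , protocol_family=Network Service , "
    "responder_country=N/A , dst_ip=10.50.165.3 , dst_port=53 , "
    "start_time=1401766596:327447386 , stop_time=1401766611:597447252 , total_bytes=176"
)

# Constructed records in the same format (addresses from documentation ranges).
FLOW_RECORDS = [
    SLIDE_RECORD,
    "timestamp=Jun 02 2014 21:41:02PM, application_id=tcp , application_id_2=http , "
    "flow_id=20495460 , src_ip=10.50.165.20 , src_port=51022 , dst_ip=203.0.113.7 , "
    "dst_port=80 , start_time=1401766620:000000000 , stop_time=1401766625:500000000 , total_bytes=5242880",
    "timestamp=Jun 02 2014 21:41:30PM, application_id=tcp , application_id_2=ssl , "
    "flow_id=20495471 , src_ip=10.50.165.20 , src_port=51040 , dst_ip=203.0.113.9 , "
    "dst_port=443 , start_time=1401766650:000000000 , stop_time=1401766660:000000000 , total_bytes=3145728",
    "timestamp=Jun 02 2014 21:42:05PM, application_id=tcp , application_id_2=http , "
    "flow_id=20495490 , src_ip=10.50.165.31 , src_port=49201 , dst_ip=203.0.113.7 , "
    "dst_port=80 , start_time=1401766680:000000000 , stop_time=1401766681:000000000 , total_bytes=2048",
]


def _sec_nsec(value: str) -> float:
    """start_time/stop_time are 'seconds:nanoseconds' since the epoch."""
    sec, nsec = value.split(":")
    return int(sec) + int(nsec) / 1e9


def parse_flow(record: str) -> dict:
    """Turn one 'k=v , k=v' line into a dict with typed values."""
    flow = {}
    for field in _FIELD_SEP.split(record.strip()):
        key, _, value = field.partition("=")
        value = value.strip()
        if key in _INT_FIELDS:
            value = int(value)
        elif key in ("start_time", "stop_time"):
            value = _sec_nsec(value)
        flow[key] = value
    return flow


def flow_duration(flow: dict) -> float:
    """Seconds between the first and last packet of the flow."""
    return flow["stop_time"] - flow["start_time"]


def top_talkers(flows, key="src_ip", n=3):
    """Top-n by total bytes, grouped on any field (src_ip, dst_port, ...)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f[key]] += f["total_bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def threshold_alarms(flows, byte_threshold, key="src_ip"):
    """Keys whose summed bytes exceed the threshold: the NetFlow-era
    'traffic anomaly detection via threshold triggering'."""
    return [(who, total) for who, total in top_talkers(flows, key, n=len(flows))
            if total > byte_threshold]


def report(records=FLOW_RECORDS, byte_threshold=5 * 1024 * 1024):
    """Profile the records: top sources, protocol distribution by port, alarms."""
    flows = [parse_flow(r) for r in records]
    return {"top_src": top_talkers(flows, "src_ip"),
            "top_dst_port": top_talkers(flows, "dst_port"),
            "alarms": threshold_alarms(flows, byte_threshold)}


if __name__ == "__main__":
    print(report())
```

A collector that receives real IPFIX exports would feed `parse_flow` from its own decoder instead of these strings; the aggregation and threshold logic stays the same, and `top_talkers` can be grouped on any field the record carries (dst_ip, application_id_2, initiator_country) to get the "what and how much" views the slide lists.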

Full-state DPI parsers drive analytics
NRT and post-process reconstruction benefits:
- Hashes: fuzzy, MD5, SHA
- Automated reputation: VirusTotal
- Other details: domain age, WHOIS, SORBS, SANS, 3rd-party plugins
- Automated delivery: policy-based reconstruction and delivery; sandbox; additional processing with other tools

Investigation
- Malicious ZIP file is detected
- Use flow records to link the HTTP source (root)
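Linking a detected file back to the page that delivered it is the "temporal & flow_id" correlation from the earlier slide: start from the flow_id on the detection, then walk the HTTP referrer chain backwards within a time window for the same client. The following is an added example, not Blue Coat's code. The detection event and the HTTP flow-metadata records are constructed (hostnames, URIs, flow ids and times are invented; the field names only follow the style of the slide's flow record). It also handles the reload-on-wrong-captcha behaviour described on a later slide, where a page's referrer is its own URL, by requiring each earlier hop to start strictly before the current one.

```python
"""Trace a detected artifact back to the root HTTP page via flow_id and
temporal correlation of referrer metadata.

Added example, not Blue Coat's code.  All records below are constructed;
hosts, URIs, flow ids and timestamps are invented for illustration.
"""
from datetime import datetime, timedelta


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed HTTP flow-metadata records, one per request/response.
HTTP_FLOWS = [
    {"flow_id": 20495301, "start": _t("2014-06-02 21:39:40"), "src_ip": "10.50.165.20",
     "host": "search.example.test", "uri": "/q?bill", "referrer": "", "mime": "text/html"},
    {"flow_id": 20495322, "start": _t("2014-06-02 21:39:58"), "src_ip": "10.50.165.20",
     "host": "bill-lookalike.example.test", "uri": "/bill/captcha.php",
     "referrer": "http://search.example.test/q?bill", "mime": "text/html"},
    # Wrong captcha entered: the page reloads itself, so the referrer is its own URL.
    {"flow_id": 20495340, "start": _t("2014-06-02 21:40:10"), "src_ip": "10.50.165.20",
     "host": "bill-lookalike.example.test", "uri": "/bill/captcha.php",
     "referrer": "http://bill-lookalike.example.test/bill/captcha.php", "mime": "text/html"},
    {"flow_id": 20495360, "start": _t("2014-06-02 21:40:21"), "src_ip": "10.50.165.20",
     "host": "cdn.example.test", "uri": "/dl/bill.zip",
     "referrer": "http://bill-lookalike.example.test/bill/captcha.php", "mime": "application/zip"},
    # A different client on the same captcha page; must not join this client's chain.
    {"flow_id": 20495333, "start": _t("2014-06-02 21:40:00"), "src_ip": "10.50.165.31",
     "host": "bill-lookalike.example.test", "uri": "/bill/captcha.php",
     "referrer": "", "mime": "text/html"},
]

# Constructed detection event, as a file-analysis stage would emit it.
DETECTION = {"flow_id": 20495360, "time": _t("2014-06-02 21:40:23"),
             "file_name": "bill.zip", "verdict": "malicious"}


def url_of(flow: dict) -> str:
    return f"http://{flow['host']}{flow['uri']}"


def trace_root(detection: dict, flows, window_seconds: int = 300):
    """Return the delivery chain root-first, starting from the detection's flow.

    Each hop must come from the same client, match the current hop's referrer
    URL exactly, and start inside [current.start - window, current.start).
    The strict upper bound is what stops a self-referring reload from looping.
    """
    window = timedelta(seconds=window_seconds)
    by_id = {f["flow_id"]: f for f in flows}
    current = by_id[detection["flow_id"]]
    chain = [current]
    while current["referrer"]:
        candidates = [f for f in flows
                      if f["src_ip"] == current["src_ip"]
                      and url_of(f) == current["referrer"]
                      and f["flow_id"] != current["flow_id"]
                      and current["start"] - window <= f["start"] < current["start"]]
        if not candidates:
            break                      # referrer not seen on the wire; chain ends here
        current = max(candidates, key=lambda f: f["start"])   # most recent matching flow
        chain.append(current)
    chain.reverse()
    return chain


def delivery_chain(detection=DETECTION, flows=HTTP_FLOWS):
    """Root-first list of (flow_id, url) from the landing page to the download."""
    return [(f["flow_id"], url_of(f)) for f in trace_root(detection, flows)]


if __name__ == "__main__":
    for fid, url in delivery_chain():
        print(fid, url)
```

The window is the analyst's knob: too narrow and the chain stops at the download (the test below shows a 5-second window finding no earlier hop), too wide and an unrelated earlier visit to the same URL can be pulled in. In practice the referrer is attacker-controlled metadata, so the chain is a lead for reconstruction of the root page, not proof on its own.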

Investigation
- Hashes compared against reputation service sources
- Looks like ransomware

Investigation
- Source of exploit determined: Energy Australia web page (reconstructed)
- Requests a captcha for a copy of the bill
- Interestingly, entering the wrong captcha values reloads the page
- Correct entry starts the exploit

Investigation
- Other malware delivered
- Presented on the wire as .gif; decoded by the DPI parser as x-dosexec
- 17 reputation sources know this as malicious
- First seen 5/29/14

Investigation
- VirusTotal reports 4 AV engines flagging the site as malicious
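The ".gif that is really x-dosexec" finding above is the "magic byte value @ offset" check from the DPI slide applied to an extracted artifact, followed by the hashing and reputation lookup from the "Full-state DPI parsers" slide. The following is an added example, not Blue Coat's code, that puts those three steps together: classify a reconstructed file by its leading bytes, compare that with the type it was presented as, hash it with MD5/SHA-1/SHA-256 from hashlib, and look the SHA-256 up in a reputation list. The two artifacts and the reputation list are constructed (the list stands in for VirusTotal or a similar service); a fuzzy hash such as ssdeep needs a third-party library and is not shown.

```python
"""Magic-byte classification of extracted artifacts, declared-vs-detected type
mismatch, hashing and reputation lookup.

Added example, not Blue Coat's code.  REAL_GIF, FAKE_GIF and REPUTATION are
constructed for illustration; MAGIC is a small subset of common signatures.
"""
import hashlib

# (offset, magic bytes, detected type): what a shallow inspector checks.
MAGIC = [
    (0, b"GIF87a", "image/gif"),
    (0, b"GIF89a", "image/gif"),
    (0, b"\x89PNG\r\n\x1a\n", "image/png"),
    (0, b"MZ", "application/x-dosexec"),
    (0, b"PK\x03\x04", "application/zip"),
    (0, b"%PDF-", "application/pdf"),
]


def classify(data: bytes) -> str:
    """Return the type implied by the bytes at each signature's offset."""
    for offset, magic, kind in MAGIC:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return "unknown"        # the slides note that 'unknown' is interesting too


def hashes(data: bytes) -> dict:
    """The fixed hashes the reconstruction slide lists (fuzzy hash omitted)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def inspect_artifact(declared_type: str, data: bytes, reputation: dict) -> dict:
    """Classify, flag a declared/detected mismatch, hash and look up reputation."""
    detected = classify(data)
    h = hashes(data)
    return {
        "declared": declared_type,
        "detected": detected,
        # An unknown type is not a mismatch on its own; it is a separate signal.
        "mismatch": detected != "unknown" and detected != declared_type,
        "hashes": h,
        "verdict": reputation.get(h["sha256"], "unknown"),
    }


# Constructed artifacts: a minimal 1x1 GIF, and a file that starts with the
# DOS/PE 'MZ' header but was served with an image/gif content type.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
            b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
FAKE_GIF = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 50
            + b"This program cannot be run in DOS mode.")

# Constructed reputation list keyed by SHA-256; a real deployment would query
# VirusTotal or another service with the same hash.
REPUTATION = {hashlib.sha256(FAKE_GIF).hexdigest(): "malicious"}


if __name__ == "__main__":
    for label, blob in (("real gif", REAL_GIF), ("fake gif", FAKE_GIF)):
        print(label, inspect_artifact("image/gif", blob, REPUTATION))
```

The mismatch flag is the part worth alerting on even before any reputation answer comes back: a server claiming image/gif for an MZ-headed file is a policy violation regardless of whether the hash is already known, which is exactly the case the investigation slide shows.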

But so far we've talked about analysis
Analytics vs. analysis: Analytics is a multi-dimensional discipline. There is extensive use of mathematics and statistics, and of descriptive techniques and predictive models, to gain valuable knowledge from data (data analysis). The insights from data are used to recommend action or to guide decision making rooted in business context. Thus, analytics is not so much concerned with individual analyses or analysis steps, but with the entire methodology. There is a pronounced tendency to use the term "analytics" in business settings (e.g. text analytics vs. the more generic text mining) to emphasize this broader perspective. There is increasing use of the term "advanced analytics", typically to describe the technical aspects of analytics, especially predictive modeling, machine learning techniques, and neural networks.
Short definition: multi-dimensional analysis to uncover relationships not present discretely, yielding insight.

Multi-dimensional analysis
Metadata fields available for correlation, any to any/many, flow-based (the slide shows them in four columns):
- Application, Application Group, Email Recipient, Email Sender, Email Subject, SSL Common Name, File Name, Fuzzy Hash, MD5 Hash, MIME Type, SHA1 Hash, VLAN ID, VoIP ID, Country Initiator, Country Responder, DNS Query
- Ethernet Destination, Ethernet Destination Vendors, Ethernet Protocol, Ethernet Source, Ethernet Source Vendors, Interface, IP Bad Checksums, IP Fragments, IP Protocol, IPv4 Conversation, IPv4 Responder, IPv4 Initiator, IPv4 Port Conversation, IPv6 Conversation, IPv6 Initiator
- IPv6 Responder, IPv6 Port Conversation, Packet Length, Port Initiator, Port Responder, Size in Bytes, Size in Packets, TCP Initiator, TCP Responder, Tunnel Initiator, Tunnel Responder, UDP Initiator, UDP Responder, Password, Social Persona, User Name
- File Analysis, Malware Analysis, URL Analysis, URL Categories, Database Query, HTTP Code, HTTP Content Disposition, HTTP Forward Address, HTTP Method, HTTP Server, HTTP URI, Referrer, SSL Cert Number, User Agent, Web Query, Web Server
