Network security analytics today

DESCRIPTION

Network security analytics today. Aubrey Merchant-dest, Director, Security Strategies, OCTO. June 2014. PowerPoint presentation (Blue Coat Systems).

TRANSCRIPT


Network security analytics today

Aubrey Merchant-dest, Director, Security Strategies, OCTO
June 2014
Copyright 2014 Blue Coat Systems Inc. All Rights Reserved.

Brief history of network analysis

In the beginning: sniffers
- Troubleshooting network issues
- Protocol-specific decoding
- Mostly used by service providers

SNMP
- Capacity planning
- Ensuring business continuity
- QoS for service-level support
- Little traffic characterization; no granular understanding of network bandwidth

This is how we did troubleshooting back in the day: limited analysis capabilities, frame- or packet-level decode.

NetFlow v4 and v5
- Developed by Cisco; ASIC-based, part of the Catalyst operating system
- Answered useful questions: what, when, where and how much (flows)
- Became the primary network accounting and anomaly-detection tool
- Addressed: network utilization, QoS/CoS validation, host communications, traffic anomaly detection via threshold triggering, statistical reporting on packets
- Limitations: small flows are problematic; not extensible; Layer 3 and 4 only (plus interface, ToS, AS, etc.)

Representative NetFlow interface (MRTG-style graph)

Note: application classification is based on well-known ports, so anything running on a non-standard port is mislabelled or lumped into "other"; reporting is at 5-minute granularity.

NetFlow v9 and IPFIX

NetFlow v9
- Added support for IPv6
- Added the template concept: records are self-describing and self-contained
- Primarily for bandwidth monitoring

IPFIX
- IETF standardized IPFIX (IP Flow Information Export, RFC 7011) as the open standard
- Almost identical to NetFlow v9, from which it was derived
- Supports variable-length fields
- Vendors can define their own information elements under their own enterprise ID
- Export anything, decode later
- Better application visibility, more context

IPFIX network flow reporting (screenshot): Cisco NBAR (Network Based Application Recognition)

Network flow reporting

NetFlow and IPFIX provide visibility
- A sensor in every L2/L3 switch; also useful for east-west monitoring
- A good source of analytics: comparative reporting, lightweight storage, longer historical view
- Especially useful for monitoring flat network architectures and for insider activity monitoring
- But essentially the equivalent of a phone bill: a conversation took place; context is still needed at higher layers

Why the primer on flow data?

Today's typical enterprise:
- Is under attack from multiple sources with varying motivations
- Either has, or is budgeting for, current technology
- Is managing GRC, focused on passing audits and protecting assets
- Has an insufficient number of individuals focused on security
- Is supporting multiple OSes and compute surfaces
We need more context to stay in this fight!

Threat actors: nation states, cybercriminals, insider threats, hacktivists
Threats: targeted attacks, DDoS, APTs, advanced malware, ransom and fraud, data theft, zero-day threats
Controls already deployed: IPS, email security, web gateway, host firewall, anti-spam, NAC, SIEM, VPN, encryption, DLP, next-generation firewall, URL filtering, advanced threat protection (covering integrity, confidentiality, availability)
Today's security gap: visibility and context

Time and the window of opportunity (Verizon 2014 Data Breach Investigations Report)
- Initial attack to compromise: compromised in days or less, 90%
- Initial compromise to discovery: discovered in days or less, 25%
"The bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays."

Why is a modern approach so important? Well, here's an interesting perspective from the latest Verizon Data Breach Investigations Report on the time of the initial attack relative to the discovery of the attack. On one hand, 90 percent of the attacks took days or less to successfully compromise their targets. They're very fast. They are successful. They are penetrating your network, and you are compromised before you know it.

On the other side of it, only 25% of the attacks were discovered in days or less. It could take much longer (weeks, months, or, as we've seen in some prominent attacks, even longer) before they are uncovered. And so we see a lot of breaches in the news today that have gone undetected for some time. The response we see is often "Well, we're not sure we were breached. We think we were. We don't have the details, we are looking into it, but can't tell you any more at this time." That's kind of code for "It's bad. We've definitely been breached, but we don't know how bad, and we don't know what to do." And oftentimes you hear things like "Well, the threat and the attackers were in the network for four months, six months, a year." This is definitely an issue. We need to be able to see these attacks early; there's no reason that today we can't have full visibility into an attack.

It smacks us with the fact that the bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays.

Post-prevention security gap

Signature-based defense-in-depth tools: NGFW, IDS/IPS, host AV, web gateway, SIEM, email gateway, DLP, web application firewall
Threat actors: nation states, cybercriminals, hacktivists, insider threats
Traditional threats (known): known malware, known files, known IPs/URLs
Advanced threats: novel malware, zero-day threats, targeted attacks, modern tactics and techniques, SSL (encrypted delivery)
What advanced threat protection needs: content, detection, analytics, context, visibility, analysis, intelligence

So, we've talked about the threat actors, some of the advanced threats they pose and the attack methods they use. For years we have been trying to stop those threats with the next new technologies. We use next-generation firewalls, host AV, SIEM, email gateways and many other point solutions to detect and block these threats. They can be effective at what they are designed to do, but unfortunately they can only prevent what they already know to stop, and many threats today get by, some using encryption to evade detection. What we need today is an advanced threat protection solution that gives us the context, content, visibility, detection, analysis and real-time, evolving intelligence we need to have a fighting chance against today's threats.

Post-prevention security gap

60%: percentage of enterprise IT security budgets allocated to rapid response approaches by 2020 (Gartner, 2014)

A recent report from Gartner indicated that 60% of enterprise IT security budgets will be devoted to rapid response approaches by 2020. It's clear that protecting the organization's critical digital assets will come by way of swift incident response, not merely blocking what we can already identify.

Gartner: adaptive security architecture

Source: Gartner (February 2014)

Gartner proposes that advanced threat protection is achieved through an adaptive security architecture, one where the end goal is that different capabilities integrate and share information to build a security protection system that can adjust to threats and is more intelligent overall. It addresses the entire lifecycle of a threat.

DPI and protocol parsing

Deep packet inspection is generally available in two flavors.

Shallow packet inspection
- Limited flow inspection (e.g., only the HTTP request line: GET ...)
- Magic byte value at a fixed offset
- Provides improved classification over port numbers alone
- May or may not still rely on port numbers for some classification

Deep flow/session inspection (DPI+++)
- Interrogates network-based conversations
- No use of port numbers for classification
- State-transitioned classification
- Treats applications as protocols (wire view)
- Implements a parsing mechanism
- Performs reconstruction (post-process or real-time)
- Allows extraction of artifacts (files, images, etc.)
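The three views on this slide, contrasted in code. This is an added example written for this page, not Blue Coat's classifier: the well-known-port table, the shallow magic-byte table, the minimal DNS and TLS header checks and the sample conversations are all constructed, and the protocol coverage is deliberately tiny. The point it makes is the one the slide makes: the port view and the first-bytes view can each be fooled, and only a classifier that looks at both the request and the response, in the state order the protocol mandates, gives a label worth storing as a flow attribute.

```python
"""Port-independent application classification from the first payload bytes
of both directions of a conversation (added example, constructed data)."""

# 1. Port-based view (NetFlow era): the destination port *is* the application.
WELL_KNOWN_PORTS = {22: "ssh", 53: "dns", 80: "http", 443: "ssl"}

def classify_by_port(dst_port: int) -> str:
    return WELL_KNOWN_PORTS.get(dst_port, "unknown")

# 2. Shallow inspection: (name, offset, magic) tested against the client's first bytes only.
MAGIC_AT_OFFSET = [
    ("ssh", 0, b"SSH-"),
    ("ssl", 0, b"\x16\x03"),  # TLS record: content type 22 (handshake), version 3.x
]
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def classify_shallow(client_first: bytes) -> str:
    for name, off, magic in MAGIC_AT_OFFSET:
        if client_first[off:off + len(magic)] == magic:
            return name
    if client_first.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

# 3. Deep flow inspection: both sides must behave like the protocol before it gets a label.
def _dns_header_ok(msg: bytes, expect_response: bool) -> bool:
    """Minimal DNS header sanity: QR bit as expected, opcode QUERY, at least one question."""
    if len(msg) < 12:
        return False
    flags = int.from_bytes(msg[2:4], "big")
    qr, opcode = (flags >> 15) & 1, (flags >> 11) & 0xF
    qdcount = int.from_bytes(msg[4:6], "big")
    return qr == int(expect_response) and opcode == 0 and qdcount >= 1

def _tls_handshake(first: bytes, hs_type: int) -> bool:
    # 5-byte record header, then the handshake message type (1 = ClientHello, 2 = ServerHello).
    return first[:2] == b"\x16\x03" and len(first) > 5 and first[5] == hs_type

def classify_deep(client_first: bytes, server_first: bytes) -> str:
    if client_first.startswith(HTTP_METHODS):
        # A real HTTP server answers a request with a status line; anything else is not HTTP.
        return "http" if server_first.startswith(b"HTTP/1.") else "unknown"
    if _tls_handshake(client_first, 1):
        return "ssl" if _tls_handshake(server_first, 2) else "unknown"
    if client_first.startswith(b"SSH-") and server_first.startswith(b"SSH-"):
        return "ssh"
    if (_dns_header_ok(client_first, False) and _dns_header_ok(server_first, True)
            and client_first[:2] == server_first[:2]):  # transaction IDs must match
        return "dns"
    return "unknown"

def classify(dst_port: int, client_first: bytes, server_first: bytes) -> dict:
    """All three views side by side, so the disagreements are visible."""
    return {
        "port": classify_by_port(dst_port),
        "shallow": classify_shallow(client_first),
        "deep": classify_deep(client_first, server_first),
    }

# Constructed conversations: first bytes of each direction.
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
HTTP_RSP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32
TLS_SERVER_HELLO = b"\x16\x03\x03\x00\x2a\x02\x00\x00\x26\x03\x03" + b"\x00" * 32
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x07invalid\x00\x00\x01\x00\x01"
DNS_RESPONSE = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + b"\x07example\x07invalid\x00\x00\x01\x00\x01"
SSH_BANNER = b"SSH-2.0-OpenSSH_6.6\r\n"

SAMPLE_CONVERSATIONS = {
    "http_on_8080": (8080, HTTP_REQ, HTTP_RSP),             # port view misses it
    "tls_on_80": (80, TLS_CLIENT_HELLO, TLS_SERVER_HELLO),  # port view calls it http
    "ssh_on_443": (443, SSH_BANNER, SSH_BANNER),            # slips past a port-based filter
    "fake_http": (80, HTTP_REQ, SSH_BANNER),                # shallow view is fooled, deep is not
    "dns": (53, DNS_QUERY, DNS_RESPONSE),
}

if __name__ == "__main__":
    for name, (port, c, s) in SAMPLE_CONVERSATIONS.items():
        print(f"{name:14} {classify(port, c, s)}")
```

The "fake_http" case is the one to note: a client that sends a plausible GET line and then speaks something else satisfies the magic-byte check, so a shallow parser would file the whole conversation under HTTP; a deep parser that waits for the status line leaves it "unknown", which, as a later slide says, is interesting in its own right.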

Benefits of advanced parsers
- Re-entrant: protocols in protocols
- State-transitioning: efficient decoding; decode metadata only where it should be
- Conversation-based classification: interrogate request and response
- Extraction: real-time or post-process artifact reconstruction, policy-based rules

Correlation of sessions over time (all protocol layers)
- Any-to-any relationship: from any one attribute to any/every other

Deep context via extracted metadata; drill into interesting context; correlated context
What we have at our disposal:
- Precise application classification: classified or unknown (unknown is interesting, too!)
- Metadata: flow-based, inter-relational

Example flow record

timestamp=Jun 02 2014 21:40:23PM
dns=gpnouarwexr.www.qianyaso.net
application_id=udp
application_id_2=dns
connection_flags=unknown
first_slot_id=23063
flow_id=20495454
initiator_country=Azerbaijan
src_ip=149.255.151.9
src_port=46614
interface=eth3
ip_bad_csums=0
ip_fragments=0
network_layer=ipv4
transport_layer=udp
packet_count=2
protocol_family=Network Service
responder_country=N/A
dst_ip=10.50.165.3
dst_port=53
start_time=1401766596:327447386
stop_time=1401766611:597447252
total_bytes=176

Many other session-flow attributes are available!

DPI parsers offer improved analytics: real-time and post-process reconstruction benefits
- Hashes: ssdeep (fuzzy), MD5, SHA
- Automated reputation: VirusTotal
- Other details: domain age, WHOIS, SORBS, SANS, third-party plugins
- Automated delivery: policy-based reconstruction and delivery to centralized or distributed sandboxes; additional processing with other tools
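The example flow record shown above, parsed and turned into the handful of derived fields an analyst pivots on. This is an added example, not the product's parser: RECORD is the record text from the slide (including its stray empty field), while the derived values and the three checks in analyze() are this example's own assumptions about what one would compute from such a record, not product features.

```python
"""Parse a 'key=value , key=value' flow record and derive analyst-facing fields
(added example; RECORD is the slide's record, the checks are assumptions)."""
import ipaddress
import math
from collections import Counter

RECORD = (
    "timestamp=Jun 02 2014 21:40:23PM, dns=gpnouarwexr.www.qianyaso.net, , "
    "application_id=udp , application_id_2=dns , connection_flags=unknown , "
    "first_slot_id=23063 , flow_id=20495454 , initiator_country=Azerbaijan , "
    "src_ip=149.255.151.9 , src_port=46614 , interface=eth3 , ip_bad_csums=0 , "
    "ip_fragments=0 , network_layer=ipv4 , transport_layer=udp , packet_count=2 , "
    "protocol_family=Network Service , responder_country=N/A , dst_ip=10.50.165.3 , "
    "dst_port=53 , start_time=1401766596:327447386 , stop_time=1401766611:597447252 , "
    "total_bytes=176"
)

def parse_record(text: str) -> dict:
    """Split on commas, then on the first '='; parts without '=' are skipped."""
    fields = {}
    for part in text.split(","):
        key, eq, value = part.strip().partition("=")
        if eq:
            fields[key.strip()] = value.strip()
    return fields

def _split_ts(ts: str) -> tuple:
    """start_time/stop_time are 'seconds:nanoseconds' since the epoch."""
    sec, _, nsec = ts.partition(":")
    return int(sec), int(nsec or 0)

def duration_seconds(rec: dict) -> float:
    s0, n0 = _split_ts(rec["start_time"])
    s1, n1 = _split_ts(rec["stop_time"])
    return round((s1 - s0) + (n1 - n0) / 1e9, 3)   # integer math first, no float drift

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; machine-generated labels run high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def analyze(rec: dict) -> dict:
    src = ipaddress.ip_address(rec["src_ip"])
    dst = ipaddress.ip_address(rec["dst_ip"])
    first_label = rec.get("dns", "").split(".")[0]
    findings = []
    # Assumed check 1: an external initiator talking to an internal resolver is not client DNS.
    if rec.get("dst_port") == "53" and dst.is_private and not src.is_private:
        findings.append("external initiator to internal DNS server")
    # Assumed check 2: the record already carries IP-layer sanity counters; surface them.
    if rec.get("ip_bad_csums", "0") != "0" or rec.get("ip_fragments", "0") != "0":
        findings.append("checksum or fragmentation anomalies")
    # Assumed check 3: long, high-entropy leftmost label (threshold 3.0 bits is a guess).
    if len(first_label) >= 10 and label_entropy(first_label) > 3.0:
        findings.append(f"high-entropy DNS label {first_label!r}")
    return {
        "five_tuple": (rec["src_ip"], rec["src_port"], rec["dst_ip"], rec["dst_port"],
                       rec["transport_layer"]),
        "application": f"{rec['application_id']}/{rec['application_id_2']}",
        "duration_s": duration_seconds(rec),
        "bytes_per_packet": int(rec["total_bytes"]) / int(rec["packet_count"]),
        "findings": findings,
    }

if __name__ == "__main__":
    print(analyze(parse_record(RECORD)))
```

Two things are worth keeping from this even if the checks themselves are replaced: compute durations from the seconds and nanoseconds separately before converting to float, and keep the raw string values in the parsed record so that a pivot on, say, dst_port compares the same thing the collector wrote.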

Investigation
- A malicious ZIP file is detected (via threat intel, SIEM, etc.)
- Pivot to Security Analytics (pass the tuples and temporal variables via the REST API)
- Use Security Analytics flow records to link back to the HTTP source (root)
- Hashes compared against reputation service sources: looks like ransomware
- Source of exploit determined: an Energy Australia web page (reconstructed) that requests a captcha for a copy of a bill. Interestingly, entering the wrong captcha values reloads the page; a correct entry starts the exploit.
- Other malware delivered: presented on the wire as a .gif, decoded by the DPI parser as x-dosexec. 17 reputation sources know this as malicious; first seen 2014-05-29.
- VirusTotal reports 4 AV engines flagging the site as malicious.
- Take relevant action: re-image the workstation; add perimeter rules.
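The reconstruction-to-verdict step of the investigation, as an added example: it is not the product's reconstruction engine nor its VirusTotal integration. It rebuilds a body from a raw HTTP response, types it by content rather than by the name or Content-Type it arrived under, hashes it, and matches the hashes against a local indicator set. The HTTP exchange, the six-entry magic-byte table and the indicator set are constructed; the "GIF that is really a PE" mirrors the .gif / x-dosexec case on the slide, but the bytes here are a synthetic DOS/PE header stub, not the malware from that case.

```python
"""Reconstruct an HTTP response body, type it by magic bytes, hash it and
check a local indicator set (added example, constructed data)."""
import hashlib

MAGIC = [  # (prefix, MIME type), tested in order; constructed and minimal
    (b"MZ", "application/x-dosexec"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),
    (b"%PDF-", "application/pdf"),
]
IMAGE_EXTENSIONS = {"gif", "png", "jpg", "jpeg", "bmp"}

def sniff_type(data: bytes) -> str:
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"

def reconstruct_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.x response into status line, headers and the body it declares."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"status": lines[0].decode("latin-1"), "headers": headers, "body": body[:length]}

def hash_artifact(data: bytes) -> dict:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}

def analyze_artifact(raw_response: bytes, url: str, indicators: set) -> dict:
    rsp = reconstruct_response(raw_response)
    declared = rsp["headers"].get("content-type", "").split(";")[0].strip().lower()
    actual = sniff_type(rsp["body"])
    hashes = hash_artifact(rsp["body"])
    filename = url.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    verdicts = []
    if declared and actual != "application/octet-stream" and actual != declared:
        verdicts.append(f"type mismatch: declared {declared}, content is {actual}")
    if ext in IMAGE_EXTENSIONS and actual == "application/x-dosexec":
        verdicts.append(f"executable delivered as .{ext}")
    if indicators & set(hashes.values()):
        verdicts.append("hash matches local indicator set")
    return {"url": url, "declared_type": declared, "actual_type": actual,
            "hashes": hashes, "verdicts": verdicts}

# Constructed samples. FAKE_PE is a bare DOS header whose e_lfanew (offset 60)
# points at a 'PE\0\0' signature at offset 64; it is not a runnable program.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 56 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20
BENIGN_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 13

def http_response(content_type: str, body: bytes) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: " + content_type.encode()
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

MALICIOUS_RESPONSE = http_response("image/gif", FAKE_PE)
BENIGN_RESPONSE = http_response("image/gif", BENIGN_GIF)
# Stand-in for a reputation feed that already knows the PE stub by SHA-256 (constructed).
LOCAL_INDICATORS = {hash_artifact(FAKE_PE)["sha256"]}

if __name__ == "__main__":
    for url, raw in (("http://bill.example.invalid/view.gif", MALICIOUS_RESPONSE),
                     ("http://bill.example.invalid/logo.gif", BENIGN_RESPONSE)):
        print(analyze_artifact(raw, url, LOCAL_INDICATORS))
```

The ordering matters: hash the reconstructed body, never the on-the-wire bytes with headers or chunking still attached, or the digests will not match what a reputation service or sandbox computed for the same file.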

But so far we've talked about analysis

Analytics vs. analysis
Analytics is a multi-dimensional discipline. There is extensive use of mathematics and statistics, and of descriptive techniques and predictive models, to gain valuable knowledge from data (data analysis). The insights from data are used to recommend action or to guide decision making rooted in business context. Thus, analytics is not so much concerned with individual analyses or analysis steps, but with the entire methodology. There is a pronounced tendency to use the term analytics in business settings (e.g., text analytics vs. the more generic text mining) to emphasize this broader perspective. There is increasing use of the term advanced analytics, typically to describe the technical aspects of analytics, especially predictive modeling, machine learning techniques and neural networks.

Short definition: multi-dimensional analysis to uncover relationships not visible discretely, yielding insight.

Multi-dimensional analysis
Session attributes available for pivoting, any to any/many, session-based, temporal:
- Application, Application Group, Email Recipient, Email Sender, Email Subject, SSL Common Name, File Name, Fuzzy Hash, MD5 Hash, MIME Type, SHA1 Hash, VLAN ID, VoIP ID, Country Initiator, Country Responder, DNS Query
- Ethernet Destination, Ethernet Destination Vendor, Ethernet Protocol, Ethernet Source, Ethernet Source Vendor, Interface, IP Bad Checksums, IP Fragments, IP Protocol, IPv4 Conversation, IPv4 Responder, IPv4 Initiator, IPv4 Port Conversation, IPv6 Conversation, IPv6 Initiator, IPv6 Responder, IPv6 Port Conversation
- Packet Length, Port Initiator, Port Responder, Size in Bytes, Size in Packets, TCP Initiator, TCP Responder, Tunnel Initiator, Tunnel Responder, UDP Initiator, UDP Responder, Password, Social Persona, User Name
- File Analysis, Malware Analysis, URL Analysis, URL Categories, Database Query, HTTP Code, HTTP Content Disposition, HTTP Forward Address, HTTP Method, HTTP Server, HTTP URI, Referrer, SSL Cert Number, User Agent, Web Query, Web Server
Thousands of additional attributes are available depending on protocol.

Sample analytics

Example: user_agent over dst_ip (30 days) [chart]

Further sample analytics views (charts only, no captions).
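The "user_agent over dst_ip" view on the sample analytics slide, as an added example rather than the product's query engine. The sessions are constructed HTTP session records carrying a few of the attributes listed above (src_ip, dst_ip, user_agent, http_uri, start_time); addresses are from the TEST-NET ranges and the user-agent strings are shortened. pivot() reproduces the slide's view as a count table over any two attributes; rare_agents() and beacon_candidates() go beyond the slide and are this example's illustration of the two questions an analyst typically pivots to next from that table.

```python
"""Multi-dimensional pivot over session metadata (added example, constructed sessions)."""
from collections import defaultdict

UA_FF = "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0"
UA_CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/35.0 Safari/537.36"
UA_ODD = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # one host, one destination

def _s(src, dst, ua, uri, t):
    return {"src_ip": src, "dst_ip": dst, "user_agent": ua, "http_uri": uri, "start_time": t}

SESSIONS = [  # constructed: three workstations browsing, one of them also checking in somewhere
    _s("10.1.2.10", "198.51.100.7", UA_FF, "/news", 1401766010),
    _s("10.1.2.10", "198.51.100.7", UA_FF, "/news/2", 1401766130),
    _s("10.1.2.10", "198.51.100.7", UA_FF, "/news/3", 1401766190),
    _s("10.1.2.11", "198.51.100.7", UA_FF, "/", 1401766400),
    _s("10.1.2.11", "198.51.100.22", UA_CHROME, "/search?q=x", 1401766415),
    _s("10.1.2.12", "198.51.100.22", UA_CHROME, "/", 1401766901),
    _s("10.1.2.50", "198.51.100.22", UA_CHROME, "/", 1401766950),
    _s("10.1.2.50", "203.0.113.45", UA_ODD, "/gate.php", 1401766000),
    _s("10.1.2.50", "203.0.113.45", UA_ODD, "/gate.php", 1401766300),
    _s("10.1.2.50", "203.0.113.45", UA_ODD, "/gate.php", 1401766600),
    _s("10.1.2.50", "203.0.113.45", UA_ODD, "/gate.php", 1401766900),
]

def pivot(sessions, rows="user_agent", cols="dst_ip"):
    """Count table {row_value: {col_value: sessions}}; any pair of attributes works."""
    table = defaultdict(lambda: defaultdict(int))
    for s in sessions:
        table[s[rows]][s[cols]] += 1
    return {r: dict(c) for r, c in table.items()}

def rare_agents(sessions, max_hosts=1):
    """User agents sent by at most max_hosts distinct sources. A browser string that
    only one workstation ever sends deserves a look; implants often carry a
    hard-coded, outdated one."""
    hosts = defaultdict(set)
    for s in sessions:
        hosts[s["user_agent"]].add(s["src_ip"])
    return sorted(ua for ua, h in hosts.items() if len(h) <= max_hosts)

def beacon_candidates(sessions, min_sessions=3, max_jitter_s=5):
    """(src_ip, dst_ip, user_agent) tuples whose sessions recur at a near-constant
    interval; returns [(key, mean_interval_seconds)]. Thresholds are assumptions."""
    times = defaultdict(list)
    for s in sessions:
        times[(s["src_ip"], s["dst_ip"], s["user_agent"])].append(s["start_time"])
    out = []
    for key, ts in times.items():
        if len(ts) < min_sessions:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            out.append((key, round(sum(gaps) / len(gaps), 1)))
    return sorted(out)

if __name__ == "__main__":
    for ua, per_dst in pivot(SESSIONS).items():
        print(ua[:40], per_dst)
    print("rare agents:", rare_agents(SESSIONS))
    print("beacon candidates:", beacon_candidates(SESSIONS))
```

On real data the pivot is run over the stored session metadata, not packets, which is what makes a 30-day window affordable; the jitter threshold in beacon_candidates() should be widened for implants that randomize their sleep, and the "rare" threshold scaled to the size of the host population.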

Key take-aways

NetFlow and IPFIX
- Understand the who and what of your network
- You likely already have access to this information

Security analytics
- Stateful protocol parsing
- Correlated session metadata
- Artifact reconstruction
- Integrates with existing tools via REST: make your tools better
- Efficient workflow for IR and investigation
- Ties in with cyber threat feeds

Raw packets
- Flow records are much smaller than packets and provide the historic look-back (you can keep them longer)
- Raw packets are always useful and still needed

What Blue Coat is doing today

Security Analytics Platform with ThreatBLADES; Malware Analysis Appliance; ProxySG; Content Analysis System; SSL Visibility Appliance; Global Intelligence Network

Lifecycle (unknown event escalation and retrospective escalation feed back into each stage):
1. Fortify and operationalize: ongoing operations; detect and protect; block all known threats
2. Incident containment: analyze and mitigate; novel threat interpretation
3. Incident resolution: investigate and remediate the breach; threat profiling and eradication

Where can we go from here?

Q&A