Page 1: Network Visibility or Advanced Security? - PosAm

Roman Cupka, Regional Country Manager SEE

[email protected]

TechDays 2017

Page 2: Who We Are

• Founded in 2007 as a University Spinoff
• International Network & Security Monitoring Technology Vendor
• Gartner MQ for NPMD 2017
• Alliance partner of the premium technology vendors

Page 3: What We Do

Network Visibility

• IT Operations: Network Performance Monitoring and Diagnostics (NPMD), Application Performance Monitoring (APM)
• Security: Network Behavioral Analysis (NBA), DDoS Detection & Mitigation (DDoS)

Page 4: Challenge to Network Visibility

Expanding network perimeter
• FW between the enterprise network and internet
• mobile users / cloud – mobility
• by 2018, 25% of data will bypass traditional security defenses and flow directly between mobile devices and the cloud

Increasing use of SSL encrypted traffic
• ¾ of internet traffic
• attackers also use SSL encryption to hide threats and attack traffic
• IT departments now commonly decrypt inbound and outbound SSL traffic to identify risks and threats

Growing volume and complexity in network traffic
• largely comprised of structured and unstructured data (video/voice)
• the volume of network traffic can flood existing security tools with more traffic than they were designed for

Virtualization
• “east-west” traffic: data that travels between virtual resources on the same physical host, or inter-blade traffic on the same server
• a network cable is not sufficient for monitoring virtual traffic

Cloud computing / Cloud Applications
• public / private / hybrid / IaaS / PaaS / SaaS
• migrating workloads from data centers to public clouds
• by 2018, 25% of data will bypass traditional security defenses and flow directly between mobile devices and the cloud
• it becomes more difficult to observe and monitor data flows – new blind spots

Internet of Things (IoT)
• new computing models – mobile edge computing (MEC) and “fog” computing – extend the network perimeter still further
• needs to embrace open standards that enable data access, security monitoring, and performance analytics

Page 5: Flowmon focus – effective „MTTR“

„Mean Time To Response“ / „Mean Time To Resolution“ / „Mean Time To Repair“

FROM HOURS TO MINUTES!! (More than 75% of operational and security issues regarding network functionality are recognized in 1-5 hours)

Page 6: How it works with Flowmon

• Flow data export from already deployed devices
• Flow data export + app layer monitoring / packet analysis (from a SPAN/Mirror port or TAP)
• Flow data collection, visualisation, reporting, analysis
• Flowmon modules for advanced flow data analysis

Page 7: Flow Monitoring Principle

Flow Export – the communication between 192.168.1.1 and 10.10.10.10 seen as flow records:

Start      Duration  Proto  Src IP:Port          Dst IP:Port          Packets  Bytes  …
9:35:24.8  0         TCP    192.168.1.1:10111 -> 10.10.10.10:80       1        40     …
9:35:24.8  0.1       TCP    192.168.1.1:10111 -> 10.10.10.10:80       2        80     …
9:35:25.0  0         TCP    10.10.10.10:80    -> 192.168.1.1:10111    1        40     …
9:35:25.0  0.3       TCP    10.10.10.10:80    -> 192.168.1.1:10111    2        156    …
9:35:25.0  0.5       TCP    10.10.10.10:80    -> 192.168.1.1:10111    3        362    …
9:35:25.0  0.7       TCP    10.10.10.10:80    -> 192.168.1.1:10111    4        862    …
9:35:25.0  0.9       TCP    10.10.10.10:80    -> 192.168.1.1:10111    5        1231   …

Flow Data (format: NetFlow, IPFIX)
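The aggregation the table illustrates, as an added example that is not part of the original deck and not Flowmon's own code: packets sharing one 5-tuple are merged into a single flow record whose packet and byte counters grow with every packet, and the record is exported once the flow has been idle (or open) for longer than a timeout. The packet sizes are constructed so the counters reproduce the table; the 15 s / 300 s timeouts and the late packet at 60 s are assumptions added to show how an idle flow is closed and a new record started.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A unidirectional flow is identified by its 5-tuple.
FlowKey = Tuple[str, str, int, str, int]  # proto, src IP, src port, dst IP, dst port

# Constructed packet observations (seconds after 9:35:24.8, proto, src, sport,
# dst, dport, bytes). Sizes are chosen so the counters reproduce the table;
# the last packet is a constructed late packet that shows the idle timeout.
PACKETS = [
    (0.0, "TCP", "192.168.1.1", 10111, "10.10.10.10", 80, 40),
    (0.1, "TCP", "192.168.1.1", 10111, "10.10.10.10", 80, 40),
    (0.2, "TCP", "10.10.10.10", 80, "192.168.1.1", 10111, 40),
    (0.5, "TCP", "10.10.10.10", 80, "192.168.1.1", 10111, 116),
    (0.7, "TCP", "10.10.10.10", 80, "192.168.1.1", 10111, 206),
    (0.9, "TCP", "10.10.10.10", 80, "192.168.1.1", 10111, 500),
    (1.1, "TCP", "10.10.10.10", 80, "192.168.1.1", 10111, 369),
    (60.0, "TCP", "192.168.1.1", 10111, "10.10.10.10", 80, 40),
]


@dataclass
class FlowRecord:
    key: FlowKey
    start: float
    last: float
    packets: int = 0
    bytes: int = 0

    @property
    def duration(self) -> float:
        return round(self.last - self.start, 3)

    def row(self) -> str:
        """Render the record in the column order used by the table above."""
        proto, src, sport, dst, dport = self.key
        return (f"{self.start:6.1f} {self.duration:4.1f} {proto} "
                f"{src}:{sport} -> {dst}:{dport} {self.packets} {self.bytes}")


def export_flows(packets, inactive_timeout: float = 15.0,
                 active_timeout: float = 300.0) -> List[FlowRecord]:
    """Aggregate time-ordered packets into flow records.

    A record is exported (closed) when its 5-tuple has been idle longer than
    inactive_timeout or open longer than active_timeout; whatever is still in
    the cache is flushed at the end of the input. The timeout values are
    assumed defaults, not Flowmon's."""
    cache: Dict[FlowKey, FlowRecord] = {}
    exported: List[FlowRecord] = []
    for ts, proto, src, sport, dst, dport, size in packets:
        key = (proto, src, sport, dst, dport)
        rec = cache.get(key)
        if rec is not None and (ts - rec.last > inactive_timeout
                                or ts - rec.start > active_timeout):
            exported.append(cache.pop(key))   # expired: export, start a new one
            rec = None
        if rec is None:
            rec = cache[key] = FlowRecord(key, start=ts, last=ts)
        rec.last = ts
        rec.packets += 1
        rec.bytes += size
    exported.extend(cache.values())
    exported.sort(key=lambda r: r.start)
    return exported


if __name__ == "__main__":
    for rec in export_flows(PACKETS):
        print(rec.row())
```

Run stand-alone, the block prints three records: the two-packet request flow (80 bytes, 0.1 s), the five-packet response flow (1231 bytes, 0.9 s), and a fresh one-packet record for the late packet, because 60 s of silence exceeded the inactive timeout. Real exporters also close a flow on TCP FIN/RST; that refinement is left out here.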

Page 8: Flowmon IPFIX Extensions

• Flowmon enriches traditional flow statistics
• For both operational and security use-cases

L2
• MAC
• VLAN
• MPLS
• GRE tunnel
• OVT

L3/L4
• Standard items
• NPM metrics (RTT, SRT, …; TTL, SYN size, …)
• ASN
• Geolocation

L7
• NBAR2
• HTTP
• DNS
• DHCP
• SMB/CIFS
• SQL

Page 9: Use Case I. Network Operation

Page 10: Network utilization

• SLOW INTERNET CONNECTION

“The network is really slow today.” “Loading a website takes ages.” “Remote users cannot work in our IS.”

Page 11: Network utilization

The Internet line is really saturated today, more than usual.

Page 12: Network Performance Monitoring

• NPM METRICS VISUALIZATION

Page 13: Network Performance Monitoring

• NETWORK PERFORMANCE MONITORING METRICS
• Round-Trip Time (RTT) – delay introduced by the network
• Server Response Time (SRT) – delay introduced by the server
• Delay – delay between individual packets of the server response
• Jitter – variance in delay
• TCP Retransmissions – packet damage or loss
• Out-of-order packets – number of packets received in the wrong order

Page 14: Network Performance Monitoring

• WHAT CAN NPM METRICS INDICATE?
• delays in the network infrastructure (e.g. malfunctioning access point)
• delays in the server (e.g. not enough HW resources)
• bad audio and video quality (e.g. VoIP calls or videoconferences)
• problems on the physical layer (e.g. interference, faulty port)
• failures in communication links
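How the metrics listed on pages 13 and 14 can be derived passively from a packet trace, as an added example that is not from the deck and not Flowmon's implementation (the vendor's exact definitions may differ). The definitions assumed here: RTT is the time from the client's SYN to the server's SYN-ACK, SRT the time from the last request segment to the first response segment, delay the mean gap between consecutive response segments, jitter the standard deviation of those gaps, a retransmission a data segment whose sequence number was already seen, and an out-of-order segment one that arrives after a segment with a higher sequence number. The trace is constructed.

```python
import statistics
from typing import Dict, List

# Constructed trace of one HTTP transaction as a probe placed near the client
# would see it: (time in ms, direction, TCP flags, sequence number, payload bytes).
# "C>S" is client to server, "S>C" server to client.
TRACE = [
    (0,   "C>S", "SYN",     1000, 0),
    (30,  "S>C", "SYN-ACK", 5000, 0),
    (31,  "C>S", "ACK",     1001, 0),
    (32,  "C>S", "PSH-ACK", 1001, 120),   # request, first segment
    (33,  "C>S", "PSH-ACK", 1121, 80),    # request, last segment
    (80,  "S>C", "ACK",     5001, 1000),  # first response segment
    (90,  "S>C", "ACK",     6001, 1000),
    (105, "S>C", "ACK",     8001, 1000),  # arrives before the 7001 segment
    (108, "S>C", "ACK",     7001, 1000),  # fills the hole: out-of-order
    (120, "S>C", "ACK",     8001, 1000),  # same bytes again: retransmission
    (130, "S>C", "FIN-ACK", 9001, 0),
]


def npm_metrics(trace) -> Dict[str, float]:
    """Derive RTT, SRT, delay, jitter, retransmission and out-of-order counts
    from a time-ordered packet trace (assumed definitions, see the lead-in)."""
    syn_ts = syn_ack_ts = None
    last_request_ts = first_response_ts = None
    response_ts: List[int] = []
    seen_seq = {"C>S": set(), "S>C": set()}   # sequence numbers already carried
    next_seq = {"C>S": None, "S>C": None}     # highest byte seen + 1, per direction
    retransmissions = out_of_order = 0

    for ts, direction, flags, seq, length in trace:
        if flags == "SYN" and syn_ts is None:
            syn_ts = ts
        elif flags == "SYN-ACK" and syn_ack_ts is None:
            syn_ack_ts = ts
        if length == 0:
            continue                           # pure control segment, no data
        # Classify the data segment against what this direction already sent.
        if seq in seen_seq[direction]:
            retransmissions += 1
        elif next_seq[direction] is not None and seq < next_seq[direction]:
            out_of_order += 1
        seen_seq[direction].add(seq)
        if next_seq[direction] is None or seq + length > next_seq[direction]:
            next_seq[direction] = seq + length
        # Request/response boundaries for SRT and the response gap series.
        if direction == "C>S" and first_response_ts is None:
            last_request_ts = ts
        elif direction == "S>C":
            if first_response_ts is None:
                first_response_ts = ts
            response_ts.append(ts)

    gaps = [b - a for a, b in zip(response_ts, response_ts[1:])]
    return {
        "rtt_ms": syn_ack_ts - syn_ts,
        "srt_ms": first_response_ts - last_request_ts,
        "delay_ms": statistics.mean(gaps) if gaps else 0.0,
        "jitter_ms": statistics.pstdev(gaps) if len(gaps) > 1 else 0.0,
        "retransmissions": retransmissions,
        "out_of_order": out_of_order,
    }


if __name__ == "__main__":
    for name, value in npm_metrics(TRACE).items():
        print(f"{name:16} {value}")
```

For the constructed trace the function reports RTT 30 ms (network), SRT 47 ms (server), a mean response gap of 10 ms with about 4.4 ms jitter, one retransmission and one out-of-order segment. Where the probe sits changes what RTT measures: near the client it spans the whole round trip, near the server only the server-side leg, which is why page 14 can attribute delay to either the infrastructure or the server.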

Page 15: Network Analyses

Where is it coming from?

Page 16: Network Analyses

Windows update? And not from our WSUS server?

Ok, I need to check all these IP addresses

Page 17: User identity awareness

Identity source – syslog export (authentication): time, login, IP address

Flow (time, IP, …)

Page 18: Passive device fingerprinting

• Based on extended HTTP visibility
• UserAgent as a source of device identification

+ MAC address, IP address, VLAN tag, flow source

Page 19: Passive device fingerprinting
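The two enrichments of pages 17 to 19 in one worked example, added here and not taken from the deck or from Flowmon: a flow is joined to the syslog authentication event for the same IP address that is the latest one at or before the flow's start, so a reassigned address resolves to its new user, and the HTTP User-Agent is mapped to an OS family (the regex table is a small assumed one, not a production fingerprint database). Login events, flows, MACs and VLAN tags are all constructed.

```python
import bisect
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed syslog authentication events from an identity source
# (epoch seconds, login, IP address).
AUTH_EVENTS = [
    (1000, "alice", "10.1.1.25"),
    (1500, "bob",   "10.1.1.40"),
    (2400, "carol", "10.1.1.25"),   # alice's address has been reassigned to carol
]

# Constructed HTTP-enriched flow records
# (epoch seconds, src IP, src MAC, VLAN tag, User-Agent header).
FLOWS = [
    (1200, "10.1.1.25", "aa:bb:cc:00:00:01", 10, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"),
    (1400, "10.1.1.40", "aa:bb:cc:00:00:02", 10, "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X)"),
    (2500, "10.1.1.25", "aa:bb:cc:00:00:03", 20, "Mozilla/5.0 (Linux; Android 11; Pixel 4) AppleWebKit/537.36"),
    (2600, "10.1.1.99", "aa:bb:cc:00:00:04", 20, "curl/7.68.0"),
]

# Assumed pattern table. Order matters: iPhone user agents also say
# "like Mac OS X", and Android ones also say "Linux".
UA_PATTERNS = [
    (re.compile(r"Windows NT (\d+\.\d+)"), "Windows NT {0}"),
    (re.compile(r"iPhone OS (\d+)"), "iOS {0}"),
    (re.compile(r"Android (\d+)"), "Android {0}"),
    (re.compile(r"Mac OS X"), "macOS"),
    (re.compile(r"Linux"), "Linux"),
]


def fingerprint(user_agent: str) -> str:
    """Passive OS/device classification from the User-Agent header."""
    for pattern, label in UA_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            return label.format(*m.groups())
    return "unknown"


class IdentityIndex:
    """Answers 'who held this IP at time t': the latest login for that IP
    at or before t wins, so a reassigned address resolves to the new user
    once the new login has been seen, and to nobody before any login."""

    def __init__(self, events):
        self._times: Dict[str, List[int]] = defaultdict(list)
        self._logins: Dict[str, List[str]] = defaultdict(list)
        for ts, login, ip in sorted(events):
            self._times[ip].append(ts)
            self._logins[ip].append(login)

    def user_at(self, ip: str, ts: int) -> Optional[str]:
        times = self._times.get(ip)
        if not times:
            return None
        i = bisect.bisect_right(times, ts)
        return self._logins[ip][i - 1] if i else None


def enrich(flows, index: IdentityIndex) -> List[Dict[str, object]]:
    """Attach user identity and device fingerprint to each flow record."""
    return [
        {"time": ts, "ip": ip, "mac": mac, "vlan": vlan,
         "user": index.user_at(ip, ts), "device": fingerprint(ua)}
        for ts, ip, mac, vlan, ua in flows
    ]


if __name__ == "__main__":
    for row in enrich(FLOWS, IdentityIndex(AUTH_EVENTS)):
        print(row)
```

The third flow is the interesting one: the same address 10.1.1.25 now belongs to carol, and the MAC and VLAN differ from alice's earlier flow, which is exactly the extra context page 18 lists. A flow whose address has no login on record (10.1.1.99) keeps `user=None` rather than being guessed, and a non-browser client such as curl is reported as unknown rather than forced into a category.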

Page 20: Flowmon NPMD use case

Use case: Flow Monitoring of a production network spread over multiple locations

Problem: long responses in the production part of the network

Problem monthly cost: 38 000 €

Flowmon costs: 28 000 € (2x probe, small collector and 1 year maintenance costs)

Flowmon provides detailed network visibility to enable quick troubleshooting, reduce network operations costs and optimize the performance of an entire IT environment

Return on investment is 3 weeks

Page 21: Value Proposition – Network Performance Monitoring & Diagnostics (NetFlow/IPFIX)

• Provides visibility – “eyes” into the network traffic
• Reduces mean time to resolve, builds up efficiency
• Reduces downtimes and network operational costs
• Ensures company productivity
• Flow analyses & packet capturing

Gartner: “80% of operational issues can be analyzed and solved by flow monitoring.”

Recommendation: „Implement NetFlow/IPFIX to allow better measurement of user experience.“

Page 22: Use Case II. IT Operation

Page 23: Communication Deadlock

Me: What’s going on? App is running slow…

Application Admin: Application seems to run OK, it should be a problem in the network…

Network Admin: Network is running well, no other issues reported. Problem has to be in the application.

Page 24: Application Performance Monitoring (User – App Server)

User → App Server: Request Transport Time (network)
App Server: Application Delay (application)
App Server → User: Response Transport Time (network)

Page 25: Application Performance Monitoring (App Server – Database Server)

App Server → Database Server: SQL Query Transport Time (network)
Database Server: Database Delay (database)
Database Server → App Server: SQL Response Transport Time (network)

Page 26: Detailed drill down (HTTP)

• LIST OF TRANSACTIONS INCLUDING URL, USER AGENT, INDIVIDUAL METRICS, STATUS CODE

Page 27: Detailed drill down (SQL)

• LIST OF TRANSACTIONS INCLUDING INDIVIDUAL SQL QUERIES AND PERFORMANCE CHARACTERISTICS

Page 28: Transaction correlation

User – application – database transactions correlation:
• User – application transactions
• Relevant app – database server transactions
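One way to correlate the two transaction lists of pages 26 to 28, added as an illustration that is not from the deck and not Flowmon's correlation method: an application–database transaction is attached to the user–application transaction on the same app server whose time window fully contains it, and the HTTP transaction's total time is then split into database time and the application's own time. Transaction records and their timings are constructed; the decomposition assumes the app issues its queries sequentially.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class HttpTransaction:            # user – application transaction (page 26)
    start_ms: int
    end_ms: int
    client: str
    app_server: str
    url: str
    status: int


@dataclass
class SqlTransaction:             # application – database transaction (page 27)
    start_ms: int
    end_ms: int
    app_server: str
    query: str


@dataclass
class Correlated:
    http: HttpTransaction
    sqls: List[SqlTransaction] = field(default_factory=list)

    @property
    def total_ms(self) -> int:
        return self.http.end_ms - self.http.start_ms

    @property
    def db_ms(self) -> int:
        # Sum of query durations; valid when queries run one after another.
        return sum(s.end_ms - s.start_ms for s in self.sqls)

    @property
    def app_ms(self) -> int:
        # What remains once database time is removed: the application's own work.
        return self.total_ms - self.db_ms


# Constructed transactions as a probe would record them (times in ms).
HTTP_TXNS = [
    HttpTransaction(100, 600, "10.1.1.25", "app1", "/orders/list", 200),
    HttpTransaction(700, 760, "10.1.1.40", "app2", "/health", 200),
]
SQL_TXNS = [
    SqlTransaction(150, 250, "app1", "SELECT * FROM orders WHERE customer_id = ?"),
    SqlTransaction(300, 320, "app1", "SELECT name FROM customers WHERE id = ?"),
    SqlTransaction(710, 900, "app2", "SELECT COUNT(*) FROM sessions"),  # ends after the HTTP response
]


def correlate(http_txns, sql_txns) -> Tuple[List[Correlated], List[SqlTransaction]]:
    """Attach each application–database transaction to the user–application
    transaction on the same app server whose time window contains it; queries
    that fit no window are returned separately instead of being forced in."""
    results = [Correlated(h) for h in sorted(http_txns, key=lambda h: h.start_ms)]
    unmatched: List[SqlTransaction] = []
    for s in sorted(sql_txns, key=lambda s: s.start_ms):
        owner = next((c for c in results
                      if c.http.app_server == s.app_server
                      and c.http.start_ms <= s.start_ms
                      and s.end_ms <= c.http.end_ms), None)
        if owner is None:
            unmatched.append(s)
        else:
            owner.sqls.append(s)
    return results, unmatched


if __name__ == "__main__":
    correlated, leftover = correlate(HTTP_TXNS, SQL_TXNS)
    for c in correlated:
        print(c.http.url, "total", c.total_ms, "db", c.db_ms, "app", c.app_ms,
              "queries", [s.query for s in c.sqls])
    print("unmatched:", [s.query for s in leftover])
```

For `/orders/list` the 500 ms seen by the user splits into 120 ms of database time and 380 ms inside the application, which is the answer to the page 23 deadlock. Time containment alone becomes ambiguous when one app server handles several user requests concurrently; a production tool needs an additional key (connection, session or thread) to disambiguate, which this example does not model.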

Page 29: Error Codes

All Error Codes Transactions

Page 30: Flowmon APM use case

Use case: Poor response time of internal information system

• Company with 500 employees, each spending on average 30 minutes daily in non-productive waiting for a response from the information system
• We calculated expenses of 10 € per hour per employee, so our daily loss is 2 500 €

By deploying Flowmon APM we reduce non-productive time to 10 minutes, which means we save 1650 € every day

Return on investment is 2-4 weeks

Flowmon APM is a clever, agent-less application monitoring solution identifying and solving availability issues, slow response times, bottlenecks or configuration errors of critical applications.

Page 31: Value Proposition – User Experience

• Non-intrusive Real Time Application Performance Monitoring
• Agentless measurement of user experience
• Solves poor performance of „external“ applications (e-shop, e-banking, e-portals...)
• Solves poor performance of „internal“ applications (information systems, CRM…)
• Correlation of User–APP–DB transactions

Network-based APM is a cost-effective alternative for customers requiring an easy-to-deploy solution to distinguish between network, application and database delay when monitoring user experience.

Page 32: Use Case III. Security

Page 33: More sophisticated attacker techniques

Botnet: „A network of infected endpoints (known as bots) working together and controlled by an attacker through command-and-control (C2) servers“

Distributed denial-of-service (DDoS): „A coordinated attack, often from hundreds of thousands or millions of compromised endpoints, used to flood a target system or network“

Exploit: „Software or code that takes advantage of a vulnerability in an operating system or application and causes unintended behavior in the operating system or application, such as privilege escalation, remote control, or a denial-of-service“

Phishing: „social engineering technique in which an email that appears to be from a legitimate business, typically a financial institution or retail store, attempts to trick the recipient into clicking an embedded link in the email or opening an attachment containing malware or an exploit“

Hijacked IP address ranges: „IP addresses that are stolen from their legitimate owners, typically by corrupting the routing tables of Internet backbone routers“

Advanced persistent threat (APT)

Malware: „Malicious software or code that typically damages or disables, takes control of, or steals information from a computer system. Malware broadly includes adware, anti-AV software, backdoors, bootkits, logic bombs, RATs, rootkits, spyware, Trojan horses, viruses, and worms“

Page 34: DMZ / VPN / LAN – network security layer

• Firewall
• IDS/IPS
• UTM
• Application firewall
• Web filter
• E-mail security
• SSH Access

Page 35: DMZ / VPN / LAN – endpoint security layer

• Antivirus
• Personal Firewall
• Antimalware
• Endpoint DLP
• Antirootkit

Page 36: DMZ / VPN / LAN

Page 37: Flowmon Detection Principles – Network Behavioral Analysis

• Machine Learning
• Adaptive Baselining
• Heuristic Approach
• Behavior Patterns
• Reputation Databases

Page 38: Advanced malware

78 port scans? DNS anomalies?

Page 39: Advanced malware

Let’s see the scans first. Ok, users cannot access the web. Are the DNS anomalies related?

Page 40: Advanced malware

Ok, which DNS is being used? 192.168.0.53? This is a notebook! How did this happen?

Page 41: Advanced malware

Let’s look for the details… Laptop 192.168.0.53 is acting as a DHCP server in the network

Page 42: Advanced malware

• Malware infected device
• Trying to redirect and bridge traffic
• Attack modification
• Sensitive data upload

Page 43: Flowmon ADS use case

Use case: Network intrusion

• Risk: identity theft, user credentials theft
• Risk cost (SMB): 45k € per leak
• Flowmon CAPEX: 19k €

Sometimes we experience a situation when an employee brings his or her own device and tries to connect it into the network. The biggest issues are caused by devices with a DHCP server service. It took us quite a while to locate such a device before. Today, we identify a fake DHCP server in our network immediately thanks to Flowmon ADS.

Break-even: single leak

Flowmon ADS utilizes sophisticated algorithms and machine learning to automatically identify network anomalies and risks that bypass traditional solutions such as firewall, IDS/IPS or antivirus.

Page 44: Flowmon Detection Capabilities

• Attacks: port scanning, dictionary attacks, DoS, DDoS, Telnet, VoIP/PBX…
• Traffic anomalies: DNS, DHCP, ICMP, multicast…
• Unwanted applications: P2P networks, instant messaging, anonymization services (TOR)…
• Anomalies in device behaviour: change of the long-term behaviour profile of a device…
• Operational problems: delays, excessive load, unresponsive services, broken updates…
• Internal security issues: viruses, malware, ransomware, botnets, outgoing SPAM, potential data leakage…
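Three of the flow-based detections behind the story on pages 38 to 43 and the capability list on page 44, written out as an added example (not the deck's content and not Flowmon ADS's algorithms): a host answering from UDP/67 that is not on the DHCP allow-list, clients resolving names through a host that is not on the DNS allow-list, and one source touching many distinct ports on one host. The allow-lists, the threshold and the flow records are constructed; the rogue address 192.168.0.53 is the one the deck uses.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed allow-lists describing the organisation's legitimate infrastructure.
AUTHORIZED_DHCP_SERVERS = {"192.168.0.1"}
AUTHORIZED_DNS_SERVERS = {"192.168.0.10"}
PORT_SCAN_THRESHOLD = 20   # distinct destination ports on one host from one source

# Constructed flow records: (start, proto, src, sport, dst, dport, packets, bytes).
FLOWS = [
    # DHCP offers/acks sent by a laptop instead of the real DHCP server
    (100, "UDP", "192.168.0.53", 67, "255.255.255.255", 68, 1, 342),
    (101, "UDP", "192.168.0.53", 67, "192.168.0.20", 68, 1, 342),
    (103, "UDP", "192.168.0.1", 67, "192.168.0.21", 68, 1, 342),    # legitimate server
    # clients that accepted the rogue lease now resolve names through the laptop
    (120, "UDP", "192.168.0.20", 51000, "192.168.0.53", 53, 4, 320),
    (121, "UDP", "192.168.0.21", 51001, "192.168.0.53", 53, 2, 160),
    (122, "UDP", "192.168.0.22", 51002, "192.168.0.10", 53, 3, 240),  # normal resolver
] + [
    # one source touching 25 TCP ports of one host: the "port scan" pattern
    (200 + p, "TCP", "192.168.0.77", 40000 + p, "192.168.0.5", p, 1, 60)
    for p in range(1, 26)
]


@dataclass
class Alert:
    kind: str
    subject: str
    detail: str


def detect(flows) -> List[Alert]:
    """Run the three rules over a batch of flow records and return alerts."""
    rogue_dhcp: Dict[str, int] = defaultdict(int)
    dns_clients: Dict[str, Set[str]] = defaultdict(set)
    ports_touched: Dict[Tuple[str, str], Set[int]] = defaultdict(set)

    for _, proto, src, sport, dst, dport, _, _ in flows:
        # Only a DHCP server sends from UDP/67; anyone else doing so is rogue.
        if proto == "UDP" and sport == 67 and src not in AUTHORIZED_DHCP_SERVERS:
            rogue_dhcp[src] += 1
        # Name resolution should go to the approved resolvers only.
        if dport == 53 and dst not in AUTHORIZED_DNS_SERVERS:
            dns_clients[dst].add(src)
        # Fan-out of destination ports per (source, destination) pair.
        if proto == "TCP":
            ports_touched[(src, dst)].add(dport)

    alerts: List[Alert] = []
    for src, n in rogue_dhcp.items():
        alerts.append(Alert("rogue_dhcp_server", src,
                            f"{n} flows from UDP/67 by a host not in the DHCP allow-list"))
    for dst, clients in dns_clients.items():
        alerts.append(Alert("unapproved_dns_server", dst,
                            f"{len(clients)} clients resolving via a host not in the DNS allow-list"))
    for (src, dst), ports in ports_touched.items():
        if len(ports) >= PORT_SCAN_THRESHOLD:
            alerts.append(Alert("port_scan", src, f"{len(ports)} distinct TCP ports on {dst}"))
    return alerts


if __name__ == "__main__":
    for a in detect(FLOWS):
        print(f"{a.kind:22} {a.subject:14} {a.detail}")
```

On the constructed batch the two DNS-related alerts point at the same host, 192.168.0.53, which is how the analyst on pages 40 and 41 gets from "users cannot access the web" to "a laptop is acting as DHCP server": the rogue lease handed out a resolver address, and the DNS anomaly is the consequence. The rules need flow data that carries both ports and the UDP protocol, which standard NetFlow/IPFIX provides; the allow-lists are the operational part a team has to maintain.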

Page 45: Monitoring & Anomaly Detection – SCADA / ICS

[Diagram: SCADA network with OPC Server, Application / File Server, Router, Engineering Station, HMI Stations, Database Server, RTU/PLC, Enterprise / Outside world, Wired or Wireless Link, Current Sensor, Relay, Voltage Sensor, Pressure Sensor, Level Sensor, Pump, OT Firewall. Threats drawn in: Attacker, Botnet Infection, Ransomware?, Data Upload. Flowmon elements: FM Probe, NetFlow Data Collection, Learning Baselines, FlowMon Collector, Diagnostics of NetFlow data, alert or notification sent to the Admin.]

Segmentation (DMZ, WiFi, PCN...)

Security Gap: Patching, Media (USB etc.), Interconnection & no NAC... Missing deep network visibility!! Missing in security design!!

Advantage: Stable flows in SCADA Network!

Admin: ALERT! Malware infection! Fileshare anomaly! Data upload!
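The "stable flows" advantage on page 45 turned into the adaptive baselining that page 37 lists, as an added example that is not from the deck and not Flowmon's detection engine: during a learning period the monitor records which (source, destination, protocol, port) pairs exist and how many bytes each moves per interval; afterwards a pair never seen raises an alert regardless of size, a known pair raises one when its volume exceeds mean + 3σ of its history, and records that pass are folded back into the baseline so it keeps adapting. Addresses, byte counts, the 3σ rule and the minimum sample count are constructed assumptions; 203.0.113.10 is a documentation address standing in for an Internet host.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PairKey = Tuple[str, str, str, int]   # src IP, dst IP, proto, dst port

# Constructed per-interval flow summaries: (interval, src, dst, proto, dport, bytes).
# Baseline period: HMI 10.10.0.5 polls PLC 10.10.0.101 over Modbus/TCP (502),
# and engineering station 10.10.0.7 does the same with less traffic.
BASELINE = [
    (i, "10.10.0.5", "10.10.0.101", "TCP", 502, b)
    for i, b in enumerate([1200, 1180, 1220, 1210, 1190, 1205, 1195, 1215, 1185, 1200])
] + [
    (i, "10.10.0.7", "10.10.0.101", "TCP", 502, b)
    for i, b in enumerate([300, 310, 290, 305, 295])
]

EVALUATION = [
    (10, "10.10.0.5", "10.10.0.101", "TCP", 502, 1225),       # normal polling
    (10, "10.10.0.7", "10.10.0.101", "TCP", 502, 310),        # normal
    (11, "10.10.0.5", "10.10.0.101", "TCP", 502, 50000),      # volume far above history
    (11, "10.10.0.101", "203.0.113.10", "TCP", 443, 820000),  # PLC talking to the Internet: never seen
]


@dataclass
class Alert:
    interval: int
    kind: str
    pair: PairKey
    detail: str


class FlowBaseline:
    """Presence-and-volume baseline over communication pairs."""

    def __init__(self, sigma: float = 3.0, min_samples: int = 3):
        self.sigma = sigma
        self.min_samples = min_samples
        self.samples: Dict[PairKey, List[int]] = defaultdict(list)

    def learn(self, records) -> None:
        for _, src, dst, proto, dport, nbytes in records:
            self.samples[(src, dst, proto, dport)].append(nbytes)

    def threshold(self, pair: PairKey) -> Optional[float]:
        """Upper volume limit for a known pair, or None while history is too short."""
        vals = self.samples.get(pair, [])
        if len(vals) < self.min_samples:
            return None
        return statistics.mean(vals) + self.sigma * statistics.pstdev(vals)

    def evaluate(self, records) -> List[Alert]:
        alerts: List[Alert] = []
        for interval, src, dst, proto, dport, nbytes in records:
            pair = (src, dst, proto, dport)
            if pair not in self.samples:
                alerts.append(Alert(interval, "new_communication", pair,
                                    f"{nbytes} bytes on a pair never seen in the baseline"))
                continue
            limit = self.threshold(pair)
            if limit is not None and nbytes > limit:
                alerts.append(Alert(interval, "volume_anomaly", pair,
                                    f"{nbytes} bytes exceeds baseline limit {limit:.0f}"))
                continue
            self.samples[pair].append(nbytes)   # normal: adapt the baseline
        return alerts


if __name__ == "__main__":
    baseline = FlowBaseline()
    baseline.learn(BASELINE)
    for a in baseline.evaluate(EVALUATION):
        print(a.interval, a.kind, a.pair, a.detail)
```

Both alerts correspond to callouts in the diagram: the volume anomaly is the "fileshare anomaly / data upload" pattern, and the new pair from the PLC to an outside address is the kind of traffic an OT network should never produce. Whether flagged records are excluded from the baseline, as here, is a policy choice: excluding them keeps an attacker from slowly teaching the baseline to accept exfiltration, at the cost of re-alerting until an operator confirms the change is legitimate.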

Page 46: Value Proposition – Next Generation Network Security: Behavior Analysis & Anomaly Detection

• Detects and alerts on abnormal behaviors
• Reports anomalies and advanced persistent threats
• Detects intrusions and attacks not visible to standard signature-based tools
• Covers gaps left by standard perimeter and endpoint security tools
• Covers both IT (Enterprise/ISP) and OT (SCADA/ICS) environments

Gartner: “Blocking and prevention is not sufficient. After you deployed firewall and IPS, you should implement network behavior analysis to identify problems that are undetectable using other techniques.”

Page 47: Security Tools

Inline Tools
• Intrusion prevention systems (IPS)
• Firewalls and next-generation firewalls (NGFWs)
• Data loss prevention (DLP) systems
• Unified threat management (UTM) systems
• SSL decryption appliances
• Web application firewalls (WAF)

Out-of-Band Tools
• Intrusion detection systems (IDS)
• Behavior analysis systems
• Forensic tools
• Data recording
• Packet capture (PCAP) tools
• Malware analysis tools
• Log management systems

Flowmon

Page 48: Flowmon Probe

• High-performance standalone probe – source of IPFIX
• L2/L3 invisible – transparent for the monitored network
• L2, L3, L4 and L7 application deep network layer visibility
• Deep Packet Inspection, Data Traffic Recording
• Rack-mountable hardware and virtual appliances
• SPAN / MIRROR port or TAP connection
• 10/100/1G-100G network traffic monitoring

Page 49: Flowmon Collector

• Long-term statistics storage from multiple flow data sources
• Application for collection and analysis of NetFlow/IPFIX/sFlow/jFlow… statistics – Flowmon Monitoring Center

Delivered as software equipment of the Collector

Visualization and analysis of network traffic, reporting, alerting

Page 50: Enterprise Deployment

[Diagram: DATACENTER with DC switches, CORE switches, FM Collector and FM Probes running APM and NPMD; Branch Offices with FM Probes running NPMD and ADS, plus FTR; Internet uplink.]

Page 51: Technology Landscape

Page 52: Main drivers for Network Visibility

Troubleshooting network performance: „When applications run slowly or stop working, you need real-time network diagnosis to pinpoint the root cause“

Protecting and securing the network: „If you aren’t proactively and continuously monitoring network traffic using total visibility, you’re leaving your organization vulnerable to cybersecurity threats.“

Proactive monitoring for SLAs: „The growing use of cloud environments means you have an increasing number of sites and platforms to monitor, each with its own Service Level Agreements in place.“

Optimizing performance of complex network infrastructure: „Monitoring tools you use will help you achieve excellent performance, but only if you are seeing all the data in a timely manner.“

Monitoring application performance and reliability: „Network-centric applications must be continuously and precisely monitored for reliability and performance.“

Page 53: Thank you

Flowmon Networks a.s., U Vodárny 2965/26, 616 00 Brno, Czech Republic, www.flowmon.com

THANK YOU FOR YOUR ATTENTION!