Roman Cupka, Regional Country Manager SEE
Network Visibility or Advanced Security?
TechDays 2017
• Founded in 2007 as a University Spinoff
• International Network & Security Monitoring Technology Vendor
• Gartner MQ for NPMD 2017
• Alliance partner of the premium technology vendors
Who We Are
What We Do
Network Visibility
IT Operations
Network Performance Monitoring and Diagnostics
Application Performance Monitoring
Security
Network Behavioral Analysis
DDoS Detection & Mitigation
NPMD APM NBA DDoS
Challenge to Network Visibility
Expanding network perimeter
• FW between the enterprise network and internet
• mobile users / cloud – mobility
• by 2018, 25% of data will bypass traditional security defenses and flow directly between mobile devices and the cloud
Increasing use of SSL encrypted traffic
• ¾ of internet traffic
• attackers also use SSL encryption to hide threats and attack traffic
• IT departments now commonly decrypt inbound and outbound SSL traffic to identify risks and threats
Growing volume and complexity in network traffic
• largely comprised of structured and unstructured data (video/voice)
• volume of network traffic can flood existing security tools with more traffic than they were designed for
Virtualization
• “east-west” traffic: data that travels between virtual resources on the same physical host or inter-blade traffic on the same server
• a network cable is not sufficient for monitoring virtual traffic
Cloud computing / Cloud Applications
• public / private / hybrid / IaaS / PaaS / SaaS
• migrating workloads from data centers to public clouds
• by 2018, 25% of data will bypass traditional security defenses and flow directly between mobile devices and the cloud
• it becomes more difficult to observe and monitor data flows – new blind spots
Internet of Things (IoT)
• new computing models – mobile edge computing (MEC) and “fog” computing – extend the network perimeter still further
• needs to embrace open standards that enable data access, security monitoring, and performance analytics
Flowmon focus – Effective „MTTR“
„Mean Time To Response“ / „Mean Time To Resolution“ / „Mean Time To Repair“
FROM HOURS TO MINUTES!! (More than 75% of operational and security issues regarding network functionality are recognized in 1-5 hours)
How it works with Flowmon
Flow data collection,
visualisation reporting, analysis
Flow data export + app layer monitoring
/ packet analysis
Flow data export from already deployed devices
Flowmon modules for advanced flow data analysis
SPAN/Mirror port or TAP
Flow Monitoring Principle
Flow Export (flow cache contents as the packets arrive; client 192.168.1.1, server 10.10.10.10)
Start     Duration  Proto  Src IP:Port          Dst IP:Port          Packets  Bytes …
9:35:24.8 0         TCP    192.168.1.1:10111 -> 10.10.10.10:80       1        40   …
9:35:24.8 0.1       TCP    192.168.1.1:10111 -> 10.10.10.10:80       2        80   …
9:35:25.0 0         TCP    10.10.10.10:80    -> 192.168.1.1:10111    1        40   …
9:35:25.0 0.3       TCP    10.10.10.10:80    -> 192.168.1.1:10111    2        156  …
9:35:25.0 0.5       TCP    10.10.10.10:80    -> 192.168.1.1:10111    3        362  …
9:35:25.0 0.7       TCP    10.10.10.10:80    -> 192.168.1.1:10111    4        862  …
9:35:25.0 0.9       TCP    10.10.10.10:80    -> 192.168.1.1:10111    5        1231 …
Flow Data (format: NetFlow, IPFIX)
• Flowmon enriches traditional flow statistics
• For both operational and security use-cases
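The flow monitoring principle above, as an added example that is not part of the slides or of Flowmon's software: a small flow cache of the kind a probe or router keeps before export. Every packet updates the record for its 5-tuple (proto, src IP, src port, dst IP, dst port), and records are exported when a flow goes idle or lives too long. The packet timeline is constructed so that the cache reproduces the table on the slide row by row; the timeouts and class names are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed packet timeline (not a real capture) chosen so that the flow
# cache ends up with exactly the two records shown on the slide.
# Fields: (timestamp in seconds, proto, src ip, src port, dst ip, dst port, bytes)
PACKETS = [
    (34524.8, "TCP", "192.168.1.1", 10111, "10.10.10.10", 80, 40),
    (34524.9, "TCP", "192.168.1.1", 10111, "10.10.10.10", 80, 40),
    (34525.0, "TCP", "10.10.10.10", 80, "192.168.1.1", 10111, 40),
    (34525.3, "TCP", "10.10.10.10", 80, "192.168.1.1", 10111, 116),
    (34525.5, "TCP", "10.10.10.10", 80, "192.168.1.1", 10111, 206),
    (34525.7, "TCP", "10.10.10.10", 80, "192.168.1.1", 10111, 500),
    (34525.9, "TCP", "10.10.10.10", 80, "192.168.1.1", 10111, 369),
]


@dataclass
class FlowRecord:
    """One unidirectional flow: the 5-tuple key plus the counters a NetFlow/IPFIX record carries."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    start: float
    last: float
    packets: int = 0
    bytes: int = 0

    @property
    def duration(self) -> float:
        return round(self.last - self.start, 3)


class FlowCache:
    """Hypothetical flow cache of the kind a probe keeps before exporting records."""

    def __init__(self, inactive_timeout=15.0, active_timeout=300.0):
        self.inactive_timeout = inactive_timeout  # idle flows are exported after this
        self.active_timeout = active_timeout      # long-lived flows are cut and exported periodically
        self.cache = {}
        self.exported = []

    def add_packet(self, ts, proto, src, sport, dst, dport, size):
        """Update (or create) the record for the packet's 5-tuple; returns the record."""
        key = (proto, src, sport, dst, dport)
        rec = self.cache.get(key)
        if rec is not None and ts - rec.start >= self.active_timeout:
            self.exported.append(self.cache.pop(key))  # active timeout: export, then start afresh
            rec = None
        if rec is None:
            rec = FlowRecord(proto, src, sport, dst, dport, start=ts, last=ts)
            self.cache[key] = rec
        rec.last = ts
        rec.packets += 1
        rec.bytes += size
        return rec

    def expire(self, now):
        """Export every flow that has been idle longer than the inactive timeout."""
        for key in list(self.cache):
            if now - self.cache[key].last >= self.inactive_timeout:
                self.exported.append(self.cache.pop(key))
        return self.exported


def trace(packets=PACKETS):
    """Flow cache state after each packet, i.e. the rows of the table on the slide."""
    cache = FlowCache()
    rows = []
    for pkt in packets:
        r = cache.add_packet(*pkt)
        rows.append((r.src, r.dst, r.packets, r.bytes, r.duration))
    return rows


def build_flows(packets=PACKETS):
    """Feed the packets through the cache and return the exported records keyed by (src, dst)."""
    cache = FlowCache()
    for pkt in packets:
        cache.add_packet(*pkt)
    cache.expire(packets[-1][0] + 60)  # nothing more arrives, so everything is idle
    return {(r.src, r.dst): (r.packets, r.bytes, r.duration) for r in cache.exported}


if __name__ == "__main__":
    for src, dst, pkts, nbytes, dur in trace():
        print(f"{src} -> {dst}: {pkts} packets, {nbytes} bytes, {dur}s")
```

The two timeouts are what make flow data compact: a probe exports one record per flow per interval, not one per packet, which is why the collector can keep long-term statistics from many sources at once.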
Flowmon IPFIX Extensions
L2
• MAC
• VLAN
• MPLS
• GRE tunnel
• OVT
L3/L4
• Standard items
• NPM metrics
• RTT, SRT, …
• TTL, SYN size, …
• ASN
• Geolocation
L7
• NBAR2
• HTTP
• DNS
• DHCP
• SMB/CIFS
• SQL
Use Case I. Network Operation
• SLOW INTERNET CONNECTION
Network utilization
The network is really slow today. Loading a website takes ages. Remote users cannot work in our IS.
Network utilization
Internet line is really saturated today, more than usual.
Network Performance Monitoring
• NPM METRICS VISUALIZATION
Network Performance Monitoring
• NETWORK PERFORMANCE MONITORING METRICS
• Round-Trip Time (RTT) – delay introduced by the network
• Server Response Time (SRT) – delay introduced by the server
• Delay – delay between individual packets of server response
• Jitter – variance in delay
• TCP Retransmissions – packet damage or loss
• Out-of-order packets – number of packets received in the wrong order
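How a probe derives the NPM metrics listed above from passively observed packets, as an added example that is not from the slides or from Flowmon: RTT is measured on the TCP handshake (SYN to SYN-ACK), SRT from the first request byte to the first response byte, delay and jitter from the spacing of the server's response packets, and retransmissions and out-of-order packets from sequence-number tracking. The session timeline is constructed, the jitter definition (mean absolute change of consecutive delays, the RFC 3550 flavour) is an assumption since the slide only says "variance in delay".

```python
import statistics

# Constructed TCP session as a probe on a SPAN port would see it; times in seconds,
# direction c2s = client->server, s2c = server->client. Not a real capture.
# Fields: (time, direction, flags, seq, payload_len)
SESSION = [
    (0.000, "c2s", "SYN", 0, 0),
    (0.020, "s2c", "SYN-ACK", 0, 0),       # handshake answer: RTT = 20 ms
    (0.021, "c2s", "ACK", 1, 0),
    (0.021, "c2s", "PSH-ACK", 1, 80),      # HTTP request
    (0.071, "s2c", "PSH-ACK", 1, 100),     # first response byte: SRT = 50 ms
    (0.081, "s2c", "ACK", 101, 100),
    (0.101, "s2c", "ACK", 301, 100),       # arrives before seq 201: out of order
    (0.106, "s2c", "ACK", 201, 100),       # fills the hole
    (0.120, "s2c", "ACK", 301, 100),       # seq 301 seen again: retransmission
]


def ms(seconds):
    return round(seconds * 1000, 3)


def npm_metrics(session):
    """Derive the NPM metrics of the slide from one observed TCP session."""
    syn_t = synack_t = req_t = first_resp_t = None
    resp_times = []          # arrival times of server data packets
    seen_seq = set()         # server sequence numbers already observed
    expected = None          # next server sequence number we expect
    retrans = out_of_order = 0
    for t, direction, flags, seq, plen in session:
        if direction == "c2s":
            if flags == "SYN":
                syn_t = t
            elif plen > 0 and req_t is None:
                req_t = t
            continue
        if flags == "SYN-ACK":
            synack_t = t
        elif plen > 0:
            if first_resp_t is None:
                first_resp_t = t
            resp_times.append(t)
            if seq in seen_seq:
                retrans += 1                       # same data sent twice: damage or loss
            elif expected is not None and seq > expected:
                out_of_order += 1                  # a later segment overtook an earlier one
            seen_seq.add(seq)
            expected = max(expected or 0, seq + plen)
    delays = [ms(b - a) for a, b in zip(resp_times, resp_times[1:])]
    changes = [abs(b - a) for a, b in zip(delays, delays[1:])]
    return {
        "rtt_ms": ms(synack_t - syn_t),             # delay introduced by the network
        "srt_ms": ms(first_resp_t - req_t),         # delay introduced by the server
        "delay_ms": statistics.mean(delays) if delays else 0.0,
        "jitter_ms": round(statistics.mean(changes), 3) if changes else 0.0,
        "retransmissions": retrans,
        "out_of_order": out_of_order,
    }


if __name__ == "__main__":
    for name, value in npm_metrics(SESSION).items():
        print(f"{name:16} {value}")
```

Because the probe sits in the middle of the path, the handshake-based RTT it sees covers the segment between the probe and the server; a probe close to the clients therefore attributes most of the handshake delay to the network, which is what makes RTT usable as the "network" component next to SRT as the "server" component.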
Network Performance Monitoring
• WHAT CAN NPM METRICS INDICATE?
• delays in the network infrastructure (e.g. malfunctioning access point)
• delays in the server (e.g. not enough HW resources)
• bad audio and video quality (e.g. VoIP calls or videoconferences)
• problems on the physical layer (e.g. interference, faulty port)
• failures in communication links
Network Analyses
Where is it coming from?
Network Analyses
Windows update? And not from our WSUS server?
Ok, I need to check all these IP addresses
Identity source – syslog export
User identity awareness
Authentication: time, login, IP address
Flow: time, IP, …
• Based on extended HTTP visibility
• User-Agent as a source of device identification
• + MAC address, IP address, VLAN tag, flow source
Passive device fingerprinting
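The identity and fingerprinting idea of the last two slides, as an added example that is not part of the presentation or of Flowmon: authentication events from a syslog export are joined to flow records by IP address and time (the most recent logon from that address before the flow started), the HTTP User-Agent is mapped to a device family, and the "Windows update not coming from our WSUS server" question from the analysis slide is turned into a flag. The syslog line format, the User-Agent patterns, the WSUS address and all flows are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog authentication events (the "identity source" of the slide);
# the line format is hypothetical, not a specific product's export.
AUTH_SYSLOG = """\
2017-05-10T08:01:12 dc01 logon user=alice ip=192.168.10.21
2017-05-10T08:03:40 dc01 logon user=bob ip=192.168.10.22
2017-05-10T09:15:05 dc01 logon user=carol ip=192.168.10.21
"""

# Constructed flows with the extended HTTP field (User-Agent) a probe exports.
FLOWS = [
    # (start, src ip, src mac, vlan, dst ip, dst port, http user agent)
    ("2017-05-10T08:30:00", "192.168.10.21", "00:11:22:aa:bb:01", 10, "203.0.113.10", 80, "Windows-Update-Agent/10.0"),
    ("2017-05-10T08:31:00", "192.168.10.22", "00:11:22:aa:bb:02", 10, "192.168.10.5", 8530, "Windows-Update-Agent/10.0"),
    ("2017-05-10T09:30:00", "192.168.10.21", "00:11:22:aa:bb:01", 10, "198.51.100.7", 443, "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X)"),
    ("2017-05-10T09:40:00", "192.168.10.99", "00:11:22:aa:bb:99", 20, "198.51.100.7", 443, "Mozilla/5.0 (X11; Linux x86_64)"),
]

WSUS_SERVER = "192.168.10.5"        # hypothetical internal update server
LOGON_VALIDITY = timedelta(hours=10)  # how long a logon is trusted to name the user of an IP

# Minimal User-Agent fingerprint table (illustrative patterns only).
UA_PATTERNS = [
    (re.compile(r"Windows-Update-Agent"), "Windows (update client)"),
    (re.compile(r"Windows NT"), "Windows"),
    (re.compile(r"iPhone|iPad"), "iOS"),
    (re.compile(r"Android"), "Android"),
    (re.compile(r"Linux"), "Linux"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ logon user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_auth_log(text):
    """Syslog text -> sorted list of (timestamp, user, ip)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return sorted(events)


def user_for(ip, at, events):
    """Most recent logon from this IP at or before the flow start, within the validity window."""
    best = None
    for ts, user, ev_ip in events:   # events are sorted, so the last match wins
        if ev_ip == ip and ts <= at and at - ts <= LOGON_VALIDITY:
            best = user
    return best


def fingerprint(user_agent):
    for pattern, label in UA_PATTERNS:
        if pattern.search(user_agent):
            return label
    return "unknown"


def enrich(flows=FLOWS, syslog=AUTH_SYSLOG):
    """Attach user identity, device family and the WSUS-bypass flag to every flow."""
    events = parse_auth_log(syslog)
    rows = []
    for start, src, mac, vlan, dst, dport, ua in flows:
        at = datetime.fromisoformat(start)
        rows.append({
            "start": start, "src": src, "mac": mac, "vlan": vlan, "dst": dst, "dport": dport,
            "user": user_for(src, at, events),
            "device": fingerprint(ua),
            # the slide's question: Windows Update traffic that does not go to the WSUS server
            "update_bypasses_wsus": "Windows-Update-Agent" in ua and dst != WSUS_SERVER,
        })
    return rows


if __name__ == "__main__":
    for row in enrich():
        print(row)
```

The join is deliberately time-bounded: an IP address is reused (DHCP, shared workstations), so attributing a flow to whoever logged on last week would be wrong, and the MAC address and VLAN tag from the flow record are what let an analyst tell a re-addressed device from a new one.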
Flowmon NPMD use case
Use case: Flow monitoring of a production network spread over multiple locations
Problem: long responses in the production part of the network
Problem monthly cost: 38 000 €
Flowmon costs: 28 000 € (2x probe, small collector and 1 year maintenance costs)
Flowmon provides detailed network visibility to enable quick troubleshooting, reduce network operations costs and optimize the performance of an entire IT environment
Return on investment is 3 weeks
Network Performance Monitoring & Diagnostic (NetFlow/IPFIX)
Provides visibility – “eyes” into the network traffic
Reduces mean-time to resolve, builds up efficiency
Reduces downtimes and network operational costs
Ensures company productivity
Flow analyses & Packet capturing
Value Proposition
Gartner: “80% of operational issues can be analyzed and solved by flow monitoring.”
Recommendation: „Implement NetFlow/IPFIX to allow better measurement of user
experience.“
Use Case II. IT Operation
Me: What’s going on? App is running slow…
Application Admin: Application seems to run OK, it should be a problem in the network…
Network Admin: Network is running well, no other issues reported. Problem has to be in the application.
Communication Deadlock
(diagram: User – App Server; request transport time and response transport time are the network part, the application delay between them is the application part)
Application Performance Monitoring
Application Performance Monitoring
(diagram: App Server – Database Server; SQL query transport time and SQL response transport time are the network part, the database delay between them is the database part)
• LIST OF TRANSACTIONS INCLUDING URL, USER AGENT, INDIVIDUAL METRICS, STATUS CODE
Detailed drill down (HTTP)
• LIST OF TRANSACTIONS INCLUDING INDIVIDUAL SQL QUERIES AND PERFORMANCE CHARACTERISTICS
Detailed drill down (SQL)
Transaction correlation
User – application – database transactions correlation
User – application transactions
Relevant app – database server transactions
Error Codes
All Error Codes Transactions
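The user – application – database correlation of the preceding slides, as an added example that is not from the presentation or from Flowmon's product: the HTTP transactions seen on the user side and the SQL transactions seen between the app server and the database are observed separately by a probe, so they are correlated by app server address and time containment, and each HTTP response time is then split into a database share and an application share. The transaction lists, addresses, URLs and queries are constructed for the example.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed transaction lists of the kind the APM drill-down shows
# (HTTP side and SQL side observed separately by the probe). Not real data.
HTTP_TXNS = [
    # (start, end, client ip, app server ip, url, status code)
    ("2017-05-10 10:00:00.000", "2017-05-10 10:00:00.800", "192.168.10.21", "10.0.1.10", "/orders", 200),
    ("2017-05-10 10:00:01.000", "2017-05-10 10:00:01.120", "192.168.10.22", "10.0.1.10", "/login", 500),
    ("2017-05-10 10:00:02.000", "2017-05-10 10:00:02.050", "192.168.10.23", "10.0.1.10", "/static/app.js", 200),
]
SQL_TXNS = [
    # (start, end, app server ip, db server ip, query)
    ("2017-05-10 10:00:00.100", "2017-05-10 10:00:00.150", "10.0.1.10", "10.0.2.20",
     "SELECT id, total FROM orders WHERE customer_id = ?"),
    ("2017-05-10 10:00:00.200", "2017-05-10 10:00:00.700", "10.0.1.10", "10.0.2.20",
     "SELECT o.id, i.sku FROM orders o JOIN items i ON i.order_id = o.id"),
    ("2017-05-10 10:00:01.020", "2017-05-10 10:00:01.030", "10.0.1.10", "10.0.2.20",
     "SELECT password_hash FROM users WHERE name = ?"),
]


def t(s):
    return datetime.strptime(s, FMT)


def millis(start, end):
    """Whole milliseconds between two timestamps (integer division of timedeltas)."""
    return (t(end) - t(start)) // timedelta(milliseconds=1)


def correlate(http_txns=HTTP_TXNS, sql_txns=SQL_TXNS):
    """Attach each SQL transaction to the HTTP transaction on the same app server
    whose time window contains it, then split the response time into DB and app parts."""
    results = []
    for h_start, h_end, client, app, url, status in http_txns:
        hs, he = t(h_start), t(h_end)
        queries = [
            (q, millis(s_start, s_end))
            for s_start, s_end, s_app, db, q in sql_txns
            if s_app == app and hs <= t(s_start) and t(s_end) <= he
        ]
        total = millis(h_start, h_end)
        db_ms = sum(ms for _, ms in queries)
        results.append({
            "url": url, "client": client, "status": status,
            "total_ms": total,
            "db_ms": db_ms,            # time spent waiting on the database
            "app_ms": total - db_ms,   # the rest: application work plus transport seen by the probe
            "slowest_query": max(queries, key=lambda x: x[1])[0] if queries else None,
            "error": status >= 500,
        })
    return results


def error_transactions(results):
    """The 'All Error Codes Transactions' view: everything the server answered with 5xx."""
    return [r for r in results if r["error"]]


if __name__ == "__main__":
    for r in correlate():
        print(f"{r['url']:16} total {r['total_ms']:4} ms  db {r['db_ms']:4} ms  app {r['app_ms']:4} ms  status {r['status']}")
```

Time containment is a heuristic: with connection pooling several HTTP requests can be in flight on one app server, so a production correlation would also key on the pooled connection or on the order of transactions; on this constructed input there is never more than one request in flight, so containment is exact.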
Flowmon APM use case
Use case: Poor response time of internal information system
• Company with 500 employees, each spending 30 minutes daily on average in non-productive waiting for a response from the information system
• We calculated expenses of 10 € per hour per employee, so our daily loss is 2 500 €
By deploying Flowmon APM we reduce the non-productive time to 10 minutes, which means we save 1650 € every day
Return on investment is 2-4 weeks
Flowmon APM is a clever, agent-less application monitoring solution identifying and solving availability issues, slow response times, bottlenecks or configuration errors of critical applications.
Non-intrusive Real Time Application Performance Monitoring
Agentless measurement of user experience
Solves poor performance of „external“ applications (e-shop, e-banking, e-portals...)
Solves poor performance of „internal“ applications (information systems, CRM…)
Correlation of User–APP–DB transactions
Value Proposition – User Experience
Network-based APM is a cost-effective alternative for customers requiring an easy-to-
deploy solution to distinguish between network, application and database delay when
monitoring user experience.
Use Case III. Security
More sophisticated attacker techniques
Botnet: „A network of infected endpoints (known as bots) working together and controlled by an attacker through command-and-control (C2) servers“
Distributed denial-of-service (DDoS): „A coordinated attack, often from hundreds of thousands or millions of compromised endpoints, used to flood a target system or network“
Exploit: „Software or code that takes advantage of a vulnerability in an operating system or application and causes unintended behavior in the operating system or application, such as privilege escalation, remote control, or a denial-of-service“
Phishing: „social engineering technique in which an email that appears to be from a legitimate business, typically a financial institution or retail store, attempts to trick the recipient into clicking an embedded link in the email or opening an attachment containing malware or an exploit“
Hijacked IP address ranges: „IP addresses that are stolen from their legitimate owners, typically by corrupting the routing tables of Internet backbone routers“
Advanced persistent threat (APT)
Malware: „Malicious software or code that typically damages or disables, takes control of, or steals information from a computer system. Malware broadly includes adware, anti-AV software, backdoors, bootkits, logic bombs, RATs, rootkits, spyware, Trojan horses, viruses, and worms“
(diagram: security layers at the DMZ / VPN / LAN boundary)
Perimeter tools: Firewall, IDS/IPS, UTM, Application firewall, Web filter, E-mail security, SSH Access
Endpoint tools: Antivirus, Personal Firewall, Antimalware, Endpoint DLP, Antirootkit
Network Behavioral Analysis: Machine Learning, Adaptive Baselining, Heuristic Approach, Behavior Patterns, Reputation Databases
Flowmon Detection Principles
Advanced malware
78 port scans? DNS anomalies?
Let’s see the scans first. Ok, users cannot access web. Are the DNS anomalies related?
Ok, which DNS is being used? 192.168.0.53? This is a notebook! How did this happen?
Let’s look for the details… Laptop 192.168.0.53 is acting as a DHCP server in the network
Malware infected device: trying to redirect and bridge traffic, attack modification, sensitive data upload
Flowmon ADS use case
Use case: Network intrusion
• Risk: identity theft, user credentials theft
• Risk cost (SMB): 45k € per leak
• Flowmon CAPEX: 19k €
Sometimes we experience a situation when an employee brings his or her own device and tries to connect it into the network. The biggest issues are caused by devices with a DHCP server service. It took us quite a while to locate such a device before. Today, we identify a fake DHCP server in our network immediately thanks to Flowmon ADS.
Break-even: single leak
Flowmon ADS utilizes sophisticated algorithms and machine learning to automatically identify network anomalies and risks that bypass traditional solutions such as firewall, IDS/IPS or antivirus.
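The rogue DHCP server story of the "Advanced malware" slides and the ADS use case above, as an added example that is not the presentation's or Flowmon's detection code: three flow-based rules that would raise the alerts the analyst followed (port scans, a DNS anomaly, a fake DHCP server). A DHCP server reveals itself in flow data by sending from UDP port 67, an unauthorized resolver by many clients sending to it on port 53, and a scan by one source touching many ports with one or two packets each. The allow-lists, thresholds and all flow records are constructed; the rogue address is the one from the slides.

```python
from collections import defaultdict

AUTHORIZED_DHCP = {"192.168.0.1"}     # hypothetical: the only DHCP server that should answer
AUTHORIZED_DNS = {"192.168.0.10"}     # hypothetical internal resolver
SCAN_MIN_TARGETS = 20                 # distinct (dst ip, dst port) pairs from one source
DNS_MIN_CLIENTS = 3                   # clients using an unknown resolver before we alert

# Constructed flow records (proto, src ip, src port, dst ip, dst port, packets); not real traffic.
FLOWS = []
# a laptop answering DHCP requests: UDP source port 67 from an unauthorized address
for client in ("192.168.0.21", "192.168.0.22", "192.168.0.23"):
    FLOWS.append(("UDP", "192.168.0.53", 67, client, 68, 2))
    # the same clients now resolve names via that laptop (it handed itself out as DNS)
    FLOWS.append(("UDP", client, 50000, "192.168.0.53", 53, 6))
# normal traffic: the legitimate DHCP server and resolver
FLOWS.append(("UDP", "192.168.0.1", 67, "192.168.0.30", 68, 2))
FLOWS.append(("UDP", "192.168.0.30", 50001, "192.168.0.10", 53, 4))
# the same laptop touching 78 ports on a server, one packet per port (the "78 port scans")
for port in range(1, 79):
    FLOWS.append(("TCP", "192.168.0.53", 40000 + port, "10.0.0.5", port, 1))


def detect(flows=FLOWS):
    """Return (kind, ip, detail) alerts for rogue DHCP servers, unexpected DNS resolvers and port scans."""
    alerts = []
    dns_clients = defaultdict(set)       # resolver ip -> set of client ips
    scan_targets = defaultdict(set)      # src ip -> set of (dst ip, dst port) with tiny flows
    rogue_dhcp = set()
    for proto, src, sport, dst, dport, pkts in flows:
        if proto == "UDP" and sport == 67 and src not in AUTHORIZED_DHCP:
            rogue_dhcp.add(src)
        if proto == "UDP" and dport == 53 and dst not in AUTHORIZED_DNS:
            dns_clients[dst].add(src)
        if proto == "TCP" and pkts <= 2:
            scan_targets[src].add((dst, dport))
    for ip in sorted(rogue_dhcp):
        alerts.append(("ROGUE_DHCP_SERVER", ip, "DHCP offers from unauthorized address"))
    for resolver, clients in sorted(dns_clients.items()):
        if len(clients) >= DNS_MIN_CLIENTS:
            alerts.append(("DNS_ANOMALY", resolver, f"{len(clients)} clients use unknown resolver"))
    for src, targets in sorted(scan_targets.items()):
        if len(targets) >= SCAN_MIN_TARGETS:
            alerts.append(("PORT_SCAN", src, f"{len(targets)} ports probed"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect():
        print(f"{kind:18} {ip:15} {detail}")
```

All three alerts name the same address, which is the correlation step the analyst did by hand on the slides; the DHCP rule needs only a flow record with source port 67, so it fires on the first lease the rogue device hands out rather than after users start complaining that the web is unreachable.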
Flowmon Detection Capabilities
• Attacks: port scanning, dictionary attacks, DoS, DDoS, Telnet, VoIP/PBX…
• Traffic anomalies: DNS, DHCP, ICMP, multicast…
• Unwanted applications: P2P networks, instant messaging, anonymization services (TOR)…
• Anomalies in device behaviour: change of the long-term behaviour, profile of a device…
• Operational problems: delays, excessive load, unresponsive services, broken updates…
• Internal security issues: viruses, malware, ransomware, botnets, outgoing SPAM, potential data leakage…
(diagram: SCADA network – OPC Server, Application / File Server, Database Server, Engineering Station, HMI Stations, Router, RTU/PLC units with Current Sensor, Relay, Voltage Sensor, Pressure Sensor, Level Sensor and Pump over wired or wireless links; OT Firewall towards Enterprise / Outside world; attacker paths marked Ransomware ?, Botnet Infection, ! Data Upload)
FM Probe: NetFlow data collection, learning baselines
FlowMon Collector: diagnostics of NetFlow data
! Alert or notification sent
Monitoring & Anomaly Detection – SCADA / ICS
Admin
Segmentation (DMZ, WiFi, PCN...)
Security gap: patching, media (USB etc.), interconnection & no NAC... Missing deep network visibility!! Missing in security design!!
Advantage: stable flows in the SCADA network!
Admin: ALERT! Malware infection! Fileshare anomaly! Data upload!
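The "learning baselines" step of the SCADA diagram, as an added example that is not from the presentation or from Flowmon's ADS: because flows in a SCADA segment are stable, a baseline can be the set of communication pairs (src, dst, port, proto) seen during a learning period together with the largest volume each pair ever produced per interval; afterwards a pair that was never seen (a PLC opening SMB to the HMI, an engineering station talking to an outside address) or a known pair far above its learned volume (the file share anomaly) is alerted. Addresses, roles, volumes and the 5x factor are invented for the example.

```python
from collections import defaultdict

# Constructed flow records (interval, src ip, dst ip, dst port, proto, bytes) from a
# hypothetical SCADA segment. Addresses and roles are invented for the example.
HMI, PLC1, PLC2, OPC, FILESRV, ENG = (
    "10.10.1.5", "10.10.1.51", "10.10.1.52", "10.10.1.20", "10.10.1.30", "10.10.1.40")

LEARNING = []
for week in range(1, 5):
    LEARNING += [
        (week, HMI, PLC1, 502, "TCP", 120_000),        # Modbus/TCP polling, very stable
        (week, HMI, PLC2, 502, "TCP", 118_000),
        (week, OPC, PLC1, 502, "TCP", 300_000),
        (week, ENG, FILESRV, 445, "TCP", 2_000_000),   # engineering station fetching project files
    ]

DETECTION = [
    (5, HMI, PLC1, 502, "TCP", 121_000),
    (5, HMI, PLC2, 502, "TCP", 119_000),
    (5, OPC, PLC1, 502, "TCP", 305_000),
    (5, ENG, FILESRV, 445, "TCP", 60_000_000),        # 30x the baseline: fileshare anomaly
    (5, ENG, "203.0.113.9", 443, "TCP", 80_000_000),  # peer never seen in the segment: data upload?
    (5, PLC2, HMI, 445, "TCP", 5_000),                # a PLC opening SMB towards the HMI: new behaviour
]


def learn_baseline(flows):
    """Per communication pair, remember the largest byte count seen in any learning interval."""
    baseline = defaultdict(int)
    for _, src, dst, dport, proto, nbytes in flows:
        key = (src, dst, dport, proto)
        baseline[key] = max(baseline[key], nbytes)
    return dict(baseline)


def detect(baseline, flows, factor=5.0):
    """Alert on pairs never seen while learning and on volumes far above the learned maximum."""
    alerts = []
    for _, src, dst, dport, proto, nbytes in flows:
        key = (src, dst, dport, proto)
        if key not in baseline:
            alerts.append(("NEW_COMMUNICATION", key, nbytes))
        elif nbytes > factor * baseline[key]:
            alerts.append(("VOLUME_ANOMALY", key, nbytes))
    return alerts


def run():
    return detect(learn_baseline(LEARNING), DETECTION)


if __name__ == "__main__":
    for kind, (src, dst, dport, proto), nbytes in run():
        print(f"{kind:18} {src} -> {dst}:{dport}/{proto}  {nbytes} bytes")
```

The learning window must itself be clean: anything present while the baseline is built becomes "normal", which is why the diagram pairs baseline learning with segmentation and an OT firewall rather than relying on it alone.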
Next Generation Network Security – Behavior Analysis & Anomaly Detection
Detects and alerts on abnormal behaviors
Reports anomalies and advanced persistent threats
Detects intrusions and attacks not visible to standard signature-based tools
Covers gaps left by standard perimeter and endpoint security tools
Covers both IT (Enterprise/ISP) and OT (SCADA/ICS) environments
Value Proposition
Gartner: “Blocking and prevention is not sufficient. After you deployed firewall and IPS,
you should implement network behavior analysis to identify problems that are undetectable using other techniques.”
Security Tools
Inline Tools
• Intrusion prevention systems (IPS)
• Firewalls and next-generation firewalls (NGFWs)
• Data loss prevention (DLP) systems
• Unified threat management (UTM) systems
• SSL decryption appliances
• Web application firewalls (WAF)
Out-of-Band Tools
• Intrusion detection systems (IDS)
• Behavior analysis systems
• Forensic tools
• Data recording
• Packet capture (PCAP) tools
• Malware analysis tools
• Log management systems
Flowmon
• High-performance standalone probe – source of IPFIX
• L2/L3 invisible – transparent for the monitored network
• L2, L3, L4 and L7 application-layer deep network visibility
• Deep Packet Inspection, Data Traffic Recording
• Rack mountable hardware and virtual appliances
• SPAN / MIRROR port or TAP connection
• 10/100/1G-100G network traffic monitoring
Flowmon Probe
Flowmon Collector
• Long-term statistics storage from multiple flow data sources
• Application for collecting and analysis of NetFlow/IPFIX/sFlow/jFlow… statistics – Flowmon Monitoring Center
• Delivered as software running on the Collector
• Visualization and analysis of network traffic, reporting, alerting
(diagram: Enterprise Deployment – DATACENTER with DC switches and two CORE switches, FM Collector, FM Probes on the core, datacenter, Internet and Branch Office links; other labels AS, DS, VS, ZVS, J; module labels per probe: NPMD, APM, ADS, FTR)
Enterprise Deployment
Technology Landscape
Main drivers for Network Visibility
Troubleshooting network performance: „When applications run slowly or stop working, you need real-time network diagnosis to pinpoint the root cause“
Protecting and securing the network: „If you aren’t proactively and continuously monitoring network traffic using total visibility, you’re leaving your organization vulnerable to cybersecurity threats.“
Proactive monitoring for SLAs: „The growing use of cloud environments means you have an increasing number of sites and platforms to monitor, each with its own Service Level Agreements in place.“
Optimizing performance of complex network infrastructure: „Monitoring tools you use will help you achieve excellent performance, but only if you are seeing all the data in a timely manner.“
Monitoring application performance and reliability: „Network-centric applications must be continuously and precisely monitored for reliability and performance.“
Flowmon Networks a.s., U Vodárny 2965/2, 616 00 Brno, Czech Republic, www.flowmon.com
THANK YOU FOR YOUR ATTENTION!