Date post: 19-Jan-2020

Page 1

Advanced approach to network security and

performance monitoring

Michal Drozd

TrustPort Threat Intelligence Product Manager

18 slides

Page 2

Agenda

• Network monitoring

• Security and performance problems

• Common technology

• Advanced possibilities of network monitoring

• What is possible to detect

• Where are limitations

• Business models


Page 3

Why Are We Here?

It seems every week brings a new headline

about a major data breach:

• “40 million credit card numbers compromised.”

• “80 million customers and employees affected by a data breach.”

• “8.8 to 18 million non-customers affected by latest corporate hack.”

• “Roughly 55% of the incidents involved APTs.”

• “DDoS, SCADA, …”

...and so on.

Page 4

Why Are We Here?

Customer requirements

Management requirements

Business requirements

1. Increase Network and Service Availability

2. Decrease Staffing & Training Requirements

3. Optimize Network’s Bandwidth Utilization and Performance

4. Improve Productivity while Decreasing Operational Costs


Page 5

Business requirements

Client services

Data centers

Cloud

Software as a Service (SaaS)

Network as a Service (NaaS)

Software Defined Networks (SDN)


Page 6

Network monitoring

1. Network performance monitoring & diagnostics:

Network flow based monitoring

Network performance monitoring

Application performance monitoring

2. Network security and network visibility:

Detection of known threats (signature-based detection)

Detection of unknown threats (APTs, zero-days, internal threats, …)

Network behavior anomaly detection

Forensic analysis

Network security auditing and regulatory compliance


Page 7

Network performance monitoring & diagnostics

Problems: what should be analyzed, and how to analyze and visualize the right issue

Page 8

Network Flow Monitoring

Comparison of data sources (direction – what is recorded – layers covered – ratio):

NetFlow v5 – uni-directional – IP statistics – L3 – L4 – 1:500

NetFlow v9 – uni-directional – IP statistics, HTTP, NBAR – L2 – L7 – 1:500

Flow (ASNM, …) – bi-directional – IP statistics, application metadata, performance metrics, 65535 ports, spectral analysis – L2 – L7 – 1:100

PCAP – bi-directional – full packet capture – 1:1

Page 9

Round Trip Time (RTT) – network delay

Application Response Time (ART) – application delay

Data transfer time (DTT) – data transfer duration

Delay – delay differentiation between packet flows

Jitter – deviation from true periodicity of a presumed periodic communication


Network flow – performance monitoring (all services)

[Figure: timeline of one TCP exchange as seen by a probe placed between client and server. Phases: TCP handshake (Syn, SynAck, Ack), client request (Req), server response, then data transfer (Data, Data, Data, Data). The metrics are read off these phases: RTT from the handshake, ART from the client request to the server response, Delay, and DTT over the data transfer.]
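Added example, not from the original slides: the metrics defined above computed from packet timestamps the way a passive probe between client and server would record them. The timestamps, field names and the jitter formula (mean absolute deviation of inter-packet gaps) are my assumptions.

```python
# Added example (not the slides' own code): RTT, ART, DTT and jitter
# derived from the phases of one TCP exchange observed at a probe.
from statistics import mean

# Constructed timestamps (seconds) of one exchange seen at the probe.
SAMPLE_EXCHANGE = {
    "syn": 0.000,         # client -> server, handshake starts
    "synack": 0.042,      # server -> client
    "ack": 0.043,         # client -> server, handshake complete
    "req": 0.050,         # client request
    "resp_first": 0.310,  # first byte of the server response
    "resp_last": 1.150,   # last byte of the server response
}
# Constructed arrival times of the response data packets (expected periodic).
SAMPLE_DATA_PACKETS = [0.310, 0.520, 0.730, 0.960, 1.150]


def rtt(ex):
    """Network delay: time from SYN to SYN/ACK passing the probe."""
    return ex["synack"] - ex["syn"]


def art(ex):
    """Application delay: client request to first response byte. At the
    probe this still contains the probe-to-server path, so a probe near
    the server isolates server processing time best."""
    return ex["resp_first"] - ex["req"]


def dtt(ex):
    """Data transfer duration: first to last byte of the response."""
    return ex["resp_last"] - ex["resp_first"]


def jitter(timestamps):
    """Deviation from periodicity: mean absolute deviation of the
    inter-packet gaps from their average (0.0 for a periodic stream)."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return 0.0
    avg = mean(gaps)
    return mean(abs(g - avg) for g in gaps)


def summarize(ex=SAMPLE_EXCHANGE, data=SAMPLE_DATA_PACKETS):
    """All metrics for one flow, as a probe would export them."""
    return {"rtt": rtt(ex), "art": art(ex),
            "dtt": dtt(ex), "jitter": jitter(data)}
```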

Page 10

Security problems

Network security and network visibility:

Detection of known threats (signature-based detection)

Detection of unknown threats (APTs, zero-days, internal threats, …)

Network behavior anomaly detection

Forensic analysis

Network security auditing and regulatory compliance


Page 11

C&C Trojan PC framework

Columns: Name – Price – Focus – Vector – Location – Info

Citadel – 2500 – 5000$ – Stealing credit cards, WebInject into the browser (i.e. spoofed authentication form) – SSL, e-mail (Yahoo, Hotmail, GMAIL) – Japan, UAE, Austria, Turkey, …

Beta Bot – 500$ (bot SW) – Theft of authentication data on selected banking applications – SSL C2 – USA

Shylock – from 1000$ – WebInjecting, direct data theft – SSL C2, Skype – EU, USA – Targeted at the sandboxes of McAfee, FireEye, Symantec

Carberp – 40.000$ – WebInject, VNC, boot sector – C2 (+ SSL services) – Mobile platform (CarbMo, multi-factor authentication); leaked source code (5.7 GB)

Hesperbot – 5$/bot – Theft of cards and accounts, webinject into the browser – SSL C2 – Czech Republic, Greece, Portugal, UK – Based on Zeus

ZEUS – Basis of most modern malware – GLOBAL

Page 12

C&C Trojan Mobile framework

ZitMo, SpitMo, CitMo, CarbMo, Perkele, Pincer, …

Page 13

Other common and unknown threats

Data leakage (misused DNS, SSH, HTTP(s), …)

Tunneled traffic (ICMP, DNS, SSH, HTTP(s), …)

Protocol anomalies

Slow (time-consuming) port scans

Masked brute-force attacks (dictionary, brute-force)

Preparation for data theft by an employee and other internal threats

Breach of internal security rules

Misconfiguration in network

(Distributed) Denial of Service (DoS, DDoS)

Automatic data harvesting (e-shop)

Fraud detection (web application) …

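Added example, not from the slides, of the flow-based behaviour detection these items call for: a sliding-window count of distinct destination ports per source over constructed flow records, which catches a slow port scan that a short per-minute threshold would miss. The record layout, window length and threshold are my assumptions.

```python
# Added example (not the presenter's code): detecting a time-consuming
# port scan from flow records by looking over a long window.
from collections import defaultdict

# Constructed flow records (start_time_s, src, dst, dst_port) as a flow
# collector would export them. Host 10.0.0.5 touches one new port every
# 10 minutes, a rate well under any per-minute scan threshold; 10.0.0.7
# is a normal client talking to port 443 only.
FLOWS = [(600 * i, "10.0.0.5", "10.0.0.20", 1000 + i) for i in range(40)] + \
        [(t, "10.0.0.7", "10.0.0.20", 443) for t in range(0, 24000, 300)]


def distinct_ports_per_source(flows, window_s):
    """For each (src, dst) pair, the largest number of distinct destination
    ports touched within any window of window_s seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        by_pair[(src, dst)].append((ts, port))
    result = {}
    for pair, events in by_pair.items():
        best, lo = 0, 0
        for hi in range(len(events)):
            # slide the window start forward until it spans <= window_s
            while events[hi][0] - events[lo][0] > window_s:
                lo += 1
            best = max(best, len({p for _, p in events[lo:hi + 1]}))
        result[pair] = best
    return result


def slow_scan_sources(flows, window_s=6 * 3600, threshold=20):
    """Sources that touched at least `threshold` distinct ports on one
    destination inside some window of `window_s` seconds."""
    counts = distinct_ports_per_source(flows, window_s)
    return sorted({src for (src, _), n in counts.items() if n >= threshold})
```

With the default six-hour window the slow scanner is reported; with a 60-second window, the kind of threshold a simple rate alarm uses, nothing is.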

Page 14

Modern Solution

Big Data analysis

Advanced flow metrics

DPI + IDS

Machine learning and Artificial Intelligence

User Behavior Model

Network Behavior Model

– Network model

– Host model

– Service model

– Performance model


Page 15

Costs

• Data source – mirrored communication

• Current HW solution – up to 10 Gbps

• From 20 Gbps – HW acceleration

• HW acceleration

• Up to 300 Gbps / probe

• Computing servers

• Data store


Page 16

Business model

• Security as a Service

• Services for clients

– Data source before network gateway – backbone probe

– Data source inside client network – internal probe

• Security cloud

– Data collector

– Analysis

• Reporting

Page 17

Benefits

• Permanent overview of the network risk status

• Time saving on incident handling

– All relevant data in one dashboard

• Easier prioritization of detected incidents and threats

• Minimizing damage from security breaches

– Thanks to early detection and resolution

• Increasing network security

– Covers the gaps left by common security tools

• Enables forensic analysis

– Collects evidence for several months

Page 18

Michal Drozd

[email protected]

+420 777 792 819

TrustPort a.s.

www.trustport.com
