Advanced approach to network security and
performance monitoring
Michal Drozd
TrustPort Threat Intelligence Product Manager
18 slides
Agenda
• Network monitoring
• Security and performance problems
• Common technology
• Advanced possibilities of network monitoring
• What is possible to detect
• Where are limitations
• Business models
Why Are We Here?
It seems every week brings a new headline
about a major data breach:
• “40 million credit card numbers compromised.”
• “80 million customers and employees affected by a data breach.”
• “8.8 to 18 million non-customers affected by latest corporate hack.”
• “Roughly 55% of the incidents involved APTs.”
• “DDoS, SCADA, …”
...and so on.
Why Are We Here?
Customer requirements
Management requirements
Business requirements
1. Increase Network and Service Availability
2. Decrease Staffing & Training Requirements
3. Optimize Network’s Bandwidth Utilization and Performance
4. Improve Productivity while Decreasing Operational Costs
Business requirements
Client services
Data centers
Cloud
Software as a Service (SaaS)
Network as a Service (NaaS)
Software Defined Networks (SDN)
Network monitoring
1. Network performance monitoring & diagnostics:
Network flow based monitoring
Network performance monitoring
Application performance monitoring
2. Network security and network visibility:
Detection of known threats (signature-based detection)
Detection of unknown threats (APTs, zero-days, internal threats, …)
Network behavior anomaly detection
Forensic analysis
Network security auditing and regulatory compliance
Network performance monitoring & diagnostics
Problems:
• What should be analyzed?
• How to analyze and visualize the right issue?
Network Flow Monitoring
Technology     | Direction       | Statistics                         | Layers  | Extras                                               | Ratio
NetFlow v5     | Uni-directional | IP statistics                      | L3 – L4 | –                                                    | 1:500
Flow (ASNM, …) | Bi-directional  | IP statistics, performance metrics | L2 – L7 | Application metadata, 65535 ports, spectral analysis | 1:100
PCAP           | Bi-directional  | Full packet capture                | –       | –                                                    | 1:1
NetFlow v9     | Uni-directional | IP statistics                      | L2 – L7 | HTTP, NBAR                                           | 1:500
Round Trip Time (RTT) – network delay
Application Response Time (ART) – application delay
Data transfer time (DTT) – data transfer duration
Delay – delay differentiation between packet flows
Jitter – deviation from true periodicity of a presumed periodic communication
Network flow – performance monitoring (all services)
Client ---- Probe ---- Server (packets observed by the probe, in time order):
  Syn      Client -> Server  \
  SynAck   Server -> Client   TCP handshake
  Ack      Client -> Server  /
  Req      Client -> Server   Client request
  Ack      Server -> Client  \
  Data     Server -> Client   Server response
  Data     Server -> Client   (Data, Data, Data, …)
Metrics derived from this timeline: RTT, ART, Delay, DTT
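How a probe turns the timeline above into the three timing metrics the slides define (RTT from the handshake, ART from request to first response byte, DTT from first to last server data packet). This is an added example, not TrustPort code; the packet timeline is constructed and timestamps are in milliseconds.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed packet record as a probe between client and server would see it.
@dataclass(frozen=True)
class Pkt:
    ts: int            # milliseconds
    direction: str     # "c>s" = client to server, "s>c" = server to client
    syn: bool = False
    ack: bool = False
    payload: int = 0   # application bytes in the segment

@dataclass(frozen=True)
class FlowMetrics:
    rtt: Optional[int]   # SYN -> handshake ACK: network delay over both directions
    art: Optional[int]   # first client request byte -> first server response byte
    dtt: Optional[int]   # first -> last server data packet: data transfer duration

def measure(pkts: List[Pkt]) -> FlowMetrics:
    """Derive RTT, ART and DTT from one TCP flow; None when a phase is missing."""
    pkts = sorted(pkts, key=lambda p: p.ts)
    syn = next((p for p in pkts if p.direction == "c>s" and p.syn and not p.ack), None)
    synack = next((p for p in pkts if p.direction == "s>c" and p.syn and p.ack), None)
    hs_ack = None
    if synack:
        hs_ack = next((p for p in pkts if p.direction == "c>s" and p.ack
                       and not p.syn and p.ts >= synack.ts), None)
    rtt = hs_ack.ts - syn.ts if syn and hs_ack else None
    req = next((p for p in pkts if p.direction == "c>s" and p.payload), None)
    resp = [p for p in pkts if p.direction == "s>c" and p.payload
            and (req is None or p.ts >= req.ts)]
    art = resp[0].ts - req.ts if req and resp else None
    dtt = resp[-1].ts - resp[0].ts if resp else None
    return FlowMetrics(rtt, art, dtt)

def sample_flow() -> List[Pkt]:
    """Constructed exchange matching the slide: handshake, request, pure ACK, 4 data segments."""
    return [
        Pkt(0, "c>s", syn=True), Pkt(20, "s>c", syn=True, ack=True), Pkt(30, "c>s", ack=True),
        Pkt(31, "c>s", ack=True, payload=300), Pkt(45, "s>c", ack=True),
        Pkt(131, "s>c", ack=True, payload=1400), Pkt(151, "s>c", ack=True, payload=1400),
        Pkt(171, "s>c", ack=True, payload=1400), Pkt(191, "s>c", ack=True, payload=600),
    ]

if __name__ == "__main__":
    m = measure(sample_flow())
    print(f"RTT={m.rtt} ms ART={m.art} ms DTT={m.dtt} ms")   # RTT=30 ms ART=100 ms DTT=60 ms
```

The pure ACK at 45 ms is deliberately ignored for ART: the application delay only ends when the first byte of response data arrives, which is what separates an application problem from a network one.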
Security problems
Network security and network visibility:
Detection of known threats (signature-based detection)
Detection of unknown threats (APTs, zero-days, internal threats, …)
Network behavior anomaly detection
Forensic analysis
Network security auditing and regulatory compliance
C&C Trojan PC framework
Name      | Price         | Focus                                                                          | C&C / vector                      | Location                             | Info
Citadel   | $2500 – $5000 | Stealing credit cards; WebInject to browser (i.e. spoofed authentication form) | SSL email (Yahoo, Hotmail, GMAIL) | Japan, UAE, Austria, Turkey, …       | –
Beta Bot  | $500 (botsw)  | Theft of authentication data on selected banking applications                  | SSL C2                            | USA                                  | –
Shylock   | from $1000    | WebInjecting, direct data theft                                                | SSL C2, Skype                     | EU, USA                              | Targeted at McAfee, FireEye, Symantec sandboxes
Carberp   | $40,000       | WebInject, VNC, boot sector                                                    | C2 (+ SSL services)               | –                                    | Mobile platform (CarbMo, multi-factor authentication); leaked source code (5.7 GB)
Hesperbot | $5/bot        | Theft of cards and accounts, webinject to the browser                          | SSL C2                            | Czech Republic, Greece, Portugal, UK | Based on Zeus
ZEUS      | –             | Basis of most modern malware                                                   | –                                 | GLOBAL                               | –
C&C Trojan Mobile framework
ZitMo, SpitMo, CitMo, CarbMo, Perkele, Pincer, …
Other common and unknown threats
Data leakage (misused DNS, SSH, HTTP(s), …)
Tunneled traffic (ICMP, DNS, SSH, HTTP(s), …)
Protocol anomalies
Time consuming port scans
Masked brute-force attacks (dictionary, brute-force)
Preparation for data theft by an employee and other internal threats
Breach of internal security rules
Network misconfiguration
(Distributed) Denial of Service (DoS, DDoS)
Automatic data harvesting (e-shop)
Fraud detection (web application) …
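The "time consuming port scans" item above is the case where a flow-based detector with a long window succeeds and a short-window one fails. Added example (not TrustPort code): a detector over constructed bi-directional flow records that counts distinct destination ports per source/host pair inside a sliding window, looking only at tiny flows, which is what unanswered probes look like.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed flow record, the fields a bi-directional flow probe would export:
# start time (seconds), endpoints, destination port, packets in both directions.
@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    packets: int

def slow_scan_sources(flows: List[Flow], window_s: int = 3600,
                      min_ports: int = 20, max_packets: int = 2) -> Dict[str, int]:
    """Sources that touched >= min_ports distinct ports on one host within any
    window_s span, counting only tiny flows (<= max_packets packets).
    Returns {src: most distinct ports seen in a single window}."""
    per_pair: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    for f in flows:
        if f.packets <= max_packets:
            per_pair[(f.src, f.dst)].append((f.ts, f.dport))
    findings: Dict[str, int] = {}
    for (src, _dst), events in per_pair.items():
        events.sort()                      # by start time
        best = 0
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window_s}
            best = max(best, len(ports))
        if best >= min_ports:
            findings[src] = max(best, findings.get(src, 0))
    return findings

def sample_flows() -> List[Flow]:
    """Constructed sample: one host probes 25 ports of a server, one port every
    120 s (a 48-minute scan), beside ordinary HTTPS traffic from another client."""
    scan = [Flow(1_700_000_000 + 120 * i, "10.0.0.5", "192.168.1.10", 1000 + i, 1)
            for i in range(25)]
    web = [Flow(1_700_000_000 + 60 * i, "10.0.0.7", "192.168.1.10", 443, 40)
           for i in range(50)]
    return scan + web

if __name__ == "__main__":
    fl = sample_flows()
    print("1 h window:", slow_scan_sources(fl))                  # {'10.0.0.5': 25}
    print("5 min window:", slow_scan_sources(fl, window_s=300))  # {} : scan too slow
```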
Modern Solution
Big Data analysis
Advanced flow metrics
DPI + IDS
Machine learning and Artificial Intelligence
User Behavior Model
Network Behavior Model
– Network model
– Host model
– Service model
– Performance model
Costs
• Data source – mirrored communication
• Current HW solution – up to 10 Gbps
• From 20 Gbps – HW acceleration
• HW acceleration
• Up to 300 Gbps / probe
• Computing servers
• Data store
Business model
• Security as a Service
• Services for clients
  – Data source before the network gateway – backbone probe
  – Data source inside the client network – internal probe
• Security cloud
  – Data collector
  – Analysis
• Reporting
Benefits
• Permanent overview of the network risk status
• Time saving on incident handling
  – All relevant data in one dashboard
• Easier prioritization of detected incidents and threats
• Minimizing the damage of security breaches
  – Thanks to early detection and resolution
• Increasing network security
  – Covers the gaps left by common security tools
• Enables forensic analysis
  – Collects evidence for several months