
All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Date post: 28-Nov-2014
Upload: wildpackets
Description:
Do you think it requires an advanced degree to initiate an advanced security attack? Think again. Tool kits are readily available for immediate download that guide those with even just basic computer skills through the steps to initiate complex network attacks. But all hope is not lost. One of the best defenses is readily available in the market today – network recorders with network forensics – and when combined with the appropriate visibility fabric architecture, these solutions defend against attacks on even the fastest networks available today. Join WildPackets and Gigamon as we explore the current state of network attacks, network vulnerabilities, and the solutions available to combat the most aggressive, and the most subtle, attacks.
Transcript
Page 1: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

www.wildpackets.com © WildPackets, Inc.

All Hope is Not Lost: Network Forensics Exposes Today's Advanced Security Threats

Jay Botelho, Director of Product Management, WildPackets ([email protected])
Patrick Riley, Product Manager, Gigamon ([email protected])

Page 2: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Administration

• All callers are on mute
  ‒ If you have problems, please let us know via the Chat window
• There will be Q&A
  ‒ Feel free to type a question at any time
• Slides and recording will be available
  ‒ Notification within 48 hours via a follow-up email

Page 3: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Agenda

• Today’s Security Challenges
• Active Visibility for Multi-Tiered Security
• Network-based Attack Analysis
• ??
• Summary and Conclusions
• Q&A

Page 4: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

© 2014 Gigamon, Inc. All rights reserved.

Billions are Spent on Security Annually …

$18.4B spent by enterprises world-wide on security in 2014

Enterprise security network equipment spend (by millions of $s):

Firewall/VPN Equipment: 6,721
Intrusion Protection Systems (IPS): 1,520
Secure Routers: 968
Enterprise Security Network Equip (total): 9,209

Source: Gartner Trends Telecom Forecast (March 2014)

Page 5: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

… Yet Breaches Continue To Proliferate

Page 6: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Why Are “Secured” Networks So Exposed?

• IDS/IPS and other tools raise alerts, but security teams need details
  ‒ Who, what, where, when
  ‒ Answers require network visibility
• Advanced tools are needed to meet advanced threats
  ‒ High-level stats such as NetFlow and traffic sampling leave security analysts with generalities, not specifics
• Network visibility is declining overall
  ‒ Last-generation network analysis tools can’t keep up with 10G, 40G, and 100G networks
• Attacks come from multiple sources
  ‒ Threats from inside and at the perimeter

Page 7: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

YOU CAN’T SECURE WHAT YOU CAN’T SEE.

Visibility Is The Key to Comprehensive, Cost-effective Network Security

Page 8: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Need for a New Approach: Multi-Tiered Security

Specialized security tools ≠ Network-based attack analysis

• Backed by signatures and policy
• Parallel deployments with IPS/IDS
• Protect against known attacks (signatures)
• Detect potential unknown threats (heuristics)
• Deployed throughout the network, not just at the edge (castle-moat is dead)
• Security tools externalize network complexity
• Risk-driven, maps into corporate risk and compliance frameworks
• Support inline and out-of-band tools

Page 9: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Removing Security Challenges

(Diagram: Edge Router, Core Switch, Inline tools (Firewall, IPS), Out of Band tools (IDS / Malware))

• Tight maintenance windows no longer a constraint
• Optimize tool processing and performance
• Remove single points of failure from inline tools
• Maximize tool investment and ROI
• Eliminate tool-based network bottlenecks

Page 10: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Active Visibility for Multi-Tiered Security: A Better Approach to Integrated Security

(Diagram: Edge Router, Core Switch, Intrusion Prevention Systems, Intrusion Detection System, Out-of-Band Malware, NetFlow Collector, WildPackets, connected via GigaStream™ and GigaSMART®)

• Saves time
• Saves money
• Improved reliability
• Protects traffic throughput
• Integrates best-of-breed solutions

Page 11: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Active Visibility for Multi-Tiered Security

(Diagram: Visibility Fabric™ Architecture, out-of-band and inline. Network tiers: Internet, Core Switches, Distribution Switches, Access Switches, Regional Centers, Server/Virtual Farm. Visibility nodes: GigaVUE-HB1, GigaVUE-HC2 with Bypass Module, GigaVUE-HD8. Attached tools: File Activity Monitoring, SIEM, DLP, IDS, APM, IPS, Anti-Malware)

Page 12: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Challenges

• IDS/IPS and other tools raise alerts
• But security teams need details
  ‒ Who, what, where, when
  ‒ Answers require network visibility
• Network visibility declining overall
  ‒ Last-generation network analysis tools can’t keep up with 10G, 40G, and 100G networks
  ‒ Market trend for high-level stats such as NetFlow and traffic sampling leaves security analysts with generalities, not specifics

Page 13: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Network-Based Attack Analysis

• Benefits
  ‒ Give security teams evidence and insight
    • A comprehensive record of network activity
    • Powerful search and filtering tools for zeroing in on anomalies and attack details
  ‒ Enable security teams to act quickly
    • Find proof of attacks
    • Characterize attacks and stop them
  ‒ Who, what, where, when
• Solution: Packet Capture + Network Forensics
  ‒ Record, store, and analyze traffic
  ‒ Uncover and understand attacks so they can be stopped
  ‒ Tools include deep packet inspection, searches, filters, graphs, etc.

Full visibility into everything going in and out of your network

Page 14: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Key Capabilities

WildPackets Attack Analysis:
• High Speed Packet Capture
• Deep Packet Inspection
• Node Activity Profile
• Transaction History
• Node-to-node Interaction
• Visualization

Page 15: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Forensics Security Attack Analysis: Five Examples

Page 16: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Security Investigations with Network Forensics

• Incident Response Verification
• Pre-Zero Day Attack Forensics
• Incident Path Tracking
• Compliance with Security Regulations
• Transaction Verification

Page 17: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Problem: At approximately 11:20am, IDS/IPS reports an nmap decoy attack; a number of phony addresses were used by nmap as source IPs in addition to the actual attack machine IP.

Action: Use network forensics to rewind the attack, saving all packets from 5 minutes before to 5 minutes after the report for detailed network analysis.

Page 18: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Page 19: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Page 20: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Incident Response Verification

Applying Attack Intelligence and Deep Packet Inspection (DPI), WildPackets provides unprecedented visibility into network events, enabling security analysts to conduct full Root Cause Analysis (RCA).

Attack Analysis Results:
• Reduced MTTR for attacks
• Reduced impact of attacks

Workflow: Investigate → Confirm → Characterize → Resolve

Page 21: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Problem: The internal security team has identified a previously undetected major security threat; the signature says it uses the Windows Messenger service and has a UDP packet that contains “STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION…”

Action: Immediately identify any and all systems on the network that have potentially been affected by the threat, even before the threat was initially detected.

Page 22: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats


Page 23: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Zero Day Attack Forensics

• Unprecedented opportunity to ask:
  ‒ Has a newly recognized attack previously struck our network? If so, what happened?
• Replay recorded network traffic to event detection systems to discover if the new incident had occurred previously and understand who and what was affected.
• AKA “Retrospective Security Assurance”

Timeline:
1. IT begins recording network traffic
2. Zero-day attack strikes
3. Updates to security tools recognize the attack
4. Security team replays traffic through the attack signature
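The rewind step of the nmap decoy example (Page 17) and the retrospective search of the pre-zero-day example (Pages 21 and 23), as an added Python example that is not part of the webinar or of WildPackets' products: it parses a small libpcap capture constructed inline (Ethernet/IPv4/UDP only), keeps the packets within N minutes of an alert, and lists the hosts that had already received the signature payload before the signature became known. All timestamps, addresses and payloads are constructed sample data.

```python
import struct

SIG = b"STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION"  # payload from the Page 21 signature

def udp_record(ts, src, dst, sport, dport, payload):
    """Build one libpcap record (Ethernet/IPv4/UDP) for the constructed sample capture."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip4(src), ip4(dst))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + udp          # zero MACs, EtherType IPv4
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame

def iter_udp(pcap):
    """Yield (ts, src, dst, dport, payload) for every IPv4/UDP record in a pcap."""
    off = 24                                                # skip the global header
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                        # not IPv4 over UDP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        l4 = frame[14 + ihl:]
        _, dport, ulen = struct.unpack_from("!HHH", l4)
        yield ts, src, dst, dport, l4[8:ulen]

def rewind(pcap, alert_ts, minutes=5):
    """Page 17 step: keep the packets from N minutes before to N minutes after an alert."""
    lo, hi = alert_ts - minutes * 60, alert_ts + minutes * 60
    return [r for r in iter_udp(pcap) if lo <= r[0] <= hi]

def retro_search(pcap, signature, detected_at):
    """Page 21 step: hosts that already received `signature` before it was known."""
    hits = {}
    for ts, src, dst, _, payload in iter_udp(pcap):
        if signature in payload and ts < detected_at:
            hits.setdefault(dst, []).append((ts, src))
    return hits

# Constructed sample capture: two hits before detection, one after, one benign DNS query.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    udp_record(1000, "10.0.0.5", "10.0.0.20", 1026, 1026, SIG + b" ..."),
    udp_record(1600, "10.0.0.5", "10.0.0.21", 1026, 1026, SIG + b" ..."),
    udp_record(1700, "10.0.0.20", "10.0.0.53", 40000, 53, b"\x12\x34 dns"),
    udp_record(1900, "10.0.0.5", "10.0.0.22", 1026, 1026, SIG + b" ..."),
])
```

On a real recorder the capture would be read from disk and the signature replayed against every protocol the updated IDS rule covers; this block limits itself to UDP so that the parser stays small.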

Page 24: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Problem: Hundreds of users of a wireless network in a large auditorium find they cannot maintain a VPN connection, nor can they reliably connect to the Internet; everyone seems to be affected.

Action: IDS/IPS reports no problems; assess overall network connectivity and look for anomalies.

Page 25: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Incident Path Tracking

Using built-in peer-to-peer analytics, WildPackets’ Incident Path Tracking can trace the sequence of conversations between every device on the network before and after the security event.

Result: Identify the security attack, in this case “denial of service”, the source of the attack, and all the affected devices.

Page 26: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Problem: While reviewing the weekly network performance report, clear-text protocols were discovered that violate the company security policy.

Action: Find FTP traffic and identify suspected users; analyze FTP traffic to see if sensitive data was transmitted.

Page 27: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Ensuring Compliance – Leaked Data

Filter for patterns like SSNs and keywords.

Result: Evidence of data breaches and details that help track down the particulars of security attacks.

Page 28: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

You Can Take Back the Lead!

Page 29: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Accelerate Incident Response and Remediation

BEFORE: Timeline of a security investigation without Attack Analysis
• Disparate sources
• Investigations can take days or weeks

AFTER: Timeline of a security investigation with Attack Analysis
• Centralized repository with comprehensive data
• Investigations are many times faster

Page 30: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Omnipliance Product Line

• Omnipliance TL: NOC or Data Center, 10G/40G, up to 128 TB with OmniStorage
• Omnipliance MX: Corporate Campus, 1G/10G, up to 32 TB
• Omnipliance CX: Branch Offices, 1G, up to 32 TB

Page 31: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

The WildPackets Advantage

More Power in a Smaller Footprint
‒ Captures up to 23 Gbps of real-world traffic
‒ Scales up to 128 TB of storage
‒ Requires half the rack space and power of competitive solutions

Greater Precision
‒ Captures network traffic with no data loss, so you can analyze everything, not just samples or high-level statistics
‒ Accurate metrics
‒ Rich analytics help pinpoint and characterize anomalies
‒ Enterprise-wide solution makes forensic analysis available at every location

Better Price/Performance
‒ Superior power and precision at a price significantly lower than other network forensics products.

Page 32: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Summary

• We need to stop the “Bad Guys” from winning.
  ‒ Improve capability to investigate attacks.
• Traditional methods + Forensics Security Attack Analysis
• Forensics Security Attack Analysis = Packet Capture + Network Forensics
  ‒ Provides comprehensive evidence of all attack activity within a set period.
  ‒ Provides an irrefutable record of user, network, and application activity, including transactions.
  ‒ Enables security teams to characterize and trace attacks.
• WildPackets Omnipliances offer unmatched performance and precision for attack analysis.
  ‒ Complements existing security toolset with performance network recording, storage, and analysis.

Page 33: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Active Visibility for Multi-Tiered Security

1. TAP all critical links
2. Connect links to a High Availability Visibility Fabric™
3. Connect inline security tools
4. Connect out-of-band security tools
5. Leverage GigaSMART® traffic intelligence
6. Add non-security tools to maximize ROI

Page 34: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Q&A

Show us your tweets! Use today’s webinar hashtag #wildpackets_gigamon with any questions, comments, or feedback.

Follow us @wildpackets

Follow us on SlideShare! Check out today’s slides on SlideShare: www.slideshare.net/wildpackets

Jay Botelho, Director of Product Management, WildPackets ([email protected])

Patrick Riley, Product Manager, Gigamon (patrick.riley.gigamon.com)

Page 35: All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Threats

Thank You!

WildPackets, Inc., 1340 Treat Boulevard, Suite 500, Walnut Creek, CA 94597, (925) 937-3200