
Network as a Sensor: Using Flow Data for Visibility
Jeff Byers – Security Account Manager, Advanced Threat Solutions
Realities of Modern Threats

Highlights:
• One in four breaches are caused by malicious insiders
• 95% of all cybercrime is triggered by a user clicking on a malicious link disguised to be legitimate
• Two in three breaches exploit weak or stolen passwords
Source: 2014 Verizon Data Breach Investigations Report and Forrester research.

With lateral movement of advanced persistent threats, even external attacks eventually become internal threats.
[Figure: perimeter controls (IPS, IDS, FW) sitting between the External and Internal sides of the network]
Internal Visibility via NetFlow Telemetry
[Figure: NetFlow telemetry from the switch, WAN router and firewall across the Atlanta, San Jose and New York sites, the Internet edge, the datacenter servers, the access layer and the DMZ]
Flow Analysis – Not to be confused with IDS/IPS
• IDS monitors specific network segments for malicious activities or policy violations.
• With NetFlow, you are turning your entire network into a large sensor.
You Can’t Defend Against What You Don’t See
• 60% of data is stolen in HOURS
• 85% of point-of-sale intrusions aren’t discovered for WEEKS
• 54% of breaches remain undiscovered for MONTHS
• 51% increase in companies reporting a $10 million or more loss in the last 3 YEARS
“A community that hides in plain sight avoids detection and attacks swiftly.”
— Cisco Security Annual Security Report.
Granular Visibility – Down to End User
• EVERYTHING must touch the company network
• KNOW every host
• RECORD every conversation
• Know what is NORMAL
• Be alerted to CHANGE
• Store for MONTHS
• What else can the network tell me?
[Figure: visibility cycle labelled Assess, Audit, Posture, Detect, Response and Context]
Gain Context-Aware Security

Flow analysis provides:
• Visibility – identifies business-critical applications and services across the network
• Identification of additional IOCs
• Better understanding of response to an IOC
• Policy and segmentation
• Audit trail of all host-to-host communication
• Network behavior anomaly detection (NBAD)
Flow Basics
NetFlow – The Network Phone Bill
[Figure: a monthly telephone statement (“Bill At-A-Glance”) beside a flow record, both annotated with WHO, WHAT, WHERE, WHEN and HOW]
Collecting Flow
Flow Collector
• Provides metadata record of network conversation
• Builds the network’s “phone bill”
• Easy to deploy; available in “most” networking equipment
• No packet-level visibility or response time information
NetFlow Visibility
[Figure: a conversation between 10.1.8.3 and 172.168.134.2 observed by the switches and routers on the path to the Internet]
NetFlow provides:
• A trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurements
• An ability to find north-south as well as east-west communication
Flow Information
A flow record summarizes a set of packets; the example record carries these fields:
SOURCE ADDRESS: 10.1.8.3
DESTINATION ADDRESS: 172.168.134.2
SOURCE PORT: 47321
DESTINATION PORT: 443
INTERFACE: Gi0/0/0
IP TOS: 0x00
IP PROTOCOL: 6
NEXT HOP: 172.168.25.1
TCP FLAGS: 0x1A
SOURCE SGT: 100
APPLICATION NAME: NBAR SECUREHTTP
Another Flow Type: sFlow
• Packet sampling based – not a flow record
• Ex: 1 in 128 packets captured
• The first ~100 bytes of the Ethernet frame is extracted and placed into a UDP packet
• Performs poorly in a low-bandwidth environment or when full flow details are needed (compliance/security)
• No complete visibility to all packets/conversations

sFlow Collection
sFlow packets are sent to the sFlow collector. The collector scales the byte counts based on the scaling factor.
What about areas that don’t support NetFlow?
FlowSensor Appliance
• Enables flow record creation where traditional NetFlow is not available.
• Requires a SPAN port or Ethernet tap
NetFlow Implementation: Items to Consider

Flow Stitching & De-duplication
• Flow records represent unidirectional flow data
• Flows can be subject to asymmetric routing
At the FlowCollector:
• Stitching flows together forms logical bidirectional conversations from the flow data obtained from multiple reporting network devices
• De-duplication ensures traffic reporting is accurate regardless of the number of devices the flow traverses.

Follow the Flows
Visualize the network path taken by the flow through stitching and de-duplication.
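The following example is added here to make the three ideas above concrete; it is not code from the presentation or from any product it mentions. It builds unidirectional records with the fields from the Flow Information slide, de-duplicates copies of the same flow reported by several devices, stitches the two directions into one conversation even when asymmetric routing means each direction was seen by a different device, and keeps the set of exporters as the path for "Follow the Flows". Exporter names, byte counts and the lower-port-is-the-server heuristic are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional flow record exported by a single device.
    Field names follow the Flow Information slide; exporter names and counts
    are constructed for this example."""
    exporter: str
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # IP protocol number, 6 = TCP
    packets: int
    bytes: int


FiveTuple = Tuple[str, str, int, int, int]


def five_tuple(r: FlowRecord) -> FiveTuple:
    return (r.src, r.dst, r.sport, r.dport, r.proto)


def deduplicate(records: Iterable[FlowRecord]) -> Dict[FiveTuple, Tuple[FlowRecord, Set[str]]]:
    """Collapse copies of the same unidirectional flow reported by several exporters.
    Each device on the path reports the same packets, so a 5-tuple is counted once:
    keep the copy with the largest byte count (most complete view) and remember
    every exporter that saw it (the path used for 'Follow the Flows')."""
    kept: Dict[FiveTuple, Tuple[FlowRecord, Set[str]]] = {}
    for r in records:
        k = five_tuple(r)
        if k not in kept:
            kept[k] = (r, {r.exporter})
            continue
        best, seen = kept[k]
        seen.add(r.exporter)
        if r.bytes > best.bytes:
            kept[k] = (r, seen)
    return kept


@dataclass
class Conversation:
    """Bidirectional conversation stitched from the two unidirectional records."""
    client: str
    client_port: int
    server: str
    server_port: int
    proto: int
    client_bytes: int = 0
    server_bytes: int = 0
    client_packets: int = 0
    server_packets: int = 0
    path: Set[str] = field(default_factory=set)


ConvKey = Tuple[str, int, str, int, int]


def stitch(deduped: Dict[FiveTuple, Tuple[FlowRecord, Set[str]]]) -> Dict[ConvKey, Conversation]:
    """Pair both directions of a conversation, even when asymmetric routing means
    they were reported by different devices.
    Heuristic (assumption): the endpoint with the lower port number is the server."""
    convs: Dict[ConvKey, Conversation] = {}
    for r, exporters in deduped.values():
        from_client = r.dport <= r.sport
        key: ConvKey = ((r.src, r.sport, r.dst, r.dport, r.proto) if from_client
                        else (r.dst, r.dport, r.src, r.sport, r.proto))
        c = convs.setdefault(key, Conversation(*key))
        if from_client:
            c.client_bytes += r.bytes
            c.client_packets += r.packets
        else:
            c.server_bytes += r.bytes
            c.server_packets += r.packets
        c.path |= exporters
    return convs


# Constructed records: the 10.1.8.3 -> 172.168.134.2:443 conversation from the
# slides, seen outbound on a switch and a WAN router, returning only through the
# WAN router and a firewall (asymmetric path), plus one unrelated SSH flow.
SAMPLE_RECORDS: List[FlowRecord] = [
    FlowRecord("atl-switch", "10.1.8.3", "172.168.134.2", 47321, 443, 6, 12, 1400),
    FlowRecord("wan-router", "10.1.8.3", "172.168.134.2", 47321, 443, 6, 12, 1400),
    FlowRecord("wan-router", "172.168.134.2", "10.1.8.3", 443, 47321, 6, 10, 9800),
    FlowRecord("ny-firewall", "172.168.134.2", "10.1.8.3", 443, 47321, 6, 10, 9800),
    FlowRecord("atl-switch", "10.1.8.3", "10.1.9.7", 51000, 22, 6, 5, 600),
]


def summarize(records: Iterable[FlowRecord]) -> Tuple[int, int, int]:
    """Return (bytes counted naively, bytes after de-duplication, conversations)."""
    records = list(records)
    naive = sum(r.bytes for r in records)
    deduped = deduplicate(records)
    accurate = sum(r.bytes for r, _ in deduped.values())
    return naive, accurate, len(stitch(deduped))


if __name__ == "__main__":
    print("naive / deduplicated bytes, conversations:", summarize(SAMPLE_RECORDS))
    for c in stitch(deduplicate(SAMPLE_RECORDS)).values():
        print(f"{c.client}:{c.client_port} <-> {c.server}:{c.server_port} "
              f"out={c.client_bytes}B in={c.server_bytes}B path={sorted(c.path)}")
```

Counting the five raw records would report almost twice the real traffic (23000 bytes); after de-duplication the same conversations total 11800 bytes, and the HTTPS conversation shows a path through all three devices although no single device saw both directions.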
NAT Stitching
NSEL Protocol – obtain additional context through NSEL
• The Flow Action field can provide additional context: permitted or denied flow
• NAT stitching using the Translated Host field
• State-based NSEL reporting is taken into consideration in behavioral analysis
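As an added example (not code from the presentation or from any NSEL implementation), the snippet below shows what NAT stitching and the Flow Action field buy the analyst. A switch inside the NAT boundary reports the pre-NAT flow, an edge router outside it reports the same flow with the translated address, and the firewall's NSEL-style event carries both plus its verdict. Without the Translated Host field the two records look like two different hosts; with it they collapse onto the real inside host, and a denied flow is attributed to that host too. The field names `xlate_src`, `xlate_sport` and `action`, the action labels, the device names and all addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class NselRecord:
    """Firewall flow event in the style of NSEL (constructed values).
    xlate_src/xlate_sport model the Translated Host field (post-NAT address and
    port); action models the Flow Action field. Field names are assumed."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    action: str                        # "permitted" or "denied" (assumed labels)
    xlate_src: Optional[str] = None    # None when the firewall did not translate
    xlate_sport: Optional[int] = None


@dataclass(frozen=True)
class FlowRecord:
    """Plain NetFlow record from a device that knows nothing about NAT."""
    exporter: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    bytes: int


Key = Tuple[str, int, str, int, int]   # (src, sport, dst, dport, proto)


@dataclass
class StitchedView:
    """One conversation as seen from the inside host's point of view."""
    inside_src: str
    inside_sport: int
    dst: str
    dport: int
    proto: int
    action: Optional[str] = None                     # firewall verdict, if known
    translated_as: Optional[Tuple[str, int]] = None  # post-NAT endpoint, if any
    exporters: Set[str] = field(default_factory=set)
    bytes_by_exporter: Dict[str, int] = field(default_factory=dict)


def nat_stitch(records: List[FlowRecord], events: List[NselRecord]) -> Dict[Key, StitchedView]:
    """Attribute every record to its pre-NAT inside host and attach the firewall verdict."""
    nat_map: Dict[Key, Key] = {}     # translated (outside) 5-tuple -> original 5-tuple
    actions: Dict[Key, str] = {}
    for e in events:
        inside: Key = (e.src, e.sport, e.dst, e.dport, e.proto)
        actions[inside] = e.action
        if e.xlate_src is not None:
            nat_map[(e.xlate_src, e.xlate_sport, e.dst, e.dport, e.proto)] = inside

    views: Dict[Key, StitchedView] = {}
    for r in records:
        observed: Key = (r.src, r.sport, r.dst, r.dport, r.proto)
        inside = nat_map.get(observed, observed)   # fall back to the record as seen
        v = views.setdefault(inside, StitchedView(*inside, action=actions.get(inside)))
        if inside != observed:
            v.translated_as = (r.src, r.sport)
        v.exporters.add(r.exporter)
        v.bytes_by_exporter[r.exporter] = r.bytes
    return views


def source_hosts(views: Dict[Key, StitchedView]) -> Set[str]:
    """Inside hosts that the stitched view attributes traffic to."""
    return {k[0] for k in views}


# Constructed data: one permitted HTTPS flow translated at the firewall, and one
# telnet attempt the firewall denied (so only the inside switch ever saw it).
SAMPLE_EVENTS = [
    NselRecord("10.1.8.3", 47321, "203.0.113.10", 443, 6, "permitted", "198.51.100.5", 10242),
    NselRecord("10.1.8.3", 51234, "203.0.113.77", 23, 6, "denied"),
]
SAMPLE_RECORDS = [
    FlowRecord("atl-switch", "10.1.8.3", 47321, "203.0.113.10", 443, 6, 1400),
    FlowRecord("edge-router", "198.51.100.5", 10242, "203.0.113.10", 443, 6, 1400),
    FlowRecord("atl-switch", "10.1.8.3", 51234, "203.0.113.77", 23, 6, 60),
]

if __name__ == "__main__":
    print("hosts without NAT stitching:", sorted({r.src for r in SAMPLE_RECORDS}))
    views = nat_stitch(SAMPLE_RECORDS, SAMPLE_EVENTS)
    print("hosts with NAT stitching:   ", sorted(source_hosts(views)))
    for v in views.values():
        print(f"{v.inside_src}:{v.inside_sport} -> {v.dst}:{v.dport} action={v.action} "
              f"nat={v.translated_as} seen_by={sorted(v.exporters)}")
```

The mapping is keyed on the full translated 5-tuple rather than the address alone because port address translation reuses one public address for many inside hosts; matching on address only would misattribute conversations.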
Mapping User Details to Flow
Introducing User-Centric Monitoring: User Snapshot
Administrators can search on user names, as well as obtain a report outlining a specific person’s network activity – including any anomalous behavior or alarms triggered.
NetFlow for Network Operations
Why NetFlow for Network Teams?
Lack of network visibility due to emerging technology results in an inability to react to network problems:
“10G Ethernet is so fast, few probe technologies can keep up and those that can are too expensive”
“MPLS & multi-point VPNs create a meshed WAN that’s expensive to monitor adequately”
Network Team
• Interface utilization
• QoS monitoring
• MPLS visibility
• Application troubleshooting
• Connection troubleshooting
• Billing and chargeback
Summary
When Questions Are Asked… Do You Have Answers?
• Who is communicating on the network?
• Is it “normal”?
• How much traffic is on the network/interface/server by service/application?
• Have any hosts on my network connected with known botnets?
• How long has this activity gone on?
• How much information is leaving our network and where is it going?
• Do we have a good audit trail of communication for research and audit?
Consider Using NetFlow For Security
It’s There
Flow telemetry is available from all over the network: routers, switches, load balancers, firewalls, FlowSensors, even the virtual network!
It’s Valuable
NetFlow analysis enables:
• Inside and outside threat detection
• Deep traffic analysis and network visibility
• Contextual awareness and incident response
• Policy compliance
[Figure: Cisco ISE, NBAR, NetFlow and Lancope StealthWatch – Total Visibility]
Valuable Tool For Network & Security Teams
Collaboration

Network Operations
• Network usage
• Network performance
• Host integrity
• User behavior
• Diagnostics
• Avoid expensive upgrades and complexity to existing network management and security architectures with fully meshed networks.
• Provides extensive historical and trending data to facilitate network performance capacity planning and resource management

Security Teams
• Fills gaps of traditional security
• Forensics & investigation
• Emerging threats:
  • DDoS
  • APTs
  • Insider threats
  • Data exfiltration
The Many Ways To Use Flow For Security
• Detecting Sophisticated and Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise waiting to strike as a lurking threat. These may be zero-day threats that do not yet have an antivirus signature, or may be hard to detect for other reasons.
• Uncovering Network Reconnaissance. Some attacks will probe the network looking for attack vectors to be utilized by custom-crafted cyber threats.
• Finding Internally Spread Malware. Malware can proliferate across hosts inside the network for the purpose of gathering security reconnaissance data, data exfiltration or network backdoors.
• Identifying BotNet Command & Control Activity. BotNets are implanted in the enterprise to execute commands from their bot herders to send SPAM, launch denial of service attacks, or perform other malicious acts.
• Revealing Data Loss/Exfiltration. Code can be hidden in the enterprise to export sensitive information back to the attacker. This data leakage may occur rapidly or over time.
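Two of the use cases above (network reconnaissance and data exfiltration) and the earlier "know what is NORMAL, be alerted to CHANGE" idea can be shown with a small amount of behavioral analysis over stitched conversation records. The example below is added here and is not code from the presentation or from any NBAD product: one detector flags an inside host that touches many distinct host/port pairs with one- or two-packet flows, the other compares each host's outbound bytes to external destinations against that host's own stored daily baseline. The 10.0.0.0/8 "inside" rule, the thresholds, the sample flows and the baseline history are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    """Stitched conversation summary, client -> server (constructed values)."""
    src: str
    dst: str
    dport: int
    proto: int
    packets: int
    bytes_out: int      # bytes sent by src


def is_internal(ip: str) -> bool:
    # Assumption for this example: inside hosts live in 10.0.0.0/8
    return ip.startswith("10.")


def detect_recon(flows: Iterable[Flow], min_targets: int = 20) -> Dict[str, int]:
    """Reconnaissance: an inside host touching many distinct host/port pairs with
    flows of one or two packets (probes that never became a real conversation).
    Returns {host: number of distinct targets} for hosts over the threshold."""
    targets = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and f.packets <= 2:
            targets[f.src].add((f.dst, f.dport))
    return {h: len(t) for h, t in targets.items() if len(t) >= min_targets}


def detect_exfil(flows: Iterable[Flow], history: Dict[str, List[int]],
                 sigma: float = 3.0) -> Dict[str, Tuple[int, float]]:
    """Data exfiltration: today's outbound bytes from an inside host to external
    hosts compared with that host's own daily baseline (what is NORMAL for it).
    Alert only when today exceeds both mean + sigma*stdev and twice the mean, so
    a perfectly flat baseline (stdev 0) does not alert on a trivial change.
    Returns {host: (bytes today, baseline mean)}."""
    today = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            today[f.src] += f.bytes_out
    alerts: Dict[str, Tuple[int, float]] = {}
    for host, sent in today.items():
        baseline = history.get(host)
        if not baseline:
            continue    # no stored history yet: nothing to compare against
        mu, sd = mean(baseline), pstdev(baseline)
        if sent > max(mu + sigma * sd, 2 * mu):
            alerts[host] = (sent, mu)
    return alerts


def constructed_flows() -> List[Flow]:
    """One day of constructed conversations for three inside hosts."""
    flows = [
        # Two inside hosts talking HTTPS to external servers; 10.1.8.3 sends far
        # more than it usually does, 10.1.9.7 is close to its normal volume.
        Flow("10.1.8.3", "203.0.113.10", 443, 6, 900, 400_000_000),
        Flow("10.1.8.3", "203.0.113.44", 443, 6, 1200, 500_000_000),
        Flow("10.1.9.7", "203.0.113.10", 443, 6, 300, 55_000_000),
    ]
    # One inside host sweeping 25 ports on an internal server with single-packet flows
    flows += [Flow("10.1.5.5", "10.1.9.7", port, 6, 1, 60) for port in range(1, 26)]
    return flows


# Constructed per-host outbound byte totals for the previous five days
CONSTRUCTED_HISTORY: Dict[str, List[int]] = {
    "10.1.8.3": [120_000_000, 110_000_000, 130_000_000, 125_000_000, 115_000_000],
    "10.1.9.7": [50_000_000] * 5,
}

if __name__ == "__main__":
    flows = constructed_flows()
    print("possible reconnaissance:", detect_recon(flows))
    print("possible exfiltration:  ", detect_exfil(flows, CONSTRUCTED_HISTORY))
```

The baseline is per host rather than global because a backup server legitimately sends volumes that would be alarming from a workstation; the per-host history is exactly the "store for months" data the earlier slide asks for, and the same records serve as the audit trail when an alert is investigated.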