stackarmor microsummit - niksun network monitoring - dpi
TRANSCRIPT
KNOW THE UNKNOWN®
NIKSUN Inc., CONFIDENTIAL - INTERNAL USE ONLY. This document contains confidential information that shall be distributed, routed or made available only within NIKSUN.
Comprehensive Network Monitoring / DPI
NIKSUN Inc.
Agenda
• Why does cybercrime still persist, despite significant investment?
• What does it mean to have truly comprehensive monitoring? Surveillance, Detection, and Forensics
• How can this help you in the real world? Contextual Awareness (Incident Response), Firewall Monitoring & DDoS, Malware/Ransomware, Compliance, Information Hiding, DNS Server Hacked (Forensics)
NIKSUN, Inc. CONFIDENTIAL -- See confidentiality restrictions on title page. Slide 2
Why Does Cyber Crime Persist?
Slide 3. Copyright NIKSUN 2014
[Diagram: known/unknown quadrant. Cyber security products cover the known-known area; sophisticated hackers work in the unknown-unknown area.]
• Imagine if the CDC only looked to prevent viruses that have already wiped out millions... they would have no recourse in mitigating incidents like Ebola!
• Now imagine if they had full visibility into every single person in the United States... they could monitor every person's body and watch for the development of both old and new viruses.
Prevention
• How can one prevent that which one can't see?
• What new services and applications have entered your network that you are unaware of?
• Who is behind them? Is it a legitimate business application, or a trojan or malware?
• How do we know that our defenses are effective?
What Knowledge Is Necessary?
• We need more advanced signals ("data") than those which we have programmed a priori
• Good cyber attackers evade a priori indicators and exploit different attack vectors
• A novel approach is necessary to gather information from both known and unknown attack vectors
Comprehensive Monitoring
What is Network Monitoring?
What is needed?
• Video camera (surveillance)
• Sensor detection (laser beams)
• Image recognition (easy search for forensics, incident response)
Why are flows limited?
• Generally only provide information at layer 3
• Lack good support for correlated flows (FTP, Mobility, even web pages, etc.)
• Lack of broader Threat Intelligence support (files, domains, certificates, etc.)
Why are logs limited?
• Developers choose what logs to record. Can't know about attacks that have not even occurred yet
Sample Flow logs
Comprehensive Monitoring
• Surveillance & Threat Hunting: Top-down Holistic view of All Network Activity; Critical Network Infrastructure Indicators; Real-time Content Analytics; Application Recognition / Application Metadata; Geo-IP
• Detection: Anomaly / Signatures / Content (Data Leakage); Intelligence Feeds
• Incident Response & Forensics: Application Reconstruction & Artifact Extraction; Sandbox Integration; Flows & Connections; Raw Packets
• Other: Performance; Compliance
Enterprise-wide Monitoring
[Diagram: Email Server, CRM Server and Web Server monitored across the enterprise]
Monitor across all deployed physical and virtual devices, centrally, from any smart device
Fast Macro-to-Micro Analysis
[Diagram: drill-down from Global Visibility to Regional View to Specific Session to Single Packet]
Deep Content Inspection - Example
With just a few clicks, DPI / DCI can identify all of this information
Use Case – Contextual Awareness
Use Case: Contextual Awareness
[Diagram: Incident Response - Integrated Analysis. Alarms from the Firewall, Log Analyzer, IDS/IPS, Content Filters, SIEM and Scanners feed a single integrated analysis.]
Attacks often occur over disparate parts of the network, over extended periods of time → forensic investigation is necessary to put together the pieces of the puzzle and reveal how an attack was crafted.
Use Case – Firewall Monitoring
Use Case - Firewall Monitoring
• Trending information to tune Firewalls: TCP-SYN rate (common firewall metric); Fragmented packet rate (IPv4, IPv6); UDP, ICMP, DNS, NTP, etc. packet rates; Bandwidth
• In-depth analysis of attack attempts: Resolve issues with firewalls; FW vendors/users often need packets to tune against an attack
• Comprehensive Intelligence on DDoS attacks: Isolate bad traffic from good
• Threat Intelligence (did any bad URLs make it past the FW?)
• Analyze Firewall effectiveness (Retrospective IDS)
• Replay traffic to test new FW rules
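The trending metrics listed above (TCP-SYN rate, fragmented packet rate, UDP/ICMP/DNS/NTP rates, bandwidth) can be derived from packet metadata alone, and comparing the same metric at a tap before the firewall with one after it gives a direct measure of firewall effectiveness. The following is an added example written for this page, not NIKSUN code; it assumes packet metadata has already been extracted into tuples, and the packet records, the two tap names "outside" and "inside", and the SYN threshold of 20 per second are all constructed for illustration.

```python
"""Per-second trending metrics for firewall tuning, computed from packet
metadata captured at two taps: 'outside' (Internet side, before the firewall)
and 'inside' (protected side, after it). Added example; the packet records
below are constructed, not captured traffic."""
from collections import defaultdict

SYN = 0x02  # TCP flag bits
ACK = 0x10

# Constructed packet metadata:
# (tap, second, proto, dst_port, tcp_flags, is_fragment, length_bytes)
PACKETS = [
    # second 0: ordinary traffic, seen on both sides of the firewall
    ("outside", 0, "tcp", 443, SYN, False, 60),
    ("inside", 0, "tcp", 443, SYN, False, 60),
    ("outside", 0, "udp", 53, 0, False, 80),
    ("inside", 0, "udp", 53, 0, False, 80),
    ("outside", 0, "icmp", 0, 0, False, 64),
    # second 1: a SYN burst plus fragmented NTP outside; the firewall lets
    # only a few SYNs through and drops all fragments
    *[("outside", 1, "tcp", 80, SYN, False, 60) for _ in range(50)],
    *[("inside", 1, "tcp", 80, SYN, False, 60) for _ in range(5)],
    *[("outside", 1, "udp", 123, 0, True, 1400) for _ in range(10)],
]

COUNTERS = ("tcp_syn", "fragmented", "udp", "icmp", "dns", "ntp", "bytes")


def per_second_metrics(packets):
    """Return {tap: {second: {counter: value}}} for the rates listed on the slide."""
    table = defaultdict(lambda: defaultdict(lambda: dict.fromkeys(COUNTERS, 0)))
    for tap, sec, proto, dport, flags, frag, length in packets:
        c = table[tap][sec]
        c["bytes"] += length
        if frag:
            c["fragmented"] += 1
        if proto == "tcp":
            # count connection attempts only: SYN set, ACK clear
            if flags & SYN and not flags & ACK:
                c["tcp_syn"] += 1
        elif proto == "udp":
            c["udp"] += 1
            if dport == 53:
                c["dns"] += 1
            elif dport == 123:
                c["ntp"] += 1
        elif proto == "icmp":
            c["icmp"] += 1
    return table


def seconds_over_threshold(table, counter, threshold, tap="outside"):
    """Seconds in which a counter at the given tap exceeds a tuned baseline."""
    return sorted(s for s, c in table[tap].items() if c[counter] > threshold)


def pass_ratio(table, second, counter):
    """Fraction of outside packets of one kind that also appear inside: a direct
    measure of what the firewall let through (None if nothing was seen outside)."""
    outside = table["outside"][second][counter]
    inside = table["inside"][second][counter]
    return inside / outside if outside else None


if __name__ == "__main__":
    m = per_second_metrics(PACKETS)
    print("SYN-burst seconds:", seconds_over_threshold(m, "tcp_syn", 20))
    print("SYN pass ratio in second 1:", pass_ratio(m, 1, "tcp_syn"))
    print("fragment pass ratio in second 1:", pass_ratio(m, 1, "fragmented"))
```

The threshold is a tuning knob, not a universal constant: a real deployment would derive it from the site's own baseline, and the pass ratio is what tells you whether a rule change actually reduced what reaches the protected side.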
• Inline systems may face latency and complexity constraints, requiring a reduction in the deployed ruleset
• Monitoring becomes invaluable for a constant pulse on critical infrastructure
Firewall Inbound + Outbound Monitoring
[Diagram: Network | Firewall | Internet. Inbound: Who is trying to get in? What methods are they using? Who got in? Outbound: What did they get out? Backdoor?]
DDoS Monitoring (Volumetric / Application)
Red Zone / Green Zone
Traffic Volume - Before and After Firewall
Use Case – Ransomware (WannaCry)
Use Case: WannaCry Investigation
Use Case: WannaCry Investigation (cont.)
• Leverage retrospective IDS
• View SMB scans on your infrastructure
• Real-time intelligence feed related information
Use Case: WannaCry Investigation (cont.)
How can we know if the hosts scanned have actually been impacted?
Use Case – Compliance
Use Case: Compliance - PCI / Fed / Gov
• Discover compliance level with traffic monitoring: Faster than Pen Testing
• Validate security pre and post changes: Firewalls, networks, servers
• Evidence: Raw data captures
• Instantly identify insecure communications: Who is using non-compliant SSL 2.0, SSL 3.0, TLS 1.0? Who is using which ciphers, strong or weak? What Certificates are in use? Cert Organizations? Cleartext protocols, SSN
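Identifying who is still negotiating SSL 3.0 or TLS 1.0, and with which cipher suite, needs nothing more than the ServerHello captured from each session. The following parser is an added example written for this page, not NIKSUN code or the product's own metadata extraction; it handles one edge case a practitioner hits in practice, namely that TLS 1.3 servers still put 0x0303 in the legacy version field and signal the real version in the supported_versions extension. The ServerHello bytes are constructed by the build helper rather than captured, and the weak/strong labels on the small cipher table are this example's own classification (NULL, RC4 and 3DES as weak).

```python
"""Passive TLS compliance check: parse a captured ServerHello record and report
the negotiated protocol version and cipher suite. Added example; the sample
records are constructed, not captured traffic."""
import struct
from typing import Optional

# Version codes as they appear on the wire (RFC 5246 / RFC 8446)
VERSION_NAMES = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
# Versions the slide names as non-compliant (SSL 2.0 uses a different record
# format that this parser does not decode; see the note below).
NON_COMPLIANT_VERSIONS = {0x0300, 0x0301}

# A few IANA cipher suite identifiers; the weak/strong label is this example's
# classification (NULL, RC4, 3DES weak; AEAD suites with (EC)DHE strong).
CIPHER_SUITES = {
    0x0002: ("TLS_RSA_WITH_NULL_SHA", "weak"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "weak"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "weak"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "strong"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "strong"),
}
SUPPORTED_VERSIONS_EXT = 0x002B
HANDSHAKE, SERVER_HELLO = 0x16, 0x02


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record that carries a ServerHello handshake message."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs = body[4:4 + hs_len]
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                                  # skip server random
    sid_len = hs[pos]
    pos += 1 + sid_len                            # skip session id
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 3                                      # cipher suite + compression
    # TLS 1.3 keeps legacy_version = 0x0303 and states the real version in the
    # supported_versions extension, so walk the extensions if any are present.
    if pos + 2 <= len(hs):
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_len == 2:
                version = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += ext_len
    name, strength = CIPHER_SUITES.get(cipher, (f"unknown(0x{cipher:04x})", "unknown"))
    return {
        "version": VERSION_NAMES.get(version, f"unknown(0x{version:04x})"),
        "version_compliant": version not in NON_COMPLIANT_VERSIONS,
        "cipher": name,
        "cipher_strength": strength,
    }


def build_server_hello(version: int, cipher: int,
                       selected_version: Optional[int] = None) -> bytes:
    """Construct a minimal ServerHello record (test data, not captured traffic)."""
    hs = struct.pack("!H", version) + b"\x11" * 32 + b"\x00" + struct.pack("!HB", cipher, 0)
    if selected_version is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, selected_version)
        hs += struct.pack("!H", len(ext)) + ext
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(body)) + body


if __name__ == "__main__":
    samples = {
        "legacy-host": build_server_hello(0x0301, 0x0005),
        "modern-host": build_server_hello(0x0303, 0xC02F),
        "tls13-host": build_server_hello(0x0303, 0x1301, selected_version=0x0304),
    }
    for host, rec in samples.items():
        print(host, parse_server_hello(rec))
```

Run over the ServerHello of every captured session and group by server address and by client address, and the result is exactly the "who is using non-compliant SSL 3.0 / TLS 1.0" and "which ciphers" inventory the slide asks for. SSL 2.0 hellos use a different record layout and are not decoded here; a production check would flag any SSL 2.0 record on sight rather than parse it.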
Compliance – SSL Metadata
Use Case – Information Hiding / Exfiltration
Scenic?
And Now?
Slide 30. COPYRIGHT 2013 - NIKSUN Inc.
Social Security Numbers hidden in a picture... the only way to tell is by drilling down to the raw packets!
Use Case – DNS Server Hacked
Use Case: DNS Server Hacked
• Spear-phishing attack lured employees to go to their bank to update their info
• They were redirected to a BAD site. Difficult to trace, as the DNS server fixed itself after some amount of time, so the problem could not be identified by traditional methods
• Forensic analysis: Discovered that the "window of opportunity" was transient; Gave IP address of all those that were lured to the wrong site; Reconstructed the attack and traced the attacker's moves step-by-step
• Damage was minimized due to rapid identification and immediate remediation
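The two forensic results in this use case, the transient window and the list of clients lured to the wrong site, both fall out of retained DNS metadata once the known-good answers for the name are fixed. The following is an added example written for this page, not NIKSUN code; it assumes passive-DNS records have already been extracted as (timestamp, client, query name, answer) tuples, and the records, the name bank.example, the addresses and the known-good table are all constructed for illustration.

```python
"""Forensic reconstruction of a transient DNS-poisoning window from passive
DNS metadata (timestamp, client, query name, answer). Added example; the
records below are constructed, not captured data."""
from datetime import datetime

# Constructed passive-DNS records: (iso_timestamp, client_ip, qname, answer_ip)
DNS_RECORDS = [
    ("2014-03-01T09:00:00", "10.1.1.5", "bank.example", "198.51.100.10"),
    ("2014-03-01T09:05:00", "10.1.1.7", "bank.example", "198.51.100.10"),
    ("2014-03-01T09:10:00", "10.1.1.9", "bank.example", "203.0.113.66"),   # wrong answer
    ("2014-03-01T09:12:00", "10.1.1.12", "bank.example", "203.0.113.66"),  # wrong answer
    ("2014-03-01T09:13:00", "10.1.1.5", "other.example", "198.51.100.20"),
    ("2014-03-01T09:20:00", "10.1.1.7", "bank.example", "198.51.100.10"),  # server healed
]

# Authorised answers per name, e.g. from the zone owner or a trusted resolver.
KNOWN_GOOD = {"bank.example": {"198.51.100.10"}}


def find_poison_windows(records, known_good):
    """For each monitored name, return the first/last time an unauthorised
    answer was served, the bad answers, and the clients that received them."""
    windows = {}
    for ts, client, qname, answer in records:
        if qname not in known_good or answer in known_good[qname]:
            continue
        w = windows.setdefault(qname, {
            "first": ts, "last": ts, "bad_answers": set(), "clients": set()})
        # ISO-8601 timestamps with a fixed format compare correctly as strings
        w["first"] = min(w["first"], ts)
        w["last"] = max(w["last"], ts)
        w["bad_answers"].add(answer)
        w["clients"].add(client)
    for w in windows.values():
        delta = datetime.fromisoformat(w["last"]) - datetime.fromisoformat(w["first"])
        w["duration_seconds"] = delta.total_seconds()
    return windows


if __name__ == "__main__":
    for name, w in find_poison_windows(DNS_RECORDS, KNOWN_GOOD).items():
        print(name, w)
```

The client list is the hand-off to incident response: those are the hosts whose subsequent sessions to the bad answer address need to be reconstructed from the retained packets, which is the step-by-step trace the slide describes.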
NIKSUN: Helping You Know the Unknown®
For additional information: [email protected]