Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Transcription

1 Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

2 Network Modeling: A real world example Presented by: Don Slife Jarrod Echols

3 Who is MacAulay-Brown, Inc.? Cybersecurity Solutions MacAulay-Brown, Inc. (MacB) Founded in 1979 Headquartered in Dayton, OH National Capital Headquarters in Vienna, VA Over 1,500 employees Privately-held Integrated quality management by design Broad and diverse Cybersecurity customer set Frank B. Rowlett award (2001): NSA recognized Outstanding Information Systems Security Organization Blue states represent operating locations. Engineering Services Information Technology MacB Offices Huntsville, AL Santa Clara, CA Aurora/Denver, CO Panama City, FL Shalimar, FL Tampa, FL Augusta, GA Bedford, MA Aberdeen Proving Grd, MD Alexandria, VA Columbia, MD Bellevue, NE Neptune, NJ Doylestown, PA San Antonio, TX Sterling, VA Hampton, VA Roanoke, VA A Proud History of Providing Technical Excellence for Over 35 Years

4 Who are we? Don Slife 10 Years US Air Force, Computer and Network Operations 3 Years Air Force CERT 15 Years Contracting Programming Red Team SOC Operations Reverse Engineering Jarrod Echols 2 Years, Cyber Threat & Intelligence Analysis BS in Information Systems: Information & Network Security Regional Team winner, Collegiate Cyber Defense Team (CCDC) Masters of Public Administration Internship, US Senate IT Security

5 Why are we doing this? ArcSight is a very powerful tool... BUT With great power, comes great complexity... AND With great complexity, comes great confusion

6 Bringing Order to the Chaos Define the Protected Environment Identify Dark Address Space Identify/Fix Misconfigurations to Reduce Noise Define Normal Traffic User Zones Asset Type Zones (Mail, DNS, VoIP ) Network Type Zones (Public, Private) Define Critical Assets Prioritize Events Against Critical Assets ArcSight Console Users Guide

7 Goals of Today Share what we have learned so far in our voyage of discovery through ArcSight network and asset modeling. Explain the mistakes we made. Explain the things we ve learned. Share our best practices. What are we going to talk about? The model we inherited. Finding unmodeled space. Our first modeling attempt. Our second modeling attempt. Where we are going from here. GOAL: You don t have to repeat our mistakes. You get to make new mistakes!

8 The Organization Multi-state Medical Co-op of 102 Doctors 40 Research Committees Made up of Subsets of Doctors Doctors have Individual Offices Around the Country Approximately 8,000 Users Co-op has a Shared Network Backbone and Core Computing Environment ( /Messaging/VoIP/VTC)

9 The Network Class B Routable Address ( /16) Doctor and Committee Main Offices /24 s for Everyone Doctors Local Offices /28 s in Some Cases Some Public Facing IP s Common Services Exchange Internal Web VTC All 3 RFC 1918 Address Spaces /8 Internal Networking Addresses VoIP /12 Overflow Address Space for Doctors Some Public Service (via NAT) /16 Overflow Address Space for Doctors Office Wireless Network Space

10 Example: Dr Schmedley Main Office (Washington, DC) /24 Original IP Space /24 Additional Space /24 VoIP Phones /28 COOP Location Atlanta Office /26 Original IP Space /28 Expansion Space /24 VoIP Phones Sacramento Office /26 Original IP Space /24 VoIP Phones DC Dr Schmedley Atlanta Sacramento / / / / / / / / /28

11 Network Model: Version 1 Folders by IP Network Most Zones in the Public /16 Address Space Fairly Static Approximately 1,700 Zones No Asset Categories Engineering Maintained Access DB Manual Asset/Zone Creation Addition of Zones/IP Space when Discovered

12 Version 1 Pro Simple to Visualize for Network Engineers Direct Mapping to Network Engineering Database Con Zone Addition is a Manual Process Trying to Group by Doctor or Committee is Difficult Difficult to Keep up with Network Changes No Asset Categories ISSUE: Network Operations has another database, and zones are added monthly!

13 Detecting Unmodeled Space Problem: How to detect unmodeled space so it can be added? Solution: Create a second network on each connector and let ArcSight do it! Discoveries NOC adds zones weekly. Only the routers really know! Over 300 unmodeled IPs.

14 Asset Modeling on the Cheap Address Space Categories Should be Assigned to Zones Application Categories Should be Assigned to Assets Problem: Not Ready to Model Assets Solution: Apply Application Categories to Networks Issue: Category Queries Become Slightly More Complicated

15 Network Model: Version 2 Single Data Source Approximately 2,500 Zones Network Model Wizard Big Groups by Organization Started Using Categories in ESM Protected DMZ Dark Wireless Name Start Address End Address Dynamic Addressing Schmedley DC 1.0: TRUE Partee Mont 202.0: TRUE Calamba Spri VoIP 8.0: FALSE International Medicine DC 63.0: TRUE Kus Anch COOP 32.0: FALSE Chivers NewY AVAILABLE 101.0: TRUE

16 Network Model: Version 2 Pro Single Data Source Semi-Standard Naming Schema [Zone Name]: IP Start IP End Visibly Organized in ArcSight Quick to Analyze in Active Channel Con 41 Step Process CIDR to IP Range Conversion Organize Into Categories ~ 16 Hours to Massage Data Still Difficult to Group by Office Zones Tagged with Asset & Network Categories Export from Infoblox Convert CIDR to IP Range Concatenate Names Group by Category Setup for Import Import to ArcSight via Wizard Delete old (broken) Zones

17 Network Model: Version 3 Flat Model ArcSight Resource Generator for Import Quick to Massage Data Pre-Import Category Tagging Custom Category Tagging Approximately 3,700 Zones #Type Name Start Address End Address Dynamic Addressing Parent Group URI Location URI Network URI Category: Zone Schmedley DC 1.0: TRUE /All Zones/Offices /All Locations/Office/Washington DC /All Networks/US Medical Zone Partee Mont 202.0: TRUE /All Zones/Offices /All Locations/Office/Alabama /All Networks/US Medical /All Asset Categories/Office/Address Spaces/Wireless Zone Calamba Spri VoIP 8.0: FALSE /All Zones/Offices /All Locations/Office/Illinois /All Networks/US Medical /All Asset Categories/Office/Application/Type/VoIP Zone International Medicine DC 63.0: TRUE /All Zones/Offices /All Locations/Office/Washington DC /All Networks/US Medical Zone Kus Anch COOP 32.0: FALSE /All Zones/Offices /All Locations/Office/Alaska /All Networks/US Medical /All Asset Categories/Office/Address Spaces/COOP

18 Network Model: Future Automate Infoblox Export Automate Massaging of Data Zones Refresh Instead of Reload Delete/Add Changed Zones Zones Tagged with Address Space Categories Assets Tagged with Application Categories

19 Lessons Learned Darkspace Network Covering Your Entire IP Space Apply Application Categories to Zones Until Assets are Modeled Establish a Single Authoritative Source for IP s Standardized Zone Naming Schema <TITLE> <NAME> <LOCATION>: StartIP EndIP Flat Folder Structure is Much Easier Close Relationship with NOC We Recommend Beer!

20 Please give me your feedback Session TB3295 Speaker Don Slife & Jarrod Echols Please fill out a survey. Hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events. 20 Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

21 Thank you Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

22 Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.