Detecting Hidden Spam Bots (and other tales from the NetFlow front lines) Jim Meehan Director, Product Marketing
Slide 2: Agenda
- What is flow data?
- Legacy solutions and frustrations
- Modern requirements and architecture
- Forensic use cases and real-world examples
- Detection use cases and real-world examples
All contents Kentik Inc.
Slide 3: What is NetFlow?
- De-facto standard for network traffic statistics
- Developed by Cisco; variants now supported by all major vendors
- Provides comprehensive insight into the entire network
- Exports connection metadata only, never packet payload, so it avoids the privacy concerns of content monitoring
- NetFlow records contain:
  - Who communicated with whom
  - How long the conversation lasted
  - Amount of data transferred
  - Which protocol was used
  - Additional information (interfaces, routing, QoS marking)
Slide 4: Flow Sources and Insights
Sources: routers, switches, servers, firewalls, VMs, etc.
Insights (question -> flow fields):
- Who?   Source IP address; destination IP address
- What?  Source port; destination port; protocol
- When?  Flow start and end time
- Usage? Packet count; octet count
- QoS?   ToS; TCP flags; protocol
- Path?  Input and output interface
- Route? Next hop; source AS; destination AS
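The fields listed on this slide are exactly what a NetFlow v5 record carries on the wire. The following parser is an added example (not code from the deck or from Kentik) that decodes a v5 datagram into those who/what/when/usage/path/route fields, validates the exporter's record count against the datagram length before trusting it, and extracts the 1:N sampling interval from the header. The sample datagram is constructed inline with struct.pack, using documentation addresses; interface 307 and ASNs 1234/9876 are taken from the deck's own example records.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# NetFlow v5 wire format, all fields big-endian.
# Header (24 bytes): version, count, sys_uptime, unix_secs, unix_nsecs,
#   flow_sequence, engine_type, engine_id, sampling (2-bit mode | 14-bit interval)
HEADER_FMT = "!HHIIIIBBH"
# Record (48 bytes): srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
#   first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#   src_mask, dst_mask, pad2
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30  # a v5 datagram carries at most 30 records


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    next_hop: str
    in_if: int
    out_if: int
    packets: int
    octets: int
    first_ms: int      # sys_uptime (ms) when the flow started
    last_ms: int       # sys_uptime (ms) of the last packet seen
    src_port: int
    dst_port: int
    tcp_flags: int     # cumulative OR of TCP flags seen in the flow
    proto: int
    tos: int
    src_as: int
    dst_as: int


def parse_netflow_v5(datagram: bytes) -> tuple[int, list[FlowRecord]]:
    """Return (sampling_interval, records). Malformed input raises ValueError
    rather than indexing past the buffer on a bogus `count`."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, sampling = \
        struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > MAX_RECORDS or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not fit the datagram")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, nh, in_if, out_if, pkts, octs, first, last, sport, dport,
         _pad1, flags, proto, tos, sas, das, _smask, _dmask, _pad2) = \
            struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        records.append(FlowRecord(
            str(IPv4Address(src)), str(IPv4Address(dst)), str(IPv4Address(nh)),
            in_if, out_if, pkts, octs, first, last, sport, dport,
            flags, proto, tos, sas, das))
    # low 14 bits of the sampling field are the 1:N interval (0 = unsampled)
    return sampling & 0x3FFF, records


def build_sample_datagram() -> bytes:
    """Constructed test input, not a real capture: the two halves of an SMTP
    handshake as a router would export them, with 1:1000 sampling."""
    def rec(src, dst, sport, dport, flags, pkts, octs):
        return struct.pack(RECORD_FMT,
                           IPv4Address(src).packed, IPv4Address(dst).packed,
                           IPv4Address("0.0.0.0").packed, 307, 12,
                           pkts, octs, 1000, 1500, sport, dport, 0, flags, 6, 0,
                           1234, 9876, 24, 24, 0)
    header = struct.pack(HEADER_FMT, 5, 2, 60000, 1477000000, 0, 1, 0, 0, 1000)
    return (header
            + rec("192.0.2.10", "198.51.100.25", 34567, 25, 0x02, 1, 60)    # SYN
            + rec("198.51.100.25", "203.0.113.7", 25, 51234, 0x12, 1, 60))  # SYN/ACK
```

The length check matters on a real collector: `count` comes from the network, and a truncated or forged datagram must not be allowed to drive the slice offsets. The sampling interval is needed to scale octet and packet counts back up before comparing them to interface utilisation.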
Slide 5: Enhanced Flow Data
- Historically: separate silos for flow, routing, SNMP and DNS
- Today: flow becomes much richer when combined with:
  - Performance and layer 7 information
  - BGP attributes
  - Geography
  - DNS lookups
  - Tags (rack, department, customer, ...)
  - Config changes and software versions
  - Threat intelligence and known-bad IPs

Slide 6: Where to Get Enhanced Flow?
- On-server or sensor software: kprobe, nprobe, argus
- Commercial sensors: nbox, npulse, and others
- Packet brokers: Ixia and Gigamon (IPFIX, potentially more)
- IDS (bro): a superset of most flow fields, plus application decode
- Web servers (nginx, varnish): web logs plus tcp_info for performance
- Load balancers: already see HTTPS-decoded URLs
- Cisco AVC, NetFlow Lite: generally only on small devices

Slide 7: The Promise of Flow Data
- Pervasive collection of all network activity and conversations
- Instrument everything
- Leverage existing network elements (routers / switches) as sensors
- Situational awareness from macro to micro
- Real-time and historical visibility

Slide 8: Network Traffic Data Use Cases
Performance management; DDoS defense; traffic engineering; anomaly detection; planning and peering; threat detection; business analytics; network forensics; service creation.

Slide 9: Network Traffic Data Stakeholders
Questions: Are we providing a great digital experience? Is the network the problem? Are we under DDoS attack? What does this traffic cost? Where should we invest going forward?
Stakeholders: network operations, network engineering, SecOps, DevOps, finance, sales / BD.
Slide 10: Legacy Flow Data Storage and Processing
(Diagram.) Pipeline: flow records -> reduction & dedup -> data warehouse (map phase; shuffle & sort; reduce phase & data cube) -> analytics / visualization -> user query.
Raw records carry fields such as Src_ASN: 1234, Src_IP, Src_Port: 80, Dst_ASN: 9876, Dst_IP, Dst_Port: 6500, Interface: 307, Device. The reduction step drops records 999:1000 on each interval (1-in-1000 sampling) and collapses the survivors into per-field counters (e.g. Src_ASN: 1234, 3; Dst_Port: 6500, 3; Dst_IP, 1 and Dst_IP, 2). The result fits in gigabytes of storage, but the individual conversations are gone.
Slide 11: Legacy Solution Frustrations
Siloed, incomplete, 20-year-old tools based on appliances and open source. What they lack: scale, detail, turnkey deployment, a unified view, ad hoc queries, ops BI, real network visibility.

Slide 12: Key Network Operator Requirements
For modern data-driven network and security operations:
- No data aggregation or pre-filtering
- Correlation (fusing) between data types
- Full resolution, searchable and stored for months
- Fast: less than 10 s for results; cannot wait minutes to explore
- Network-savvy UIs and APIs (understand routing and CIDR)
- Detect anomalies: should not have to watch graphs manually
- Data and alerts available across the company
- APIs to access raw or processed data for integration
- Zero-to-usable in minutes to weeks, not months to years
Slide 13: Modern Ingest Architecture
(Diagram.) Router -> proxy -> decoder modules (NetFlow v5, NetFlow v9, IPFIX, sFlow, PCAP agent) -> data fusion -> traffic-savvy datastore.
Data fusion joins each decoded flow against in-memory tables: a BGP RIB fed by BGP daemons, GeoIP, ASN/IP, custom tags from an enrichment DB, SNMP poller data and PCAP. A single fused row per flow is sent to storage.

Slide 14: Modern Storage and Query Architecture
(Diagram.) Flow records -> ingestion & enhancement -> data warehouse (petabytes of storage; a master query fanned out as sub-queries) -> open API (SQL, portal, RESTful) -> analytics / visualization -> user query.
Each stored row keeps the full raw record (Src_ASN: 1234, Src_IP, Src_Port: 80, Dst_ASN: 9876, Dst_IP, Dst_Port: 6500, Interface: 307, Device) plus the added geo data, BGP attributes and custom data. Nothing is aggregated or pre-filtered before storage.
Slide 15: Network Traffic Data Use Cases (section divider; same list as slide 8)
Slide 16: Incident #1: External Service Dependency
- Build system reports: Unexpected status code [429]: Quota Exceeded
- Investigation reveals our build system can't connect to the Google-hosted container registry, gcr.io
- GCE admin console shows no indication of quota exceeded, error, or expiry
- Are we / were we talking to gcr.io?

Slide 17: Incident #1: Hosts talking to gcr.io (chart)

Slide 18: Incident #1: Whodunnit
- Relatively high pps from two hosts (k122 / k212) toward gcr.io
- Ended abruptly shortly after 11:00 UTC
- k122 / k212 are development VMs assigned to interns
- Interns were working on a registry project
- It all clicks: the interns' script hammered gcr.io and got us blacklisted
- Without detailed traffic history data, time-to-root-cause would have been much longer (or never)

Slide 19: Incident #2: Poor Query Performance
- Monitor indicated > 4 s query response time, normally < 1 s
- Also, network bandwidth alarm: 20+ Gbps of traffic among 20+ nodes
- Drilled down to immediately identify the affected microservice
- Aggregation service didn't anticipate 50+ workers responding simultaneously during a large query over many flow sources
- < 30 min to troubleshoot; would have been hours or more without detailed visibility
- As a result, we rebuilt the aggregation service pipeline

Slide 20: Incident #2: Source IPs hitting the aggregation service (chart)

Slide 21: Incident #2: Definitely Service Affecting
In addition to the spikes on the port used by the aggregation service, we saw a dip on the port used by ingest, a service collocated on the same node. Data collection was affected, not just query latency.
Slide 22: Incident #3: Hidden Spam Bots
- Spammers make outbound SMTP connections from an origin server
- The origin is a host / network with bad reputation
- They spoof the source IP of a hosting instance (the reflector) that is under their control and has good reputation
- The SYN/ACK from the remote mail server goes back to the reflector
- The reflector tunnels it back to the origin over GRE
- The hosting network never sees an outbound TCP/25 SYN, which is what would have been blocked

Slide 23: Incident #3: Hidden spam bots (diagram)

Slide 24: Incident #3: Find the Reflectors
- Find the hosts that are receiving traffic from source port TCP/25 AND who are also sending GRE
- Traffic volumes are small
- They probably won't appear in the Top-N of either condition individually
- How can those conditions be combined?
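The mechanism on slide 22 and the detection question on slide 24, worked through in code. This is an added example, not the deck's query and not Kentik code: it evaluates the two conditions over a constructed one-minute flow sample (documentation addresses; 198.51.100.0/24 stands in for the MYNETWORK tag) and shows why a Top-N of either condition alone misses the reflector while the intersection finds it. It also checks the asymmetry that makes the trick work: the reflector has zero outbound TCP SYNs to port 25 for an egress filter to catch.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GRE, TCP = 47, 6
# Assumed: the prefix the deck tags MYNETWORK is this documentation range.
MYNETWORK = ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    bytes: int


def is_ours(ip: str) -> bool:
    return ip_address(ip) in MYNETWORK


def gre_bytes_by_source(flows) -> Counter:
    """Condition 1: our hosts sending GRE (IP protocol 47)."""
    c = Counter()
    for f in flows:
        if f.proto == GRE and is_ours(f.src):
            c[f.src] += f.bytes
    return c


def smtp_reply_bytes_by_dest(flows) -> Counter:
    """Condition 2: our hosts receiving TCP traffic *from* source port 25,
    i.e. the SYN/ACKs remote mail servers send back to the spoofed address."""
    c = Counter()
    for f in flows:
        if f.proto == TCP and f.sport == 25 and is_ours(f.dst):
            c[f.dst] += f.bytes
    return c


def outbound_smtp_bytes(flows, host: str) -> int:
    """What an egress filter on the hosting network would look for and never
    sees from a reflector: TCP from `host` to destination port 25."""
    return sum(f.bytes for f in flows
               if f.src == host and f.proto == TCP and f.dport == 25)


def top_n(counter: Counter, n: int) -> list[str]:
    return [ip for ip, _ in counter.most_common(n)]


def find_reflectors(flows) -> list[tuple[str, int, int]]:
    """Hosts meeting BOTH conditions, ordered by GRE bytes, then SMTP-reply bytes."""
    gre = gre_bytes_by_source(flows)
    smtp = smtp_reply_bytes_by_dest(flows)
    hits = [(ip, gre[ip], smtp[ip]) for ip in gre.keys() & smtp.keys()]
    return sorted(hits, key=lambda h: (h[1], h[2]), reverse=True)


# Constructed one-minute sample, not real traffic.
SAMPLE_FLOWS = [
    # legitimate VPN concentrator: by far the biggest GRE sender
    Flow("198.51.100.10", "203.0.113.1", GRE, 0, 0, 50_000_000),
    # legitimate outbound mail relay: biggest receiver of traffic from port 25
    Flow("198.51.100.20", "203.0.113.2", TCP, 40000, 25, 4_000_000),
    Flow("203.0.113.2", "198.51.100.20", TCP, 25, 40000, 20_000_000),
    # the reflector: tiny on both axes, absent from both Top-N lists
    Flow("198.51.100.77", "192.0.2.9", GRE, 0, 0, 4_096),
    Flow("203.0.113.50", "198.51.100.77", TCP, 25, 4321, 1_500),
    Flow("203.0.113.51", "198.51.100.77", TCP, 25, 4322, 1_500),
    # unrelated noise: GRE arriving from outside, web traffic to the reflector
    Flow("192.0.2.9", "198.51.100.77", GRE, 0, 0, 4_096),
    Flow("203.0.113.60", "198.51.100.77", TCP, 443, 5000, 9_000),
]
```

A hit is a lead, not a verdict: a host that legitimately both tunnels and sends mail would match too, so confirm with the asymmetry check (SYN/ACKs arriving from port 25 with no matching outbound SYNs) before pulling the plug.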
Slide 25: Incident #3: SQL over raw traffic archive (screenshot)

Slide 26: Incident #3: SQL over raw traffic archive (screenshot)
Slide 27: Incident #3: UNION with GRE Sources
The two conditions are combined with a UNION of two per-host sub-queries, then a HAVING clause keeps only hosts present in both. (The first column of the second sub-query is ipv4_dst_addr; under UNION it takes the first sub-query's column name, ipv4_src_addr, in the outer query. The divisor 1000000 did not survive extraction and is restored from the _mbps aliases: bytes * 8 / 1e6 over a 60 s window gives Mbps.)

    SELECT ipv4_src_addr,
           ROUND(MAX(f_sum_both_bytes$gre_src_mbps)  * 8 / 1000000 / 60, 3) AS gre_src_mbps,
           ROUND(MAX(f_sum_both_bytes$smtp_dst_mbps) * 8 / 1000000 / 60, 3) AS smtp_dst_mbps
    FROM (
        -- Subquery 1: our source IPs sending GRE (protocol 47)
        (SELECT ipv4_src_addr,
                SUM(both_bytes) AS f_sum_both_bytes$gre_src_mbps,
                0               AS f_sum_both_bytes$smtp_dst_mbps
         FROM all_devices
         WHERE ctimestamp > 60
           AND protocol = 47
           AND (src_flow_tags ILIKE '%MYNETWORK%')
         GROUP BY ipv4_src_addr
         ORDER BY f_sum_both_bytes$gre_src_mbps DESC
         LIMIT 10000)
        UNION
        -- Subquery 2: our destination IPs receiving traffic from source port TCP/25
        (SELECT ipv4_dst_addr,
                0               AS f_sum_both_bytes$gre_src_mbps,
                SUM(both_bytes) AS f_sum_both_bytes$smtp_dst_mbps
         FROM all_devices
         WHERE ctimestamp > 60
           AND protocol = 6
           AND l4_src_port = 25
           AND (dst_flow_tags ILIKE '%MYNETWORK%')
         GROUP BY ipv4_dst_addr
         ORDER BY f_sum_both_bytes$smtp_dst_mbps DESC
         LIMIT 10000)
    ) a
    GROUP BY ipv4_src_addr
    HAVING MAX(f_sum_both_bytes$gre_src_mbps)  > 0
       AND MAX(f_sum_both_bytes$smtp_dst_mbps) > 0
    ORDER BY MAX(f_sum_both_bytes$gre_src_mbps)  DESC,
             MAX(f_sum_both_bytes$smtp_dst_mbps) DESC
    LIMIT 100
Slide 28: Incident #3: Hosts meeting both conditions (result table)

Slide 29: Anomaly Detection (section divider)

Slide 30: Anomaly Detection
- Continuously compare historical vs. current data
- Proactively find network conditions that impact security, performance and cost
- Find out before users complain!
- With full traffic history details, quickly determine root cause and reduce MTTI / MTTR

Slide 31: Policy Parameters
- Filters: which subset of traffic should we inspect?
- Segment / group by: which items within that subset should we generate alerts for? (IPs, interfaces, ASNs, combinations)
- Metrics: what should we measure for each of those items? (bits/sec, packets/sec, unique src/dst IPs, etc.)
- Thresholds: static, baseline, change in Top-N
- Latency: how long must the metric stay above threshold before the alarm fires?
- Notifications: syslog, Slack, PagerDuty, etc.
- Actions: API call, route injection, hardware mitigation

Slide 32: Policy Example (screenshot)
Slide 33: Incident #4: Rogue Host Detection
- Policy in place to profile the count of unique source IPs per destination IP
- Top-N destination IPs are profiled individually; everything else (the long tail) is compared to the lowest item in the Top-N
- Alarm fired showing 587 unique sources to one destination IP
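The policy parameters of slide 31 and the Top-N / long-tail rule of slide 33, implemented as an added example (not Kentik's engine). Metric: unique source IPs per destination IP. Destinations in the Top-N of the historical baseline get their own threshold (a growth multiple of their baseline, an assumed parameter); every other destination is compared to the lowest Top-N baseline, so a host with no history can never hide below a per-host baseline it does not have. The latency parameter is modelled as the number of consecutive windows the breach must persist. The baseline and the flow windows are constructed; 10.0.0.200 plays the never-seen DHCP address, reached by 587 distinct peers on TCP/30303 as on the next slide.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int


def unique_sources_per_dest(flows) -> dict[str, int]:
    seen: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        seen[f.dst].add(f.src)
    return {dst: len(srcs) for dst, srcs in seen.items()}


@dataclass
class UniqueSourcePolicy:
    """Top-N dsts are profiled against their own baseline; the long tail is
    compared to the smallest Top-N baseline. A breach must persist for
    `required_windows` consecutive windows before an alarm is raised."""
    baseline: dict[str, int]            # historical unique-source count per dst
    top_n: int = 3
    growth: float = 2.0                 # assumed: alarm when current > growth x baseline
    required_windows: int = 2           # the "latency" parameter
    _breaches: dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def thresholds(self) -> tuple[dict[str, int], int]:
        ranked = sorted(self.baseline.items(), key=lambda kv: kv[1], reverse=True)
        ranked = ranked[: self.top_n]
        profiled = {dst: int(cnt * self.growth) for dst, cnt in ranked}
        tail_threshold = ranked[-1][1] if ranked else 0
        return profiled, tail_threshold

    def evaluate(self, window_flows) -> list[tuple[str, int]]:
        """Feed one window of flows; returns (dst, unique_sources) alarms."""
        profiled, tail_threshold = self.thresholds()
        current = unique_sources_per_dest(window_flows)
        alarms = []
        for dst, count in current.items():
            limit = profiled.get(dst, tail_threshold)
            if count > limit:
                self._breaches[dst] += 1
                if self._breaches[dst] >= self.required_windows:
                    alarms.append((dst, count))
            else:
                self._breaches[dst] = 0          # breach must be continuous
        for dst in list(self._breaches):         # quiet hosts reset too
            if dst not in current:
                self._breaches[dst] = 0
        return alarms


def make_window(n_sources_per_dst: dict[str, int], dport: int = 443) -> list[Flow]:
    """Constructed flows: n distinct sources talking to each dst."""
    flows = []
    for i, (dst, n) in enumerate(n_sources_per_dst.items()):
        for j in range(n):
            flows.append(Flow(f"172.{16 + i}.{j // 256}.{j % 256}", dst, 6, dport))
    return flows


# Constructed baseline: three busy public services plus a long tail.
BASELINE = {"10.0.0.10": 500, "10.0.0.11": 300, "10.0.0.12": 120,
            "10.0.0.13": 15, "10.0.0.14": 4}
NORMAL = {"10.0.0.10": 520, "10.0.0.11": 280, "10.0.0.12": 130, "10.0.0.13": 12}
# the rogue host: zero history, 587 distinct peers on TCP/30303 in one window
ROGUE_WINDOW = make_window(NORMAL) + make_window({"10.0.0.200": 587}, dport=30303)
```

With top_n=3 the tail threshold is 120 (the third-ranked baseline), so 587 unique sources to an address with no history trips the policy regardless of how small the host's byte count is; the latency setting suppresses a single noisy window.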
Slide 34: Incident #4: Digging Deeper
- This IP was from the DHCP range
- Zero traffic history prior to the alarm
- Lots of TCP/30303 traffic, which is associated with cryptocurrency mining

Slide 35: Incident #4: Enhanced Flow, More Context
- DNS flows labeled with L7 details
- More cryptocurrency evidence
- Looks like a regular client host, but in a datacenter network?

Slide 36: Incident #4: Resolution
- Switch port was immediately disabled for this host
- Ops team remembered that a remote-hands contractor was on-site in the cage that day
- A quick call to the contractor's cell phone confirmed that he had connected his laptop to the production LAN!
- New policies and procedures to prevent unknown hosts from accessing production networks
Slide 37: Incident #5: Load Spike
- Policy built to profile UDP traffic volume per destination IP
- Alarmed on high bps / pps to an ingest node (fl13) based on deviation from the historical baseline
- Correlated with high CPU on the same node

Slide 38: Incident #5: Top Source ASNs for Alarming Node (chart)

Slide 39: Incident #5: Load Spike
A very informative alert, indicating dramatically higher traffic volume from a customer. It allowed us to quickly:
- Understand where the additional traffic was coming from, and for which service
- Verify this node was handling the additional load adequately
- Instantly know where to look to verify other vitals
Total time investment: < 10 minutes

Slide 40: Incident #6: Traffic Shift
- Policy built to baseline traffic volume per source ASN, per PoP
- Continuously compares current to historical
- Baseline incorporates normal daily / weekly variation
- Alarm indicating a drop in traffic from EdgeCast's ASN at the NYC PoP: 1.2 Gbps observed vs. 2.1 Gbps expected

Slide 41: Incident #6: EdgeCast Traffic per PoP
- Total EdgeCast traffic remains relatively constant
- Drop in NYC traffic mirrored by an increase in Ashburn traffic
- Policy has detected a change in traffic distribution: outage? policy change?
- Could be service affecting if there is insufficient capacity in NYC
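The baseline-deviation policies behind incidents #5 and #6, as an added example (not Kentik's detector). The baseline for a (source ASN, PoP) pair is the median of the samples taken at the same hour of the week over previous weeks, which is one simple way to bake normal daily and weekly variation into the expected value; the 30 % drop and 50 % rise bands and the 10 % total-tolerance are assumed parameters. A second function does what slide 41 does by eye: it sums the ASN across PoPs and reports a shift when the total is unchanged, a loss when it is not. The history uses the slide's 2.1 Gbps expected / 1.2 Gbps observed for NYC; the Ashburn numbers and the "EdgeCast" label (a real policy would key on the numeric ASN) are constructed.

```python
from __future__ import annotations
from statistics import median

# Constructed history: four weeks of Gbps samples per (source ASN label, PoP),
# all taken at the same hour-of-week as the sample being evaluated.
HISTORY = {
    ("EdgeCast", "NYC"):     [2.0, 2.2, 2.1, 2.1],
    ("EdgeCast", "Ashburn"): [1.0, 0.9, 1.1, 1.0],
}
# Constructed current sample for that hour-of-week.
CURRENT = {("EdgeCast", "NYC"): 1.2, ("EdgeCast", "Ashburn"): 1.9}


def baseline(history: dict, key) -> float:
    """Median of the same-hour-of-week samples: robust to one abnormal week,
    and seasonal because only like hours are compared."""
    return median(history[key])


def deviations(current: dict, history: dict, drop_pct: float = 0.30,
               rise_pct: float = 0.50) -> list[tuple[tuple, str, float, float]]:
    """(key, 'drop'|'rise', observed, expected) for every sample outside the band.
    A rise is what fired in incident #5, a drop what fired in incident #6."""
    out = []
    for key, observed in current.items():
        expected = baseline(history, key)
        if observed < expected * (1 - drop_pct):
            out.append((key, "drop", observed, expected))
        elif observed > expected * (1 + rise_pct):
            out.append((key, "rise", observed, expected))
    return out


def classify(current: dict, history: dict, asn: str, tolerance: float = 0.10) -> str:
    """Separate a traffic *shift* between PoPs from a real change in volume:
    if the ASN's total across all PoPs is still within `tolerance` of the
    expected total, the traffic moved rather than disappeared."""
    keys = [k for k in current if k[0] == asn]
    observed_total = sum(current[k] for k in keys)
    expected_total = sum(baseline(history, k) for k in keys)
    if abs(observed_total - expected_total) <= tolerance * expected_total:
        return "shift"
    return "loss" if observed_total < expected_total else "surge"
```

A shift is still worth an alarm, because capacity is planned per PoP: the question to ask next is whether Ashburn can carry the extra 0.9 Gbps, and whether NYC will get it back without warning.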
Slide 42: Questions?

Slide 43: Thank You. Jim Meehan, kentik.com
Improving Your Network Defense Joel M Snyder Senior Partner Opus One jms@opus1.com Agenda: Improving Your Network Defense What s the Thesis? Intrusion Detection Collecting Information Enabling Features
More informationNetFlow Integrator Standard
NetFlow Integrator Standard User Guide Version 2.4.2 (Build 2.4.2.0.11) November 2015 Copyright 2012, 2013 NetFlow Logic Corporation. All rights reserved. Patents Pending. Contents About this Guide...
More informationData-Driven Network Opera1ons. France-IX 2016 Avi Freedman
Data-Driven Network Opera1ons France-IX 2016 Avi Freedman Summary Why Data-Driven Network Opera1ons? The food: data types and sources Requirements and tool types Data Fusion Business-driven use cases:
More informationNetwork Operations Analytics
Network Operations Analytics Solution Guide Version 2.4.4 (Build 2.4.4.0.x) June 2016 Copyright 2012-2016 NetFlow Logic Corporation. All rights reserved. Patents Pending. Contents Introduction... 2 Solution
More informationData-Driven DevOps: Bringing Visibility to Any Cloud, Any App, & Any Device. Erik Giesa SVP of Marketing and Business Development, ExtraHop Networks
Data-Driven DevOps: Bringing Visibility to Any Cloud, Any App, & Any Device Erik Giesa SVP of Marketing and Business Development, ExtraHop Networks Your Monitoring Strategy Must Change How can you maintain
More informationNetFlow Integrator Standard
NetFlow Integrator Standard User Guide Version 2.4.3 (Build 2.4.3.0.24) February 2016 Copyright 2012-2016 NetFlow Logic Corporation. All rights reserved. Patents Pending. Contents About this Guide... 3
More informationAdvanced Attack Response and Mitigation
Advanced Attack Response and Mitigation Agenda Overview of cloud DDoS detection and mitigation which features geographically diverse scrubbing and high velocity auto-mitigation capabilities. - Overview
More informationCisco Firepower NGFW. Anticipate, block, and respond to threats
Cisco Firepower NGFW Anticipate, block, and respond to threats You have a mandate to build and secure a network that supports ongoing innovation Mobile access Social collaboration Public / private hybrid
More informationCisco Stealthwatch Endpoint License
Data Sheet Cisco Stealthwatch Endpoint License With the Cisco Stealthwatch Endpoint License you can conduct in-depth, context-rich investigations into endpoints that exhibit suspicious behavior. In our
More informationProCurve Network Immunity
ProCurve Network Immunity Hans-Jörg Elias Key Account Manager hans-joerg.elias@hp.com 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
More informationRSA Security Analytics
RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Analyze & prioritize alerts across various sources The cornerstone of security
More informationDetecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0
Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0 April 9, 2012 Introduction One of the earliest indicators of an impending network attack is the presence of network reconnaissance.
More informationZone-Based Firewall Logging Export Using NetFlow
Zone-Based Firewall Logging Export Using NetFlow Zone-based firewalls support the logging of messages to an external collector using NetFlow Version 9 export format. NetFlow Version 9 export format uses
More informationComprehensive datacenter protection
Comprehensive datacenter protection There are several key drivers that are influencing the DDoS Protection market: DDoS attacks are increasing in frequency DDoS attacks are increasing in size DoS attack
More informationNetwork Security: Firewall, VPN, IDS/IPS, SIEM
Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized
More informationLog Data: A Source of Value. Nagios Enterprises LLC Nagios Enterprises 2017 Logs: A Source of Value // 1
Log Data: A Source of Value Nagios Enterprises LLC 2017 Nagios Enterprises 2017 Logs: A Source of Value // 1 Log Data: A Source of Value Nagios Enterprises LLC 2017 Introduction Part 1 : What s in a Log?
More informationSecurity Information Managers: State of the Art. Joel M Snyder Senior Partner Opus One
Security Information Managers: State of the Art Joel M Snyder Senior Partner Opus One jms@opus1.com Definition: SIMs accept security information from multiple sources within the enterprise and analyze
More informationCisco Cyber Range. Paul Qiu Senior Solutions Architect
Cisco Cyber Range Paul Qiu Senior Solutions Architect Cyber Range Service A platform to experience the intelligent Cyber Security for the real world What I hear, I forget What I see, I remember What I
More informationLogging, Monitoring, and Alerting
Logging, Monitoring, and Alerting Logs are a part of daily life in the DevOps world In security, we focus on particular logs to detect security anomalies and for forensic capabilities A basic logging pipeline
More informationCisco Day Hotel Mons Wednesday
Cisco Day 2016 20.4.2016 Hotel Mons Wednesday Three Friends in Security : Identity, Visibility and Enforcement Stop the bad guys immediately György Ács IT Security Consulting Systems Engineer 20 April
More informationFeatures and Functionality
Features and functionality introduced in previous versions may be superseded by new features and functionality in later versions. New or Changed Functionality in Version 6.2.2.x, page 1 Features Introduced
More informationTransforming the Cisco WAN with Network Intelligence
Transforming the Cisco WAN with Network Intelligence Introduction Branch office networks and the enterprise WAN are in a state of dramatic transformation, driven by three key trends. Enterprises are using
More informationUnified Performance Management Solution. User Guide
Unified Performance Management Solution User Guide Copyright 2016 Colasoft. All rights reserved. Information in this document is subject to change without notice. No part of this document may be reproduced
More informationWHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief
WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION A Novetta Cyber Analytics Brief Why SIEMs with advanced network-traffic analytics is a powerful combination. INTRODUCTION Novetta
More informationAlways Keep IT Purely Simple
Always Keep IT Purely Simple Network Monitoring Software Page 1 CEO Message AKiPS is a scalable, fully featured monitoring tool that collects, reports and alerts on the performance of your network infrastructure.
More informationNetwork Performance Analysis System. White Paper
Network Performance Analysis System White Paper Copyright Copyright 2018 Colasoft. All rights reserved. Information in this document is subject to change without notice. No part of this document may be
More informationIBM Security QRadar Deployment Intelligence app IBM
IBM Security QRadar Deployment Intelligence app IBM ii IBM Security QRadar Deployment Intelligence app Contents QRadar Deployment Intelligence app.. 1 Installing the QRadar Deployment Intelligence app.
More informationThree interface Router without NAT Cisco IOS Firewall Configuration
Three interface Router without NAT Cisco IOS Firewall Configuration Document ID: 13893 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations
More informationHealthcare IT A Monitoring Primer
Healthcare IT A Monitoring Primer Published: February 2019 PAGE 1 OF 13 Contents Introduction... 3 The Healthcare IT Environment.... 4 Traditional IT... 4 Healthcare Systems.... 4 Healthcare Data Format
More informationWEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING
WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING A STRONG PARTNER COMPANY Link11 - longstanding security experience Link11 is a European IT security provider, headquartered in Frankfurt, Germany
More information