Technical Overview TDAC Anomaly Detection. copyright 2018 by Telesoft Technologies. All rights reserved.

Transcription

1 Technical Overview TDAC Anomaly Detection copyright 2018 by Telesoft Technologies. All rights reserved.

2 TDAC Anomaly Detection The volume of network events within National IPS/Telco s and Large Enterprises means that they have to classify and prioritise certain data over others, in order to protect specific elements of their networks. Elements of Carrier Scale Network Connected devices (user equipment, IoT devices, LAN & VNO) Own physical infrastructure (routing, firewalls, gateways & switches) Own services and applications Internet (web servers, streaming, OTT services, P2P & VoIP) CNI (utilities, transport & financial) This presentation gives a technical overview of TDAC Anomaly Detection, using Entity Sets to map logical and physical elements of hyper scale networks.

3 1 Features covered Entity sets Provisioned and auto-discovered sets Tagging physical & logical network assets (inc. CNI) Logical (e.g. services) and physical network topologies Anomaly detection DDoS examples HTTP flood, Water torture (Slowloris) Other threats classified: Wider DDoS, botnet C2, crimeware, data exfiltration, spam, anonymizers, network zone transgressions, zero day, more Flow reputation IPv4/6 and domain* reputation (*with Telesoft FlowProbe) Dashboard configuration See TDAC user guide ( ) section 9

4 2 Entity sets Entity sets describe: Physical and non-physical network assets Infrastructure Services/applications Logical and physical network topologies Entity set members Can be one or more of IPv4, IPv6, CIDR, domain Members can belong to more than one entity set All flows tagged with their set(s) for rapid forensics All entity sets are monitored Types Provisioned by the user Discovered by the platform

5 3 Entity set types Provisioned Discovered e.g. Router and interface network infrastructure, botnet topologies

6 4 Entity set provisioning Domain classification supported with Telesoft FlowProbe IPv4/6 and CIDR notation supported Tag or drop (do not store) per-flow actions Customer-definable list of tags supports monitoring and defence of: Logical network (e.g. application, service, VNO) Physical network (e.g. datacentre) Other customer-specific use cases

7 5 Entity sets - examples IP RANGES TAGS APPLIED FLOWS (source/destination IP or domain matched) group: Application service: Instant messaging environment: Production group: Application service: Instant messaging environment: Quality Assurance group: Application service: VoIP environment: Production group: Network zone: Northumberand name: Ashington Data Centre NOTES This is the production environment of the Instant messaging service of the operator - one item in the suite of services/applications offered by the operator Part of the logical network The QA environment of the above Part of the logical network VoIP production environment another item in the suite of applications Part of the logical network This is one of the entity sets describing the physical Network in this case the operator has multiple national data centres and is grouping them by county / /8 FC00::/96 kensington.cdn.company.com group: Network zone: Northumberand name: Longtown Data Centre group: Network zone: London name: Kensington Data Centre Part of the physical network Another data centre in Northumberland (showing single IPv4 and CIDR config) Part of the physical network Another data centre in a different county (showing IPv4 & & IPv6 CIDR and domain config) Part of the physical network

8 6 Anomaly Detection Current and historical incidents and severity All discovered data supports single-click to apply as filter or to change dashboard view for rapid incident forensic pivot Top threats and incidents by entity * * See entity sets slide Top network threats and incidents

9 7 Example pivot DDoS HTTP flood Attack profile Target An overwhelming proportion of HTTP flows attempting to consume target resources. Flow contain the expected suite of TCP flags (SYN/halfopen/flag flood attacks look similar but do not contain all TCP flags). As shown the attack is the shape of a wave. Attack sources (botnet zombies)

10 8 Example pivot DDoS Water Torture (Slowloris) Attack profile Long-duration drippingbyte flows consuming the target resources for serving legitimate requests. This attack looks blocky (like the continual dripping of water) as shown. Target Attack source

11 9 Flow reputation Threat classifications Threat descriptions

12 10 Flow reputation lists Intel sources Open threat intelligence Support for STIX format (e.g. Snort, Suricata) Bespoke/customer intel lists supported Updating Update frequency hourly to daily Central site propagates rules throughout remote systems

13 11 Threat alerting Alert on IP/domain reputation classification Anomaly (user tuning supported for severity, classification, etc) Alert mechanisms TDAC GUI Alert tied to other retained data Provides immediate first step in incident forensics Outbound webhook (JSON via secure REST API) Syslog Apache Kafka BGP Flowspec instruction attack mitigation Threat type & infrastructure dependent

14