Network Visibility or Advanced Security?

Transcription

1 Network Visibility or Advanced Security? TechDays 2017 Roman Cupka, Regional Country Manager SEE

2 Who We Are Founded in 2007 as a University Spinoff International Network & Security Monitoring Technology Vendor Gartner MQ for NPMD 2017 Alliance partner of the premium technology vendors

3 What We Do Network Visibility IT Operations Security Network Performance Monitoring and Diagnostics Application Performance Montoring Network Behavioral Analysis DDoS Detection & Mitigation NPMD APM NBA DDoS

4 Challenge to Network Visibility Expanding network perimeter FW between the enterprise network and internet mobile users / cloud mobility by 2018, 25% of data will bypass traditional security defenses and flow directly between mobile devices and the cloud Virtualization east-west traffic: data that travels between these virtual resources on the same physical host or inter-blade traffic on the same server network cable is not sufficient for monitoring virtual traffic Increasing use of SSL encrypted traffic ¾ of internet traffic attackers also use SSL encryption to hide threats and attack traffic IT departments now commonly decrypt inbound and outbound SSL traffic to identify risks and threats Growing volume and complexity in network traffic largely comprised of structured and unstructured data (video/voice) volume of network traffic can flood existing security tools with more traffic than they were designed Internet of Things (IoT) new computing models mobile edge computing (MEC) and fog computing to extend the network perimeter still further needs to embrace open standards that enable data access, security monitoring, and performance analytics Cloud computing / Cloud Applications public / privat / hybrid / IaaS / PaaS / SaaS migrating workloads from data centers to public clouds by 2018, 25% of data will bypass traditional security defenses and flow directly between mobile devices and the cloud it becomes more difficult to observe and monitor data flows new blind spots

5 Flowmon focus - Effective MTTR Mean Time To Response Mean Time To Resolution Mean Time To Repair FROM HOURS TO MINUTES!! (More than 75% operational and security issues regarding to network functionality are recognized in 1-5 hours)

6 How it works with Flowmon Flow data export from already deployed devices Flow data export + app layer monitoring / packet analysis SPAN/Mirror port or TAP Flow data collection, visualisation reporting, analysis Flowmon modules for advanced flow data analysis

7 Flow Monitoring Principle Flow Data (format: NetFlow, IPFIX) Flow Export Start Duration Proto Src IP:Port Dst IP:Port Packets Bytes 9:35: TCP : > : :35: TCP :80 -> :

8 Flowmon IPFIX Extensions Flowmon enriches traditional flow statistics For both operational and security use-cases L2 MAC VLAN MPLS GRE tunnel OVT L3/L4 Standard items NPM metrics RTT, SRT, TTL, SYN size, ASN Geolocation L7 NBAR2 HTTP DNS DHCP SMB/CIFS SQL

9 Use Case I. Network Operation

10 Network utilization SLOW INTERNET CONNECTION The network is really slow today Loading a website takes ages Remote users cannot work in our IS

11 Network utilization Internet line is really saturated today more than usual

12 Network Performance Monitoring NPM METRICS VISUALIZATION

13 Network Performance Monitoring NETWORK PERFORMANCE MONITORING METRICS Round-Trip Time (RTT) delay introduced by the network Server Response Time (SRT) delay introduced by the server Delay delay between individual packets of server response Jitter variance in delay TCP Retransmissions packet damage or loss Out-of-order packets number of packets received in the wrong order

14 Network Performance Monitoring WHAT NPM METRICS CAN INDICATE? delays in the network infrastructure (e.g. malfunctioning access point) delays in the server (e.g. not enough HW resources) bad audio and video quality (e.g. VoIP calls or videoconferences) problems on the physical layer (e.g. interference, faulty port) failures in communication links

15 Network Analyses Where is it coming from?

16 Network Analyses Windows Ok, I need update? to check And all not from these our IP addresses WSUS server?

17 User identity awareness authentication Identity source syslog export Time, login, IP address Flow (Time, IP, )

18 Passive device fingerprinting Based on extended HTTP visibility UserAgent as a source of device identification + MAC address, IP address, VLAN tag, flow source

19 Passive device fingerprinting

20 Flowmon NPMD usecase Use case: Flow Monitoring of production network spread over multiple locations Problem: long responses in the production part of the network Problem monthly cost: Flowmon costs: (2x probe, small collector and 1 year maintenance costs) Return of investment is 3 weeks Flowmon provides detailed network visibility to enable quick troubleshooting, reduce network operations costs and optimize the performance of an entire IT environment

21 Value Proposition Network Performance Monitoring & Diagnostic (NetFlow/IPFIX) Provides visibility eyes into the network traffic Reduces mean-time to resolve, builds up efficiency Reduces downtimes and network operational costs Ensures company productivity Flow analyses & Packet capturing Gartner: 80% of operational issues can be analyzed and solved by flow monitoring. Recommendation: Implement NetFlow/IPFIX to allow better measurement of user experience.

22 Use Case II. IT Operation

23 Communication Deadlock Network Admin Network is running well, no other issues reported. Problem has to be in the application. Application Admin Application seems to run OK, it should be problem in the network Me What s going on? App is running slow

24 Application Performance Monitoring User App Server Request Transport Time Response Transport Time Application Delay Application Network

25 Application Performance Monitoring App Server Database Server SQL Query Transport Time SQL Response Transport Time Database Delay Database Network

26 Detailed drill down (HTTP) LIST OF TRANSACTIONS INCLUDING URL, USER AGENT, INDIVIDUAL METRICS, STATUS CODE

27 Detailed drill down (SQL) LIST OF TRANSACTIONS INCLUDING INDIVIDUAL SQL QUERIES AND PERFORMANCE CHARACTERISTICS

28 Transaction correlation User application transactions Relevant app database server transactions User application database transactions correlation

29 Error Codes All Error Codes Transactions

30 Flowmon APM usecase Use case: Poor response time of internal information system Company with 500 employees, each spent 30 minut daily in average by nonproductive waiting for response from information system We calculated expenses 10 per hour per one employee, our daily loss is By deploying Flowmon APM we reduce non-productive time to 10 minutes which means we save 1650 every day Return of investment is 2-4 weeks Flowmon APM is a clever, agent-less application monitoring solution identifying and solving availability issues, slow response times, bottlenecks or configuration errors of critical applications.

31 Value Proposition User Experience Non-intrusive Real Time Application Performance Monitoring Agentless measurement of user experience Solves poor performance of external applications (e-shop, e-banking, e-portals...) Solves poor performance of and internal applications (information systems, CRM ) Correlation of User APP DB transactions Network-based APM is a cost-effective alternative for customers requiring an easy-todeploy solution to distinguish between network, application and database delay when monitoring user experience.

32 Use Case III. Security

33 More sophisticated attackers techniques Advanced persistent threat (APT) When applications run slowly or stop working, you need real-time network diagnosis to pinpoint the root cause Malware Malicious software or code that typically damages or disables, takes control of, or steals information from a computer system. Malware broadly includes adware, anti-av software, backdoors, bootkits, logic bombs, RATs, rootkits, spyware, Trojan horses, viruses, and worms Botnet A network of infected endpoints (known as bots) working together and controlled by an attacker through command-andcontrol (C2) servers Exploit Software or code that takes advantage of a vulnerability in an operating system or application and causes unintended behavior in the operating system or application, such as privilege escalation, remote control, or a denial-of-service Hijacked IP address ranges IP addresses that are stolen from their legitimate owners, typically by corrupting the routing tables of Internet backbone routers Distributed denial-of-service (DDoS) A coordinated attack, often from hundreds of thousands or millions of compro- mised endpoints, used to ood a target system or network Phishing social engineering technique in which an that appears to be from a legitimate business, typically a nancial institution or retail store, attempts to trick the recipient into clicking an embedded link in the or opening an attachment containing malware or an exploit

34 Firewall Web filter security SSH Access IDS/IPS UTM DMZ VPN Application firewall LAN

35 DMZ VPN Antivirus Personal Firewall Antimalware LAN Antirootkit Endpoint DLP

36 DMZ VPN LAN

37 Network Behavioral Analysis Flowmon Detection Principles Machine Learning Adaptive Baselining Heuristic Approach Behavior Patterns Reputation Databases

38 Advanced malware 78 port scans? DNS anomalies?

39 Advanced malware Let s see the scans first Ok, users cannot access web Are the DNS anomalies related?

40 Advanced malware Ok, which DNS is being used? ? This is notebook! How did this happen?

41 Advanced malware Let s look for the details Laptop is doing DHCP server in the network

42 Advanced malware Malware infected device Trying to redirect and bridge traffic Attack modification Sensitive data upload

43 Flowmon ADS usecase Use case: Network intrusion Risk: identity theft, user credentials theft Risk cost (SMB): 45k per leak Flowmon CAPEX: 19k Sometimes we experience situation when an employee brings his or her own device and tries to connect it into the network. The biggest issues are caused by devices with DHCP server service. It took us quite a while to locate such a device before. Today, we identify a fake DHCP server in our network immediately thanks to Flowmon ADS. Break-even: single leak Flowmon ADS utilizes sophisticated algorithms and machine learning to automatically identify network anomalies and risks that bypass traditional solutions such as firewall, IDS/IPS or antivirus.

44 Flowmon Detection Capabilities Attacks port scanning, dictionary attacks, DoS, DDoS, Telnet, VoIP/PBX Traffic anomalies DNS, DHCP, ICMP, multicast Internal security issues viruses, malware, ransomware, botnets, outgoing SPAM, potential data leakage Anomalies in device behaviour change of the long-term behaviour, profile of a device Operational problems delays, excessive load, unresponsive services broken updates Unwanted applications P2P networks, instant messaging, anonymization services (TOR)

45 Monitoring & Anomaly Detection SCADA / ICS Segmentation (DMZ, WiFi, PCN...) Security Gap: Patching, Media (USB etc.), Interconnection & no NAC... Missing deep network visibility!! Missing in security design!! Admin Botnet Infection Admin Engineering Station ALERT! Malware infection! Advantage: Fileshare anomaly! Stable flows Ransomware in? Data upload! SCADA Network! HMI Stations SCADA network OT Firewall Attacker! Data Upload Enterprise / Outside world Database Server FM Probe Botnet Infection FM Probe Botnet Infection Application / File Server Router OPC Server Netflow Data Collection Learning Baselines Netflow Data Collection Learning Baselines RTU/PLC Wired or Wireless Link RTU/PLC FlowMon Collector Voltage Sensor Current Sensor Relay Presure Sensor Pump Level Sensor Diagnostics of NetFlow data! Alert or notification sended

46 Value Proposition Next Generation Network Security - Behavior Analysis & Anomaly Detection Detects and alerts on abnormal behaviors Reports anomalies and advanced persistent threats Detect intrusions and attacks not visible by standard signature based tools Covering gaps left by standard perimeter and endpoint tools security Covering both IT (Enterprise/ISP) and OT (SCADA/ICS) environment Gartner: Blocking and prevention is not sufficient. After you deployed firewall and IPS, you should implement network behavior analysis to identify problems that are undetectable using other techniques.

47 Security Tools Inline Tools Intrusion prevention systems (IPS) Firewalls and next-generation firewalls (NGFWs) Data loss prevention (DLP) systems Unified threat management (UTM) systems SSL decryption appliances Web application firewalls (WAF) Out-of-Band Tools Intrusion detection systems (IDS) Behavior analysis systems Forensic tools Flowmon Data recording Packet capture (PCAP) tools Malware analysis tools Log management systems

48 Flowmon Probe High-performance standalone probe source of IPFIX L2/L3 invisible transparent for monitored network L2, L3, L4 and L7 Application deep network layer visibility Deep Packet Inspection, Data Traffic Recording Rack mountable hardware and virtual appliances SPAN / MIRROR port or TAP connection 10/100/1G-100G network traffic monitoring

49 Flowmon Collector Long-term statistics storage from multiple flow data sources Application for collecting and analysis of NetFlow/IPFIX/sFlow/jFlow statistics Flowmon Monitoring Center Delivered as a software equipment of Collector Visualization and analysis of network traffic, reporting, alerting

50 Enterprise Deployment Internet S Branch Office NPMD ADS FM Probe CORE switch CORE switch FM Probe NPMD ADS FTR FTR NPMD FM Collector NPMD APM FM Probe DC switch DC switch FM Probe APM DATACENTER VS Branch Office Z V AS DS DS J

51 Technology Landscape

52 Main drivers for Network Visibility Troubleshooting network performance When applications run slowly or stop working, you need real-time network diagnosis to pinpoint the root cause Protecting and securing the network If you aren t proactively and continuously monitoring network traffic using a total visibility, you re leaving your organization vulnerable to cybersecurity threats. Monitoring application performance and reliability Network-centric applications must be continuously and precisely monitored for reliability and performance. Optimizing performance of complex network infrastructure Monitoring tools you use will help you achieve excellent performance, but only if you are seeing all the data in a timely manner. Proactive monitoring for SLAs The growing use of cloud environments means you have an increasing number of sites and platforms to monitor, each with its own Service Level Agreements in place.

53 THANK YOU FOR YOUR ATTENTION! Flowmon Networks a.s. U Vodárny 2965/ Brno, Czech Republic