Next Generation Network Traffic Monitoring and Anomaly Detection. Petr Springl


Next Generation Network Traffic Monitoring and Anomaly Detection Petr Springl springl@invea-tech.com

INVEA-TECH
Company profile
- University spin-off company
- 10 years of development, participation in EU funded projects (project Liberouter and programmable hardware), 10 mil Euro invested, creation of world's unique technologies
- Strong academic background: CESNET, MU, VUT
- Founded 2007
- Expansion onto foreign markets since 2010: UK, US, Canada, Germany, Japan and others
- Key products:
  - FlowMon: network traffic monitoring
  - ADS: detection of anomalies, operational and security issues
- FlowMon + ADS = a complete solution for monitoring and security

Reference
- GÉANT2, Federica: monitoring of 7 European backbones
- CZ Ministry of Defense (via VDI META)
- Korea Telecom
- AVG, Aegon
- CESNET
- T-Mobile
- and more...

Agenda
- Network & Security: interesting/surprising statistics? standard security tools overview
- Network Traffic & Security Monitoring
- FlowMon Solution Introduction
- Use Case: Discovery of Botnet Chuck Norris

22.10.2012 Network & Security

Malware. Source: McAfee Threats Report: Fourth Quarter 2011

Botnets: infected devices. Source: McAfee Threats Report: Fourth Quarter 2011

Botnets: infected devices. Source: McAfee Threats Report: Fourth Quarter 2011

Attackers' Motivation. Source: Radware 2011 Global Application & Network Security Report

Data Breaches. Source: McAfee Threats Report: Fourth Quarter 2011

Botnet as a Service. Source: McAfee Threats Report: First Quarter 2011

How to face attacks
- Attacks against any organization (SMBs, enterprises, government, education or other organizations) are rising
- Attackers use different approaches and attack types: hacking, cracking, dictionary attacks, DOS/DDOS attacks, attacks against services, social engineering, identity theft, botnets
- Organizations don't know which specific threats to fight
- Many attacks are undetectable by standard approaches: Advanced Persistent Threats, Zero-Day attacks, Polymorphic malware, ...
- What possibilities are there for organizations? for ISPs?

Organizations
- Perimeter Security: firewall, IDS/IPS, UTM, application firewall, web filter, email security, remote access
- Endpoint Security: antivirus, personal firewall, antimalware, antirootkit, endpoint DLP
- Internal Network Security: network traffic visibility (flow monitoring), NBA - Network Behavior Analysis, automatic anomaly detection

ISPs
- ISPs are in a different situation
- They have to face the same threats, but don't have as many possibilities to do so
- ISPs shouldn't protect only themselves, but also help to protect their customers, and protect the Internet from their customers

ISPs
- Network Elements Security: switches, routers (configuration, secure management, services)
- Network Security: routing, rate limiting, filtering, redundancy
- Incident Detection: alert from customer, ISP or other; IDS, syslogs, SNMP monitoring; network traffic visibility (flow monitoring), NBA - Network Behavior Analysis, automatic anomaly detection

Summary
- All the tools and approaches mentioned are very important from a security point of view
- Most are aimed at protection from known threats and attackers
- That's why continuous monitoring and detailed information about activities in the network is important: it provides complete visibility into the network and is able to detect sophisticated attacks (APTs, zero-day attacks), even those not detected by other approaches

22.10.2012 Network Traffic & Security Monitoring

Flow Monitoring Principles
- IP flows monitoring: analysis of packet headers only; content (packet payload) is not monitored
- Modern method for network monitoring
- NetFlow v5/v9: Cisco standard

Architecture
- Source of network statistics: switches, routers, specialized probes or other devices; network traffic monitoring - generate and export flow data
- Flow data collectors: flow data storage, collection & analysis
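To make the principle on these two slides concrete, here is an added illustration written for this page (not FlowMon's or INVEA-TECH's code): a minimal flow exporter in Python that turns packet headers into NetFlow-style flow records, keyed by the 5-tuple (source and destination address, source and destination port, IP protocol) and expired by active and inactive timeouts the way a probe or router does. Only header fields are read, never payload, which is exactly what makes flow monitoring work on encrypted traffic. The packets, addresses and timeout values are constructed assumptions for the example.

```python
"""Added example: how a flow exporter turns packet headers into flow records.
Constructed packets, not captured traffic; not FlowMon code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# NetFlow v5-style flow key: src addr, dst addr, src port, dst port, IP protocol.
FlowKey = Tuple[str, str, int, int, int]


@dataclass
class Packet:
    ts: float       # capture timestamp, seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    length: int     # bytes on the wire (header fields only; no payload is kept)


@dataclass
class FlowRecord:
    key: FlowKey
    first: float    # timestamp of first packet
    last: float     # timestamp of last packet
    packets: int = 0
    octets: int = 0

    @property
    def duration(self) -> float:
        return self.last - self.first


def aggregate_flows(packets: List[Packet],
                    active_timeout: float = 300.0,
                    inactive_timeout: float = 15.0) -> List[FlowRecord]:
    """Group packets into unidirectional flows and expire them like an exporter.

    A flow is exported when no packet has been seen for `inactive_timeout`
    seconds, or when it has been open for `active_timeout` seconds (long
    flows are split so the collector sees them before they end).
    The defaults are assumed typical values, not FlowMon's configuration.
    """
    cache: Dict[FlowKey, FlowRecord] = {}
    exported: List[FlowRecord] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        # Expire idle or long-running flows before inserting the new packet.
        for key in list(cache):
            rec = cache[key]
            if pkt.ts - rec.last > inactive_timeout or pkt.ts - rec.first >= active_timeout:
                exported.append(cache.pop(key))
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        rec = cache.get(key)
        if rec is None:
            rec = cache[key] = FlowRecord(key, pkt.ts, pkt.ts)
        rec.last = pkt.ts
        rec.packets += 1
        rec.octets += pkt.length
    # End of capture: flush everything still active.
    exported.extend(cache.values())
    return exported


def flow_table(records: List[FlowRecord]) -> Dict[FlowKey, List[Tuple[int, int, float]]]:
    """Index records by key as (packets, octets, duration); a key split by a
    timeout appears once per exported record."""
    table: Dict[FlowKey, List[Tuple[int, int, float]]] = {}
    for r in records:
        table.setdefault(r.key, []).append((r.packets, r.octets, round(r.duration, 3)))
    return table


def describe(rec: FlowRecord) -> str:
    """Who talks to whom, for how long, over what protocol, how much: the
    questions a collector answers from a record."""
    src, dst, sport, dport, proto = rec.key
    name = {6: "TCP", 17: "UDP"}.get(proto, str(proto))
    return (f"{src}:{sport} -> {dst}:{dport} {name} "
            f"{rec.packets} pkts {rec.octets} B {rec.duration:.2f}s")


# Constructed sample: a short HTTP exchange, a DNS lookup, then a late packet
# on the HTTP key after an idle gap longer than the inactive timeout.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", "198.51.100.10", 51000, 80, 6, 74),
    Packet(0.1, "198.51.100.10", "10.0.0.5", 80, 51000, 6, 74),
    Packet(0.2, "10.0.0.5", "198.51.100.10", 51000, 80, 6, 512),
    Packet(0.3, "198.51.100.10", "10.0.0.5", 80, 51000, 6, 1500),
    Packet(0.4, "10.0.0.5", "192.0.2.53", 40000, 53, 17, 80),
    Packet(0.42, "192.0.2.53", "10.0.0.5", 53, 40000, 17, 200),
    Packet(40.0, "10.0.0.5", "198.51.100.10", 51000, 80, 6, 60),
]

if __name__ == "__main__":
    for rec in aggregate_flows(SAMPLE_PACKETS):
        print(describe(rec))
```

With the default 15 s inactive timeout the late packet becomes a second record for the same key; raising the timeout merges it back into the first, which is the trade-off an exporter's timeout settings control.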

Network Traffic Monitoring Benefits
- Complete Network Visibility: real-time & historical
  - TOP N statistics (users/customers, services, sites)
  - user defined profiles (based on user filters)
  - drill down to any communication
  - alerting & reporting
- Security Enhancement, Incidents Tracking
- Benefits also for network management: fast, precise and effective troubleshooting; network performance monitoring; trending, capacity planning, traffic engineering; IP traffic based accounting and billing; network management cost reduction

Network Behavior Analysis (NBA)
- Automatic advanced analysis of flow (NetFlow) data
- Modern approach to network security
- Undesirable behavior pattern detection: internal and external threats, undesirable services and applications
- Behavior analysis: behavior profiles, anomaly and suspicious behavior detection
"NBA is about higher visibility in the behavior of your network to cover gaps left by signature based mechanisms." Paul E. Proctor, Vice President, GARTNER
[Figure: Behavior detection vs. Signature detection, placed across Network level and Host level]

NBA Benefits
- Internal & external attack detection
- Fast overview of any events in the network, including problem indication
- Enables fighting modern sophisticated attacks
- Detection of threats which are undetectable by standard approaches
- Effective for encrypted traffic

22.10.2012 FlowMon solution

FlowMon: Network Under Control
- Innovative network traffic & security monitoring solution using IP flows
- Based on NetFlow v5/v9 and IPFIX technology
- Provides information about who communicates with whom, how long, what protocol, traffic volume and more
- Best price/performance ratio in the industry
- Solution for networks of all dimensions
- Exceptional customer benefits
Your network under control!

FlowMon Architecture
- FlowMon Probes: passive standalone source of network statistics (NetFlow / IPFIX data)
- FlowMon Collectors: visualization and evaluation of network statistics
- FlowMon plugins: FlowMon ADS - automatic traffic analysis to reveal operational & security issues

FlowMon Probe
- High-performance standalone probe - source of IP flow records in NetFlow v5, v9 and IPFIX format
- L2/L3 invisible - transparent for the monitored network
- Standard and hardware accelerated models
- Remote configuration via a user-friendly web GUI
- 10/100/1000 Ethernet, 10 GbE, IPv4, IPv6, MPLS, VLAN
- Maintenance-free appliance with simple configuration
- Built-in collector (data storage redundancy)

FlowMon Probe Models
- Compact rack mount (1U) NetFlow probes
- Standard models: suitable for most networks, excellent price/performance ratio
  - performance: more than 500 k packets per second for a 1GbE port, up to 5 M packets per second for a 10GbE port
  - models from 1x 100MbE port up to 4x 10GbE ports
- Hardware-accelerated models (Pro): suitable for large networks and backbone links
  - wire speed performance
  - 10GbE models available, 40/100GbE models available soon

FlowMon Collector
- Standalone appliance for long term storage of flow statistics from multiple sources (probes, routers, switches)
- Support for NetFlow/IPFIX/sFlow data storage & analysis
- Professional solution for mid-size and large networks: RAID, redundant power, remote management
- storage capacity from 1TB up to hundreds of TBs
- unique performance: more than 200k flows/s processing

FlowMon Collector - GUI
- Graphs, tables and forms for further data processing
- Top N statistics (users, sites, services)
- Predefined set of profiles/views for standard protocols
- User defined profiles (based on IP address or ports)
- Intelligent reporting (online/offline email/pdf/csv reports)
- Profile support and automatic alerts (e-mail, syslog, SNMP etc.)

FlowMon Plugins

FlowMon ADS
- Undesirable behavior detection: attacks, undesirable services, operational and configuration problems
- Behavior profile computing: communication partners
- Anomaly detection: traffic volume and structure
- Intuitive user interface: immediate network problem indication, interactive event visualization, integration with information from DNS, WHOIS, geolocation services
- Complex filtering, alerting, reporting

FlowMon ADS: Detection of undesirable patterns in communication
- Attacks (port scanning, dictionary attacks, DOS/DDOS, telnet protocol)
- Data traffic anomalies (DNS, multicast, non-standard communications)
- Undesirable applications (P2P networks, anonymizers)
- Internal security problems (viruses, spyware, botnets)
- Mail traffic (outgoing spam)
- Operational problems (delays, high traffic, reverse DNS records)

FlowMon Benefits
- Long-term storage of traffic statistics
- Network capacity planning
- Connectivity optimization
- Peering agreement optimization
- Attack, anomaly and suspicious behavior detection
- Data retention law fulfillment
- Accounting and billing based on traffic amount
- Possibility of integrating graphs and tables into your IS

22.10.2012 Use Case: Discovery of Botnet Chuck Norris (prepared in cooperation with CSIRT-MU)

Botnet Chuck Norris
- Many attempts from all over the world to connect to the TELNET service, discovered by network security monitoring (flow monitoring) at Masaryk University
- Who nowadays uses TELNET??? Why do devices from all over the world try to connect to the TELNET port?
- The following detailed analysis led to the revelation of a botnet

Botnet Chuck Norris
- Back tracking: infected devices are ADSL modems, WIFI routers
- Analysis of an infected device
- Connection to C&C server
- Analysis of botnet behavior

Botnet Chuck Norris
- Attacks Linux servers: ADSL modems, WIFI routers
- Infected devices try to infect other devices: port scanning, TELNET dictionary attack (only 15 passwords!!!!)
- Infected devices connect to a central C&C server, which sends them commands (IRC)
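The behaviour on the last three slides is what flow monitoring exposed at Masaryk University: many short connections to TCP/23 from many sources, and infected devices probing TCP/23 across many addresses. As an added example (written for this page; not FlowMon ADS code and not data from the incident), the Python below runs two simple NBA-style detectors over constructed flow records: one for an inbound dictionary attack against a single host, one for an internal host scanning for Telnet listeners. The thresholds, addresses, the "10.0.0." internal prefix and the flow counts are assumptions chosen for the example.

```python
"""Added example: NBA-style Telnet pattern detection over constructed flow records.
Not FlowMon ADS code and not data from the Chuck Norris incident."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    """One unidirectional flow record as a collector would store it."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # 6 = TCP
    packets: int
    octets: int


TELNET = 23
TCP = 6
INTERNAL_PREFIX = "10.0.0."      # constructed: the monitored network
# Thresholds are assumptions for the example, not vendor defaults.
MIN_SOURCES_FOR_BRUTEFORCE = 5   # distinct external sources per target host
MIN_TARGETS_FOR_SCAN = 10        # distinct hosts probed by one source


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_PREFIX)


def detect_telnet_bruteforce(flows: List[Flow],
                             min_sources: int = MIN_SOURCES_FOR_BRUTEFORCE) -> Dict[str, dict]:
    """Inbound dictionary attack: many distinct external sources each opening
    TCP/23 flows to the same internal host. Returns {target: {sources, flows}}."""
    sources = defaultdict(set)
    count = defaultdict(int)
    for f in flows:
        if f.proto == TCP and f.dport == TELNET and is_internal(f.dst) and not is_internal(f.src):
            sources[f.dst].add(f.src)
            count[f.dst] += 1
    return {dst: {"sources": len(s), "flows": count[dst]}
            for dst, s in sources.items() if len(s) >= min_sources}


def detect_telnet_scanners(flows: List[Flow],
                           min_targets: int = MIN_TARGETS_FOR_SCAN) -> Dict[str, int]:
    """Outbound scanning: one source contacts many distinct addresses on TCP/23
    with tiny flows (a SYN or two, no payload). Returns {source: distinct targets}."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == TCP and f.dport == TELNET and f.packets <= 2:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def build_sample_flows() -> List[Flow]:
    """Constructed records: an inbound attack, an internal scanner and benign traffic."""
    flows: List[Flow] = []
    # 8 external sources, 3 login attempts each, against 10.0.0.7 (constructed).
    for i in range(8):
        for attempt in range(3):
            flows.append(Flow(f"203.0.113.{i + 1}", "10.0.0.7", 40000 + attempt, TELNET, TCP, 6, 420))
    # Infected 10.0.0.42 probing 30 addresses on TCP/23 with single SYNs (constructed).
    for i in range(30):
        flows.append(Flow("10.0.0.42", f"198.51.100.{i + 1}", 51000 + i, TELNET, TCP, 1, 60))
    # Benign background: an SSH session and a web fetch.
    flows.append(Flow("10.0.0.5", "198.51.100.200", 52000, 22, TCP, 340, 48000))
    flows.append(Flow("10.0.0.5", "198.51.100.201", 52001, 80, TCP, 12, 9000))
    return flows


def report(flows: List[Flow]) -> List[str]:
    """Human-readable alerts from both detectors."""
    lines = []
    for dst, info in sorted(detect_telnet_bruteforce(flows).items()):
        lines.append(f"ALERT telnet dictionary attack: {dst} targeted by "
                     f"{info['sources']} sources in {info['flows']} flows")
    for src, n in sorted(detect_telnet_scanners(flows).items()):
        lines.append(f"ALERT telnet scan: {src} probed {n} hosts on TCP/23")
    return lines


if __name__ == "__main__":
    for line in report(build_sample_flows()):
        print(line)
```

Neither detector looks at payload; both work purely on counts of distinct peers per host and per destination port, which is why the same logic applies whether or not the sessions are encrypted, and why a handful of records per probe is enough to surface a device that is scanning.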

Botnet Chuck Norris
- Compilation timestamp in pnscan tool: July 2008
- First file uploaded to distribution servers: May 2009
- Botnet discovery at Masaryk University: December 2009
- Trying to shut down the botnet (CSIRT-MU)
- Chuck Norris v2: May 2010
- Different modifications till nowadays: Hydra, Aidra, ???

Attacks Continue

Chuck Norris - summary
- Attacks poorly-configured Linux MIPSEL devices - ADSL modems, WIFI routers
  - users are not aware of the malicious activities
  - missing anti-malware solution to detect it
  - possible to manipulate the complete traffic to/from the network
- Attack based on a trivial dictionary attack (15 passwords)
- Many network operators underestimated the possibility of a trivial attack
- Discovered at Masaryk University
The malware got the Chuck Norris moniker from a comment in its source code: "[R]anger Killato : in nome di Chuck Norris!"

INVEA-TECH @ PLNOG 2012
- Is network traffic & security monitoring interesting for you?
- Visit our next presentation @ PLNOG 2012: FlowMon Network Traffic & Security Monitoring in Examples, tomorrow at 11:50, New Technology section
- Visit our booth and discuss with us

Thank you for your attention
High-Speed Networking Technology Partner
Petr Špringl, springl@invea-tech.com, 00420 511 205 252
INVEA-TECH a.s., U Vodárny 2965/2, 616 00 Brno, Czech Republic, www.invea-tech.com