Ben Rothke - NBA for The Security Professional

Webinar - Network Behavioral Analysis for the Security Professional, by Ben Rothke

1. Network Behavioral Analysis for the Security Professional
   Ben Rothke, CISSP CISM, Security Consultant, BT INS

2. Sponsor
   - This webcast is sponsored by

3. About me
   - Ben Rothke, CISSP CISM
   - Security Consultant, BT INS
   - Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006)

4. Agenda
   - Introduction
   - Current state of information security
   - The need for NBA
   - Conclusions

5. Wal-Mart knows
   - Wal-Mart Stores knows how to run a business and how to sell products.
   - Real-time precision on how every item in every store is selling.
   - Historical, financial and other information about their products.
     - Why are sales of American flags higher in Mobile, AL the third week in March than in Fresno, CA?
     - How many 8GB pink iPod Nanos were sold in Fargo, ND yesterday?
     - Why are 64 oz. low-pulp Tropicana orange juice sales 26% lower in the Memphis north store than in the Memphis south store?

6. Does your CIO know?
   - Contrast that with today's corporate networks.
   - Many CIOs and CISOs have no idea what their networks look like:
     - Number of networks/subnets
     - Connected laptops
     - Remote sites
     - Firewall rules
     - Visio network maps vs. the production network
   - Clueless about the number of protocols, subnets, users, servers, applications, third-party connections, etc., running on their infrastructure and hardware.
   - No output of effective security metrics.
   - Condition: anarchy and disorder.

7. What's going on?
   - It's 2007, decades into the computer revolution.
   - Hundreds of billions of dollars have been spent on IT, yet only a fraction of companies really know what is going on inside their network.
   - Never has such knowledge been more important and more needed.
8. Threat landscape
   - Today's threat landscape should give everyone pause:
     - Volume of threats continues to increase
     - Number of new threats continues to increase
     - Propagation speed of threats continues to increase
     - Number of undetected attacks continues to increase
       - The TJX security breach went undetected for seven months
     - Losses from attacks continue to increase
       - Du Pont insider theft caused $400 million in damages
     - Time to exploit vulnerabilities continues to decrease

9. Problems with today's network security
   - Security devices are often deployed in a vacuum
     - No knowledge about what they are protecting
     - Marcus Ranum defines a firewall as "the implementation of your Internet security policy. If you haven't got a security policy, you haven't got a firewall. Instead, you've got a thing that's sort of doing something, but you don't know what it's trying to do because no one has told you what it should do." Does that describe your organization?
   - Misconfiguration
   - Configurations that have not been updated
   - Troubleshooting often takes extended amounts of time

10. Perimeter security
   - Perimeter security works when there is a perimeter
     - Much of the corporate perimeter has evaporated via extranets, vendor networks, convergence, VPN, etc.
   - Network perimeter defenses (firewalls, anti-virus, IDS/IPS) are often inadequate for dealing with a network whose perimeter has collapsed
   - Nor can they deal with internal threats that reside inside the firewall
   - How many IT managers know exactly (or even roughly) what their users are doing?

11. Are today's network managers blind?
   - Do they know:
     - Who's on their network?
     - What protocols they are using?
     - What applications are running?
     - What changes are made?
     - Who made those changes?
     - Historical trends?
     - How can I optimize my network?

12. Partial solutions
   - Currently, most IT managers have a very limited, minimally integrated view of their network
   - No idea how many network incidents occur
     - Varied definitions of "network incident" within the same company
     - Many lack a formalized and tested CERT
     - Effective security metrics are not developed and used
     - Implementation of a SOC is many years away

13. Network ignorance is not bliss
   - Network ignorance is not bliss, it's expensive.
   - Extended problem resolution increases costs and downtime
   - Unauthorized activities, users and applications cause damage and downtime
   - Regulatory requirements are not met
     - How many hosts are connected to that regulated server?

14. What's the solution?
   - First generation
     - Anomaly detection
     - IDS/IPS detects what the firewall can't detect
       - But what about what the IDS can't detect?
     - In-line signature-based systems
       - But they can't detect unusual/anomalous behavior
   - Next generation, available now
     - Network Behavioral Analysis (NBA)
       - Real-time profile of network assets
       - Correlates monitored events from security products
15. NBA: a definition
   - NBA provides network-wide visibility to understand how systems are used, who uses them, how systems connect to and depend on each other, and which ports and protocols systems connect over.
   - Because it analyzes the behavior of network traffic, NBA provides protection from threats that other security systems cannot identify, such as insider attacks, unauthorized servers and services, and zero-day attacks.
   - NBA also eases the burden of regulatory compliance by reporting on network behaviors that did or did not occur.

16. Is NBA a panacea?
   - The market is still immature
   - Slow adoption
   - Not a lot of experts
   - False positives are still an issue
17. NBA vision into the network (diagram: the attributes NBA records for each conversation)
   - Source: end-user; IP/MAC address; switch port; UDP/TCP source port
   - Data: IP data (UDP, TCP, etc.); TCP flags; Layer 7 application data; number of bytes/packets sent and received; path (each router/interface); start time/end time
   - Destination: end-user; IP/MAC address; switch port; UDP/TCP destination port
18. NBA methods
   - Statistical
     - Determines the network's normal traffic flows via data types and connection flows
   - Threshold detection
     - Volume thresholds for different types of network traffic
   - Learning/adaptive
     - Examines the network over time and uses neural-network and other approaches to learn which specific traffic and system behaviors are harmful

19. NBA benefits
   - Better detects the following attacks:
     - Zero-day
     - Targeted
     - Low-and-slow/stealth
     - Unknown signature

20. NBA differentiators
   - NBA can capture critical network-behavior information that other security devices never analyze.
   - Passively listens to network traffic from routers and sensors, modeling the network behavior of all end points and applications on the network.
   - This baseline is a picture of how network devices and business services are being used, and by whom.
   - NBA then analyzes anomalous behavior to detect and characterize threats.

21. Real-time views
   - One of the most compelling benefits of NBA is its ability to show a real-time view of network and security activity.
     - Gather all relevant security information in one place, providing an accessible overview of current information security status and a consistent, reliable view that empowers effective decision making.
   - Point solutions detect specific kinds of attacks
     - But creating action plans against those attacks requires a real-time view and in-depth analysis of network traffic
   - With a baseline model that defines normal behavior and the ability to track network moves/adds/changes, anomalies can be identified quickly and problems reacted to in real time.

22. NBA: troubleshooting
   - NBA facilitates rapid identification and resolution of security incidents
   - Knowing who, what, where, when, what's typical and what's changed is extremely time consuming
     - But not with NBA in place
23. Optimization
   - Data center consolidation is increasing
     - Pressure to optimize current infrastructure
   - The ITIL framework is gaining increased acceptance for best practices
   - NBA gives IT managers increased visibility into user-to-user and user-to-technology interactions to optimize the end-user experience and network performance.
   - The only way to optimize your network and IT infrastructure is to have visibility into its behavior.
   - Companies must anticipate the impact of new applications, users, services, etc., and how they will affect the infrastructure and required service levels.

24. Optimization: the Big 4 requirements
   - NBA provides a better method of network optimization via:
   - Global view
     - Continuous view of user activities
   - Change
     - Today's dynamic network environment is synonymous with change.
     - Knowing the typical behavior of users, networks and applications ensures that changes in behavior are easier to pinpoint and diagnose.
   - Shorter troubleshooting times
     - CIOs are now being taken to task if mean time to repair (MTTR) negatively impacts the business.
     - Better visibility into the changes in behavior that impact performance ensures that MTTR is shorter.

25. Optimization: the Big 4 requirements (continued)
   - Network/security integration: security operations and network operations are often not in sync with one another.
     - Both should work together to mitigate both performance issues and security events, which NBA supports.
     - Dual value in working together
     - Physical security is coming into the scene
       - "The convergence of physical security and IT is first and foremost about collaboration. Technologies sharing information; processes finding synergies; and people working together. The $140 billion physical security industry is beginning a tectonic shift toward IT." Steve Hunt, securitydreamer.com

26. What experts say about NBA
   - "Network Behavior Analysis systems are the new foundation of Defense in Depth architectures"
     - Enterprise Strategy Group
   - "By year-end 2007, 25% of large enterprises will employ NBA as part of their network security strategy"
     - Gartner
   - "Today's complete layered security solution should include IDS, IPS, NBA & endpoint security to ensure security posture pre and post network authorization and authentication."
     - Yankee Group
27. Policy- and signature-based solutions
   - NBA fills the gaps left by policy- and signature-based solutions (IDS/IPS, SIM/SEM)
   - These technologies often miss threats they were not specifically designed to detect.

28. Is NBA simply SIM/SEM on steroids?
   - SIM/SEM tools are log aggregators at heart, and lack the advanced intelligence that NBA offers.
     - SIM/SEM lacks user context
     - Lacks broad network scoping of activities
   - NBA provides a layer of intelligence about what systems, applications and users are actually doing on your network.
     - Deep analysis
     - Application-layer network knowledge
     - Agentless/auto-discovery

29. Is NBA all I need?
   - Don't unload all of your security software and hardware
   - Gartner recommends NBA as part of a balanced strategy to protect an enterprise network after implementing and tuning firewall and IDS/IPS mechanisms.
   - You don't have to wait: IDS at the edge, NBA at the core
   - NBA systems can be used to help tune IDS/IPS through the visibility they provide, so it makes sense to deploy them simultaneously.

30. NBA history
   - First emerged in 2001 to deal with DDoS attacks
   - NBA began as a security-only solution
     - But NBA delivers value beyond security
   - Provides detailed and continuous network visibility
   - Enhances existing network management tools
     - Helps administrators optimize their networks for actual end-user behavior

31. NBA is not magic
   - NBA is a decision support system
   - Requires a knowledgeable operator who can interpret, investigate and respond to a variety of suspicious activities on your network.

32. NBA product requirements
   - Discovers all running applications, the users of those applications, and profiles of their normal use patterns and dependencies.
   - Automatically builds a baseline of behavior
     - Heuristics can be constantly compared against it
   - Application policies customized and monitored for compliance
   - Upon a policy breach, alerts on where, why, how and by whom the breach occurred
33. Using NBA: building a normal baseline
   - Determine and define normal network traffic
   - Develop a model:
     - Who talks to whom
     - Protocols and ports in use
     - Daily/hourly traffic levels
     - Frequency levels
     - Lists of clients and servers
     - Days of the week
     - Times of the day

34. Using NBA: building an abnormal baseline
   - Determine and define abnormal network traffic
   - Develop a model:
     - Host scan
     - Port scan
     - Worm, malware detection
     - New service/application
     - New hardware
     - New host
     - Suspicious connection
     - DoS, DDoS, bandwidth surges
     - Tunneled applications
     - P2P, spambots, etc.

35. Using NBA: building rules
   - Create custom rules:
     - Application access
     - Usage policies to monitor for policy violations
     - Usage policies to monitor for policy changes
     - Enforce normal activity
     - Define actions for unique/special conditions
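As an added example (not from the slides or from any NBA product), the following toy script walks through what slides 18 and 33 to 35 describe: it learns a normal baseline from flow records (who talks to whom, services per server, hourly volume per host) and then runs the abnormal-baseline checks over a new window (new host, new peer pair, new service, volume above mean + k*stddev, port scan, host scan). The flow records, addresses and thresholds are all constructed for illustration.

```python
"""Toy network-behavior baseline and anomaly pass over flow records.

Added example, not taken from the slides or from any NBA product. The flow
records are constructed inline using fields from slide 17 (source and
destination IP, protocol, destination port, bytes, start time as an hour).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-period flows: (hour, src_ip, dst_ip, proto, dst_port, bytes)
BASELINE_FLOWS = [
    (9, "10.0.1.10", "10.0.2.5", "tcp", 443, 52_000),
    (9, "10.0.1.11", "10.0.2.5", "tcp", 443, 48_000),
    (10, "10.0.1.10", "10.0.2.5", "tcp", 443, 51_000),
    (10, "10.0.1.10", "10.0.2.7", "tcp", 445, 9_000),
    (11, "10.0.1.11", "10.0.2.7", "tcp", 445, 8_500),
    (11, "10.0.1.10", "10.0.2.5", "tcp", 443, 49_000),
]

# Constructed monitoring window containing one event of each abnormal kind.
WINDOW_FLOWS = (
    [(12, "10.0.1.10", "10.0.2.5", "tcp", 443, 500_000)]  # bandwidth surge
    + [(12, "10.0.1.11", "10.0.2.5", "tcp", 22, 1_200)]  # new service on a known server
    + [(12, "10.0.3.9", "10.0.2.7", "tcp", p, 60) for p in range(1, 14)]  # unknown host, port scan
    + [(12, "10.0.1.12", f"10.0.2.{n}", "tcp", 445, 60) for n in range(20, 31)]  # host scan
)

def build_baseline(flows):
    """Normal baseline (slide 33): known hosts, who talks to whom, services
    offered per server, and mean/stddev of hourly bytes per source host."""
    hosts, pairs = set(), set()
    services = defaultdict(set)                     # server -> {(proto, port)}
    hourly = defaultdict(lambda: defaultdict(int))  # src -> hour -> bytes
    for hour, src, dst, proto, port, nbytes in flows:
        hosts.update((src, dst))
        pairs.add((src, dst))
        services[dst].add((proto, port))
        hourly[src][hour] += nbytes
    volume = {}
    for src, per_hour in hourly.items():
        vals = list(per_hour.values())
        volume[src] = (mean(vals), pstdev(vals))
    return {"hosts": hosts, "pairs": pairs, "services": dict(services), "volume": volume}

def detect(baseline, flows, k=3.0, scan_ports=10, scan_hosts=10):
    """Abnormal-baseline checks (slide 34) over one window of flows: new host,
    new peer pair, new service, hourly volume above mean + k*stddev (the
    threshold method of slide 18), port scan and host scan. The thresholds
    are illustrative assumptions, not any product's defaults."""
    alerts = []
    ports_hit = defaultdict(set)   # (src, dst) -> distinct destination ports
    hosts_hit = defaultdict(set)   # src -> distinct destination hosts
    hour_bytes = defaultdict(int)  # (src, hour) -> bytes sent
    for hour, src, dst, proto, port, nbytes in flows:
        alerts += [("new_host", h) for h in (src, dst) if h not in baseline["hosts"]]
        if (src, dst) not in baseline["pairs"]:
            alerts.append(("new_pair", src, dst))
        if (proto, port) not in baseline["services"].get(dst, set()):
            alerts.append(("new_service", dst, proto, port))
        ports_hit[(src, dst)].add(port)
        hosts_hit[src].add(dst)
        hour_bytes[(src, hour)] += nbytes
    alerts += [("port_scan", s, d, len(p)) for (s, d), p in ports_hit.items() if len(p) >= scan_ports]
    alerts += [("host_scan", s, len(d)) for s, d in hosts_hit.items() if len(d) >= scan_hosts]
    for (src, hour), total in hour_bytes.items():
        if src in baseline["volume"]:
            mu, sigma = baseline["volume"][src]
            if total > mu + k * sigma:
                alerts.append(("volume", src, hour, total))
    return list(dict.fromkeys(alerts))  # drop duplicate alerts, keep first-seen order

def alert_kinds(alerts):
    """Distinct alert types present, sorted for a summary report."""
    return sorted({a[0] for a in alerts})
```

Re-running `detect` over the learning-period flows themselves returns no alerts, which is the sanity check to perform before trusting a baseline; a real deployment would also age out the baseline as the network changes (slide 24).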
36. Using NBA: integration
   - NBA works with, but does not replace, your existing networking and security product infrastructure.
   - Integrate NBA with them
     - "IDS is Dead", Gartner 2003
     - IDS is alive and well in 2007. But it, like other technologies, needs to integrate and provide a network-intelligent solution
     - Network and threat complexity is increasing, which IDS can't handle alone, and requires new solutions such as NBA.
   - Invoke NBA features within your existing management tools and avoid "swivel chair monitoring."

37. Behavior analysis
   - Automatic behavior analysis monitors activity to determine if it is meaningfully different from the known typical behavior.
   - Types of behavior analysis
     - Out-of-the-box automated heuristics
       - Preconfigured. Ability to quickly implement ongoing behavior analysis with minimal effort
     - Custom policies
       - Monitor specific conditions. Analysis leverages the global behavior profile.

38. Effective NBA implementation
   - Define your key requirements
     - Network activity
     - Automatic heuristics
     - Custom rule generation
     - Monitoring
     - Integration with existing networking and security products
     - Agent vs. agentless

39. Effective NBA implementation (continued)
   - Product capabilities
     - Integration
     - Reporting
     - Network flow data
     - Deep packet inspection
     - Scalability
     - DDoS protection
     - And more

40. Effective NBA implementation (continued)
   - Network and security operations work together
     - NBA has its roots as a security tool
     - But network operations can benefit greatly.
     - Network operations should consult with security operations so both support organizations leverage a common investment.

41. Conclusions
   - Network and security administrators have discovered the value that NBA has beyond security threat detection.
   - NBA provides visibility into all network activity:
     - Optimizing the end-user experience
     - Monitoring for meaningful change
     - Troubleshooting performance issues faster
     - Delivering value to both network and security operations
   - Enterprises are experiencing the benefits today, and behavioral context will become even more critical in the future.