Internal host-reputation-webinar


With so many new threat actors out there, IP reputation is becoming increasingly critical for effectively combating attacks. Under today’s security paradigm, administrators need to know not only about the bad guys lurking on the Internet, but also about the ones operating inside the network perimeter.

Lancope uniquely provides both internal and external host reputation, better preparing organizations to: combat APTs and insider threats, address BYOD challenges, and deliver actionable information for security teams.

Learn how to leverage internal host reputation to uncover a wide range of suspicious user behaviors such as:

* Sending out an unusual amount of traffic
* Communicating with known bad external hosts
* Accessing restricted areas of the network
* Spreading malware


  1. ©2013 Lancope, Inc. All Rights Reserved. Internal Host Reputation for Combating Advanced Cyber Threats. Matthew McKinley
  2. Agenda
     * Background: What is IP reputation? Why is it important? How is it used today?
     * What is the Concern Index? Basic definition; how it relates to reputation
     * The two sides of IP reputation: external and internal
     * Combating Advanced Cyber Threats: Internal Host Reputation as a function of the Concern Index; the benefits of IHR; how IHR can help with attacks that are not easily categorized
  3. Background
     * IP reputation is a measure of how trustworthy (or, more commonly, untrustworthy) an IP is
       * Based on association with spam, botnets, and other malicious activity
       * Knowing the reputation of IP addresses gives administrators an idea of what to watch for, e.g. "Is someone on my network talking to a known botnet?"
     * Today, External Host Reputation is used for a variety of purposes, but mostly as a way to identify when
       * A known bad address has communicated with you, or
       * Someone on your network has communicated with a known bad address
  4. The Concern Index
     * The Concern Index is a measure of, literally, how concerned one should be about a given host
       * Concern Index Points are accumulated based on: behavior (e.g. deviation from norms, scanning activity, communication patterns); communication with particular outside hosts; movement of unexpectedly large amounts of data; communication with unexpected parts of the network (e.g. a desktop talking to a server in a PCI environment)
       * The CI is calculated network-wide because of the visibility provided by NetFlow data
       * The CI can be leveraged for actions such as alarming, trending, reporting and, you guessed it, Reputation!
  5. The Concern Index: here is what the Concern Index looks like in use (screenshot)
  6. Reputation
     * Now wait a minute, I already know what reputation is! True. But there are two sides to the coin: external and internal
     * External is very useful, and many, many security pros make use of one of the many reputation services
       * This is good for knowing what to block, what to look out for, etc.
     * The internal side is just as important, but harder to do
       * External services cannot see the interior of your network
       * Even if they could, the understanding and visibility required would be complicated
     * Hosts on the inside of the network misbehave, too
       * Data exfiltration
       * Users hogging bandwidth
       * Communication with command and control servers
       * Attempted communication to forbidden parts of the network
  7. Reputation
     * Internal Host Reputation is a more personal form of reputation service that is unique to your environment
       * Issues can be spotted before they become problems
       * Because of ISE integration, users can be tied to IP addresses
       * Reputation can extend to virtual hosts
       * Events leading to degraded reputation are easily accessible
  8. Tying it all together
     * What does the Concern Index have to do with Reputation?
       * The CI is a measure of how "out-of-bounds" a host on the network has become
       * As we've discussed, there can be many reasons for that
       * The more CI points a host accumulates, the more incorrectly it's behaving
     * Dashboards are close friends of the Admin. The Reputation dashboard ranks hosts based on Concern Index, with the worst offenders at the top
     * Running a host snapshot for the top offender gives you an idea of its Reputation: how has this host been acting historically on my network?
  9. Combating Advanced Cyber Threats
     * Perimeter defenses lack signatures for Advanced Cyber Threats
       * Phishing
       * Social engineering
       * Well-engineered email attachments
       * Insiders
     * Because the end result is similar, i.e. the endpoints behave in ways they normally would not, this accumulates CI points and puts those hosts on the CI dashboard
     * Worm propagation can be tracked in this way, too
     * If a user brings in an infected laptop that attempts to call a C&C server, it will accumulate CI points
     * Hosts that are behaving the worst, particularly in the case of data exfiltration, are clearly visible
  10. Combating Advanced Cyber Threats
     * If a host is infected, it is possible to see an internal pivot to attack or infect other machines
     * Internal Host Reputation is a form of data analytics which can spot behaviors that signature-based systems would completely miss
     * Attackers are well aware of the current countermeasures, but countering analytics is much harder to do
     * Remember that StealthWatch provides IHR and links it to a user. The battle against Advanced Cyber Threats is a battle against sophisticated behaviors, and it takes a behavioral solution to combat them
  11. Cyber Threats Dashboard (screenshot)
  12. Conclusions
     * As the size of internal networks grows, internal reputation will become as important as external reputation
     * Perimeter devices cannot provide this level of information; only an internal visibility solution leveraging network telemetry such as NetFlow can accomplish this
     * Advanced Cyber Threats are not easily categorized and can only be identified with an analytical approach
     * The Concern Index (and IHR) is a valuable tool for tracking potential threats, both internally and externally
  13. Lancope at RSA 2013
     * Return of the famous Lancope Ninja Sword!
     * Visit booth #1653
     * Presentations by Tom Cross, Director of Security Research: Tuesday @ 4:30 pm; Wednesday @ 2 pm
     * Email to request a private demo at the event.
  14. Get Engaged with Lancope!
     * Twitter: @Lancope, @NetFlowNinjas, @stealth_labs
     * Subscribe; join the discussion; download
     * Access StealthLabs Intelligence Center (SLIC) reports and security research
  15. Thank you!
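The slides describe the Concern Index as points accumulated per host from NetFlow-derived behaviors (contact with known bad hosts, reaching restricted segments, scanning, unexpectedly large data movement) and then ranked on a reputation dashboard. The following is an added illustration of that scoring model, not Lancope's or StealthWatch's code: the flow records, addresses, the "known bad" list, the restricted segment, the per-host baselines and every weight and threshold are constructed assumptions chosen to make each signal fire on a different host.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed NetFlow-style records: (src, dst, dst_port, bytes_sent).
# Addresses, the "known bad" list, the restricted segment and every
# threshold/weight below are assumptions made for this example only.
FLOWS = [
    ("10.0.1.10", "10.0.5.20", 443, 2_000),          # ordinary internal traffic
    ("10.0.1.10", "10.0.5.20", 443, 1_500),
    ("10.0.1.11", "203.0.113.9", 6667, 400),         # contacts a listed bad external host
    ("10.0.1.12", "10.0.9.5", 1433, 800),            # desktop reaching into the restricted segment
    *[("10.0.1.13", f"10.0.2.{n}", 445, 120) for n in range(1, 41)],  # one host sweeps 40 peers
    ("10.0.1.14", "198.51.100.7", 443, 900_000_000), # upload far above this host's baseline
]

KNOWN_BAD = {"203.0.113.9"}                      # external reputation feed (assumed)
RESTRICTED = [ip_network("10.0.9.0/24")]         # e.g. the PCI environment (assumed)
BASELINE_BYTES_OUT = defaultdict(lambda: 5_000)  # per-host historical norm (assumed)
BASELINE_BYTES_OUT["10.0.1.14"] = 50_000

WEIGHTS = {"bad_host": 50, "restricted": 30, "scan": 40, "volume": 60}
SCAN_PEER_THRESHOLD = 20   # distinct peers before we call it scanning
VOLUME_MULTIPLIER = 10     # bytes out above N x baseline counts as unexpectedly large


def concern_index(flows, known_bad=KNOWN_BAD, restricted=RESTRICTED,
                  baseline=BASELINE_BYTES_OUT):
    """Accumulate Concern Index points per source host and record why.

    Returns {host: {"points": int, "reasons": [str, ...]}}.
    """
    scores = defaultdict(lambda: {"points": 0, "reasons": []})
    bytes_out = defaultdict(int)
    peers = defaultdict(set)

    def add(host, kind, reason):
        scores[host]["points"] += WEIGHTS[kind]
        if reason not in scores[host]["reasons"]:
            scores[host]["reasons"].append(reason)

    # Per-flow signals: who the host talks to.
    for src, dst, port, nbytes in flows:
        scores[src]  # ensure every observed host appears, even with 0 points
        bytes_out[src] += nbytes
        peers[src].add(dst)
        if dst in known_bad:
            add(src, "bad_host", f"communicated with known bad host {dst}")
        if any(ip_address(dst) in net for net in restricted):
            add(src, "restricted", f"reached restricted segment via {dst}:{port}")

    # Aggregate signals: behaviour across all of the host's flows.
    for host in list(scores):
        if len(peers[host]) >= SCAN_PEER_THRESHOLD:
            add(host, "scan", f"contacted {len(peers[host])} distinct peers")
        if bytes_out[host] > VOLUME_MULTIPLIER * baseline[host]:
            add(host, "volume",
                f"sent {bytes_out[host]} bytes vs baseline {baseline[host]}")
    return dict(scores)


def rank_hosts(flows, **kwargs):
    """Reputation-dashboard view: worst offenders first, as (host, points)."""
    ci = concern_index(flows, **kwargs)
    return sorted(((h, v["points"]) for h, v in ci.items()),
                  key=lambda hp: (-hp[1], hp[0]))


if __name__ == "__main__":
    ci = concern_index(FLOWS)
    for host, points in rank_hosts(FLOWS):
        print(f"{host:12} CI={points:3}  " + "; ".join(ci[host]["reasons"]))
```

The ranking is the point of the exercise: the host with the unusual upload lands at the top, the one talking to the listed bad address next, then the sweeping host and the desktop that touched the restricted segment, while the host with ordinary traffic stays at zero. The recorded reasons are what the deck calls the "events leading to degraded reputation"; in practice the baselines would come from observed history rather than constants, and repeated contact with a bad host keeps adding points by design.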