NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08

NetFlow Auditor software uses NetFlow and sFlow to detect anomalies and analyze full network traffic forensics. The objective of the software is to provide easy-to-use, full-featured anomaly detection and analysis of flows, to quickly identify who is doing what, where, when, with whom and for how long on a network, and to provide alerts, scheduled reports, SNMP traps and/or filter lists. It allows organizations to quickly identify and alert on network anomalies, helping to resolve performance problems and manage network security and compliance across business services and applications, dramatically reducing the risk of downtime.

Slide 2. Flow-Based Network Intelligence ROI
Business ROI
  • Flow-based technology provides a huge reduction in the time and cost spent understanding, alerting and reporting on network issues.
  • The information is required by many groups, from security and performance teams to capacity planners and accountants.
  • Real-time visibility AND archive/reporting
    • Act on issues as they occur, or track and trace with historical forensic insight.
    • Hindsight gives you the visibility to forecast.
Technical (IT) ROI
  • Already built into Cisco IOS or other vendor OS
  • No probes
  • No appliances
  • Non-intrusive
  • Scalable
  • Ease of deployment
  • Handles moves, adds and changes easily
  • Historical and real-time information wanted and used by many
Copyright 2009 IdeaData Pty Ltd
Slide 3. NetFlow Auditor Unique Capabilities: Scalability, Granularity, Flexibility
  • Comparative baselining
  • Real-time forensic analysis
  • Network Behavior Anomaly Detection option
  • Long-term trending
  • Event alerting by time of day and thresholds
  • Highly flexible "exceed" and "degrade" threshold capability
  • Learn traffic baselines
  • Collection tuning
  • Unattended alerting and reporting
  • Flexible filters
    • Root cause analysis
    • Security forensics
    • Performance analysis
    • Data center analysis
  • Multi-device correlation and de-duplication
  • 95th percentile
  • Scalability in collection
  • Self-healing
Slide 4. Flow-Based Network Intelligence you can depend on.
Slide 5. Top 10 reasons why it is critical to have visibility of the traffic on your network
  1. Root cause analysis
  2. Detecting the source of malicious traffic
  3. Capacity plan trends and substantiate IT spend
  4. Manage change
  5. Profiling and chargeback
  6. Proactive baselining
  7. Compliance
  8. Verify policy
  9. Optimize and consolidate
  10. Keep the service provider honest
"… The network never stops growing and it never gets a rest …" – Purdue University Network Mapping Project
Slide 6. Network Auditing
Companies are challenged with maintaining too many tools that each show a slightly different view of the same data, often with limited visibility. Hence the need for a convergent toolkit covering capacity planning, accounting, performance, root cause analysis, security, surveillance, lockdown, QoS and business intelligence.
Slide 7. How does NetFlow work?
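The diagram behind slide 7 is not in the transcript. As an added example (not NetFlow Auditor's code, nor anything from IdeaData), the block below decodes the NetFlow v5 export datagram that a Cisco IOS router sends to a collector, which is the raw input behind every report in this deck. The field layout is the published v5 format (24-byte header, 48-byte records, at most 30 records per datagram); the sample datagram, its addresses and the `build_v5` encoder are constructed here purely so the decoder can be run offline.

```python
"""Decode a NetFlow v5 export datagram (the format Cisco IOS routers send to a collector).

Added example, not NetFlow Auditor code: the datagram is built locally so the
decoder can be exercised offline.
"""
import socket
import struct
from dataclasses import dataclass

# Wire layout of NetFlow v5 (big-endian): 24-byte header, 48-byte records,
# at most 30 records per datagram.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


@dataclass
class ExportHeader:
    count: int
    sys_uptime_ms: int
    unix_secs: int
    flow_sequence: int      # running counter of exported flows; a gap means lost datagrams
    sampling_interval: int  # low 14 bits of the field (top 2 bits are the mode); 0 = unsampled


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    packets: int
    octets: int
    duration_ms: int  # last - first, both in sysuptime milliseconds
    tcp_flags: int
    in_if: int
    out_if: int


def parse_v5(datagram: bytes) -> tuple[ExportHeader, list[FlowRecord]]:
    """Decode one datagram; raise ValueError on anything malformed.
    The count/length check matters: a collector on UDP must not trust 'count'."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    (version, count, uptime, secs, _nsecs, seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"count {count} exceeds v5 maximum")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: fewer records than header claims")
    header = ExportHeader(count, uptime, secs, seq, sampling & 0x3FFF)
    records = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                  sport, dport, proto, pkts, octets,
                                  last - first, flags, in_if, out_if))
    return header, records


def is_valid_v5(datagram: bytes) -> bool:
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def build_v5(flows, sequence=1000, sampling=0) -> bytes:
    """Encode constructed flows as a v5 datagram (test fixture; in real life IOS does this)."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                       socket.inet_aton("0.0.0.0"), f["in_if"], f["out_if"],
                       f["packets"], f["octets"], f["first"], f["last"],
                       f["src_port"], f["dst_port"], 0, f["tcp_flags"],
                       f["proto"], 0, 0, 0, 0, 0, 0)
        for f in flows)
    header = V5_HEADER.pack(5, len(flows), 600000, 1265000000, 0, sequence, 0, 0, sampling)
    return header + body


# Constructed sample: one HTTP fetch and one DNS lookup from an internal host.
SAMPLE_DATAGRAM = build_v5([
    dict(src="10.1.2.3", dst="203.0.113.10", src_port=51234, dst_port=80, proto=6,
         packets=12, octets=9400, first=500000, last=500850, tcp_flags=0x1b, in_if=1, out_if=2),
    dict(src="10.1.2.3", dst="10.1.0.53", src_port=40000, dst_port=53, proto=17,
         packets=1, octets=72, first=499900, last=499900, tcp_flags=0, in_if=1, out_if=1),
])

if __name__ == "__main__":
    hdr, recs = parse_v5(SAMPLE_DATAGRAM)
    print(hdr)
    for r in recs:
        print(r)
```

Two things a collector has to get right before any of the deck's analytics are trustworthy: `flow_sequence` gaps mean the exporter sent datagrams that never arrived (so byte totals are undercounts), and a non-zero `sampling_interval` means packet and octet counts must be scaled up before they are compared against a baseline.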
Slide 8. NetFlow Auditor Architecture
  • The architecture is modular and scalable.
  • NetFlow Auditor was built from the ground up for scalability and uses scalable intelligent agent technologies (bots) to manage large amounts of network traffic information in real time.
  • NetFlow Auditor agents:
    • collect, tag and process data as it passes through a nominated gateway;
    • pass collected data between one another and the NetFlow Auditor database;
    • can continue to function if separated from the data warehouse.
Slide 9. NetFlow Auditor Smart Investment: grows as your needs grow
  • Lite (Free): troubleshooting, QoS, bandwidth utilization
    • Hot top traffic, per interface
  • Performance: root cause analysis, QoS, billing
    • Top traffic
    • Supports Anomaly Detection on top traffic
    • Couple with Enterprise for high-flow environments, e.g. ISPs
  • Professional: security/compliance, forensics, comparative baselining, QoS, 95th percentile billing
    • 100% full-flow forensics; supports detailed Anomaly Detection and 95th percentile or usage-based billing
  • Enterprise (Scalable Flow Capture): for very high-flow capture
    • Coupled with Professional: 100% full flows for full compliance and billing
    • Coupled with Performance: supports very high-flow environments for real-time root cause analysis
  • Anomaly Detection add-on
    • Comprehensive Network Behavior Anomaly Detection from intelligently learnt baselines
    • Learns a baseline and alerts when traffic deviates on links, servers and services: P2P profiling, DDoS, ICMP, DNS, QoS, nefarious traffic
Slide 10. NetFlow Auditor unique design
  • Scalability: Don't underestimate scaling needs when capturing flow data. Scalability is an important aspect to appreciate when comparing tools. NetFlow Auditor can handle copious numbers of flows per second, so key data won't be missed when pipes burst or when flow rates increase.
  • Granularity: It is critical to be able to see network data from every perspective. Network traffic is very dynamic and new traffic behaviour can be tricky to track. NetFlow Auditor provides complete drilldown tools to fully explore the data and to perform comparative baselining.
  • Flexibility: An inflexible tool limits the ability to create relevant outputs for engineers, management and customers, and can increase workload rather than decrease it. NetFlow Auditor allows easy customization of every aspect of the system, from tuning of data capture to producing templates and automated reporting and alerting.
(Chart: time vs. NetFlow Auditor and other solutions)
Slide 11. Flow-Based Network Intelligence you can depend on.
Slide 12. NetFlow Auditor Forensics plus Anomaly Detection
  • Identify change (e.g. security, compliance, cost management)
  • Identify nefarious traffic, DDoS, SlowDoS
  • Intrusion detection / e-vandalism
  • Understand what the vulnerabilities are and identify exploits; analyze anomaly events and identify the risk level of the incidents
  • Detect threats and mitigate
  • Leverages existing infrastructure
  • Rapid deployment
  • Flexible, scalable and granular
  • Sensitivity can be left at the default for most environments, or adjusted for special corporate, service provider or defence needs
Slide 13. Alerts – Menus and Popups
Alerts are easily seen or edited from the left-hand menus and by clicking on the grid element you want to configure. Mouse-over popups provide additional information. The "My Alerts" menu filters the alert information simply by clicking on its grid.
Slide 14. Standard Alerting vs Anomaly Detection
Slide 15. Anomaly Detection – Preset Monitored Traffic Items
Slide 16. Anomaly Detection – Intelligent Baseline Examples
Measurement profiles: Flows / bps / Packets / Packet Size / Bytes / Counts, shown against examples of monitored traffic items. 168 intelligent baseline statistics are learned for each monitored traffic item: 4 statistical baselines for each of the 6 measurement profiles for each of the 7 weekdays (4 × 6 × 7 = 168).
Slide 17. Anomaly Detection – Multiple Baselines per Alert
Statistical baselines: Standard Deviation / Average / Minimum / Maximum
Measurement profiles: Flows / bps / Packets / Packet Size / Bytes / Counts
Example baselines shown: Count Average, Flows Average, Packets Average, Bytes Minimum, bps Average, Packet Size Average, Bytes Standard Deviation, Bytes Maximum
  • Multiple alert events can occur concurrently for each monitored traffic item.
  • An alert is triggered when an Anomaly Alert Criteria setting breaches its statistical baseline.
  • Measurement alerts are combined to form a single weighted alert that best positions the item in the Alert Event List; e.g. excessive flows plus high bps is seen as a higher risk than either alone.
  • Clicking on the Alert Event List or a specific measurement event shows the traffic item breaches.
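The baseline scheme of slides 16 and 17 (4 statistics × 6 measurement profiles × 7 weekdays = 168 values per monitored traffic item, per-profile breaches combined into one weighted alert) is concrete enough to implement. The block below is an added example written for this page, not NetFlow Auditor's algorithm: the breach rule (above the learned maximum and more than three standard deviations from the average, in either direction) and the weighting (sum of the breaching z-scores) are assumptions, and the learning history is synthetic data generated in the block.

```python
"""Per-weekday intelligent baselines and weighted anomaly alerts.

Added example in the spirit of slides 16 and 17, not NetFlow Auditor's own code.
6 measurement profiles x 4 statistics x 7 weekdays = 168 baseline values per
monitored traffic item; the breach rule and weighting are assumptions.
"""
import random
import statistics
from collections import defaultdict

PROFILES = ("flows", "bps", "packets", "packet_size", "bytes", "counts")
STATS = ("stddev", "avg", "min", "max")
WEEKDAYS = range(7)  # 0 = Monday ... 6 = Sunday


def learn_baselines(history):
    """history: iterable of (weekday, {profile: value}) samples for one traffic item.
    Returns {(weekday, profile): {"stddev", "avg", "min", "max"}}."""
    per_key = defaultdict(list)
    for weekday, sample in history:
        for p in PROFILES:
            per_key[(weekday, p)].append(float(sample[p]))
    baselines = {}
    for key, vals in per_key.items():
        baselines[key] = {
            "stddev": statistics.pstdev(vals) if len(vals) > 1 else 0.0,
            "avg": statistics.fmean(vals),
            "min": min(vals),
            "max": max(vals),
        }
    return baselines


def baseline_count(baselines):
    """Number of learned statistics: 168 once all seven weekdays have been seen."""
    return len(baselines) * len(STATS)


def score_sample(baselines, weekday, sample, z_threshold=3.0):
    """One measurement event per profile that leaves the learned [min, max] range AND
    sits more than z_threshold standard deviations from the average (assumed rule).
    Events are (profile, "above"|"below", z). The alert weight is the sum of |z|,
    so excessive flows plus high bps outranks either breach alone."""
    events = []
    for p in PROFILES:
        b = baselines.get((weekday, p))
        if b is None:
            continue  # nothing learned yet for this weekday: never alert blindly
        x = float(sample[p])
        sigma = b["stddev"] if b["stddev"] > 0 else 1.0  # flat history: unit scale
        z = (x - b["avg"]) / sigma
        if x > b["max"] and z > z_threshold:
            events.append((p, "above", round(z, 1)))
        elif x < b["min"] and z < -z_threshold:
            events.append((p, "below", round(z, 1)))
    return {"weight": round(sum(abs(z) for _, _, z in events), 1), "events": events}


def rank_alerts(scored):
    """scored: {item_name: result of score_sample}. Item names with at least one
    event, highest weight first (the Alert Event List ordering)."""
    hits = [(name, s) for name, s in scored.items() if s["events"]]
    return [name for name, s in sorted(hits, key=lambda kv: -kv[1]["weight"])]


def constructed_history(seed=1, samples_per_day=60):
    """Synthetic learning data (constructed): each profile hovers around a fixed
    mean with 5% Gaussian noise, for every weekday."""
    rng = random.Random(seed)
    means = {"flows": 200, "bps": 4_000_000, "packets": 5000,
             "packet_size": 800, "bytes": 4_000_000, "counts": 150}
    for weekday in WEEKDAYS:
        for _ in range(samples_per_day):
            yield weekday, {p: m * (1 + rng.gauss(0, 0.05)) for p, m in means.items()}


if __name__ == "__main__":
    bl = learn_baselines(constructed_history())
    normal = {"flows": 200, "bps": 4_000_000, "packets": 5000,
              "packet_size": 800, "bytes": 4_000_000, "counts": 150}
    syn_flood = {"flows": 20000, "bps": 9_000_000, "packets": 150000,
                 "packet_size": 60, "bytes": 9_000_000, "counts": 150}
    print(baseline_count(bl))
    print(score_sample(bl, 2, normal))
    print(score_sample(bl, 2, syn_flood))
    print(rank_alerts({"web-vlan": score_sample(bl, 2, syn_flood),
                       "dns": score_sample(bl, 2, normal)}))
```

Note the shape of the flood result: flows, packets and bytes breach upward while packet size breaches downward, which is what a SYN or UDP flood looks like in flow data, and a rule that only watched byte volume would score it far lower than one that also counts the drop in average packet size.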
Slide 18. Anomaly Detection – Primary Alert View
Slide 19. Anomaly Detection – Root Cause Analysis
Slide 20. Anomaly Detection – 3 clicks to an Intelligent Baseline: make your own rules (steps 1 and 2)
From the Configuration menu choose an interface, application, protocol, location or QoS class, etc. This is a useful starting point; once you have set up your criteria to begin learning a baseline you can edit it and tune the filter at any time.
Slide 21. Anomaly Detection – 3 clicks to an Intelligent Baseline: make your own rules (step 3)
Slide 22. Anomaly Detection – Case: Large P2P Traffic
Following an anomaly alert we discover a large amount of P2P traffic: BitTorrent and Xbox downloads outside business hours. The IP addresses and location tags indicate the department. Now that you know where it is coming from, it is a simple process to build an access list and stop it dead in its tracks. As NetFlow Auditor has a comprehensive scheduler and multiple output formats, including CSV, PDF and SNMP, this process can be fully automated.
Slide 23. Standard Alerting – Case: Heavy Traffic Detection
Slide 24. Network Auditing Forensics and Security – saving you time and money
  • Mitigation
    • Total visibility of network traffic
    • Forensics
    • Containment
    • Damage assessment
  • Detection
    • Alert when changes occur outside of learnt baselines, and recognize new patterns as they emerge
Slide 25. Anomaly plus Standard Alerting – DDoS Identification
  • Standard dissemination alerts quickly detect conversation levels.
  • Anomaly detection identifies changes in packet levels.
  • Most attacks involve:
    • packet flooding, or
    • saturating the system with external requests;
    • forcing a reset/reboot;
    • consuming so many resources that the system is unable to respond.
Slide 26. How can NetFlow forensics and anomaly detection help me in security?
  • Botnets: have the visibility to identify all computers communicating on IRC channels with IRC servers.
  • DDoS: identify rising thresholds outside of learnt baselines; find all IPs and port patterns to divert and de-risk.
  • SlowDoS: identify long-talkers holding up your server threads.
  • P2P: identify P2P conversations and their shadows.
  • Data leaks: counter-surveillance; find systems that are slowly copying their data outbound.
Slide 27. Flow-Based Network Intelligence you can depend on.
Slides 28–32. Network forensic analysis methods
  • Packet Size Distribution Analysis: Analyze how the distribution of packet sizes changes over a specific period to see which aspects have changed the most; can lead to early detection of issues. Identify worms, increasing flows or data floods.
  • Count Analysis: Count records as part of a result to quickly identify excessive flows or change. Enables quick identification of port scanners, P2P users, DDoS attacks or other multi-threaded conversations; identify long-lasting flows or conversations.
  • Standard Deviation Analysis: Analyze traffic patterns by standard deviation to identify what aspects have changed the most in a specific period; can lead to early detection of issues. Identify worms, increasing flows or data floods.
  • Bi-directional Analysis: Show forward and reverse conversations, and in versus out conversations, to quickly identify which side of the conversation is responsible for the traffic usage or flows.
  • Cross-Section Analysis: Stacked graphs enable comparison of any two network traffic parameters. As an example, a stacked-bar QoS analysis can graphically show the details of each application running within every class of service.
  • Custom Group Analysis: IP addresses can be categorized into logical groups for reporting, billing and capacity planning. Enhanced application grouping coming soon.
  • Percentile Analysis: Most commonly known for its benefit in billing, it also has a large benefit for security and alerting. For example, a burst may occur once or may occur with ever-increasing frequency; a percentile analysis of a threshold event will provide an indication of change.
  • QoS Analysis: QoS policies can help to reduce the effects of DoS and DDoS traffic floods and keep key applications available during attacks.
  • Drilldown Analysis: Once an area of concern is identified, drill down into it for as much detail as required.
  • Baseline Analysis: Perform baselines over the long term or in real time for any element. Knowledge of baselines provides the intelligence to create alerts.
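Three of the methods above (count analysis, bi-directional analysis and percentile analysis) and the security cases on slide 26 (port scanners, DDoS sources, hosts slowly copying data outbound) reduce to a handful of group-by operations over decoded flow records. The block below is an added example, not NetFlow Auditor code: the flow records are constructed in the block, the 10.0.0.0/8 "internal" range is an assumption, and every threshold is a placeholder to be tuned per site rather than a value from the deck.

```python
"""Count analysis, bidirectional analysis and 95th-percentile analysis over flow records.

Added example, not NetFlow Auditor code. Flow records are
(src, dst, src_port, dst_port, proto, octets) tuples as a collector would hold
them after decoding. The traffic below is constructed; the 10.0.0.0/8 'internal'
range and all thresholds are assumptions to tune per site.
"""
import ipaddress
import math
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the site's address space


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def port_scanners(flows, min_ports=50):
    """Count analysis: one source touching many distinct destination ports on one host."""
    ports = defaultdict(set)
    for src, dst, _sp, dport, _proto, _octets in flows:
        ports[(src, dst)].add(dport)
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports)


def flood_targets(flows, min_sources=40):
    """Count analysis: one destination:port hit by many distinct sources (DDoS pattern)."""
    sources = defaultdict(set)
    for src, dst, _sp, dport, _proto, _octets in flows:
        sources[(dst, dport)].add(src)
    return sorted((dst, dport, len(s)) for (dst, dport), s in sources.items()
                  if len(s) >= min_sources)


def outbound_heavy_hosts(flows, min_out_bytes=10_000_000, min_ratio=10.0):
    """Bidirectional analysis: internal hosts sending far more to the outside than they
    receive, i.e. candidates for the 'slowly copying data outbound' case."""
    out_bytes, in_bytes = defaultdict(int), defaultdict(int)
    for src, dst, _sp, _dp, _proto, octets in flows:
        if is_internal(src) and not is_internal(dst):
            out_bytes[src] += octets
        elif is_internal(dst) and not is_internal(src):
            in_bytes[dst] += octets
    result = []
    for host, out in out_bytes.items():
        inbound = in_bytes.get(host, 0)
        ratio = out / inbound if inbound else math.inf
        if out >= min_out_bytes and ratio >= min_ratio:
            result.append((host, out, inbound))
    return sorted(result)


def percentile(values, pct=95):
    """Nearest-rank percentile as used for 95th-percentile billing: sort the interval
    samples and take the value at rank ceil(pct/100 * n). A single burst interval in
    twenty is discarded; a burst that recurs every interval is not."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = math.ceil(pct / 100 * len(ordered))
    return ordered[rank - 1]


def constructed_flows():
    """Constructed sample traffic mixing one normal client with three bad patterns."""
    flows = []
    # Normal web client: a few page fetches, responses larger than requests.
    for i in range(5):
        flows.append(("10.0.0.20", "203.0.113.10", 50000 + i, 443, 6, 2_000))
        flows.append(("203.0.113.10", "10.0.0.20", 443, 50000 + i, 6, 60_000))
    # Port scan: one internal host probing 200 ports on one external host.
    for port in range(1, 201):
        flows.append(("10.0.0.5", "203.0.113.10", 40000 + port, port, 6, 60))
    # Flood: 60 distinct external sources hitting one internal web server.
    for i in range(60):
        flows.append((f"198.51.100.{i + 1}", "10.0.0.80", 1024 + i, 80, 6, 120))
    # Slow exfiltration: 40 uploads of 1 MB each, tiny acknowledgements back.
    for i in range(40):
        flows.append(("10.0.0.9", "198.51.100.200", 45000 + i, 443, 6, 1_000_000))
        flows.append(("198.51.100.200", "10.0.0.9", 443, 45000 + i, 6, 1_500))
    return flows


if __name__ == "__main__":
    fl = constructed_flows()
    print(port_scanners(fl))
    print(flood_targets(fl))
    print(outbound_heavy_hosts(fl))
    # Constructed 5-minute bps samples for one link: 19 quiet intervals and one burst.
    print(percentile([10_000_000] * 19 + [95_000_000]))
```

The exfiltration case is the one that pure volume thresholds miss: 40 MB spread over forty sessions never tops a top-talker list, but the out-to-in byte ratio of a client that should mostly be downloading stands out immediately, which is the point of the deck's bi-directional view.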
Slide 33. NetFlow Auditor freeform drilldown
Who needs short-term network analytics? Security specialists, performance managers, VoIP engineers.
Who needs long-term network trending? Capacity planners and architects, data centre managers, service billing.
Drilldown dimensions: Device/Interface, Business Group, Customer/User, AS, QoS; Conversations; Applications; Time (Last Minute, Last 15 Minutes, Last Hour, Last Day/Week/Month ...), from real-time through to long term.
Slides 34–35. Quickly find servers such as P2P servers, or track conversations
Slide 36. Packet Size Distribution
Slide 37. IP conversations stacked: see anomalies, servers, P2P
Slide 38. For specific servers see all talkers and applications
Slide 39. Application detail: email and DNS traffic, last 7 days
Slide 40. Conversations for one minute on a selected interface
Slide 41. Flow-Based Network Intelligence you can depend on.
Slide 42. Comparative Baselining: alert on the rising and falling threshold of every flow individually, grouped or filtered
Slide 43. Full-flow compliance analysis for a selected interface
Slide 44. IP bidirectional analysis
Slide 45. Right-click drilldown for a time period
Slide 46. Grid options
Slide 47. Breakdown of usage by location
Slide 48. Weekday baseline: all SMTP traffic for a location
Slide 49. Monitoring QoS: long-term comparative baseline
Slide 50. Route analysis for last week
Slide 51. All HTTP flows per minute received on an interface
Slide 52. Monitoring QoS: ToS precedence, last 13 hours
Slide 53. Application bi-directional analysis on an interface
Slide 54. Packet size distribution analysis on a router/switch
