What? Who? When?
How network visualization can help you answer the
difficult questions that arise from security breaches

2013 Emulex Corporation
SC Magazine eSymposium: SIEM

Deploying and managing security information and event management systems can tax the brain and budget. However, if done right, they can be a huge benefit to the overall security stance of an organization, providing insight into what's happening on the entire network and enabling security teams to focus on the most pressing priorities to make sure their organizations' infrastructures are safe and sound from attacks. We explore the many challenges and their remedies.

Notes
  • Sissor
  • This chart shows the three places where network visibility tools are typically deployed. SecOps typically deploys network visibility tools on either side of the enterprise firewall. This provides visibility into what is hitting the network, what is getting into the enterprise, and what is going out of the enterprise. One typical NetOps deployment is at the core or aggregation level of the network. This provides visibility for north-south traffic, and is critical for content delivery and e-commerce scenarios. The other typical NetOps deployment is at the top-of-rack for critical servers, giving visibility into east-west traffic. All three of these can be combined through a Network Packet Broker (NPB) infrastructure to provide flexible visibility into critical points of the network without requiring dedicated probes or NetFlow generators.
  • EndaceVision gives a traffic-level view of an event based on a 5-tuple filter (time, IP address, etc.). The traffic-level view is required for validation (is it a false positive?), enabling analysts to be sure before they act, and helps them make informed decisions about actions and activities.
  • One of the biggest differentiators for our visualization tools comes from our partnership with a variety of best-in-breed network packet broker (NPB), Network Performance Management (NPM), Application Performance Management (APM), and Security Event Management (SEM) tool vendors. We have named these partnerships the Endace Fusion Alliance. The Endace Fusion Alliance enables customers to build NPM/APM/SEM suites that meet their exact needs, in contrast to integrated tools, which force customers to buy tools that they may or may not need. The benefit to customers of this best-in-breed approach is lower CapEx (fewer tools and less recording hardware to buy) and lower OpEx (less training, quicker time to resolution of network issues). This also provides channel partners with additional opportunities to integrate custom suites of tools for customers, increasing their "share of wallet".

    1. What? Who? When? How network visualization can help you answer the difficult questions that arise from security breaches. 2013 Emulex Corporation
    2. You Just Suffered A Major Security Breach… Three questions that the IT staff will be asked in the first 8 hours: What Happened? Who Was Affected? When Will It Be Fixed? Could your current SEM/SEIM tools (or any of your tools) provide the answers if you were breached today? What Happened? Maybe… Who Was Affected? Possibly… When Will It Be Fixed? Probably not…
    3. How Bad Is The Problem Today? July 2013 Gartner report: DDoS attacks are increasing in frequency and size. The number of attacks has increased by more than 20% in the last year, and attack throughput has reached 160 Gbps [1]. More than 70 percent of operating data centers reported DDoS attacks this year (up dramatically from under a half last year) [2]. More than a third experienced attacks that exceeded total available Internet connectivity, nearly double last year [3]. About 10 percent saw more than 100 attacks per month [4]. Sources: [1] "Leverage Your Network Design to Mitigate DDoS Attacks", Gartner Report G00253330, 2013; [2], [3], [4] and graph: "Worldwide Infrastructure Security Report, Volume IX", Arbor Networks, 2014.
    4. Like it or Not … Your prevention and detection tools will fail. Network visibility tools provide a vital safety net against failure. With history, you can understand and minimize the damage. Think like you've already been breached.
    5. Some Actual Customer Quotes. "We live in triage mode. It takes too long to investigate the events we know about today. We're exposed." "We're never quite sure if what we're looking at is real or not. It's paralyzing us. We're too scared to act." "When it goes wrong, and it does go wrong, it's a PR train wreck and we need a way to contain the problem." "There are known knowns; there are things we know that we know. There are known unknowns; that is to say, there are things that we now know we don't know. But there are also unknown unknowns; there are things we do not know we don't know."
    6. The Problem Is Not People or Tools - It is Data. Security tools have made great strides in their ability to identify issues and threats:
       • Use of "big data" analytics to identify unusual behaviors
       • Baselines and profiling also help
       BUT most critical breaches are "unknown unknowns":
       • The tools are often being encountered for the first time
       • The breachers are typically difficult/impossible to find
       • "Guesswork" is nearly unavoidable
       • Response times are measured in days, not hours
       How do we speed up the process?
       • The key is having the right data, and all of it
       • Network visibility tools that capture, record, and search network traffic can help by providing context and facts for breach analysis
    7. Network "Alerting" Stack (diagram, top to bottom):
       • SIM/SEM/SEIM
       • Detection tools: DDoS detection tools, IDS, NMS, AA-NPM, APM
       • Data feeding the tools: SNMP alerts, NetFlow data (LAN)
       • Core network infrastructure: firewalls (prevention), core routers and switches (connectivity)
       SNMP and NetFlow don't provide enough data to diagnose critical breaches ("unknown unknowns").
    8. Network Visibility Stack (diagram, top to bottom):
       • SIM/SEM/SEIM
       • Detection tools: DDoS detection tools, IDS, NMS, AA-NPM, APM
       • Data feeding the tools: unsampled packets + SNMP alerts, NetFlows
       • EndaceProbe Intelligent Network Recorders
       • Network Packet Brokers (aggregation)
       • Core network infrastructure: firewalls (prevention), core routers and switches (connectivity)
       SNMP and NetFlow don't provide enough data to diagnose critical breaches ("unknown unknowns"). Network visibility tools add unsampled packets to the picture: 100% visibility of what occurred, and who was affected.
    9. Introducing Endace. Part of Emulex product portfolio. World leader in packet capture and network recording. 10+ year history selling recording solutions to top tier customers (government, HFT, telco & enterprise). Global reputation for accuracy, scalability and performance.
    10. Intelligent Network Recorders:
       • 100% accurate traffic recording: 10 Gbps, scalable to 100 Gbps
       • 64TB = 3 days storage at typical load; options for longer duration
       • Integrated network traffic search engine: Layer 7 awareness & alarming
       • RESTful API for workflow integration
       • Deployed at Internet gateways
    11. Typical Network Visibility Fabric Deployments:
       • SecOps deployment monitoring both sides of the DMZ; record attacks, ID compromised data
       • NetOps deployment monitoring north-south traffic; ID inbound/outbound application issues
       • NetOps deployment monitoring east-west traffic; ID internal application performance issues
    12. Streamlining the Analyst Workflow. Start with a SIM-generated security event. Right click and "zoom-in" to the relevant traffic. Instant clarity: is it real? Immediate productivity gains: move out of triage mode.
    13. Our Approach to NPM/APM/SEM - Best of Breed (diagram: APM App, NPM App, IDS App and HFT App on top of the EndaceVision Network Search Engine with Fusion Connectors, on top of the Endace Capture Appliance, 10/40/100GbE). Our approach enables tailored best-of-breed solutions:
       • All tools share data from the same secure location in the datacenter
       • Automated workflow, "pivot to packets", speeds up issue resolution
       Lower investment while increasing ROI:
       • Only buy what you need
       • Plan and train staff on the tools that fit your situation best
    14. Conclusions: The Business Value of Network Visibility.
       • Know Your Risks: Understand exactly what data was compromised in a breach so that effective remedial actions can be taken
       • Unambiguous Forensics Trail: Have all of the data around an attack
       • Ensure Corrective Actions Are Effective: Ability to "replay" attacks to verify that corrective actions have addressed the security issue
       • Avoid Future Network Uptime Issues: Enable post-incident root cause analysis
       • SecOps CapEx/OpEx Savings: Streamline toolsets to address your specific needs and to simplify NetOps/SecOps workflow
       ELIMINATE GUESSWORK!
    15. (closing slide)
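The "pivot to packets" workflow on slide 12 and the 5-tuple-plus-time filter described in the speaker notes, as an added example that is not Endace or Emulex code and does not use their API. It assumes a network recorder whose search results can be represented as `PacketRecord` entries; the in-memory `RECORDS` list, the `SiemEvent` shape, the IP addresses and the alert rule name are all constructed for the example. The analyst question the slide poses ("is it real?") is answered here by what the full packets show and the SIEM alone cannot: whether the flagged TCP session actually completed its handshake and how many bytes moved in each direction.

```python
"""Pivot from a SIEM alert to the packets recorded around it (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List


@dataclass(frozen=True)
class PacketRecord:
    """One packet as a network recorder's search index would return it (assumed shape)."""
    ts: datetime
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str          # "tcp" or "udp"
    length: int         # bytes on the wire
    tcp_flags: str = ""  # "S", "SA", "A", "PA", ... ; empty for UDP


@dataclass(frozen=True)
class SiemEvent:
    """What a SIM/SEM alert typically carries: time, endpoints, service, protocol, rule."""
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    rule: str


def five_tuple_matches(pkt: PacketRecord, ev: SiemEvent) -> bool:
    """Match both directions of the flow the alert names; the SIEM rarely knows the client port."""
    if pkt.proto != ev.proto:
        return False
    forward = pkt.src_ip == ev.src_ip and pkt.dst_ip == ev.dst_ip and pkt.dst_port == ev.dst_port
    reverse = pkt.src_ip == ev.dst_ip and pkt.dst_ip == ev.src_ip and pkt.src_port == ev.dst_port
    return forward or reverse


def pivot_to_packets(records: Iterable[PacketRecord], ev: SiemEvent,
                     window: timedelta = timedelta(seconds=30)) -> List[PacketRecord]:
    """The 'zoom-in': packets within +/- window of the alert that belong to the alerted flow."""
    lo, hi = ev.ts - window, ev.ts + window
    hits = [p for p in records if lo <= p.ts <= hi and five_tuple_matches(p, ev)]
    return sorted(hits, key=lambda p: p.ts)


def handshake_completed(pkts: List[PacketRecord]) -> bool:
    """True if SYN, then SYN-ACK, then ACK appear in that order (a session was established)."""
    expected = ["S", "SA", "A"]
    i = 0
    for p in pkts:
        if i < len(expected) and p.tcp_flags == expected[i]:
            i += 1
    return i == len(expected)


def summarize_flow(pkts: List[PacketRecord], ev: SiemEvent) -> dict:
    """The facts an analyst needs before acting on the alert."""
    return {
        "rule": ev.rule,
        "packets": len(pkts),
        "bytes_to_target": sum(p.length for p in pkts if p.dst_ip == ev.dst_ip),
        "bytes_from_target": sum(p.length for p in pkts if p.src_ip == ev.dst_ip),
        "handshake_completed": ev.proto == "tcp" and handshake_completed(pkts),
        "first_seen": pkts[0].ts.isoformat() if pkts else None,
        "last_seen": pkts[-1].ts.isoformat() if pkts else None,
    }


# Constructed sample data: one alerted TCP session plus noise the filter must exclude.
T0 = datetime(2013, 9, 17, 10, 0, 0, tzinfo=timezone.utc)
RECORDS = [
    PacketRecord(T0 + timedelta(seconds=4), "203.0.113.7", "192.0.2.10", 51522, 443, "tcp", 74, "S"),
    PacketRecord(T0 + timedelta(seconds=4, milliseconds=20), "192.0.2.10", "203.0.113.7", 443, 51522, "tcp", 74, "SA"),
    PacketRecord(T0 + timedelta(seconds=4, milliseconds=40), "203.0.113.7", "192.0.2.10", 51522, 443, "tcp", 66, "A"),
    PacketRecord(T0 + timedelta(seconds=5), "203.0.113.7", "192.0.2.10", 51522, 443, "tcp", 1200, "PA"),
    PacketRecord(T0 + timedelta(seconds=6), "192.0.2.10", "203.0.113.7", 443, 51522, "tcp", 4800, "PA"),
    # same hosts, different protocol and port (DNS): not the alerted flow
    PacketRecord(T0 + timedelta(seconds=5), "203.0.113.7", "192.0.2.10", 40000, 53, "udp", 90, ""),
    # different client to the same service: not the alerted flow
    PacketRecord(T0 + timedelta(seconds=5), "198.51.100.4", "192.0.2.10", 33000, 443, "tcp", 74, "S"),
    # same flow an hour earlier: outside the time window
    PacketRecord(T0 - timedelta(hours=1), "203.0.113.7", "192.0.2.10", 50001, 443, "tcp", 74, "S"),
]
ALERT = SiemEvent(T0 + timedelta(seconds=5), "203.0.113.7", "192.0.2.10", 443, "tcp",
                  "suspicious TLS client hello (constructed rule name)")


def investigate(records: Iterable[PacketRecord] = RECORDS, ev: SiemEvent = ALERT) -> dict:
    """Alert in, packet-backed summary out."""
    return summarize_flow(pivot_to_packets(records, ev), ev)


if __name__ == "__main__":
    for key, value in investigate().items():
        print(f"{key:20} {value}")
```

With a real recorder the `RECORDS` list would be the result of a time-bounded 5-tuple query against its search API, and the window would be widened when the alert's timestamp comes from a clock that is not synchronized with the capture appliance; the summary then tells the analyst whether the alert describes a completed session with data transfer or a probe that never got past the handshake.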
