Security Attack Analysis for Finding and Stopping Network Attacks
Network breaches are on the rise, and the consequences are getting more dire. Needless to say, you don't want to be the next Target. You've invested in security tools like firewalls and IPS systems. But today's stealthy attacks can still get through. When you suspect an attack, you need your insurance policy: network forensics.

In this seminar, you'll learn how network forensics—network recording along with powerful search and analysis tools—can enable your in-house security team to track down, verify, and characterize attacks.

You'll also learn about the requirements for effective forensics on today's 10G and 40G networks.

And you'll learn some best practices for configuring captures to help you and your team pinpoint and remediate anomalous behavior that could signal an attack.

Usage Rights: CC Attribution License

Presentation Transcript

  • Security Attack Analysis for Finding and Stopping Network Attacks: Your Insurance Policy for Network Breaches. Jay Botelho, Director of Product Management, WildPackets (jbotelho@wildpackets.com, @jaybotelho). Use today’s webinar hashtag #wp_networkforensics with any questions, comments, or feedback; follow us @wildpackets. www.wildpackets.com
  • © 2014 WildPackets, Inc. Security Attack Analysis – May 2014. Administration: All callers are on mute; if you have problems, let us know via the Chat window. There will be Q&A; feel free to type a question at any time. Slides and recording will be available; notification within 48 hours via a follow-up email.
  • Agenda: The Bad Guys Are Winning; IDS/IPS Is Not Enough; Security Attack Analysis with Network Forensics; You Can Take Back the Lead!
  • The Bad Guys Are Winning
  • “The Bad Guys Are Winning”*: Cyber espionage up 3X; insiders stealing intellectual property; average time in 2012 to discover and resolve a data breach: 123 days; 86% of security professionals consider incident detection time too slow. (* Wade Baker, principal author of the 2014 Verizon Data Breach Investigations Report)
  • Challenges: IDS/IPS and other tools raise alerts, but security teams need details (who, what, where, when), and those answers require network visibility. Network visibility is declining overall: last-generation network analysis tools can’t keep up with 10G, 40G, and 100G networks, and the market trend toward high-level statistics such as NetFlow and traffic sampling leaves security analysts with generalities, not specifics.
  • IDS/IPS Detection and Prevention Aren’t Enough
  • WildPackets Attack Analysis: full visibility into everything going in and out of your network. Benefits: give security teams evidence and insight (a comprehensive record of network activity; powerful search and filtering tools for zeroing in on anomalies and attack details) and enable security teams to act quickly (find proof of attacks; characterize attacks and stop them: who, what, where, when). Solution: Packet Capture + Network Forensics: record, store, and analyze traffic; uncover and understand attacks so they can be stopped; tools include deep packet inspection, searches, filters, graphs, etc.
  • Key Capabilities of WildPackets Attack Analysis: Node Activity Profile; High Speed Packet Capture; Visualization; Transaction History; Deep Packet Inspection; Node-to-node Interaction.
  • Security Attack Analysis with Network Forensics
  • Security Investigations with Network Forensics: Incident Response Verification; Pre-Zero Day Attack Forensics; Incident Path Tracking; Compliance with Security Regulations; Transaction Verification.
  • Incident Response Verification: Applying Attack Intelligence and Deep Packet Inspection (DPI), WildPackets provides unprecedented visibility into network events, enabling security analysts to conduct full Root Cause Analysis (RCA). Attack Analysis workflow: Investigate, Confirm, Characterize, Resolve. Results: reduced MTTR for attacks; reduced impact of attacks.
  • Problem: At approximately 11:20am the IDS/IPS reports an nmap decoy attack; nmap used a number of phony addresses as source IPs in addition to the actual attack machine’s IP. Action: Use network forensics to rewind the attack, saving all packets from 5 minutes before to 5 minutes after the report for detailed network analysis.
  • Pre-Zero Day Attack Forensics: An unprecedented opportunity to ask “Has a newly recognized attack previously struck our network? If so, what happened?” Replay recorded network traffic to event detection systems to discover if the new incident had occurred previously and understand who and what was affected. AKA “Retrospective Security Assurance”. Timeline: IT begins recording network traffic; a zero-day attack strikes; updates to security tools recognize the attack; the security team replays the recorded traffic through the attack signature.
  • Problem: The internal security team has identified a previously undetected major security threat; the signature says it uses the Windows Messenger service and has a UDP packet that contains “STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION…”. Action: Immediately identify any and all systems on the network that have potentially been affected by the threat, even before the threat was initially detected.
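The two investigations above (rewinding the recording to the minutes around the nmap decoy alert, and replaying a newly published Messenger-service signature over traffic recorded before that signature existed) can be scripted against a packet recording. The following is an added example, not code from WildPackets or from the deck: it assumes a little-endian classic libpcap file with Ethernet framing and IPv4 without options, and every address, timestamp and payload in it is constructed for the illustration.

```python
# Added example (not WildPackets code): the two investigations above, run over one recorded
# pcap. Assumes a little-endian classic libpcap file (magic 0xa1b2c3d4), Ethernet framing,
# IPv4 without options, records in time order; all traffic below is constructed.
import struct
from collections import Counter

PCAP_MAGIC, ETH_IPV4, PROTO_TCP, PROTO_UDP = 0xA1B2C3D4, 0x0800, 6, 17
TCP_SYN, TCP_ACK, TCP_PSH_ACK = 0x02, 0x10, 0x18
MESSENGER_SIG = b"STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION"   # payload string from the slide

def read_pcap(data):
    """Yield (timestamp, frame) records from a classic pcap byte string."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled here)")
    off = 24                                                   # 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len

def decode(frame):
    """IPv4 endpoints, L4 ports, TCP flags and payload of one Ethernet frame; None if not TCP/UDP."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    proto, l4 = frame[23], 14 + (frame[14] & 0x0F) * 4          # IP protocol, start of L4 header
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    flags = 0
    if proto == PROTO_UDP:
        sport, dport, ulen = struct.unpack_from("!HHH", frame, l4)
        payload = frame[l4 + 8:l4 + ulen]
    elif proto == PROTO_TCP:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        flags, payload = frame[l4 + 13], frame[l4 + (frame[l4 + 12] >> 4) * 4:]
    else:
        return None
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport, flags=flags, payload=payload)

def rewind(data, alert_ts, before=300, after=300):
    """Decoy-scan case: keep every packet from `before` s before the IDS alert to `after` s after it."""
    return [(ts, f) for ts, f in read_pcap(data) if alert_ts - before <= ts <= alert_ts + after]

def syn_sources(window, target):
    """Hosts that sent bare SYNs to the scanned target in the window: real scanner plus nmap -D decoys."""
    hits = Counter()
    for _ts, frame in window:
        p = decode(frame)
        if p and p["proto"] == PROTO_TCP and p["dst"] == target and (p["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN:
            hits[p["src"]] += 1
    return hits

def sources_with_history(data, sources, before_ts):
    """Lead for separating decoys from the attacker: which candidate sources also carried ordinary
    traffic earlier in the recording (a spoofed decoy address usually carried none)."""
    seen = set()
    for ts, frame in read_pcap(data):
        if ts >= before_ts:
            break
        p = decode(frame)
        if p and p["src"] in sources:
            seen.add(p["src"])
    return seen

def hosts_hit(data, needle):
    """Retrospective case: replay a new signature over the whole recording -> {victim: [(ts, sender)]}."""
    victims = {}
    for ts, frame in read_pcap(data):
        p = decode(frame)
        if p and p["proto"] == PROTO_UDP and needle in p["payload"]:
            victims.setdefault(p["dst"], []).append((ts, p["src"]))
    return victims

def build_frame(src, dst, proto, sport, dport, payload=b"", flags=TCP_SYN):
    """Constructed test frame: Ethernet/IPv4/{UDP,TCP}, checksums left at zero."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + l4

def build_pcap(records):
    """Constructed recording: classic pcap global header (link type 1 = Ethernet) plus the records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame
    return out

ALERT_TS, TARGET, ATTACKER = 1_399_000_000.0, "10.0.0.50", "10.0.0.7"   # constructed alert time and hosts
RECORDING = build_pcap([   # Messenger spam is matched on payload; UDP/135 here is just the constructed port
    (ALERT_TS - 86400, build_frame("198.51.100.4", "10.0.0.12", PROTO_UDP, 1026, 135, MESSENGER_SIG + b" ...")),
    (ALERT_TS - 900, build_frame(ATTACKER, TARGET, PROTO_TCP, 40000, 443, flags=TCP_PSH_ACK)),  # earlier session
    (ALERT_TS - 2, build_frame(ATTACKER, TARGET, PROTO_TCP, 41000, 22)),                        # real probe
    (ALERT_TS - 2, build_frame("10.0.0.99", TARGET, PROTO_TCP, 41000, 22)),                     # nmap -D decoy
    (ALERT_TS - 1, build_frame("10.0.0.123", TARGET, PROTO_TCP, 41000, 22)),                    # nmap -D decoy
    (ALERT_TS + 100, build_frame(ATTACKER, TARGET, PROTO_TCP, 41001, 80)),                      # real probe
    (ALERT_TS + 600, build_frame("198.51.100.4", "10.0.0.33", PROTO_UDP, 1026, 135, MESSENGER_SIG + b" ...")),
])

if __name__ == "__main__":
    probes = syn_sources(rewind(RECORDING, ALERT_TS), TARGET)
    print("SYN sources:", dict(probes), "with history:", sources_with_history(RECORDING, set(probes), ALERT_TS - 300))
    print("hosts hit by the Messenger signature:", hosts_hit(RECORDING, MESSENGER_SIG))
```

Two caveats a practitioner should keep in mind. `sources_with_history` is a lead, not an attribution: decoys that nmap -D borrows from live hosts carry their own history, and the strongest packet-level tell of the real scanner is usually that it is also the host doing other things (earlier sessions, name lookups) around the scan, which is exactly why the slide asks for the minutes before the alert and not just the alert itself. And the retrospective search only finds what was recorded in full: a NetFlow-style summary would carry the UDP/135 flow but not the payload string the signature keys on.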
  • Incident Path Tracking: Using built-in peer-to-peer analytics, WildPackets’ Incident Path Tracking can trace the sequence of conversations between every device on the network before and after the security event. Result: identify the security attack (in this case a denial of service), the source of the attack, and all the affected devices.
  • Problem: Hundreds of users of a wireless network in a large auditorium find they cannot maintain a VPN connection, nor can they reliably connect to the Internet; everyone seems to be affected. Action: The IDS/IPS reports no problems; assess overall network connectivity and look for anomalies.
  • Ensuring Compliance – Leaked Data: Filter for patterns like SSNs and keywords. Result: evidence of data breaches and details that help track down the particulars of security attacks.
  • Problem: While reviewing the weekly network performance report, clear-text protocols were discovered that violate the company’s security policy. Action: Find FTP traffic and identify the suspected users; analyze the FTP traffic to see if sensitive data was transmitted.
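For the two compliance cases above (filtering recorded traffic for SSN patterns and keywords, and finding clear-text FTP and the users behind it), here is an added example that is not WildPackets code. It works on TCP segments a packet analyzer has already decoded into (timestamp, src, dst, sport, dport, payload) tuples; the segments, hosts and usernames in it are constructed. The SSN issuance rules it uses to cut false positives are the public Social Security Administration rules (area number never 000, 666 or 900-999; group never 00; serial never 0000).

```python
# Added example (not WildPackets code): review clear-text traffic for leaked data. Input is a list
# of TCP segments already decoded by the analyzer as (ts, src, dst, sport, dport, payload); the
# segments, hosts and usernames below are constructed for the example.
import re
from collections import defaultdict

FTP_CTRL, FTP_DATA = 21, 20
# 3-2-4 digit groups split by '-' or ' ' and not embedded in a longer number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")
KEYWORDS = (b"confidential", b"salary", b"password")

def plausible_ssn(area, group, serial):
    """SSA issuance rules: area is never 000, 666 or 900-999; group never 00; serial never 0000."""
    return int(area) not in (0, 666) and int(area) < 900 and group != "00" and serial != "0000"

def find_ssns(payload):
    """SSN-shaped strings in a clear-text payload that also pass the issuance rules."""
    text = payload.decode("latin-1")                       # never fails on arbitrary bytes
    return [m.group(0) for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]

def ftp_users(segments):
    """{client: {usernames}} from the clear-text FTP control channel (USER commands on port 21)."""
    streams = defaultdict(bytes)
    for _ts, src, dst, _sport, dport, payload in sorted(segments):
        if dport == FTP_CTRL:
            streams[(src, dst)] += payload                 # reassemble client -> server control stream
    users = defaultdict(set)
    for (client, _server), stream in streams.items():
        for line in stream.split(b"\r\n"):
            if line[:5].upper() == b"USER ":
                users[client].add(line[5:].decode("latin-1").strip())
    return dict(users)

def review(segments, keywords=KEYWORDS):
    """Per source host: SSNs and keywords found in any clear-text payload, joined to FTP identities."""
    users = ftp_users(segments)
    findings = {}
    for _ts, src, _dst, _sport, _dport, payload in segments:
        ssns = find_ssns(payload)
        kws = [k.decode() for k in keywords if k in payload.lower()]
        if ssns or kws:
            entry = findings.setdefault(src, {"ssns": [], "keywords": [], "users": sorted(users.get(src, ()))})
            entry["ssns"] += ssns
            entry["keywords"] += kws
    return findings

# Constructed segments: an FTP login and STOR on the control channel, the matching active-mode
# data transfer (client -> server port 20), an anonymous login, and an HTTP POST with the same pattern.
SEGMENTS = [
    (1.0, "10.0.0.42", "10.0.0.9", 50000, FTP_CTRL, b"USER jdoe\r\nPASS hunter2\r\n"),
    (1.5, "10.0.0.42", "10.0.0.9", 50000, FTP_CTRL, b"STOR payroll.csv\r\n"),
    (2.0, "10.0.0.42", "10.0.0.9", 50001, FTP_DATA, b"name,ssn,salary\r\nA. Smith,123-45-6789,90000\r\nB. Lee,000-12-3456,1\r\n"),
    (3.0, "10.0.0.77", "10.0.0.9", 50002, FTP_CTRL, b"USER anonymous\r\n"),
    (4.0, "10.0.0.55", "203.0.113.8", 50003, 80, b"POST /f HTTP/1.1\r\n\r\nnote=Confidential 387-65-4321"),
]

if __name__ == "__main__":
    for host, entry in review(SEGMENTS).items():
        print(host, entry)
```

The join in `review` is what turns a pattern hit into an answer to the slide's question ("which users"): the data channel carries the SSNs but no identity, the control channel carries the USER command but no data, and only the recording lets you line the two up by client address. Passive-mode transfers use a server-chosen port instead of 20, so on real traffic key the data channel off the PASV/PORT replies rather than a fixed port.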
  • Transaction Review: Verify transactions. Did they complete successfully? Did they occur in the way an end user is alleging?
  • Problem: A customer disputes transactions that appear to have been made by them, claiming a stolen credit card. Action: Isolate data from this customer; verify the IP addresses in use and compare them with previous, uncontested transactions.
  • You Can Take Back the Lead!
  • Accelerate Incident Response and Remediation. BEFORE (timeline of a security investigation without Attack Analysis): disparate sources; investigations can take days or weeks. AFTER (timeline of a security investigation with Attack Analysis): centralized repository with comprehensive data; investigations are many times faster.
  • Security Best Practices. Best Practice #1: Capture traffic at every location. Just as you wouldn’t leave a building entrance unguarded, don’t leave a network location unmonitored and unanalyzed. Best Practice #2: Capture traffic 24/7. Some attacks strike at odd hours. Best Practice #3: Configure captures based on anomalies. Understand what’s normal (e.g., email coming from your email server) and automatically capture traffic that’s abnormal (e.g., email coming from your FTP server); small capture files make it easy to zoom in on what’s wrong.
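Best Practice #3 is easiest to apply when “what’s normal” is written down as a policy and the capture filter is derived from it rather than typed by hand. The following added example (not WildPackets code; the hosts and ports are constructed) builds a tcpdump/libpcap filter expression that records only the abnormal traffic, and applies the same rule in Python so an individual packet can be checked against the policy.

```python
# Added example (not WildPackets code): derive an anomaly capture filter from a written-down policy.
# The hosts and ports below are constructed; the filter syntax is standard tcpdump/libpcap BPF.

POLICY = {
    # service port -> hosts expected to be one endpoint of every conversation on that port
    "services": {25: {"10.0.0.25"},                       # only the mail server talks SMTP
                 53: {"10.0.0.53", "10.0.0.54"}},         # only the resolvers talk DNS
    # clear-text protocols the policy forbids anywhere on the network
    "forbidden": {21: "ftp", 23: "telnet"},
}

def capture_filter(policy):
    """BPF expression that matches only policy violations; give it to tcpdump -w or a capture trigger."""
    clauses = []
    for port, hosts in sorted(policy["services"].items()):
        allowed = " or ".join(f"host {h}" for h in sorted(hosts))
        clauses.append(f"(port {port} and not ({allowed}))")
    for port in sorted(policy["forbidden"]):
        clauses.append(f"(tcp port {port})")
    return " or ".join(clauses)

def violation(policy, src, dst, proto, sport, dport):
    """The same rule applied to one packet: a short reason if it is abnormal, else None."""
    for port, hosts in policy["services"].items():
        if port in (sport, dport) and src not in hosts and dst not in hosts:
            return f"port {port} traffic between non-designated hosts {src} and {dst}"
    if proto == "tcp":
        for port, name in policy["forbidden"].items():
            if port in (sport, dport):
                return f"clear-text {name} between {src} and {dst}"
    return None

def audit(packets, policy=POLICY):
    """[(src, dst, reason)] for every packet the filter would have captured."""
    out = []
    for src, dst, proto, sport, dport in packets:
        reason = violation(policy, src, dst, proto, sport, dport)
        if reason:
            out.append((src, dst, reason))
    return out

SAMPLE = [  # constructed packets as (src, dst, proto, sport, dport)
    ("10.0.0.25", "203.0.113.5", "tcp", 40001, 25),   # mail server delivering mail: normal
    ("10.0.0.21", "203.0.113.5", "tcp", 40002, 25),   # FTP server speaking SMTP to the Internet: abnormal
    ("10.0.0.80", "10.0.0.53", "udp", 5353, 53),      # DNS to a designated resolver: normal
    ("10.0.0.80", "198.51.100.1", "udp", 5353, 53),   # DNS to an outside resolver: abnormal
    ("10.0.0.42", "10.0.0.9", "tcp", 50000, 21),      # clear-text FTP anywhere: abnormal
]

if __name__ == "__main__":
    print(capture_filter(POLICY))
    for src, dst, reason in audit(SAMPLE):
        print(f"{src} -> {dst}: {reason}")
```

The expression can be handed straight to a capture process, for instance `tcpdump -i eth0 -G 3600 -w 'anomalies-%Y%m%d%H.pcap' '<expression>'`, which gives the small, hourly files the slide recommends. Note what the rule does and does not say: `not (host 10.0.0.25)` excludes the mail server as either endpoint, so internal clients relaying through it are normal, while a host that speaks SMTP directly to the Internet (the slide's FTP server sending email) is captured. A trigger like this records only the violating packets, not their context; once it fires, the full 24/7 recording from Best Practice #2 is where the rest of the conversation lives.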
  • Omnipliance Product Line: Omnipliance TL (NOC or data center, 10G/40G, up to 128 TB with OmniStorage); Omnipliance MX (corporate campus, 1G/10G, up to 32 TB); Omnipliance CX (branch offices, 1G, up to 32 TB).
  • The WildPackets Advantage. More power in a smaller footprint: captures up to 23 Gbps of real-world traffic; scales up to 128 TB of storage; requires half the rack space and power of competitive solutions. Greater precision: captures network traffic with no data loss, so you can analyze everything, not just samples or high-level statistics; accurate metrics; rich analytics help pinpoint and characterize anomalies; an enterprise-wide solution makes forensic analysis available at every location. Better price/performance: superior power and precision at a price significantly lower than other network forensics products.
  • Faster Capture = More Complete Data: Omnipliance TL with OmniAdapter 40G has a capture-to-disk rate of 25.33 Gbps with no loss in storing the data; Omnipliance TL with OmniAdapter 10G has a capture-to-disk rate of 20.94 Gbps with no packet loss; a capture-to-disk rate per 10G port of 10.47 Gbps is the highest observed to date in testing of network analysis and recording appliances.
  • Summary: We need to stop the “Bad Guys” from winning by improving our capability to investigate attacks. Attack Analysis = Packet Capture + Network Forensics: provides comprehensive evidence of all attack activity within a set period; provides an irrefutable record of user, network, and application activity, including transactions; enables security teams to characterize and trace attacks. WildPackets Omnipliances offer unmatched performance and precision for attack analysis, complementing the existing security toolset with performance network recording, storage, and analysis.
  • Q&A. Learn more: http://security.wildpackets.com, sales@wildpackets.com, +1 (925) 937-2500. Follow us on SlideShare: check out today’s slides at www.slideshare.net/wildpackets.
  • Thank You! WildPackets, Inc., 1340 Treat Boulevard, Suite 500, Walnut Creek, CA 94597, (925) 937-3200.