1. www.wildpackets.com
Use today’s webinar hashtag #wp_networkforensics with any questions, comments, or feedback.
Follow us @wildpackets
Jay Botelho
Director of Product Management
WildPackets
jbotelho@wildpackets.com
Follow me @jaybotelho
Security Attack Analysis for
Finding and Stopping Network Attacks
Your Insurance Policy for Network Breaches
2. © 2014 WildPackets, Inc. Security Attack Analysis – May 2014
Administration
• All callers are on mute
– If you have problems, please let us know via the Chat window
• There will be Q&A
– Feel free to type a question at any time
• Slides and recording will be available
– Notification within 48 hours via a follow-up email
3.
Agenda
• The Bad Guys Are Winning
• IDS/IPS Is Not Enough
• Security Attack Analysis with Network Forensics
• You Can Take Back the Lead!
5.
“The Bad Guys Are Winning”*
• Cyber espionage up 3X
• Insiders stealing intellectual property
• Average time in 2012 to discover and resolve a data breach: 123 days
• 86% of security professionals consider incident detection time too slow
* Wade Baker, principal author of the 2014 Verizon Data Breach Investigations Report
6.
Challenges
• IDS/IPS and other tools raise alerts
• But security teams need details
– Who, what, where, when
– Answers require network visibility
• Network visibility declining overall
– Last-generation network analysis tools can’t keep up with 10G, 40G, and 100G networks
– The market trend toward high-level stats such as NetFlow and traffic sampling leaves security analysts with generalities, not specifics
8.
WildPackets Attack Analysis
• Benefits
– Give security teams evidence and insight
• A comprehensive record of network activity
• Powerful search and filtering tools for zeroing in on anomalies and attack details
– Enable security teams to act quickly
• Find proof of attacks
• Characterize attacks and stop them
– Who, what, where, when
• Solution: Packet Capture + Network Forensics
– Record, store, and analyze traffic
– Uncover and understand attacks so they can be stopped
– Tools include deep packet inspection, searches, filters, graphs, etc.
Full visibility into everything going in and out of your network
9.
Key Capabilities
WildPackets Attack Analysis:
• High Speed Packet Capture
• Deep Packet Inspection
• Node Activity Profile
• Node-to-node Interaction
• Transaction History
• Visualization
11.
Security Investigations with Network Forensics
Incident Response Verification
Pre-Zero Day Attack Forensics
Incident Path Tracking
Compliance with Security Regulations
Transaction Verification
12.
Incident Response Verification
Applying Attack Intelligence and Deep Packet Inspection (DPI), WildPackets provides unprecedented visibility into network events, enabling security analysts to conduct full Root Cause Analysis (RCA).
Workflow: Investigate → Confirm → Characterize → Resolve
Attack Analysis Results:
• Reduced MTTR for Attacks
• Reduced Impact of Attacks
13.
Problem: At approximately 11:20am IDS/IPS reports an nmap decoy attack; a number of phony addresses were used by nmap as source IPs in addition to the actual attack machine IP.
Action: Use network forensics to rewind the attack, saving all packets from 5 minutes before to 5 minutes after the report for detailed network analysis.
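The rewind step described in the Action above, as an added Python example that is not part of the WildPackets deck and does not use the Omnipliance API: it selects every packet in a rolling capture buffer from five minutes before to five minutes after the alert, summarises packets per source address (a decoy scan shows up as many sources that each appear only once), and serialises the slice as a standard libpcap file for offline analysis. The buffer, timestamps and addresses are constructed for the example.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta

ALERT_TIME = datetime(2014, 5, 1, 11, 20, 0)   # the "approximately 11:20am" IDS/IPS report (constructed date)
WINDOW = timedelta(minutes=5)                    # 5 minutes before and 5 minutes after

def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def make_frame(src_ip, dst_ip, payload=b""):
    """Constructed Ethernet + IPv4 header (no options, checksum left zero) standing in for a captured packet."""
    eth = b"\x00" * 12 + b"\x08\x00"                                    # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                     64, 6, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + payload

# Constructed stand-in for the appliance's rolling capture buffer: (timestamp, src, dst, frame bytes)
SAMPLE_BUFFER = [
    (ALERT_TIME - timedelta(minutes=12), "10.0.0.5",   "10.0.0.80"),   # before the window
    (ALERT_TIME - timedelta(minutes=3),  "10.0.0.5",   "10.0.0.80"),
    (ALERT_TIME - timedelta(seconds=30), "192.0.2.7",  "10.0.0.80"),
    (ALERT_TIME,                         "192.0.2.9",  "10.0.0.80"),
    (ALERT_TIME + timedelta(seconds=30), "192.0.2.11", "10.0.0.80"),
    (ALERT_TIME + timedelta(minutes=4),  "10.0.0.5",   "10.0.0.80"),
    (ALERT_TIME + timedelta(minutes=9),  "10.0.0.5",   "10.0.0.80"),   # after the window
]
SAMPLE_BUFFER = [(ts, s, d, make_frame(s, d)) for ts, s, d in SAMPLE_BUFFER]

def rewind(buffer, alert_time, window=WINDOW):
    """Select every packet from `window` before to `window` after the alert (inclusive)."""
    start, end = alert_time - window, alert_time + window
    return [rec for rec in buffer if start <= rec[0] <= end]

def sources_in(records):
    """Packets per source address; a burst of one-off sources is the defender's view of a decoy scan."""
    return Counter(src for _, src, _, _ in records)

def build_pcap(records, linktype=1):
    """Serialise records as a libpcap file (magic 0xa1b2c3d4, v2.4, Ethernet link type) for offline analysis."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)   # 24-byte global header
    for ts, _, _, frame in records:
        # per-packet header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", int(ts.timestamp()), ts.microsecond, len(frame), len(frame))
        out += frame
    return out

if __name__ == "__main__":
    window = rewind(SAMPLE_BUFFER, ALERT_TIME)
    with open("alert_1120_window.pcap", "wb") as fh:
        fh.write(build_pcap(window))
    print(len(window), "packets saved; per-source counts:", dict(sources_in(window)))
```

The output file opens in any pcap-aware analyser; the source-address summary is the first thing to look at when the IDS has flagged a decoy scan, because the handful of addresses that keep recurring across the whole window are the ones worth tracing further.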
14.
15.
Pre-Zero Day Attack Forensics
• Unprecedented opportunity to ask:
– Has a newly recognized attack previously struck our network? If so, what happened?
• Replay recorded network traffic to event detection systems to discover if the new incident had occurred previously and understand who and what was affected.
• AKA “Retrospective Security Assurance”
Timeline: IT begins recording network traffic → Zero-Day attack strikes → Updates to security tools recognize attack → Security team replays traffic through attack signature
16.
Problem: The internal security team has identified a previously undetected major security threat; the signature says it uses the Windows Messenger service and has a UDP packet that contains “STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION…”
Action: Immediately identify any and all systems on the network that have potentially been affected by the threat, even before the threat was initially detected.
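The retrospective replay from the Pre-Zero Day slide, applied to the Action above, as an added Python example that is not WildPackets code: it decodes recorded Ethernet/IPv4/UDP frames, runs the new payload signature over them, and reports every local host touched by a hit together with the first time it was seen, so hosts affected before the signature existed are listed. The recording, the detection time, the 10.0.0.0/24 local range and the UDP ports are all constructed; the deck does not say which port the Messenger service traffic used, so the match here is on payload content regardless of port.

```python
import ipaddress
import struct
from datetime import datetime, timedelta

SIGNATURE = b"STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION"   # payload string from the new signature
DETECTED_AT = datetime(2014, 5, 12, 9, 0)                  # constructed: when the threat was first recognised
FIRST_HIT = DETECTED_AT - timedelta(days=3)                # constructed: earliest hit in the recording
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")            # assumption: our own address space

def ip_to_bytes(a):
    return bytes(int(o) for o in a.split("."))

def bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def udp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame standing in for a recorded packet (checksums zeroed)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def parse_udp(frame):
    """Decode an IPv4/UDP frame to (src, dst, sport, dport, payload); None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
    src, dst = bytes_to_ip(frame[26:30]), bytes_to_ip(frame[30:34])
    off = 14 + ihl                                     # start of the UDP header
    sport, dport, ulen = struct.unpack("!HHH", frame[off:off + 6])
    return src, dst, sport, dport, frame[off + 8:off + ulen]

# Constructed recording: (timestamp, frame). Ports 4000/4001 are placeholders, not the real service ports.
RECORDING = [
    (FIRST_HIT, udp_frame("198.51.100.4", "10.0.0.21", 4000, 4001, SIGNATURE + b" ...")),
    (DETECTED_AT - timedelta(days=1), udp_frame("10.0.0.21", "10.0.0.22", 4000, 4001, SIGNATURE + b" ...")),
    (DETECTED_AT - timedelta(hours=2), udp_frame("10.0.0.30", "10.0.0.53", 5000, 53, b"\x12\x34\x01\x00")),
    (DETECTED_AT + timedelta(hours=1), udp_frame("198.51.100.4", "10.0.0.23", 4000, 4001, SIGNATURE)),
]

def replay(recording, signature=SIGNATURE, local_net=LOCAL_NET):
    """Run the signature over stored traffic; returns first-seen time per local host involved in a hit."""
    affected = {}
    for ts, frame in sorted(recording, key=lambda r: r[0]):
        pkt = parse_udp(frame)
        if pkt is None or signature not in pkt[4]:
            continue
        for host in pkt[:2]:                           # both the sender and the receiver of a hit
            if ipaddress.ip_address(host) in local_net and host not in affected:
                affected[host] = ts
    return affected

def before_detection(affected, detected_at=DETECTED_AT):
    """Hosts that were already involved before the signature existed."""
    return sorted(h for h, ts in affected.items() if ts < detected_at)

if __name__ == "__main__":
    hits = replay(RECORDING)
    for host, ts in sorted(hits.items(), key=lambda kv: kv[1]):
        print(host, "first seen", ts.isoformat())
    print("affected before detection:", before_detection(hits))
```

Sorting the recording by time before scanning is what makes the first-seen value meaningful; on a real appliance the same loop would read the stored capture in time order rather than a list.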
17.
Incident Path Tracking
Using built-in peer-to-peer analytics, WildPackets’ Incident Path Tracking can trace the sequence of conversations between every device on the network before and after the security event.
Result: Identify the security attack, in this case “denial of service”, the source of the attack, and all the affected devices.
18.
Problem: Hundreds of users of a wireless network in a large auditorium find they cannot maintain a VPN connection, nor can they reliably connect to the Internet; everyone seems to be affected.
Action: IDS/IPS reports no problems; assess overall network connectivity and look for anomalies.
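The before-and-after conversation tracing from the Incident Path Tracking slide, applied to the auditorium scenario, as an added Python example that is not WildPackets code: it builds the peer set of every node in the ten minutes before and after the reported event, ranks nodes by how many new peers they gained, and lists the chronological conversation path of any node of interest. The flow records, gateway and resolver addresses and event time are constructed; the point is that a node whose fan-out jumps while the IDS stays silent is where the investigation starts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EVENT = datetime(2014, 5, 1, 14, 5)      # constructed: when the VPN drop-outs were reported
WINDOW = timedelta(minutes=10)           # compare the 10 minutes before with the 10 minutes after
VPN, DNS = "203.0.113.1", "10.1.0.2"     # constructed VPN gateway and resolver addresses

# Constructed conversation records (timestamp, source, destination) from the auditorium WLAN.
FLOWS = [
    (EVENT - timedelta(minutes=8), "10.1.0.11", VPN),
    (EVENT - timedelta(minutes=8), "10.1.0.11", DNS),
    (EVENT - timedelta(minutes=7), "10.1.0.12", VPN),
    (EVENT - timedelta(minutes=6), "10.1.0.13", VPN),
    (EVENT - timedelta(minutes=5), "10.1.0.77", VPN),
    (EVENT - timedelta(minutes=5), "10.1.0.77", DNS),
    (EVENT + timedelta(minutes=1), "10.1.0.77", "10.1.0.11"),   # after the event one node talks to everyone
    (EVENT + timedelta(minutes=1), "10.1.0.77", "10.1.0.12"),
    (EVENT + timedelta(minutes=2), "10.1.0.77", "10.1.0.13"),
    (EVENT + timedelta(minutes=2), "10.1.0.77", "10.1.0.14"),
    (EVENT + timedelta(minutes=3), "10.1.0.77", "10.1.0.15"),
    (EVENT + timedelta(minutes=3), "10.1.0.77", "10.1.0.16"),
    (EVENT + timedelta(minutes=4), "10.1.0.11", VPN),           # clients retrying the gateway
    (EVENT + timedelta(minutes=5), "10.1.0.12", VPN),
]

def peers_in(flows, start, end):
    """Undirected peer set per node for conversations with start <= timestamp < end."""
    peers = defaultdict(set)
    for ts, src, dst in flows:
        if start <= ts < end:
            peers[src].add(dst)
            peers[dst].add(src)
    return peers

def fan_out_change(flows, event, window=WINDOW):
    """Nodes as (node, peers before, peers after), ranked by how many new peers they acquired."""
    before = peers_in(flows, event - window, event)
    after = peers_in(flows, event, event + window)
    rows = []
    for node in set(before) | set(after):
        rows.append((node, len(before.get(node, ())), len(after.get(node, ()))))
    return sorted(rows, key=lambda r: (-(r[2] - r[1]), r[0]))

def path_for(flows, node):
    """Chronological list of every conversation the node took part in, as source or destination."""
    return sorted((f for f in flows if node in f[1:]), key=lambda f: f[0])

if __name__ == "__main__":
    for node, b, a in fan_out_change(FLOWS, EVENT)[:3]:
        print(f"{node}: {b} peers before, {a} peers after")
    top = fan_out_change(FLOWS, EVENT)[0][0]
    for ts, src, dst in path_for(FLOWS, top):
        print(ts.time(), src, "->", dst)
```

Peer sets are undirected on purpose: the gateway's peer count falls after the event while the suspect node's rises, and both movements are visible in the same table.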
19.
Ensuring Compliance – Leaked Data
Filter for patterns like SSNs and keywords.
Result: Evidence of data breaches and details that help track down the particulars of security attacks.
20.
Problem: While reviewing the weekly network performance report, clear-text protocols were discovered which violate the company’s security policy.
Action: Find FTP traffic and identify suspected users; analyze FTP traffic to see if sensitive data was transmitted.
21.
Transaction Review
• Verify Transactions
– Did they complete successfully?
– Did they occur in the way an end user is alleging?
22.
Problem: A customer refutes transactions that appear to be made by them, claiming a stolen credit card.
Action: Isolate data from this customer; verify IP addresses in use and compare with previous, uncontested transactions.
24.
Accelerate Incident Response and Remediation
BEFORE – Timeline of a Security Investigation without Attack Analysis
• Disparate sources
• Investigations can take days or weeks
AFTER – Timeline of a Security Investigation with Attack Analysis
• Centralized repository with comprehensive data
• Investigations are many times faster
25.
Security Best Practices
• Best Practice #1: Capture Traffic at Every Location
– Just as you wouldn’t leave a building entrance unguarded, don’t leave a network location unmonitored and unanalyzed.
• Best Practice #2: Capture Traffic 24/7
– Some attacks strike at odd hours.
• Best Practice #3: Configure Captures based on Anomalies
– Understand what’s normal (e.g., email coming from your email server), and automatically capture traffic that’s abnormal (e.g., email coming from your FTP server).
– Small capture files make it easy to zoom in on what’s wrong.
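Best Practice #3 as a small rule engine, an added Python example that is not WildPackets code: each profiled server carries the set of destination ports its role normally initiates connections to, a flow from a profiled host to any other port is abnormal (the slide's "email coming from your FTP server"), and an abnormal flow produces a narrow capture filter for just that host and port, with a cool-down so one misbehaving host does not trigger a new capture every few seconds. The role profile, flow records and cool-down are constructed; the filter expressions use BPF syntax as accepted by tcpdump-style tools, and the appliance's own trigger mechanism is not shown.

```python
from datetime import datetime, timedelta

# Constructed baseline of what is normal: the destination ports each profiled server may initiate connections to.
ROLE_PROFILE = {
    "10.0.0.25": {"role": "mail server", "client_ports": {25, 53}},   # relays outbound mail, resolves names
    "10.0.0.21": {"role": "ftp server",  "client_ports": {53}},       # should only ever look up names
    "10.0.0.53": {"role": "dns server",  "client_ports": {53}},
}
COOLDOWN = timedelta(minutes=15)   # at most one triggered capture per (host, proto, port) per cool-down

def is_anomalous(flow):
    """Abnormal = a profiled host initiating a connection on a port its role does not use."""
    prof = ROLE_PROFILE.get(flow["src"])
    if prof is None:
        return False      # unprofiled hosts are out of scope for this rule (assumption)
    return flow["dport"] not in prof["client_ports"]

def capture_filter(flow):
    """BPF expression that narrows the triggered capture to the suspect host and service."""
    return f"host {flow['src']} and {flow['proto']} port {flow['dport']}"

class CaptureTrigger:
    """Turns anomalous flows into small, targeted capture jobs, de-duplicated over the cool-down."""
    def __init__(self, cooldown=COOLDOWN):
        self.cooldown = cooldown
        self.last_fired = {}
        self.captures = []

    def observe(self, flow):
        if not is_anomalous(flow):
            return None
        key = (flow["src"], flow["proto"], flow["dport"])
        last = self.last_fired.get(key)
        if last is not None and flow["ts"] - last < self.cooldown:
            return None   # already capturing this host/port; do not start another job
        self.last_fired[key] = flow["ts"]
        expr = capture_filter(flow)
        self.captures.append((flow["ts"], ROLE_PROFILE[flow["src"]]["role"], expr))
        return expr

T0 = datetime(2014, 5, 1, 3, 12)   # constructed: an odd-hours timestamp
SAMPLE_FLOWS = [
    {"ts": T0, "src": "10.0.0.25", "dst": "198.51.100.10", "proto": "tcp", "dport": 25},                          # mail relay: normal
    {"ts": T0 + timedelta(minutes=1), "src": "10.0.0.21", "dst": "198.51.100.10", "proto": "tcp", "dport": 25},   # FTP server sending mail: abnormal
    {"ts": T0 + timedelta(minutes=3), "src": "10.0.0.21", "dst": "198.51.100.11", "proto": "tcp", "dport": 25},   # same host, inside cool-down
    {"ts": T0 + timedelta(minutes=4), "src": "10.0.0.53", "dst": "198.51.100.53", "proto": "udp", "dport": 53},   # resolver: normal
    {"ts": T0 + timedelta(minutes=5), "src": "10.0.0.99", "dst": "198.51.100.10", "proto": "tcp", "dport": 25},   # unprofiled host: ignored here
    {"ts": T0 + timedelta(minutes=20), "src": "10.0.0.21", "dst": "198.51.100.10", "proto": "tcp", "dport": 25},  # after cool-down: fires again
]

def run(flows):
    """Feed flows through the trigger in order and return the capture jobs it started."""
    trig = CaptureTrigger()
    for f in flows:
        trig.observe(f)
    return trig.captures

if __name__ == "__main__":
    for ts, role, expr in run(SAMPLE_FLOWS):
        print(ts.time(), role, "->", expr)
```

The filter is deliberately narrow: a capture of one host on one port stays small enough to open immediately, which is the point of the slide's last bullet.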
26.
Omnipliance Product Line
• Omnipliance TL: NOC or Data Center, 10G/40G, up to 128 TB with OmniStorage
• Omnipliance MX: Corporate Campus, 1G/10G, up to 32 TB
• Omnipliance CX: Branch Offices, 1G, up to 32 TB
27.
The WildPackets Advantage
More Power in a Smaller Footprint
– Captures up to 23Gbps of real-world traffic
– Scales up to 128 TB of storage
– Requires half the rack space and power of competitive solutions
Greater Precision
– Captures network traffic with no data loss, so you can analyze everything, not just samples or high-level statistics
– Accurate metrics
– Rich analytics help pinpoint and characterize anomalies
– Enterprise-wide solution makes forensic analysis available at every location
Better Price/Performance
– Superior power and precision at a price significantly lower than other network forensics products.
28.
Faster Capture = More Complete Data
• Omnipliance TL with OmniAdapter 40G has a capture-to-disk rate of 25.33Gbps with no loss in storing the data
• Omnipliance TL with OmniAdapter 10G has a capture-to-disk rate of 20.94Gbps with no packet loss
• Capture-to-disk rate per 10G port of 10.47Gbps is the highest observed to date in testing of network analysis and recording appliances
29.
Summary
• We need to stop the “Bad Guys” from winning.
– Improve capability to investigate attacks.
• Attack Analysis = Packet Capture + Network Forensics
– Provides comprehensive evidence of all attack activity within a set period.
– Provides an irrefutable record of user, network, and application activity, including transactions.
– Enables security teams to characterize and trace attacks.
• WildPackets Omnipliances offer unmatched performance and precision for attack analysis.
– Complements existing security toolset with performance network recording, storage, and analysis.