HP Protects Massive, Global Network with StealthWatch


Published on

Learn how HP relies on StealthWatch, along with its own HP Vertica solution, to:

- improve network visibility and security across its enormously complex, global network
- obtain in-depth information that enables its security teams to act more quickly and minimize potential damage
- quickly detect anomalous activity, such as DDoS, malware and network misuse

  1. Hewlett-Packard Improves Visibility & Security with Lancope StealthWatch
     Jim O’Shea, Network Security Architect, HP, jim.oshea@hp.com
  2. HP Security Team
     • “We Say NO” (as customers see us)
     • We really provide VALUABLE “advice”
     • We would like to watch and further evaluate what we “advised on”
       • StealthWatch provides the opportunity to see a real traffic view.
     • We chase shiny objects
       • StealthWatch provides areas of focused interest (which have been intelligently correlated to guide our views)
     ©2013 Lancope, Inc. All Rights Reserved.
  3. AGENDA
     • Solution Strategy
     • Solution Vision
     • Solution Components
     • Solution Overview
     • StealthWatch Use Cases
     • Flow Gathering & Redistribution Overview
     • Integration
     • Recommendations for Solution
  4. HP STRATEGY & SCOPE DECISIONS (Why we needed Lancope StealthWatch)
     • Fill the Visibility GAP
       • Provide internal monitoring and visibility without extensive instrumentation
       • Provide botnet and other malware detection
       • Provide anomaly detection
     • Take advantage of already collected flow to form a “Security View”
       • Already collected and used
       • Multiple tools in use
       • Ability to collect once and use multiple times
     • Assist in analysis
       • Assist in detection of data loss
       • Assist in DDoS recognition
       • Provide anomaly detection and visibility to sudden changes in the network
     • Integrate
       • Augment and integrate with TippingPoint (IPS) and ArcSight (SIEM) and existing tools
     • Assist and improve understanding
       • Monitor FW policy of environments
       • Understand applications
     • Core requirements
       • Centralized management
       • Scalability
       • IPv6 ready
       • Help establish partnerships with the Network team, Application teams, Storage, etc.
  5. HP Solution Vision: Integrate, Augment, Automate
     [Architecture diagram. Components shown: HP Network and Network devices exporting NetFlow (v9 / IPFIX) and sFlow; StealthWatch receiving flow records and emitting Events; SOC/SIEM ArcSight (Events); Tipping Point IPS (RepDV, Events); Intelligence Feeds (SLIC); Flow Records (API); Executive Reporting; HPOV NOC/Ticketing System. Legend: Green = significant use, Yellow = emerging, Red = not yet, but planned.]
  6. StealthWatch – A Complete, Integrated Family of Products
     • Complete network visibility
     • Comprehensive security monitoring
     • FW policy monitoring
     • Network troubleshooting and usage reporting
     • Mitigation and notification
     • Forensics and reporting
  7. HP Solution Components
     • StealthWatch FlowReplicators
       • UDP port replication service: listens on any specified UDP port and sends to one or more backend devices on the same or a new port
       • Allows collect once, analyze as much as desired
       • Allows a reduced number of destinations for simpler configuration standards
     • StealthWatch FlowCollectors
       • NetFlow collector to analyze NetFlow
       • sFlow collector to analyze sFlow
     • SLIC feed
       • Lancope research security feed to assist in staying current with Command & Control and other malicious IP addresses
       • Has URL granularity potential (IPFIX future ability for us); effective if using FlowSensor
     • StealthWatch Management Console
       • User interface
       • Queries collectors for data to perform analytics
       • Report and event configuration and actions
     • ArcSight
       • Receives specified configured events for further action and correlation
  8. HP Solution Overview & Review: StealthWatch + other tools
     • Deploy FlowReplicator hardware focused on region
       – 1 IP address for standardization of configurations
     • Data is distributed as needed to new and legacy tools
       – Boundary router IP spoofing must be considered if crossing compartment boundaries
     • Detection of usage anomalies & utilization increases (D/DoS solution integration)
     • Detection of mal-flows (worms / C&C / suspected data leakage)
     • Understand application environments
     • Integrates with ArcSight (SIEM)
     • Allows growth
     PROS
       1. Simpler configurations
       2. Global capability
       3. Able to add flows easily to devices
       4. Keep the current tool in use
       5. Collect once, reuse multiple times
       6. Understands IPv6 addressing
       7. (D)DoS solution integration opportunity
     CONS
       1. Requires Replicator to be managed outside Console
       2. Potential tool overlap (no forced legacy tool removal)
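The FlowReplicator described on the components slide and the "1 IP address" collection concept on this slide amount to a UDP fan-out: one listener per collection area, each datagram copied unchanged to every collector that wants it. The script below is an added example, not code from Lancope or HP, that models that behaviour in Python. The config syntax, the hosts and ports, and the version check on the NetFlow/IPFIX header are all constructed for the example.

```python
"""UDP flow replication: collect once, forward to one or more collectors.

Added example, not Lancope or HP code. Models the FlowReplicator behaviour the
deck describes: listen on a specified UDP port and send each datagram to one or
more backends on the same or a different port. Config syntax, addresses and
ports below are constructed for the example.
"""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass, field
from typing import Optional

# NetFlow v5/v9 and IPFIX datagrams start with a 16-bit big-endian version field.
NETFLOW_V5, NETFLOW_V9, IPFIX = 5, 9, 10


@dataclass(frozen=True)
class Destination:
    host: str
    port: Optional[int] = None  # None means "same port the replicator listened on"


@dataclass
class ReplicationRule:
    listen_port: int
    destinations: list = field(default_factory=list)
    # Header versions accepted on this listener; empty set passes everything through.
    accept_versions: frozenset = frozenset()

    def targets(self) -> list:
        """Resolve 'same port' destinations into concrete (host, port) pairs."""
        return [(d.host, d.port if d.port is not None else self.listen_port)
                for d in self.destinations]


def flow_version(payload: bytes) -> Optional[int]:
    """Version field of a NetFlow v5/v9 or IPFIX header, or None if too short."""
    if len(payload) < 2:
        return None
    return struct.unpack("!H", payload[:2])[0]


def fan_out(rule: ReplicationRule, payload: bytes) -> list:
    """One (destination, payload) pair per backend. The datagram is passed
    through byte-for-byte; datagrams whose header version the rule does not
    accept are dropped so junk on the listener port is not replicated."""
    if rule.accept_versions and flow_version(payload) not in rule.accept_versions:
        return []
    return [(dest, payload) for dest in rule.targets()]


def parse_rules(text: str) -> dict:
    """Parse a constructed one-listener-per-line config:
        <listen_port> -> host[:port][, host[:port] ...]
    '#' starts a comment. A destination without a port reuses the listen port."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        left, right = (part.strip() for part in line.split("->", 1))
        listen_port = int(left)
        dests = []
        for item in right.split(","):
            host, _, port = item.strip().partition(":")
            dests.append(Destination(host, int(port) if port else None))
        rules[listen_port] = ReplicationRule(listen_port, dests)
    return rules


def serve_once(listener: socket.socket, rule: ReplicationRule) -> int:
    """Receive one datagram on `listener` and forward it per `rule`.
    Returns the number of copies sent."""
    payload, _exporter = listener.recvfrom(65535)
    copies = fan_out(rule, payload)
    for dest, data in copies:
        listener.sendto(data, dest)
    return len(copies)


def run_loopback_demo() -> list:
    """Replicate one constructed NetFlow v9 header to two loopback 'collectors'."""
    collectors = []
    for _ in range(2):
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("127.0.0.1", 0))
        s.settimeout(2)
        collectors.append(s)
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listen_port = listener.getsockname()[1]
    rule = ReplicationRule(
        listen_port,
        [Destination("127.0.0.1", c.getsockname()[1]) for c in collectors],
        frozenset({NETFLOW_V9}),
    )
    # Constructed v9 header: version, count, sysuptime, unix secs, sequence, source id
    packet = struct.pack("!HHIIII", NETFLOW_V9, 0, 1000, 1_700_000_000, 1, 42)
    exporter = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    exporter.sendto(packet, ("127.0.0.1", listen_port))
    serve_once(listener, rule)
    received = [c.recv(65535) for c in collectors]
    for s in collectors + [listener, exporter]:
        s.close()
    return received


if __name__ == "__main__":
    copies = run_loopback_demo()
    print(f"{len(copies)} collectors received the datagram; versions:",
          [flow_version(p) for p in copies])
```

One caveat matters for the "crossing compartment boundaries" note above. A user-space forwarder like this one re-sources every copy from the replicator's own address, so a collector sees the replicator, not the original router, as the exporter. A replicator that preserves the exporter's source address instead emits spoofed-source datagrams, and my reading of the deck's caveat is that anti-spoofing filters on a boundary router will discard those copies unless an exception is made for the replicator's path.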
  9. Records Every Host-to-Host “Conversation”
     • Unique flow-based design fills gaps left by other network and security technologies
     • Integrates network security and optimization
     • Provides broader range of coverage and capabilities:
       • Behavioral-based monitoring and anomaly detection
       • Application awareness
       • User-level data capture
       • Automatic security issue prioritization
       • Real-time tracking and graphic display of grouped virtual host performance by business unit, function, etc.
       • Customizable, real-time displays of network intelligence
     • Reduces cost and complexity of deploying and managing probes
  10. HP Security Monitoring Use Cases
     • Botnet and other malware detection
     • Anomaly detection
     • Traffic policy enforcement
     • Firewall auditing
     • Insider abuse
     • Data loss prevention
     • DDoS indications
     • Use of WORM/SCAN catcher environment
  11. HP Monitoring – Anomalies Are Easily Visible
     • Ability to group IP ranges into a GROUP
     • Anomaly detection
     • Data loss prevention
     • Potential DDoS
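The two slides above list what HP wants from flow data (scan/worm and botnet behaviour, potential DDoS, data loss) and the one feature that makes the findings readable: grouping IP ranges into named host groups. The script below is an added example, not Lancope or HP code, showing the simplest form of those checks over flow records: longest-prefix host groups, then per-host counts of distinct peers, distinct sources and outbound bytes to anything outside the groups. The group names, addresses, thresholds and flow records are constructed for the example; a real deployment would baseline the thresholds per group rather than hard-code them.

```python
"""Flow-based anomaly indicators over host groups.

Added example, not Lancope or HP code. Illustrates the monitoring use cases
(scan/worm behaviour, potential DDoS, suspected data loss) as checks over
flow records grouped by IP range. Group names, addresses, thresholds and the
records themselves are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass(frozen=True)
class Alert:
    kind: str      # "scan", "ddos" or "data-loss"
    host: str      # the host the indicator is about
    group: str     # host group that host belongs to
    measure: int   # distinct peers, distinct sources, or outbound bytes


class HostGroups:
    """Map an address to a named group by longest-prefix match; anything
    outside every configured range is 'External'."""

    def __init__(self, groups: dict):
        self._nets = [(name, ipaddress.ip_network(cidr))
                      for name, cidrs in groups.items() for cidr in cidrs]

    def classify(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        best_name, best_len = "External", -1
        for name, net in self._nets:
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
        return best_name


@dataclass(frozen=True)
class Thresholds:
    scan_peers: int = 50                 # distinct (dst, dport) pairs from one source
    ddos_sources: int = 100              # distinct sources hitting one destination
    data_loss_bytes: int = 500_000_000   # bytes from an internal host to External


def detect(flows, groups: HostGroups, th: Thresholds = Thresholds()) -> list:
    """Return alerts for every host that crosses a threshold, sorted by kind/host."""
    peers = defaultdict(set)     # src -> {(dst, dport)}   (scan / worm indicator)
    sources = defaultdict(set)   # dst -> {src}            (DDoS indicator)
    egress = defaultdict(int)    # internal src -> bytes to External (data loss)
    for f in flows:
        peers[f.src].add((f.dst, f.dport))
        sources[f.dst].add(f.src)
        if groups.classify(f.src) != "External" and groups.classify(f.dst) == "External":
            egress[f.src] += f.nbytes
    alerts = []
    for src, s in peers.items():
        if len(s) >= th.scan_peers:
            alerts.append(Alert("scan", src, groups.classify(src), len(s)))
    for dst, s in sources.items():
        if len(s) >= th.ddos_sources:
            alerts.append(Alert("ddos", dst, groups.classify(dst), len(s)))
    for src, b in egress.items():
        if b >= th.data_loss_bytes:
            alerts.append(Alert("data-loss", src, groups.classify(src), b))
    return sorted(alerts, key=lambda a: (a.kind, a.host))


# Constructed groups; "Finance" is a more specific range inside "Corporate".
GROUPS = HostGroups({"Corporate": ["10.0.0.0/8"],
                     "Finance": ["10.1.5.0/24"],
                     "DMZ": ["203.0.113.0/24"]})


def sample_flows() -> list:
    """Constructed records: one host sweeping port 445, one DMZ target hit by
    150 external sources, one Finance host pushing 700 MB out, one normal host."""
    flows = [Flow("10.1.2.3", f"10.7.0.{i}", 445, 120) for i in range(1, 61)]
    flows += [Flow(f"198.51.100.{i}", "203.0.113.10", 80, 60) for i in range(1, 151)]
    flows += [Flow("10.1.5.7", "198.51.100.200", 443, 100_000_000) for _ in range(7)]
    flows.append(Flow("10.1.5.8", "198.51.100.200", 443, 1_000_000))
    return flows


if __name__ == "__main__":
    for a in detect(sample_flows(), GROUPS):
        print(f"{a.kind:<9} {a.host:<15} group={a.group:<9} measure={a.measure}")
```

The group lookup is what turns a raw address into something an analyst can act on: the same three counters produce "Finance host sending 700 MB out" rather than "10.1.5.7 sending 700 MB out", and thresholds can then be set per group (a DMZ web server legitimately sees many sources; a Finance workstation does not).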
  12. Your Infrastructure Provides the Source...
     [Network diagram: Internet, WAN, DMZ, Datacenter and Access segments, with sites in Atlanta, San Jose and New York; every segment and site exports NetFlow.]
  13. Flow Gathering & Redistribution – 1 IP concept (per collection area)
     [Diagram of flow volume per collection area: High 600,000 FPS, Steady 450,000 FPS.]
  14. HP: StealthWatch POC Results (Objective – StealthWatch result)
     • Internal Network Security Monitoring and Visibility – All WAN sites + egress + DC entry {emerging internal DC / IPS}
     • Detect Network Anomalies and Fill Visibility Gaps – No additional site instrumentation / learns & informs
     • Improved Incident Response and Forensics – Supplies detailed information (what/when/where/how)
     • Identify Peer-to-Peer Networking – Some wanted / some not
     • Detect unauthorized communications and application access to the Internet (including Botnet, Command and Control, Malware)
     • Enforce Network Security Policies – Emerging capability in our deployment
     • Firewall Rule Auditing – Emerging use case deployment (what is really flowing & where)
     • Integrate With Existing HP Security Applications
  15. StealthWatch POC – Technical Integration
     • Integration with ArcSight
       – Correlation based on events we send
       – Ability to CONFIGURE the PORT we want to send events on (not always UDP 514)
       – Ability to send to MULTIPLE ArcSight instances
         • Not every event is a security event
     • Integration with HP asset management database
       – Ability to “right click” on a source or destination and ‘auto-populate’ a send to internal and external locations (links to the internal asset management system to find the owner)
     • Integration with Tipping Point event correlation
       – Currently correlated in ArcSight; the vision is to pass information to a quarantine capability
       – Remains work in progress
     • Integration with HP Networking wireless controllers
       – Ability to “quarantine a misbehaving wireless user”
       – Future capability & use
  16. Lancope Recommendations
     • Product inventory based on the HP network’s 600,000 FPS
       – Qty. 2 StealthWatch Management Console 2000 Series (redundant configuration)
         • Management appliance and reporting console for all StealthWatch components
       – Qty. 6 NetFlow Collector 4000 (supports up to 120,000 FPS per appliance)
         • Collects, analyzes and stores NetFlow data from the HP network
       – Qty. 3 sFlow Collector 2000 (supports up to 60,000 FPS per appliance)
         • Collects, analyzes and stores sFlow data from the HP network
         • Supports up to 60,000 flows per second per appliance
       – Qty. 3 FlowReplicator
         • Controls traffic flow of NetFlow/sFlow from routers/switches to FlowCollectors
         • Can also be used to replicate syslog and SNMP traps
     • Qty. 600 flow collection and analysis licenses
       • Software license for 600,000 FPS
     • 1 year maintenance
       • Software/hardware support and updates
       • Phone support
  17. Thank You
     For more information, download the HP Case Study “HP improves its network security with an HP Vertica and Lancope solution” or contact sales@lancope.com.
     Jim O’Shea, Network Security Architect, HP, jim.oshea@hp.com