This document discusses threats faced by manufacturers from cyber attacks and how to protect important intellectual property and sensitive business data, known as "crown jewels". It describes how network behavioral anomaly detection (NBAD) can be used to monitor network traffic and identify anomalies that may indicate insider threats or external attacks. The document outlines how to identify crown jewels, monitor insiders' network activity, ensure proper audit trails are in place, and provides an overview of the Lancope StealthWatch solution for gaining network visibility and security intelligence.
There are three ways Lancope detects things: signatures, anomaly detection and behavior-based detection. For signatures, Lancope augments the product with our SLIC Threat Feed. Our StealthWatch Labs group of researchers works with external parties to define and maintain URLs and IPs that are known to be bad; you load those into your system and match them against every single conversation in your network. So it's real-time, it's ubiquitous across your enterprise, and it's high value.
Anomaly detection is our threshold-based alerting: when we drop in a system, we are going to create high concern index events on day one for devices that exceed acceptable thresholds of noise. Within our behavior-based system you have to have thresholds on both the low end and the high end, because the behavior of a host will actually live in between those two areas. What this means is that super slow attackers generating very little traffic will alert below a threshold, and very noisy volumetric DDoS attacks coming in as UDP floods become threshold-based alarms as well.
The behavior-based alarms depend on the learned baseline we build over time: a minimum of seven days to create a baseline, expanding out to 30 days, rolling over time and most heavily weighted on the last couple of weeks of activity. This is where we are actually able to detect things like worm activity and worm propagation, beaconing hosts, data hoarding and data exfiltration. These alarms are based on statistical conditions that we have learned about you as a user on your network.
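As an added illustration of the two layers just described (not Lancope's code or its patented algorithm), the toy below raises fixed high/low threshold alarms from day one and a recency-weighted behavioral alarm only once seven days of history exist; the host names and daily byte counts are constructed.

```python
"""Toy model of the two detection layers described above: fixed high/low
thresholds that alarm from day one, plus a learned, recency-weighted per-host
baseline that only alarms once enough history exists. Constructed data and
hypothetical host names; this is not Lancope's patented algorithm."""

# Constructed: bytes sent per host per day, oldest first; last entry is today.
DAILY_BYTES = {
    "ws-042": [2.0e8, 2.1e8, 1.9e8, 2.2e8, 2.0e8, 2.1e8, 2.0e8, 1.9e8, 2.1e8, 2.0e8],
    "db-07": [5.0e9, 5.2e9, 4.9e9, 5.1e9, 5.0e9, 5.3e9, 5.1e9, 5.0e9, 5.2e9, 4.0e10],
    "iot-11": [9.0e5, 8.8e5, 9.1e5, 9.0e5, 8.9e5, 9.2e5, 9.0e5, 8.9e5, 9.1e5, 9.0e5],
}

HIGH_THRESHOLD = 2.0e10  # bytes/day above which a host is noisy (volumetric)
LOW_THRESHOLD = 1.0e6    # bytes/day below which a host is suspiciously quiet
MIN_BASELINE_DAYS = 7    # no behavioral alarm until a baseline exists
SIGMA = 3.0              # how far from the baseline counts as a deviation


def weighted_baseline(history, half_life_days=7.0):
    """Recency-weighted mean and standard deviation of all days before today."""
    past = history[:-1]
    weights = [0.5 ** ((len(past) - 1 - i) / half_life_days) for i in range(len(past))]
    total = sum(weights)
    mu = sum(w * x for w, x in zip(weights, past)) / total
    var = sum(w * (x - mu) ** 2 for w, x in zip(weights, past)) / total
    return mu, var ** 0.5


def concern_events(daily_bytes):
    """Return (host, reason) pairs: threshold alarms always, behavioral ones
    only once MIN_BASELINE_DAYS of history are available."""
    events = []
    for host, history in daily_bytes.items():
        today = history[-1]
        if today > HIGH_THRESHOLD:
            events.append((host, "threshold-high"))
        if today < LOW_THRESHOLD:
            events.append((host, "threshold-low"))
        if len(history) - 1 >= MIN_BASELINE_DAYS:
            mu, sd = weighted_baseline(history)
            sd = max(sd, 0.05 * mu)  # floor so a flat history cannot alarm on noise
            if abs(today - mu) > SIGMA * sd:
                events.append((host, "behavior-deviation"))
    return events


if __name__ == "__main__":
    for host, reason in concern_events(DAILY_BYTES):
        print(f"{host}: {reason}")
```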
You, the customer, have already invested early in signature-based technology, and it is not that this technology is no longer effective; it is that your adversary has advanced, and so must you. Behavior and anomaly detection methods address the problem of not knowing what you are looking for ahead of time, as with a zero-day exploit. Behavior-based detection contains the threat and observes its behavior with the objective of dynamically building a blacklist, a list of bad things. Anomaly detection leverages known good behavior or actions, either inherent to the protocols, statistically collected from the traffic, or asserted by the user; this whitelist, or list of norms, allows detection to be based not on abnormalities but on the differences that make the difference.
The story of Lancope. We started in 2001 as a behavior-based IDS, founded by Professor Dr. John Copeland at Georgia Tech.
Dr. Copeland spent his time consuming ATM network traffic and building statistics from that traffic. The intellectual property he patented was the ability to take those statistics and create algorithms that tell us when the statistics have changed to the point where a threat condition is met.
StealthWatch originates with that Georgia Tech professor, who used statistical change, measured by an algorithm he developed, as an indicator of concern in the security market. Lancope launched this behavior-based IDS in 2001, and for the next four years that is where we established our initial foothold in the market. Lancope quickly grew to a 50-person organization, raised $30 million, and was a hot startup.
What we ran into was that the fight for SPAN port space inside the network was starting to be won by other technologies like IDS/IPS. As the company evolved, Lancope pioneered a new market: consuming telemetry data for security intelligence. When we reference telemetry, Lancope is talking about NetFlow data, a summarized flow record or telemetry source that comes directly from your Layer-3 routers and switches into our system. By applying our patented algorithms to this flow data, Lancope can give you really broad scalability to see into areas of the network that you cannot affordably get access to today. That tends to be the LAN infrastructure, the deep dark corners of your data center where you would never deploy a physical asset or probe to get adequate visibility. Flow data does a really good job of illuminating those pieces of the network.
This is a "day in the life of the operator" slide. It is the "without ISE + SIEM/TD integration" view. This scenario can be described as the "swivel chair problem" (as indicated by the circle arrows around the operator). As this slide builds out, talk about how the security analyst has to swivel his chair to 5 or more different operations screens across different IT systems to collect all the context needed to make sense of a security event that shows up on the SIEM/TD screen at the beginning of this slide.
Orange indicates systems that you can get information from, but only by looking in a siloed system. Red indicates information that most IT systems do not even possess in these use cases, so it is crucial information the security analyst just does not have.
A key point in this slide is the last one…"how do I mitigate?" This is a real issue for IT organizations, as mitigation generally means accessing several different systems, CLI-ing into switches, etc. It is manual and cumbersome and, as a result, often just does not get done.
So the summary is the last build…you have to look across many systems and screens and you are still missing important contextual data (like device type), and mitigation is complicated at best or a non-starter at worst.
And here is where it starts to get fun. The traffic could be coming from anywhere in the world; it is going to take multiple hops to get there and it is going to come from disparate pieces of your organization. What Lancope lives and breathes is the ability to know every single host, record every conversation, understand the posture of each host involved in those conversations (who is the client, who is the server, what is considered normal), and learn and show signs of deviation related to changes in that host.
So the two core components of the StealthWatch product are 1) the detection component, which captures the change or behavioral impact that a host is going through, and 2) the ability to store that data for long periods of time. Cisco likes to tell the story about APT1 and its ability to take multiple months' worth of flow data and go back and run a query against IPs they knew had been bad in the past but were no longer considered bad. APT1 is the example they use.
With the Chinese hacking group APT1, by the time those IPs were posted they were effectively useless at that point, but Cisco did have the ability to go back and run a query against the previous 100 days to see when and if any of the APT1 hosts had accessed the Cisco internal network, and if they had, who they talked to, how much data they touched, how they moved, how they entered and how they left.
So this is really useful information, especially when you look at the lifecycle of security and how we push what we learn from a past event into the future so that we can prevent it the next time it occurs. Lancope essentially creates this rich audit repository, with a detection posture, in response to every conversation in your network.
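As an added example of the retrospective query described above (not StealthWatch's own query interface), the code below runs a later-published indicator list over retained flow records and answers the questions in the text: when contact happened, which internal hosts were involved, how much data moved in each direction, and where those hosts went next. The flow records, the indicator, the 10.0.0.0/8 internal range and the helper names are all constructed assumptions.

```python
"""Retrospective query over retained flow records, as described above: given
indicators published after the fact, find which internal hosts talked to them,
when, over which ports, and how much data moved. Constructed records and
hypothetical helper names; not StealthWatch's own query interface."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the enterprise address space
NOW = datetime(2013, 2, 15)          # constructed: the day the query is run

# Constructed flows (start, src, dst, dst port, bytes src->dst); external IPs are documentation-range, not real indicators.
FLOWS = [
    ("2013-01-10T09:15:00", "203.0.113.7", "10.1.4.22", 443, 4_100),
    ("2013-01-10T09:16:30", "10.1.4.22", "203.0.113.7", 443, 12_000),
    ("2013-01-12T23:40:00", "10.1.4.22", "10.1.9.5", 445, 250_000),
    ("2013-01-14T02:05:00", "10.1.9.5", "203.0.113.7", 443, 1_800_000_000),
    ("2013-02-01T11:00:00", "10.2.0.9", "198.51.100.20", 80, 9_000),
    ("2012-09-01T10:00:00", "10.1.4.22", "203.0.113.7", 443, 500),
]
INDICATORS = {"203.0.113.7"}  # constructed: "published" after the activity ended

def retro_query(flows, indicators, now, window_days=100):
    """Summarise every retained conversation with an indicator within the window."""
    cutoff = now - timedelta(days=window_days)
    hits = {}
    for start, src, dst, port, nbytes in flows:
        t = datetime.fromisoformat(start)
        if t < cutoff:
            continue  # older than the retention window being queried
        if src in indicators and ip_address(dst) in INTERNAL:
            ext, host, direction = src, dst, "in"
        elif dst in indicators and ip_address(src) in INTERNAL:
            ext, host, direction = dst, src, "out"
        else:
            continue
        h = hits.setdefault(ext, {"first": t, "last": t, "hosts": set(),
                                  "ports": set(), "in": 0, "out": 0})
        h["first"], h["last"] = min(h["first"], t), max(h["last"], t)
        h["hosts"].add(host)
        h["ports"].add(port)
        h[direction] += nbytes
    return hits

def lateral_peers(flows, touched_hosts, after):
    """Internal hosts that the touched hosts contacted after first contact."""
    peers = set()
    for start, src, dst, _port, _nbytes in flows:
        if src in touched_hosts and ip_address(dst) in INTERNAL and datetime.fromisoformat(start) >= after:
            peers.add(dst)
    return peers
```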