Decreasing Incident Response Time
•Download as PPTX, PDF•
0 likes•894 views
This presentation has been well received the the SANS community and many information security teams I engage with. It describes how integrating a full content repository to your existing security architecture can decrease incident response time and lead to fast identification of root cause. I also describe a new way of implementing NetFlow without sampling to provide greater visibility of your network. Enjoy! Boni Bruno, CISSP, CISM, CGEIT www.bonibruno.com
Recommended
Recommended
More Related Content
What's hot
What's hot (19)
Similar to Decreasing Incident Response Time
Similar to Decreasing Incident Response Time (20)
More from Boni Bruno
More from Boni Bruno (8)
Recently uploaded
Recently uploaded (20)
Decreasing Incident Response Time
- 1. Decreasing Incident Response Time ______________________________ Benefits of Packet Capture & Real-time NetFlow Generation Boni Bruno, CISSP, CISM, CGEIT Technical Director
- 2. You Just Suffered a Major Security Breach! 3 Questions Your IT Staff Better Answer in the First 8 Hours!! What Happened?! Who Was Affected?! When Will It Be Fixed?! Could Your Current SEM/SIEM Tools Cover You for this Security Breach? 2 Copyright © 2014
- 3. Suspect Identify Mitigate Impact 3 Copyright © 2014 Tools Fixed Permanent Protection Security Incident Lifecycle
- 4. Security Incident Lifecycle CUanniq lueea dE vtoe nrtepetitive events if not correctly identified… 4 Copyright © 2014
- 5. Security Incident Lifecycle 5 Copyright © 2014
- 6. Security Incident Lifecycle Minimize Scope of Impact Reduced Frequency Faster Remediation ID Root Cause 6 Copyright © 2014
- 7. Security Architecture SIEM (Security Info & Event Mgmt) Full Content Repository Current Security Infrastructure: • Firewall • IDS/IPS • DLP End Point Security Events pcaps Event-driven “snippets” and/or ALL traffic recorded into a rolling buffer 7 Copyright © 2014 Alarm Search & Analysis Event / Log Repository Packet Storage Packet Capture
- 8. SIEM Integration via RESTful API 8 Copyright © 2014
- 9. Visibility & recording infrastructure for high-speed networks Endace provides 100% accurate network recording at 1Gbps to 100Gbps!!!
- 10. Next-Generation EndaceDAG Overview Multiple Network Monitoring Interfaces -TDM/PDH T1/E1-DS3/E3 - 10/100/1000/10G Ethernet - SONET/SDH OC-3 to OC-768c - Infiniband x4 SDR and DDR Premium -Telco, high-end gov’t users and appliance OEMs Standard -HFT, market, appliance OEMs Basic - Low-end gov’t users, analytics Dual-Port 10GbE -Basic and standard Dual and quad port 10GbE -Standard and premium Single-Port 40GbE -Future/upgrade to quad port Designed for data capture applications requiring 100% network data capture Three “Feature Bundles” Three Product Configurations 10 Copyright © 2014 Low Overhead Zero Loss Capture Hardware Time Stamps Global Clock Synch In-Band Metadata Classification/filtering Load Balancing
- 11. Endace Network Visibility Infrastructure EndaceAccess™ Network Visibility EndaceProbe™ Intelligent Network Recorder 11 Copyright © 2014 Headend Network Visibility Headend Allows EndaceProbe INRs/ODE to scale to 40 and 100GbE Endace Open Hosting Platform (ODE) High Performance Intelligent Network Recording Up to 64 TB storage Mix of 1 and 10GbE ports EndaceFlow™ NetFlow Generator Appliance (NGA) Hosting Platform for Monitoring Applications 8x1GbE or 4x10GbE Ports Up to 16 TB internal storage; Fibre Channel support for SAN High-Speed NetFlow Generation for 10GbE Networks 4x10GbE Ports EndaceProbe: Provides 100% packet capture on 10Gb Ethernet links NetFlow Generator: Generate unsampled netflows from 1GbE/10GbE links EndaceAccess: Load-balances 40Gb/100Gb links across multiple INRs Endace ODE: Provide packets for hosted 3rd party applications
- 12. The Endace Probe Solution 12 Copyright © 2014
- 13. Monitoring and Recording Fabrics 13 Copyright © 2014
- 14. 100% Packet Capture means 100% Network Visibility 14 Copyright © 2014
- 15. Can you Pinpoint Microbursts Occurring on your Network? 15 Copyright © 2014
- 16. Can you Identify Applications Running on your Network? 16 Copyright © 2014
- 17. Can you Identify Traffic Changes Over Time? 17 Copyright © 2014
- 18. Can you see Conversations on the Network? 18 Copyright © 2014
- 19. Search through Packets in a Browser! 19 Copyright © 2014
- 20. 100Gbps Packet Capture… 20 Copyright © 2014
- 21. Time Synchronization 21 Copyright © 2014
- 23. NetFlow – The New Way!!! 23 Copyright © 2013
- 24. NetFlow – The New Way!!! 24 Copyright © 2013
- 25. 25 Copyright © 2013
- 26. 26 Copyright © 2013
Editor's Notes
- Key to avoid the repetitive events, that cost money, is to identify the root cause issue to begin with – as early as possible in the cycle.
- Having the content and not just a log, SIEM record, or report; but having the content will assist in identification of the root cause issue. In turn this will reduce the frequency of that particular issue reoccurring. Also limit the scope of impact and lead to faster remediation. The objective of the security engineering team, the organization processes and tools is to reduce the overall effort. If our tools can identify the root attack then we have chance reducing the frequency of the waves. Reduction in frequency also improves predictability in delivering IT projects and infrastructure reliability. Speed in developing a mitigation strategy reduces the total scope or height of the wave. Finally by reducing the time to comprehensive permanent protection we can reduce the width of the wave.
- Organizations have invested in: Firewalls IDS’ IPS’ DLP Endpoint security Events are generated from these devices and often forwarded to a SIEM. SIEM will aggregate events into some form of reporting to allow some sense to be made of the vast amount of information. Noting the Verizon Breach Report Statistics show that many incidents take weeks to identify a breach after the fact. Example: Target Goal should be to minimize the time to identify the security incident– this is necessary as the time it takes is too long. The analyst needs to go through the SIEM reports and that is a laborious exercise that takes time. We have found that if you can add a packet storage solution with the ‘Golden Data’ your search time decreases and the time to respond decreases. We believe the future security architecture will look like this: Current infrastructure of tools SIEM Full content repository at your finger tips – that is power Ability to scrub the packets: Search for the packets during the event Weed out false positives Send confirmed packets to 3rd party tools for deep analysis or forensics Implement event-driven ‘snippets’ – we refer to as triggered capture
- Fusion Connector Using our RESTful API we can integrate with various tools to allow rapid data mining from the full content repository described earlier. The top of the screen shows an example where search parameters have been populated by some tool. A search is performed across the packet fabric of probes to find packets that match the parameters. The results at the bottom show all of the possible probes and packet storage files that have content that matches the criteria as well as the combined flows across all probes. At this point, an analyst can download one or more of these flows as either PCAP or ERF to inspect in a packet decode or as input to a 3rd party tool. ERF is a format that Endace created when they first engineered the DAG card as it was necessary for nanosecond time stamping. It also provides information related to the capture port. API integration already available for: Splunk Sourcefire Compuware’s DC RUM (APM) product Any organization that wishes to use the RESTful API
- Visibility & recording infrastructure Ability to store packets on the probe or on a SAN The acquisition by Emulex provides direct support for SAN using the Emulex HBA to allow mass storage – petabytes if so desired or required Vertical markets Financial Retail Content Delivery Cloud Enterprise Government Service Provider Global customer base in each of these industries Business Unit mostly penetrated Network operations Security operations Compliance Endace provides 100Gbs network recording today in production.
- 100Gbps Endace Access Example of a 100Gb deployment. Currently in production Flow safe load balancing is performed by the Endace Access to 12 x 10Gbs egress ports. Endace 7000 probes are connected to the egress ports, one per port, to allow for recording packets to disk. Using the CMS, the user will view the array of probes holistically to allow querying of them for specific flows without needing to know what probe contains the packets of interest. Time stamping is done by the EA and the downstream probes will use this time stamp to avoid any variance due to the load balance function. This will guarantee that there are no duplicate time stamps that packet ordering is 100% accurate.
- Time synchronization is considered of utmost importance to Endace as the founding of the company was based on the most accurate time stamping possible. This being the case, each DAG and EA is equipped with a PPS input to allow synchronization of every port within a site or globally. Implementation of the PPS is done by installing a TDS (Time Distribution Server) which takes an input from either a CDMA or GPS timing device. The TDS will output the PPS to each DAG or EA connected to it with a standard CAT5 wire. The date sync is done through standard NTP. The PPS offer much better time sync than NTP with accuracy within 100ns resolution. New DAG cards now support PTP as well! This timing accuracy is of importance if you have geographically separated probes or multiple probes where you will correlate combined packets in response to an incident/breach or operational issue to assure packet order is correct.
- NetFlow in a new way! Near Real-time and un-sampled NetFlow! Environments where you have high speed links, i.e. multiple 10Gbs or 100Gbs, going into a border gateway – enabling NetFlow on said gateway is pretty much useless Sample rates wont be low enough to provide true visibility or an accurate picture of aggregated 10Gbs or 100Gbs links The Endace NGA (Netflow Generation Appliance) will allow: Snapping the packets to the necessary number of bytes to generate a flow record. 72 bytes is all that is required. Snapping the packets allows a significantly higher data rate to have flow records generated. Example of our 1U appliance: 4 x 10Gb ingress ports Operate at 75% sustained capacity – 30Gbs Handle 16M+ flows/second Output 600k+ flow records/second
- An example deployment of capturing packets from multiple high speed links and generating unsampled NetFlow. Tap your links Input the monitor feeds either into the NGA directly or into a NPB if one is desired/deployed. Output from NPB to the NGA if a NPB is deployed. NGA will generate flow records and export them to the collector/collectors that is configured. The NGA offers advanced features for the export function: Filtering based on IP tuple information, CIDR blocks, etc. Hash Load balancing: Necessary to allow many collector solutions to scale to significant numbers of flow records Controlling the number of records to a single collection device as many are licensed based on flow record consumption. Value proposition: Getting real-time Netflow in a very cost effective manner. Combining packet storage and NetFlow provides analysts an effective toolset to identify root cause issues on the network.
- My name is boni bruno! Rock on!!