Using NetFlow to Streamline Security Analysis and Response to Cyber Threats


Data centers move exabytes of data through their networks. This explosive growth in network traffic has forced data centers to adopt new technologies and standards to keep pace and keep information easily accessible. Our personal information, company IP assets and sensitive data cross these networks, which are under constant, persistent attack by adversaries probing for vulnerabilities. IT security teams have to protect networks that are growing in both size and complexity, and that calls for a new approach: full, rather than partial, visibility into network behavior, to stop downtime losses and data leaks.

Generating NetFlow for every packet (1:1, unsampled), then collecting and analyzing the flow records, is essential to reducing time-to-resolution (TTR). To help you take full advantage of NetFlow data for network security management, Emulex and Lancope have created a best-in-class network and security solution that lets you quickly and continuously monitor the makeup of the traffic traversing your network.

In this webinar, we’ll explore why network security management is crucial in managing functionality and visibility of an organization’s network infrastructure and how Emulex helps address these deployment requirements. We'll also explore what matters most when network security is breached, and share some best practice insights gleaned from working with customers that run some of the largest and most critical data networks on the planet.

  • Skipping the problem domain in the interest of time

    1. Using NetFlow to Streamline Security Analysis and Response to Cyber-Threats
       Richard Trujillo, Product Marketing Manager, Emulex; Joe Yeager, Director of Product Management, Lancope; Lee Doyle, Principal Analyst, Doyle Research. © 2013 Emulex Corporation
    2. The Importance of Network Visibility (Doyle Research, 2013)
    3. Leading Trends Impacting the Network: Cloud, VDI, Mobile, Big Data, BYOD
    4. Networks are Critical to the Business
       - Networks deliver applications and information throughout the organization
       - Networks must be high performance, low latency, reliable, and secure
       - Traffic patterns are changing: more east-west, less north-south
       - Network/data center downtime is expensive
       - Managing/securing the network remains challenging and costly (OPEX)
    5. Network Complexity and Value are Increasing (customer value rises with network complexity)
       - Data center: server virtualization; VM mobility; network/storage convergence; widespread adoption of 10GbE
       - SDN adoption: separation of control and data plane; network programmability; centralized intelligence; network slicing
       - Bandwidth growth: cloud; video; mobility
    6. Network Visibility Benefits
       - Security: monitor all traffic; identify and isolate "bad" traffic; ability to handle DDoS attacks
       - Performance: better understand and tune the network; respond to dynamic traffic patterns
       - Improved OPEX: supports off-load of traffic analysis from production switches; improved network management and reduced operational costs
       - Automation: tools help IT/network staff with routine monitoring tasks
    7. Product Requirements
       - Improved performance monitoring = visibility at scale
       - Secure networks: leveraging behavior analysis to detect traffic anomalies
       - Monitoring solution must support complete analysis of 10GbE traffic flow (high performance)
       - Move from reactive to proactive management with new tools (software-defined applications)
       - Ease of installation, ease of operation, cost effective
       - Support for standards and 3rd-party applications
    8. StealthWatch for Security Analysis and Response to Cyber Threats
       Joe Yeager, Director of Product Management, Lancope. ©2013 Lancope, Inc. All Rights Reserved.
    9. Who is Lancope?
       - Company profile: 600+ enterprise clients (Global 2000); HQ in Atlanta, offices all around the world; available on Cisco's Global Price List; 4 years of profitability; 160+ employees
       - Technology leadership: StealthWatch Labs research team; patented behavioral analysis techniques; 150+ algorithms; scalable flow analysis
       - Management team: experienced senior leadership from IBM, nCircle, ISS, Dell SecureWorks, HP, and Motorola/AirDefense; over 100 years combined experience
    10. Big Data Center Focus Areas (agenda): Cyber Threat Problem; Cyber Threat Solution; DDoS Case Study
    11. Agenda, section 1: Cyber Threat Problem
    12. Threat Landscape of Today: APT and Insider Threats Top of Mind
        - 174M records stolen
        - 855 incidents
        - 98% involve external threat actors
        - 416 days before attackers are discovered by a 3rd party
        - 100% used valid credentials
        Sources: Verizon 2013 Data Breach Investigations Report; Mandiant M-Trends
    13. Visibility Throughout the Kill Chain: Strategy for APT and Insider Threats
        Stages: Recon → Exploitation → Initial Infection → Command & Control → Internal Pivot → Data Preparation → Data Exfiltration
        - This is the Kill Chain concept introduced by Mike Cloppert at Lockheed.
        - Each step in the chain is important to look at individually to develop a security strategy across both tools and departments.
        - Many of these can be covered by a NetFlow solution that has both analytics and incident response capabilities.
    14. APT Timeline Example: do you know what happened while you were responding?
        - 1:06:15 PM: Internal host visits malicious web site
        - 1:06:30 PM: Malware infection complete, accesses Internet command and control
        - 1:06:35 PM: Malware begins scanning internal network
        - 1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
        - 1:13:59 PM: Multiple internal infected hosts
        - 1:14:00 PM: Administrators manually disconnect the initial infected host
    15. Agenda, section 2: Cyber Threat Solution
    16. Why Use NetFlow? Complete Network Visibility
        - NetFlow is a record of every conversation on your network from a "trusted 3rd party", i.e. it is not affected by the trustworthiness of hosts
          - Perfect audit trail
          - Provides the ability to baseline what is normal
        - NetFlow is very lightweight and compresses very well
          - Typically can be stored for 45-90 days with StealthWatch
        Analogy: NetFlow is the network's phone bill (call detail records, CDR)
    17. Cyber Threat Solution. Goal: knowledge as the focus instead of data
        Visibility → Analysis → Cyber Threat Intelligence, i.e. Data → Information → Knowledge
        Big Data Collection + Big Analytics + Big Incident Response
    18. Big Data Collection: What Constitutes "Big"?
        1 StealthWatch Collector     Per Second        Per Hour           Per Day            Per 45 Days
          Events                       120,000       432,000,000     10,368,000,000     466,560,000,000
          Data (MB)                          9            30,960            743,040          33,436,800
        StealthWatch System (x25)    Per Second        Per Hour           Per Day            Per 45 Days
          Events                     3,000,000    10,800,000,000    259,200,000,000  11,664,000,000,000
          Data (MB)                        215           774,000         18,576,000         835,920,000
    19. Big Analytics: Real-time Detection of Indicators of Compromise
        Collect vast amounts of data → Correlate metadata for context → Baseline normal activity → Identify deviations from the norm → Alert on indicators of compromise
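Slides 14 and 19 together describe what a NetFlow analytics pipeline actually computes: baseline what each host normally does, then alert when a host departs from its own baseline, with the infected host of slide 14 (suddenly scanning the internal network) as the textbook deviation. The block below is an added example written for this page, not StealthWatch or any Lancope code. It baselines the number of distinct peers each internal host contacts per day over constructed flow records, then flags a host whose peer count jumps well outside that baseline; the hosts, thresholds and flow tuples are all constructed for the example.

```python
"""Baseline-and-deviation detection over NetFlow-style records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# A flow record here is a constructed (src, dst, proto, dport, bytes) tuple,
# the subset of NetFlow fields this check needs.

def _day(host, n_peers, dport, nbytes):
    """Constructed: one day's flows from `host` to n_peers distinct internal hosts."""
    return [(host, f"10.0.1.{i}", 6, dport, nbytes) for i in range(1, n_peers + 1)]

# Five baseline days: 10.0.0.5 is a workstation talking to 3-5 hosts a day,
# 10.0.0.7 is a web server that always talks to 20.
BASELINE_DAYS = [
    _day("10.0.0.5", n, 443, 50_000) + _day("10.0.0.7", 20, 80, 8_000)
    for n in (3, 4, 5, 3, 4)
]
# Observation day: 10.0.0.5 suddenly touches 40 hosts on port 445 with tiny flows,
# the slide 14 pattern of an infected host scanning the internal network.
TODAY = _day("10.0.0.5", 40, 445, 300) + _day("10.0.0.7", 21, 80, 8_000)

def peers_per_host(flows):
    """Number of distinct destination hosts contacted by each source host."""
    peers = defaultdict(set)
    for src, dst, _proto, _dport, _nbytes in flows:
        peers[src].add(dst)
    return {host: len(p) for host, p in peers.items()}

def build_baseline(daily_flow_sets):
    """Per host: (mean, population std-dev) of its daily distinct-peer count."""
    per_day = defaultdict(list)
    for flows in daily_flow_sets:
        for host, n in peers_per_host(flows).items():
            per_day[host].append(n)
    baseline = {}
    for host, counts in per_day.items():
        # Days on which the host was silent count as zero, so the baseline covers every day.
        counts = counts + [0] * (len(daily_flow_sets) - len(counts))
        baseline[host] = (mean(counts), pstdev(counts))
    return baseline

def deviations(baseline, flows, min_sigma=3.0, min_peers=10):
    """Hosts whose distinct-peer count today exceeds mean + min_sigma * std-dev.
    The std-dev floor of 1 stops a perfectly flat baseline from alerting on +1 peer,
    and min_peers suppresses alerts on hosts that barely talk at all."""
    alerts = []
    for host, n in peers_per_host(flows).items():
        mu, sigma = baseline.get(host, (0.0, 0.0))   # unseen host: no history, so a low bar
        threshold = mu + min_sigma * max(sigma, 1.0)
        if n >= max(threshold, min_peers):
            alerts.append((host, n, round(threshold, 1)))
    return sorted(alerts)

def run_demo():
    """Baseline the five quiet days, then check the observation day."""
    return deviations(build_baseline(BASELINE_DAYS), TODAY)

if __name__ == "__main__":
    for host, peers, threshold in run_demo():
        print(f"ALERT {host}: {peers} distinct peers today, baseline threshold {threshold}")
```

Only the workstation is flagged: its 40 peers are far above a threshold of 6.8, while the web server's 21 peers sit inside its flat baseline of 20. The same structure applies to any per-host counter NetFlow can supply (bytes out, distinct destination ports, flows per minute); peer count is the one that exposes the scanning step of the slide 14 timeline.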
    20. Big Incident Response: Powerful Investigation Capabilities
        - Who did this? Usernames, IP addresses, devices, country, ISP
        - What did they do? What behavior did they engage in? What else did they do?
        - Where did they go? What hosts on my network were accessed?
        - When? Have we investigated the full intrusion timeline?
        - Why? What is their objective?
    21. Agenda, section 3: DDoS Case Study
    22. DDoS: a Big Problem! (Sec Ops & Net Ops)
        StealthWatch's focus:
        - Alert on the attack, citing the individual target of the attack
        - Fast investigative workflow for impact and root cause analysis
        - Monitor mitigation success
    23. DDoS: Sometimes DDoS attacks are obvious...
    24. DDoS: And sometimes they are not so obvious... Increase in Malformed Fragment alarms; strange short bursts in traffic
    25. DDoS Quick Investigation Workflow
        - 1.5 Gbps of DNS traffic and 1.5 Gbps of undefined UDP traffic
        - Total of 107.25 GB of data sent between these two services
        - Right-click drill down to identify top DNS hosts: the top 3 hosts have over 96,000 peers and over 190,000 flows EACH
    26. DDoS Quick Investigation Workflow (cont'd)
        Each DNS response contains the same domain: ""
        Conclusion: this is a DNS amplification attack and these types of packets need to be blocked.
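The slide 25-26 workflow turns on two NetFlow-visible facts: a DNS host with an abnormally wide peer set and a huge flow count, and response traffic that dwarfs the queries that provoked it. The block below is an added example, not Lancope's workflow or code, that computes those indicators from flow records. It aggregates UDP/53 reply flows per answering host, compares reply bytes to query bytes to get an amplification factor, and reports hosts whose peer count and amplification both cross a threshold. The two resolvers, the 203.0.113.0/24 peers and the thresholds are all constructed for the example.

```python
"""DNS amplification indicators from flow records (added example)."""
from collections import defaultdict

UDP = 17

def _exchange(resolver, client, q_bytes, r_bytes, r_pkts):
    """Constructed: a query to the resolver and its reply, as two unidirectional
    flow records shaped (src, sport, dst, dport, proto, packets, bytes)."""
    return [
        (client, 40000, resolver, 53, UDP, 1, q_bytes),
        (resolver, 53, client, 40000, UDP, r_pkts, r_bytes),
    ]

SAMPLE_FLOWS = []
# 10.0.0.54 answers five real clients with small single-packet replies.
for i in range(1, 6):
    SAMPLE_FLOWS += _exchange("10.0.0.54", f"10.0.1.{i}", 70, 180, 1)
# 10.0.0.53 sends large, fragmented replies to 150 distinct outside addresses that each
# sent one tiny query: the reflector pattern behind slides 25-26 (constructed addresses).
for i in range(1, 151):
    SAMPLE_FLOWS += _exchange("10.0.0.53", f"203.0.113.{i}", 64, 3000, 3)

def resolver_stats(flows):
    """Per host answering on UDP/53: distinct peers, reply flows/bytes/packets, query bytes received."""
    st = defaultdict(lambda: {"peers": set(), "flows": 0, "resp_bytes": 0,
                              "resp_pkts": 0, "query_bytes": 0})
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != UDP:
            continue
        if sport == 53:               # reply leaving the resolver
            s = st[src]
            s["peers"].add(dst)
            s["flows"] += 1
            s["resp_bytes"] += nbytes
            s["resp_pkts"] += pkts
        elif dport == 53:             # query arriving at the resolver
            st[dst]["query_bytes"] += nbytes
    return st

def amplification_suspects(flows, min_peers=100, min_ratio=10.0):
    """Resolvers with an unusually wide peer set whose reply bytes dwarf the query bytes."""
    suspects = []
    for host, s in resolver_stats(flows).items():
        ratio = s["resp_bytes"] / max(s["query_bytes"], 1)      # bytes out per byte in
        avg_reply_pkt = s["resp_bytes"] / max(s["resp_pkts"], 1)  # large = fragmented answers
        if len(s["peers"]) >= min_peers and ratio >= min_ratio:
            suspects.append({
                "host": host,
                "peers": len(s["peers"]),
                "flows": s["flows"],
                "amplification": round(ratio, 1),
                "avg_reply_pkt_bytes": round(avg_reply_pkt),
            })
    return sorted(suspects, key=lambda r: r["peers"], reverse=True)

if __name__ == "__main__":
    for r in amplification_suspects(SAMPLE_FLOWS):
        print(f"{r['host']}: {r['peers']} peers, {r['flows']} reply flows, "
              f"x{r['amplification']} amplification, {r['avg_reply_pkt_bytes']} B/pkt")
```

On the sample, only 10.0.0.53 is reported: 150 peers, 150 reply flows, roughly 47x amplification and 1000-byte reply packets, which is also why slide 24's Malformed Fragment alarms rise during such an attack. Flow records alone cannot show the repeated query name that slide 26 uses to confirm the diagnosis; that step needs the packets, which is the "pivot to packets" of slide 28.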
    27. Network Visibility Solution: EndaceFlow 3040 & StealthWatch FlowCollector
        Richard Trujillo, Marketing Manager, Emulex. Emulex Confidential
    28. Our Approach to NPM/APM/SEM: Best of Breed
        Stack: APM app, NPM app, IDS app and HFT app on top of the EndaceVision Network Search Engine with Fusion Connectors, on top of Endace Network Visibility Products (10/40/100GbE)
        - Our approach enables tailored best-of-breed solutions: all tools share data from the same secure location in the datacenter; an automated workflow ("pivot to packets") speeds up issue resolution
        - Lower investment while increasing ROI: only buy what you need; plan and train staff on the tools that fit your situation best
    29. How Much Network Visibility Do You Need?
        Just as in the video world, there is a big difference between low-def network visibility and high-def network visibility:
        - Low-def shows you the overall trends: great for long-term traffic planning and identifying large deviations from the norm
        - High-def lets you see the action (microbursts, dropped packets, protocol errors) that underlies the most difficult application performance issues
        The visibility Emulex tools provide: see microbursts; know exactly what data has been compromised; identify issues impacting application performance.
        The visibility most tools provide: sampled data cannot provide the detail you need to resolve difficult security breaches or application performance issues.
    30. EndaceFlow™ 3040: NetFlow Generation (high-speed NetFlow generation, 4x10GbE ports)
        - Extreme performance: the EndaceFlow 3040 provides complete flow visibility at 10Gbps (4x10GbE), 30Gbps of flow generation and a total of 64M active flows.
        - Custom filtering: customize exports to gain visibility of specific networks within the datacenter, and load balance flow records across multiple collectors. The EndaceFlow 3040 supports up to 120 filters across 4 collectors for load balancing flow records.
        - Advanced hash load balancing: the advanced HLB feature minimizes manual configuration with flow-safe load balancing, reducing operational expenditure (OPEX).
        - Ease of integration: supports V5, V9 and IPFIX flow formats and a broad range of fields, allowing seamless integration with any NetFlow collector on the market.
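Slide 30 names the three things a collector-side engineer has to get right with a generator like this: the export format (V5, V9, IPFIX), whether the export is sampled (slide 29's low-def versus high-def distinction is literally a header field in NetFlow v5), and how records are spread across collectors without splitting a conversation. The block below is an added example, not Emulex or Endace code, that parses a NetFlow v5 datagram with the standard 24-byte header and 48-byte record layout, exposes the sampling mode and interval, and picks a collector by hashing the 5-tuple with both endpoints sorted, so both directions of a conversation land on the same collector. Reading "flow-safe" as direction-symmetric hashing is my assumption, not the deck's definition, and `build_v5` is a constructed exporter that exists only to produce sample input.

```python
"""NetFlow v5 datagram parsing and flow-safe collector selection (added example)."""
import hashlib
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes per flow record

def parse_v5(packet: bytes):
    """Decode one NetFlow v5 export datagram into (header dict, list of record dicts)."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(packet)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field {version})")
    if len(packet) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {
        "count": count, "sys_uptime_ms": uptime, "unix_secs": secs, "flow_sequence": seq,
        # Top 2 bits are the sampling mode, low 14 bits the interval; 0 means every packet was seen.
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13],
        })
    return header, records

def build_v5(records, sampling_interval=0, seq=0):
    """Constructed exporter used only to make sample input; unused fields are zero."""
    header = V5_HEADER.pack(5, len(records), 0, 1_380_000_000, 0, seq, 0, 0, sampling_interval & 0x3FFF)
    body = b"".join(
        V5_RECORD.pack(int(IPv4Address(r["src"])), int(IPv4Address(r["dst"])), 0, 0, 0,
                       r["packets"], r["bytes"], 0, 0, r["sport"], r["dport"], 0,
                       r.get("tcp_flags", 0), r["proto"], 0, 0, 0, 0, 0, 0)
        for r in records)
    return header + body

def collector_for(record, n_collectors):
    """Choose a collector by hashing the 5-tuple with the (address, port) pairs sorted, so both
    directions of one conversation land on the same collector (my reading of 'flow-safe')."""
    lo, hi = sorted([(record["src"], record["sport"]), (record["dst"], record["dport"])])
    key = f"{record['proto']}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n_collectors

# Constructed: one HTTPS conversation seen in both directions.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "198.51.100.7", "sport": 51000, "dport": 443, "proto": 6,
     "packets": 12, "bytes": 3400, "tcp_flags": 0x1B},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "sport": 443, "dport": 51000, "proto": 6,
     "packets": 10, "bytes": 9800, "tcp_flags": 0x1B},
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_RECORDS)

def demo(n_collectors=4):
    """Parse the sample datagram and assign each record to a collector."""
    header, records = parse_v5(SAMPLE_DATAGRAM)
    return header, records, [collector_for(r, n_collectors) for r in records]

if __name__ == "__main__":
    header, records, assigned = demo()
    print(f"{header['count']} records, sampling interval {header['sampling_interval']} (0 = unsampled)")
    for r, c in zip(records, assigned):
        print(f"  {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"proto {r['proto']} {r['bytes']} B -> collector {c}")
```

A collector that checks `sampling_interval` on every datagram has a cheap, continuous test that the "100% unsampled" property of slide 33 still holds after a configuration change upstream. The length check matters too: a v5 record count that disagrees with the datagram size is the usual symptom of a truncated or mis-framed export, and silently parsing it would corrupt byte totals like those on slide 25.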
    31. Data Center Deployment Topology
        Diagram (text recovered from the figure): traffic at the edge router, edge firewall, core switch and access layer (rack servers, Internet-facing DMZ) is fed via tap or SPAN to EndaceProbe packet capture and EndaceFlow NetFlow generation; NetFlow goes to the Lancope StealthWatch FlowCollector, packets to the Endace Management Server. The Security Operations Center uses forensics (EndaceVision), NBAD (StealthWatch) and a SIEM; endpoint security is also shown. SecOps deployment monitors both sides of the DMZ to record attacks and identify compromised data.
        Workflow:
        (1) Alarm triggers an event. Analyst investigates using the EM interface.
        (2) Analyst pivots to the forensics tool for a deep dive into packets, enabling rapid resolution.
        (3) Analyst closes the event and makes changes to prevention rules if appropriate.
    32. Use Case: Security Operations. Consumer electronics/content provider uses Lancope and EndaceFlow to improve security incident response times
        Business problem: As the customer increased deployment of 10GbE in their data centers, they needed to improve their security monitoring capabilities and significantly reduce their incident response time and costs. The customer considered integrated solutions, but found that the poor performance and high costs limited the amount of monitoring they could deploy. They also found that the sampled nature of the data hindered the response team's ability to resolve issues quickly.
        Products deployed: EndaceFlow 3040 NetFlow Generator appliances; Lancope StealthWatch™ FlowCollector
        Competitors: Cisco NGA
    33. Use Case: Security Operations (cont'd). Why did we win?
        - Ability to generate 100% unsampled NetFlow on multiple 10GbE links
        - Ability of our overall solution to handle up to 60Gb/s of traffic
        - Advanced filtering and load balancing enabled overall system success
        Diagram (text recovered from the figure): a traffic mix of HTTPS 45-60 Gbps, HTTPS 12-20 Gbps, Misc 15-20 Gbps and Misc 8-10 Gbps, plus console and management links, passes through a network packet broker (Director X Stream V) into two groups of 8 collectors, each group labelled "NetFlow Dock VM, 100K flows/sec".
        Business benefits:
        - Reduced response time for critical security incidents from 30-50 hours to a couple of hours (average)
        - Reduced the time required per team member per incident by 12 man-hours
        - Provided future expansion room for the customer to run traffic up to 100Gb/s
    34. Conclusions
        - Complete, real-time and end-to-end visibility
        - Endace and Lancope provide a highly scalable solution
        - Reduces cost and helps eliminate downtime
        How can we help you with visibility into your network?