Ntxissacsc5 gold 4 beyond detection and prevension remediation

The Importance of
Packets in Security
Forensics

© 2015 Viavi Solutions, Inc. | Viavi Confidential and Proprietary Information 2
Today’s Speaker
Speaker
Rick Kingsley, Sr. Solutions Specialist
Viavi Solutions
• At Viavi Solutions for 11 years.
• Troubleshooting networks and apps at the packet level
for 25 plus years.
• Experience working with 100s of organizations in both
pre- and post-sale engagements
• Approach solutions with both technical and business
value considerations

Network Security Forensics
Packets don’t lie.

4© 2016 Viavi Solutions Inc.www.viavisolutions.com
Packets don’t lie – the ultimate source of network truth & visibility
• >50% MTTR Savings
• Full event replay
• Live Dependency Maps
• Layer4 & Layer5-7 APM

Why Enterprise is Concerned about Security
▪Today - Cybercrimes will cost the global economy $445
billion this year (CNBC 2016)
▪Cyberattacks take up to 256 days to identify & cost
companies $3.8 million per attack (Ponemon Institute, May
2015)
▪IT threats continue to escalate in frequency, type and malice
• Security perimeter breaches (must be ) assume a given
• Inside jobs are also on the rise
• Security teams under staffed and overwhelmed
▪Negative financial stake holder implications
• Breaches can lead to lost revenue, a tarnished brand

Security Operations Needs to Leverage Insight
Into the Packet
When a breach occurs, an IT organization must be
prepared to deliver quick answers to some of these
questions:
1) What was compromised, and what data was
exposed?
2) Who was responsible for the vulnerability?
3) Who was responsible for the attack itself?
4) Has the breach been resolved?
5) Can the resolution be validated?

APM Security Forensics
The Backstop to Your Security Efforts
▪ The right Application Performance Management (APM) solution can help IT
operations deliver superior performance for users. When incorporated into your IT
security initiatives, deep packet inspection can strengthen your existing antivirus
software, Intrusion Detection System (IDS), and Data Loss Prevention (DLP)
solutions.

Security Challenges – The Network Team
▪Viavi Solutions State of the Network highlights:
▫ 85% are involved with security investigations
▫ Engaged in multiple facets of security
▪ 65% implementing preventative measures
▪ 58% investigating attacks
▪ 50% validating security tool configurations
▫ 50% indicated correlating security issues with network performance to be
their top challenge
▫ 44% cited the inability to replay anomalous security issues
▪Hacking and malware cause nearly 1/3 of all data loss events*
* VERIS Community Database

Solution: Benefits (IT Execs)
▪Maximize IT resources and personnel facilitating network team
cooperation with security on investigations and clean up
• “Two-for-one” deal (NPMD + security) maximizes IT spend
▪Confirm every aspect of attack and identify what assets have
been compromised
▪More effectively spend security dollars by understanding what
attacks are getting through defenses

▪ Gain full attack context to confirm attack path and identify
compromised assets
▪ Quickly investigate and isolate attacks with post-event filtering and
expert analysis
▪ Gain advanced notice of potential attacks via alarming
• Validate security tool effectiveness
• What attacks have gotten through?
• Integrate traffic access into existing security workflows
with Rest APIs
Packet-Based Security Forensics:
A Next-Generation Approach to Attack Remediation

Vital NPMD Security Features
• High-speed (10 Gb and 40 Gb) data center traffic capture
• Write to disk speeds at 40Gbps+
• Automate extractions with Security monitoring solutions
like Firepower
• Trigger packet capture extractions with Firewall events
• Event replay and session reconstruction
• Capacity to store petabytes of traffic data for post-event
analysis and long-term incident retention

• Where the attack came from
• Which users (if any) were involved
• Which internal assets communicated with the malicious
activity
• What data was accessed in the attack
• Whether (and how) the attack spread laterally through the
network
Packet-Based Security Forensics Cont:
A Next-Generation Approach to Attack Remediation

Network Security Forensics
Five Steps to Threat Resolution

# 1 - Capture Everything on Your Network
Monitor from the core to the
edge
Don’t miss a single
packet

# 2 – Detect /Alert on Suspicious / Anomalous Behavior

# 3 – Turn Back the Clock
Using back-in-time functionality
Start Investigation at the time or leading up to the possible incident
and not after the evidence is gone

Apply advanced Analyzer filtering for zero-day events or
Snort rules for known threats
# 4 – Identify Security Threats

# 4 – Identify Security Threats
The result: A comprehensive identification of detected
threats within the time window specified

Automated Event to Packet Integration Workflow
1. Event triggered in FirePOWER
Management Console
2. Launch GigaStor web interface from
FirePOWER. Pre-populated fields
to download selected traffic
3. Investigate network and application flows
in Observer, or analyze with
third-party tools

# 5 – View Illicit Behavior In/Out of the Network
Rebuild conversations to witness the event unfold just like sports
“instant replay”

…even if encrypted

Encryption impacts your business
OF ATTACKS WILL
USE SSL/TLS
Gartner estimates that by 2017,
more than 50% of network
attacks will use SSL/TLS1
50%
INTERNET TRAFFIC IS
ENCRYPTED
Sandvine Research
70%
AVG COST OF A DATA
BREACH
IBM sponsored study by
Ponemon Institute
$4m

Packet Broker - Active SSL DECRYPTION
Active SSL Decryption via a high-
performance Application Module
with dedicated cryptographic
processor
▪ Offloads the processing burden from
firewalls, intrusion prevention systems
(IPSs), and other security tools
Full visibility into encrypted sessions

Switch InternalSwitchInternet
Security Tools
Most advanced NPB for security deployments
Powerful encryption + flexible traffic handling + advanced services
Powerful SSL
✓ Up to 10Gb SSL
✓ Decrypt once, inspect
many
✓ Offload decryption from
multiple tools
✓ No impact on other
services
Advanced inline support
✓ Heartbeat
✓ Service Chaining
✓ Load Balancing / HA
✓ Active/Active resiliency
Vision ONE core features
✓ Rich Netflow
✓ Data Masking
✓ App ID / filtering
✓ 1/10/40Gb interfaces
✓ Filter compiler / best UI

Reconstruct HTTP streams to see exactly what was
requested and received…

Case Study: Financial Service Company
▪ Network group reports attack that appeared to be network slowdown
▪ Intel and IDS/IPS groups begin investigation
▪ Packet captures are evaluated for patterns
▪ Attackers are identified from TCP payload data
Download the full Case Study –
https://comms.viavisolutions.com/lp-
cmp?cp=vi79677&th=wpp&lang=en&_ga=2.251997065.1428566310.1510067591-
311843217.1476392097&brw=pushsafari

Network Security Forensics in Practice
What began as three benign sounding user complaints regarding slow network and
application response time quickly escalated into a potentially serious threat to
security. The network engineer used a specialized probe appliance to perform
deep-packet forensic analysis of traffic generated by one of the user’s
workstations. She discovered it was sending a packet to every device on the
network; each of these destinations responded in a similar fashion. This activity
quickly saturated the network.
Desktop support and the security team were notified because
an ongoing attack compromising nearly 100 users’ machines
appeared to be underway.

Key Takeaways - Network Security Forensics
• Understanding of :
• Network
• Application
• Traffic Patterns
• Organizations need a retrospective, network-centric method to backstop other
security measures and identify and clean compromised IT assets
• Firewalls, anti-virus software, IDS and DLP systems are vital but no longer
sufficient to achieve the most robust protection or generate the paper trail for
complete resolution and documentation of breaches.
• Packet-based network monitoring solutions, which evolved from performance
monitoring and troubleshooting tools for network operations, are ideal for
forensic analysis of security incidents. As a result, both network operations and
security operations are finding value in sharing access to these tools.

Viavi GigaStor – Investigate & Analyze

The recent Network Outlaws webinar helped IT teams understand and effectively
utilize network data sources like syslogs, packet capture, and metadata, in security
investigations.
Request the webinar recording to learn how to:
▪ Understand and use the right source data
▪ Leverage traffic-capture strategies that work
▪ Protect yourself before, during, and after a breach
▪ You will also receive the complimentary white paper, Source Data for Network
Security Investigations.

Ntxissacsc5 gold 4 beyond detection and prevension remediation

Ntxissacsc5 gold 4 beyond detection and prevension remediation

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Ntxissacsc5 gold 4 beyond detection and prevension remediation

Similar to Ntxissacsc5 gold 4 beyond detection and prevension remediation (20)

More from North Texas Chapter of the ISSA

More from North Texas Chapter of the ISSA (20)

Recently uploaded

Recently uploaded (20)

Ntxissacsc5 gold 4 beyond detection and prevension remediation