Comprehensive Network Monitoring and DPI
•
2 likes•302 views
stackArmor Security MicroSummit Deep Packet Inspection on AWS by Niksun: Shivank Dua will talk about how Deep Packet Inspection on AWS provides critical capabilities required to detect data breaches, malware and other threat scenarios. The ability to reconstruct the packet stream and perform forensics is critical to speedy incident response protecting from emerging and dynamic threat patterns. Topics will include: Threat scenarios and the need for Deep Packet Inspection / Deep Content Inspection Limitations of flow and log-based analysis techniques Use cases for ‘knowing the unknown’ via deep packet and content inspection
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Comprehensive Network Monitoring and DPI
Similar to Comprehensive Network Monitoring and DPI (20)
More from Gaurav "GP" Pal
More from Gaurav "GP" Pal (19)
Recently uploaded
Recently uploaded (20)
Comprehensive Network Monitoring and DPI
- 2. Why does cyber crime s0ll persist, despite significant investment? What does it mean to have truly comprehensive monitoring? Surveillance, Detec0on, and Forensics How can this help you in the real world? Contextual Awareness (Incident Response) Firewall Monitoring & DDoS Malware / Ransomware Compliance Informa0on Hiding DNS Server Hacked (Forensics) Agenda NIKSUN, Inc. CONFIDENTIAL -- See confiden0ality restric0ons on 0tle page. Slide 2
- 3. NIKSUN, Inc. CONFIDENTIAL -- See confiden0ality restric0ons on 0tle page. Why Does Cyber Crime Persist? Slide 3 Copyright NIKSUN 2014 Known Unknown Cyber Security Products Cover this Area Sophisticated Hackers work here! Known Known Unknown Unknown Imagine if the CDC only looked to prevent virus’ that have already wiped out millions… they would have no recourse in mitigating incidents like Ebola! • Now imagine if they had full visibility into every single person in the United States… they could monitor every person’s body and watch for the development of both old and new virus’
- 4. Preven0on How can one prevent that which one can’t see? What new services and applica0ons have entered your network that you are unaware of? Who is behind them? Is it a legi0mate business applica0on or a trojan or malware? How do we know that our defenses are effec0ve? NIKSUN, Inc. CONFIDENTIAL -- See confiden0ality restric0ons on 0tle page. Slide 4
- 5. What Knowledge Is Necessary? We need more advanced signals (“data”) than those which we have programmed a priori Good cyber a^ackers evade a priori indicators and exploit different a^ack vectors A novel approach is necessary to gather informa0on from both known and unknown a^ack vectors NIKSUN, Inc. CONFIDENTIAL -- See confiden0ality restric0ons on 0tle page. Slide 5
- 7. What is needed? • Video camera (surveillance) • Sensor detec0on (laser beams) • Image recogni0on (easy search for forensics, incident response) Why are flows limited? • Generally only provide informa0on at layer 3 • Lack good support for correlated flows (FTP, Mobility, even web pages, etc.) • Lack of broader Threat Intelligence support (files, domains, cer0ficates, etc.) Why are logs limited? • Developers choose what logs to record. Can’t know about a^acks that have not even occurred yet What is Network Monitoring? NIKSUN, Inc. CONFIDENTIAL. -- See confiden0ality restric0ons on 0tle page. Slide 7
- 8. Sample Flow logs NIKSUN, Inc. CONFIDENTIAL. -- See confiden0ality restric0ons on 0tle page. Slide 8
- 9. Surveillance & Threat Hun0ng Top-down Holis0c view of All Network Ac0vity Cri0cal Network Infrastructure Indicators Real-0me Content Analy0cs Applica0on Recogni0on / Applica0on Metadata Geo-IP Detec0on Anomaly / Signatures / Content (Data Leakage) Intelligence Feeds Incident Response & Forensics Applica0on Reconstruc0on & Ar0fact Extrac0on Sandbox Integra0on Flows & Connec0ons Raw Packets Other Performance Compliance Comprehensive Monitoring NIKSUN, Inc. CONFIDENTIAL -- See confiden0ality restric0ons on 0tle page. Slide 9
- 10. Email Server CRM Server Web Server Enterprise-wide Monitoring NIKSUN, Inc. CONFIDENTIAL. -- See confiden0ality restric0ons on 0tle page. Slide 10 Monitor across all deployed physical and virtual devices, centrally, from any smart device
- 11. Fast Macro-to-Micro Analysis Slide 11 NIKSUN Inc., CONFIDENTIAL. See confidentiality restrictions on title page Global Visibility Regional View Specific Session Single Packet NIKSUN, Inc. CONFIDENTIAL -- See confidentiality restrictions on title page. Slide 11
- 12. Deep Content Inspec0on - Example NIKSUN, Inc. CONFIDENTIAL -- See confiden0ality restric0ons on 0tle page. Slide 12 With just a few clicks, DPI / DCI can identify all of this information
- 14. Use Case: Contextual Awareness NIKSUN, Inc. CONFIDENTIAL -- See confiden0ality restric0ons on 0tle page. Slide 14 Alarms Firewall Log Analyzer IDS/IPS Content Filters SIEM Scanners Alarms Incident Response -Integrated Analysis Alarms Attacks often occur over disparate parts of the network, over extended periods of time à forensic investigation is necessary to put together pieces of the puzzle and reveal how an attack was crafted
- 16. Trending informa0on to tune Firewalls TCP-SYN rate (common firewall metric) Fragmented packet rate (IPv4, IPv6) UDP, ICMP, DNS, NTP, etc. packet rates Bandwidth In-depth analysis of a^ack a^empts Resolve issues with firewalls FW vendors/users oken need packets to tune against an a^ack Comprehensive Intelligence on DDoS a^acks Isolate bad traffic from good Threat Intelligence (did any bad URLs make it past the FW?) Analyze Firewall effec0veness (Retrospec0ve IDS) Replay traffic to test new FW rules Use Case - Firewall Monitoring NIKSUN, Inc. CONFIDENTIAL -- See confiden0ality restric0ons on 0tle page. Slide 16 Inline systems may face latency and complexity constraints, requiring a reduction in the deployed ruleset • Monitoring becomes invaluable for a constant pulse on critical infrastructure
- 17. NIKSUN, Inc. CONFIDENTIAL -- See confiden0ality restric0ons on 0tle page. Firewall Inbound + Outbound Monitoring Network Internet Who is trying to get in? What methods are they using? Who got in? What did they get out? Backdoor? Slide 17
- 23. Use Case: Wannacry Inves0ga0on (cont.) NIKSUN, Inc. CONFIDENTIAL -- See confiden0ality restric0ons on 0tle page. Slide 23 • Leverage retrospective IDS • View SMB scans on your infrastructure • Real-time intelligence feed related information
- 24. Use Case: Wannacry Inves0ga0on (cont.) NIKSUN, Inc. CONFIDENTIAL -- See confiden0ality restric0ons on 0tle page. Slide 24 How can we know if the hosts scanned have actually been impacted?
- 26. Discover compliance level with traffic monitoring Faster than Pen Tes0ng Validate security pre and post changes Firewalls, networks, servers Evidence Raw data captures Instantly iden0fy insecure communica0ons Who is using non compliant: SSL 2.0, SSL 3.0, TLS 1.0 Who is using which ciphers – strong or weak? What Cer0ficates are in use? Cert Organiza0ons? Clear text protocols, SSN Use Case: Compliance - PCI/Fed/Gov NIKSUN, Inc. CONFIDENTIAL -- See confiden0ality restric0ons on 0tle page. Slide 26
- 30. NIKSUN, Inc. CONFIDENTIAL -- See confiden0ality restric0ons on 0tle page. And Now? Slide 30 COPYRIGHT 2013 - NIKSUN Inc. Social Security Numbers hidden in picture… only way to tell is by drilling down to the raw packets!
- 32. Spear-phishing a^ack lured employees to go to their bank to update their info They were redirected to a BAD site Difficult to trace as the DNS server fixed itself aker some amount of 0me so the problem could not be iden0fied by tradi0onal methods Forensic analysis Discovered that the “window of opportunity” was transient Gave IP address of all those that were lured to the wrong site Reconstructed the a^ack and traced the a^acker’s moves step-by-step Damage was minimized due to rapid idenMficaMon and immediate remediaMon Use Case: DNS Server Hacked NIKSUN, Inc. CONFIDENTIAL -- See confiden0ality restric0ons on 0tle page. Slide 32