This document discusses how using NetFlow data with Lancope's StealthWatch solution can provide network visibility and help streamline security analysis and response to cyber threats. It describes how NetFlow allows collecting vast amounts of network metadata at scale which can then be analyzed using behavioral algorithms to detect anomalies and threats. It also provides an example of how StealthWatch helped investigate and mitigate a DNS amplification distributed denial of service attack. The document concludes by describing how EndaceFlow NetFlow generators and Lancope's StealthWatch solution were deployed by a customer to improve security incident response times.

1. Using NetFlow to Streamline
Security Analysis and Response
to Cyber-Threats
Richard Trujillo, Product Marketing Manager, Emulex
Joe Yeager, Director of Product Management, Lancope
Lee Doyle, Principal Analyst, Doyle Research
© 2013 Emulex Corporation

2. 2013
2013
The Importance of
Network Visibility
Doyle Research, 2013
2

3. Leading Trends Impacting the Network
Cloud
VDI
Mobile
Big Data
Doyle Research, 2013
BYOD
3

4. Networks are Critical to the Business
 Networks deliver applications and information
throughout the organization
 Networks must be high performance, low
latency, reliable, and secure
 Traffic patterns are changing: more east-west,
less north-south
 Network/data center downtime is expensive
 Managing/Securing the network remains
challenging and costly (OPEX)
Doyle Research, 2013
4

5. Network Complexity and Value are
Increasing
Customer Value
SDN Adoption
Bandwidth
Growth
Data Center
 Server
virtualization
 VM mobility
 Network/Storage
Convergence
 Wide spread
adoption of
10GB
 Separation of
Control and Data
Plane
 Network
Programmability
 Cloud
 Centralized
Intelligence
 Video
 Network Slicing
 Mobility
Network Complexity
Doyle Research, 2013
5

6. Network Visibility Benefits
Security
Monitor All Traffic
Identify and isolate
“bad” traffic, ability to
handle DDOS attacks
Better understand and
tune the network;
respond to dynamic
traffic patterns
Performance
Improved OPEX
Supports off load of
traffic analysis from
production switches
Doyle Research, 2013
Improved network
management and
reduced operational
costs
Automation
Tools help
IT/network staff with
routine monitoring
tasks
6

7. Product Requirements
 Improved performance monitoring = visibility at scale
 Secure networks – leveraging behavior analysis to detect
traffic anomalies
 Monitoring solution must support complete analysis of
10GB traffic flow (high performance)
 Move from reactive to proactive management with new
tools – software defined applications
 Ease of installation, ease of operation, cost effective
 Support for standards and 3rd party applications
Doyle Research, 2013
7

8. StealthWatch for
Security Analysis and
Response to CyberThreats
Joe Yeager
Director of Product Mgmt
©2013 Lancope , Inc. All Rights Reserved.
8

9. Who is Lancope?
Company Profile
• 600+ enterprise clients -- Global 2000
• HQ in Atlanta, offices all around the world
Available on
Cisco’s Global
Price List
• 4 years profitability; 160+ employees
Technology Leadership
• StealthWatch Labs Research Team
• Patented behavioral analysis techniques
• 150+ algorithms
• Scalable flow analysis
Management Team
• Experienced senior leadership from IBM,
nCircle, ISS, DELL SecureWorks, HP, and
Motorola/AirDefense
• Over 100 years combined experience
©2013 Lancope , Inc. All Rights Reserved.
9

10. Big Data Center Focus Areas
Cyber Threat Problem
Cyber Threat Solution
DDoS Case Study
©2013 Lancope , Inc. All Rights Reserved.
10

11. Big Data Center Focus Areas
Cyber Threat Problem
Cyber Threat Solution
DDoS Case Study
©2013 Lancope , Inc. All Rights Reserved.
11

12. Threat Landscape of Today
APT and Insider Threats Top of Mind
174M
855
98%
416 days
100%
• Records stolen
• Incidents
• Involve external threat actors
• Before attackers discovered by a 3rd party
• Valid credentials used
Sources: Verizon 2013 Data Breach Investigations Report, Mandiant M Trends
©2013 Lancope , Inc. All Rights Reserved.

13. Visibility Throughout the Kill Chain
Strategy for APT and Insider Threats
Recon
Exploitation
Initial
Infection
Command &
Control
Internal
Pivot
Data
Preparation
Data
Exfiltration
• This is the Kill Chain concept introduced by Mike Cloppert at Lockheed.
• Each step in the chain is important to look at individually to develop a
security strategy across both tools and departments.
• Many of these can be covered by a NetFlow solution that has both
analytics and incident response capabilities.
©2013 Lancope , Inc. All Rights Reserved.
13

14. APT Timeline Example
Do you know what happened while you were responding?
1:06:15 PM:
Internal Host
Visits Malicious
Web Site
1:06:30 PM:
Malware Infection
Complete, Accesses
Internet Command and
Control
©2013 Lancope , Inc. All Rights Reserved.
1:06:35 PM:
Malware begins
scanning internal
network
1:07:00 PM:
Gateway malware analysis
identifies the transaction
as malicious
1:13:59 PM:
Multiple internal
infected hosts
1:14:00 PM:
Administrators
manually disconnect
the initial infected host
14

15. Big Data Center Focus Areas
Cyber Threat Problem
Cyber Threat Solution
DDoS Case Study
©2013 Lancope , Inc. All Rights Reserved.
15

16. Why Use NetFlow?
Complete Network Visibility
• NetFlow is a record of every conversation on your network from a
“trusted 3rd party” – i.e. it is not affected by trustworthiness of hosts
 Perfect audit trail
 Provides ability to baseline what is normal
• NetFlow is very lightweight and compresses very well
 Typically can store for 45-90 days with StealthWatch
NetFlow
Phone Bill (CDR)
©2013 Lancope , Inc. All Rights Reserved.
16

17. Cyber Threat Solution
Goal: Knowledge as Focus instead of Data
Visibility
Analysis
Cyber
Threat
Intelligence
Data
Information
Knowledge
Big Data Collection
©2013 Lancope , Inc. All Rights Reserved.
+
Big Analytics
+
Big Incident Response
17

18. Big Data Collection
What Constitutes “Big”?
Per Second
Per Hour
Per Day
Per 45 Days
1 StealthWatch Collector
Events
Data (MB)
120,000
9
432,000,000
30,960
10,368,000,000
743,040
466,560,000,000
33,436,800
Per Second
Per Hour
Per Day
Per 45 Days
StealthWatch System (x25)
Events
Data (MB)
3,000,000
215
10,800,000,000
774,000
259,200,000,000
18,576,000
11,664,000,000,000
835,920,000
©2013 Lancope , Inc. All Rights Reserved.
18

19. Big Analytics
Real-time Detection of Indicators of Compromise
Collect Vast
Amount of Data
Correlate
Metadata for
Context
©2013 Lancope , Inc. All Rights Reserved.
Baseline
Normal
Activity
Identify
Deviations
from Norm
Alert on
Indicators of
Compromise
19

20. Big Incident Response
Powerful Investigation Capabilities
• Who did this?
– Usernames, IP Addresses, Devices,
Country, ISP
• What did they do?
– What behavior did they engage in?
What else did they do?
• Where did they go?
– What hosts on my network were
accessed?
• When?
– Have we investigated the full
intrusion timeline?
• Why?
– What is their objective?
© 2013 Lancope, Inc. All rights reserved.
20

21. Big Data Center Focus Areas
Cyber Threat Problem
Cyber Threat Solution
DDoS Case Study
©2013 Lancope , Inc. All Rights Reserved.
21

22. DDoS – a Big Problem!
Sec Ops & Net Ops
StealthWatch’s Focus:
• Alert on attack, citing individual target of attack
• Fast investigative workflow for impact & root
cause analysis
• Monitor mitigation success
© 2013 Lancope, Inc. All rights reserved.
22

23. DDoS
Sometimes DDoS Attacks Are Obvious…
© 2013 Lancope, Inc. All rights reserved.
23

24. DDoS
And Sometimes They Are Not So Obvious…
Increase in Malformed
Fragment Alarms
Strange Short Bursts in Traffic
© 2013 Lancope, Inc. All rights reserved.
24

25. DDoS
Quick Investigation Workflow
- 1.5 Gbps of DNS Traffic and 1.5 Gbps of Undefined UDP Traffic
- Total of 107.25 GB of data sent between these two services
-
Right-click drill down to identify Top DNS Hosts
Top 3 Hosts have over 96,000 peers and over 190,000 flows EACH
© 2013 Lancope, Inc. All rights reserved.
25

26. DDoS
Quick Investigation Workflow
Each DNS response contains
the same domain: “pkts.asia”
Conclusion: This is a DNS amplification attack
and these type of packets need to be blocked.
© 2013 Lancope, Inc. All rights reserved.
26

27. Network Visibility Solution:
EndaceFlow 3040 & StealthWatch
FlowCollector
Richard Trujillo – Marketing Manager, Emulex
Emulex Confidential - © 2013 Emulex Corporation

28. Our Approach to NPM/APM/SEM – Best of Breed
APM
App
NPM
App
IDS
App
HFT
App
EndaceVision Network Search
Engine with Fusion
Connectors
Endace Network Visibility Products
10/40/100GbE
Our approach enables tailored best-of-breed solutions
– All tools share data from same secure location in datacenter
– Automated workflow, “pivot to packets” speeds up issue resolution
Lower Investment While Increasing ROI
– Only buy what you need
– Plan and train staff on the tools that fit your situation best
28
© 2013 Emulex Corporation

29. How Much Network Visibility Do You Need?
Just as in the video world, there is a big difference between lowdef network visibility and high-def network visibility
– Low-def shows you the overall trends – great for long-term traffic
planning and identifying large deviations from the norm
– High-def lets you see the action (microbursts, dropped packets, protocol
errors) that underlie the most difficult application performance issues
The visibility Emulex tools
provide
•
•
•
See microbursts
Know exactly what data has been
compromised
Identify issues impacting
application performance
The visibility most tools provide
Sampled data cannot provide the detail you need to resolve
difficult security breaches or application performance issues
29
© 2013 Emulex Corporation

30. EndaceFlow™ 3040– NetFlow Generation
Extreme Performance
– The EndaceFlow 3040 provides complete flow visibility at
10Gbps (4x10GbE)
– 30Gbps of flow generation and a total of 64M active flows.
Custom Filtering
– Customize exports to gain visibility of specific networks within
the datacenter.
– Load balance flow records across multiple collectors
– The EndaceFlow 3040 supports up to 120 filters across 4
collectors for load balancing flow records across multiple
collectors
Advanced Hash Load Balancing
– The advanced HLB feature minimizes manual configuration
with flow safe load balancing, reducing operational
expenditures (OPEX).
Ease of Integration
– Supports V5, V9 and IPFIX flow formats and a broad range
of fields, allows seamless integration with any NetFlow
collector in the market.
30
© 2013 Emulex Corporation
EndaceFlow 3040
High-speed NetFlow
generation
4x10GbE ports

31. Data Center Deployment Topology
Access
Layer
Core
Switch
Tap or
SPAN
Edge
Firewall
Tap or
SPAN
Tap or
SPAN
Edge
Router
`
NetFlow
Packets
Packets
NetFlow
Packets
NetFlow
Rack
Servers
Internet
`
Packets
NetFlow
Packets
NetFlow
DMZ
SecOps deployment
monitoring both sides of the
DMZ; record attacks, ID
compromised data
Packets
NetFlow
Endpoint
Security
Packets
NetFlow
EndaceProbe
Packet Capture
EndaceFlow
NetFlow Generation
Lancope StealthWatch
FlowCollector
Endace
Management
Server
Forensics
NBAD
EndaceVision
SIEM
StealthWatch
Security Operations Center
31
`
© 2013 Emulex Corporation
1. Alarm triggers
event. Analyst
investigates using
the EM interface
2. Analyst pivots to
forensics tool for deep
dive into packets enabling
rapid resolution
3. Analyst closes event
and makes changes to
prevention rules if
appropriate

32. Use Case: Security Operations
Consumer Electronics/Content Provider Uses Lancope and
EndaceFlow to Improve Security Incident Response Times
Business problem: As the customer increased deployment of 10GbE in
their data centers, they needed to improve their security monitoring
capabilities and significantly reduce their incident response time and costs.
The customer considered integrated solutions, but found that the poor
performance and high costs impacted the amount of monitoring they could
deploy. They also found that the sampled nature of the data hindered the
response teams ability to resolve issues quickly.
Products deployed:
– EndaceFlow 3040 NetFlow Generator Appliances
– Lancope StealthWatch™ FlowCollector
Competitors
– Cisco NGA
32
© 2013 Emulex Corporation

33. Use Case: Security Operations (cont’d)
Why did we win?
Network
Ability to generate 100%
unsampled netflows on
multiple 10GbE links
Misc
15-20 Gbps
Console
Network
Packet
Broker
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
PWR1
PWR2
Director X Stream
V
Ability of our overall
solution to handle up to
60Gb/s of traffic
HTTPS
45-60 Gbps
Management
HTTPS
12-20 Gbps
Misc
8-10 Gbps
100K Flows/sec
Collector Collector Collector Collector Collector Collector Collector Collector
Advanced filtering and
load balancing enabled
overall system success
NetFlow
Dock VM
100K Flows/sec
Collector Collector Collector Collector Collector Collector Collector Collector
NetFlow
Dock VM
Business benefits:
– Reduced response time for critical security incidents from 30-50 hours to a
couple of hours (average)
– Reduced the time required per team member per incident by 12 man-hours
– Provided future expansion room for customer to run traffic up to 100Gb/s
33
© 2013 Emulex Corporation

34. Conclusions
Complete, real-time and end-to-end visibility
Endace and Lancope provides a highly scalable solution
Reduces cost and helps eliminate downtime
…. How can we help you with visibility into your network?
34
© 2013 Emulex Corporation

35. 35
© 2013 Emulex Corporation