Fidelis Network and Netgate TNSR
Extending Your Network Security to AWS
© Fidelis Cybersecurity
Agenda
Introductions
Cloud Migration
AWS Cloud Port Mirroring
Netgate TNSR
Fidelis Elevate
Threat Detection/Hunting
Q&A
David Weber
Director Product Management
Netgate
Tom Clare
Product/Technical Marketing
Fidelis Cybersecurity
Netgate®
• The open-source secure networking company
• We productize open-source networking and security software for enterprise and service provider use
• Host of the pfSense® project
  • Over 1 million installs worldwide
• Developer of TNSR™
  • An open-source packet processing software platform
  • Firewall, routing, VPN, and other secure networking needs
  • Unparalleled performance, management orchestration & services flexibility
  • Bare metal, VM, & cloud-native capable
Your Network Transformed
Scale up and out with freedom from expensive, proprietary vendor lock-in.
Automate Threat Detection, Hunting & Response with The Fidelis Elevate™ Platform
Accuracy. Clarity. Certainty.
• Gain threat visibility into networks, endpoints, cloud and enterprise IoT
• See north-south traffic, lateral movement, and traffic going in and out of your network
• Automate detection and response to reduce exposure and risk to data
• Immediately respond to endpoint threats
• Prevent data leakage and exfiltration
• Reduce dwell time with an active post-breach defense
Cloud Migration
Deployment models compared: On-Premises, Co-Location, Hosting, IaaS, PaaS, SaaS.
Each model carries the same stack of layers: Data, Applications, Databases, Operating System, Virtualization, Physical Servers, Network & Storage, Data Center.
STRATEGY (moving from On-Premises) → Co-Location: Off-Site | Hosting: Rehost | IaaS: Refactor | PaaS: Rebuild | SaaS: Replace
“On average, 40-60% of applications migrated to cloud by 2021” – Gartner CATALYST 2018
AWS IaaS
Amazon Elastic Compute (EC2)
• Virtual Computing On-Demand
• Server Instances (Machine Images)
• Pre-Defined Templates
• Elastic Block Store (EBS)
Virtual Private Cloud (VPC)
• Virtual Network per AWS Account
• Logically Isolated within AWS Cloud
• Supports Public/Private Subnets
• Security Groups and Network ACLs
Security Responsibility
AWS Shared Responsibility Model
TNSR Platform Architecture
Open Source Value and Freedom
Flexible Deployment Models
TNSR Management Orchestration
Automation. Freedom. Scale. Cost Collapse.
Configuration Management and Orchestration Tools
Secure Networking Data Plane
GRE Tunnel: Netgate TNSR and Fidelis Network (diagram)
Customer VPC: App Server and Web Server, with north-south (N-S) and east-west (E-W) traffic.
Fidelis VPC: Fidelis CommandPost and Fidelis Network Sensor, receiving the N-S and E-W traffic from the customer VPC over the GRE tunnel.
Fidelis Multiple Sensors (diagram)
Zones: Perimeter (Firewall / IPS), DMZ, Internal, High-Value Assets, On-Premises or Cloud
Sensors: Fidelis Mail (Email/SMTP, alongside Email Servers (Exchange) and Email Gateways); Fidelis Web (Web: HTTP, FTP via ICAP, alongside HTTP / FTP Proxies); Fidelis Direct; Fidelis Internal; Fidelis Insight (Enterprise File Shares, SharePoint Servers, Databases, etc.)
Shared components: Fidelis CommandPost; Fidelis Collector (Big Data Analytics); Fidelis Sandbox; Fidelis Endpoint (object requests into Collector)
Fidelis Collector
• Metadata storage and security analytics component
• Metadata – information about other information
• Retrospective and historical analysis (up to 360 days)
• ~90% of data, ~20% of storage expense, on-premise or Fidelis Cloud
• Metadata characteristics:
- All ports & protocols, including unknown protocol session data
- Non-selective session recording, no sampling or dropped data
- Network metadata (about 2% of session size)
- Structured metadata, over 300 attributes indexed and easily searchable
- Enhanced metadata (e.g. alerts, threat intel, geo-location, policy tagging, ID2IP)
Types of Metadata
• Investigation and Response: alert pivots and hunting by switching between content and context of sessions
• Automatic Retrospective Application of Threat Intelligence
• Cross Session Correlation, plus Security Analytics
• Network Visibility & Profiles: see patterns not seen in firewall logs or SIEM dashboards
• Anomaly Detection: frequent and rare instances of attributes, plus cross session, multi-faceted and behavioral analysis
Plus custom tags!
Metadata Query Examples
Have I seen this document of interest on the network before? Query: Search all network sessions for the past three months for my document of interest based on hash, title, author, create date or other attributes.
Who else has sent or received this document of interest? Query: Search all network sessions for the past three months for my document of interest based on hash, title, author, create date or other attributes.
What other data has this user sent? Query: Map out all data from this user, what was sent and where it went.
Where has the phrase “Treadstone” been seen on the network within the last month? Tag sessions containing phrase or keywords of interest. Query: Search for tagged sessions.
What documents contain specific header/footer text? Query: List all network sessions in the last 30 days that contained a document with a header/footer that contains specific text.
Alerts from automatic analytics based on events, event rates, event sequences, and frequency.
Analytic view of frequent/rare values across 100s of metadata attributes.
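The questions above are answered by querying structured, indexed session metadata rather than raw packets. The following added example is not Fidelis code: the Session record, its field names, the four constructed sessions and the query functions are assumptions made for illustration. It shows how the first four questions map onto simple attribute queries over a time window, including the case where a match exists but falls outside the window.

```python
"""Toy session-metadata store answering the slide's example questions.

Added example, not Fidelis code. The Session fields, the constructed
sessions below and the function names are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Session:
    ts: datetime
    sender: str            # user or address that sent the data
    recipient: str         # address, host or share the data went to
    protocol: str
    doc_sha256: str        # hash of the transferred document
    doc_title: str
    doc_author: str
    body_excerpt: str      # text extracted from the document or content
    tags: Set[str] = field(default_factory=set)


NOW = datetime(2019, 6, 1)        # fixed "now" so the window math is reproducible
DAY = timedelta(days=1)
DOC_A, DOC_B, DOC_C = "a" * 64, "b" * 64, "c" * 64   # constructed hashes

# Constructed sessions (not real traffic).
SESSIONS: List[Session] = [
    Session(NOW - 1 * DAY, "alice@corp.example", "bob@corp.example", "SMTP",
            DOC_A, "Q3 Roadmap", "Alice", "project Treadstone budget"),
    Session(NOW - 10 * DAY, "bob@corp.example", "partner@outside.example", "SMTP",
            DOC_A, "Q3 Roadmap", "Alice", "forwarded roadmap"),
    Session(NOW - 120 * DAY, "carol@corp.example", "dave@corp.example", "SMB",
            DOC_B, "Treadstone briefing", "Carol", "Treadstone kickoff notes"),
    Session(NOW - 5 * DAY, "alice@corp.example", "203.0.113.5", "FTP",
            DOC_C, "Customer list", "Alice", "customer export"),
]


def in_window(sessions: List[Session], days: int, now: datetime = NOW) -> List[Session]:
    """Sessions whose timestamp falls within the last `days` days."""
    cutoff = now - timedelta(days=days)
    return [s for s in sessions if s.ts >= cutoff]


def find_document(sessions: List[Session], sha256: Optional[str] = None,
                  title: Optional[str] = None, author: Optional[str] = None,
                  days: int = 90) -> List[Session]:
    """'Have I seen this document before?' Every supplied attribute must match:
    hash exactly, title by case-insensitive substring, author case-insensitively."""
    hits = []
    for s in in_window(sessions, days):
        if sha256 and s.doc_sha256 != sha256:
            continue
        if title and title.lower() not in s.doc_title.lower():
            continue
        if author and author.lower() != s.doc_author.lower():
            continue
        hits.append(s)
    return hits


def who_exchanged(sessions: List[Session], sha256: str, days: int = 90) -> Set[str]:
    """'Who else has sent or received this document?'"""
    parties: Set[str] = set()
    for s in find_document(sessions, sha256=sha256, days=days):
        parties.update((s.sender, s.recipient))
    return parties


def data_from_user(sessions: List[Session], user: str) -> List[Tuple[str, str, str]]:
    """'What other data has this user sent?' -> (title, protocol, destination)."""
    return [(s.doc_title, s.protocol, s.recipient) for s in sessions if s.sender == user]


def tag_by_keyword(sessions: List[Session], keyword: str, tag: str) -> int:
    """Tag every session whose title or extracted text contains the keyword."""
    kw = keyword.lower()
    count = 0
    for s in sessions:
        if kw in s.body_excerpt.lower() or kw in s.doc_title.lower():
            s.tags.add(tag)
            count += 1
    return count


def tagged_sessions(sessions: List[Session], tag: str, days: int = 30) -> List[Session]:
    """'Where has the phrase been seen within the last month?' -> tagged + windowed."""
    return [s for s in in_window(sessions, days) if tag in s.tags]


if __name__ == "__main__":
    print("sessions carrying DOC_A (90d):", len(find_document(SESSIONS, sha256=DOC_A)))
    print("parties for DOC_A:", sorted(who_exchanged(SESSIONS, DOC_A)))
    print("alice sent:", data_from_user(SESSIONS, "alice@corp.example"))
    print("tagged:", tag_by_keyword(SESSIONS, "Treadstone", "treadstone"))
    print("Treadstone in last 30d:", len(tagged_sessions(SESSIONS, "treadstone")))
```

Tagging is applied to every stored session, while the query is windowed: the 120-day-old "Treadstone briefing" session gets the tag but does not appear in a last-30-days search, which is the distinction the slide draws between tagging sessions of interest and searching for them.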
Metadata Comparison

NetFlow Data
  Data: Source/Destination; Transport Protocol; Type of Service; Session Duration
  Pros / Cons: Misses Context; Not Enough Data; Resource Intensive/$$$

SIEM / Log Collectors
  Data: Unstructured Log Data; Normalize & Correlate; NGFW, IDPS, VPN, AV/EP, DLP; Apps, Databases & Web Servers; Email / Web Gateways & CASBs; Network Infrastructure; Inventory & Vulnerabilities
  Pros / Cons: Compliance/Audit Driven; Challenge to Define Rules; Few Rules – Miss Alerts; Many Rules – High FPs; Detect Known w/Threat Intel.; UEBA Requires More Data; SOC, Timeline, Investigations; Rarely Detects Advanced Threats

Fidelis Metadata
  Data: Indexed, Ready To Use; Network, Endpoint, Cloud; Web/Email Sensors; Transport & Protocols; Applications & Files; Web Apps & Social Media; Email, IRC, Telnet, TOR, etc.; Encrypted Web Access; Certificates; Documents & Archives; Embedded Objects; Executable Files; Others (Flash, Java, XML); Custom Defined Tags
  Pros / Cons: ~90% of Data, 20% of Cost; Focus on Threat Detection; Data Loss / Data Theft; Cross Session Analysis; Apply Threat Intelligence

Full Packet Capture (PCAPs)
  Data: Raw Packet Data; Network DVR Capture; Endpoint DVR Capture; Encoded, Unassembled; Forensic Evidence
  Pros / Cons: Large Data Volumes; Expensive to Store; Unable to Query; Cannot Apply Threat Intel.; Timely to Decode/Assemble; Forensic Skills Required
Fidelis Network Visibility & Detection
Traffic Analysis: expose misuse of assets; proxy and security circumvention; discover encryption misuse; all ports, all protocols
Content Analysis: Deep Session Inspection®; Deep Packet Inspection; Deep Content Inspection; Data Leakage/DLP; Zip, RAR, JAR, archive file extraction
Malware Detection: advanced multi-tiered malware detection; heuristic analysis; sandbox execution analysis; machine learning based detection; C2 detection
Threat Detection: custom protocol detection; de-obfuscation; internal threats detection; behavioral analytics; historical analytics
Threat Hunting: reputation feed matching; STIX/TAXII; YARA, Suricata support; open policy interface; historical analysis
Sensors: Cloud, Gateway, Internal, Email, Web
Metadata: 300+ attributes & custom tags
Multi-Defenses: real-time & retrospective analysis
Threat Intelligence: Fidelis, 3rd party, internal
Automation: detection, investigation, response
A Day in the Life of a Security Team – Without Fidelis (diagram)
Capabilities around the ring: see patterns in network activity; monitor for and prevent exfiltration of data; see beaconing and block it; identify and stop malicious network behavior; see lateral movement; perform real-time and historical analysis; see all endpoint activity and respond to threats.
BEST CASE: Hours or Days
Review alert and determine what info is needed to validate it.
Open a ticket with IT to ask someone to go get the information.
Get info back from IT. It’s wrong (or not enough).
Review information and determine if the endpoint is compromised.
If compromised, figure out if you should clean it or re-image it.
Manually update your firewall and breach detection rules.
Wonder to yourself if that’s the only compromised endpoint.
Then move on.
A Day in the Life of a Security Team – With Fidelis (diagram)
Same capabilities around the ring: see beaconing and block it; monitor for and prevent exfiltration of data; see patterns in network activity; identify and stop malicious network behavior; see lateral movement; see all endpoint activity and respond to threats; perform real-time and historical analysis.
TYPICAL CASE: MINUTES (vs. Hours or Days)
Fidelis detects, validates and creates a real alert.
Fidelis automatically gathers all relevant info for investigation.
You decide on remediation activity and initiate it.
Fidelis automates response playbooks.
Fidelis automatically prevents the threat going forward.
Fidelis finds everywhere else the same thing that occurred now and in the past.
Steps performed by Fidelis are flagged AUTOMATED in the diagram.
Gain Full Visibility, Detect and Respond to Threats Faster with Fidelis Elevate
Deep Visibility
▪ See across all traffic, all ports, all protocols, lateral movement and all endpoint activity
▪ Discover and classify all network assets, including enterprise IoT
▪ Decode and analyze embedded sessions with patented Deep Session Inspection®
▪ Inspect all content flowing over the network – from both a threat and a data loss perspective
Faster Response
▪ Automate response - isolate the endpoint, rollback to previous snapshot, CVE scanning, jumpstart playbooks, and more
▪ Confirm and stop data theft by content inspection of all outgoing network activity
Accurate Detection
▪ Capture and store all metadata for real-time and retrospective analysis
▪ Accurate and fast detection driven by curated threat intelligence, integrated sandboxing, machine learning algorithms to extract IoCs, and AV
▪ Automatically validate, consolidate, and correlate network alerts against every endpoint
24x7 Managed Detection and Response (MDR)
Let Us Be Your Threat Hunting and Data Leakage Mitigation Team
Contextual Perspective, Deep Visibility and Automated Detection and Response across your Network, Endpoints, Cloud and Enterprise IoT Devices
Full service solution focused on detection, response and remediation - managed and monitored by security experts
Discover and Classify Network Assets
Enforce Network Detection and Response
Data Leakage Prevention (DLP)
Endpoint Detection and Response (EDR)
Deception
Verifies and enforces your security policies and compliance requirements to ensure the highest standards
Summary
TNSR serves as a cloud gateway with built-in traffic monitoring
Delivers high-speed traffic directly to Fidelis Network sensors running in AWS
No agents required
No modifications to user-defined routes required
Delivery over GRE (ERSPAN) or VXLAN
Advanced visibility, threat detection, and data loss/theft detection
Now capable of securing applications and data hosted within AWS
Deep visibility
Accurate detection
Fast response
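TNSR hands the mirrored traffic to the sensor wrapped in GRE (ERSPAN) or VXLAN, so whoever consumes the feed, or checks that the mirror is arriving intact, first has to strip the outer encapsulation and recover the inner Ethernet frame. The following added example is not Netgate or Fidelis code: it implements the two decapsulations from the public header layouts (VXLAN per RFC 7348, GRE per RFC 2784/2890 carrying ERSPAN Type II) and exercises them on packets it constructs itself, so the addresses, VNI and session id are made-up values.

```python
"""Decapsulate mirrored traffic delivered over VXLAN or GRE/ERSPAN.

Added example, not Netgate or Fidelis code. The sample packets are
constructed in-line (not captured) so the decoders can be run offline.
"""
import struct

ETH_P_IP = 0x0800
GRE_PROTO_ERSPAN = 0x88BE   # GRE protocol type for ERSPAN Type II
VXLAN_FLAG_I = 0x08         # "VNI valid" bit in the VXLAN flags byte


def parse_inner_frame(frame: bytes) -> dict:
    """Reduce an inner Ethernet/IPv4/TCP-or-UDP frame to a flow tuple."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_IP:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport = dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:     # TCP or UDP: ports first
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def decap_vxlan(udp_payload: bytes) -> dict:
    """VXLAN (RFC 7348): 8-byte header, then the mirrored Ethernet frame."""
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    if not udp_payload[0] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    flow = parse_inner_frame(udp_payload[8:])
    flow["vni"] = int.from_bytes(udp_payload[4:7], "big")   # 24-bit VNI
    return flow


def decap_gre_erspan(ip_payload: bytes) -> dict:
    """GRE (RFC 2784/2890) carrying ERSPAN Type II, then the mirrored frame."""
    if len(ip_payload) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", ip_payload[:4])
    off = 4
    if flags & 0x8000:   # C: checksum + reserved1 present
        off += 4
    if flags & 0x2000:   # K: key present
        off += 4
    if flags & 0x1000:   # S: sequence number present (ERSPAN Type II sets this)
        off += 4
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError(f"unexpected GRE protocol 0x{proto:04x}")
    if len(ip_payload) < off + 8:
        raise ValueError("truncated ERSPAN header")
    word0 = struct.unpack("!I", ip_payload[off:off + 4])[0]
    if word0 >> 28 != 1:                       # Ver field: 1 == Type II
        raise ValueError("not ERSPAN Type II")
    flow = parse_inner_frame(ip_payload[off + 8:])
    flow["erspan_session"] = word0 & 0x3FF     # low 10 bits: session ID
    return flow


# --- constructed sample traffic (not captured data) ----------------------
def _ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_inner_frame(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Ethernet + IPv4 + TCP SYN with zeroed checksums (enough for parsing)."""
    eth = b"\x02\x00\x00\x00\x00\x01\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip4(src), _ip4(dst))
    return eth + ip + tcp


INNER = build_inner_frame("10.0.1.20", "10.0.2.30", 51000, 443)
SAMPLE_VXLAN = b"\x08\x00\x00\x00" + (12345).to_bytes(3, "big") + b"\x00" + INNER
SAMPLE_GRE_ERSPAN = (struct.pack("!HH", 0x1000, GRE_PROTO_ERSPAN)   # S flag set
                     + struct.pack("!I", 1)                          # sequence number
                     + struct.pack("!II", (1 << 28) | 7, 0)          # Ver 1, session 7
                     + INNER)

if __name__ == "__main__":
    print("VXLAN :", decap_vxlan(SAMPLE_VXLAN))
    print("ERSPAN:", decap_gre_erspan(SAMPLE_GRE_ESPAN) if False else decap_gre_erspan(SAMPLE_GRE_ERSPAN))
```

The GRE parser honours the C, K and S flag bits before locating the ERSPAN header, because a sender that adds a key or checksum shifts the inner frame by four bytes each; a decoder that hard-codes an 8-byte GRE header would silently misparse the mirrored traffic. The VNI and ERSPAN session id are kept on the returned flow so a consumer can tell which mirror source the frame came from.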
Next Steps: Proof of Concept
Find the Blind Spots in Your Security Stack
▪ Highly recommended next step
▪ Full platform or individual products
▪ Easy-to-implement with flexible deployment options based on your requirements:
  ▪ Cloud with Netgate TNSR
  ▪ On-premise with sensors
▪ We work with you to define success criteria and timeline
https://www.fidelissecurity.com/products/network/demo
Thank You!

Mind map of terminologies used in context of Generative AI
Kumud Singh
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
Pixlogix Infotech
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 

Recently uploaded (20)

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 

Extending Your Network Cloud Security to AWS

  • 5. Cloud Migration
  Stack layers compared across On-Premises, Co-Location, Hosting, IaaS, PaaS and SaaS: Data, Applications, Databases, Operating System, Virtualization, Physical Servers, Network & Storage, Data Center.
  STRATEGY → Off-Site, Rehost, Refactor, Rebuild, Replace
  “On average, 40-60% of applications migrated to cloud by 2021” – Gartner CATALYST 2018

  • 6. AWS IaaS
  Amazon Elastic Compute (EC2)
  • Virtual Computing On-Demand
  • Server Instances (Machine Images)
  • Pre-Defined Templates
  • Elastic Block Store (EBS)
  Virtual Private Cloud (VPC)
  • Virtual Network per AWS Account
  • Logically Isolated within AWS Cloud
  • Supports Public/Private Subnets
  • Security Groups and Network ACLs

  • 7. Security Responsibility
  AWS Shared Responsibility Model

  • 9. TNSR Platform Architecture
  • Open Source Value and Freedom
  • Flexible Deployment Models

  • 10. TNSR Management Orchestration
  Automation. Freedom. Scale. Cost Collapse.
  • Configuration Management and Orchestration Tools
  • Secure Networking Data Plane

  • 11. GRE Tunnel: Netgate TNSR and Fidelis Network
  (Diagram: Customer VPC with App Server and Web Server, N-S and E-W traffic; GRE tunnel to the Fidelis VPC containing Fidelis CommandPost and Fidelis Network Sensor)

  • 12. Fidelis Multiple Sensors
  (Diagram, on-premises or cloud: Fidelis Internal, Fidelis Mail (Email/SMTP), Fidelis Web (ICAP; Web HTTP, FTP), Fidelis Direct, Fidelis CommandPost, Fidelis Collector, Fidelis Insight, Fidelis Sandbox, Fidelis Endpoint (object requests into Collector); DMZ with Perimeter Firewall / IPS, Email Servers (Exchange), Email Gateways, HTTP / FTP Proxies; High-Value Assets such as Enterprise File Shares, SharePoint Servers, Databases, etc.; Big Data Analytics)

  • 13. Fidelis Collector
  • Metadata storage and security analytics component
  • Metadata – information about other information
  • Retrospective and historical analysis (up to 360 days)
  • ~90% of data, ~20% of storage expense, on-premise or Fidelis Cloud
  • Metadata characteristics:
    - All ports & protocols, including unknown protocol session data
    - Non-selective session recording, no sampling or dropped data
    - Network metadata (about 2% of session size)
    - Structured metadata, over 300 attributes indexed and easily searchable
    - Enhanced metadata (e.g. alerts, threat intel, geo-location, policy tagging, ID2IP)

  • 14. Types of Metadata
  • Investigation and Response – alert pivots and hunting by switching between content and context of sessions
  • Automatic Retrospective Application of Threat Intelligence
  • Cross Session Correlation, plus Security Analytics
  • Network Visibility & Profiles – see patterns not seen in firewall logs or SIEM dashboards
  • Anomaly Detection – frequent and rare instances of attributes, plus cross session, multi-faceted and behavioral analysis
  Plus custom tags!

  • 15. Metadata Query Examples
  Have I seen this document of interest on the network before?
  Query: Search all network sessions for the past three months for my document of interest based on hash, title, author, create date or other attributes.
  Who else has sent or received this document of interest?
  Query: Search all network sessions for the past three months for my document of interest based on hash, title, author, create date or other attributes.
  What other data has this user sent?
  Query: Map out all data from this user, what was sent and where it went.
  Where has the phrase “Treadstone” been seen on the network within the last month?
  Tag sessions containing the phrase or keywords of interest. Query: Search for tagged sessions.
  What documents contain specific header/footer text?
  Query: List all network sessions in the last 30 days that contained a document with a header/footer that contains specific text.
  Alerts from automatic analytics based on events, event rates, event sequences, and frequency. Analytic view of frequent/rare values across 100s of metadata attributes.

  • 16. Metadata Comparison
  NetFlow Data
  Data: • Source/Destination • Transport Protocol • Type of Service • Session Duration
  Pros / Cons: • Misses Context • Not Enough Data • Resource Intensive/$$$ • Compliance/Audit Driven
  SIEM / Log Collectors
  Data: • Unstructured Log Data • Normalize & Correlate • NGFW, IDPS, VPN, AV/EP, DLP • Apps, Databases & Web Servers • Email / Web Gateways & CASBs • Network Infrastructure • Inventory & Vulnerabilities
  Pros / Cons: • Challenge to Define Rules • Few Rules – Miss Alerts • Many Rules – High FPs • Detect Known w/Threat Intel. • UEBA Requires More Data • SOC, Timeline, Investigations • Rarely Detects Advanced Threats
  Fidelis Metadata
  Data: • Indexed, Ready To Use • Network, Endpoint, Cloud • Web/Email Sensors • Transport & Protocols • Applications & Files • Web Apps & Social Media • Email, IRC, Telnet, TOR, etc. • Encrypted Web Access • Certificates • Documents & Archives • Embedded Objects • Executable Files • Others (Flash, Java, XML) • Custom Defined Tags
  Pros / Cons: • ~90% of Data, 20% of Cost • Focus on Threat Detection • Data Loss / Data Theft • Cross Session Analysis • Apply Threat Intelligence
  Full Packet Capture (PCAPs)
  Data: • Raw Packet Data • Network DVR Capture • Endpoint DVR Capture • Encoded, Unassembled • Forensic Evidence
  Pros / Cons: • Large Data Volumes • Expensive to Store • Unable to Query • Cannot Apply Threat Intel. • Timely to Decode/Assemble • Forensic Skills Required

  • 17. Fidelis Network Visibility & Detection
  Traffic Analysis: Expose misuse of assets; Proxy and security circumvention; Discover encryption misuse; All ports, all protocols
  Content Analysis: Deep Session Inspection®; Deep Packet Inspection; Deep Content Inspection; Data Leakage/DLP; Zip, RAR, JAR, Archive file extraction
  Malware Detection: Advanced Multi-tiered Malware Detection; Heuristic Analysis; Sandbox Execution Analysis; Machine Learning Based Detection; C2 Detection
  Threat Detection: Custom Protocol Detection; De-Obfuscation; Internal Threats Detection; Behavioral Analytics; Historical Analytics
  Threat Hunting: Reputation Feed Matching; STIX/TAXII; YARA, Suricata Support; Open Policy Interface; Historical Analysis
  Sensors – Cloud, Gateway, Internal, Email, Web
  Metadata – 300+ Attributes & Custom Tags
  Multi-Defenses – Real-time & Retrospective Analysis
  Threat Intelligence – Fidelis, 3rd Party, Internal
  Automation – Detection, Investigation, Response

  • 18. A Day in the Life of a Security Team – Without Fidelis
  See patterns in network activity. Monitor for and prevent exfiltration of data. See beaconing and block it. Identify and stop malicious network behavior. See lateral movement. Perform real-time and historical analysis. See all endpoint activity and respond to threats. …!!!?!??!
  BEST CASE: Hours or Days
  • Review alert and determine what info is needed to validate it.
  • If compromised, figure out if you should clean it or re-image it.
  • Wonder to yourself if that’s the only compromised endpoint. Then move on.
  • Manually update your firewall and breach detection rules.
  • Get info back from IT. It’s wrong (or not enough).
  • Open a ticket with IT to ask someone to go get the information.
  • Review information and determine if the endpoint is compromised.

  • 19. A Day in the Life of a Security Team – With Fidelis
  Fidelis automates response playbooks.
  TYPICAL CASE: MINUTES (vs. Hours or Days)
  • Fidelis detects, validates and creates a real alert. (AUTOMATED)
  • Fidelis automatically gathers all relevant info for investigation. (AUTOMATED)
  • You decide on remediation activity and initiate it.
  • Fidelis automatically prevents the threat going forward.
  • Fidelis finds everywhere else the same thing that occurred now and in the past.
  See beaconing and block it. Monitor for and prevent exfiltration of data. See patterns in network activity. Identify and stop malicious network behavior. See lateral movement. See all endpoint activity and respond to threats. Perform real-time and historical analysis.

  • 20. Gain Full Visibility, Detect and Respond to Threats Faster with Fidelis Elevate
  Deep Visibility
  ▪ See across all traffic, all ports, all protocols, lateral movement and all endpoint activity
  ▪ Discover and classify all network assets, including enterprise IoT
  ▪ Decode and analyze embedded sessions with patented Deep Session Inspection®
  ▪ Inspect all content flowing over the network – from both threat and data loss perspective
  Faster Response
  ▪ Automate response – isolate the endpoint, rollback to previous snapshot, CVE scanning, jumpstart playbooks, and more
  ▪ Confirm and stop data theft by content inspection of all outgoing network activity
  Accurate Detection
  ▪ Capture and store all metadata for real-time and retrospective analysis
  ▪ Accurate and fast detection driven by curated threat intelligence, integrated sandboxing, machine learning algorithms to extract IoCs, and AV
  ▪ Automatically validate, consolidate, and correlate network alerts against every endpoint

  • 21. 24x7 Managed Detection and Response (MDR)
  Let Us Be Your Threat Hunting and Data Leakage Mitigation Team
  Contextual Perspective, Deep Visibility and Automated Detection and Response across your Network, Endpoints, Cloud and Enterprise IoT Devices
  Full service solution focused on detection, response and remediation – managed and monitored by security experts
  • Discover and Classify Network Assets
  • Enforce Network Detection and Response
  • Data Leakage Prevention (DLP)
  • Endpoint Detection and Response (EDR)
  • Deception
  Verifies and enforces your security policies and compliance requirements to ensure the highest standards

  • 22. Summary
  TNSR serves as a cloud gateway with built-in traffic monitoring
  • Delivers high-speed traffic directly to Fidelis Network sensors running in AWS
  • No agents required
  • No modifications to user-defined routes required
  • Delivery over GRE (ERSPAN) or VXLAN
  Advanced visibility, threat detection, and data loss/theft detection
  • Now capable of securing applications and data hosted within AWS
  • Deep visibility
  • Accurate detection
  • Fast response
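The GRE (ERSPAN) and VXLAN delivery in the summary above, as an added example that is not Netgate or Fidelis code: a sensor-side decapsulator that strips either wrapper from a mirrored frame and returns the inner IPv4 5-tuple, which is the starting point for any metadata extraction. It assumes ERSPAN Type II with the GRE sequence number present, IPv4 inner packets, and that the outer IP (and, for VXLAN, UDP) headers have already been removed; the sample frames are constructed in the block.

```python
"""Decapsulating mirrored traffic delivered over GRE/ERSPAN or VXLAN.

Added example, not Netgate or Fidelis code. Assumes ERSPAN Type II, IPv4
inner packets, and that the outer IPv4 (and UDP for VXLAN) header has
already been stripped by the caller. Sample frames below are constructed.
"""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
GRE_PROTO_TEB = 0x6558     # transparent Ethernet bridging: plain GRE of L2 frames
GRE_PROTO_ERSPAN = 0x88BE  # ERSPAN Type II rides in GRE with this protocol type


def inner_five_tuple(frame: bytes) -> dict:
    """Return the IPv4 5-tuple of an already decapsulated Ethernet frame."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("inner frame is not a complete IPv4 Ethernet frame")
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    ports = struct.unpack("!HH", ip[ihl:ihl + 4]) if proto in (6, 17) else (None, None)
    return {"src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
            "proto": proto, "sport": ports[0], "dport": ports[1]}


def decap_gre(payload: bytes) -> dict:
    """payload starts at the GRE header (outer IP protocol 47 already stripped)."""
    flags, proto = struct.unpack("!HH", payload[:4])
    off = 4
    off += 4 if flags & 0x8000 else 0  # checksum present
    off += 4 if flags & 0x2000 else 0  # key present
    off += 4 if flags & 0x1000 else 0  # sequence number present
    meta = {"encap": "gre"}
    if proto == GRE_PROTO_ERSPAN:
        # ERSPAN II: Ver(4) VLAN(12) COS(3) En(2) T(1) Session(10) | Res(12) Index(20)
        word1, word2 = struct.unpack("!II", payload[off:off + 8])
        meta.update(encap="erspan", version=word1 >> 28, vlan=(word1 >> 16) & 0xFFF,
                    session_id=word1 & 0x3FF, index=word2 & 0xFFFFF)
        off += 8
    elif proto != GRE_PROTO_TEB:
        raise ValueError(f"unexpected GRE protocol type 0x{proto:04x}")
    meta.update(inner_five_tuple(payload[off:]))
    return meta


def decap_vxlan(udp_payload: bytes) -> dict:
    """udp_payload starts at the 8-byte VXLAN header (UDP port 4789 already stripped)."""
    if not udp_payload[0] & 0x08:
        raise ValueError("VXLAN 'I' flag not set; VNI is not valid")
    meta = {"encap": "vxlan", "vni": int.from_bytes(udp_payload[4:7], "big")}
    meta.update(inner_five_tuple(udp_payload[8:]))
    return meta


def sample_inner_frame() -> bytes:
    """Constructed inner frame: TCP SYN 10.0.1.10:51514 -> 203.0.113.5:443, no checksums."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")  # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address("10.0.1.10").packed, IPv4Address("203.0.113.5").packed)
    tcp = struct.pack("!HHIIBBHHH", 51514, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def sample_erspan() -> bytes:
    """Constructed GRE + ERSPAN II wrapper: seq present, VLAN 100, session 7."""
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, 1)       # S flag set, seq = 1
    erspan = struct.pack("!II", (1 << 28) | (100 << 16) | 7, 0)  # ver 1, vlan 100, session 7
    return gre + erspan + sample_inner_frame()


def sample_vxlan() -> bytes:
    """Constructed VXLAN wrapper with VNI 5001 around the same inner frame."""
    return bytes([0x08, 0, 0, 0]) + (5001).to_bytes(3, "big") + b"\x00" + sample_inner_frame()
```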
  • 23. Next Steps: Proof of Concept
  Find the Blind Spots in Your Security Stack
  ▪ Highly recommended next step
  ▪ Full platform or individual products
  ▪ Easy-to-implement with flexible deployment options based on your requirements:
    ▪ Cloud with Netgate TNSR
    ▪ On-premise with sensors
  ▪ We work with you to define success criteria and timeline
  https://www.fidelissecurity.com/products/network/demo