Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber Defense Strategy
Similar to Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber Defense Strategy (20)
More from centralohioissa
More from centralohioissa (20)
Recently uploaded
Recently uploaded (20)
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber Defense Strategy
- 1. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY Leveraging APM NPM Solutions to Compliment Cyber Defense Strategy March 30, 2016 Central Ohio InfoSec Summit
- 2. A Little About Us …. Ken Czekaj • 28 Years in IT • Problem Solver @ NETSCOUT • Solutions Architect / Systems Engineering background ©2016 NETSCOUT ° PUBLIC 2 Robert Wright • 20 Years in IT • Sr. Solutions Engineer • Co-Founder NEOISF • Customer & Vendor background Our Blog http://problemsolverblog.czekaj.org
- 3. Philosophy and Approach • Cyber Security is everyone’s problem • Triage is Triage …. Cyber / Apps / Network …. all very similar • Lot’s of Excellent Security Tools Available in the Market • APM NPM Solutions can provide Additional Visibility & Analytics • Reduce your Triage time Bring All that you have available to the table !!!!! ©2016 NETSCOUT ° PUBLIC 3
- 4. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 4 Denial of Service In addition to straight Layer 2 “Brute Force” … Think About … • Key Services Failures – DHCP DNS LDAP Radius • Application Targeted Attacks • Cloud Services • Call Centers & VoIP Service • SYN Floods
- 5. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 5 Denial of Service - Granularity
- 6. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 6 Denial of Service – DHCP
- 7. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 7 Anomalous Behavior APM NPM solutions usually have their own analytics • Use the additional “set of eyes” to defend against the unknown • Same “anomaly” could be used by multiple IT groups • I.E. ….. View of a TCP Reset ??? – Security - “Could be a Bot…” – Network - “Lack of Server Resources..” – Application – “Uh Oh …”
- 8. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 8 Anomalous Behavior
- 9. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 9 Virtualized Architecture Most Cyber Security solutions have “North South” Visibility • APM NPM Solutions can provide additional visibility into “East West” traffic as well – VMWare – Citrix – HP Blade Servers – UCS Chassis
- 10. Virtualized Architecture Data Center Core Traffic typically travels “East West” Data Center Perimeter Internet, MPLS, Co-located PODs Typically “North – South” Traffic
- 11. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 11 Authentication Services – LDAP RADIUS APM NPM solutions have significant views into authentication services • Information on Authentication service and more importantly “failures” • Excellent Views into Single Sign On deployments • Active Directory issues can also affect Cloud Apps • Radius performance issues affect (guest) wireless & BYOD
- 12. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 12 Authentication Services – LDAP RADIUS
- 13. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 13 Policy Based Alarms Many APM NPM solutions will have additional alarming • These do not limit traffic, but can be a direct corollary to bad application traffic • Examples …. We should never see – Outbound FTP from a Web Server – DHCP traffic in the DMZ – Unencrypted protocols in PCI CDE zone • Insight into “Zero-Day” Host issues
- 14. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 14 Policy Based Alarms
- 15. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 15 Packet Capture and Decode APM NPM solutions usually have back in time historical packet analysis • Sometimes, packets are the only way to see what really happened (they never lie) • Packets an be used for – Attack Reconstruction – Evidence
- 16. Packet Capture and Decode
- 17. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 17 DNS Services APM NPM solutions have significant views into DNS services • Anomalies with DNS for usage and failures will affect almost every application – Many times mis-diagnosed as a Cyber event • Provide insights into DNS events – Hijacking – Poisoning – Malware phone home – Botnets – Data Exfiltration
- 18. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 18 DNS Services
- 19. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 19 PCI Compliance - V3.0 – V3.1 More credit card transactions now flying on networks than ever • PCI Requirements – You must have a logical flow of the application traffic – There are SSL version requirements to maintain compliance • View into the Cardholder Data Environment (CDE)
- 20. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 20 PCI Compliance – V3.0 – V3.1
- 21. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 21 Reporting & Evidence APM NPM solutions usually have reporting capabilities • Reports and Views can be leveraged in a post cyber event • Often easier than manually collecting the information and manually creating your own reports
- 22. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 22 Reporting & Evidence
- 23. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 23 Certificates and PKI APM NPM solutions usually have a view into Certificates • Validate identities as encrypted communications are established • Managed by spreadsheets – inaccuracy and manual toil • Alerts to avoid embarrassment for expirations or non- compliancy
- 24. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 24 Certificates and PKI
- 25. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 25 Meta Data Information APM NPM solutions usually have Meta Data that can help speed triage • Flows, Utilization, Applications, Top Talkers, All Talkers, Latency, Error Codes, etc. • While “packets” contain the evidence, Meta Data is more efficient workflow • Efficient and Fast methodology when you “don’t know” what you are looking for
- 26. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 26 Meta Data Information
- 27. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 27 Attack Reconstruction APM NPM solutions have functionality to reconstruct events • Packets and Meta Data can often yield fingerprint evidence of the attack – How did they get in? – What did they look at? – What information got compromised?
- 28. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 28 Attack Reconstruction
- 29. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 29 Host Analysis APM NPM solutions usually have detailed information on a Host • Easy to digest information about IP address traffic • Search information quickly • Can facilitate or re-route investigations • Acts as a filter to get to packet evidence
- 30. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 30 Host Analysis
- 31. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 31 Integration Points with Cyber Tools Many APM NPM tools have hooks, API’s or partnerships with Cyber Tools • Know what you have available in this area !!! • A trap sent to an event correlation engine, SIEM, or Big Data solution will help see the whole picture • Open API to request meta data directly out of APM NPM Solution
- 32. Contact Information Ken Czekaj • Ken.Czekaj@NETSCOUT.com • 419-433-6909 • Twitter - @KenCzekaj • LinkedIn • http://www.linkedin.com/in/kenczekaj ©2016 NETSCOUT ° PUBLIC 32 Robert Wright • Robert.Wright@NETSCOUT.com • 614-264-8604 • Twitter - @rjwrightohio • LinkedIn • https://www.linkedin.com/in/rjwrightohio Our Blog http://problemsolverblog.czekaj.org
- 33. ©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY 33 Summary In your Cyber Defense Strategy … Bring ALL of your AVAILABLE information and intelligence to the table !!!!!