Breached! Next Generation Network Forensics for the Cloud
Dennis Carpio, Sr. Director Business Development; Ixia
Karl Vogel, World Wide Solution Architect, Network Forensics & Malware Analysis; Symantec
The Need for Network (and Cloud) Forensics
Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Online Gaming Company in Chaos
The Need for Network Forensics – Painful Story
Informed we may be the victim of a breach…
Had no way to confirm or deny…
“Why can’t you prove if this happened or not”…
Concerns about brand and reputational impact…
Urgent, high-priority project spun up…
People and big $ thrown at the problem…
The “Average” Enterprise
Cannot Quickly Detect or Accurately Assess Impact of an Incident
TODAY’S REALITY: Breach, then Incident Identified, then Resolution
Time to detection: 197 days
Time to response: 69 days
• Damage occurring for over six months before detection
• …and is not resolved for over two months after identified
Average Breach Cost - $3.86M
Source: IBM 2018 Data Breach Study (conducted by Ponemon)
Security Analytics
Complete Answers for Focused Resolution
Security Analytics – System of Record
Security Analytics doesn’t disrupt the Networking/IT department
Records all traffic – 24/7 lossless packet capture (header and payload) – days/weeks/months
Massive Intelligence – enriches with Symantec and 3rd party threat and reputation data
Reconstructs All Evidence – artifacts, flows, files, and activity in human-readable form
“At a minimum, organizations should capture 30 days of packet data. 60 days’ worth is even better.”
Incident Response Challenges
What Net Ops Requires: “Don’t complicate our network and don’t slow it down!”
Incident Response Challenge: “Existing tools leave information holes, an incomplete picture, and difficulty in determining the incident source and scope – increasing my time-to-resolution.”
• Working with a fragmented toolset increases workload and delays resolution
• Log and event-based investigations lack depth of data to quickly find source/scope
• Inability to recreate exact evidence leads to uncertainty and extended exposure
• Limited correlation between data, security intel and activity leads to undetected breaches
Issue: Fragmented Tools and Limited Data
Insufficient for effective investigations
Incident Response, tool by tool:
1. Sandbox sends alert – Malicious file!
2. SIEM says this should be investigated
3. Firewall says it’s web traffic – from Gmail
4. DLP says nothing was leaked
5. Proxy says URL was suspicious
6. IPS says no network threat
7. Endpoint says it was unknown
8. Now capture a simple PCAP – Reactive – Too late
Uncertainty:
• Multiple disjointed steps and product interfaces
• No smooth integrated workflow
• No actual evidence and questions go unanswered
• Time-consuming and costly
Security Analytics – Deliver Integrated IR
Smooth workflow and resolution
Incident Response with Security Analytics (Open Security Analytics API: Ticketing, EDR, SOAR, Sandbox, Firewall, Endpoint, 3rd party, SIEM – integrated alerting and integrated workflow)
1. Alert from SIEM or other tool – pivot into Security Analytics Alerts Dashboard (Open API)
2. Narrowed scope of investigation, eliminating noise – malicious file from sandbox results (customizable reports/dashboard)
3. Determine reputation of file and the site sourcing the file (focused threat intel reports)
4. Trace root cause and produce all associated artifacts – web pages, files, executables, etc. (extractions & Root Cause Explorer)
5. Dive deeper/wider and see related activity (replay traffic, packet analyzer, geolocation, custom reports)
6. With full source/scope, resolve with surgical precision
Issue: Log & Event-based Tools Lack Depth
Unable to quickly investigate and identify source of breach
Basic Packet Capture:
• Difficult to acquire and manage data from multiple sources
• No event reconstruction
• Can’t regenerate human-readable files
• No context of what happened before, during and after alert
• Full packet capture has been costly and reactive – it’s too late
• Simple capture is slow – can’t keep up with 10Gb+ networks
• Difficult to navigate – linear search of TBs of data
• Lacks enrichment using available threat intel
Full Packet Capture = Deep Investigations
24/7 enriched recording of all traffic
Data Capture, Enrichment, Retention (enrichment sources: Global Intelligence Network; PEScanner, jSUNPACK, Geolocation… more; Symantec Content Analysis)
• Ensure you capture the breach before you know you were breached – 24/7 full packet recording
• Indexed and enriched packets improve search performance – massive reputation and threat intel
• Retain what you need for long-term, retrospective analysis – days, weeks, months of metadata and packet retention
• Replay specific traffic to support required workflow – specify timeframe, combine segments, throttle
“Security Analytics gives us the ability to look at historical records… Now we can analyze what happened 15 minutes ago or 15 days ago… what led to a security alert, and what happened.”
Issue: Lack of Evidence Means Uncertainty
Evidence gathering is difficult and time-consuming
• Difficult to visualize actual artifacts – email, texts, HTML pages, PDF or .exe
• Creating a timeline of network and file activity is difficult and time-consuming
• Hard to answer “what happened, how, when, what was impacted?”
• Packet analysis requires special skills – it isn’t intuitive
“Where’s the evidence?”
Paint a Clear Picture of Any Attack
Real Evidence for Laser-focused Response
Evidence Discovery and Delivery
• Deliver human-readable evidence: images, multimedia, Office, PDF, DLL, EXE, HTML, Java, FTP, email and more
• Know where your traffic is coming from – identify traffic and volume on a map, and filter and alert on traffic to suspect countries
• SEE what’s crossing your network – view and analyze all images and audio files
• Save time finding the source – chain together HTTP referrers
“You’ve made many of the more time-consuming tasks as simple as pushing a button.”
Issue: Incident Response Isn’t Proactive
I need to know before negative effects
Kill chain stages: Recon, Weaponization, Delivery, Exploitation, Installation, Command & Control, Exfiltration
• Unknown files are either malicious or safe; sandboxing is manual and often too late to make a ruling
• I don’t know what unique threats are targeting my network
• Without knowing “normal” activity, finding “abnormal” activity and targeted attacks is difficult – too much noise
• I need proactive alerts to stop threats early in the “kill chain”
At the proactive IR maturity level, unknown data (web pages, PDFs, email attachments, etc.) are also automatically investigated.
Proactive Detection and Incident Response
Reduce effort and respond faster
Proactive Incident Response:
• Customize alerts, dashboard and reports to prioritize response
• Leverage anomaly detection: establish a baseline of normal, then observe and identify anomalies
• Automate additional analysis based on indicators – alert, export to PCAP, send to sandbox, etc.
• Use sandboxing to turn “unknown” files into known safe or malicious
100’s of pre-built indicators – customize your own. Know Abnormal … Find Evil
“Organizations need to understand their environment and what constitutes normal and abnormal behavior”
Security Analytics – Architecture
• SA sits passively off the network. In OCI and AWS it uses Ixia CloudLens to duplicate packets and send copies to SA
• Captures all network traffic (packet header/payload)
• Taps GIN and outside threat intelligence to enrich packet data
• Unknown files sent to Content Analysis / 3rd party to sandbox
• Alerts from SA or other tools may trigger an investigation
• Incident response team finds source/scope of attack, resolves
Diagram components: Virtual TAP, SA, CA, GIN + 3rd Party Reputation, SEP/ATP (Execute & Isolate)
Ixia Network Visibility
Intelligent Visibility Everywhere
End-to-End Monitoring Fabric (Data Center/Cloud/Edge)
Use cases: Packet Capture, Threat Intelligence, Data Reconstruction, Compliance, Incident Response
Environments: Data Center, Cloud, Edge, SDN, Industrial
Security Analytics:
• Powerful packet capture, comprehensive forensics recording
• Threat intelligence and data enrichment
• Accelerated incident response, deep investigation
Network Visibility:
• Monitoring fabric for data collection and distribution
• L2/7 filtering, advanced features for optimized consumption
• Real-time network traffic intelligence and insight
Security Monitoring Optimized by Ixia
Offload Advanced Capabilities
Use features simultaneously, without packet loss!
NetStack: 3 Stages of Filtering, Dynamic Filter Compiler, VLAN Tagging, Aggregation, Replication, Load Balancing
PacketStack: Deduplication, Header Stripping, Protocol Trimming, Timestamping, Data Masking, NetFlow, GRE Tunneling, Burst Protection
AppStack: Application Filtering, Optional RegEx Filtering, Geolocation & Tagging, IxFlow, Data Masking+, PCAP, Real-time Dashboard
CloudLens: Data Collection, Auto Scaling, Filtering, Aggregation, Replication
Deploying Security Analytics in the Data Center
Leveraging Ixia Vision ONE Network Packet Brokers and Network Taps
Diagram: a Network Packet Broker feeding SSLv, Security Analytics, an IDS tool and an NPM tool, with encrypted and decrypted paths shown
Improve detection capabilities into hidden threats:
• Ixia collects traffic from multiple network sources, then aggregates and filters to the right monitoring tool
• SSLv decrypts traffic to efficiently speed detection
• Ixia can service chain in-line and out-of-band tools and forwards decrypted traffic to the tools that need to see it
Deploying Security Analytics in the Cloud
Leveraging Ixia CloudLens
Diagram: Security Analytics receiving traffic from Public Cloud and from Private Cloud & Virtual Machines
Detect and respond to threats in public and private cloud environments:
• Install lightweight sensors within the customer’s security constructs, inheriting privacy and compliance
• Intelligent filtering
• Containerized or agent-based options
• Collect any packet from any cloud

Case Studies
Financial Database
Core banking financial database
• Authentication over unencrypted protocols
• “sa” user account used for internal maintenance
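The “establish a baseline, spot anomalies, automate follow-up” workflow from the Proactive Detection slide and the cleartext “sa” logins in this banking case study, as one added Python example that is not Symantec or Ixia code: it assumes a constructed per-flow metadata index of the kind a full-packet-capture system keeps, an assumed set of cleartext-authentication protocols and privileged accounts, and an assumed format for the alert plus scoped PCAP export request.

```python
"""Baseline + indicator detection over indexed flow metadata (added example,
not vendor code; record layout, finding names and export format are assumed)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds (constructed)
    src: str
    dst: str
    dport: int
    app: str         # DPI application label, e.g. "https", "mssql"
    out_bytes: int   # bytes sent from src to dst
    user: str = ""   # account name if the protocol carried it in cleartext

# Assumed indicator sets: protocols that carry credentials without TLS, and
# accounts whose cleartext use is worth an alert even when it is "normal".
CLEARTEXT_AUTH_APPS = {"mssql", "ftp", "telnet", "http-basic"}
PRIVILEGED_ACCOUNTS = {"sa", "root", "administrator"}

def build_baseline(history):
    """Per-source 'normal': peers talked to and outbound byte statistics."""
    per_src = defaultdict(list)
    for f in history:
        per_src[f.src].append(f)
    baseline = {}
    for src, flows in per_src.items():
        sizes = [f.out_bytes for f in flows]
        baseline[src] = {"peers": {(f.dst, f.dport) for f in flows},
                         "mean": mean(sizes), "stdev": pstdev(sizes)}
    return baseline

def evaluate(flow, baseline, z=3.0):
    """Return the findings for one live flow (empty list if nothing fires)."""
    findings = []
    b = baseline.get(flow.src)
    if b is None:
        findings.append("new-source")
    else:
        if (flow.dst, flow.dport) not in b["peers"]:
            findings.append("new-peer")
        # z-score test on outbound volume; skipped when history has no spread
        if b["stdev"] > 0 and flow.out_bytes > b["mean"] + z * b["stdev"]:
            findings.append("volume-anomaly")
    # Indicator check runs even when the flow is normal by baseline, which is
    # the banking case above: routine "sa" logins over an unencrypted protocol.
    if flow.app in CLEARTEXT_AUTH_APPS and flow.user:
        findings.append("cleartext-auth")
        if flow.user.lower() in PRIVILEGED_ACCOUNTS:
            findings.append("privileged-cleartext-auth")
    return findings

def export_request(flow, findings, window=60):
    """Automated follow-up: severity plus a scoped PCAP export request
    (time window around the flow and a capture filter for its endpoints)."""
    if not findings:
        return None
    high = {"volume-anomaly", "privileged-cleartext-auth"}
    return {"severity": "high" if high & set(findings) else "medium",
            "reasons": findings,
            "start": flow.ts - window, "end": flow.ts + window,
            "filter": f"host {flow.src} and host {flow.dst} and tcp port {flow.dport}"}

def run(history, live):
    """Baseline on history, then evaluate each live flow in order."""
    baseline = build_baseline(history)
    return [r for r in (export_request(f, evaluate(f, baseline)) for f in live) if r]

# Constructed sample: normal history for two hosts, then three live flows.
HISTORY = (
    [Flow(1_600_000_000 + i * 3600, "10.0.1.20", "10.0.5.10", 443, "https", n)
     for i, n in enumerate([2100, 2400, 2300, 2600, 2200])]
    + [Flow(1_600_000_000 + i * 3600, "10.0.1.30", "10.0.9.5", 1433, "mssql", n, "sa")
       for i, n in enumerate([5000, 5200])]
)
LIVE = [
    Flow(1_600_600_000, "10.0.1.20", "10.0.5.10", 443, "https", 2500),          # normal
    Flow(1_600_600_300, "10.0.1.20", "203.0.113.7", 443, "https", 90_000_000),  # new peer, big upload
    Flow(1_600_600_600, "10.0.1.30", "10.0.9.5", 1433, "mssql", 5100, "sa"),    # routine, but cleartext sa
]

if __name__ == "__main__":
    for req in run(HISTORY, LIVE):
        print(req)
```

The second live flow fires on baseline deviation alone, while the third is entirely normal by baseline and is caught only by the indicator, which is why the slide pairs the two approaches.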
Government Agency – Asset Server

Payment Card Terminals

Security Analytics Live Demonstration
Symantec Security Analytics
SEE ALL. KNOW MORE. RESPOND FASTER.
THE SECURITY CAMERA & DVR FOR YOUR NETWORK
Turning Complexity into Context
• DPI classification of over 2,800 applications and thousands of meta attributes
• On the wire, real-time visibility and analysis of data exfiltration & infiltration
• Security Context – including reputation, user and social personas, artifacts
• The ‘Black Box’ for incident response, forensics, root cause and impact analysis
• Records, classifies and indexes all packets and flows on high-speed networks
Providing real-time analysis and full visibility of everything going in and out of your network
More on Security Analytics
• Check out Security Analytics: go.symantec.com/security-analytics
• Sample Risk & Visibility Report
• Register for an ATA: go.symantec.com/ata

Questions?
Dennis Carpio, Sr. Director Business Development; Ixia
Karl Vogel, World Wide Solution Architect, Network Forensics & Malware Analysis; Symantec
Thank You!

Symantec Webinar | Security Analytics Breached! Next Generation Network Forensics for the Cloud