Cyber Security - IDS/IPS is not enough


Watch the full OnDemand Webcast: http://bit.ly/CyberSecurityIDSIPS

Network breaches are on the rise. You can find statistics and specific accounts of breaches all over the Web. And those are just the ones companies are willing to talk about.

You have an IDS/IPS in place so you’re protected, right? Not necessarily, since most breaches today are unique, and often employ prolonged, targeted attacks, making them hard to predict and counteract with existing IDS/IPS solutions. Worse, sometimes attacks begin, or are at least facilitated, from within the firewall, whether maliciously or simply due to negligence and inappropriate corporate network usage.

The current environment of profit-driven network attacks requires that you supplement existing IDS/IPS solutions with technology that constantly monitors and records all network traffic, and provides the ability to perform Network Forensics. This way if an attack occurs, and the odds are not in your favor, you can not only characterize the breach, but also assess the damage, ensure no further compromise, and comply with corporate and legal requirements for reporting. Additionally, by employing Network Forensics proactively, you can spot dangerous behavior on your network as it happens, swinging the odds of avoiding an attack back in your favor.

In this web seminar, we will cover:

- Current trends in cyber attacks, including APTs (Advanced Persistent Threats)
- Common characteristics of recent cyber attacks
- Limitations of IDS/IPS solutions
- Using Network Forensics to supplement your defenses

What you will learn:

- Why IDS/IPS solutions fall short
- How to implement a Network Forensics solution
- How to use Network Forensics for both proactive and post-incident security analysis


1. Cyber Security: IDS/IPS Is Not Enough!
   Jay Botelho, Director of Product Management, WildPackets (jbotelho@wildpackets.com)
   Show us your tweets! Use today's webinar hashtag #wp_cybersecurity with any questions, comments, or feedback. Follow me @jaybotelho. Follow us @wildpackets.
   © WildPackets, Inc. www.wildpackets.com

2. Agenda
   - Current Trends in Cyber Security and Attacks
   - Cyber Attacks – Similarities and Differences
   - IDS/IPS Is Not Enough
   - Network Recording – Cyber Attack Insurance Policy
   - Cyber Attack CSI – Network Forensics
   - Company Overview
   - Product Line Overview

3. Current Trends in Cyber Security and Attacks (section title)

4. Key 2011 Cyber Attacks
   - Sony PlayStation Network (April 2011)
     - Account information, passwords and credit card numbers breached for 70M users
     - Direct cost of $170M (Sony)
     - Indirect cost estimated at 10 to 100x
   - The IMF (International Monetary Fund) (June 2011)
     - Hack resulted in the loss of a "large quantity" of data, documents and email
   - Citigroup (June 2011)
     - More than 200,000 customer accounts hacked
     - Poor web application design made it easy
   - Android Apps
     - More than 50% of the third-party apps on Google's official Android Market contained a Trojan called DroidDream, designed to steal personal data

5. "2011 - The Year of the Hack"
   - So named by IT security experts
   - 60% of IT executives fear Advanced Persistent Threat (APT) attacks
   - 28% fear theft and disclosure from insiders
   - 60% use either a written "honor system" security policy or have none at all
   - 51% allow employees to download/install software
   - Companies continue to allow employees to engage in risky behaviors
   Based on Bit9's Third Annual Endpoint Survey of 765 IT executives: http://www.businesswire.com/news/home/20110830006206/en/%E2%80%9CYear-Hack%E2%80%9D-Survey-Reveals-Enterprises-Concerned-%E2%80%9CAdvanced

6. Advanced Persistent Threat: The New Buzzword for 2011/2012
   - A long-term pattern of sophisticated hacking attacks aimed at governments, companies, and political activists
   - Advanced – full spectrum of techniques
     - Not all "advanced" (e.g. malware)
     - Can develop more advanced tools as required
     - Combines multiple targeting methods
     - Focus on operational security not found in less advanced threats
   - Persistent – priority to a specific task
     - Not opportunistically seeking information for financial gain
     - A "low-and-slow" approach is typical
     - Maintain long-term access to the target
   - Threat – capability and intent
     - Executed by coordinated human actions vs. automation
     - Specific objective with skilled, motivated, organized and well-funded entities
7. Multiple Successful Attacks (chart)
   Source for slides 7 to 14: "Perceptions About Network Security", a survey of IT and IT security practitioners in the U.S., Ponemon Institute Research Report, June 2011. 583 US IT practitioners, average experience 9.5 years, 51% in organizations > 5000 employees.

8. Confidence Level for Next 12 Months (chart, same Ponemon survey)

9. Cost For The Past 12 Months (chart, same Ponemon survey)

10. Source of Breaches (chart, same Ponemon survey)

11. Cause of Breach (chart, same Ponemon survey)

12. Severity and Frequency (chart, same Ponemon survey)

13. Types of Attacks (chart, same Ponemon survey)

14. Current Security Measures (chart, same Ponemon survey)
15. Cyber Attacks: Similarities and Differences (section title)

16. Example #1: Heartland Payment Systems
   - SQL injection – entering a set of SQL commands into a text entry field on the website
   - Access then gained to key servers
   - Malware then planted to collect credit and debit card numbers
   - 130M accounts breached
   - Calls into question PCI compliance and monitoring
   - Potential upside – end-to-end security for financial transactions now being more seriously investigated

17. Example #2: Twitter Breach
   - Compromise personal Gmail account of employee
   - Reset Gmail password so user is unaware
   - Leverage personal email account to gain access to corporate email account (hosted by Google)
   - Read email, attachments, etc., finding things like:
     - Sensitive documents
     - Other user names and passwords (or at least clues)
   - Fan out into other services based on acquired info:
     - Cell phone records
     - MobileMe
     - Amazon/iTunes

18. Example #3: MSBlaster Worm
   - Exploits Microsoft Windows RPC vulnerability
     - Microsoft RPC vulnerability using TCP port 135
   - Infected machines will attempt to propagate the worm to additional machines
     - Infected machines will also attempt to launch a Distributed Denial of Service (DDoS) attack against Microsoft on the following schedule:
       - Any day in the months September - December
       - 16th to the 31st day of the months January - August
19. IDS/IPS Is Not Enough (section title)

20. What is IDS and IPS?
   - IDS – Intrusion Detection System
     - Typically passive
     - Detects and alarms on suspected intrusions using signature-based, statistical anomaly-based, and/or stateful protocol analysis detection
     - Has a reputation for false positives
   - IPS – Intrusion Prevention System
     - Either works alongside an IDS, or has embedded IDS capabilities of its own
     - Installed in-line
     - Actively prevents intrusions by dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address

21. Limitations of IDS/IPS
   - No security product is 100%
   - Risk mitigation – what's your risk tolerance?
   - On average 120K malware incidents identified per day by IDS/IPS
   - 5 - 20 new malware strains missed every day
   - Effectiveness vs. ease-of-use
   - Effectiveness vs. cost
   - Highly secure vs. high throughput

22. And What If …
   - Data breaches are occurring from within the organization?
   - A breached mobile device or infected personal laptop brings outside threats inside the network, which goes undetected by most IDS/IPS?
   - Rogue or unauthorized devices try to access the network internally from behind the firewall?

23. IDS/IPS – Key Questions
   - Will you sacrifice security for cost?
   - Where does the IDS/IPS provider get their rule set?
   - How much configuration is required?
   - How often is the rule set updated?
   - How well do they cover malware?
   - How well do they cover mainstream vulnerabilities?
   - How fast do they supply patches to update critical bugs?

24. IDS/IPS Is Not Enough (diagram: IDS/IPS system fed from a switch)
   1. Attack bypasses firewall
   2. Partial attack data processed by the IDS/IPS system
   3. Network engineer gets incomplete data from switch
   Result: incomplete reconstruction deters diagnosis!

25. Changing Methods – Network Recorders (diagram: IDS/IPS system, data recorder and servers behind the firewall)
   1. Attack bypasses firewall
   2. Data recorder records and aggregates data throughout the attack
   3. Event logged, attack partially tracked by IDS
   4. Post-event analysis reveals attacker, method, damage!
26. Network Recording: Cyber Attack Insurance Policy (section title)

27. Network Recording
   - Requires the lossless capture and storage of extremely large data volumes
   - Focus on Enterprise vs. Lawful Intercept
     - Concerned with the process of reconstructing a network event
       - Intrusion such as a "hack" or other penetration
       - Network or infrastructure outage
     - Provides a recording of the actual incident
   - Based on live IP packet data captures
     - A new way of looking at trace file analysis
     - Continues from where traditional network troubleshooting ends

28. Connectivity for Network Recording (diagram)

29. Network Data Storage at 10G
   - 1 Gbps steady-state traffic, assuming no storage overhead: 7.68 GB/min, 460 GB/hr, 11 TB/day; 2.9 days in a 32 TB appliance
   - 10 Gbps: 76.8 GB/min, 4.6 TB/hr, 110 TB/day; 7.0 hours in a 32 TB appliance
30. Cyber Attack CSI: Network Forensics (section title)

31. Key Questions
   1. Who was the intruder?
   2. How did the intruder penetrate security?
   3. What damage has been done?
   4. Did the intruder leave anything behind?
   5. Did we capture sufficient information to effectively analyze and reproduce the attack?

32. MSBlaster Worm Example (screenshot walkthrough, slides 32 to 38)

33. Server Connects to the Target Workstation (screenshot): TCP 3-way handshake on port 4444 (NV Video default)

34. MSBlaster Worm Download (screenshot): server infects the workstation with the MSBlaster worm via TFTP download

35. MSBlaster Worm – Visual Reconstruction (screenshot)

36. MSBlaster Worm Execute Command (screenshot): activation command for the Blaster worm payload; 141.157.228.12 sends the execute command to 10.1.1.31

37. Infected Workstation Now Attacks Others (screenshot): 10.1.1.31 now scans for other nodes on the 180.191.253.XXX range

38. Example #1: MSBlaster Worm – Target Ports, Execute Command (screenshot): a filter identifies devices infected with the MSBlaster worm
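The slides show the infection chain as a series of screenshots and say a filter can pick out infected devices. The correlation below is an added example, not WildPackets' code or the filter on the slide: it runs over flow records and flags a host only when the whole sequence from slides 33 to 37 appears with one peer (inbound TCP/135, inbound TCP/4444, outbound TFTP fetch), then separately flags hosts that begin scanning TCP/135. The record layout and sample flows are constructed; the addresses are those on the slides.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    t: int       # seconds since capture start (constructed)
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

def parse_flows(text):
    """Parse 'time proto src sport dst dport' lines (assumed layout)."""
    flows = []
    for line in text.strip().splitlines():
        t, proto, src, sport, dst, dport = line.split()[:6]
        flows.append(Flow(int(t), proto, src, int(sport), dst, int(dport)))
    return flows

def find_blaster_infections(flows, window=300):
    """Return {victim: peer} for hosts showing the slides' chain with one peer:
    inbound TCP/135 (RPC exploit), inbound TCP/4444 (command channel), then an
    outbound UDP/69 (TFTP) fetch back to that peer, in order, within `window` s."""
    stages = defaultdict(dict)  # (victim, peer) -> {stage: first time seen}
    for f in flows:
        if f.proto == "tcp" and f.dport == 135:
            stages[(f.dst, f.src)].setdefault("rpc", f.t)
        elif f.proto == "tcp" and f.dport == 4444:
            stages[(f.dst, f.src)].setdefault("shell", f.t)
        elif f.proto == "udp" and f.dport == 69:
            stages[(f.src, f.dst)].setdefault("tftp", f.t)
    infected = {}
    for (victim, peer), seen in stages.items():
        if all(k in seen for k in ("rpc", "shell", "tftp")):
            order = [seen["rpc"], seen["shell"], seen["tftp"]]
            # A lone 4444 session (the port is also NV Video's default) never completes the chain.
            if order == sorted(order) and order[-1] - order[0] <= window:
                infected[victim] = peer
    return infected

def find_scanners(flows, threshold=10):
    """Hosts opening TCP/135 to at least `threshold` distinct destinations: the
    propagation phase, where a fresh victim starts hunting for new targets."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == 135:
            targets[f.src].add(f.dst)
    return {host for host, dsts in targets.items() if len(dsts) >= threshold}

# Constructed sample flows: the slides' attacker 141.157.228.12, victim 10.1.1.31
# and the 180.191.253.x range it scans afterwards, plus two benign hosts whose
# isolated 135 and 4444 connections must not raise an alert.
SAMPLE_FLOWS = "\n".join(
    [
        "10 tcp 141.157.228.12 3001 10.1.1.31 135",   # RPC exploit attempt
        "12 tcp 141.157.228.12 3002 10.1.1.31 4444",  # attacker opens the shell port
        "15 udp 10.1.1.31 1035 141.157.228.12 69",    # victim pulls the worm via TFTP
        "40 tcp 10.1.1.9 2200 10.1.1.50 135",         # ordinary RPC traffic
        "41 tcp 10.1.1.50 2201 10.1.1.9 4444",        # lone 4444 session, no chain
    ]
    + [f"{60 + i} tcp 10.1.1.31 {1040 + i} 180.191.253.{i + 1} 135" for i in range(12)]
)
```

Tune `window` and `threshold` to the recorder's retention and the size of the monitored segment; the chain check is what keeps a single port-4444 application session from being mistaken for an infection.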
39. What Can You Do?
   - Processes, processes, processes
   - Implement a network recording/network forensics solution
   - Establish clear baselines so changes are easy to detect
   - Employ solutions that continuously monitor packet-level security heuristics
   - Actively search for minor policy violations that could be indicators of bigger problems

40. Company Overview (section title)

41. Corporate Background
   - Experts in network monitoring, analysis, and troubleshooting
     - Founded: 1990 / Headquarters: Walnut Creek, CA
     - Offices throughout the US, EMEA, and APAC
   - Our customers are leading-edge organizations
     - Mid-market and enterprise lines of business
     - Financial, manufacturing, ISPs, major federal agencies, state and local governments, and universities
     - Over 7,000 customers / 60+ countries / 80% of Fortune 1,000
   - Award-winning solutions that improve network performance
     - Internet Telephony, Network Magazine, Network Computing awards
     - United States Patent 5,787,253 issued July 28, 1998
       - Different approach to maintaining availability of network services

42. Real-World Deployments (customer logos): Education, Financial, Government, Health Care / Retail, Telecom, Technology

43. Product Line Overview (section title)

44. Product Line Overview
   - OmniPeek/Compass – Enterprise Packet Capture, Decode and Analysis
     - 10/100/1000 Ethernet, Wireless, WAN, 10G
     - Portable capture and OmniEngine console
     - VoIP analysis and call playback
   - Omnipliance / TimeLine – Distributed Enterprise Network Forensics
     - Packet capture and real-time analysis
     - Stream-to-disk for forensics analysis
     - Integrated OmniAdapter network analysis cards
   - WatchPoint – Centralized Enterprise Network Monitoring Appliance
     - Aggregation and graphical display of network data
     - WildPackets OmniEngines
     - NetFlow and sFlow

45. OmniPeek Network Analyzer
   - OmniEngine Manager – connect and configure distributed OmniEngines/Omnipliances
   - Comprehensive dashboards present network traffic in real time
     - Vital statistics and graphs display trends on network and application performance
     - Visual peer-map shows conversations and protocols
     - Intuitive drill-down for root-cause analysis of performance bottlenecks
   - Visual Expert diagnosis speeds problem resolution
     - Packet and Payload visualizers provide business-centric views
   - Automated analytics and problem detection 24/7
     - Easily create filters, triggers, scripting, advanced alarms and alerts

46. Omnipliance Network Recorders
   - Captures and analyzes all network traffic 24x7
     - Runs our OmniEngine software probe
     - Generates vital statistics on network and application performance
     - Intuitive root-cause analysis of performance bottlenecks
   - Expert analysis speeds problem resolution
     - Fault analysis, statistical analysis, and independent notification
   - Multiple Issue Digital Forensics
     - Real-time and post-capture data mining for compliance and troubleshooting
   - Intelligent data transport
     - Network data analyzed locally
     - Detailed analysis passed to OmniPeek on demand
     - Summary statistics sent to WatchPoint for long-term trending and reporting
     - Efficient use of network bandwidth
   - User-Extensible Platform
     - Plug-in architecture and SDK

47. Omnipliance Network Recorders: Price/performance solutions for every application
   - Portable – Ruggedized, Troubleshooting
     - Aluminum chassis / 17" LCD
     - Quad-Core Xeon 2.5GHz
     - 4GB RAM
     - 2 PCI-E slots
     - 2 built-in Ethernet ports
     - 500GB and 2.5TB SATA storage capacity
   - Edge – Small Networks, Remote Offices
     - 1U rack mountable chassis
     - Quad-Core Intel Xeon X3460 2.80GHz
     - 4GB RAM
     - 2 PCI-E slots
     - 2 built-in Ethernet ports
     - 1TB SATA storage capacity
   - Core – Datacenter Workhorse, Easily Expandable
     - 3U rack mountable chassis
     - Two Quad-Core Intel Xeon E5530 2.4GHz
     - 6GB RAM
     - 4 PCI-E slots
     - 2 built-in Ethernet ports
     - 2TB SATA storage capacity

48. TimeLine
   - Fastest network recording and real-time statistical display, simultaneously
     - 11.7Gbps sustained capture with zero packet loss
     - Network statistics display in TimeLine visualization format
   - Rapid, intuitive forensics search and retrieval
     - Historical network traffic analysis and quick data rewinding
     - Several pre-defined forensics search templates making searches easy and fast
   - A natural extension to the WildPackets product line
   - Turnkey bundled solution
     - Appliance + OmniEngine, OmniAdapter, OmniPeek Connect

49. TimeLine: For the most demanding network analysis tasks
   - TimeLine 10g Network Forensics
     - 3U rack mountable chassis
     - Two Quad-Core Intel Xeon 5560 2.8GHz
     - 18GB RAM
     - 4 PCI-E slots
     - 2 built-in Ethernet ports
     - 8/16/32TB SATA storage capacity

50. WatchPoint: Centralized Monitoring for Distributed Enterprise Networks
   - High-level, aggregated view of all network segments
     - Monitor per campus, per region, per country
   - Wide range of network data
     - NetFlow, sFlow, OmniFlow
   - Web-based, customizable network dashboards
   - Flexible detailed reports
   - Omnipliances must be configured for continuous capture

51. WildPackets Key Differentiators
   - Visual Expert Intelligence with Intuitive Drill-down
     - Let the computer do the hard work and return results in real time
     - Packet / Payload Visualizers are faster than packet-per-packet diagnostics
     - Experts and analytics can be memorized and automated
   - Automated Capture Analytics
     - Filters, triggers, scripting and an advanced alarming system combine to provide automated network problem detection 24x7
   - Multiple Issue Network Forensics
     - Can be tracked by one or more people simultaneously
     - Real-time or post capture
   - User-Extensible Platform
     - Plug-in architecture and SDK
   - Aggregated Network Views and Reporting
     - NetFlow, sFlow, and OmniFlow

52. Q&A
   Show us your tweets! Use today's webinar hashtag #wp_cybersecurity with any questions, comments, or feedback. Follow us @wildpackets. Follow us on SlideShare and check out today's slides at www.slideshare.net/wildpackets.

53. Thank You!
   WildPackets, Inc., 1340 Treat Boulevard, Suite 500, Walnut Creek, CA 94597, (925) 937-3200
