security-Milan-presentation 2017

Page 1: security-Milan-presentation 2017

Javier Nieto León
Area Sales Manager

Is attacker hidden in your Network?

Sicurezza ICT Milano, 1st February 2017

Page 2: security-Milan-presentation 2017

Who We are

International vendor devoted to innovative network traffic, performance & security monitoring

600+ customers in 30+ countries

Strong R&D background

First 100G probes in the world

100 % channel oriented

Page 3: security-Milan-presentation 2017

Achievements

The only vendor recognized in both NetFlow related Gartner reports – network visibility & security

Alliance partner of the premium technology vendors

Page 4: security-Milan-presentation 2017

Agenda

Network Visibility

IT Operations
• Network Performance Monitoring and Diagnostics (NPMD)
• Application Performance Monitoring (APM)

Security
• Network Behavioral Analysis (NBA)
• DDoS Detection & Mitigation (DDoS)

Page 5: security-Milan-presentation 2017

So how do we secure our networks?

Page 6: security-Milan-presentation 2017

Perimeter Security

DMZ / VPN / LAN

Firewall

IDS/IPS

UTM

Application firewall

Web filter

E-mail security

SSH Access

Page 7: security-Milan-presentation 2017

DMZ / VPN / LAN

Antivirus

Personal Firewall

Antimalware

Endpoint DLP

Antirootkit

Page 8: security-Milan-presentation 2017

That is not enough anymore!

Page 9: security-Milan-presentation 2017

LAN Visibility and Security

DMZ VPN

LAN

Page 10: security-Milan-presentation 2017

Network Visibility & Security

Why? What to use it for?

How can you effectively protect and manage something if you have no visibility into it?

Page 11: security-Milan-presentation 2017

Network Security Monitoring

“… of security budget is focused on the network perimeter, although only 25 % of the attacks are focused on that point in the network.” – Gary Newe, F5’s director of systems engineering

Page 12: security-Milan-presentation 2017

Security Model

Prevention

Detection

Response

Page 13: security-Milan-presentation 2017

What if…

…the malware really works?

• from the user's perspective everything is OK
• the malware has access to the whole traffic
• the malware has access to login info and passwords

…IT is not monitoring the traffic?

• the problem would take several hours, days or weeks to solve instead of 15 minutes
• if the malware works, they would not even know…

Page 14: security-Milan-presentation 2017

NBA Recommendation

Neil MacDonald, VP Distinguished Analyst, Gartner Security & Risk Management Summit

• Detection and response are more important than blocking and prevention.

• Monitoring and analysis should be at the core of all next-generation security platforms.

Page 15: security-Milan-presentation 2017

Network Behavioral Analysis (NBA)

Page 16: security-Milan-presentation 2017

Anomaly Detection

Behavior based Anomaly Detection (NBA) bridges the gap left by endpoint and perimeter security tools

How to choose the right detection tool?

Common tools use statistical methods to detect traffic spikes and deviations

Specialized tools analyze each flow and go beyond the traditional statistical algorithms

Page 17: security-Milan-presentation 2017

NBA Detection Principles

Machine Learning

Adaptive Baselining

Heuristic Approach

Network Knowledge

Reputation Databases

Page 18: security-Milan-presentation 2017

SIEM Integration

• Event exporting (syslog based)
• Links Flowmon <-> Log Management
• Special vendor relationships: IBM QRadar (whitepaper, integration SW package), ArcSight native support through CEF

Network Traffic Monitoring -> (NetFlow / IPFIX) -> Flowmon Collector & ADS: Collection and Behavior Analysis -> (Syslog / SNMP) -> SIEM system: Event Collection and Correlation

Page 19: security-Milan-presentation 2017

Examples from real life: Security Incident

Page 20: security-Milan-presentation 2017

Traffic overview, anomalies detected

Page 21: security-Milan-presentation 2017

The attacker is looking for potential victims

and starts an SSH attack

that turns out to be successful

Page 22: security-Milan-presentation 2017

A few minutes after that, the breached device starts to communicate with a botnet C&C

Page 23: security-Milan-presentation 2017

Botnet identification using Flowmon Threat Intelligence

Page 24: security-Milan-presentation 2017

© Flowmon Networks 2016

Gartner Styles Against APTs

Flow monitoring including L7 (Network Behavior Analysis)

Full packet capture (triggered by detection)

Page 25: security-Milan-presentation 2017

Full packet capture and packet trace (PCAP file)

Page 26: security-Milan-presentation 2017

A few more examples

Page 27: security-Milan-presentation 2017

Ransomware Locky

1. Copying a file from the shared filesystem onto a compromised device
2. The original file is deleted from the shared filesystem
3. Upload of the encrypted file back to the shared filesystem

Page 28: security-Milan-presentation 2017

DDoS from BotNet

Real case from a Financial Institution

Stations from the local network under the control of an attacker

Detected as an outgoing DDoS attack

Page 29: security-Milan-presentation 2017

Data Transfer from Employee

Real case from a Sales organization

Saving internal files to a shared Yahoo disk

Detected as a data transfer from the LAN to the Internet

Serious incident after investigation

Page 30: security-Milan-presentation 2017

Customer Feedback

“We improved the opportunity to face today's and future cyber threats efficiently”, Martin Gonda, head of telecommunications at Thomayer Hospital

“We increased the safety of our environment and react faster to unexpected operational incidents”, Peter Skorvanek, Network Administrator at Kia Motors Slovakia

“We chose Flowmon among a dozen different solutions, due to its performance, anomaly detection capabilities”, Wayne Routly, Head of Infrastructure Security at GÉANT UK

“ADS is used to quickly detect sources of security incidents and to increase protection of our customers”, Robert Grabowski, Security Expert at Orange Polska

Page 31: security-Milan-presentation 2017

Protection against DDoS attacks

Page 32: security-Milan-presentation 2017

DDoS Attacks on the Rise

• Trend that we can observe in all reports of the major players in the security market
• Average cost of one minute of downtime is $22,000
• Average downtime is 54 minutes per attack

Page 33: security-Milan-presentation 2017

Some of our customers

NBIP is a renowned nonprofit Internet Service Provider (ISP) alliance in the Netherlands. Their project NaWas is the biggest scrubbing capacity in Europe, configurable to mitigate attacks up to 900 Gbps in volume. It is a multi-vendor scrubbing center where the Flowmon solution ensures the analytics part of DDoS mitigation.

ČD - Telematika is a prominent provider of wholesale internet, data and voice services, and a leading supplier of fibre-optic infrastructure management, maintenance and construction services. Their CDT-ANTIDDOS service, an on-demand scrubbing service for their customers, is orchestrated by Flowmon.

Page 34: security-Milan-presentation 2017

Customer Landscape

ISP/Telco

“Ensuring of IT security is now easier and more affordable for our customers.” Jiri Sedlák, Security Director at O2 IT Services

Enterprise

"We can identify the causes of network issues easier than ever before." Masahiro Sato, Operations Network Engineer at SEGA

SMB

Retail, online, cities, manufacturers, utilities, healthcare and universities

Page 35: security-Milan-presentation 2017

Flowmon Proposition

Network Visibility

IT Operations
• Network Performance Monitoring and Diagnostics (NPMD)
• Application Performance Monitoring (APM)

Security
• Network Behavioral Analysis (NBA)
• DDoS Detection & Mitigation (DDoS)

Page 36: security-Milan-presentation 2017

Summary: Security Model

Prevention

Detection

Response

Page 37: security-Milan-presentation 2017

Live DEMO? ...at our booth

Page 38: security-Milan-presentation 2017

Tomáš Šárocký

...because Network Behavior Analysis matters

[email protected]

Javier Nieto León | E: [email protected] | Flowmon Networks a.s.

www.flowmon.com