The Importance of Packets in Security Forensics
Scott Hamilton
Sr. Sales Engineer
March 2017
© 2015 Viavi Solutions, Inc. | Viavi Confidential and Proprietary Information 2
Today’s Speaker
Scott Hamilton, Sr. Sales Engineer, Viavi Solutions
SE at Viavi Solutions for 4 years.
Experience across 100s of organizations in both pre- and post-sale engagements
Approaches solutions with both technical and business value considerations
With more than 20 years troubleshooting network and application issues, he has many war stories and lessons learned to share with others.
Network Security Forensics
Packets don’t lie.
Why Enterprise is Concerned about Security
Today - Cybercrimes will cost the global economy $445 billion this year (CNBC 2016)
Cyberattacks take up to 256 days to identify & cost companies $3.8 million per attack (Ponemon Institute, May 2015)
IT threats continue to escalate in frequency, type and malice
• Security perimeter breaches must be assumed a given
• Inside jobs are also on the rise
• Security teams understaffed and overwhelmed
Negative financial stakeholder implications
• Breaches can lead to lost revenue and a tarnished brand
Security Drives Enterprise IT Spending
• #1 spending priority for CIOs for two years (Piper Jaffray 2017 CIO Survey)
• Gartner forecasts security spending growth from $84.9B in 2016 to $114.8B in 2020
• Regional CAGR of 8.6% (N. America), 8.3% (MidEast), & 6.2% (Europe)
Stats Behind the Spending
• Average total cost of data breach grew from $6.53M to $7M over the last year (IBM 2016 Cost of Data Breach Study)
• Attackers present on average for 146 days on victim business network before being discovered (Mandiant Feb 2016)
• Global annual cybercrime costs grow from $3 trillion in 2015 to $6 trillion by 2021 (Cybersecurity Ventures 2016)
IT Security Spending Trends (chart, SANS Institute Feb 2016)
Network & Security Team Coordination
• 85% of enterprise network teams assist in security investigations**
• 51% of enterprises use packet data in security investigations today, and another 30% would like to do so*
Network Team Security Roles** (chart)
*Packet-Based Security Forensics, EMA, November 2016
**State of the Network 2015
Security Operations Needs to Leverage Insight Into the Packet
When a breach occurs, an IT organization must be prepared to deliver quick answers to some of these questions:
• What was compromised, and what data was exposed?
• Who was responsible for the vulnerability?
• Who was responsible for the attack itself?
• Has the breach been resolved?
• Can the resolution be validated?
APM Security Forensics: The Backstop to Your Security Efforts
• The right Application Performance Management (APM) solution can help IT operations deliver superior performance for users. When incorporated into your IT security initiatives, deep packet inspection can strengthen your existing antivirus software, Intrusion Detection System (IDS), and Data Loss Prevention (DLP) solutions.
Security Challenges – The Network Team
• Viavi Solutions State of the Network highlights:
• 85% are involved with security investigations
• Engaged in multiple facets of security
• 65% implementing preventative measures
• 58% investigating attacks
• 50% validating security tool configurations
• 50% indicated correlating security issues with network performance to be their top challenge
• 44% cited the inability to replay anomalous security issues
• Hacking and malware cause nearly 1/3 of all data loss events*
* VERIS Community Database
Solution: Benefits (IT Execs)
• Maximize IT resources and personnel by facilitating network team cooperation with security on investigations and clean up
• “Two-for-one” deal (NPMD + security) maximizes IT spend
• Confirm every aspect of the attack and identify what assets have been compromised
• More effectively spend security dollars by understanding what attacks are getting through
Packet-Based Security Forensics: A Next-Generation Approach to Attack Remediation
• Gain full attack context to confirm attack path and identify compromised assets
• Quickly investigate and isolate attacks with post-event filtering and expert analysis
• Gain advance notice of potential attacks via alarming
• Validate security tool effectiveness: what attacks have gotten through?
• Integrate traffic access into existing security workflows with REST APIs
Packet-Based Security Forensics (cont’d): A Next-Generation Approach to Attack Remediation
• Where did the attack come from
• What users (if any) were involved
• Which internal assets communicated with the malicious activity
• What data was accessed in the attack
• Whether (and how) the attack spread laterally through the network
Vital NPMD Security Features
• High-speed (10 Gb and 40 Gb) data center traffic capture
• Expert analytics of network activity
• Filtering using Snort or custom user defined rules
• Event replay and session reconstruction
• Capacity to store up to petabytes of traffic data for post-event analysis
Network Security Forensics: Five Steps to Threat Resolution
# 1 – Capture Everything on Your Network
Monitor from the core to the edge
Never miss a single packet
# 2 – Detect / Alert on Suspicious / Anomalous Behavior
# 3 – Turn Back the Clock
Using back-in-time functionality
Start the investigation at the time of the possible incident
# 4 – Identify Security Threats
Perform packet pre-processing to eliminate common obfuscation techniques
# 4 – Identify Security Threats
Then apply advanced Analyzer filtering for zero-day events or Snort rules for known threats
# 4 – Identify Security Threats
The result: a comprehensive identification of detected threats within the time window specified
# 5 – View Illicit Behavior In/Out of the Network
Rebuild conversations to witness the event unfold just like sports “instant replay”
# 5 – View Illicit Behavior In/Out of the Network
…even if encrypted when the private key is available
# 5 – View Illicit Behavior In/Out of the Network
Reconstruct HTTP streams to see exactly what was requested and received…
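The following is an added example, not code from this deck or from any Viavi product. It walks steps 3, 4 and 5 above over a handful of constructed packet records: a time-window filter ("turn back the clock"), a minimal Snort-style content match that first percent-decodes and lower-cases the payload (the "pre-processing to eliminate common obfuscation" of step 4), and a TCP reassembly that rebuilds each direction of the matching HTTP conversation while tolerating retransmitted and out-of-order segments. The addresses, payloads, timestamps and the signature `export.php` are all made up for the example.

```python
# Added example (not from the deck or any Viavi product): steps 3-5 of the
# workflow above on constructed packet records. The time window, the
# addresses, the payloads and the content signature are all made up.
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Packet:
    ts: float        # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


def in_window(packets: Iterable[Packet], start: float, end: float) -> list:
    """Step 3: 'turn back the clock' - keep only packets inside the incident window."""
    return [p for p in packets if start <= p.ts <= end]


def match_content(packets: Iterable[Packet], pattern: bytes,
                  normalize: bool = True) -> list:
    """Step 4: a minimal Snort-style 'content' match over TCP payloads.
    With normalize=True the payload is percent-decoded and lower-cased first,
    which defeats the simplest URL-encoding and case obfuscation."""
    needle = pattern.lower() if normalize else pattern
    hits = []
    for p in packets:
        hay = unquote_to_bytes(p.payload).lower() if normalize else p.payload
        if needle in hay:
            hits.append(p)
    return hits


def reassemble(packets: Iterable[Packet], src: str, dst: str,
               sport: int, dport: int) -> tuple:
    """Step 5: rebuild one direction of a TCP conversation by sequence number.
    Duplicates and retransmissions are dropped, out-of-order segments are put
    back in place, and any missing range is recorded as a gap (filled with
    NUL bytes) instead of being silently skipped."""
    segs = sorted({(p.seq, p.payload) for p in packets
                   if (p.src, p.dst, p.sport, p.dport) == (src, dst, sport, dport)})
    data, gaps = b"", []
    expected = segs[0][0] if segs else 0
    for seq, payload in segs:
        end = seq + len(payload)
        if end <= expected:
            continue                              # pure retransmission
        if seq > expected:
            gaps.append(expected)                 # hole in the capture
            data += b"\x00" * (seq - expected)
        elif seq < expected:
            payload = payload[expected - seq:]    # overlapping retransmit
        data += payload
        expected = end
    return data, gaps


def investigate(packets, start, end, pattern):
    """Run steps 3-5 together: filter by time, match the rule, then
    reconstruct both directions of every conversation that matched."""
    window = in_window(packets, start, end)
    hits = match_content(window, pattern)
    streams = {}
    for p in hits:
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)
        for key in (fwd, rev):
            if key not in streams:
                streams[key] = reassemble(window, *key)
    return hits, streams


# Constructed sample capture: one HTTP request/response pair, with a
# retransmitted and an out-of-order segment, plus an unrelated earlier packet.
CLIENT, SERVER = "10.0.0.5", "203.0.113.7"
REQ1 = b"GET /admin/%65xport.php?file=customers.csv HTTP/1.1\r\n"   # '%65' is 'e'
REQ2 = b"Host: intranet.example\r\nUser-Agent: curl/7.0\r\n\r\n"
RESP1 = b"HTTP/1.1 200 OK\r\nContent-Type: text/csv\r\n\r\n"
RESP2 = b"id,name,card_last4\r\n1,Alice,4242\r\n"
SAMPLE = [
    Packet(90.0, CLIENT, SERVER, 50999, 80, 1, b"GET / HTTP/1.1\r\n\r\n"),   # before window
    Packet(100.0, CLIENT, SERVER, 51000, 80, 1000, REQ1),
    Packet(100.1, CLIENT, SERVER, 51000, 80, 1000 + len(REQ1), REQ2),
    Packet(100.1, CLIENT, SERVER, 51000, 80, 1000, REQ1),                    # retransmission
    Packet(100.3, SERVER, CLIENT, 80, 51000, 7000 + len(RESP1), RESP2),      # out of order
    Packet(100.2, SERVER, CLIENT, 80, 51000, 7000, RESP1),
]

if __name__ == "__main__":
    hits, streams = investigate(SAMPLE, 100.0, 101.0, b"export.php")
    print(f"{len(hits)} matching packet(s)")
    for key, (data, gaps) in streams.items():
        print(key, "gaps:", gaps)
        print(data.decode("latin-1"))
```

Run without arguments and the script prints the reconstructed request and the CSV response exactly as the two endpoints saw them, which is the "instant replay" the slides describe. Two points worth keeping in mind when doing this on real captures: the signature only fires because the percent-encoded URL was normalized first, so a matcher that skips that step misses the same request; and the decryption the next slide mentions applies to sessions negotiated with RSA key exchange, where the server's private key recovers the session key, whereas forward-secret cipher suites (ECDHE) need a session-key log or a TLS-terminating proxy instead.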
Case Study: Financial Service Company
Network group reports attack
Intel and IDS/IPS groups begin investigation
Packet captures are evaluated for patterns
Attackers are identified from TCP payload data
Network Security Forensics in Practice
What began as three benign-sounding user complaints regarding slow network and application response time quickly escalated into a potentially serious threat to security. The network engineer used a specialized probe appliance to perform deep-packet forensic analysis of traffic generated by one of the user’s workstations. She discovered it was sending a packet to every device on the network; each of these destinations responded in a similar fashion. This activity quickly saturated the network.
Desktop support and the security team were notified because an ongoing attack compromising nearly 100 users’ machines appeared to be underway.
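The pattern in this case study, one workstation contacting every device on the segment and every device answering, can be picked out of flow or packet metadata before anyone complains about slowness. The script below is an added example, not code from the deck or from any Viavi product; it runs a sliding-window "distinct destinations per source" check and a reply-ratio check over constructed flow records (timestamp, source, destination, bytes). The addresses, timings and the threshold of 25 destinations in 10 seconds are made up; a real deployment would tune the threshold per segment.

```python
# Added example (not from the deck or any Viavi product): a fan-out check of
# the kind the case study describes, run over constructed flow records. The
# addresses, timestamps and thresholds are made up.
from collections import Counter, defaultdict


def fanout_alerts(flows, window_s=10.0, min_unique_dst=25):
    """Flag any source that talks to at least min_unique_dst distinct
    destinations inside a sliding window of window_s seconds.
    flows: iterable of (ts, src, dst, nbytes). Returns [(src, peak_unique)]."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in sorted(flows):
        by_src[src].append((ts, dst))
    alerts = []
    for src, events in by_src.items():
        counts, peak, left = Counter(), 0, 0
        for ts, dst in events:
            counts[dst] += 1
            while events[left][0] < ts - window_s:     # expire old events
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            peak = max(peak, len(counts))
        if peak >= min_unique_dst:
            alerts.append((src, peak))
    return alerts


def reply_ratio(flows, src):
    """Fraction of the hosts src contacted that sent traffic back to it. The
    case study's 'each destination responded in a similar fashion' shows up
    as a ratio near 1.0; a scan of mostly unused addresses sits near 0.0."""
    sent = {dst for _, s, dst, _ in flows if s == src}
    replied = {s for _, s, dst, _ in flows if dst == src and s in sent}
    return len(replied) / len(sent) if sent else 0.0


# Constructed flows: one workstation probes 60 peers in three seconds and every
# peer answers; an ordinary host talks to three servers; nothing else.
WORKSTATION = "10.1.2.50"
FLOWS = []
for i in range(60):
    peer = f"10.1.2.{100 + i}"
    t = 1000.0 + i * 0.05
    FLOWS.append((t, WORKSTATION, peer, 64))         # probe
    FLOWS.append((t + 0.01, peer, WORKSTATION, 64))  # reply
for server in ("10.1.9.1", "10.1.9.2", "10.1.9.3"):
    FLOWS.append((1001.0, "10.1.2.7", server, 1500))

if __name__ == "__main__":
    for src, peak in fanout_alerts(FLOWS):
        print(f"{src}: {peak} distinct destinations in a 10 s window, "
              f"reply ratio {reply_ratio(FLOWS, src):.2f}")
```

The two checks are deliberately separate: a high fan-out with a low reply ratio looks like a scan of a sparsely populated range, while a high fan-out with a reply ratio near 1.0 is the saturating echo pattern the engineer found here, and either one is a reason to pull the full packets for that workstation and time window.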
Key Takeaways - Network Security Forensics
• Understanding of:
• Network
• Application
• Traffic Patterns
• Organizations need a retrospective, network-centric method to
backstop other security measures and identify and clean compromised
IT assets
• Firewalls, anti-virus software, IDS and DLP systems are necessary but
no longer sufficient to achieve the most robust protection or generate
the paper trail for complete resolution and documentation of breaches.
• Packet-based network monitoring solutions, which evolved from
performance monitoring and troubleshooting tools for network
operations, are ideal for forensic analysis of security incidents. As a
result, both network operations and security operations are finding
value in sharing access to these tools.
The Best Source of Evidence
• Packets don’t lie
• Answers questions of:
• Who did it?
• What was it?
• What happened?
• How did it impact?
• How did it happen?
• Reconstruct exactly what happened