The Importance of Packets in Security Forensics Scott Hamilton Sr. Sales Engineer March 2017


Page 1

The Importance of Packets in Security Forensics

Scott Hamilton, Sr. Sales Engineer

March 2017

Page 2

© 2015 Viavi Solutions, Inc. | Viavi Confidential and Proprietary Information 2

Today's Speaker

Scott Hamilton, Sr. Sales Engineer, Viavi Solutions

SE at Viavi Solutions for 4 years. Experience across hundreds of organizations in both pre- and post-sale engagements. Approaches solutions with both technical and business value considerations. With more than 20 years troubleshooting network and application issues, he has many war stories and lessons learned to share with others.

Page 3

Network Security Forensics

Packets don't lie.

Page 4

Why Enterprise is Concerned about Security

Today: cybercrime will cost the global economy $445 billion this year (CNBC 2016)

Cyberattacks take up to 256 days to identify and cost companies $3.8 million per attack (Ponemon Institute, May 2015)

IT threats continue to escalate in frequency, type and malice
• Security perimeter breaches must be assumed a given
• Inside jobs are also on the rise
• Security teams are under-staffed and overwhelmed

Negative financial stakeholder implications
• Breaches can lead to lost revenue and a tarnished brand

Page 5

Security Drives Enterprise IT Spending

• #1 spending priority for CIOs for two years (Piper Jaffray 2017 CIO Survey)
• Gartner forecasts security spending growth from $84.9B in 2016 to $114.8B in 2020
• Regional CAGR of 8.6% (N. America), 8.3% (Middle East) and 6.2% (Europe)

Page 6

Stats Behind the Spending

• Average total cost of a data breach grew from $6.53M to $7M over the last year (IBM 2016 Cost of Data Breach Study)
• Attackers are present on average for 146 days on the victim's business network before being discovered (Mandiant, Feb 2016)
• Global annual cybercrime costs grow from $3 trillion in 2015 to $6 trillion by 2021 (Cybersecurity Ventures 2016)

Chart: IT Security Spending Trends (SANS Institute, Feb 2016)

Page 7

Network & Security Team Coordination

• 85% of enterprise network teams assist in security investigations**
• 51% of enterprises use packet data in security investigations today, and another 30% would like to do so*

Chart: Network Team Security Roles**

* Packet-Based Security Forensics, EMA, November 2016
** State of the Network 2015

Page 8

Security Operations Needs to Leverage Insight Into the Packet

When a breach occurs, an IT organization must be prepared to deliver quick answers to questions such as:
• What was compromised, and what data was exposed?
• Who was responsible for the vulnerability?
• Who was responsible for the attack itself?
• Has the breach been resolved?
• Can the resolution be validated?

Page 9

APM Security Forensics: The Backstop to Your Security Efforts

• The right Application Performance Management (APM) solution can help IT operations deliver superior performance for users. When incorporated into your IT security initiatives, deep packet inspection can strengthen your existing antivirus software, Intrusion Detection System (IDS) and Data Loss Prevention (DLP) solutions.

Page 10

Security Challenges – The Network Team

• Viavi Solutions State of the Network highlights:
  • 85% are involved with security investigations
  • Engaged in multiple facets of security:
    • 65% implementing preventative measures
    • 58% investigating attacks
    • 50% validating security tool configurations
  • 50% indicated correlating security issues with network performance to be their top challenge
  • 44% cited the inability to replay anomalous security issues
• Hacking and malware cause nearly 1/3 of all data loss events*

* VERIS Community Database

Page 11

Solution: Benefits (IT Execs)

• Maximize IT resources and personnel by facilitating network team cooperation with security on investigations and clean-up
• "Two-for-one" deal (NPMD + security) maximizes IT spend
• Confirm every aspect of the attack and identify what assets have been compromised
• More effectively spend security dollars by understanding what attacks are getting through

Page 12

Packet-Based Security Forensics: A Next-Generation Approach to Attack Remediation

• Gain full attack context to confirm the attack path and identify compromised assets
• Quickly investigate and isolate attacks with post-event filtering and expert analysis
• Gain advance notice of potential attacks via alarming
• Validate security tool effectiveness: what attacks have gotten through?
• Integrate traffic access into existing security workflows with REST APIs

Page 13

Packet-Based Security Forensics (cont'd): A Next-Generation Approach to Attack Remediation

• Where did the attack come from?
• What users (if any) were involved?
• Which internal assets communicated with the malicious activity?
• What data was accessed in the attack?
• Whether (and how) the attack spread laterally through the network

Page 14

Vital NPMD Security Features

• High-speed (10 Gb and 40 Gb) data center traffic capture
• Expert analytics of network activity
• Filtering using Snort or custom user-defined rules
• Event replay and session reconstruction
• Capacity to store up to petabytes of traffic data for post-event analysis

Page 15

Network Security Forensics: Five Steps to Threat Resolution

Page 16

# 1 – Capture Everything on Your Network

Monitor from the core to the edge. Never miss a single packet.

Page 17

# 2 – Detect / Alert on Suspicious / Anomalous Behavior

Page 18

# 3 – Turn Back the Clock

Using back-in-time functionality, start the investigation at the time of the possible incident.

Page 19

# 4 – Identify Security Threats

Perform packet pre-processing to eliminate common obfuscation techniques (for example IP fragmentation and TCP segmentation that split a signature across packets, or overlapping retransmissions), so that detection rules are applied to the normalised stream rather than to individual packets.

Page 20

# 4 – Identify Security Threats

Then apply advanced Analyzer filtering for zero-day events, or Snort rules for known threats.

Page 21

# 4 – Identify Security Threats

The result: a comprehensive identification of detected threats within the time window specified.

Page 22

# 5 – View Illicit Behavior In/Out of the Network

Rebuild conversations to witness the event unfold, just like a sports "instant replay".

Page 23

# 5 – View Illicit Behavior In/Out of the Network

…even if encrypted, when the private key is available. (Caveat: a server's RSA private key only decrypts sessions negotiated with RSA key exchange; with forward-secret (EC)DHE cipher suites you need the per-session keys, for example from a key log or a TLS-terminating proxy.)

Page 24

# 5 – View Illicit Behavior In/Out of the Network

Reconstruct HTTP streams to see exactly what was requested and received…
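The five steps above, worked as an added example that is not part of the original deck and not Viavi product code: a pure-stdlib Python pipeline that reads a pcap, restricts it to the investigation window (step 3), reassembles TCP streams so that a signature split across out-of-order or retransmitted segments is still seen (the pre-processing of step 4), matches a small Snort-style rule subset (step 4), and reconstructs the offending HTTP request (step 5). The capture, hosts, rule text and payloads are all constructed for illustration; the rule parser handles only header ports, msg, content and sid, not Snort's full option set.

```python
"""Added example (not from the Viavi deck): minimal packet-forensics pipeline.
Everything below (hosts, rules, payloads) is constructed for illustration."""
import re
import socket
import struct
from collections import defaultdict

# ---- constructed sample capture (NOT a real pcap): Ethernet/IPv4/TCP frames ----
def build_frame(src, dst, sport, dport, seq, payload, flags=0x18):
    """Build one Ethernet+IPv4+TCP frame; checksums are left at zero (toy capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"                          # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp

def build_pcap(records):
    """records: iterable of (timestamp, frame) -> bytes of a classic little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for ts, frame in records:
        us = int(round(ts * 1e6))
        out += struct.pack("<IIII", us // 1_000_000, us % 1_000_000, len(frame), len(frame)) + frame
    return out

BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"
EVIL_REQUEST = b"GET /../../etc/passwd HTTP/1.1\r\nHost: intranet\r\n\r\n"
SAMPLE_PCAP = build_pcap([
    (100.0, build_frame("10.0.0.5", "10.0.0.80", 51000, 80, 500, BENIGN_REQUEST)),
    (100.1, build_frame("10.0.0.80", "10.0.0.5", 80, 51000, 900, b"HTTP/1.1 200 OK\r\n\r\nok")),
    # The traversal string is split across two segments that arrive out of order,
    # plus a retransmission: no single packet contains "../../etc/passwd".
    (200.0, build_frame("10.0.0.7", "10.0.0.80", 52000, 80, 1010, EVIL_REQUEST[10:])),
    (200.1, build_frame("10.0.0.7", "10.0.0.80", 52000, 80, 1000, EVIL_REQUEST[:10])),
    (200.2, build_frame("10.0.0.7", "10.0.0.80", 52000, 80, 1000, EVIL_REQUEST[:10])),
    (200.3, build_frame("10.0.0.80", "10.0.0.7", 80, 52000, 3000, b"HTTP/1.1 200 OK\r\n\r\nroot:x:0:0:")),
])

# ---- step 3: read the capture; the caller keeps only the window under investigation ----
def read_pcap(blob):
    """Yield (timestamp, frame) from a little-endian classic pcap."""
    if struct.unpack("<I", blob[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack("<IIII", blob[off:off + 16])
        off += 16
        yield sec + usec / 1e6, blob[off:off + caplen]
        off += caplen

def decode_tcp(frame):
    """Return ((src, sport, dst, dport), seq, payload), or None for non-IPv4/TCP frames."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        return None
    tcp = ip[ihl:total]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport), seq, tcp[doff:]

# ---- step 4: pre-process (reorder, de-duplicate, flag gaps) so rules see whole streams ----
def reassemble(frames):
    """Map each TCP 4-tuple to its reassembled byte stream (one direction per key)."""
    segments = defaultdict(dict)
    for frame in frames:
        decoded = decode_tcp(frame)
        if decoded and decoded[2]:
            key, seq, payload = decoded
            segments[key].setdefault(seq, payload)          # first copy wins on retransmit
    streams = {}
    for key, segs in segments.items():
        buf, expect = b"", None
        for seq in sorted(segs):
            data = segs[seq]
            expect = seq if expect is None else expect
            if seq < expect:                                  # overlap: drop bytes already seen
                data, seq = data[expect - seq:], expect
            if seq > expect:                                  # gap: capture loss, never splice silently
                buf += b"[%d bytes missing]" % (seq - expect)
            buf, expect = buf + data, seq + len(data)
        streams[key] = buf
    return streams

# ---- step 4 (cont'd): a Snort-like rule subset: header dport, msg, content, sid ----
_RULE_RE = re.compile(r'alert tcp \S+ \S+ -> \S+ (\S+) \((.*)\)')
RULES_TEXT = """
alert tcp any any -> any 80 (msg:"Path traversal in HTTP request"; content:"../../etc/passwd"; sid:1000001;)
alert tcp any any -> any 80 (msg:"PHP web shell upload"; content:"<?php"; sid:1000002;)
"""

def load_rules(text):
    """Parse the subset above only; real Snort adds modifiers, pcre, flow options, etc."""
    rules = []
    for line in text.strip().splitlines():
        m = _RULE_RE.match(line.strip())
        if m:
            opts = dict(re.findall(r'(\w+):"?([^";]*)"?;', m.group(2)))
            rules.append({"dport": None if m.group(1) == "any" else int(m.group(1)),
                          "msg": opts["msg"], "content": opts["content"].encode(), "sid": int(opts["sid"])})
    return rules

# ---- step 5: reconstruct the HTTP request behind each hit ----
def parse_http(stream):
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    return lines[0], headers, body

def hunt(pcap_blob, rules, t_start, t_end):
    """Rule hits on reassembled streams whose frames fall inside [t_start, t_end]."""
    frames = [f for ts, f in read_pcap(pcap_blob) if t_start <= ts <= t_end]
    alerts = []
    for (src, sport, dst, dport), stream in reassemble(frames).items():
        for r in rules:
            if r["dport"] in (None, dport) and r["content"] in stream:
                req_line, headers, _ = parse_http(stream)
                alerts.append({"sid": r["sid"], "msg": r["msg"], "host": headers.get("Host"),
                               "flow": f"{src}:{sport} -> {dst}:{dport}", "request": req_line})
    return alerts

if __name__ == "__main__":
    for alert in hunt(SAMPLE_PCAP, load_rules(RULES_TEXT), 150, 250):
        print(alert)
```

Run against the constructed capture with the window 150–250 s, the only hit is the traversal request from 10.0.0.7; matching the same rule packet-by-packet would miss it, because the content string never appears whole in any one segment. A gap in the stream is marked rather than spliced over, so a reconstructed conversation never hides capture loss.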

Page 25

Case Study: Financial Service Company

• Network group reports attack
• Intel and IDS/IPS groups begin investigation
• Packet captures are evaluated for patterns
• Attackers are identified from TCP payload data

Page 26

Network Security Forensics in Practice

What began as three benign-sounding user complaints about slow network and application response time quickly escalated into a potentially serious security threat. The network engineer used a specialized probe appliance to perform deep-packet forensic analysis of traffic generated by one of the users' workstations. She discovered it was sending a packet to every device on the network, and each of these destinations responded in a similar fashion. This activity quickly saturated the network.

Desktop support and the security team were notified because an ongoing attack compromising nearly 100 users' machines appeared to be underway.
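The behaviour in this case study, as an added example (not from the deck and not Viavi product code) that also covers step 2 above, detect/alert on anomalous behaviour: a fan-out detector over conversation records that flags a host once it talks to more than a threshold of distinct destinations inside a sliding window, then infers which flagged host seeded which (lateral spread) and lists the assets that were touched. Hosts, ports, timings and thresholds are all constructed; reply records are folded in as separate records for simplicity.

```python
"""Added example (not from the Viavi deck): fan-out detection over constructed
flow records modelling one workstation touching every host, with one touched
host then doing the same.  Hosts, ports, timings and thresholds are made up."""
from collections import defaultdict, deque

def make_sample_flows():
    """Constructed records (ts, src, dst, dport); a reply is recorded as its own record."""
    flows = []
    for i in range(1, 61):                               # patient zero sweeps 10.0.0.1-60 ...
        t, host = float(i - 1), f"10.0.0.{i}"
        flows.append((t, "10.0.0.100", host, 445))
        flows.append((t + 0.1, host, "10.0.0.100", 445))  # ... and every host answers in kind
    for j in range(1, 41):                               # 10.0.0.20 (touched at t=19) starts its own sweep
        flows.append((30.0 + j - 1, "10.0.0.20", f"10.0.1.{j}", 445))
    for k in range(0, 60, 5):                            # a normal client talking to one server
        flows.append((float(k), "10.0.0.5", "10.0.0.80", 443))
    return sorted(flows)

def fanout_alerts(flows, window_s=60.0, max_unique_dst=20):
    """Flag a source the first time it talks to more than max_unique_dst distinct
    hosts inside a sliding window.  Returns (alerts, {src: first_flagged_at})."""
    recent = defaultdict(deque)                          # src -> (ts, dst), oldest first
    flagged, alerts = {}, []
    for ts, src, dst, _dport in flows:
        q = recent[src]
        q.append((ts, dst))
        while q[0][0] < ts - window_s:
            q.popleft()
        uniq = len({d for _, d in q})
        if uniq > max_unique_dst and src not in flagged:
            flagged[src] = ts
            alerts.append((ts, src, uniq))
    return alerts, flagged

def propagation_chain(flows, flagged):
    """Parent of each flagged host: the first earlier-flagged host that contacted it
    before it began scanning itself (spread direction = earlier -> later)."""
    parents = {}
    for ts, src, dst, _dport in flows:                   # flows are time-ordered, first hit wins
        if (src in flagged and dst in flagged and src != dst
                and flagged[src] < flagged[dst] and ts < flagged[dst] and dst not in parents):
            parents[dst] = src
    return parents

def exposed_assets(flows, flagged):
    """Every host a flagged host talked to, other than the flagged hosts themselves."""
    return sorted({dst for _, src, dst, _ in flows if src in flagged} - set(flagged))

if __name__ == "__main__":
    flows = make_sample_flows()
    alerts, flagged = fanout_alerts(flows)
    print("alerts:", alerts)
    print("spread:", propagation_chain(flows, flagged))
    print("hosts to triage:", len(exposed_assets(flows, flagged)))
```

On the constructed data the patient-zero host is flagged 20 seconds into its sweep, the touched host 10.0.0.20 is flagged once its own sweep passes the threshold, the chain shows 10.0.0.20 was seeded by 10.0.0.100, and 99 other hosts are listed for triage; the hosts that merely replied to a probe each talked to one destination and raise nothing. The threshold and window are the tuning knobs: too low and a monitoring server or DNS resolver fires, too high and a slow sweep stays under it, which is why this belongs next to the full capture that lets you replay what the flagged host actually sent.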

Page 27

Key Takeaways – Network Security Forensics

• Understanding of:
  • Network
  • Application
  • Traffic patterns
• Organizations need a retrospective, network-centric method to backstop other security measures and to identify and clean compromised IT assets.
• Firewalls, anti-virus software, IDS and DLP systems are necessary but no longer sufficient to achieve the most robust protection or to generate the paper trail for complete resolution and documentation of breaches.
• Packet-based network monitoring solutions, which evolved from performance monitoring and troubleshooting tools for network operations, are ideal for forensic analysis of security incidents. As a result, both network operations and security operations are finding value in sharing access to these tools.

Page 28

The Best Source of Evidence

• Packets don't lie
• Answers the questions of:
  • Who did it?
  • What was it?
  • What happened?
  • How did it impact?
  • How did it happen?
• Reconstruct exactly what happened

Page 29