SC Magazine eSymposium: SIEM

Deploying and managing security information and event management systems can tax the brain and budget. However, if done right, they can be a huge benefit to the overall security stance of an organization, providing insight into what's happening on the entire network and enabling security teams to focus on the most pressing priorities to make sure their organizations' infrastructures are safe and sound from attacks. We explore the many challenges and their remedies.

Page 1

2013 Emulex Corporation

What? Who? When?

How network visualization can help you answer the difficult questions that arise from security breaches

Page 2

You Just Suffered A Major Security Breach…

Three questions that the IT staff will be asked in the first 8 hours:

What Happened?

Who Was Affected?

When Will It Be Fixed?

Could your current SEM/SEIM tools (or any of your tools) provide the answers if you were breached today?

What Happened? Maybe…

Who Was Affected? Possibly…

When Will It Be Fixed? Probably not…

Page 3

How Bad Is The Problem Today?

July 2013 Gartner report: DDoS attacks are increasing in frequency and size. The number of attacks has increased by more than 20% in the last year, and attack throughput has reached 160 Gbps. [1]

More than 70 percent of operating data centers reported DDoS attacks this year (up dramatically from under a half last year). [2]

More than a third experienced attacks that exceeded total available Internet connectivity, nearly double last year. [3]

About 10 percent saw more than 100 attacks per month. [4]

[1] “Leverage Your Network Design to Mitigate DDoS Attacks”, Gartner Report G00253330, 2013

[2], [3], [4] and graph: “Worldwide Infrastructure Security Report, Volume IX”, Arbor Networks, 2014

Page 4

Like it or Not …

Your prevention and detection tools will fail

Network visibility tools provide a vital safety net against failure

With history, you can understand and minimize the damage

Think like you’ve already been breached

Page 5

Some Actual Customer Quotes

“We live in triage mode. It takes too long to investigate the events we know about today. We’re exposed.”

“We’re never quite sure if what we’re looking at is real or not. It’s paralyzing us. We’re too scared to act.”

“When it goes wrong, and it does go wrong, it’s a PR train wreck and we need a way to contain the problem.”

“There are known knowns; there are things we know that we know. There are known unknowns; that is to say, there are things that we now know we don't know. But there are also unknown unknowns – there are things we do not know we don’t know.”

Page 6

The Problem Is Not People or Tools - It is Data

Security tools have made great strides in their ability to identify issues and threats
– Use of “big data” analytics to identify unusual behaviors
– Baselines and profiling also help

BUT most critical breaches are “unknown unknowns”
– The attack tools are often being encountered for the first time
– The breachers are typically difficult or impossible to find
– “Guesswork” is nearly unavoidable
– Response times are measured in days, not hours

How do we speed up the process?
– The key is having the right data, and all of it
– Network visibility tools that capture, record, and search network traffic can help by providing context and facts for breach analysis

Page 7

Network “Alerting” Stack

[Diagram: core network infrastructure (core routers and switches for connectivity, firewalls for prevention, the LAN) feeding SNMP alerts and NetFlow data to the detection tools (DDoS, IDS, AA-NPM, APM, NMS) and to the SIM/SEM/SEIM]

SNMP and NetFlow don’t provide enough data to diagnose critical breaches (“unknown unknowns”)

Page 8

Network Visibility Stack

[Diagram: the same stack (core routers and switches, firewalls, LAN; DDoS, IDS, AA-NPM, APM and NMS detection tools; SIM/SEM/SEIM) with Network Packet Brokers (aggregation) and EndaceProbe Intelligent Network Recorders added, so that the tools receive unsampled packets alongside the SNMP alerts and NetFlows]

Network visibility tools add unsampled packets to the picture: 100% visibility of what occurred, and who was affected

Page 9

Introducing Endace

Part of Emulex product portfolio

World leader in packet capture and network recording

10+ year history selling recording solutions to top tier customers

– Government, HFT, telco & enterprise

Global reputation for accuracy, scalability and performance

Page 10

Intelligent Network Recorders

100% accurate traffic recording
– 10 Gbps, scalable to 100 Gbps

64 TB = 3 days storage at typical load
– Options for longer duration
(64 TB over 3 days corresponds to a sustained average of roughly 2 Gbps; at a full 10 Gbps the same store holds about 14 hours, so retention should be sized for peak rather than typical load)

Integrated network traffic search engine
– Layer 7 awareness & alarming

RESTful API for workflow integration

Deployed at Internet gateways

Page 11

Typical Network Visibility Fabric Deployments

SecOps deployment monitoring both sides of the DMZ; record attacks, ID compromised data

NetOps deployment monitoring north-south traffic; ID inbound/outbound application issues

NetOps deployment monitoring east-west traffic; ID internal application performance issues

Page 12

Streamlining the Analyst Workflow

Start with a SIM-generated security event

Right click and ‘zoom-in’ to the relevant traffic

Instant clarity – is it real?

Immediate productivity gains
– Move out of triage mode
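The “pivot to packets” workflow above, together with the point on pages 7 and 8 that SNMP alerts and NetFlow records cannot by themselves confirm a breach, as an added worked example written for this page (it is not Endace or Emulex code). It collapses a small constructed capture into NetFlow-style records to show what flow data drops, then takes a SIEM event, renders it as a BPF filter and pulls the matching packets from the recorder to answer “is it real?”. The in-memory capture, the alert dictionary layout, the 30-second window and every function name are assumptions.

```python
# Added example, not Emulex/Endace code. CAPTURE stands in for a network
# recorder; packet fields, alert layout and function names are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Packet:
    ts: datetime
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes

T0 = datetime(2013, 7, 15, 10, 20, 30, tzinfo=timezone.utc)

# Constructed sample capture: two HTTP flows from the same client to the same
# server. At flow level they look alike; only the payload tells them apart.
CAPTURE = [
    Packet(T0 - timedelta(seconds=1), "10.1.2.3", "203.0.113.10", 51234, 80, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Packet(T0 - timedelta(seconds=1), "203.0.113.10", "10.1.2.3", 80, 51234, "tcp",
           b"HTTP/1.1 200 OK\r\n\r\n<html>"),
    Packet(T0, "10.1.2.3", "203.0.113.10", 51234, 80, "tcp",
           b"GET /dl/cmd.exe HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Packet(T0 + timedelta(minutes=5), "10.1.2.3", "203.0.113.10", 51235, 80, "tcp",
           b"GET /reports/summary.pdf HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Packet(T0 + timedelta(minutes=5), "203.0.113.10", "10.1.2.3", 80, 51235, "tcp",
           b"HTTP/1.1 200 OK\r\n\r\n%PDF-1.4"),
]

def flow_records(packets):
    """Collapse packets into unidirectional NetFlow-style records (5-tuple,
    counts, first/last seen). Payload is discarded, so flow data can show that
    a conversation took place but not what was in it."""
    flows = {}
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        rec = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": p.ts, "last": p.ts})
        rec["packets"] += 1
        rec["bytes"] += len(p.payload)
        rec["first"] = min(rec["first"], p.ts)
        rec["last"] = max(rec["last"], p.ts)
    return flows

def bpf_filter(alert):
    """Render the alert's 5-tuple, in both directions, as a BPF expression
    for tcpdump or a recorder's packet search."""
    fwd = (f"src host {alert['src']} and src port {alert['sport']} and "
           f"dst host {alert['dst']} and dst port {alert['dport']}")
    rev = (f"src host {alert['dst']} and src port {alert['dport']} and "
           f"dst host {alert['src']} and dst port {alert['sport']}")
    return f"{alert['proto']} and (({fwd}) or ({rev}))"

def pivot_to_packets(store, alert, window=timedelta(seconds=30)):
    """Return the packets of the alerted conversation, in either direction,
    recorded within +/- window of the alert timestamp."""
    fwd = (alert["src"], alert["dst"], alert["sport"], alert["dport"])
    rev = (alert["dst"], alert["src"], alert["dport"], alert["sport"])
    lo, hi = alert["ts"] - window, alert["ts"] + window
    return [p for p in store
            if p.proto == alert["proto"]
            and (p.src, p.dst, p.sport, p.dport) in (fwd, rev)
            and lo <= p.ts <= hi]

def verify_alert(store, alert, window=timedelta(seconds=30)):
    """The analyst's first question, 'is it real?': does the indicator the
    SIEM rule fired on actually occur in the recorded payload?"""
    pkts = pivot_to_packets(store, alert, window)
    if not pkts:
        # Capture gap, clock skew between SIEM and recorder, or an alert older
        # than the recorder's retention: there is nothing to look at.
        return "no packets in window"
    if any(alert["indicator"] in p.payload for p in pkts):
        return "confirmed"
    return "not confirmed"

# Constructed alerts: a true positive, a false positive on a look-alike flow,
# and one that falls outside the recorded window.
ALERT_REAL = {"ts": T0, "src": "10.1.2.3", "dst": "203.0.113.10", "sport": 51234,
              "dport": 80, "proto": "tcp", "indicator": b"cmd.exe"}
ALERT_FALSE = dict(ALERT_REAL, ts=T0 + timedelta(minutes=5), sport=51235)
ALERT_STALE = dict(ALERT_REAL, ts=T0 + timedelta(days=4))

if __name__ == "__main__":
    for key, rec in flow_records(CAPTURE).items():
        print(key, rec)
    print(bpf_filter(ALERT_REAL))
    for alert in (ALERT_REAL, ALERT_FALSE, ALERT_STALE):
        print(alert["ts"].isoformat(), verify_alert(CAPTURE, alert))
```

Two details matter in practice. The flow records for the 51234 and 51235 conversations are indistinguishable in kind, which is exactly the limitation the alerting stack has; only the pivot to the recorded payload separates the true positive from the false one. And the “no packets in window” verdict is only meaningful if the SIEM and the recorder share a clock and the alert falls inside the recorder's retention; clock skew larger than the window turns a real event into an apparent gap.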

Page 13

Our Approach to NPM/APM/SEM – Best of Breed

Our approach enables tailored best-of-breed solutions
– All tools share data from the same secure location in the datacenter
– Automated workflow, “pivot to packets”, speeds up issue resolution

Lower investment while increasing ROI
– Only buy what you need
– Plan and train staff on the tools that fit your situation best

[Diagram: APM, NPM, IDS and HFT applications attached through Connectors to the EndaceVision Network Search Engine with Fusion, running on the Endace Capture Appliance (10/40/100GbE)]

Page 14

Conclusions: The Business Value of Network Visibility

Know Your Risks: Understand exactly what data was compromised in a breach so that effective remedial actions can be taken

Unambiguous Forensics Trail: Have all of the data around an attack

Ensure Corrective Actions Are Effective: Ability to “replay” attacks to verify that corrective actions have addressed the security issue

Avoid Future Network Uptime Issues: Enable post-incident root cause analysis

SecOps CapEx/OpEx Savings: Streamline toolsets to address your specific needs and to simplify NetOps/SecOps workflow

ELIMINATE GUESSWORK!
