Deploying and managing security information and event management systems can tax the brain and budget. However, if done right, they can be a huge benefit to the overall security stance of an organization, providing insight into what's happening on the entire network and enabling security teams to focus on the most pressing priorities to make sure their organizations' infrastructures are safe and sound from attacks. We explore the many challenges and their remedies.
2013 Emulex Corporation
What? Who? When?
How network visualization can help you answer the difficult questions that arise from security breaches
You Just Suffered A Major Security Breach…
Three questions that the IT staff will be asked in the first 8 hours:
What Happened?
Who Was Affected?
When Will It Be Fixed?
Could your current SEM/SEIM tools (or any of your tools) provide the answers if you were breached today?
What Happened? Maybe…
Who Was Affected? Possibly…
When Will It Be Fixed? Probably not…
How Bad Is The Problem Today?
July 2013 Gartner report: DDoS attacks are increasing in frequency and size. The number of attacks has increased by more than 20% in the last year, and attack throughput has reached 160 Gbps.1
More than 70 percent of operating data centers reported DDoS attacks this year (up dramatically from under a half last year). 2
More than a third experienced attacks that exceeded total available Internet connectivity, nearly double last year. 3
About 10 percent saw more than 100 attacks per month. 4
1 – “Leverage Your Network Design to Mitigate DDoS Attacks”, Gartner Report G00253330, 2013
2, 3, 4, Graph – “Worldwide Infrastructure Security Report, Volume IX”, Arbor Networks, 2014
Like it or Not …
Your prevention and detection tools will fail
Network visibility tools provide a vital safety net against failure
With history, you can understand and minimize the damage
Think like you’ve already been breached
Some Actual Customer Quotes
“We live in triage mode. It takes too long to investigate the events we know about today. We’re exposed.”
“We’re never quite sure if what we’re looking at is real or not. It’s paralyzing us. We’re too scared to act.”
“When it goes wrong, and it does go wrong, it’s a PR train wreck and we need a way to contain the problem.”
“There are known knowns; there are things we know that we know. There are known unknowns; that is to say, there are things that we now know we don't know. But there are also unknown unknowns – there are things we do not know we don’t know.”
The Problem Is Not People or Tools - It is Data
Security tools have made great strides in their ability to identify issues and threats
– Use of “big data” analytics to identify unusual behaviors
– Baselines, profiling also help
BUT most critical breaches are “unknown unknowns”
– The tools are often being encountered for the first time
– The breachers are typically difficult/impossible to find
– “Guesswork” is nearly unavoidable
– Response times are measured in days, not hours
How do we speed up the process?
– The key is having the right data, and all of it
– Network visibility tools that capture, record, and search network traffic can help by providing context and facts for breach analysis
Network “Alerting” Stack
[Diagram: detection tools (DDoS, IDS, AA-NPM), SIM/SEM/SEIM, NMS and APM fed by SNMP alerts and NetFlow data from the core network infrastructure – core routers and switches (connectivity), firewalls (prevention), LAN]
SNMP and NetFlow don’t provide enough data to diagnose critical breaches (“unknown unknowns”)
Network Visibility Stack
[Diagram: the same stack – detection tools (DDoS, IDS, AA-NPM), SIM/SEM/SEIM, NMS and APM over core routers and switches (connectivity) and firewalls (prevention) – now fed by unsampled packets in addition to SNMP alerts and NetFlows, via EndaceProbe Intelligent Network Recorders and Network Packet Brokers (aggregation)]
Network visibility tools add unsampled packets to the picture – 100% visibility of what occurred, and who was affected
Introducing Endace
Part of Emulex product portfolio
World leader in packet capture and network recording
10+ year history selling recording solutions to top tier customers
– Government, HFT, telco & enterprise
Global reputation for accuracy, scalability and performance
Intelligent Network Recorders
100% accurate traffic recording
– 10 Gbps, scalable to 100 Gbps
64TB = 3 days storage at typical load
– Options for longer duration
Integrated network traffic search engine
– Layer 7 awareness & alarming
RESTful API for workflow integration
Deployed at Internet gateways
Typical Network Visibility Fabric Deployments
SecOps deployment monitoring both sides of the DMZ; record attacks, ID compromised data
NetOps deployment monitoring north-south traffic; ID inbound/outbound application issues
NetOps deployment monitoring east-west traffic; ID internal application performance issues
Streamlining the Analyst Workflow
Start with a SIM-generated security event
Right click and ‘zoom-in’ to the relevant traffic
Instant clarity – is it real?
Immediate productivity gains
– Move out of triage mode
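The “pivot to packets” step above, as an added example that is not code from the original deck or from Endace: starting from a SIEM-style event, pull the recorded packets for that conversation in a time window and decide from the packet evidence whether the alert describes a real, established session or only an unanswered probe. The SiemEvent/Packet records, the constructed capture and the verdict labels are all assumptions made for this illustration; a real recorder would be queried through its own search API instead of an in-memory list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Dict

@dataclass(frozen=True)
class Packet:
    """One captured packet header, as a recorder would index it (constructed)."""
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "PA" = PSH/ACK
    payload_len: int  # application bytes carried by this packet

@dataclass(frozen=True)
class SiemEvent:
    """The alert an analyst starts from (constructed shape, not a real SIEM schema)."""
    ts: datetime
    src: str
    dst: str
    dport: int
    rule: str

def pivot_to_packets(event: SiemEvent, capture: List[Packet],
                     window: timedelta = timedelta(seconds=30)) -> List[Packet]:
    """Return both directions of the event's conversation within +/- window, in time order."""
    lo, hi = event.ts - window, event.ts + window
    hits = []
    for p in capture:
        if not (lo <= p.ts <= hi):
            continue
        forward = p.src == event.src and p.dst == event.dst and p.dport == event.dport
        reverse = p.src == event.dst and p.dst == event.src and p.sport == event.dport
        if forward or reverse:
            hits.append(p)
    return sorted(hits, key=lambda p: p.ts)

def triage(event: SiemEvent, capture: List[Packet]) -> Dict[str, object]:
    """Answer 'is it real?' from packet evidence: did the session complete and carry data?"""
    pkts = pivot_to_packets(event, capture)
    syn = any(p.flags == "S" and p.src == event.src for p in pkts)
    synack = any(p.flags == "SA" and p.src == event.dst for p in pkts)
    bytes_to = sum(p.payload_len for p in pkts if p.src == event.src)
    bytes_from = sum(p.payload_len for p in pkts if p.src == event.dst)
    if not pkts:
        verdict = "no-packets"            # nothing recorded: alert cannot be substantiated
    elif syn and not synack:
        verdict = "unanswered-probe"      # target never answered; no data could have moved
    elif syn and synack and (bytes_to or bytes_from):
        verdict = "established-with-data" # full handshake plus payload: treat as real
    else:
        verdict = "handshake-only"
    return {"verdict": verdict, "packets": len(pkts),
            "bytes_to_target": bytes_to, "bytes_from_target": bytes_from}

# Constructed capture: one unanswered SYN probe, one full session, plus noise.
T0 = datetime(2013, 7, 1, 10, 0, 0)
def _at(s: float) -> datetime:
    return T0 + timedelta(seconds=s)

CAPTURE = [
    Packet(_at(1.0), "198.51.100.7", 40001, "192.0.2.10", 445, "S", 0),
    Packet(_at(5.00), "203.0.113.5", 51000, "192.0.2.20", 443, "S", 0),
    Packet(_at(5.01), "192.0.2.20", 443, "203.0.113.5", 51000, "SA", 0),
    Packet(_at(5.02), "203.0.113.5", 51000, "192.0.2.20", 443, "A", 0),
    Packet(_at(5.10), "203.0.113.5", 51000, "192.0.2.20", 443, "PA", 512),
    Packet(_at(5.50), "192.0.2.20", 443, "203.0.113.5", 51000, "PA", 1400),
    Packet(_at(6.0), "192.0.2.30", 52000, "192.0.2.40", 80, "S", 0),      # unrelated host
    Packet(_at(120.0), "203.0.113.5", 51001, "192.0.2.20", 443, "S", 0),  # outside window
]

EV_PROBE = SiemEvent(_at(1.0), "198.51.100.7", "192.0.2.10", 445, "SMB probe (constructed)")
EV_REAL = SiemEvent(_at(5.0), "203.0.113.5", "192.0.2.20", 443, "TLS anomaly (constructed)")

if __name__ == "__main__":
    for ev in (EV_PROBE, EV_REAL):
        print(ev.rule, "->", triage(ev, CAPTURE))
```

The window and the verdict rules are deliberately simple; the point is that the packet record, not the alert text, answers “what happened” and “who was affected”, and the same pivot gives a byte count for how much data actually moved.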
Our Approach to NPM/APM/SEM – Best of Breed
Our approach enables tailored best-of-breed solutions
– All tools share data from same secure location in datacenter
– Automated workflow, “pivot to packets” speeds up issue resolution
Lower investment while increasing ROI
– Only buy what you need
– Plan and train staff on the tools that fit your situation best
[Diagram: APM App, NPM App, IDS App and HFT App on top of the EndaceVision Network Search Engine with Fusion Connectors, over an Endace Capture Appliance (10/40/100GbE)]
Conclusions: The Business Value of Network Visibility
Know Your Risks: Understand exactly what data was compromised in a breach so that effective remedial actions can be taken
Unambiguous Forensics Trail: Have all of the data around an attack
Ensure Corrective Actions Are Effective: Ability to “replay” attacks to verify that corrective actions have addressed the security issue
Avoid Future Network Uptime Issues: Enable post-incident root cause analysis
SecOps CapEx/OpEx Savings: Streamline toolsets to address your specific needs and to simplify NetOps/SecOps workflow
ELIMINATE GUESSWORK!