Network Threat Behavior Analysis Monitoring Guide. McAfee Network Security Platform 6.1

Transcription

1 Network Threat Behavior Analysis Monitoring Guide McAfee Network Security Platform 6.1

2 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide

3 Contents Preface 5 About this guide Audience Conventions Finding product documentation Network monitoring with NTBA Appliance 7 2 Types of NTBA monitors and options 9 View NTBA default monitors List of NTBA default monitors List of NTBA additional default monitors List of NTBA custom monitors Typical uses of NTBA monitors 15 4 Creating and assigning custom NTBA monitors 19 Create a custom NTBA Appliance-specific monitor Create a custom zone-specific monitor Create a dashboard Assign a monitor to a dashboard Integration with other McAfee products 25 Alerts and scans TrustedSource information A NTBA Denial of Service profiles 29 B NTBA Denial of Service alerts 33 C Monitoring framework - an example 37 Index 41 McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 3

4

5 Preface Contents About this guide Finding product documentation About this guide This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized. Audience McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for: Administrators People who implement and enforce the company's security program. Conventions This guide uses the following typographical conventions and icons. Book title or Emphasis Title of a book, chapter, or topic; introduction of a new term; emphasis. Bold User input or Path Code Text that is strongly emphasized. Commands and other text that the user types; the path of a folder or program. A code sample. User interface Hypertext blue Words in the user interface including options, menus, buttons, and dialog boxes. A live link to a topic or to a website. Note: Additional information, like an alternate method of accessing an option. Tip: Suggestions and recommendations. Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data. Warning: Critical advice to prevent bodily harm when using a hardware product. McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 5

6 Preface Finding product documentation Finding product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase. Task 1 Go to the McAfee Technical Support ServicePortal at 2 Under Self Service, access the type of information you need: To access... User documentation Do this... 1 Click Product Documentation. 2 Select a Product, then select a Version. 3 Select a product document. KnowledgeBase Click Search the KnowledgeBase for answers to your product questions. Click Browse the KnowledgeBase for articles listed by product and version. 6 McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide

7 1 Network 1 monitoring with NTBA Appliance Monitoring of networks is a complex process. The process involves monitoring of network components consisting of network devices and the traffic that flows through such devices. Monitoring of network devices is essential as it has a direct impact on decisions regarding optimal use of network resources, and tailored allocation of available bandwidth. The ability to monitor network traffic in real-time provides the inputs needed to take critical decisions that address the economic and security concerns of an enterprise. This is more so when the network is spread across different geographical locations with distributed applications. McAfee Network Threat Behavior Analysis (NTBA) Appliance effectively addresses these concerns and provides several options of network monitoring that can be tailored by an enterprise to suit its requirements. How NTBA Appliance helps network monitoring McAfee NTBA Appliance provides a graphic configurable real-time view of the network traffic. The NTBA Appliance gathers flow and application data from across users, applications, hosts, devices, and stores them in an embedded database. You can see real-time data and a moving profile of the typical behavior of users, applications, hosts, and devices. All this information is coalesced into a summary view in the Threat Analyzer of the McAfee Network Security Manager (Manager) that can be drilled down for more detailed information. A typical activity like host scans, port scans, worm detection, new service / application, new host, suspicious connection, DoS, P2P, and spambots can be tracked based on user-defined policies. Real-time monitoring of network reduces the time needed to solve network related problems, and helps in identifying threats. Questions like, why is our network slow, which application has the maximum download impact, are easily answered in a network that is monitored by the NTBA Appliance. The NTBA Appliance does effective malware monitoring by detecting unauthorized reconnaissance scanning by any infected laptops in the system that can spread worm traffic. The NTBA Appliance detects unauthorized applications, rogue web servers, and peer-to-peer Applications. If McAfee TrustedSource integration is enabled in the Manager, relevant NTBA monitor options provide access to TrustedSource portal data. This data is powered by McAfee TrustedSource global threat correlation engine that receives and analyzes billions of queries per month from a network of McAfee sensors deployed to protect consumer and enterprise network traffic across 120 countries globally, collecting and correlating threat data for URLs, IP addresses, domains, and content. For more information on the NTBA Appliance features, see McAfee Network Security Platform NTBA Administrator's Guide. McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 7

8 1 Network monitoring with NTBA Appliance Host threat factor The NTBA Appliance maintains a threat factor per host in the network by correlating host behavior with alerts raised on the host. This threat factor is called the host threat factor. The NTBA Appliance calculates traffic profiles for every host on the network by calculating and summarizing host behavior into behavior indexes. Behavior indexes are calculated by comparing normal host behavior over a period over its average behavior over a larger period. The behavior index is maintained in the database along with the metrics and other data for every host as its "traffic profile." When an alert is raised for the host, the alert level is combined with the current behavior index to generate a threat factor for the host. The host threat factor is an index, which ranges from zero to 10, including fractional values. When a host first comes on the network, the host threat factor is initialized to -1, and the behavior of the host is learned for the next seven days. During this time, the host profile is built up and the host threat factor is maintained at 1. After the learning period, the host threat factor is set to zero for the host, and alerts thereafter for the host modifies its host threat factor. The host threat factor is aged automatically if a host no longer raises alerts (say after it was quarantined after a high critical alert, and subsequently its behavior was brought to normal). In such a situation, the NTBA Appliance brings the behavioral index of the host to zero as soon as the host behavior approaches its average behavior. If a host shows no anomalous behavior for long periods, its host threat factor will remain at, or decrease to zero, which is the normal host threat factor value for a benign host. The host threat factor has the following color-coded threat ranges: Less than Six (Low/Medium Threat) YELLOW Greater or equal to Six (High Threat) ORANGE Greater or equal to Nine (Critical Threat) RED The host threat factor vaulues for the hosts in the network are displayed in the Host Threat Factor monitor. 8 McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide

9 2 Types 2 of NTBA monitors and options The Threat Analyzer of the Manager displays ten default monitors in the NTBA dashboard. You can create additional dashboards and assign additional default or custom monitors. You can create a set of dashboards and monitors to suit your monitoring requirements. The right-click menu in the relevant default and additional default monitors has options for scanning hosts and viewing alerts listed in the All Alerts page of the Threat Analyzer. Viewing options Some monitors have options to switch views. To switch between graph and table, click View Graph (table to bar graph) and View Table (graph to table) icons at top right of the monitor. To switch between pie chart and table, click View Pie Chart (table to pie chart) and View Table (pie chart to table) icons at top right of the monitor. To switch between area chart and table, click Area Chart (table to area chart) and Table View (area chart to table) icons at top right of the monitor. The refresh rate of data in all the monitors is five minutes. The Enterprise Traffic Summary and Application Traffic Summary monitors show data for the past 30 minutes when the Real-time Threat Analyzer is started. Contents View NTBA default monitors List of NTBA default monitors List of NTBA additional default monitors List of NTBA custom monitors View NTBA default monitors The NTBA default and additional default monitors provide an enterprise-wide view of the various components of NetFlow traffic. There are 10 NTBA monitors displayed in the default dashboard of the Threat Analyzer. You can display additional default monitors by assigning them to newly created dashboards. McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 9

10 2 Types of NTBA monitors and options List of NTBA default monitors Task 1 Start the Threat Analyzer: In the Manager, click Real-Time Threats. The dashboards page appears. 2 Click the NTBA tab to view the default NTBA dashboard. The NTBA default dashboard displays the ten default monitors. You can drill down for more information through the right-click menu in some of the default monitors. List of NTBA default monitors Ten monitors are displayed in the default NTBA dashboard. Some of the default monitors have drill-down options in the right-click menu. You can use the drill-down information to view realted information in drill-down monitors. Table 2-1 NTBA default and drill-down monitors Monitor name Drill-down monitors 1 Throughput Enterprise Traffic (Bytes) None 2 Host Threat Factor Host Information Service Traffic Summary Host Profile DoS Profile Host Interaction Layer7 Activity Host Traffic Application Traffic Summary Active Services Active Applications Active Ports NSLookup Information 3 Traffic Volume (Bytes) - Top Source Hosts Host Information Host Profile DoS Profile Layer7 Activity Host Interactions NSLookup Information 4 Bandwidth Utilization (%) - Interface Interface Traffic - Throughput (bps) Interface Traffic - Packet Rate (pps) Bandwidth Utilization (%) Interface Traffic - Show All Top Bandwidth Consumers Service Traffic Summary 5 Top Files Show File Activity 6 Top URLs Show URL Activity 7 Application Traffic (Bytes) Application Profile 8 Protocols Distribution (Bytes) None 10 McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide

11 Types of NTBA monitors and options List of NTBA additional default monitors 2 Table 2-1 NTBA default and drill-down monitors (continued) Monitor name Drill-down monitors 9 Hosts New (Last 1 day) Host Information Layer7 Activity Active Services Active Applications Active Ports NSLookup Information 10 Traffic volume (Bytes) - Zones Zone Traffic Zone Services Traffic Top Bandwidth Consumers Zone Files Zone URLs Zone DoS Profile Figure 2-1 Accessing right-click monitors - an example List of NTBA additional default monitors NTBA additional default monitors provide an enterprise-wide view of various components of the network traffic. You can create new dashboards and assign the additional monitors to suit your monitoring requirements Table 2-2 NTBA additional default monitors Monitor name Drill-down monitors 1 Applications - Active (Last 1 hour) None 2 Applications - New (Last 1 day) Application Profile 3 Hosts - Active (Last 1 hour) None 4 Services - Active (Last 1 hour ) None McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 11

12 2 Types of NTBA monitors and options List of NTBA custom monitors Table 2-2 NTBA additional default monitors (continued) Monitor name Drill-down monitors 5 Services - New (Last 1 day) None 6 Services Traffic (Bytes) None 7 Top External Hosts by Reputation None 8 Top URLs by Category Show URLs 9 Top URLs by Reputation None List of NTBA custom monitors The NTBA custom monitors display NTBA Appliance-specific or zone-specific information in new dashboards. All the NTBA default and additional default monitors can be assigned to new dashboards as NTBA Appliance-specific custom monitors. In addition you can also create zone-specific custom monitors and assign them to new dashboards. Each custom monitor has parameters that are customizable. Table 2-3 Custom monitors - NTBA Appliance-specific Monitor Parameters 1 Hosts - Threat Factor Top N, Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)] 2 Top External Hosts By Reputation Top N, Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)] 3 Protocol Distribution (Bytes) Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time, End Time) 4 Top Urls By Reputation Top N, Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)] 5 Applications Traffic (Bytes) Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time, End Time) 6 Top Files Top N, Customize (Start Time, End Time) 7 Top Urls By Category Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)] 8 Traffic Volume (Bytes) - Zones Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time, End Time) 9 Traffic Volume (Bytes) - Top Source Hosts Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time, End Time) 10 Services - New (Last 1 day) Top N 11 Applications - Active (Last 1 hour) Top N, Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)] 12 Applications - New (Last 1 day) Top N 13 Bandwidth Utilization (%) - Interfaces Top N 14 Hosts - Active (Last 1 hour) Top N, Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)] 15 Hosts - New (Last 1 day) Top N 16 Services - Active (Last 1 hour) Top N, Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)] 17 Services Traffic (Bytes) Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time, End Time) 12 McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide

13 Types of NTBA monitors and options List of NTBA custom monitors 2 Table 2-3 Custom monitors - NTBA Appliance-specific (continued) Monitor Parameters 18 Throughput Enterprise Traffic (Bytes) Frequency (1 min, 10 min, hourly, daily), Customize (Start Time, End Time) 19 Top URLs Top N, Customize (Start Time, End Time) Table 2-4 Custom monitors - zone specific Monitor Parameters 1 Top Zone Conversations Direction (Bi-directional, Inbound, Outbound), Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)] 2 Zone DoS Profile Direction (Inbound, Outbound), Measure Name (tcp_syn_fin_pkt, udp_pkt, non-tcp_udp_icmp_pkt, tcp_rst_pkt, icmp_echo_or_reply_pkt, icmp_pkt) 3 Zone Files Top N, Customize (Start Time, End Time) 4 Zone Services Traffic (Bytes) Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)] 5 Zone Traffic Summary Frequency (1 min, 10 min, hourly, daily), Customize (Start Time, End Time) 6 Zone URLs Top N, Time Period [Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom (Start Time and End Time)] McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 13

14

15 3 Typical uses of NTBA monitors The following table shows typical uses for various NTBA monitors. Table 3-1 NTBA monitors - typical uses Monitor Traffic Volume (Bytes) - Top Source Hosts Bandwidth Utilization (%) - Interfaces Use Enables threat investigation. For example, if there are any hosts in the list that are not normally expected to be in the list of top traffic volume consumers, it is a pointer for further investigation. The sliding marker in the Inbound and Outbound columns can be set to any percentage. The color-coded bar shows red when bandwidth utilization approaches the set point. The bar changes color when the set threshold is approached as follows 0% of the configured threshold Empty bar 0% to 50% of the configured threshold GREEN 51% to 75% of the configured threshold YELLOW 76% to 95% of the configured threshold ORANGE 96% to 100% of the configured threshold RED Tool tip for the interfaces listed in the Interface column shows the interface details. You can set the bandwidth threshold based on a knowledge of your bandwidth availability and monitor the utilization Interface Traffic - Throughput (bps) Interface Traffic - Packet Rate (pps) Interface Traffic - Bandwidth Utilization (%) Interface Traffic - Show All Monitors real-time throughput of selected exporter interface. This is an important indicator of the exporter interface-wise throughput. This monitor enables monitoring of packet rate of the selected interface in real time. This is a very useful indicator of packet flow through exporter interfaces, and helps in appropriate interface allocation. Enables monitoring of exporter interface-wise bandwidth utilization. This information is a key input into bandwidth allocation, and capacity planning. Enables monitoring of throughput, packet rate, and bandwidth utilization of the selected interface in real time in a single monitor. This monitor provides a composite view of traffic pattern of the selected exporter interface. Interface - Top Bandwidth Consumers Interface Service Traffic Summary Identifies bandwidth consumption of hosts in the selected interface. You can click on a pie slice for an exploded view of the clicked slice. This monitor provides detailed information on bandwidth utilization of the selected interface. High traffic volumes and conversations can be pointers to threat investigation. Enables monitoring the inbound, and outbound service traffic throughput in real time for the selected interface. McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 15

16 3 Typical uses of NTBA monitors Table 3-1 NTBA monitors - typical uses (continued) Monitor Top Files Show File Activity Top URLs Show URL Activity Applications Profile Protocol Distribution (Bytes) Hosts - New (Last 1 day) Traffic Volume (Bytes) - Zones Use Monitors files that are used most in the network through this monitor. Information on top files is an aid to threat investigation. Unknown files that have high access counts can be identified for further investigation. Enables monitoring of file activity for the selected file. The files listed are the files with top counts. Hence, this monitor is an aid to check on these files for general information, and from a threat investigation angle. Enables monitoring of URLs that are most visited by hosts in the network. High URL visit counts of URLs that are suspicious are alarm calls for threat investigation. Appropriate action can be taken based on the information displayed in this monitor. Enables monitoring the URL details of the top URLs in the network. The URLs listed are the ones accessed the most in the network. Hence, this monitor is an important aid to threat investigation of URL activity in the network. Displays unusual application usage for in-depth investigation. The hosts associated with the Application can also be identified. Enables monitoring of traffic distribution among the various protocols used in the network. The usage pattern can be an important input for capacity planning, and appropriate distribution of existing bandwidth. Displays information on hosts that are new in the network. New hosts can be watched for any possible issues using this monitor. Enables monitoring of traffic volumes by zone. An NTBA zone is a concept of segregating the traffic either logically based on IP Addresses (CIDR zones), or physically based on Exporter interfaces (Interface zones). Zones represent groups of hosts whose traffic should be analyzed collectively for anomalous behavior. You can use this monitor to watch for traffic and security threats for individual zones. Zone Traffic Summary Zone Services Traffic Zone Top Bandwidth Consumers Enables monitoring of inbound, and outbound zone traffic volume for the selected zone. This information is an indicator of variations in traffic patterns in different zones created from the Manager. Charts the inbound and outbound zone services traffic for the selected zone. This information is an indicator of variations in services traffic in different zones created in the Manager. Identifies bandwidth consumption of hosts in the selected zone. This monitor provides detailed granular information on pattern of bandwidth consumption for the selected zone. Zone URLs Host Information Enables monitoring of URLs that are most visited by hosts in the selected zone. High URL visit counts of URLs that are suspicious are alarm calls for threat investigation. Appropriate action like blocking such URLs can be taken based on the information displayed in this monitor. Displays high traffic volume or high threat factor values in particular hosts. New hosts can also be identified from threat investigation point of view. 16 McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide

17 Typical uses of NTBA monitors 3 Table 3-1 NTBA monitors - typical uses (continued) Monitor Host Profile Host Interactions Use Enables detailed investigation of a host as part of threat investigation. Displays color-coded hosts to indicate threat factor and reputation. Red indicates a high threat factor level, Orange - medium, Yellow-low, and Blue-normal. The reputation information is color-coded as Red, Green, Grey, and White. The meaning of color-code is displayed in the tool-tip. You can use this monitor to observe the threat level and reputation of hosts interacting in the network. Layer 7 Activity You can watch layer 7 information for the selected host using this monitor. Sensor can be configured to export layer 7 data to the NTBA Appliance. Host DoS Profile Zone DoS Profile Applications Active (Last 1 hour) A DoS profile is an analysis of network traffic with reference to the normal traffic flow captured during the learning period of an NTBA Appliance. displays the long-term and short-term distribution for the chosen direction and measure. This monitor displays information with reference to the following parameters for the chosen host: Sensor Name of the NTBA Appliance Host IP Reputation TrustedSource reputation Country Direction Inbound or Outbound Measure icmp_pkt, tcp,rst_pkt, tcp_syn_or_fin_pkt, icmp_echo_or_reply_pkt,, udp_pkt. Country The DoS profile information is a graphic indicator of potential DoS related threat of the selected host traffic with reference to a chosen measure. The monitor displays the long-term and short-term distribution for the chosen direction, and measure. Displays information with reference to the following parameters for the chosen zone: Sensor Name of the NTBA Appliance Zone Mode Detection or Learning Direction Inbound or Outbound Measure icmp_pkt, tcp,rst_pkt, tcp_syn_or_fin_pkt, icmp_echo_or_reply_pkt, udp_pkt. The DoS profile information is a graphic indicator of potential DoS related threat of the selected zone traffic with reference to a chosen measure. Enables monitoring of applications that are currently active in the network. This information can be used to identify active applications that are known to be potentially unsafe as also to check on the effectiveness of blocking applications. McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 17

18 3 Typical uses of NTBA monitors Table 3-1 NTBA monitors - typical uses (continued) Monitor Applications New (Last 1 day) Hosts - Active (Last 1 hour) Services Active (Last 1 hour) Services - New (Last 1 day) Services Traffic (Bytes) Top External Hosts by Reputation Use Enables monitoring of new applications in the network during the last day. New applications that are known to be potential threats can be identified. Effectiveness of blocking of applications can also be verified through this monitor. Monitors the currently active hosts. This information can be used for threat related administrative purposes like choosing the time for remote access, and putting in place threat prevention related software in the host. Enables monitoring of currently active services in the network. Service, and protocol related traffic pattern for the last one hour could be monitored using this monitor. Enables monitoring of new services in the network during the last one day. Service and protocol related traffic pattern for the last one day could be monitored using this monitor. Charts the inbound and outbound services traffic volume in bytes over time. This monitor enables monitoring of services traffic in the network at 10-minute intervals. Specific protocols can be displayed in the graphic by selecting, or clearing the check box for each protocol in the color legend. Monitors the reputation of external hosts. External hosts that might pose a threat to the network can be identified through this monitor. 18 McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide

19 4 4 Creating and assigning custom NTBA monitors NTBA monitors are displayed in the default NTBA dashboard and new dashboards that you can create in the Threat Analyzer of the Manager. You can create custom monitors specific to an NTBA Appliance or to an NTBA zone and assign them to new dashboards that you create. Thus you can have a set of dashboards and monitors tailored to your monitoring requirements. Custom NTBA monitors are in addition to the default monitors displayed in the NTBA tab of the Dashboards page of the Threat Analyzer. The Assign Monitor button in a new dashboard displays a choice of monitors that can you can assign to the dashboard; these include default, additional default, and custom monitors. Custom monitors provide an easy way to track the hosts and alerts about which you care the most. Contents Create a custom NTBA Appliance-specific monitor Create a custom zone-specific monitor Create a dashboard Assign a monitor to a dashboard Create a custom NTBA Appliance-specific monitor In a deployment scenario where more that one NTBA Appliance is installed, you can create custom monitors for a specific NTBA Appliance. Follow this procedure to create a custom NTBA Appliance-specific monitor: McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 19

20 4 Creating and assigning custom NTBA monitors Create a custom zone-specific monitor Task 1 Select Options Monitor New. 2 In the New Monitor Dialog, make the following entries and selections and click OK: Enter a name for this monitor. (A monitor name cannot contain special characters or spaces.) From the Data Source drop-down list, select NTBA. Figure 4-1 Create a new monitor dialog 3 From the Select Monitor Type list, select a monitor type and click Next. 4 From the Select an NTBA Appliance list, select the NTBA Appliance for which you want a monitor and click Next. 5 From the Select a Monitor list, select the monitor you want to assign. Configure the parameters and click Finish. After you assign a custom monitor to a dashboard, you can click on the View Settings icon at top right of the custom monitor to toggle to the parameters page where you can edit and update the parameters for the monitor. Parameter choices might vary from monitor to monitor. Create a custom zone-specific monitor Custom NTBA zone-specific monitors can be created, and displayed in new dashboards that you create. You can monitor a particular zone through a zone-specific monitor. Follow this procedure to create a custom NTBA zone-specific monitor: 20 McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide

21 Creating and assigning custom NTBA monitors Create a dashboard 4 Task 1 Select Options Monitor New. 2 In the New Monitor Dialog, make the following entries and selections and click OK: Enter a name for this monitor. (A monitor name cannot contain special characters or spaces.) From the Data Source drop-down list, select NTBA. Figure 4-2 Create a new monitor dialog 3 From the Select Monitor Type list, select a monitor type, then click Next. 4 Select a zone in the NTBA Monitor Type Selection page and click Next. The list of zones is displayed under the Select a Zone list in the NTBA Zone Selection page. 5 Select a zone listed under Select a Zone and click Next. The NTBA Monitor Selection - Zone page is displayed. 6 Select a monitor from the list under Select a Monitor. Click Finish. After you assign a custom monitor to a dashboard, you can click on the View Settings icon at top right of the custom monitor to toggle to the parameters page where you can edit and update the parameters for the monitor. Parameter choices might vary from monitor to monitor. Create a dashboard Perform this task to create a new dashboard in the Threat Analyzer of the Manager: McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 21

22 4 Creating and assigning custom NTBA monitors Assign a monitor to a dashboard Task 1 Start the Real-time Threat Analyzer from the Manager home page and click the NTBA tab to open the NTBA Default Monitors page. 2 Select Options Dashboard New. Figure 4-3 New dashboard menu 3 Enter a name for the dashboard and click OK to view the newly created dashboard with the Assign Monitor button. Figure 4-4 Dashboard - Assign Monitor button No blanks spaces or special characters are allowed in the Dashboard Name. Assign a monitor to a dashboard Perform this task to assign a monitor to a dashboard that you created. 22 McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide

23 Creating and assigning custom NTBA monitors Assign a monitor to a dashboard 4 Task 1 On the dashboard click Assign Monitor to view the Assign Monitor page. Figure 4-5 Create a new monitor dialog 2 Make the following selections: a Select Assign an existing Monitor. b c d Select the Category. Select NTBA as the Type. Select the monitor from the listed monitors. 3 Click OK to display the selected monitor in the dashboard. McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 23

24

25 5 Integration 5 with other McAfee products Manager can be integrated with McAfee epolicy Orchestrator (McAfee epo), McAfee TrustedSource, and McAfee Vulnerability Manager to provide related alerts and scans. For more information on integration of Manager with other McAfee products, see McAfee Network Security Platform Integration Guide. Contents Alerts and scans TrustedSource information Alerts and scans The NTBA Appliance detects threats and displays alerts in the All Alerts page of the Threat Analyzer. You can use McAfee epo, and vulnerability scan options to investigate hosts for security status. Alerts and scan options are available in relevant monitors as follows. Table 5-1 Alerts and scans options To view this... Right-click this monitor... All alerts Host Threat Factor Traffic Volume - Zones monitor The right-click menu of the Host Threat Factor monitor has options for viewing of All Alerts, IPS Alerts, and NTBA Alerts though the All Alerts page NTBA alerts Host scan Traffic Volume - Zones monitor. Traffic Volume - Top Source Hosts Host Threat Factor Hosts - New (Last 1 day) Selected host can be scanned using McAfee epo Scan and Vulnerability Scan. All Alerts include IPS as well as NTBA alerts. Viewing alerts on a host gives detailed threat related information on the selected Host. Scan results are displayed in the Host Forensics page of the Threat Analyzer. These scans are part of the threat investigation on a host. With the integration of Vulnerability Manager, top five new hosts are automatically subjected to vulnerability scan. The process is repeated every five minutes as the next McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 25

26 5 Integration with other McAfee products TrustedSource information top five Hosts are automatically scanned, providing continuous vulnerability information. The automatic scan can be enabled or disabled by changing the Enable Auto Scan property in the General tab of the preferences page in the Threat Analyzer. McAfee epo and Vulnerability Scan options are available when Vulnerability Manager and epolicy Orchestrator are integrated with and enabled in the Manager. IPS alerts are available in a deployment scenario where both Sensor and NTBA appliance are installed. TrustedSource information TrustedSource data is powered by McAfee Global Threat Intelligence correlation engine that receives and analyzes billions of queries per month from McAfee's network of Sensors deployed to protect consumer, and enterprise network traffic across 120 countries globally, collecting and correlating threat data for URLs, IP addresses, domains, and content. TrustedSource assigns a reputation score and further classifies network identities, and content with a risk level based on an in-depth highly sophisticated analysis derived by processing thousands of behavior attributes to profile each network traffic sender, website, domain, or content. TrustedSource is the first and only reputation system to combine traffic data, routing, IP/domain registration data, and network characteristics with the unparalleled breadth of McAfee's global customer base. You can view the TrustedSource portal data for a selected host from the right-click options in the Traffic Volume (Bytes) - Top Source Hosts, Host Threat Factor, and Hosts - New (Last 1 day) NTBA monitors. TrustedSource integration needs to configured in the Manager (Root Admin Domain / NTBA Settings NTBA Settings TrustedSource) for viewing TrustedSource information in NTBA monitors. Before configuring TrustedSource integration with NTBA, participation in Global Threat Intelligence needs to be enabled at <Root Admin Domain> / Integration Global Threat Intelligence Participation. Figure 5-1 TrustedSource information 26 McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide

27 Integration with other McAfee products TrustedSource information 5 Firewall port 443 (port is for TrustedSource queries) and port 80 (port for TrustedSource database download) should be open for TrustedSource information to be displayed in the NTBA monitors. NTBA Appliance does host look-up through NetBIOS or DNS. Hence, this type of network traffic emanating from NTBA is normal. For more information on configuring TrustedSource integration in the Manager, see McAfee Network Security Platform 6.1 Integration Guide. McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 27

28

29 A NTBA Denial of Service profiles A Denial-of-Service (DoS) attack is a malicious attempt to render a service, system, or network unusable by its legitimate users. DoS profiles are a method used to combat DoS attacks. The NTBA Appliance automatically creates two types of DoS Profiles: Host DoS profiles are created for every host in the network.host DoS profiles are created for every host in the network. Zone DoS profiles are created for every zone in the network. You can view the Host DoS profile by clicking DoS profile listed in the right-click menu for the Traffic Volume (Bytes) - Top Source Hosts, and Hosts - Threat Factor default monitors in the NTBA tab under the Dashboards page of the Threat Analyzer. Figure A-1 Host DoS profile monitor McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 29

30 A NTBA Denial of Service profiles You can view the Zone DoS profile by clicking Zone DoS Profile listed in the right-click menu for the Traffic Volume (Bytes) - Zones default monitor in the NTBA tab under the Dashboards page of the Threat Analyzer. Figure A-2 Zone DoS profile monitor These profiles are created for six measures, namely, icmp_pkt (ICMP Echo Packet), tcp_rst_pkt (TCP Reset Packet), tcp_syn_or_fin_pkt (TCP Syn or Fin Packet), icmp_echo_or_reply_pkt (ICMP Echo or Reply Packet), and udp_pkt (UDP Packet). The dynamics of the Zone DoS profiles is explained here. The dynamics of Host DoS profiles are similar. 30 McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide

31 NTBA Denial of Service profiles A Zone DoS profile The following example illustrates the Zone DoS profile for one measure. The method for reading the profile for the other five measures is similar. Figure A-3 Zone DoS profile for ICMP Echo packet Two parameters are used, namely, packet rate (rate value), and percentage. Packet rate refers to the number of packets observed per second. Percentage refers to the percentage of observations out of the total for a given rate in a bin. The X-axis shows the packet rate breakdown, from low to high, in packets per second. The Y-bars are percentages of rate samples that fall into the ranges represented by the X points (bins). Long-term distribution is based on observations made over a long period. Short-term distribution is based on observations made over a short period (a few minutes). In the above profile, the x-axis points are bins representing 1.1, 1.5, 1.8, 2, 3.6, 5.2, 6.8, 8.4, 10, and 13 packets per second. The values for the bins are set based on an analysis of traffic, and its statistical significance and hence vary from time to time. Each bin represents the percentage of samples that fall between the rate values for the bin, and the next bin. The values for the bins represented in the illustration are as follows: McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 31

32 A NTBA Denial of Service profiles Long-term distribution The first bin represents the percentage of long-term samples that fall between the rate values 1.1 and 1.4. The second bin represents the percentage of long-term samples that fall between the rate values 1.5 and 1.7, and so on. The percentage of samples in the first bin is 6.06, for the second bin 0.68, and so on. The total percentage of samples that are above the 1.1 rate value (the first bin) is = This is indicated in the legend for the long-term distribution in the profile. This means that 91.96% ( = 91.96) of the packets were in the percentage range below These were considered benign traffic and hence not represented in the profile. The long-term distribution represents values that were learned initially for a few days, and then updated every four hours or so. During the updating process, 90% of the long-term profile value is retained and 10% of the short-term value is incorporated into the long-term value. Short-term distribution The short-term distribution is based on observations during a short-term (few minutes), and is updated every few minutes. In this example profile, the short-term profile values at the time of viewing the profile add upto This is a snapshot of the short-term rate sample observation during a short period. Alerts against the Volume DoS category are raised in the Threat Analyzer when there is a significant deviation from the profiles as determined by the NTBA Appliance. The short-term Y bars can at times exceed the long-term Y bars if there is a short-term traffic burst. The short-term Y bars can be zero when the short-term profile is reset to zero every four hours are so when the process of updating the long-term profile takes place. Further, the short-term, and long-term Y bars for a bin can be zero when there is no traffic relating to that bin. 32 McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide

33 B NTBA Denial of Service alerts The NTBA DoS alerts in the Threat Analyzer are grouped under the category Volume DoS. The attacks listed against the Volume DoS category alerts are of two kinds. They are either Volume Anomaly attacks or Threshold Anomaly Attacks. Volume DoS alerts for volume anomaly attacks The volume anomaly attacks listed as alerts in the Threat Analyzer are attacks that are detected with reference to DoS profiles. They are essentially anomalies in the volume of traffic with reference to the Host DoS Profiles and Zone DoS Profiles. If the rate sample for any short-term observation in a bin of a DoS profile exceeds the corresponding rate sample for the long-term significantly, for a duration determined as significant by the NTBA Appliance, an alert is raised in the Threat Analyzer. Figure B-1 Volume DoS anomaly attack alert listed in the Threat Analyzer You can double-click on an attack listed in the Alerts page of the Threat Analyzer to view the Alert Details page. The alerts detail for a Volume DoS Anomaly Alert reflects the sample rate distribution at the time of raising the alert. McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 33

34 B NTBA Denial of Service alerts In the following illustration, the percentage of observed rate samples at the time of raising the alert in the 10th bin is 100, whereas the corresponding rate sample value for the long-term is Hence, an alert was raised in the Threat Analyzer. Figure B-2 NTBA volume DoS anomaly alert details 34 McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide

35 NTBA Denial of Service alerts B Volume DoS alerts for threshold anomaly attacks Threshold anomaly attack alerts are listed under Volume DoS alerts if the threshold for an attack set in the NTBA Policy Editor is exceeded beyond the set threshold interval. Figure B-3 Setting threshold for an attack in the NTBA Policy Editor Threshold anomaly attack alerts are listed against the Volume DoS category in the Threat Analyzer. Figure B-4 Volume DoS threshold alert listed in the Threat Analyzer The Alerts Detail for a Volume DoS threshold alert lists the details of the alert. McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide 35