Using LYNXeon with NetFlow to Complete Your Cyber Security Picture

Transcription

1 Using LYNXeon with NetFlow to Complete Your Cyber Security Picture 21CT.COM Combine NetFlow traffic with other data sources and see more of your network, over a longer period of time. Introduction Many organizations have a variety of cyber security technologies, such as Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM), and packet capture (PCAP). Each tool provides data sources that are valuable for understanding specific events, but each lacks tie backs into the big picture, and can add complexity to understanding what is truly occurring on the network. Because of storage constraints, many tools also actively filter out data or narrowly limit data collection windows. Missing data means windows of vulnerabilities increase. These traditional tools are valuable in each of their specific lanes, but are not sufficient for protecting your network, especially when the consequences of a network compromise are so high that failure is not an option. 21CT LYNXeon fills these gaps with network flow data and advanced analytics. Network flow data (NetFlow) is the glue that holds various different network traffic data sources together. NetFlow records all the transactions traversing the network in a compact format and provides the referential integrity necessary to organize and relate all of the data sources mentioned above to one another. With LYNXeon, security professionals can collect NetFlow traffic, fuse it with other data sources, and see more of their network, over a longer period of time. In this Paper Introduction 1 Seeing It All 2 Case Study: National Instruments Amplifys their Perimeter Defenses 3 Seeing It All So You Can Act 4 Doing More with Technology So Operations are Simplified and More Effective 4 Getting More Out of Your Data To Make Operations Proactive 5 A LYNXeon + PCAP Workflow: First Breadth, then Depth 6 Conclusion 6 Many traditional tools also offer analytics that allow you to see certain data in limited windows of time, but do not allow you to interact, search, correlate, and automate pattern discovery in the data. LYNXeon does this by offering more advanced, accessible, and automated analytics than any other tool on the market. Without NetFlow, without the ability to aggregate other data, and without proactive and interactive data analytics all capabilities that LYNXeon supports an enterprise will have major gaps in its ability to see the right kind of data, in the right way, over the right period of time.

2 Seeing It All NetFlow data provides a record of all transactions across the network over the Internet. Using LYNXeon, you can understand network traffic and what the traffic patterns or changes to those patterns mean. This understanding helps determine whether there is a security risk, or if these changes in the traffic indicate a misuse of resources, such as network based fraud or intellectual property theft. A broader data view closes the growing window of vulnerability. Because NetFlow data is readily available and manageable to store, enterprises can access more of this data, covering months instead of days. Capturing all Internet data, such as all packet capture (PCAP), is an expensive endeavor, so most enterprises can only afford to capture and store it for a very limited period of time (e.g., several days). Further, some network monitoring technologies practice sampling, filtering, or dropping certain traffic to scale to enterprise size data. The logic is that certain traffic is known to be noise and is not important from a cyber security perspective; therefore, it need not be examined. Unfortunately, there is a fatal flaw in this logic. What may appear to be without value today may turn out to be priceless tomorrow. Where would I hide if I were an attacker and wanted to persist APT (Advanced Persistent Threat) style? The answer: in the traffic most commonly sampled, filtered, or dropped by most network monitoring technologies. Even the most highly skilled security professional will not be able to find a stealthy threat if the data isn t there to analyze it. We are only as good as our data. We need to see it all. LYNXeon is designed to efficiently warehouse, rapidly search across, and intuitively interact with vast quantities of data, data that records all the transactions on the network over a long period of time, not just a sample. Example: Overly Broad Data Filters Packet capture technologies often throw away scans in order to accommodate the size of their pipe and enable their tools to function. Scans provide valuable insight into what attackers are after since they are designed to look for vulnerabilities on your network as well as to map out your network from the inside out. If you throw scans away, you are running partially blind. Example: Limited Data Windows Intrusions may be spaced out by weeks or months, perhaps starting with a spear phishing and continuing with phoning home of malicious code. Understanding the historical continuity of activity helps the security professional answer what happened, how it happened, and when. NetFlow gives you visibility into Unknown Unknowns. Some network monitoring technologies take a signature based approach. The logic is that there are known threats that we must look for. This is necessary, but leaves us blind to that which we aren t yet aware of. For example, an Intrusion Detection System (IDS) is designed to look for threats we are currently aware of (known knowns). Unfortunately, many compromises evade signature based approaches and persist for months or years without detection. These are the unknown unknowns and present us with our greatest risk. Those intrusions are in the data, but only if we collect it all, regardless of whether we know to be concerned with it or not. LYNXeon s ability to collect and analyze NetFlow addresses this gap by providing broader visibility into the network.

3 Case Study: National Instruments Amplifies their Perimeter Defenses Josh Sokol leads the charge for network security at National Instruments as their Information Security Program Owner. He has long been a proponent of combining the strengths of multiple security tools. In mid-2013, Josh took this approach when he first detected an instance of malware using FireEye, and then imported that data, with NetFlow, into LYNXeon where he applied security analytics and visualization. After importing the FireEye data, Josh used LYNXeon to create custom security analytics using pattern queries to detect the spread of malware on the network: Using LYNXeon, we can create special queries that will show us all connectivity from the potentially infected system after the time of the malware download. All this and more is possible now that we have identified a potentially infected system on our network. Next, he successfully identified other infected systems across his global network: Because we are sending NetFlow data from our devices around the world into LYNXeon, we can search for any connections to these common malware servers. No more needle in a haystack. The data is all there, we just needed to know how to look for it. Finally, using patented graph pattern matching technologies, LYNXeon helped Josh discover other types of attacks: Once we ve identified an attacker s IP address, we can now use our NetFlow data to see all other traffic coming from that IP address. Often times, expanding these types of relationships can shed light on other activities they are performing on your network. Security analysts know that the most advanced threats use a combination of methods beyond the known signature until they succeed at breaching our defenses. Perimeter defenses, however good they may be at what they do, can only detect what they know about, leaving holes in your security posture where these unknown threats lie. The application of investigative creativity and experience combined with the intelligent use of all the cyber security solutions at his disposal allowed Josh to yield results not previously attainable with traditional perimeter defenses: By combining our malware analysis using FireEye and our NetFlow analysis using LYNXeon, we have created a hybrid system capable of far more than either of these tools by themselves. Our tools become infinitely more powerful when we are able to share the data between them.

4 Seeing It All So You Can Act Some behaviors like network based fraud are best understood by watching a series of transactions over a period of time. In the cyber domain, NetFlow is the best form of transactional data to use in investigations. This is because NetFlow records all the transactions traversing the network in a compact format, and provides the referential integrity necessary to organize and relate various data sources to one another. Because of this, NetFlow should be the cornerstone of any historical investigation into compromises, network based fraud, or a proactive plan for keeping your network safe. Much like your telephone bill, NetFlow data from a variety of sensors on the network can tell you who is communicating with whom, how long, and the ports and protocols involved. For example, an unusually large transfer outbound from your network to the Internet (exfiltration) would be an irregularity identified by NetFlow data that could be indicative of a compromise. High Stakes Intrusions Security professionals report that high reward/low risk forms of network based theft are increasing and succeeding at alarming rates. These illegal activities include intellectual property theft, ID theft, exfiltration of highly sensitive health or financial data, or millions of dollars in fraudulent gains from enterprises that conduct online transactions. Given the ease with which most networks can be attacked, security professionals report that it is much easier to steal intellectual property than it is to create it. It is much easier to create a network of fraudulent online applications than it is to engage in traditional non network based fraud. With high reward crimes, illicit behavior usually involves complex plans, and strategic intrusions that occur over long periods of time intentionally designed to operate under the radar of traditional intrusion detection and network monitoring technologies. By using LYNXeon to analyze months of NetFlow data, security professionals can identify how a compromise occurred. This allows them to develop remediation plans, and provide executive and public reports that illustrate how vulnerabilities have been corrected, and measures taken to prevent future compromises. Network based Fraud The more that transactions are conducted on the Internet, the more criminal behavior will happen on the Internet. These illegal transactions can show up as a series of irregular patterns of traffic in NetFlow. For example, if an enterprise allows outside users to apply for memberships or benefits online, and one particular host is communicating to the website in repeated and regularly timed intervals, this behavior would be flagged as irregular (since normal communications occur more sporadically). By analyzing NetFlow traffic, an analyst could identify this irregular activity. Remediation and Historical Forensics When an intrusion is discovered, decision makers expect their security professionals to be able to quickly determine the intrusion vector, point of entry, date of entry, and number of hosts involved and affected. This information is expected to be gathered quickly, reported, and then remediated by closing the windows of vulnerability that enabled the intrusion. According to the Verizon Data Breach Report, intrusions are often discovered 6 to 9 months after the fact. This means that security professionals need to have a broad data source, such as the one offered by LYNXeon in order to effectively report the information to decision makers, and develop remediation plans. Doing More with Technology So Operations are Simplified and More Effective Because LYNXeon is highly adaptable to various data sources and has a rich user interface, it allows a security professional to do more with less time and greater ease. Data Enrichment Multiple data sources provide valuable enrichment for the whole picture of what s occurring on a network. LYNXeon provides a centralized platform with which to quickly and easily search, analyze, correlate, and report across multiple data types. Examples: DHCP Logs LYNXeon can fuse and correlate NetFlow data with DHCP logs. Since IP address assignments can change daily, malicious activity that occurs on one day may be difficult to trace back to the affected system once the assignments change. Including DHCP logs with NetFlow and other sources allows for this functionality. Enriching Data with DNS Logs LYNXeon can fuse and correlate NetFlow data with DNS logs, and look for abnormalities and unusual instances of DNS. This provides a richer context for investigations. For example, traffic communicating directly with an IP address with no corresponding DNS lookup would be suspicious and warrant further investigation. Segmenting the Network for Targeted Analysis With LYNXeon, it is easy to segment NetFlow data to allow for analysis of sub networks individually. This allows a security professional to spot anomalies in particular segments of the network that may have gone unnoticed while looking at the whole network.

5 Encryption is Not an Obstacle As more and more illicit traffic moves from clear text transit to encrypted transit, signature based technologies begin to fail and break down. Analytical technologies that look at patterns and metadata, such as NetFlow, work exceptionally well because metadata is not blinded by encryption. Network Metrics A large, enterprise network can be greatly impacted by a small number of resource intensive applications or technologies. LYNXeon can provide insight into which systems, applications, or technologies are utilizing more resources than can be allotted to them to help improve the performance of the network. Identifying Aberrant Ports and Protocols LYNXeon quickly and easily facilitates studying all the transactions crossing the network and identifies ports and protocols that may be undesirable or unexpected. Malicious traffic can often hide in less often used ports and protocols. Hardening the Information Security Posture of the Enterprise LYNXeon facilitates studying the data to understand if there are areas where the information security posture may need to be tightened. For example, allowing only the protocols and services necessary for business purposes is an industry best practice. LYNXeon can be used to identify such protocols and services that are not needed for business functions. Long Term Retention Due to the extremely compact nature of metadata, it can be retained for long periods of time, such as one or two years. This historical evidence is valuable when law enforcement or government request historical data as part of an investigation, or in order to prosecute. Getting More Out of Your Data To Make Operations Proactive Not all analytics are created equal. Because all products in the cyber ecosystem collect, store or warehouse some form of data over some window of time, they must also offer customers a way to see and use the data. These functions are often referred to as analytics. But having the ability to just access and see the data is not analysis. And when search capabilities are in fact offered, not all analysis is truly interactive and customized to enterprise specific challenges. In short, LYNXeon is the Best in Breed analytic tool for network data, including NetFlow, layer 5 7 metadata, DNS logs, web logs, and IDS logs. Being able to see the data in certain windows of time is necessary, but not sufficient. Large volumes of data produce unmanageable pictures of data. To address this, traditional tools organize their big data in a way that produces a manageable picture. But in order for this data picture to produce actionable results such as identifying patterns of suspicious behavior so you can close network vulnerabilities a security professional needs to interact with, search, correlate, and automate pattern discovery in the data in a way that is specific to the data retrieved and the customer s needs. LYNXeon was designed to excel at this. Customized Analytics Empower Forensics and Predictive Remediation: A security professional begins analysis on LYNXeon with a predetermined catalogue of search choices LYNXeon s Analytic Catalog. The LYNXeon Analytic Catalog is presented in a user friendly GUI, and includes a series of pattern queries that have already been identified as strong jumping off points for digging into your data. These search choices can be expanded upon and customized before the analyst ever begins work (i.e., during the initial phases of a LYNXeon engagement). They can also be expanded once the analyst continues his work and becomes more familiar with his data and the challenges in his network. Analytics that Train the Workforce: Many cyber challenges are new. Sophisticated attackers are constantly devising new ways to get into your network. Your network evolves as traffic volumes increase, and new protocols are added. Security professionals need to constantly stay on top of the best ways to interact and search through specific activity in their specific network. Sometimes, knowing how to start, and what to do once you ve started, is the biggest challenge. LYNXeon s Analytic Catalog walks analysts through the data and investigative workflow. It allows every analyst, regardless of training, to become effective on day one, and drastically shortens an analyst s learning curve. Analytics that Automate the Expert: Understanding activity on your network and devising ways to remediate and prevent compromises are actions that become more effective with practice and experience. But time and resources are limited. Machines have to do more. Technology has to be smarter. With LYNXeon, we are pushing the envelope further in

6 automating expert workflows faster than any other commercially available tool. LYNXeon Analytic Catalog allows you to customize searches or use pre existing searches and then schedule them to run at regular intervals later in the day, during swing and night shifts for example. Assisted Pattern Discovery allows you to point and click on patterns or segments of patterns in the data, and find similar patterns elsewhere. Area of Interest allows the analyst to pre identify specific segments in the data to drill into, thereby predetermining windows or subsets for deeper inspection, and foregoing those likely to lead to false positives. A LYNXeon + PCAP Workflow: First Breadth, then Depth Step 1: Start with a jumping off point from one of the analytics in the LYNXeon Analytic Catalog. Step 2: Investigate the NetFlow data resulting from Step 1, using LYNXeon s iterative analytics. Step 3: Enrich with other data to produce a complete picture of what occurred. LYNXeon makes this easy with a one step, point and click capability. About 21CT At 21CT we create investigative analytics products for the way users think, look, and find. Our innovative products and services are used to detect and neutralize healthcare fraud, target and eradicate network security attacks, and more. 21CT solutions shed light on the intelligence hidden within your data. Reward your curiosity at 21ct.com. Step 4: Pull PCAP from the PCAP tool to further determine the nature of the traffic. Conclusion Enterprises often have a combination of traditional cyber security tools, including intrusion detection systems (IDS), and Packet Capture (PCAP) tools with limited windows. Given the complexity and high cost of cyber compromises, these tools are all necessary, but not sufficient. Even with these tools, significant gaps remain in the kind of data a security professional can see; data is filtered out, and data windows are limited. It is precisely within these gaps where vulnerabilities exist. LYNXeon is a necessary tool to fully complement and harden an enterprise s network security posture. 21CT, Inc. Corporate Headquarters 6011 W. Courtyard Drive Building 5, Suite 300 Austin, TX Phone: Fax: CT, Inc. All rights reserved. 21CT, LYNXeon, Torch, the 21CT logo, the LYNXeon logo, and the Torch logo are trademarks, service marks, or registered trademarks of 21CT, Inc. info@21ct.com