Mata : Garuda An advanced Network Monitoring System The S.L.A.D Network Security Framework. FIRST Conference Berlin, 19 June 2015

Size: px

Start display at page:

Download "Mata : Garuda An advanced Network Monitoring System The S.L.A.D Network Security Framework. FIRST Conference Berlin, 19 June 2015"

Cora Ray
8 years ago
Views:

1 Mata : Garuda An advanced Network Monitoring System The S.L.A.D Network Security Framework FIRST Conference Berlin, 19 June

2 Security in Real Life 2

3 3

4 Car Alarms Network Security Alarms 4

5 Our responsibility : Indonesia CERT/CC Vision Build Indonesia Internet within safe, comfortable and conducive environment Mission Improves the Nation s cyber security posture, and proactively manages cyber risks to the Nation s cyberspace. 40 Network Access Providers 300 Internet Service Providers 12 Telco s with BTS 3G/4G 23 Million ICT ready companies 75 Million Internet User 5

manages cyber risks to the Nation s cyberspace.

Worldwide Security Service Spending 2015* Total: 49,140 Consulting 2012 2011 2010 Total: 38,269 Total: 35,117 Total: 31,129-5,000 10,000

6 Worldwide Security Service Spending 2015* Total: 49,140 Consulting Total: 38,269 Total: 35,117 Total: 31,129-5,000 10,000 15,000 20,000 25,000 30,000 35,000 40,000 45,000 50,000 In Million $ Estimated Source: Gartner Development IT Management SW Support HW Suport 6

15,000 20,000 25,000 30,000 35,000 40,000 45,000 50,000 In Million $

7 Common Technology Packet Decoder Detection Engine Message/Alert Attack packet Database of signatures of known threats (supplied by vendor) 7

8 $ Everything i$ OK NAP $ $ $ $ Bad packet True Positive 8

9 $ Everything i$ OK NAP $ $ $ $ False Positive Good packet 9

10 Valuable Net Activity get Lo$t True Negative Good packet 10

11 Data Lo$t Money Lo$t Privacy Lo$t False Negative NAP Attack packet 11

12 Detection State of IDS A legitimate attacks which trigger alarms True positive False Positive Positive Alarms are generated, But no attacks have taken place No attack has taken place and no alarm is raised True Negative False False Negative A failure of an IDS to detect actual attacks 12

have taken place No attack has taken place and no alarm is raised True

13 Threats change Common IDS Technology Have not 13

14 What the Cyber Security Needs is. See Decide Learn Adapt a continuous process to responds to continuous change 14

15 See everything in one place depth seeing Learn - Gain insight into your local traffic characteristic by Intelligent engine Adapt - Change is constant : leverage open architecture Decide - Reduce the false noise to make better decision 15

Intelligent engine Adapt - Change is constant : leverage

Mata Garuda Network Monitoring Common IDS Technology Closed / blind Black box / inflexible Fixed analysis tools Solutions SEE LEARN ADAPT Technology See not only the

16 Mata Garuda Network Monitoring Common IDS Technology Closed / blind Black box / inflexible Fixed analysis tools Solutions SEE LEARN ADAPT Technology See not only the attacking phase Intelligence about Local traffic with machine learning tech. Modularity analysis tools Many false alarms DECIDE Reducing false alarms with intelligence technology 16

attacking phase Intelligence about Local traffic with machine learning tech.

17 How it works? Base Module 1 st Module 2 nd Module Packet Decoder Database of signatures of known threats Collection Classifiers by Intelligent engine* Detection Engine Detection Engine Network Situational Awareness Application n th Module Alerts Alerts Reports S L A D 17

signatures of known threats Collection Classifiers by Intelligent

18 Value to Government, Public and Private Sectors 18

19 Community vs. Commercial Services Incident Handling Deep Analysis Advance Monitoring Basic Monitoring Commercial Services Community Services 300 ISPs 12 Telco s 23 Million companies 40 NAPs 19

20 Intelligence detection engine based on Machine Learning tech Machine Learning as second classification engine It is based on Support Vector Machine (SVM) It has been proven to be one of the best classification method We have done benchmarking by using data from DARPA (Defense Advanced Research Projects Agency). By using 8 features It can give 99% detection rate 20

one of the best classification method We have done benchmarking by using data from DARPA

21 Train data set from local traffic packet without payload Incoming packets sampling SVM a1 Detection engine DDoS Probe SVM a2 Train data set from local traffic packet with payload sampling SVM b1 Detection engine R2L U2R SVM b2 No Alert 21

22 See not only the attacking phase log of packet header 22

23 Cyber Situational Awareness System Packet Header Forensic : Before Current Attacking Phase After past -Where was I? - What happened? present - Where am I? -What is happening? future - Where am I going to? - What could happened 23

24 Tier 1 Sniffer s Networks The Topology Tier 2 Sensors Networks Tier 3 Administrator s Networks Tapper Sensor (PC ) Tapper Sensor (PC ) Tapper Sensor (PC ) Tapper Tapper Tapper Sensor (PC ) Sensor (PC ) Sensor (PC ) Switch Network Situational Awareness back-end storage Defense Center To administrator s networks To administrator s networks Tapper Sensor (PC ) SVM 24

25 Thank You Id-SIRTII/CC Ravindo Tower 17th Floor Jalan Kebon Sirih Kav. 75 Central Jakarta, Phone Fax Website

Introducing IBM s Advanced Threat Protection Platform

Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Extensible Approach to Threat Prevention Paul Kaspian Senior Product Marketing Manager IBM Security Systems 1 IBM NDA 2012 Only IBM