Mata : Garuda An advanced Network Monitoring System The S.L.A.D Network Security Framework. FIRST Conference Berlin, 19 June 2015

Similar documents

Introducing IBM s Advanced Threat Protection Platform

The Cyber Threat Profiler

Cyber Watch. Written by Peter Buxbaum

Der Weg, wie die Verantwortung getragen werden kann!

Bridging the gap between COTS tool alerting and raw data analysis

Network Security Monitoring: Looking Beyond the Network

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015.

Cisco IPS Tuning Overview

THE ROLE OF IDS & ADS IN NETWORK SECURITY

RAVEN, Network Security and Health for the Enterprise

Advanced Threats: The New World Order

Contents. Intrusion Detection Systems (IDS) Intrusion Detection. Why Intrusion Detection? What is Intrusion Detection?

Repsheet. A Behavior Based Approach to Web Application Security. Aaron Bedra Application Security Lead Braintree Payments. tirsdag den 1.

On-Premises DDoS Mitigation for the Enterprise

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

How To Manage Log Management

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

QRadar SIEM and FireEye MPS Integration

Firewalls. Chapter 3

Cyber Security Defense Services Portfolio Development Status. February 2016

KASPERSKY DDOS PROTECTION. Discover how Kaspersky Lab defends businesses against DDoS attacks

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

The SIEM Evaluator s Guide

Modelling Next Generation Intelligent Network Intrusion Prevention System using M-Key technique

Solera Networks, A Blue Coat Company SOLERA NETWORKS BIG DATA SECURITY ANALYTICS

Open Source in Government: Delivering Network Security, Flexibility and Interoperability

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

How To Buy Nitro Security

The Need for Intelligent Network Security: Adapting IPS for today s Threats

Network Instruments white paper

UP L13: Leveraging the full protection of SEP 12.1.x

Bio-inspired cyber security for your enterprise

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

Service Description DDoS Mitigation Service

Internet of Things (IoT): Security Awareness. Sandra Liepkalns, CRISC

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

CONTINUOUS MONITORING THE MISSING PIECE TO SECURITY OPERATION (SOC) TODAY

The Next Generation of Security Leaders

ORGANIZADOR: APOIANTE PRINCIPAL:

Society, Law Enforcement and the Internet

Splunk Company Overview

IT Security and OT Security. Understanding the Challenges

A Review on Network Intrusion Detection System Using Open Source Snort

Network Based Intrusion Detection Using Honey pot Deception

THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

U. S. Attorney Office Northern District of Texas March 2013

Security Solutions for the New Threads

Network Security Demonstration - Snort based IDS Integration -

SANS Top 20 Critical Controls for Effective Cyber Defense

MACHINE LEARNING & INTRUSION DETECTION: HYPE OR REALITY?

Become a hunter: fi nding the true value of SIEM.

White Paper: Leveraging Web Intelligence to Enhance Cyber Security

Stop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats

NERC CIP Version 5 and the PI System

SecurityDAM On-demand, Cloud-based DDoS Mitigation

CyberArk Privileged Threat Analytics. Solution Brief

Open Source Software for Cyber Operations:

Second-generation (GenII) honeypots

REVOLUTIONIZING ADVANCED THREAT PROTECTION

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

Stephen Coty Director, Threat Research

Detecting Anomalous Behavior with the Business Data Lake. Reference Architecture and Enterprise Approaches.

Cybersecurity Delivering Confidence in the Cyber Domain

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

Dashboards as an Effective Tool for HIPAA Security and Privacy Compliance

How we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz)

Update On Smart Grid Cyber Security

Security strategies to stay off the Børsen front page

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

Solutions and IT services for Oil-Gas & Energy markets

Intrusion Detection in AlienVault

Threat Intelligence: What is it, and How Can it Protect You from Today s Advanced Cyber-Attacks A Webroot publication featuring analyst research

Information Blue Valley Schools FEBRUARY 2015

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Role of Anomaly IDS in Network

DDoS ATTACKS: MOTIVES, MECHANISMS AND MITIGATION

Managed Security Services for Data

Accenture Cyber Security Transformation. October 2015

Ultimate Windows Security for ArcSight. YOUR COMPLETE ARCSIGHT SOLUTION FOR MICROSOFT WINDOWS Product Overview - October 2012

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Transcription:

Mata : Garuda An advanced Network Monitoring System The S.L.A.D Network Security Framework FIRST Conference Berlin, 19 June 2015 1

Security in Real Life 2

3

Car Alarms Network Security Alarms 4

Our responsibility : Indonesia CERT/CC Vision Build Indonesia Internet within safe, comfortable and conducive environment Mission Improves the Nation s cyber security posture, and proactively manages cyber risks to the Nation s cyberspace. 40 Network Access Providers 300 Internet Service Providers 12 Telco s with 110.000 BTS 3G/4G 23 Million ICT ready companies 75 Million Internet User 5

Worldwide Security Service Spending 2015* Total: 49,140 Consulting 2012 2011 2010 Total: 38,269 Total: 35,117 Total: 31,129-5,000 10,000 15,000 20,000 25,000 30,000 35,000 40,000 45,000 50,000 In Million $ Estimated Source: Gartner Development IT Management SW Support HW Suport 6

Common Technology Packet Decoder Detection Engine Message/Alert Attack packet Database of signatures of known threats (supplied by vendor) 7

$ Everything i$ OK NAP $ $ $ $ Bad packet True Positive 8

$ Everything i$ OK NAP $ $ $ $ False Positive Good packet 9

Valuable Net Activity get Lo$t True Negative Good packet 10

Data Lo$t Money Lo$t Privacy Lo$t False Negative NAP Attack packet 11

Detection State of IDS A legitimate attacks which trigger alarms True positive False Positive Positive Alarms are generated, But no attacks have taken place No attack has taken place and no alarm is raised True Negative False False Negative A failure of an IDS to detect actual attacks 12

Threats change Common IDS Technology Have not 13

What the Cyber Security Needs is. See Decide Learn Adapt a continuous process to responds to continuous change 14

See everything in one place depth seeing Learn - Gain insight into your local traffic characteristic by Intelligent engine Adapt - Change is constant : leverage open architecture Decide - Reduce the false noise to make better decision 15

Mata Garuda Network Monitoring Common IDS Technology Closed / blind Black box / inflexible Fixed analysis tools Solutions SEE LEARN ADAPT Technology See not only the attacking phase Intelligence about Local traffic with machine learning tech. Modularity analysis tools Many false alarms DECIDE Reducing false alarms with intelligence technology 16

How it works? Base Module 1 st Module 2 nd Module Packet Decoder Database of signatures of known threats Collection Classifiers by Intelligent engine* Detection Engine Detection Engine Network Situational Awareness Application n th Module Alerts Alerts Reports S L A D 17

Value to Government, Public and Private Sectors 18

Community vs. Commercial Services Incident Handling Deep Analysis Advance Monitoring Basic Monitoring Commercial Services Community Services 300 ISPs 12 Telco s 23 Million companies 40 NAPs 19

Intelligence detection engine based on Machine Learning tech Machine Learning as second classification engine It is based on Support Vector Machine (SVM) It has been proven to be one of the best classification method We have done benchmarking by using data from DARPA (Defense Advanced Research Projects Agency). By using 8 features It can give 99% detection rate 20

Train data set from local traffic packet without payload Incoming packets sampling SVM a1 Detection engine DDoS Probe SVM a2 Train data set from local traffic packet with payload sampling SVM b1 Detection engine R2L U2R SVM b2 No Alert 21

See not only the attacking phase log of packet header 22

Cyber Situational Awareness System Packet Header Forensic : Before Current Attacking Phase After past -Where was I? - What happened? present - Where am I? -What is happening? future - Where am I going to? - What could happened 23

Tier 1 Sniffer s Networks The Topology Tier 2 Sensors Networks Tier 3 Administrator s Networks Tapper Sensor (PC ) Tapper Sensor (PC ) Tapper Sensor (PC ) Tapper Tapper Tapper Sensor (PC ) Sensor (PC ) Sensor (PC ) Switch Network Situational Awareness back-end storage Defense Center To administrator s networks To administrator s networks Tapper Sensor (PC ) SVM 24

Thank You Id-SIRTII/CC Ravindo Tower 17th Floor Jalan Kebon Sirih Kav. 75 Central Jakarta, 10340 Phone +62 21 3192 5551 Fax +62 21 3193 5556 Email info@idsirtii.or.id Website http://www.idsirtii.or.id