
SECURITY & REAL-TIME APPLICATION INSIGHT OCTOBER 2014

AGENDA
- Knowing what's on your network
- Benefits of application recognition
- Deeper insight and content decoding
- Security customer use case

NETWORK SECURITY CHALLENGES
Sophisticated cyber threats
- Layer 4 rules and port-based security are not enough
- Point-based security products are not enough
Application and content overload
- Ever-changing applications need continuous, up-to-date Layer 7 awareness
Encryption
- The trend towards encryption needs expertise to ensure visibility

THE PERVASIVENESS OF MALICIOUS TRAFFIC
Source: Cisco 2014 Annual Security Report

UNSEEN BACKDOORS
"To defend their network, organizations must be aware of what's on it: devices, operating systems, services, applications, users, and more. Many users download mobile apps regularly without any thought to security." (Cisco 2014 Annual Security Report)

HOW APPLICATION AWARENESS HELPS SECURITY
Security defense (proactive, in real time)
- Embed real-time application awareness into the security infrastructure
- Improve visibility of network-based risks such as viruses and malware
- Deep analysis of protocol metadata to show application behavior
- Fast processing speeds to handle live traffic volumes
Forensics (deeper analysis, off-line)
- Gather deeper information on captured traffic
- Filter only specific traffic for multiple analysis techniques

REALLY GET TO KNOW WHAT'S ON YOUR NETWORK
PACE is software that provides full protocol and application visibility from Layer 3 to Layer 7. It identifies the applications in use as well as attributes such as video or voice for deeper insight.

EXAMPLE 1: FACEBOOK

GAIN DEEPER APPLICATION INSIGHT
Processing stages: pre-processing, classification, metadata extraction
- Traffic volume: by app, by user, by protocol
- Application performance, e.g. latency and jitter for VoLTE and video
- Performance troubleshooting, e.g. application download time
- Identifiers, e.g. email sender/receiver addresses
- Files, e.g. the codec used by a video-on-demand application
- Usage, e.g. HTTP URL or client software used

FACEBOOK METADATA EXAMPLE
Each row gives the user action, the extracted fields and the event identifier.
Profile
- Visit: other user, ID. Event: IPD_EVENT_FACEBOOK_PROFILE_VISIT
- Wall story: wall path, story owner, story owner link, story message, target fbid. Event: IPD_EVENT_FACEBOOK_WALL_STORY
Searching
- Typed dynamic search results: search text, result list (uid, text, type, category, path). Event: IPD_EVENT_FACEBOOK_SEARCH
- Search results page: search text, result list (text, path). Event: IPD_EVENT_FACEBOOK_SEARCH
Login / Logout
- Login: ID, user. Event: IPD_EVENT_FACEBOOK_LOGIN
- Logout: ID, user. Event: IPD_EVENT_FACEBOOK_LOGOUT
Sending a private message
- New/reply simple text message to one/multiple recipients/list of friends, without/with link attachment: thread ID, recipient/recipient list (empty in case of reply), subject, message (author, rendered time, message text), rendered attachment. Event: IPD_EVENT_FACEBOOK_SEND_MESSAGE
- New/reply simple message with photo/video attachment: comment, composer_id, profile_id, photo/video items [{filename, data}]. Event: IPD_EVENT_FACEBOOK_SEND_MESSAGE
Reading a private message
- Viewing the list of messages: thread list (thread ID, subject, snippet, original author, time last updated rendered, recent authors list). Event: IPD_EVENT_FACEBOOK_INBOX
- Viewing an inbox/sent message, without/with photo/video/link attachment: thread ID, original author, recipients list, subject, message list (author, rendered time, message text, rendered attachment). Event: IPD_EVENT_FACEBOOK_MESSAGE_THREAD

FACEBOOK METADATA EXAMPLE (CONTINUED)
Friends
- List of friends: friends list owner, list of friends. Event: IPD_EVENT_FACEBOOK_FRIEND_LIST
- Requesting friendship: other user, ID. Event: IPD_EVENT_FACEBOOK_REQUEST_FRIENDSHIP
- Removing a friend: other user, ID. Event: IPD_EVENT_FACEBOOK_REMOVE_FRIEND
- Accepting a friendship request: other user, ID. Event: IPD_EVENT_FACEBOOK_ACCEPT_FRIENDSHIP
- Rejecting a friendship request: other user, ID. Event: IPD_EVENT_FACEBOOK_REJECT_FRIENDSHIP
Instant messages
- Sending/receiving an instant message: user ID, from, to, message, message ID, time, client_time. Event: IPD_EVENT_FACEBOOK_MESSAGE_CHAT
Posting on the user's/a friend's wall
- Posting a text message/link: message text, attachment URL, target user (in case of a friend's wall). Event: IPD_EVENT_FACEBOOK_POST
- Posting a photo/video: comment, composer ID, profile ID, photo/video items (filename, data). Event: IPD_EVENT_PHOTO_VIDEO_UPLOAD
Commenting on a post
- Commenting on a post: user, target profile ID, target fbid, assoc obj ID, comment text. Event: IPD_EVENT_FACEBOOK_COMMENT_ADD
- Deleting a comment: user, target profile ID, target fbid, assoc obj ID. Event: IPD_EVENT_FACEBOOK_COMMENT_DELETE

END-TO-END APPLICATION AND THREAT VISIBILITY

MAKING SECURITY SECURE

ALWAYS APPLICATION & USER BEHAVIOUR AWARE
Examples of protocols and applications
- Enterprise: Citrix, WebEx, Blackberry, SAP, Lync, Exchange, Diameter, Lotus Notes, IPsec, OpenVPN, etc.
- VoIP / Messaging: Skype, Oscar (ICQ/AIM), SIP, RTP, RTSP, Skinny, QQ, WebEx, WhatsApp, WeChat, LINE, etc.
- Social Networking: Facebook, Twitter, MySpace, LinkedIn, Sina Weibo, Instagram, Tumblr, RenRen, etc.
- P2P / Filesharing: BitTorrent, eDonkey, Rapidshare, Uploaded.to, 4shared, Xunlei, etc.
- Streaming: YouTube, Netflix, Deezer, MyVideo, Vimeo, PPStream, QQLive, Youku, iTunes Radio, etc.
Examples of metadata
- Traffic volume: per user, per protocol, per application, etc.
- QoS KPIs: jitter, throughput, latency, round-trip time, packet loss rate (per direction), packet direction, etc.
- User ID: MSISDN, Diameter/RADIUS login, mail address, callee, caller, sender, receiver, etc.
- User info: call state, operating system used, tethering status, clicked URL, etc.
- Client/server indication per subscriber

PERFORMANCE
Optimized for high-performance live network traffic processing. Performance tests based on real-world traffic show very good performance values. CPU usage increases in direct proportion to the number of activated applications.

MEMORY FOOTPRINT
Lowest memory usage compared to the competition. No memory allocation at run time, which saves processing power.

THE ENCRYPTION CHALLENGE
- Currently one out of every four protocols or applications is encrypted
- In addition, protocols such as eDonkey, Freenet and other P2P apps can adapt to circumvent firewalls and detection

HOW WE DO APPLICATION DETECTION
A variety of techniques (pattern matching, behavioral and heuristic analyses, and finite state machines) is combined to reliably detect protocols and apps:
- Simple pattern matching within a single packet [figure: example byte pattern]
- Pattern matching over multiple packets, e.g. HTTP, then User-Agent, then Facebook; flow tracking is mandatory
- Behavioral analysis: pattern matching over multiple packets [figure: packet-size sequence SHORT, LONG, SHORT, SHORT, SHORT]
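The techniques on this slide (single-packet pattern matching, multi-packet matching that needs flow state) together with the HTTP URL and client-software metadata listed under "Gain deeper application insight", as an added, constructed Python example; this is not ipoque's PACE code. The BitTorrent handshake signature, the facebook.com host check, the flow-key layout and the three-packet budget are illustrative assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Flow key: (src ip, src port, dst ip, dst port, transport). Assumed layout.
FlowKey = Tuple[str, int, str, int, str]
Verdict = Tuple[str, Dict[str, str]]  # (application label, extracted metadata)


class FlowClassifier:
    """Tiny illustrative DPI classifier (constructed example, not PACE)."""
    MAX_PACKETS = 3  # give up after the 1 to 3 packets the deck says normally suffice

    def __init__(self) -> None:
        self._buf: Dict[FlowKey, bytes] = defaultdict(bytes)  # per-flow payload so far
        self._seen: Dict[FlowKey, int] = defaultdict(int)     # packets seen per flow
        self.verdicts: Dict[FlowKey, Verdict] = {}            # final result per flow

    def feed(self, key: FlowKey, payload: bytes) -> Optional[Verdict]:
        """Feed one packet payload; return the verdict once the flow is classified."""
        if key in self.verdicts:            # flow already decided, no further work
            return self.verdicts[key]
        self._seen[key] += 1
        self._buf[key] += payload           # flow tracking: keep state across packets
        verdict = self._classify(self._buf[key])
        if verdict is None and self._seen[key] < self.MAX_PACKETS:
            return None                     # undecided: wait for the next packet
        self.verdicts[key] = verdict or ("unknown", {})
        del self._buf[key]                  # release state as soon as the flow is decided
        return self.verdicts[key]

    @staticmethod
    def _classify(buf: bytes) -> Optional[Verdict]:
        # 1) simple pattern matching: one fixed signature in the first bytes
        if buf.startswith(b"\x13BitTorrent protocol"):
            return ("bittorrent", {})
        # 2) pattern matching over multiple packets: HTTP headers may be split
        #    across packets, so wait for the end-of-headers marker before deciding
        if re.match(rb"(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n", buf):
            end = buf.find(b"\r\n\r\n")
            if end < 0:
                return None                 # header block incomplete: need more packets
            lines = buf[:end].decode("latin-1").split("\r\n")
            _method, url, _version = lines[0].split(" ", 2)
            headers = {k.strip().lower(): v.strip()
                       for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
            meta = {"url": url, "host": headers.get("host", ""),
                    "user_agent": headers.get("user-agent", "")}
            # 3) application derived from metadata of the carrier protocol
            app = "facebook" if meta["host"].endswith("facebook.com") else "http"
            return (app, meta)
        return None
```

A flow that matches none of the signatures after three packets is reported as unknown, so the engine does not keep buffering state for it.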

PACE APPLICATION RECOGNITION IS ALWAYS CURRENT

WHY INTEGRATE OEM SOFTWARE FROM IPOQUE?
Development of an IP classification engine is difficult and costly. ipoque estimates:
- A team of 40 engineers in-house
- 8 to 24 months to develop the software
- $2 million to $3 million for initial development, and then annually for R&D
Licensing from ipoque is simple and cost-effective:
- Minimal incremental staff requirements
- Integration in 1-2 quarters
- Licensing fees are a small fraction of the necessary R&D and include signature plug-ins and maintenance

LANCOPE STEALTHWATCH
The Customer: StealthWatch is a leading network behavioral analysis solution for network visibility and security intelligence across physical and virtual environments.
The Challenge: Provide effective behavior-based network security protection for distributed enterprises.
The Solution: Selected ipoque's PACE for its Layer 7 application awareness and visibility into traffic flows for improved network security intelligence.
The Result: Lancope StealthWatch can detect more sophisticated attacks, as anomalies in the network and applications are more easily identified.

CASE STUDY LANCOPE: BUSINESS CASE BENEFITS
- Fast time to market for Lancope
- Continuous updates from ipoque ensure that the latest applications can be detected
- Anomalies in the network and applications are more easily detected
- By basing development on standard servers, an annual opportunity to improve performance by up to 30%

PACE BENEFITS IN BRIEF
- ipoque's PACE is key for application detection and metadata extraction, which is crucial for next-generation network security solutions
- PACE detects around 95% of all IP traffic in a reliable manner, which ensures high network visibility
- PACE needs only 1 to 3 IP packets to classify the most common protocols and applications, which is crucial for online processing
- PACE comes with a ready-to-use interface where a security vendor can easily define their own protocols and applications
- Signature updates are applied at runtime; no reboot is necessary

IN SUMMARY: HOW APPLICATION RECOGNITION HELPS
Defend and gain deeper insight
- Accelerate time to detection by seeing more of the traffic
- Continuously monitor and scan network traffic and applications
- Aggregate unique context awareness that is not possible with point security devices alone
- High performance to meet increasing data and capacity requirements
- Search more levels of data, every element of every packet, to identify threats
- Respond faster to security threats