Advanced approach to network security and performance monitoring
Michal Drozd, Threat Intelligence Product Manager, TrustPort (18 slides)
Agenda
Network monitoring
Security and performance problems
Common technology
Advanced possibilities of network monitoring
What is possible to detect
Where the limitations are
Business models
Why Are We Here?
It seems every week brings a new headline about a major data breach:
40 million credit card numbers compromised.
80 million customers and employees affected by a data breach.
8.8 to 18 million non-customers affected by the latest corporate hack.
Roughly 55% of the incidents involved APTs.
DDoS, SCADA, and so on.
Why Are We Here?
Customer requirements, management requirements, business requirements:
1. Increase network and service availability
2. Decrease staffing and training requirements
3. Optimize the network's bandwidth utilization and performance
4. Improve productivity while decreasing operational costs
Business requirements
Client services
Data centers
Cloud
Software as a Service (SaaS)
Network as a Service (NaaS)
Software Defined Networks (SDN)
Network monitoring
1. Network performance monitoring and diagnostics:
   Network flow based monitoring
   Network performance monitoring
   Application performance monitoring
2. Network security and network visibility:
   Detection of known threats (signature-based detection)
   Detection of unknown threats (APTs, zero-days, internal threats, ...)
   Network behavior anomaly detection
   Forensic analysis
   Network security auditing and regulatory compliance
Network performance monitoring and diagnostics
Problems:
What should be analyzed
How to analyze and visualize the right issue
Network Flow Monitoring (data source: direction, layers covered, extra data, sampling)
NetFlow v5: unidirectional IP statistics; L3 to L4; sampling 1:500
NetFlow v9: unidirectional IP statistics; L2 to L7 (HTTP via NBAR); sampling 1:500
Flow (ASNM, ...): bi-directional IP statistics; L2 to L7; application metadata; performance metrics; all 65535 ports; spectral analysis; sampling 1:100
PCAP: bi-directional full packet capture; 1:1 (every packet)
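To make the first row of the table concrete, here is an added example (not code from the slides or from TrustPort) that parses a NetFlow v5 export datagram from its published wire layout, reads the 1:N sampling interval from the header, scales the sampled counters back up, and then pairs the unidirectional records of one TCP session into a bi-directional total, which is exactly what the "Flow" row's probe does natively and what v5 does not. The datagram it parses is constructed inline with struct.pack; the addresses, ports and counters are made up for the demonstration.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format (Cisco's published layout): a 24-byte header followed by
# `count` fixed 48-byte flow records, all fields big-endian.
HEADER_FMT = "!HHIIIIBBH"            # version, count, sys_uptime, unix_secs, unix_nsecs,
                                     # flow_sequence, engine_type, engine_id, sampling_interval
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output, dPkts,
                                     # dOctets, first, last, srcport, dstport, pad1,
                                     # tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30                          # a v5 datagram carries at most 30 records


def parse_netflow_v5(datagram: bytes) -> dict:
    """Parse one v5 datagram; validate version, count and length before trusting fields."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > MAX_RECORDS or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count inconsistent with datagram length")
    # sampling_interval: top 2 bits are the sampling mode, low 14 bits the 1:N interval (0 = unsampled).
    interval = sampling & 0x3FFF
    scale = interval if interval else 1
    records = []
    for i in range(count):
        (src, dst, nexthop, ifin, ifout, pkts, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, tos, src_as, dst_as, smask, dmask, _pad2) = \
            struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": tcp_flags,
            "pkts": pkts, "octets": octets,
            # A 1:N sampler only saw one packet in N: scale counters up for volume estimates.
            "est_pkts": pkts * scale, "est_octets": octets * scale,
            "duration_ms": last - first,  # first/last are exporter sysuptime in ms
        })
    return {"count": count, "flow_sequence": flow_seq, "unix_secs": unix_secs,
            "sampling_mode": sampling >> 14, "sampling_interval": interval,
            "records": records}


def pair_unidirectional(records: list) -> dict:
    """v5 records are unidirectional, so a TCP session arrives as two records.
    Key them by a direction-agnostic 5-tuple to recover per-session totals."""
    sessions = {}
    for r in records:
        a, b = (r["src"], r["sport"]), (r["dst"], r["dport"])
        key = (r["proto"],) + tuple(sorted([a, b]))
        s = sessions.setdefault(key, {"octets": 0, "pkts": 0, "directions": 0})
        s["octets"] += r["est_octets"]
        s["pkts"] += r["est_pkts"]
        s["directions"] += 1
    return sessions


def build_sample_datagram() -> bytes:
    """Constructed sample, not a real export: one HTTPS session from 10.0.0.5 to
    192.0.2.10 seen by an exporter sampling 1:500, exported as two v5 records."""
    header = struct.pack(HEADER_FMT, 5, 2, 360_000, 1_700_000_000, 0, 1000, 0, 0, 500)
    client, server = int(IPv4Address("10.0.0.5")), int(IPv4Address("192.0.2.10"))
    # tcp_flags is the cumulative OR of flags seen: 0x1A = SYN|PSH|ACK
    rec1 = struct.pack(RECORD_FMT, client, server, 0, 1, 2, 12, 1_800, 100_000, 103_000,
                       51234, 443, 0, 0x1A, 6, 0, 0, 0, 24, 24, 0)
    rec2 = struct.pack(RECORD_FMT, server, client, 0, 2, 1, 20, 24_000, 100_010, 103_000,
                       443, 51234, 0, 0x1A, 6, 0, 0, 0, 24, 24, 0)
    return header + rec1 + rec2


if __name__ == "__main__":
    parsed = parse_netflow_v5(build_sample_datagram())
    print(parsed["sampling_interval"], parsed["records"])
    print(pair_unidirectional(parsed["records"]))
```

The length check before unpacking matters in practice: collectors listen on UDP and a short or hostile datagram must not be turned into an index error or, worse, a partially trusted record. The scaling also shows why the table's 1:500 column is a security limitation, not just a performance one: a sampled exporter cannot see short flows such as a single probe packet at all.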
Network flow performance monitoring (all services)
[Figure: packet exchange between client and server as observed by a probe in the path: SYN, SYN-ACK, ACK handshake, client request, server data packets; RTT, ART and DTT are marked on the timeline]
Round Trip Time (RTT): network delay
Application Response Time (ART): application delay
Data transfer time (DTT): data transfer duration
Delay: delay differentiation between packet flows
Jitter: deviation from true periodicity of a presumed periodic communication
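The slide names the metrics but not how a probe in the middle of the path derives them from packet timestamps. The following is an added example, not from the slides or TrustPort's product, that computes RTT, ART, DTT and jitter from a constructed packet timeline; the event list, the split of RTT into a server-side and a client-side half, the subtraction of the server-side half from the observed ART, and the use of mean absolute deviation of inter-arrival gaps as the jitter measure are all assumptions of this example.

```python
# Constructed packet timeline (not a real capture) as seen by a probe sitting between
# client and server: (time_s, sender, kind), times relative to the client's SYN.
SAMPLE_EVENTS = [
    (0.0000, "client", "SYN"),
    (0.0180, "server", "SYN-ACK"),
    (0.0185, "client", "ACK"),
    (0.0200, "client", "REQ"),
    (0.1400, "server", "DATA"),
    (0.1500, "server", "DATA"),
    (0.1650, "server", "DATA"),
    (0.1720, "server", "DATA"),
]


def first_time(events, sender, kind):
    """Timestamp of the first event of the given sender and kind."""
    return next(t for t, s, k in events if s == sender and k == kind)


def flow_metrics(events):
    """Derive the slide's metrics from timestamps observed at a mid-path probe.

    The probe never sees the endpoints' clocks, so every measurement is a difference
    between two packets passing the probe. The TCP handshake gives the network delay
    on each side of the probe without needing any application knowledge.
    """
    t_syn = first_time(events, "client", "SYN")
    t_synack = first_time(events, "server", "SYN-ACK")
    t_ack = first_time(events, "client", "ACK")
    t_req = first_time(events, "client", "REQ")
    data = sorted(t for t, s, k in events if s == "server" and k == "DATA")

    server_side_rtt = t_synack - t_syn   # probe -> server -> probe
    client_side_rtt = t_ack - t_synack   # probe -> client -> probe
    rtt = server_side_rtt + client_side_rtt

    # Observed request-to-first-byte delay includes one server-side round trip of
    # pure network time; remove it to isolate the application's own delay (ART).
    art_observed = data[0] - t_req
    art = art_observed - server_side_rtt

    dtt = data[-1] - data[0]             # first to last response data packet

    # Jitter: how unevenly the response packets arrive. Here: mean absolute deviation
    # of the inter-arrival gaps from their mean (a simple estimator chosen for this example).
    gaps = [b - a for a, b in zip(data, data[1:])]
    mean_gap = sum(gaps) / len(gaps)
    jitter = sum(abs(g - mean_gap) for g in gaps) / len(gaps)

    return {
        "rtt_s": rtt, "server_side_rtt_s": server_side_rtt, "client_side_rtt_s": client_side_rtt,
        "art_observed_s": art_observed, "art_s": art, "dtt_s": dtt, "jitter_s": jitter,
    }


if __name__ == "__main__":
    for name, value in flow_metrics(SAMPLE_EVENTS).items():
        print(f"{name:20s} {value * 1000:8.3f} ms")
```

Splitting RTT at the probe is what lets a flow monitor answer "is it the network or the application?": a large server-side RTT points at the data-center path, a large ART after subtracting it points at the service itself.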
Security problems
Network security and network visibility:
Detection of known threats (signature-based detection)
Detection of unknown threats (APTs, zero-days, internal threats, ...)
Network behavior anomaly detection
Forensic analysis
Network security auditing and regulatory compliance
C&C Trojan PC framework (table columns: Name, Price, Focus, C2 vector, Location, Info)
Name: Citadel; Beta Bot; Shylock; Carberp; Hesperbot; ZEUS
Price: 2500-5000$; 500$ (botsw); from 1000$; 40,000$; 5$/bot
Focus: stealing credit cards, WebInject into the browser (i.e. spoofed authentication form); theft of authentication data on selected banking applications; WebInject, direct data theft; WebInject, VNC, boot sector; theft of cards and accounts, WebInject into the browser; basis of most modern malware
C2 vector: SSL, e-mail (Yahoo, Hotmail, Gmail); SSL C2; SSL C2, Skype C2 (+ SSL services); SSL C2
Location: Japan, UAE, Austria, Turkey, USA; EU, USA; Czech Republic, Greece, Portugal; UK; global
Info: targeted at sandboxes (McAfee, FireEye, Symantec); mobile platform (CarMo, multi-factor authentication); leaked source code (5.7 GB); based on Zeus
C&C Trojan Mobile framework
ZitMo, SpitMo, CitMo, CarbMo, Perkele, Pincer, ...
Other common and unknown threats
Data leakage (misused DNS, SSH, HTTP(S), ...)
Tunneled traffic (ICMP, DNS, SSH, HTTP(S), ...)
Protocol anomalies
Slow (time-consuming) port scans
Masked brute-force attacks (dictionary, brute force)
Preparation for data theft by an employee and other internal threats
Breaches of internal security rules
Network misconfiguration
(Distributed) Denial of Service (DoS, DDoS)
Automated data harvesting (e-shop)
Fraud detection (web application)
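Two items on this list, slow port scans and DNS tunnelling, are the classic cases that per-packet signatures and simple rate thresholds miss but flow statistics catch. The following added example (not from the slides or TrustPort's product) runs two small detectors over constructed flow records: one counts distinct destination ports per source/destination pair inside a long window and reports the per-minute rate to show why a naive threshold stays silent, the other flags clients whose DNS queries carry long or high-entropy first labels. The record layout, the threshold values and the sample traffic are assumptions of this example.

```python
import math
from collections import Counter, defaultdict

# Constructed flow records, not real captures: (timestamp_s, src, dst, proto, dport, dns_qname).
# dns_qname is None for anything that is not a DNS query.
def constructed_flows():
    flows = []
    # Slow scan: one TCP probe every 150 s to a new port on the same host, 25 ports in an hour.
    for i in range(25):
        flows.append((i * 150, "10.0.0.7", "10.0.0.50", "tcp", 1 + i, None))
    # Benign web client: many flows, but only ever to ports 80 and 443.
    for i in range(40):
        flows.append((i * 90, "10.0.0.5", "10.0.0.50", "tcp", 443 if i % 2 else 80, None))
    # Benign DNS from the same client.
    for i, name in enumerate(["www.example.com", "mail.example.com", "cdn.example.net"] * 4):
        flows.append((i * 300, "10.0.0.5", "10.0.0.53", "udp", 53, name))
    # Tunnelled DNS: long base32-looking first labels under one zone, every 20 s.
    payloads = ["nbswy3dpebzxg2lhmvzxg4tbmrrgk4tof5zw6ylfmnqxizltmrqxgzlvnrxw4ylpmnuxiztm",
                "geygcztef5qxi2lomvzxgylbnrxxe3lmnfwgc3tboruxiidnfxgs3lbmnqw4zltmnqxiztom",
                "kzqxe2lpovzsay3pnzzw24dsmvzxgzlemrqxiyjaorxsay3pmrsxqylfnzxw44dtmvzxg5dt"]
    for i in range(12):
        flows.append((i * 20, "10.0.0.9", "10.0.0.53", "udp", 53, f"{payloads[i % 3]}{i}.t.example.org"))
    return flows


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded exfil data scores much higher than hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def detect_slow_scan(flows, window_s=3600, min_ports=20):
    """Flag (src, dst) pairs touching many distinct TCP ports within window_s.
    A per-minute threshold never fires on this traffic; only the long window does."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto, dport, _qname in flows:
        if proto == "tcp":
            by_pair[(src, dst)].append((ts, dport))
    findings = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        for start, (t0, _p) in enumerate(hits):          # slide the window start over the hits
            in_window = [(t, p) for t, p in hits[start:] if t - t0 <= window_s]
            ports = {p for _t, p in in_window}
            if len(ports) >= min_ports:
                span_min = max((in_window[-1][0] - t0) / 60, 1.0)
                findings.append({"src": src, "dst": dst, "distinct_ports": len(ports),
                                 "ports_per_min": len(ports) / span_min})
                break
    return findings


def detect_dns_tunnel(flows, max_label=40, max_entropy=4.0, min_queries=10, min_ratio=0.5):
    """Flag clients where most queries have a long or high-entropy first label."""
    by_client = defaultdict(list)
    for _ts, src, _dst, _proto, dport, qname in flows:
        if qname is not None and dport == 53:
            by_client[src].append(qname)
    findings = []
    for src, names in by_client.items():
        if len(names) < min_queries:
            continue
        suspicious = [n for n in names
                      if len(n.split(".")[0]) >= max_label
                      or shannon_entropy(n.split(".")[0]) >= max_entropy]
        if len(suspicious) / len(names) >= min_ratio:
            zone = Counter(".".join(n.split(".")[1:]) for n in suspicious).most_common(1)[0][0]
            findings.append({"src": src, "queries": len(names),
                             "suspicious": len(suspicious), "zone": zone})
    return findings


if __name__ == "__main__":
    flows = constructed_flows()
    print(detect_slow_scan(flows))
    print(detect_dns_tunnel(flows))
```

Both detectors depend on the probe seeing every flow: on a 1:500 sampled NetFlow feed the single-packet scan probes would mostly be invisible, which is the practical reason the earlier table separates sampled NetFlow from unsampled flow and PCAP sources.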
Modern Solution
Big Data analysis
Advanced flow metrics
DPI + IDS
Machine learning and artificial intelligence
User behavior model
Network behavior model: network model, host model, service model, performance model
Costs
Data source: mirrored communication
Current HW solution: up to 10 Gbps
From 20 Gbps: HW acceleration
HW acceleration: up to 300 Gbps per probe
Computing servers
Data store
Business model
Security as a Service: services for clients
Data source before the network gateway: backbone probe
Data source inside the client network: internal probe
Security cloud: data collector, analysis, reporting
Benefits
Permanent overview of the network risk status
Time saved on incident handling: all relevant data in one dashboard
Easier prioritization of detected incidents and threats
Minimized damage from security breaches, thanks to early detection and resolution
Increased network security: covers the gaps left by common security tools
Enables forensic analysis: collects evidence for several months
Michal Drozd
michal.drozd@trustport.com
+420 777 792 819
TrustPort a.s.
www.trustport.com