First Line of Defense



Similar documents
First Line of Defense

Analysis of a DDoS Attack

Corero Network Security First Line of Defense Executive Overview

On-Premises DDoS Mitigation for the Enterprise

Hosting Provider DDoS Protection Playbook

Corero Network Security First Line of Defense Overview

First Line of Defense to Protect Critical Infrastructure

Your First Line of Defense AGAINST DDOS ATTACKS. scalability for First Line of Defense protection against cyber threats. ROBUST SECURITY COVERAGE

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

WHITE PAPER Hybrid Approach to DDoS Mitigation

Real Life DoS/DDOS Threats and Benefits of Deep DDOS Inspection. Oğuz YILMAZ CTO Labris Networks

Your First Line of Defense AGAINST DDOS ATTACKS AND CYBER THREATS. for inspection performance, security. while providing an unprecedented

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

How To Protect A Dns Authority Server From A Flood Attack

SecurityDAM On-demand, Cloud-based DDoS Mitigation

CloudFlare advanced DDoS protection

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

Acquia Cloud Edge Protect Powered by CloudFlare

VALIDATING DDoS THREAT PROTECTION

DDoS Attacks - Peeling the Onion on One of the Most Sophisticated Ever Seen. Eldad Chai, VP Product

How To Block A Ddos Attack On A Network With A Firewall

IBM QRadar Security Intelligence April 2013

DDoS ATTACKS: MOTIVES, MECHANISMS AND MITIGATION

Corero Network Security

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

DDoS Overview and Incident Response Guide. July 2014

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

Understanding and Defending Against the Modern DDoS Threat

Network Metrics Content Pack for VMware vrealize Log Insight

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

DYNAMIC DNS: DATA EXFILTRATION

First Line of Defense

Concierge SIEM Reporting Overview

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Introducing IBM s Advanced Threat Protection Platform

DDoS DETECTING. DDoS ATTACKS WITH INFRASTRUCTURE MONITORING. [ Executive Brief ] Your data isn t safe. And neither is your website or your business.

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

IBM SECURITY QRADAR INCIDENT FORENSICS

Cloud Security In Your Contingency Plans

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

Business Case for a DDoS Consolidated Solution

DDoS Protection on the Security Gateway

The Hillstone and Trend Micro Joint Solution

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Bridging the gap between COTS tool alerting and raw data analysis

FIRST LINE OF DEFENSE

How to launch and defend against a DDoS

Introducing FortiDDoS. Mar, 2013

DDoS Attacks & Mitigation

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

How To Protect Yourself From A Dos/Ddos Attack

CyberArk Privileged Threat Analytics. Solution Brief

A Layperson s Guide To DoS Attacks

Stop DDoS Attacks in Minutes

Distributed Denial of Service Attack Tools

Threat intelligence visibility the way forward. Mike Adler, Senior Product Manager Assure Threat Intelligence

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

Stop DDoS Attacks in Minutes

An Elastic and Adaptive Anti-DDoS Architecture Based on Big Data Analysis and SDN for Operators

Security strategies to stay off the Børsen front page

ADC Survey GLOBAL FINDINGS

Stop advanced targeted attacks, identify high risk users and control Insider Threats

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

SP Monitor. nfx One gives MSPs the agility and power they need to confidently grow their security services business. NFX FOR MSP SOLUTION BRIEF

North American Electric Reliability Corporation (NERC) Cyber Security Standard

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

Arbor s Solution for ISP

Denial of Service Attacks

[Restricted] ONLY for designated groups and individuals Check Point Software Technologies Ltd.

ThreatSTOP Technology Overview

DDoS Attacks Can Take Down Your Online Services

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

THE 2014 THREAT DETECTION CHECKLIST. Six ways to tell a criminal from a customer.

Load Balancing Security Gateways WHITE PAPER

Automated Mitigation of the Largest and Smartest DDoS Attacks

XpoLog Center Suite Log Management & Analysis platform

The webinar will begin shortly

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Stop DDoS Attacks in Minutes

Cyber Security Services: Data Loss Prevention Monitoring Overview

How To Create An Insight Analysis For Cyber Security

How To Mitigate A Ddos Attack

Distributed Denial of Service protection

Don t get DDoSed and Confused. Patrick Sullivan, CISSP, GSLC, GWAPT, GCIH Managed, Security Services

Transcription:

First Line of Defense SecureWatch ANALYTICS FIRST LINE OF DEFENSE OVERVIEW KEY BENEFITS Comprehensive Visibility Powerful web-based security analytics portal with easy-to-read security dashboards Proactive Protection Transforms security data into actionable security intelligence, visually exposing suspicious and malicious activity Services Capabilities Provides a virtual SOC for MSSPs to centrally deliver security services in a turn-key manner TURN-KEY VISIBILITY INTO DDOS ATTACKS AND CYBER THREATS A significant challenge facing many enterprises is how to extract meaningful real-time information on DDoS attacks and cyber threats from volumes of security events. To date, only minimal visibility into these classes of security events has been available, and only to organizations with significant investments in analytics tools and expert security staff; and in any case enterprises are left to react to the threats after the damage has been done. Corero SecureWatch Analytics is a powerful web-based security analytics portal that delivers turnkey visibility into DDoS attacks and cyber threats with comprehensive and easy-to-read security dashboards. Large organizations can benefit from the targeted granular DDoS event data they have been lacking that complements their security event monitoring practice. All companies benefit from the turnkey SecureWatch Analytics portal that delivers unprecedented DDoS and cyber threat visibility without requiring dedicated security analysts to sift through reams of unintelligible log data. The ability to uncover hidden patterns of data, identify emerging vulnerabilities within the massive streams of DDoS attack and security event data, and respond decisively with countermeasures, provides our team with the tools required to better protect our organization against the dynamic cyber threat landscape - Jay Naik, Assistant Director of Technical Services, Shubert Ticketing SecureWatch Analytics is included with the purchase of the Corero First Line of Defense products as a part of your DDoS defense investment. The portal transforms DDoS tailored security feeds from Corero SmartWall and DDoS Defense System security solutions into dashboards of actionable security intelligence, exposing: Reflective amplified DDoS attacks Targeted application layer attacks Under the radar low and slow attacks Victim servers, ports, and services Malicious IP addresses and botnets Empowered by this enhanced visibility, enterprises can utilize SecureWatch Analytics as a single pane of glass to visualize and mitigate DDoS attacks and cyber threats, and ensure uninterrupted business continuity for their Internet facing services. Additionally, MSSPs can augment their existing Security Operations Center (SOC) with a virtual SOC to create targeted dashboards that are relevant to specific industry verticals and deliver managed security services to the enterprise.

FEATURES AND FUNCTIONALITY SecureWatch Analytics is easily accessible via any browser and provides real-time and historical dashboard views that summarize network and security activity on an enterprise network. Users can view these dashboards at a site by site level or in an aggregate view that comprehends the total enterprise. Likewise, MSSPs can manage reporting for all their customers from one central location. NETWORK LEVEL VISIBILITY Network level statistics are typically the leading indicators of detecting unusual activity on an enterprise network. Link utilization, packets per second rate, number of active flows, and flow set up rates provide insight into the following analysis: Is there any anomaly in the volume of network traffic as compared to normal activity? In which direction (inbound/outbound/bidirectional) is the traffic anomaly? Which other events can the anomaly be correlated to? The charts in Figure 1 show an anomaly in network level activity during a 30-minute period in a hosting data center network. Four-fold increase in link utilization Ten-fold increase in TCP Connections 30-fold increase in Packets per Second Figure 1 - Network Level Visibility Eight-fold increase TCP Connection Setup Rate In the example above, the link utilization jumps from 1 Gbps to 4 Gbps, the packets per second (pps) rate spikes from 200K pps to over 6 million pps. TCP connection counts and set up rates go up by ten-fold at the same time. These indicators would cause security administrators to investigate security events in that time period in more detail. As seen in Figure 2 below, SecureWatch Analytics can greatly assist in this process, accelerating the response time for an enterprise that is under attack. SecureWatch Analytics 2

Volumetric SYN Flood Attack Other Blended Attacks Descriptions and summary statistics of attack vectors Figure 2 - Volumetric SYN flood attack from malicious botnets Figure 2 shows security activity occurring at the same time as the anomalous network activity shown in Figure 1. The most notable is that the enterprise was targeted with excessive TCP connections and a volumetric SYN flood attack. The number of security events generated per second went from just 1K/second to 150K/second. In addition, a variety of smaller attacks such as port scanning, illegal ICMP traffic, and NTP MONLIST requests/responses were blended in during this volumetric attack. Often, volumetric attacks are used as a smoke screen to hide low and slow application layer attacks. Hence, visibility into malicious application layer activity such as NTP and DNS attacks is another important feature of SecureWatch Analytics. APPLICATION LAYER VISIBILITY Application layer attacks are generally comprised of targeted server attacks, reflective amplification attacks, and low and slow attacks that are difficult to detect. Figures in this section show examples of application layer attacks that can be targeted at servers or can be generated from compromised servers. In Figure 3, botnets spoof target server IP addresses and send DNS requests to open DNS resolvers on the Internet. The DNS resolvers send responses, which are amplified by a large factor as compared to the requests, back to the target server(s), overwhelming them with large amounts of unsolicited traffic. SecureWatch Analytics 3

Unsolicited DNS responses targeted at servers. Attackers spoof server IP addresses to send DNS requests. Unsolicited amplified responses overwhelm the spoofed servers. Figure 3 Reflective DNS attack targeted at data center servers Similarly, compromised servers in a data center can be used as launch pads for sending large amounts of DDoS traffic out of a data center. In Figure 4, the SecureWatch Analytics dashboard shows a large scale DDoS attack as a result of amplified NTP monlist responses generated from a compromised NTP server in a data center. Compromised NTP servers can be used as DDoS launch pads, causing data centers to participate in large scale DDoS attacks. Such activity damages the IP reputation of legitimate servers. Figure 4 - Amplified NTP monlist responses from compromised servers SecureWatch Analytics 4

SecureWatch Analytics provides granular visibility into each type of application layer attack (e.g. HTTP GET floods, DNS request floods and unsolicited responses, NTP amplification) and tracks their behavior over time. ATTACKER IDENTIFICATION It is just as critical to know who is attacking you as it is to know that you are under attack. SecureWatch Analytics gives you the ability to immediately drill down to see the offending addresses and hostnames associated with attackers targeting your infrastructure. These can then easily be incorporated into ACLs and blacklists to permanently block access for devices with no legitimate reason to be accessing your network. Hostnames and country of origin of blocked clients provide visibility into who is perpetrating attacks TARGETED SERVER VISIBILITY Enterprises provide a variety of Internet facing services ranging from web, DNS, mail, and more. Malicious attackers seek out target servers to attack by scanning open ports on an enterprise network. SecureWatch Analytics provides a detailed report of activity on server ports highlighting which ports are being accessed the most, how many clients are accessing them, and which protocols are being used. Continuous port scanning activity occurring on well-known server ports as well as high numbered application ports. SecureWatch Analytics 5

FORENSIC ANALYSIS AND REPORT GENERATION SecureWatch Analytics archives security event data to enable forensic analysis of past threats and compliance reporting of security activity. Users can analyze event data based on preset times (last 24 hours, 7 days, 30 days) or select a more specific time frame. In addition, the data can be analyzed in granular resolutions as low as 5 second intervals. Preset time intervals for historical analysis Granular resolutions for getting details within a specific window of attack Date and time range selection for more specific attack analysis within a time period BROWSER REQUIREMENTS FOR CORERO SecureWatch ANALYTICS Corero SecureWatch Analytics is accessible to all Corero customers with an operational SecureWatch Server (included with your purchase of SecureWatch Analytics) and an active support contract. The portal supports the following browsers: Firefox latest release Internet Explorer 9 and higher Safari latest release Chrome latest release SecureWatch Analytics 7

LEARN MORE ABOUT CORERO SECUREWATCH ANALYTICS SecureWatch Analytics was developed with the deep security experience and knowledge base obtained by our security analysts that deliver our market leading SecureWatch PLUS service. SecureWatch PLUS is a comprehensive suite of DDoS configuration optimization, monitoring and response services. As your trusted advisor, Corero is extending the lessons from this security expertise to our customers and partners to better defend against cyber-crime. To learn more and see a demonstration of SecureWatch Analytics, please visit http://www.corero.com/securewatch_analytics or contact us at info@corero.com. ABOUT CORERO NETWORK SECURITY Corero Network Security, an organization s First Line of Defense against DDoS attacks and cyber threats, is a pioneer in global network security. Corero products and services provide online enterprises, service providers, hosting providers, and Managed Security Service Providers with an additional layer of security capable of inspecting Internet traffic and enforcing real-time access and monitoring policies designed to match the needs of the protected business. Corero technology enhances any defense-in-depth security architecture with a scalable, flexible and responsive defense against DDoS attacks and cyber threats before they reach the targeted IT infrastructure allowing online services to perform as intended. For more information, visit www.corero.com. Corporate Headquarters EMEA Headquarters 1 Cabot Road Regus House, Highbridge, Oxford Road Hudson, MA 01749 USA Uxbridge, England Phone: +1.978.212.1500 UB8 1HR, UK Web: www.corero.com Phone: +44.0.1895.876579 Copyright 2014 Corero Network Security, Inc. All rights reserved. 867-5309-002 SecureWatch Analytics 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information