
Enterprise Situational Awareness and Monitoring through Network Behavior Analysis



  1. Enterprise Situational Awareness and Monitoring through Network Behavior Analysis Mark McDaniel, Systems Engineering Team Leader, Lancope

  2. Agenda • What is Network Behavior Analysis? • How Does NBA Work? • NetFlow - A Brief Overview • Current Organizational Security and Operational Challenges • Traditional Security Framework • NBA's Role in the Security Environment • Traditional Network Operations Framework • NBA's Role in the Network Operations Environment • Traditional Compliance and Policy Monitoring Framework • NBA for Compliance and Policy Monitoring • NBA's Future

  3. What is Network Behavior Analysis? Put simply, Network Behavior Analysis is the monitoring and analysis of network flows to understand host behavior. NBA systems monitor the network through a variety of methods to gain visibility into the behavior of hosts and their relationships with one another. NBA systems profile the behavior of a number of different factors (data points) for every host on the network to create an observed baseline of what constitutes “normal” activity for that host. NBA systems continuously monitor the network to ensure compliance with the established baseline for each behavioral data point for every active host, alarming when thresholds or other variables are exceeded. NBA systems allow administrators to divide the network into logical segments to improve the granularity of reporting and to define policies based on a number of different factors. NBA systems also provide information into the health of the network infrastructure and a wealth of other information.

  4. How Does NBA Work? • NBA systems monitor the network via SPAN or mirror ports or inline taps to capture traffic for analysis. In addition, and much more commonly, NBA systems monitor flow records generated by the network infrastructure: NetFlow for Cisco devices, sFlow for many other hardware vendors. • There are pros and cons to each monitoring approach: • SPAN/mirror/tap systems are segment based with limited visibility but offer packet payload analysis. • NetFlow monitoring can deliver visibility for the entire network, provided the hardware infrastructure supports it, but traditional NetFlow carries only header-level flow statistics, not payload. • sFlow can also deliver enterprise-wide visibility AND offer some payload analysis (it exports the leading bytes of each sampled packet), but it is a sampled technology, analyzing one in every N packets, so short flows may be missed entirely. • Once packets or flows are captured for analysis, tables are built within the system to create a session record. • Next, a series of algorithms is run on the session record to detect malicious activity, threshold violations and policy exceptions. • NBA systems using NetFlow or sFlow also report on the traffic transiting the interfaces of flow-export-capable hardware and deliver information regarding their health.

  5. NetFlow - A Brief Introduction, Terminology • As with any self-respecting technology, NetFlow has a number of unique terms: • Exporter - Any network hardware device capable of collecting and exporting NetFlow. • Collector - The device to which flows are exported and on which they are analyzed. • NetFlow Cache - Where the flow records are kept on the exporter prior to being exported. • Cache Timers - Control when a flow record is expired from the cache and exported; on Cisco IOS the active timer is set in minutes and the inactive timer in seconds (defaults 30 minutes and 15 seconds). • Inactive Timeout - How long a flow may go without a new packet before it is treated as a completed session and exported. • Active Timeout - The maximum time a still-continuing session stays in the cache before a record is exported for it; long-lived sessions are therefore cut into several records.

  6. NetFlow - A Brief Introduction, Part 1, Monitoring IP Data [Diagram: IP data monitored by a NetFlow exporter and sent to a StealthWatch Flow Collector]

  7. NetFlow - A Brief Overview, Part 2, Record Creation • NetFlow is "uni-directional": each direction of a conversation becomes its own flow record. • Flow statistics are counted inbound on the router interface. • Flows are stored on the router in a "flow cache" until a timer expires them and they are exported.

  8. NetFlow - A Brief Overview, Part 3, Creating Flow Records • Seven pre-defined key fields: source IP address, destination IP address, source port, destination port, Layer 3 protocol, ToS byte and input interface. • Inspect the packet for the key field values. • Compare the set of values to the entries in the NetFlow cache. • If the set of values is unique, create a new flow in the cache; otherwise update the matching flow's packet and byte counters. • Inspect the next packet.
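The cache behaviour described on slides 5 and 8 (match on the seven key fields, create or update an entry, then expire it on the inactive or active timer) as a small model in Python. This is an added example, not code from the presentation or from Lancope or Cisco: the packet fields, the `FlowCache` class and the constructed packet trace are assumptions made for illustration, and the timers are shortened so both expiry paths fire within the trace.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The seven key fields of classic (v5) NetFlow: source IP, destination IP,
# source port, destination port, IP protocol, ToS byte, input interface index.
FlowKey = Tuple[str, str, int, int, int, int, int]


@dataclass
class FlowEntry:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    reason: Optional[str] = None  # set when the entry leaves the cache


@dataclass
class FlowCache:
    """Toy exporter-side flow cache (an assumed model, not Cisco's implementation)."""
    active_timeout: float = 1800.0   # Cisco IOS default: 30 minutes
    inactive_timeout: float = 15.0   # Cisco IOS default: 15 seconds
    cache: Dict[FlowKey, FlowEntry] = field(default_factory=dict)
    exported: List[FlowEntry] = field(default_factory=list)

    def expire(self, now: float) -> List[FlowEntry]:
        """Move entries that hit a timeout from the cache to the export queue."""
        done = []
        for key, e in list(self.cache.items()):
            if now - e.last_seen >= self.inactive_timeout:
                e.reason = "inactive"    # session finished (or paused)
            elif now - e.first_seen >= self.active_timeout:
                e.reason = "active"      # long-lived session: cut a record, keep counting
            else:
                continue
            done.append(self.cache.pop(key))
        self.exported.extend(done)
        return done

    def inspect(self, pkt: Dict, now: float) -> bool:
        """Account one packet; returns True when a new cache entry was created."""
        self.expire(now)
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
               pkt["proto"], pkt["tos"], pkt["ifindex"])
        entry = self.cache.get(key)
        created = entry is None
        if created:
            entry = FlowEntry(key, first_seen=now, last_seen=now)
            self.cache[key] = entry
        entry.last_seen = now
        entry.packets += 1
        entry.octets += pkt["length"]
        return created


def run_demo() -> Dict:
    """Constructed packet trace (not captured traffic) with shortened timers."""
    cache = FlowCache(active_timeout=60.0, inactive_timeout=15.0)
    base = dict(src="10.0.0.5", dst="10.0.1.20", sport=51000, dport=443,
                proto=6, tos=0, ifindex=1, length=100)
    trace = [(0.0, base), (1.0, base),
             (2.0, dict(base, dport=80)),   # one key field differs: a second flow
             (20.0, base),                  # 19 s idle: first flow expired, new entry
             (30.0, base), (40.0, base), (50.0, base), (60.0, base), (70.0, base),
             (80.0, base),                  # 60 s since the entry was created: active timeout
             (85.0, base)]
    created = sum(cache.inspect(pkt, t) for t, pkt in trace)
    cache.expire(now=1e9)                   # flush whatever is left at the end
    return dict(flows_created=created, records=cache.exported)


if __name__ == "__main__":
    for r in run_demo()["records"]:
        print(r.key[:4], r.first_seen, r.last_seen, r.packets, r.reason)
```

The trace produces four records from what a human would call two conversations: the 443 flow is split once by the inactive timer and once by the active timer. That is why a collector has to stitch records back together (and why a scanner's one-packet probes each show up as their own tiny record).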

  9. NetFlow - A Brief Overview, Part 4, Flow Record Export • Flow records are exported in UDP datagrams of at most 1500 bytes. • A NetFlow v5 datagram carries a 24-byte header followed by up to 30 48-byte flow records (1464 bytes). • Export is plain UDP, unacknowledged and unauthenticated, so the collector should accept export only from known exporter addresses and watch the header's flow sequence number for gaps that indicate lost datagrams.
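The export format on slide 9 as working code: a builder that packs records into 30-record v5 datagrams and a collector-side parser that validates the header before trusting the byte count, plus a sequence tracker that turns the flow sequence field into a loss count. This is an added example, not part of the presentation and not StealthWatch or Cisco code; the NetFlow v5 header and record layout used here is the published one, while the record dictionary keys, the `SequenceTracker` class and the 61 constructed records are assumptions for illustration.

```python
import socket
import struct
from typing import Dict, List, Tuple

# NetFlow v5 wire format: 24-byte header followed by 48-byte records, at most 30
# records per datagram (24 + 30 * 48 = 1464 bytes, under a 1500-byte MTU).
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30


def build_v5(records: List[Dict], sys_uptime_ms: int, unix_secs: int, flow_sequence: int) -> List[bytes]:
    """Exporter side: pack flow records into one or more v5 datagrams."""
    pdus = []
    for i in range(0, len(records), MAX_RECORDS):
        chunk = records[i:i + MAX_RECORDS]
        header = V5_HEADER.pack(5, len(chunk), sys_uptime_ms, unix_secs, 0,
                                flow_sequence, 0, 0, 0)  # engine type/id and sampling = 0
        body = b"".join(V5_RECORD.pack(
            socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), socket.inet_aton("0.0.0.0"),
            r["in_if"], r["out_if"], r["packets"], r["octets"], r["first_ms"], r["last_ms"],
            r["sport"], r["dport"], 0, r["tcp_flags"], r["proto"], r["tos"],
            0, 0, 24, 24, 0) for r in chunk)  # AS numbers 0, /24 masks, padding
        pdus.append(header + body)
        flow_sequence += len(chunk)  # the sequence counts records, not datagrams
    return pdus


def parse_v5(datagram: bytes) -> Tuple[Dict, List[Dict]]:
    """Collector side: validate the header, then unpack exactly `count` records."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field {version})")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"record count {count} out of range")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")
    header = dict(count=count, sys_uptime_ms=uptime, unix_secs=secs, flow_sequence=seq,
                  sampling_interval=sampling & 0x3FFF)  # low 14 bits hold the interval
    records = []
    for off in range(V5_HEADER.size, len(datagram), V5_RECORD.size):
        f = V5_RECORD.unpack_from(datagram, off)
        records.append(dict(src=socket.inet_ntoa(f[0]), dst=socket.inet_ntoa(f[1]),
                            in_if=f[3], out_if=f[4], packets=f[5], octets=f[6],
                            first_ms=f[7], last_ms=f[8], sport=f[9], dport=f[10],
                            tcp_flags=f[12], proto=f[13], tos=f[14]))
    return header, records


class SequenceTracker:
    """Detect lost export datagrams: next expected sequence = seq + count."""
    def __init__(self) -> None:
        self.expected = None
        self.lost = 0

    def observe(self, header: Dict) -> int:
        gap = 0
        if self.expected is not None:
            gap = header["flow_sequence"] - self.expected
            if gap > 0:
                self.lost += gap  # a negative gap means reordering or an exporter restart
        self.expected = header["flow_sequence"] + header["count"]
        return gap


def run_demo() -> Dict:
    """61 constructed records -> 3 datagrams (30, 30, 1); then lose the middle one."""
    recs = [dict(src="10.0.0.5", dst=f"10.0.1.{i}", in_if=1, out_if=2, packets=3, octets=180,
                 first_ms=1000 + i, last_ms=2000 + i, sport=40000 + i, dport=443,
                 tcp_flags=0x12, proto=6, tos=0) for i in range(61)]
    pdus = build_v5(recs, sys_uptime_ms=5000, unix_secs=1_700_000_000, flow_sequence=100)
    parsed = [parse_v5(p) for p in pdus]
    full = SequenceTracker()
    gaps = [full.observe(h) for h, _ in parsed]
    lossy = SequenceTracker()
    lossy.observe(parsed[0][0])
    gap_after_drop = lossy.observe(parsed[2][0])   # datagram 2 never arrived
    try:
        parse_v5(pdus[0][:100])
        truncated_rejected = False
    except ValueError:
        truncated_rejected = True
    return dict(sizes=[len(p) for p in pdus], total=sum(len(r) for _, r in parsed),
                last_dst=parsed[2][1][0]["dst"], gaps=gaps, gap_after_drop=gap_after_drop,
                lost=lossy.lost, truncated_rejected=truncated_rejected)


if __name__ == "__main__":
    print(run_demo())
```

Because the sequence number advances by the number of records rather than by one per datagram, the tracker can report how many flows went missing, not just that something did; a collector that sees persistent gaps is either dropping UDP under load or being fed by an exporter it cannot keep up with, and either way its picture of the network is incomplete.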

  10. NetFlow - A Brief Overview, Part 5, Flow De-Duplication • When several exporters along a path report the same flow, the collector merges the copies so that traffic is not counted twice.

  11. NetFlow - A Brief Overview, Part 6 Flow Analysis Overview

  12. NetFlow - A Brief Overview, Part 7, Scanning Host Example • Flows are generated by the exporters and sent to the collector. • Collected flows are de-duplicated and put into a state table for algorithmic analysis to check for threshold and policy violations. • Alarms are triggered and propagated.
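The collector-side pipeline of slides 10 through 12 (de-duplicate records from multiple exporters, stitch unidirectional records into sessions, keep a per-host state table, alarm on thresholds and on deviation from a baseline) as one worked example. This is added code, not from the presentation or from any Lancope product: the record layout, the scoring rules, the thresholds and the baseline table are assumptions, and the flow records are constructed to contain one normal host and one host sweeping port 445 across a /24.

```python
from collections import defaultdict
from typing import Dict, List


def dedup(flows: List[Dict]) -> List[Dict]:
    """Collapse the same unidirectional flow reported by several exporters.

    Key: 5-tuple plus start time. Keep the copy with the larger byte count, on
    the assumption that it came from the exporter that saw the whole flow."""
    seen: Dict[tuple, Dict] = {}
    for f in flows:
        k = (f["src"], f["dst"], f["sport"], f["dport"], f["proto"], f["first"])
        if k not in seen or f["octets"] > seen[k]["octets"]:
            seen[k] = f
    return list(seen.values())


def build_sessions(flows: List[Dict]) -> List[Dict]:
    """Pair A->B with B->A into one session; the earlier direction is the client."""
    sessions: Dict[tuple, Dict] = {}
    for f in sorted(flows, key=lambda f: f["first"]):
        fwd = (f["src"], f["dst"], f["sport"], f["dport"], f["proto"])
        rev = (f["dst"], f["src"], f["dport"], f["sport"], f["proto"])
        if rev in sessions:                      # reply to a session we already hold
            sessions[rev]["server_octets"] += f["octets"]
            sessions[rev]["answered"] = True
            continue
        s = sessions.setdefault(fwd, dict(client=f["src"], server=f["dst"], dport=f["dport"],
                                          proto=f["proto"], client_octets=0,
                                          server_octets=0, answered=False))
        s["client_octets"] += f["octets"]
    return list(sessions.values())


def detect_scans(sessions: List[Dict], baseline: Dict[str, int],
                 unanswered_threshold: int = 20, baseline_factor: float = 3.0) -> List[Dict]:
    """Per-client state table -> alarms (threshold rule and baseline rule)."""
    state = defaultdict(lambda: dict(peers=set(), ports=set(), unanswered=set()))
    for s in sessions:
        st = state[s["client"]]
        st["peers"].add(s["server"])
        st["ports"].add(s["dport"])
        if not s["answered"]:
            st["unanswered"].add((s["server"], s["dport"]))
    alarms = []
    for host, st in state.items():
        if len(st["unanswered"]) >= unanswered_threshold:
            hosts_hit = {t[0] for t in st["unanswered"]}
            ports_hit = {t[1] for t in st["unanswered"]}
            kind = "addr_scan" if len(hosts_hit) > len(ports_hit) else "port_scan"
            alarms.append(dict(host=host, alarm=kind, count=len(st["unanswered"])))
        base = baseline.get(host)   # observed "normal" distinct-peer count for this host
        if base is not None and len(st["peers"]) > base * baseline_factor:
            alarms.append(dict(host=host, alarm="peers_above_baseline",
                               count=len(st["peers"]), baseline=base))
    return alarms


def run_demo() -> Dict:
    """Constructed records: two exporters on the path both report every flow."""
    exporters = ["branch-rtr", "hq-rtr"]
    raw: List[Dict] = []

    def add(src, dst, sport, dport, proto, octets, first, reply_octets=None):
        for ex in exporters:
            raw.append(dict(exporter=ex, src=src, dst=dst, sport=sport, dport=dport,
                            proto=proto, octets=octets, first=first))
            if reply_octets:
                raw.append(dict(exporter=ex, src=dst, dst=src, sport=dport, dport=sport,
                                proto=proto, octets=reply_octets, first=first + 1))

    add("10.0.0.5", "10.0.1.20", 51000, 443, 6, 900, 100, reply_octets=4200)   # normal HTTPS
    add("10.0.0.5", "10.0.1.21", 51001, 53, 17, 60, 105, reply_octets=120)     # normal DNS
    for i in range(1, 41):   # scanner: one SYN-sized flow to port 445 on 40 hosts, no replies
        add("10.0.0.99", f"10.0.1.{i}", 40000 + i, 445, 6, 60, 200 + i)

    flows = dedup(raw)
    sessions = build_sessions(flows)
    alarms = detect_scans(sessions, baseline={"10.0.0.5": 2, "10.0.0.99": 3})
    return dict(raw=len(raw), deduped=len(flows), sessions=len(sessions), alarms=alarms)


if __name__ == "__main__":
    print(run_demo())
```

Without the de-duplication step the scanner would be credited with 80 probes instead of 40 and the normal host's byte counts would be doubled; without the session stitching there would be no notion of "unanswered", which is what separates a sweep from a busy but legitimate client. The baseline rule fires independently of the threshold rule, which is the behavioural part of NBA: a host that normally talks to three peers and suddenly talks to forty is suspicious even before any fixed threshold is crossed.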

  13. Current Organizational Security Challenges Existing Security Technologies Do Their Jobs Well but Present Challenges: • Security Devices Are Segment Based, Unable to Monitor the Entire Network. • Security Devices Can Only Detect “The Known Bad” Through Signatures. • Security Devices Lack Contextual Awareness of the Hosts, Applications and Services. • HIDS/Anti-Virus/Anti-Malware Can Be Difficult to Manage, Requiring Agent Installation. • NAC Only Defines Pre-Admission Control and Offers Little to No Monitoring After a Host is Authenticated. • SIEMs Are “Data Haystacks” Requiring Complex Rule Writing and Configuration While Not Being Effective for Real-time Analysis. • Continuous, Real-time Policy Monitoring is Practically Impossible with Segment by Segment Visibility. • ACLs and Firewalls Lack a Continuous Monitoring Mechanism, Resulting in a “Plug and Pray” Policy. • The Tools Aren’t Integrated in Any Meaningful Way With Net Ops Tools, Creating Points of Contention Between the Two Teams if Their Tools are Generating Conflicting Information. • None of These Technologies Deliver Global, Real-time Situational Awareness.

  14. The Traditional Security Framework - The Core is Highly Secure [Diagram: Internet; small and midsized branch offices behind a branch edge router (lightly protected and protected remote sites); HQ edge router and packet filters; highly protected network core with SIEM, packet inspector and core switch with ACLs; end user switch; VPN concentrator for the remote user; end user systems with HIDS, AV, NAC, etc.; business critical assets]

  15. How NBA Helps Solve Many Current Security Challenges NBA Complements the Existing Security Infrastructure, Delivering: • Enterprise-Wide Visibility Through NetFlow and sFlow, Enabling the Entire Network as a Sensor Grid. • Analysis of Host Behaviors Rather Than Pattern Matching to Detect Zero-Day Attacks. • NBA is Based on Relationship Modeling and Awareness, Delivering Excellent Context. • NBA Systems Are Agentless and Reside on the Network Like Any Other Host for Ease of Management. • NBA Complements NAC for Compliance Monitoring and Post-Admission Control. • NBA Uses a Limited Number of Data Feeds for Continuous Real-time Analysis, Not Requiring Complex Rule Writing and Not Becoming Overloaded with Massive Amounts of Data for Analysis. • NBA Monitors the Entire Network, Detailing Host-to-Host Relationships as well as Applications, Services and Protocols in Use, Delivering Continuous Policy Monitoring. • NBA is Configured with Policies to Continuously Monitor and Audit ACLs and Firewall Rule Sets. • NBA, Through Its Host, Traffic and Behavioral Profiling as well as NetFlow Analysis and Exporter Interface Information, is an Excellent Complementary Net Ops Tool to the Existing SNMP and Sniffer Based Systems. • NBA’s Primary Function is to Deliver Real-time Situational Awareness Through a Combination of Behavioral Analysis, Configured Policy and Host-to-Host Relationship Modeling.

  16. NBA’s Role in the Security Infrastructure - Continuous, Global Visibility [Diagram: the slide 14 topology (Internet, small and midsized branch offices, branch edge router, HQ edge router, packet filters, SIEM, packet inspector, core switch with ACLs, end user switch, VPN concentrator, end user systems with HIDS, AV, NAC, etc., remote user, business critical assets)]

  17. Current Organizational Network Operations Challenges Existing Net Ops Technologies Do Their Jobs Fairly Well but Also Present Challenges: • Most Net Ops Monitoring Tools are SNMP Based “Noise Generators” Reporting an Event Occurred but Not Why The Event Occurred. • Sniffer Type Devices Are Expensive, Difficult to Deploy and Not Real-Time. • Almost All Net Ops Products Lack Contextual Awareness of the Network and Hosts. • Determining Root Cause of Most Events Requires Access to Multiple Consoles and Network Hardware CLI. • Sniffer Type Devices Require a Strong Level of Knowledge to Operate Correctly. • EMS/NMS and MoMs Are “Data Haystacks” Requiring Complex Rule Writing and Configuration While Not Being Effective for Real-time Analysis. • Continuous, Real-time Policy Monitoring is Practically Impossible Because of Technology Limitations. • Most Appliance Based Net Ops Tools are Segment-Based Not Delivering Global Visibility. NetFlow Offerings to Date are Extremely Limited. • The Tools Aren’t Integrated in Any Meaningful Way With Security Ops Tools Creating Points of Contention Between the Two Teams if Their Tools are Generating Conflicting Information. • None of These Technologies Deliver Global, Real-time Operational Awareness.

  18. The Traditional Network Ops Framework - SNMP and Sniffers [Diagram: the slide 14 topology with a Sniffer and an EMS/NMS/MoM in place of the SIEM (Internet, small and midsized branch offices, branch edge router, HQ edge router, packet filters, packet inspector, core switch with ACLs, end user switch, VPN concentrator, end user systems with HIDS, AV, NAC, etc., remote user, business critical assets)]

  19. How NBA Helps Solve Many Current Net Ops Challenges NBA Complements the Existing Net Ops Infrastructure, Delivering: • Enterprise-Wide Visibility Through NetFlow and sFlow, Enabling the Entire Network as a Sensor Grid. • NBA Systems Deliver Rich, Contextual Information Surrounding Events, Explaining WHY They Occurred. • NetFlow is Everywhere and Able to Deliver Meaningful Insight Into Host and Application Performance Throughout the Enterprise. • NBA Systems Deliver Rich and Meaningful Data About the Applications and Hosts as well as Host-to-Host Relationships, Group-to-Group Relationships, Service Distribution and Consumption and Detailed Network Interface Utilization, both at a Point-In-Time and as Long Term Trending. • Root Cause Analysis is Performed on the NBA System, not on Multiple Consoles. • The Intelligence of the NBA System is Built-In, Requiring Much Less Training to Deliver Useful Information. • NBA Uses a Limited Number of Data Feeds for Continuous Real-time Analysis, Not Requiring Complex Rule Writing and Not Becoming Overloaded with Massive Amounts of Data for Analysis. • NBA is Configured with Policies to Continuously Monitor Compliance with the AUP and Change Control. • NBA, Through Its Host, Traffic and Behavioral Profiling as well as NetFlow Analysis and Exporter Interface Information, is an Excellent Complementary Security Tool to the Existing Infrastructure.

  20. NBA’s Role in the Network Ops Infrastructure - Contextual Visibility [Diagram: the slide 18 topology with an EMS/NMS/MoM (Internet, small and midsized branch offices, branch edge router, HQ edge router, packet filters, packet inspector, core switch with ACLs, end user switch, VPN concentrator, end user systems with HIDS, AV, NAC, etc., remote user, business critical assets)]

  21. Current Organizational AUP Policy Monitoring Challenges Existing Policy Monitoring Technologies Do Their Jobs in a Mediocre Manner and Also Present Major Challenges: • Policy Monitoring and Enforcement is a Point by Point Proposition with Almost No Holistic Visibility Therefore Not Delivering Global, Real-time Compliance Monitoring. • Policy Definitions Are Configured on Different Devices with Different Capabilities and are Difficult to Deploy and Manage. • Almost All Policy Monitoring Products Are Myopic and Lack Contextual Awareness of the Network and Hosts. • Determining Root Cause of Most Policy Events Requires Access to Multiple Consoles for Multiple Products with Hugely Different Capabilities. • Maintaining AUP is Extremely Complex Because of the Constantly Evolving Nature of Networks and the Multitude and Variety of Policy Monitoring Products and Capabilities. • Policy Monitoring Tools are Still Very Immature and Limited in Scope. Deployment Creates Yet Another Monitoring Console and Touch Point. • Continuous, Real-time Policy Monitoring is Practically Impossible Because of Inherent Technology Limitations. • The Tools Aren’t Integrated in Any Meaningful Way With Security Ops OR Net Ops Tools Creating Points of Contention Between the Three Teams if Their Tools are Generating Conflicting Information.

  22. The Traditional AUP Monitoring Framework - Unique Points [Diagram: the slide 14 topology with a Policy Monitoring Tool in place of the SIEM (Internet, small and midsized branch offices, branch edge router, HQ edge router, packet filters, packet inspector, core switch with ACLs, end user switch, VPN concentrator, end user systems with HIDS, AV, NAC, etc., remote user, business critical assets)]

  23. NBA’s Role in Policy Management and Monitoring - Global Configuration Management and Monitoring

  24. NBA’s Role in the AUP Monitoring Framework - Global Configuration Management and Monitoring [Diagram: the slide 14 topology with a NetFlow Collector in place of the SIEM (Internet, small and midsized branch offices, branch edge router, HQ edge router, packet filters, packet inspector, core switch with ACLs, end user switch, VPN concentrator, end user systems with HIDS, AV, NAC, etc., remote user, business critical assets)]

  25. OR!!! - Highly Granular Configuration Management and Monitoring - Users, Groups, Applications [Diagram: the slide 24 topology with a NetFlow Collector (Internet, small and midsized branch offices, branch edge router, HQ edge router, packet filters, packet inspector, core switch with ACLs, end user switch, VPN concentrator, end user systems with HIDS, AV, NAC, etc., remote user, business critical assets)]

  26. NBA - What Other Benefits Does It Deliver? NBA Systems Offer a Large Variety of Other Beneficial Features: • Management Reporting for Alarms and Events, Host Behaviors Over Time, Service and Traffic Patterns, Etc. • User to IP Correlation Reporting for a More Complete Picture of Host and User Activity as well as Decreasing Event Remediation Time. • DHCP and MAC Correlation Reporting to Reduce Event Remediation Time and Add Additional Data Points to Profiled Hosts. • Closest Router Interface for Improved Troubleshooting and Remediation. • Other Associated Router Interfaces for Improved Troubleshooting and Remediation. • QoS Utilization Reporting using the DiffServ Field from the NetFlow Record. • Trending for Capacity Planning by Application, Host, Segment, Location and Network. • 802.1Q VLAN Tag Correlation for Improved Traffic Analysis. • MPLS Label Correlation for Improved Traffic Analysis. • BGP Traffic Reporting for Improved Understanding of External Traffic Origination and Destination. • Flexible and Extensible Flow Reporting for Additional, Easy to Add Features.

  27. NBA - In the Future NBA Systems Will Continue to Expand Their Features to Leverage Improvements in Flow Data Export: • Network Hardware Vendors will Seek to Leverage Flow Reporting to Include Much More Network Telemetry Data. • IP-SLA for Detailed Quality of Service Reporting. • NBAR for Deep Packet Inspection and Flow Application Tagging. • Flexible Packet Matching for Traffic Shaping. • Packet Payload Capture for Analysis by both NBA and Other Signature Based Tools. • Using NetFlow v9 to Export Data traditionally sent by other protocols - syslog, etc. • Using Flow Reporting Information to Improve Security and Remediation Through Other Protocols - ACT/TIDP/TMS

  28. That’s All Folks! Questions? Comments?

  29. The End Thank You Mark McDaniel mmcdaniel@lancope.com
