
Network Behavior Analysis: Improving Network Security, Operations and Application Availability

Charles Kaplan, Chief Security Strategist



Presentation Transcript


  1. Network Behavior Analysis: Improving Network Security, Operations and Application Availability. Charles Kaplan, Chief Security Strategist

  2. What the Industry is Saying • “NBA systems are near the top of the list for purchase intent in 2007, a big leap compared to 2006. A higher percentage of networking pros are increasing their spend on NBA than security pros, though both are high.” • “By year-end 2007, 25% of large enterprises will employ NBA as part of their network security strategy.” • “NBA is a Powerhouse for Providing Context into Network and Security Solutions” • “Without NBA, organizations are ‘flying blind.’” • “Network Behavior Analysis systems are the new foundation of Defense-in-Depth architectures.”

  3. Have you ever heard of NBA?

  4. So what is NBA? • “NBA provides network-wide visibility to understand how systems are used, who uses them, how systems connect to and depend on each other, and which ports and protocols systems connect over. Because they analyze the behavior of network traffic, NBAs provide protection from threats that other security systems cannot identify, such as insider attacks, unauthorized servers and services, zero-day attacks, etc. NBAs also ease the burden of regulatory compliance by reporting on network behaviors that did or did not occur.”

  5. So what is NBA? Network Security: protect critical services, data, and IP • Resolve incidents 7-10x faster • Discover unauthorized activities, users, applications or hosts • Detect/stop internal threats and malware • Establish/enforce policies to reduce the cost of compliance

  6. So what is NBA? Network Operations: optimize infrastructure to support the business • Troubleshoot performance issues 7-10x faster • Detect behavior changes that affect performance before they disrupt users • Analyze WAN usage to improve availability and reduce cost • Optimize and accelerate infrastructure change

  7. Typical network (diagram). Zones and controls shown: Internet, Partners, Employees, Firewall, Logs, IPS, SEM/SIM, ILP, NAC admittance test, NAC Quarantine (un-patched or no AV), Users (fully patched), Key Assets, Key data store (encrypted), NBA visibility

  8. Network Complexity Outpacing Tools • Network complexity: distributed applications, VoIP, SOA, virtualization, etc. • Network and security tools: link-based; structure vs. traffic; end points vs. flows; device status vs. applications and users; signature-based • NBA fills the gap: behavior, users, applications, traffic flows, threat detection

  9. What NBA Sees • Source: user, IP/MAC address, switch port, source UDP/TCP port, TCP flags • Destination: (user), IP/MAC address, switch port, destination UDP/TCP port, TCP flags • Conversation: start time/end time, path (each router/interface), # bytes/packets, IP protocol (UDP, TCP, etc.), application (Layer 7)

  10. Rapid, Agent-less Deployment (diagram): NBA covering the data center, corporate departments, regional locations and remote locations without host agents

  11. How NBA works • Continuous global visibility: what, where, when, who; what’s typical; what’s changed • Network Intelligence Database: real-time data, typical behavior, historical details • Inputs: flow & app data; users, applications, hosts, devices

  12. What is Typical? What is “typical behavior”? • Who talks to whom • Using what protocols and ports • Generating how much traffic • With what frequency • Who is the client, who is the server • Which days or time of day (held in the Network Intelligence Database: real-time data, typical behavior, historical details)

  13. Atypical Activity • Host scans • Port scans • Worm detection • New service/application • New host • Suspicious connection • DoS • Tunneled applications • P2P & spam bots • User-defined policy • Etc.
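As an added illustration (not code from the presentation or from any NBA product), the following Python builds the “typical behavior” baseline of slide 12 from constructed flow records carrying a subset of the slide 9 fields, then runs several of the slide 13 checks (new host, new service, suspicious connection, port scan, host scan) over a second constructed batch. The addresses, the traffic and the scan threshold are assumptions; a real baseline would also hold volumes, frequency and time-of-day, which are left out here.

```python
"""Toy network behaviour analysis over flow records, built on constructed sample data."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    """One flow record: a subset of the fields slide 9 lists (no path or TCP flags)."""
    ts: int        # start time in seconds (constructed)
    src: str       # source IP, treated as the client
    dst: str       # destination IP, treated as the server
    proto: str     # "tcp" or "udp"
    dport: int     # destination port, i.e. the service
    nbytes: int    # bytes carried by the flow


class Baseline:
    """'What is typical': which hosts exist, who serves what, who talks to whom."""

    def __init__(self, flows: List[Flow]) -> None:
        self.hosts: Set[str] = set()
        self.services: Set[Tuple[str, str, int]] = set()            # (dst, proto, dport)
        self.conversations: Set[Tuple[str, str, str, int]] = set()  # (src, dst, proto, dport)
        for f in flows:
            self.hosts.update((f.src, f.dst))
            self.services.add((f.dst, f.proto, f.dport))
            self.conversations.add((f.src, f.dst, f.proto, f.dport))


Alert = Tuple[str, str, str]  # (kind, subject, explanation)


def analyze(baseline: Baseline, flows: List[Flow], scan_threshold: int = 8) -> List[Alert]:
    """Compare new flows against the baseline; every alert carries a one-line explanation."""
    ports_per_pair: Dict[Tuple[str, str, str], Set[int]] = defaultdict(set)
    dsts_per_port: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)
    for f in flows:
        ports_per_pair[(f.src, f.dst, f.proto)].add(f.dport)
        dsts_per_port[(f.src, f.proto, f.dport)].add(f.dst)

    alerts: Dict[Tuple[str, str], str] = {}  # keyed on (kind, subject) so repeats collapse
    scanners: Set[str] = set()
    for (src, dst, proto), ports in ports_per_pair.items():
        if len(ports) >= scan_threshold:  # one source, one target, many ports
            scanners.add(src)
            alerts[("port_scan", src)] = f"{src} touched {len(ports)} distinct {proto} ports on {dst}"
    for (src, proto, dport), dsts in dsts_per_port.items():
        if len(dsts) >= scan_threshold:  # one source, one port, many targets
            scanners.add(src)
            alerts[("host_scan", src)] = f"{src} touched {proto}/{dport} on {len(dsts)} distinct hosts"

    for f in flows:
        if f.src not in baseline.hosts:
            # Only sources count as new hosts: a swept destination may not even exist.
            alerts[("new_host", f.src)] = f"{f.src} never sent traffic during the baseline"
            continue
        if f.src in scanners:
            continue  # the scan alert already explains these flows; avoid one alert per port
        service = (f.dst, f.proto, f.dport)
        conversation = (f.src, f.dst, f.proto, f.dport)
        if service not in baseline.services:
            alerts[("new_service", f"{f.dst}:{f.proto}/{f.dport}")] = f"{f.dst} began serving {f.proto}/{f.dport}"
        elif conversation not in baseline.conversations:
            alerts[("suspicious_connection", f"{f.src}->{f.dst}:{f.proto}/{f.dport}")] = (
                f"{f.src} had never talked to {f.dst} on {f.proto}/{f.dport}")
    return [(kind, subject, why) for (kind, subject), why in alerts.items()]


# Constructed "typical" traffic (assumed addresses, not real data).
BASELINE = [
    Flow(1, "10.0.1.10", "10.0.2.5", "tcp", 445, 12000),   # workstation -> file server
    Flow(2, "10.0.1.11", "10.0.2.5", "tcp", 445, 8000),
    Flow(3, "10.0.1.10", "10.0.2.6", "tcp", 443, 3000),    # workstation -> intranet web
    Flow(4, "10.0.2.6", "10.0.2.7", "tcp", 1433, 9000),    # web -> database
    Flow(5, "10.0.1.11", "10.0.2.8", "udp", 53, 200),      # workstation -> DNS
]

# Constructed "today" traffic seeded with atypical behaviour.
TODAY = [
    Flow(100, "10.0.1.10", "10.0.2.5", "tcp", 445, 11000),  # typical
    Flow(101, "10.0.1.11", "10.0.2.8", "udp", 53, 150),     # typical
    Flow(102, "10.0.1.10", "10.0.2.7", "tcp", 1433, 500),   # workstation straight to the DB
    Flow(103, "10.0.2.6", "10.0.2.9", "tcp", 25, 700),      # web server starts talking SMTP
    Flow(104, "10.0.3.50", "10.0.2.8", "udp", 53, 100),     # host never seen before
]
TODAY += [Flow(200 + i, "10.0.1.12", "10.0.2.5", "tcp", p, 60)        # port scan
          for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 443, 445, 3389])]
TODAY += [Flow(300 + i, "10.0.1.11", f"10.0.2.{i}", "tcp", 445, 60)  # host scan on 445
          for i in range(1, 13)]


def run() -> List[Alert]:
    return analyze(Baseline(BASELINE), TODAY)


if __name__ == "__main__":
    for kind, subject, why in run():
        print(f"{kind:22} {subject:32} {why}")
```

Running it yields six alerts: a port scan and a host scan, two new hosts (the scanner 10.0.1.12 and 10.0.3.50), a suspicious workstation-to-database connection and a new SMTP service. Each alert states why it fired, which is the “alert explanations versus black box” criterion of slide 30; running the baseline against itself produces no alerts.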

  14. Atypical Activity – Port Scanning

  15. Atypical Activity – Host Scanning

  16. Atypical Activity – Worm Event

  17. Atypical Activity – Printers Connecting to the Internet

  18. Lock down SMTP

  19. Detect suspect activity from credentialed users – massive TFTP download

  20. Tighten up FW policies

  21. WHO Is Logged In? WHAT Applications Are Running?

  22. Does anyone use this port? (Finding shown: tcp/445 is in active use, so it is not safe to block it.)

  23. Tackle the fallout from M&A: the network map on file vs. the network as running in production

  24. Compliance: 66% failed “Build and Maintain a Secure Network” (the PCI DSS control objective covering firewall configuration and vendor defaults). Source: VeriSign 2006 paper, “Lessons Learned: Top Reasons for PCI Audit Failure and How to Avoid Them”

  25. Who talks with our PCI/SOX/xxx regulated asset server? Identify who talks to a regulated asset

  26. Who talks with our PCI/SOX/xxx regulated asset server? Represent dependencies; identify who talks to a regulated asset

  27. Prove the positive or the negative to auditors
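Slides 22 and 25 to 27 are screenshots of queries against the flow store. As an added example, not the presentation’s own code or any product’s query language, the Python below answers the same three questions over constructed flow records: who uses a given port (so you know whether blocking it is safe), what a regulated asset’s clients and dependencies are, and the positive/negative proof for an auditor (which permitted clients were seen, and which connections fall outside the allowed set). The addresses, the PCI-scoped server and the allowed-client policy are assumptions.

```python
"""Who-talks-to-what queries over flow records, on constructed sample data."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src: str     # client IP
    dst: str     # server IP
    proto: str   # "tcp" or "udp"
    dport: int   # service port
    nbytes: int  # bytes carried


# Constructed flows; 10.0.2.20 stands in for a PCI-scoped card-data server (assumed).
FLOWS = [
    Flow("10.0.1.10", "10.0.2.5", "tcp", 445, 12000),   # workstation -> file server
    Flow("10.0.1.11", "10.0.2.5", "tcp", 445, 8000),
    Flow("10.0.4.2", "10.0.2.20", "tcp", 443, 50000),   # POS gateway -> card-data server
    Flow("10.0.4.3", "10.0.2.20", "tcp", 443, 42000),
    Flow("10.0.1.10", "10.0.2.20", "tcp", 3389, 900),   # workstation RDP into the regulated server
    Flow("10.0.2.20", "10.0.2.7", "tcp", 1433, 70000),  # card-data server -> database
    Flow("10.0.2.20", "10.0.2.8", "udp", 53, 300),      # card-data server -> DNS
]


def who_uses_port(flows: Iterable[Flow], proto: str, port: int) -> Dict[str, Set[str]]:
    """Server -> clients observed on proto/port. An empty dict means nobody uses it."""
    users: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.proto == proto and f.dport == port:
            users[f.dst].add(f.src)
    return dict(users)


def dependency_map(flows: Iterable[Flow], asset: str) -> Dict[str, Dict[str, int]]:
    """Who connects to the asset (and over which service) and what the asset itself depends on."""
    clients: Dict[str, int] = defaultdict(int)     # "client proto/port" -> bytes
    depends_on: Dict[str, int] = defaultdict(int)  # "server proto/port" -> bytes
    for f in flows:
        if f.dst == asset:
            clients[f"{f.src} {f.proto}/{f.dport}"] += f.nbytes
        elif f.src == asset:
            depends_on[f"{f.dst} {f.proto}/{f.dport}"] += f.nbytes
    return {"clients": dict(clients), "depends_on": dict(depends_on)}


def prove(flows: Iterable[Flow], asset: str,
          allowed: Set[Tuple[str, str, int]]) -> Dict[str, List[str]]:
    """Positive: permitted (client, proto, port) triples actually seen.
    Negative: connections to the asset that the policy does not allow."""
    seen = {(f.src, f.proto, f.dport) for f in flows if f.dst == asset}
    fmt = lambda c, p, d: f"{c} {p}/{d}"
    return {
        "permitted_seen": sorted(fmt(*t) for t in seen & allowed),
        "violations": sorted(fmt(*t) for t in seen - allowed),
    }


if __name__ == "__main__":
    print("tcp/445 users:", who_uses_port(FLOWS, "tcp", 445))
    print("card-data server:", dependency_map(FLOWS, "10.0.2.20"))
    policy = {("10.0.4.2", "tcp", 443), ("10.0.4.3", "tcp", 443)}  # assumed allowed clients
    print("audit:", prove(FLOWS, "10.0.2.20", policy))
```

With this data the tcp/445 query returns two workstations on the file server, so the port cannot simply be blocked; the dependency map shows the card-data server is reached over 443 and 3389 and itself depends on the database and DNS; and the audit view lists the two permitted POS gateways and flags the workstation RDP session as the one connection outside policy.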

  28. NBA: filling the gap • Network complexity: distributed applications, VoIP, SOA, virtualization, etc. • Network and security tools: link-based; structure vs. traffic; end points vs. flows; device status vs. applications and users; signature-based • NBA fills the gap: behavior, users, applications, traffic flows, threat detection

  29. How to shop for NBA (objective → benefit) • Rapidly resolve issues → know who/what/where/when • Fastest time-to-value → rapid, cost-effective deployment • Detect issues before they disrupt users → detect meaningful change • Leverage existing investment → intelligent integration with existing products

  30. Details that matter • Detection means and accuracy: behavior-based threat detection; business-cycle aware; dynamic/self-maintaining baseline; policy monitoring and enforcement • Operational effectiveness: alert explanations versus black box; integration to infrastructure & processes; enterprise-wide inter-zone visibility • Other considerations: historical context / NAS; application discovery and profiling; topology-based profiling and reporting

  31. Thank You
