Is an attacker hidden in your network?
Have your network under your control
Tomáš Šárocký, Channel Specialist
CloudSec • 29th of August • Seoul, South Korea
Agenda
Network Visibility
▪ IT Operations: Network Performance Monitoring and Diagnostics (NPMD), Application Performance Monitoring (APM)
▪ Security: Network Behavioral Analysis (NBA), DDoS Detection & Mitigation (DDoS)
Security Approach
Prevention
Detection
Response
How do we secure our networks?
Technology Approaches
Perimeter Security (DMZ, VPN, LAN)
▪ Firewall
▪ IDS/IPS
▪ UTM
▪ Application firewall
▪ Web filter
▪ E-mail security
▪ SSH access
Endpoint Security (DMZ, VPN, LAN)
▪ Antivirus
▪ Personal firewall
▪ Antimalware
▪ Endpoint DLP
▪ Antirootkit
That is not enough anymore!
Network Visibility & Security (DMZ, VPN, LAN)
Why? What to use it for?
How can you effectively protect and manage something you have no visibility into?
Real Life Examples: Security Incident
Advanced malware
I don't know what is happening
Most of us cannot access the Internet
In the conference room everything is OK
And the IS is working as well
That is weird…
There is no alert in Zabbix
Servers and VPN are available
I will check and let you know
78 port scans?
DNS anomalies?
Let's see the scans first
OK, users cannot access the web
Are the DNS anomalies related?
OK, which DNS is being used?
192.168.0.53? This is a notebook!
How did this happen?
Let's look for the details…
Laptop 192.168.0.53 is acting as a DHCP server in the network
Malware-infected device
Trying to redirect and bridge traffic
Probably to get sensitive data
What if…
…the malware really works?
▪ from the user's perspective everything is OK
▪ the malware has access to the whole traffic
▪ the malware has access to login info and passwords
…IT is not monitoring the traffic?
▪ the problem would take several hours to solve instead of 20 minutes
▪ if the malware works, they would not even know…
Real Life Examples: Security Incident
Traffic overview: anomalies detected.
Attacker activity (port scan, SSH authentication attack) against the victim of the attack, which then becomes the source of the anomalies.
The attacker is looking for potential victims and starts an SSH attack that turns out to be successful.
A few minutes after that, the breached device starts to communicate with a botnet C&C.
Botnet identification using Flowmon Threat Intelligence.
Flow data on L2/L3/L4, including L7 visibility.
Full packet capture and packet trace (PCAP file).
Analysis of the PCAP file with botnet C&C communication in Wireshark:
▪ data exfiltration command via ICMP
▪ command to discover RDP servers
ICMP anomaly: traffic with payload present. PCAP available, so what is the ICMP payload? The Linux /etc/passwd file with user accounts and password hashes (on current distributions the hashes live in /etc/shadow, so a leaked /etc/passwd mainly hands the attacker the account list).
Looking for Windows servers with RDP, then an attack against the RDP services.
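The PCAP step above is where the ICMP payload was recognised as /etc/passwd. The following is an added example, not Flowmon or Wireshark code: it parses raw IPv4/ICMP frames and flags echo payloads that do not look like ordinary ping padding, including a check for /etc/passwd-style lines. The frames are constructed inline, the "normal" payload sizes (32 bytes for Windows ping, 56 for Linux ping) and the 90 % printable-text threshold are assumptions to tune per site.

```python
"""ICMP payload inspection for exfiltration over echo requests/replies."""
import re
import socket
import struct

# Assumption: payload sizes considered ordinary for ping traffic on this network.
COMMON_PING_SIZES = {0, 32, 56}
# user:passwd:uid:gid:gecos:home:shell, one line per account
PASSWD_LINE = re.compile(
    rb"^[A-Za-z_][A-Za-z0-9_.-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^\n]*$", re.M)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum shared by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, payload: bytes, ident=0x1234, seq=1) -> bytes:
    """Constructed IPv4 + ICMP echo request frame (no link-layer header)."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    icmp = struct.pack("!BBHHH", 8, 0, inet_checksum(hdr + payload), ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]  # header checksum
    return ip + icmp


def parse_icmp(frame: bytes):
    """Return the ICMP fields of an IPv4 frame, or None if it is not ICMP."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1:  # IP protocol number 1 = ICMP
        return None
    icmp = frame[ihl:]
    typ, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": socket.inet_ntoa(frame[12:16]), "dst": socket.inet_ntoa(frame[16:20]),
            "type": typ, "code": code, "id": ident, "seq": seq,
            "checksum_ok": inet_checksum(icmp) == 0, "payload": icmp[8:]}


def inspect_payload(payload: bytes):
    """List the reasons an echo payload looks like something other than padding."""
    reasons = []
    if len(payload) not in COMMON_PING_SIZES:
        reasons.append("unusual payload length %d" % len(payload))
    if payload:
        text = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
        if text / len(payload) > 0.9:
            reasons.append("payload is mostly printable text")
    if PASSWD_LINE.search(payload):
        reasons.append("looks like /etc/passwd content")
    return reasons


def analyse_capture(frames):
    """Run the payload checks over every ICMP echo request/reply in a capture."""
    findings = []
    for frame in frames:
        pkt = parse_icmp(frame)
        if pkt is None or pkt["type"] not in (0, 8):
            continue
        reasons = inspect_payload(pkt["payload"])
        if reasons:
            findings.append({"src": pkt["src"], "dst": pkt["dst"], "reasons": reasons})
    return findings


def sample_capture():
    """Constructed frames: one ordinary Linux ping, one echo carrying /etc/passwd."""
    ping = b"\x5e\x1a\x2b\x3c\x00\x0d\x5a\x11" + bytes(range(0x10, 0x40))  # 8-byte timestamp + pattern
    leaked = (b"root:$6$saltsalt$Hashhash:0:0:root:/root:/bin/bash\n"
              b"backup:$6$saltsalt$Hashhash:34:34:backup:/var/backups:/usr/sbin/nologin\n")
    return [build_icmp_echo("192.168.0.20", "8.8.8.8", ping),
            build_icmp_echo("192.168.0.10", "203.0.113.7", leaked)]


if __name__ == "__main__":
    for f in analyse_capture(sample_capture()):
        print(f["src"], "->", f["dst"], ":", "; ".join(f["reasons"]))
```

With real traffic the frames would come from the PCAP that the full packet capture produced; the parser only needs the IPv4 layer, so strip the Ethernet header first.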
Network Against Threats
▪ Flow monitoring including L7
▪ Network Behavior Analysis
▪ Full packet capture triggered by detection
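Both incidents above were spotted from flow data before anyone looked at a packet: a laptop answering DHCP and DNS for the LAN in the first, a port scan followed by SSH password guessing in the second. The block below is an added example, not Flowmon's detection logic, showing the minimal network behaviour analysis a practitioner would write over NetFlow/IPFIX-style records. The record fields, the list of authorised DHCP/DNS servers, the thresholds and the sample flows are all constructed assumptions.

```python
"""Flow-based behaviour checks: rogue DHCP/DNS, port scan, SSH brute force."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (subset of NetFlow v5/IPFIX fields)."""
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    packets: int


# Assumption: the inventory of servers allowed to answer DHCP and DNS on this LAN.
AUTHORIZED_DHCP = {"192.168.0.1"}
AUTHORIZED_DNS = {"192.168.0.1", "192.168.0.2"}


def rogue_dhcp_servers(flows):
    """A host sending from UDP/67 is acting as a DHCP server (the laptop in incident one)."""
    return sorted({f.src for f in flows
                   if f.proto == "udp" and f.sport == 67 and f.src not in AUTHORIZED_DHCP})


def rogue_dns_servers(flows):
    """Clients resolving against a host that is not an authorised resolver."""
    return sorted({f.dst for f in flows
                   if f.proto == "udp" and f.dport == 53 and f.dst not in AUTHORIZED_DNS})


def port_scanners(flows, min_ports=20):
    """One source touching many distinct host:port pairs with 1-2 packets each."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.packets <= 2:
            targets[f.src].add((f.dst, f.dport))
    return sorted(src for src, t in targets.items() if len(t) >= min_ports)


def ssh_bruteforce(flows, min_attempts=30, max_packets=20):
    """Many short TCP/22 flows between one source and one destination.

    A real login session carries far more packets; failed guesses are short.
    """
    attempts = Counter((f.src, f.dst) for f in flows
                       if f.proto == "tcp" and f.dport == 22 and f.packets <= max_packets)
    return sorted(pair for pair, n in attempts.items() if n >= min_attempts)


def analyse(flows):
    """Run every check and return the findings keyed by detection name."""
    return {"rogue_dhcp": rogue_dhcp_servers(flows),
            "rogue_dns": rogue_dns_servers(flows),
            "port_scan": port_scanners(flows),
            "ssh_bruteforce": ssh_bruteforce(flows)}


def sample_flows():
    """Constructed records, not real traffic."""
    flows = [
        # legitimate DHCP offer, DNS query, admin SSH session and HTTPS
        Flow("192.168.0.1", "192.168.0.20", "udp", 67, 68, 1),
        Flow("192.168.0.20", "192.168.0.1", "udp", 51000, 53, 1),
        Flow("192.168.0.20", "192.168.0.10", "tcp", 52000, 22, 500),
        Flow("192.168.0.20", "93.184.216.34", "tcp", 52001, 443, 120),
        # incident one: infected laptop answering DHCP and DNS for other clients
        Flow("192.168.0.53", "192.168.0.21", "udp", 67, 68, 1),
        Flow("192.168.0.21", "192.168.0.53", "udp", 51001, 53, 1),
        Flow("192.168.0.22", "192.168.0.53", "udp", 51002, 53, 1),
    ]
    # incident two: scan of 78 ports on one server, then SSH password guessing
    flows += [Flow("10.0.0.99", "192.168.0.10", "tcp", 40000 + p, p, 1) for p in range(1, 79)]
    flows += [Flow("10.0.0.99", "192.168.0.10", "tcp", 41000 + i, 22, 12) for i in range(40)]
    return flows


if __name__ == "__main__":
    for name, hits in analyse(sample_flows()).items():
        print(f"{name}: {hits}")
```

The rogue DHCP/DNS checks are pure allow-list comparisons, which is why they fire instantly; the scan and brute-force checks are thresholds that have to be tuned against what normal administrators do on the network.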
Few More Real Life Examples
Stations from the local network under the control of an attacker were performing a DDoS attack on command from a C&C server. Detected as an outgoing DDoS attack.
An employee who had given notice was saving internal files to a Yahoo shared drive. It was detected as a transfer of a high amount of data from the LAN to the Internet.
A serious incident after investigation:
1. Copying a file from the shared filesystem onto a compromised device
2. The original file deleted from the shared filesystem
3. Upload of the encrypted file back to the shared filesystem
Network Behaviour Analysis: The unknown is known
Anomaly Detection
▪ Network as a sensor concept (and enforcer): blogs.cisco.com/enterprise/the-network-as-a-security-sensor-and-enforcer
▪ Statistical analysis: volumetric DDoS detection
▪ Advanced data analysis algorithms: detection of non-volumetric anomalies
Detection Principles
▪ Behaviour Analysis
▪ Machine Learning
▪ Adaptive Baselining
▪ Heuristics
▪ Behavior Patterns
▪ Reputation Databases
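Adaptive baselining is the principle behind the statistical, volumetric detections listed above (including the outgoing DDoS case earlier in the deck). The following is an added example, not Flowmon's algorithm: an exponentially weighted baseline of one entity's traffic rate with a deviation threshold, including two details a practitioner wants, a floor on the standard deviation so a very quiet host does not alert on every small change, and not learning from the bins that were flagged, so the attack cannot drag the baseline up. The smoothing factor, threshold multiplier and sample series are assumptions.

```python
"""Adaptive baselining for volumetric anomaly detection (one entity, one metric)."""
import random


def detect_volumetric_anomalies(samples, alpha=0.1, k=4.0, rel_floor=0.05,
                                min_rate=0.0, warmup=10):
    """Return indices of bins whose rate exceeds the adaptive baseline.

    samples   - traffic rate per time bin (e.g. bytes/s per 5 min) for one host or subnet
    alpha     - EWMA smoothing factor; smaller adapts more slowly to change
    k         - standard deviations above the baseline treated as anomalous
    rel_floor - minimum std dev as a fraction of the mean (quiet-baseline guard)
    min_rate  - ignore bins below this absolute rate (idle hosts are not DDoS sources)
    warmup    - bins used to learn the baseline before any alert is raised
    """
    mean = float(samples[0])
    var = 0.0
    flagged = []
    for i, x in enumerate(samples):
        if i >= warmup:
            std = max(var ** 0.5, rel_floor * mean)
            if x > mean + k * std and x >= min_rate:
                flagged.append(i)
                continue  # do not let attack traffic pull the baseline upwards
        diff = x - mean
        mean += alpha * diff
        var = (1 - alpha) * (var + alpha * diff * diff)
    return flagged


def sample_series():
    """Constructed bytes/s series: ~1 MB/s with noise, one flood at bin 40, slow growth later."""
    rng = random.Random(42)
    series = [1_000_000 + rng.uniform(-50_000, 50_000) for _ in range(100)]
    series[40] = 40_000_000           # volumetric flood, e.g. a bot taking part in an outgoing DDoS
    for i in range(60, 80):           # 1 %/bin growth: legitimate, should track without alerting
        series[i] = series[i - 1] * 1.01
    return series


if __name__ == "__main__":
    series = sample_series()
    for idx in detect_volumetric_anomalies(series):
        print(f"bin {idx}: {series[idx]:,.0f} B/s exceeds adaptive baseline")
```

The slow 1 % per bin growth is followed by the baseline and never alerts, while the single flood bin is flagged and excluded from learning; with a fixed threshold you would have to choose between missing the flood on a busy host and paging on the growth of a quiet one.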
Cloud Monitoring
Terminology: Cloud Delivery vs. Cloud Monitoring
▪ Cloud Delivery: Flowmon is available on all major platforms, ready to be deployed in a hybrid mode
▪ Cloud Monitoring: monitoring the traffic coming to, from, and within the cloud environment
Flowmon Architecture
▪ Flow export from already deployed devices
▪ Flow data export + L7 monitoring
▪ Flow data collection, reporting, analysis
▪ Flowmon modules for advanced flow data analysis
Questions?
Summary: Security Approach
Prevention
Detection
Response
Live DEMO?
…at our booth
Flowmon Networks a.s.
Sochorova 3232/34
616 00 Brno, Czech Republic
www.flowmon.com
Thank you
Performance monitoring, visibility and security with a single solution
Tomáš Šárocký, Regional Sales Manager
tomas.sarocky@flowmon.com, +420 734 202 431