Decreasing Incident Response Time______________________________

Benefits of Packet Capture & Real-time NetFlow Generation

Boni Bruno, CISSP, CISM, CGEITTechnical Director

2 Copyright © 2014

You Just Suffered a Major Security Breach!

What Happened?!

Who Was Affected?!

When Will It Be Fixed?!

3 Questions Your IT Staff Better Answer in the First 8 Hours!!

Could Your Current SEM/SIEM Tools Cover You for this Security Breach?

3 Copyright © 2014

Suspect

Identify

Mitigate

Impact

Tools Fixed

Permanent Protection

Security Incident Lifecycle

4 Copyright © 2014

Security Incident Lifecycle

Unique EventCan lead to repetitive events if not correctly identified…

5 Copyright © 2014

Security Incident Lifecycle

6 Copyright © 2014

Security Incident Lifecycle

Reduced Frequency

Minimize Scope of Impact

FasterRemediation

ID Root Cause

7 Copyright © 2014

Security Architecture

Full ContentRepository

Current SecurityInfrastructure:

• Firewall

• IDS/IPS

• DLP

End Point Security

Events

pcaps

Event-driven “snippets”and/or

ALL traffic recorded into a rolling buffer

Alarm

Search &Analysis

Event / LogRepository

Packet Storage

SIEM (Security Info & Event Mgmt)

Packet Capture

8 Copyright © 2014

SIEM Integration via RESTful API

Visibility & recording infrastructure for high-speed networks

Endace provides 100% accurate network recording at 1Gbps to 100Gbps!!!

10 Copyright © 2014

Next-Generation EndaceDAG Overview

Multiple Network Monitoring Interfaces-TDM/PDH T1/E1-DS3/E3- 10/100/1000/10G Ethernet- SONET/SDH OC-3 to OC-768c- Infiniband x4 SDR and DDR

Premium-Telco, high-end gov’t users and appliance OEMs

Standard-HFT, market, appliance OEMs

Basic- Low-end gov’t users, analytics

Dual-Port 10GbE-Basic and standard

Dual and quad port 10GbE-Standard and premium

Single-Port 40GbE-Future/upgrade to quad port

Designed for data capture applications

requiring 100% network data capture

Three “Feature Bundles”

Three ProductConfigurations

Low Overhead

Zero Loss Capture

Hardware Time Stamps

Global Clock Synch

In-Band Metadata

Classification/filtering

Load Balancing

11 Copyright © 2014

Endace Network Visibility Infrastructure

Network Visibility Headend

Allows EndaceProbe INRs/ODE to scale to 40 and

100GbE

EndaceAccess™Network Visibility

Headend

Endace OpenHosting Platform

(ODE)

High Performance Intelligent Network Recording

Up to 64 TB storageMix of 1 and 10GbE ports

EndaceProbe™ Intelligent Network

Recorder

EndaceFlow™ NetFlow Generator

Appliance (NGA)

Hosting Platform for Monitoring Applications

8x1GbE or 4x10GbE PortsUp to 16 TB internal storage;

Fibre Channel support for SAN

High-Speed NetFlow Generation for 10GbE

Networks

4x10GbE Ports

EndaceProbe: Provides 100% packet

capture on 10Gb Ethernet links

NetFlow Generator: Generate unsampled

netflows from 1GbE/10GbE links

EndaceAccess: Load-balances

40Gb/100Gb links across multiple INRs

Endace ODE: Provide packets for

hosted 3rd party applications

12 Copyright © 2014

The Endace Probe Solution

13 Copyright © 2014

Monitoring and Recording Fabrics

14 Copyright © 2014

100% Packet Capture means 100% Network Visibility

15 Copyright © 2014

Can you Pinpoint Microbursts Occurring on your Network?

16 Copyright © 2014

Can you Identify Applications Running on your Network?

17 Copyright © 2014

Can you Identify Traffic Changes Over Time?

18 Copyright © 2014

Can you see Conversations on the Network?

19 Copyright © 2014

Search through Packets in a Browser!

20 Copyright © 2014

100Gbps Packet Capture…

21 Copyright © 2014

Time Synchronization

23 Copyright © 2013

NetFlow – The New Way!!!

24 Copyright © 2013

NetFlow – The New Way!!!

25 Copyright © 2013

26 Copyright © 2013