Is an attacker hidden in your network?Have your network under your control

Tomáš Šárocký, Channel Specialist

CloudSec • 29th of August • Seoul, South Korea

Agenda

Network Visibility

IT Operations

Network Performance Monitoring and Diagnostics

Application PerformanceMontoring

Security

Network BehavioralAnalysis

DDoS Detection & Mitigation

NPMD APM NBA DDoS

Security Approach

Prevention

Detection

Response

How do we secure our networks?

Technology Approaches

Network Visibility

& Security

Perimeter

Security

Endpoint

Security

DMZ VPN

LAN

Firewall

IDS/IPS

UTM

Application

firewall

Web filter

E-mail security

SSH Access

DMZ VPN

LANAntivirus

Personal Firewall

Antimalware

Endpoint DLP

Antirootkit

That is not enough anymore!

DMZ VPN

LAN

Network Visibility & Security

Why? What to use it for?

How you can effectively protect and manage something, if you

have no visibility into it?

Real Life ExamplesSecurity Incident

Advanced malware

I don‘t know what is happening

Most of us cannot access the Internet

In konference room is everything OK

And IS is working as well

That is weird…

There is no announcement in Zabbix

Servers and VPN are available

I will check and let you know

Advanced malware

78 port scans?

DNS anomalies?

Advanced malware

Let’s see the scans first

Ok, users cannot access web

Are the DNS anomalies related?

Advanced malware

Ok, which DNS is being used?

192.168.0.53? This is notebook!

How did this happen?

Advanced malware

Let’s look for the details…

Laptop 192.168.0.53 is doing

DHCP server in the network

Advanced malware

Malware infected device

Trying to redirect and bridge traffic

Probably to get sensitive data

What if

…the malware reallyworks?

from user perspective iseverything OK

malware have access to wholetraffic

malware have access to logininfo and passwords

…IT is not monitoring thetraffic?

problem would take severalhours of solving instead of 20

mins

if the malware works, theywould not even know…

Real Life ExamplesSecurity Incident

Traffic overview,

anomalies

detected

Attacker activity

(port scan, SSH

authentica-tion

attack)

Victim of the

attack, source of

anomalies

Attacker is looking

for potential victims

And starts SSH

attack

That turns

out to be

successful

Few minutes after

that breached

device

starts to

communicate with

botnet C&C

Botnet

identification using

Flowmon Threat

Intelligence

Flow data on

L2/L3/L4

Including L7

visibility

Full packet capture

and packet trace

(PCAP file)

Analysis of PCAP

file with botnet

C&C communica-

tion in Wireshark

Data exfiltration

command via

ICMP

Command to

discover RDP

servers

ICMP anomaly

traffic with payload

present

PCAP available,

what is the ICMP

payload?

Linux /etc/passwd

file with user

accounts and hash

of passwords

Looking for

Windows servers

with RDP

Attack against

RDP services

Network Against Threats

Flow monitoring including L7

Network Behavior AnalysisFull packet capture

Triggered by detection

Few More Real Life Examples

Stations from local network

under control of an attacker were

performing a DDoS attack on command from

C&C server.

Detected as an outgoing DDoS

attack.

Employee on a leave notice wassaving internal files to shared

disc of Yahoo. Itwas detected as

transfer highamount of data from LAN to the

Internet.

A serious incident after investigation

1. Copying file from shared filesystem

onto a compromised

device

2. The original file deleted from the shared filesystem

3. Upload of encrypted file back to the

shared filesystem

Network Behaviour AnalysisThe unknown is known

Anomaly Detection

▪ Network as a sensor concept (and enforcer)▪ blogs.cisco.com/enterprise/the-network-as-a-security-sensor-and-enforcer

Statistical analysisVolumetric DDoS detection

Advanced data analysis algorithmsDetection of non-volumetric anomalies

DDoS Anomaly detection

Detection Principles

Behavio

ur

Analy

sis Machine Learning

Adaptive Baselining

Heuristics

Behavior Patterns

Reputation Databases

Cloud Monitoring

Terminology

vs.

Cloud Delivery

Flowmon available in all major

platforms ready to be deployed in

a hybrid mode

Cloud Monitoring

To monitor the traffic comming to,

from, and within the cloud

environment

Flowmon Architecture

Flow export from

already deployed

devices

Flow data export +

L7 monitoring

Flow data

collection,

reporting, analysis

Flowmon modules for advanced flow data analysis

Questions?

Network Visibility

IT Operations

Network Performance Monitoring and Diagnostics

Application PerformanceMontoring

Security

Network BehavioralAnalysis

DDoS Detection & Mitigation

NPMD APM NBA DDoS

Summary: Security Approach

Prevention

Detection

Response

Live DEMO?

...on our booth

Flowmon Networks a.s.

Sochorova 3232/34

616 00 Brno, Czech Republic

www.flowmon.com

Thank youPerformance monitoring, visibility and security with a single solution

Tomáš Šárocký, Regional Sales Manager

tomas.sarocky@flowmon.com, +420 734 202 431