Network security analytics today …and tomorrow

NETWORK SECURITY ANALYTICS TODAY AND TOMORROW
Aubrey Merchant-Dest, Director, Security Strategies (OCT)
June 2014
Copyright 2014 Blue Coat Systems Inc. All Rights Reserved.

BRIEF HISTORY OF NETWORK ANALYSIS

Before NetFlow:
- Sniffers: troubleshooting network applications. Very expensive! Then came Ethereal/Wireshark.
- SNMP: capacity planning, ensuring business continuity, adequate QoS for service levels. Little traffic characterization; no granular understanding of network bandwidth.
- This is how we did troubleshooting back in the day. Still useful nowadays (Wireshark).

ENTER NETFLOW

NetFlow appears:
- Developed by Cisco in 1995; ASIC based; Catalyst Operating System.
- Answered useful questions: what, when, where and how.
- Became the primary network accounting and anomaly-detection tool.
- Addressed the following: network utilization; QoS/CoS validation; host communications; traffic anomaly detection via threshold triggering.
- Generally statistical reporting: no 1:1 unless a dedicated device is present. Statistical reporting is highly accurate, but not extensible.

REPRESENTATIVE NETFLOW INTERFACE (PLIXER)

(Figure: Plixer NetFlow interface.) Note: based on well-known ports.
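The two NetFlow uses named on this slide, host communication accounting and "traffic anomaly detection via threshold triggering", are easy to show on flow summaries; the same code produces the top-n talkers view that the flow reporting slide describes. This is an added example, not code from the deck or from Blue Coat: the flow tuples are constructed, and the (interval, src, dst, port, bytes) shape is my own reduction of a flow export, not a NetFlow or IPFIX template.

```python
"""Top-N talkers and threshold-triggered anomaly alarms over NetFlow-style
records. Added example; records and field shape are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-interval flow summaries: (interval, src_ip, dst_ip, dst_port, bytes).
# Intervals 0-3 are a quiet baseline; in interval 4 host 10.1.1.7 pushes a large
# volume to a new external address, and 10.1.1.9 is seen for the first time.
FLOWS = [
    (0, "10.1.1.5", "10.1.1.2", 53, 180),
    (0, "10.1.1.7", "93.184.216.34", 443, 42_000),
    (1, "10.1.1.5", "10.1.1.2", 53, 210),
    (1, "10.1.1.7", "93.184.216.34", 443, 39_500),
    (2, "10.1.1.5", "10.1.1.2", 53, 190),
    (2, "10.1.1.7", "93.184.216.34", 443, 41_200),
    (3, "10.1.1.5", "10.1.1.2", 53, 205),
    (3, "10.1.1.7", "93.184.216.34", 443, 40_300),
    (4, "10.1.1.5", "10.1.1.2", 53, 195),
    (4, "10.1.1.7", "198.51.100.20", 443, 6_400_000),
    (4, "10.1.1.9", "10.1.1.2", 53, 300),
    (4, "10.1.1.9", "203.0.113.8", 80, 120_000),
]


def bytes_per_host(flows, interval):
    """Total bytes sent by each source host within one reporting interval."""
    totals = defaultdict(int)
    for iv, src, _dst, _port, nbytes in flows:
        if iv == interval:
            totals[src] += nbytes
    return dict(totals)


def top_talkers(flows, interval, n=3):
    """The n busiest source hosts in an interval, largest first."""
    totals = bytes_per_host(flows, interval)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def threshold_alarms(flows, current, history, k=3.0, floor=1_000):
    """Flag hosts whose bytes in `current` exceed mean + k * stdev of their
    per-interval totals over the `history` intervals. `floor` keeps a host
    with a tiny, flat baseline from alarming on a few hundred bytes of
    noise. A host with no history at all is reported as 'new' rather than
    scored, which is itself worth a look (unknown is interesting too)."""
    now = bytes_per_host(flows, current)
    alarms = {}
    for host, nbytes in now.items():
        past = [bytes_per_host(flows, iv).get(host, 0) for iv in history]
        if not any(past):
            alarms[host] = "new"
            continue
        limit = max(mean(past) + k * pstdev(past), floor)
        if nbytes > limit:
            alarms[host] = "threshold"
    return alarms


if __name__ == "__main__":
    print("top talkers, interval 4:", top_talkers(FLOWS, 4))
    print("alarms, interval 4 vs 0-3:", threshold_alarms(FLOWS, 4, range(4)))
```

The baseline is per host rather than global, because a backup server and a workstation have very different normal volumes; a single site-wide threshold would either page constantly or miss the workstation entirely.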

IPFIX OFFERS ADVANCEMENTS

- The IETF chooses NetFlow v9 as the standard in 2003; IPFIX is born (Flexible NetFlow).
- Flexible, customizable templates; new data fields.
- Unidirectional protocol for export: Exporter -> Collector.
- Data format for efficient flow record collection: similar format/structure; self-describing; uses templates.
- Purpose: the collector analyzes flow records (conversations, volumes, AS, and hundreds of other information elements).
- A sensor in each switch or router: great visibility, even in flat networks; scales great.

NETWORK FLOW REPORTING (THRESHOLD ALARMS)

Useful for:
- Profiling your network: what and how much; who's talking to whom; top or bottom n talkers.
- Understanding application utilization: protocol distribution; performance of QoS policy.
- Troubleshooting, capacity planning, network security.
- A useful source of analytics over time.

WHY THE PRIMER ON FLOW DATA?

(Figure: "Today's Typical Enterprise". Controls shown: Host Firewall, Adv. Threat Protection, URL Filtering, Anti-Spam, Encryption, VPN, Email Security, Web Gateway, SIEM, IPS, Next-Gen Firewall, DLP, NAC, Visibility. Goals: Confidentiality, Integrity, Availability, Context. Threat sources: Inside Threats, Hacktivists, Nation States, Cybercriminals.)

Today's typical enterprise:
- Is under attack from multiple sources with varying motivations.
- Either has, or is budgeting for, current technology.
- Is managing GRC; focused on passing audits and protecting assets.
- Has one or more individuals focused on security.
- Is supporting multiple OSes and compute surfaces.

Today's security gap: we need more context to stay in this fight!!!

POST-PREVENTION SECURITY GAP

(Figure. Signature-based defense-in-depth tools: Web Application Firewall, DLP, Email Gateway, SIEM, Web Gateway, Host AV, IDS/IPS, NGFW, SSL. They cover known IPs/URLs, known attacks, known malware, known threats and files. Threat actors: Hacktivists, Cybercriminals, Nation States, Insider Threats. Modern tactics and techniques: targeted attacks, zero-day threats, novel malware, advanced threats. The post-prevention gap between traditional and advanced threats is addressed by Advanced Threat Protection: content detection, analytics, context, visibility, analysis, intelligence.)

TIME AND THE WINDOW OF OPPORTUNITY

- Initial attack to compromise: compromised in days or less, 90%.
- Initial compromise to discovery: discovered in days or less, 25%.

"Bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays." (Verizon 2014 Breach Investigation Report)

POST-PREVENTION SECURITY GAP

60%: percentage of enterprise IT security budgets allocated to rapid response approaches by 2020. (Gartner 2014)

GARTNER: ADAPTIVE SECURITY ARCHITECTURE

(Figure. Source: Gartner, February 2014.)

DPI AND PROTOCOL PARSING

Deep packet inspection comes in at least two flavors:
- Shallow packet inspection: limited flow inspection (i.e., GET); magic byte value @ offset; provides improved classification; may or may not use port numbers for some classification.
- Deep flow inspection (DPI+++): interrogates network-based conversations; no usage of port numbers for classification; state-transitioned classification; supports re-classification; treats applications as protocols! (wire-view); implements a parsing mechanism; performs reconstruction (post-process or NRT); allows extraction of artifacts (files, images, etc.).

BENEFITS OF ADVANCED PARSERS

- Re-entrant: protocols in protocols.
- State-transitioning: efficient decoding; look for metadata only where it should be.
- Conversation-based classification: interrogate request and response.
- Extraction: NRT or post-process artifact reconstruction; policy-based rules.

CORRELATION: TEMPORAL & FLOW_ID

Any-to-any relationship (from any one to any/every other).

DEEP CONTEXT VIA EXTRACTED METADATA (also: DRILL-DOWN ON CONTEXT, CORRELATED CONTEXT)

What we have at our disposal:
- Precise application classification: classified or unknown. Unknown is interesting, too!
- Metadata: flow-based; inter-relational.

EXAMPLE FLOW RECORD

6/2/14 9:40:23.000 PM

    timestamp=Jun 02 2014 21:40:23PM,
    dns=gpnouarwexr.www.qianyaso.net,gpnouarwexr.www.qianyaso.net,
    application_id=udp,
    application_id_2=dns,
    connection_flags=unknown,
    first_slot_id=23063,
    flow_id=20495454,
    initiator_country=Azerbaijan,
    src_ip=149.255.151.9,
    src_port=46614,
    interface=eth3,
    ip_bad_csums=0,
    ip_fragments=0,
    network_layer=ipv4,
    transport_layer=udp,
    packet_count=2,
    protocol_family=Network Service,
    responder_country=N/A,
    dst_ip=10.50.165.3,
    dst_port=53,
    start_time=1401766596:327447386,
    stop_time=1401766611:597447252,
    total_bytes=176

FULL-STATE DPI PARSERS DRIVE ANALYTICS

NRT and post-process reconstruction benefits:
- Hashes: fuzzy, MD5, SHA.
- Automated reputation: VirusTotal; other details (domain age, WHOIS, SORBS, SANS); 3rd-party plugins.
- Automated delivery: policy-based reconstruction and delivery; sandbox; additional processing with other tools.

INVESTIGATION

- A malicious ZIP file is detected.
- Use flow records to link the HTTP source (root).
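The first investigation step, walking from a detected file back to the HTTP flow that carried it and then to the flows around it, is the flow_id plus temporal correlation of the earlier slide applied to records in the format shown above. This is an added example, not the deck's or Blue Coat's code: the first record is the one printed on the slide, the DNS, HTTP and file-analysis records after it are constructed, and the file-analysis field names (artifact_type, file_name, sha1) are assumed, not a vendor schema.

```python
"""Parse key=value flow records like the EXAMPLE FLOW RECORD slide and
correlate them by flow_id and by time. Added example; all records except
the first are constructed, and the file-analysis fields are assumed."""
import re
from datetime import datetime, timezone

# A field is key=value; fields are separated by " , ". A value runs until the
# next "key=" token, so a value that itself contains a comma (the dns field
# on the slide) is kept whole instead of being split in two.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s*,\s*\w+=|\s*$)")


def parse_record(line):
    rec = {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(line)}
    for key in ("start_time", "stop_time"):  # "seconds:nanoseconds" since the epoch
        if key in rec:
            secs, nanos = rec[key].split(":")
            rec[key] = int(secs) + int(nanos) / 1e9
    for key in ("flow_id", "src_port", "dst_port", "packet_count", "total_bytes"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def to_utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


RAW = [
    # From the slide (the dns value is printed twice there; kept as printed).
    "timestamp=Jun 02 2014 21:40:23PM, dns=gpnouarwexr.www.qianyaso.net,gpnouarwexr.www.qianyaso.net , application_id=udp , application_id_2=dns , connection_flags=unknown , first_slot_id=23063 , flow_id=20495454 , initiator_country=Azerbaijan , src_ip=149.255.151.9 , src_port=46614 , interface=eth3 , ip_bad_csums=0 , ip_fragments=0 , network_layer=ipv4 , transport_layer=udp , packet_count=2 , protocol_family=Network Service , responder_country=N/A , dst_ip=10.50.165.3 , dst_port=53 , start_time=1401766596:327447386 , stop_time=1401766611:597447252 , total_bytes=176",
    # Constructed: an internal client resolves a name just before fetching a page.
    "timestamp=Jun 02 2014 21:40:46PM, dns=bill-portal.example , application_id=udp , application_id_2=dns , flow_id=20495457 , src_ip=10.50.165.77 , src_port=50211 , dst_ip=10.50.165.3 , dst_port=53 , network_layer=ipv4 , transport_layer=udp , start_time=1401766619:100000000 , stop_time=1401766619:200000000 , total_bytes=140",
    # Constructed: the HTTP flow that carried the download.
    "timestamp=Jun 02 2014 21:40:47PM, application_id=tcp , application_id_2=http , flow_id=20495460 , src_ip=10.50.165.77 , src_port=51022 , dst_ip=203.0.113.45 , dst_port=80 , http_method=GET , http_uri=/bill/download , network_layer=ipv4 , transport_layer=tcp , start_time=1401766620:000000000 , stop_time=1401766625:500000000 , total_bytes=48213",
    # Constructed file-analysis record: it carries only a flow_id and a hash (placeholder value).
    "timestamp=Jun 02 2014 21:40:52PM, artifact_type=application/zip , file_name=bill.zip , sha1=SHA1_PLACEHOLDER_0000 , flow_id=20495460 , start_time=1401766624:900000000",
]
RECORDS = [parse_record(line) for line in RAW]


def by_flow_id(records, flow_id):
    return [r for r in records if r.get("flow_id") == flow_id]


def related_flows(records, anchor, window=30.0):
    """Temporal correlation: records that overlap the anchor's lifetime
    (widened by `window` seconds) and share an IP with it, other flow_ids only."""
    lo = anchor["start_time"] - window
    hi = anchor.get("stop_time", anchor["start_time"]) + window
    ips = {anchor.get("src_ip"), anchor.get("dst_ip")} - {None}
    out = []
    for r in records:
        if r.get("flow_id") == anchor.get("flow_id"):
            continue
        r_start = r["start_time"]
        r_stop = r.get("stop_time", r_start)
        if r_stop < lo or r_start > hi:
            continue
        if ips & {r.get("src_ip"), r.get("dst_ip")}:
            out.append(r)
    return out


def trace_artifact(records, file_rec):
    """From a file-analysis record to the flow that carried it (same flow_id,
    the one that has network fields), then to the flows around that carrier."""
    carriers = [r for r in by_flow_id(records, file_rec["flow_id"]) if "src_ip" in r]
    if not carriers:
        return None, []
    carrier = carriers[0]
    return carrier, related_flows(records, carrier)


def investigate(records):
    """{sha1: (carrier flow, related flows)} for every file-analysis record."""
    return {r["sha1"]: trace_artifact(records, r) for r in records if "sha1" in r}


if __name__ == "__main__":
    for sha1, (carrier, related) in investigate(RECORDS).items():
        print(sha1, "carried by", carrier["src_ip"], "->", carrier["dst_ip"],
              "at", to_utc(carrier["start_time"]))
        for r in related:
            print("  related flow", r["flow_id"], r.get("application_id_2"), r.get("dns", ""))
```

The slide's DNS record overlaps the carrier in time but shares no IP with it, so it is correctly not pulled into the chain; the constructed lookup from the same client is.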

INVESTIGATION (continued)

- Hashes compared against reputation service sources. Looks like ransomware.
- Source of exploit determined: an Energy Australia web page (reconstructed). It requests a captcha for a copy of the bill. Interestingly, entering the wrong captcha values reloads the page; a correct entry starts the exploit.
- Other malware delivered: presented on the wire as .gif; decoded by the DPI parser as x-dosexec. 17 reputation sources know this as malicious; first seen 5/29/14.
- VirusTotal reports that 4 AV engines report the site as malicious.

BUT SO FAR WE'VE TALKED ABOUT ANALYSIS

Analytics vs. analysis: Analytics is a multi-dimensional discipline. There is extensive use of mathematics and statistics, the use of descriptive techniques and predictive models to gain valuable knowledge from data (data analysis). The insights from data are used to recommend action or to guide decision making rooted in business context. Thus, analytics is not so much concerned with individual analyses or analysis steps, but with the entire methodology. There is a pronounced tendency to use the term analytics in business settings, e.g. text analytics vs. the more generic text mining, to emphasize this broader perspective. There is an increasing use of the term advanced analytics, typically used to describe the technical aspects of analytics, especially predictive modeling, machine learning techniques, and neural networks.

Short definition: multi-dimensional analysis to uncover relationships not present discretely, yielding insight.
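The investigation slides above turn on two parser-driven checks: the "magic byte value @ offset" classification from the DPI slide (which is how a file presented on the wire as .gif was decoded as x-dosexec), and hashing each reconstructed artifact so it can be compared against reputation sources. This is an added example, not code from the deck or from Blue Coat: the signature table is a short hand-picked subset, the artifacts and the reputation table are constructed, and fuzzy hashing (ssdeep) is left out because it needs a third-party library.

```python
"""Classify reconstructed artifacts by their leading bytes, compare with the
type they were presented as, hash them and check a reputation table.
Added example; signatures are a subset, artifacts and reputation data are
constructed."""
import hashlib

# (offset, magic bytes, content type): the "magic byte value @ offset" check,
# for a handful of common types. Order matters only where magics overlap.
SIGNATURES = [
    (0, b"MZ", "application/x-dosexec"),
    (0, b"GIF87a", "image/gif"),
    (0, b"GIF89a", "image/gif"),
    (0, b"PK\x03\x04", "application/zip"),
    (0, b"%PDF-", "application/pdf"),
    (0, b"\x89PNG\r\n\x1a\n", "image/png"),
]


def classify(data):
    """Content-derived type, or 'unknown' when nothing matches. Unknown is
    reported as such rather than falling back to whatever the sender claimed."""
    for offset, magic, mime in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return mime
    return "unknown"


def hashes(data):
    """MD5, SHA-1 and SHA-256 of the artifact, the keys reputation services use."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


# Constructed artifacts: (type presented on the wire, reconstructed bytes).
# PE_DISGUISED mimics the slide's case: served as an image, really an MZ executable.
PE_DISGUISED = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"constructed-sample"
ARTIFACTS = {
    "logo.gif": ("image/gif", PE_DISGUISED),
    "bill.zip": ("application/zip", b"PK\x03\x04\x14\x00" + b"constructed-zip-body"),
    "banner.gif": ("image/gif", b"GIF89a\x01\x00\x01\x00" + b"\x00" * 16),
}

# Constructed reputation table keyed by SHA-256; stands in for a VirusTotal lookup.
KNOWN_BAD = {hashlib.sha256(PE_DISGUISED).hexdigest(): "listed by constructed reputation feed"}


def triage(name, declared, data, reputation):
    """Findings for one artifact: type mismatch, executable content, known-bad hash."""
    h = hashes(data)
    actual = classify(data)
    findings = []
    if actual != declared:
        findings.append(f"type mismatch: presented as {declared}, content is {actual}")
    if actual == "application/x-dosexec":
        findings.append("executable content")
    if h["sha256"] in reputation:
        findings.append(f"known bad: {reputation[h['sha256']]}")
    return {"name": name, "declared": declared, "actual": actual,
            "md5": h["md5"], "sha1": h["sha1"], "sha256": h["sha256"], "findings": findings}


def triage_all(artifacts, reputation):
    return {name: triage(name, declared, data, reputation)
            for name, (declared, data) in artifacts.items()}


if __name__ == "__main__":
    for name, result in triage_all(ARTIFACTS, KNOWN_BAD).items():
        print(name, result["actual"], result["sha256"][:16], result["findings"] or "clean")
```

The type-mismatch finding is independent of the reputation lookup: a sample that no feed has seen yet ("first seen" today) still trips it, which is exactly the post-prevention gap the deck is about.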

MULTI-DIMENSIONAL ANALYSIS

The same set of extracted dimensions is shown four times, each pass calling out one more property of the data set: any to any/many, flow-based, time-stamped. Dimensions available for pivoting:

- Application: Application, Application Group
- Link layer: Ethernet Source, Ethernet Destination, Ethernet Source Vendors, Ethernet Destination Vendors, Ethernet Protocol, VLAN ID, Interface
- Network and transport: IPv4 Initiator, IPv4 Responder, IPv4 Conversation, IPv4 Port Conversation, IPv6 Initiator, IPv6 Responder, IPv6 Conversation, IPv6 Port Conversation, IP Protocol, IP Fragments, IP Bad Checksums, TCP Initiator, TCP Responder, UDP Initiator, UDP Responder, Tunnel Initiator, Tunnel Responder, Port Initiator, Port Responder, Country Initiator, Country Responder, Packet Length, Size in Bytes, Size in Packets
- Web: HTTP Method, HTTP URI, HTTP Code, HTTP Server, HTTP Forward Address, HTTP Content Disposition, Referrer, User Agent, Web Server, Web Query, URL Categories, URL Analysis
- TLS: SSL Common Name, SSL Cert Number
- Other protocols: DNS Query, Database Query, VoIP ID, Email Sender, Email Recipient, Email Subject
- Files: File Name, MIME Type, MD5 Hash, SHA1 Hash, Fuzzy Hash, File Analysis, Malware Analysis
- Identity: User Name, Password, Social Persona

Properties of the data set: any to any/many; flow-based; time-stamped.

ANALYTICS

(Figure.)

STIX + ANALYTICS

(Figure.)
