An Introduction to Flow-based Network Anomaly Detection


About Lancope
Lancope StealthWatch Technology
Security Through Network Intelligence
www.lancope.com
• 3 years of focused research in flow-based network and security technologies.
• StealthWatch evolved from research conducted by Dr. John Copeland at Georgia Tech.
• Based in Atlanta, GA.
• Flagship product: StealthWatch
  - Real-time attacks inside your network (not signature based)
  - Mitigation and documentation of real-time attacks
  - Forensics, short and long term
Why StealthWatch vs. other technology for your internal network?
• Easy to deploy
• 1/3rd to 1/2 the cost of other solutions
• Shows the performance and risks of your Enterprise NOC and SOC in real time
• Not signature based
• Not perimeter based
• No multilayer steps to get results
• StealthWatch is best at discovering, prioritizing and mitigating real-time worms, viruses and exploits in your internal network
• StealthWatch gives you network optimization and threat management for your Enterprise NOC and SOC
Internal attacks on the rise!
“The trend has been moving away from external to internal security” (Security Analysts, Wall Street Journal, June 2005)
• Internal breaches: bandwidth consumption, policy violations, Trojans, zero-day attacks, application misuse and others have caused:
  - Service and system interruptions
  - Data loss
  - Intellectual property theft
  - Major loss in company credibility
  - Huge financial losses
• The growth in internal attacks in a survey of 600 North American and Western European companies:
  - 2003: up 30%
  - 2004: up 50%
  - 2005: could be up 75%
How to protect your environment from internal attacks?
• Organizations should establish a trusted behavior baseline for each machine on the network.
• Look for changes in the current footprint behavior.
• If these procedures are implemented effectively, they can detect and protect systems against new malicious code, worms and other internal breaches.
(US Secret Service and Gov. CERT, May 2005)
140+ Existing Customers…
Too Many Attack Vectors
- CVE contains 7819 vulnerabilities (Feb 2005)
- Most signature vendors block on about 150 sigs
- That’s 2%
- What about the other 98%?
[Pie chart: attacks blocked vs. attacks remaining]
Signatures Can’t Keep Up
“Given the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks. Therefore, as of 2004, we will no longer publish the number of incidents reported.”
- CERT
[Chart of incidents reported per year, 1988 to 2003: attack frequency increases… while the discovery-to-exploit window decreases.]
STEALTHWATCH: BEHAVIOR-BASED FLOW ANALYSIS
“Flows” provide total visibility across a wide network range by collecting data from routers in varying locations. This gives StealthWatch total supervision over the network and provides an ability to track behavior throughout the network, from start to end.
NetFlow provides “mountaintop visibility”
Analyze flows… establish a baseline… alarm on changes in behavior…
Flow metrics:
- Number of concurrent flows
- Packets per second
- Bits per second
- New flows created
- Number of SYNs sent
- Number of SYNs received
- Rate of connection resets
- Duration of the flow
- Time of day
- <Many others>
BEHAVIOR RATHER THAN SIGNATURES
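The baseline-and-alarm loop the slides describe (establish a per-machine baseline, watch the listed flow metrics for changes, and roll alarms into a per-host concern score), as an added Python example; this is not Lancope or StealthWatch code, and the host addresses, metric names and flow records are constructed for illustration.

```python
"""Behaviour baseline over NetFlow-style records (added example, not
Lancope/StealthWatch code). Per host, the baseline is the mean and spread
of each flow metric from the slide over past time buckets; a bucket that
deviates by more than K sigmas raises an alarm, and the excess feeds a
per-host concern score."""
from collections import defaultdict
from statistics import mean, pstdev

METRICS = ("new_flows", "syns_sent", "resets", "bytes")  # bytes ~ bits/s

def build_baseline(records):
    """Map host -> {metric: (mean, sigma)} from training buckets."""
    series = defaultdict(lambda: defaultdict(list))
    for rec in records:
        for m in METRICS:
            series[rec["host"]][m].append(rec[m])
    baseline = {}
    for host, per_metric in series.items():
        baseline[host] = {}
        for m, values in per_metric.items():
            mu, sd = mean(values), pstdev(values)
            # Floor the spread: a flat training series must not turn
            # every small change into a huge z-score.
            baseline[host][m] = (mu, max(sd, 0.1 * mu, 1.0))
    return baseline

def score_bucket(rec, baseline, k=3.0):
    """Return ({metric: z} for |z| > k, concern = sum of |z| - k).
    A host with no baseline is reported as a new/unknown device."""
    if rec["host"] not in baseline:
        return {"unknown_host": float("inf")}, float("inf")
    alarms, concern = {}, 0.0
    for m in METRICS:
        mu, sigma = baseline[rec["host"]][m]
        z = (rec[m] - mu) / sigma
        if abs(z) > k:
            alarms[m] = z
            concern += abs(z) - k
    return alarms, concern

# Constructed training data: five quiet hourly buckets for one host.
TRAINING = [{"host": "10.0.0.5", "new_flows": nf, "syns_sent": nf, "resets": r, "bytes": b}
            for nf, r, b in zip((40, 44, 42, 38, 46), (2, 3, 2, 1, 2),
                                (5_000_000, 5_200_000, 4_800_000, 5_100_000, 4_900_000))]
BASELINE = build_baseline(TRAINING)
# Constructed test buckets: normal, scan-like (many SYN-only flows and
# resets, little payload), and a host never seen before.
NORMAL = {"host": "10.0.0.5", "new_flows": 43, "syns_sent": 41, "resets": 2, "bytes": 5_050_000}
SCAN = {"host": "10.0.0.5", "new_flows": 400, "syns_sent": 400, "resets": 350, "bytes": 4_950_000}
NEW_HOST = {"host": "10.0.0.99", "new_flows": 5, "syns_sent": 5, "resets": 0, "bytes": 10_000}
```

The scan-like bucket trips the SYN, new-flow and reset metrics while its byte volume stays inside the baseline, which is the shape of behaviour the slide's metrics are chosen to expose without any signature.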
INFRASTRUCTURE IPS
[Architecture diagram: inputs from Cisco NetFlow and native Ethernet via SPAN; signature sources (ISS, Snort, etc.); SIM/SEM (ArcSight, Guarded); StealthWatch at the center]
- Powerful audit, compliance reporting, and forensic capabilities
- Streamline and shorten resolution time
- Provides visibility into “most significant” network behaviors
- Cost-effective, extended enterprise-wide protection and control
STM Features
Automated mitigation:
- Install Cisco PIX firewall rules
- Install Checkpoint firewall rules
- Inject Cisco Null0 route
- Customizable scripted response

Supported Security Devices (columns: Devices / Vendors / Customer; the Customer column is left blank)
- Firewalls: Checkpoint NG, NGAI, Provider 1; Cisco PIX; Cyberguard; Lucent Brick; Juniper; Symantec Enterprise
- Routers and switches: Cisco; Extreme; Juniper; Foundry
- Forensics: Flow Analysis Server
- IDS/IPS: ISS RealSecure, Workgroup Manager; Site Protector; Cisco Secure IDS v4 (RDEP); Enterasys Dragon; Snort; Symantec Manhunt; nCircle IP360; TopLayer Mitigator IPS; Netscreen Firewall/IDS; Network Associates Intrushield
Locations
Main data centers (Customer):
- How many main data centers do you manage?
- How many DCs would you want to monitor with StealthWatch?
- Do you want to have the NOC and SOC monitored?
- How many remote locations do you have?
- What kind of connections do you have to those remote locations?
StealthWatch Product Line (StealthWatch rack-mountable 1U appliances)
- M250 and M45: one designed for DS3 links or underutilized fast Ethernet connections, the other for fast Ethernet networks
- G1: designed for networks with speeds up to one gigabit per second
- Xe-500: entry-level StealthWatch NetFlow Collector
- Xe-1000: midrange StealthWatch NetFlow Collector
- Xe-2000: high-end StealthWatch NetFlow Collector
- SMC: collects and manages multiple StealthWatch and StealthWatch Xe appliances
Deployment: How do we collect flows?
StealthWatch Xe: monitor remote locations, overcoming complex deployments and cost
- 12 IDP/IPS sensors required vs. 1 StealthWatch Xe required
- 8 inline IPS @ $64,995 = $519,960 vs. 1 NetFlow-based Xe-2000 < $50,000
PRE-EXISTING CONDITIONS ARE DETECTED
Concern Index
FLOW VISUALIZATION
StealthWatch Solution
StealthWatch is a fast, accurate and cost-effective solution that immediately detects malicious or unauthorized network activity, including new and otherwise unidentifiable threats. As a network-based system, StealthWatch overcomes the cost and complexity of deploying and maintaining signature- or host-based systems. With StealthWatch, organizations can now identify and resolve network exposures, such as new, misconfigured or unauthorized devices and applications. These threats, which include rogue servers and P2P file sharing applications, result in 65% of network risks, according to a Gartner estimate. When unpreventable network events or host infections occur, StealthWatch detects and contains the incident while delivering critical insight that accelerates resolution and minimizes damage.
Network Security Problems Addressed
- Cost and complexity reduced
- Prioritization and visibility across the entire network
- NOC and SOC reaction time
- Detect and mitigate zero-day attacks inside your network
Next Steps for your Company and Lancope
• NDA
• Evaluation
• References