stackArmor MicroSummit - Niksun Network Monitoring - DPI

KNOW THE UNKNOWN®

NIKSUNInc.,CONFIDENTIAL-INTERNALUSEONLYThisdocumentcontainsconfiden0alinforma0onthatshallbedistributed,routedormadeavailableonlywithinNIKSUN.

ComprehensiveNetworkMonitoring/DPI

NIKSUNInc.

  Whydoescybercrimes0llpersist,despitesignificantinvestment?

  Whatdoesitmeantohavetrulycomprehensivemonitoring?  Surveillance,Detec0on,andForensics

  Howcanthishelpyouintherealworld?  ContextualAwareness(IncidentResponse)  FirewallMonitoring&DDoS  Malware/Ransomware  Compliance  Informa0onHiding  DNSServerHacked(Forensics)

Agenda

NIKSUN,Inc.CONFIDENTIAL--Seeconfiden0alityrestric0onson0tlepage. Slide2

NIKSUN,Inc.CONFIDENTIAL--Seeconfiden0alityrestric0onson0tlepage.

WhyDoesCyberCrimePersist?

Copyright NIKSUN 2014

Unknown

Cyber Security Products Cover this Area

Sophisticated Hackers work here!

Unknown Unknown

Imagine if the CDC only looked to prevent virus’ that have already wiped out millions… they would have no recourse in mitigating incidents like Ebola! •  Now imagine if they had

full visibility into every single person in the United States… they could monitor every person’s body and watch for the development of both old and new virus’

Preven0on

  Howcanonepreventthatwhichonecan’tsee?  Whatnewservicesandapplica0onshaveenteredyournetworkthatyouareunawareof?

  Whoisbehindthem?Isitalegi0matebusinessapplica0onoratrojanormalware?

  Howdoweknowthatourdefensesareeffec0ve?

WhatKnowledgeIsNecessary?

  Weneedmoreadvancedsignals(“data”)thanthosewhichwehaveprogrammedapriori

  Goodcybera^ackersevadeaprioriindicatorsandexploitdifferenta^ackvectors

  Anovelapproachisnecessarytogatherinforma0onfrombothknownandunknowna^ackvectors

ComprehensiveMonitoring

Whatisneeded?•  Videocamera(surveillance)•  Sensordetec0on(laserbeams)•  Imagerecogni0on(easysearchforforensics,incidentresponse)

Whyareflowslimited?•  Generallyonlyprovideinforma0onatlayer3•  Lackgoodsupportforcorrelatedflows(FTP,Mobility,evenwebpages,etc.)•  LackofbroaderThreatIntelligencesupport(files,domains,cer0ficates,

Whyarelogslimited?•  Developerschoosewhatlogstorecord.Can’tknowabouta^acksthat

havenotevenoccurredyet

WhatisNetworkMonitoring?

NIKSUN,Inc.CONFIDENTIAL.--Seeconfiden0alityrestric0onson0tlepage. Slide7

SampleFlowlogs

  Surveillance&ThreatHun0ng  Top-downHolis0cviewofAllNetworkAc0vity  Cri0calNetworkInfrastructureIndicators  Real-0meContentAnaly0cs  Applica0onRecogni0on/Applica0onMetadata  Geo-IP

  Detec0on  Anomaly/Signatures/Content(DataLeakage)  IntelligenceFeeds

  IncidentResponse&Forensics  Applica0onReconstruc0on&Ar0factExtrac0on  SandboxIntegra0on  Flows&Connec0ons  RawPackets

  Other  Performance  Compliance

ComprehensiveMonitoring

EmailServerCRM

Server WebServer

Enterprise-wideMonitoring

Monitor across all deployed physical and virtual devices, centrally, from any smart device

FastMacro-to-MicroAnalysis

NIKSUN Inc., CONFIDENTIAL. See confidentiality restrictions on title page

Global Visibility

Regional View

Specific Session

Single Packet

NIKSUN, Inc. CONFIDENTIAL -- See confidentiality restrictions on title page. Slide 11

DeepContentInspec0on-Example

With just a few clicks, DPI / DCI can identify all of this information

UseCase–ContextualAwareness

UseCase:ContextualAwareness

Alarms

Firewall

Log Analyzer

IDS/IPS

Content Filters

Scanners

Alarms

Incident Response -Integrated Analysis

Alarms

Attacks often occur over disparate parts of the network, over extended periods of time à forensic investigation is necessary to put together pieces of the puzzle and reveal how an attack was crafted

UseCase–FirewallMonitoring

  Trendinginforma0ontotuneFirewalls  TCP-SYNrate(commonfirewallmetric)  Fragmentedpacketrate(IPv4,IPv6)  UDP,ICMP,DNS,NTP,etc.packetrates  Bandwidth

  In-depthanalysisofa^acka^empts  Resolveissueswithfirewalls

  FWvendors/usersokenneedpacketstotuneagainstana^ack  ComprehensiveIntelligenceonDDoSa^acks

  Isolatebadtrafficfromgood

  ThreatIntelligence(didanybadURLsmakeitpasttheFW?)  AnalyzeFirewalleffec0veness(Retrospec0veIDS)  ReplaytraffictotestnewFWrules

UseCase-FirewallMonitoring

Inline systems may face latency and complexity constraints, requiring a reduction in the deployed ruleset •  Monitoring becomes

invaluable for a constant pulse on critical infrastructure

FirewallInbound+OutboundMonitoring

Network Internet

Who is trying to get in?

What methods are they using?

Who got in?

What did they get

Backdoor?

DDoSMonitoring(Volumetric/Applica0on)

RedZone/GreenZone

TrafficVolume-BeforeandAkerFirewall

UseCase– Ransomware(Wannacry)

UseCase:WannacryInves0ga0on

UseCase:WannacryInves0ga0on(cont.)

•  Leverage retrospective IDS •  View SMB scans on your infrastructure •  Real-time intelligence feed related information

UseCase:WannacryInves0ga0on(cont.)

How can we know if the hosts scanned have actually been impacted?

UseCase–Compliance

  Discovercompliancelevelwithtrafficmonitoring  FasterthanPenTes0ng

  Validatesecuritypreandpostchanges  Firewalls,networks,servers

  Evidence  Rawdatacaptures

  Instantlyiden0fyinsecurecommunica0ons  Whoisusingnoncompliant:SSL2.0,SSL3.0,TLS1.0  Whoisusingwhichciphers–strongorweak?  WhatCer0ficatesareinuse?CertOrganiza0ons?  Cleartextprotocols,SSN

UseCase:Compliance-PCI/Fed/Gov

Compliance–SSLMetadata

UseCase–InformaMonHiding/

ExfiltraMon

Scenic?

AndNow?

Social Security Numbers hidden in picture… only way to tell is by drilling down to the raw packets!

UseCase–DNSServerHacked

  Spear-phishinga^ackluredemployeestogototheirbanktoupdatetheirinfo

  TheywereredirectedtoaBADsite  DifficulttotraceastheDNSserverfixeditselfakersomeamountof0mesotheproblemcouldnotbeiden0fiedbytradi0onalmethods

  Forensicanalysis  Discoveredthatthe“windowofopportunity”wastransient  GaveIPaddressofallthosethatwereluredtothewrongsite  Reconstructedthea^ackandtracedthea^acker’smovesstep-by-step

  DamagewasminimizedduetorapididenMficaMonandimmediateremediaMon

UseCase:DNSServerHacked

NIKSUN:HelpingYouKnowtheUnknown®Visitusatniksun.comoremailtoinfo@niksun.com

Foraddi0onalinforma0on:

stackArmor MicroSummit - Niksun Network Monitoring - DPI

Technology

Transcript of stackArmor MicroSummit - Niksun Network Monitoring - DPI

Color A4 Multifunction Printer Up to 42 PPM Small/Medium …business.toshiba.com/media/tabs/downloads/product/mfp/330AC-40… · Scan Resolution 600 dpi, 400 dpi, 300 dpi, 200 dpi,

Walter Willinger NIKSUN, Inc. wwillinger@niksun · Engineering hack Example of what we can measure, not what we want to measure! Basic problem #1: IP alias resolution problem How

Dpi 17 - demo

stackArmor Security MicroSummit - AWS Security with Splunk

Introducing FreeBSD in new environment of FreeBSD... · pfSense FreeNAS Niksun ...

Dpi National

ID CARD CUSTOMIZATION SOLUTIONS - Spec …...RESOLUTION • 300 dpi • 300 dpi • Standard mode: 300x300 dpi • Extended mode: 300x600 dpi (monochrome and color printing), 300x1200

DPI Updates

stackArmor Security MicroSummit - Next Generation Firewalls for AWS

DPI Internal Correspondence

DPI Parent Meeting

e195 225 245 - Office Solution eStudio 195...20 spm: 150 / 200 / 300 / 400 dpi 14 spm: 600 dpi Local: 300 dpi / 600 dpi Network: 150 / 200 / 300 / 400 / 600 dpi Local: TWAIN Network:

Speed Forward Edition - RISONormal Master Making mode Approx. 19 seconds (Letter, short-edge feed) Resolution Scanning 600 dpi × 600 dpi Printing 300 dpi × 600 dpi, Quick Master

Eurecom dpi

stackArmor presentation for DevOpsDC ver 4

NCCTM Leadership Conference October 24, 2012 DPI UPDATE DPI UPDATE

DPI article

A Short History of Radio - NIKSUN: Know the Unknown

dpi revisión_2002

Intecal v10 Calibration Management Software - industrial.ai · • Data analysis, certificate generation, archiving • Extensive connectivity including the DPI 611, DPI 612, DPI