Ben Rothke - NBA for The Security Professional

Network Behavioral Analysis for the Security Professional Ben Rothke CISSP CISM Security Consultant BT INS


Webinar - Network Behavioral Analysis for the Security Professional, by Ben Rothke

Transcript of Ben Rothke - NBA for The Security Professional

Page 1

Network Behavioral Analysis for the Security Professional

Ben Rothke, CISSP, CISM
Security Consultant
BT INS

Page 2

Sponsor

• This webcast is sponsored by

Page 3

About me

• Ben Rothke, CISSP, CISM
• Security Consultant – BT INS
• Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006)

Page 4

Agenda

• Introduction
• Current state of information security
• The need for NBA
• Conclusions

Page 5

Wal-Mart knows

• Wal-Mart Stores knows how to run a business and how to sell products.
• Real-time precision of how every item in every store is selling.
• Historical, financial and other information about their products.
  – Why are sales of American flags higher in Mobile, AL the third week in March than in Fresno, CA?
  – How many 8GB pink iPod Nanos were sold in Fargo, ND yesterday?
  – Why are 64 oz. low-pulp Tropicana orange juice sales 26% less in the Memphis north store than in the Memphis south store?

Page 6

Does your CIO know?

• Contrast that with today’s corporate networks.
• Many CIOs and CISOs have no idea what their networks look like.
  – Number of networks/subnets
  – Connected laptops
  – Remote sites
  – Firewall rules
  – Visio network maps vs. production network
• Clueless to the number of protocols, subnets, users, servers, applications, third-party connections, etc., running on their infrastructure and hardware.
• Output of effective security metrics
• Condition: anarchy and disorder.

Page 7

What’s going on?

• It’s 2007, decades into the computer revolution.
• Hundreds of billions of dollars have been spent on IT, yet only a fraction of companies really know what is going on inside their network.
• Never has the need for such knowledge been more important.

Page 8

Threat landscape

Today’s threat landscape should give everyone pause.
  – Volume of threats continues to increase
  – Number of new threats continues to increase
  – Propagation speed of threats continues to increase
  – Number of undetected attacks continues to increase
    • TJX security breach went undetected for seven months
  – Losses from attacks continue to increase
    • Du Pont insider theft causes $400 million in damages
  – Time to exploit vulnerabilities continues to decrease

Page 9

Problems with today’s network security

• Security devices are often deployed in a vacuum
  – No knowledge about what they are protecting
  – Marcus Ranum defines a firewall as “the implementation of your Internet security policy. If you haven’t got a security policy, you haven’t got a firewall. Instead, you’ve got a thing that’s sort of doing something, but you don’t know what it’s trying to do because no one has told you what it should do”. Does that describe your organization?
• Misconfiguration
• Configurations that have not been updated
• Troubleshooting often takes extended amounts of time

Page 10

Perimeter security

• Perimeter security works when there is a perimeter
  – Much of the corporate perimeter has evaporated via extranets, vendor networks, convergence, VPN, etc.
• Network perimeter defenses (firewalls, anti-virus, IDS/IPS) are often inadequate for dealing with a network with a collapsed perimeter
• Nor can they deal with internal threats that reside inside the firewall
• How many IT managers know exactly (or even roughly) what their users are doing?

Page 11

Are today’s network managers blind?

Do they know:
• Who’s on their network?
• What protocols they are using?
• What applications are running?
• What changes are made?
• Who made those changes?
• Historical trends?
• How can I optimize my network?

Page 12

Partial solutions

• Currently, most IT managers have a very limited, minimally integrated view of their network
• No idea how many network incidents occur
  – Varied definitions of network incident within the same company
  – Many lack a formalized and tested CERT
  – Effective security metrics are not developed and used
  – Implementation of a SOC is many years away

Page 13

Network ignorance is not bliss

• Network ignorance is not bliss, it’s expensive.
• Extended problem resolution increases costs and downtime
• Unauthorized activities, users and applications cause damage and downtime
• Regulatory requirements are not met
  – How many hosts are connected to that regulated server?

Page 14

What’s the solution?

• First generation
  – Anomaly detection
  – IDS/IPS, detects what the firewall can’t detect
• But what about what the IDS can’t detect?
  – In-line signature-based systems
  – Can’t detect unusual/anomalous behavior
• Next generation, available now
  – Network Behavioral Analysis (NBA)
    • Real-time profile of network assets
    • Correlates monitored events from security products

Page 15

NBA – a definition

• NBA provides network-wide visibility to understand how systems are used, who uses them, how systems connect to and depend on each other, and which ports and protocols systems connect over.
• Because it analyzes the behavior of network traffic, NBA provides protection from threats that other security systems cannot identify, such as insider attacks, unauthorized servers and services, and zero-day attacks.
• NBA also eases the burden of regulatory compliance by reporting on network behaviors that did or did not occur.

Page 16

Is NBA a panacea?

• The market is still immature
• Slow adoption
• Not a lot of experts
• False positives still an issue

Page 17

NBA vision into the network

Source                  Data                                        Destination
End-user                Start time / end time                       End-user
IP/MAC address          Path (each router / interface)              IP/MAC address
Switch port             Number of bytes/packets sent/received       Switch port
TCP flag                Layer 7 application data                    TCP flag
UDP/TCP source port     IP data (UDP, TCP, etc.)                    UDP/TCP destination port

Page 18

NBA methods

• Statistical
  – Determines the network’s normal traffic flows via data types and connection flows
• Threshold detection
  – Volume thresholds for different types of network traffic
• Learning/adaptive
  – Examines the network over time and uses neural-network and other approaches to learn which specific traffic and system behaviors are harmful
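As an added illustration of the statistical and threshold methods on this slide (my own example, not code from the webinar or from any NBA product), the following Python learns a per-hour-of-day volume profile from a constructed seven-day learning set and then scores a new hour of traffic two ways: against a fixed byte threshold per traffic type, and as a z-score against the learned mean and standard deviation for that hour of day. The traffic types, volumes and thresholds are all constructed for the demonstration.

```python
"""Statistical and threshold detection over hourly traffic volumes (added example)."""
from collections import defaultdict
from statistics import mean, pstdev


def constructed_history(days=7):
    """Constructed learning set: (hour_of_day, traffic_type, bytes) for every hour
    of `days` days. Volumes follow a fixed daily cycle with slight day-to-day
    drift; a real NBA sensor would derive them from flow exports or a SPAN port."""
    rows = []
    for day in range(days):
        for hour in range(24):
            rows.append((hour, "dns", 12_000 + 300 * hour + 50 * day))
            rows.append((hour, "smtp", 80_000 + 2_000 * hour + 500 * day))
    return rows


def build_profile(history):
    """Statistical method: mean and standard deviation of volume per
    (traffic_type, hour_of_day), so that 03:00 is compared with other 03:00s
    rather than with the busier daytime hours."""
    buckets = defaultdict(list)
    for hour, ttype, nbytes in history:
        buckets[(ttype, hour)].append(nbytes)
    return {key: (mean(vals), pstdev(vals)) for key, vals in buckets.items()}


def zscore(value, stats):
    """Standard deviations between value and the learned mean for this bucket."""
    m, sd = stats
    if sd == 0:
        return 0.0 if value == m else float("inf")
    return (value - m) / sd


def evaluate_hour(hour, observed, profile, thresholds, z_limit=3.0):
    """Score one hour of observed {traffic_type: bytes}.
    Returns (traffic_type, method, detail) alerts in input order:
    - 'threshold': volume exceeds a fixed per-type limit (threshold detection)
    - 'statistical': volume is more than z_limit standard deviations away from
      the learned mean for this hour of day, or no baseline exists for it."""
    alerts = []
    for ttype, nbytes in observed.items():
        if ttype in thresholds and nbytes > thresholds[ttype]:
            alerts.append((ttype, "threshold", nbytes))
        stats = profile.get((ttype, hour))
        if stats is None:
            alerts.append((ttype, "statistical", "no baseline for this type/hour"))
            continue
        z = zscore(nbytes, stats)
        if abs(z) > z_limit:
            alerts.append((ttype, "statistical", round(z, 1)))
    return alerts


# Fixed volume thresholds (bytes per hour): the threshold-detection method.
THRESHOLDS = {"dns": 1_000_000, "smtp": 5_000_000}

if __name__ == "__main__":
    profile = build_profile(constructed_history())
    # A modest DNS bump at 03:00 is invisible to the fixed threshold but sits
    # 4.5 standard deviations above the learned 03:00 level.
    print(evaluate_hour(3, {"dns": 13_500, "smtp": 86_000}, profile, THRESHOLDS))
    # A 12 MB/hour DNS burst trips both methods.
    print(evaluate_hour(3, {"dns": 12_000_000, "smtp": 86_000}, profile, THRESHOLDS))
```

The two calls at the bottom show the practical difference between the methods: the fixed threshold only fires on the large burst, while the per-hour statistical profile also catches the small overnight increase that a daytime-sized threshold would never notice. In a real deployment the learning window must be long enough to contain every weekday and shift pattern, otherwise the first Monday after deployment becomes an "anomaly".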

Page 19

NBA benefits

• Better detects the following attacks
  – Zero-day
  – Targeted
  – Low-and-slow/stealth
  – Unknown signature

Page 20

NBA differentiators

• NBA can capture critical network-behavior information that other security devices never analyze.

• Passively listens to network traffic from routers and sensors, modeling the network behavior of all end points and applications on the network.

• This baseline is a picture of how network devices and business services are being used and by whom.

• NBA then analyzes anomalous behavior to detect and characterize threats.

Page 21

Real time views

• One of the most compelling benefits of NBA is its ability to show a real-time view of network and security activity.
  – Gathers all relevant security information in one place, providing an accessible overview of current information security status and a consistent, reliable view that empowers effective decision making.
• Point solutions detect specific kinds of attacks
  – But creating action plans against those attacks requires a real-time view and in-depth analysis of network traffic
• Knowing the baseline model that defines normal behavior, plus the ability to track network moves/adds/changes, means the ability to quickly identify anomalies and react to problems in real time.

Page 22

NBA – troubleshooting

• NBA facilitates rapid identification and resolution of security incidents
• Knowing who, what, where, when, what’s typical and what’s changed is extremely time consuming
  – But not once NBA is in place

Page 23

Optimization

• Data center consolidation is increasing
  – Pressure to optimize current infrastructure
• ITIL framework gaining increased acceptance for best practices
• NBA gives IT managers increased visibility into user-to-user and user-to-technology interactions to optimize the end-user experience and network performance.
• The only way to optimize your network and IT infrastructure is to have visibility into its behavior.
• Companies must anticipate the impact of new applications, users, services, etc., and how they will affect the infrastructure and required service levels.

Page 24

Optimization – The Big 4 requirements

NBA provides a better method of network optimization via:
• Global view
  – Continuous view of user activities
• Change
  – Today’s dynamic network environment is synonymous with change.
  – Knowing the typical behavior of users, networks and applications ensures that changes in behavior are easier to pinpoint and diagnose.
• Shorter troubleshooting times
  – CIOs are now being taken to task if mean time to repair (MTTR) negatively impacts the business.
  – Better visibility into the changes in behavior that impact performance ensures that MTTR is shorter.

Page 25

Optimization – The Big 4 requirements

• Network/security integration
  – Security operations and network operations are often not in sync with one another.
  – Both should work together to mitigate both performance issues and security events, which is supported by NBA.
  – Dual value in working together
  – Physical security is coming into the scene
    • “The convergence of physical security and IT is first and foremost about collaboration. Technologies sharing information; processes finding synergies; and people working together. The $140 billion physical security industry is beginning a tectonic shift toward IT.” – Steve Hunt, securitydreamer.com

Page 26

What experts say about NBA

• “Network Behavior Analysis systems are the new foundation of Defense in Depth architectures” – Enterprise Strategy Group
• “By year-end 2007, 25% of large enterprises will employ NBA as part of their network security strategy” – Gartner
• “Today’s complete layered security solution should include IDS, IPS, NBA and endpoint security to ensure security posture pre and post network authorization and authentication.” – Yankee Group

Page 27

Policy and signature-based solutions

• NBA fills the gaps left by policy- and signature-based solutions (IDS/IPS, SIM/SEM)
• These technologies often miss threats that they are not specifically designed to detect.

Page 28

Is NBA simply SIM/SEM on steroids?

• SIM/SEM tools are log aggregators at heart, and lack the advanced intelligence that NBA offers.
  – SIM/SEM lacks user context
  – Broad network scoping of activities
• NBA provides a layer of intelligence about what systems, applications and users are actually doing on your network.
  – Deep analysis
  – Application-layer network knowledge
  – Agentless/auto-discovery

Page 29

Is NBA all I need?

• Don’t unload all of your security software and hardware

• Gartner recommends NBA as part of a balanced strategy to protect an enterprise network after implementing and tuning firewall and IDS/IPS mechanisms.

• You don’t have to wait: IDS at the edge, NBA at the core

• NBA systems can be used to help tune IDS/IPS through the visibility they provide, so it makes sense to deploy them simultaneously.

Page 30

NBA History

• First emerged in 2001 to deal with DDoS attacks
• NBA began as a security-only solution
  – But NBA delivers value beyond security
    • Provides detailed and continuous network visibility
    • Enhances existing network management tools
      – Helps administrators optimize their networks for actual end-user behavior.

Page 31

NBA is not magic

• NBA is a decision support system
• Requires a knowledgeable operator who can interpret, investigate and respond to a variety of suspicious activities on your network.

Page 32

NBA product requirements

• Discovers all running applications, the users of those applications, profiles of their normal use patterns, and dependencies.
• Automatically builds a baseline of behavior
  – Ability for heuristics to be constantly compared against it.
• Application policies customized and monitored for compliance.
• Upon policy breach, alerts on where, why, how and by whom the breach occurred.

Page 33

Using NBA – Building a normal baseline

• Determine and define normal network traffic
• Develop model
  – Who talks to whom
  – Protocols and ports in use
  – Daily/hourly traffic levels
  – Frequency levels
  – Lists of clients and servers
  – Days of the week
  – Times of the day

Page 34

Using NBA – Building an abnormal baseline

• Determine and define abnormal network traffic
• Develop model
  – Host scan
  – Port scan
  – Worm, malware detection
  – New service/application
  – New hardware
  – New host
  – Suspicious connection
  – DoS, DDoS, bandwidth surges
  – Tunneled applications
  – P2P, spambots, etc.

Page 35

Using NBA – Building rules

• Create custom rules
  – Application access
  – Usage policies to monitor for policy violations
  – Usage policies to monitor for policy changes
  – Enforce normal activity
  – Define action for unique/special conditions
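As an added example tying together the three “Using NBA” slides above (normal baseline, abnormal baseline, rules), the following Python learns a who-talks-to-whom and known-service baseline from a constructed set of flow records, then checks a later observation window against it with rules for four of the abnormal behaviors listed: new host, new service, port scan and host scan. This is my own illustration, not code from the webinar or from any NBA product; the addresses, ports, flow records, the simplified flow-record layout and the scan thresholds are all constructed.

```python
"""Who-talks-to-whom baseline plus behavioral rules over flow records (added example)."""
from collections import defaultdict, namedtuple

# One unidirectional flow record, simplified from what a flow collector exports.
# server_bytes > 0 means the destination answered, i.e. a real service
# conversation rather than an unanswered probe.
Flow = namedtuple("Flow", "src dst proto dport server_bytes")

# Constructed learning-period flows: two clients using a web server and a DNS
# server, and the web server talking to its database.
LEARNING_FLOWS = [
    Flow("10.0.1.10", "10.0.2.5", "tcp", 443, 20_000),
    Flow("10.0.1.11", "10.0.2.5", "tcp", 443, 18_000),
    Flow("10.0.1.10", "10.0.2.7", "udp", 53, 300),
    Flow("10.0.1.11", "10.0.2.7", "udp", 53, 280),
    Flow("10.0.2.5", "10.0.2.9", "tcp", 3306, 50_000),
]


class Baseline:
    """Normal model: known hosts, known (server, proto, port) services and
    known client->server pairs, learned from a period assumed to be clean."""

    def __init__(self, flows):
        self.hosts = set()
        self.services = set()
        self.pairs = set()
        for f in flows:
            self.hosts.update((f.src, f.dst))
            self.pairs.add((f.src, f.dst))
            if f.server_bytes > 0:
                self.services.add((f.dst, f.proto, f.dport))


def apply_rules(baseline, window, scan_ports=10, scan_hosts=10):
    """Abnormal model expressed as rules over one observation window.
    Returns a sorted list of (rule, detail) alerts, one per distinct finding."""
    alerts = set()
    ports_per_pair = defaultdict(set)   # (src, dst) -> distinct destination ports tried
    hosts_per_src = defaultdict(set)    # src -> distinct destinations contacted
    for f in window:
        # New host: an endpoint never seen during learning is initiating traffic.
        if f.src not in baseline.hosts:
            alerts.add(("new host", f.src))
        # New service: a destination is *answering* on a (proto, port) it never
        # served before. Unanswered probes (server_bytes == 0) do not count, so a
        # scan target is not mistaken for a new service.
        if f.server_bytes > 0 and (f.dst, f.proto, f.dport) not in baseline.services:
            alerts.add(("new service", f"{f.dst} {f.proto}/{f.dport}"))
        ports_per_pair[(f.src, f.dst)].add(f.dport)
        hosts_per_src[f.src].add(f.dst)
    # Port scan: one source touching many distinct ports on one destination.
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_ports:
            alerts.add(("port scan", f"{src}->{dst}"))
    # Host scan: one source touching many distinct destinations.
    for src, dsts in hosts_per_src.items():
        if len(dsts) >= scan_hosts:
            alerts.add(("host scan", src))
    return sorted(alerts)


# Constructed observation window: normal traffic plus four abnormal behaviors.
WINDOW = (
    [Flow("10.0.1.10", "10.0.2.5", "tcp", 443, 15_000)]                        # normal
    + [Flow("10.0.9.99", "10.0.2.5", "tcp", p, 0) for p in range(1, 16)]        # unknown host probing 15 ports
    + [Flow("10.0.2.5", "10.0.2.9", "tcp", 22, 800)]                            # database host now answering on SSH
    + [Flow("10.0.1.11", f"10.0.2.{i}", "tcp", 445, 0) for i in range(20, 31)]  # known client sweeping 11 hosts
)

if __name__ == "__main__":
    for alert in apply_rules(Baseline(LEARNING_FLOWS), WINDOW):
        print(alert)
```

Two design points matter more than the rules themselves. First, the baseline is only as good as the learning period: if a scanner or an unauthorized server was already active while the model was built, it becomes “normal”, which is why the slides insist on a knowledgeable operator reviewing the baseline. Second, the scan thresholds and the window length are the tuning knobs behind the false-positive problem mentioned earlier; a vulnerability scanner or a monitoring host will legitimately touch many hosts and ports and needs an explicit exception rule rather than a raised global threshold.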

Page 36

Using NBA – Integration

• NBA works with, but does not replace, your existing networking and security product infrastructure.
• Integrate NBA with them
  – “IDS is Dead”, Gartner 2003
  – IDS is alive and well in 2007. But it, like other technologies, needs to integrate and provide a network-intelligent solution
  – Network and threat complexity is increasing, which IDS can’t handle alone, and requires new solutions such as NBA.
• Invoke NBA features within your existing management tools and avoid “swivel chair monitoring.”

Page 37

Behavior analysis

• Automatic behavior analysis monitors activity to determine if it is meaningfully different from the known typical behavior.
• Types of behavior analysis
  – Out-of-the-box automated heuristics
    • Preconfigured. Ability to quickly implement ongoing behavior analysis with minimal effort
  – Custom policies
    • Monitor specific conditions. Analysis leverages the global behavior profile.

Page 38

Effective NBA implementation

• Define your key requirements
  – Network activity
  – Automatic heuristics
  – Custom rule generation
  – Monitoring
  – Integration with existing networking and security products
  – Agent vs. agentless

Page 39

Effective NBA implementation

• Product capabilities
  – Integration
  – Reporting
  – Network flow data
  – Deep packet inspection
  – Scalability
  – DDoS protection
  – and more

Page 40

Effective NBA implementation

• Network and security operations work together
  – NBA has its roots as a security tool
  – But network operations can benefit greatly.
  – Network operations should consult with security operations so both support organizations leverage a common investment.

Page 41

Conclusions

• Network and security administrators have discovered the value that NBA has beyond security threat detection.
• NBA provides visibility into all network activity
  – Optimizing the end-user experience
  – Monitoring for meaningful change
  – Troubleshooting performance issues faster
  – Delivering value to both network and security operations
• Enterprises are experiencing the benefits today, and behavioral context will become even more critical in the future.