Lancope StealthWatch Technology

Transcript of a PowerPoint presentation (24 slides)

Page 1

Security Through Network Intelligence
www.lancope.com

Lancope StealthWatch Technology

Page 2

About Lancope

3 years of focused research in flow-based network and security technologies.

StealthWatch evolved from research conducted by Dr. John Copeland at Georgia Tech.

Based in Atlanta, GA

Flagship product: StealthWatch
- Detects real-time attacks inside your network (not signature based)
- Mitigation and documentation of real-time attacks
- Short- and long-term forensics

Page 3

Why StealthWatch vs. other technology for your internal network?

• Easy to deploy

• 1/3rd to 1/2 the cost of other solutions

• Shows the performance and risks of your Enterprise NOC and SOC in real time.

• Not signature based

• Not perimeter based

• No multilayer steps to get results

• StealthWatch is best at discovering, prioritizing and mitigating real-time worms, viruses and exploits in your internal network

• StealthWatch gives you Network Optimization and Threat Management for your Enterprise NOC and SOC

Page 4

Internal Attacks on the rise!

“The trend has been moving away from external to internal security” (Security Analysts), Wall Street Journal, June 2005

Internal breaches: bandwidth consumption, policy violations, Trojans, zero-day attacks, application misuse and others have caused:

- Service and system interruptions
- Data loss
- Intellectual property theft
- Major loss in company credibility
- Huge financial losses

The growth in internal attacks in a survey of 600 North American and Western European companies:

2003: up 30%
2004: up 50%
2005: could be up 75%

Page 5

How to protect your environment from internal attacks?

• Organizations should establish a trusted behavior baseline for each machine on the network.

• Look for changes in the current footprint behavior.

• If these procedures are implemented effectively, they can detect and protect systems against new malicious code, worms and other internal breaches.

(US Secret Service and Gov. CERT, May 2005)

Page 6

140+ Existing Customers…

Page 7

Too Many Attack Vectors

- CVE contains 7819 vulnerabilities (Feb 2005)

- Most signature vendors block on about 150 sigs

- That’s 2%

- What about the other 98%?

[Chart: attacks blocked vs. attacks remaining]

Page 8

Signatures Can’t Keep Up

“Given the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks. Therefore, as of 2004, we will no longer publish the number of incidents reported.”

- CERT

Attack frequency increases… while the discovery-to-exploit window decreases.

[Chart: incidents reported per year, 1988 to 2003; vertical axis 0 to 150,000]

Page 9

NetFlow provides “Mountaintop visibility”

“Flows” provide total visibility across a wide network range by collecting data from routers in varying locations. This gives StealthWatch total supervision over the network and the ability to track behavior throughout the network, from start to end.

Page 10

BEHAVIOR RATHER THAN SIGNATURES

Analyze flows… Establish baseline… Alarm on changes in behavior…

- Number of concurrent flows
- Packets per second
- Bits per second
- New flows created
- Number of SYNs sent
- Time of day
- Number of SYNs received
- Rate of connection resets
- Duration of the flow
- <Many others>
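The baseline-then-alarm approach from the "How to protect your environment" slide, worked over a few of the flow metrics listed above (bytes, SYNs sent, new flows), as an added Python example; this is not Lancope's code, and the flow record layout, window scheme and thresholds are assumptions.

```python
# Added example, not Lancope code: learn a per-host baseline of flow metrics from
# past windows, then alarm when a window deviates sharply (constructed data).
from collections import defaultdict
from statistics import mean, pstdev

METRICS = ("bytes", "syn_sent", "new_flows")
# Constructed flow records: (window, src_host, bytes, syns_sent, new_flows).
# Windows 0-4 are the training period; window 5 is the one being judged.
SAMPLE_FLOWS = []
for w in range(5):
    SAMPLE_FLOWS += [(w, "10.0.0.5", 4000 + 100 * w, 3, 3), (w, "10.0.0.9", 9000, 5, 5)]
# Window 5: 10.0.0.5 opens many short flows (many SYNs, few bytes); 10.0.0.9 is steady.
SAMPLE_FLOWS += [(5, "10.0.0.5", 600, 90, 90), (5, "10.0.0.9", 9100, 5, 5)]

def aggregate(flows):
    """Sum each metric per host and window: agg[host][window][metric]."""
    agg = defaultdict(lambda: defaultdict(lambda: dict.fromkeys(METRICS, 0)))
    for window, host, *values in flows:
        for metric, v in zip(METRICS, values):
            agg[host][window][metric] += v
    return agg

def baseline(agg, train_windows):
    """Per host and metric: (mean, population std-dev) over the training windows."""
    base = {}
    for host, by_window in agg.items():
        base[host] = {}
        for metric in METRICS:
            vals = [by_window[w][metric] for w in train_windows if w in by_window]
            base[host][metric] = (mean(vals), pstdev(vals))
    return base

def alarms(agg, base, window, min_sigma=3.0, min_ratio=2.0):
    """Return (host, metric, value, baseline_mean) where the window's value is both
    min_sigma std-devs above baseline and min_ratio times it. The ratio test keeps a
    near-constant baseline (std-dev ~ 0) from alarming on a trivial change."""
    hits = []
    for host, metrics in base.items():
        current = agg[host].get(window, dict.fromkeys(METRICS, 0))  # no traffic -> zeros
        for metric, (mu, sigma) in metrics.items():
            val = current[metric]
            z = (val - mu) / sigma if sigma > 0 else (float("inf") if val > mu else 0.0)
            if z >= min_sigma and val >= min_ratio * max(mu, 1):
                hits.append((host, metric, val, round(mu, 1)))
    return sorted(hits)

if __name__ == "__main__":
    agg = aggregate(SAMPLE_FLOWS)
    print(alarms(agg, baseline(agg, range(5)), window=5))
```

On the constructed data only 10.0.0.5 alarms, on SYNs sent and new flows; 10.0.0.9's small byte increase over a flat baseline is suppressed by the ratio test.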

Page 11

STEALTHWATCH: BEHAVIOR-BASED FLOW ANALYSIS

Cost-effective, extended enterprise-wide protection and control

Provides visibility into “most significant” network behaviors

Streamlines and shortens resolution time

Powerful audit, compliance reporting, and forensic capabilities

[Diagram: flow inputs (SPAN, NetFlow, Cisco Native Ethernet); integrations with SIM/SEM (ArcSight, Guarded) and signature-based systems (ISS, Snort, etc.)]

Page 12

INFRASTRUCTURE IPS

StealthWatch Automated Mitigation:
- Install Cisco PIX firewall rules
- Install Checkpoint firewall rules
- Inject Cisco Null0 route
- Customizable scripted response

Page 13

Table columns: Devices, Vendors, Customer

- Firewalls: Checkpoint NG, NGAI, Provider 1; Cisco PIX; Cyberguard; Lucent Brick; Juniper; Symantec Enterprise
- Routers and switches: Cisco; Extreme; Juniper; Foundry
- Forensics: Flow Analysis Server

Page 14

STM Features: Supported Security Devices

Table columns: Devices, Vendors, Customer

- IDS / IPS: ISS RealSecure, Workgroup Manager, Site Protector; Cisco Secure IDS v4 (RDEP); Enterasys Dragon; Snort; Symantec Manhunt; nCircle IP360; TopLayer Mitigator IPS; Netscreen Firewall/IDS; Network Associates Intrushield

Page 15

Table columns: Locations, Main Data Centers, Customer

- How many main data centers do you manage?
- How many DCs would you want to monitor with StealthWatch?
- Do you want to have the NOC and SOC monitored?
- How many remote locations do you have?
- What kind of connections do you have to those remote locations?

Page 16

StealthWatch Product Line

(StealthWatch rack-mountable 1U appliance)

- M250: Designed for Fast Ethernet networks
- M45: Designed for DS3 links or underutilized Fast Ethernet connections
- G1: Designed for networks with speeds up to one gigabit per second
- Xe-500: Entry-level StealthWatch NetFlow Collector
- Xe-1000: Midrange StealthWatch NetFlow Collector
- Xe-2000: High-end StealthWatch NetFlow Collector
- SMC: Collects and manages multiple StealthWatch and StealthWatch Xe appliances

Page 17

Deployment: How do we collect flows?

Page 18

StealthWatch Xe: Monitor Remote Locations

12 IDP/IPS sensors required

vs. 1 StealthWatch Xe required

Page 19

Overcome complex deployments and cost

8 Inline IPS @ $64,995: $519,960

1 NetFlow-based Xe-2000: <$50,000

Page 20

PRE-EXISTING CONDITIONS ARE DETECTED

[Screenshot: Concern Index]

Page 21

FLOW VISUALIZATION

Page 22

StealthWatch Solution

StealthWatch is a fast, accurate and cost-effective solution that immediately detects malicious or unauthorized network activity, including new and otherwise unidentifiable threats. As a network-based system, StealthWatch overcomes the cost and complexity of deploying and maintaining signature- or host-based systems. With StealthWatch, organizations can now identify and resolve network exposures, such as new, misconfigured or unauthorized devices and applications. These threats, which include rogue servers and P2P file sharing applications, result in 65% of network risks, according to a Gartner estimate. When unpreventable network events or host infections occur, StealthWatch detects and contains the incident while delivering critical insight that accelerates resolution and minimizes damage.

Page 23

Problems Solved: Network Security Problems Addressed

- Cost and complexity: reduced
- Prioritization and visibility: across the entire network, NOC and SOC
- Reaction time: detect and mitigate zero-day attacks inside your network

Page 24

Next Steps for your Company and Lancope

• NDA

• Evaluation

• References