Plixer - Cyber Security Summit (Cyber Summit USA – The Official Cyber Security...)
Slide deck source: cybersummitusa.com/wp-content/uploads/2017/11/Cyber... (uploaded 2017-11-15)
Advanced Security Analytics: NetFlow and Metadata for Incident Response
plixer
Cybersecurity Summit: Boston
Agenda
• Shifting security strategies
• Mining data from your network infrastructure
• Flow and metadata export types and sources
• Data correlation, visualization and reporting
• Complement existing security platforms
• Least privilege to reduce risks from IoT
• Data-driven approach to incident response
Failing Security Strategy
• As an industry we have focused primarily on prevention
• Out-of-control threat surfaces and sophistication of attacks
• In today’s reality breaches are inevitable
Detection Alone is Not Enough
• Detecting incidents is just the first step
• Now what do I do, where do I start?
• Focus must shift to incident response
The Network Sees All
• Every “1” and “0” you care about traverses the network
• The network is your most reliable source of truth: flow export records who talked to whom, when, over which ports and how much, even when the payload itself is encrypted
• Collect, summarize and export via NetFlow, IPFIX and metadata
Context is King
• Latest buzzword bingo, but it has real market traction
• Single source of who, what, where, when, why and how
• Effective incident response requires more context
NetFlow
• Originated by Cisco
• Records L2-4 conversation details: source/destination addresses, TCP/UDP ports and IP protocol, source/destination AS, packet and byte counts
• Answers the classic questions: top talkers, bandwidth consumption, etc.
NetFlow
• Cisco proprietary; not designed as a vendor-neutral export format (v9 is documented in RFC 3954, but as an Informational RFC rather than a standard)
• Template driven (v9), but exports fixed-length elements only
• Supports sampled flows (1-in-N packet sampling lowers exporter load, but short conversations can be missed entirely, which matters when the records are later used as forensic evidence)
IP Flow Information Export (IPFIX)
RFC 7011
• IETF standard (RFC 7011) for exporting flow records and metadata; vendor neutral
• Template driven: IANA-registered Information Elements (RFC 7012) plus enterprise-specific elements (flagged by the enterprise bit and a Private Enterprise Number) and variable-length fields for strings such as URLs
• Each template defines a record schema, so exported data maps directly onto a structured database
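The template mechanism described above, as an added example that is not part of the original slides or of any Plixer product: a minimal IPFIX collector in Python that caches templates per observation domain, decodes a data set against its template, and handles the enterprise bit and variable-length fields. The Private Enterprise Number 99999 and the `urlHost` element are made up for illustration; the IANA element IDs are the registered ones. The sample message is constructed inline so the block runs offline.

```python
import struct
from ipaddress import IPv4Address

# Subset of the IANA IPFIX Information Element registry (RFC 7012): id -> name.
IANA_IES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
            7: "sourceTransportPort", 8: "sourceIPv4Address",
            11: "destinationTransportPort", 12: "destinationIPv4Address"}
# Hypothetical enterprise-specific element (made-up PEN, not a real registration),
# standing in for the proprietary metadata vendors add to their exports.
HYPO_PEN = 99999
ENTERPRISE_IES = {(HYPO_PEN, 1): "urlHost"}
VARIABLE_LENGTH = 0xFFFF  # template length meaning "length is carried in each record"

def _field_name(pen, ie_id):
    if pen is None:
        return IANA_IES.get(ie_id, f"iana.ie{ie_id}")
    return ENTERPRISE_IES.get((pen, ie_id), f"pen{pen}.ie{ie_id}")

def _decode(name, raw, variable):
    if name.endswith("IPv4Address") and len(raw) == 4:
        return str(IPv4Address(raw))
    if variable:  # this example treats variable-length elements as UTF-8 strings
        return raw.decode("utf-8", errors="replace")
    return int.from_bytes(raw, "big")  # IPFIX integers are network byte order

def _parse_template_set(body, domain, templates):
    off = 0
    while off + 4 <= len(body):
        tid, count = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if tid < 256:  # zero padding at the end of the set, not a template
            break
        fields = []
        for _ in range(count):
            ie_id, flen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            pen = None
            if ie_id & 0x8000:  # enterprise bit set: a 4-byte PEN follows
                ie_id &= 0x7FFF
                (pen,) = struct.unpack("!I", body[off:off + 4])
                off += 4
            fields.append((pen, ie_id, flen))
        templates[(domain, tid)] = fields  # templates are scoped per observation domain

def _parse_data_set(body, fields):
    records, off = [], 0
    min_len = sum(1 if f[2] == VARIABLE_LENGTH else f[2] for f in fields)
    while off + min_len <= len(body):  # anything shorter than a record is padding
        rec = {}
        for pen, ie_id, flen in fields:
            variable = flen == VARIABLE_LENGTH
            if variable:
                flen = body[off]; off += 1
                if flen == 255:  # long form: 255 followed by a 2-byte length
                    (flen,) = struct.unpack("!H", body[off:off + 2]); off += 2
            raw = body[off:off + flen]; off += flen
            name = _field_name(pen, ie_id)
            rec[name] = _decode(name, raw, variable)
        records.append(rec)
    return records

def parse_ipfix_message(data, templates):
    """Parse one IPFIX message (RFC 7011). `templates` maps (domain, template_id) -> fields
    and persists across calls, as a collector's template cache must. Returns
    (decoded records, template IDs of data sets that could not yet be decoded)."""
    version, length, _export_time, _seq, domain = struct.unpack("!HHIII", data[:16])
    if version != 10:
        raise ValueError(f"not IPFIX: version {version}")
    if length > len(data):
        raise ValueError("truncated message")
    records, skipped, off = [], [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", data[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")  # never trust exporter-supplied lengths
        body = data[off + 4:off + set_len]
        if set_id == 2:
            _parse_template_set(body, domain, templates)
        elif set_id >= 256:
            fields = templates.get((domain, set_id))
            if fields is None:
                skipped.append(set_id)  # real collectors buffer or drop until the template arrives
            else:
                records.extend(_parse_data_set(body, fields))
        # set 3 (options templates) and reserved set IDs are ignored in this example
        off += set_len
    return records, skipped

def build_sample_message(template_first=True):
    """Constructed sample: a Template Set (ID 2) defining template 256 and a Data Set
    (ID 256) with two records, one carrying the hypothetical enterprise urlHost field."""
    fields = [(None, 8, 4), (None, 12, 4), (None, 7, 2), (None, 11, 2), (None, 4, 1),
              (None, 2, 8), (None, 1, 8), (HYPO_PEN, 1, VARIABLE_LENGTH)]
    tmpl = struct.pack("!HH", 256, len(fields))
    for pen, ie_id, flen in fields:
        tmpl += struct.pack("!HH", ie_id, flen) if pen is None else struct.pack("!HHI", ie_id | 0x8000, flen, pen)
    template_set = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, proto, pkts, octets, host):
        h = host.encode()
        return (IPv4Address(src).packed + IPv4Address(dst).packed
                + struct.pack("!HHBQQ", sport, dport, proto, pkts, octets) + bytes([len(h)]) + h)
    recs = (rec("10.1.1.20", "203.0.113.5", 51234, 443, 6, 12, 3400, "update.example.com")
            + rec("10.1.1.21", "198.51.100.9", 40000, 21, 6, 1, 64, ""))
    data_set = struct.pack("!HH", 256, 4 + len(recs)) + recs
    body = template_set + data_set if template_first else data_set + template_set
    # header: version 10, total length, export time (arbitrary), sequence, observation domain 7
    return struct.pack("!HHIII", 10, 16 + len(body), 1510704000, 1, 7) + body

if __name__ == "__main__":
    cache = {}
    for r in parse_ipfix_message(build_sample_message(), cache)[0]:
        print(r)
```

Running `build_sample_message(template_first=False)` through an empty cache shows the practical consequence of template-driven export: the data set is undecodable until the template has been seen, which is why collectors must be fed the template refresh and why a restarted collector goes blind for a template-refresh interval.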
The Growth of Metadata
• Vendors are striving for market differentiation
• Proprietary data exports are rapidly growing
• Context enables data-driven incident response
Data Exporter Examples
Security Details in Flow and Metadata
• Traffic patterns (e.g. FTP beaconing: a host contacting the same peer on a fixed schedule)
• Tor connections
• DDoS detection
• P2P lateral movement
• URL details
• DNS queries
• SSL/TLS details
• Domain reputation
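The beaconing pattern in the list above, as an added example that is not part of the original slides or of any Plixer product: a detection run over constructed flow records in Python. It groups flows by (source, destination, protocol, port), measures how regular the gaps between flow starts are, and flags tight periodicity, while suppressing ports that are legitimately periodic (NTP here). The timestamps and addresses are constructed; the field names follow IPFIX.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple

class Flow(NamedTuple):
    """One flow record as a collector stores it (names follow IPFIX elements)."""
    flow_start: int   # flowStartSeconds
    src: str          # sourceIPv4Address
    dst: str          # destinationIPv4Address
    proto: int        # protocolIdentifier (6 = TCP, 17 = UDP)
    dport: int        # destinationTransportPort
    octets: int       # octetDeltaCount

def beacon_candidates(flows, min_flows=6, max_jitter=0.15, allow_ports=frozenset({123})):
    """Flag (src, dst, proto, dport) conversations whose start times are near-periodic.
    jitter = stdev(gap) / mean(gap): people and bursty applications spread their gaps
    widely, a scheduled call-home keeps them tight. allow_ports suppresses traffic
    that is legitimately periodic; tune it per environment rather than disabling it."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.proto, f.dport)].append(f)
    hits = []
    for key, group in by_key.items():
        if len(group) < min_flows or key[3] in allow_ports:
            continue
        starts = sorted(f.flow_start for f in group)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            hits.append({"key": key, "flows": len(group), "period_s": round(period),
                         "jitter": round(jitter, 3),
                         "avg_octets": round(mean(f.octets for f in group))})
    return sorted(hits, key=lambda h: h["jitter"])

T0 = 1510704000  # constructed base timestamp

# Constructed sample records. The FTP beacon drifts by a few seconds, as real
# implants do, but its period stays close to 300 s and its size barely changes.
SAMPLE_FLOWS = (
    [Flow(T0 + 300 * i + (i % 3 - 1) * 4, "10.1.1.21", "198.51.100.9", 6, 21, 64 + (i % 2) * 8)
     for i in range(10)]
    # ordinary browsing from another host: irregular timing, varying sizes
    + [Flow(T0 + t, "10.1.1.20", "203.0.113.5", 6, 443, 3400 + 100 * t)
       for t in (0, 37, 41, 260, 900, 905, 1450, 2100, 2103, 2800)]
    # NTP: perfectly periodic, but expected, so suppressed by allow_ports
    + [Flow(T0 + 64 * i, "10.1.1.20", "192.0.2.123", 17, 123, 76) for i in range(8)]
)

if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_FLOWS):
        print(hit)
```

The thresholds are deliberately parameters: `min_flows` sets how long a beacon must run before it can be seen, and `max_jitter` trades false positives (monitoring agents, mail polling) against implants that randomise their sleep. Pair the hit with the URL, DNS and reputation metadata from the same records before escalating.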
One Database
• Data correlation
• Visualization
• Reporting
Incident Response - The House that NetFlow Built
• NetFlow: the foundation, providing source and destination for every conversation
• Investigative forensics leveraging thousands of data elements layered on top of it
• Context enables data-driven incident response
Complement Existing Security
• Rapid root cause analysis with timestamps
• Pivot into SIEM and DPI for additional incident details
• Take dynamic action to automate incident response (IPS, firewall, etc.)
IoT Least Privilege Policy
• Stop deploying IoT as trusted assets
• IoT devices are purpose built with a narrow set of communications
• Identify the least-privilege policy (which peers, protocols and ports each device legitimately needs), then monitor flow data and alert on any deviation
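The identify-then-monitor loop described above, as an added example that is not part of the original slides or of any Plixer product: a Python sketch that derives a candidate per-device policy from a baseline window of flow records, compares it with an operator-authored policy, and reports live flows that fall outside it. The device, addresses, ports and records are constructed for the example.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Flow(NamedTuple):
    src: str     # sourceIPv4Address
    dst: str     # destinationIPv4Address
    proto: int   # protocolIdentifier (6 = TCP, 17 = UDP)
    dport: int   # destinationTransportPort

# Operator-authored least-privilege policy, keyed by device address (constructed).
# Each rule is (destination network, protocol, destination port). A camera needs
# its NVR, the local resolver and NTP; nothing else.
CAMERA = "10.2.0.15"
POLICY = {
    CAMERA: [
        (ip_network("10.2.0.2/32"), 6, 554),   # RTSP to the NVR
        (ip_network("10.2.0.1/32"), 17, 53),   # DNS
        (ip_network("10.2.0.1/32"), 17, 123),  # NTP
    ],
}

def learn_policy(flows, devices):
    """Derive a candidate policy for each device from a baseline window of flows.
    Hosts are recorded as /32 rules; the operator reviews the result and widens
    it deliberately (e.g. to a subnet) rather than trusting the baseline blindly,
    since a device that was already compromised during the window would have its
    attacker traffic baked into the policy."""
    learned = {d: set() for d in devices}
    for f in flows:
        if f.src in learned:
            learned[f.src].add((ip_network(f"{f.dst}/32"), f.proto, f.dport))
    return {d: sorted(rules, key=lambda r: (str(r[0]), r[1], r[2])) for d, rules in learned.items()}

def policy_violations(flows, policy):
    """Return flows from policed devices that match no rule. Devices absent from the
    policy are ignored here; on a dedicated IoT segment an unknown source address
    should itself be treated as an alert."""
    violations = []
    for f in flows:
        rules = policy.get(f.src)
        if rules is None:
            continue
        dst = ip_address(f.dst)
        if not any(dst in net and f.proto == proto and f.dport == port for net, proto, port in rules):
            violations.append(f)
    return violations

# Constructed baseline window: the camera behaving as designed.
BASELINE = [
    Flow(CAMERA, "10.2.0.1", 17, 53), Flow(CAMERA, "10.2.0.2", 6, 554),
    Flow(CAMERA, "10.2.0.1", 17, 123), Flow(CAMERA, "10.2.0.2", 6, 554),
    Flow("10.1.1.20", "203.0.113.5", 6, 443),  # unrelated workstation traffic
]
# Constructed live window: normal traffic plus two deviations, an SMB probe toward
# a workstation (lateral movement) and outbound telnet to an external host.
LIVE = BASELINE + [Flow(CAMERA, "10.1.1.20", 6, 445), Flow(CAMERA, "203.0.113.77", 6, 23)]

if __name__ == "__main__":
    print("learned:", learn_policy(BASELINE, [CAMERA]))
    for v in policy_violations(LIVE, POLICY):
        print("ALERT policy deviation:", v)
```

In production the learned and authored policies are diffed as part of onboarding, the violation list feeds the SIEM, and the same rule set can be pushed to the switch ACL or firewall so that enforcement and detection agree on what "least privilege" means for that device.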
Data Driven Incident Response
• Desired goal is faster time-to-response
• Contextual data is actionable data
• Flow and metadata are emerging as a critical source of forensics
Collector/Reporting Engine Evaluation Criteria
• How many elements are supported, and from which vendors?
• How well does reporting stitch together L2-7 metadata?
• How quickly can you query the data and pivot on elements?