
Enterprise Situational Awareness and Monitoring through Network Behavior Analysis

Mark McDaniel,

Systems Engineering Team Leader,

Lancope



Agenda

  • What is Network Behavior Analysis?

  • How Does NBA Work?

  • NetFlow - A Brief Overview

  • Current Organizational Security and Operational Challenges

  • Traditional Security Framework

  • NBA's Role in the Security Environment

  • Traditional Network Operations Framework

  • NBA's Role in the Network Operations Environment

  • Traditional Compliance and Policy Monitoring Framework

  • NBA for Compliance and Policy Monitoring

  • NBA's Future



What is Network Behavior Analysis?

Put simply, Network Behavior Analysis is the monitoring and analysis of network flows to understand host behavior.

NBA systems monitor the network through a variety of methods to gain visibility into the behavior of hosts and their relationships with one another.

NBA systems profile the behavior of a number of different factors (data points) for every host on the network to create an observed baseline of what constitutes “normal” activity for that host.

NBA systems continuously monitor the network to ensure compliance with the established baseline for each behavioral data point for every active host, alarming when thresholds or other variables are exceeded.

NBA systems allow administrators to divide the network into logical segments to improve the granularity of reporting and to define policies based on a number of different factors.

NBA systems also provide information into the health of the network infrastructure and a wealth of other information.



How Does NBA Work?

  • NBA systems monitor the network via SPAN or mirror ports or inline taps to capture traffic for analysis. In addition, and much more commonly, NBA systems monitor flow records generated by the network infrastructure: NetFlow for Cisco devices, sFlow for many other hardware vendors.

  • There are pros and cons to each monitoring approach:

  • SPAN/Mirror/Tap Systems are segment based with limited visibility but offer packet payload analysis.

  • NetFlow monitoring can deliver visibility for the entire network, provided the hardware infrastructure supports it, but doesn’t offer payload.

  • sFlow also can deliver enterprise-wide visibility AND offer some payload analysis, but is a sampled technology analyzing only 1 in every X packets.

  • Once packets or flows are captured for analysis, tables are built within the system to create a session record.

  • Next, a series of algorithms is performed on the session record to detect malicious activity, threshold violations and policy exceptions.

  • NBA systems using NetFlow or sFlow also report on the traffic transiting the interfaces of flow export capable hardware and deliver information regarding their health.



NetFlow - A Brief Introduction, Terminology

  • As with any self-respecting technology, NetFlow has a number of unique terms:

  • Exporter - Any network hardware device capable of collecting and exporting NetFlow.

  • Collector - The device to which flows are exported and on which they are analyzed.

  • NetFlow Cache - Where the flow records are kept prior to being exported.

  • Cache Timers - Specify flow record export in minutes and seconds.

  • Inactive Timeout - The timer for flows representing completed sessions.

  • Active Timeout - The timer for flows representing sessions that are still continuing.


NetFlow - A Brief Introduction, Part 1 Monitoring

[Diagram: IP data flowing from the network to a StealthWatch Flow Collector]


NetFlow - A Brief Overview, Part 2 Record Creation

  • NetFlow is “uni-directional”

  • Flow stats are counted inbound on the router interface

  • Flows are stored on the router in a “flow cache”

[Diagram: router holding the flow cache]


NetFlow - A Brief Overview, Part 3, Creating Flow Records

7 pre-defined key fields

  • Inspect packet for key field values

  • Compare set of values to NetFlow cache

  • If the set of values is unique, create a flow in cache

  • Inspect the next packet

[Diagram: Example 1 and Example 2, each inspecting successive packets against the cache]



NetFlow - A Brief Overview, Part 4 Flow Record Export

1500 byte UDP PDU

30 NetFlow Records per PDU
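Parts 2 through 4 above describe one procedure on the exporter: key the packet, create or update a cache entry, expire it on a timeout, and ship it in PDUs of up to 30 records. The following is an added Python simulation of that procedure, not code from the presentation or from Lancope; the seven classic key fields (source and destination IP, source and destination port, layer 3 protocol, ToS byte, input interface), the packet tuples and the timeout values are assumptions.

```python
# Added example, not from the presentation: an exporter-side flow cache keyed by the
# seven classic NetFlow key fields, with active/inactive timeouts and export in PDUs
# of at most 30 records. All packets and timeout values below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
# Key-field order used for the packet tuples below (classic v5 key fields)
KEY_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto", "tos", "in_if")
RECORDS_PER_PDU = 30  # per-PDU record limit stated on the slide

@dataclass
class Flow:
    key: Tuple
    first_seen: float
    last_seen: float
    packets: int = 0

@dataclass
class FlowCache:
    active_timeout: float = 1800.0  # seconds; long sessions are exported in slices
    inactive_timeout: float = 15.0  # seconds; idle flows are treated as finished
    cache: Dict[Tuple, Flow] = field(default_factory=dict)
    export_queue: List[Flow] = field(default_factory=list)

    def observe(self, pkt: Tuple, now: float) -> bool:
        """Inspect key fields; create a flow if the value set is new. True if created."""
        key = tuple(pkt[:len(KEY_FIELDS)])
        flow = self.cache.get(key)
        created = flow is None
        if created:
            flow = self.cache[key] = Flow(key, first_seen=now, last_seen=now)
        flow.last_seen = now
        flow.packets += 1
        return created

    def expire(self, now: float) -> int:
        """Move flows that hit the inactive or active timeout to the export queue."""
        done = [k for k, f in self.cache.items()
                if now - f.last_seen >= self.inactive_timeout
                or now - f.first_seen >= self.active_timeout]
        for k in done:
            self.export_queue.append(self.cache.pop(k))
        return len(done)

    def build_pdus(self) -> List[List[Flow]]:
        """Pack the export queue into PDUs of at most RECORDS_PER_PDU records each."""
        pdus = [self.export_queue[i:i + RECORDS_PER_PDU]
                for i in range(0, len(self.export_queue), RECORDS_PER_PDU)]
        self.export_queue = []
        return pdus

def demo() -> dict:
    # Constructed traffic: two packets of an HTTP request plus one reply packet
    cache = FlowCache()
    req = ("10.0.0.5", "10.0.1.9", 51000, 80, 6, 0, 2)
    rep = ("10.0.1.9", "10.0.0.5", 80, 51000, 6, 0, 3)
    created = [cache.observe(req, 0.0), cache.observe(rep, 0.1), cache.observe(req, 0.2)]
    expired = cache.expire(20.0)  # both flows idle > 15 s, so both leave the cache
    pdus = cache.build_pdus()     # uni-directional: request and reply are separate records
    return {"created": created, "expired": expired, "pdus": len(pdus), "records": len(pdus[0])}
```

Because the key includes the input interface and direction-specific addresses, the request and its reply never merge into one record; the collector has to pair them (the de-duplication and analysis steps that follow).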



NetFlow - A Brief Overview, Part 5 Flow De-Duplication



NetFlow - A Brief Overview, Part 6 Flow Analysis Overview



NetFlow - A Brief Overview, Part 7 Scanning Host Example

  • Flows are collected and exported

  • Collected flows are put into a state table for algorithmic analysis to check for threshold and policy violations.

  • Alarms are triggered and propagated.
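The three steps above, together with the per-host baseline idea from "What is Network Behavior Analysis?", as an added Python example on the collector side; this is not the presentation's or Lancope's code, and the flow records, the per-host peer baseline, the tolerance factor and the single-packet ratio are constructed assumptions.

```python
# Added example, not from the presentation: a collector-side state table built from
# exported flow records and a scanning-host check against each host's profiled
# baseline of distinct peers. All flow records, baselines and thresholds are constructed.
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records: (src_ip, dst_ip, dst_port, proto, packets)
# 10.0.0.5 is a normal client; 10.0.0.77 touches 40 hosts on one port with one packet each
FLOWS: List[Tuple[str, str, int, int, int]] = [
    ("10.0.0.5", "10.0.1.9", 80, 6, 12),
    ("10.0.0.5", "10.0.1.9", 443, 6, 30),
    ("10.0.0.5", "10.0.1.20", 445, 6, 8),
] + [("10.0.0.77", f"10.0.1.{i}", 22, 6, 1) for i in range(1, 41)]

def build_state_table(flows) -> Dict[str, dict]:
    """Collapse flow records into per-source counters that the algorithms run over."""
    table: Dict[str, dict] = defaultdict(
        lambda: {"peers": set(), "ports": set(), "flows": 0, "single_pkt": 0})
    for src, dst, dport, proto, pkts in flows:
        ent = table[src]
        ent["peers"].add(dst)
        ent["ports"].add((proto, dport))
        ent["flows"] += 1
        if pkts == 1:
            ent["single_pkt"] += 1
    return table

def check_scanning(table: Dict[str, dict], baseline: Dict[str, int],
                   default_peers: int = 10, tolerance: float = 2.0) -> List[dict]:
    """Alarm when a host contacts more distinct peers than its baseline allows and
    most of its flows are single-packet (scans rarely complete a session).
    baseline maps host -> profiled distinct-peer count; unknown hosts use default_peers."""
    alarms = []
    for src, ent in table.items():
        expected = baseline.get(src, default_peers)
        peers = len(ent["peers"])
        single_ratio = ent["single_pkt"] / ent["flows"]
        if peers > expected * tolerance and single_ratio > 0.5:
            alarms.append({"host": src, "peers": peers, "expected": expected,
                           "ports": len(ent["ports"]), "single_pkt_ratio": round(single_ratio, 2)})
    return alarms

def demo() -> List[dict]:
    # Constructed baseline: 10.0.0.5 normally talks to about 5 peers; 10.0.0.77 is unprofiled
    return check_scanning(build_state_table(FLOWS), baseline={"10.0.0.5": 5})
```

In a real deployment the baseline comes from the observed history of each host rather than a hand-written dictionary, which is what makes the check behavioral rather than signature based.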



Current Organizational Security Challenges

Existing Security Technologies Do Their Jobs Well but Present Challenges:

  • Security Devices Are Segment Based, Unable to Monitor the Entire Network.

  • Security Devices Can Only Detect “The Known Bad” Through Signatures.

  • Security Devices Lack Contextual Awareness of the Hosts, Applications and Services.

  • HIDS/Anti-Virus/Anti-Malware Can Be Difficult to Manage Requiring Agent Installation.

  • NAC Only Defines Pre-Admission Control and Offers Little to No Monitoring After a Host is Authenticated

  • SIEMs Are “Data Haystacks” Requiring Complex Rule Writing and Configuration While Not Being Effective for Real-time Analysis.

  • Continuous, Real-time Policy Monitoring is Practically Impossible with Segment by Segment Visibility.

  • ACLs and Firewalls Lack a Continuous Monitoring Mechanism, Resulting in a Plug and Pray Policy.

  • The Tools Aren’t Integrated in Any Meaningful Way With Net Ops Tools Creating Points of Contention Between the Two Teams if Their Tools are Generating Conflicting Information.

  • None of These Technologies Deliver Global, Real-time Situational Awareness.


The Traditional Security Framework - The Core is Highly Secure

[Network diagram labels: Lightly Protected Remote Site, Protected Remote Site, Internet, Small Branch Office, Midsized Branch Office, Branch Edge Router, HQ Edge Router, Packet Filter, Highly Protected Network Core, Packet Filter, SIEM, Packet Inspector, Core Switch w/ACLs, End User Switch, VPN Concentrator, End User System w/HIDS, AV, NAC, etc., Remote User, Business Critical Assets]



How NBA Helps Solve Many Current Security Challenges

NBA Complements the Existing Security Infrastructure, Delivering:

  • Enterprise-Wide Visibility Through NetFlow and sFlow Enabling the Entire Network as a Sensor Grid.

  • Analysis of Host Behaviors Rather Than Pattern Matching to Detect Zero-Day Attacks.

  • NBA is Based on Relationship Modeling and Awareness Delivering Excellent Context.

  • NBA Systems Are Agentless and Reside on the Network Like Any Other Host for Ease of Management.

  • NBA Complements NAC for Compliance Monitoring and Post-Admission Control.

  • NBA Uses a Limited Number of Data Feeds for Continuous Real-time Analysis Not Requiring Complex Rule Writing and Becoming Overloaded with Massive Amounts of Data for Analysis.

  • NBA Monitors the Entire Network Detailing Host-to-Host Relationships as well as Applications, Services and Protocols in Use, Delivering Continuous Policy Monitoring.

  • NBA is Configured with Policies to Continuously Monitor and Audit ACLs and Firewall Rule Sets.

  • NBA, Through Its Host, Traffic and Behavioral Profiling as well as NetFlow Analysis and Exporter Interface Information, is an Excellent Complementary Net Ops Tool to the Existing SNMP and Sniffer Based Systems.

  • NBA’s Primary Function is to Deliver Real-time Situational Awareness Through a Combination of Behavioral Analysis, Configured Policy and Host-to-Host Relationship Modeling.


NBA’s Role in the Security Infrastructure - Continuous, Global Visibility

[Network diagram labels: Internet, Small Branch Office, Midsized Branch Office, Branch Edge Router, HQ Edge Router, Packet Filter, Packet Filter, SIEM, Packet Inspector, Core Switch w/ACLs, End User Switch, VPN Concentrator, End User System w/HIDS, AV, NAC, etc., Remote User, Business Critical Assets]



Current Organizational Network Operations Challenges

Existing Net Ops Technologies Do Their Jobs Fairly Well but Also Present Challenges:

  • Most Net Ops Monitoring Tools are SNMP Based “Noise Generators” Reporting an Event Occurred but Not Why The Event Occurred.

  • Sniffer Type Devices Are Expensive, Difficult to Deploy and Not Real-Time.

  • Almost All Net Ops Products Lack Contextual Awareness of the Network and Hosts.

  • Determining Root Cause of Most Events Requires Access to Multiple Consoles and Network Hardware CLI.

  • Sniffer Type Devices Require a Strong Level of Knowledge to Operate Correctly.

  • EMS/NMS and MoMs Are “Data Haystacks” Requiring Complex Rule Writing and Configuration While Not Being Effective for Real-time Analysis.

  • Continuous, Real-time Policy Monitoring is Practically Impossible Because of Technology Limitations.

  • Most Appliance Based Net Ops Tools are Segment-Based Not Delivering Global Visibility. NetFlow Offerings to Date are Extremely Limited.

  • The Tools Aren’t Integrated in Any Meaningful Way With Security Ops Tools Creating Points of Contention Between the Two Teams if Their Tools are Generating Conflicting Information.

  • None of These Technologies Deliver Global, Real-time Operational Awareness.


The Traditional Network Ops Framework - SNMP and Sniffers

[Network diagram labels: Internet, Small Branch Office, Midsized Branch Office, Branch Edge Router, HQ Edge Router, Packet Filter, Sniffer, Packet Filter, EMS/NMS/MoM, Packet Inspector, Core Switch w/ACLs, End User Switch, VPN Concentrator, End User System w/HIDS, AV, NAC, etc., Remote User, Business Critical Assets]



How NBA Helps Solve Many Current Net Ops Challenges

NBA Complements the Existing Net Ops Infrastructure, Delivering:

  • Enterprise-Wide Visibility Through NetFlow and sFlow Enabling the Entire Network as a Sensor Grid.

  • NBA Systems Deliver Rich, Contextual Information Surrounding Events Explaining WHY They Occurred.

  • NetFlow is Everywhere and Able to Deliver Meaningful Insight Into Host and Application Performance Throughout the Enterprise.

  • NBA Systems Deliver Rich and Meaningful Data About the Applications and Hosts as well as Host-to-Host Relationships, Group-to-Group Relationships, Service Distribution and Consumption and Detailed Network Interface Utilization both at a Point-In-Time as well as Long Term Trending.

  • Root Cause Analysis is Performed on the NBA System not Multiple Consoles.

  • The Intelligence of NBA System is Built-In Requiring Much Less Training to Deliver Useful Information.

  • NBA Uses a Limited Number of Data Feeds for Continuous Real-time Analysis Not Requiring Complex Rule Writing and Becoming Overloaded with Massive Amounts of Data for Analysis.

  • NBA is Configured with Policies to Continuously Monitor Compliance to AUP and Change Control.

  • NBA, Through Its Host, Traffic and Behavioral Profiling as well as NetFlow Analysis and Exporter Interface Information, is an Excellent Complementary Security Tool to the Existing Infrastructure.


NBA’s Role in the Network Ops Infrastructure - Contextual Visibility

[Network diagram labels: Internet, Small Branch Office, Midsized Branch Office, Branch Edge Router, HQ Edge Router, Packet Filter, Packet Filter, EMS/NMS/MoM, Packet Inspector, Core Switch w/ACLs, End User Switch, VPN Concentrator, End User System w/HIDS, AV, NAC, etc., Remote User, Business Critical Assets]



Current Organizational AUP Policy Monitoring Challenges

Existing Policy Monitoring Technologies Do Their Jobs in a Mediocre Manner and Also Present Major Challenges:

  • Policy Monitoring and Enforcement is a Point by Point Proposition with Almost No Holistic Visibility Therefore Not Delivering Global, Real-time Compliance Monitoring.

  • Policy Definitions Are Configured on Different Devices with Different Capabilities and are Difficult to Deploy and Manage.

  • Almost All Policy Monitoring Products Are Myopic and Lack Contextual Awareness of the Network and Hosts.

  • Determining Root Cause of Most Policy Events Requires Access to Multiple Consoles for Multiple Products with Hugely Different Capabilities.

  • Maintaining AUP is Extremely Complex Because of the Constantly Evolving Nature of Networks and the Multitude and Variety of Policy Monitoring Products and Capabilities.

  • Policy Monitoring Tools are Still Very Immature and Limited in Scope. Deployment Creates Yet Another Monitoring Console and Touch Point.

  • Continuous, Real-time Policy Monitoring is Practically Impossible Because of Inherent Technology Limitations.

  • The Tools Aren’t Integrated in Any Meaningful Way With Security Ops OR Net Ops Tools Creating Points of Contention Between the Three Teams if Their Tools are Generating Conflicting Information.


The Traditional AUP Monitoring Framework - Unique Points

[Network diagram labels: Internet, Small Branch Office, Midsized Branch Office, Branch Edge Router, HQ Edge Router, Packet Filter, Packet Filter, Policy Monitoring Tool, Packet Inspector, Core Switch w/ACLs, End User Switch, VPN Concentrator, End User System w/HIDS, AV, NAC, etc., Remote User, Business Critical Assets]



NBA’s Role in Policy Management and Monitoring - Global Configuration Management and Monitoring

Existing Policy Monitoring Technologies Do Their Jobs in an Inconsistent Manner and Also Present Major Challenges:

  • Policy Monitoring and Enforcement is a Point by Point Proposition with Almost No Holistic Visibility Therefore Not Delivering Global, Real-time Compliance Monitoring.

  • Policy Definitions Are Configured on Different Devices with Different Capabilities and are Difficult to Deploy and Manage.

  • Almost All Policy Monitoring Products Are Myopic and Lack Contextual Awareness of the Network and Hosts.

  • Determining Root Cause of Most Policy Events Requires Access to Multiple Consoles for Multiple Products with Hugely Different Capabilities.

  • Maintaining AUP is Extremely Complex Because of the Constantly Evolving Nature of Networks and the Multitude and Variety of Policy Monitoring Products and Capabilities.

  • Policy Monitoring Tools are Still Very Immature and Limited in Scope. Deployment Creates Yet Another Monitoring Console and Touch Point.

  • Continuous, Real-time Policy Monitoring is Practically Impossible Because of Inherent Technology Limitations.

  • The Tools Aren’t Integrated in Any Meaningful Way With Security Ops OR Net Ops Tools Creating Points of Contention Between the Three Teams if Their Tools are Generating Conflicting Information.


NBA’s Role in the AUP Monitoring Framework - Global Configuration Management and Monitoring

[Network diagram labels: Internet, Small Branch Office, Midsized Branch Office, Branch Edge Router, HQ Edge Router, Packet Filter, Packet Filter, NetFlow Collector, Packet Inspector, Core Switch w/ACLs, End User Switch, VPN Concentrator, End User System w/HIDS, AV, NAC, etc., Remote User, Business Critical Assets]


OR!!! - Highly Granular Configuration Management and Monitoring - Users, Groups, Applications

[Network diagram labels: Internet, Small Branch Office, Midsized Branch Office, Branch Edge Router, HQ Edge Router, Packet Filter, Packet Filter, NetFlow Collector, Packet Inspector, Core Switch w/ACLs, End User Switch, VPN Concentrator, End User System w/HIDS, AV, NAC, etc., Remote User, Business Critical Assets]



NBA - What Other Benefits Does It Deliver?

NBA Systems Offer a Large Variety of Other Beneficial Features:

  • Management Reporting for Alarms and Events, Host Behaviors Over Time, Service and Traffic Patterns, Etc.

  • User to IP Correlation Reporting for a More Complete Picture of Host and User Activity as well as Decreasing Event Remediation Time.

  • DHCP and MAC Correlation Reporting to Reduce Event Remediation Time and Add Additional Data Points to Profiled Hosts.

  • Closest Router Interface for Improved Troubleshooting and Remediation.

  • Other Associated Router Interfaces for Improved Troubleshooting and Remediation.

  • QoS Utilization Reporting using DiffServ from the NetFlow Record.

  • Trending for Capacity Planning by Application, Host, Segment, Location and Network.

  • 802.1Q VLAN Tag Correlation for Improved Traffic Analysis.

  • MPLS Label Correlation for Improved Traffic Analysis.

  • BGP Traffic Reporting for Improved Understanding of External Traffic Origination and Destination.

  • Flexible and Extensible Flow Reporting for Additional, Easy to Add Features.



NBA - In the Future

NBA Systems Will Continue to Expand Their Features to Leverage Improvements in Flow Data Export:

  • Network Hardware Vendors will Seek to Leverage Flow Reporting to Include Much More Network Telemetry Data.

  • IP-SLA for Detailed Quality of Service Reporting.

  • NBAR for Deep Packet Inspection and Flow Application Tagging.

  • Flexible Packet Matching for Traffic Shaping.

  • Packet Payload Capture for Analysis by both NBA and Other Signature Based Tools.

  • Using NetFlow v9 to Export Data traditionally sent by other protocols - syslog, etc.

  • Using Flow Reporting Information to Improve Security and Remediation Through Other Protocols - ACT/TIDP/TMS



That’s All Folks!

Questions?

Comments?



The End

Thank You

Mark McDaniel

[email protected]

