Enterprise-wide Threat Characterization. Bill Nickless Pacific Northwest National Laboratory ESCC / Internet2 Joint Techs Workshop Albuquerque, NM Feb 5-8, 2006. The Art of War by Sun-tzu 500 B.C. "The supreme art of war is to subdue the enemy without fighting...

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

Enterprise-wide Threat Characterization


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Enterprise-wide Threat Characterization

Bill Nickless, Pacific Northwest National Laboratory

ESCC / Internet2 Joint Techs Workshop, Albuquerque, NM, Feb 5-8, 2006

The Art of War by Sun-tzu, 500 B.C.

"The supreme art of war is to subdue the enemy without fighting...

“The means by which enlightened rulers and sagacious generals moved and conquered others, that their achievements surpassed the masses, was advanced knowledge.

Advanced knowledge cannot be gained from ghosts and spirits, inferred from phenomena, or projected from the measures of heaven, but must be gained from men... for it is the knowledge of the enemy’s true situation.”

Pacific Northwest National Laboratory

2

System Requirements

The system must defend:

  • a large, diverse enterprise that engages in
  • cutting-edge R&D in multiple sensitive and critical technologies, by
  • thousands of scientists from all over the world, at
  • multiple sites with
  • diverse cultures and capabilities for defense,

against:

  • multiple, dynamic, and increasing threats from outside and inside.


Collection: Instrumented Sites
  • Large enterprises
    • Dozens to hundreds of dispersed sites
    • Each site with multiple ISPs
    • Private connections to suppliers, contractors, etc.
  • Enterprise data at risk from
    • Foreign adversaries
    • Cyber-terrorists
    • Insider threats
    • Competitors using open-source research


Collection: Sensor

(Slide 5 is a sensor diagram; only its title survives in the transcript.)

V3 Sensor Flo Daemon

Diagram (pipeline box labels, in reconstructed processing order): Traffic from Linux bonding kernel module → libpcap → Frame decode → Frame sanity check → Match flow (or) create new flow → Flows in memory, with flow time-outs and signals → Select and format flows → Write and manage output files → .dat and .sem files.

  • libpcap API
    • Portable and standard
    • Compatible with high-performance capture cards
    • Allows for off-line file playback testing
  • Efficient data structures
    • Only save what is needed
    • Fast access to support high performance
  • Runs as a daemon
    • "Always on" rather than batch mode
    • Continuous stream of records
    • Syslog reporting for data quality management
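The pipeline on this slide (decode frame, sanity check, match or create flow, time out idle flows, format and write records) in working form. This is an added example, not the Flo Daemon's code or any PNNL code: it reads constructed Ethernet/IPv4/TCP frames instead of libpcap, keeps flows one direction per key, assumes a 60 s idle timeout that the slide does not state, and collects records in a list where the daemon writes .dat files.

```python
"""Flow-record builder in the shape of the Flo Daemon pipeline (decode frame,
sanity check, match or create flow, time out idle flows, format records).
Added example, not PNNL code; the frames are constructed, not captured, and
the 60 s idle timeout is an assumed value."""
import struct
from dataclasses import dataclass

ETH_HDR = 14
IDLE_TIMEOUT = 60.0   # seconds, assumed; the slides give no value


@dataclass
class Flow:
    key: tuple            # (proto, src, sport, dst, dport); one direction per flow
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    flags: int = 0        # OR of TCP flag bytes seen


def decode_frame(frame):
    """Return (key, ip_total_length, tcp_flags), or None when the frame fails
    the sanity check (runt, non-IPv4, bad IHL, truncated, not TCP/UDP)."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[ETH_HDR:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        return None
    proto, l4 = ip[9], ip[ihl:total_len]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    if proto == 6 and len(l4) >= 20:      # TCP: ports plus the flags byte
        sport, dport = struct.unpack("!HH", l4[:4])
        return (proto, src, sport, dst, dport), total_len, l4[13]
    if proto == 17 and len(l4) >= 8:      # UDP: ports only
        sport, dport = struct.unpack("!HH", l4[:4])
        return (proto, src, sport, dst, dport), total_len, 0
    return None


class FlowTable:
    """Flows in memory plus the emitted records (standing in for the .dat file)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.flows, self.records = {}, []
        self.dropped = 0  # sanity-check failures; the daemon would syslog these

    def ingest(self, ts, frame):
        decoded = decode_frame(frame)
        if decoded is None:
            self.dropped += 1
            return
        key, nbytes, flags = decoded
        f = self.flows.get(key)                        # match flow ...
        if f is None:
            f = self.flows[key] = Flow(key, ts, ts)    # ... or create new flow
        f.last, f.packets, f.octets, f.flags = ts, f.packets + 1, f.octets + nbytes, f.flags | flags
        self.expire(ts)

    def expire(self, now):
        """Flow time-out: emit and forget flows idle for idle_timeout or longer."""
        for key, f in list(self.flows.items()):
            if now - f.last >= self.idle_timeout:
                self.records.append(self.format(f))
                del self.flows[key]

    def flush(self):
        """What a shutdown signal would do: emit everything still in memory."""
        for f in self.flows.values():
            self.records.append(self.format(f))
        self.flows.clear()

    @staticmethod
    def format(f):
        proto, src, sport, dst, dport = f.key
        return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
                "start": f.first, "end": f.last, "packets": f.packets,
                "bytes": f.octets, "flags": f.flags}


def build_tcp_frame(src, sport, dst, dport, flags, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame; checksums are left zero and not verified."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def demo():
    """Constructed traffic: an SSH handshake with data, one IPv6 frame that the
    sanity check rejects, then an FTP SYN 61 s later that times the SSH flows out."""
    t, t0 = FlowTable(), 1_000_000.0
    t.ingest(t0, build_tcp_frame("10.0.0.5", 40000, "10.0.0.22", 22, 0x02))
    t.ingest(t0 + 0.01, build_tcp_frame("10.0.0.22", 22, "10.0.0.5", 40000, 0x12))
    t.ingest(t0 + 0.02, build_tcp_frame("10.0.0.5", 40000, "10.0.0.22", 22, 0x18, b"x" * 100))
    t.ingest(t0 + 0.03, b"\x00" * 12 + b"\x86\xdd" + b"\x00" * 40)
    t.ingest(t0 + 61.0, build_tcp_frame("10.0.0.9", 50000, "10.0.0.21", 21, 0x02))
    t.flush()
    return t
```

Running `demo()` yields three records (the two directions of the SSH exchange, timed out by the later FTP packet, and the FTP SYN flushed at the end) and one dropped frame. The point the sanity check makes is operational: a sensor that trusts length fields from the wire will index past the buffer on a truncated or malformed frame, so the check runs before any flow lookup, and the drop count is what the daemon's syslog reporting would carry.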


Analytical Systems Accomplishments

  • Cost effective
  • Scalable
    • 500M records/day
    • 150 GB/day
    • 1 year retention
  • Data summarization

Diagram (box labels): Central Analysis; ORG A1, ORG A2, ORG A…; ORG B1, ORG B2, ORG B…; ORG X1, ORG X2, ORG X….

Monthly Record Counts

Massive record volumes drove the requirement to better understand the traffic.

Traffic Characterization: Anomaly Identification

Characterizing each flow as it occurs enables immediate attack detection.

Interesting anomalies in SSH and FTP can now be observed after the OOB traffic has been removed.
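Per-flow characterization applied as records arrive, with two anomaly rules for the SSH and FTP traffic the slide names. This is an added example and not PNNL's analysis code; the slide does not define OOB, the thresholds, or what the anomalies were, so here OOB is taken to mean an out-of-band management network that is filtered out first, the address plan and thresholds are assumed, and the flow records are constructed.

```python
"""Characterize each finished flow record as it arrives and flag two kinds of
anomaly in SSH and FTP traffic. Added example, not PNNL analysis code. The
address plan, the reading of OOB as an out-of-band management network removed
before analysis, the thresholds and the sample flows are all constructed."""
from collections import defaultdict, deque
import ipaddress

SERVICE_BY_PORT = {21: "ftp", 22: "ssh"}
OOB_NETS = [ipaddress.ip_network("192.0.2.0/24")]       # assumed OOB network
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # assumed enterprise space
PROBE_WINDOW = 60.0        # s; assumed
PROBE_COUNT = 5            # short ssh flows from one source in the window; assumed
PROBE_MAX_BYTES = 2000     # a flow this small never became a real session; assumed
BULK_BYTES = 10_000_000    # outbound volume that merits an exfiltration look; assumed


def in_nets(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def characterize(rec):
    """Label a flow with service and direction; None means OOB, removed from analysis."""
    if in_nets(rec["src"], OOB_NETS) or in_nets(rec["dst"], OOB_NETS):
        return None
    src_in, dst_in = in_nets(rec["src"], INTERNAL_NETS), in_nets(rec["dst"], INTERNAL_NETS)
    if src_in and not dst_in:
        direction = "outbound"
    elif dst_in and not src_in:
        direction = "inbound"
    else:
        direction = "internal"
    return {**rec, "service": SERVICE_BY_PORT.get(rec["dport"], "other"), "direction": direction}


class Characterizer:
    """Streaming detector: call observe() once per flow record, in time order."""

    def __init__(self):
        self.short_ssh = defaultdict(deque)   # src -> start times of short ssh flows
        self.alerts = []

    def observe(self, rec):
        c = characterize(rec)
        if c is None:
            return []
        found = []
        # Many tiny SSH flows from one source inside the window: scan or password guessing.
        if c["service"] == "ssh" and c["bytes"] <= PROBE_MAX_BYTES:
            q = self.short_ssh[c["src"]]
            q.append(c["start"])
            while c["start"] - q[0] > PROBE_WINDOW:
                q.popleft()
            if len(q) == PROBE_COUNT:        # fires once, when the threshold is crossed
                found.append(("ssh-probe", c["src"]))
        # A single large outbound SSH/FTP transfer: candidate exfiltration.
        if c["service"] in ("ssh", "ftp") and c["direction"] == "outbound" and c["bytes"] >= BULK_BYTES:
            found.append(("bulk-outbound", c["src"], c["dst"]))
        self.alerts.extend(found)
        return found


def flow(src, sport, dst, dport, nbytes, start):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "bytes": nbytes, "start": start}


# Constructed records, already in time order.
SAMPLE_FLOWS = (
    [flow("203.0.113.7", 40000 + i, "10.0.0.22", 22, 600, 1000.0 + 5 * i) for i in range(6)]
    + [flow("192.0.2.10", 41000, "10.0.0.22", 22, 600, 1031.0),            # OOB, dropped
       flow("10.0.0.5", 42000, "198.51.100.9", 22, 50_000_000, 1100.0),    # bulk outbound
       flow("198.51.100.9", 22, "10.0.0.5", 43000, 50_000_000, 1200.0),    # bulk inbound: no alert
       flow("10.0.0.5", 44000, "198.51.100.20", 80, 5000, 1300.0)]         # ordinary web flow
)


def run_sample():
    ch = Characterizer()
    for rec in SAMPLE_FLOWS:
        ch.observe(rec)
    return ch.alerts
```

`run_sample()` returns two alerts: the SSH probe from 203.0.113.7 (raised on the fifth short flow, not repeated on the sixth) and the 50 MB outbound SSH transfer from 10.0.0.5. The same volume arriving inbound produces nothing, which is the reason the direction label is attached before any rule runs, and the OOB record never reaches the rules at all.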


Summary

  • Enterprise-wide collection and analysis capability enables correlation of activity across multiple organizational elements.
  • The collection, data management, and analysis challenges of building and operating an enterprise-wide centralized analysis capability are significant but solvable.
  • Automation can enable analysts to identify both security threats and information exfiltration attempts from within or without.