NPM and Security Forensics Mark Cromley Solutions Engineer Viavi Solutions, Inc.


© 2015 Viavi Solutions, Inc. | Viavi Confidential and Proprietary Information

The Challenge - IT Resources at High Risk
- Today's open network paradigm is a challenge for effective security
- Everyone and everything is vulnerable and under constant attack
- The network is the primary IT security battleground
  - Attackers had access to victims' environments for 205 days before they were discovered*
  - Sixty-nine percent of victims learn from a third party that they are compromised*
* Source: M-Trends 2015 Threat Report, Mandiant, February 26, 2015

Overcoming IT Security Challenges
- Move to a "5 Step Security Program" using a strategy of "Defense in Depth":
  1. Perform vulnerability assessments
  2. Require adherence to security best practices
  3. Deploy multiple targeted security solutions
  4. Backstop these efforts with NPMD capabilities
  5. Apply network security fundamentals


A Comprehensive Security Strategy
(Diagram: a spectrum of layers from Firewalls, Intrusion Prevention and Intrusion Detection to Packet Forensics with a Network Packet Recorder, running from increasing level of prevention to increasing level of forensics.)

4. Backstop Security with NPMD Solutions
- Multiply the value of network and service analytics capabilities in IT security
- In-depth packet and payload analysis
  - Visualize suspicious network traffic patterns
  - Perform stream reconstruction
- Snort rule support
- Advanced filtering for zero-day threats
- Extended back-in-time packet storage
PACKETS NEVER LIE

How do we look for security problems?
- Understanding of:
  - Network
  - Application
  - Traffic patterns
- Baseline: normal vs. abnormal (under breach)
- Real mitigation requires someone who understands packet-level analysis
- Expert analysis tools
- Leveraging an ecosystem of tools
- Packet capture is just 'part' of the toolset.

Baseline – Understand the Network (24/7): Normal vs. Abnormal (Under Attack?)

5. Apply Network Security Fundamentals
- The NPMD solution offers these capabilities
- Ongoing monitoring of inbound and outbound network traffic is a must
- Establish baselines for overall "typical" network utilization and latency values
  - May vary considerably by day and time
- Remember that many malware infections or security breaches result in:
  - No measurable changes in overall network performance
  - Activity that may not be signature based
- Assume the worst: your security will be compromised
  - The perimeter will be breached or circumvented
  - Internal threats will bypass it

Packets do not LIE – Validate against false positives
- NPMD solutions are designed to provide deep insight into network, infrastructure, and service health by observing, analyzing, and reporting from the perspective of the packets traversing the network
- The IDS has triggered a potential DDoS alert involving an external web farm
- You have narrowed it down to the time and date of the suspected attack
  - Trace files have been gathered and brought into Wireshark
- Do we have a DDoS attack?
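The validation workflow the slides describe (establish a baseline of normal traffic, then check an IDS alert against what the packets actually show) as an added example; this is not code from the deck or from Viavi. It assumes packet summaries have already been exported from a trace as (src, dst, TCP flags) tuples; the baseline counts, server address and both traffic windows are constructed here.

```python
from statistics import mean, pstdev

def dynamic_threshold(per_minute_syn_counts, k=3.0):
    """Learned baseline: mean + k * stdev of historical per-minute SYN counts."""
    return mean(per_minute_syn_counts) + k * pstdev(per_minute_syn_counts)

def summarize_window(packets, server):
    """Summarize TCP packets to/from `server` in one alert window.
    packets: iterable of (src, dst, flags); flags is a set such as {"SYN"}."""
    syns, handshakes = 0, 0
    sources, pending = set(), set()   # pending: clients that got a SYN-ACK back
    for src, dst, flags in packets:
        if dst == server and flags == {"SYN"}:
            syns += 1
            sources.add(src)
        elif src == server and flags == {"SYN", "ACK"}:
            pending.add(dst)
        elif dst == server and flags == {"ACK"} and src in pending:
            handshakes += 1               # three-way handshake completed
            pending.discard(src)
    completion = handshakes / syns if syns else 1.0
    return {"syns": syns, "sources": len(sources), "completion": completion}

def classify(summary, threshold, min_completion=0.5):
    """Is the alert window abnormal, and do the packets support a DDoS reading?"""
    if summary["syns"] <= threshold:
        return "within baseline"
    if summary["completion"] < min_completion:
        return "volumetric SYN anomaly"           # half-open floods: consistent with DDoS
    return "volume spike, handshakes completing"  # busy but healthy: likely a false positive

# Constructed sample data (not real traffic): historical per-minute SYN counts and a server.
BASELINE = [40, 52, 47, 61, 38, 55, 49, 44, 58, 50]
SERVER = "10.0.0.5"

def flood_window():
    """Constructed window: 300 SYNs from 200 sources, only 20 handshakes complete."""
    pk = [(f"198.51.100.{i % 200}", SERVER, {"SYN"}) for i in range(300)]
    for i in range(20):
        c = f"198.51.100.{i}"
        pk += [(SERVER, c, {"SYN", "ACK"}), (c, SERVER, {"ACK"})]
    return pk

def busy_window():
    """Constructed window: 150 SYNs from 50 web-farm hosts, every handshake completes."""
    pk = []
    for i in range(150):
        c = f"203.0.113.{i % 50}"
        pk += [(c, SERVER, {"SYN"}), (SERVER, c, {"SYN", "ACK"}), (c, SERVER, {"ACK"})]
    return pk
```

Both windows exceed the learned threshold, so the alert fires for each; only the packet-level handshake ratio separates the half-open flood from a legitimate load spike.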

How do you know you have been hacked?
- Rule of thumb: assume you have been breached and do not rest.
  - A study has shown that it takes an average of 200 days before a breach becomes known.
- Eyes always open: the risk of not assuming the worst costs millions of dollars.
  - Insurance companies have increased deductibles because of the enormous risks today.
- What TCP/IP fundamentals do network engineers need to know for security analysis?
- Do I need the full packet (payload)?
- What can we turn off during off hours to minimize threat?

Validation of an ATTACK

5 Phases of Hacking

5 Phases of Hacking (co-developed with Jeffrey Barbieri of Atrion Communications)
- Phase 1 - Reconnaissance: Gathering Information
- Phase 2 - Scanning: Computer Names, etc.
- Phase 3 - Gaining Access: Vulnerability Discovery
- Phase 4 - Maintaining Access: Securing Backdoors
- Phase 5 - Covering Tracks: Remove Log Files

Questions Answered with Network Recorders
- Who's trying to enter/communicate with my resource(s)?
- What other resources has this person communicated with?
- When did this entity enter/communicate previously?
- What files has this entity tried to access?
- Who's been trying to enter false passwords?
- Is an entity trying to deliver a malicious "package" to a device on my network?

Network Forensics – Essential Capabilities
- Full packet capture at massive scale and in compliance with digital evidence rules
- Retention of data for days or longer
- Fast access to captured data via search and other tools
- Packet header analysis, including summarizing and trending the network activity
- Packet contents analysis across protocols, including file extraction, session viewing, and application protocol analysis
- Ability to replay and reconstruct attacks and malicious behavior
- Compare data with known threat signatures
- See all traffic and make inferences about relationships

Investigating the Packets

Anomaly Detection – It Starts Here

Visibility and Actionable Insight

Expert Analysis and Reconstruction of Packets

Filter Down to the IP Address(es) Involved in the Security Alert


Reconstruct the Tables – FTP

Logical Troubleshooting Workflows

Behavior Learning and Analysis
- Understand and benchmark the environment
- Set dynamic thresholds based on critical elements

Security Challenges – The Network Team
- Viavi Solutions 2015 State of the Network highlights:
  - 85% are involved with security investigations
  - Engaged in multiple facets of security:
    - 65% implementing preventative measures
    - 58% investigating attacks
    - 50% validating security tool configurations
  - 50% indicated correlating security issues with network performance to be their top challenge
  - 44% cited the inability to replay anomalous security issues
- Hacking and malware cause nearly 1/3 of all data loss
Source: State of the Network 2015

The VIAVI Solution
Real-Time and Retrospective Packet Analysis and Storage