Flow Collection and Analytics


Flow Collection and Analytics Dennis Marti January 11, 2017

Disclaimer The views and opinions expressed in this presentation are those of the author and do not necessarily reflect the official policy or position of Verizon. Reference to any product, commercial, free or open source, does not constitute endorsement or recommendation by Verizon.

Network Security Data: Capabilities have Evolved Over Time
Background
- Initially based on a handful of network security sensors.
- Three full-time analysts.
- Part of the "Network Abuse" function.
Since 2011
- The number of network security data collection points has grown.
- Coverage includes multiple geographic areas, including international.
- Collect and process a broader variety of netflow data elements.
- Twelve analysts with dedicated management.
- Faster, more flexible on-boarding of data.
- Dedicated, fault-tolerant, managed environment.
- The function provides a variety of internal support: an analytics platform and an ad hoc research/response capability.

Infrastructure Overview

Data Collection and Preparation

Netflow Processing
Extract, transform, load
- Incoming flow files are written every minute by load-balanced collectors.
- Routine tasks are triggered by the file transfer event that moves data from the collection tier to storage.
Netflow processing includes:
- Monitoring internal devices and edge routers for malicious addresses. Matching flows are decorated with geographic and network information, then loaded into Splunk for additional analysis.
- Aggregating flows to support network operations and engineering applications.
- Filtering managed services flow data and joining it with geographic and IOC data, then loading it into Splunk for MSS analysis and reporting.
- Writing to Kafka for anomaly detection.
- Creating Bloom filters to speed up forensic searches.
- Counting ports, protocols, bytes, packets, flows, etc.
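As an added example (not code from the presentation or from Verizon's pipeline), the Python below sketches the per-minute ETL pass described above over a constructed flow file: watch-list matching with network and geographic decoration, per-file counters, and a Bloom filter that answers "was this address seen in this minute?" for forensic searches. The CSV layout, the watch list and the enrichment table are assumptions made for the example.

```python
import hashlib
from collections import Counter

# Constructed one-minute flow file in an assumed CSV layout (real collectors
# emit binary NetFlow/IPFIX): start,src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
FLOW_FILE = """\
2017-01-11T10:00:01,10.1.2.3,51234,203.0.113.7,443,6,12,5400
2017-01-11T10:00:02,10.1.2.3,51235,198.51.100.9,25,6,8,1200
2017-01-11T10:00:05,10.1.9.8,40000,203.0.113.7,443,6,30,14000
2017-01-11T10:00:09,192.0.2.44,53,10.1.2.3,53,17,1,90
"""
# Constructed watch list (stand-in for the IOC feed) and enrichment table.
WATCH_LIST = {"198.51.100.9", "192.0.2.44"}
NET_INFO = {"10.1.": ("corp-lan", "US"), "198.51.100.": ("transit-peer", "NL"),
            "203.0.113.": ("cdn", "DE"), "192.0.2.": ("unknown-asn", "RU")}

class BloomFilter:
    """Minimal Bloom filter over IP strings: m bits, k positions per item."""
    def __init__(self, m=4096, k=3):
        self.m, self.k, self.bits = m, k, bytearray(m // 8)
    def _positions(self, item):
        # Slice one SHA-256 digest into k independent 32-bit values.
        h = hashlib.sha256(item.encode()).digest()
        return [int.from_bytes(h[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]
    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)
    def __contains__(self, item):   # rare false positives are possible, false negatives are not
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))

def enrich(ip):
    # String-prefix lookup stands in for a real prefix/ASN/geo database.
    return next((info for pfx, info in NET_INFO.items() if ip.startswith(pfx)),
                ("unknown", "??"))

def process_flow_file(text):
    """One ETL pass over a minute file: decorated watch-list matches, counters, Bloom filter."""
    matches, counts, seen = [], Counter(), BloomFilter()
    for line in text.splitlines():
        start, sip, sport, dip, dport, proto, pkts, byts = line.split(",")
        seen.add(sip); seen.add(dip)            # forensic "was this address seen?" index
        counts[("proto", proto)] += 1
        counts[("dport", dport)] += 1
        counts["bytes"] += int(byts)
        for ip in (sip, dip):
            if ip in WATCH_LIST:                # decorate only the matching flows
                owner, cc = enrich(ip)
                matches.append({"start": start, "src": sip, "dst": dip, "dport": dport,
                                "ioc": ip, "owner": owner, "country": cc})
    return matches, counts, seen
```

Only the decorated matches would be indexed into Splunk; the counters and the Bloom filter are kept per file so a later investigation can skip minute files that never saw the address of interest.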

Enhancing Netflow for Analysis
Data fusion
Single pane of glass
- Almost all incoming data is indexed into Splunk. Netflow is an exception due to its volume, but we index a lot of it based on watch list matches.
- Since firewall, DNS, SNMP, and IDS events reside in Splunk, alerts and reports trigger additional actions, such as loading the relevant netflow.
Aggregating flows
- End points are typically aggregated prior to indexing.
- Aggregate data is often summarized and indexed a second time to speed up searches and dashboards.
Network and customer information
- Netflow collected for indexing is enhanced with network, customer, and geographic information.

Peering Traffic Analysis
(Chart: 15 minute ingress traffic by peer)

Netflow Search

Incident Response
Recent success stories
- By observing the ports used across flows, we were able to establish that an address was being used as an SMTP server. This behavior tied it to the delivery of phishing emails and Vawtrak malware.
- Netflow data was used to analyze the changing exploit kit landscape by tracking the distinct flows from a set of malicious landing pages. This analysis was well received by our customers, given the impact these kits have on their environments.
- Netflow allowed us to reevaluate a recent rise in Shellshock activity that was initially reported by another organization. Using flow data increased the estimate of targeted systems 8x, bringing to light a massive campaign.
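As an added example that is not the author's code, this Python shows the port-profiling idea behind the SMTP finding and the landing-page tracking above: inferring which addresses act as servers from the destination ports seen across flows, flagging SMTP servers that are not on an authorized relay list, and counting distinct visitors to known malicious landing pages. The flow tuples, the authorized list and the client threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed flow records (src_ip, src_port, dst_ip, dst_port, proto) for one
# observation window; constructed for this example, not real traffic.
FLOWS = [
    ("10.0.0.5", 51000, "198.51.100.20", 25, 6),
    ("10.0.0.6", 51001, "198.51.100.20", 25, 6),
    ("10.0.0.7", 51002, "198.51.100.20", 25, 6),
    ("10.0.0.8", 51003, "198.51.100.20", 25, 6),
    ("198.51.100.20", 44000, "203.0.113.5", 443, 6),   # the suspect host is also a client
    ("10.0.0.5", 51010, "203.0.113.5", 443, 6),
    ("10.0.0.6", 51011, "203.0.113.5", 443, 6),
]

SERVICE_PORTS = {25: "smtp", 80: "http", 443: "https", 53: "dns"}

def server_profile(flows, min_clients=3):
    """Infer which addresses act as servers and on which service port.

    An address counts as serving a port when at least min_clients distinct
    peers initiate TCP flows to that port. Client-side ports are ephemeral, so
    only the destination side is keyed. Returns {(ip, port): (service, clients)}.
    """
    clients = defaultdict(set)
    for src, sport, dst, dport, proto in flows:
        if proto == 6 and dport in SERVICE_PORTS:
            clients[(dst, dport)].add(src)
    return {key: (SERVICE_PORTS[key[1]], len(peers))
            for key, peers in clients.items() if len(peers) >= min_clients}

def unexpected_mail_servers(flows, authorized):
    """Addresses serving SMTP that are not on the authorized mail-relay list."""
    return sorted(ip for (ip, port), (svc, _) in server_profile(flows).items()
                  if svc == "smtp" and ip not in authorized)

def distinct_visitors(flows, landing_pages):
    """Distinct client addresses that reached each known landing page over HTTP(S)."""
    hits = defaultdict(set)
    for src, _, dst, dport, _ in flows:
        if dst in landing_pages and dport in (80, 443):
            hits[dst].add(src)
    return {ip: len(v) for ip, v in hits.items()}
```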