
NPM and Security Forensics Mark Cromley Solutions Engineer Viavi Solutions, Inc.

Slide 1: NPM and Security Forensics – Mark Cromley, Solutions Engineer, Viavi Solutions, Inc.

Slide 2: The Challenge - IT Resources at High Risk
© 2015 Viavi Solutions, Inc. | Viavi Confidential and Proprietary Information
- Today's open network paradigm is a challenge for effective security
- Everyone and everything is vulnerable and under constant attack
- The network is the primary IT security battleground
  - Attackers had access to victims' environments for 205 days before they were discovered*
  - Sixty-nine percent of victims learn from a third party that they are compromised*
* Source: M-Trends 2015 Threat Report, Mandiant, February 26, 2015

Slide 3: Overcoming IT Security Challenges
- Move to a "5 Step Security Program" using a strategy of "Defense in Depth":
  1. Perform vulnerability assessments
  2. Require adherence to security best practices
  3. Deploy multiple targeted security solutions
  4. Backstop these efforts with NPMD capabilities
  5. Apply network security fundamentals

Slide 4: (figure only, no text)

Slide 5: A Comprehensive Security Strategy (figure)
Firewalls → Intrusion Prevention → Intrusion Detection → Packet Forensics (Network Packet Recorder)
Axes: increasing level of prevention (left) vs. increasing level of forensics (right)

Slide 6: 4. Backstop Security with NPMD Solutions
- Multiply the value of network and service analytics capabilities in IT security
- In-depth packet and payload analysis
  - Visualize suspicious network traffic patterns
  - Perform stream reconstruction
- Snort rule support
- Advanced filtering for zero-day threats
- Extended back-in-time packet storage
PACKETS NEVER LIE

Slide 7: How do we look for security problems?
- Understanding of:
  - Network
  - Application
  - Traffic patterns
- Baseline – normal vs. abnormal (under breach)
- Real mitigation requires someone who understands packet-level analysis
- Expert analysis tools
- Leveraging an ecosystem of tools
- Packet capture is just 'part' of the toolset.

Slide 8: Baseline – Understand the Network (24/7): Normal vs. Abnormal (Under Attack?)

Slide 9: 5. Apply Network Security Fundamentals
- The NPMD solution offers these capabilities
- Ongoing monitoring of inbound and outbound network traffic is a must
- Establish baselines for overall "typical" network utilization and latency values
  - May vary considerably by day and time
- Remember that many malware infections or security breaches result in:
  - No measurable changes in overall network performance
  - Activity that may not be signature based
- Assume the worst: your security will be compromised
  - The perimeter will be breached or circumvented
  - Internal threats will bypass it

Slide 10: Packets do not LIE – Validate against false positives
- NPMD solutions are designed to provide deep insight into network, infrastructure, and service health by observing, analyzing, and reporting from the perspective of the packets traversing the network
- Scenario: the IDS has triggered a potential DDoS alert involving an external web farm
- You have narrowed it down to the time and date of the suspected attack
  - Trace files have been gathered and brought into Wireshark
- Do we have a DDoS attack?

Slide 11: How do you know you have been hacked?
- Rule of thumb – assume you have been breached and do not rest.
  - A study has shown that, on average, 200 days pass before a breach becomes known.
- Eyes always open – the risk of not assuming the worst costs millions of dollars.
  - Insurance companies have increased deductibles because of the enormous risks today.
- What TCP/IP fundamentals do network engineers need to know for security analysis?
- Do I need the full packet (payload)?
- What can we turn off during off hours to minimize the threat?

Slide 12: Validation of an ATTACK

Slide 13: 5 Phases of Hacking

Slides 14–18: 5 Phases of Hacking (progressive build of one diagram)
Co-developed with Jeffrey Barbieri of Atrion Communications
- Phase 1 - Reconnaissance: Gathering Information
- Phase 2 - Scanning: Computer Names, etc.
- Phase 3 - Gaining Access: Vulnerability Discovery
- Phase 4 - Maintaining Access: Securing Backdoors
- Phase 5 - Covering Tracks: Remove Log Files

Slide 19: Questions Answered with Network Recorders
- Who's trying to enter/communicate with my resource(s)?
- What other resources has this person communicated with?
- When did this entity enter/communicate previously?
- What files has this entity tried to access?
- Who's been trying to enter false passwords?
- Is an entity trying to deliver a malicious "package" to a device on my network?

Slide 20: Network Forensics – Essential Capabilities
- Full packet capture at massive scale and in compliance with digital evidence rules
- Retention of data for days or longer
- Fast access to captured data via search and other tools
- Packet header analysis, including summarizing and trending the network activity
- Packet contents analysis across protocols, including file extraction, session viewing, and application protocol analysis
- Ability to replay and reconstruct attacks and malicious behavior
- Compare data with known threat signatures
- See all traffic and make inferences about relationships

Slide 21: Investigating the Packets

Slide 22: Anomaly Detection – It Starts Here

Slide 23: Visibility and Actionable Insight

Slide 24: Expert Analysis and Reconstruction of Packets

Slide 25: Filter Down to the IP Address(es) Involved in the Security Alert

Slide 26: (figure only, no text)

Slide 27: Reconstruct the Tables – FTP
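The stream reconstruction on slide 27 is what answers the slide 19 recorder question "who's been trying to enter false passwords?". As an added example (not Viavi's code), this groups constructed FTP control-channel packets into conversations and counts the logins that drew a 530 reply; it assumes the server side is whichever endpoint is on port 21.

```python
"""Reconstruct FTP control sessions from captured packets and answer the
recorder question "who has been trying false passwords?".
Added example (not Viavi's code); the packet records are constructed."""
from collections import defaultdict

# (timestamp, src_ip, dst_ip, src_port, dst_port, payload) - constructed sample
PACKETS = [
    (1.0, "10.0.0.5", "10.0.0.20", 50001, 21, b"USER alice\r\n"),
    (1.1, "10.0.0.20", "10.0.0.5", 21, 50001, b"331 Password required\r\n"),
    (1.2, "10.0.0.5", "10.0.0.20", 50001, 21, b"PASS hunter2\r\n"),
    (1.3, "10.0.0.20", "10.0.0.5", 21, 50001, b"530 Login incorrect\r\n"),
    (1.4, "10.0.0.5", "10.0.0.20", 50001, 21, b"USER alice\r\nPASS letmein\r\n"),
    (1.5, "10.0.0.20", "10.0.0.5", 21, 50001, b"530 Login incorrect\r\n"),
    (2.0, "10.0.0.7", "10.0.0.20", 50002, 21, b"USER bob\r\nPASS s3cret\r\n"),
    (2.1, "10.0.0.20", "10.0.0.7", 21, 50002, b"230 Login successful\r\n"),
]

def reconstruct(packets):
    """Group packets into conversations keyed by the unordered endpoint pair,
    then split payloads into (src_ip, from_client, line) turns in time order.
    The FTP server side is identified by port 21 (assumption for this demo)."""
    convs = defaultdict(list)
    for _ts, src, dst, sport, dport, payload in sorted(packets, key=lambda p: p[0]):
        key = tuple(sorted([(src, sport), (dst, dport)]))
        for line in payload.decode("ascii", "replace").splitlines():
            convs[key].append((src, sport != 21, line))
    return dict(convs)

def failed_logins(packets):
    """Map client IP -> usernames that drew a 530 reply. Passwords are not
    recorded: the investigator needs who and which account, not the secret."""
    failures = defaultdict(list)
    for turns in reconstruct(packets).values():
        client = user = None
        for ip, from_client, line in turns:
            if from_client and line.upper().startswith("USER "):
                client, user = ip, line[5:].strip()
            elif not from_client and line.startswith("530") and user:
                failures[client].append(user)
                user = None
    return dict(failures)

if __name__ == "__main__":
    print(failed_logins(PACKETS))  # {'10.0.0.5': ['alice', 'alice']}
```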

Slide 28: Logical Troubleshooting Workflows (slide body is template placeholder text only)

Slide 29: Behavior Learning and Analysis
- Understand and benchmark the environment
- Set dynamic thresholds based on critical elements
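Slides 9 and 29 both rest on the same idea: a baseline that varies by time of day, with thresholds derived from it rather than one flat number. As an added example (not Viavi's code), this builds a per-hour-of-day baseline from constructed utilization samples and classifies a new sample against that hour's own history; the hours, values and the k=3 multiplier are assumptions for the demo.

```python
"""Baseline-driven anomaly flagging for NPMD-style utilization data.
Added example (not Viavi's code). Samples are (day, hour, megabits_per_second)
tuples; every value below is constructed for the demo."""
from collections import defaultdict
from statistics import mean, pstdev

# Seven days of samples for three hours of the day. Business hours (10) run
# hot and the night hour (2) is quiet, so a single flat threshold would either
# miss night-time anomalies or alert all day long.
BASELINE = (
    [(d, 2, v) for d, v in enumerate([40, 42, 38, 45, 41, 39, 43])]
    + [(d, 10, v) for d, v in enumerate([800, 820, 790, 830, 810, 805, 795])]
    + [(d, 18, v) for d, v in enumerate([300, 310, 295, 305, 290, 320, 300])]
)

def build_baseline(samples):
    """Per-hour-of-day (mean, population stdev) from historical samples."""
    buckets = defaultdict(list)
    for _day, hour, mbps in samples:
        buckets[hour].append(mbps)
    return {h: (mean(v), pstdev(v)) for h, v in buckets.items()}

def dynamic_threshold(baseline, hour, k=3.0, floor=5.0):
    """Upper bound for this hour: mean + k*stdev, but never tighter than
    `floor` above the mean, so a very steady hour does not alert on noise."""
    mu, sigma = baseline[hour]
    return mu + max(k * sigma, floor)

def classify(baseline, hour, mbps, k=3.0):
    """'abnormal' if the sample exceeds that hour's dynamic threshold.
    Note: a breach may leave overall utilization unchanged (slide 9), so in
    practice the same baseline is kept per host or per service, not just in total."""
    return "abnormal" if mbps > dynamic_threshold(baseline, hour, k) else "normal"

if __name__ == "__main__":
    bl = build_baseline(BASELINE)
    for hour, mbps in [(2, 120), (10, 815), (18, 340)]:
        print(f"hour {hour:2d}: {mbps} Mbps -> {classify(bl, hour, mbps)}")
```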

Slide 30: Security Challenges – The Network Team
- Viavi Solutions 2015 State of the Network highlights:
  - 85% are involved with security investigations
  - Engaged in multiple facets of security:
    - 65% implementing preventative measures
    - 58% investigating attacks
    - 50% validating security tool configurations
  - 50% indicated that correlating security issues with network performance is their top challenge
  - 44% cited the inability to replay anomalous security issues
  - Hacking and malware cause nearly 1/3 of all data loss
Source: State of the Network 2015

Slide 31: The VIAVI Solution – Real-Time and Retrospective Packet Analysis and Storage

