
Whitepaper

Addressing the Threat Within: Rethinking Network Security Deployment

© 2015-2016 Gigamon. All rights reserved.

Introduction

Cyber security breaches are happening at an industrial scale. The unabated volume of cyber breaches along with the scale and magnitude of the breaches is forcing the entire industry to re-think how cyber security gets deployed, managed and addressed. At the heart of this change is a fundamental shift in the assumptions and the model under which cyber security has been operating.

The traditional model was one that operated under simple assumptions. Those assumptions led to deployment models which, in today's world of cyber security, have been proven to be woefully inadequate at addressing malware and cyber breaches. Some of these are outlined below:

• Perimeter Based Security: The traditional cyber security trust model was based on simplistic assumptions of creating a perimeter and ensuring that what was outside the perimeter was unsafe and what was inside was considered secure. That perimeter security typically consisted of a firewall at the internet edge and endpoint security software, such as an anti-virus solution, at the user end. However, most of the perimeter firewalls and endpoint security software solutions leverage rules and signatures to identify malware. In today’s world, many of the cyber breaches exploit zero-day vulnerabilities. These are vulnerabilities that have been detected but for which no patches exist in various pieces of software, or for which no signature or rule exists as yet. Consequently, it is increasingly difficult for traditional perimeter-based solutions to prevent malware and threats from breaking in.

• Simple Trust Model: The traditional cyber security trust model was based on a simple trust model of employees being trusted and everyone else being not trusted. However, in today’s world where employees are using personal computing devices, such as smart phones, for business needs, or where the work force consists of employees, consultants, contractors, and vendors, all of whom access an enterprise’s network and IT resources, that simple trust model breaks down and the source of a threat could just as easily be an employee or contract employee. Additionally, the traditional trust model also incorporated the notion of IT-owned assets that were considered trusted as they had the right build of software and anti-virus, among others. However, today employees use not just IT-owned assets but personal assets such as personal laptops, tablets, and smart phones for business productivity. In other words, Bring Your Own Device (BYOD) is increasing productivity, but breaking down the simple trust model assumptions.

• Static Environment: Traditionally, security appliances were deployed at fixed locations. This included firewalls, intrusion detection/prevention systems (IDS/IPS) and other malware detection and prevention systems. Typically these would assume a fixed perimeter or a set of fixed “choke” points through which traffic was expected to pass and consequently be monitored for threats. However, with the mobility of users, devices and applications, the predictability of traffic patterns has diminished. Additionally, the adoption of the cloud has extended the edge and perimeter boundaries with the ability to dynamically burst capacity into the cloud on demand. This is making the workplace a far more dynamic environment with far less predictability on where the boundaries and choke points lie. Consequently, the ability to consistently and comprehensively identify all threats based on the static deployment of security appliances at fixed locations has been severely impaired.

Despite the breakdown in some of the traditional assumptions outlined above, a lot of enterprise security architectures still rely on them for preventing network breach. Additionally, the very nature of cyber threats has also evolved significantly over time. In the past, once a worm or virus breached a network it would propagate quickly and do as much damage as possible in as short a time as possible. This made it possible to detect worms and viruses more quickly due to the footprint they left in the wake of their disruption. Today’s threats have evolved to become far stealthier, more sophisticated and destructive at an industrial scale. Many of them are grouped under an umbrella called Advanced Persistent Threats (APT). These APTs are the source of many of the recent large scale breaches. They tend to employ a variety of sophisticated methods to compromise the network and take up residence there for long periods of time, hence the name: Advanced Persistent Threat.



Anatomy of an Advanced Persistent Threat

Many of today’s large scale breaches take place over multiple stages and over extended periods of time ranging from weeks to months. Some of these stages are outlined below:

Reconnaissance: During this stage, the threat perpetrator or threat actor typically spends time understanding the various online activities of possible targets and trying to identify a way to inject malware based on those activities. For example, the actor would observe what bank websites or what social networks a user browses, what interest groups a user subscribes to, and other online habits. Based on this a profile for possible targets is built.

Initial breach: This is the phase where the user or target is initially compromised. Typically, based on a user’s activities and profile, an email or a blog post is formulated that invites the user to click on a link. Once the user clicks the link, the user is re-directed to a website where a zero-day exploit is downloaded onto the user’s system. This is typically referred to as a phishing attack. Other such attacks like drive-by downloads are commonplace as well. Their job is to simply inject a piece of malware onto the user’s system. In many cases that malware footprint is quite small and really intended to create a backdoor communication channel.

Backdoor access: Once the user’s system has been compromised via the initial malware download, that malware then explores possible communication backdoors that can pass through firewalls, with the intention of opening up a communication channel with a command and control center that could be located anywhere in the world. Once that communication channel is established, additional malware and/or instructions are downloaded.

Lateral movement: The malware then starts probing and propagating internally by finding other systems that have vulnerabilities. However, this is done in a very stealthy way, by methodically disguising the malware’s activity and minimizing its footprint. This activity can take weeks to months. In other words, the lateral movement of the malware is very “low and slow”. During this phase, additional backdoors may also be opened in the event that the initial backdoor is detected and closed.

Data gathering: Once the malware spreads and finds access to critical resources across the infrastructure, it begins the process of identifying critical data resources to exfiltrate or recording data for the purposes of exfiltration.

Exfiltration: The gathered data is then exfiltrated in a mass way through the various backdoors. At this point the organization’s information is severely compromised. The threat actor may request ransom, expose classified or confidential data, or sell the information at auction.

In many cases the organization stays compromised after the exfiltration, making it susceptible to continuous attacks and breaches. In fact, even after a breach is detected and many of the compromised systems are cleansed, in many cases, due to the extensive nature of the breach, some systems continue to remain compromised and undetected. These compromised systems may then be made available through sites offering malware-as-a-service, where individuals or groups can purchase these infected assets. Malware-as-a-service has grown into a big industry, giving individuals and organizations easy and cheap means to leverage compromised systems, for example to mount DDoS attacks.

Figure 1: Anatomy of an advanced persistent threat. Stages shown: 1 Reconnaissance, 2 Phishing & zero-day attack, 3 Back door, 4 Lateral movement, 5 Data gathering, 6 Exfiltrate.


A recent study [1] of 1,200 enterprises across 63 countries found that 97% of the surveyed enterprises had been breached during the test period. Of these organizations, 75% had experienced command and control activity. Another survey [2] found that the average time from the start of an intrusion to the detection of the breach was 134 days, showing that many organizations remain unaware of a compromise for months after it happens.

These findings show that the way security is built has to be rethought. Enterprises can no longer assume that they are able to keep threats out. Organizations should instead focus more on detecting systems that have already been compromised inside the network and on containing malware.

Under current IT trends, finding systems that have already been compromised is becoming increasingly difficult.

IT Trends Affecting Security

A Changing Workforce and BYOD

Many IT trends have a negative effect on the ability to maintain security from within. As described earlier, the nature of the workforce has changed: employees, consultants and contractors are all regarded as part of the enterprise workforce, which makes it harder for the IT department to enforce rule-based controls. BYOD and the consumerization of IT have loosened the strict controls and security regimes that IT departments had in place for desktops, laptops, phones and the other devices used for productivity.

Growing East-West Traffic

Another major shift is taking place in the data center, where traffic patterns are becoming east-west, because servers and virtual machines (VMs) communicate not only with each other but also with database systems, storage systems and other applications inside the data center. East-west traffic usually does not pass through the network core switch. Although security detection appliances such as IPS/IDS are usually installed at the network core to find malware or threats hidden in the packets, east-west traffic that never traverses the core cannot be inspected by those appliances.

In addition, the share of east-west traffic is rapidly outgrowing north-south traffic, i.e. the packets going to and from the Internet. This makes it easier for malware to compromise older or unpatched servers and spread laterally inside the data center without being noticed by the security measures that intercept and inspect north-south traffic (see Figure 2).

For example, Facebook runs one million map-reduce jobs per day [3]. As a result, a large amount of network traffic stays within the data center. Although most enterprises do not operate at this scale, medium and large enterprises are making increasing use of big data solutions, which drives the same trend in traffic patterns inside the data center. As another example, many enterprises adopt VDI (virtual desktop infrastructure), which moves desktops into the data center. Traffic that used to be north-south, traverse the network core, and pass through the well-defined choke points of a client-server architecture now becomes east-west traffic between virtual desktops and applications, all of it staying inside the data center. All of this traffic flies under the radar of the security appliances, which are therefore unable to inspect it.


Figure 2: East-west traffic inside the data center

[1] FireEye. 2015. “Maginot Revisited: More Real-World Results from Real-World Tests.” https://www2.fireeye.com/WEB-2015RPTMaginotRevisited.html

[2] Trustwave. 2014. “Global Security Report.” https://www2.trustwave.com/rs/trustwave/images/2014_Trustwave_Global_Security_Report.pdf

[3] Wiener, Janet and Bronson, Nathan. “Facebook’s Top Open Data Problems.” Web blog post. research.facebook.com, Sept. 2014. https://research.facebook.com/blog/1522692927972019/facebook-s-top-open-data-problems/


Mobility

Mobility further compounds the challenge of securing today’s networks. Users, devices, and applications are all mobile today. For example, an application packaged as a virtual machine can be moved at the click of a mouse, or perhaps even in a completely automated way, between racks, rows, pods, or even across data centers. And this can happen without the knowledge of the security team. A security appliance such as an IDS or IPS that is connected directly into a link within a data center and focused on inspecting application traffic may be rendered ineffective when the application itself moves to a different location unbeknownst to the security team. In other words, location is now becoming less relevant when deploying security solutions. This is true even in the campus edge where users and devices are mobile.

Growing Use of Encryption

Finally, there is a growing use of encryption technologies such as SSL within enterprises. While encrypting data in motion offers security from prying eyes, the secure communications channel it creates can also be used by malware to masquerade under the privacy umbrella. Many security appliances are blind to encrypted traffic and consequently the use of encryption by malware is on the rise. Where security appliances are able to inspect SSL encrypted traffic, their performance takes a significant hit due to the computationally intensive nature of SSL decryption. A Gartner report [4] has predicted that by 2017 more than 50% of network attacks will use encrypted traffic to bypass controls.

[4] D’Hoinne, Jeremy and Hils, Adam. “Security Leaders Must Address Threats From Rising SSL Traffic”. Gartner Report, 9 Dec 2013.

The combination of these factors, i.e. the sophisticated and evolved nature of threats, the changes in network traffic patterns, mobility, the growing use of SSL and encryption technologies by malware, and the use of an outdated trust model to design security architecture, is creating an environment that is leading to at-will breaches.

Addressing the Challenge

In order to better address this growing challenge, the fundamental trust assumptions around cyber security have to be revisited. Modern security strategies have to be forged on the assumption that breaches are inevitable. In other words, there has to be a growing emphasis on detection and containment of breaches from within, in addition to prevention of breaches. Since the network is the primary medium that bridges the physical, virtual and cloud environments, network traffic is becoming increasingly critical, because it provides the enterprise’s window onto malware and threats. Many security vendors are doing just this, by analyzing network traffic for threats, anomalies, and lateral movement of malware. However, no matter how sophisticated these security solutions become, they are only as good as the network traffic they see.

Figure 3: An ad-hoc and unstructured approach to security deployment


Legacy Approach to Looking Within

The legacy approach to doing this was to connect security appliances directly into the network through a network TAP or to a mirror/SPAN port on a network switch/router. Providing greater access to network traffic meant deploying significantly more network security appliances at more places in the network. However, the multi-dimensional nature of security lends itself to use of a variety of different types of network security solutions in order to increase the coverage envelope. This creates several challenges in the deployment model for these security solutions (see Figure 3). Some of these include:

• Contention across the different security appliances for access to traffic from the same points in the network. In other words, directly connecting an appliance to a network TAP or a mirror/SPAN port allows just one appliance to get access to that traffic.

• Mismatch between the processing capability of the security appliances and the volume of traffic that the security appliance needs to process.

• Blind spots and inconsistent view of traffic. Security appliances that are connected into specific points of the network may not see traffic from other parts of the network or from users or applications that have moved to other parts of the network.

• Increase in the number of false positives. More security appliances mean more false positives for those security applications prone to them.

• Rapidly increasing cost as security tools proliferate across the network, increasing management complexity and cost.

• Network disruption as deployments move from an out-of-band monitor mode, to an inline protection mode.

A Security Delivery Platform as a New Model for Security Deployments

As the industry coalesces on increasingly looking within the network for malware, the focus has been on the growing sophistication of the security solutions. There has not been much thought around the deployment architecture for such solutions, which leads to several of the challenges identified previously. This is an area that has been largely under-served and yet is fundamental to looking within the network for malware and breaches. In order to address the above challenges, a structured platform-based approach is required that delivers traffic visibility for a multitude of security appliances in a scalable, pervasive, and cost effective manner. The solution should encompass the following components:

• Deliver traffic visibility from physical and virtual environments consistently even when users, devices, and applications are moving around.

• Take out the guesswork on where to place security solutions i.e. eliminate the dependence on identifying static choke points within the network especially in today’s dynamic environments characterized by user/device/application mobility.

• Provide a solution to decrypt encrypted communications so that security tools can detect malware that leverages encrypted communication channels, while at the same time ensuring that sensitive information is not compromised.

• Provide the ability to deliver just the relevant traffic streams to the specific types of security appliances. For example, an email security solution need not see YouTube traffic. Sending only relevant traffic allows the security solutions to function more effectively and waste less bandwidth and resources processing irrelevant information.

Figure 4: A Security Delivery Platform: Key components


• Generate detailed flow and session intelligence based on actual traffic, not just a sample of the traffic.

• Support inline and out-of-band network security deployments from the same platform, while providing the ability to load balance both inline and out-of-band security appliances as well as provide the ability to bypass inline security appliances in the event of failure.
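The “relevant traffic only” requirement in the list above (an email security solution need not see YouTube traffic) is easiest to see in code. The following is an added example written for this page; it is not Gigamon code and not how GigaSECURE implements the feature. It keys packets into sessions, classifies a session from a content match in any one of its packets, and then delivers or discards the whole session, including the packets that arrived before the match. The policy patterns, the tool names (`email_security`, `ids`) and the packets are constructed.

```python
"""Session-aware traffic steering (added illustration, not Gigamon code).

A session is classified from a content match in any one of its packets; the
whole session, including packets buffered before the match and packets after
it that carry no match, is then delivered to the tool that wants it or dropped.
Policy patterns, tool names and packets below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def session_key(p: Packet):
    """Direction-independent key so both halves of a conversation share one session."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


# Hypothetical steering policy: (content pattern, destination tool).
# A tool of None means the whole session is discarded instead of delivered.
DEFAULT_TOOL = "ids"                       # sessions that never match go here
POLICY = [
    (b"Host: www.youtube.com", None),      # an email security tool need not see video
    (b"SMTP", "email_security"),
    (b"Host: mail.example.test", "email_security"),
]


@dataclass
class Session:
    tool: Optional[str] = DEFAULT_TOOL
    classified: bool = False
    pending: List[Packet] = field(default_factory=list)   # held until classified


def classify(payload: bytes):
    for pattern, tool in POLICY:
        if pattern in payload:
            return True, tool
    return False, None


def steer(packets):
    """Return ({tool: [packets delivered]}, [packets dropped])."""
    sessions = defaultdict(Session)
    delivered = defaultdict(list)
    dropped = []

    def emit(s, pkts):
        (dropped if s.tool is None else delivered[s.tool]).extend(pkts)

    for p in packets:
        s = sessions[session_key(p)]
        if s.classified:
            emit(s, [p])                  # decision already made for this session
            continue
        hit, tool = classify(p.payload)
        if hit:
            s.classified, s.tool = True, tool
            emit(s, s.pending + [p])      # earlier non-matching packets follow the match
            s.pending = []
        else:
            s.pending.append(p)           # not yet identified: hold, do not forward blindly
    for s in sessions.values():
        if not s.classified:
            emit(s, s.pending)            # never identified: deliver to the default tool
    return dict(delivered), dropped


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.10", 51000, 80, b"SYN"),
    Packet("203.0.113.10", "10.0.0.5", 80, 51000, b"SYN-ACK"),
    Packet("10.0.0.5", "203.0.113.10", 51000, 80,
           b"GET /watch HTTP/1.1\r\nHost: www.youtube.com\r\n"),
    Packet("203.0.113.10", "10.0.0.5", 80, 51000, b"HTTP/1.1 200 OK ..."),
    Packet("10.0.0.7", "192.0.2.25", 52000, 25, b"EHLO laptop"),
    Packet("192.0.2.25", "10.0.0.7", 25, 52000, b"250 SMTP ready"),
    Packet("10.0.0.7", "192.0.2.25", 52000, 25, b"MAIL FROM:<user@example.test>"),
    Packet("10.0.0.9", "10.0.0.20", 53000, 445, b"SMB2 NEGOTIATE"),
]

if __name__ == "__main__":
    delivered, dropped = steer(SAMPLE)
    for tool, pkts in delivered.items():
        print(tool, len(pkts), "packets")
    print("dropped", len(dropped), "packets")
```

Holding packets until the session is classified is the design choice that makes “entire session” steering possible: a device that forwarded each packet on its own merits would have already sent the TCP handshake to the wrong tool by the time the Host header arrived.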

A Security Delivery Platform that addresses the above considerations provides a powerful solution for deploying a diverse set of security solutions, as well as scaling each security solution beyond traditional deployments. Such a platform would deliver visibility into the lateral movement of malware, accelerate the detection of exfiltration activity, and could significantly reduce the overhead, complexity and costs associated with such security deployments (see Figure 4). In today’s world of industrialized and well-organized cyber threats, it is no longer sufficient to focus on the security applications exclusively. Focusing on how those solutions get deployed and how they get consistent access to relevant data is a critical piece of the solution. A Security Delivery Platform in this sense is a foundational building block of any cyber security strategy.

GigaSECURE as a Security Delivery Platform

GigaSECURE® is Gigamon’s offering of a Security Delivery Platform. The GigaSECURE platform connects into the network, across physical and virtual infrastructures, and delivers traffic to all of the applications that require it. Security appliances simply connect into the GigaSECURE platform at whatever interface speeds they are capable of connecting and consequently receive a high-fidelity and relevant traffic stream from across the network infrastructure. Flow metadata extraction from network traffic is also done within GigaSECURE and flow records can be exported to various security tools for analysis. See Figure 5.

GigaSECURE supports a variety of security solutions that can sit out-of-band to the production network, for detection of malware and the lateral movement of malware, detection of exfiltration activity, post incident forensics, as well as other security initiatives. Additionally, it also serves as a platform for deployment of a diverse set of security solutions that need to sit inline with the network traffic. Inline security solutions typically provide the ability to take preventive measures in real time on detection of threats, malware or anomalous behavior. GigaSECURE can support both inline and out-of-band deployments in parallel. When supporting inline security deployments, GigaSECURE provides full failure protection and load distribution capabilities across a variety of inline deployment modes.
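Failure protection and load distribution for inline tools, mentioned in the paragraph above, are the two properties a practitioner will want to verify on any such platform. The following added example (written for this page, not Gigamon code, and not a description of how GigaSECURE is built) models them: a direction-independent session key so both halves of a conversation reach the same appliance, rendezvous hashing so that a failed appliance moves only the sessions it was handling, and a fail-open bypass (or fail-closed drop) when no appliance is healthy. The appliance names, the health events and the sample sessions are constructed.

```python
"""Inline tool group with session affinity and bypass (added illustration, not Gigamon code).

Traffic is spread across several inline appliances, both directions of a
session reach the same appliance, a failed appliance only disturbs the
sessions it was handling, and when nothing is healthy the link either
bypasses inspection (fail-open) or stops forwarding (fail-closed).
Appliance names, health events and sample sessions are constructed.
"""
import hashlib


def session_key(src, dst, sport, dport, proto):
    """Direction-independent key: the forward and return packets hash identically."""
    lo, hi = sorted([(src, sport), (dst, dport)])
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


class InlineToolGroup:
    BYPASS, DROP = "BYPASS", "DROP"

    def __init__(self, appliances, fail_open=True):
        self.health = {name: True for name in appliances}
        self.fail_open = fail_open
        self.bypassed = 0   # sessions forwarded uninspected because nothing was healthy

    def set_health(self, name, healthy):
        """In a real platform this is driven by heartbeat or link-state monitoring."""
        self.health[name] = healthy

    def choose(self, key):
        """Pick the appliance for a session, or BYPASS/DROP when none is healthy."""
        healthy = [n for n, ok in self.health.items() if ok]
        if not healthy:
            if self.fail_open:
                self.bypassed += 1
                return self.BYPASS
            return self.DROP
        # Rendezvous hashing: each session scores every healthy appliance and takes
        # the highest, so removing one appliance only moves that appliance's sessions.
        return max(healthy,
                   key=lambda n: hashlib.sha256(f"{key}|{n}".encode()).digest())


def failure_impact(group, keys, failed):
    """Fail one appliance and report how many sessions moved, split by where they were."""
    before = {k: group.choose(k) for k in keys}
    group.set_health(failed, False)
    after = {k: group.choose(k) for k in keys}
    moved_from_failed = sum(1 for k in keys if before[k] == failed and after[k] != failed)
    moved_from_others = sum(1 for k in keys if before[k] != failed and after[k] != before[k])
    return moved_from_failed, moved_from_others


def sample_keys(n=200):
    """Constructed sessions: n internal clients talking to one external service."""
    return [session_key(f"10.0.{i // 256}.{i % 256}", "198.51.100.7", 40000 + i, 443, "tcp")
            for i in range(n)]


if __name__ == "__main__":
    group = InlineToolGroup(["ips-1", "ips-2", "ips-3"])
    fwd = session_key("10.0.0.5", "198.51.100.7", 51000, 443, "tcp")
    rev = session_key("198.51.100.7", "10.0.0.5", 443, 51000, "tcp")
    print("same appliance both ways:", group.choose(fwd) == group.choose(rev))
    print("moved (from failed, from others):", failure_impact(group, sample_keys(), "ips-2"))
    group.set_health("ips-1", False)
    group.set_health("ips-3", False)
    print("nothing healthy ->", group.choose(fwd), "bypassed so far:", group.bypassed)
```

Whether the last resort is `BYPASS` or `DROP` is a policy decision, not a technical one: fail-open keeps the production link up at the cost of uninspected traffic, fail-closed keeps inspection guarantees at the cost of an outage, and the counter makes the uninspected sessions visible to whoever reviews the platform afterwards.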

Figure 5: GigaSECURE Security Delivery Platform. The diagram shows the network path (Internet, routers, “spine” switches, “leaf” switches, virtualized server farm) feeding the platform (GigaVUE-VM and GigaVUE® nodes, Application Session Filtering, SSL Decryption, Inline Bypass, Metadata Engine, API), which in turn feeds inline tools (Anti-Malware, IPS) and out-of-band tools (Data Loss Prevention, Intrusion Detection System, Forensics, Email Threat Detection, SIEM / Big Data).


平台的元件GigaSECURE 內含可視性節點; 支援 Flow Mapping 專利技術的GigaVUE OS 軟體; GigaSMART 驅動的流量情報功能; 以及集中光纖控制器 (GigaVUE-FM)。以下為詳細介紹:

• 虛擬化可視性節點: GigaVUE-VM 是一個虛擬化節點 TAP, 它讓用戶能針對虛擬化作業負載各 VM 間觀察傳輸資料流 的內容予以監控或轉送出到實體網路上的安全工具設備 上。GigaVUE-VM 解決方案能追蹤在伺服器之間搬移的虛 擬機器,並執行 Follow-the-VM 策略,以確保當虛擬機器 移動時,應用程式的流量依然會傳送到安全工具。

• 橫向擴充的低成本可視化節點: GigaVUE TA 系列可視化節 點,加上 GigaVUE-OS 搭配自行組建 white box 的乙太網路 交換器,讓用戶以低廉的成本得到橫向擴充的流量可視 化功能。這些節點透過流量對應 (Flow Mapping) 技術提供 精密的匯整、過濾、以及複製功能,以低廉的價位提供 一種全網式的部署模式,讓基礎設施中的流量能連回到 選定的安全設備。

• GigaVUE-VM 與 GigaVUE TA 系列的組合,讓用戶不僅能觀 察東西向傳輸資料,還能觀察單位內部 IT 網路園區與資 料中心網路之間的傳輸資料。另外它們還解決許多行動 力衍生的問題,並為安全設備提供一貫的高解析流量來 源,這類設備現在能監視各種安全威脅的橫向擴散,並 全面監控基礎設施的內部。

• GigaSMART 驅動的 Traffic Intelligence功能: GigaVUE-VM 與 GigaVUE TA 系列產品讓安全設備能從基礎 設施各節點取得高度相關性的流量,而且成本低廉又具備 橫向擴充能力。而採用 GigaSMART 技術的 GigaVUE H 系 列平台則能處理這些流量以及執行一系列進階功能,進 行負荷分載 (Load balance) 以及優化各種安全解決方案。 能透過安全解決方案提供的先進 GigaSMART 功能包括:

– 高效能 NetFlow (IPFIX) 產生方案: IPFIX 是一項強大的 標準技術,已在網路安全領域快速竄起,其可用來執 行偵察、趨勢分析、以及異常偵測。IPFIX 會偵察未處 理的網路數據封包,然後產生詳盡的流量彙整資料 (Meta Data),像是端點之間的對談紀錄、對談時間、 以及使用的通訊頻道等。GigaSECURE 集中匯整產生這 些流量紀錄的功能,並讓這類功能能在不同的基礎網 路設備上持續進行。流量紀錄能供予各種能分析流量 彙整資料的資訊安全解決方案。流量彙整資料以及高 解析紀錄的產生程序都是在極高的吞吐量下進行,這 樣的效率對於完善的安全分析至關重要。此外,這款 解決方案還讓客戶能定義樣板,藉以針對特定部署環 境量身規劃需從流量中蒐集哪些資訊。

– SSL 解密: 由於越來越多惡意程式利用加密通訊管道進 行滲透,因此用戶越來越需要深入偵察透過加密通訊 管道傳送的資料。要對這類加密管道進行解密,最好 的方法是透過 GigaSECURE 的資安訊息派送平台執 行,此平台能以極高的效能完成解密工作,同時消弭 多部資訊安全設備無法處理加密的通訊。對於這類 情形,此平台能分擔運算解密的作業,而不需要讓每 部資安設備重複不斷地執行解密的工作。

– 應用通訊過濾: 由許多安全解決方案沒有必要檢視整個 流量內容,因為這些數據封包受到信任,或者設備根 本沒有能力處理這些數據封包。透過應用通訊過濾 (Application Session Filtering) 功能,GigaSECURE 資安訊 息派送平台有能力在應用層深入剖析數據封包,並根 據數據封包內的任何特徵,辨識出應用流量,然後控 制整個交談通訊 (諸如找出所有屬於特定交談階段的數 據封包,即使該交談階段先前與後續的數據封包不符 合這些特徵) 傳送到特定的安全解決方案,或是棄置整 個交談階段流量。這項強大功能讓系統能精準控制哪 些種類的流量資料會傳送到特定的安全工具,所根據 的是 Layer 4 到 Layer 7 的資料,以及更精密的內容匹 配機制,進而確保安全解決方案專注於處理和設備最 有 關連的網路流量,同時分擔這些設備的處理負荷, 讓它們不必處理大量的非相關資料。每部安全設備可 自行定義如何分辨哪些流量和自己有關與無關。

• 頻內保護與流量平衡: 許多安全設備以頻內模式處理網路 流量,以即時模式防範惡意程式與各種惡意活動。許多 其他安全設備以頻外 (out-of-band) 模式運作,進行偵測與 事件產生作業。GigaSECURE 資安全訊息派送平台提供一 個共用平台,針對頻內與頻外安全部署環境提供流量。 在服務頻內安全部署環境方面,GigaSECURE 平台不只能 在多個頻內安全解決方案之間進行流量平衡,還能串接 不同的頻內安全設備,每部設備提供不同等級的保護功 能。系統可根據各種標準,將流量分派到多部安全設備 ,並確保中繼與回傳數據封包不會派給同一部安全設備 。在頻內安全設備發生故障時,此平台還提供回復彈性 與保護(Bypass)功能,包括在流量平衡模式以及頻內 設備相互串連的情境,確保在設備故障時網路流量的轉 送作業不會受影響。安全設備還能無縫地從頻外模式轉 移到頻內模式,反之亦然,而且網路完全不受影響。此 項平台強化功能不僅統合並簡化了各種頻內與頻外安全 解決方案的部署,同時可極有效率地解決回復問題與故 障狀況。

© 2014 –2016 Gigamon. All rights reserved. 77© 2015-2016 Gigamon. All rights reserved.

Whitepaper: Addressing the Threat Within: Rethinking Network Security Deployment

Components of the PlatformGigaSECURE consists of visibility nodes, GigaVUE OS™ software with patented Flow Mapping® technology, traf�c intelligence functions powered by GigaSMART® and a centralized fabric controller (GigaVUE-FM). These are described below.

• Virtualized visibility nodes: GigaVUE-VM is a virtualized node that provides the ability to deliver traf�c visibility into virtualized workloads. The GigaVUE-VM solution provides the ability to track virtual machines as they move from server to server, and enforce Follow-the-VM policies to ensure that application traf�c is always sent to the security tools even as the VMs move.

• Scale-out, cost-effective visibility nodes: The GigaVUE TA Series of visibility nodes, along with the GigaVUE-OS in conjunction with whitebox Ethernet switches, provide a cost-effective way to provide scale-out traffic visibility. These nodes, through the power of Flow Mapping® technology, provide sophisticated aggregation, filtering, and replication capabilities at a cost-effective price point, enabling a deployment model where traffic from across the infrastructure can be channeled back to selective security appliances. The combination of the GigaVUE-VM and the GigaVUE TA Series enables visibility into east-west traffic and visibility across the internal campus and data center networks. They also address the issues of mobility and provide a consistent source of high-fidelity traffic to security appliances, which now have the ability to monitor the lateral propagation of threats and look pervasively inside the infrastructure.

• Traffic Intelligence functions powered by GigaSMART: While the GigaVUE-VM and GigaVUE TA Series products enable security appliances to get highly relevant traffic feeds from across the infrastructure in a cost-effective scale-out manner, the GigaVUE H Series platforms powered with GigaSMART technology provide the ability to act on those traffic streams and perform a series of functions that serve to offload and optimize a variety of security solutions. Some of the advanced GigaSMART functions available to security solutions include:

– High performance NetFlow (IPFIX) and metadata generation: IPFIX is a powerful standards-based technology that is gaining momentum in the network security space for forensics, trend analysis, and anomaly detection. IPFIX looks at raw network packets and derives sophisticated flow-based meta-data such as records of conversations between endpoints, duration of conversations, channels of communication, etc. GigaSECURE centralizes the function of generating these flow records so that this can be done consistently across heterogeneous and disparate infrastructure. The flow records can be served up to a variety of security solutions that analyze flow metadata. The flow meta-data generation is done at very high throughput so as to generate high-fidelity records that are essential for good security analytics. The solution also enables custom templates to be defined so that the information that can be gleaned from the traffic can be highly tailored to the specific deployment environment.
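The flow-record derivation the NetFlow/IPFIX paragraphs describe (above and in the Chinese section) reduces to keeping one bidirectional record per conversation and exporting only the fields a template selects. The code below is an added illustration, not Gigamon's implementation: the packet tuples are constructed, and the field names and `DEFAULT_TEMPLATE` are assumptions rather than IPFIX information element names.

```python
# Constructed packet sample (not captured traffic):
# (timestamp_s, src_ip, dst_ip, ip_proto, src_port, dst_port, ip_len)
PACKETS = [
    (0.000, "10.1.1.5", "203.0.113.9", 6, 51000, 443, 74),
    (0.012, "203.0.113.9", "10.1.1.5", 6, 443, 51000, 74),
    (0.013, "10.1.1.5", "203.0.113.9", 6, 51000, 443, 66),
    (0.500, "10.1.1.5", "203.0.113.9", 6, 51000, 443, 1400),
    (0.900, "203.0.113.9", "10.1.1.5", 6, 443, 51000, 4096),
    (2.000, "10.1.1.7", "192.0.2.53", 17, 40000, 53, 78),
    (2.020, "192.0.2.53", "10.1.1.7", 17, 53, 40000, 142),
]

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key: both halves of a conversation map to one record."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def build_flow_records(packets):
    """Fold a time-ordered packet stream into bidirectional flow records.

    The first packet seen defines the forward direction (src -> dst), which is
    how an exporter tells the initiating side from the responding side.
    """
    flows = {}
    for ts, src, dst, proto, sport, dport, length in packets:
        key = flow_key(src, sport, dst, dport, proto)
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = {"src": src, "sport": sport, "dst": dst, "dport": dport,
                                "proto": proto, "first_seen": ts, "last_seen": ts,
                                "fwd_pkts": 0, "fwd_bytes": 0, "rev_pkts": 0, "rev_bytes": 0}
        rec["last_seen"] = max(rec["last_seen"], ts)
        side = "fwd" if (src, sport) == (rec["src"], rec["sport"]) else "rev"
        rec[side + "_pkts"] += 1
        rec[side + "_bytes"] += length
    for rec in flows.values():
        rec["duration"] = round(rec["last_seen"] - rec["first_seen"], 3)
    return list(flows.values())

# A template selects which fields an exported record carries, as IPFIX templates do;
# a deployment trims this to exactly what its analytics tools consume.
DEFAULT_TEMPLATE = ("src", "sport", "dst", "dport", "proto", "duration",
                    "fwd_pkts", "fwd_bytes", "rev_pkts", "rev_bytes")

def export_records(records, template=DEFAULT_TEMPLATE):
    """Render records with only the template's fields."""
    return [{field: rec[field] for field in template} for rec in records]

if __name__ == "__main__":
    for row in export_records(build_flow_records(PACKETS)):
        print(row)
```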

– SSL decryption: As the volume of malware that leverages encrypted communication channels increases, the need to peek into those encrypted channels of communication increases. Decrypting those encrypted channels of communication is best done within the GigaSECURE Security Delivery Platform so that this is done once, at very high performance, thereby eliminating this blind spot simultaneously for multiple security appliances that do not have the ability to deal with encrypted communications. For those security appliances that do have the ability to do this, it offloads a computationally intensive task from being repetitively done in each such security appliance.

– Application session filtering: Many security solutions do not need to look at entire flows that are either trusted or that they have no ability to process. With the Application Session Filtering capability, the GigaSECURE Security Delivery Platform has the ability to look deep into the packet at the application layer, identify application flows based on any arbitrary pattern within the packets, and steer entire sessions (i.e. all packets belonging to that session even if subsequent or preceding packets for that session do not match that pattern) to a specific security solution, or to discard the entire session. This powerful capability allows precise control of what types of traffic data are sent to security tools based on L4-L7 and more sophisticated content matching, thereby ensuring that security solutions are focused on working off network traffic that is most relevant to them while simultaneously offloading those appliances from having to process large volumes of irrelevant data. The identification of what is relevant and what is not can be customized to each security appliance.

• Inline protection and load balancing: Many security appliances work inline with the network traffic to prevent malware and malicious activities in real time. Many other security appliances work in an out-of-band mode for detection and incident generation purposes. The GigaSECURE Security Delivery Platform provides a common platform to serve traffic feeds to both inline and out-of-band security deployments. When serving inline security deployments, the GigaSECURE platform provides the ability to load balance traffic across multiple inline security solutions, as well as the ability to daisy chain different inline security appliances, each providing different levels of protection. Traffic can be distributed to the security appliances based on a variety of criteria, while ensuring that forward and reverse traffic for a given flow always go to the same security appliance. The platform also provides resiliency and protection in the event that any of the inline security appliances experiences a failure, both in


• Fabric controller (GigaVUE-FM): GigaVUE-FM, the fabric controller, unifies the various components of the GigaSECURE Security Delivery Platform. It centrally configures the traffic filtering and delivery policies that govern both the virtual and the physical visibility nodes. GigaVUE-FM provides a set of northbound APIs that let security solutions fine-tune, in near real time, the visibility they get into the network and IT infrastructure once they have received traffic, adjusting it immediately according to the anomalies, threats and situations they observe. In other words, the APIs give security tools a degree of automated interaction: based on what they see in real or near-real time, they can change the filtering criteria on the Security Delivery Platform and take in the traffic they need for further security analysis.

Vendor offerings of scalable, affordable platforms fall well short of strong market demand. The GigaSECURE Security Delivery Platform not only meets this need and extends the reach of multiple security appliances, it also resolves contention for packets, helping to reduce cost and simplify the deployment architecture. This approach greatly improves network security coverage, giving better visibility into internal threats and their lateral spread.

Benefits

Adopting such a structured, platform-oriented approach to security deployment brings many benefits. Advantages of the solution include:

• Immediate, comprehensive analysis of network traffic within the enterprise, including visibility of all lateral movement of malware

• Traffic delivered to security appliances without guessing where to place them, so they quickly receive the traffic relevant to them

• Support for upgrades, changes, or moving from out-of-band to inline without disrupting the network security solutions

• Far fewer false positives arising from the aggregation of multiple security solutions: consolidated onto a smaller number of appliances, they are centrally managed and applied by the Security Delivery Platform

• Elimination of the blind spots caused by mobility and encryption

• A consistent source of packet and flow data for all security appliances

• Elimination of contention for access to traffic: relevant traffic is replicated and delivered to every solution

• Greater efficiency of security solutions, since irrelevant traffic is kept from being sent to them

Conclusion

As the cyber security threat landscape continues to evolve, the security trust model must change fundamentally. Once organizations accept that infiltration of their networks is inevitable, their focus shifts to a security architecture that detects the malware and threats lurking inside the organization and responds to them to reduce risk. This protection work must inspect traffic in far greater depth and cover the entire infrastructure, requirements well beyond what today's traditional architectures can deliver, so a new model for deploying security solutions is needed. Such an architecture must cover the network pervasively, analyze traffic content, and resolve contention among tools for the traffic. A well-planned, structured approach builds network visibility, gives security solutions access to it, and lets users scale at low cost. Improved security and cost efficiency make the Security Delivery Platform a foundational building block for deploying security solutions of every kind. GigaSECURE, Gigamon's Security Delivery Platform, is the industry's first product to combine compute with packet filtering, going beyond the existing model of delivering security services in the network to add detection and response capabilities.

© 2014-2016 Gigamon. All rights reserved. Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at www.gigamon.com/legal-trademarks. All other trademarks are the trademarks of their respective owners. Gigamon reserves the right to change, modify, transfer, or otherwise revise this publication without notice. TW 3163-04 04/16

3300 Olcott Street, Santa Clara, CA 95054 USA | +1 (408) 831-4000 | www.gigamon.com