Using NetFlow for
Cyber Threat Defense
COMPANY CONFIDENTIAL
Michael Belan, Senior Systems Engineer, Lancope Federal
© 2014 Lancope, Inc. All rights reserved.
Agenda
● Cyber Threat Defense 2.0 Security Model
● NetFlow: Visibility to CTD 2.0
● Lancope StealthWatch in CTD 2.0
  ○ Use case: Forensic Issue
  ○ Use case: Insider Threat
● Review
NetFlow provides Enterprise-wide visibility to CTD 2.0
Massively Scalable StealthWatch Architecture
StealthWatch Architecture: Putting It All Together
Components in the architecture diagram:
● StealthWatch Management Console
● FlowCollector: receives NetFlow, syslog and SNMP from the NetFlow-enabled infrastructure
● FlowSensor: generates flow records from traffic on segments that cannot export NetFlow
● FlowSensor VE on VMware ESX: the same function for virtual switching
● UDP Director: forwards NetFlow, syslog and SNMP from the infrastructure to the collectors
● StealthWatch IDentity and Cisco ISE: user and device information
● Feeds of emerging threat information
Stitching, Deduplication, and Unsampled Flow
Stitching
● NetFlow is unidirectional
● Two records per conversation
● StealthWatch creates biflows
Deduplication
• Aggregates data from all exporters
• Stores one record
• Faster query response
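Stitching and deduplication in working code, as an added example that is not Lancope's code: it takes unidirectional records the way exporters send them, collapses the copies that several exporters reported for the same flow, and pairs each direction with its reverse into one biflow oriented client to server. The record layout, the "largest octet count wins" rule for duplicates, the 60-second time bucket, and the four sample records are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional NetFlow record as an exporter sends it (simplified layout)."""
    exporter: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int     # 6 = TCP, 17 = UDP
    pkts: int
    octets: int
    start: int     # epoch seconds
    end: int


@dataclass
class BiFlow:
    """Both directions of one conversation, oriented client -> server."""
    client: str
    client_port: int
    server: str
    server_port: int
    proto: int
    client_octets: int = 0
    server_octets: int = 0
    client_pkts: int = 0
    server_pkts: int = 0
    start: int = 0
    end: int = 0
    exporters: Set[str] = field(default_factory=set)


def dedup(records: List[FlowRecord], window: int = 60) -> Dict[Tuple, Tuple[FlowRecord, Set[str]]]:
    """Collapse copies of the same unidirectional flow reported by several exporters.
    Same 5-tuple + same `window`-second start bucket = same flow. The copy with the most
    octets is kept (the exporter that saw all of it) and every exporter is remembered.
    Flows straddling a bucket boundary are not handled here (a real collector must)."""
    kept: Dict[Tuple, FlowRecord] = {}
    seen_by: Dict[Tuple, Set[str]] = {}
    for r in records:
        key = (r.src, r.sport, r.dst, r.dport, r.proto, r.start // window)
        seen_by.setdefault(key, set()).add(r.exporter)
        if key not in kept or r.octets > kept[key].octets:
            kept[key] = r
    return {k: (kept[k], seen_by[k]) for k in kept}


def _orient(recs: List[FlowRecord], exporters: Set[str]) -> BiFlow:
    """Client side = the direction that started first; on a tie, the side using the
    higher (ephemeral) port. Then sum octets/packets per direction."""
    first = sorted(recs, key=lambda r: (r.start, 0 if r.sport > r.dport else 1))[0]
    bf = BiFlow(first.src, first.sport, first.dst, first.dport, first.proto,
                start=first.start, end=first.end, exporters=set(exporters))
    for r in recs:
        if (r.src, r.sport) == (bf.client, bf.client_port):
            bf.client_octets += r.octets
            bf.client_pkts += r.pkts
        else:
            bf.server_octets += r.octets
            bf.server_pkts += r.pkts
        bf.start, bf.end = min(bf.start, r.start), max(bf.end, r.end)
    return bf


def stitch(records: List[FlowRecord], window: int = 60) -> List[BiFlow]:
    """Deduplicate, then pair each unidirectional record with its reverse direction."""
    convs: Dict[Tuple, Tuple[List[FlowRecord], Set[str]]] = {}
    for rec, exporters in dedup(records, window).values():
        key = (tuple(sorted([(rec.src, rec.sport), (rec.dst, rec.dport)])), rec.proto)
        recs, exps = convs.setdefault(key, ([], set()))
        recs.append(rec)
        exps.update(exporters)
    return [_orient(recs, exps) for recs, exps in convs.values()]


# Constructed sample: one RDP session seen by two exporters (4 records) and one DNS
# lookup seen by one exporter (2 records). Six records, two conversations.
SAMPLE = [
    FlowRecord("access-sw", "10.201.3.18", 51234, "10.201.0.23", 3389, 6, 10, 1200, 1000, 1030),
    FlowRecord("core-rtr", "10.201.3.18", 51234, "10.201.0.23", 3389, 6, 10, 1200, 1000, 1030),
    FlowRecord("access-sw", "10.201.0.23", 3389, "10.201.3.18", 51234, 6, 40, 45000, 1000, 1030),
    FlowRecord("core-rtr", "10.201.0.23", 3389, "10.201.3.18", 51234, 6, 40, 45000, 1000, 1030),
    FlowRecord("core-rtr", "10.201.3.18", 40001, "10.201.0.2", 53, 17, 1, 70, 1001, 1001),
    FlowRecord("core-rtr", "10.201.0.2", 53, "10.201.3.18", 40001, 17, 1, 110, 1001, 1001),
]

if __name__ == "__main__":
    for bf in stitch(SAMPLE):
        print(bf)
```

Each biflow keeps the per-direction byte counts separately, which is what the later hoarding and exfiltration checks need: a client that receives far more than it sends from the datacenter, or sends far more than it receives to the Internet.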
Attack Lifecycle: Detect Internal Recon with Concern Index
Attack Lifecycle: Detect Propagation with Host Locking
Diagram: host groups Users and Resources/Datacenter (Resource Group A), hosts A and B in each; a host-locking policy raises an ALARM when a locked host group is contacted in a way the policy does not allow.
Attack Lifecycle: Detect Data Hoarding
Diagram: a user normally pulls 2GB per day from Resource Group A; 25GB today raises an ALARM.
Attack Lifecycle: Detecting Data Exfiltration
Diagram: a user on the Internal Network pulls data from Resource Group A and pushes it to the Internet; the outbound volume raises an ALARM.
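The two volume alarms above (data hoarding: far more pulled from the datacenter than the host's own norm; data exfiltration: far more pushed to the Internet than its norm) share one mechanism, so here is one added example covering both. It is not Lancope's detection logic: the datacenter range used for "Resource Group A", the 5x-over-baseline factor, the 1GB floor, the use of a per-host mean as the baseline, and the daily totals are all assumptions, and the flows are constructed to reproduce the 2GB/day versus 25GB case from the slide.

```python
import ipaddress
import statistics
from collections import defaultdict

RESOURCE_GROUP_A = ipaddress.ip_network("10.201.0.0/24")  # assumed datacenter range
GB = 1_000_000_000


def daily_volumes(flows):
    """Per (day, host): bytes the host received from Resource Group A ("hoard") and
    bytes it sent to non-private addresses ("exfil"). Input records are unidirectional
    dicts with keys day, src, dst, octets."""
    totals = defaultdict(lambda: {"hoard": 0, "exfil": 0})
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in RESOURCE_GROUP_A and dst.is_private and dst not in RESOURCE_GROUP_A:
            totals[(f["day"], f["dst"])]["hoard"] += f["octets"]
        if src.is_private and not dst.is_private:
            totals[(f["day"], f["src"])]["exfil"] += f["octets"]
    return totals


def volume_alarms(flows, today, factor=5.0, floor=1 * GB):
    """Alarm when today's volume exceeds both `factor` times the host's own mean over
    earlier days and an absolute `floor`, so a host that normally moves 1KB does not
    alarm at 5KB. A host with no history is compared against the floor alone."""
    totals = daily_volumes(flows)
    history = defaultdict(lambda: defaultdict(list))
    for (day, host), metrics in totals.items():
        if day != today:
            for metric, value in metrics.items():
                history[host][metric].append(value)
    alarms = []
    for (day, host), metrics in totals.items():
        if day != today:
            continue
        for metric, value in metrics.items():
            baseline = statistics.mean(history[host][metric] or [0])
            if value > max(factor * baseline, floor):
                alarms.append({"host": host, "metric": metric,
                               "today": value, "baseline": baseline})
    return sorted(alarms, key=lambda a: (a["host"], a["metric"]))


def constructed_flows():
    """Seven normal days, then day 8: 10.201.3.18 pulls 25GB from the database server
    and pushes 20GB to an outside host, while 10.201.3.51 stays at its usual 2GB."""
    flows = []
    for day in range(1, 8):
        flows.append({"day": day, "src": "10.201.0.55", "dst": "10.201.3.18", "octets": 2 * GB})
        flows.append({"day": day, "src": "10.201.3.18", "dst": "74.213.99.97", "octets": 50_000_000})
        flows.append({"day": day, "src": "10.201.0.55", "dst": "10.201.3.51", "octets": 2 * GB})
    flows.append({"day": 8, "src": "10.201.0.55", "dst": "10.201.3.18", "octets": 25 * GB})
    flows.append({"day": 8, "src": "10.201.3.18", "dst": "74.213.99.97", "octets": 20 * GB})
    flows.append({"day": 8, "src": "10.201.0.55", "dst": "10.201.3.51", "octets": 2 * GB})
    return flows


if __name__ == "__main__":
    for alarm in volume_alarms(constructed_flows(), today=8):
        print(alarm)
```

The baseline is per host, not global: the point of both alarms is that 25GB is abnormal for this user, even if a backup server moves that much every night. In practice the mean should be taken over a longer window and the factor tuned per host group, and the exfiltration check should exclude the organisation's own sanctioned upload destinations.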
Scenario: You have been notified of an unauthorized data transfer and need to pull back historical conversations.
The notification could be from:
• Internal auditor
• External authority
• Security response team
Pull back all historical conversations around a host, port, application, or traffic type.
ALERT: Incident Response. Below is an example notification received:
List of infringing content
------------------------------
Taylor Swift Fearless
------------------------------
INFRINGEMENT DETAIL
------------------------------
Infringing Work : Fearless
Filename : Taylor Swift - Fearless
First found (UTC): 3:59:00 PM
Last found (UTC): 4:24:59 PM
Filesize : 79176908 bytes
IP Address: 209.182.184.7
IP Port: 14001
Network: BitTorrent
Protocol: BitTorrent
Diagram: flow query results showing the internal host 10.201.3.51 and the external peer 50.23.115.72.
Scenario: An internal user is stealing data!
The user could be a:
• Disgruntled employee
• Person about to leave the company
• Person with privileged credentials
• Person stealing and selling trade secrets
Security events have triggered indicating a user is connecting to a terminal server, collecting data from a sensitive database, and tunneling the traffic out of the network using P2P through UDP port 53 (the DNS port).
ALERT: Insider Threat
1. Internal user connects to Terminal Server
2. Terminal server used to collect sensitive data from within the same subnet inside the datacenter.
3. Terminal server used to encrypt data and tunnel through the DNS port to an upload server
Diagram: 10.201.3.18 (user) → 10.201.0.23 (terminal server); 10.201.0.23 → 10.201.0.55 (database, same datacenter subnet); 10.201.0.23 → 74.213.99.97 (upload server, UDP port 53).
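The three-step chain above in detection code, as an added example rather than StealthWatch's own logic. Encryption hides the content, but the flow metadata still gives it away: a UDP/53 flow that is far too large, too long-lived or too fat per packet to be name resolution, or that goes to a server that is not an approved resolver. The example flags such flows, then walks the same flow set backwards to find which sensitive server the tunnelling host pulled from and who was logged into it over RDP/SSH. The approved resolver, the sensitive server, the thresholds, 203.0.113.53 as a public resolver, and the six sample records are assumptions constructed for the example.

```python
APPROVED_RESOLVERS = {"10.201.0.2"}   # assumed internal resolver
SENSITIVE_SERVERS = {"10.201.0.55"}   # assumed: the database from the scenario
ADMIN_PORTS = {3389, 22}              # RDP, SSH


def tunnel_reasons(f, max_octets=1_000_000, max_avg_pkt=300, max_seconds=60):
    """Reasons a UDP/53 record does not look like name resolution (empty = looks normal).
    Thresholds are starting points to tune against your own resolver traffic."""
    if f["proto"] != 17 or 53 not in (f["sport"], f["dport"]):
        return []
    server = f["dst"] if f["dport"] == 53 else f["src"]
    reasons = []
    if server not in APPROVED_RESOLVERS:
        reasons.append("resolver not approved: %s" % server)
    if f["octets"] > max_octets:
        reasons.append("%d bytes over UDP/53" % f["octets"])
    if f["pkts"] and f["octets"] / f["pkts"] > max_avg_pkt:
        reasons.append("average packet %d bytes" % (f["octets"] // f["pkts"]))
    if f["end"] - f["start"] > max_seconds:
        reasons.append("flow lasted %d s" % (f["end"] - f["start"]))
    return reasons


def insider_chain(flows):
    """Group suspicious UDP/53 records by the internal host sending them, then pull from
    the same flow set which sensitive servers that host talked to ("data_sources") and
    which hosts logged into it over RDP/SSH ("operators")."""
    chains = {}
    for f in flows:
        reasons = tunnel_reasons(f)
        if not reasons:
            continue
        inside, outside = (f["src"], f["dst"]) if f["dport"] == 53 else (f["dst"], f["src"])
        c = chains.setdefault(inside, {"tunnel_host": inside, "upload_servers": set(),
                                       "reasons": set(), "data_sources": set(),
                                       "operators": set(), "octets_out": 0})
        c["upload_servers"].add(outside)
        c["reasons"].update(reasons)
        if f["dport"] == 53:
            c["octets_out"] += f["octets"]
    for host, c in chains.items():
        for f in flows:
            if (f["dst"] == host and f["src"] in SENSITIVE_SERVERS) or \
               (f["src"] == host and f["dst"] in SENSITIVE_SERVERS):
                c["data_sources"].add(f["src"] if f["src"] in SENSITIVE_SERVERS else f["dst"])
            if f["dst"] == host and f["dport"] in ADMIN_PORTS:
                c["operators"].add(f["src"])
    return chains


def rec(src, sport, dst, dport, proto, pkts, octets, start, end):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto,
            "pkts": pkts, "octets": octets, "start": start, "end": end}


# Constructed unidirectional records reproducing the scenario's three steps plus
# two ordinary lookups for contrast.
SAMPLE = [
    rec("10.201.3.18", 51234, "10.201.0.23", 3389, 6, 400, 60_000, 1000, 4600),        # 1. user -> terminal server
    rec("10.201.0.23", 50000, "10.201.0.55", 1433, 6, 2_000, 200_000, 1200, 1800),     # 2. terminal server -> database
    rec("10.201.0.55", 1433, "10.201.0.23", 50000, 6, 80_000, 98_000_000, 1200, 1800), #    database -> terminal server
    rec("10.201.0.23", 40000, "74.213.99.97", 53, 17, 70_000, 95_000_000, 2000, 4400), # 3. tunnel out over UDP/53
    rec("74.213.99.97", 53, "10.201.0.23", 40000, 17, 70_000, 5_000_000, 2000, 4400),  #    tunnel acks back
    rec("10.201.3.18", 40001, "10.201.0.2", 53, 17, 1, 70, 1001, 1001),                # normal lookup, approved resolver
    rec("10.201.3.51", 40002, "203.0.113.53", 53, 17, 1, 80, 1002, 1002),              # small lookup to an outside resolver
]

if __name__ == "__main__":
    for host, chain in insider_chain(SAMPLE).items():
        print(host, chain)
```

The small lookup to the outside resolver is reported too, but with a single reason and no data sources or operators attached; the terminal server shows all four signals, a sensitive data source and the user who logged in, which is the picture an analyst needs before calling it an insider case. The policy side of this is simple and worth enforcing: internal hosts other than the approved resolvers should not be talking to the Internet on UDP/53 at all.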
Review: StealthWatch Highlights
• Flow based – One record to rule them all!
• Profile Hosts – based on behavior, traffic sent and received
• Enforce Policy – Identify the known bad
• Detect Anomalies – Find and alert on outliers
• Metadata – Lightweight, efficient, not hindered by encryption