Using NetFlow for Cyber Threat Defense COMPANY CONFIDENTIAL Michael Belan Senior Systems Engineer Lancope Federal


© 2014 Lancope, Inc. All rights reserved.

Agenda

● Cyber Threat Defense 2.0 Security Model

● Netflow – Visibility to CTD 2.0

● Lancope StealthWatch in CTD 2.0

  • Use case: Forensic Issue
  • Use case: Insider Threat

● Review


The Cyber Threat Defense 2.0 Model


NetFlow provides Enterprise-wide visibility to CTD 2.0


Massively Scalable StealthWatch Architecture


StealthWatch Architecture: Putting It All Together

Components shown in the architecture diagram:

• StealthWatch Management Console
• FlowCollector
• NetFlow, syslog and SNMP from NetFlow-enabled infrastructure
• FlowSensor
• User and device information from StealthWatch IDentity and Cisco ISE
• Feeds of emerging threat information
• VMware ESX with FlowSensor VE
• UDP Director

Stitching, Deduplication, and Unsampled Flow

Stitching
● NetFlow is unidirectional
● Two records per conversation
● StealthWatch creates biflows

Deduplication
• Aggregates data from all exporters
• Stores one record
• Faster query response
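As an added illustration of the stitching and deduplication steps above (example code written for this page, not Lancope's), the following turns unidirectional records from two exporters into biflows and keeps one copy of each record; the record layout, exporter names and the lower-port-is-server rule are assumptions.

```python
# Constructed sample unidirectional NetFlow records, as a core router and a
# firewall (two exporters on the same path) would each export the same traffic:
# (exporter, src_ip, src_port, dst_ip, dst_port, proto, packets, bytes, start, end)
RECORDS = [
    ("rtr1", "10.201.3.51", 51234, "50.23.115.72", 443, 6, 12, 1800, 100, 105),
    ("rtr1", "50.23.115.72", 443, "10.201.3.51", 51234, 6, 10, 9400, 100, 105),
    ("fw1", "10.201.3.51", 51234, "50.23.115.72", 443, 6, 12, 1800, 100, 105),
    ("fw1", "50.23.115.72", 443, "10.201.3.51", 51234, 6, 10, 9400, 100, 105),
    ("rtr1", "10.201.0.23", 40000, "74.213.99.97", 53, 17, 3000, 2500000, 200, 260),
]

def biflow_key(sip, sp, dip, dp, proto):
    """Direction-independent key: protocol plus both endpoints in sorted order."""
    return (proto,) + tuple(sorted([(sip, sp), (dip, dp)]))

def stitch(records):
    """Stitch unidirectional records into biflows and keep one copy of a
    record reported by several exporters. The endpoint with the lower port is
    taken as the server (a simplification; a real collector also looks at
    which side sent the first packet)."""
    seen = set()
    flows = {}
    for exp, sip, sp, dip, dp, proto, pkts, byt, start, end in records:
        key = biflow_key(sip, sp, dip, dp, proto)
        client = (sip, sp) if sp > dp else (dip, dp)
        server = (dip, dp) if client == (sip, sp) else (sip, sp)
        f = flows.setdefault(key, {
            "client": client, "server": server, "proto": proto,
            "client_bytes": 0, "server_bytes": 0, "client_pkts": 0,
            "server_pkts": 0, "start": start, "end": end, "exporters": set()})
        f["exporters"].add(exp)
        # Deduplication: the same direction of the same conversation in the same
        # time window counts once, no matter how many exporters reported it.
        if (key, sip, sp, start, end) in seen:
            continue
        seen.add((key, sip, sp, start, end))
        side = "client" if (sip, sp) == client else "server"
        f[side + "_bytes"] += byt
        f[side + "_pkts"] += pkts
        f["start"] = min(f["start"], start)
        f["end"] = max(f["end"], end)
    return list(flows.values())

if __name__ == "__main__":
    for f in stitch(RECORDS):
        print(f"{f['client'][0]}:{f['client'][1]} -> {f['server'][0]}:{f['server'][1]} "
              f"proto={f['proto']} up={f['client_bytes']}B down={f['server_bytes']}B "
              f"seen_by={sorted(f['exporters'])}")
```

Four input records from two exporters collapse into a single biflow with both byte counts, which is what makes the later per-host queries cheaper.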


Host-Centric Visibility: Host Snapshot


Regional Visibility: Relational Flow Maps


The Attack Lifecycle


Attack Lifecycle: Detecting Command & Control


Attack Lifecycle: Detecting C&C Channels with SLIC


Attack Lifecycle: Country-based Detection


Attack Lifecycle: Detecting Internal Reconnaissance


Attack Lifecycle: Detect Internal Recon with Concern Index


Attack Lifecycle: Detecting Internal Propagation


Attack Lifecycle: Detect Propagation with Host Locking

Diagram: user host groups A and B locked to the matching Resources/Datacenter groups A and B; a flow that crosses the lock raises ALARM.


Attack Lifecycle: Detect Propagation with Worm Tracker


Attack Lifecycle: Detecting Data Exfiltration


Attack Lifecycle: Detect Data Hoarding

Diagram: a User pulling 2GB per day from Resource Group A on normal days; 25GB today !!! ALARM


Attack Lifecycle: Detecting Data Exfiltration

Diagram: Internal Network containing the User and Resource Group A; the flow out to the Internet raises ALARM


Use Cases


Scenario: You have been notified of an unauthorized data transfer and need to pull back historical conversations.

The notification could be from:
• Internal auditor
• External authority
• Security response team

Pull back all historical conversations around a host, port, application, or traffic type.

ALERT: Incident Response

Below is an example notification received:

List of infringing content
------------------------------
Taylor Swift Fearless
------------------------------
INFRINGEMENT DETAIL
------------------------------
Infringing Work : Fearless
Filename : Taylor Swift - Fearless
First found (UTC): 3:59:00 PM
Last found (UTC): 4:24:59 PM
Filesize : 79176908 bytes
IP Address: 209.182.184.7
IP Port: 14001
Network: BitTorrent
Protocol: BitTorrent

Flow map labels: 10.201.3.51 .. 50.23.115.72


Scenario: An internal user is stealing data!

The user could be a:
• Disgruntled employee
• Person about to leave the company
• Person with privileged credentials
• Person stealing and selling trade secrets

Security events have triggered indicating a user is connecting to a terminal server, collecting data from a sensitive database, and tunneling the traffic out of the network using P2P through UDP port 53 (the DNS port).

ALERT: Insider Threat

1. Internal user connects to Terminal Server

2. Terminal server used to collect sensitive data from within the same subnet inside the datacenter.

3. Terminal server used to encrypt data and tunnel through the DNS port to an upload server

Flow map labels: 10.201.3.18 .. 10.201.0.23; 10.201.0.23 .. 10.201.0.55; 10.201.0.23 .. 74.213.99.97
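As an added example (written for this page, not part of the deck or of StealthWatch) covering both the baseline check from the "Detect Data Hoarding" slide and the DNS-port tunnel in this insider-threat scenario, the two checks below run over constructed biflow summaries; the flow layout, Resource Group A membership, the 5x baseline factor and the 1 MB UDP/53 threshold are assumptions.

```python
from collections import defaultdict

GB = 1024 ** 3

# Constructed biflow summaries, as a collector would hold them after stitching:
# (day, client_ip, server_ip, server_port, proto, client_bytes, server_bytes)
FLOWS = [
    # Prior days: the terminal server pulls about 2 GB/day from Resource Group A.
    ("2014-05-01", "10.201.0.23", "10.201.0.55", 1433, 6, 50_000, 2 * GB),
    ("2014-05-02", "10.201.0.23", "10.201.0.55", 1433, 6, 52_000, 2 * GB),
    ("2014-05-03", "10.201.0.23", "10.201.0.55", 1433, 6, 48_000, 2 * GB),
    # Today: user logs on to the terminal server, which pulls 25 GB and then
    # pushes most of it to an external server on UDP/53.
    ("2014-05-04", "10.201.3.18", "10.201.0.23", 3389, 6, 400_000, 30_000_000),
    ("2014-05-04", "10.201.0.23", "10.201.0.55", 1433, 6, 60_000, 25 * GB),
    ("2014-05-04", "10.201.0.23", "74.213.99.97", 53, 17, 24 * GB, 3_000_000),
    # Ordinary DNS lookups to the internal resolver, for comparison.
    ("2014-05-04", "10.201.3.18", "10.201.0.10", 53, 17, 4_000, 9_000),
]

RESOURCE_GROUP_A = {"10.201.0.55"}  # assumed membership of the sensitive group

def is_internal(ip):
    return ip.startswith("10.")

def hoarding_alarms(flows, today, factor=5):
    """Data hoarding: bytes a host pulled from Resource Group A today versus
    its average over prior days. Alarm when today exceeds factor x baseline.
    Returns {host: (today_gb, baseline_gb)}."""
    per_day = defaultdict(lambda: defaultdict(int))
    for day, cip, sip, _port, _proto, _cb, sb in flows:
        if sip in RESOURCE_GROUP_A:
            per_day[cip][day] += sb
    alarms = {}
    for host, days in per_day.items():
        history = [b for d, b in days.items() if d != today]
        if not history or today not in days:
            continue
        baseline = sum(history) / len(history)
        if days[today] > factor * baseline:
            alarms[host] = (days[today] / GB, baseline / GB)
    return alarms

def dns_tunnel_alarms(flows, today, max_bytes=1_000_000):
    """Exfiltration over the DNS port: an internal host sending far more to an
    external UDP/53 server than DNS queries plausibly carry."""
    return [(cip, sip, cb) for day, cip, sip, port, proto, cb, _sb in flows
            if day == today and port == 53 and proto == 17
            and not is_internal(sip) and cb > max_bytes]
```

Both checks work on byte counts and endpoints only, which is why the encryption in step 3 does not hide the activity from a flow-based detector.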


Review: StealthWatch Highlights

• Flow based – One record to rule them all!

• Profile Hosts – based on behavior, traffic sent and received

• Enforce Policy – Identify the known bad

• Detect Anomalies – Find and alert on outliers

• Metadata – Lightweight, efficient, not hindered by encryption


Thank you