Combating Advanced Persistent Threats with Flow-based Security Monitoring
1. Combating Advanced Persistent Threats with Flow-based Security Monitoring
Jeffrey M. Wells, CCIE, CISSP
Sr. Systems Engineer
Lancope
Know Your Network, Run Your Business
24. The Science of Flow Analysis
• Lancope specializes in Behavior-based Network Flow Analysis
• Detects attacks by baselining and analyzing network traffic patterns
• Adds a defense-in-depth layer that complements perimeter and endpoint controls in protecting critical assets
• Over 600 customers world-wide
• Designed for the large enterprise
http://netflowninjas.lancope.com
31. StealthWatch Threat Indexes – Attack Detection Without Signatures
StealthWatch tracks not only the statistical behavior of normal
traffic, but also the behavior of well over a hundred specific
network traffic patterns. Concern points are generated by
anomalous changes in any, and all, of these.
Examples: number of new connections to or from a device;
connection attempts that go unanswered (typical of
scanning); new ports seen; number of clients for a server or
service; rejected traffic; long-lived connections.
StealthWatch also alerts when the concern index itself changes, not only when it crosses a fixed threshold.
34. Relational Flow Maps
The Relational Flow Mapping feature allows you to track the relationships between
your host groups as well as their relationships to external groups, whether they are business
partners, Internet hosts, countries, or suspicious hosts from threat feeds. Once a
relationship is established, StealthWatch automatically creates a statistical baseline for it and
applies its anomaly detection logic to that relationship, so a change in who talks to whom, or how much, is scored on its own.
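To make the two preceding slides concrete, here is an added example (my own illustrative code, not StealthWatch's algorithm or any Lancope product code) that baselines per-host behavioural counters over past observation windows, sums their positive deviations into a concern index, alerts both on a high index and on a jump in the index, and separately baselines byte volume per host-group relationship (e.g. Inside/Users to Outside). The host groups, thresholds, indicator set and scoring rule are assumptions chosen for the demonstration, and every flow record is constructed; the current window contains a SYN scan on three never-before-seen ports plus one long-lived 80 MB upload to an external host.

```python
"""Toy flow analysis: per-host behavioural baselining with a concern index,
plus a host-group relationship baseline. Assumed design for illustration,
not StealthWatch's algorithm. All flow records below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Flow record: (src, dst, dport, packets, bytes, tcp_flags, duration_s).
# tcp_flags uses the S/A/F letters flow tools print; "" means no TCP flags (UDP).
GROUPS = {"10.1.": "Inside/Users", "10.2.": "Inside/Servers"}   # prefix -> group (assumed)
INDICATORS = ("new_connections", "unanswered", "new_ports", "long_lived")
LONG_LIVED_S, Z_ALERT, CONCERN_ALERT, CHANGE_ALERT = 300, 3.0, 20.0, 10.0   # assumed


def group_of(ip):
    return next((g for p, g in GROUPS.items() if ip.startswith(p)), "Outside")


def constructed_window(i, scan=False, exfil=False):
    """One observation window of constructed flows for host 10.1.1.10."""
    f = [("10.1.1.10", "10.2.0.5", 443, 20 + k, 15000, "SAF", 3) for k in range(5 + i % 2)]
    f.append(("10.1.1.10", "8.8.8.8", 53, 2, 300, "", 0))                  # DNS over UDP
    f.append(("10.1.1.10", "93.184.216.34", 443, 40, 60000, "SAF", 10))    # web browsing
    if scan:    # 24 single-packet SYNs to hosts that never answer, on 3 new ports
        f += [("10.1.1.10", f"10.2.0.{20 + n}", (22, 445, 3389)[n % 3], 1, 60, "S", 0)
              for n in range(24)]
    if exfil:   # one 80 MB, 20-minute upload to an external host
        f.append(("10.1.1.10", "203.0.113.9", 443, 60000, 80_000_000, "SAF", 1200))
    return f


def host_indicators(flows, known_ports):
    """Per-source-host counters for the behaviours the slide lists."""
    ind = defaultdict(lambda: dict.fromkeys(INDICATORS, 0))
    seen_new = defaultdict(set)
    for src, _dst, dport, pkts, _bytes, flags, secs in flows:
        h = ind[src]
        h["new_connections"] += 1
        if flags == "S" and pkts <= 2:              # SYN out, nothing came back (scan-like)
            h["unanswered"] += 1
        if dport not in known_ports.get(src, ()):
            seen_new[src].add(dport)
        if secs >= LONG_LIVED_S:
            h["long_lived"] += 1
    for src, ports in seen_new.items():
        ind[src]["new_ports"] = len(ports)          # distinct ports absent from the baseline
    return ind


def relationship_bytes(flows):
    """Bytes per (source group, destination group) pair: the relational flow map."""
    rel = defaultdict(int)
    for src, dst, _dport, _pkts, nbytes, _flags, _secs in flows:
        rel[(group_of(src), group_of(dst))] += nbytes
    return rel


def floor_sd(mu, sd):
    # A quiet baseline has (near-)zero variance; floor it so one extra event
    # cannot yield an astronomical z-score or a divide-by-zero.
    return max(sd, 0.1 * mu, 1.0)


def zscore(value, samples):
    mu = mean(samples)
    return (value - mu) / floor_sd(mu, pstdev(samples))


def concern_index(ind, history):
    """Sum of positive deviations across all indicators (assumed scoring rule)."""
    return sum(max(0.0, zscore(ind[k], [h[k] for h in history])) for k in INDICATORS)


def analyze(past_windows, current):
    known_ports = defaultdict(set)
    for w in past_windows:
        for src, _dst, dport, *_ in w:
            known_ports[src].add(dport)
    hist_ind = [host_indicators(w, known_ports) for w in past_windows]
    cur_ind = host_indicators(current, known_ports)
    hist_rel = [relationship_bytes(w) for w in past_windows]
    report = {"hosts": {}, "relationships": {}}
    for host, ind in cur_ind.items():
        history = [h[host] for h in hist_ind]
        now = concern_index(ind, history)
        before = concern_index(hist_ind[-1][host], history)   # last baseline window
        alerts = []
        if now >= CONCERN_ALERT:
            alerts.append("high concern index")
        if now - before >= CHANGE_ALERT:                     # alert on the change itself
            alerts.append("concern index jumped")
        report["hosts"][host] = {"concern": now, "alerts": alerts, **ind}
    for pair, nbytes in relationship_bytes(current).items():
        z = zscore(nbytes, [r.get(pair, 0) for r in hist_rel])
        report["relationships"][pair] = {"bytes": nbytes, "z": z, "alert": z >= Z_ALERT}
    return report


if __name__ == "__main__":
    past = [constructed_window(i) for i in range(4)]
    for host, r in analyze(past, constructed_window(4, scan=True, exfil=True))["hosts"].items():
        print(host, r)
```

Two design points worth noting: the variance floor in `floor_sd` is what keeps a host with a very regular baseline from lighting up on a single new port, and scoring the change in the index (`now - before`) rather than only its level is what catches a host whose score rises sharply while still sitting below the fixed threshold. In production the baselines would be per time-of-day and per host group rather than a flat window history.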
43. Knowing Will Help Decision Making
Bot Detection:
Are there bot infected hosts within the network?
44. Knowing Will Help Decision Making
Suspect Data Loss:
Is there any sensitive data being uploaded to the Internet?
45. Knowing Will Help Decision Making
Reconnaissance Detection:
What hosts are trying to find resources to compromise?
46. Quick Recap
• NetFlow analysis gives us APT defense via
  a proven, end-to-end view of every conversation on the network
  topology independence
  deep statistical analysis and alerting
  very high performance and scale
• Flow telemetry is available from all over the network …
  routers
  switches
  load balancers
  firewalls
  FlowSensors
  even the virtual network!
• Once you’ve enabled flow collection you can...
  gain deep traffic analysis and network visibility
  detect attacks and network anomalies faster
  investigate incidents and build up operational context
47. Next Steps
Contact Lancope:
Jeffrey M. Wells
jwells@lancope.com
Lancope
sales@lancope.com
Lancope Marketing
marketing@lancope.com
Visit Lancope for a live demonstration of
the StealthWatch System @
InfoSecurity Europe booth F61
Cisco Live US booth 944
48. Thank You
Web
http://www.lancope.com
Blog
http://netflowninjas.lancope.com
Twitter
@netflowninjas
LinkedIn : NetFlow Ninjas
http://www.linkedin.com/groups?about=&gid=2261596&trk=anet_ug_grppro
NetFlow Ninjas Challenge
http://www.lancope.com/netflow-ninja-quiz