Financial services organizations are prime targets for cyber criminals. They must take extreme care to protect customer data, while also ensuring high levels of network availability to allow for 24/7 access to critical financial information. Additionally, industry consolidation has created large, heterogeneous network environments within large financial institutions, making it difficult to ensure that networks have the necessary visibility and protection to prevent a devastating security breach. By leveraging NetFlow from existing network infrastructure, financial services organizations can achieve comprehensive visibility across even the largest, most complex networks. The ability to quickly detect a wide range of potentially malicious activity helps prevent damaging data breaches and network disruptions. Attend this informational webinar, conducted by Lancope’s Director of Security Research, Tom Cross, to learn:
• How NetFlow can help quickly uncover both internal and external threats
• How pervasive network insight can accelerate incident response and forensic investigations
• How to substantially decrease enterprise risks
8. Netflow Basics
• Devices with one or more Flow producing interfaces are “Exporters”
• Exporters cache and forward records to “Collectors”
• Common Exporters include firewalls, switches, and routers
[Diagram: exporters on the Internet edge, DMZ, VPN and 3G segments send NetFlow packets to a NetFlow Collector. Each record carries src and dst ip, src and dst port, start time, end time, mac address, byte count, and more.]
9. How do I want to cache information?
1. Configure the Exporter
2. Configure the Flow Record
3. Configure the Flow Monitor
4. Apply to an Interface
What data do I want to meter? (flow record)
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes
Where do I want my data sent? (flow exporter)
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1
How do I want to cache information? (flow monitor, which ties the record to the exporter)
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record
Which interface do I want to monitor? (apply the monitor to an interface)
Router(config)# interface gi0/1
Router(config-if)# ip flow monitor my-monitor input
11. Netflow Advantages
• It’s easy to configure
– Your network already speaks it
– It’s standardized
– It doesn’t need to be configured on every endpoint
• Visibility down to the access layer
• Compact records are inexpensive to store
13. Following IOC
A malware campaign targeting your industry has been publicly disclosed.
A quick search of your network audit trail reveals an internal host that accessed the malicious site.
14. Following IOC
Check host details around that time.
Suspicious HTTP connections right after contact: a good candidate for a drive-by download.
Suspicious download followed by a reverse SSH shell. Most SSH bytes are sent by the “client”.
15. Following IOC
Attacker recons your network. Investigate any hosts contacted by the compromised host.
Additionally, look for any other hosts scanning for 445 and 135.
16. Following IOC
Since we have uncovered a new IOC (the IP address controlling the reverse SSH shell), we should check to see if that host has touched the network anywhere else.
Another host showing a reverse shell.
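The four-step investigation on slides 13 through 16 (find who touched the IOC, spot the reverse shell by byte asymmetry, find hosts scanning 445/135, pivot on the controller as a new IOC) as an added example run over a constructed flow audit trail. This is illustration code, not Lancope’s or StealthWatch’s; the addresses, byte counts and the 5:1 client-to-server ratio are assumptions chosen for the sample data.

```python
from collections import defaultdict

# Simplified bidirectional flow record:
# (start_epoch, client, server, dport, client_bytes, server_bytes)
IOC = "203.0.113.45"   # placeholder: the malicious site from the disclosed campaign
C2 = "198.51.100.77"   # placeholder: the host that turns out to control the reverse shell

# Constructed sample audit trail (not real data); times are epoch seconds.
FLOWS = [
    (1000, "10.1.5.23", IOC,            80,       600,  15_000),  # visit to the malicious site
    (1030, "10.1.5.23", "198.51.100.9", 80,       800, 420_000),  # suspicious download
    (1100, "10.1.5.23", C2,             22, 9_000_000, 120_000),  # "SSH client" mostly sends: reverse shell
    (1200, "10.1.5.23", "10.1.7.4",    445,       300,       0),  # internal recon on SMB/RPC
    (1201, "10.1.5.23", "10.1.7.5",    445,       300,       0),
    (1202, "10.1.5.23", "10.1.7.6",    135,       300,       0),
    (1500, "10.1.9.8",  C2,             22, 5_000_000,  80_000),  # second host, same controller
    (1600, "10.1.2.2",  "10.1.7.4",    445,    50_000,  70_000),  # ordinary file share use
]

def hosts_that_contacted(flows, target):
    """Step 1: which internal hosts talked to a known indicator, and when."""
    return sorted((f[1], f[0]) for f in flows if f[2] == target)

def reverse_shell_candidates(flows, ports=(22,), ratio=5.0):
    """Step 2: interactive-protocol flows where the 'client' sends far more than it receives."""
    return sorted((f[1], f[2]) for f in flows
                  if f[3] in ports and f[4] > ratio * max(f[5], 1))

def scanners(flows, ports=(445, 135), min_targets=3):
    """Step 3: hosts touching many distinct peers on the lateral-movement ports."""
    targets = defaultdict(set)
    for f in flows:
        if f[3] in ports:
            targets[f[1]].add(f[2])
    return sorted(h for h, t in targets.items() if len(t) >= min_targets)

def pivot_on_new_ioc(flows, first_ioc):
    """Step 4: treat each reverse-shell controller as a new IOC and find every host it touched."""
    compromised = {h for h, _ in hosts_that_contacted(flows, first_ioc)}
    controllers = {srv for cli, srv in reverse_shell_candidates(flows) if cli in compromised}
    for ctrl in controllers:
        compromised |= {h for h, _ in hosts_that_contacted(flows, ctrl)}
    return sorted(controllers), sorted(compromised)

if __name__ == "__main__":
    print("contacted IOC:", hosts_that_contacted(FLOWS, IOC))
    print("reverse shells:", reverse_shell_candidates(FLOWS))
    print("scanners:", scanners(FLOWS))
    print("controllers, compromised:", pivot_on_new_ioc(FLOWS, IOC))
```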
21. Cisco Identity Services Engine (ISE)
• Cisco ISE is a context aware, policy based 802.1x authentication solution
• Detect
– Device type, operating system and patch level
– Time and location from which the user is attempting to gain access
User Name | MAC Address | Device Type
Bob.Smith | 8c:77:12:a5:64:05 (Samsung Electronics Co.,Ltd) | Android
John.Doe | 10:9a:dd:27:cb:70 (Apple Inc) | Apple-iPhone
29. HeartBleed Detection in StealthWatch
Timeline:
– March 2007: StealthWatch introduces the Suspect Long Flow alarm
– March 2012: OpenSSL with the HeartBleed vulnerability released
– April 7, 2014: HeartBleed vulnerability publicly disclosed
– April 8, 2014: Attackers hijack SSL VPN connections with HeartBleed, bypassing two-factor authentication
– April 15, 2014: Teenager arrested for siphoning data from the Canadian Revenue Agency using HeartBleed
– Sometime later…: You patched your servers
31. DDOS Attacks More Automated & Powerful
• Prolexic Q2 2012 to Q2 2013
– 33% increase in attacks
– 925% increase in bandwidth
• 4.47 Gbps to 49.24 Gbps
– 1655% increase in packets per second
• 2.7 Mpps to 47.4 Mpps