Deploying and managing security information and event management systems can tax the brain and budget. However, if done right, they can be a huge benefit to the overall security stance of an organization, providing insight into what's happening on the entire network and enabling security teams to focus on the most pressing priorities to make sure their organizations' infrastructures are safe and sound from attacks. We explore the many challenges and their remedies.
SC Magazine eSymposium: SIEM
1. What? Who? When?
How network visualization can help you answer the difficult questions that arise from security breaches
2013 Emulex Corporation
2. You Just Suffered A Major Security Breach…
Three questions that the IT staff will be asked in the first 8 hours:
What Happened?
Who Was Affected?
When Will It Be Fixed?
Could your current SEM/SEIM tools (or any of your tools) provide the answers if you were breached today?
What Happened? Maybe…
Who Was Affected? Possibly…
When Will It Be Fixed? Probably not…
3. How Bad Is The Problem Today?
July 2013 Gartner report: DDoS attacks are increasing in frequency and size. The number of attacks has increased by more than 20% in the last year, and attack throughput has reached 160 Gbps. [1]
More than 70 percent of operating data centers reported DDoS attacks this year (up dramatically from under a half last year). [2]
More than a third experienced attacks that exceeded total available Internet connectivity, nearly double last year. [3]
About 10 percent saw more than 100 attacks per month. [4]
[1] “Leverage Your Network Design to Mitigate DDoS Attacks”, Gartner Report G00253330, 2013
[2], [3], [4], Graph: “Worldwide Infrastructure Security Report, Volume IX”, Arbor Networks, 2014
4. Like it or Not …
Your prevention and detection tools will fail
Network visibility tools provide a vital safety net against failure
With history, you can understand and minimize the damage
Think like you’ve already been breached
5. Some Actual Customer Quotes
“We live in triage mode. It takes too long to investigate the events we know about today. We’re exposed.”
“We’re never quite sure if what we’re looking at is real or not. It’s paralyzing us. We’re too scared to act.”
“When it goes wrong, and it does go wrong, it’s a PR train wreck and we need a way to contain the problem.”
“There are known knowns; there are things we know that we know. There are known unknowns; that is to say, there are things that we now know we don't know. But there are also unknown unknowns – there are things we do not know we don’t know.”
6. The Problem Is Not People or Tools - It is Data
Security tools have made great strides in their ability to identify issues and threats
– Use of “big data” analytics to identify unusual behaviors
– Baselines, profiling also help
BUT most critical breaches are “unknown unknowns”
– The tools are often being encountered for the first time
– The breachers are typically difficult/impossible to find
– “Guesswork” is nearly unavoidable
– Response times are measured in days, not hours
How do we speed up the process?
– The key is having the right data, and all of it
– Network visibility tools that capture, record, and search network traffic can help by providing context and facts for breach analysis
7. Network “Alerting” Stack
Diagram: layered stack. Top layer: SIM/SEM/SEIM. Middle layer: DDoS detection tools, IDS, NMS, AA-NPM, APM, fed by SNMP alerts and NetFlow data. Bottom layer, core network infrastructure: firewalls (prevention), core routers and switches (connectivity), LAN, SN.
SNMP and NetFlow don’t provide enough data to diagnose critical breaches (“unknown unknowns”)
8. Network Visibility Stack
Diagram: the same layered stack with a recording layer added. Top layer: SIM/SEM/SEIM. Middle layer: DDoS detection tools, IDS, NMS, AA-NPM, APM, now fed by unsampled packets in addition to SNMP alerts and NetFlows. Recording layer: EndaceProbe Intelligent Network Recorders behind Network Packet Brokers (aggregation). Bottom layer, core network infrastructure: firewalls (prevention), core routers and switches (connectivity).
SNMP and NetFlow don’t provide enough data to diagnose critical breaches (“unknown unknowns”)
Network visibility tools add unsampled packets to the picture – 100% visibility of what occurred, and who was affected
9. Introducing Endace
Part of Emulex product portfolio
World leader in packet capture and network recording
10+ year history selling recording solutions to top tier customers
– Government, HFT, telco & enterprise
Global reputation for accuracy, scalability and performance
10. Intelligent Network Recorders
100% accurate traffic recording
– 10 Gbps, scalable to 100 Gbps
64TB = 3 days storage at typical load
– Options for longer duration
Integrated network traffic search engine
– Layer 7 awareness & alarming
RESTful API for workflow integration
Deployed at Internet gateways
11. Typical Network Visibility Fabric Deployments
SecOps deployment monitoring both sides of the DMZ; record attacks, ID compromised data
NetOps deployment monitoring north-south traffic; ID inbound/outbound application issues
NetOps deployment monitoring east-west traffic; ID internal application performance issues
12. Streamlining the Analyst Workflow
Start with a SIM-generated security event
Right click and ‘zoom-in’ to the relevant traffic
Instant clarity – is it real?
Immediate productivity gains
– Move out of triage mode
13. Our Approach to NPM/APM/SEM – Best of Breed
Diagram: APM App, NPM App, IDS App and HFT App sit on top of the EndaceVision Network Search Engine with Fusion Connectors, which sits on top of the Endace Capture Appliance (10/40/100GbE).
Our approach enables tailored best-of-breed solutions
– All tools share data from same secure location in datacenter
– Automated workflow, “pivot to packets” speeds up issue resolution
Lower investment while increasing ROI
– Only buy what you need
– Plan and train staff on the tools that fit your situation best
14. Conclusions: The Business Value of Network Visibility
Know Your Risks: Understand exactly what data was compromised in a breach so that effective remedial actions can be taken
Unambiguous Forensics Trail: Have all of the data around an attack
Ensure Corrective Actions Are Effective: Ability to “replay” attacks to verify that corrective actions have addressed the security issue
Avoid Future Network Uptime Issues: Enable post-incident root cause analysis
SecOps CapEx/OpEx Savings: Streamline toolsets to address your specific needs and to simplify NetOps/SecOps workflow
ELIMINATE GUESSWORK!
This chart shows the three places where network visibility tools are typically deployed. SecOps typically deploys network visibility tools on either side of the enterprise firewall. This provides visibility into what is hitting the network, what is getting into the enterprise, and what is going out of the enterprise. One typical NetOps deployment is at the core or aggregation level of the network. This provides visibility for north-south traffic, and is critical for content delivery and e-commerce scenarios. The other typical NetOps deployment is at the top-of-rack for critical servers, giving visibility into east-west traffic. All three of these can be combined through a Network Packet Broker (NPB) infrastructure to provide flexible visibility into critical points of the network without requiring dedicated probes or NetFlow generators.
EndaceVision gives a traffic-level view of an event based on a 5-tuple filter (time, IP address, etc.). A traffic-level view is required for validation (is it a false positive?), enabling analysts to be sure before they act. It helps make informed decisions about actions and activities.
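The pivot from a SIM event to the packets behind it, as slide 12 describes and as the 5-tuple filter in this note implies, as an added Python example that is not Endace's or Emulex's code and uses no Endace API: it builds a small libpcap file in memory from constructed packets, filters it by the 5-tuple and timestamp carried in a hypothetical SIEM alert, and returns the matching packets with their payloads next to a NetFlow-style counter summary of the same flow, which is the contrast slides 7 and 8 draw between flow records and unsampled packets. The sample addresses, ports, payloads and the alert itself are all constructed for the example.

```python
import struct

# Everything below is constructed for this example; it is not traffic from
# the original deck or from any Endace product.

PCAP_MAGIC = 0xA1B2C3D4      # little-endian libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
T0 = 1380000000.0            # fixed epoch base so results are reproducible


def _ip2bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def _ipv4_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP around payload. Checksums are left zero: fine for
    offline parsing, but a real NIC or Wireshark would flag them."""
    eth = b"\x00" * 12 + b"\x08\x00"            # zero MACs, EtherType IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     _ip2bytes(src_ip), _ip2bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def _pcap_record(ts, frame):
    sec = int(ts)
    usec = int(round((ts - sec) * 1e6))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def build_sample_pcap():
    """Three records: a request and its reply on the flow a hypothetical SIEM
    alert names, plus one unrelated TLS packet a few seconds later."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [
        _pcap_record(T0 + 0.10, _ipv4_tcp_frame("203.0.113.5", "192.0.2.10", 44321, 80,
                                               b"GET /admin HTTP/1.1\r\nHost: www\r\n\r\n")),
        _pcap_record(T0 + 0.40, _ipv4_tcp_frame("192.0.2.10", "203.0.113.5", 80, 44321,
                                               b"HTTP/1.1 200 OK\r\n\r\n")),
        _pcap_record(T0 + 5.00, _ipv4_tcp_frame("192.0.2.33", "198.51.100.7", 51000, 443,
                                               b"\x16\x03\x01")),
    ]
    return header + b"".join(records)


def iter_packets(pcap_bytes):
    """Yield (timestamp, frame) from an in-memory little-endian pcap file."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(pcap_bytes):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        yield sec + usec / 1e6, pcap_bytes[off:off + incl_len]
        off += incl_len


def parse_ipv4_tcp(frame):
    """Return the 5-tuple and TCP payload of an Ethernet frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", frame, 16)
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return {"src": ".".join(map(str, frame[26:30])), "sport": sport,
            "dst": ".".join(map(str, frame[30:34])), "dport": dport,
            "proto": 6, "payload": frame[tcp_off + data_off:14 + total_len]}


def pivot_to_packets(pcap_bytes, alert, window_s=2.0):
    """The 'right click and zoom-in' step: given an alert carrying a 5-tuple and
    a timestamp, return every recorded packet of that flow, in either
    direction, within +/- window_s seconds of the alert."""
    fwd = (alert["src_ip"], alert["src_port"], alert["dst_ip"], alert["dst_port"])
    rev = (alert["dst_ip"], alert["dst_port"], alert["src_ip"], alert["src_port"])
    hits = []
    for ts, frame in iter_packets(pcap_bytes):
        if abs(ts - alert["ts"]) > window_s:
            continue
        pkt = parse_ipv4_tcp(frame)
        if pkt is None or pkt["proto"] != alert["proto"]:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in (fwd, rev):
            hits.append({"ts": ts, "direction": "->" if key == fwd else "<-",
                         "payload": pkt["payload"]})
    return hits


def flow_summary(hits):
    """Roughly what a NetFlow record for the same flow carries: counters and
    times, no content. Contrast with the payload bytes in each hit."""
    return {"packets": len(hits),
            "bytes": sum(len(h["payload"]) for h in hits),
            "first_seen": min(h["ts"] for h in hits) if hits else None,
            "last_seen": max(h["ts"] for h in hits) if hits else None}


if __name__ == "__main__":
    # Hypothetical SIEM alert: an IDS signature fired on this 5-tuple at T0 + 0.2
    alert = {"src_ip": "203.0.113.5", "src_port": 44321, "dst_ip": "192.0.2.10",
             "dst_port": 80, "proto": 6, "ts": T0 + 0.2}
    hits = pivot_to_packets(build_sample_pcap(), alert)
    print(flow_summary(hits))
    for h in hits:
        print(f"{h['ts']:.6f} {h['direction']} {h['payload']!r}")
```

The summary dictionary is all a flow record would have told the analyst; the payload field on each hit is what lets the "is it real?" question be answered from the evidence rather than guessed. On a real recorder the time window and 5-tuple would be passed to the search engine instead of a linear scan, but the match logic is the same.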
One of the biggest differentiators for our visualization tools comes from our partnership with a variety of best-in-breed network packet broker (NPB), Network Performance Management (NPM), Application Performance Management (APM), and Security Event Management (SEM) tool vendors. We have named these partnerships the Endace Fusion Alliance. The Endace Fusion Alliance enables customers to build NPM/APM/SEM suites that meet their exact needs, in contrast to integrated tools, which force customers to buy tools that they may or may not need. The benefit to customers of this best-in-breed approach is lower CapEx (fewer tools and less recording hardware to buy) and lower OpEx (less training, quicker time to resolution of network issues). This also provides channel partners with additional opportunities to integrate custom suites of tools together for customers, increasing their “share of wallet”.