HP protects massive, global network with StealthWatch

Hewlett-Packard Improves Visibility & Security with Lancope StealthWatch
Jim O'Shea, Network Security Architect, HP, [email protected]

Uploaded by: lancope-inc

Posted on 22-Jan-2015

DESCRIPTION

Learn how HP relies on StealthWatch, along with its own HP Vertica solution, to:
- improve network visibility and security across its enormously complex, global network
- obtain in-depth information that enables its security teams to act more quickly and minimize potential damage
- quickly detect anomalous activity, such as DDoS, malware and network misuse

TRANSCRIPT

1. Hewlett-Packard Improves Visibility & Security with Lancope StealthWatch
Jim O'Shea, Network Security Architect, HP, [email protected]

2. HP Security Team
- We Say NO (as customers see us)
- We really provide VALUABLE advice
- We would like to watch and further evaluate what we advised on: StealthWatch provides the opportunity to see a real traffic view.
- We chase shiny objects: StealthWatch provides areas of focused interest (which have been intelligently correlated to guide our views)
2013 Lancope, Inc. All Rights Reserved.

3. AGENDA
- Solution Strategy
- Solution Vision
- Solution Components
- Solution Overview
- StealthWatch Use Cases
- Flow Gathering & Redistribution Overview
- Integration
- Recommendations for Solution

4. HP STRATEGY & SCOPE DECISIONS (Why we needed Lancope StealthWatch)
- Fill the Visibility GAP
  - Provide internal monitoring and visibility without extensive instrumentation
  - Provide botnet and other malware detection
  - Provide anomaly detection
- Take advantage of already collected flow to form a security view
  - Already collected and used
  - Multiple tools in use
  - Ability to collect once and use multiple times
- Assist in analysis
  - Assist in detection of data loss
  - Assist in DDoS recognition
  - Provide anomaly detection and visibility to sudden changes in the network
- Integrate
  - Augment and integrate with TippingPoint (IPS) and ArcSight (SIEM) and existing tools
- Assist and improve understanding
  - Monitor FW policy of environments
  - Understand applications
- Core requirements
  - Centralized management
  - Scalability
  - IPv6 ready
  - Help establish partnerships with Network team, Application teams, Storage etc.

5. HP Solution Vision: Integrate, Augment, Automate
[Architecture diagram. Components: HP Network (network devices exporting NetFlow v9 / IPFIX and sFlow); StealthWatch (flow records API, events); TippingPoint IPS (RepDV); SOC/SIEM ArcSight (events); SLIC intelligence feeds; HPOV NOC/Ticketing System; Executive Reporting. Legend: Green = significant use, Yellow = emerging, Red = not yet, but planned.]

6. StealthWatch: A Complete, Integrated Family of Products
- Complete network visibility
- Comprehensive security monitoring
- FW policy monitoring
- Network troubleshooting and usage reporting
- Mitigation and notification
- Forensics and reporting

7. HP Solution Components
- StealthWatch FlowReplicators: UDP port replication service. Listens on any specified UDP port and sends to 1 or more backend devices on the same or a new port. Allows collect once, analyze as much as desired. Allows a reduced number of destinations for simpler configuration standards.
- StealthWatch FlowCollectors: NetFlow collector to analyze NetFlow; sFlow collector to analyze sFlow.
- SLIC feed: Lancope research security feed to assist in staying current with Command & Control and other malicious IP addresses. Has URL granularity potential (IPFIX future ability for us); effective if using FlowSensor.
- StealthWatch Management Console: User interface; queries collectors for data to perform analytics; report and event configuration and actions.
- ArcSight: Receives specified configured events for further action and correlation.

8. HP Solution Overview & Review: StealthWatch + other tools
- Deploy FlowReplicator hardware focused on region. 1 IP address for standardization of configurations. Data is distributed as needed to new and legacy tools.
- Boundary router: IP spoofing must be considered if crossing compartment boundaries.
- Detection of usage anomalies & utilization increases (D/DoS solution integration)
- Detection of mal-flows (worms / C&C / suspected data leakage)
- Understand application environments
- Integrates with ArcSight (SIEM)
- Allows growth
PROS
1. Simpler configurations
2. Global capability
3. Able to add flows easily to devices
4. Keep the current tool in use
5. Collect once, reuse multiple times
6. Understands IPv6 addressing
7. (D)DoS solution integration opportunity
CONS
1. Requires Replicator to be managed outside Console
2. Potential tool overlap (no forced legacy tool removal)

9. Records Every Host-to-Host Conversation
- Unique flow-based design fills gaps left by other network and security technologies
- Integrates network security and optimization
- Provides broader range of coverage and capabilities:
  - Behavioral-based monitoring and anomaly detection
  - Application awareness
  - User-level data capture
  - Automatic security issue prioritization
  - Real-time tracking and graphic display of grouped virtual host performance by business unit, function, etc.
  - Customizable, real-time displays of network intelligence
- Reduce cost and complexity of deploying and managing probes

10. HP Security Monitoring Use Cases
- Botnet and other malware detection
- Anomaly detection
- Traffic policy enforcement
- Firewall auditing
- Insider abuse
- Data loss prevention
- DDoS indications
- Use of WORM/SCAN catcher environment

11. HP Monitoring: Anomalies Are Easily Visible
- Ability to group IP ranges into a GROUP
- Anomaly detection
- Data loss prevention
- Potential DDoS

12. Your Infrastructure Provides the Source...
[Diagram: NetFlow exported toward the collectors from the Internet edge, the Atlanta, San Jose and New York sites, the WAN, the DMZ, the Datacenter and the Access layer.]

13. Flow Gathering & Redistribution
- 1 IP concept (per collection area)
- High: 600,000 FPS; Steady: 450,000 FPS
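The FlowReplicator described on slide 7 and the "1 IP per collection area" concept on slide 13 amount to one UDP listener that fans each export packet out to several collectors. The following is an added example, not Lancope's FlowReplicator code or anything from the HP deployment; the backend names and ports, the NetFlow v5 sample datagram and the sequence-gap check are assumptions made for the demonstration. It also shows the caveat behind slide 8's "IP spoofing must be considered": after replication the collector sees the replicator, not the router, as the packet source.

```python
"""UDP flow replicator: one listening IP/port, fan-out to several collectors.

Added example, not Lancope's FlowReplicator. Backend addresses, the sample
datagram and the gap check are constructed for the demonstration.
"""
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes total)
NETFLOW_V5_HEADER = struct.Struct("!HHIIIIBBH")
NETFLOW_V5_RECORD_LEN = 48


@dataclass(frozen=True)
class Backend:
    """A downstream consumer; its port may differ from the listen port."""
    host: str
    port: int
    name: str


def parse_netflow_v5_header(datagram: bytes) -> dict:
    """Decode the v5 header so the replicator can count flows and spot gaps."""
    if len(datagram) < NETFLOW_V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    f = NETFLOW_V5_HEADER.unpack_from(datagram)
    if f[0] != 5:
        raise ValueError(f"unsupported NetFlow version {f[0]}")
    return {"version": f[0], "count": f[1], "flow_sequence": f[5], "engine_id": f[7]}


def build_sample_v5_datagram(count: int, flow_sequence: int) -> bytes:
    """Constructed export packet: a valid header followed by zero-filled records."""
    header = NETFLOW_V5_HEADER.pack(5, count, 1000, 1421884800, 0, flow_sequence, 0, 1, 0)
    return header + bytes(NETFLOW_V5_RECORD_LEN * count)


def plan_fanout(datagram: bytes, backends) -> list:
    """Pure fan-out decision: every backend receives an identical copy."""
    return [((b.host, b.port), datagram) for b in backends]


def check_sequence(expected: dict, exporter_ip: str, header: dict):
    """Track flow_sequence per exporter; return the number of flows missed, or None."""
    gap = None
    prev = expected.get(exporter_ip)
    if prev is not None and header["flow_sequence"] != prev:
        gap = header["flow_sequence"] - prev
    expected[exporter_ip] = header["flow_sequence"] + header["count"]
    return gap


class UdpReplicator:
    """Binds one socket (the slide's single IP per collection area) and re-sends to every backend.

    Forwarded packets carry the replicator's source address, not the router's.
    Preserving the exporter address would need source-address spoofing, which is
    the consideration slide 8 raises for compartment boundaries: boundary routers
    with anti-spoofing filters will drop such packets.
    """

    def __init__(self, listen_host: str, listen_port: int, backends):
        self.backends = list(backends)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((listen_host, listen_port))
        self.out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.expected = {}  # exporter IP -> next expected flow_sequence

    @property
    def listen_port(self) -> int:
        return self.sock.getsockname()[1]

    def forward(self, datagram: bytes, exporter_ip: str) -> int:
        """Fan out one datagram; returns the number of copies sent."""
        gap = check_sequence(self.expected, exporter_ip, parse_netflow_v5_header(datagram))
        if gap:
            print(f"exporter {exporter_ip}: {gap} flows missing before this packet")
        sent = 0
        for dest, payload in plan_fanout(datagram, self.backends):
            self.out.sendto(payload, dest)
            sent += 1
        return sent

    def serve_once(self, timeout: float = 2.0) -> int:
        self.sock.settimeout(timeout)
        datagram, (exporter_ip, _) = self.sock.recvfrom(65535)
        return self.forward(datagram, exporter_ip)


if __name__ == "__main__":  # loopback demo: two collectors behind one listener
    sinks = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(2)]
    backends = []
    for sink, name in zip(sinks, ("stealthwatch-fc", "legacy-netflow-tool")):
        sink.bind(("127.0.0.1", 0))
        sink.settimeout(2.0)
        backends.append(Backend("127.0.0.1", sink.getsockname()[1], name))
    rep = UdpReplicator("127.0.0.1", 0, backends)
    socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(
        build_sample_v5_datagram(3, 100), ("127.0.0.1", rep.listen_port))
    print("copies sent:", rep.serve_once())
    for sink, b in zip(sinks, backends):
        print(b.name, "received", parse_netflow_v5_header(sink.recvfrom(65535)[0]))
```

Running the script sends one constructed export packet to the listener and shows both backends receiving the same header; `check_sequence` is what turns a replicator from a blind repeater into a place where export loss between router and collector is first visible.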
14. HP: StealthWatch POC Results
Objectives:
- Internal network security monitoring and visibility: all WAN sites + egress + DC entry {emerging internal DC / IPS}
- Detect network anomalies and fill visibility gaps: no additional site instrumentation / learns & informs
- Improved incident response and forensics: supplies detailed information (what/when/where/how)
- Identify peer-to-peer networking: some wanted / some not
- Detect unauthorized communications and application access to the Internet (including botnet, Command and Control, malware)
- Enforce network security policies: emerging capability in our deployment
- Firewall rule auditing: emerging use case deployment (what is really flowing & where)
- Integrate with existing HP security applications

15. StealthWatch POC Technical Integration
- Integration with ArcSight
  - Correlation based on events we send
  - Ability to CONFIGURE the PORT we want to send events on (not always UDP 514)
  - Ability to send to MULTIPLE ArcSight instances
  - Not every event is a security event
- Integration with HP asset management database
  - Ability to right-click on a source or destination and auto-populate a send to internal and external locations (links to internal asset management system to find owner)
- Integration with TippingPoint event correlation
  - Currently correlated in ArcSight; vision is to pass information to quarantine capability
  - Remains work in progress
- Integration with HP Networking wireless controllers
  - Ability to quarantine a misbehaving wireless user
  - Future capability & use

16. Lancope Recommendations
Product inventory based on HP networks (600,000 FPS):
- Qty. 2 StealthWatch Management Console 2000 Series (redundant configuration): management appliance and reporting console for all StealthWatch components
- Qty. 6 NetFlow Collector 4000 (supports up to 120,000 FPS per appliance): collects, analyzes and stores NetFlow data from HP network
- Qty. 3 sFlow Collector 2000 (supports up to 60,000 FPS per appliance): collects, analyzes and stores sFlow data from HP network
- Qty. 3 FlowReplicator: controls traffic flow of NetFlow/sFlow from routers/switches to FlowCollectors; can also be used to replicate Syslog and SNMP traps
- Qty. 600 flow collection and analysis licenses: software license for 600,000 FPS
- 1 year maintenance: software/hardware support and updates; phone support

17. Thank You
For more information, download the HP case study "HP improves its network security with an HP Vertica and Lancope solution" or contact [email protected]
Jim O'Shea, Network Security Architect, HP, [email protected]
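Slides 9 through 11 and the POC objectives on slide 14 all rest on the same idea: once every host-to-host conversation is a record and IP ranges are grouped, scans, DDoS indications, data-loss indications and firewall-policy violations become countable. The block below is an added example of those four checks run over constructed flow records; it is not StealthWatch logic or HP's deployment data. The group names follow slide 12, but the address ranges, the allowed-pair policy, the thresholds and every flow record are assumptions made for the demonstration.

```python
"""Flow-based detection over host-to-host conversation records.

Added example, not Lancope/HP code. Groups, policy and thresholds are assumed;
every flow record in build_sample_flows() is constructed sample data.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One host-to-host conversation as a flow collector would store it."""
    src: str
    dst: str
    dport: int
    byte_count: int
    packets: int


# Assumed host groups (slide 11's "group IP ranges into a GROUP"); RFC 5737 ranges stand in for the Internet.
GROUPS = {
    "Datacenter": ipaddress.ip_network("10.10.0.0/16"),
    "Access": ipaddress.ip_network("10.20.0.0/16"),
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
}

# Assumed traffic policy between groups; any pair not listed is a policy violation (firewall-audit use case).
ALLOWED_PAIRS = {
    ("Access", "Access"), ("Access", "Datacenter"), ("Access", "Internet"),
    ("Datacenter", "Datacenter"), ("Datacenter", "Internet"),
    ("DMZ", "Internet"), ("Internet", "DMZ"),
}


def group_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in GROUPS.items():
        if addr in net:
            return name
    return "Internet"


def detect(flows, scan_fanout=20, ddos_sources=50, exfil_bytes=100_000_000):
    """Return (kind, host, detail) findings for scan, DDoS, exfiltration and policy violations."""
    findings = []
    fanout = defaultdict(set)       # src -> distinct (dst, dport) pairs it touched
    sources = defaultdict(set)      # dst -> distinct sources hitting it
    out_bytes = defaultdict(int)    # internal src -> bytes sent to the Internet
    reported = set()                # (src, dst, dport) policy violations already reported
    for f in flows:
        sg, dg = group_of(f.src), group_of(f.dst)
        key = (f.src, f.dst, f.dport)
        if (sg, dg) not in ALLOWED_PAIRS and key not in reported:
            reported.add(key)
            findings.append(("policy", f.src, f"{sg} -> {dg} {f.dst}:{f.dport} not permitted"))
        fanout[f.src].add((f.dst, f.dport))
        sources[f.dst].add(f.src)
        if sg != "Internet" and dg == "Internet":
            out_bytes[f.src] += f.byte_count
    for src, targets in fanout.items():
        if len(targets) >= scan_fanout:
            findings.append(("scan", src, f"{len(targets)} distinct destination/port pairs"))
    for dst, srcs in sources.items():
        if len(srcs) >= ddos_sources:
            findings.append(("ddos", dst, f"{len(srcs)} distinct sources"))
    for src, total in out_bytes.items():
        if total >= exfil_bytes:
            findings.append(("exfil", src, f"{total} bytes to Internet"))
    return findings


def summarize(findings) -> dict:
    counts = defaultdict(int)
    for kind, _, _ in findings:
        counts[kind] += 1
    return dict(counts)


def build_sample_flows():
    """Constructed sample: normal traffic plus one instance of each condition."""
    flows = [Flow("10.20.1.1", "10.10.1.1", 443, 120_000, 300),
             Flow("10.20.1.1", "198.51.100.1", 443, 2_000_000, 1800)]
    # Access host sweeping 25 datacenter hosts on 445 with single-packet flows (scan/worm pattern)
    flows += [Flow("10.20.5.7", f"10.10.7.{i}", 445, 60, 1) for i in range(1, 26)]
    # 60 external sources hammering one DMZ web server (DDoS indication)
    flows += [Flow(f"203.0.113.{i}", "192.0.2.10", 80, 500, 5) for i in range(1, 61)]
    # Datacenter host pushing 200 MB out to one external address (data-loss indication)
    flows += [Flow("10.10.3.3", "203.0.113.200", 443, 40_000_000, 30_000) for _ in range(5)]
    # DMZ host reaching an internal database port (policy violation), repeated three times
    flows += [Flow("192.0.2.20", "10.10.8.8", 3306, 900, 10) for _ in range(3)]
    return flows


if __name__ == "__main__":
    for kind, host, detail in detect(build_sample_flows()):
        print(f"{kind:7} {host:16} {detail}")
```

The thresholds are the part a deployment has to tune against its own steady state (the deck's 450,000 FPS baseline is what such tuning is measured against); the policy check is the one that needs no tuning at all, which is why firewall-rule auditing from flow data is the "what is really flowing and where" use case on slide 14.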