Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Complement Cyber Defense Strategy
©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY
Leveraging APM NPM Solutions to Complement Cyber Defense Strategy
March 30, 2016
Central Ohio InfoSec Summit
A Little About Us ….
Ken Czekaj
• 28 Years in IT
• Problem Solver @ NETSCOUT
• Solutions Architect / Systems Engineering background
Robert Wright
• 20 Years in IT
• Sr. Solutions Engineer
• Co-Founder NEOISF
• Customer & Vendor background
Our Blog
http://problemsolverblog.czekaj.org
Philosophy and Approach
• Cyber Security is everyone’s problem
• Triage is Triage …. Cyber / Apps / Network …. all very similar
• Lots of Excellent Security Tools Available in the Market
• APM NPM Solutions can provide Additional Visibility & Analytics
• Reduce your Triage time
Bring All that you have available to the table !!!!!
Denial of Service
In addition to straight Layer 2 “Brute Force” … Think About …
• Key Services Failures
– DHCP, DNS, LDAP, RADIUS
• Application Targeted Attacks
• Cloud Services
• Call Centers & VoIP Service
• SYN Floods
Anomalous Behavior
APM NPM solutions usually have their own analytics
• Use the additional “set of eyes” to defend against the unknown
• The same “anomaly” could be used by multiple IT groups
• e.g. … one view of a TCP Reset?
– Security - “Could be a Bot…”
– Network - “Lack of Server Resources…”
– Application – “Uh Oh …”
Virtualized Architecture
Most Cyber Security solutions have “North South” Visibility
• APM NPM Solutions can provide additional visibility into “East West” traffic as well
– VMware
– Citrix
– HP Blade Servers
– UCS Chassis
[Diagram: Virtualized Architecture. Data Center Core: traffic typically travels “East-West”. Data Center Perimeter (Internet, MPLS, co-located PODs): traffic is typically “North-South”.]
Authentication Services – LDAP RADIUS
APM NPM solutions have significant views into authentication services
• Information on authentication service activity and, more importantly, “failures”
• Excellent Views into Single Sign On deployments
• Active Directory issues can also affect Cloud Apps
• RADIUS performance issues affect (guest) wireless & BYOD
Policy Based Alarms
Many APM NPM solutions will have additional alarming
• These do not limit traffic, but can be a direct indicator of bad application traffic
• Examples …. We should never see
– Outbound FTP from a Web Server
– DHCP traffic in the DMZ
– Unencrypted protocols in PCI CDE zone
• Insight into “Zero-Day” Host issues
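One way to express the three “we should never see” policies from this slide as alarm logic over flow metadata, as an added example (not NETSCOUT or the presenters' code); the flow records, zone map, host roles and cleartext port list are constructed for illustration:

```python
"""Policy-based alarms over flow metadata: an added example, not NETSCOUT code.
Flow records, zone map, host roles and the cleartext port list are constructed
sample data; the three policies are the ones the slide lists."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto bytes")

# Constructed inventory: which zone each host sits in and what role it plays.
ZONE = {"10.1.1.10": "dmz", "10.1.1.20": "dmz", "10.2.5.5": "cde",
        "10.2.5.9": "cde", "10.9.0.7": "corp", "203.0.113.9": "internet"}
ROLE = {"10.1.1.10": "web", "10.1.1.20": "web", "10.2.5.5": "pos", "10.2.5.9": "db"}
# Protocols that carry data in the clear (the slide's "unencrypted protocols").
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 389: "ldap"}

def zones(f):
    """Zones of both endpoints; unknown hosts (e.g. broadcast) map to None."""
    return (ZONE.get(f.src), ZONE.get(f.dst))

def outbound_ftp_from_web(f):
    """A web server should never initiate FTP anywhere."""
    if ROLE.get(f.src) == "web" and f.proto == "tcp" and f.dport == 21:
        return "outbound FTP from web server %s" % f.src

def dhcp_in_dmz(f):
    """No DHCP (UDP 67/68) should ever be seen in the DMZ."""
    if f.proto == "udp" and f.dport in (67, 68) and "dmz" in zones(f):
        return "DHCP traffic in DMZ (%s -> %s)" % (f.src, f.dst)

def cleartext_in_cde(f):
    """The Cardholder Data Environment must not carry unencrypted protocols."""
    if f.proto == "tcp" and f.dport in CLEARTEXT_PORTS and "cde" in zones(f):
        return "unencrypted %s in CDE (%s -> %s)" % (CLEARTEXT_PORTS[f.dport], f.src, f.dst)

POLICIES = (outbound_ftp_from_web, dhcp_in_dmz, cleartext_in_cde)

def evaluate(flows):
    """One alarm string per (flow, policy) violation, in flow order; nothing is blocked."""
    return [m for f in flows for m in (p(f) for p in POLICIES) if m]

SAMPLE_FLOWS = [  # constructed
    Flow("10.9.0.7", "10.1.1.10", 443, "tcp", 5200),       # corp -> web over HTTPS: fine
    Flow("10.1.1.10", "203.0.113.9", 21, "tcp", 910000),   # web server pushing FTP out
    Flow("10.1.1.20", "255.255.255.255", 67, "udp", 342),  # DHCP discover inside the DMZ
    Flow("10.2.5.5", "10.2.5.9", 80, "tcp", 1800),         # POS -> DB over plain HTTP
    Flow("10.2.5.5", "10.2.5.9", 443, "tcp", 1800),        # same path over TLS: fine
]

if __name__ == "__main__":
    for alarm in evaluate(SAMPLE_FLOWS):
        print("ALARM:", alarm)
```

In a real deployment the zone and role maps come from the APM/NPM product's own host grouping, and each alarm would be forwarded to the SIEM rather than printed.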
Packet Capture and Decode
APM NPM solutions usually have back-in-time (historical) packet analysis
• Sometimes, packets are the only way to see what really happened (they never lie)
• Packets can be used for
– Attack Reconstruction
– Evidence
DNS Services
APM NPM solutions have significant views into DNS services
• Anomalies with DNS usage and failures will affect almost every application
– Many times mis-diagnosed as a Cyber event
• Provide insights into DNS events:
– Hijacking
– Poisoning
– Malware phone home
– Botnets
– Data Exfiltration
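As an added example (not from the slides), a small triage pass over constructed resolver log lines that separates a DNS service failure hitting every client, the case the slide says is often mis-diagnosed as a cyber event, from a single client failing on many distinct names, which deserves a security look; the log format, the thresholds and the assumption that many unique NXDOMAIN answers for one host warrant that look are mine, not the page's.

```python
"""DNS triage over resolver logs: an added example, not the slide deck's code.
Log format and thresholds are constructed. Rule 1 flags a resolver failing for
many clients (a service outage that hits every app and is often mistaken for a
cyber event); rule 2 flags a single client failing on many distinct names
(assumption: worth a security look for phone-home/botnet lookups)."""
import re
from collections import defaultdict

LINE = re.compile(r"client=(\S+) server=(\S+) qname=(\S+) rcode=(\S+)")

def parse(lines):
    """Yield (client, server, qname, rcode) for every well-formed log line."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m.groups()

def triage(lines, outage_ratio=0.5, min_clients=3, nx_names=5):
    """Return sorted resolver outages and suspicious clients found in the log."""
    per_server = defaultdict(lambda: [0, 0, set()])  # [queries, SERVFAILs, clients]
    per_client_nx = defaultdict(set)                  # client -> distinct NXDOMAIN names
    for client, server, qname, rcode in parse(lines):
        rec = per_server[server]
        rec[0] += 1
        rec[2].add(client)
        if rcode == "SERVFAIL":
            rec[1] += 1
        elif rcode == "NXDOMAIN":
            per_client_nx[client].add(qname)
    outages = sorted(s for s, (total, failed, clients) in per_server.items()
                     if failed / total >= outage_ratio and len(clients) >= min_clients)
    suspicious = sorted(c for c, names in per_client_nx.items() if len(names) >= nx_names)
    return {"resolver_outage": outages, "suspicious_client": suspicious}

SAMPLE_LOG = (  # constructed log lines: 6 clients all failing against one resolver ...
    ["client=10.9.0.%d server=10.0.0.53 qname=mail.example.com rcode=SERVFAIL" % i
     for i in range(1, 7)]
    # ... the same clients succeeding against the other resolver ...
    + ["client=10.9.0.%d server=10.0.0.54 qname=www.example.com rcode=NOERROR" % i
       for i in range(1, 7)]
    # ... one host churning through random-looking names, and one honest typo.
    + ["client=10.9.0.42 server=10.0.0.54 qname=%s.example.net rcode=NXDOMAIN" % h
       for h in ("kq3x", "z9pl", "m0wv", "t7ce", "ba1r", "hh2j")]
    + ["client=10.9.0.3 server=10.0.0.54 qname=typo.exampel.com rcode=NXDOMAIN"]
)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```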
PCI Compliance - V3.0 – V3.1
More credit card transactions now flying on networks than ever
• PCI Requirements
– You must have a logical flow of the application traffic
– There are SSL version requirements to maintain compliance
• View into the Cardholder Data Environment (CDE)
Reporting & Evidence
APM NPM solutions usually have reporting capabilities
• Reports and Views can be leveraged in a post cyber event
• Often easier than manually collecting the information and manually creating your own reports
Certificates and PKI
APM NPM solutions usually have a view into Certificates
• Validate identities as encrypted communications are established
• Managed by spreadsheets
– inaccuracy and manual toil
• Alerts to avoid embarrassment for expirations or non-compliance
Metadata Information
APM NPM solutions usually have metadata that can help speed triage
• Flows, Utilization, Applications, Top Talkers, All Talkers, Latency, Error Codes, etc.
• While “packets” contain the evidence, metadata gives a more efficient workflow
• Efficient and fast methodology when you “don’t know” what you are looking for
Attack Reconstruction
APM NPM solutions have functionality to reconstruct events
• Packets and Metadata can often yield fingerprint evidence of the attack
– How did they get in?
– What did they look at?
– What information got compromised?
Host Analysis
APM NPM solutions usually have detailed information on a Host
• Easy to digest information about IP address traffic
• Search information quickly
• Can facilitate or re-route investigations
• Acts as a filter to get to packet evidence
Integration Points with Cyber Tools
Many APM NPM tools have hooks, APIs or partnerships with Cyber Tools
• Know what you have available in this area !!!
• A trap sent to an event correlation engine, SIEM, or Big Data solution will help see the whole picture
• Open API to request metadata directly out of the APM NPM Solution
Contact Information
Ken Czekaj
• 419-433-6909
• Twitter - @KenCzekaj
• http://www.linkedin.com/in/kenczekaj
Robert Wright
• 614-264-8604
• Twitter - @rjwrightohio
• LinkedIn - https://www.linkedin.com/in/rjwrightohio