
Upload: centralohioissa

Post on 09-Apr-2017


©2016 NETSCOUT ° CONFIDENTIAL & PROPRIETARY

Leveraging APM NPM Solutions to Complement Cyber Defense Strategy

March 30, 2016

Central Ohio InfoSec Summit

A Little About Us ….

Ken Czekaj

• 28 Years in IT

• Problem Solver @ NETSCOUT

• Solutions Architect / Systems Engineering background


Robert Wright

• 20 Years in IT

• Sr. Solutions Engineer

• Co-Founder NEOISF

• Customer & Vendor background

Our Blog

http://problemsolverblog.czekaj.org

Philosophy and Approach

• Cyber Security is everyone’s problem

• Triage is Triage …. Cyber / Apps / Network …. all very similar

• Lots of Excellent Security Tools Available in the Market

• APM NPM Solutions can provide Additional Visibility & Analytics

• Reduce your Triage time

Bring All that you have available to the table !!!!!


Denial of Service

In addition to straight Layer 2 “Brute Force” … Think About …

• Key Services Failures

– DHCP, DNS, LDAP, RADIUS

• Application Targeted Attacks

• Cloud Services

• Call Centers & VoIP Service

• SYN Floods


Denial of Service - Granularity


Denial of Service – DHCP


Anomalous Behavior

APM NPM solutions usually have their own analytics

• Use the additional “set of eyes” to defend against the unknown

• The same “anomaly” could be used by multiple IT groups

• E.g., the same view of a TCP Reset means different things to each group:

– Security - “Could be a Bot…”

– Network - “Lack of Server Resources..”

– Application – “Uh Oh …”


Virtualized Architecture

Most Cyber Security solutions have “North South” Visibility

• APM NPM Solutions can provide additional visibility into “East West” traffic as well

– VMWare

– Citrix

– HP Blade Servers

– UCS Chassis

Virtualized Architecture (diagram)

Data Center Core: traffic typically travels “East West”

Data Center Perimeter (Internet, MPLS, co-located PODs): typically “North – South” traffic


Authentication Services – LDAP RADIUS

APM NPM solutions have significant views into authentication services

• Information on the authentication service and, more importantly, on “failures”

• Excellent Views into Single Sign On deployments

• Active Directory issues can also affect Cloud Apps

• RADIUS performance issues affect (guest) wireless & BYOD


Policy Based Alarms

Many APM NPM solutions will have additional alarming

• These do not limit traffic, but they correlate directly with bad application traffic

• Examples …. We should never see

– Outbound FTP from a Web Server

– DHCP traffic in the DMZ

– Unencrypted protocols in PCI CDE zone

• Insight into “Zero-Day” Host issues
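As an added illustration of the “we should never see” policy alarms above (not NETSCOUT code; the flow record layout, zone names and the “encrypted” classification flag are assumptions), the rules below run over constructed flow metadata and fire one alarm per violation:

```python
"""Policy-based alarms over flow metadata (added example, not NETSCOUT code).
Flow field names, zone names and the `encrypted` flag are assumed layouts."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Flow:
    src_host: str
    src_zone: str      # assumed zone labels: "web", "dmz", "pci_cde", "internet"
    dst_host: str
    dst_zone: str
    proto: str         # "tcp" or "udp"
    dst_port: int
    encrypted: bool    # True when the NPM tool classified the session as TLS/SSH

# Well-known clear-text service ports: FTP, Telnet, HTTP, POP3, IMAP
CLEARTEXT_PORTS = {21, 23, 80, 110, 143}

# Each rule is (alarm name, predicate); the alarm fires when the predicate is True.
RULES: List[Tuple[str, Callable[[Flow], bool]]] = [
    # Outbound FTP from a web server: the web tier should never initiate FTP.
    ("outbound-ftp-from-web-server",
     lambda f: f.src_zone == "web" and f.proto == "tcp" and f.dst_port == 21),
    # DHCP in the DMZ: DMZ hosts are statically addressed, so no DHCP at all.
    ("dhcp-in-dmz",
     lambda f: "dmz" in (f.src_zone, f.dst_zone) and f.proto == "udp"
               and f.dst_port in (67, 68)),
    # Unencrypted protocol touching the PCI cardholder data environment.
    ("cleartext-in-pci-cde",
     lambda f: "pci_cde" in (f.src_zone, f.dst_zone)
               and not f.encrypted and f.dst_port in CLEARTEXT_PORTS),
]

def evaluate(flows):
    """Return (alarm name, flow) pairs for every rule each flow violates."""
    return [(name, f) for f in flows for name, pred in RULES if pred(f)]

# Constructed sample flows (not captured data); three violate policy, two are benign.
SAMPLE_FLOWS = [
    Flow("web01", "web", "203.0.113.9", "internet", "tcp", 21, False),   # FTP out of web tier
    Flow("web01", "web", "203.0.113.9", "internet", "tcp", 443, True),   # normal HTTPS
    Flow("dmz-fw", "dmz", "255.255.255.255", "dmz", "udp", 67, False),  # DHCP in DMZ
    Flow("pos07", "pci_cde", "paydb01", "pci_cde", "tcp", 80, False),    # clear-text HTTP in CDE
    Flow("pos07", "pci_cde", "paydb01", "pci_cde", "tcp", 443, True),   # TLS in CDE, fine
]

if __name__ == "__main__":
    for name, f in evaluate(SAMPLE_FLOWS):
        print(f"ALARM {name}: {f.src_host}({f.src_zone}) -> {f.dst_host}:{f.dst_port}")
```

The same predicates can be fed from an APM/NPM tool's flow export instead of the constructed list; the point is that each alarm encodes a rule about traffic that should never exist, independent of any signature.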


Packet Capture and Decode

APM NPM solutions usually have back-in-time (historical) packet analysis

• Sometimes, packets are the only way to see what really happened (they never lie)

• Packets can be used for

– Attack Reconstruction

– Evidence


DNS Services

APM NPM solutions have significant views into DNS services

• Anomalies with DNS usage and failures will affect almost every application

– Many times mis-diagnosed as a Cyber event

• Provide insights into DNS events

– Hijacking

– Poisoning

– Malware phone home

– Botnets

– Data Exfiltration


PCI Compliance - V3.0 – V3.1

More credit card transactions now flying on networks than ever

• PCI Requirements

– You must have a logical flow of the application traffic

– There are SSL version requirements to maintain compliance

• View into the Cardholder Data Environment (CDE)


Reporting & Evidence

APM NPM solutions usually have reporting capabilities

• Reports and Views can be leveraged in a post cyber event

• Often easier than manually collecting the information and manually creating your own reports


Certificates and PKI

APM NPM solutions usually have a view into Certificates

• Validate identities as encrypted communications are established

• Often managed by spreadsheets

– which means inaccuracy and manual toil

• Alerts to avoid embarrassment from expirations or non-compliance


Meta Data Information

APM NPM solutions usually have Meta Data that can help speed triage

• Flows, Utilization, Applications, Top Talkers, All Talkers, Latency, Error Codes, etc.

• While “packets” contain the evidence, Meta Data gives a more efficient workflow

• Efficient and Fast methodology when you “don’t know” what you are looking for


Attack Reconstruction

APM NPM solutions have functionality to reconstruct events

• Packets and Meta Data can often yield fingerprint evidence of the attack

– How did they get in?

– What did they look at?

– What information got compromised?


Host Analysis

APM NPM solutions usually have detailed information on a Host

• Easy to digest information about IP address traffic

• Search information quickly

• Can facilitate or re-route investigations

• Acts as a filter to get to packet evidence


Integration Points with Cyber Tools

Many APM NPM tools have hooks, APIs or partnerships with Cyber Tools

• Know what you have available in this area !!!

• A trap sent to an event correlation engine, SIEM, or Big Data solution will help see the whole picture

• Open API to request meta data directly out of the APM NPM Solution

Contact Information

Ken Czekaj

[email protected]

• 419-433-6909

• Twitter - @KenCzekaj

• LinkedIn

• http://www.linkedin.com/in/kenczekaj


Robert Wright

[email protected]

• 614-264-8604

• Twitter - @rjwrightohio

• LinkedIn

• https://www.linkedin.com/in/rjwrightohio

Our Blog

http://problemsolverblog.czekaj.org


Summary

In your Cyber Defense Strategy …

Bring ALL of your AVAILABLE information and intelligence to the table !!!!!