Monitoring the Data Center
DESCRIPTION
Learn how to protect the data center from dangerous attacks including advanced malware, APTs, insider threats and DDoS. Leverage your existing network resources to:
• Obtain in-depth visibility into the data center, including virtual systems
• Quickly detect and address anomalies that could signify risks
• Prevent devastating data loss
• Improve incident response, forensics and compliance
For more information visit www.lancope.com
TRANSCRIPT
Monitoring the Data Center
Matthew McKinley
Technical Product Marketing Manager
August 22, 2013
What we’ll cover today
• The Datacenter as a blind spot
• The major threats:
  – Malware
  – DDoS
• Example of a Datacenter attack
  – “itsoknoproblembro” attack toolkit
• Bridging the visibility gap with StealthWatch
The Data Center as a blind spot
• IPS, NGFW, and AV leave dangerous blind spots in security
• Placement of these devices has been:
  – At the edge
  – At major intersections in the network
  – In front of critical assets
• Yet so much more is happening in the Data Center
  – VM to VM communication
    • A really big blind spot for virtual Data Centers
  – Device to device communication within the Data Center
  – Non-network access adds a vector for infection
And the survey shows…
In your opinion, what are the biggest challenges your organization faces with regard to protecting the IT assets residing in its data centers?
Source: Enterprise Strategy Group (ESG) Research Brief, Top Security Challenges of IT Assets Residing in Data Centers, May 2013
The Big Threats to the Data Center
• Malware
  – Non-network access could introduce malware directly into the Data Center, circumventing perimeter defenses
  – The zero day problem
  – Evasion of signature-based technologies
• DDoS
  – Data Centers usually are high-bandwidth
  – Commercial servers are attractive targets
  – Liability for Data Centers if the attack originates from within
Data Center attack example
• “itsoknoproblembro”
  – Terrible name, effective attack
  – Toolkit
• Used for compromising things like commercial CMS
  – Often located in data centers
• Does not make use of botnets
  – Botnets require many, many hosts
  – “itsoknoproblembro” does not have to infect as many machines to get the same result
• The bandwidth of data centers is a powerful tool
The Visibility Gap
• The perimeter is only part of the story
• Signature-based technologies are critical, but…
  – They are not the entire solution
• The infrastructure can be used for security using NetFlow
  – Routers, switches, firewalls, proxies, etc. can be used to get security telemetry about what’s happening inside
• Behavioral Analysis can discover problems in the “grey area” of security
  – Spikes in traffic, unusual behavior from a server or a client, scanning
  – StealthWatch!!
Bridging the Gap
• StealthWatch is a behavioral analysis solution that:
  – Looks for changes in network behavior based on a rolling baseline
• StealthWatch adds other security context such as:
  – User names
  – Application layer information
  – Information from edge devices such as firewalls
• StealthWatch monitors for:
  – Behavioral anomalies
    • e.g. spikes in network traffic, inbound, outbound, and within
  – Activity with botnets using data from SLIC
    • StealthWatch Labs Intelligence Center
  – Internal spread of malware
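As an added illustration (not part of the slides and not Lancope's or StealthWatch's code), the two behavioural checks described in the Visibility Gap and Bridging the Gap slides, a rolling per-host baseline for traffic spikes and a distinct-port count for scanning, applied to constructed NetFlow-style records. The record layout, host names, window size and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows, not real telemetry: (minute, src, dst, dst_port, bytes).
# db-01 sends a steady ~1 MB/min to app-01, then a 40 MB burst in minute 8;
# ws-07 touches 25 distinct ports on db-01 within minute 9 (a scan pattern).
FLOWS = [(m, "db-01", "app-01", 443, 1_000_000 + (m * 37) % 50_000) for m in range(8)]
FLOWS.append((8, "db-01", "203.0.113.9", 443, 40_000_000))
FLOWS += [(9, "ws-07", "db-01", p, 60) for p in range(1000, 1025)]

def detect_anomalies(flows, window=5, sigmas=3.0, min_ports=20):
    """Return alert tuples, ordered by minute and alert type.

    volume_spike: a host's bytes in one minute exceed the rolling baseline
                  (mean + sigmas * stdev) of its previous `window` minutes
    port_scan:    one host reaches >= min_ports distinct ports on a single
                  peer within one minute
    """
    per_min_bytes = defaultdict(lambda: defaultdict(int))  # src -> minute -> bytes
    ports_seen = defaultdict(set)                          # (minute, src, dst) -> ports
    for minute, src, dst, dport, nbytes in flows:
        per_min_bytes[src][minute] += nbytes
        ports_seen[(minute, src, dst)].add(dport)

    alerts = []
    for src, series in per_min_bytes.items():
        minutes = sorted(series)
        for i, minute in enumerate(minutes):
            history = [series[m] for m in minutes[max(0, i - window):i]]
            if len(history) < window:
                continue  # baseline not established yet for this host
            ceiling = mean(history) + sigmas * pstdev(history)
            if series[minute] > ceiling:
                alerts.append((minute, "volume_spike", src, series[minute], round(ceiling)))
    for (minute, src, dst), ports in ports_seen.items():
        if len(ports) >= min_ports:
            alerts.append((minute, "port_scan", src, dst, len(ports)))
    return sorted(alerts, key=lambda a: (a[0], a[1]))

if __name__ == "__main__":
    for alert in detect_anomalies(FLOWS):
        print(alert)
```

The baseline deliberately needs `window` prior minutes before it fires, so a freshly seen host is never compared against an empty history.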
DDoS Detection
Bridging the Gap
Malware Infection
Botnet Monitoring
Visualize the problem
Changes in behavior are crystal clear
• Visual cues to make any problem obvious
THANK YOU
© 2013 Lancope, Inc. All rights reserved.
Matthew McKinley
Technical Product Marketing Manager
+1(770)225-6500
Get Engaged with Lancope
@Lancope
@NetFlowNinjas
@stealth_labs
Access StealthWatch Labs Intelligence Center Security Research