
Page 1: Visibility: The Foundation of your Cybersecurity Infrastructure · 2019. 12. 3. · Visibility Driving Security Value. Once you know what you have, you can properly secure it •

Visibility: The Foundation of your Cybersecurity Infrastructure

Marlin McFate, Federal CTO, Riverbed

Page 2

© 2018 Riverbed Technology, Inc. All rights reserved. 2

Detection is Only One Part of the Story

Planning and Remediation are just as critical

146 days: average duration it takes to discover attackers are present on a network

[Chart: Hackers Went Undetected for Months. Bars for Target, JPMorgan, Neiman Marcus, Home Depot, Michaels and Goodwill; bar values as extracted: 0.5, 2, 5, 5, 8, 18; axis 0 to 20 months]

Page 3

59% of Organizations are notified about their breach by an external entity.

Page 4

What could you do with $8,850,000,000.00?

In just one industry/vertical, 72 breaches were reported in 2016, exposing over 56 million records

Threats were present for 205 days on average before detection

Estimated loss for those 72 breaches was over $8.85 billion

Page 5

$33,440,756,448.00

1,339 identity theft breaches, over 174 million records exposed

In 2017 this grew to 191 days on average that threats were present before detection

Estimated 2017 loss for identity record breaches cost ~$24.6 billion

“...network security forensics is an important technology. Without a proper post-breach forensic investigation, the ability to remediate damages from the current threat, as well as the ability to properly mitigate future threats, remains very much in doubt.”

Page 6

Page 7

Russia’s 5th-Dimension Cyber Army

Hezbollah

China

Page 8

Page 9

This is Cyber Warfare!

Page 10

Page 11

Riverbed provides visibility on the cyber battlefield like a drone or satellite provides generals with real-time physical battlefield info


Page 12

Attack Continuum

Before: Discover, Enforce, Harden

During: Detect, Block, Defend

After: Scope, Contain, Remediate

Page 13

Understand the Surface Area

Page 14

Total Enterprise Visibility Is Critical

Attacks can come from anywhere, anytime, anyone

Visibility is the glue that empowers both the business and the IT teams with the insight they need to make effective resourcing decisions and to resolve problems faster. If you can’t see it, you can’t protect it!

• Servers
• Applications
• Protocols
• Ports
• Network Behavior
• End-Users
• Operating Systems
• Services

Page 15

Visibility Driving Security Value

Once you know what you have, you can properly secure it

• All the moving parts of an application (what is in scope)

• All hosts/paths/ports/protocols that need to be monitored

• Paths of attack that may have gone overlooked

• Clear text protocols that may be a means of eavesdropping

• Unrelated systems that need to be treated at the same trust level due to proximity

Identify Everything

Page 16

Visibility Driving Security Value

Page 17

Identify Lateral Movement & Network Behavior Anomaly Detection

Track lateral movement, governance violations and other challenges such as P2P, tunneling, and SPAM activity

Analysis of network behavior can identify suspect activity including scans, suspicious connections, new hosts, worms, and more

Page 18

Assess Application Usage and Combat Shadow IT

1. Discover every local, cloud, and mobile application, to combat “Shadow IT”

2. Immediately assess the breadth, surface area of Shadow IT

3. Consider mainstreaming popular Shadow IT apps

Page 19

Configuration, Network, and Service Hardening

Page 20

Hackers are Always Looking for the Weak Link to Gain Entry

What are your weak links? Where are they?

Page 21

Before: Harden – Infrastructure patching and configuration

Rules Engine: checks all collected network devices for known OS vulnerabilities

Potential Exposures (example rules):

• Edge routers block incoming ICMP, telnet, FTP sessions
• No redundant ACL statements
• No overlapping NAT translation addresses
• …

Validations (example): check for any instance of OS vulnerability “Advisory ID: cisco-sa-20140924-nat”

Metrics (example): 440 OS vulnerabilities; 30% devices with vulnerabilities; 25 vulnerabilities remediated

NPCM Security Workflow 3
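The three sample rules on this slide are simple enough to express directly as code. The block below is an added illustration, not Riverbed or NPCM code: a small configuration rules engine in Python with a constructed device model, a simplified ACL syntax, constructed devices and a hypothetical outside/inside probe pair (all values are assumptions, not taken from the slides). It uses first-match ACL evaluation to test whether an edge device admits inbound ICMP, telnet and FTP, flags ACL entries that an earlier entry fully shadows (and can therefore never match), reports NAT translation ranges that overlap, and rolls the findings up into the kind of device-count metrics the slide shows.

```python
"""Configuration rules engine (added illustration; not Riverbed/NPCM code).
The device model, ACL syntax, probe addresses and all devices are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: str                    # source prefix, CIDR
    dst: str                    # destination prefix, CIDR
    dport: Optional[int] = None  # destination port, None = any


@dataclass
class Device:
    name: str
    role: str                          # "edge" or "core"
    inbound_acl: List[AclEntry]
    nat_pools: List[str] = field(default_factory=list)  # NAT translation ranges, CIDR


def _matches(e, proto, dport, src_ip, dst_ip):
    return (e.proto in ("ip", proto)
            and (e.dport is None or e.dport == dport)
            and ip_address(src_ip) in ip_network(e.src)
            and ip_address(dst_ip) in ip_network(e.dst))


def acl_decision(acl, proto, dport, src_ip, dst_ip):
    """First-match evaluation with the usual implicit deny at the end."""
    for e in acl:
        if _matches(e, proto, dport, src_ip, dst_ip):
            return e.action
    return "deny"


# Hypothetical probe: traffic from an outside address to an inside host.
OUTSIDE, INSIDE = "203.0.113.1", "10.10.1.1"
EDGE_MUST_BLOCK = [("icmp", "icmp", None), ("telnet", "tcp", 23), ("ftp", "tcp", 21)]


def check_edge_filters(dev):
    """Names of services an edge device lets in from outside but should block."""
    if dev.role != "edge":
        return []
    return [name for name, proto, port in EDGE_MUST_BLOCK
            if acl_decision(dev.inbound_acl, proto, port, OUTSIDE, INSIDE) == "permit"]


def _covers(a, b):
    """True when entry a matches every packet that entry b matches."""
    return (a.proto in ("ip", b.proto)
            and (a.dport is None or a.dport == b.dport)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst)))


def redundant_entries(acl):
    """Indices of entries fully shadowed by an earlier entry; they can never match."""
    return [j for j in range(len(acl)) if any(_covers(acl[i], acl[j]) for i in range(j))]


def overlapping_nat(devices):
    """Sorted, de-duplicated pairs of device names whose NAT ranges overlap."""
    pools = [(d.name, ip_network(p)) for d in devices for p in d.nat_pools]
    return sorted({tuple(sorted((n1, n2))) for i, (n1, p1) in enumerate(pools)
                   for n2, p2 in pools[i + 1:] if p1.overlaps(p2)})


def audit(devices):
    """Per-device findings plus the summary metrics a dashboard would show."""
    findings = {}
    for d in devices:
        f = ["permits inbound %s" % s for s in check_edge_filters(d)]
        f += ["redundant ACL entry #%d" % j for j in redundant_entries(d.inbound_acl)]
        findings[d.name] = f
    for a, b in overlapping_nat(devices):
        findings[a].append("NAT pool overlaps with %s" % b)
        findings[b].append("NAT pool overlaps with %s" % a)
    metrics = {"devices": len(devices),
               "with_findings": sum(1 for v in findings.values() if v),
               "total_findings": sum(len(v) for v in findings.values())}
    return findings, metrics


# Constructed devices: one well-configured edge, one wide-open edge, two core routers.
DEVICES = [
    Device("edge1", "edge", [
        AclEntry("deny", "icmp", ANY, ANY),
        AclEntry("deny", "tcp", ANY, ANY, 23),
        AclEntry("deny", "tcp", ANY, ANY, 21),
        AclEntry("permit", "tcp", ANY, "10.10.0.0/16", 443),
        AclEntry("permit", "tcp", ANY, "10.10.0.0/16", 443),   # duplicate line
    ], nat_pools=["198.51.100.0/28"]),
    Device("edge2", "edge", [AclEntry("permit", "ip", ANY, ANY)],  # blocks nothing
           nat_pools=["198.51.100.8/29"]),                         # overlaps edge1's pool
    Device("core1", "core", [
        AclEntry("permit", "ip", "10.0.0.0/8", "10.0.0.0/8"),
        AclEntry("permit", "tcp", "10.20.0.0/16", "10.10.0.0/16", 22),  # shadowed by line 0
    ]),
    Device("core2", "core", [AclEntry("permit", "ip", "10.0.0.0/8", "10.0.0.0/8")]),
]

if __name__ == "__main__":
    result, summary = audit(DEVICES)
    for name, items in result.items():
        print(name, items)
    print(summary)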

Page 22

Manage Security Audits Effectively

Automated Compliance Reporting

• Automate generation of audit-quality diagrams
• Out-of-the-box templates for regulatory & industry standards: STIG, CCRI, NIST 800-53
• Validate against a “golden” configuration
• Automatic & periodic security advisory updates
• Analyze ACLs, firewall policies, and other security controls
• Analyze device administrative control
• Leverage best practices from Cisco, AAA, NSA security guidelines, and more
• Trend audit results over time

Automated Topology Diagramming

• Automatically generate high-definition network diagrams using configuration and operational data
• Provide detailed insight into physical, logical and virtual components
• Generate professional quality HTML or Visio diagrams
• Customizable diagram layout and annotations

Page 23

Change Control

See changes, route propagations, survivability/redundancy testing

Visualize BGP Route Propagation…

Page 24

Understand Movement (N/S/E/W)

Go Threat Hunting

Page 25

“We can take a proactive approach to searching for those intruders rather than a reactive approach that focuses on known incidents – government has to start searching for the unknown.”

Jeff Wagner (OPM Director of Security Operations)

Page 26

Find Every Sensitive Device & Who It Talks With in 30 Seconds

Page 27

Leverage Reporting To Track Activity

Run on-demand or scheduled:

• Progressive SSH/RDP burrowing across the network
• SMTP requests not on TCP/25
• DNS requests not on UDP/53
• CIFS to/from the Internet
• Weekly foreign country business reports
• Tunneled traffic
• Access to production network not during change windows
• Servers not within the data center subnets
• East/West traffic where none is expected
• North/South traffic where none is expected
• …

Discover and remediate

Page 28

Assess Impact of Code/SQL Injection…Using your Phone!

GENUINE TRANSACTIONS

TRANSACTIONS FROM INJECTION ATTACK

Page 29

Identify Scope of Intrusion

Page 30

Extend Visibility into Attack Surface – Go Beyond Attack Points of Entry

URL http://www.xxxx.com/yyy/zzz.aspx?cm_re=${@print(md5(acunetix_wvs_security_test))}

Using typical security tools, injection detection occurs ONLY at points of entry

• Discover Entire Surface Area of Attack
• For every SINGLE transaction – No Transaction Sampling
• Would it be acceptable to have visibility into just 1 of 10,000 intrusions?

Page 31

Alarm On Violations

Page 32

New Host Analytic

New Host Policy workflow:

1. New host appears on VLAN supporting PCI-compliant ERP servers

2. Alert via SNMP trap or email with context-sensitive drill-down to details

3. Complete visibility into offending host, with conversational details, packets for deep-dive analysis, and MAC address/switch port info

4. Optional vulnerability scanning

Detect changes in sensitive parts of the network to improve security posture and help with regulatory compliance

Alert on new hosts in secured areas of the network

Page 33

Malware Analytics

• Drill-down for event details, including start/end time, duration, list of scanned traffic, etc.
• Graphical view of the threat propagation including patient zero
• Multiple host infections are recognized as a single event
• Improve your security posture, detect worms and malware that don’t rely on signatures

Details of worm propagation

Page 34

Alarm on Anything/Any Place

Anyone trying or succeeding in accessing routers
• Log or alert on anyone who tries to connect to an IP x.x.x.1

Non-encrypted connections to/from regulated servers
• Log or alert on anyone NOT using SSH or SSL

Connections to/from restricted network segments

Find tunneling
• Port 80 != HTTP
• Port 443 != HTTPS
• Port 53 != DNS
• …

Your creativity is the limit here
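The scheduled reports on the “Leverage Reporting To Track Activity” slide, the alarm rules above and the New Host Policy are all predicates evaluated over flow records. The block below is an added example, not Riverbed or NetProfiler code: a small Python rule engine in which each rule is one predicate on a flow (DNS not on UDP/53, SMTP not on TCP/25, CIFS to or from the Internet, port/application mismatch as a tunneling indicator, access to a .1 router address, non-encrypted traffic touching a regulated server, a server answering outside the data center subnets, and a host not in the inventory). The record layout, the `app` field (assumed to come from payload classification), the internal and data-center ranges, the host inventory and every sample flow are constructed for the example.

```python
"""Flow-record rule engine (added illustration; not Riverbed/NetProfiler code).
Record layout, internal ranges, host inventory and all sample flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    app: str     # application as classified by payload inspection (assumed field)


# Constructed policy inputs; a real deployment would load these from inventory.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]          # everything else is "the Internet"
DATA_CENTER = [ip_network("10.10.0.0/16")]          # where servers are supposed to live
REGULATED_SERVERS = {"10.10.5.20"}                  # e.g. PCI-scoped hosts
KNOWN_HOSTS = {"10.20.1.1", "10.20.1.5", "10.20.1.7", "10.20.1.8", "10.20.1.9", "10.10.5.20"}
ENCRYPTED_APPS = {"tls", "ssh"}
SERVER_PORTS = {25, 80, 443, 445, 3306}
PORT_EXPECTED_APP = {80: "http", 443: "tls", 53: "dns"}   # "Port 80 != HTTP" and friends


def _internal(ip):
    return any(ip_address(ip) in n for n in INTERNAL_NETS)


def _in_dc(ip):
    return any(ip_address(ip) in n for n in DATA_CENTER)


# Each rule is a predicate on one flow; its name is the report or alarm it implements.
def dns_not_on_udp53(f):
    return f.app == "dns" and not (f.proto == "udp" and f.dport == 53)


def smtp_not_on_tcp25(f):
    return f.app == "smtp" and not (f.proto == "tcp" and f.dport == 25)


def cifs_to_internet(f):
    return f.app == "smb" and not (_internal(f.src) and _internal(f.dst))


def tunneling(f):
    expected = PORT_EXPECTED_APP.get(f.dport)
    return expected is not None and f.app != expected


def router_access(f):
    # "anyone who tries to connect to an IP x.x.x.1": last octet of the destination is 1
    return ip_address(f.dst).packed[-1] == 1


def cleartext_to_regulated(f):
    touches = f.src in REGULATED_SERVERS or f.dst in REGULATED_SERVERS
    return touches and f.app not in ENCRYPTED_APPS


def server_outside_dc(f):
    return f.dport in SERVER_PORTS and _internal(f.dst) and not _in_dc(f.dst)


def new_host(f):
    return any(_internal(ip) and ip not in KNOWN_HOSTS for ip in (f.src, f.dst))


RULES = [dns_not_on_udp53, smtp_not_on_tcp25, cifs_to_internet, tunneling,
         router_access, cleartext_to_regulated, server_outside_dc, new_host]


def evaluate(flows):
    """Return (rule name, flow) for every rule each flow violates, in flow order."""
    return [(rule.__name__, f) for f in flows for rule in RULES if rule(f)]


def summarize(flows):
    """Hit count per rule: the figure a scheduled report would trend over time."""
    counts = {}
    for name, _ in evaluate(flows):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample flows: one clean baseline plus one or two violations each.
SAMPLE_FLOWS = [
    Flow("10.20.1.5", "10.10.5.20", "tcp", 443, "tls"),     # clean
    Flow("10.20.1.5", "10.10.5.20", "tcp", 21, "ftp"),      # cleartext to regulated server
    Flow("10.20.1.7", "203.0.113.9", "udp", 5353, "dns"),   # DNS not on UDP/53
    Flow("10.20.1.8", "203.0.113.10", "tcp", 443, "ssh"),   # SSH on 443: tunneling
    Flow("10.20.1.9", "10.20.1.1", "tcp", 22, "ssh"),       # router management access
    Flow("10.20.1.8", "198.51.100.5", "tcp", 587, "smtp"),  # SMTP not on TCP/25
    Flow("10.20.1.5", "10.30.2.40", "tcp", 445, "smb"),     # unknown host serving SMB outside the DC
    Flow("10.20.1.7", "198.51.100.77", "tcp", 445, "smb"),  # CIFS to the Internet
]

if __name__ == "__main__":
    for name, f in evaluate(SAMPLE_FLOWS):
        print("%-24s %s -> %s %s/%d (%s)" % (name, f.src, f.dst, f.proto, f.dport, f.app))
    print(summarize(SAMPLE_FLOWS))
```

Because every rule is a plain function over one record, adding a new alarm is one more predicate in `RULES`; the multi-flow cases on the slide (progressive SSH/RDP hopping, traffic outside change windows) would need state or a clock in addition and are not modelled here.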

Page 35

Address Real Problems

Page 36

SIEM integration – Instantly Add Context (Scope & Triage)

1. Report events to your SIEM or enable your SIEM to extract contextual information from NetProfiler
   A. SIEM identifies a problem
   B. Right-click the node IP

2. Get context information. All of the detailed information that NetProfiler collects is delivered through the SIEM console

Page 37

Packet level integration – Instantly drill down (Scope & Triage)

REST call to NetShark

Page 38

Programmability/3rd-party Integration – Automate Expert Workflows

• Script common or tedious tasks
• React to IT events faster
• Benefit from custom features created by the community

Building blocks: Scripting Library, REST API, Custom Apps

Examples shown: Threat Visualization, Server Fail Over

Page 39

DECISION SUPPORT – Maneuver CYBER to affect our adversaries

• Discrete Event Simulation — to support decisions
• Understand where and who
• Mitigate an immediate attack (Opportunity to insert Mis-information)
• Monitor — trace the path (Attack Vectors) adversary used
• Packets — see the data the adversary took

Page 40

Thank You
