Network Visibility through
NetFlow
Richard Laval
Stealthwatch SEM, Europe
rilaval@cisco.com
30-Mar-16
Three drivers:
• Changing business models
• Dynamic threat landscape
• Complexity and fragmentation
New Networks Mean New Security Challenges
• Enterprise mobility: organizations lack visibility into which and how many devices are on their network
• Cloud: services are moving to the cloud at a faster rate than IT can keep up
• Internet of Things: over 50 billion connected “smart objects” by 2020
• Acquisitions and partnerships: acquisitions, joint ventures and partnerships are increasing in regularity
It’s Not “IF” You Will Be Breached…It’s “WHEN.”
Expanded Enterprise Attack Surface
Partner Security Day @ Cisco Live Berlin
Lawrence Orans, Gartner, Network and Gateway Security Primer for 2016, January 22, 2016:
“Network security architects should accept the reality that, in 2016, it is unreasonable to expect that they can build perimeter defenses that will block every attack and prevent every security breach. Instead, they need to adopt new products and/or services that will enable the network to be an integral part of a strategy that focuses on detecting and responding to security incidents.”
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
You Can’t Protect What You Can’t See
The network sees everything and gives deep and broad visibility. It answers who, what, when, where, and how they came onto the network.
The Insider Threat
About this session
This session is about using analysis of the network itself (our “obvious things”) to detect and mitigate an attack.
“The world is full of obvious things which nobody by any chance observes.”
Sherlock Holmes, The Hound of the Baskervilles
Managing the Insider Threat
Access Controls
• Control who and what is on the network
Segmentation
• Define what they can do (Security Group Tags, SGT)
You are who you say you are, and these are the resources you are allowed to access based on your credentials.
Managing the Insider Threat
Content Controls
• Control movement of malicious content through inspection points
• Deep contextual visibility at inspection points
This is what you are allowed to bring into the secure zone/network.
Once the walls are built, monitor for security visibility: now monitor the activity inside the secure, controlled zone.
Managing the Insider Threat
Introduction to NetFlow
• Developed by Cisco in 1996, originally as a packet forwarding (route-caching) mechanism
• The statistical reporting it produced as a by-product became relevant to customers
• Reporting is based on flows, not necessarily on every packet (full flow vs. sampled)
• Versions 1 through 9 exist; version 5 is the most popular and version 9 the most functional (IPFIX is often referred to as version 10)
• Traditional NetFlow (TNF): a fixed set of fields identifies a flow
• Flexible NetFlow (FNF): the user defines which fields identify a flow
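To make the flow-versus-packet distinction and the TNF/FNF key difference concrete, here is a toy exporter-side flow cache as an added example (not Cisco code and not from this deck). It folds packets that share a key into one record with counters and cumulative TCP flags, exports the record on FIN/RST or on an active/inactive timeout, and refuses new flows when the cache is full. The packet dictionaries, field names, timeouts and cache size are all constructed for the example; the sample packets reproduce the 10.2.2.2:1024 to 10.1.1.1:80 exchange used later in the deck.

```python
"""Toy NetFlow exporter flow cache (added example, not Cisco code).

Packets sharing a key are folded into one record carrying counters and the
cumulative TCP flags; the record is exported when the flow ends (FIN/RST) or a
timeout fires. Traditional NetFlow fixes the key to seven fields; Flexible
NetFlow lets the operator choose the key, which changes what one record means.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# The seven fields a traditional NetFlow exporter uses to identify a flow.
TNF_KEY = ("src_ip", "src_port", "dst_ip", "dst_port", "proto", "tos", "in_if")
SYN, FIN, RST, PSH, ACK = 0x02, 0x01, 0x04, 0x08, 0x10


@dataclass
class FlowRecord:
    key: Tuple
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0       # OR of all flags seen, as NetFlow reports them


class FlowCache:
    def __init__(self, key_fields=TNF_KEY, active_timeout=60.0,
                 inactive_timeout=15.0, max_entries=4096):
        self.key_fields = key_fields
        self.active_timeout = active_timeout      # long-lived flows are exported in slices
        self.inactive_timeout = inactive_timeout  # idle flows are exported and dropped
        self.max_entries = max_entries            # hardware flow tables are finite
        self.cache: Dict[Tuple, FlowRecord] = {}
        self.exported: List[FlowRecord] = []
        self.dropped = 0   # packets that arrived for a new flow while the cache was full

    def observe(self, pkt: dict) -> None:
        """Account one packet; the packet itself is never exported, only counters."""
        now = pkt["ts"]
        self.expire(now)
        key = tuple(pkt[f] for f in self.key_fields)
        rec = self.cache.get(key)
        if rec is None:
            if len(self.cache) >= self.max_entries:
                self.dropped += 1    # a full cache makes new flows invisible
                return
            rec = self.cache[key] = FlowRecord(key, now, now)
        rec.packets += 1
        rec.bytes += pkt["len"]
        rec.last_seen = now
        rec.tcp_flags |= pkt.get("flags", 0)
        if rec.tcp_flags & (FIN | RST):
            self._export(key)    # flow ended: export immediately

    def expire(self, now: float) -> None:
        for key, rec in list(self.cache.items()):
            if (now - rec.first_seen >= self.active_timeout
                    or now - rec.last_seen >= self.inactive_timeout):
                self._export(key)

    def _export(self, key: Tuple) -> None:
        self.exported.append(self.cache.pop(key))

    def flush(self) -> List[FlowRecord]:
        for key in list(self.cache):
            self._export(key)
        return self.exported


def _pkt(ts, src, sport, dst, dport, in_if, length, flags):
    return dict(ts=ts, src_ip=src, src_port=sport, dst_ip=dst, dst_port=dport,
                proto=6, tos=0, in_if=in_if, len=length, flags=flags)


# Constructed packets: 10.2.2.2:1024 -> 10.1.1.1:80 (5 packets, 1025 bytes, SYN/ACK/PSH)
# answered by 17 packets / 28712 bytes ending in FIN, plus a second client
# connection from source port 1025.
SAMPLE_PACKETS = (
    [_pkt(0.00 + i * 0.01, "10.2.2.2", 1024, "10.1.1.1", 80, "eth0/1", n, f)
     for i, (n, f) in enumerate([(60, SYN), (52, ACK), (413, PSH | ACK), (300, PSH | ACK), (200, ACK)])]
    + [_pkt(0.005 + i * 0.01, "10.1.1.1", 80, "10.2.2.2", 1024, "eth0/2", n, f)
       for i, (n, f) in enumerate([(1792, SYN | ACK)] + [(1792, ACK)] * 15 + [(40, FIN | ACK)])]
    + [_pkt(0.50 + i * 0.01, "10.2.2.2", 1025, "10.1.1.1", 80, "eth0/1", n, f)
       for i, (n, f) in enumerate([(60, SYN), (120, ACK), (120, PSH | ACK)])]
)


def summarize(packets: Iterable[dict], key_fields=TNF_KEY, max_entries=4096):
    """Run packets through a cache; return ({key: (pkts, bytes, flags)}, dropped)."""
    cache = FlowCache(key_fields=key_fields, max_entries=max_entries)
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        cache.observe(pkt)
    records = {r.key: (r.packets, r.bytes, r.tcp_flags) for r in cache.flush()}
    return records, cache.dropped
```

With the seven-field TNF key the sample yields three records (two client connections and the server's reply); with an FNF key of only source and destination address the two client connections collapse into one record, which is the trade-off a user-defined key makes. Shrinking `max_entries` shows the failure mode of a full cache: the packets are forwarded but never accounted for.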
NetFlow
Diagram: host 10.2.2.2 (port 1024) on interface eth0/1 talking to host 10.1.1.1 (port 80) on interface eth0/2. The exporter produces one unidirectional record per direction:

| Start Time   | Interface | Src IP   | Src Port | Dest IP  | Dest Port | Proto | Pkts Sent | Bytes Sent | SGT  | DGT  | TCP Flags   |
| 10:20:12.221 | eth0/1    | 10.2.2.2 | 1024     | 10.1.1.1 | 80        | TCP   | 5         | 1025       | 100  | 1010 | SYN,ACK,PSH |
| 10:20:12.871 | eth0/2    | 10.1.1.1 | 80       | 10.2.2.2 | 1024      | TCP   | 17        | 28712      | 1010 | 100  | SYN,ACK,FIN |

SGT and DGT are the TrustSec Security Group Tags of the source and destination; the TCP Flags column is the cumulative OR of the flags seen on the flow.
NetFlow = Visibility
A single NetFlow record already provides a wealth of information:

| Start Time   | Interface | Src IP   | Src Port | Dest IP  | Dest Port | Proto | Pkts Sent | Bytes Sent | SGT  | DGT  | TCP Flags   |
| 10:20:12.221 | eth0/1    | 10.2.2.2 | 1024     | 10.1.1.1 | 80        | TCP   | 5         | 1025       | 100  | 1010 | SYN,ACK,PSH |
NetFlow Deployment Architecture
Management/Reporting Layer:
• Run queries on flow data
• Centralize management and reporting
Flow Collection Layer:
• Collection, storage and analysis of flow records
Flow Exporting Layer:
• Enables telemetry export
• As close to the traffic source as possible
Considerations: Flow Exporting Layer
1. NetFlow support on the platform
2. Which version of NetFlow to use
3. How to configure it / what to measure
4. Where in the network to enable NetFlow export
Versions of NetFlow

V5
  Major advantage: defines 18 exported fields; simple and compact format; most commonly used format.
  Limits/weaknesses: IPv4 only; fixed fields, fixed-length fields only; single flow cache.

V9
  Major advantage: template-based; IPv6 flow records supported; MPLS and BGP next hop supported; defines 104 fields, including L2 fields; reports flow direction.
  Limits/weaknesses: IPv6 flows are carried in IPv4 export packets (no IPv6 export transport); fixed-length fields only; uses more memory; slower performance; single flow cache.

Flexible NetFlow (FNF)
  Major advantage: template-based flow format built on the V9 protocol; supports flow monitors (discrete caches); supports selectable key fields and IPv6; supports NBAR data fields.
  Limits/weaknesses: less common; requires a more sophisticated platform to produce and a more sophisticated system to consume.

IP Flow Information Export (IPFIX), a.k.a. NetFlow V10
  Major advantage: standardized (RFC 5101 and 5102, since superseded by RFC 7011 and 7012; RFC 6313 adds structured data); supports variable-length fields and NBAR2; can export flows in IPv4 and IPv6 packets.
  Limits/weaknesses: even less common; at the time of this deck only supported on a few Cisco platforms.

NSEL (NetFlow Secure Event Logging, ASA only)
  Major advantage: built on the NetFlow v9 protocol; state-based flow logging (connection context); pre- and post-NAT reporting.
  Limits/weaknesses: missing many standard fields; limited support by collectors.
NetFlow Deployment
Diagram: each network layer offers unique NetFlow capabilities.
  Edge: ASA, ISR, ASR
  Distribution & Core: Catalyst® 6500, Catalyst® 4500
  Access: Catalyst® 3560/3750-X, Catalyst® 4500, Catalyst® 3650/3850
Where to collect NetFlow from?
Listed below are the typical use cases and the recommendations of where in the network to collect NetFlow:
1. Use case: detection of security events
   a. Only need to account for each packet once.
   b. Collect at the edge; if the edge is not 100% flow-capable then at distribution; if that is not 100% flow-capable then at the core.
   c. Enable flow on any exporter that will provide additional context, such as ASA firewalls (NAT and firewall actions) and proxies (visibility into outbound traffic that has been translated).
2. Use case: forensics or auditing
   a. You should be looking to account for all packets.
   b. Deploy as close to the edges of the network as possible.
   c. Enable flow on any exporter that will provide additional context, such as ASA firewalls (NAT and firewall actions) and proxies (visibility into outbound traffic that has been translated).
3. Use case: networking (performance)
   a. You need flow from everywhere to help with interface utilization, QoS monitoring, trending and capacity planning, and tracking issues back to the source of the problem, which could be any interface.
NetFlow Terminology
Aside: Myths about NetFlow Generation
Myth #1: NetFlow impacts performance
• Hardware-implemented NetFlow (ASIC flow tables) has no forwarding performance impact
• Software implementations typically cost well under 15% additional CPU
• The practical constraint on hardware platforms is flow-cache capacity rather than CPU: once the cache is full, new flows are not recorded until existing entries age out, so check the platform's flow-table size and tune the active/inactive timeouts against the expected number of concurrent flows
Myth #2: NetFlow has bandwidth overhead
• NetFlow is a summary protocol: per-flow counters, not packet contents
• Export traffic is typically well under 1% of total traffic per exporting device; the ratio is highest for traffic made of many short flows (DNS, scanning), where each record summarizes only a few packets
NetFlow Collection: Flow Stitching
Diagram: 10.2.2.2 (port 1024) on eth0/1 talking to 10.1.1.1 (port 80) on eth0/2.

Uni-directional flow records, as exported (one per direction):

| Start Time   | Interface | Src IP   | Src Port | Dest IP  | Dest Port | Proto | Pkts Sent | Bytes Sent | SGT  | DGT  |
| 10:20:12.221 | eth0/1    | 10.2.2.2 | 1024     | 10.1.1.1 | 80        | TCP   | 5         | 1025       | 100  | 1010 |
| 10:20:12.871 | eth0/2    | 10.1.1.1 | 80       | 10.2.2.2 | 1024      | TCP   | 17        | 28712      | 1010 | 100  |

Bi-directional:
• Conversation flow record: the collector pairs the two directions into one row with a client side and a server side
• Allows easy visualization and analysis

| Start Time   | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | Client SGT | Server SGT | Interfaces     |
| 10:20:12.221 | 10.2.2.2  | 1024        | 10.1.1.1  | 80          | TCP   | 1025         | 5           | 28712        | 17          | 100        | 1010       | eth0/1, eth0/2 |
NetFlow Collection: De-duplication
Diagram: the same conversation between 10.2.2.2 (port 1024) and 10.1.1.1 (port 80) crosses Sw1, Sw2, the ASA and Sw3, and every device exports its own copy of the flow.

| Start Time   | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | App  | Client SGT | Server SGT | Exporter, Interface, Direction, Action |
| 10:20:12.221 | 10.2.2.2  | 1024        | 10.1.1.1  | 80          | TCP   | 1025         | 5           | 28712        | 17          | HTTP | 100        | 1010       | Sw1, eth0, in; Sw1, eth1, out; Sw2, eth0, in; Sw2, eth1, out; ASA, eth1, in; ASA, eth0, out, Permitted; ASA, eth0, in, Permitted; ASA, eth1, out; Sw3, eth1, in; Sw3, eth0, out; Sw1, eth1, in; Sw1, eth0, out |

The copies of the same flow from different exporters are collapsed into the single record above so that bytes and packets are counted once. Any unique information each exporter contributes is added to the record; the path of the packet (exporter, interface, direction) and the firewall action, for example, are unique to each hop.
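The stitching slide and the de-duplication slide describe two steps the collector performs on the same input. The following added example (my code, not StealthWatch's, and the pairing and counting heuristics are my own) does both: it folds unidirectional records into a client/server conversation record, and when several exporters report the same flow it keeps each direction's counters once and appends only the new path information. The records are constructed to mirror the deck's 10.2.2.2:1024 to 10.1.1.1:80 conversation crossing Sw1, Sw2, the ASA and Sw3; the exporter names, interface names and the "Permitted" action string are assumptions.

```python
"""Collector-side flow stitching and de-duplication (added example).

Heuristic for client/server: the lower-numbered port is the service (ties fall
back to address order). Counters from several exporters are not summed: the
largest count seen per direction is kept, so a packet that crossed four devices
is accounted for once. Path entries are appended only when new.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FlowRecord:                 # one unidirectional NetFlow record as exported
    start: float
    exporter: str
    interface: str
    direction: str                # "in" or "out" relative to the exporter interface
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    bytes: int
    action: str = ""              # NSEL firewall action; empty on switches


@dataclass
class Conversation:               # the stitched, de-duplicated record
    start: float
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proto: str
    client_pkts: int = 0
    client_bytes: int = 0
    server_pkts: int = 0
    server_bytes: int = 0
    action: str = ""
    path: List[str] = field(default_factory=list)


ConvKey = Tuple[str, int, str, int, str]


def conversation_key(rec: FlowRecord) -> Tuple[ConvKey, bool]:
    """Ordered (client, server) key for a record, and whether rec runs client -> server."""
    a, b = (rec.src_ip, rec.src_port), (rec.dst_ip, rec.dst_port)
    src_is_server = rec.src_port < rec.dst_port or (rec.src_port == rec.dst_port and a < b)
    client, server = (b, a) if src_is_server else (a, b)
    return (client[0], client[1], server[0], server[1], rec.proto), not src_is_server


def stitch_and_dedup(records: List[FlowRecord]) -> Dict[ConvKey, Conversation]:
    convs: Dict[ConvKey, Conversation] = {}
    for rec in sorted(records, key=lambda r: r.start):
        key, client_to_server = conversation_key(rec)
        conv = convs.get(key)
        if conv is None:
            conv = convs[key] = Conversation(rec.start, *key)
        conv.start = min(conv.start, rec.start)
        if client_to_server:
            conv.client_pkts = max(conv.client_pkts, rec.pkts)
            conv.client_bytes = max(conv.client_bytes, rec.bytes)
        else:
            conv.server_pkts = max(conv.server_pkts, rec.pkts)
            conv.server_bytes = max(conv.server_bytes, rec.bytes)
        hop = f"{rec.exporter}, {rec.interface}, {rec.direction}"
        if rec.action:
            hop += f", {rec.action}"
            conv.action = rec.action
        if hop not in conv.path:          # unique information is added, repeats are not
            conv.path.append(hop)
    return convs


# Constructed path: (device, ingress, egress, action). The ASA reports its policy
# decision on its egress record; the switches report none.
_PATH = [("Sw1", "eth0", "eth1", ""), ("Sw2", "eth0", "eth1", ""),
         ("ASA", "eth1", "eth0", "Permitted"), ("Sw3", "eth1", "eth0", "")]


def _records_for(start, src, sport, dst, dport, pkts, nbytes, hops) -> List[FlowRecord]:
    """Every device on the path exports an 'in' and an 'out' record for the same packets."""
    recs = []
    for dev, ingress, egress, action in hops:
        for iface, direction in ((ingress, "in"), (egress, "out")):
            recs.append(FlowRecord(start, dev, iface, direction, src, sport, dst, dport, "TCP",
                                   pkts, nbytes, action if direction == "out" else ""))
    return recs


SAMPLE = (
    _records_for(36012.221, "10.2.2.2", 1024, "10.1.1.1", 80, 5, 1025, _PATH)
    + _records_for(36012.871, "10.1.1.1", 80, "10.2.2.2", 1024, 17, 28712,
                   [(d, e, i, a) for d, i, e, a in reversed(_PATH)])   # reply retraces the path
    + _records_for(36020.000, "10.2.2.3", 40000, "10.1.1.1", 443, 3, 300, _PATH[:1])
)
```

Eighteen exported records become two conversation records: the deck's example with sixteen distinct path entries and the ASA's "Permitted" verdict, and a second, one-sided connection seen only by Sw1 (no reply observed, so its server counters stay zero, which is itself useful evidence). Taking the maximum rather than the sum per direction is what keeps a de-duplicated record honest when exporters have different active timeouts.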
How the Conversational Flow Record Looks in StealthWatch
Figure: the conversational flow record in the StealthWatch console, annotated with who (users and hosts), what (application and bytes), when (start time), where (host groups and interfaces) and how (protocol, ports, path).

Flow collection in StealthWatch:
• Highly scalable (enterprise class) collection
• High compression, allowing long-term storage
• Months of data retention
More context can be attached to the record, as the following slides show.
Host Groups: Applied Situational Awareness
A host group is a virtual container of multiple IP addresses/ranges that have similar attributes (for example, “Lab servers”).
Best practice: classify all known IP addresses in one or more host groups.
ISE as a Telemetry Source (adding context)
Monitor Mode:
• Open Mode, Multi-Auth
• Unobstructed access, no impact on productivity
• Profiling, posture assessment
• Gain visibility
Authenticated Session Table (Cisco ISE, sent to the StealthWatch Management Console over syslog):
• Maintain a historical session table
• Correlate NetFlow to username
• Build user-centric reports
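The reason the session table has to be historical rather than a current IP-to-user mapping is address reuse: the user behind 10.201.3.59 at 10:00 may not be the user behind it at 15:00. The following added example (my code, not ISE's or StealthWatch's; the event names "start"/"stop" and the sample sessions and flows are constructed) keeps every session ever reported for an address, matches a flow on address and time, and leaves a flow "unknown" when it falls between sessions rather than attributing it to the nearest user.

```python
"""Correlating flows with authenticated sessions (added example).

RADIUS accounting (ISE here) says which user was on which IP and when. Flows
are matched on address *and* time against the full history so that a reused
address is not misattributed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    username: str
    ip: str
    start: float
    end: Optional[float] = None     # None while the session is still active


@dataclass(frozen=True)
class Flow:
    start: float
    client_ip: str
    server_ip: str
    server_port: int
    total_bytes: int


class SessionTable:
    """Historical authenticated-session table indexed by IP address."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, List[Session]] = {}

    def ingest(self, event: str, username: str, ip: str, ts: float) -> None:
        """'start' opens a session on ip; 'stop' closes that user's open session."""
        sessions = self._by_ip.setdefault(ip, [])
        if event == "start":
            for s in sessions:          # a lost accounting-stop: the new user on the
                if s.end is None:       # address implicitly ends the earlier session
                    s.end = ts
            sessions.append(Session(username, ip, ts))
        elif event == "stop":
            for s in sessions:
                if s.username == username and s.end is None:
                    s.end = ts
        else:
            raise ValueError(f"unknown event {event!r}")

    def lookup(self, ip: str, ts: float) -> Optional[str]:
        """Username bound to ip at time ts, or None if nobody was authenticated then."""
        best = None
        for s in self._by_ip.get(ip, []):
            if s.start <= ts and (s.end is None or ts <= s.end):
                if best is None or s.start > best.start:
                    best = s
        return best.username if best else None


def attribute_flows(flows: List[Flow], table: SessionTable) -> List[tuple]:
    """(username or 'unknown', flow) pairs; the client side is the authenticated host."""
    return [(table.lookup(f.client_ip, f.start) or "unknown", f) for f in flows]


def user_report(flows: List[Flow], table: SessionTable) -> Dict[str, int]:
    """Bytes per user: the user-centric view rather than the per-address one."""
    report: Dict[str, int] = {}
    for user, f in attribute_flows(flows, table):
        report[user] = report.get(user, 0) + f.total_bytes
    return report


def build_sample_table() -> SessionTable:
    """Constructed history: alice holds 10.201.3.59 from 1000 to 2000, then DHCP
    hands the same address to bob, whose session is still open."""
    t = SessionTable()
    t.ingest("start", "alice", "10.201.3.59", 1000.0)
    t.ingest("stop", "alice", "10.201.3.59", 2000.0)
    t.ingest("start", "bob", "10.201.3.59", 2500.0)
    t.ingest("start", "carol", "10.201.3.60", 1200.0)
    return t


SAMPLE_FLOWS = [                                            # constructed
    Flow(1500.0, "10.201.3.59", "10.1.1.1", 80, 28712),     # alice's session
    Flow(2200.0, "10.201.3.59", "203.0.113.10", 443, 900),  # gap: nobody authenticated
    Flow(3000.0, "10.201.3.59", "10.1.1.1", 445, 4096),     # bob, same address
    Flow(1300.0, "10.201.3.60", "10.1.1.1", 22, 512),       # carol
]
```

The flow at time 2200 is the case to watch in an investigation: a current-mapping lookup would blame bob for traffic that happened before he logged in, while the historical table correctly reports that no authenticated user held the address, which on a monitor-mode network is itself worth a look.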
Global Intelligence (adding more context)
• Known C&C servers
• Tor entrance and exit nodes

Conversational Flow Record with added context. Sources of context attached to the record:
• ISE telemetry (user)
• NBAR (application)
• Applied situational awareness (host groups)
• FlowSensor
• Geo-IP mapping
• Threat feed

Flow Table – IPv6
StealthWatch can also display IPv6 flow records.
“There is nothing like first hand evidence”
Sherlock Holmes, A Study in Scarlet
Now, let’s analyse all that good NetFlow data/evidence generated by the network.
NetFlow Analysis with StealthWatch can help:
Identify additional IOCs
• Policy & segmentation violations
• Network Behaviour & Anomaly Detection (NBAD)
Better understand / respond to an IOC
• Audit trail of all host-to-host communication
Discovery
• Identify business-critical applications and services across the network
Locate assets
• Find hosts communicating on the network
• Pivot based on transactional data
Host Groups – Targeted Reporting
Figure: a Geo-IP-based host group with a summary chart of traffic inbound to and outbound from this host group.

Host Groups – Discovering Rogue Hosts
Catch All: all unclassified RFC1918 addresses, shown as a table of individual hosts.
Rogue hosts are IP addresses you don’t know about: they have not been classified into any host group, so they fall into the Catch All group.
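The rogue-host technique works only if classification is exhaustive, which is why the deck's best practice is to classify every known address. The following added example (my code, not StealthWatch's; the group names, prefixes and conversation tuples are constructed) classifies an address into every host group whose prefixes contain it, sends unclassified RFC 1918 addresses to a catch-all, treats everything else as outside, and derives the rogue list and a per-group inbound/outbound summary from conversation records.

```python
"""Host-group classification and rogue-host discovery (added example).

A host group is a named set of addresses or prefixes. Once every known address
is classified, any RFC 1918 address that matches no group is by definition a
host nobody has accounted for.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CATCH_ALL = "Catch All (unclassified RFC1918)"
OUTSIDE = "Outside Hosts"

# (client_ip, server_ip, client_bytes, server_bytes) conversation summaries
Conversation = Tuple[str, str, int, int]


class HostGroups:
    def __init__(self, groups: Dict[str, Iterable[str]]) -> None:
        # name -> networks; a bare address becomes a /32
        self.groups = {name: [ipaddress.ip_network(p, strict=False) for p in prefixes]
                       for name, prefixes in groups.items()}

    def member(self, ip: str, name: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.groups[name])

    def classify(self, ip: str) -> List[str]:
        """All groups containing ip; a host may sit in several (a datacenter range
        and a more specific server range, say). Unmatched private space is rogue."""
        hits = [name for name in self.groups if self.member(ip, name)]
        if hits:
            return hits
        addr = ipaddress.ip_address(ip)
        return [CATCH_ALL] if any(addr in net for net in RFC1918) else [OUTSIDE]


def rogue_hosts(conversations: Iterable[Conversation], groups: HostGroups) -> Set[str]:
    """Addresses seen talking on the network that fell into the catch-all group."""
    seen = {ip for conv in conversations for ip in conv[:2]}
    return {ip for ip in seen if groups.classify(ip) == [CATCH_ALL]}


def group_traffic(conversations: Iterable[Conversation], groups: HostGroups,
                  name: str) -> Tuple[int, int]:
    """(inbound, outbound) bytes for one host group; traffic that stays inside the
    group, or never touches it, is neither."""
    inbound = outbound = 0
    for client, server, client_bytes, server_bytes in conversations:
        c_in, s_in = groups.member(client, name), groups.member(server, name)
        if c_in == s_in:
            continue
        if c_in:
            outbound += client_bytes
            inbound += server_bytes
        else:
            inbound += client_bytes
            outbound += server_bytes
    return inbound, outbound


# Constructed group definitions and a day of conversations.
SAMPLE_GROUPS = HostGroups({
    "Lab servers": ["10.201.3.0/24"],
    "Datacenter": ["10.1.0.0/16"],
    "Web servers": ["10.1.1.0/28"],            # more specific slice of the datacenter
    "Corporate workstations": ["10.2.0.0/16"],
    "Printers": ["10.2.7.10", "10.2.7.11"],
})
SAMPLE_CONVERSATIONS: List[Conversation] = [
    ("10.2.2.2", "10.1.1.1", 1025, 28712),       # workstation -> web server
    ("10.50.7.7", "10.1.1.1", 2048, 5120),       # unclassified private host -> web server
    ("10.2.2.2", "203.0.113.10", 4000, 900),     # workstation -> Internet
    ("192.168.44.3", "10.201.3.59", 300, 300),   # unclassified private host -> lab server
    ("10.2.7.10", "10.1.1.1", 50, 50),           # printer -> web server
]
```

Two hosts in the sample are rogue by this definition; note that 10.2.7.10 is not, because the printer group lists it explicitly, and that overlapping groups are reported together rather than resolved to the most specific one, so the analyst sees both the coarse and the fine context.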
Concept: Indicator of Compromise
An IoC is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion (http://en.wikipedia.org/wiki/Indicator_of_compromise).
Sources of IoCs include:
• IDS/IPS alert
• Log analysis (SIEM)
• Raw flow analysis
• Outside notification
• Behavioural analysis
• Activity monitoring
• Anomaly detection
• File hashes
• IP addresses
There are many IoCs from the network which we need to piece together to solve the crime.
Attack Lifecycle Model
Stages of the model, as laid out in the figure:
• Initial Recon
• Initial Compromise
• Infiltration (C&C)
• Exploratory Actions
• Footprint Expansion
• Staging
• Execution: Theft, Disruption
Now we use our evidence from the IoCs to build a map/model of an attack.
IoCs from Traffic Analysis
Behavioural Analysis:
• Leverages knowledge of known bad behaviour
• Policy and segmentation
Anomaly Detection:
• Identify a change from “normal”

StealthWatch NBAD Model
Algorithm → Security Event → Alarm:
• Algorithm: track and/or measure behaviour/activity
• Security Event: suspicious behaviour observed or anomaly detected
• Alarm: notification of the security event generated
This is how StealthWatch processes all the IoCs to make sense of them.
Alarm Categories
Each category accrues points from security events.
Example Alarm Category: Concern Index
Concern Index: tracks hosts that appear to be compromising network integrity, accumulating points from the security events attributed to them.

StealthWatch: Alarms
• Indicate significant behaviour changes and policy violations
• Known and unknown attacks generate alarms
• Activity that falls outside the baseline, acceptable behaviour or established policies
Watching for Data Theft
Data Exfiltration
• Identify suspect movement of data from the inside network to outside
• Single or multiple destinations from a single source
• Policy and behavioural
Data Hoarding
Suspect Data Hoarding:
• Unusually large amount of data inbound to a host from other hosts (the host doing the collecting)
• Policy and behavioural
Target Data Hoarding:
• Unusually large amount of data outbound from a host to multiple hosts (the host the data is being taken from)
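The three data-theft alarms above, together with the algorithm → security event → alarm model and the points-accruing Concern Index described earlier, can be shown end to end on a day of conversation records. The following is an added example (my code, not StealthWatch's algorithms): it computes per-host inbound-from-inside, outbound-to-inside and outbound-to-outside byte totals, compares each with a policy floor and with the host's own history using a mean-plus-three-sigma rule, and accrues points per host. The floors, the sigma rule, the point values, and all records and history are constructed for the example.

```python
"""Behavioural alarms for data hoarding and exfiltration (added example).

Per inside host and day: bytes pulled in from inside hosts (suspect hoarding),
bytes pushed to inside hosts (target hoarding), bytes sent to outside hosts
(exfiltration). Each is judged against a policy floor and the host's history.
"""
import ipaddress
import statistics
from dataclasses import dataclass
from typing import Dict, List

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SUSPECT_HOARDING, TARGET_HOARDING, EXFILTRATION = (
    "Suspect Data Hoarding", "Target Data Hoarding", "Data Exfiltration")
# Policy floors (constructed): below these nothing alarms, however unusual for the host.
FLOORS = {SUSPECT_HOARDING: 1_000_000_000, TARGET_HOARDING: 1_000_000_000, EXFILTRATION: 500_000_000}
POINTS = {SUSPECT_HOARDING: 60, TARGET_HOARDING: 60, EXFILTRATION: 100}   # arbitrary weights


@dataclass(frozen=True)
class Conversation:
    client_ip: str
    server_ip: str
    client_bytes: int     # client -> server
    server_bytes: int     # server -> client


@dataclass(frozen=True)
class Alarm:
    host: str
    category: str
    observed: int
    threshold: float


def is_inside(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def daily_measures(convs: List[Conversation]) -> Dict[str, Dict[str, int]]:
    """Per inside host: {category: bytes} over one day of conversation records."""
    measures: Dict[str, Dict[str, int]] = {}

    def add(host: str, category: str, n: int) -> None:
        measures.setdefault(host, {c: 0 for c in FLOORS})[category] += n

    for c in convs:
        ci, si = is_inside(c.client_ip), is_inside(c.server_ip)
        if ci and si:
            add(c.client_ip, SUSPECT_HOARDING, c.server_bytes)   # client pulls data in
            add(c.client_ip, TARGET_HOARDING, c.client_bytes)
            add(c.server_ip, SUSPECT_HOARDING, c.client_bytes)
            add(c.server_ip, TARGET_HOARDING, c.server_bytes)    # server pushes data out
        elif ci:
            add(c.client_ip, EXFILTRATION, c.client_bytes)       # inside -> outside upload
        elif si:
            add(c.server_ip, EXFILTRATION, c.server_bytes)       # inside server -> outside client
    return measures


def threshold(category: str, history: List[float]) -> float:
    """Policy floor, raised to mean + 3 sigma of the host's own history when it has one.
    A host without history is judged on the floor alone (new hosts alarm more easily)."""
    floor = float(FLOORS[category])
    if len(history) < 2:
        return floor
    return max(floor, statistics.mean(history) + 3 * statistics.pstdev(history))


def evaluate(convs: List[Conversation], history: Dict[str, Dict[str, List[float]]]) -> List[Alarm]:
    """Algorithm (measure) -> security event (threshold crossed) -> alarm."""
    alarms = []
    for host, measures in daily_measures(convs).items():
        for category, observed in measures.items():
            thr = threshold(category, history.get(host, {}).get(category, []))
            if observed > thr:
                alarms.append(Alarm(host, category, observed, thr))
    return alarms


def concern_index(alarms: List[Alarm]) -> Dict[str, int]:
    """Points accrue per host across categories."""
    index: Dict[str, int] = {}
    for a in alarms:
        index[a.host] = index.get(a.host, 0) + POINTS[a.category]
    return index


# Constructed day: 10.2.2.2 normally pulls ~50 MB/day from inside and today pulls
# 170 MB from each of 30 servers; 10.1.1.200 is a file server pushing ~2 GB/day as
# usual; 10.2.9.9 uploads 2 GB to an outside address.
SAMPLE_DAY = (
    [Conversation("10.2.2.2", f"10.1.1.{i}", 10_000, 170_000_000) for i in range(1, 31)]
    + [Conversation(f"10.2.3.{i}", "10.1.1.200", 5_000, 420_000_000) for i in range(1, 6)]
    + [Conversation("10.2.9.9", "203.0.113.10", 2_000_000_000, 100_000)]
)
SAMPLE_HISTORY = {
    "10.2.2.2": {SUSPECT_HOARDING: [50e6, 52e6, 48e6, 51e6, 49e6, 50e6, 50e6]},
    "10.1.1.200": {TARGET_HOARDING: [2.0e9, 2.1e9, 1.9e9, 2.0e9, 2.05e9, 1.95e9, 2.0e9]},
}
```

The file server's 2.1 GB day stays quiet because its own history puts the bar at roughly 2.18 GB, while the workstation that pulled 5.1 GB and the host that uploaded 2 GB outside both alarm. The floor matters in the other direction: the thirty servers each gave up 170 MB, which is below the target-hoarding floor, so only the collector is flagged, not its victims.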
“The Science of Deduction.”
Chapter 1: The Sign of the Four
Now we are going to use the evidence
generated by the network to solve our mystery.
Investigating a Host
IOC: an IDS alert from Firepower provides an IP address that StealthWatch can use to investigate.
Figure: host report for 10.201.3.59, showing behaviour alarms, a quick view of host group communication and summary information.

Investigating: Host Drilldown
Figure: user information and applications for the host.

Investigating: Applications
A lot of applications. Some suspicious!

Investigating: Behaviour Alarms
Significant network activity.

It Could Start with a User …
Figure: alarms, devices and sessions, Active Directory details and the username, with a link to view the flows for that user.
Links and Recommended Reading
More about StealthWatch and the Cisco Cyber Threat Defense Solution:
http://www.cisco.com/go/threatdefense
http://www.lancope.com
Recommended Reading
Cyber Threat Defense Cisco Validated Design Guide:
http://www.cisco.com/en/US/solutions/collateral/ns1015/ns1238/cyber_threat_defense_design_guide.pdf
Cyber Threat Defense for the Data Center Cisco Validated Design Guide:
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/ctd-first-look-design-guide.pdf
Securing Cisco Networks with Threat Detection and Analysis (SCYBER)
https://learningnetwork.cisco.com/community/certifications/security/cybersecurity/scyber_exam
Key Takeaways
• Insider threats are operating on the network interior
• Threat detection and response requires visibility and context into network traffic
• NetFlow and the StealthWatch System provide actionable security intelligence
Q & A
“The game is afoot!”
Sherlock Holmes, The Adventure of the Abbey Grange
Thank you
SCADA Security: The Five Stages of Cyber Grief
 
Looking for the weird webinar 09.24.14
Looking for the weird   webinar 09.24.14Looking for the weird   webinar 09.24.14
Looking for the weird webinar 09.24.14
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 

Último

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Último (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Network Security and Visibility through NetFlow

  • 1. Network Visibility through NetFlow Richard Laval Stealthwatch SEM, Europe rilaval@cisco.com 30-Mar-16
  • 2. New Networks Mean New Security Challenges: changing business models, a dynamic threat landscape, and growing complexity and fragmentation all expand the enterprise attack surface. Enterprise mobility: organizations lack visibility into which and how many devices are on their network. Cloud: services are moving to the cloud at a faster rate than IT can keep up. Internet of Things: over 50 billion connected “smart objects” by 2020. Acquisitions and partnerships: acquisitions, joint ventures, and partnerships are increasing in regularity. It’s not “if” you will be breached, it’s “when.”
  • 3. Partner Security Day @ Cisco Live Berlin Lawrence Orans, Gartner, Network and Gateway Security Primer for 2016 January 22, 2016 “Network security architects should accept the reality that, in 2016, it is unreasonable to expect that they can build perimeter defenses that will block every attack and prevent every security breach. Instead, they need to adopt new products and/or services that will enable the network to be an integral part of a strategy that focuses on detecting and responding to security incidents.”
  • 4. You Can’t Protect What You Can’t See. The network sees everything and gives deep and broad visibility: it answers who, what, when, where, and how they came onto the network.
  • 6. About this session: it is about using network analysis, that is the network itself (our “obvious things”), to detect and mitigate an attack. “The world is full of obvious things which nobody by any chance observes.” Sherlock Holmes, The Hound of the Baskervilles
  • 7. Managing the Insider Threat. Access controls: control who and what is on the network. Segmentation (SGT): define what they can do. You are who you say you are, and these are the resources you are allowed to access based on your credentials.
  • 8. Managing the Insider Threat. Content controls: control the movement of malicious content through inspection points, with deep contextual visibility at those points. This is what you are allowed to bring into the secure zone/network.
  • 9. Managing the Insider Threat. Once the walls are built, monitor for security visibility: now monitor the activity inside the secure, controlled zone.
  • 10. Introduction to NetFlow. Developed by Cisco in 1996 as a packet forwarding mechanism; its statistical reporting then became relevant to customers. Reporting is per flow rather than per packet (full flow vs. sampled). Versions 1 through 9 exist, with v5 the most popular and v9 the most functional. Traditional NetFlow (TNF) uses a fixed set of fields to identify a flow; Flexible NetFlow (FNF) lets the user define how a flow is identified.
  • 11. NetFlow. A client 10.2.2.2 port 1024 (seen on eth0/1) talks to a server 10.1.1.1 port 80 (seen on eth0/2). The exporter produces one unidirectional record per direction:
      Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent  SGT   DGT   TCP Flags
      10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025        100   1010  SYN,ACK,PSH
      10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712       1010  100   SYN,ACK,FIN
  • 12. NetFlow = Visibility A single NetFlow Record provides a wealth of information
  • 13. NetFlow Deployment Architecture Management/Reporting Layer: • Run queries on flow data • Centralize management and reporting Flow Collection Layer: • Collection, storage and analysis of flow records Flow Exporting Layer: • Enables telemetry export • As close to the traffic source as possible NetFlow
  • 14. Considerations: Flow Exporting Layer 1. NetFlow support 2. Which version of NetFlow to use 3. How to configure/what to measure 4. Where in the network to enable NetFlow export
  • 15. Versions of NetFlow
      V5: defines 18 exported fields; simple and compact format; the most commonly used format. Limits: IPv4 only; fixed fields and fixed-length fields only; single flow cache.
      V9: template-based; IPv6 flows supported; MPLS and BGP next hop supported; defines 104 fields, including L2 fields; reports flow direction. Limits: IPv6 flows are transported in IPv4 packets; fixed-length fields only; uses more memory; slower performance; single flow cache.
      Flexible NetFlow (FNF): template-based flow format built on the v9 protocol; supports flow monitors (discrete caches); supports selectable key fields and IPv6; supports NBAR data fields. Limits: less common; requires a more sophisticated platform to produce and a more sophisticated system to consume.
      IP Flow Information Export (IPFIX), a.k.a. NetFlow v10: standardized in RFC 5101, 5102 and 6313 (RFC 5101 and 5102 have since been superseded by RFC 7011 and 7012); supports variable-length fields and NBAR2; can export flows in IPv4 and IPv6 packets. Limits: even less common; only supported on a few Cisco platforms.
      NSEL (ASA only): built on the NetFlow v9 protocol; state-based flow logging (context); pre- and post-NAT reporting. Limits: missing many standard fields; limited support by collectors.
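The fixed v5 layout in the table above (24-byte header, 48-byte records, 18 exported fields) is small enough to decode by hand, which is also the quickest way to see what a collector actually receives. The decoder below is an added example, not Cisco or StealthWatch code; the datagram it parses is constructed inline from the slide-11 flow so the script runs offline. Because NetFlow export is unauthenticated UDP, the parser validates the header's record count against the real datagram length rather than trusting it.

```python
"""Decode a NetFlow v5 export datagram (added example, constructed input)."""
import socket
import struct

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling (2-bit mode + 14-bit interval)
V5_HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30  # a v5 exporter never packs more than 30 records per datagram

TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def tcp_flag_names(bits):
    """Render the cumulative TCP flags byte, e.g. 0x1A -> 'SYN,PSH,ACK'."""
    return ",".join(name for bit, name in TCP_FLAG_BITS if bits & bit)


def parse_v5(datagram):
    """Return (header, records) or raise ValueError for a malformed datagram.

    Nothing authenticates a NetFlow exporter, so the count field is checked
    against the real length instead of being used blindly as a loop bound.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    names = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
             "flow_sequence", "engine_type", "engine_id", "sampling")
    header = dict(zip(names, V5_HEADER.unpack_from(datagram, 0)))
    if header["version"] != 5:
        raise ValueError("not NetFlow v5: version=%d" % header["version"])
    count = header["count"]
    expected = V5_HEADER.size + count * V5_RECORD.size
    if count > V5_MAX_RECORDS or len(datagram) < expected:
        raise ValueError("count=%d inconsistent with datagram length %d" % (count, len(datagram)))
    records = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, src_as, dst_as, src_mask, dst_mask, _pad2) = \
            V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(src), "src_port": sport,
            "dst": socket.inet_ntoa(dst), "dst_port": dport,
            "next_hop": socket.inet_ntoa(nexthop),
            "in_if": in_if, "out_if": out_if,
            "packets": pkts, "bytes": octets,
            "first_ms": first, "last_ms": last,  # sys_uptime at first/last packet
            "proto": proto, "tos": tos, "tcp_flags": tcp_flag_names(flags),
            "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return header, records


def is_valid_v5(datagram):
    """True when the datagram decodes cleanly, False when parse_v5 rejects it."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def build_sample_datagram():
    """Constructed v5 datagram carrying the slide-11 flow: one record,
    10.2.2.2:1024 -> 10.1.1.1:80, 5 packets, 1025 bytes, flags SYN|ACK|PSH."""
    record = V5_RECORD.pack(
        socket.inet_aton("10.2.2.2"), socket.inet_aton("10.1.1.1"), socket.inet_aton("0.0.0.0"),
        1, 2,             # input / output ifIndex
        5, 1025,          # packets, bytes
        1000, 1650,       # first / last, in ms of sys_uptime
        1024, 80,         # source / destination port
        0, 0x1A, 6, 0,    # pad1, tcp_flags, protocol (6 = TCP), tos
        0, 0, 24, 24, 0)  # src_as, dst_as, src_mask, dst_mask, pad2
    header = V5_HEADER.pack(5, 1, 1650, 1459333212, 221000000, 0, 0, 0, 0)
    return header + record


if __name__ == "__main__":
    hdr, recs = parse_v5(build_sample_datagram())
    print(hdr)
    for r in recs:
        print(r)
```

The same approach does not carry over to v9, FNF or IPFIX: those are template-based, so the collector must first receive and cache the template that describes the record layout before any data record can be decoded.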
  • 16. NetFlow Deployment Catalyst® 6500 Distribution & Core Catalyst® 4500 ASA ISR Edge ASR Each network layer offers unique NetFlow capabilities Access Catalyst® 3560/3750-X Catalyst® 4500 Catalyst® 3650/3850
  • 17. Where to collect NetFlow from? Typical use cases and the recommended collection points:
      1. Detection of security events: you only need to account for each packet once. Collect at the edge; if the edge is not 100% flow capable, at the distribution layer; if that is not 100% flow capable, at the core. Also enable flow on any exporter that adds context, such as ASA firewalls (NAT and firewall actions) and proxies (visibility into outbound traffic that has been translated).
      2. Forensics or auditing: you should be looking to account for all packets. Deploy as close to the edges of the network as possible, and again enable flow on any exporter that adds context (ASA firewalls, proxies).
      3. Networking (performance): you need flow from everywhere to support interface utilization, QoS monitoring, trending and capacity planning, and tracking issues back to their source, which could be any interface.
  • 19. Aside: Myths about NetFlow Generation. Myth #1: NetFlow impacts performance. Hardware-implemented NetFlow has no performance impact; software implementations typically add well under 15% processing overhead. Myth #2: NetFlow has bandwidth overhead. NetFlow is a summary protocol; the export traffic is typically well under 1% of total traffic per exporting device.
  • 20. NetFlow Collection: Flow Stitching. The two unidirectional records for 10.2.2.2 port 1024 (eth0/1) and 10.1.1.1 port 80 (eth0/2):
      Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent  SGT   DGT
      10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025        100   1010
      10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712       1010  100
      are stitched into a single bidirectional conversation flow record, which allows easy visualization and analysis:
      Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Client SGT  Server SGT  Interfaces
      10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           100         1010        eth0/1, eth0/2
  • 21. NetFlow Collection: De-duplication. The same flow (10.2.2.2 port 1024 to 10.1.1.1 port 80) crosses Sw1, Sw2, the ASA and Sw3, and every exporter reports it. The collector keeps one conversation record and adds only the unique information each exporter contributes, for example the path of the packet:
      Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  App   Client SGT  Server SGT
      10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           HTTP  100         1010
      Exporter, Interface, Direction, Action: Sw1 eth0 in; Sw1 eth1 out; Sw2 eth0 in; Sw2 eth1 out; ASA eth1 in; ASA eth0 out, Permitted; ASA eth0 in, Permitted; ASA eth1 out; Sw3 eth1 in; Sw3 eth0 out; Sw1 eth1 in; Sw1 eth0 out
  • 22. How the conversational flow record looks in StealthWatch: who, what, when, where and how, plus more context. Highly scalable (enterprise-class) collection; high compression enables long-term storage, with months of data retention.
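Slides 20 and 21 describe two collector-side steps: stitching the two unidirectional records of a TCP session into one conversation record, and de-duplicating the copies that every exporter along the path reports for the same flow. The code below is an added example of both steps together, not StealthWatch's implementation. The record fields, the exporter names and the rule that the endpoint on the lower port is the server are assumptions for illustration; the input is the slide-11 flow, constructed as seen by Sw1, Sw2 and the ASA in both directions.

```python
"""Stitch unidirectional NetFlow records into conversations and de-duplicate
across exporters (added example with constructed records)."""
from collections import OrderedDict


def make_record(exporter, in_if, out_if, src_ip, src_port, dst_ip, dst_port,
                pkts, octets, start, sgt=None, dgt=None, action=None, proto="TCP"):
    """Unidirectional record as an exporter would send it (field names assumed)."""
    return dict(exporter=exporter, in_if=in_if, out_if=out_if, src_ip=src_ip,
                src_port=src_port, dst_ip=dst_ip, dst_port=dst_port, pkts=pkts,
                bytes=octets, start=start, sgt=sgt, dgt=dgt, action=action, proto=proto)


# Constructed sample: the slide-11 flow crossing Sw1 -> Sw2 -> ASA and back.
# Sw1 is given a slightly short count on the return leg (assumption: an early
# cache timeout) to show why counters are merged with max() and not summed.
SAMPLE = [
    make_record("Sw1", "eth0", "eth1", "10.2.2.2", 1024, "10.1.1.1", 80, 5, 1025, "10:20:12.221", sgt=100, dgt=1010),
    make_record("Sw2", "eth0", "eth1", "10.2.2.2", 1024, "10.1.1.1", 80, 5, 1025, "10:20:12.222", sgt=100, dgt=1010),
    make_record("ASA", "eth1", "eth0", "10.2.2.2", 1024, "10.1.1.1", 80, 5, 1025, "10:20:12.223", action="Permitted"),
    make_record("ASA", "eth0", "eth1", "10.1.1.1", 80, "10.2.2.2", 1024, 17, 28712, "10:20:12.871", action="Permitted"),
    make_record("Sw2", "eth1", "eth0", "10.1.1.1", 80, "10.2.2.2", 1024, 17, 28712, "10:20:12.872", sgt=1010, dgt=100),
    make_record("Sw1", "eth1", "eth0", "10.1.1.1", 80, "10.2.2.2", 1024, 16, 27000, "10:20:12.873", sgt=1010, dgt=100),
]


def conversation_key(r):
    """Direction-independent 5-tuple: both directions of a session map to one key."""
    ends = sorted([(r["src_ip"], r["src_port"]), (r["dst_ip"], r["dst_port"])])
    return (r["proto"], ends[0], ends[1])


def stitch(records):
    """Fold unidirectional records into one bidirectional conversation per 5-tuple."""
    convs = OrderedDict()
    for r in sorted(records, key=lambda r: r["start"]):
        key = conversation_key(r)
        c = convs.get(key)
        if c is None:
            # The first record seen fixes the roles. Assumption: the endpoint on
            # the lower port is the server; a real collector also uses SYN
            # direction and timing to decide.
            src_is_client = r["dst_port"] < r["src_port"]
            cli = (r["src_ip"], r["src_port"]) if src_is_client else (r["dst_ip"], r["dst_port"])
            srv = (r["dst_ip"], r["dst_port"]) if src_is_client else (r["src_ip"], r["src_port"])
            c = convs[key] = dict(
                start=r["start"], proto=r["proto"],
                client_ip=cli[0], client_port=cli[1], server_ip=srv[0], server_port=srv[1],
                client_bytes=0, client_pkts=0, server_bytes=0, server_pkts=0,
                client_sgt=None, server_sgt=None, fw_action=None, path=[])
        side = "client" if (r["src_ip"], r["src_port"]) == (c["client_ip"], c["client_port"]) else "server"
        other = "server" if side == "client" else "client"
        # De-duplication: every exporter on the path saw the same packets, so the
        # counters are merged with max() instead of being added up.
        c[side + "_bytes"] = max(c[side + "_bytes"], r["bytes"])
        c[side + "_pkts"] = max(c[side + "_pkts"], r["pkts"])
        # Context that only some exporters provide is attached once.
        if r["sgt"] is not None and c[side + "_sgt"] is None:
            c[side + "_sgt"] = r["sgt"]
        if r["dgt"] is not None and c[other + "_sgt"] is None:
            c[other + "_sgt"] = r["dgt"]
        if r["action"] is not None:
            c["fw_action"] = r["action"]
        # The path is the unique information each exporter contributes.
        hop = "%s %s in -> %s out (%s)" % (r["exporter"], r["in_if"], r["out_if"], side)
        if hop not in c["path"]:
            c["path"].append(hop)
    return list(convs.values())


if __name__ == "__main__":
    for conv in stitch(SAMPLE):
        print(conv)
```

Without the de-duplication step the three forward-path copies would add up to 3075 client bytes instead of 1025, which is exactly the overcount that inflates volume-based alarms when NetFlow is enabled on every hop of a path.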
  • 23. Host Groups: Applied Situational Awareness Virtual container of multiple IP Addresses/ranges that have similar attributes Best Practice: classify all known IP Addresses in one or more host groups Lab servers
  • 24. ISE as a Telemetry Source (adding context). Monitor mode: open mode, multi-auth; unobstructed access; no impact on productivity; profiling and posture assessment; gain visibility. Cisco ISE sends its authenticated session table to the StealthWatch Management Console (via syslog), which maintains a historical session table, correlates NetFlow to username, and builds user-centric reports.
  • 25. Global Intelligence (adding more context) • Known C&C Servers • Tor Entrance and Exits
  • 26. Conversational Flow Record with added context ISE Telemetry NBAR Applied situational awareness FlowSensor Geo-IP mapping Threat feed
  • 27. Flow Table – IPv6 StealthWatch can also display IPv6 flow records
  • 28. “There is nothing like first-hand evidence.” Sherlock Holmes, A Study in Scarlet. Now, let’s analyse all that good NetFlow data, the evidence generated by the network.
  • 29. NetFlow Analysis with StealthWatch can help: Identify additional IOCs • Policy & Segmentation • Network Behaviour & Anomaly Detection (NBAD) Better understand / respond to an IOC: • Audit trail of all host-to-host communication Discovery • Identify business critical applications and services across the network
  • 30. Locate Assets: find hosts communicating on the network and pivot based on transactional data.
  • 31. Host Groups – Targeted Reporting Geo-IP-based Host Group Summary chart of traffic inbound and outbound from this Host Group
  • 32. Host Groups – Discovering Rogue Hosts Catch All: All unclassified RFC1918 addresses Table of all individual hosts
  • 33. Host Groups – Discovering Rogue Hosts Rogue Hosts (IP addresses you don’t know about as they have not been classified)
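Slides 23, 32 and 33 rest on one mechanism: every known address is placed in one or more host groups, and whatever private (RFC 1918) address is seen talking but matches no group falls into the catch-all, which is the rogue-host list. The code below is an added example of that classification, not StealthWatch's; the host groups and the flow endpoints are constructed, and the group names are assumptions.

```python
"""Host-group classification and rogue-host discovery (added example,
constructed host groups and flows)."""
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed host groups. Ranges may overlap: a host can belong to several
# groups (e.g. a lab server is also in the Datacenter group).
HOST_GROUPS = {
    "Datacenter":   ["10.1.0.0/16"],
    "Lab servers":  ["10.1.1.0/24"],
    "Corp clients": ["10.2.0.0/16"],
    "DMZ web":      ["192.168.100.0/24", "10.1.5.10/32"],
}


def build_index(groups):
    """Flatten the group definitions into (network, group name) pairs."""
    return [(ipaddress.ip_network(cidr), name)
            for name, cidrs in groups.items() for cidr in cidrs]


def classify(ip, index):
    """Return the host groups an address belongs to.

    Unclassified private space lands in 'Catch All' (the rogue-host bucket);
    anything that is not private is 'Outside'.
    """
    addr = ipaddress.ip_address(ip)
    names = [name for net, name in index if addr in net]
    if names:
        return names
    if any(addr in net for net in RFC1918):
        return ["Catch All"]
    return ["Outside"]


def find_rogue_hosts(flows, index):
    """Inside hosts seen on the wire that belong to no defined host group,
    with how often they were seen and who they talked to."""
    rogue = defaultdict(lambda: {"flows": 0, "peers": set()})
    for src, dst in flows:
        for me, peer in ((src, dst), (dst, src)):
            if classify(me, index) == ["Catch All"]:
                rogue[me]["flows"] += 1
                rogue[me]["peers"].add(peer)
    return dict(rogue)


# Constructed flow endpoints (src, dst); 203.0.113.0/24 is documentation space.
SAMPLE_FLOWS = [
    ("10.2.2.2", "10.1.1.1"),        # corp client to lab server
    ("10.2.2.2", "203.0.113.10"),    # corp client to the Internet
    ("10.9.9.9", "10.1.1.1"),        # 10.9.9.9 is in no group: rogue
    ("10.9.9.9", "10.2.2.3"),
    ("192.168.7.7", "10.1.5.10"),    # also unclassified
]


if __name__ == "__main__":
    idx = build_index(HOST_GROUPS)
    for host, info in find_rogue_hosts(SAMPLE_FLOWS, idx).items():
        print(host, info["flows"], sorted(info["peers"]))
```

The practical consequence of the best practice on slide 23 is visible here: the quality of the rogue-host list is only as good as the coverage of the defined groups, so an unclassified server subnet shows up as a wall of false rogues until it is given a group.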
  • 34. Concept: Indicator of Compromise. An IoC is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion (http://en.wikipedia.org/wiki/Indicator_of_compromise). IoCs come from many sources: IDS/IPS alerts, log analysis (SIEM), raw flow analysis, outside notification, behavioural analysis, activity monitoring, anomaly detection, file hashes and IP addresses. There are many IoCs from the network which we need to piece together to solve the crime.
  • 36. IoC’s from Traffic Analysis Behavioural Analysis: • Leverages knowledge of known bad behaviour • Policy and segmentation Anomaly Detection: • Identify a change from “normal”
  • 37. StealthWatch NBAD Model. Algorithm: track and/or measure behaviour and activity. Security event: suspicious behaviour observed or anomaly detected. Alarm: notification of the security event generated. This is how StealthWatch processes all the IoCs to make sense of them.
  • 39. Example Alarm Category: Concern Index. The Concern Index tracks hosts that appear to be compromising network integrity, accumulating the security events raised against them.
  • 40. StealthWatch: Alarms Alarms • Indicate significant behaviour changes and policy violations • Known and unknown attacks generate alarms • Activity that falls outside the baseline, acceptable behaviour or established policies
  • 41. Watching for Data Theft Data Exfiltration • Identify suspect movement from Inside Network to Outside • Single or multiple destinations from a single source • Policy and behavioral
  • 42. Data Hoarding Suspect Data Hoarding: • Unusually large amount of data inbound from other hosts Target Data Hoarding: • Unusually large amount of data outbound from a host to multiple hosts
  • 43. Suspect Data Hoarding Data Hoarding • Unusually large amount of data inbound to a host from other hosts • Policy and behavioral
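Slides 41 to 43 describe three volume-based behavioural alarms built on conversation records: data exfiltration (inside to outside), suspect data hoarding (a host pulling unusually much from other inside hosts) and target data hoarding (a host pushing unusually much to many inside hosts). The code below is an added example of that logic, not StealthWatch's algorithm. The baselines, the alarm rule (today's volume above the larger of a policy floor and a multiple of the host's own baseline) and the minimum peer count are assumptions; the conversation records are constructed.

```python
"""Exfiltration and data-hoarding alarms over conversation records
(added example with constructed records and assumed thresholds)."""
import ipaddress
from collections import defaultdict

INSIDE = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: the monitored inside space
K = 3.0                  # assumption: alarm at 3x the host's own baseline (behavioural)
FLOOR = 50_000_000       # assumption: 50 MB policy floor so tiny baselines do not alarm on noise
MIN_PEERS = 5            # assumption: hoarding needs several peers, not one big transfer


def is_inside(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE)


def conv(client_ip, server_ip, client_bytes, server_bytes):
    """Bidirectional record: client_bytes flow client->server, server_bytes server->client."""
    return {"client_ip": client_ip, "server_ip": server_ip,
            "client_bytes": client_bytes, "server_bytes": server_bytes}


def aggregate(convs):
    """Per inside host: bytes sent outside, bytes received from inside peers,
    bytes sent to inside peers, and the distinct peers for each."""
    stats = defaultdict(lambda: {"out_to_outside": 0, "outside_dsts": set(),
                                 "in_from_inside": 0, "in_peers": set(),
                                 "out_to_inside": 0, "out_peers": set()})
    for c in convs:
        cli, srv = c["client_ip"], c["server_ip"]
        if is_inside(cli) and not is_inside(srv):
            stats[cli]["out_to_outside"] += c["client_bytes"]
            stats[cli]["outside_dsts"].add(srv)
        elif is_inside(cli) and is_inside(srv):
            # Each direction is credited to its sender and its receiver.
            stats[cli]["out_to_inside"] += c["client_bytes"]; stats[cli]["out_peers"].add(srv)
            stats[srv]["in_from_inside"] += c["client_bytes"]; stats[srv]["in_peers"].add(cli)
            stats[srv]["out_to_inside"] += c["server_bytes"]; stats[srv]["out_peers"].add(cli)
            stats[cli]["in_from_inside"] += c["server_bytes"]; stats[cli]["in_peers"].add(srv)
    return stats


def evaluate(stats, baseline):
    """Return (host, alarm, bytes, peer_count) tuples for hosts over threshold."""
    alarms = []
    for host, s in stats.items():
        base = baseline.get(host, {})

        def exceeds(metric):
            return s[metric] > max(FLOOR, K * base.get(metric, 0))

        if exceeds("out_to_outside"):
            alarms.append((host, "Data Exfiltration", s["out_to_outside"], len(s["outside_dsts"])))
        if exceeds("in_from_inside") and len(s["in_peers"]) >= MIN_PEERS:
            alarms.append((host, "Suspect Data Hoarding", s["in_from_inside"], len(s["in_peers"])))
        if exceeds("out_to_inside") and len(s["out_peers"]) >= MIN_PEERS:
            alarms.append((host, "Target Data Hoarding", s["out_to_inside"], len(s["out_peers"])))
    return alarms


# Constructed day of traffic: 10.2.2.2 pulls 40 MB from each of six inside
# servers, then pushes 300 MB to one outside address; 10.2.2.3 is an ordinary
# 10 MB upload. 203.0.113.0/24 is documentation space.
SAMPLE_CONVS = (
    [conv("10.2.2.2", "10.1.1.%d" % i, 2_000, 40_000_000) for i in range(1, 7)]
    + [conv("10.2.2.2", "203.0.113.10", 300_000_000, 5_000)]
    + [conv("10.2.2.3", "203.0.113.20", 10_000_000, 1_000_000)]
)
# Constructed per-host baselines (e.g. a trailing average of daily volume).
BASELINE = {
    "10.2.2.2": {"out_to_outside": 20_000_000, "in_from_inside": 30_000_000},
    "10.2.2.3": {"out_to_outside": 15_000_000},
}


if __name__ == "__main__":
    for alarm in evaluate(aggregate(SAMPLE_CONVS), BASELINE):
        print(alarm)
```

Run on the sample, 10.2.2.2 raises Suspect Data Hoarding (240 MB from six peers against a 30 MB baseline) followed by Data Exfiltration (300 MB outbound against a 20 MB baseline), which is the staging-then-exfiltration sequence the slides warn about; the six servers that each sent 40 MB to a single client stay silent. The per-host baseline is what keeps a backup server or a file-share replica, whose normal day already looks like hoarding, from alarming every night, and the policy floor is what keeps a near-zero baseline from alarming on a single large download.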
  • 44. “The Science of Deduction.” Chapter 1: The Sign of the Four Now we are going to use the evidence generated by the network to solve our mystery.
  • 45. Investigating a Host. IoC: an IDS alert from FirePower provides an IP address that StealthWatch can use to investigate. Host report for 10.201.3.59: behaviour alarms, a quick view of host group communication, and summary information.
  • 47. Investigating: Applications A lot of applications. Some suspicious!
  • 49. It Could Start with a User … Alarms Devices and Sessions Active Directory Details Username View Flows
  • 50. Links and Recommended Reading More about StealthWatch and the Cisco Cyber Threat Defense Solution: http://www.cisco.com/go/threatdefense http://www.lancope.com Recommended Reading Cyber Threat Defense Cisco Validated Design Guide: http://www.cisco.com/en/US/solutions/collateral/ns1015/ns1238/cyber_threat_defense_design_guide.pdf Cyber Threat Defense for the Data Center Cisco Validated Design Guide: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/ctd-first-look-design-guide.pdf Securing Cisco Networks with Threat Detection and Analysis (SCYBER) https://learningnetwork.cisco.com/community/certifications/security/cybersecurity/scyber_exam
  • 51. Key Takeaways Insider threats are operating on the network interior Threat detection and response requires visibility and context into network traffic NetFlow and the StealthWatch System provide actionable security intelligence
  • 52. Q & A
  • 53. “The game is afoot!” Sherlock Holmes, The Adventure of the Abbey Grange