Extending Network Visibility: Down to the Endpoint

1. © 2015 Lancope, Inc. All rights reserved. Extending Network Visibility: Down to the Endpoint Peter Johnson, Technical Alliances Engineer (Lancope) Josh Applebaum, Director of Product Marketing (Ziften) Matthew Frederickson, Director of Information Technology (CRSD)

2. © 2015 Lancope, Inc. All rights reserved. 2 Good vs. Evil: The Other Side is Always Innovating Evolution of conflict/threats Requires constant innovation from practitioners and vendors to combat this

3. © 2015 Lancope, Inc. All rights reserved. 3 The Evolution of Cyber Threats Viruses (1990s) Worms(2000s) Defense: Reputation, DLP, App.-aware Firewalls Botnets (late 2000s to current) Strategy: Visibility and Context Directed Attacks (APTs) (today) I LOVE YOU Melissa Anna Kournikova Nimda SQL Slammer Conficker Tedroo Rustock Conficker Aurora Shady Rat Duqu Heartbleed Cryptolocker Defense: Anti-Virus, Firewalls Defense: Intrusion Detection & Prevention

4. © 2015 Lancope, Inc. All rights reserved. 4 The Problems Customers Face FW IPS IDS James Comey, FBI Director: “There are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.” 209 days before attackers were discovered 783 incidents & hundreds of millions of compromised records $3.5M is the average lost business cost of a breach Customer Impact External Internal

5. © 2015 Lancope, Inc. All rights reserved. 5 Flow Data - A Light in the Darkness • Low cost monitoring solution • Uses outputs from existing infrastructure • Single or small number of regional collectors support an infrastructure • Easy to configure • Enabled on the devices • No hardware to insert • Broad presence already in the networks • Routers • Switches • Firewalls, etc… • Accounting data stores well • Fractions of a percentage of storage needed for Packet Capture • Common format means it’s easy to write to tables for analysis

8. © 2015 Lancope, Inc. All rights reserved. 8 Two Halves of the Puzzle Real Time Detection: StealthWatch consumes data from devices all over the network and through a mix of policy and behavioral knowledge identifies threats that move past the traditional methods of detection. Incident Response: StealthWatch allows operators to move quickly from a singular event to understanding the full context of what is known about network activity from that host. How they communicated and with whom, while quickly detailing any additional points of concern.

9. © 2015 Lancope, Inc. All rights reserved. 9 Stop Problems Before They Are Crisis ImpacttotheBusiness($) credit card data compromised attack identified vulnerability closed attack thwarted early warning attack identified vulnerability closed attack onset STEALTHWATCH REDUCES MTTK Company with StealthWatch Company with Legacy Monitoring Tools ~70% of Incident Response is spent on MTTK “Worm outbreaks impact revenue by up to $250k / hour. StealthWatch pays for itself in 30 minutes.” F500 Media Conglomerate 259% ROI MTTK Time

13. © 2015 Lancope, Inc. All rights reserved. Overview • 11,200 students • 1,300 staff • 12th largest out of 500 in Pennsylvania • 2 High Schools (grades 9 through 12) • 3 Middle Schools (grades 7 and 8) • 10 Elementary Schools (Kindergarten through 6) • 72 square miles • 10 person IT department

14. © 2015 Lancope, Inc. All rights reserved. Network Infrastructure • Microsoft Active Directory • Windows PC/Laptops (5,386) • 1 GB Fiber between buildings • 300 MB Fiber to Internet • Cisco ASA • Cisco 6513 Core Switch • Lightspeed Rocket Content Filter

16. © 2015 Lancope, Inc. All rights reserved. Integrated Approach • SANS 20 Critical Controls • Now Version 5.1, Council on Cyber Security • Understand WHAT is happening on the network • Lancope StealthWatch – Netflow from BOTH 6513 and ASA • Understand WHY it’s happening • Ziften Desktops – Dashboard, Splunk • Infoblox DDI • Understand Baseline • HS – Alienvault UMS • Cisco IDS • Active Directory • Netwrix • Splunk

17. © 2015 Lancope, Inc. All rights reserved. Real World Example • Infoblox DNS Firewall • Top RPZ Hits – 192.168.x.x IP • StealthWatch IP Look • 192.168.x.x – 10.12.2.134 • Ziften • 10.12.2.134 • Running Malware Botnet

18. © 2015 Lancope, Inc. All rights reserved. StealthWatch Use Cases 18 Context-Aware Visibility • Network, application and user activity • East-West traffic monitoring • Advanced Persistent Threats • Insider Threat • DDoS • Data Exfiltration • In-depth, flow-based forensic analysis of suspicious incidents • Scalable repository of security information • Application Awareness • Capacity Planning • Performance Monitoring • Troubleshooting • Cisco ISE • Monitor privileged access • Policy enforcement Threat Detection Incident Response Network Diagnostics User Monitoring

19. © 2015 Lancope, Inc. All rights reserved. Ziften Use Cases 19 Continuous Monitoring • Endpoint activity • User activity • Network attribution • Indicators of compromise (IOCs) • Custom threat intelligence • Who is patient-zero? • What has changed? • Is there lateral movement? • Endpoint network quarantine • Threat termination • Remediation • Is antivirus running? • OS and application vulnerabilities • Hard drive encryption Real-Time Detection Rapid Forensic Investigation Incident Response Compliance

Extending Network Visibility: Down to the Endpoint

Extending Network Visibility: Down to the Endpoint

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados(20)

Destaque

Destaque(16)

Similar a Extending Network Visibility: Down to the Endpoint

Similar a Extending Network Visibility: Down to the Endpoint(20)

Mais de Lancope, Inc.

Mais de Lancope, Inc.(15)

Extending Network Visibility: Down to the Endpoint

Notas do Editor