Cyber Security - IDS/IPS is not enough


Description

Watch the full OnDemand Webcast: http://bit.ly/CyberSecurityIDSIPS

Network breaches are on the rise. You can find statistics and specific accounts of breaches all over the Web. And those are just the ones companies are willing to talk about. You have an IDS/IPS in place so you’re protected, right? Not necessarily, since most breaches today are unique, and often employ prolonged, targeted attacks, making them hard to predict and counteract with existing IDS/IPS solutions. Worse, sometimes attacks begin, or are at least facilitated, from within the firewall, whether maliciously or simply due to negligence and inappropriate corporate network usage.

The current environment of profit-driven network attacks requires that you supplement existing IDS/IPS solutions with technology that constantly monitors and records all network traffic, and provides the ability to perform Network Forensics. This way if an attack occurs, and the odds are not in your favor, you can not only characterize the breach, but also assess the damage, ensure no further compromise, and comply with corporate and legal requirements for reporting. Additionally, by employing Network Forensics proactively, you can spot dangerous behavior on your network as it happens, swinging the odds of avoiding an attack back in your favor.

In this web seminar, we will cover:

- Current trends in cyber attacks, including APTs (Advanced Persistent Threats)
- Common characteristics of recent cyber attacks
- Limitations of IDS/IPS solutions
- Using Network Forensics to supplement your defenses

What you will learn:

- Why IDS/IPS solutions fall short
- How to implement a Network Forensics solution
- How to use Network Forensics for both proactive and post-incident security analysis

Transcript of Cyber Security - IDS/IPS is not enough

Page 1: Cyber Security - IDS/IPS is not enough

www.wildpackets.com © WildPackets, Inc.

Jay Botelho

Director of Product Management

WildPackets

[email protected]

Follow me @jaybotelho

Cyber Security

IDS/IPS Is Not Enough!

Show us your tweets! Use today’s webinar hashtag:

#wp_cybersecurity with any questions, comments, or feedback.

Follow us @wildpackets

Page 2: Cyber Security - IDS/IPS is not enough


Agenda

• Current Trends in Cyber Security and Attacks

• Cyber Attacks – Similarities and Differences

• IDS/IPS Is Not Enough

• Network Recording – Cyber Attack Insurance Policy

• Cyber Attack CSI – Network Forensics

• Company Overview

• Product Line Overview

Page 3: Cyber Security - IDS/IPS is not enough

Current Trends in Cyber Security and Attacks

Page 4: Cyber Security - IDS/IPS is not enough

Key 2011 Cyber Attacks

• Sony Playstation Network (April 2011)

‒ Account information, passwords and credit card numbers breached for 70M users

‒ Direct cost of $170M (Sony)

‒ Indirect cost estimated at 10 to 100x

• The IMF (International Monetary Fund) (June 2011)

‒ Hack resulted in the loss of a “large quantity” of data, documents and email

• Citigroup (June 2011)

‒ More than 200,000 customer accounts hacked

‒ Poor web application design made it easy

• Android Apps

‒ More than 50% of the third-party apps on Google's official Android Market contained a Trojan called DroidDream, designed to steal personal data

Page 5: Cyber Security - IDS/IPS is not enough

“2011 - The Year of the Hack”

• So named by IT security experts

• 60% of IT executives fear Advanced Persistent Threat (APT) attacks

• 28% fear theft and disclosure from insiders

• 60% use either a written “honor system” security policy or have none at all

• 51% allow employees to download/install software

• Companies continue to allow employees to engage in risky behaviors

Based on Bit9’s Third Annual Endpoint Survey of 765 IT executives

http://www.businesswire.com/news/home/20110830006206/en/%E2%80%9CYear-Hack%E2%80%9D-Survey-Reveals-Enterprises-Concerned-%E2%80%9CAdvanced

Page 6: Cyber Security - IDS/IPS is not enough

Advanced Persistent Threat

The New Buzzword for 2011/2012

• A long-term pattern of sophisticated hacking attacks aimed at governments, companies, and political activists

• Advanced – Full spectrum of techniques

‒ Not all “advanced” (e.g. malware)

‒ Can develop more advanced tools as required

‒ Combines multiple targeting methods

‒ Focus on operational security not found in less advanced threats

• Persistent – Priority to a specific task

‒ Not opportunistically seeking information for financial gain

‒ A “low-and-slow” approach is typical

‒ Maintain long-term access to the target

• Threat – Capability and intent

‒ Executed by coordinated human actions vs. automation

‒ Specific objective with skilled, motivated, organized and well funded entities

Page 7: Cyber Security - IDS/IPS is not enough


Multiple Successful Attacks

Perceptions About Network Security

Survey of IT and IT security practitioners in the U.S.

Ponemon Institute Research Report, June 2011

583 US IT practitioners

Average experience 9.5 years

51% in organizations > 5000 employees

Page 8: Cyber Security - IDS/IPS is not enough

Confidence Level for Next 12 Months

(Chart: Perceptions About Network Security, Ponemon Institute Research Report, June 2011; survey details on page 7)

Page 9: Cyber Security - IDS/IPS is not enough

Cost For The Past 12 Months

(Chart: Perceptions About Network Security, Ponemon Institute Research Report, June 2011; survey details on page 7)

Page 10: Cyber Security - IDS/IPS is not enough

Source of Breaches

(Chart: Perceptions About Network Security, Ponemon Institute Research Report, June 2011; survey details on page 7)

Page 11: Cyber Security - IDS/IPS is not enough

Cause of Breach

(Chart: Perceptions About Network Security, Ponemon Institute Research Report, June 2011; survey details on page 7)

Page 12: Cyber Security - IDS/IPS is not enough

Severity and Frequency

(Chart: Perceptions About Network Security, Ponemon Institute Research Report, June 2011; survey details on page 7)

Page 13: Cyber Security - IDS/IPS is not enough

Types of Attacks

(Chart: Perceptions About Network Security, Ponemon Institute Research Report, June 2011; survey details on page 7)

Page 14: Cyber Security - IDS/IPS is not enough

Current Security Measures

(Chart: Perceptions About Network Security, Ponemon Institute Research Report, June 2011; survey details on page 7)

Page 15: Cyber Security - IDS/IPS is not enough


Cyber Attacks

Similarities and Differences

Page 16: Cyber Security - IDS/IPS is not enough

Example #1: Heartland Payment Systems

• SQL injection – entering a set of SQL commands into a text entry field on the website

• Access then gained to key servers

• Malware then planted to collect credit and debit card numbers

• 130M accounts breached

• Calls into question PCI compliance and monitoring

• Potential upside – end to end security for financial transactions now being more seriously investigated

Page 17: Cyber Security - IDS/IPS is not enough

Example #2: Twitter Breach

• Compromise personal Gmail account of employee

• Reset Gmail password so user is unaware

• Leverage personal email account to gain access to corporate email account (hosted by Google)

• Read email, attachments, etc., finding things like:

‒ Sensitive documents

‒ Other user names and passwords (or at least clues)

• Fan out into other services based on acquired info:

‒ Cell phone records

‒ MobileMe

‒ Amazon/iTunes

Page 18: Cyber Security - IDS/IPS is not enough

Example #3: MSBlaster Worm

• Exploits Microsoft Windows RPC Vulnerability

‒ Microsoft RPC vulnerability using TCP Port 135

• Infected machines will attempt to propagate the worm to additional machines

‒ Infected machines will also attempt to launch a Distributed Denial of Service (DDoS) attack against Microsoft on the following schedule: any day in the months September - December; the 16th to the 31st day of the months January - August

Page 19: Cyber Security - IDS/IPS is not enough


IDS/IPS Is Not Enough

Page 20: Cyber Security - IDS/IPS is not enough

What is IDS and IPS?

• IDS – Intrusion Detection System

‒ Typically passive

‒ Detects and alarms on suspected intrusions using signature-based, statistical anomaly based, and/or stateful protocol analysis detection

‒ Has a reputation for false positives

• IPS – Intrusion Prevention System

‒ Either works alongside an IDS, or has embedded IDS capabilities of its own

‒ Installed in-line

‒ Actively prevents intrusions by dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address

Page 21: Cyber Security - IDS/IPS is not enough

Limitations of IDS/IPS

• No security product is 100%

• Risk mitigation – what’s your risk tolerance?

• On average 120K malware incidents identified per day by IDS/IPS

• 5 - 20 new malware strains missed every day

• Effectiveness vs. ease-of-use

• Effectiveness vs. cost

• Highly secure vs. high throughput

Page 22: Cyber Security - IDS/IPS is not enough

And What If …

• Data breaches are occurring from within the organization?

• A breached mobile device or infected personal laptop brings outside threats inside the network which goes undetected by most IDS/IPS?

• Any rogue or unauthorized device tries to access the network internally from behind the firewall?

Page 23: Cyber Security - IDS/IPS is not enough

IDS/IPS – Key Questions

• Will you sacrifice security for cost?

• Where does the IDS/IPS provider get their rule set?

• How much configuration is required?

• How often is the rule set updated?

• How well do they cover malware?

• How well do they cover mainstream vulnerabilities?

• How fast do they supply patches to update critical bugs?

Page 24: Cyber Security - IDS/IPS is not enough

IDS/IPS Is Not Enough

(Diagram: IDS / IPS System)

1. Attack bypasses firewall

2. Partial attack data processed

3. Network engineer gets incomplete data from switch

Result: Incomplete reconstruction deters diagnosis!

Page 25: Cyber Security - IDS/IPS is not enough

Changing Methods – Network Recorders

(Diagram: IDS/IPS System, Data Recorder, Servers)

1. Attack bypasses firewall

2. Data Recorder records and aggregates data throughout attack

3. Event logged, attack partially tracked by IDS

4. Post event analysis reveals attacker, method, damage!

Page 26: Cyber Security - IDS/IPS is not enough


Network Recording

Cyber Attack Insurance Policy

Page 27: Cyber Security - IDS/IPS is not enough

Network Recording

• Requires the lossless capture and storage of extremely large data volumes

• Focus on Enterprise vs. Lawful Intercept

‒ Concerned with the process of reconstructing a network event: an intrusion such as a “hack” or other penetration, or a network or infrastructure outage

‒ Provides a recording of the actual incident

• Based on live IP packet data captures

‒ A new way of looking at trace file analysis

‒ Continues from where traditional network troubleshooting ends

Page 28: Cyber Security - IDS/IPS is not enough


Connectivity for Network Recording

Page 29: Cyber Security - IDS/IPS is not enough

Network Data Storage at 10G

• 1Gbps steady-state traffic assuming no storage overhead:

‒ 7.68 GB/min

‒ 460 GB/hr

‒ 11 TB/day

‒ 2.9 days in a 32TB appliance

• 10Gbps:

‒ 76.8 GB/min

‒ 4.6 TB/hr

‒ 110 TB/day

‒ 7.0 hours in a 32TB appliance
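The slide's arithmetic, as an added example (not from the WildPackets deck) that generalises it to any link rate, link utilisation and appliance capacity. It assumes the deck's convention of 1 Gbps = 1024 Mbit/s (the only way 1 Gbps comes out at 7.68 GB/min) and decimal GB/TB; the utilisation and overhead parameters are my additions, since a real recorder writes timestamps and indexes on top of the packets and few links run saturated.

```python
from dataclasses import dataclass

MBIT = 1_000_000
GBIT_SLIDE = 1024 * MBIT   # the deck's "1 Gbps" (assumption: 1024 Mbit/s reproduces 7.68 GB/min)
GB = 1_000_000_000         # decimal units, as the slide uses
TB = 1000 * GB


@dataclass
class StorageBudget:
    gb_per_min: float
    gb_per_hour: float
    tb_per_day: float
    hours_in_appliance: float   # how long before the recorder must wrap or stop


def storage_budget(rate_gbps: float, capacity_tb: float,
                   utilisation: float = 1.0, overhead: float = 0.0) -> StorageBudget:
    """Steady-state bytes written per interval and retention for a packet recorder.

    rate_gbps:    link rate being recorded (1 or 10 on the slide)
    capacity_tb:  recorder disk capacity (the slide's appliance is 32 TB)
    utilisation:  fraction of line rate actually carried; 1.0 = saturated link
    overhead:     extra fraction written per captured byte (timestamps, indexes);
                  the slide assumes 0.0, which is a lower bound for real recorders
    """
    if rate_gbps <= 0 or capacity_tb <= 0:
        raise ValueError("rate and capacity must be positive")
    if not 0 < utilisation <= 1 or overhead < 0:
        raise ValueError("utilisation must be in (0, 1] and overhead >= 0")
    bytes_per_sec = rate_gbps * GBIT_SLIDE / 8 * utilisation * (1 + overhead)
    per_min = bytes_per_sec * 60
    per_hour = per_min * 60
    per_day = per_hour * 24
    return StorageBudget(
        gb_per_min=per_min / GB,
        gb_per_hour=per_hour / GB,
        tb_per_day=per_day / TB,
        hours_in_appliance=capacity_tb * TB / per_hour,
    )


def retention_table(rates=(1, 10), capacity_tb=32, **kw):
    """One formatted line per link rate, mirroring the slide's two bullets."""
    rows = []
    for r in rates:
        b = storage_budget(r, capacity_tb, **kw)
        rows.append(f"{r:>3} Gbps: {b.gb_per_min:6.2f} GB/min  {b.gb_per_hour:7.1f} GB/hr  "
                    f"{b.tb_per_day:6.1f} TB/day  {b.hours_in_appliance:6.1f} h in {capacity_tb} TB")
    return rows


if __name__ == "__main__":
    for row in retention_table():                                # the slide's case
        print(row)
    for row in retention_table(utilisation=0.3, overhead=0.05):  # a more typical 10G link
        print(row)
```

The 32 TB figure works out to 69.4 hours at 1 Gbps and 6.94 hours at 10 Gbps, which the slide rounds to 2.9 days and 7.0 hours.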

Page 30: Cyber Security - IDS/IPS is not enough


Cyber Attack CSI

Network Forensics

Page 31: Cyber Security - IDS/IPS is not enough

Key Questions

1. Who was the intruder?

2. How did the intruder penetrate security?

3. What damage has been done?

4. Did the intruder leave anything behind?

5. Did we capture sufficient information to effectively analyze and reproduce the attack?

Page 32: Cyber Security - IDS/IPS is not enough


MSBlaster Worm Example

Page 33: Cyber Security - IDS/IPS is not enough


Server Connects to The Target Workstation

TCP 3-Way-Handshake on Port 4444 (NV Video default)

Page 34: Cyber Security - IDS/IPS is not enough


MSBlaster Worm Download

Server infects the workstation with MSBlaster-Worm via TFTP Download

Page 35: Cyber Security - IDS/IPS is not enough


MSBlaster Worm – Visual Reconstruction

Page 36: Cyber Security - IDS/IPS is not enough


MSBlaster Worm Execute Command

Activation command for the Blaster Worm payload

141.157.228.12 Sends the execute command to 10.1.1.31

Page 37: Cyber Security - IDS/IPS is not enough


Infected Workstation Now Attacks Others

10.1.1.31 Now scans for other nodes on the 180.191.253.XXX range

Page 38: Cyber Security - IDS/IPS is not enough


Example #1: MSBlaster Worm

Target Ports Execute Command

Filter identifies devices infected with the MSBlaster worm
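A minimal version of the kind of filter this slide describes, as an added example (not WildPackets code or an OmniPeek filter): it looks for the sequence the deck walks through on pages 33-37 (inbound TCP/135, inbound TCP/4444 from the same peer, a TFTP fetch back to that peer, then outbound TCP/135 probes to many hosts) over a constructed flow log. The log format, field names, time window and scan threshold are my assumptions; the addresses are the ones in the deck's screenshots.

```python
from collections import defaultdict

# Constructed sample flow log (not a real capture): "time src dst proto dport".
# The TCP/445 line and the lone TFTP fetch by 10.1.1.9 are benign noise that
# must not be flagged.
SAMPLE_FLOWS = """\
0   141.157.228.12 10.1.1.31      tcp 135
1   141.157.228.12 10.1.1.31      tcp 4444
2   10.1.1.31      141.157.228.12 udp 69
3   10.1.1.5       10.1.1.7       tcp 445
4   10.1.1.31      180.191.253.1  tcp 135
4   10.1.1.31      180.191.253.2  tcp 135
5   10.1.1.31      180.191.253.3  tcp 135
5   10.1.1.31      180.191.253.4  tcp 135
6   10.1.1.31      180.191.253.5  tcp 135
6   10.1.1.31      180.191.253.6  tcp 135
7   10.1.1.9       10.1.1.200     udp 69
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (time, src, dst, proto, dport)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        t, src, dst, proto, dport = line.split()
        flows.append((float(t), src, dst, proto.lower(), int(dport)))
    return sorted(flows)


def find_blaster_victims(flows, window=120.0, scan_threshold=5):
    """Return {victim: {"attacker": ip, "scan_targets": n}} for hosts showing the
    full Blaster sequence: TCP/135 then TCP/4444 from the same peer, a TFTP
    (UDP/69) request back to that peer within `window` seconds of the exploit,
    and afterwards TCP/135 probes to at least `scan_threshold` distinct hosts."""
    rpc_in, shell_in, tftp_out, rpc_out = (defaultdict(list) for _ in range(4))
    for t, src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 135:
            rpc_in[dst].append((t, src))     # exploit attempt against dst
            rpc_out[src].append((t, dst))    # the same flow, seen from the scanner's side
        elif proto == "tcp" and dport == 4444:
            shell_in[dst].append((t, src))   # command-shell connection
        elif proto == "udp" and dport == 69:
            tftp_out[src].append((t, dst))   # payload download by src
    victims = {}
    for host, shells in shell_in.items():
        for t_shell, peer in shells:
            t_rpc = [t for t, s in rpc_in[host] if s == peer and t <= t_shell]
            t_tftp = [t for t, d in tftp_out[host] if d == peer and t >= t_shell]
            if not (t_rpc and t_tftp) or min(t_tftp) - max(t_rpc) > window:
                continue
            infected_at = min(t_tftp)
            targets = {d for t, d in rpc_out[host]
                       if infected_at <= t <= infected_at + window}
            if len(targets) >= scan_threshold:
                victims[host] = {"attacker": peer, "scan_targets": len(targets)}
    return victims


if __name__ == "__main__":
    for host, info in find_blaster_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: infected from {info['attacker']}, "
              f"then probed {info['scan_targets']} hosts on TCP/135")
```

Because the filter keys on the order of flows between a pair of hosts rather than on a payload signature, it still fires on a variant the IDS has no rule for, which is the point the deck makes about recording everything.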

Page 39: Cyber Security - IDS/IPS is not enough

What Can You Do?

• Processes, processes, processes

• Implement a network recording/network forensics solution

• Establish clear baselines so changes are easy to detect

• Employ solutions that continuously monitor packet-level security heuristics

• Actively search for minor policy violations that could be indicators of bigger problems

Page 40: Cyber Security - IDS/IPS is not enough


Company Overview

Page 41: Cyber Security - IDS/IPS is not enough

Corporate Background

• Experts in network monitoring, analysis, and troubleshooting

‒ Founded: 1990 / Headquarters: Walnut Creek, CA

‒ Offices throughout the US, EMEA, and APAC

• Our customers are leading edge organizations

‒ Mid-market, and enterprise lines of business

‒ Financial, manufacturing, ISPs, major federal agencies, state and local governments, and universities

‒ Over 7,000 customers / 60+ countries / 80% of Fortune 1,000

• Award-winning solutions that improve network performance

‒ Internet Telephony, Network Magazine, Network Computing Awards

‒ United States Patent 5,787,253 issued July 28, 1998

• Different approach to maintaining availability of network services

Page 42: Cyber Security - IDS/IPS is not enough


Real-World Deployments

Education

Health Care / Retail

Financial

Telecom

Government

Technology

Page 43: Cyber Security - IDS/IPS is not enough


Product Line Overview

Page 44: Cyber Security - IDS/IPS is not enough

OmniPeek/Compass – Enterprise Packet Capture, Decode and Analysis

• 10/100/1000 Ethernet, Wireless, WAN, 10G

• Portable capture and OmniEngine console

• VoIP analysis and call playback

Omnipliance / TimeLine – Distributed Enterprise Network Forensics

• Packet capture and real-time analysis

• Stream-to-disk for forensics analysis

• Integrated OmniAdapter network analysis cards

WatchPoint – Centralized Enterprise Network Monitoring Appliance

• Aggregation and graphical display of network data

• WildPackets OmniEngines

• NetFlow and sFlow

Page 45: Cyber Security - IDS/IPS is not enough

OmniPeek Network Analyzer

• OmniEngine Manager

– Connect and configure distributed OmniEngines/Omnipliances

• Comprehensive dashboards present network traffic in real-time

– Vital statistics and graphs display trends on network and application performance

– Visual peer-map shows conversations and protocols

– Intuitive drill-down for root-cause analysis of performance bottlenecks

• Visual Expert diagnosis speeds problem resolution

– Packet and Payload visualizers provide business-centric views

• Automated analytics and problem detection 24/7

– Easily create filters, triggers, scripting, advanced alarms and alerts

Page 46: Cyber Security - IDS/IPS is not enough


Omnipliance Network Recorders

• Captures and analyzes all network traffic 24x7

– Runs our OmniEngine software probe

– Generates vital statistics on network and application performance

– Intuitive root-cause analysis of performance bottlenecks

• Expert analysis speeds problem resolution

– Fault analysis, statistical analysis, and independent notification

• Multiple Issue Digital Forensics

– Real-time and post capture data mining for compliance and troubleshooting

• Intelligent data transport

– Network data analyzed locally

– Detailed analysis passed to OmniPeek on demand

– Summary statistics sent to WatchPoint for long term trending and reporting

– Efficient use of network bandwidth

• User-Extensible Platform

– Plug-in architecture and SDK

Page 47: Cyber Security - IDS/IPS is not enough

Omnipliance Network Recorders – Price/performance solutions for every application

Portable – Ruggedized Troubleshooting

‒ Aluminum chassis / 17” LCD

‒ Quad-Core Xeon 2.5GHz

‒ 4GB RAM

‒ 2 PCI-E Slots

‒ 2 Built-in Ethernet Ports

‒ 500GB and 2.5TB SATA storage capacity

Edge – Small Networks / Remote Offices

‒ 1U rack mountable chassis

‒ Quad-Core Intel Xeon X3460 2.80Ghz

‒ 4GB RAM

‒ 2 PCI-E Slots

‒ 2 Built-in Ethernet Ports

‒ 1TB SATA storage capacity

Core – Datacenter Workhorse / Easily Expandable

‒ 3U rack mountable chassis

‒ Two Quad-Core Intel Xeon E5530 2.4Ghz

‒ 6GB RAM

‒ 4 PCI-E Slots

‒ 2 Built-in Ethernet Ports

‒ 2TB SATA storage capacity

Page 48: Cyber Security - IDS/IPS is not enough

TimeLine

• Fastest network recording and real-time statistical display — simultaneously

‒ 11.7Gbps sustained capture with zero packet loss

‒ Network statistics display in TimeLine visualization format

• Rapid, intuitive forensics search and retrieval

‒ Historical network traffic analysis and quick data rewinding

‒ Several pre-defined forensics search templates making searches easy and fast

• A natural extension to the WildPackets product line

• Turnkey bundled solution

‒ Appliance + OmniEngine, OmniAdapter, OmniPeek Connect

Page 49: Cyber Security - IDS/IPS is not enough

TimeLine – For the most demanding network analysis tasks

TimeLine 10G Network Forensics

3U rack mountable chassis

Two Quad-Core Intel Xeon 5560 2.8Ghz

18GB RAM

4 PCI-E Slots

2 Built-in Ethernet Ports

8/16/32TB SATA storage capacity

Page 50: Cyber Security - IDS/IPS is not enough

WatchPoint – Centralized Monitoring for Distributed Enterprise Networks

• High-level, aggregated view of all network segments

– Monitor per campus, per region, per country

• Wide range of network data

– NetFlow, sFlow, OmniFlow

• Web-based, customizable network dashboards

• Flexible detailed reports

• Omnipliances must be configured for continuous capture

Page 51: Cyber Security - IDS/IPS is not enough

WildPackets Key Differentiators

• Visual Expert Intelligence with Intuitive Drill-down

– Let computer do the hard work, and return results, real-time

– Packet / Payload Visualizers are faster than packet-per-packet diagnostics

– Experts and analytics can be memorized and automated

• Automated Capture Analytics

– Filters, triggers, scripting and advanced alarming system combine to provide automated network problem detection 24x7

• Multiple Issue Network Forensics

– Can be tracked by one or more people simultaneously

– Real-time or post capture

• User-Extensible Platform

– Plug-in architecture and SDK

• Aggregated Network Views and Reporting

– NetFlow, sFlow, and OmniFlow

Page 52: Cyber Security - IDS/IPS is not enough


Q&A

Show us your tweets! Use today’s webinar hashtag:

#wp_cybersecurity with any questions, comments, or feedback.

Follow us @wildpackets

Follow us on SlideShare! Check out today’s slides on SlideShare

www.slideshare.net/wildpackets

Page 53: Cyber Security - IDS/IPS is not enough


Thank You!

WildPackets, Inc.

1340 Treat Boulevard, Suite 500

Walnut Creek, CA 94597

(925) 937-3200