www.wildpackets.com
Use today's webinar hashtag: #wp_networkforensics with any questions, comments, or feedback. Follow us @wildpackets
Jay Botelho, Director of Product Management, WildPackets, [email protected]. Follow me @jaybotelho
Security Attack Analysis for Finding and Stopping Network Attacks: Your Insurance Policy for Network Breaches
Security Attack Analysis for Finding and Stopping Network Attacks
Network breaches are on the rise, and the consequences are getting more dire. Needless to say, you don't want to be the next Target. You've invested in security tools like firewalls and IPS systems, but today's stealthy attacks can still get through. When you suspect an attack, you need your insurance policy—network forensics.
In this seminar, you'll learn how network forensics—network recording along with powerful search and analysis tools—can enable your in-house security team to track down, verify, and characterize attacks.
You'll also learn about the requirements for effective forensics on today's 10G and 40G networks.
And you'll learn some best practices for configuring captures to help you and your team pinpoint and remediate anomalous behavior that could signal an attack.
Transcript
• Cyber espionage up 3X
• Insiders stealing intellectual property
• Average time in 2012 to discover and resolve a data breach: 123 days
• 86% of security professionals consider incident detection time too slow
* Wade Baker, principal author of the 2014 Verizon Data Breach Investigations Report
– Give security teams evidence and insight
• A comprehensive record of network activity
• Powerful search and filtering tools for zeroing in on anomalies and attack details
– Enable security teams to act quickly
• Find proof of attacks
• Characterize attacks and stop them
– Who, what, where, when
• Solution: Packet Capture + Network Forensics
– Record, store, and analyze traffic
– Uncover and understand attacks so they can be stopped
– Tools include deep packet inspection, searches, filters, graphs, etc.
Full visibility into everything going in and out of your network
Applying Attack Intelligence and Deep Packet Inspection (DPI), WildPackets provides unprecedented visibility into network events, enabling security analysts to conduct full Root Cause Analysis (RCA).
At approximately 11:20am the IDS/IPS reports an nmap decoy attack; a number of phony addresses were used by nmap as source IPs in addition to the actual attack machine's IP.
Use network forensics to rewind the attack, saving all packets from 5 minutes before to 5 minutes after the report for detailed network analysis.
The internal security team has identified a previously undetected major security threat; the signature says it uses windows messenger service and has a UDP packet that contains “STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION…”
Immediately identify any and all systems on the network that have potentially been affected by the threat, even before the threat was initially detected
Incident Path Tracking
Using built-in peer-to-peer analytics, WildPackets' Incident Path Tracking can trace the sequence of conversations between every device on the network before and after the security event.
Result: Identify the security attack, in this case “denial of service”, the source of the attack, and all the affected devices
Hundreds of users of a wireless network in a large auditorium find they cannot maintain a VPN connection, nor can they reliably connect to the Internet; everyone seems to be affected
IDS/IPS reports no problems; assess overall network connectivity and look for anomalies
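The three analysis steps the scenarios above describe (rewinding to a window around the IDS report, searching the whole recording for a payload signature to find every affected host, and tracing conversations outward from the first affected device) can be shown on a small in-memory packet list. This is an added example, not WildPackets code; the addresses, timestamps and payloads are constructed, and the path-tracking rule is a simplified stand-in for the product's peer-to-peer analytics.

```python
from datetime import datetime, timedelta

# Constructed sample recording (not real capture data): one tuple per packet as
# (timestamp, src, dst, proto, dst_port, payload). 10.0.0.9 plays the attack
# machine, 10.0.0.50/.51 play nmap decoy sources, 10.0.0.200-.202 play hosts.
T0 = datetime(2014, 3, 12, 11, 20)          # time of the IDS/IPS report
SIG = b"STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION"
PACKETS = [
    (T0 - timedelta(minutes=7), "10.0.0.9",   "10.0.0.200", "UDP", 1026, SIG + b"..."),
    (T0 - timedelta(minutes=2), "10.0.0.9",   "10.0.0.200", "TCP", 22,   b""),
    (T0 - timedelta(minutes=2), "10.0.0.50",  "10.0.0.200", "TCP", 22,   b""),
    (T0 - timedelta(minutes=2), "10.0.0.51",  "10.0.0.200", "TCP", 22,   b""),
    (T0 + timedelta(minutes=1), "10.0.0.9",   "10.0.0.201", "UDP", 1026, SIG + b"..."),
    (T0 + timedelta(minutes=9), "10.0.0.201", "10.0.0.202", "UDP", 1026, SIG + b"..."),
]

def rewind(packets, alert_time, minutes=5):
    """Keep only packets from `minutes` before to `minutes` after the IDS report."""
    lo, hi = alert_time - timedelta(minutes=minutes), alert_time + timedelta(minutes=minutes)
    return [p for p in packets if lo <= p[0] <= hi]

def probe_sources(packets, target, port):
    """Every source seen hitting target:port, decoys included, so the analyst can
    compare the full list against the IDS report instead of trusting one address."""
    return sorted({src for _, src, dst, _, dport, _ in packets if dst == target and dport == port})

def affected_hosts(packets, signature=SIG):
    """Hosts that sent or received a UDP datagram carrying the signature, over the
    whole recording, so infections predating the first detection are found too."""
    hosts = set()
    for _, src, dst, proto, _, payload in packets:
        if proto == "UDP" and signature in payload:
            hosts.update((src, dst))
    return hosts

def incident_path(packets, first_host, first_seen):
    """Simplified incident path tracking: a device joins the path the first time it
    converses with a device already on the path, after that device was reached."""
    reached, path = {first_host: first_seen}, []
    for ts, src, dst, *_ in sorted(packets, key=lambda p: p[0]):
        for a, b in ((src, dst), (dst, src)):
            if a in reached and ts >= reached[a] and b not in reached:
                reached[b] = ts
                path.append((ts, a, b))
    return path

if __name__ == "__main__":
    window = rewind(PACKETS, T0)
    print(len(window), "packets in window; sources probing 10.0.0.200:22:", probe_sources(window, "10.0.0.200", 22))
    print("affected:", sorted(affected_hosts(PACKETS)))
    for ts, a, b in incident_path(PACKETS, "10.0.0.9", PACKETS[0][0]):
        print(ts.time(), a, "->", b)
```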
• Best Practice #1: Capture Traffic at Every Location
– Just as you wouldn't leave a building entrance unguarded, don't leave a network location unmonitored and unanalyzed.
• Best Practice #2: Capture Traffic 24/7
– Some attacks strike at odd hours.
• Best Practice #3: Configure Captures based on Anomalies
– Understand what’s normal (e.g., email coming from your email server), and automatically capture traffic that’s abnormal (e.g., email coming from your FTP server).
– Small capture files make it easy to zoom in on what’s wrong.
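Best Practice #3 amounts to a baseline of which server is expected to send which kind of traffic, plus a trigger that opens a small capture when a packet breaks that baseline. The script below is an added example, not WildPackets' capture configuration: the role table, service map and sample traffic are constructed, and "email coming from your FTP server" is the anomaly it is built around.

```python
# Constructed role baseline (assumed addresses): the services each server is
# expected to originate. Anything else from these hosts is treated as abnormal.
EXPECTED = {"10.0.0.25": {"smtp"}, "10.0.0.21": {"ftp", "ftp-data"}}
SERVICES = {25: "smtp", 587: "smtp", 21: "ftp", 20: "ftp-data", 53: "dns", 443: "https"}
# Client-side services any host may use without being flagged.
BASELINE_CLIENT = {"dns", "https"}

def classify(src, dport):
    """Return None when a packet matches what is normal for its source, else a reason."""
    service = SERVICES.get(dport, f"tcp/{dport}")
    if src not in EXPECTED or service in BASELINE_CLIENT or service in EXPECTED[src]:
        return None
    return f"{service} from {src}, which is expected to send only {sorted(EXPECTED[src])}"

def triggered_captures(packets, hold_seconds=60):
    """Open one small capture per anomalous flow (src, dst, dport): the triggering
    packet plus everything in that flow for hold_seconds afterwards. A packet in the
    same flow after the hold expires starts a fresh capture file."""
    captures, open_flows = [], {}
    for ts, src, dst, dport in packets:
        key = (src, dst, dport)
        if key in open_flows and ts <= open_flows[key]["until"]:
            open_flows[key]["packets"].append((ts, src, dst, dport))
            continue
        reason = classify(src, dport)
        if reason:
            open_flows[key] = {"reason": reason, "until": ts + hold_seconds,
                               "packets": [(ts, src, dst, dport)]}
            captures.append(open_flows[key])
    return captures

# Constructed sample traffic as (seconds, src, dst, dport).
SAMPLE = [
    (0,  "10.0.0.25", "203.0.113.7", 25),   # mail server sending mail: normal
    (5,  "10.0.0.21", "10.0.0.77",   20),   # ftp server, data channel: normal
    (9,  "10.0.0.21", "10.0.0.2",    53),   # ftp server doing DNS: baseline client use
    (12, "10.0.0.21", "203.0.113.9", 25),   # ftp server sending mail: anomaly, capture opens
    (40, "10.0.0.21", "203.0.113.9", 25),   # same flow inside the hold window: kept
    (90, "10.0.0.21", "203.0.113.9", 25),   # past the hold window: second capture
]

if __name__ == "__main__":
    for cap in triggered_captures(SAMPLE):
        print(cap["reason"], "->", len(cap["packets"]), "packet(s)")
```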
• Omnipliance TL: NOC or Data Center, 10G/40G, up to 128 TB with OmniStorage
• Omnipliance MX: Corporate Campus, 1G/10G, up to 32 TB
• Omnipliance CX: Branch Offices, 1G, up to 32 TB
More Power in a Smaller Footprint
– Captures up to 23 Gbps of real-world traffic
– Scales up to 128 TB of storage
– Requires half the rack space and power of competitive solutions
Greater Precision
– Captures network traffic with no data loss, so you can analyze everything, not just samples or high-level statistics
– Accurate metrics
– Rich analytics help pinpoint and characterize anomalies
– Enterprise-wide solution makes forensic analysis available at every location
Better Price/Performance
– Superior power and precision at a price significantly lower than other