Security Through Network Intelligence www.lancope.com Lancope StealthWatch Technology
Jan 14, 2016
About Lancope
3 years of focused research in flow-based network and security technologies.
StealthWatch evolved from research conducted by Dr. John Copeland at Georgia Tech
Based in Atlanta, GA
Flagship product: StealthWatch
- Real-time attacks inside your network (not signature based)
- Mitigation and documentation of real-time attacks
- Short- and long-term forensics
Why StealthWatch vs. other technology for your internal network
• Easy to deploy
• 1/3 to 1/2 the cost of other solutions
• Shows the performance and risks of your Enterprise NOC and SOC in real time.
• Not signature based
• Not perimeter based
• No multi-layer steps to get results
• StealthWatch is best at discovering, prioritizing and mitigating real-time worms, viruses and exploits in your internal network
• StealthWatch gives you network optimization and threat management for your Enterprise NOC and SOC
Why StealthWatch vs. other technology for your internal network?
Internal attacks on the rise! “The trend has been moving away from external to internal security” (security analysts, Wall Street Journal, June 2005)
Internal breaches (bandwidth consumption, policy violations, Trojans, zero-day attacks, application misuse and others) have caused:
• Service and system interruptions
• Data loss
• Intellectual property theft
• Major loss in company credibility
• Huge financial losses
Growth in internal attacks, from a survey of 600 companies in North America and Western Europe:
• 2003: up 30%
• 2004: up 50%
• 2005: could be up 75%
How to protect your environment from internal attacks?
• Organizations should establish a trusted behavior baseline for each machine on the network.
• Look for changes in each machine's current footprint behavior.
• If these procedures are implemented effectively, they can detect and protect systems against new malicious code, worms and other internal breaches.
(US Secret Service and Gov. CERT, May 2005)
How to protect your environment from internal attacks?
140+ existing customers…
- CVE contains 7819 vulnerabilities (Feb 2005)
- Most signature vendors block on about 150 signatures
- That’s 2%
- What about the other 98%?
(Chart: attacks blocked vs. attacks remaining)
Too Many Attack Vectors
“Given the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks. Therefore, as of 2004, we will no longer publish the number of incidents reported.”
- CERT
Signatures Can’t Keep Up
Attack frequency increases… …while the discovery-to-exploit window decreases.
(Chart: number of incidents reported per year, 1988 to 2003; y-axis from 0 to 150,000)
NetFlow provides “Mountaintop visibility”
“Flows” provide total visibility across a wide network range by collecting data from routers in varying locations. This gives StealthWatch total supervision over the network and the ability to track behavior throughout the network, from start to end.
BEHAVIOR RATHER THAN SIGNATURES
Analyze flows… Establish baseline… Alarm on changes in behavior…
• Number of concurrent flows
• Packets per second
• Bits per second
• New flows created
• Number of SYNs sent
• Time of day
• Number of SYNs received
• Rate of connection resets
• Duration of the flow
• <Many others>
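The baseline-and-alarm approach described on the two slides above (establish a trusted behavior baseline for each machine, then alarm when per-host flow metrics such as new flows created or SYNs sent move away from it), written out as an added example. This is not Lancope's or StealthWatch's code: the flow records, hosts, the metric subset, the three-standard-deviation threshold, the variance floor and the "score" accumulator are all constructed for illustration and are not StealthWatch's Concern Index algorithm.

```python
# Added example (not Lancope/StealthWatch code): per-host flow baselining with
# alarms on behaviour change. Flow records, hosts, thresholds and metric names
# below are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

METRICS = ("new_flows", "syns_sent", "distinct_dsts", "bytes")  # subset of the slide's list


@dataclass(frozen=True)
class Flow:
    minute: int      # minute offset within the observation window
    src: str         # host whose behaviour is baselined (flow initiator)
    dst: str
    dst_port: int
    syn: bool        # True if src sent the SYN (new outbound connection)
    nbytes: int


def per_host_minute_metrics(flows):
    """Aggregate raw flow records into {(host, minute): {metric: value}}."""
    agg = defaultdict(lambda: {"new_flows": 0, "syns_sent": 0, "bytes": 0, "dsts": set()})
    for f in flows:
        m = agg[(f.src, f.minute)]
        m["new_flows"] += 1
        m["syns_sent"] += int(f.syn)
        m["bytes"] += f.nbytes
        m["dsts"].add(f.dst)
    return {k: {"new_flows": m["new_flows"], "syns_sent": m["syns_sent"],
                "distinct_dsts": len(m["dsts"]), "bytes": m["bytes"]}
            for k, m in agg.items()}


def build_baseline(flows, minutes):
    """Per-host (mean, std-dev) of each per-minute metric over a training window.
    Minutes with no traffic count as zero, so a quiet host gets a tight baseline."""
    per_min = per_host_minute_metrics(flows)
    zeros = dict.fromkeys(METRICS, 0)
    baseline = {}
    for host in {src for src, _ in per_min}:
        series = {k: [per_min.get((host, t), zeros)[k] for t in range(minutes)] for k in METRICS}
        baseline[host] = {k: (mean(v), pstdev(v)) for k, v in series.items()}
    return baseline


def score_window(flows, minutes, baseline, k=3.0, floor=1.0):
    """Compare an observation window against the baseline.

    For every host/minute/metric, z = (value - mean) / max(std, floor). The host's
    score accumulates positive z (a rough concern counter) and an alarm is recorded
    when z exceeds k. Hosts never seen in training are reported as unknown devices
    instead of being scored against a baseline they do not have."""
    per_min = per_host_minute_metrics(flows)
    zeros = dict.fromkeys(METRICS, 0)
    result = {}
    for host in {src for src, _ in per_min}:
        if host not in baseline:
            result[host] = {"score": 0.0, "alarms": [(None, "unknown_host", 0)]}
            continue
        score, alarms = 0.0, []
        for t in range(minutes):
            obs = per_min.get((host, t), zeros)
            for metric in METRICS:
                mu, sigma = baseline[host][metric]
                z = (obs[metric] - mu) / max(sigma, floor)
                score += max(z, 0.0)
                if z > k:
                    alarms.append((t, metric, obs[metric]))
        result[host] = {"score": score, "alarms": alarms}
    return result


def constructed_training_flows(minutes=10):
    """Constructed: ten quiet minutes, two hosts each open 3 HTTPS flows/minute to 2 servers."""
    return [Flow(t, host, "10.0.1.%d" % (10 + i % 2), 443, True, 2000 + 100 * i)
            for t in range(minutes) for host in ("10.0.0.5", "10.0.0.9") for i in range(3)]


def constructed_test_flows():
    """Constructed: 10.0.0.5 unchanged; 10.0.0.9 fans out SYNs to 40 new hosts on
    TCP/445 in minute 0 (worm-like spread pattern); 10.0.0.77 was never baselined."""
    flows = [Flow(t, "10.0.0.5", "10.0.1.%d" % (10 + i % 2), 443, True, 2000 + 100 * i)
             for t in range(2) for i in range(3)]
    flows += [Flow(0, "10.0.0.9", "10.0.2.%d" % n, 445, True, 120) for n in range(1, 41)]
    flows += [Flow(1, "10.0.0.9", "10.0.1.%d" % (10 + i % 2), 443, True, 2000 + 100 * i)
              for i in range(3)]
    flows.append(Flow(1, "10.0.0.77", "10.0.1.10", 443, True, 900))
    return flows


def run_demo():
    baseline = build_baseline(constructed_training_flows(), minutes=10)
    return score_window(constructed_test_flows(), minutes=2, baseline=baseline)


if __name__ == "__main__":
    for host, r in sorted(run_demo().items()):
        print(host, round(r["score"], 1), r["alarms"])
```

Run it and the spreading host is alarmed on new_flows, syns_sent and distinct_dsts in minute 0 (its byte count actually drops below baseline, since SYN-only flows carry little data, which is why volume alone is a weak signal), the quiet host scores zero, and the unbaselined device is reported on its own. Two caveats apply to any deployment of this idea: the training window must itself be clean, or the malicious behaviour becomes the baseline, and a zero-variance baseline needs a floor (the `floor` parameter here) or the first change of any size produces an unbounded z-score and a false alarm.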
STEALTHWATCH: BEHAVIOR-BASED FLOW ANALYSIS
• Cost-effective, extended enterprise-wide protection and control
• Provides visibility into the “most significant” network behaviors
• Streamlines and shortens resolution time
• Powerful audit, compliance reporting and forensic capabilities
(Diagram: flow inputs from SPAN, NetFlow and Cisco native Ethernet; integration with SIM/SEM products (ArcSight, Guarded) and signature-based systems (ISS, Snort, etc.))
INFRASTRUCTURE IPS
StealthWatch Automated Mitigation
• Install Cisco PIX firewall rules
• Install Checkpoint firewall rules
• Inject Cisco Null0 route
• Customizable scripted response
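The “customizable scripted response” and “Null0 route” items above are where automated mitigation most often goes wrong in practice: a response script that black-holes whatever trips a threshold can just as easily cut off its own flow collector, the default gateway or a busy file server. The following is an added example, not Lancope's or StealthWatch's code, of a small response script that emits the Cisco IOS host route to Null0 only after checking a protected-address list, an automation scope and a minimum score, and that records the rollback command alongside it. The alarm dictionary, addresses, subnet and threshold are constructed for illustration.

```python
# Added example (not Lancope/StealthWatch code): a guarded "scripted response"
# that turns an alarmed host into a Cisco IOS Null0 host route. The protected
# list, automation scope, score threshold and alarm input are constructed.
import ipaddress

# Constructed: addresses that must never be black-holed automatically (the flow
# collector, the default gateway, internal DNS). In practice load these from config.
PROTECTED = {ipaddress.ip_address(a) for a in ("10.0.0.1", "10.0.0.2", "10.0.0.53")}
MONITORED = ipaddress.ip_network("10.0.0.0/16")   # constructed: scope of automation


def null0_route(host):
    """Cisco IOS host route (32-bit mask) sending traffic for one address to Null0."""
    ip = ipaddress.ip_address(host)
    return "ip route %s 255.255.255.255 Null0" % ip


def plan_mitigation(alarms, min_score=50.0):
    """Decide, per alarmed host, whether to emit a Null0 route or refuse and say why.

    `alarms` is {host: {"score": float}} as produced by a behaviour-based detector.
    Returns {host: ("mitigate", [commands]) or ("skip", reason)}. The rollback
    command is emitted with the route so an operator can undo a false positive."""
    plan = {}
    for host, info in alarms.items():
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            plan[host] = ("skip", "not an IP address")
            continue
        if ip in PROTECTED:
            plan[host] = ("skip", "protected infrastructure address")
        elif ip not in MONITORED:
            plan[host] = ("skip", "outside automation scope")
        elif info["score"] < min_score:
            plan[host] = ("skip", "score below auto-mitigation threshold")
        else:
            plan[host] = ("mitigate", [null0_route(ip), "! rollback: no " + null0_route(ip)])
    return plan


def constructed_alarms():
    """Constructed detector output covering each branch of plan_mitigation."""
    return {
        "10.0.0.9":    {"score": 112.0},   # genuine spreading host: mitigate
        "10.0.0.5":    {"score": 0.0},     # quiet host: below threshold
        "10.0.0.1":    {"score": 300.0},   # gateway tripping the baseline: never black-hole
        "192.168.7.7": {"score": 99.0},    # outside the automated scope
        "fileserver":  {"score": 80.0},    # a name, not an address: refuse
    }


if __name__ == "__main__":
    for host, (action, detail) in sorted(plan_mitigation(constructed_alarms()).items()):
        print(host, action, detail)
```

Two design points are worth carrying into a real deployment: the protected list should include every address whose loss would blind or isolate the SOC, and the threshold should be above the score a single noisy minute can produce, so that the automated path only fires on sustained deviation while lower scores go to an analyst.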
STM Features: Supported Security Devices
Devices              | Vendors                                                                                       | Customer
Firewalls            | Checkpoint NG, NGAI, Provider 1; Cisco PIX; Cyberguard; Lucent Brick; Juniper; Symantec Enterprise |
Routers and switches | Cisco; Extreme; Juniper; Foundry                                                              |
Forensics            | Flow Analysis Server                                                                          |
IDS/IPS              | ISS RealSecure, Workgroup Manager, Site Protector; Cisco Secure IDS v4 (RDEP); Enterasys Dragon; Snort; Symantec Manhunt; nCircle IP360; TopLayer Mitigator IPS; Netscreen Firewall/IDS; Network Associates Intrushield |
Locations | Main Data Centers | Customer
• How many main data centers do you manage?
• How many DCs would you want to monitor with StealthWatch?
• Do you want to have the NOC and SOC monitored?
• How many remote locations do you have?
• What kind of connections do you have to those remote locations?
(StealthWatch Rack Mountable 1U Appliance)
StealthWatch Product Line
• M250: Designed for fast Ethernet networks
• M45: Designed for DS3 links or underutilized fast Ethernet connections
• G1: Designed for networks with speeds up to one gigabit per second
• Xe-1000: Midrange StealthWatch NetFlow Collector
• Xe-500: Entry-level StealthWatch NetFlow Collector
• Xe-2000: High-end StealthWatch NetFlow Collector
• SMC: Collects and manages multiple StealthWatch and StealthWatch Xe appliances
Deployment: How do we collect flows?
StealthWatch Xe: Monitor Remote Locations
12 IDP/IPS Sensors Required
1 StealthWatch Xe Required
Overcome complex deployments and cost
8 Inline IPS @ $64,995: $519,960
1 NetFlow-based Xe-2000: <$50,000
(Diagram: multiple inline IPS appliances versus a single Xe-2000)
PRE-EXISTING CONDITIONS ARE DETECTED
Concern Index
FLOW VISUALIZATION
StealthWatch Solution
StealthWatch is a fast, accurate and cost-effective solution that immediately detects malicious or unauthorized network activity, including new and otherwise unidentifiable threats. As a network-based system, StealthWatch overcomes the cost and complexity of deploying and maintaining signature- or host-based systems. With StealthWatch, organizations can now identify and resolve network exposures, such as new, misconfigured or unauthorized devices and applications. These threats, which include rogue servers and P2P file sharing applications, result in 65% of network risks, according to a Gartner estimate. When unpreventable network events or host infections occur, StealthWatch detects and contains the incident while delivering critical insight that accelerates resolution and minimizes damage.
Problems Solved: Network Security Problems Addressed
• Cost and complexity reduced
• Prioritization and visibility across the entire network
• NOC and SOC reaction time
• Detect and mitigate zero-day attacks inside your network
Next Steps for your Company and Lancope
• NDA
• Evaluation
• References