<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

    <channel>
    
    <title>NetFlow Ninjas Blog</title>
    <link>http://www.lancope.com/blog</link>
    <description>A blog for all things related to NetFlow, sFlow, IPFIX and other flow-based network monitoring technologies.</description>
    <dc:language>en</dc:language>
    <dc:creator>info@lancope.com</dc:creator>
    <dc:rights>Copyright 2013</dc:rights>
    <dc:date>2013-05-13T14:23:54+00:00</dc:date>
    <admin:generatorAgent rdf:resource="http://expressionengine.com/" />
    

    <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/NetflowNinjas" /><feedburner:info uri="netflowninjas" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
      <title>Why Duplicate Flows Are A Good Thing</title>
      <link>http://feedproxy.google.com/~r/NetflowNinjas/~3/xlN4RCsOMxM/</link>
      <guid isPermaLink="false">http://www.lancope.com/blog/duplicate-flows/#When:14:23:54Z</guid>
      <description>&lt;p&gt;
	Many people ask about the &amp;ldquo;problem&amp;rdquo; of duplicate flows. They come from the point of view that duplicate flows are inefficient, redundant and a drain on resources, and therefore should be eliminated. Duplicate flows are inherent in a NetFlow collection strategy, and I would argue that they are a good thing. Here&amp;rsquo;s why&amp;hellip;&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;
		&lt;strong&gt;Network flows equal visibility, and you can never have too much visibility.&lt;/strong&gt; Flow data provides vital network traffic data and statistics for router and switch interfaces at each layer of the network. This allows for Layer 3, 4 and 7 data to be analyzed at each interface for troubleshooting, bandwidth consumption, capacity planning, network segmentation analysis, and more. Additionally, important data including MPLS information, BGP and peering data is collected at the edge. From inside the network, Quality of Service and VLAN information is available. No matter where you collect NetFlow, you obtain crucial data such as packet counts, byte counts, flags, L4 port information and much more.&lt;/li&gt;
	&lt;li&gt;
		&lt;strong&gt;Different flows for different things.&lt;/strong&gt; Flow telemetry has matured to provide much more than the original network metadata such as source/destination IP, port and protocol information. Some flow exports today include fields such as application type (Packeteer-2, NBAR, &lt;a href="http://www.lancope.com/products/stealthwatch-system/flowsensor/"&gt;StealthWatch FlowSensor&lt;/a&gt;, Palo Alto); firewall drops/permits (Cisco ASA, Palo Alto, SonicWALL); NAT/PAT translations (Cisco ASA, ASR); username (Palo Alto) and even payload capture (StealthWatch FlowSensor, sFlow). In some cases, NetFlow is the only source of real visibility &amp;ndash; for example, in virtualized environments where most data traffic never leaves the host.&lt;/li&gt;
	&lt;li&gt;
		&lt;strong&gt;Collecting flows at all layers of the network provides a holistic, 360&amp;deg; view.&lt;/strong&gt; The information provided by NetFlow is essential for teams across functions including operations, analysis, security policy, incident response, compliance, etc. Removing NetFlow reduces your overall situational awareness and your ability to react to changing conditions both inside your network and on the Internet.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;
	&lt;a href="http://www.lancope.com/files/duplicate_flows_13.jpg" target="_blank"&gt;&lt;img alt="" height="33" src="http://www.lancope.com/files/duplicate_flows_13.jpg" width="550" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;
	&lt;em&gt;Click to see larger image. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;
	Receiving and processing duplicate flows is an inherent and essential part of a mature flow collection strategy. NetFlow provides critical telemetry data at almost every hop in the network. When properly analyzed with advanced monitoring solutions like &lt;a href="http://www.lancope.com/products/"&gt;Lancope&amp;rsquo;s StealthWatch System&lt;/a&gt;, NetFlow can give you the clearest, most concise picture of what is going on inside the network at any given time. It is invaluable for both real-time threat detection and network forensic analysis.&lt;/p&gt;
&lt;p&gt;
	Click &lt;a href="http://www.lancope.com/solutions/network-operations/network-visibility/"&gt;here&lt;/a&gt; for more information on leveraging NetFlow for comprehensive network visibility and security.&lt;/p&gt;</description>
      <dc:subject><![CDATA[NetFlow, Network Performance Monitoring, Network Security, Network Visibility, StealthWatch,]]></dc:subject>
      <dc:date>2013-05-13T14:23:54+00:00</dc:date>
    <feedburner:origLink>http://www.lancope.com/blog/duplicate-flows/#When:14:23:54Z</feedburner:origLink></item>

    <item>
      <title>SCADA Security Webinar Next Week</title>
      <link>http://feedproxy.google.com/~r/NetflowNinjas/~3/CvXfj5OW-Zc/</link>
      <guid isPermaLink="false">http://www.lancope.com/blog/scada-webinar/#When:13:48:58Z</guid>
      <description>&lt;p&gt;
	Lancope will host a &lt;a href="http://www.lancope.com/company-overview/webinar/scada-security/" target="_blank"&gt;complimentary webinar&lt;/a&gt; next Wednesday, May 15 to discuss SCADA security. The security risks tied to SCADA systems have often been debated, and sometimes even denied. What&amp;rsquo;s more, the inherent nature of control systems prevents organizations from applying many of the conventional strategies that have been used to protect other kinds of computer networks.&lt;/p&gt;
&lt;p&gt;
	The threats to SCADA systems are indeed real, and are especially challenging to address. Join Lancope&amp;rsquo;s director of security research, Tom Cross, to learn about:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;
		The state of control system security vulnerabilities&lt;/li&gt;
	&lt;li&gt;
		Attack activity that is prompting a change in perspective&lt;/li&gt;
	&lt;li&gt;
		The unique, long term challenges associated with protecting SCADA networks&lt;/li&gt;
	&lt;li&gt;
		How anomaly detection can play a key role in protecting SCADA systems now&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
	The webinar, &amp;ldquo;SCADA Security: The Five Stages of Cyber Grief,&amp;rdquo; will take place at 11:00 a.m. Eastern on May 15. Click &lt;a href="http://www.lancope.com/company-overview/webinar/scada-security/" target="_blank"&gt;here&lt;/a&gt; to register.&lt;/p&gt;</description>
      <dc:subject><![CDATA[Network Security, Network Visibility,]]></dc:subject>
      <dc:date>2013-05-08T13:48:58+00:00</dc:date>
    <feedburner:origLink>http://www.lancope.com/blog/scada-webinar/#When:13:48:58Z</feedburner:origLink></item>

    <item>
      <title>Emerging Threats and Cyber Defense Symposium</title>
      <link>http://feedproxy.google.com/~r/NetflowNinjas/~3/j-pKUsg0YG8/</link>
      <guid isPermaLink="false">http://www.lancope.com/blog/cyber-defense-symposium/#When:14:32:10Z</guid>
      <description>&lt;p&gt;
	This week, Lancope&amp;rsquo;s director of security research, Tom Cross, will speak at the &lt;a href="http://www.teamscires.com/di-ctwg/PDFs/2013_SymposiumProgramGuide.pdf" target="_blank"&gt;Emerging Threats and Cyber Defense Symposium&lt;/a&gt; presented by the FBI and the Atlanta-based Defense Industry Cyber Threat Working Group (DI-CTWG). Taking place May 8-9 at the Georgia Tech Research Institute, the invitation-only event features sessions led by recognized security experts to help IT professionals better understand current and emerging cyber threats.&lt;/p&gt;
&lt;p&gt;
	Tom Cross will speak on Thursday, May 9 on the growing issue of insider threats. He will discuss how to spot insider threats within an organization, identify their network activity, and protect valuable infrastructure and assets against them. Cross has over a decade of experience as a security researcher and thought leader. Prior to joining Lancope, he served as manager of the IBM X-Force Advanced Research team. He is credited with discovering a number of critical security vulnerabilities and frequently speaks on security issues at conferences around the world.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;
	The intended audience for the upcoming symposium includes CIOs, CISOs, security and IT professionals at defense contractors, critical infrastructure companies, government organizations, law enforcement, and IT security and research organizations. Further information on the event can be found &lt;a href="http://www.teamscires.com/di-ctwg/" target="_blank"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;
	Click &lt;a href="http://www.lancope.com/solutions/security-threats/insider-threats/" target="_blank"&gt;here&lt;/a&gt; to learn more about how to combat rising insider threats.&lt;/p&gt;</description>
      <dc:subject><![CDATA[Network Security, Network Visibility,]]></dc:subject>
      <dc:date>2013-05-07T14:32:10+00:00</dc:date>
    <feedburner:origLink>http://www.lancope.com/blog/cyber-defense-symposium/#When:14:32:10Z</feedburner:origLink></item>

    <item>
      <title>NetFlow Training Courses in May</title>
      <link>http://feedproxy.google.com/~r/NetflowNinjas/~3/3jHNU30Qjek/</link>
      <guid isPermaLink="false">http://www.lancope.com/blog/may-netflow-training-courses/#When:19:53:08Z</guid>
      <description>&lt;p&gt;
	Lancope&amp;rsquo;s &lt;a href="http://www.lancope.com/company-overview/university-of-netflow/" target="_blank"&gt;University of NetFlow&lt;/a&gt; will offer four training courses in May in Boston, Montreal, Minneapolis and Chicago. Attendees will learn how to harness the power of NetFlow for dramatically improved network security and risk posture.&lt;/p&gt;
&lt;p&gt;
	Responding to today&amp;rsquo;s network and security challenges requires a new approach. Organizations can no longer prevent every attack from entering the network, but must instead focus on quickly detecting and mitigating attacks that bypass perimeter defenses. By collecting and analyzing flow data with advanced monitoring solutions like &lt;a href="http://www.lancope.com/products/" target="_blank"&gt;Lancope&amp;rsquo;s StealthWatch System&lt;/a&gt;, organizations can achieve unprecedented network visibility and security intelligence for combating today&amp;rsquo;s sophisticated threats.&lt;/p&gt;
&lt;p&gt;
	Join Lancope and discover the benefits of NetFlow through complimentary presentations, best practice discussions and hands-on labs. Learn how flow-based monitoring can help fill in the gaps left by conventional solutions for advanced detection of APTs, insider threats, zero-day malware and other attacks lurking inside the network.&lt;/p&gt;
&lt;p&gt;
	Specific dates for the seminars include:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;
		May 2 - &lt;a href="http://www.lancope.com/company-overview/university-of-netflow/boston-edition/" target="_blank"&gt;Boston&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;
		May 3 - &lt;a href="http://www.lancope.com/company-overview/university-of-netflow/montreal-edition/" target="_blank"&gt;Montreal&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;
		May 16 - &lt;a href="http://www.lancope.com/company-overview/university-of-netflow/minneapolis-edition/" target="_blank"&gt;Minneapolis&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;
		May 17 - &lt;a href="http://www.lancope.com/company-overview/university-of-netflow/chicago-edition/" target="_blank"&gt;Chicago&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
	For more information on the University of NetFlow, or to see future seminar dates, click &lt;a href="http://www.lancope.com/company-overview/university-of-netflow/" target="_blank"&gt;here&lt;/a&gt;.&lt;/p&gt;</description>
      <dc:subject><![CDATA[NetFlow, Network Performance Monitoring, Network Security, Network Visibility, StealthWatch,]]></dc:subject>
      <dc:date>2013-04-30T19:53:08+00:00</dc:date>
    <feedburner:origLink>http://www.lancope.com/blog/may-netflow-training-courses/#When:19:53:08Z</feedburner:origLink></item>

    <item>
      <title>Lancope’s Analysis of the Verizon 2013 Data Breach Report</title>
      <link>http://feedproxy.google.com/~r/NetflowNinjas/~3/rFfGqlxIdhs/</link>
      <guid isPermaLink="false">http://www.lancope.com/blog/verizon-breach-report/#When:15:46:00Z</guid>
      <description>&lt;p&gt;
	Verizon has recently published the 2013 edition of its highly regarded &lt;a href="http://www.verizonenterprise.com/DBIR/2013/" target="_blank"&gt;Data Breach Investigations Report&lt;/a&gt;. Including analysis of more than 47,000 reported security incidents and 621 confirmed data breaches, the report reveals some very telling statistics and trends involving cyber security. Most importantly, it points to the fact that incident response and network surveillance need to be playing a much bigger role in organizations&amp;rsquo; overall security strategies.&lt;/p&gt;
&lt;p&gt;
	&lt;strong&gt;Insider Threats and APTs&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;
	First of all, the report points out that 14% of breaches were perpetrated by insiders, and 19% were attributed to state-sponsored actors. These two types of attackers are very difficult to detect with conventional perimeter- or signature-based security controls. Insiders are already trusted entities on your network, and don&amp;rsquo;t need to bypass any traditional security measures at all to start stealing data or doing bad things to your infrastructure. Meanwhile, state-sponsored attackers (aka the Advanced Persistent Threat, or APT) are known to employ stealthy methods for bypassing the perimeter and getting inside networks without even using malware that would be detected by conventional defenses.&lt;/p&gt;
&lt;p&gt;
	In fact, 76% of the breaches analyzed by Verizon used weak or stolen credentials to gain network access, and 29% used social engineering tactics. Additionally, more than 95% of all state-sponsored espionage attacks used phishing as a means of infiltrating target systems. The only way to defend against these rising classes of attackers (insiders and APTs) is to know what is going on inside your network and be able to detect suspicious behaviors that could signify risk.&lt;/p&gt;
&lt;p&gt;
	&lt;strong&gt;The Importance of Incident Response&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;
	According to the Verizon report, &amp;ldquo;Prevention is crucial, and we can&amp;rsquo;t lose sight of that goal. But we must accept the fact that no barrier is impenetrable, and detection/response represents an extremely critical line of defense. Let&amp;rsquo;s stop treating it like a backup plan if things go wrong, and start making it a core part of THE plan.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;
	Verizon also points to NetFlow specifically as a &amp;ldquo;useful investigative resource.&amp;rdquo; By collecting and analyzing NetFlow and other types of flow data, &lt;a href="http://www.lancope.com/products/" target="_blank"&gt;Lancope&amp;rsquo;s StealthWatch System&lt;/a&gt; provides a complete picture of network activity to detect threats lurking inside the network as well as conduct forensic investigations to help prevent subsequent attacks.&lt;/p&gt;
&lt;p&gt;
	&lt;a href="http://www.verizonenterprise.com/DBIR/2013/" target="_blank"&gt;&lt;img alt="Source: Verizon (http://www.verizonenterprise.com/DBIR/2013/)" height="308" src="http://www.lancope.com/files/verizon_report_1.jpg" width="474" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;
	&lt;em&gt;This snippet from the Verizon report discusses the value of NetFlow for investigating and preventing future breaches.&lt;/em&gt; (Source: Verizon)&lt;/p&gt;
&lt;p&gt;
	&lt;strong&gt;Network Visibility Is Key&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;
	&lt;a href="http://blogs.forrester.com/rick_holland/13-04-22-observations_on_the_2013_verizon_data_breach_investigations_report" target="_blank"&gt;Forrester&lt;/a&gt; also drove this point home in its analysis of the Verizon report, calling out network visibility providers such as Lancope as a key component for identifying many steps of the sophisticated attacker&amp;rsquo;s &amp;ldquo;kill chain.&amp;rdquo; Forrester&amp;rsquo;s Rick Holland states, &amp;ldquo;A Network Analysis and Visibility (NAV) solution should be deployed within your environment. When preventive controls fail, and we know they will, we need strong detective controls. These solutions can detect delivery, command and control as well as exfiltration.&amp;rdquo; He then lists several vendors, including Lancope, that can make a difference in this regard.&lt;/p&gt;
&lt;p&gt;
	Overall, the Verizon report is a very valuable document for any organization. With 66% of breaches taking months or more to discover (according to the report), it serves as a great reminder that status quo security measures are no longer enough in this day and age. Security teams must play a more active role in protecting their networks, employing tools like flow-based monitoring that provide comprehensive network visibility and security intelligence, and continuously analyzing that intelligence to improve threat detection and incident response.&lt;/p&gt;
&lt;p&gt;
	&lt;a href="http://www.verizonenterprise.com/DBIR/2013/" target="_blank"&gt;&lt;img alt="Source: Verizon (http://www.verizonenterprise.com/DBIR/2013/)" src="http://www.lancope.com/files/verizon_report_image.jpg" style="width: 400px; height: 224px;" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;
	&lt;em&gt;This figure from the report shows that organizations are unfortunately no longer making progress when it comes to early threat detection. &lt;/em&gt;(Source: Verizon)&lt;/p&gt;
&lt;p&gt;
	For more information on using NetFlow for thwarting advanced attacks, see our new white paper, &lt;a href="http://www.lancope.com/resource-center/white-papers/internal-network-visibility-for-apts-insiderthreats/" target="_blank"&gt;&amp;ldquo;Internal Network Visibility for APTs and Insider Threats.&amp;rdquo;&lt;/a&gt;&lt;/p&gt;</description>
      <dc:subject><![CDATA[In The News, NetFlow, Network Security, Network Visibility, StealthWatch,]]></dc:subject>
      <dc:date>2013-04-29T15:46:00+00:00</dc:date>
    <feedburner:origLink>http://www.lancope.com/blog/verizon-breach-report/#When:15:46:00Z</feedburner:origLink></item>

    <item>
      <title>StealthWatch Is Not a Four-Letter Word</title>
      <link>http://feedproxy.google.com/~r/NetflowNinjas/~3/zAE9qbWqb9o/</link>
      <guid isPermaLink="false">http://www.lancope.com/blog/stealthwatch-is-not-a-four-letter-word/#When:18:40:11Z</guid>
      <description>&lt;p&gt;
	I speak with a fair number of people at meetings, events and tradeshows about why flow-based network and security visibility is an important tool to have in your bag. One of the most common questions I get right up front when discussing why &lt;a href="http://www.lancope.com/products/"&gt;Lancope&amp;rsquo;s StealthWatch System&lt;/a&gt; fills this need is something along the lines of, &amp;ldquo;so, you&amp;rsquo;re a SIEM?&amp;rdquo; Or a statement like &amp;ldquo;but I already have a SIEM&amp;rdquo; or &amp;ldquo;my SIEM already collects NetFlow.&amp;rdquo; This, of course, leads us down a rabbit hole about how StealthWatch differs from a SIEM, addresses some common problems associated with SIEMs, and often complements an existing SIEM investment. After thinking about it, there are common threads in every one of these discussions that I thought I&amp;rsquo;d write a little bit about here.&lt;/p&gt;
&lt;h3&gt;
	What&amp;rsquo;s a SIEM (for the uninitiated)?&lt;/h3&gt;
&lt;p&gt;
	A &lt;strong&gt;SIEM &lt;/strong&gt;(&lt;strong&gt;S&lt;/strong&gt;ecurity&lt;strong&gt; I&lt;/strong&gt;nformation and&lt;strong&gt; E&lt;/strong&gt;vent &lt;strong&gt;M&lt;/strong&gt;anagement system) is a software- or appliance-based technology that correlates input from various sources (log files, SNMP, even NetFlow in some cases) in order to identify patterns within the data that may point to an anomalous event. There are some very good SIEMs out there: HP&amp;rsquo;s ArcSight, IBM&amp;rsquo;s Q1 Labs QRadar, RSA enVision, LogRhythm, and others. Cruise the rows of vendors at just about any security-themed tradeshow and you&amp;rsquo;ll undoubtedly run into several SIEMs.&lt;/p&gt;
&lt;p&gt;
	Correlating a spike in interface utilization with a Syslog message noting that a user logged into a host from a previously unknown source may be interesting, for instance. If it never happened before, it may be even more interesting. If the host was a build server containing your source code, it may be more interesting (concerning) still. This is a simplistic example of the things that a SIEM may correlate, but it nevertheless demonstrates how this type of knowledge can be useful.&lt;br /&gt;
	&lt;br /&gt;
	&lt;em&gt;(As a side note and interesting bit of trivia, Lancope&amp;rsquo;s CTO Amrit Williams &lt;a href="https://techbuddha.wordpress.com/2007/01/01/the-future-of-siem-%E2%80%93-the-market-will-begin-to-diverge/"&gt;coined the term&lt;/a&gt; &amp;lsquo;&lt;strong&gt;SIEM&lt;/strong&gt;&amp;rsquo; during his tenure at Gartner back in 2005.)&lt;/em&gt;&lt;/p&gt;
&lt;h3&gt;
	The SIEM problem&lt;/h3&gt;
&lt;p&gt;
	SIEMs are very good at what they do, and I would suggest that security organizations with the requisite infrastructure, time and money invest in one; however, there are a few inherent problems with relying solely on data provided by a SIEM. Understanding these problems can not only help you better utilize your SIEM, but also know how to augment the data it provides (or in some cases, doesn&amp;rsquo;t provide).&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;
		&lt;p&gt;
			&lt;em&gt;SIEMs only provide intelligence about the information which they are fed&lt;/em&gt;&lt;br /&gt;
			&lt;br /&gt;
			Are you sure that everything on your network is sending information to your SIEM? Are there areas of your network or hosts that you&amp;rsquo;re not getting that information from? Do you have a policy in place internally to ensure that new system resources are provisioned in such a way that your SIEM will collect data from them? Your SIEM cannot correlate against data that it is not fed, and when we begin focusing at a host level, this could mean hundreds, thousands, or hundreds of thousands of hosts that need to be feeding this information to provide complete visibility.&lt;/p&gt;
	&lt;/li&gt;
	&lt;li&gt;
		&lt;p&gt;
			&lt;em&gt;Compromised hosts are no longer a reliable source of log data.&lt;/em&gt;&lt;br /&gt;
			&lt;br /&gt;
			When a host on your network becomes compromised (either via something as nefarious as targeted malware or as simplistic as user recklessness), that host&amp;rsquo;s log data can no longer be trusted and must be taken with a grain of salt. After all, malware doesn&amp;rsquo;t want to advertise its own presence, and altering what gets logged to a Windows Event Log, for instance, might be an attempt at covering its tracks.&lt;/p&gt;
	&lt;/li&gt;
	&lt;li&gt;
		&lt;p&gt;
			&lt;em&gt;Scale and cost.&lt;/em&gt;&lt;br /&gt;
			&lt;br /&gt;
			There&amp;rsquo;s no way around it: SIEMs can get spendy. Scaling a SIEM to your organization&amp;rsquo;s requirements for true visibility can be an expensive endeavor, and in some cases prohibitively so. Many SIEM vendors tend to license by events per second (or similar), and as the SIEM begins monitoring more and more aspects of your network, the cost rises. It may be difficult to size a SIEM for what you truly need within your organization&amp;rsquo;s budget, and you may notice that the level of visibility you truly require is out of your price range and would only grow more expensive as your organization grows.&lt;/p&gt;
	&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;
	Some SIEMs Collect NetFlow&lt;/h4&gt;
&lt;p&gt;
	Some SIEM vendors have begun collecting &lt;a href="http://www.lancope.com/solutions/security-operations/benefits-of-netflow/"&gt;NetFlow&lt;/a&gt; and correlating it with the other types of data their products aggregate. This is a pretty good idea, but again, scale and cost may come into play. Often (though not universally), a SIEM may not be able to collect NetFlow at the rate at which your network is able to generate it. Your SIEM may consider each flow record an event, which may count against your license. Each NetFlow record from each device may not be logically associated with the larger conversation that&amp;rsquo;s traversing your network (something StealthWatch does, called flow stitching), leaving a pile of data to sift through. SIEMs may also be limited in terms of the types of network behavior that they can identify from the flow data they collect.&lt;br /&gt;
	&lt;br /&gt;
	&lt;a href="http://www.lancope.com/products/stealthwatch-system/"&gt;StealthWatch&lt;/a&gt; is designed for handling huge volumes of flow records, deduplicating them, stitching them, assigning each observed host on the network various indexes based on that host&amp;rsquo;s current and prior behavior, alarming on all of it, and, if you want, sending all of that alarm intelligence right into your SIEM as another Syslog source. At this point, you&amp;rsquo;re taking in intelligence from your flow data, and not just the raw flow data itself.&lt;/p&gt;
&lt;h3&gt;
	Peeling Back the Onion&lt;/h3&gt;
&lt;p&gt;
	StealthWatch allows for &lt;a href="http://www.lancope.com/solutions/security-operations/"&gt;complete network visibility&lt;/a&gt; using devices you already have. If a device supports NetFlow (or some type of flow), you are able to gain visibility from that point on your network simply by turning it on. The more places you enable it, the better the fidelity of the picture that StealthWatch is ultimately going to draw of your network. StealthWatch is not limited by what you are feeding it at the host level &amp;ndash; a host&amp;rsquo;s communication across the network will be made visible whether that communication was due to legitimate host activity, targeted malware, or something in between.&lt;/p&gt;
&lt;p&gt;
	Flow collection bridges the gap between packet capture and SIEMs. Collecting NetFlow can provide a complete repository of host-to-host communication down to the leaf nodes on your network, and this level of visibility is critical for making sense of today&amp;rsquo;s complex threats. Deploying comprehensive internal packet capture for complete visibility is nearly impossible from a cost and storage standpoint, so packet capture is much better suited for targeted deployment, while a SIEM is better designed for painting a very large picture. Why not complete the picture by collecting NetFlow with StealthWatch?&lt;/p&gt;
&lt;p&gt;
	For more information on filling in network visibility and security gaps with StealthWatch, go to: &lt;a href="http://www.lancope.com/resource-center/white-papers/filling-in-the-gaps-with-stealthwatch/"&gt;http://www.lancope.com/resource-center/white-papers/filling-in-the-gaps-with-stealthwatch/&lt;/a&gt;.&lt;/p&gt;
</description>
      <dc:subject><![CDATA[Flexible NetFlow, General Interest, Integrations, NetFlow, Network Performance Monitoring, Network Security, Network Visibility, sFlow, StealthWatch,]]></dc:subject>
      <dc:date>2013-04-26T18:40:11+00:00</dc:date>
    <feedburner:origLink>http://www.lancope.com/blog/stealthwatch-is-not-a-four-letter-word/#When:18:40:11Z</feedburner:origLink></item>

    <item>
      <title>Social Media Threats Webinar - Hosted by Lancope</title>
      <link>http://feedproxy.google.com/~r/NetflowNinjas/~3/JaejA96G0os/</link>
      <guid isPermaLink="false">http://www.lancope.com/blog/social-engineering-webinar/#When:17:01:53Z</guid>
      <description>&lt;p&gt;
	This week, Lancope will host a &lt;a href="http://www.lancope.com/company-overview/webinar/linkedin-to-your-network-the-social-engineering-threat/"&gt;free webinar&lt;/a&gt; on the threats to network infrastructure posed by various social media channels. Join Lancope&amp;rsquo;s Joey Muniz, aka The Security Blogger, to hear about his real-life experiments in using social media to easily compromise high-profile targets.&lt;/p&gt;
&lt;p&gt;
	Unfortunately, attackers are often successful in breaching large enterprises by targeting specific individuals and utilizing social engineering to obtain confidential information. By collecting enough sensitive data, attackers can then easily bypass conventional security defenses and obtain the &amp;ldquo;keys to the kingdom.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;
	Learn how attackers are leveraging social media and how to defend your network against this growing threat. The webinar will take place on Thursday, April 25 at 11:00 a.m. Eastern. Click &lt;a href="http://www.lancope.com/company-overview/webinar/linkedin-to-your-network-the-social-engineering-threat/"&gt;here&lt;/a&gt; for further details or to register.&lt;/p&gt;</description>
      <dc:subject><![CDATA[Network Security, Network Visibility,]]></dc:subject>
      <dc:date>2013-04-22T17:01:53+00:00</dc:date>
    <feedburner:origLink>http://www.lancope.com/blog/social-engineering-webinar/#When:17:01:53Z</feedburner:origLink></item>

    <item>
      <title>Free Trial of StealthWatch FlowReplicator</title>
      <link>http://feedproxy.google.com/~r/NetflowNinjas/~3/LMX6xDoIqUc/</link>
      <guid isPermaLink="false">http://www.lancope.com/blog/flowreplicator-trial/#When:17:46:15Z</guid>
      <description>&lt;p&gt;
	Lancope is now offering a &lt;a href="http://www.lancope.com/company-overview/press-releases/flowreplicator-trial/"&gt;free trial&lt;/a&gt; of its StealthWatch FlowReplicator. Available as either a standalone solution or as part of a larger StealthWatch deployment, the FlowReplicator enables both novice and advanced NetFlow users to significantly improve their security posture and network operations by making it easy to collect flow data for analysis and reporting. By aggregating and providing a single, standardized destination for NetFlow, IPFIX, sFlow, Syslog and SNMP information, the FlowReplicator greatly simplifies the integration of multiple types of network and security data within large enterprises.&lt;/p&gt;
&lt;p&gt;
	The FlowReplicator free trial is a fast, easy way to begin experiencing the power of NetFlow for enhanced security, forensics, performance and compliance. To access the free trial, go to: &lt;a href="http://www.lancope.com/trials/fr/"&gt;http://www.lancope.com/trials/fr/&lt;/a&gt;. Further information on the product can be found at: &lt;a href="http://www.lancope.com/products/stealthwatch-flowreplicator/"&gt;http://www.lancope.com/products/stealthwatch-flowreplicator/&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;
	&lt;em&gt;*VMware vSphere v4.x or v5.x infrastructure required to deploy trial.&lt;/em&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/NetflowNinjas/~4/LMX6xDoIqUc" height="1" width="1"/&gt;</description>
      <dc:subject><![CDATA[NetFlow, Network Performance Monitoring, Network Security, Network Visibility, Press Releases, StealthWatch,]]></dc:subject>
      <dc:date>2013-04-17T17:46:15+00:00</dc:date>
    <feedburner:origLink>http://www.lancope.com/blog/flowreplicator-trial/#When:17:46:15Z</feedburner:origLink></item>

    <item>
      <title>In Network Security, the Best Defense Is a Good Offense</title>
      <link>http://feedproxy.google.com/~r/NetflowNinjas/~3/rIi-jX0yUzI/</link>
      <guid isPermaLink="false">http://www.lancope.com/blog/in-network-security-the-best-defense-is-a-good-offense/#When:01:47:13Z</guid>
      <description>&lt;h3&gt;
	Network Security and the NCAA&lt;/h3&gt;
&lt;p&gt;
	&lt;span style="line-height: 1.5em;"&gt;With the conclusion of March Madness and the success of Michigan breakout star, Mitch McGary, as both a great defensive and offensive player, I&amp;rsquo;m reminded of an old concept: &amp;ldquo;the best defense is a good offense.&amp;rdquo; This phrase has been used in many contexts including competitive completions, sporting events and even war.&amp;nbsp; In order to successfully combat attacks on your network infrastructure, it&amp;rsquo;s imperative to adopt this methodology to form a complete and effective security strategy.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;
	The Threat Is Real&lt;/h3&gt;
&lt;p&gt;
	&lt;span style="line-height: 1.5em;"&gt;Lately, the news is plastered full of stories about outside attackers who have made their way inside a network. The reality is, while many security teams are on high alert waiting for IDS/IPS alarms to sound, they&amp;rsquo;re overlooking the most important part of the network, the inside. To date, the InfoSec community has not had a very clear understanding of insider threats &amp;ndash; what they are, how they happen, or how to prevent them. While most would likely agree that these types of attacks are dangerous, there are very few data driven resources that identify exactly how many organizations fall victim to these types of attacks because quite frankly, they are not always identified.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;
	According to the &lt;a href="http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf"&gt;Verizon 2012 Data Breach Report&lt;/a&gt;, 98% of breaches stemmed from external agents while only 4% implicated internal employees.&amp;nbsp; This indicates that organizations are not detecting breaches on their own.&amp;nbsp; They are relying upon third parties (typically law enforcement) for said information. Organizations that fall victim to breaches are not getting basic security controls right. In terms of hacking incidents, Verizon reports that 55% involved default credentials while 40% involved stolen credentials and 29 % involved brute force attacks.&lt;/p&gt;
&lt;h3&gt;
	The Threat Is Costly&lt;/h3&gt;
&lt;p&gt;
	&lt;span style="line-height: 1.5em;"&gt;&lt;a href="http://www.cert.org/insider_threat/"&gt;CERT&lt;/a&gt; Insider Threat research group reports that the cost of IP theft averages $13.5 million. The problem with most insider attacks is that often attackers are able to gain authentic user credentials and infiltrate the network without setting off any alarms. The &amp;ldquo;best practices&amp;rdquo; implemented right now are not necessarily working, which leads to the question: Is it more costly to update your security system or to fall victim to a stealthy attack?&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;
	Examining Different Types of Insider Threats&lt;/h3&gt;
&lt;h4&gt;
	1. Stealthy attackers who have bypassed perimeter defense&lt;/h4&gt;
&lt;p&gt;
	&lt;span style="color: rgb(102, 102, 102); font-size: 12px; line-height: 1.5em;"&gt;These types of attacks usually leverage some type of malware or 0-day attack that allows the breach of the perimeter without setting off any alarms.&lt;/span&gt;&lt;/p&gt;
&lt;h4&gt;
	2. External attackers posing as authentic users&lt;/h4&gt;
&lt;p&gt;
	&lt;span style="line-height: 1.5em;"&gt;These types of attacks are the most dangerous because there is no traditional security mechanism to prevent this sort of attack from occurring. When a &amp;ldquo;real&amp;rdquo; user logs on, there is no concern. Once an individual user has been compromised, and the attacker gains access to the internal network, it is much easier for them to own other machines operating on the network and gain information undetected. The only way to defend against this type of attack is through an active offense &amp;ndash; by monitoring user behavior. What devices are associated with this user? When do they access the network? Is this user extracting large amounts of data? User behavior can be telling of an attacker using authentic credentials to access your valued information.&lt;/span&gt;&lt;/p&gt;
&lt;h4&gt;
	3. Users with Authentic Credentials&lt;/h4&gt;
&lt;p&gt;
	&lt;span style="line-height: 1.5em;"&gt;The new contractor hired to help write your latest code may have alternative intentions for working with your company.&amp;nbsp; There is essentially no way to detect this kind of activity other than monitoring user activity. What kind of files is this user accessing? When does this user access said files? The reality is no organization no matter how great or small is immune. Recently &lt;a href="http://www.informationweek.com/security/government/nasa-tightens-security-in-response-to-in/240151412?cid=RSSfeed_IWK_security"&gt;Information Week reported &lt;/a&gt;that NASA closed down its technical reports database and imposed tighter restrictions on remote access to its computer systems as a contractor was arrested for suspect theft of intellectual property.&lt;/span&gt;&lt;br /&gt;
	&amp;nbsp;&lt;/p&gt;
&lt;h4&gt;
	4. Disgruntled or rogue employees who have been fired, but still have access to the network&lt;/h4&gt;
&lt;p&gt;
	These attacks can result in IT sabotage, data loss, espionage and more. An account that should have been disabled but is still active on the network is one of the simplest things to check for. Do you have something in place to detect this?&lt;/p&gt;
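&lt;p&gt;
	The questions raised under threats 2, 3 and 4 above (which devices a user comes from, when they are active, how much they send out, and whether the account should still exist) can be turned into checks against a per-user baseline built from flow records. The following is an added example written for this post, not Lancope or StealthWatch code: the records, host names, the terminated-account list and the anomaly thresholds are all constructed assumptions, and a real deployment would get the user-to-flow mapping from a collector joined with identity data.&lt;/p&gt;

```python
"""Behavioural checks over user-attributed flow records.

Added example, not product code. Builds a per-user baseline (source hosts,
active hours, outbound byte volume) from constructed records and flags:
  - activity by an account that should have been disabled
  - a user appearing from a host never seen in their baseline
  - activity outside the user's usual hours
  - outbound byte volume far above the user's usual volume
"""
from collections import defaultdict
from datetime import datetime
from operator import gt
from statistics import mean, pstdev

# Constructed sample records: (timestamp, user, src_host, dst_ip, bytes_out).
# Invented for this example; a collector would supply them in production.
BASELINE = [
    ("2013-04-01T09:12:00", "alice", "ws-0101", "10.0.5.20", 120_000),
    ("2013-04-01T14:40:00", "alice", "ws-0101", "10.0.5.21", 95_000),
    ("2013-04-02T10:05:00", "alice", "ws-0101", "10.0.5.20", 110_000),
    ("2013-04-02T16:30:00", "alice", "ws-0101", "10.0.5.22", 130_000),
    ("2013-04-01T08:55:00", "bob", "ws-0207", "10.0.5.20", 40_000),
    ("2013-04-02T09:20:00", "bob", "ws-0207", "10.0.5.23", 55_000),
    ("2013-04-02T11:45:00", "bob", "lt-0207", "10.0.5.20", 48_000),
]

# Hypothetical HR feed of accounts that were terminated and must not appear.
TERMINATED = {"carol"}

# Constructed records for the day under review, with the intended verdicts.
TODAY = [
    ("2013-04-15T09:30:00", "alice", "ws-0101", "10.0.5.20", 105_000),     # normal
    ("2013-04-15T02:10:00", "alice", "ws-0101", "203.0.113.9", 4_800_000),  # off-hours, huge volume
    ("2013-04-15T10:00:00", "bob", "ws-0999", "10.0.5.20", 50_000),         # never-seen device
    ("2013-04-15T13:00:00", "carol", "ws-0305", "10.0.5.20", 20_000),       # terminated account
]


def build_profile(records):
    """Per-user baseline: known hosts, an hour-of-day window, a byte limit."""
    hosts = defaultdict(set)
    hours = defaultdict(set)
    volumes = defaultdict(list)
    for ts, user, host, _dst, nbytes in records:
        hosts[user].add(host)
        hours[user].add(datetime.fromisoformat(ts).hour)
        volumes[user].append(nbytes)
    profile = {}
    for user in hosts:
        vol = volumes[user]
        # Three standard deviations above the mean, floored at twice the largest
        # baseline flow so a small, tight baseline does not flag everything.
        limit = max(mean(vol) + 3 * pstdev(vol), 2 * max(vol))
        # Allow one hour of slack either side of the observed active hours.
        window = range(min(hours[user]) - 1, max(hours[user]) + 2)
        profile[user] = {"hosts": hosts[user], "window": window, "limit": limit}
    return profile


def detect(records, profile, terminated):
    """Return (user, reason, record) for every record that breaks the baseline."""
    findings = []
    for rec in records:
        ts, user, host, _dst, nbytes = rec
        if user in terminated:
            findings.append((user, "activity by terminated account", rec))
            continue
        base = profile.get(user)
        if base is None:
            findings.append((user, "no baseline for user", rec))
            continue
        if host not in base["hosts"]:
            findings.append((user, "new source host %s" % host, rec))
        hour = datetime.fromisoformat(ts).hour
        if hour not in base["window"]:
            findings.append((user, "activity at %02d:00, outside usual hours" % hour, rec))
        if gt(nbytes, base["limit"]):
            findings.append((user, "%d bytes out, above limit %d" % (nbytes, base["limit"]), rec))
    return findings


def run():
    """Baseline on BASELINE, then review TODAY; returns the list of findings."""
    return detect(TODAY, build_profile(BASELINE), TERMINATED)


if __name__ == "__main__":
    for user, reason, rec in run():
        print("%-6s %s  %s" % (user, reason, rec[0]))
```

&lt;p&gt;
	Run as-is it reports four findings: two for alice&amp;rsquo;s 02:10 flow (outside her usual hours, and far above her usual volume), one for bob appearing from a host he has never used, and one for the terminated account carol. The thresholds are deliberately crude; the point is that each check needs only flow records plus a user-to-host mapping, which is exactly what an identity-aware flow collector provides.&lt;/p&gt;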
&lt;h3&gt;
	It&amp;#39;s time to protect critical assets from the inside out&lt;/h3&gt;
&lt;p&gt;
	By leveraging an identity-based network surveillance tool that proactively monitors the network, your security team will be able to offensively defend your entire network.&amp;nbsp; New threats require a new approach. The paint (internal network) is where a goal (an undetected breach) is most likely to be scored.&amp;nbsp; It&amp;rsquo;s harder to score points when shooting from three feet behind the 3 point line (breaching from the exterior).&amp;nbsp;&lt;/p&gt;
&lt;p&gt;
	Security monitoring is the Mitch McGary of your network infrastructure &amp;ndash; the missing component to outdated security strategies and the secret weapon to an organization&amp;rsquo;s security success. Network monitoring plays offense with the ability to quickly identify network issues. The added bonus is that it can also be leveraged as a forensic defense mechanism with the total visibility and insight into user behavior it provides, which is essential to defending against interior network threats.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;
	Next week, Lancope will host a webinar on just how easy it is to gain information to successfully breach an organization from the inside, and in turn how to detect this type of attack using internal host reputation.&amp;nbsp; To register, click &lt;a href="http://lanc.pe/ZW2Jqs"&gt;here&lt;/a&gt;. For more information on internal network monitoring for more effective security, click &lt;a href="http://www.lancope.com/solutions/security-operations/"&gt;here&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/NetflowNinjas/~4/rIi-jX0yUzI" height="1" width="1"/&gt;</description>
      <dc:subject><![CDATA[About Lancope, General Interest, NetFlow, Network Security, Network Visibility, StealthWatch,]]></dc:subject>
      <dc:date>2013-04-16T01:47:13+00:00</dc:date>
    <feedburner:origLink>http://www.lancope.com/blog/in-network-security-the-best-defense-is-a-good-offense/#When:01:47:13Z</feedburner:origLink></item>

    <item>
      <title>Lancope To Speak at Upcoming Security Events</title>
      <link>http://feedproxy.google.com/~r/NetflowNinjas/~3/CHPMT0l6CCE/</link>
      <guid isPermaLink="false">http://www.lancope.com/blog/upcoming-speaking-opps/#When:17:47:26Z</guid>
      <description>&lt;p&gt;
	Lancope&amp;rsquo;s Director of Security Research, Tom Cross, will be speaking at two security industry events this month &amp;ndash; SOURCE Boston and the FS-ISAC Summit.&lt;/p&gt;
&lt;p&gt;
	At &lt;a href="http://www.sourceconference.com/boston/"&gt;SOURCE Boston&lt;/a&gt;, Cross will deliver a presentation on insider threats on &lt;strong&gt;April 17 at 11:00 a.m.&lt;/strong&gt; The session, entitled &amp;ldquo;Insider Threat: Hunting for Authorized Evil,&amp;rdquo; will review academic research into insider threats, discussing the frequency and impact of the attacks, and will also cover strategies for managing the problem from both a business and technical perspective. Taking place at the Marriott Courtyard in Boston, Mass. from April 16-18, the purpose of the SOURCE Conference is to bridge the gap between technical excellence and business acumen within the security industry.&lt;/p&gt;
&lt;p&gt;
	At the &lt;a href="http://www.fsisac-summit.com/"&gt;FS-ISAC Annual Summit&lt;/a&gt; in Ponte Vedra Beach, Fla., Cross will present on &lt;strong&gt;April 30 at 3:00 p.m.&lt;/strong&gt; He will discuss how to effectively obtain and use actionable threat intelligence from high volumes of security data for improved threat detection and incident response. The FS-ISAC Summit will bring together hundreds of information security professionals serving the financial services industry at the Marriott Sawgrass from April 28 &amp;ndash; May 1.&lt;/p&gt;
&lt;p&gt;
	Click &lt;a href="http://www.lancope.com/company-overview/industry-events/"&gt;here&lt;/a&gt; for further details on Lancope&amp;rsquo;s upcoming event participation. More information on Lancope&amp;rsquo;s security solutions can be found at: &lt;a href="http://www.lancope.com/solutions/security-operations/"&gt;http://www.lancope.com/solutions/security-operations/&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/NetflowNinjas/~4/CHPMT0l6CCE" height="1" width="1"/&gt;</description>
      <dc:subject><![CDATA[Network Security, Network Visibility,]]></dc:subject>
      <dc:date>2013-04-11T17:47:26+00:00</dc:date>
    <feedburner:origLink>http://www.lancope.com/blog/upcoming-speaking-opps/#When:17:47:26Z</feedburner:origLink></item>

    
    </channel>
</rss>
