Lancope StealthWatch Technology - PowerPoint PPT Presentation

About This Presentation
Title: Lancope StealthWatch Technology
Description: Original title: An Introduction to Flow-based Network Anomaly Detection. Author: Adam Powers. Last modified by: e41823. Created: 11/8/2004 3:43:33 PM. Document presentation ... (PowerPoint PPT presentation)

Slides: 25
Provided by: AdamP65
Learn more at: https://engage.isaca.org
Transcript and Presenter's Notes

1
Lancope StealthWatch Technology
Security Through Network Intelligence (www.lancope.com)

2
About Lancope
  • 3 years of focused research in flow-based network
    and security technologies.
  • StealthWatch evolved from research conducted by
    Dr. John Copeland at Georgia Tech
  • Based in Atlanta, GA
  • Flagship product: StealthWatch
    - Real-time attacks inside your network (not
      signature based)
    - Mitigation and documentation of real-time
      attacks
    - Forensics, short and long term

3
Why StealthWatch vs. other technology for your
internal Network?
  • Easy to deploy
  • 1/3 to 1/2 the cost of other solutions
  • Shows the performance and risks of your
    Enterprise NOC and SOC in real time.
  • Not signature based
  • Not perimeter based
  • No multilayer steps to get results
  • StealthWatch is best at
    - Discovering
    - Prioritizing
    - Mitigating
    real-time worms, viruses and exploits in your
    Internal Network
  • StealthWatch gives you Network Optimization and
    Threat Management for your Enterprise NOC and SOC

4
Internal Attacks on the rise! "The trend has
been moving away from external to internal
security" (Security Analysts, Wall Street
Journal, June 2005)
  • Internal Breaches
  • Bandwidth consumption, Policy Violations,
    Trojans, Zero Day Attacks, Application Misuse and
    others have caused:
    - Service and System Interruptions
    - Data Loss
    - Intellectual Property Theft
    - Major loss in Company credibility
    - Huge Financial Losses
  • The growth in Internal Attacks in a survey of 600
    North American and Western European Companies:
    - 2003: up 30%
    - 2004: up 50%
    - 2005: could be up 75%

5
How to protect your environment from Internal
attacks?
  • Organizations should establish a trusted behavior
    baseline for each machine on the network.
  • Look for changes from the current footprint behavior.
  • If these procedures are implemented effectively
    they can detect and protect systems against new
    malicious code, worms and other Internal
    Breaches.
    (US Secret Service and Gov. CERT, May 2005)

6
140 Existing Customers
7
Too Many Attack Vectors
  • CVE contains 7819 Vulnerabilities (Feb 2005)
  • Most Signature Vendors block on about 150 sigs
  • That's 2%
  • What about the other 98%?

8
Signatures Can't Keep Up
"Given the widespread use of automated attack
tools, attacks against Internet-connected systems
have become so commonplace that counts of the
number of incidents reported provide little
information with regard to assessing the scope
and impact of attacks. Therefore, as of 2004, we
will no longer publish the number of incidents
reported."
- CERT
Attack frequency increases
while the discovery-to-exploit window decreases.
9
NetFlow provides mountaintop visibility
Flows provide total visibility across a wide
network range by collecting data from routers in
varying locations. This gives StealthWatch total
supervision over the network and the ability to
track behavior throughout the network, from start
to end.
10
BEHAVIOR RATHER THAN SIGNATURES
  • Number of concurrent flows
  • Packets per sec
  • Bits per second
  • New flows created
  • Number of SYNs sent
  • Time of day
  • Number of SYNs received
  • Rate of connection resets
  • Duration of the flow
  • <Many others>

Analyze Flows
Establish baseline
Alarm on changes in behavior
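Slide 5 says to baseline each machine's behavior and watch for changes, and slide 10 lists the per-host flow features that feed such a baseline. The block below is an added example written for this transcript, not Lancope's code, and shows the three steps of slide 10 end to end over constructed NetFlow-style records: reduce each host's flows in a one-minute window to features (new flows, SYNs sent, distinct destinations, packets and bits per second), learn a per-host mean and standard deviation from quiet windows, then alarm on later windows that exceed the baseline and sum the relative excess into a per-host score. The hosts, addresses, sample traffic, feature subset, window size, threshold rule and scoring formula are all assumptions made for illustration; "concern" is borrowed from the deck's Concern Index slide only as a name.

```python
"""Per-host flow baselining with change alarms over constructed NetFlow-style records.

Added example, not Lancope code. Every address, the traffic, the feature set,
the noise floor and the concern formula are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds since capture start
    src: str       # source host; the host whose behaviour is baselined
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"
    packets: int
    octets: int
    syn: bool      # TCP flow opened by src (SYN sent), i.e. a connection attempt


WINDOW = 60  # seconds per observation window
# A subset of the per-host behaviour features listed on slide 10.
FEATURES = ("new_flows", "syns_sent", "distinct_dsts", "pps", "bps")


def window_features(flows, window=WINDOW):
    """Group flows by (src host, window start) and reduce each group to features."""
    buckets = defaultdict(lambda: defaultdict(list))
    for f in flows:
        buckets[f.src][f.ts - f.ts % window].append(f)
    feats = {}
    for host, wins in buckets.items():
        feats[host] = {}
        for start, group in wins.items():
            feats[host][start] = {
                "new_flows": len(group),
                "syns_sent": sum(1 for f in group if f.syn),
                "distinct_dsts": len({f.dst for f in group}),
                "pps": sum(f.packets for f in group) / window,
                "bps": sum(f.octets for f in group) * 8 / window,
            }
    return feats


def build_baseline(feats, train_end):
    """Mean and population stdev of each feature per host over windows before train_end."""
    baseline = {}
    for host, wins in feats.items():
        samples = [v for start, v in wins.items() if start < train_end]
        if len(samples) < 2:
            continue  # too little history to call anything a deviation
        baseline[host] = {}
        for name in FEATURES:
            vals = [s[name] for s in samples]
            baseline[host][name] = (statistics.mean(vals), statistics.pstdev(vals))
    return baseline


def detect(flows, train_end=360, k=3.0):
    """Alarm on post-training windows where a feature exceeds mean + k * noise.

    noise is the stdev with a floor (10% of the mean, at least one unit) so a host
    with a perfectly flat baseline does not alarm on a one-flow change. Only
    increases alarm, matching the deck's examples (more SYNs, more new flows).
    """
    feats = window_features(flows)
    baseline = build_baseline(feats, train_end)
    report = {}
    for host, wins in feats.items():
        if host not in baseline:
            continue
        alarms, concern = [], 0.0
        for start, vals in sorted(wins.items()):
            if start < train_end:
                continue
            for name in FEATURES:
                mean, std = baseline[host][name]
                threshold = mean + k * max(std, 0.1 * mean, 1.0)
                if vals[name] > threshold:
                    concern += (vals[name] - threshold) / threshold  # relative excess
                    alarms.append((start, name, vals[name], round(threshold, 2)))
        report[host] = {"concern": round(concern, 2), "alarms": alarms}
    return report


def sample_flows():
    """Constructed traffic, not a capture: six quiet minutes for two workstations,
    then in minute seven one of them opens 40 short TCP flows to 40 new hosts."""
    flows = []
    for minute in range(6):
        t = minute * 60
        for host in ("10.1.1.5", "10.1.1.7"):
            flows.append(Flow(t + 5, host, "10.1.2.10", 80, "tcp", 20, 12000, True))
            flows.append(Flow(t + 20, host, "10.1.2.11", 53, "udp", 2, 300, False))
            flows.append(Flow(t + 40, host, "10.1.2.10", 443, "tcp", 30, 20000, True))
    t = 6 * 60
    flows.append(Flow(t + 5, "10.1.1.5", "10.1.2.10", 80, "tcp", 20, 12000, True))
    for i in range(40):
        flows.append(Flow(t + i, "10.1.1.7", f"10.1.3.{i + 1}", 445, "tcp", 1, 60, True))
    return flows


if __name__ == "__main__":
    ranked = sorted(detect(sample_flows()).items(), key=lambda kv: -kv[1]["concern"])
    for host, r in ranked:
        print(host, "concern", r["concern"])
        for start, name, value, threshold in r["alarms"]:
            print(f"  t={start}s {name}={value} exceeds baseline threshold {threshold}")
```

On the constructed data the quiet workstation 10.1.1.5 produces no alarms, while 10.1.1.7 trips new_flows, syns_sent and distinct_dsts in the same window; packets and bits per second actually fall during the burst, which is why a single volume feature would have missed it and the deck lists several.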
11
STEALTHWATCH BEHAVIOR-BASED FLOW ANALYSIS
[Diagram labels: Cisco, Native Ethernet, SPAN, LAN/WAN, NetFlow; Signatures: SIM/SEM, ArcSight, Guarded, ISS, Snort, Etc.]
BEHAVIOR-BASED FLOW ANALYSIS
  • Powerful audit, compliance reporting, and
    forensic capabilities
  • Streamlines and shortens resolution time
  • Provides visibility into the most significant
    network behaviors
  • Cost-effective, extended enterprise-wide
    protection and control
12
INFRASTRUCTURE IPS
StealthWatch Automated Mitigation
  • Install Cisco PIX firewall rules
  • Install Checkpoint firewall rules
  • Inject Cisco Null0 route
  • Customizable scripted response
13
Devices / Vendors / Customer
  • Vendors: Checkpoint NG, NGAI, Provider 1; Cisco PIX;
    Cyberguard; Lucent Brick; Juniper; Symantec Enterprise
  • Routers and switches: Cisco, Extreme, Juniper, Foundry
[Diagram label: Flow Analysis Server]
14
STM Features: Supported Security Devices
Devices / Vendors / Customer
  • ISS RealSecure, Workgroup Manager, Site Protector
  • Cisco Secure IDS v4 (RDEP)
  • Enterasys Dragon
  • Snort
  • Symantec Manhunt
  • nCircle IP360
  • TopLayer Mitigator IPS
  • Netscreen Firewall/IDS
  • Network Associates Intrushield
15
Locations / Main Data Centers / Customer
How Many Main Data Centers do you manage?

How many DCs would you want to monitor with StealthWatch?

Do you want to have the NOC and SOC monitored?

How many remote locations do you have?

What kind of connections do you have to those remote locations?

16
StealthWatch Product Line
M250: Designed for fast Ethernet networks
M45: Designed for DS3 links or underutilized fast
Ethernet connections
G1: Designed for networks with speeds up to one
gigabit per second
Xe-1000: Midrange StealthWatch NetFlow Collector
Xe-500: Entry-level StealthWatch NetFlow Collector
Xe-2000: High-end StealthWatch NetFlow Collector
SMC: Collects and Manages multiple StealthWatch
and StealthWatch Xe appliances
(StealthWatch Rack Mountable 1U Appliance)
17
Deployment: How do we collect flows?
18
StealthWatch Xe: Monitor Remote Locations
12 IDP/IPS Sensors Required
1 StealthWatch Xe Required
19
Overcome complex deployments and cost
8 Inline IPS @ 64,995 each = 519,960
1 NetFlow-based Xe-2000: <50,000
[Diagram label: Inline IPS]
20
PRE-EXISTING CONDITIONS ARE DETECTED
Concern Index
21
FLOW VISUALIZATION
22
StealthWatch Solution
  • StealthWatch is a fast, accurate and
    cost-effective solution that immediately detects
    malicious or unauthorized network activity,
    including new and otherwise unidentifiable
    threats. As a network-based system, StealthWatch
    overcomes the cost and complexity of deploying
    and maintaining signature- or host-based systems.
    With StealthWatch, organizations can now identify
    and resolve network exposures, such as new,
    misconfigured or unauthorized devices and
    applications. These threats, which include rogue
    servers and P2P file sharing applications, result
    in 65% of network risks, according to a Gartner
    estimate. When unpreventable network events or
    host infections occur, StealthWatch detects and
    contains the incident while delivering critical
    insight that accelerates resolution and minimizes
    damage.

23
Problems Solved
  • Cost and Complexity: Reduced
  • Prioritization and Visibility: Across the Entire Network, NOC and SOC
  • Reaction Time: Detect and Mitigate Zero-day attacks Inside your Network
Network Security Problems Addressed
24
Next Steps for your Company and Lancope
  • NDA
  • Evaluation
  • References