© 2016 Gigamon. All rights reserved.

A Story about Metadata…

Harnessing the Power of Metadata for Security
John Pollack, Senior Sales Engineer, Gigamon

First Some Context

Consider First: There’s Too Much Data
[Chart: network speed (1 Gb → 10 Gb → 40 Gb → 100 Gb) plotted against the percentage of data consumable by tools, for signature- and policy-based security tools versus advanced analytics, across the network, applications and infrastructure]
This is the BIG DATA problem: the volume of data is accelerating faster than the ability of the tools to consume it.

Growth in the “Speed” of Data
Time to process a single Ethernet frame on a 100 Gb/s link with minimum-size packets

Real-time Threat Prevention Is Getting Harder
PARTICULARLY FOR UNKNOWN THREATS
Democratization of cyber threats!
Too Little Time
• 67.2 ns between packets at 10G (minimum-size frames at line rate)
• For unknown threats, just not enough time, knowledge, or context to make a determination
Too Many Bad Guys
• Large established ecosystem of distributors for malware
• Sophisticated kits & tools for rent
• Front end, back end, and support infrastructure
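To make the per-frame budget behind the “67.2 ns at 10G” figure concrete, here is a short added Python calculation (written for this page, not taken from the deck). It derives the number from the smallest legal Ethernet frame (64 bytes) plus the 8-byte preamble/SFD and 12-byte inter-frame gap that are also clocked onto the wire, and scales it to the other link rates named on slide 4. The function names are this example's own.

```python
# Per-frame time budget at line rate. Added illustration, not part of the deck.
# A minimum-size Ethernet frame occupies more than 64 bytes of wire time: the
# 8-byte preamble/SFD and the 12-byte minimum inter-frame gap are clocked out
# as well, so each frame consumes 84 bytes = 672 bit times.

MIN_FRAME_BYTES = 64        # smallest legal Ethernet frame, FCS included
PREAMBLE_SFD_BYTES = 8      # 7-byte preamble + 1-byte start-of-frame delimiter
INTERFRAME_GAP_BYTES = 12   # minimum inter-frame gap (96 bit times)


def wire_bits_per_frame(frame_bytes=MIN_FRAME_BYTES):
    """Bit times one frame occupies on the wire, overhead included."""
    return (frame_bytes + PREAMBLE_SFD_BYTES + INTERFRAME_GAP_BYTES) * 8


def frame_time_ns(link_gbps, frame_bytes=MIN_FRAME_BYTES):
    """Nanoseconds between the starts of consecutive frames at line rate.

    One bit time at N Gb/s is 1/N ns, so the budget per frame is bits / N.
    """
    return wire_bits_per_frame(frame_bytes) / link_gbps


def max_frames_per_second(link_gbps, frame_bytes=MIN_FRAME_BYTES):
    """Worst-case packet rate an inline tool must keep up with."""
    return link_gbps * 1e9 / wire_bits_per_frame(frame_bytes)


def budget_table(rates_gbps=(1, 10, 40, 100)):
    """(ns per frame, frames per second) for minimum-size frames at each rate."""
    return {rate: (round(frame_time_ns(rate), 2), round(max_frames_per_second(rate)))
            for rate in rates_gbps}


if __name__ == "__main__":
    for rate, (ns, pps) in budget_table().items():
        print(f"{rate:>4} Gb/s: {ns:7.2f} ns per frame, {pps:>12,} frames/s")
```

At 10 Gb/s this gives 67.2 ns and about 14.9 million frames per second; at 100 Gb/s the budget shrinks to 6.72 ns, which is why the deck argues that unknown-threat decisions cannot be made inline per packet.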

What Can Be Done?

Remember The Attacker Lifecycle?
GOAL IS TO BREAK THE CHAIN – NOT JUST TRY TO PREVENT IT
1. Reconnaissance
2. Phishing & zero-day attack
3. Back door
4. Lateral movement
5. Data gathering
6. Exfiltrate

What Does It Take?
TRIANGULATION THROUGH BIG DATA AND PREDICTIVE ANALYTICS
Need to establish “Context” (what is normal-ish):
• Specific to each organization
• Requires data from across the entire organization
Need to understand “Intent” (what is bad-ish):
• Built from previous bad behavior, sandboxing, threat information feeds
• Build out predictive models
Triangulation against both, with a constant feedback loop

BUT Context Is Hard To Derive
A LABORIOUS AND INEFFICIENT EFFORT IN TODAY’S ENVIRONMENTS
Data has to be gathered from endpoints and servers, applications, switches and routers, and network appliances, each with:
• Different departments
• Different access rights
• Different formats
• Agent requirements
Consequences:
• Massive inefficiencies
• Too much data
• Less control
• Performance impact
Slows Down Analysis, Slows Down Response, Slows Down The Feedback Cycle

Leverage Network “Metadata”!
CONTEXT AND ULTIMATELY FASTER TRIANGULATION
[Diagram: user, device, application, cloud, virtual and physical infrastructure all converging on the network]
The Network Is The Single Most Content-Rich Source of Truth!

The Case for Metadata
Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and subject to change.
Better Security Efficacy
• Reduce massive volumes of data
• Extract essential information for security tools to consume
Faster Time to Detect
• Analyze metadata rather than raw packet streams over time
• Discover suspicious threats and anomalous behavior
Overcome Limited Reach
• Security tools do not have access to valuable information in the network
• E.g.: access to the AD server, authoritative DNS requests & responses
Separate Signal from Noise
• Security tools are unable to separate signal from noise in Big Data
• Detect threats more efficiently

How Can It Be Accomplished?

The World of Network Metadata
• DNS query and response information
• User flow records and session information
• Kerberos and user login information
• Server and application connectivity information
• SSL certificate information
• HTTP request and response information
• DHCP query and response information
• URL access information
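As an added illustration of two of the record types listed above (example code written for this page, not Gigamon's Metadata Engine or any vendor export format), the following Python reduces raw traffic to metadata: it decodes a DNS query/response record from a constructed UDP payload, following RFC 1035 name compression, and aggregates a constructed packet list into unidirectional 5-tuple flow records the way a NetFlow/IPFIX exporter would. The packet contents, the RFC 5737 / RFC 1918 addresses, and the record field names are all assumptions made for the example.

```python
import struct
from dataclasses import dataclass

# Added example: extracting DNS and flow metadata from packets. The packets
# below are constructed for illustration (RFC 5737 / RFC 1918 addresses);
# the record layouts are this example's own, not a vendor format.


def _read_name(msg, offset):
    """Decode a DNS name at `offset`, following RFC 1035 compression pointers.

    Returns (name, offset just past the name at its original position).
    """
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:                              # malformed: pointer loop
                raise ValueError("DNS name compression loop")
            continue
        offset += 1
        if length == 0:                                # root label ends the name
            return ".".join(labels), end if end is not None else offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def dns_metadata(payload):
    """Reduce a DNS message to the fields an analyst pivots on."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = _read_name(payload, off)
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, off = _read_name(payload, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                  # A record: dotted-quad rdata
            answers.append((name, "A", ".".join(map(str, payload[off:off + 4])), ttl))
        elif rtype == 5:                               # CNAME: rdata is a (compressed) name
            answers.append((name, "CNAME", _read_name(payload, off)[0], ttl))
        off += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def _encode_name(name):
    """Wire-format a dotted name (used only to build the constructed sample)."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


# Constructed response: www.example.com A 192.0.2.10, TTL 300; the answer name is
# compressed with a pointer (0xC00C) back to the question name at offset 12.
SAMPLE_DNS_RESPONSE = (
    struct.pack("!HHHHHH", 0xBEEF, 0x8180, 1, 1, 0, 0)
    + _encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)


@dataclass
class FlowRecord:
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


def build_flow_records(packets):
    """Aggregate (ts, src, dst, proto, sport, dport, length) tuples into
    unidirectional 5-tuple flow records: counts and timing, no payload kept."""
    flows = {}
    for ts, src, dst, proto, sport, dport, length in packets:
        key = (src, dst, proto, sport, dport)
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = FlowRecord(first_seen=ts, last_seen=ts)
        rec.packets += 1
        rec.octets += length
        rec.last_seen = max(rec.last_seen, ts)
    return flows


# Constructed packet list: one DNS lookup followed by a short HTTPS exchange.
SAMPLE_PACKETS = [
    (1.000, "10.0.0.5", "10.0.0.53", 17, 50123, 53, 75),
    (1.002, "10.0.0.53", "10.0.0.5", 17, 53, 50123, 91),
    (1.010, "10.0.0.5", "192.0.2.10", 6, 51000, 443, 74),
    (1.011, "192.0.2.10", "10.0.0.5", 6, 443, 51000, 74),
    (1.012, "10.0.0.5", "192.0.2.10", 6, 51000, 443, 66),
    (1.050, "10.0.0.5", "192.0.2.10", 6, 51000, 443, 583),
    (1.080, "192.0.2.10", "10.0.0.5", 6, 443, 51000, 1514),
]


if __name__ == "__main__":
    print(dns_metadata(SAMPLE_DNS_RESPONSE))
    for key, rec in build_flow_records(SAMPLE_PACKETS).items():
        print(key, rec)
```

The seven sample packets (about 2.5 KB of payload) collapse to four flow records and one DNS record, which is the volume reduction the deck is arguing for; the hop limit in `_read_name` is there because a forged message with a pointer loop would otherwise hang the extractor.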

Necessary and Sufficient?
Metadata: for fast approximation

Necessary and Sufficient?
Full Packet Stream: for homing in on threats

GigaSECURE’s Metadata Engine
SPEEDING UP TRIANGULATION -> FASTER ANALYTICS
[Diagram: GigaVUE-VM and GigaVUE® nodes, with Application Session Filtering, SSL Decryption, Inline Bypass, NetFlow / IPFIX Generation and the Metadata Engine, feeding the security tools (Intrusion Detection System, Data Loss Prevention, Email Threat Detection, IPS (inline), Anti-Malware (inline), Forensics) and Context- and Intent-based Big Data Analytics]
Metadata Engine outputs:
• DNS query and response information
• DHCP query and response information
• URL access information
• HTTP request and response information
• SSL certificate information
• Kerberos and user login information
• Server and application connectivity information
• User flow records and session information

Consumers of Metadata
[Diagram: consumers of NetFlow / IPFIX Generation and of the Metadata Engine; two marked “Currently Available”, four marked “In progress”]

Key Takeaways
• Security will increasingly rely on building Context and Intent
• Network-based metadata followed by programmable packet data streams will become the simplest and most comprehensive approach to security analytics
• Gigamon with its GigaSECURE® SDP is uniquely positioned to be the single, best source of both content-rich metadata and programmable streams of packet data

For More Information
• GigaSECURE Security Delivery Platform - https://www.gigamon.com/products/technology/gigasecure
• Metadata whitepaper – https://www.gigamon.com/sites/default/files/resources/whitepaper/wp-harnessing-the-power-of-metadata-for-security-4068.pdf
