a real world example - hewlett packard enterprise
TRANSCRIPT
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Who is MacAulay-Brown, Inc.?
Cybersecurity Solutions
Information Technology
Engineering Services
A Proud History of Providing Technical Excellence for Over 35 Years
MacB Offices (map slide; blue states represent operating locations)
Huntsville, AL; Santa Clara, CA; Aurora/Denver, CO; Panama City, FL; Shalimar, FL; Tampa, FL; Augusta, GA; Bedford, MA; Aberdeen Proving Grd, MD; Alexandria, VA; Columbia, MD; Bellevue, NE; Neptune, NJ; Doylestown, PA; San Antonio, TX; Sterling, VA; Hampton, VA; Roanoke, VA
MacAulay-Brown, Inc. (MacB)
• Founded in 1979
• Headquartered in Dayton, OH
• National Capital Headquarters in Vienna, VA
• Over 1,500 employees
• Privately-held
• Integrated quality management by design
• Broad and diverse Cybersecurity customer set
• Frank B. Rowlett award (2001): NSA recognized Outstanding Information Systems Security Organization
Who are we? (Don Slife and Jarrod Echols)
• 2 Years, Cyber Threat & Intelligence Analysis
• BS in Information Systems: Information & Network Security
• Regional Team winner, Collegiate Cyber Defense Team (CCDC)
• Masters of Public Administration
• Internship, US Senate IT Security
• 10 Years US Air Force, Computer and Network Operations
• 3 Years Air Force CERT
• 15 Years Contracting
• Programming • Red Team • SOC Operations • Reverse Engineering
Why are we doing this?
• ArcSight is a very powerful tool... BUT
• With great power, comes great complexity... AND
• With great complexity, comes great confusion...
Bringing Order to the Chaos
• Define the Protected Environment
• Identify Dark Address Space
• Identify/Fix Misconfigurations to Reduce Noise
• Define Normal Traffic
  • User Zones
  • Asset Type Zones (Mail, DNS, VoIP…)
  • Network Type Zones (Public, Private)
• Define Critical Assets
• Prioritize Events Against Critical Assets
(Source: ArcSight Console Users Guide)
Goals of Today
• Share what we have learned so far in our “voyage of discovery” through ArcSight network and asset modeling.
• Explain the mistakes we made.
• Explain the things we’ve learned.
• Share our best practices.
What are we going to talk about?
• The model we inherited.
• Finding unmodeled space.
• Our first modeling attempt.
• Our second modeling attempt.
• Where we are going from here.
GOAL: You don’t have to repeat our mistakes. You get to make new mistakes!
The Organization
• Multi-state Medical Co-op of 102 Doctors
• 40 Research Committees Made up of Subsets of Doctors
• Doctors have Individual Offices Around the Country
• Approximately 8,000 Users
• Co-op has a Shared Network Backbone and Core Computing Environment (Email/Messaging/VoIP/VTC)
The Network
Class B Routable Address (1.1.0.0/16) plus All 3 RFC 1918 Address Spaces
• 10.0.0.0/8
  • Internal Networking Addresses
  • VoIP
• 172.16.0.0/12
  • Overflow Address Space for Doctors
  • Some Public Service (via NAT)
• 192.168.0.0/16
  • Overflow Address Space for Doctors
  • Office Wireless Network Space
• Doctor and Committee Main Offices
  • /24’s for Everyone
• Doctors Local Offices
  • /28’s in Some Cases
• Some Public Facing IP’s
  • Common Services
    • Exchange
    • Internal Web
    • VTC
Example: Dr Schmedley
• Main Office (Washington, DC)
  • 1.1.1.0/24 – Original IP Space
  • 1.1.197.0/24 – Additional Space
  • 10.8.1.0/24 – VoIP Phones
  • 192.168.18.0/28 – COOP Location
• Atlanta Office
  • 1.1.100.64/26 – Original IP Space
  • 172.26.3.16/28 – Expansion Space
  • 10.200.49.0/24 – VoIP Phones
• Sacramento Office
  • 1.1.94.192/26 – Original IP Space
  • 10.157.1.0/24 – VoIP Phones
(Diagram: Dr Schmedley – DC: 1.1.1.0/24, 1.1.97.0/24, 10.8.1.0/24, 192.168.18.0/28; Atlanta: 1.1.100.64/26, 172.26.3.16/28, 10.200.49.0/24; Sacramento: 1.1.94.192/26, 10.157.1.0/24)
Network Model: Version 1
• Folders by IP Network
• Most Zones in the Public 1.1.0.0/16 Address Space
• Fairly Static
• Approximately 1,700 Zones
• No Asset Categories
Process: Engineering Maintained Access DB -> Manual Asset/Zone Creation -> Addition of Zones/IP Space when Discovered
Version 1
Pro
• Simple to Visualize for Network Engineers
• Direct Mapping to Network Engineering Database
Con
• Zone Addition is a Manual Process
• Trying to Group by Doctor or Committee is Difficult
• Difficult to Keep up with Network Changes
• No Asset Categories
ISSUE: Network Operations has another database, and zones are added monthly!
Detecting Unmodeled Space
Problem: How to detect unmodeled space so it can be added?
Solution: Create a second network on each connector and let ArcSight do it!
Discoveries:
• NOC adds zones weekly.
• Only the routers really know!
• Over 300 unmodeled IPs.
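The "second network on each connector" trick, and the later lesson of a darkspace network covering the entire IP space, both rest on one idea: any address that no specific zone claims should fall through to a catch-all, and the fall-throughs are your list of missing zones. The following is an added example (not code from the talk and not an ArcSight feature) that reproduces that classification in plain Python so it can be run over exported event addresses. The zone ranges and event addresses are constructed; the zone names and the aggregation to /24 are assumptions.

```python
"""Find event addresses that fall outside every modeled zone.

Added example (not code from the talk and not an ArcSight feature): it
reproduces, in plain Python, what the "second network on each connector"
trick achieves inside ESM. Every address that no specific zone claims
falls through to a catch-all dark-space network, and counting those
fall-throughs per /24 tells the analyst which zones are missing. All zone
ranges and event addresses below are constructed for the example.
"""
import ipaddress
from collections import Counter

# Constructed zone model: a few ranges borrowed from the Dr Schmedley slide.
MODELED_ZONES = {
    "Schmedley DC 1.0": "1.1.1.0/24",
    "Schmedley Atlanta 100.64": "1.1.100.64/26",
    "Schmedley Atlanta VoIP 49.0": "10.200.49.0/24",
    "Schmedley DC COOP 18.0": "192.168.18.0/28",
}

# Catch-all dark-space networks: the routable /16 plus all three RFC 1918
# blocks, so that nothing inside the enterprise can fall outside the model.
DARKSPACE = {
    "Dark Public": "1.1.0.0/16",
    "Dark RFC1918 10/8": "10.0.0.0/8",
    "Dark RFC1918 172.16/12": "172.16.0.0/12",
    "Dark RFC1918 192.168/16": "192.168.0.0/16",
}


def _networks(zones):
    """Parse {name: cidr} into [(name, ip_network)]."""
    return [(name, ipaddress.ip_network(cidr)) for name, cidr in zones.items()]


def classify(addr, modeled=MODELED_ZONES, dark=DARKSPACE):
    """Return (zone_name, is_modeled).

    The most specific (longest-prefix) modeled zone wins. If none claims the
    address, the dark-space network containing it is returned with
    is_modeled=False. Addresses outside both (e.g. the Internet) give None.
    """
    ip = ipaddress.ip_address(addr)
    hits = [(name, net) for name, net in _networks(modeled) if ip in net]
    if hits:
        name, _ = max(hits, key=lambda h: h[1].prefixlen)
        return name, True
    for name, net in _networks(dark):
        if ip in net:
            return name, False
    return None, False


def unmodeled_summary(addrs, modeled=MODELED_ZONES, dark=DARKSPACE, agg_prefix=24):
    """Count dark-space fall-throughs per aggregate block.

    Returns {(dark_zone, "a.b.c.0/24"): hits}; each key is a candidate zone
    to take to the NOC's authoritative source before adding it to the model.
    """
    counts = Counter()
    for addr in addrs:
        zone, modeled_hit = classify(addr, modeled, dark)
        if zone is not None and not modeled_hit:
            block = ipaddress.ip_network(f"{addr}/{agg_prefix}", strict=False)
            counts[(zone, str(block))] += 1
    return dict(counts)


# Constructed source addresses as they might arrive in connector events.
EVENTS = [
    "1.1.1.10", "1.1.1.200",    # inside a modeled zone
    "1.1.97.5", "1.1.97.9",     # public space seen on the map but never modeled
    "10.8.1.3",                 # VoIP range not yet in the model
    "172.26.3.20",              # expansion space not yet in the model
    "8.8.8.8",                  # Internet: outside the enterprise entirely
]

if __name__ == "__main__":
    for (zone, block), n in sorted(unmodeled_summary(EVENTS).items()):
        print(f"{zone:24} {block:18} {n} event(s) -> consider modeling {block}")
```

Running the block lists three candidate /24s (1.1.97.0/24, 10.8.1.0/24 and 172.26.3.0/24) with their hit counts, while the Internet address is ignored because it falls outside every enterprise range. Aggregating per /24 is the assumption here; the talk's /26 and /28 zones show that the NOC's own record, not the aggregate, should decide the final boundary.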
Asset Modeling on the Cheap
• Address Space Categories Should be Assigned to Zones
• Application Categories Should be Assigned to Assets
• Problem: Not Ready to Model Assets
• Solution: Apply Application Categories to Networks
• Issue: Category Queries Become Slightly More Complicated
Network Model: Version 2
• Single Data Source
• Approximately 2,500 Zones
• Network Model Wizard
• Big Groups by Organization
• Started Using Categories in ESM
Name                                                   Start Address   End Address     Dynamic Addressing
Schmedley DC 1.0: 1.1.1.0 - 1.1.1.255                  1.1.1.0         1.1.1.255       TRUE
Partee Mont 202.0: 1.1.202.0 - 1.1.202.63              1.1.202.0       1.1.202.63      TRUE
Calamba Spri VoIP 8.0: 10.100.8.0 - 10.100.8.15        10.100.0.0      10.100.0.15     FALSE
International Medicine DC 63.0: 1.1.63.0 - 1.1.63.255  1.1.63.0        1.1.63.255      TRUE
Kus Anch COOP 32.0: 192.168.32.0 - 192.168.32.15       192.168.32.0    192.168.32.15   FALSE
Chivers NewY AVAILABLE 101.0: 1.1.101.0 - 1.1.101.255  1.1.101.0       1.1.101.255     TRUE
Address space categories: • Protected • DMZ • Dark • Wireless
Pro
• Single Data Source
• Semi-Standard Naming Schema
  • [Zone Name]: IP Start – IP End
• Zones Tagged with Asset & Network Categories
• Visibly Organized in ArcSight
• Quick to Analyze in Active Channel
Con
• 41 Step Process
  • CIDR to IP Range Conversion
  • Organize Into Categories
• ~16 Hours to Massage Data
• Still Difficult to Group by Office
Network Model: Version 2 (process)
Export from Infoblox -> Convert CIDR to IP Range -> Concatenate Names -> Group by Category -> Setup for Import -> Import to ArcSight via Wizard -> Delete old (broken) Zones
Network Model: Version 3
• Flat Model
• ArcSight Resource Generator for Import
• Quick to Massage Data
• Pre-Import Category Tagging
• Custom Category Tagging
• Approximately 3,700 Zones
Sample import rows (columns: #Type | Name | Start Address | End Address | Dynamic Addressing | Parent Group URI | Location URI | Network URI | Category):
Zone | Schmedley DC 1.0: 1.1.1.0 - 1.1.1.255 | 1.1.1.0 | 1.1.1.255 | TRUE | /All Zones/Offices | /All Locations/Office/Washington DC | /All Networks/US Medical |
Zone | Partee Mont 202.0: 1.1.202.0 - 1.1.202.63 | 1.1.202.0 | 1.1.202.63 | TRUE | /All Zones/Offices | /All Locations/Office/Alabama | /All Networks/US Medical | /All Asset Categories/Office/Address Spaces/Wireless
Zone | Calamba Spri VoIP 8.0: 10.100.8.0 - 10.100.8.15 | 10.100.0.0 | 10.100.0.15 | FALSE | /All Zones/Offices | /All Locations/Office/Illinois | /All Networks/US Medical | /All Asset Categories/Office/Application/Type/VoIP
Zone | International Medicine DC 63.0: 1.1.63.0 - 1.1.63.255 | 1.1.63.0 | 1.1.63.255 | TRUE | /All Zones/Offices | /All Locations/Office/Washington DC | /All Networks/US Medical |
Zone | Kus Anch COOP 32.0: 192.168.32.0 - 192.168.32.15 | 192.168.32.0 | 192.168.32.15 | FALSE | /All Zones/Offices | /All Locations/Office/Alaska | /All Networks/US Medical | /All Asset Categories/Office/Address Spaces/COOP
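The Version 2 process (export from the IPAM, convert CIDR to an IP range, concatenate names, group by category, set up for import) and the flat Version 3 file it feeds are the same data pipeline, and most of the "16 hours to massage data" goes into those steps. The following is an added example of that pipeline in Python; it is not the talk's own script and not HP's ArcSight Resource Generator. The input CSV is a constructed stand-in for an Infoblox export, and the export column names, the tab delimiter and the "<NAME> <SITE> <third>.<fourth octet>: start - end" naming pattern are assumptions read off the sample rows above. It also adds the two checks a practitioner wants before an import: a CIDR with host bits set is rejected rather than silently widened, and overlapping zones are reported so that "delete old (broken) zones" can happen before, not after, the load.

```python
"""Build flat zone import rows from a CIDR export.

Added example, not the talk's own script and not HP's ArcSight Resource
Generator. It produces the nine columns shown in the Version 3 sample
(Type, Name, Start Address, End Address, Dynamic Addressing, Parent Group
URI, Location URI, Network URI, Category) as tab-separated text. The input
CSV is constructed to stand in for an Infoblox export; its column names,
the "<NAME> <SITE> <third>.<fourth octet>: start - end" naming pattern and
the tab delimiter are assumptions read off the slide's sample rows.
"""
import csv
import io
import ipaddress

PARENT_GROUP = "/All Zones/Offices"
NETWORK_URI = "/All Networks/US Medical"
# Category URIs exactly as they appear on the slide, keyed by an export tag.
CATEGORY_URI = {
    "Wireless": "/All Asset Categories/Office/Address Spaces/Wireless",
    "COOP": "/All Asset Categories/Office/Address Spaces/COOP",
    "VoIP": "/All Asset Categories/Office/Application/Type/VoIP",
}
COLUMNS = ["Type", "Name", "Start Address", "End Address", "Dynamic Addressing",
           "Parent Group URI", "Location URI", "Network URI", "Category"]

# Constructed stand-in for the IPAM export (a real export carries more columns).
EXPORT_CSV = """\
name,site,state,cidr,tag,dynamic
Schmedley,DC,Washington DC,1.1.1.0/24,,TRUE
Partee,Mont,Alabama,1.1.202.0/26,Wireless,TRUE
Calamba,Spri VoIP,Illinois,10.100.8.0/28,VoIP,FALSE
Kus,Anch COOP,Alaska,192.168.32.0/28,COOP,FALSE
"""


def cidr_to_range(cidr):
    """'1.1.100.64/26' -> ('1.1.100.64', '1.1.100.127').

    strict=True makes a CIDR with host bits set (a typo in the export)
    raise ValueError instead of silently producing a wrong range.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def zone_name(name, site, start, end):
    """Naming schema: third and fourth octets of the start address as a tag."""
    third, fourth = start.split(".")[2:4]
    return f"{name} {site} {third}.{fourth}: {start} - {end}"


def build_zone_row(rec):
    """One export record -> one import row (dict keyed by COLUMNS)."""
    start, end = cidr_to_range(rec["cidr"])
    return {
        "Type": "Zone",
        "Name": zone_name(rec["name"], rec["site"], start, end),
        "Start Address": start,
        "End Address": end,
        "Dynamic Addressing": rec["dynamic"].strip().upper(),
        "Parent Group URI": PARENT_GROUP,
        "Location URI": f"/All Locations/Office/{rec['state']}",
        "Network URI": NETWORK_URI,
        "Category": CATEGORY_URI.get(rec["tag"].strip(), ""),
    }


def find_overlaps(rows):
    """Pairs of zone names whose address ranges intersect; check before import."""
    spans = []
    for r in rows:
        lo = int(ipaddress.ip_address(r["Start Address"]))
        hi = int(ipaddress.ip_address(r["End Address"]))
        spans.append((r["Name"], lo, hi))
    return [(a, b) for i, (a, lo1, hi1) in enumerate(spans)
            for b, lo2, hi2 in spans[i + 1:] if lo1 <= hi2 and lo2 <= hi1]


def export_rows(csv_text=EXPORT_CSV):
    """Parse the export, build rows, and reject bad CIDRs or overlapping zones."""
    rows, errors = [], []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        try:
            rows.append(build_zone_row(rec))
        except ValueError as exc:
            errors.append(f"{rec['name']} {rec['site']}: {exc}")
    overlaps = find_overlaps(rows)
    if errors or overlaps:
        raise ValueError(f"bad CIDRs: {errors}; overlapping zones: {overlaps}")
    return rows


def to_tsv(rows):
    """Serialize rows in the slide's column order, tab-separated, header first."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, delimiter="\t", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_tsv(export_rows()), end="")
```

Because the range is derived from the CIDR rather than copied from a second column, a row like the slide's "Calamba Spri VoIP 8.0" comes out with start and end inside 10.100.8.0/28, which is the kind of inconsistency a hand-massaged spreadsheet lets through. Replace EXPORT_CSV with the real export and adjust the column names to whatever the IPAM actually emits.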
Network Model: Future
• Automate Infoblox Export
• Automate Massaging of Data
• Zones Refresh Instead of Reload
  • Delete/Add Changed Zones
• Zones Tagged with Address Space Categories
• Assets Tagged with Application Categories
Lessons Learned
• Darkspace Network Covering Your Entire IP Space
• Apply Application Categories to Zones Until Assets are Modeled
• Establish a Single Authoritative Source for IP’s
• Standardized Zone Naming Schema
  • <TITLE> <NAME> <LOCATION>: StartIP – EndIP
• Flat Folder Structure is Much Easier
• Close Relationship with NOC
• We Recommend Beer!
Session TB3295 Speaker Don Slife & Jarrod Echols
Thank you