Observer Platform Network Security Forensics

Upload: edward-kristian-terry

Post on 30-Dec-2015


Page 1: Observer Platform Network Security Forensics

Page 2: Agenda

• Introduction
o Today’s security challenges
o Observer Platform network forensics benefits

• Five Steps to Threat Resolution

• Real-world customer example
o Jack Henry & Associates

• Investigating the packets demonstration
o #1 – Identify a DDoS
o #2 – Botnet detection

• Key Take-aways

Page 3: Security Challenges

• IT threats continue to escalate in frequency, type, and malice
o Security perimeter breaches must be assumed a given
o “Inside jobs” are also on the rise

• Negative financial and stakeholder implications are increasing
o Revenue, profitability, and customer relations
o Long-term business survivability at risk

• Damage control and remediation urgency is growing
o What has been compromised?
o How do we validate “all clear”?

• Take-away: Organizations need a retrospective, network-centric method to backstop other security measures and to identify and clean compromised IT assets

Page 4: Security Challenges – A Reality Today for the Network Team

• Network Instruments 2015 State of the Network highlights:
o 85% are involved with security investigations
o Engaged in multiple facets of security
  • 65% implementing preventative measures
  • 58% investigating attacks
  • 50% validating security tool configurations
o 50% indicated that correlating security issues with network performance is their top challenge
o 44% cited the inability to replay anomalous security issues

• Hacking and malware cause nearly 1/3 of all data loss events*

* Source: VERIS Community Database

Page 5: Our Benefits

• Leverage Observer Platform performance monitoring functionality to bolster existing IT security measures
o “Two-for-one” deal (NPMD + security)

• GigaStor offers back-in-time peace of mind
o The “gold standard” in packet capture ensures every packet is captured
o No network conversations are missed

• Apex provides high-level views into possible errant behavior
o Baseline graphs are a powerful means to visualize unusual activity

• Analyzer includes deep packet awareness

• Integrated Snort rule support for known malware

• Sophisticated post-event filtering and packet pre-processing to quickly detect zero-day or other suspicious activity

• Advanced alarming to alert on targeted conditions

Page 6: Real-Time and Back-in-Time – Complement

Page 7: Riverbed & NetScout

• Don't offer Snort rule support

• Cannot match our storage capacity

• Drop packets as utilization rates increase

• NetScout does offer Cyber Investigator
o Dedicated hardened solution

Page 8: OBSERVER PLATFORM SECURITY FORENSICS

Five Steps to Threat Resolution

Page 9: #1 – Capture Everything on Your Network

Monitor from the core to the edge

Never miss a single packet

Page 10: #2 – Detect / Alert on Suspicious / Anomalous Behavior

Page 11: #3 – Turn Back the Clock

Using GigaStor back-in-time functionality

Start the investigation at the time of the possible incident

Page 12: #4 – Identify Security Threats

Leverage GigaStor forensics


Page 14: #4 – Identify Security Threats

Perform packet pre-processing to eliminate common obfuscation techniques

Page 15: #4 – Identify Security Threats

Then apply advanced Analyzer filtering for zero-day events, or Snort rules for known threats

Page 16: #4 – Identify Security Threats

The result: a comprehensive identification of detected threats within the specified time window

Page 17: #5 – View Illicit Behavior In/Out of the Network

Rebuild conversations to witness the event unfold, just like a sports “instant replay”


Page 19: #5 – View Illicit Behavior In/Out of the Network

Reconstruct HTTP streams to see exactly what was requested and received…

Page 20: #5 – View Illicit Behavior In/Out of the Network

…even if encrypted, when the private key is available

Page 21: #5 – View Illicit Behavior In/Out of the Network

Reconstruct inside jobs where valuable IP may be at risk via extrusion

Remediate / perform damage control as required to assess compromised assets
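Steps 3 to 5 above (pick the incident window, pre-process to strip encoding tricks, match known-threat content, rebuild the conversation) as an added, self-contained example; this is not Observer or GigaStor code. The packet store, addresses, timestamps, flow contents and the `/c2/checkin` signature are constructed, and the signature check is a plain substring stand-in for Snort `content:` matching.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from urllib.parse import unquote_to_bytes

# ts: capture timestamp; src/dst: "ip:port"; seq: TCP sequence number of the first payload byte
Packet = namedtuple("Packet", "ts src dst seq payload")

# Constructed sample packet store (not real traffic): one benign flow an hour earlier,
# and a suspected beacon whose request arrives as two out-of-order segments.
T0 = datetime(2015, 12, 30, 2, 14, 0)  # time of the suspected incident (constructed)
CAPTURE = [
    Packet(T0 - timedelta(hours=1), "10.0.0.5:40000", "10.0.0.9:80", 1, b"GET /index.html HTTP/1.1\r\n\r\n"),
    Packet(T0 + timedelta(seconds=2), "10.0.0.7:51000", "203.0.113.8:80", 34, b"Host: upd.example\r\n\r\n"),
    Packet(T0 + timedelta(seconds=1), "10.0.0.7:51000", "203.0.113.8:80", 1, b"GET /c2/%63heckin?id=7 HTTP/1.1\r\n"),
    Packet(T0 + timedelta(seconds=3), "203.0.113.8:80", "10.0.0.7:51000", 1, b"HTTP/1.1 200 OK\r\n\r\nsleep 600"),
]
# Constructed stand-ins for Snort "content:" matches on a known beacon (step 4).
SIGNATURES = {"c2-checkin-uri": b"/c2/checkin", "c2-sleep-cmd": b"\r\n\r\nsleep "}

def in_window(packets, start, end):
    """Step 3: turn back the clock and keep only packets inside the incident window."""
    return [p for p in packets if start <= p.ts <= end]

def normalize(data: bytes) -> bytes:
    """Step 4 pre-processing: undo percent-encoding and case games before matching."""
    return unquote_to_bytes(data).lower()

def reassemble(segments):
    """Step 5: put one direction of a flow back in sequence order; mark any gap
    explicitly rather than silently joining non-adjacent data."""
    out, expected = b"", None
    for s in sorted(segments, key=lambda p: p.seq):
        if expected is not None and s.seq != expected:
            out += b"[gap]"
        out += s.payload
        expected = s.seq + len(s.payload)
    return out

def investigate(packets, start, end, sigs=SIGNATURES):
    """Steps 3-5 together; returns {(src, dst): (matched signature names, rebuilt stream)}."""
    flows = {}
    for p in in_window(packets, start, end):
        flows.setdefault((p.src, p.dst), []).append(p)
    findings = {}
    for key, segs in flows.items():
        stream = reassemble(segs)  # match on the rebuilt stream so split or encoded content is still found
        hits = [name for name, c in sigs.items() if c.lower() in normalize(stream)]
        if hits:
            findings[key] = (hits, stream)
    return findings
```

Matching against the normalized, reassembled stream is what makes the encoded `%63heckin` request and the split Host header show up as one finding; a `[gap]` marker in a rebuilt stream means the store is missing packets and the evidence is incomplete.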

Page 22: CUSTOMER EXAMPLE – JACK HENRY & ASSOCIATES

Page 23: About Jack Henry & Associates (JHA)

• S&P 400 company with $1.2 billion revenue (FY2014)

• Supports 11,300 financial services customers
o Electronic payment solutions
o Financial processing services
o Business process automation

• Three primary brands
o Jack Henry Banking, Symitar, and ProfitStars

Page 24: JHA – Protecting Critical Customer Data

• Already using Observer Platform to monitor network and app performance

• Ongoing targeted attacks on IT resources

• GigaStor to the rescue
o Fortified existing security efforts by validating that the attempted breach into the data center was not successful

• Having all the packets was critical

Page 25: Solving the Customer’s Challenge

• Late-night call from the VP of Network Ops
o Oversees the security team

• Significant expansion of GigaStor deployments
o Now an integral part of ongoing security detection and remediation
o Save every packet across seven DCs for two weeks

• GigaStor data-at-rest adds more peace of mind

Page 26: Business Outcome – Additional Sales

• Current (new) sales:
o Observer Expert Consoles
o Qty. 2 – 10 Gb GigaStor-Expandable – 96 TB

• Redundant on-shelf units for rapid deployment in case of failure
o Qty. 2 – 10 Gb GigaStor-Expandable – 288 TB
o Qty. 1 – 10 Gb GigaStor-Expandable – 576 TB
o Four years of maintenance

• Future sales upside:
o Qty. 2 – 10 Gb GigaStor-Expandable – 288 TB
o Qty. 1 – 10 Gb GigaStor-Expandable – 96 TB
o Qty. 1 – 10 Gb GigaStor-Upgradeable – 16 TB

Page 27: INVESTIGATING IN THE PACKETS

Page 28: Key Takeaways

• The number and severity of IT security breaches continue to escalate

• Network teams are playing an increasingly larger role in security investigations, preventive measures, and damage control

• Having all the packets is critical for detecting breaches, identifying compromised assets, and validating cleanup

Page 29: Key Takeaways

• Observer Platform offers tremendous value to network teams and security organizations to optimize IT resource health and performance
o GigaStor data-at-rest adds even more value

• GigaStor (easily) beats NetScout and Riverbed in high-speed packet capture, capacity, and integrated security functionality

Page 30: QUESTIONS?

Page 31: OPTIONAL SLIDES

Page 32: Is the Network Team Involved in Security?

• 8 in 10 network teams also involved in security

Source: State of the Network 2015

Page 33: Time Spent on Security

• One-quarter of network teams spend more than 10 hours per week involved in security issues

Source: State of the Network 2015

Page 34: Has This Increased over the Past Year?

Source: State of the Network 2015

Page 35: Network Team Roles in Security

Source: State of the Network 2015

Page 36: Greatest Challenges Addressing Security

Source: State of the Network 2015