TDAC Anomaly Detection: Technical Overview (2020. 7. 1.)
www.telesoft-technologies.com | © copyright 2018 by Telesoft Technologies. All rights reserved.
TDAC Anomaly Detection
The volume of network events within national ISPs/telcos and large enterprises means
that they have to classify and prioritise certain data over other data, in order to protect specific
elements of their networks.
Elements of a carrier-scale network
• Connected devices (user equipment, IoT devices, LAN & VNO)
• Own physical infrastructure (routing, firewalls, gateways & switches)
• Own services and applications
• Internet (web servers, streaming, OTT services, P2P & VoIP)
• CNI (utilities, transport & financial)
This presentation gives a technical overview of TDAC Anomaly Detection, using ‘Entity
Sets’ to map the logical and physical elements of hyper-scale networks.
Features covered
• Entity sets
  • Provisioned and auto-discovered sets
  • Tagging physical & logical network assets (inc. CNI)
  • Logical (e.g. services) and physical network topologies
• Anomaly detection
  • DDoS examples – HTTP flood, Water torture (Slowloris)
  • Other threats classified: wider DDoS, botnet C2, crimeware, data exfiltration, spam, anonymizers, network zone transgressions, zero day, more …
• Flow reputation
  • IPv4/6 and domain* reputation (*with Telesoft FlowProbe)
• Dashboard configuration
  • See TDAC user guide (35298-07) section 9
Entity sets
• Entity sets describe:
  • Physical and non-physical network assets
  • Infrastructure
  • Services/applications
  • Logical and physical network topologies
• Entity set members
  • Can be one or more of IPv4, IPv6, CIDR, domain
  • Members can belong to more than one entity set
  • All flows tagged with their set(s) for rapid forensics
  • All entity sets are monitored
• Types
  • Provisioned – by the user
  • Discovered – by the platform
Entity set types (diagram)
• Provisioned – e.g. router and interface
• Discovered – network infrastructure, botnet topologies
Entity set provisioning
• IPv4/6 and CIDR notation supported
• Domain classification supported with Telesoft FlowProbe
• Tag or drop (do not store) per-flow actions
• Customer-definable list of tags supports monitoring and defence of:
  • Logical network (e.g. application, service, VNO)
  • Physical network (e.g. datacentre)
  • Other customer-specific use cases
Entity sets - examples

| IP ranges / domains (flows matched on source or destination IP, or on domain) | Tags applied | Notes | Network |
| --- | --- | --- | --- |
| 10.0.0.0 | group: Application; service: Instant messaging; environment: Production | The production environment of the operator's Instant messaging service, one item in the suite of services/applications offered by the operator | Logical |
| 10.0.0.2 | group: Application; service: Instant messaging; environment: Quality Assurance | The QA environment of the above | Logical |
| 10.0.0.15 | group: Application; service: VoIP; environment: Production | VoIP production environment, another item in the suite of applications | Logical |
| 10.0.0.0, 10.0.0.2 | group: Network; zone: Northumberland; name: Ashington Data Centre | One of the entity sets describing the physical network; the operator has multiple national data centres and groups them by county | Physical |
| 10.0.0.1, 11.0.0.0/8 | group: Network; zone: Northumberland; name: Longtown Data Centre | Another data centre in Northumberland (showing single IPv4 and CIDR config) | Physical |
| 12.0.0.0/8, FC00::/96, kensington.cdn.company.com | group: Network; zone: London; name: Kensington Data Centre | Another data centre in a different county (showing IPv4 and IPv6 CIDR and domain config) | Physical |

Note that 10.0.0.0 and 10.0.0.2 appear both in an application set and in the Ashington data-centre set, so a flow to either address carries the tags of both sets (members can belong to more than one entity set).
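The following is an added example, not Telesoft code: a small tagger that applies the entity sets from the table above to flow records the way the entity-set slides describe (members may be IPv4, IPv6, CIDR or domain; a member may sit in several sets; every flow is tagged with every set it matches on source, destination or domain). The set names, the per-set `action` field (modelled on the "tag or drop (do not store)" per-flow actions), the extra `scanner-noise` set and the sample flows are assumptions made for illustration.

```python
"""Entity-set tagging of flow records (added example; not Telesoft code).

Entity sets mirror the examples table on this page. The 'action' field and
the scanner-noise set are assumptions modelled on the deck's 'tag or drop
(do not store)' per-flow actions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class EntitySet:
    name: str
    tags: dict
    members: list            # raw strings: IPs, CIDRs, domains
    action: str = "tag"      # "tag" (store + tag) or "drop" (do not store)
    _nets: list = field(default_factory=list, init=False)
    _domains: list = field(default_factory=list, init=False)

    def __post_init__(self):
        for m in self.members:
            try:
                # strict=False lets a bare address become a /32 or /128 network
                self._nets.append(ipaddress.ip_network(m, strict=False))
            except ValueError:
                self._domains.append(m.lower().rstrip("."))

    def matches(self, value: str) -> bool:
        """True if value (an IP or a domain) is a member of this set."""
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            host = value.lower().rstrip(".")
            # a domain member matches itself and any subdomain
            return any(host == d or host.endswith("." + d) for d in self._domains)
        return any(addr in n for n in self._nets)   # v4 vs v6 mismatch is simply False


ENTITY_SETS = [
    EntitySet("im-prod", {"group": "Application", "service": "Instant messaging",
                          "environment": "Production"}, ["10.0.0.0"]),
    EntitySet("im-qa", {"group": "Application", "service": "Instant messaging",
                        "environment": "Quality Assurance"}, ["10.0.0.2"]),
    EntitySet("voip-prod", {"group": "Application", "service": "VoIP",
                            "environment": "Production"}, ["10.0.0.15"]),
    EntitySet("ashington-dc", {"group": "Network", "zone": "Northumberland",
                               "name": "Ashington Data Centre"}, ["10.0.0.0", "10.0.0.2"]),
    EntitySet("longtown-dc", {"group": "Network", "zone": "Northumberland",
                              "name": "Longtown Data Centre"}, ["10.0.0.1", "11.0.0.0/8"]),
    EntitySet("kensington-dc", {"group": "Network", "zone": "London",
                                "name": "Kensington Data Centre"},
              ["12.0.0.0/8", "FC00::/96", "kensington.cdn.company.com"]),
    # Hypothetical set (not on the page): scanner noise the operator does not retain.
    EntitySet("scanner-noise", {"group": "Noise"}, ["203.0.113.0/24"], action="drop"),
]


def tag_flow(flow: dict, entity_sets=ENTITY_SETS):
    """Return the flow annotated with the names of every matching set, or None
    when a matching set carries action 'drop' (the flow is not stored)."""
    matched = [s for s in entity_sets
               if s.matches(flow["src"]) or s.matches(flow["dst"])
               or (flow.get("domain") and s.matches(flow["domain"]))]
    if any(s.action == "drop" for s in matched):
        return None
    return {**flow, "sets": sorted(s.name for s in matched)}


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "10.0.0.0", "proto": "tcp", "dport": 443},
    {"src": "11.2.3.4", "dst": "fc00::1", "proto": "udp", "dport": 53},
    {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 443,
     "domain": "edge1.kensington.cdn.company.com"},
    {"src": "203.0.113.200", "dst": "10.0.0.15", "proto": "tcp", "dport": 5060},
    {"src": "198.51.100.20", "dst": "192.0.2.99", "proto": "tcp", "dport": 80},
]


def tag_all(flows=SAMPLE_FLOWS):
    """Tag every flow; dropped flows are omitted, untagged flows are kept with sets=[]."""
    return [t for t in (tag_flow(f) for f in flows) if t is not None]


if __name__ == "__main__":
    for t in tag_all():
        print(t["src"], "->", t["dst"], t["sets"])
```

The first sample flow shows the multi-membership case from the table (10.0.0.0 is both `im-prod` and `ashington-dc`), the second shows an IPv6 CIDR match, the third a domain match via a subdomain, and the fourth is discarded because the scanner-noise set's action is `drop` even though it also matched `voip-prod`.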
Anomaly Detection (dashboard)
• Current and historical incidents and severity
• Top network threats and incidents
• Top threats and incidents by entity (see the entity sets slides)
• All discovered data supports single-click to apply as a filter or to change the dashboard view, for a rapid incident-forensics pivot
Example pivot – DDoS HTTP flood
Dashboard panels: attack profile, target, attack sources (botnet zombies).
An overwhelming proportion of HTTP flows attempting to consume the target's resources. The flows contain the full expected suite of TCP flags (SYN, half-open and flag-flood attacks look similar in volume, but their flows do not contain all of the TCP flags). Plotted over time the attack has the shape of a wave, as shown.
Example pivot – DDoS Water Torture (Slowloris)
Dashboard panels: attack profile, target, attack source.
Long-duration, dripping-byte flows that tie up the resources the target needs to serve legitimate requests. Plotted over time this attack looks blocky (like the continual dripping of water), as shown.
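An added example, not Telesoft code or TDAC's detection logic: a flow-profile classifier that separates the two shapes on the pivots above and the SYN/half-open case the HTTP-flood slide contrasts them with. It goes slightly beyond the slides by scoring three attack shapes plus a baseline in one pass. Field names, thresholds, the `sample_flows` generator and its target addresses (reused from the entity-set examples) are all assumptions for illustration.

```python
"""Flow-profile heuristics for the DDoS shapes on the example pivots
(added example, not Telesoft code). Field names and thresholds are assumptions.

- HTTP flood: many short flows to one target port, each carrying the full
  expected TCP flag suite (a completed request/response).
- SYN / half-open / flag flood: similar volume, but the flag suite never completes.
- Water torture (Slowloris): far fewer flows, each long-lived, each trickling
  bytes at a very low rate.
"""
import random
from collections import defaultdict
from statistics import median

FULL_FLAGS = {"SYN", "ACK", "PSH", "FIN"}   # expected suite for a completed HTTP exchange

# Assumed thresholds for one (dst, dport) over an analysis window.
FLOOD_MIN_FLOWS = 1000        # flows to one target:port
FLOOD_COMPLETE_RATIO = 0.9    # share of flows carrying FULL_FLAGS
SLOW_MIN_FLOWS = 50
SLOW_MIN_DURATION_S = 120.0   # median flow lifetime
SLOW_MAX_BPS = 50.0           # median bytes per second per flow


def profile(flows):
    """Group flows by (dst, dport) and compute the features the deck describes."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["dst"], f["dport"])].append(f)
    out = {}
    for key, fl in groups.items():
        complete = sum(1 for f in fl if FULL_FLAGS <= set(f["flags"]))
        out[key] = {
            "flows": len(fl),
            "sources": len({f["src"] for f in fl}),
            "complete_ratio": complete / len(fl),
            "median_duration_s": median(f["duration_s"] for f in fl),
            # guard against zero-length flows when computing the byte rate
            "median_bps": median(f["bytes"] / max(f["duration_s"], 0.001) for f in fl),
        }
    return out


def classify(p):
    """Map one target profile to the attack shape it most resembles."""
    if p["flows"] >= FLOOD_MIN_FLOWS:
        if p["complete_ratio"] >= FLOOD_COMPLETE_RATIO:
            return "http_flood"               # the 'wave': many complete HTTP flows
        return "syn_or_half_open_flood"       # same volume, flag suite incomplete
    if (p["flows"] >= SLOW_MIN_FLOWS
            and p["median_duration_s"] >= SLOW_MIN_DURATION_S
            and p["median_bps"] <= SLOW_MAX_BPS):
        return "slowloris"                    # the 'blocky' dripping-byte flows
    return "baseline"


def classify_all(flows):
    return {key: classify(p) for key, p in profile(flows).items()}


def sample_flows(seed=1):
    """Constructed synthetic flows (not a capture); scenarios are assumptions."""
    rng = random.Random(seed)

    def mk(dst, dport, n, flags, dur, size, src_pool):
        return [{"src": rng.choice(src_pool), "dst": dst, "dport": dport,
                 "flags": flags, "duration_s": rng.uniform(*dur),
                 "bytes": rng.randrange(*size)} for _ in range(n)]

    botnet = [f"203.0.113.{i}" for i in range(1, 255)]
    users = [f"198.51.100.{i}" for i in range(1, 40)]
    flows = []
    # HTTP flood: 1500 short, complete flows from many zombies
    flows += mk("10.0.0.0", 80, 1500, ["SYN", "ACK", "PSH", "FIN"], (0.05, 0.5), (400, 2000), botnet)
    # SYN flood: same volume, SYN only, never completes
    flows += mk("10.0.0.15", 5060, 1500, ["SYN"], (0.0, 3.0), (40, 60), botnet)
    # Slowloris: 80 connections from one host, each minutes long at roughly 5-20 B/s
    flows += mk("10.0.0.2", 80, 80, ["SYN", "ACK", "PSH"], (300.0, 900.0), (3000, 6000), ["192.0.2.77"])
    # Baseline: ordinary HTTPS sessions
    flows += mk("12.0.0.10", 443, 200, ["SYN", "ACK", "PSH", "FIN"], (0.2, 5.0), (2000, 50000), users)
    return flows


if __name__ == "__main__":
    for (dst, dport), verdict in classify_all(sample_flows()).items():
        print(f"{dst}:{dport} -> {verdict}")
```

The flag-suite ratio is what separates the HTTP flood from a SYN or half-open flood of the same volume, exactly the distinction the HTTP-flood slide draws; the duration and byte-rate features are what make the Slowloris profile stand out despite its low flow count. The wave versus blocky shapes the slides mention are a time-series view and are not reproduced here.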
Flow reputation (dashboard)
• Threat classifications
• Threat descriptions
Flow reputation lists
• Intel sources
  • Open threat intelligence
  • Support for STIX format (STIX 2.1 indicators can also carry Snort and Suricata patterns)
  • Bespoke/customer intel lists supported
• Updating
  • Update frequency – hourly to daily
  • Central site propagates rules throughout remote systems
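Added example, not Telesoft code: loading a STIX 2.1 indicator bundle into the kind of IP/domain reputation lookup the flow-reputation slides describe, keeping each indicator's classification and description so that a hit can be shown with both. The bundle below is constructed for illustration; only single-comparison patterns on `ipv4-addr`, `ipv6-addr` and `domain-name` become reputation entries, while compound patterns and indicators whose `pattern_type` is an IDS rule language (`snort`, `suricata`) are reported as skipped rather than silently dropped. The classification labels are assumptions.

```python
"""STIX 2.1 indicator bundle -> flow-reputation lookup (added example, not
Telesoft code). CONSTRUCTED_BUNDLE is made up for illustration."""
import ipaddress
import json
import re

# e.g. [ipv4-addr:value = '198.51.100.5'] or [domain-name:value = 'proxy.example']
_SIMPLE = re.compile(
    r"^\[\s*(ipv4-addr|ipv6-addr|domain-name):value\s*=\s*'([^']+)'\s*\]$")

CONSTRUCTED_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2020-07-01T00:00:00.000Z", "modified": "2020-07-01T00:00:00.000Z",
         "name": "Botnet controller", "description": "Host issuing HTTP flood tasking",
         "indicator_types": ["malicious-activity"], "labels": ["botnet-c2"],
         "pattern": "[ipv4-addr:value = '198.51.100.5']", "pattern_type": "stix",
         "valid_from": "2020-07-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2020-07-01T00:00:00.000Z", "modified": "2020-07-01T00:00:00.000Z",
         "name": "Exfiltration drop", "description": "Receives staged archives over TLS",
         "indicator_types": ["malicious-activity"], "labels": ["data-exfiltration"],
         "pattern": "[ipv6-addr:value = '2001:db8::1']", "pattern_type": "stix",
         "valid_from": "2020-07-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "created": "2020-07-01T00:00:00.000Z", "modified": "2020-07-01T00:00:00.000Z",
         "name": "Open proxy", "description": "Anonymising proxy front end",
         "indicator_types": ["anonymization"], "labels": ["anonymizer"],
         "pattern": "[domain-name:value = 'proxy.example']", "pattern_type": "stix",
         "valid_from": "2020-07-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",   # compound pattern: skipped
         "id": "indicator--00000000-0000-4000-8000-000000000005",
         "created": "2020-07-01T00:00:00.000Z", "modified": "2020-07-01T00:00:00.000Z",
         "name": "C2 beacon", "indicator_types": ["malicious-activity"],
         "pattern": "[network-traffic:dst_ref.value = '192.0.2.44' AND network-traffic:dst_port = 4444]",
         "pattern_type": "stix", "valid_from": "2020-07-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",   # IDS rule, not a reputation entry
         "id": "indicator--00000000-0000-4000-8000-000000000006",
         "created": "2020-07-01T00:00:00.000Z", "modified": "2020-07-01T00:00:00.000Z",
         "name": "Constructed Snort rule", "indicator_types": ["malicious-activity"],
         "pattern": 'alert tcp any any -> $HOME_NET 80 (msg:"constructed example"; sid:1000001; rev:1;)',
         "pattern_type": "snort", "valid_from": "2020-07-01T00:00:00Z"},
    ],
})


def _norm(value):
    """Canonical key: IPs in compressed text form (so 2001:DB8:0:0:0:0:0:1 and
    2001:db8::1 collide), domains lower-case without a trailing dot."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.lower().rstrip(".")


def load_reputation(bundle_json):
    """Return (reputation, skipped): reputation maps a normalised IP/domain to its
    kind, classification and description; skipped lists indicator ids not handled."""
    reputation, skipped = {}, []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        m = _SIMPLE.match(obj.get("pattern", "").strip())
        if obj.get("pattern_type", "stix") != "stix" or not m:
            skipped.append(obj["id"])
            continue
        kind, value = m.groups()
        labels = obj.get("labels") or obj.get("indicator_types") or ["unknown"]
        reputation[_norm(value)] = {
            "kind": kind,
            "classification": labels[0],
            "description": obj.get("description") or obj.get("name", ""),
        }
    return reputation, skipped


def lookup(reputation, flow):
    """Reputation hits keyed by the flow field (src, dst, domain) that matched."""
    hits = {}
    for name in ("src", "dst", "domain"):
        value = flow.get(name)
        if value:
            entry = reputation.get(_norm(value))
            if entry:
                hits[name] = entry
    return hits


REPUTATION, SKIPPED = load_reputation(CONSTRUCTED_BUNDLE)

if __name__ == "__main__":
    print(lookup(REPUTATION, {"src": "10.0.0.0", "dst": "2001:DB8:0:0:0:0:0:1"}))
    print("skipped:", SKIPPED)
```

Reporting the skipped ids matters operationally: a feed that is mostly compound patterns or Snort rules would otherwise look as if it had been loaded while contributing nothing to IP/domain reputation. Normalising IPv6 text through `ipaddress` avoids misses between the feed's spelling of an address and the exporter's.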
Threat alerting
• Alert on
  • IP/domain reputation classification
  • Anomaly (user tuning supported for severity, classification, etc.)
• Alert mechanisms
  • TDAC GUI
    • Alert tied to other retained data
    • Provides the immediate first step in incident forensics
  • Outbound webhook (JSON via secure REST API)
  • Syslog
  • Apache Kafka
  • BGP Flowspec instruction – attack mitigation (threat type & infrastructure dependent)