Presentation on theme: "Distributed Continuous Monitoring and Cyber Security"— Presentation transcript:
1Distributed Continuous Monitoring and Cyber Security Carter BullardCEO/PresidentQoSient, LLC150 E 57th Street Suite 12DNew York, New York 10022
2Network Monitoring Strategies Current Trends in Cyber Security MonitoringSEIM event and security log consolidation/correlationDPI based pattern recognition reportingSecurity policy enforcement validationNetwork forensics collection and analyticsFull Packet CapturePacket Summarization Data (Flow)Critical need for improved Situational AwarenessWhy don’t current methods deliver?Attribution?Mitigation?Deterrence?
3Theoretical Security Threats and Countermeasures CryptographicCountermeasuresThreatUnauthorizedDegradationofServiceRepudiationUseModificationDisclosureAuthenticationXIntegrityConfidentialityAccess Control xxNon-Repudiation / AuditPrimary Security CountermeasureSecondary Security CountermeasureDerived from ITU-T Recommendation X.805Security Architecture for Systems Providing End-to-End Communications
4Non-Repudiation Most misunderstood countermeasure * ITU-T Recommendation X.805 security dimensionPrevent ability to deny that an activity on the network occurredFlow approach to network non-repudiation systemsGenerate audit data to account for all network activityNetwork Transactional Auditing SystemsMechanism specified by DoD in NCSC-TG-005 “The Red Book” Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria (1987)User, Control and Management plane network auditingPrincipal source of true deterrenceNon-repudiation provides comprehensive accountabilityCreates the concept that you can get caughtCrypto-technical redefinition of non-repudiation by Adrian McCullagh in 2000 to apply only to digital signatures has created a great deal of confusion. While you can have repudiation of a signature, it’s not the only thing you can repudiate.
5Network Flow Information All flow data contain addresses, network service identifiers, starting time, duration and basic usage metrics, such as number of packets and bytes transmitted.More advanced types are transactional, bi-directional, convey network status and treatment information, service identification, performance data, geo-spatial and net- spatial information, control plane information, and extended service content.Available Network Flow InformationArgusControl and Data Plane network forensics auditingArchive, file, stream formats. (Binary, SQL, CSV, XML)YAF/SiLK - CERT-CCDesigned for Cyber security forensics analysisIETF IPFIX stream formats. Binary file format.IPDR - Billing and Usage AccountabilityATIS, ANSI, CableLabs, SCTE, 3GPP, Java CP, ITU/NGNFile and stream formats (XML).Netflow, JFlow, SflowIntegrated network vendor flow information - statistical/sampledUsed primarily for router operations, network management
7Security and Performance Security and performance are tightly coupled conceptsNetwork performance is an asset that needs protectionDoD GIG Information availability assurance (DoDD )Performance is being specifically attacked (DDoS Attacks)Security and performance contribute directly to QoSSecurity and performance are both optimizationsMany times at odds with each otherPerformance awareness data is security awareness dataPresence with identifying information is much of the forensics storyPerformance as a leading security indicatorExfiltration and spam generation consume resourcesClassic “man in the middle” and “traffic diversion” detectionScenarios create measurable end-to-end performance impacts[D]DoS detection is a performance anomaly problem
8Degradation of Service A primary design goal of Argus is DoS identificationArgus used in DDoS research papers ( )CERT Advisory CA UDP Port Denial of ServiceMany commercial DDoS products are flow systemsDenial of Service is an attack on Quality of ServiceQoS sensitive situational awareness is criticalQoS anomaly detectionQoS fault managementQoS intentional assignmentsDoS protection really needs to be a part of QoS optimizationCan’t discriminate QoS degradation when there is poor QoSNeeds data specifically designed to support:QoS Fault identification/discrimination/mitigation/recoveryPre fault QoS Characterization and OptimizationRealtime fault detection and QoS anomaly characterizationPost fault recovery, forensics and impact assessments
11Denial of Service (cont) QoS Fault MediationProvide realtime forensics for threat analysisRealize that QoS of critical assets are being affectedProvide real-time list of active nodesFor web attacks provide recurring URL visitsProvide CIDR addresses to blockNeed to be sensitive to ACL limits of network equipmentNeed to be clever when trying to block 50K IP addressesProvide CIDR addresses to allowHistorical Community of Interest (COI) for allowable customersThe list of networks active at the initial time of attackFlow information to assure mediation workedNetwork now performing within SLATrack conditions to indicate when to revert, if ever
13Denial of Service (cont) Methods used to defeat [D]DoS mitigationMitigation involves denying access from list of exploit IP addressesIP address spoofingHost along attack path emulates [D]DoS trafficInternal host that can “see” the target can forge 100,000’s of simultaneous active connections to/from foreign hostsRouting mediated address spoofingBGP modifications allow near local networks to spoof address spaceInternal modification to locally support foreign address spaceStatic routes can be setup so that “China” is routed to port 23bControl plane attacks (ARP, RIP, OSPF) to advertise “China” is over hereResult is that you just can’t seem to shake the attackDistributed sensing detects this scenarioNet-spatial data and active traceback strategies
14Distributed Situational Awareness IP Spoofing ScenariosWhite/Visible NodeBlack/Non-Visible NodeComprehensive Flow ISArgus SensorData PlaneSituational Awareness Data
15Who’s using Argus? U.S. Government Network Service Providers DoD Performance/Security Research - Gargoylehttps://software.forge.mil/projects/gargoyleJCTD-Large Data, NEMO, JRAE, Millennium ChallengeTactical Network Security Monitoring / Performance AnalysisNaval Research Laboratory (NRL), DISA, General Dynamics, ICNetwork Service ProvidersOperational/Performance OptimizationAcceptable Use Policy VerificationEducational (1000’s of sites world-wide)Carnegie Mellon UniversityStanford UniversityUniversity of ChicagoNew York UniversityISPs, Enterprises, Corporations, IndividualsEnterprise wide near realtime network security auditDistributed security monitoringNetwork security researchAcceptable use policy verification
16Where are we headed? Distributed Network Auditing Sensor Improvements Very Large Scale Situational AwarenessAuditing system scalability using cloud architecturesQuery strategies to enable high performance searchComplete end-to-end capabilityAutomated AttributionDevelopment of new security mechanismsSensor ImprovementsHigher performance - multi-coreMore Control Plane AuditingOSPF, BGP, SIP ...WirelessArgus is now 23 years young and its history has been as interesting as it has been long.