Decreasing Incident Response Time
Benefits of Packet Capture & Real-time NetFlow Generation
Boni Bruno, CISSP, CISM, CGEIT, Technical Director

You Just Suffered a Major Security Breach!
3 Questions Your IT Staff Better Answer in the First 8 Hours!!
- What Happened?!
- Who Was Affected?!
- When Will It Be Fixed?!
Could Your Current SEM/SIEM Tools Cover You for this Security Breach?
Copyright © 2014

Security Incident Lifecycle
(lifecycle diagram: Suspect, Identify, Tools, Impact, Mitigate, Fixed, Permanent Protection)

Security Incident Lifecycle
Unique Event: can lead to repetitive events if not correctly identified…

Security Incident Lifecycle
- Faster Remediation
- Minimize Scope of Impact
- ID Root Cause
- Reduced Frequency

Security Architecture
Current Security Infrastructure: Events -> SIEM (Security Info & Event Mgmt) -> Event / Log Repository
• Firewall Alarm
• IDS/IPS
• DLP
• End Point Security
Packet Capture -> Packet Storage (pcaps) -> Full Content Repository -> Search & Analysis
Event-driven "snippets" and/or ALL traffic recorded into a rolling buffer

SIEM Integration via RESTful API

Visibility & recording infrastructure for high-speed networks
Endace provides 100% accurate network recording at 1Gbps to 100Gbps!!!
Next-Generation EndaceDAG Overview
Designed for data capture applications requiring 100% network data capture
Multiple Network Monitoring Interfaces
- TDM/PDH T1/E1 - DS3/E3
- 10/100/1000/10G Ethernet
- SONET/SDH OC-3 to OC-768c
- Infiniband x4 SDR and DDR
Three "Feature Bundles"
- Premium - Telco, high-end gov't users and appliance OEMs
- Standard - HFT, market, appliance OEMs
- Basic - Low-end gov't users, analytics
Low Overhead, Zero Loss Capture, Hardware Time Stamps, Global Clock Synch, In-Band Metadata, Load Balancing
Three Product Configurations
- Dual-Port 10GbE - Basic and standard
- Dual and quad port 10GbE with Classification/filtering - Standard and premium
- Single-Port 40GbE - Future/upgrade to quad port

Endace Network Visibility Infrastructure
- EndaceProbe™ Intelligent Network Recorder: High Performance Intelligent Network Recording; 8x1GbE or 4x10GbE Ports; Up to 16 TB internal storage; Fibre Channel support for SAN. EndaceProbe: Provides 100% packet capture on 10Gb Ethernet links
- EndaceFlow™ NetFlow Generator Appliance (NGA): High-Speed NetFlow Generation for 10GbE Networks; 4x10GbE Ports. NetFlow Generator: Generate unsampled netflows from 1GbE/10GbE links
- EndaceAccess™ Network Visibility Headend: Allows EndaceProbe INRs/ODE to scale to 40 and 100GbE. EndaceAccess: Load-balances 40Gb/100Gb links across multiple INRs (ODE)
- Endace Open Hosting Platform: Hosting Platform for Monitoring Applications; Up to 64 TB storage; Mix of 1 and 10GbE ports. Endace ODE: Provide packets for hosted 3rd party applications

The Endace Probe Solution

Monitoring and Recording Fabrics

100% Packet Capture means 100% Network Visibility

Can you Pinpoint Microbursts Occurring on your Network?

Can you Identify Applications Running on your Network?

Can you Identify Traffic Changes Over Time?

Can you see Conversations on the Network?
Search through Packets in a Browser!

100Gbps Packet Capture…

Time Synchronization

NetFlow – The New Way!!!
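As an added example (not code from this presentation or from Endace), the two ideas the deck leans on, worked in Python: a rolling buffer that retains every packet for a fixed window and cuts an event-driven "snippet" around a SIEM alert timestamp, and unsampled flow aggregation by 5-tuple, which is what "seeing conversations on the network" amounts to. The packet records, addresses and timestamps are constructed, and RollingBuffer and build_flows are hypothetical names.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds (hardware-stamped on a real recorder)
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    length: int    # bytes on the wire


class RollingBuffer:
    """Hypothetical stand-in for a recorder's rolling buffer: keeps every packet
    seen in the last `retention` seconds and drops older ones as time advances."""

    def __init__(self, retention: float):
        self.retention = retention
        self.packets = deque()

    def record(self, pkt: Packet) -> None:
        self.packets.append(pkt)
        while self.packets and self.packets[0].ts < pkt.ts - self.retention:
            self.packets.popleft()

    def snippet(self, alert_ts: float, before: float, after: float) -> list:
        """Event-driven snippet: packets from `before` s ahead of a SIEM alert to `after` s past it."""
        return [p for p in self.packets if alert_ts - before <= p.ts <= alert_ts + after]


def build_flows(packets) -> dict:
    """Unsampled flow records keyed by 5-tuple; every packet counts, none are sampled away."""
    flows = {}
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": p.ts, "last": p.ts})
        f["packets"] += 1
        f["bytes"] += p.length
        f["first"] = min(f["first"], p.ts)
        f["last"] = max(f["last"], p.ts)
    return flows


# Constructed sample capture: one TLS conversation, a DNS query/response pair, one later SSH packet.
SAMPLE_PACKETS = [
    Packet(100.0, "10.0.0.5", "203.0.113.9", 51000, 443, "tcp", 1500),
    Packet(100.2, "10.0.0.5", "203.0.113.9", 51000, 443, "tcp", 1500),
    Packet(100.4, "10.0.0.5", "203.0.113.9", 51000, 443, "tcp", 800),
    Packet(101.0, "10.0.0.7", "10.0.0.53", 40000, 53, "udp", 70),
    Packet(101.1, "10.0.0.53", "10.0.0.7", 53, 40000, "udp", 120),
    Packet(160.0, "10.0.0.5", "198.51.100.4", 51001, 22, "tcp", 90),
]


def demo(retention: float = 120.0, alert_ts: float = 101.0):
    """Record the sample, build flows from what the buffer still holds, cut a snippet around the alert."""
    buf = RollingBuffer(retention)
    for p in SAMPLE_PACKETS:
        buf.record(p)
    return build_flows(buf.packets), buf.snippet(alert_ts, before=1.5, after=0.5)
```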