Do you think it requires an advanced degree to initiate an advanced security attack? Think again. Tool kits are readily available for immediate download that guide those with even just basic computer skills through the steps to initiate complex network attacks. But all hope is not lost. One of the best defenses is readily available in the market today – network recorders with network forensics – and when combined with the appropriate visibility fabric architecture, these solutions defend against attacks on even the fastest networks available today. Join WildPackets and Gigamon as we explore the current state of network attacks, network vulnerabilities, and the solutions available to combat the most aggressive, and the most subtle, attacks.

1. © WildPackets, Inc. www.wildpackets.com
Jay Botelho Director of Product Management, WildPackets jbotelho@wildpackets.com
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Threats
Patrick Riley Product Manager, Gigamon patrick.riley@gigamon.com

2. © WildPackets, Inc. 2
Administration
•
All callers are on mute
‒
If you have problems, please let us know via the Chat window
•
There will be Q&A
‒
Feel free to type a question at any time
•
Slides and recording will be available
‒
Notification within 48 hours via a follow-up email

3. © WildPackets, Inc. 3
Agenda
•
Today’s Security Challenges
•
Active Visibility for Multi-Tiered Security
•
Network-based Attack Analysis
•
??
•
Summary and Conclusions
•
Q&A

4. © 2014 Gigamon, Inc. All rights reserved.
$18.4B spent by enterprises world-wide on security in 2014
Billions are Spent on Security Annually …
Source: Gartner Trends Telecom Forecast (March 2014)
4
6,721
1,520
968
9,209
Firewall/VPN Equipment
Intrusion Protection Systems (IPS)
Secure Routers
Enterprise Security Network Equip
By millions of $s

5. © 2014 Gigamon, Inc. All rights reserved.
… Yet Breaches Continue To Proliferate
5

6. © 2014 Gigamon, Inc. All rights reserved.
 IDS/IPS and other tools raise alerts… But security teams need details
– Who, what, where, when
– Answers require network visibility
 Advanced tools needed to meet advanced threats
– High-level stats such as NetFlow and traffic sampling leave security analysts with
generalities not specifics
 Network visibility declining overall
– Last-generation network analysis tools can’t keep up with 10G, 40G, and 100G networks
– Attacks from multiple sources
– Threats from inside and at perimeter
Why Are “Secured” Networks So Exposed?
8

7. © 2014 Gigamon, Inc. All rights reserved.
YOU CAN’T SECURE
WHAT YOU CAN’T SEE.
Visibility Is The Key to Comprehensive, Cost-effective Network Security
9

8. © 2014 Gigamon, Inc. All rights reserved.
Need for a New Approach:
Multi-Tiered Security
10
 Specialized security tools
 Network-based attack analysis
 Backed by Signatures and policy≠
 Parallel deployments with IPS/IDS
 Protect against known attacks (signatures)
 Detect potential unknown threats (heuristics)
 Deployed throughout the network
 Not just at the edge (castle-moat is dead)
 Security tools externalize network complexity
 Risk-driven, maps into corporate risk and
compliance frameworks
 Support inline and out-of-band tools

9. © 2014 Gigamon, Inc. All rights reserved.
Out of Band
(IDS / Malware)
Removing Security Challenges
Page 11
Core
Switch
Edge
Router
Inline
(Firewall, IPS)
Tight maintenance windows no longer a constraint
Optimize tool processing and performance
Remove single points-of-failure from inline tools
Maximize tool investment and ROI
Eliminate tool-based network bottlenecks

10. © 2014 Gigamon, Inc. All rights reserved.
Active Visibility for Multi-Tiered Security
A Better Approach to Integrated Security
Page 13
Intrusion Detection
System
Core
Switch
Edge
Router
Intrusion Prevention
Systems
Out-of-Band Malware
GigaStream™
NetFlow Collector
GigaSMART®
Saves Time
Saves Money
Improved Reliability
Protects Traffic Throughput
Integrates Best-of-Breed Solutions
WildPackets!

11. © 2014 Gigamon, Inc. All rights reserved.
GigaVUE-HB1
Active Visibility for Multi-Tiered Security
14
Internet
Core
Switches
Distribution
Switches
Access
Switches
Regional Centers
Server/
Virtual
Farm FILE ACTIVITY
MONITORING
SIEM
DLP
IDS
APM
IPS
ANTI-MALWARE
VISIBILITY FABRIC™ ARCHITECTURE
OUT-OF-BAND INLINE
GigaVUE-HC2 with Bypass Module
GigaVUE-HD8

12. © WildPackets, Inc. 15
Challenges
•
IDS/IPS and other tools raise alerts
•
But security teams need details
‒
Who, what, where, when
‒
Answers require network visibility
•
Network visibility declining overall
‒
Last-generation network analysis tools can’t keep up with 10G, 40G, and 100G networks
‒
Market trend for high-level stats such as NetFlow and traffic sampling leave security analysts with generalities not specifics

13. © WildPackets, Inc. 16
Network-Based Attack Analysis
•
Benefits
‒
Give security teams evidence and insight
•
A comprehensive record of network activity
•
Powerful search and filtering tools for zeroing in on anomalies and attack details
‒
Enable security teams to act quickly
•
Find proof of attacks
•
Characterize attacks and stop them
‒
Who, what, where, when
•
Solution: Packet Capture + Network Forensics
‒
Record, store, and analyze traffic
‒
Uncover and understand attacks so they can be stopped
‒
Tools include deep packet inspection, searches, filters, graphs, etc.
Full visibility into everything going in and out of your network

14. © WildPackets, Inc. 17
Key Capabilities
WildPackets Attack Analysis
Node Activity Profile
High Speed Packet Capture
Visualization
Transaction History
Deep Packet Inspection
Node-to-node Interaction

15. © WildPackets, Inc. www.wildpackets.com
Forensics Security Attack Analysis Five Examples

16. © WildPackets, Inc. 21
Security Investigations with Network Forensics

Incident Response Verification

Pre-Zero Day Attack Forensics

Incident Path Tracking

Compliance with Security Regulations

Transaction Verification

17. © WildPackets, Inc. 22
Action
Problem
At approximately 11:20am IDS/IPS reports an nmap decoy attack; a number of phony addresses were used by nmap as source IP’s in addition to the actual attack machine IP
Use network forensics to rewind the attack, saving all packets from 5 minutes before to 5 minutes after the report for detailed network analysis

18. © WildPackets, Inc. 23

19. © WildPackets, Inc. 24

20. © WildPackets, Inc. 25
Incident Response Verification
Applying Attack Intelligence and Deep Packet Inspection (DPI), WildPackets provides unprecedented visibility into network events, enabling security analysts to conduct full Root Cause Analysis (RCA)
Attack Analysis
Results: Reduced MTTR for Attacks Reduce Impact of Attacks

Investigate

Confirm

Characterize

Resolve

21. © WildPackets, Inc. 26
Action
Problem
The internal security team has identified a previously undetected major security threat; the signature says it uses windows messenger service and has a UDP packet that contains “STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION…”
Immediately identify any and all systems on the network that have potentially been affected by the threat, even before the threat was initially detected

22. © WildPackets, Inc. 27

23. © WildPackets, Inc. 28
Zero Day Attack Forensics
•
Unprecedented opportunity to ask:
‒
Has a newly recognized attack previously struck our network? If so, what happened?
•
Replay recorded network traffic to event detection systems to discover if the new incident had occurred previously and understand who and what was affected.
•
AKA “Retrospective Security Assurance”
IT begins recording network traffic
Zero-Day attack strikes
Updates to security tools recognize attack
Security team replays traffic through attack signature

24. © WildPackets, Inc. 29
Action
Problem
Hundreds of users of a wireless network in a large auditorium find they cannot maintain a VPN connection, nor can they reliably connect to the Internet; everyone seems to be affected
IDS/IPS reports no problems; assess overall network connectivity and look for anomalies

25. © WildPackets, Inc. 30
Incident Path Tracking
Using built-in peer-to-peer analytics, WildPackets’ Incident Path Tracking can trace the sequence of conversations between every device on the network before and after the security event
Result: Identify the security attack, in this case “denial of service”, the source of the attack, and all the affected devices

26. © WildPackets, Inc. 31
Action
Problem
While reviewing the weekly network performance report clear text protocols were discovered which violate company the security policy
Find FTP traffic and identify suspected users; analyze FTP traffic to see if sensitive data was transmitted.

27. © WildPackets, Inc. 32
Ensuring Compliance – Leaked Data
Result: Evidence of data breaches and details that help track down the particulars of security attacks
Filter for patterns like SSNs and keywords

28. © WildPackets, Inc. www.wildpackets.com
You Can Take Back the Lead!

29. © WildPackets, Inc. 34
Accelerate Incident Response and Remediation
BEFORE Timeline of a Security Investigation without Attack Analysis
•
Disparate sources
•
Investigations can take days or weeks
AFTER Timeline of a Security Investigation with Attack Analysis
•
Centralized repository with comprehensive data
•
Investigations are many times faster

30. © WildPackets, Inc. 35
Omnipliance Product Line
•
Omnipliance TL: NOC or Data Center, 10G/40G, up to 128 TB with OmniStorage
•
Omnipliance MX: Corporate Campus, 1G/10G, up to 32 TB
•
Omnipliance CX: Branch Offices, 1G, up to 32 TB

31. © WildPackets, Inc. 36
More Power in a Smaller Footprint
‒
Captures traffic up to 23Gbps of real-world traffic
‒
Scales up to 128 TB of storage
‒
Requires half the rack space and power of competitive solutions
Greater Precision
‒
Captures network traffic with no data loss, so you can analyze everything, not just samples or high-level statistics
‒
Accurate metrics
‒
Rich analytics help pinpoint and characterize anomalies
‒
Enterprise-wide solution makes forensic analysis available at every location
Better Price/Performance
‒
Superior power and precision at a price significantly lower than other network forensics products.
The WildPackets Advantage

32. © WildPackets, Inc. 37
Summary
•
We need to stop the “Bad Guys” from winning.
‒
Improve capability to investigate attacks.
•
Traditional methods + Forensics Security Attack Analysis
•
Forseniscs Security Attack Analysis = Packet Capture + Network Forensics
‒
Provides comprehensive evidence of all attack activity within a set period.
‒
Provides an irrefutable record of user, network, and application activity, including transactions.
‒
Enables security teams to characterize and trace attacks.
•
WildPackets Omnipliances offer unmatched performance and precision for attack analysis.
‒
Complements existing security toolset with performance network recording, storage, and analysis.

33. © 2014 Gigamon, Inc. All rights reserved.
Active Visibility for Multi-Tiered Security
38
TAP all critical links 1
Connect inline security tools 3
Leverage GigaSMART®
traffic intelligence 5
Connect links to a High Availability Visibility Fabric™ 2
Connect out-of-band security tools 4
Add non-security tools to maximize ROI 6

34. © WildPackets, Inc. www.wildpackets.com
Q&A
Show us your tweets! Use today’s webinar hashtag: #wildpackets_gigamon with any questions, comments, or feedback. Follow us @wildpackets
Follow us on SlideShare! Check out today’s slides on SlideShare www.slideshare.net/wildpackets
Jay Botelho
Director of Product Management
WildPackets
jbotelho@wildpackets.com
Patrick Riley Product Manager, Gigamon patrick.riley.gigamon.com

35. © WildPackets, Inc. www.wildpackets.com
Thank You!
WildPackets, Inc. 1340 Treat Boulevard, Suite 500 Walnut Creek, CA 94597 (925) 937-3200