Decreasing Incident Response Time
Benefits of Packet Capture & Real-time NetFlow Generation
Boni Bruno, CISSP, CISM, CGEIT, Technical Director
2 Copyright © 2014
You Just Suffered a Major Security Breach!
• What Happened?!
• Who Was Affected?!
• When Will It Be Fixed?!
3 Questions Your IT Staff Better Answer in the First 8 Hours!!
Could Your Current SEM/SIEM Tools Cover You for this Security Breach?
Security Incident Lifecycle (diagram labels): Suspect, Identify, Mitigate, Impact, Tools Fixed, Permanent Protection
Security Incident Lifecycle
Unique event: can lead to repetitive events if not correctly identified…
Security Incident Lifecycle
Security Incident Lifecycle
• Reduced Frequency
• Minimize Scope of Impact
• Faster Remediation
• ID Root Cause
Security Architecture (diagram)
Current Security Infrastructure:
• Firewall
• IDS/IPS
• DLP
• End Point Security
Event path (diagram labels): Events, Event / Log Repository, SIEM (Security Info & Event Mgmt), Alarm, Search & Analysis
Packet path (diagram labels): Packet Capture, pcaps, Packet Storage, Full Content Repository: event-driven “snippets” and/or ALL traffic recorded into a rolling buffer
SIEM Integration via RESTful API
Visibility & recording infrastructure for high-speed networks
Endace provides 100% accurate network recording at 1Gbps to 100Gbps!!!
Next-Generation EndaceDAG Overview
Designed for data capture applications requiring 100% network data capture
Multiple Network Monitoring Interfaces:
• TDM/PDH T1/E1
• DS3/E3
• 10/100/1000/10G Ethernet
• SONET/SDH OC-3 to OC-768c
• Infiniband x4 SDR and DDR
Three “Feature Bundles”:
• Premium: Telco, high-end gov’t users and appliance OEMs
• Standard: HFT, market, appliance OEMs
• Basic: Low-end gov’t users, analytics
Three Product Configurations:
• Dual-Port 10GbE: Basic and Standard
• Dual and quad port 10GbE: Standard and Premium
• Single-Port 40GbE: Future/upgrade to quad port
Features:
• Low Overhead
• Zero Loss Capture
• Hardware Time Stamps
• Global Clock Synch
• In-Band Metadata
• Classification/filtering
• Load Balancing
Endace Network Visibility Infrastructure (diagram)
• EndaceAccess™ Network Visibility Headend: allows EndaceProbe INRs/ODE to scale to 40 and 100GbE; load-balances 40Gb/100Gb links across multiple INRs
• EndaceProbe™ Intelligent Network Recorder: high performance intelligent network recording; up to 64 TB storage; mix of 1 and 10GbE ports; provides 100% packet capture on 10Gb Ethernet links
• Endace Open Hosting Platform (ODE): hosting platform for monitoring applications; 8x1GbE or 4x10GbE ports; up to 16 TB internal storage; Fibre Channel support for SAN; provides packets for hosted 3rd party applications
• EndaceFlow™ NetFlow Generator Appliance (NGA): high-speed NetFlow generation for 10GbE networks; 4x10GbE ports; generates unsampled NetFlow from 1GbE/10GbE links
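The two capabilities the deck keeps returning to, an event-driven packet "snippet" cut from a rolling capture buffer (Security Architecture slide) and unsampled flow records generated from every packet on the link (NetFlow Generator), as one added example. This is illustration code written for this page, not Endace's software or API: it parses only little-endian microsecond pcap with Ethernet II, IPv4 and TCP/UDP, the addresses and the SIEM alert window are made up, and all sample packets are constructed inline so it runs offline.

```python
"""Added example (not Endace's code or API): from a pcap buffer, build an unsampled
flow table (the job of a NetFlow generator) and cut an event-driven packet
"snippet" for a SIEM alert. Handles only little-endian microsecond pcap,
Ethernet II, IPv4 and TCP/UDP; all sample packets below are constructed inline."""
import socket
import struct

ETH_IPV4 = 0x0800


def build_frame(src, dst, proto, sport, dport, payload_len):
    """Construct a minimal Ethernet/IPv4 + TCP(6) or UDP(17) frame (sample data only)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    if proto == 6:   # TCP: 20-byte header, PSH/ACK, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:            # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len, 0, 0,
                     64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4 + b"A" * payload_len


def build_pcap(records):
    """records: [(timestamp_seconds, frame_bytes)] -> bytes of a pcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (timestamp_s, captured_len, (src, dst, proto, sport, dport)) per IPv4 TCP/UDP packet."""
    magic, = struct.unpack("<I", data[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap handled in this demo")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        if proto not in (6, 17):
            continue
        l4 = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        key = (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), proto, sport, dport)
        yield sec + usec / 1_000_000, caplen, key


def flow_records(packets):
    """Unsampled flow table keyed by 5-tuple: every packet is counted, none skipped."""
    flows = {}
    for ts, length, key in packets:
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        f["packets"] += 1
        f["bytes"] += length
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
    return flows


def snippet(packets, host, start, end):
    """Event-driven snippet: packets to or from `host` inside the alert window [start, end]."""
    return [p for p in packets if start <= p[0] <= end and host in p[2][:2]]


# Constructed sample traffic (hypothetical addresses): a DNS lookup and an HTTPS
# session from 10.0.0.5, plus unrelated traffic from 10.0.0.7.
SAMPLE_PCAP = build_pcap([
    (1000.000, build_frame("10.0.0.5", "10.0.0.2", 17, 49152, 53, 40)),
    (1000.050, build_frame("10.0.0.2", "10.0.0.5", 17, 53, 49152, 120)),
    (1000.100, build_frame("10.0.0.5", "203.0.113.9", 6, 49153, 443, 0)),
    (1000.400, build_frame("10.0.0.5", "203.0.113.9", 6, 49153, 443, 500)),
    (1000.700, build_frame("203.0.113.9", "10.0.0.5", 6, 443, 49153, 1400)),
    (1000.300, build_frame("10.0.0.7", "198.51.100.4", 6, 50000, 80, 200)),
    (1001.200, build_frame("10.0.0.5", "203.0.113.9", 6, 49153, 443, 100)),
])

if __name__ == "__main__":
    pkts = list(parse_pcap(SAMPLE_PCAP))
    for key, f in flow_records(pkts).items():
        print(key, f)
    # A hypothetical SIEM alert at t=1000.5 on 10.0.0.5: pull +/-0.3 s of its packets.
    for ts, length, key in snippet(pkts, "10.0.0.5", 1000.2, 1000.8):
        print(f"{ts:.6f} {length:5d} {key}")
```

The flow table answers "who talked to whom, how much, and when" for every packet rather than a sample, which is what lets the first three breach questions be answered from one data source; the snippet is what a SIEM integration would request from the packet store for a given alarm. On a real recorder the buffer is far larger than this and is indexed by time, so the window lookup is a seek rather than a scan.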
The Endace Probe Solution
Monitoring and Recording Fabrics
100% Packet Capture means 100% Network Visibility
Can you Pinpoint Microbursts Occurring on your Network?
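Why the question needs per-packet hardware timestamps: a link can average 0.1% utilisation over a second and still be saturated for 100 microseconds, which is exactly the interval a polled interface counter cannot see. The following is an added illustration written for this page, not Endace's code; the 10GbE line rate, the nanosecond timestamps and the constructed traffic (steady background plus one 80-frame burst) are assumptions for the demo.

```python
"""Added example (not Endace's code): spotting microbursts from per-packet hardware
timestamps. A one-second average hides a burst that saturates the link for 100 us;
binning at timestamp resolution exposes it. Timestamps are integer nanoseconds;
the 10GbE line rate and the traffic below are assumptions for the demo."""
from collections import Counter

LINE_RATE_BPS = 10_000_000_000  # 10GbE (assumption)


def utilisation_by_bin(packets, bin_width_ns, line_rate_bps=LINE_RATE_BPS):
    """packets: iterable of (timestamp_ns, frame_bytes).
    Returns {bin_start_ns: fraction of line rate used in that bin}."""
    bytes_per_bin = Counter()
    for ts_ns, size in packets:
        bytes_per_bin[ts_ns // bin_width_ns] += size
    capacity_bytes = line_rate_bps * bin_width_ns / 8e9  # bytes the link can carry per bin
    return {b * bin_width_ns: n / capacity_bytes for b, n in bytes_per_bin.items()}


def microbursts(packets, bin_width_ns=100_000, threshold=0.8, line_rate_bps=LINE_RATE_BPS):
    """Bins whose utilisation reaches `threshold`, as sorted (bin_start_ns, utilisation)."""
    util = utilisation_by_bin(packets, bin_width_ns, line_rate_bps)
    return sorted((t, u) for t, u in util.items() if u >= threshold)


def average_utilisation(packets, window_ns, line_rate_bps=LINE_RATE_BPS):
    """What a coarse counter (e.g. an interface octet counter polled once a second) reports."""
    total_bits = 8 * sum(size for _, size in packets)
    return total_bits / (line_rate_bps * window_ns / 1e9)


def sample_traffic():
    """Constructed: 1000 x 1500-byte frames spread evenly over one second (12 Mbps),
    plus 80 back-to-back 1500-byte frames 1 us apart starting at t = 500.01 ms."""
    background = [(i * 1_000_000, 1500) for i in range(1000)]
    burst = [(500_010_000 + j * 1_000, 1500) for j in range(80)]
    return background + burst


if __name__ == "__main__":
    pkts = sample_traffic()
    print(f"1 s average: {average_utilisation(pkts, 1_000_000_000):.4%} of line rate")
    print("1 ms bins over 80%:", microbursts(pkts, bin_width_ns=1_000_000))
    print("100 us bins over 80%:", microbursts(pkts, bin_width_ns=100_000))
```

With 1 ms bins the burst is under 10% utilisation and is missed; with 100 µs bins the same packets show the link at about 97%. The bin width you can trust is bounded by the timestamp accuracy of the capture hardware, which is why the earlier slide lists hardware time stamps and global clock synchronisation as capture-card features rather than software conveniences.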
Can you Identify Applications Running on your Network?
Can you Identify Traffic Changes Over Time?
Can you see Conversations on the Network?
Search through Packets in a Browser!
100Gbps Packet Capture…
Time Synchronization
NetFlow – The New Way!!!