Discussion on the Future of Security

deanwebb · November 04, 2015, 06:37:34 AM

Had an interesting conference yesterday about the future of security. Level 3 sponsored a lunchtime panel discussion that included academics, law enforcement, and vendors.

For me, the key point was that security is going to move ore into the network itself. Endpoint security is about as complete as it needs to be in concept, given that we can have endpoint FW/IPS running. What is needed now is better intelligence about the threats hitting those endpoints, and that intelligence comes from the network.

Netflow, therefore, is going to be a huge aspect of doing proper security. Another huge aspect will be participating in information-sharing groups composed of law enforcement, vendors, service providers, and other firms.

JP Morgan, for example, discovered its ongoing breach as a result of a minor marketing firm reporting an unusual traffic flow to a particular IP address. When JPM checked its netflow records, it found tons of traffic heading to that IP address.

If all we have are perimeter permit/deny and endpoint defenses, we will stop a lot of badness out there, but will be doing so unconsciously. When we turn on netflow and make real efforts to understand it, we are in a position to both gather and share information that will allow us to attack threats at the root. That, in turn, makes for a lighter load on our networks, more efficient operations, and helps other people to get rid of threats. Although this was not directly stated, I realize now that that can lead to a "herd immunity" effect. If enough people are no longer vulnerable to a particular threat, it may be discarded in general - which means that the remaining percentage of people that are still vulnerable will benefit in that one area.

User Behavior Analysis - UBA - is coming. Expect a Gartner report on it in a few weeks/months. When that happens, your executives will be asking for UBA, and that means getting netflow turned on in your network. That means a Lancope/Plixer comparison and making sure your layer 3 devices are ready to sent netflow data to your collectors. This might also mean getting Gigamon into the picture to consolidate flows and to provide a single IP address for netflow systems to utilize. If you do a little thinking now about how to collect the data on your network and what you will do with it, you'll be ahead of the curve.

Hope this helps.

DanC · November 04, 2015, 02:00:59 PM

Interesting.

Out of interest, what are you guys using for Netflow collection and analysis?

deanwebb · November 04, 2015, 02:06:09 PM

Nothing right now. Our R&S architects will never let us put one more protocol on the network unless the executives tell them that Gartner said we had to.

Otanx · November 04, 2015, 02:57:48 PM

Your R&S architects are idiots then. Netflow has uses for them as well. Let me guess; they never look at syslog either unless something is already broken.

-Otanx

deanwebb · November 04, 2015, 03:04:07 PM

Quote from: Otanx on November 04, 2015, 02:57:48 PM
they never look at syslog

Fixed that for you.

LynK · November 05, 2015, 11:01:28 AM

We are in the works of buying lancope right now. This gives us what we need from a netflow perspective, but also from a security. Not to mention just just announced the merger of the two.

mmcgurty · November 05, 2015, 09:54:05 PM

I also recommend Lancope StealthWatch. We have used it since about 2008 at our organization. On the Network and Security teams we use almost daily for one reason or another.

wintermute000 · November 06, 2015, 11:28:33 PM

Having been through the crucible of managing operations and handling the high level escalations, I can tell you right now that if you don't have syslog and netflow in place you WILL eventually run into a situation where you simply do not have the information required to assess the issue - and then have to scramble to build something half-cocked from scratch just so you can formulate a solution.

It ain't exactly hard and it ain't even expensive (unless you want to say keep a year's worth of netflow on a 1Gb internet link for example!!!) and even if you're lazy and only look at it reactively it will save your bacon. As others have alluded to before, proactive monitoring will pick up a lot of trouble (any syslogs SEV4 or higher etc. will indicate downed backup links, flapping links or thresholds yellow-lining for example) and regular netflow top talkers / top connection counts will pickup your big downloaders/spyware/spam senders. The sophisticated packages will even fire up ad-hoc alerts e.g. any host that initiates more than 1000 connections in the last 30 minutes, raise a ticket coz its likely to be peer to peer.

Heck hit me up and I'll build you a cacti-in-a-box deployment for the graphs, free splunk for syslogs and nagios/nfsen for netflow, all on linux, all free except of course for my valuable time

(I won't mention what cashed up, international mega-corps I've seen that were too cheap to pay for a commercial solution so got me to hack together a bunch of open source VMs). I've done that kind of thing so many times now its almost second nature (the basics at least). I reckon I could get that running in a day flat with basics.

DanC · November 13, 2015, 10:57:47 AM

Quote from: wintermute000 on November 06, 2015, 11:28:33 PM
Having been through the crucible of managing operations and handling the high level escalations, I can tell you right now that if you don't have syslog and netflow in place you WILL eventually run into a situation where you simply do not have the information required to assess the issue - and then have to scramble to build something half-cocked from scratch just so you can formulate a solution.

It ain't exactly hard and it ain't even expensive (unless you want to say keep a year's worth of netflow on a 1Gb internet link for example!!!) and even if you're lazy and only look at it reactively it will save your bacon. As others have alluded to before, proactive monitoring will pick up a lot of trouble (any syslogs SEV4 or higher etc. will indicate downed backup links, flapping links or thresholds yellow-lining for example) and regular netflow top talkers / top connection counts will pickup your big downloaders/spyware/spam senders. The sophisticated packages will even fire up ad-hoc alerts e.g. any host that initiates more than 1000 connections in the last 30 minutes, raise a ticket coz its likely to be peer to peer.

Heck hit me up and I'll build you a cacti-in-a-box deployment for the graphs, free splunk for syslogs and nagios/nfsen for netflow, all on linux, all free except of course for my valuable time (I won't mention what cashed up, international mega-corps I've seen that were too cheap to pay for a commercial solution so got me to hack together a bunch of open source VMs). I've done that kind of thing so many times now its almost second nature (the basics at least). I reckon I could get that running in a day flat with basics.

How easy is it to get Nagios/nfsen running for Netwflow with limited Linux exposure? We're a cheapass company and I wouldn't mind having a go at this if it's pretty staright forward? Do you have any good links to tutorials or do I need to hit the product reference guides?

wintermute000 · November 13, 2015, 06:37:53 PM

not the easiest, i recall having to compile some of nfsen via source.... not sure if now there's an easy repo solution (probably?). The interface is also horrific, I ended up using CLI most of the time. But hey, its free. I would have followed some guy's linux blog or forum posts etc. (you know, the usual linux approach lol), don't have any specific links sorry.

nagios for netflow is a commercial product so they'll have commercial support/doco, last time I saw it deployed it cost $1000AUD so around $700USD, surely you can afford that

I believe its an appliance so much easier for you.