Analysis of IP flow records from Internet peering points presents some interesting challenges. The total volume is large to say the least, the number of hosts is very large and diverse, and the number of flows per Gbps of bandwidth is larger than in most enterprises. The traffic is all asymmetrical, and the infrastructure seems to be always evolving: just when the migration from SONET cores to everything-Ethernet is completed, the introduction of orchestrated NFVs begins. The challenges are all surmountable, and the analysis is effective and useful. The new infrastructures again present some challenges, but they also provide opportunities for new approaches using orchestrated Security Functions Virtualization (SFVs or SNFVs). The orchestration capabilities can enable scheduled surveillance of traffic and network elements.
In an IT environment where more and more enterprise IT is located outside the physical confines of enterprises, security data collection and sensing has to follow. “Cyclops” is the US Department of Defense’s solution to migrate the collection of unsampled flow data, network metadata, and security analysis to the “cloud.” Sylvia Mapes (DISA), Alan Fraser (CenturyLink), and Greg Virgin (RedJack) will discuss the challenges and solutions of flow data “as-a-service,” including deployment strategies, analysis strategies, and coping with the massive scale of malicious activity on ISP-sized network connections.
Verizon Network Security Services collects netflow from internal devices, edge routers and the Internet backbone. The group is also the central repository for logs in hundreds of formats and thousands of machines, including firewalls, IDS engines, web proxies, SNMP managers, BGP aggregators, DNS servers and desktops. Deriving useful information from all this data is a task shared by the data owners, repository operators and security analysts.
In this presentation we will go over the growth of the Verizon Network Security data repository and the infrastructure in place that receives and processes 100 GB of data an hour, including two billion flows. We will also cover some of the open source, commercial and homegrown software that helps the security, network planning, and network performance teams gain insight into the current state of networks, from local offices to the Internet.
We will also discuss some of the challenges encountered along the way, various attempts to make searching flow faster, and some recent developments using machine learning to identify attacks on the network.
In recent years, many organizations across government, industry, and academia have recognized the need to build an insider threat program (InTP) to protect their critical assets. Insider threat programs fuse information from across traditionally stovepiped portions of organizations (such as HR, IT, and physical security) to identify technical and behavioral activity of concern. In this presentation, we will discuss how modern insider threat programs work, what they’re designed to prevent, detect, and respond to, and how Netflow analysis can (and should) be incorporated into an insider threat program.
Insider threat analysts look for anomalous behavior and activity across a wide array of data sources – host-based audit logs, human resource management systems, anonymous reporting mechanisms, and even SIEM tools. In this presentation, we will provide examples of how Netflow data can be and has been used to detect anomalous insider behavior and activity, and show how correlating information from other data sources can be used to increase the effectiveness of the Netflow-based indicators.
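The kind of correlation described in this abstract, as an added example that is not part of the original talk or any of the programs it mentions: a per-user baseline of external egress is built from NetFlow-style records, a day is flagged when its volume departs sharply from that baseline, and the flag is then enriched with an HR data source so that a flow anomaly on an account already under review is prioritized. All flow records, the internal address ranges, the `HR_WATCHLIST` structure, the user-to-IP attribution and the thresholds are constructed assumptions for illustration.

```python
"""Added example: NetFlow egress anomaly indicator enriched with HR context.

Constructed sample data throughout; field names, thresholds and the HR
watchlist shape are assumptions, not the presenters' method.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumed internal address space; flows to these prefixes are not "egress".
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow records: (day, user, dst_ip, bytes_out). The "user" field is
# assumed to have been joined to the source IP from an authentication log.
BASELINE_DAYS = ["2024-03-01", "2024-03-02", "2024-03-03", "2024-03-04", "2024-03-05"]
FLOWS = []
for i, day in enumerate(BASELINE_DAYS):
    FLOWS += [
        (day, "alice", "203.0.113.10", 100_000 + 5_000 * i),
        (day, "alice", "10.1.2.3", 900_000),          # internal file server, ignored
        (day, "bob", "198.51.100.7", 250_000 + 10_000 * i),
        (day, "carol", "203.0.113.44", 80_000),
    ]
FLOWS += [
    ("2024-03-06", "alice", "203.0.113.10", 110_000),
    ("2024-03-06", "alice", "198.51.100.200", 4_800_000),  # large upload to a new host
    ("2024-03-06", "bob", "198.51.100.7", 260_000),
    ("2024-03-06", "carol", "203.0.113.44", 1_500_000),
]

# Constructed HR feed: accounts with a current HR event and a short reason.
HR_WATCHLIST = {"alice": "resignation notice 2024-03-04", "bob": "performance review"}


def is_external(ip):
    """True when the destination lies outside the assumed internal prefixes."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def daily_external_egress(flows):
    """Sum outbound bytes to external destinations per (user, day)."""
    totals = defaultdict(int)
    for day, user, dst, nbytes in flows:
        if is_external(dst):
            totals[(user, day)] += nbytes
    return totals


def flag_egress_anomalies(flows, eval_day, k=3.0, min_delta=1_000_000, min_history=3):
    """Flag users whose egress on eval_day exceeds mean + k*stdev of prior days.

    The absolute min_delta guard stops a flat baseline (stdev 0) from turning
    every small increase into an alert.
    """
    totals = daily_external_egress(flows)
    history = defaultdict(list)
    for (user, day), nbytes in totals.items():
        if day < eval_day:  # ISO dates compare correctly as strings
            history[user].append(nbytes)
    alerts = {}
    for (user, day), nbytes in totals.items():
        if day != eval_day or len(history[user]) < min_history:
            continue
        mu, sigma = mean(history[user]), pstdev(history[user])
        if nbytes > mu + k * sigma and nbytes - mu >= min_delta:
            alerts[user] = {"bytes": nbytes, "baseline_mean": mu}
    return alerts


def enrich_with_hr(alerts, watchlist):
    """Attach HR context; an HR event on an already-flagged account raises severity."""
    for user, alert in alerts.items():
        context = watchlist.get(user)
        alert["hr_context"] = context
        alert["severity"] = "high" if context else "medium"
    return alerts


def run(eval_day="2024-03-06"):
    """Evaluate one day against the constructed history and HR feed."""
    return enrich_with_hr(flag_egress_anomalies(FLOWS, eval_day), HR_WATCHLIST)


if __name__ == "__main__":
    for user, a in sorted(run().items()):
        print(f"{user}: {a['severity']} - {a['bytes']:,} B egress vs baseline "
              f"{a['baseline_mean']:,.0f} B; HR: {a['hr_context']}")
```

With this data, alice and carol are both flagged on the evaluation day, but only alice is rated high because the HR feed shows a pending resignation; bob appears on the HR watchlist yet stays within his baseline, so no alert is raised, which is the point of fusing the sources rather than alerting on either one alone.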