Lancope

Lightweight extrusion detection with NetFlow and StealthWatch 5.10.1

Hi all, just getting back from vacation in Gatlinburg, TN. If you live in the southeast and like mountains, beef jerky, ninja stars, and pancakes, this is the place for you! Lots of kitschy stuff to buy and/or eat, and it's only three hours from our home office in Atlanta, GA.

Anyway, while I was out we announced a new version of the StealthWatch System, v5.10.1. This is a minor release containing a number of small bug fixes and a new "Suspect Data Loss" alarm designed to help detect suspicious uploads to the Internet.


The Suspect Data Loss feature is designed to work in conjunction with your existing Data Loss Prevention technology (if you have one). Content-based DLP tech has proven its value and is now being offered by a number of vendors such as Websense, Experian, and others. We don't want to take anything away from what these guys are doing; however, the new StealthWatch 5.10.1 Suspect Data Loss alarm introduces a clever new method of detecting "interesting uploads" without the use of payload content analysis. StealthWatch uses statistics, behavior, and analysis of NetFlow to detect suspicious uploads. Based on our past experience working alongside traditional IDS/IPS vendors, we know that flow-based analysis of network traffic works well when paired with content-based systems.

The Suspect Data Loss algorithm works like this:

1. Collect flows from network routers or a Lancope FlowSensor. Be sure to cover all major Internet uplinks.

2. For each flow elect a "client" and a "server". The client is the side that initiated the transfer. Your browser is a client. www.google.com would be a server.

3. Build up a baseline of the average amount of data bytes flowing from clients within your internal network to servers out on the Internet. The user can whitelist websites such as facebook.com, salesforce.com, or youtube.com.

4. Raise alerts and build reports that describe uploads to servers on the Internet that appear to be outside the norm.
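The four steps above, carried through in one runnable toy detector. This is an added illustration written for this post, not StealthWatch code, and the flow record layout, the site configuration (internal ranges, whitelist, thresholds) and the sample flows are all constructed assumptions. It elects client and server per flow (using the exporter's initiator flag when present, otherwise falling back to the "ephemeral port is the client" heuristic), sums bytes uploaded from internal clients to non-whitelisted Internet servers per day, builds a mean-plus-sigma baseline per client, and reports clients whose upload today is outside the norm. Because NetFlow carries no URLs, the whitelist is expressed as IP/CIDR ranges rather than domain names.

```python
"""Toy NetFlow-style suspect-upload detector (added example; not StealthWatch code)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from typing import Optional

# Assumed site configuration (constructed for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
WHITELIST = [ip_network("203.0.113.0/24")]   # hypothetical sanctioned SaaS range, by IP not URL
BASELINE_DAYS = 7                            # days of history behind the baseline
SIGMA_THRESHOLD = 3.0                        # alarm above mean + 3 sigma ...
MIN_ALERT_BYTES = 50_000_000                 # ... but never below a 50 MB floor


@dataclass(frozen=True)
class Flow:
    """One bidirectional flow record (constructed shape, not a real NetFlow v5/v9 layout)."""
    day: int
    a_ip: str
    a_port: int
    b_ip: str
    b_port: int
    a_to_b_bytes: int
    b_to_a_bytes: int
    a_sent_syn: Optional[bool] = None   # set when the exporter knows who opened the connection


def elect_client(flow: Flow) -> tuple[str, str, int]:
    """Return (client_ip, server_ip, upload_bytes): the initiator is the client."""
    if flow.a_sent_syn is None:
        a_is_client = flow.a_port > flow.b_port   # fallback: high/ephemeral port side is the client
    else:
        a_is_client = flow.a_sent_syn
    if a_is_client:
        return flow.a_ip, flow.b_ip, flow.a_to_b_bytes
    return flow.b_ip, flow.a_ip, flow.b_to_a_bytes


def in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in n for n in nets)


def daily_uploads(flows) -> dict[str, dict[int, int]]:
    """Bytes uploaded per internal client per day to non-whitelisted Internet servers."""
    totals: dict[str, dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        client, server, up = elect_client(f)
        if not in_any(client, INTERNAL_NETS) or in_any(server, INTERNAL_NETS):
            continue   # only inside -> Internet counts as an upload
        if in_any(server, WHITELIST):
            continue   # sanctioned destination, tuned out
        totals[client][f.day] += up
    return totals


def suspect_uploads(flows, today: int) -> list[tuple[str, int, float]]:
    """(client, today_bytes, threshold) for clients whose upload today exceeds their baseline."""
    alerts = []
    for client, by_day in daily_uploads(flows).items():
        history = [by_day.get(d, 0) for d in range(today - BASELINE_DAYS, today)]
        threshold = max(mean(history) + SIGMA_THRESHOLD * pstdev(history), MIN_ALERT_BYTES)
        today_bytes = by_day.get(today, 0)
        if today_bytes > threshold:
            alerts.append((client, today_bytes, threshold))
    return alerts


def _up(day: int, client: str, server: str, nbytes: int, sport: int = 443) -> Flow:
    """Constructed internal-client -> external-server flow uploading `nbytes`."""
    return Flow(day, client, 50000 + day, server, sport, nbytes, 1500, True)


# Constructed sample flows for days 0..7 (today = 7).
SAMPLE_FLOWS: list[Flow] = []
for d, mb in enumerate([1, 2, 3, 2, 1, 2, 3]):            # quiet workstation, ~2 MB/day
    SAMPLE_FLOWS.append(_up(d, "10.1.1.5", "198.51.100.10", mb * 1_000_000))
# Day 7: same workstation pushes 400 MB over SSH; record written server-first with no SYN flag,
# so the port heuristic has to elect the client.
SAMPLE_FLOWS.append(Flow(7, "198.51.100.77", 22, "10.1.1.5", 59000, 1500, 400_000_000, None))
for d, mb in enumerate([90, 110, 100, 95, 105, 100, 100, 110]):   # busy host, ~100 MB/day
    SAMPLE_FLOWS.append(_up(d, "10.1.1.7", "198.51.100.20", mb * 1_000_000))
for d in range(8):                                          # heavy but whitelisted SaaS uploads
    SAMPLE_FLOWS.append(_up(d, "10.1.1.6", "203.0.113.5", 300_000_000))
# External client pulling from an internal web server: not an upload, must be ignored.
SAMPLE_FLOWS.append(Flow(7, "192.0.2.9", 51234, "10.1.1.5", 80, 5000, 900_000_000, None))

if __name__ == "__main__":
    for client, nbytes, thr in suspect_uploads(SAMPLE_FLOWS, today=7):
        print(f"Suspect Data Loss: {client} uploaded {nbytes} bytes today (threshold {thr:.0f})")
```

Run as written, only 10.1.1.5 is reported: its 400 MB day is far above both its own tiny baseline and the absolute floor, while 10.1.1.7's 110 MB day sits within three sigma of its normal volume and 10.1.1.6's large transfers go to a whitelisted range. The floor is what keeps a host with an all-zero history from alarming on a few kilobytes; the sigma term is what keeps a legitimately busy host from alarming just for being busy.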


There is a bit more to it than that but you get the general idea. We've had a lot of success with this new alert in the beta sites and think that it'll work quite well in our general user population. Some tuning is involved (whitelisting for instance) but the added visibility into uploads leaving your network is well worth it.

Contact support@lancope.com to get started with the upgrade and shoot me an email or comment here once you have had some time to work with it to let us know how it's going.


Comments (2)


Jeff Thomas on 04.07.2010

Is this now available by URL or still just IP? My last experience was with the 5.9 version. I don’t recall URIs as a filter option.

The user can whitelist websites such as facebook.com, salesforce.com, or youtube.com.

Adam Powers on 04.07.2010

Hi Jeff, URL filtering isn’t currently an option given NetFlow’s layer 3/4 restrictions. You’ll have to include all possible youtube/facebook/salesforce/etc. IP addresses. It’s possible, just a bit tedious.

I’m still waiting on Cisco to provide URL and/or HTTP info in Flexible NetFlow. This would solve MANY problems with filtering and analysis of NetFlow data. Yes, they are adding NBAR support to NetFlow, but this doesn’t satisfy the requirement.