Market Brief

Combating APTs with NetFlow


Gone are the days when the biggest threats were relatively innocuous hackers launching widespread worms for notoriety. Today's worst attacks are sharply targeted, driven by profit, theft of sensitive data or espionage, and take great measures to evade detection. Within this category is a newer and even more dangerous class of threat, the advanced persistent threat (APT). Those launching APTs take an even more stealthy and targeted approach, infiltrating specific corporate and government entities over long periods of time to extract highly sensitive information or gain access to critical systems.

APTs come from a wide variety of sources, including highly organized crime groups, nation-states, unscrupulous corporations and hacktivists. In 2011 there was a surge in attacks aimed at high-profile corporations and government agencies, from Sony to the CIA, by hacktivist groups such as LulzSec and Anonymous. Even security companies, including HBGary and RSA, have been subjected to APTs.

Because they combine several attack methods launched "low and slow," at times exploiting zero-day vulnerabilities for which no signature exists, APTs are often not detected by traditional security technologies such as antivirus, firewalls and IDS/IPS. Additionally, those who launch these attacks often bypass the perimeter altogether, instead gaining a foothold on the internal network by stealing login credentials through social engineering and spear phishing. Once inside, however, an attacker still has to move between hosts, check in with command-and-control infrastructure and move data out, and all of that shows up as network traffic. APTs are therefore most effectively investigated and mitigated at the network level, through technologies such as flow-based monitoring and anomaly detection.

StealthWatch Raises Situational Awareness to Better Investigate & Mitigate APTs

Because it does not rely on signature updates to detect attacks, and because it provides in-depth visibility into the internal network, Lancope's StealthWatch® System provides a key layer of protection against APTs. By collecting and analyzing NetFlow and other flow data from existing network devices, StealthWatch gives IT administrators a complete picture of what is happening on the network, making it easier to investigate and mitigate anomalous behaviors that could signify APTs or other types of attacks. Through behavioral analytics, StealthWatch uncovers not only externally launched attacks but also suspicious insider activity that could be the result of an APT, such as network misuse, policy violations, data leakage and device misconfigurations. According to the Ponemon Institute, "Over reliance on A/V and IDS solutions has weakened the collective security posture, as these solutions cannot stand up in the face of the advanced threats we now see. New solutions focused on network and traffic intelligence are seen as the best way to combat advanced threats, and much broader adoption is required."1
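As an added illustration of the flow-based behavioral analysis the two preceding sections describe, the following Python is example code written for this page, not Lancope's or StealthWatch's own implementation. It runs three signature-free checks over constructed NetFlow-style records: a large transfer to an external peer the host has never talked to (data leakage), evenly spaced small connections to one external host (low-and-slow command-and-control check-ins), and one internal host touching many internal peers on a single port with tiny flows (lateral movement). The record fields, the 10.0.0.0/8 internal range, the sample flows and every threshold are assumptions chosen for the example.

```python
"""Behavioral checks over NetFlow-style records (illustrative, not StealthWatch code)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed enterprise address range


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start time, epoch seconds (NetFlow "first switched")
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port
    octets: int    # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Learn, per internal host, its usual external peers and its largest outbound flow."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            peers[f.src].add(f.dst)
            sizes[f.src].append(f.octets)
    return {host: (peers[host], max(sizes[host])) for host in peers}


def detect_exfil(flows, baseline, ratio=10, min_octets=1_000_000):
    """Flag outbound flows to a never-seen external peer that dwarf the host's usual flow size.
    min_octets keeps hosts with no baseline from firing on every small flow."""
    hits = []
    for f in flows:
        if not (is_internal(f.src) and not is_internal(f.dst)):
            continue
        known_peers, biggest = baseline.get(f.src, (set(), 0))
        if f.dst not in known_peers and f.octets > max(ratio * biggest, min_octets):
            hits.append((f.src, f.dst, f.octets))
    return hits


def detect_beacons(flows, min_flows=6, max_cv=0.1):
    """Flag (src, dst) pairs whose connections are numerous and evenly spaced in time:
    a low coefficient of variation in inter-arrival gaps is typical of C2 check-ins."""
    stamps_by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            stamps_by_pair[(f.src, f.dst)].append(f.ts)
    hits = []
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        if cv <= max_cv:
            hits.append((pair[0], pair[1], round(mean(gaps))))
    return hits


def detect_lateral_scan(flows, min_targets=10, max_octets=500):
    """Flag an internal host reaching many distinct internal peers on one port with tiny flows."""
    targets = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.octets <= max_octets:
            targets[(f.src, f.dport)].add(f.dst)
    return [(src, port, len(t)) for (src, port), t in targets.items() if len(t) >= min_targets]


# Constructed sample data: a learning window of normal browsing by 10.0.1.5 ...
BASELINE_FLOWS = [
    Flow(1_700_000_000 + t, "10.0.1.5", "203.0.113.10", 443, b)
    for t, b in [(0, 2400), (37, 5100), (410, 3300), (1290, 4800), (2015, 2900)]
]
# ... and an observation window containing three suspicious patterns plus normal traffic.
OBSERVED_FLOWS = (
    [Flow(1_700_100_000, "10.0.1.5", "198.51.100.7", 443, 48_000_000)]            # 48 MB to a new peer
    + [Flow(1_700_100_000 + 300 * i, "10.0.2.9", "192.0.2.44", 443, 400 + i % 3)   # check-in every 300 s
       for i in range(8)]
    + [Flow(1_700_100_050 + i, "10.0.3.3", f"10.0.5.{i}", 445, 120)               # 12 hosts probed on 445
       for i in range(1, 13)]
    + [Flow(1_700_100_100, "10.0.1.5", "203.0.113.10", 443, 3700)]                 # ordinary, must not fire
)


def run():
    base = build_baseline(BASELINE_FLOWS)
    return {
        "exfil": detect_exfil(OBSERVED_FLOWS, base),
        "beacons": detect_beacons(OBSERVED_FLOWS),
        "lateral": detect_lateral_scan(OBSERVED_FLOWS),
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

None of the three checks needs a signature: each compares what a host is doing now against what it (or any host) normally does. In practice the baseline is learned over days or weeks rather than a handful of flows, and the thresholds are tuned per network segment, since a backup server legitimately produces large outbound flows and a monitoring host legitimately polls on a fixed interval.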

Overall, StealthWatch fills in the gaps left by other solutions to eliminate network blind spots and dramatically reduce the time from problem onset to resolution, all at a fraction of the cost of traditional monitoring solutions. In addition to providing in-depth intelligence on the internal network, StealthWatch can also conduct behavioral analysis on data from perimeter devices such as firewalls, delivering even greater situational awareness.

Advanced features including application and identity awareness, as well as automatic threat prioritization and mitigation, further enhance troubleshooting and support other efforts such as forensic investigations and compliance initiatives. StealthWatch is scalable to meet the needs of even the largest networks, analyzing up to 3 million flows per second, and can also monitor and protect virtual environments. With the 24/7, end-to-end network visibility provided by StealthWatch, organizations can obtain the levels of contextual awareness and actionable intelligence needed to better respond to the full breadth of network and security issues facing today’s enterprises. 

With Lancope’s StealthWatch, organizations can easily track the spread of malware throughout their infrastructure to more effectively investigate and mitigate APTs.


Customer Testimonials
Detecting attacks

“Immediately upon deployment, StealthWatch uncovered 400 misbehaving hosts and helped reduce network threats by 90 percent. New attacks, for which no signatures exist, now fail to gain a foothold unlike before.”

-Dartmouth College

Forensics

“Before StealthWatch, potential attacks, such as Internet worms, were usually identified and tracked through manual reviews of firewall logs, and we lacked adequate forensic tools to quickly investigate network attacks. Now, StealthWatch automatically notifies us of potential breaches and provides actionable forensics and host intelligence.”

-Children’s Hospital and Health System

Situational awareness

“StealthWatch goes beyond catching worms and denial-of-service attacks to provide a great deal of information about our network. The expanded knowledge StealthWatch affords helps our security team focus more on prevention than detection.”

-Telenor Norway

1 – Ponemon Institute, “Growing Risk of Advanced Threats,” June 30, 2010