Combating APTs with NetFlow
Over the past several years, the Advanced Persistent Threat (APT) has quickly risen as a top-level concern for organizations of all types and sizes. The term APT refers to highly targeted, sophisticated attacks associated with nation-state efforts to conduct cyber espionage. Any organization that houses valuable intellectual property or national intelligence, or that controls key components of a nation’s infrastructure, can now find itself squarely in the bullseye of an APT.
Conventional Defenses Leave Gaps
The APT is able to anticipate and evade conventional security defenses. Technologies that guard just the perimeter of the network, or that rely on signature updates to detect attacks, are still necessary lines of defense, but are often rendered powerless in the face of an APT. Determined attackers will eventually find their way into their target’s network, often employing social engineering tactics to steal credentials and obtain access. In order to combat APTs, it is imperative that organizations know what is going on within their internal networks to fill in the gaps left by perimeter security solutions.
According to Mandiant, a firm that specializes in APT investigations, 100% of the attacks they investigated in 2011 utilized stolen access credentials, yet only 54% of compromised machines were infected with malware. What this means is that advanced attackers can often only be identified by analyzing the behavior of legitimately logged-in users. Mandiant also reported that it takes a median of 416 days for the typical organization to discover an advanced attack within its network.[1]
StealthWatch Provides Internal Visibility and Threat Intelligence to Combat APTs
Lancope’s StealthWatch® System serves as a key layer of protection against APTs by delivering in-depth visibility into the internal network without relying on signature updates to detect attacks. By collecting and analyzing NetFlow, IPFIX and other flow data from existing network devices, StealthWatch provides IT administrators with a complete picture of everything happening on the network, making it easier to investigate and mitigate anomalous behaviors that could signify an APT.
Through sophisticated, behavioral analysis, StealthWatch uncovers not only externally-launched attacks, but also suspicious insider activities, providing critical insight into what compromised machines are doing after attacks inevitably evade perimeter defenses. This in-depth, internal visibility allows organizations to detect the various steps that sophisticated attackers take to infiltrate a network, including network reconnaissance, internal malware propagation, communication with command-and-control servers and data exfiltration.
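The four attacker steps listed above (internal reconnaissance, contact with command-and-control servers, and data exfiltration; internal propagation shows up as the same scanning pattern) can be expressed as simple behavioral rules over flow records. The following is an added example, not Lancope's or StealthWatch's code: it defines NetFlow-style records with a constructed address plan (10.0.0.0/8 assumed internal, documentation ranges assumed external), constructed sample flows, and three heuristics with thresholds chosen for illustration only.

```python
"""Toy flow-record analyser (added example; not Lancope/StealthWatch code).

Reads NetFlow-style 5-tuple records with byte/packet counts and start times
and applies three behavioural heuristics of the kind the text describes a
flow collector detecting: internal reconnaissance (scanning), command-and-
control beaconing (periodic outbound contact) and bulk data exfiltration.
All addresses, records, baselines and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = [ip_network("10.0.0.0/8")]  # assumed internal address space


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds (constructed clock)
    src: str
    dst: str
    dport: int
    proto: str
    bytes: int
    packets: int


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL)


def detect_recon(flows, min_targets=20, max_packets=3):
    """Flag internal hosts that touch many distinct internal host:port pairs
    using tiny flows (a scan looks like many short, unanswered probes)."""
    touched = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.packets <= max_packets:
            touched[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in touched.items() if len(t) >= min_targets}


def detect_beacons(flows, min_count=8, max_cv=0.1):
    """Flag (src, dst) pairs whose outbound flow start times are almost evenly
    spaced: coefficient of variation of the inter-flow gaps <= max_cv."""
    times = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            times[(f.src, f.dst)].append(f.ts)
    hits = {}
    for pair, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            hits[pair] = round(m)  # estimated beacon interval in seconds
    return hits


def detect_exfil(flows, baseline_bytes, factor=10):
    """Flag internal hosts whose outbound byte volume exceeds factor x their
    historical baseline; a host with no baseline is flagged on any outbound bytes."""
    out = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out[f.src] += f.bytes
    return {h: b for h, b in out.items() if b > factor * baseline_bytes.get(h, 0)}


def sample_flows():
    """Constructed flows: one scanner, one beaconing host, one bulk uploader, noise."""
    flows = []
    for i in range(25):  # 10.0.0.5 probes 25 internal hosts on 445 with 1-packet flows
        flows.append(Flow(1000 + i, "10.0.0.5", f"10.0.1.{i + 1}", 445, "tcp", 60, 1))
    for i in range(10):  # 10.0.0.7 contacts 198.51.100.9 exactly every 300 s
        flows.append(Flow(2000 + 300 * i, "10.0.0.7", "198.51.100.9", 443, "tcp", 900, 6))
    flows.append(Flow(5000, "10.0.0.9", "203.0.113.4", 443, "tcp", 500_000_000, 400_000))
    for t in (100, 137, 410, 455, 902, 1300, 1311, 2100, 2900, 3333):  # irregular browsing
        flows.append(Flow(t, "10.0.0.11", "192.0.2.10", 443, "tcp", 20_000, 30))
    return flows


# Constructed per-host outbound baselines (bytes per period) from "history".
BASELINE = {"10.0.0.9": 2_000_000, "10.0.0.7": 500_000, "10.0.0.11": 30_000_000}


def analyse(flows=None, baseline=BASELINE):
    flows = sample_flows() if flows is None else flows
    return {
        "recon": detect_recon(flows),
        "beacons": detect_beacons(flows),
        "exfil": detect_exfil(flows, baseline),
    }


if __name__ == "__main__":
    for name, hits in analyse().items():
        print(name, hits)
```

Run as-is, the analyser flags 10.0.0.5 as a scanner (25 targets), the 10.0.0.7 to 198.51.100.9 pair as a 300-second beacon, and 10.0.0.9 for outbound volume far above its baseline, while the irregular browsing host is not flagged. Real deployments replace the constructed baselines with per-host history and tune each threshold to the observed network.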
According to the Ponemon Institute, “Over reliance on A/V and IDS solutions has weakened the collective security posture, as these solutions cannot stand up in the face of the advanced threats we now see. New solutions focused on network and traffic intelligence are seen as the best way to combat advanced threats, and much broader adoption is required.”[2]
StealthWatch eliminates network blind spots by providing the actionable intelligence required to better respond to network and security issues, at a fraction of the cost of traditional monitoring solutions. Advanced features including application and identity awareness, as well as automatic threat prioritization and mitigation, further enhance troubleshooting and support other efforts such as forensic investigations and compliance initiatives.
StealthWatch is scalable to meet the needs of even the largest networks, analyzing up to 120,000 flows per second (fps) per collector, or 3 million fps total, and can also monitor and protect virtual and BYOD environments. Global 2000 enterprises and government agencies around the world, including Cisco Systems, Siemens, AirTran Airways and over 20 U.S. federal government agencies, rely on StealthWatch to help keep their networks up and running and secure. StealthWatch is also a major component of the Cisco Cyber Threat Defense Solution, designed to combat the most dangerous threats facing today’s enterprises.
With Lancope’s StealthWatch, organizations can easily track the spread of malware throughout their infrastructure to more effectively investigate and mitigate APTs.
“Immediately upon deployment, StealthWatch uncovered 400 misbehaving hosts and helped reduce network threats by 90 percent. New attacks, for which no signatures exist, now fail to gain a foothold unlike before.”
“Before StealthWatch, potential attacks, such as Internet worms, were usually identified and tracked through manual reviews of firewall logs, and we lacked adequate forensic tools to quickly investigate network attacks. Now, StealthWatch automatically notifies us of potential breaches and provides actionable forensics and host intelligence.”
-Children’s Hospital and Health System
“We knew that the volume of new attacks and the vectors used were only going to increase, so we chose to stay ahead of the curve with a behavioral analysis system. StealthWatch was the only solution we tested that does not rely on canned signature-matching techniques to identify risky network traffic.”
“StealthWatch goes beyond catching worms and denial-of-service attacks to provide a great deal of information about our network. The expanded knowledge StealthWatch affords helps our security team focus more on prevention than detection.”
“StealthWatch is an incredibly useful tool for blocking external reconnaissance traffic and locating compromised systems throughout our campus. In fact, StealthWatch detected two major systems that were exploited, a problem that was not seen with our current IPS devices.”
-Illinois State University
[1] Mandiant M-Trends Report, https://blog.mandiant.com/archives/2326
[2] Ponemon Institute, “Growing Risk of Advanced Threats,” June 30, 2010