During his presentation, Herring will review how network logging technologies such as NetFlow and IPFIX can be used to create an audit trail of network activity. This audit trail can then be used to create detailed forensic timelines of security events, determine the impact of the events and discern the attack vectors used in circumventing security controls.

As a senior systems engineer, Herring focuses on assisting operators of Lancope’s StealthWatch System in detecting and responding to advanced security threats. Prior to joining Lancope, he spent 10 years on active duty with the U.S. Navy. His last position in the Navy was as the lead network security analyst for the Naval Postgraduate School. After leaving the Navy, Herring spent six years consulting with the U.S. Federal government, as well as serving as a contributing network security product reviewer for the InfoWorld Test Center.

Click here for more information on the ISSA Motor City Chapter Meeting and the Lancope presentation, “Incident Response and Forensics with NetFlow.” For further details on Lancope’s solutions for incident response and forensics, go to: http://www.lancope.com/solutions/security-operations/forensics/.

Cisco also announced yesterday a new Security Threat Defense Ecosystem to integrate with leading threat defense systems including Lancope’s StealthWatch. The Cisco Security Threat Defense Ecosystem centers around partner platforms that integrate with the Cisco Identity Services Engine (ISE), and will expand upon the security context available to customers for identifying and mitigating today’s most dangerous cyber-attacks – even those stemming from mobile devices.

ISE is also the first product to adopt Cisco’s new Platform Exchange Grid (pxGrid) framework. Through pxGrid, Cisco is enabling Lancope and other partners to share valuable security information back and forth between its systems, as well as among its various partners to foster a stronger, more collaborative approach to network security.

According to joint Lancope and Cisco customer, CareFusion, “NetFlow, ISE and Lancope together represent the cyber defense trifecta that gives CareFusion the network visibility and security context to respond to security threats much more efficiently. We now have a single pane of glass that tells us the 'who/what/when/where/how' associated with a potential threat, which helps us prioritize the most serious events and respond to them quickly.”

In addition to being part of the Cisco Security Technology Partner Ecosystem and pxGrid, Lancope technology also makes up a key component of the Cisco Cyber Threat Defense Solution designed to combat APTs and other stealthy, targeted attacks lurking within enterprise networks. As a Registered Developer of network security products in the Cisco Developer Network, Lancope consumes data from a wide range of Cisco devices including ISE, the Catalyst Series, NGA, ASA, ASR/ISR and Nexus platforms.

See Cisco’s blog post for more details on this announcement. For more information on StealthWatch for combating advanced threats, go to: http://www.lancope.com/solutions/security-threats/.

The activities of negligent and nefarious insiders, as well as targeted attacks such as APTs, are difficult to differentiate from legitimate network transactions – especially when using conventional, perimeter- and signature-based security measures. McKinley’s presentation will cover recent research on the characteristics and behaviors associated with insider threats and targeted, external attacks, as well as discuss technologies like NetFlow that can help organizations detect them. 

FIRST conferences promote worldwide coordination among Computer Security Incident Response Teams (CSIRTs), providing a forum for sharing ideas and information on improving global computer security. Further details on McKinley and his presentation can be found here. For more information on NetFlow for combating advanced threats, go to: http://www.lancope.com/solutions/security-threats/.

However, SCADA operators have been skeptical about claims surrounding vulnerabilities within their systems. They are demanding solid proof of these concerns before they take the appropriate actions to secure them.

Lancope’s director of security research, Tom Cross, has recently delivered several presentations surrounding SCADA security to provide concrete examples of these problems and discuss potential solutions. According to Tom, because they were largely built on proprietary systems never meant to be connected to the Internet, SCADA systems pose a significant challenge when it comes to cyber security. Evolving industry regulations such as NERC CIP and FISMA/NIST are also forcing critical infrastructure providers to take a closer look at their security procedures to meet tougher compliance requirements.

While many SCADA operators would still like to believe that their systems are not connected to the Internet, this is simply not the case. According to Sean McGurk, Director, National Cybersecurity & Communications Integration Center, U.S. Department of Homeland Security, “In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks. In some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise network.”

Source: HP 2012 Cyber Risk Report

Recent years have seen an increase in SCADA vulnerability disclosures.

So what do we do about this? Unfortunately, due to the time-sensitive and crucial operations of SCADA systems, conventional security practices such as patching, which cause downtime and introduce changes to the system, are not always practical options. Additionally, technologies like anti-virus and intrusion prevention systems may be incompatible with SCADA systems and interfere with their correct operation.

While better SCADA system patching procedures are a necessity for the future, it may take the industry a while to work it out so that systems can be safely patched without requiring large-scale upgrades or causing excessive downtime or performance issues. Moving forward, SCADA systems will also need to be designed from the ground up with cyber security in mind.  

While these are all long-term solutions to this rising issue, one best practice that can make a difference immediately is flow-based monitoring. Flow-based monitoring solutions like Lancope’s StealthWatch System collect and analyze NetFlow and other flow data from existing infrastructure to provide in-depth network visibility.

SCADA operators can leverage NetFlow to baseline normal network activity and keep a watchful eye on their systems to quickly identify anomalous behaviors that could signify an issue. Since NetFlow is already inherent within government and enterprise networks, organizations can simply turn it on without having to make any changes to their systems, and can monitor the network for security issues without running the risk of interfering with the critical operations of the control system.

This technology is invaluable for detecting both external threats including sophisticated malware and APTs, as well as insider threats – malicious, negligent or compromised insiders who could use their privileged access to cause equipment malfunctions, disrupt operations or even spark widespread disasters. NetFlow can also help identify and correct risky connections between SCADA systems and less secure networks, and through identity awareness, can help hold users accountable for any actions that jeopardize security or compliance.

According to the Henry County Water & Sewerage Authority, “There are considerable security risks associated with even the smallest changes to the [SCADA] system. StealthWatch proved its value immediately by helping us determine the security and effectiveness of our SCADA changes in real time.”

For more information on how StealthWatch can help secure SCADA networks, click here or listen to our recent webinar delivered by Tom Cross.

Attendees will learn about the power of NetFlow for network and security monitoring through expert presentations, best practice discussions and hands-on labs. The goal of the seminars is to enable network and security teams to maximize their existing infrastructure to improve operations and dramatically enhance their defenses against sophisticated cyber-attacks.

Click here to learn more about the “University of NetFlow” or to register for an upcoming training.

It's hard to make it through a single week without hearing of another data breach on a scale large enough to at least give us a mild case of indigestion.  Just last week the Financial Times' Twitter feed (@FT) was taken over by a group of pro al-Assad activists who call themselves the Syrian Electronic Army (SEA).  It wasn't their first successful attempt, either. 

The fallout in this particular case amounted to nothing more than run-of-the-mill social media vandalism, though with a gruesome twist: numerous tweets were posted that linked to a YouTube video which reportedly shows a Syrian rebel group executing blindfolded members of the Syrian army.  I'll take Al Jazeera's and the Huffington Post's word on that as I'd rather not see the footage for myself. 

More interesting, however, than the conversation about the Financial Times' social media security policy and Twitter's woes lately involving two-factor authentication is a conversation about the motives and potential downside of attacks by groups such as the SEA which are politically motivated.  Their intent may transcend the typical motives of money or data and move squarely into the realm of damaging reputation or disrupting normal activity. 

Consider the SEA's previous hijinks, whereby they were able to take control of the Associated Press (@AP) and send a few tweets about multiple explosions at the White House, and reports that President Obama was injured in the blasts.  Immediately the major stock exchanges took a tumble.  Fortunately, it was reported as a hoax very shortly after and the market recovered swiftly, but how do you begin quantifying that damage in financial terms?  What's the dollar value on each keystroke of a 140 character tweet that can affect a global economy? 

The Financial Times and the Associated Press are not the SEA's only recent victims; they've mounted successful attacks against social media accounts of numerous media outlets like the BBC, NPR, 60 Minutes, and Reuters.  They even went after The Onion (is nothing sacred anymore?), but weren't successful there.  What if they had coordinated the false messaging among numerous legitimate, Twitter-verified accounts that they had silent control of?  What kind of damage is done then?  How much longer before it's announced as a hoax, and how much longer do the ripples of misinformation take to calm down across the sea of social media?  It's like a game of telephone gone horribly wrong. 

If you're expecting a boiler-plate about how StealthWatch is the silver bullet to fix this scenario, you won't get one, because it isn't.  The secret is that there is no silver bullet.  These types of problems are complex, vary from organization to organization, and require a significant effort by multiple facets of an organization to develop an effective and secure social media policy.  It follows much of the same complexities as insider threat. 

Can StealthWatch help parts of this problem?  Sure!  Attacks like these often begin as spear phishing attacks.  Slate ran an article back in April about how legitimate the SEA's targeted emails to the AP looked.  That link could easily point somewhere we don't intend it to, opening the door to malware infection of compromised credentials.  One user doing this effectively takes every IDS/IPS an organization has deployed and throws it right in the trash can. That investment was worth $0 at this point, and we now have to rely on a new strategy to identify network behavior that deviates from the expected norm.   

(Note that I am not advocating removing IDS/IPS from your network; we must always lock our front doors!) 

In short, I do not claim to know what advanced malware will look like 12 months from now.  I am reasonably sure that the process by which these attacks will perpetuate will remain the same, however, and by deploying a comprehensive and pervasive flow-based behavioral detection system such as StealthWatch, identifying this type of behavior post-infection will be greatly assisted where traditional IDS/IPS and even reputation scoring will fall flat.

According to the 2013 Verizon Data Breach Investigations Report, 14% of breaches were perpetrated by insiders. Additionally, the report states that 76% of the breaches it analyzed used weak or stolen credentials to gain network access, and 29% used social engineering tactics – making insiders a key point of weakness when it comes to network security. And according to The CERT Guide to Insider Threats, IT sabotage, theft and fraud conducted by insiders is costing companies millions.

Network Visibility

While preventative security technologies and best practices such as perimeter defenses, access control, data encryption and user education can make some level of difference when it comes to thwarting insider threats, these controls are often no match against those that already have privileged access to the internal network and do not need to use exploits and malware to carry out attacks. Often times, the only real way to identify and halt insider threats is to have comprehensive visibility into what is going on inside the network. Obtaining a complete audit trail of network activity allows organizations to quickly pinpoint anomalous behavior that could signify risks.

Various technologies such as firewalls, SIEMs, IDS/IPS, packet capture and NetFlow can log network activity to provide insight into what is going on in the network. There are tradeoffs associated with each method, so it is important to consider the advantages and disadvantages of each approach. (See white paper for further details.)

Benefits of NetFlow

As demonstrated by the slide below, NetFlow provides a very broad, cost-effective and lightweight means of obtaining a comprehensive view of network activity. NetFlow provides a look at all transactions occurring on the network to enable quick detection of suspicious activities such as emails with large attachments being sent to third parties or unusually high traffic to a printer (which could be signs of data theft/exfiltration).

When leveraged with advanced technologies like Lancope’s StealthWatch System, NetFlow-based monitoring can also provide additional layers of context including device, application and identity awareness for more enhanced forensics and incident response. Lancope also announced new user-centric monitoring functionality today that enables administrators to investigate network behaviors and anomalies based on specific user names, further increasing protection against insider threats.

The best way to detect and prevent insider threats is to have in-depth visibility into the internal environment and a means of filtering and prioritizing the massive amount of data available on the network into concise, actionable intelligence. This is the main goal and premise of StealthWatch.

While technology alone cannot entirely solve the issue of insider threats (it has to be a cross-functional effort involving IT, HR and Legal), NetFlow can provide a key piece of the defense-in-depth strategy needed to successfully curb these types of attacks.

Click here to learn more about leveraging NetFlow to combat insider threats. Additional tips and best practices from Tom Cross for addressing insider threats can be found here.

1. Network flows equal visibility, and you can never have too much visibility. Flow data provides vital network traffic data and statistics for router and switch interfaces at each layer of the network. This allows for Layer 3, 4 and 7 data to be analyzed at each interface for troubleshooting, bandwidth consumption, capacity planning, network segmentation analysis, and more. Additionally, important data including MPLS information, BGP and peering data is collected at the edge. From inside the network, Quality of Service and VLAN information is available. No matter where you collect NetFlow, you obtain crucial data such as packet counts, byte counts, flags, L4 port information and much more.

2. Different flows for different things. Flow telemetry has matured to provide much more than the original network metadata such as source/destination IP, port and protocol information. Some flow exports today include fields such as application type (Packeteer-2, NBAR, StealthWatch FlowSensor, Palo Alto); firewall drops/permits (Cisco ASA, Palo Alto, SonicWALL); NAT/PAT translations (Cisco ASA, ASR); username (Palo Alto) and even payload capture (StealthWatch FlowSensor, sFlow). In some cases, NetFlow is the only source of real visibility – for example, in virtualized environments where most data traffic never leaves the host.

3. Collecting flows at all layers of the network provides a holistic, 360⁰ view.  The information provided by NetFlow is essential for teams across functions including operations, analysis, security policy, incident response, compliance, etc. Removing NetFlow reduces your overall situational awareness and your ability to react to changing conditions both inside your network and on the Internet.

Click to see larger image.

Receiving and processing duplicate flows is an inherent and essential part of a mature flow collection strategy. NetFlow provides critical telemetry data at almost every hop in the network. When properly analyzed with advanced monitoring solutions like Lancope’s StealthWatch System, NetFlow can give you the clearest, most concise picture of what is going on inside the network at any given time. It is invaluable for both real-time threat detection and network forensic analysis.

Click here for more information on leveraging NetFlow for comprehensive network visibility and security.

The threats to SCADA systems are indeed real, and are especially challenging to address. Join Lancope’s director of security research, Tom Cross, to learn about:

• The state of control system security vulnerabilities
• Attack activity that is prompting a change in perspective
• The unique, long term challenges associated with protecting SCADA networks
• How anomaly detection can play a key role in protecting SCADA systems now

The webinar, “SCADA Security: The Five Stages of Cyber Grief,” will take place at 11:00 a.m. Eastern on May 15. Click here to register.

Tom Cross will speak on Thursday, May 9 on the growing issue of insider threats. He will discuss how to spot insider threats within an organization, identify their network activity, and protect valuable infrastructure and assets against them. Cross has over a decade of experience as a security researcher and thought leader. Prior to joining Lancope, he served as manager of the IBM X-Force Advanced Research team. He is credited with discovering a number of critical security vulnerabilities and frequently speaks on security issues at conferences around the world. 

The intended audience for the upcoming symposium includes CIOs, CISOs, security and IT professionals at defense contractors, critical infrastructure companies, government organizations, law enforcement, and IT security and research organizations. Further information on the event can be found here.

Click here to learn more about how to combat rising insider threats.