Detecting Botnets Before They Wreak Havoc

If your enterprise is connected to the Internet, you are the target of a bot-driven attack. It is not a question of if or when you'll be compromised — it's a question of how bad the problem is, and how soon your staff can identify and minimize the damage. Targeted botnet attacks are difficult to detect using traditional security solutions. However, despite their quiet nature, they can cause very expensive, sometimes irreparable damage to an organization.

Through advanced behavioral analysis, Lancope's StealthWatch System can detect the command-and-control (CnC) communications between botnet attackers and compromised hosts within the network. This way, botnets can be quickly contained before they wreak havoc on network assets or performance, or even ruin a company’s reputation or financial health. This innovative approach is cost-effective and enables fast, effective remediation of this especially damaging attack method.

Thwarting Insider Threats

Everyone agrees that even the best perimeter defenses are permeable, but how do you detect data theft or sabotage by insiders? This activity can be difficult to differentiate from legitimate network transactions and is often not detected by signature-based security systems.

Delivering a complete picture of network activity, Lancope’s StealthWatch System provides the internal visibility and full audit trail necessary to fill in dangerous network blind spots and detect damaging insider attacks. By collecting and analyzing NetFlow, IPFIX and other types of flow data, StealthWatch can detect and alarm on suspicious insider behaviors such as unusually large file transfers or attempts to access restricted areas.

Advanced levels of insight including virtual, identity, application and mobile awareness further enhance Lancope’s insider threat detection capabilities, helping to pinpoint anomalous behaviors down to the device and user level. 

Combating APTs with NetFlow

The Advanced Persistent Threat (APT) has quickly become a top-level concern for organizations of all types and sizes. 

Today’s determined attackers will eventually penetrate their target’s network, often employing social engineering tactics to steal credentials and obtain access. In order to combat APTs, it is imperative that organizations gain visibility into their internal networks to fill gaps left by perimeter security solutions.

Lancope’s StealthWatch® System protects against APTs by delivering in-depth visibility into the network without relying on signature updates to detect attacks.

By leveraging flow data with sophisticated, behavioral analysis, StealthWatch can help organizations:

  • uncover externally-launched attacks
  • pinpoint suspicious insider activities
  • provide critical insight into network activity after attacks inevitably evade perimeter defenses
  • detect the various “kill chain” activities that sophisticated attackers follow to infiltrate a network, including network reconnaissance, covert C&C communications and internal pivoting

Detecting Distributed Denial-of-Service (DDoS) Attacks

Distributed denial-of-service (DDoS) attacks have risen in popularity with attackers over the past several years, and the size and duration of the attacks keep getting larger. Hacktivist groups around the world are launching DDoS attacks to make a political statement, while the attacks have also reportedly been used to distract corporate security staff from catching network break-ins aimed at stealing money or data. The time to prepare for a DDoS attack is not the day that one’s website goes down.

To effectively prevent large-scale DDoS attacks, organizations require not only mitigation solutions, but also network visibility tools that can make sense of the fog that rises during a denial-of-service attack. By providing continuous security monitoring across the enterprise network, Lancope’s StealthWatch System can help quickly detect both application-layer and volumetric DDoS attacks for fast incident response, helping to prevent costly service outages.

StealthWatch provides DDoS detection capabilities at the application layer with the ability to identify and alarm on slow connection floods for HTTP and HTTPS. StealthWatch also enables organizations to detect the source of volumetric DDoS attacks by alarming on unusually large traffic volumes, providing a multi-pronged approach to thwarting these rising attacks.
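The two flow-level DDoS patterns described above, worked through as an added example (this is illustrative code, not StealthWatch's own logic): a slow connection flood shows up as many distinct sources holding long-lived, low-byte connections to one web server, and a volumetric flood as a destination receiving far more bytes in a window than its baseline. The flow tuple layout, thresholds, baseline table and all addresses are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample flows: (start_s, duration_s, src, dst, dst_port, bytes).
# Hosts, ports and sizes are made up for the example.
SLOW = [(i * 6, 300, f"198.51.100.{i}", "10.0.0.80", 443, 400) for i in range(1, 21)]
NORMAL = [(i * 10, 2, f"203.0.113.{i}", "10.0.0.80", 443, 50_000) for i in range(1, 6)]
BURST = [(200 + i, 1, f"192.0.2.{i}", "10.0.0.53", 53, 4_000_000) for i in range(1, 11)]
FLOWS = SLOW + NORMAL + BURST

def slow_flood_sources(flows, web_ports=(80, 443), min_duration=60,
                       max_bytes=1_000, min_sources=10):
    """Distinct sources holding long-lived, low-byte connections per (server, port);
    return the servers at or above min_sources (slow-connection flood on HTTP/HTTPS)."""
    holders = defaultdict(set)
    for _, dur, src, dst, dport, nbytes in flows:
        if dport in web_ports and dur >= min_duration and nbytes <= max_bytes:
            holders[(dst, dport)].add(src)
    return {k: len(v) for k, v in holders.items() if len(v) >= min_sources}

def volumetric_alarms(flows, baseline, window_s=60, multiple=10):
    """Bytes per destination per window; alarm when a window exceeds multiple x
    the host's baseline bytes/window (baseline: dst -> bytes; unknown hosts skipped)."""
    per_window = defaultdict(int)
    for start, _, _, dst, _, nbytes in flows:
        per_window[(dst, start // window_s)] += nbytes
    return {key: b for key, b in per_window.items()
            if key[0] in baseline and b > multiple * baseline[key[0]]}

def top_sources(flows, dst, n=3):
    """Largest byte contributors to one destination, for tracing where a flood comes from."""
    by_src = defaultdict(int)
    for _, _, src, d, _, nbytes in flows:
        if d == dst:
            by_src[src] += nbytes
    return sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)[:n]
```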

“StealthWatch allows us to quickly see when a DDoS attack is happening, and identify the source and destination for fast resolution,” said Michael Jordan, director of network operations for Edge Web Hosting. (Read the Edge Web Hosting Case Study)

StealthWatch provides organizations with:

  • Layered DDoS protection
  • A simplified DDoS workflow
  • Small-volume, application-layer DDoS detection
  • Scalable DDoS identification
  • On-premises DDoS detection to augment carrier detection and provide local visibility and control
  • Dashboards, analytics and reporting for early warning
  • Forensic data for post-mortem analysis

For more information, download the Lancope and Radware integration brief on Non-intrusive DDoS Attack Detection and Mitigation.

Tracking the Spread of Malware on the Internal Network

With the porous nature of today’s enterprise networks, organizations can no longer rely on perimeter defenses to keep the bad guys out. Governments and enterprises therefore also require a means of tracking and stopping the spread of malware on the internal network. Through sophisticated behavioral analysis, Lancope’s StealthWatch System can quickly detect and mitigate the spread of malware across internal hosts.

With the StealthWatch Worm Tracker, administrators can easily view where a worm has been in an enterprise and where it is likely to go next. The Worm Tracker visually graphs the spread of a worm or virus throughout the network from node to node, providing instant visibility into the scope and impact of an outbreak. This way, malware propagation can be halted within hours instead of weeks.
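Two of the flow-data behaviours this page describes, the unusually large outbound transfer from the insider-threat section and the node-to-node worm spread of this section, worked through as an added example over constructed NetFlow-style records (illustrative code, not the Worm Tracker's or StealthWatch's own logic). The internal address range, the flow tuple layout, the SMB port used for propagation and every host and byte count are assumptions made for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space
is_internal = lambda ip: ip_address(ip) in INTERNAL

# Constructed sample flows: (seconds, src, dst, dst_port, bytes). Every host,
# port and byte count is made up for the example.
FLOWS = [
    (0, "10.0.1.5", "10.0.2.7", 445, 1_800),         # first SMB hop
    (5, "10.0.2.7", "10.0.2.8", 445, 1_900),         # .7 fans out to three hosts
    (6, "10.0.2.7", "10.0.2.9", 445, 1_950),
    (7, "10.0.2.7", "10.0.3.1", 445, 2_000),
    (9, "10.0.2.9", "10.0.2.7", 445, 1_700),         # back-edge to a host already seen
    (40, "10.0.4.4", "203.0.113.10", 443, 900_000),  # unusually large upload
    (41, "10.0.4.4", "198.51.100.5", 443, 350_000),
]

def large_outbound(flows, byte_threshold):
    """Internal sources whose total bytes to external hosts exceed the threshold."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return {src: b for src, b in totals.items() if b > byte_threshold}

def spread_graph(flows, port):
    """Directed internal->internal edges on one port, in time order (worm tracker view)."""
    graph = defaultdict(list)
    for _, src, dst, dport, _ in sorted(flows):
        if dport == port and is_internal(src) and is_internal(dst):
            if dst not in graph[src]:
                graph[src].append(dst)
    return dict(graph)

def infection_path(graph, seed):
    """Breadth-first walk from the first infected host: where the worm has been, in order."""
    seen, order, queue = {seed}, [], deque([seed])
    while queue:
        host = queue.popleft()
        order.append(host)
        for nxt in graph.get(host, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return order

def fanout_alarms(graph, min_peers):
    """Hosts that reached at least min_peers distinct internal peers on the worm port."""
    return {h: len(p) for h, p in graph.items() if len(p) >= min_peers}
```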

In addition to worms, StealthWatch tracks and alarms on a wide variety of other threats, including APTs, botnets and denial-of-service attacks. The SLIC Threat Feed adds another layer of protection by monitoring customer networks for communication with thousands of known command-and-control (C&C) servers and adding new botnets to its radar as they are identified in the wild.

Additionally, through StealthWatch Labs security updates, Lancope delivers behavioral detection algorithms for the top threats lurking online to customers outside of the regular product upgrade cycle. These security updates provide yet another layer of assurance for defending networks against the latest threat vectors.