dlp detection with netflow
play

DLP Detection with Netflow Christopher Poetzel Network Security - PowerPoint PPT Presentation

Jan 27, 2023 •142 likes •347 views

DLP Detection with Netflow Christopher Poetzel Network Security Engineer Argonne National Laboratory FloCon 2011 Jan 11, 2012 Who Am I? Christopher Joseph Poetzel University of Wisconsin-Madison BS Computer Science

  1. DLP Detection with Netflow Christopher Poetzel Network Security Engineer Argonne National Laboratory FloCon 2011 Jan 11, 2012

  2. Who Am I?  Christopher Joseph Poetzel  University of Wisconsin-Madison – BS Computer Science  Argonne National Laboratory – summer student through college Brextyn Ayers Poetzel – 10 years full time Nov 5 th , 2010  Network/Security Engineer – Firewall/VPN/Network Administrator – IDS/Netflow Scripting – Proxy/URL Filtering

  3. Argonne National Laboratory IT Environment Challenges  Diverse population: – 2500 employees – 10,000+ visitors annually – Off-site computer users – Foreign national employees, users, and collaborators  Diverse funding: – Not every computer is a DOE computer. – IT is funded in many ways.  Every program is working in an increasingly distributed computing model.  Our goal: a consistent and comprehensively secure environment that supports the diversity of IT and requirements.  Balance Science, Security, and Architecture. Argonne is managed by the UChicago Argonne LLC for the Department of Energy. 3

  4. Emphasis on the Synergies of Multi-Program Science, Engineering & Applications Accelerator Fundamental Physics Research Infrastructure Computational Analysis Science Materials Characterization Catalysis Science Transportation Science Nuclear User Facilities Fuel Cycle Structural .. and much more. Biology 4

  5. High Level Split of Argonne Divisions Scientific Operations • Advanced Photon Source • HR, Finances • Biology • Plant and Facility Management • High Entergy Physics • Medical • Environmental Sciences • IT Computer Support, Core Networking • Super Computers • Cyber Security  Mission is Support Science  Less open and little collaboration  Mission is to do Science  More Controlled by Central IT  More open and collaborative  with world Access to Sensitive Information  – Less controlled by Central IT PII Records, Payroll, Medical  Full outbound restrictions  Benefits, Travel System  Limited Http, HTTPS (some ftp)

  6. Data Loss Prevention (DLP)  Data Loss Prevention ( DLP ) is a computer security term referring to systems that identify, monitor, and protect data in use, data in motion, and data at rest through deep content inspection, contextual security analysis of transactions, and with a centralized management framework. • Protect Data in use: endpoint actions • Protect Data in motion: network actions • Protect Data at rest: data storage  The systems are designed to detect and prevent the unauthorized use and transmission of confidential information.  The Data to protect is dependant on organization – PII (Social Security Numbers, Birth Dates, Addresses) – Credit Card Numbers – Source Code – Internal Only Documents  Many Many Vendors in this Game – McAfee, BlueCoat, RSA, Symantec, Trend …………….. BECAUSE

  7. DLP Happens .. All the time .. Even to Me  WikiLeaks: Nov 2010 – Government Documents leaked for all to see – Arrests Made, USA Government “Embarrassed”, National Security “Threatened”  Gawker Media Hacked: Dec 12, 2010 – 1.3 million user names and passwords exposed after user database compromised – 500MB Torrent file of all accounts/passwords – Gawker Advises users to change passwords or delete account  Heartland Payment Systems (Credit Card Processing): May 15 th , 2008 – 130,000,000 Credit Card Numbers Stolen – Settlement with VISA: $60,000,000.00 Jan 2010 – Settlement with AMEX: $3,538,380.00 Dec 17, 2009  University of Wisconsin-Madison: Nov 26, 2010 – 60,000 names and identification card numbers including Social Security numbers stolen from server (1 was me)  http://datalossdb.org

  8. DLP happens, so now what  Early 2009, Argonne Cyber Security Program Office says DLP as a capability we would like to have.  How can this be done given the following: – No money for vendor solution – No complete desktop network control of all hosts – Small amount of time to commit to project – Automated System • minimal human interaction • We do not have 24X7 analysts or operations center • We do not want be chasing down alerts all the time – We are not web traffic cops. We are not trying to stop people from getting to Facebook/Yahoo/etc • Want to be alerted on large unauthorized offsite uploads that might be DLP • Want to catch those “abuse” cases of people web surfing all day/night long  What is the our best bang for out buck?

  9. Our Solution  A Netflow based solution to look for anomalous amounts of offsite data within the last hour.  Focus on areas of greatest risk  Alert us to things “out of normal”  Configurable – Ability to exclude ips – Ability for different thresholds for different networks  Automated Email Alerting

  10. Focus on areas of greatest risk Operations  Operations Divisions provide the greatest area of risk • HR, Finances – Contains the meat • Plant and Facility Management of sensitive data • Medical • IT Computer Support, Core Networking  Jobs are not about • Cyber Security collaboration, about support  Mission is Support Science  Less open and little collaboration  Offsite traffic is  More Controlled by Central IT limited to Http, Https and thus easier to  Access to Sensitive Information model and  PII Records, Payroll, Medical understand  Benefits, Travel System  Limited Http, HTTPS (some ftp)

  11. Alert us to things “out of normal”  Using netflow we base lined the normal hourly amount of offsite web traffic for 1 month. – Fairly simple netflow script  On Average, Per subnet, offsite Web traffic threshold  Weekdays – 6am-6pm, 25 MB – 6pm – 6am, 5 MB  Weekends, 5MB Configurable  Exclude known offsite uploaders by IP Address – Stored in a mysql database table  MB Thresholds are on a per subnet basis  Also in a mysql database table

  12. Automated Email Alerting  ALERT for Excessive OFFSITE WEB Traffic  FWInterface: sample_yellow network  FWNetwork: 146.137.XXX.0  FWIntDescr: Sample Yellow network  Dest: Offsite NON-ANL on TCP 80,443  TimeStart: Monday, 2010-12-13 11AM  TimeEnd: Monday, 2010-12-13 12PM  Offsite MB  For Subnet: 38.096  Threshold for 1 Host During Period: 25 MB/hour for single host  Further Information for Alarm Period  # --- ---- ---- Report Information --- --- --- #  # Fields: Total  # Symbols: Disabled  # Sorting: Descending Field 2  # Name: Source IP  # Args: flow-stat -f9 -S2

  13.  # IPaddr flows octets packets  #  146.137.58.24 704 27035481 28856  User:Doe, Jane DNS:csi3388XX  Top 25 Dest Hosts  # recn: ip-destination-address*,flows,octets,packets,duration  post.craigslist.org,89,25080978,21459,197888  Key Line in Alert Email  a184-84-255-8.deploy.akamaitechnologies.com,44,416136,745,2060800  159.53.64.105,85,383093,1324,137472  ** others removed **  # stop, hit record limit.  146.137.58.25 1596 5510900 49389  146.137.58.30 82 1380209 25425  146.137.58.42 492 1196430 5126  Apparently this user was uploading something large to craigslist during work hours. – Work related??

  14. Script Logic / Flow-Tools Guts  Create ACL to watch for traffic from network Y (include exemptions)  Determine Offsite Traffic in last hour for network Y (146.137.X.Y) – Run Netflow on Border Router to get Offsite Mb amount for subnet for past hour – flow-cat $flowargs | flow-filter -f /tmp/$Tempfile -S check1 -P 80,443 | flow-stat -f9 -S2  Check amount against thresholds – Thresholds run against database limits  Send Alert Email if threshold tripped  356 line perl script, backend database table for thresholds, exclusions, and subnets to watch  Fairly Efficient / Quick – Watching 49 networks for DLP detection – Average runtime is 5minutes – Took less than a week to come together

  15. What the solutions does  First insight into DLP for those networks where it matters – HR, Financial People, Lab Directors, etc  Identifies people uploading large amounts of data to offsite services – Facebook – Online Email attachments – Snapfish/Walgreens/ETC – YouTube Videos – Or something large heading offsite that shouldn’t be  Identifies afterhours personal doing lots of web surfing in the wee hours of the morning  Exemptions and different thresholds do not bury us with false positives  Helps us know our network better

  16. What this solution is not  Does not actually stop DLP, just helps detect it  Focused only on the network detection side of DLP  Gives no information on data offloaded – Not available within netflow – Can obtain with use of local PCAP device  No Polices like a vendor solution – No inspection of traffic leaving (social security numbers, credit card, resumes, etc)  Will not catch DLP when – Network MB volume is low – Local Argonne network is not being monitored

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska, J. Novotn, {piskac|novotny}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management July 30, 2010, Maastricht, The Netherlands

479 views • 26 slides
Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T. Plesnk, M. Truneka, V. Krmek {celeda|vykopal|plesnik|trunecka|vojtec}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network

1.19k views • 36 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views • 17 slides
Security Hands-on @ Pavilion Stream + NetFlow for Security & Insider Threat Detection Kelly

Security Hands-on @ Pavilion Stream + NetFlow for Security & Insider Threat Detection Kelly

Security Hands-on @ Pavilion Stream + NetFlow for Security & Insider Threat Detection Kelly Feagans | Sales Engineering September 2017 | Washington, DC Objective OBJECTIVE Learn how to use NetFlow with the Splunk Stream Forwarder for

444 views • 20 slides
Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks Botnets Large group of infected computers,

610 views • 23 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of

SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of

SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of respondents admitted that their organizations have already been impacted by an SSH key-related compromise in the last 24 months. Ponemon 2014 SSH

916 views • 57 slides
NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents Netflow What it is and how it works Uses and Applications Vendor Configurations/Implementation Cisco and Juniper NetFlow tools

1.24k views • 62 slides
Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network Monitoring and Visibility Challenges Technology of the future Q&A What t is NetFlow? Network protocol originally developed by Cisco

560 views • 21 slides
Netflow Malicious activities detection Cedric Foll @follc Goal Being able to detect (most of)

Netflow Malicious activities detection Cedric Foll @follc Goal Being able to detect (most of)

Netflow Malicious activities detection Cedric Foll @follc Goal Being able to detect (most of) malicious activities without having to read logs Logs are boring, reading them takes a lot of time Graphic visualisation is more effective, fast

855 views • 30 slides
Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United

Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United

Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United States Computer Emergency Readiness Team (US-CERT) Detection and Analysis January 2011 Background As the number or compromises escalates and our

182 views • 15 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org> NetFlow Traffic Monitoring Cisco NetFlow is a commercial standard for network monitoring and accounting Many companies (e.g. Cisco, Juniper,

430 views • 14 slides
Autom atic anom aly detection using NfSen Wim Biemolt, SURFnet Werner Schram, SURFnet 14/ 12/

Autom atic anom aly detection using NfSen Wim Biemolt, SURFnet Werner Schram, SURFnet 14/ 12/

Autom atic anom aly detection using NfSen Wim Biemolt, SURFnet Werner Schram, SURFnet 14/ 12/ 2007 Autom atic anom aly detection using NfSen - SURFnet and netflow anomaly detection - NERD - NfSen - PeakFlow SP - Currently used detection

594 views • 26 slides
Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore,

Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore,

Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore, George Varghese University of California, San Diego IETF60 Aug 4, 2004 IPFIX WG UCSD CSE Disclaimers "NetFlow" used

510 views • 26 slides
Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring

Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring

A Performance Benchmark for NetFlow Data Analysis on Distributed Stream Processing Systems NOMS 2016 Wednesday 27 th April, 2016 Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring and Analysis

606 views • 23 slides
Protecting Sensitive Data Implementation of a Sensitive Data Manager Recommendation Briefed

Protecting Sensitive Data Implementation of a Sensitive Data Manager Recommendation Briefed

Protecting Sensitive Data Implementation of a Sensitive Data Manager Recommendation Briefed Presidents Executive Council on 13 Jan: recommended to proceed with deploying a Sensitive Data Manager tool on all UND owned computers to

321 views • 6 slides
See Plan Share Investor Presentation May 2017 www.pointerra.com ASX:3DP The

See Plan Share Investor Presentation May 2017 www.pointerra.com ASX:3DP The

See Plan Share Investor Presentation May 2017 www.pointerra.com ASX:3DP The Opportunity Rapid growth in global demand for 3D data driven by mix of asset management imperatives & emerging disruptive technology applications

359 views • 18 slides
Unmanned Aerial Vehicles James England NDF, BSc(Hons)For, MicFor GIS & Mobile Mapping

Unmanned Aerial Vehicles James England NDF, BSc(Hons)For, MicFor GIS & Mobile Mapping

South of Scotland Cluster Meeting Short Presentation about New technology in the Forest 12 th March 2014 James England Structure Overview of the presentations Introduction & background Unmanned Aerial Vehicles James England NDF,

388 views • 21 slides
The Leica BLK Family 3D Reality Capture for as-built and construction progress documentation

The Leica BLK Family 3D Reality Capture for as-built and construction progress documentation

The Leica BLK Family 3D Reality Capture for as-built and construction progress documentation Christian Schfers, Director Business Development BLK 1 st 2 nd of November 2018 Leica Geosystems is the industry leader in measurement and

559 views • 32 slides
Mission We accompany immigrants in their transition from poverty and isolation to workforce

Mission We accompany immigrants in their transition from poverty and isolation to workforce

Mission We accompany immigrants in their transition from poverty and isolation to workforce participation and prosperity. Day Laborer Program Goal Job matching services connecting employers with workers and to provide housing, educational,

489 views • 8 slides
Exploring Tradeoffs between Programmability and Efficiency in Data-Parallel Accelerators

Exploring Tradeoffs between Programmability and Efficiency in Data-Parallel Accelerators

EECS Electrical Engineering and Computer Sciences B ERKELEY P AR L AB P A R A L L E L C O M P U T I N G L A B O R A T O R Y Exploring Tradeoffs between

793 views • 55 slides
Child Safeguarding Statement of Presentation Secondary School Warrenmount Presentation Secondary

Child Safeguarding Statement of Presentation Secondary School Warrenmount Presentation Secondary

Child Safeguarding Statement of Presentation Secondary School Warrenmount Presentation Secondary School Warrenmount is a post-primary school providing post- primary education to pupils from First Year to Sixth Year Leaving Certificate. In

220 views • 3 slides
SURVEY RESULTS MAR C H 17, 2020 Revenue Loss To Date Region gion 13 13a a (152

SURVEY RESULTS MAR C H 17, 2020 Revenue Loss To Date Region gion 13 13a a (152

N O R T H E R N O N T A R I O COVID-19 19 SURVEY RESULTS MAR C H 17, 2020 Revenue Loss To Date Region gion 13 13a a (152 respondents) -$ 932,336 Region gion 13 13b b (59 respondents) -$ 3,368,265 Region gion 13 13c c (200

518 views • 8 slides

More recommend