Network security forensics

IDENTIFY PROBLEMS AND REMEDIATE THEM WITH POST-EVENT ASSURANCE

Information is the lifeblood of your business. Credit card transactions, employee data, confidential corporate memos and the trade secrets that give your company its competitive edge all travel freely across your network infrastructure, exposed to the temptation of hackers and cybercriminals.

Safeguarding the company's strategic assets

Recent high-profile attacks have highlighted the need for stronger security strategies, and in particular for a forensic safety net for enterprises. A successful security breach can take months to detect, and if you have not captured the traffic you will not always be able to determine the method used... or the extent of the damage.

  • Ability to execute? Completeness of vision?

    VIAVI excels in both... and has been recognized six years in a row*
    A leader in the 2019 Magic Quadrant for Network Performance Monitoring and Diagnostics

  • Tested by Tolly

    Only VIAVI offers 60 Gbit/s network monitoring with lossless packet capture.

  • Packet Pushers Podcast

    Security Weekly Podcast Library

    Identify and Resolve Security Threats with High-Fidelity Wire Data

  • 2019 State of the Network Study

    NetOps and SecOps Converge

    Over 600 IT professionals weigh in on the workloads, challenges, data sources and team collaboration required to safeguard critical corporate assets.

  • Watch VIAVI's presentation to industry analysts

    The recording discusses VIAVI and its market position in detail, and also gives an overview of the Observer platform and VIAVI's vision for the future.

  • 4 Gaps to Fix in Your Security Detection and Response

    Strategies from expert threat hunters designed for NetOps & SecOps teams

  • Introducing Observer GigaFlow

    Master performance and security challenges with insight from every perspective.

  • Security spending

    Companies spend 50 times more on prevention than on investigating problems, but is that really effective?

No dropped packets

To defend multiple access points while keeping the network usable for legitimate users, any protection system must be multi-layered. Beyond firewalls, intrusion detection systems (IDS) and data loss prevention (DLP), an effective security solution must include forensic analysis capabilities, especially to counter APTs and other malware that has already crossed the perimeter defenses.

Teams that use this capability as part of their network performance monitoring and diagnostics (NPMD) tools can work with security teams to address this problem by providing packet-level forensic data.

With the VIAVI Solutions Observer platform, enterprise teams can:

  • Capture packet-level data, which is useful for recreating the actual traffic and making sure nothing is missed when investigating a breach or a network event;
  • Choose the configuration that fits their organization from several models, from a few terabytes to more than a petabyte of capture capacity;
  • Choose between rack-mounted, portable or software versions that capture and analyze traffic at the edge on remote sites;
  • Define baselines or alerts to identify abnormal traffic in real time or retroactively through easy-to-use interfaces built on sophisticated analysis algorithms;
  • Quickly grasp the key details of an attack: how it was carried out, which exploits were used and which systems or intellectual property were compromised;
  • Use web trace extraction to integrate with complementary third-party real-time security tools. GigaStor is now certified compatible with the Cisco FirePOWER IDS and can easily work with other products able to communicate through the REST API.

Key takeaway:
To be effective, network security forensics and breach investigations must include post-event access to every packet crossing the network.

The Observer platform helps ensure that every packet is captured and available for post-event investigation. Breaches and compromised assets are identified quickly by replaying the traffic and running extensive packet analysis. Having these capabilities can make all the difference between a breach going undetected and the precise identification of an attacker.

"Although often separate, NetOps and SecOps teams share the common goal of maintaining secure, high-performance network infrastructures. Infrastructure and operations leaders can leverage shared data and solutions to optimize budgets, avoid duplication of effort and improve the end-user’s experience."
– "Align NetOps and SecOps Tool Objectives With Shared Use Cases" By Gartner analysts Sanjit Ganuli and Lawrence Orans, July 24, 2018

  • How can network security software help you get visibility into your network in the event of a breach?

    When there’s an incident, the first thing the SecOps team is tasked to do is to find all the information they can about an IP address. Traditionally this involves asking the NetOps team to send over pcap files, and this can take a long time.

    With the Observer network security solution, we aggregate those network insights for you, proactively—that is, before the breach happens.

    The Observer application gives SecOps teams visibility into their network by interrogating the network’s devices, and not just routers, switches, and firewalls. We go a step further and talk to your proxy servers, load balancers, and even SD-WAN controllers. 

    We ask these devices the following questions:
    -    Have you seen this IP address?
    -    What decisions have you made with this IP address?
    -    How did you make that decision?

    Observer reads the ARP tables to get the MAC addresses corresponding to the devices in the network. We find user IDs from authentication domains, NetFlow, jFlow and IPFIX, and distill that information.

  • How can the Observer platform complement the other solutions in your suite?

    The Observer application gives SecOps and NetOps teams layer 2 and layer 3 network visibility within existing security workflows by interrogating the devices in the network.

    We answer the critical questions of a) What’s connected? and b) What’s communicating? We then stitch this information together (MAC addresses, user IDs, IP addresses and more) and compile it into interactive, intuitive workflows that let you navigate between these relationships.

  • What immediate business impact can Observer’s network security solution provide you with?

    • We can provide NetOps and SecOps teams with quicker, more accurate threat detection due to more complete forensic data
    • We can reduce the number of false positives with the more complete picture provided by Observer’s network visibility
    • We can foster collaboration between NetOps and SecOps teams, delivering increased efficiencies between them
    • We can streamline root cause analysis, especially when it comes to pinpointing why an application is not performing correctly
    • We can help NetOps teams resolve subjective end-user complaints
    • We can mitigate the risk factors involved in deploying major IT initiatives

  • What is the power of having a flow-based network security solution?

    Many flow-based solutions claim to play in the security arena by providing a few “security reports.” Our solution bridges the gap between NetOps and SecOps with views designed SPECIFICALLY for SecOps specialists.
    Observer provides automated detection of suspicious and malicious behaviors using multiple techniques and aggregates their results into an integrated threat map.

    • IP Blacklisting: Observer continuously updates pre-configured and custom blacklists.
    • SYN Forensics: Observer can alert on suspicious volumes and patterns of SYN-only flow records, which are often associated with network and port sweeps.
    • Traffic Profiling: a core capability of Observer that uses the enriched-flow records to build a traffic profile of each device on the network. Profiles are maintained in real time, and all subsequent traffic generated by a device is evaluated against its past behavior to surface unusual or anomalous activity.
  • Common Network Security Solutions Concerns

    You may have some questions regarding the application of enriched flow in your network infrastructure. Here are some ways that Observer can help you by addressing these network security software concerns.

    1. My devices are not capable of sending flow data…
       Observer can parse log data to produce enriched-flow records that function just like flow data.
    2. The most prevalent flow sources don’t have performance data…
       Observer applies advanced analysis functions to produce response time data from flows as part of the enriched flow.
    3. Flow vendors aggregate and de-duplicate, so the forensic value is minimal…
       Observer offers “full-flow forensics”, ensuring that every flow is retained and available for the most detailed analysis. Because of this archiving capability, Observer can support any retroactive reporting associated with an incident, powered by full-fidelity forensics.
  • How is Observer’s flow-based solution different from other flow-based network security monitoring solutions?

    Traditional flow-based network security solutions aggregate flow from only some network infrastructure devices. We take this a step further and compile user sources from domain servers and authentication servers, SNMP, MAC addresses from ARP tables, and even cloud sources like AWS and Microsoft Azure.

    When coupled with VIAVI Observer’s third-party validated wire data capture solution, GigaStor, an organization can give themselves the most complete picture of their network: true network visibility.

  • What are some key differentiators of VIAVI Observer’s network security software and performance solutions?

    • End-User Experience Scoring
      VIAVI leverages machine learning to identify an issue and automatically isolate the problem domain in seconds. In three clicks, users can go from high-level dashboards all the way down to network conversations, or wire data transactions, streamlining root cause analysis and reducing mean time to resolution (MTTR).

      This is useful in a security setting because a low end-user experience score can be indicative of a denial-of-service attack, which can also be detected by other tools within Observer’s network security software.

    • Enriched-Flow Records
      Visibility into your network is a critical component of any network security software, and one of the longest-standing, traditional pieces of network data is flow. Observer transforms traditional flow by stitching together enriched-flow records that compile flow, SNMP, user identity and session syslogs into one single “record”. When aggregated, these layer 2 and layer 3 insights yield unique, accessible visualizations such as the IP Viewer. These interactive visualizations and reports let a customer drill as far as they want into IP-to-MAC-to-user relationships, interface and device type information, traffic control, quality-of-service marking, and more.

    • Integrated Threat Map
      An integrated threat map, accessible directly from Observer Apex, provides visual ways to detect and monitor rogue activity through IP blacklisting, advanced traffic profiling that goes beyond basic whitelisting, and SYN Forensics.

    • Third-Party Validated Data Capture
      The VIAVI third-party validated wire data capture delivered by the GigaStor component of the Observer platform provides industry-leading stream-to-disk speeds and metadata production, giving an organization complete packet forensic visibility into all network activity. This allows a SecOps user to drill into packet-level network conversations in the event of any breach. When coupled with flow-based analysis, NetOps and SecOps teams alike benefit from a near-complete picture of their network.

    • Single Interface with Apex
      Traditionally, it can be difficult for SecOps teams to be granted timely visibility into the network, whether because of organizational silos around tool use or simply because it takes time to find the relevant network data. With Observer Apex, SecOps and NetOps teams alike can use the same interface to solve network security and performance related issues.

    • The Power of Flow and Packets Combined
      By combining wire data capture with GigaStor and flow-based analysis and archiving with GigaFlow, Observer can provide information from the data center as well as from a router at the edge of the network to paint the full picture. The ability to store enriched-flow records as full-fidelity forensics, together with the retention of network conversation data in GigaStor, means that SecOps and NetOps teams can retroactively go back and drill into any transaction on the network. This gives SecOps and NetOps teams true network visibility.


Let us help you

Contact us for more information, to request a quote or to view product demonstration videos. We are here to help you stay one step ahead.