Manila Bulletin

Big Data in Network Security Management

- By WILSON CHUA

Your company’s system administrators are smart, but too technical for top management to understand. The sysads lack training in presenting their findings. Your managers, on the other hand, don’t have the time to learn about packets, protocols and attack vectors, but they are the ones who decide how much money is allocated to security.

So how can your technical department present findings that highlight the need to invest in more security? We will use Big Data analytics techniques to bridge this gap.

Security-related data can come from a variety of sources, including Syslog, SNMP (Simple Network Management Protocol) and packet capture. For this article, let us use packet capture as the data source.

A packet capture tool like Wireshark, running on a PC connected to the local area network, records all the traffic it ‘sees’. This is a sample output. As any C-level executive will tell you, the output of Wireshark looks like ‘Greek’ to them. Our technical people need to present their findings in the executive’s lingua franca: graphs. So let us convert Wireshark data into visual graphs.

The first step is to export the capture into CSV format. Then import the CSV file into a data visualization tool like Tableau or Qlik. Finally, using the tool, create graphs that summarize or aggregate the information for presentation.

Tableau can organize the captured data into a visual that highlights the patterns and trends. We can present the distribution of packet lengths:

This graph represents the packet size distribution of the recorded network traffic. The packet sizes are on the x-axis, while the number of times each packet size was seen is on the y-axis.

Another informative graph shows the top sources of internet traffic, further broken down by internet protocol. In the graph below you will note that 74.125.164.105 (Google network) is the top source of traffic INTO the network.

Next, your managers might want to pinpoint who the top users of internet bandwidth are. This graph shows the top 20 (by sum of packet lengths). One of your internal PCs, with the IP address 10.20.79.233, eats up the lion’s share of traffic in the network. This is your bandwidth hog!

You can also use Tableau to create dashboards that are interactive. We can use this packet histogram to identify anomalies (outlier detection) in the network traffic. You may have a lot of packets that are either too big or too small. A large number of small packets (less than 100 bytes) would signal penetration tests, reconnaissance or malware activity, while an excessive number of large packets (more than 2000 bytes) could signal a possible data leak (someone is stealing your data, a.k.a. Comeleak?).

Looking at the packet size distribution by protocol, we see for example that there are several “chatty” devices (Wi-Fi routers) in the network. Those are the light blue portions with the “SSDP” protocol label. These devices have their UPnP (Universal Plug and Play) discovery service turned on. If we don’t need this service, I suggest you disable it.
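The same aggregations the article builds in Tableau (packet size histogram, top sources by protocol, top talkers by sum of length, the small/large packet outlier counts and the SSDP chatter) can be computed directly from the Wireshark CSV export. The script below is an added example written for this article, not the author’s Tableau workbook or any Wireshark code; it assumes the column layout of Wireshark’s “Export Packet Dissections, As CSV” (No., Time, Source, Destination, Protocol, Length, Info), and the eight packets embedded in it are constructed sample rows that reuse the addresses named in the text.

```python
import csv
import io
from collections import Counter

# Constructed sample rows in the layout of Wireshark's CSV export.
# The addresses match those mentioned in the article; the packets
# themselves are made up for this example.
SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","74.125.164.105","10.20.79.233","TCP","1514","443 > 51234 [ACK] Seq=1"
"2","0.000120","74.125.164.105","10.20.79.233","TCP","1514","443 > 51234 [ACK] Seq=1461"
"3","0.000300","10.20.79.233","74.125.164.105","TCP","66","51234 > 443 [ACK]"
"4","0.001000","10.20.79.12","239.255.255.250","SSDP","217","M-SEARCH * HTTP/1.1"
"5","0.001500","10.20.79.12","239.255.255.250","SSDP","217","M-SEARCH * HTTP/1.1"
"6","0.002000","10.20.79.45","10.20.79.1","DNS","74","Standard query A example.com"
"7","0.002500","10.20.79.233","203.0.113.9","TCP","2974","51300 > 80 [PSH, ACK]"
"8","0.003000","74.125.164.105","10.20.79.45","TCP","1514","443 > 49001 [ACK]"
"""


def parse_capture(csv_text):
    """Read the Wireshark CSV export into a list of dicts; Length becomes an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Length"] = int(row["Length"])
        rows.append(row)
    return rows


def length_histogram(rows, bin_size=100):
    """Packet size distribution: number of packets per length bucket (bytes)."""
    hist = Counter((r["Length"] // bin_size) * bin_size for r in rows)
    return dict(sorted(hist.items()))


def top_talkers(rows, column="Source", n=20):
    """Top hosts by sum of packet length, keyed on the Source or Destination column."""
    totals = Counter()
    for r in rows:
        totals[r[column]] += r["Length"]
    return totals.most_common(n)


def bytes_by_source_and_protocol(rows):
    """Bytes per (source, protocol) pair: the breakdown behind the
    'top sources by protocol' chart."""
    totals = Counter()
    for r in rows:
        totals[(r["Source"], r["Protocol"])] += r["Length"]
    return totals


def host_share(rows, addr):
    """Fraction of all captured bytes in which addr is the source or destination."""
    total = sum(r["Length"] for r in rows)
    host = sum(r["Length"] for r in rows if addr in (r["Source"], r["Destination"]))
    return host / total if total else 0.0


def size_outliers(rows, small=100, large=2000):
    """Count packets below `small` bytes and above `large` bytes, the two
    thresholds the article uses as recon/malware and data-leak hints."""
    return {
        "small": sum(1 for r in rows if r["Length"] < small),
        "large": sum(1 for r in rows if r["Length"] > large),
    }


def chatty_hosts(rows, protocol="SSDP"):
    """Hosts emitting a discovery protocol (SSDP by default), with packet counts."""
    return dict(Counter(r["Source"] for r in rows if r["Protocol"] == protocol))


if __name__ == "__main__":
    rows = parse_capture(SAMPLE_CSV)
    print("packet size histogram:", length_histogram(rows))
    print("top sources:", top_talkers(rows, "Source", 5))
    print("top destinations:", top_talkers(rows, "Destination", 5))
    print("by source and protocol:", dict(bytes_by_source_and_protocol(rows)))
    print("share of 10.20.79.233: %.0f%%" % (100 * host_share(rows, "10.20.79.233")))
    print("size outliers:", size_outliers(rows))
    print("SSDP chatter:", chatty_hosts(rows))
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; the dictionaries it returns are the same summaries a Tableau histogram or bar chart would draw, and the thresholds in size_outliers are the ones the article suggests rather than values tuned for any particular network.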

Your sysads can make a case for your company peering with PhOpenIX to get access to the Google caches (Google Search, YouTube, Gmail, etc.), since the majority of your traffic goes to Google anyway. Send an email to info@phopenix.net

As to the top users by destination graph, further investigation may be warranted as to why this single PC accounts for over 60% of total network traffic. Could it be infected? Could it be running BitTorrent? Could the user be downloading movie files for personal use?

The author will be presenting other detailed case studies at ROOTCON 2016 in Taal Vista, Tagaytay on Sept 23, 2016. Details here: https://www.rootcon.org/xml/rc10/register
