Q & A with network behavior analysis software expert - Adam Powers

Yesterday was a very big day for me, as network behavior analysis software expert Adam Powers afforded me the unique opportunity to interview him in a Q&A session about his thoughts regarding the $1.3 billion network performance management software market. First, hats off to Cisco for creating this thriving industry!

Adam Powers
As CTO of Lancope, Adam Powers is a leading innovator in the development of next-generation network behavior anomaly detection solutions. Adam is a significant driver of Lancope's R&D of behavioral algorithms and analysis techniques for the StealthWatch System. With a decade of operational and engineering experience in enterprise IP security technologies, Adam commands considerable expertise in datacenter network design, IP flow analysis techniques, content delivery networks, and enterprise network security planning and management. During his tenure as a Sergeant with the US Marine Corps, Adam managed UNIX and IP networks across 5 operational datacenters and participated in several highly confidential information security initiatives.

1. What versions of NetFlow do you support?
NetFlow v1, v5, v7, and v9 (sampled and non-sampled); cflow (sampled and non-sampled), and any other flow format adhering to the formats listed.

2. Do you support IPFIX?
We do not currently. There is little to no demand at the moment given Nortel’s recent "v9 export format support."

3. What are you doing currently with Flexible NetFlow?
Flexible NetFlow (FNF) represents a wide range of possibilities for the NetFlow analysis community. FNF in conjunction with NetFlow v9 enables a new world of analysis techniques not previously available with other NetFlow formats. Unfortunately, adoption of FNF has been somewhat slow due to lack of vendor support for the more advanced features such as Flexible Packet Matching (FPM) and the ability to export many additional fields not previously available.

Cisco IOS Flexible Packet Matching (FPM) Video:

To date, Cisco has included over 160 FNF "monitors" that the operator can select from for export to the flow collector. Imagine exporting Flexible NetFlow that contains not only the usual source and destination IPs, ports, etc., but also the username associated with the flow. Flexible NetFlow can track a wide range of IP information:
Keep in mind that FNF is a Cisco proprietary technology. The real enabler here is NetFlow version 9. NetFlow v9 uses self-defining flow templates which allow the exporter to send anything it wants to the collector. FNF is the technology included in Cisco’s IOS that allows the configuration of the data included in the templates. It is now up to the vendor community to make use of these new fields. Lancope will debut support for extended NetFlow v9 fields in the 5.7 release and further its FNF support in early ‘08. Due to the confidential and highly competitive nature of the work being performed by Lancope engineering, I can’t comment much on this topic at this time.

4. As we discussed earlier, you compete with Arbor Networks in the Service Provider space (which is a very small part of your business), NetQoS and Mazu in the enterprise (which is the majority part of your business), what makes you different?
In terms of differences between Lancope and Mazu, we stress scalability and ease of use. Our GUI is highly advanced. Arguably the best in the industry.

5. Lancope touts "Deduplication" in the following "post link," does Mazu or NetQoS do this as well? http://seclists.org/focus-ids/2005/Jul/0109.html
The above post link is still accurate. The only companies that have implemented deduplication are Arbor, Mazu and Lancope. In my opinion, this functionality is a requirement if you are even considering security analysis of NetFlow data. The diagram below explains why. As packets travel from 10.2.2.2 to 10.1.1.1 they traverse two routers, both of which will export the same NetFlow record to the flow collector. If the flow collector doesn’t know to reconcile the duplicates it will "double report." The larger the network the worse this problem becomes. For security analysis purposes, the difference between 1000 TCP connections and 2000 (or more depending on the number of duplicates) can be significant.
Duplicates Diagram
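The double-reporting problem in the diagram above, worked as an added example that is not Lancope's code: a small collector-side reconciler over constructed NetFlow-style records, where the field names and the 5-second merge window are assumptions.

```python
"""Reconciling NetFlow records that several exporters report for one flow.

Added example, not StealthWatch code. Record fields and the merge window
are assumptions; the sample records are constructed.
"""
from collections import namedtuple

FlowRecord = namedtuple(
    "FlowRecord", "exporter src dst sport dport proto packets octets first last")

# Constructed sample: one TCP connection from 10.2.2.2 to 10.1.1.1 crosses
# routers R1 and R2, so both export a record for the same flow. A second,
# unrelated connection is seen by R1 only.
SAMPLE_FLOWS = [
    FlowRecord("R1", "10.2.2.2", "10.1.1.1", 51234, 80, 6, 10, 1500, 100, 105),
    FlowRecord("R2", "10.2.2.2", "10.1.1.1", 51234, 80, 6, 10, 1500, 100, 106),
    FlowRecord("R1", "10.2.2.3", "10.1.1.1", 51235, 443, 6, 4, 600, 101, 102),
]


def flow_key(rec):
    """Identity of a flow, independent of which exporter reported it."""
    return (rec.src, rec.dst, rec.sport, rec.dport, rec.proto)


def deduplicate(records, window=5):
    """Merge records with the same 5-tuple whose start times lie within
    `window` seconds. Counters are NOT summed (that would double count);
    the largest value wins, since a router downstream of packet loss may
    have seen fewer packets. The exporter field lists every router that saw
    the flow, which is useful for path reasoning later."""
    buckets = {}
    for rec in sorted(records, key=lambda r: r.first):
        group = buckets.setdefault(flow_key(rec), [])
        if group and abs(group[-1].first - rec.first) <= window:
            kept = group[-1]
            group[-1] = kept._replace(
                exporter=kept.exporter + "," + rec.exporter,
                packets=max(kept.packets, rec.packets),
                octets=max(kept.octets, rec.octets),
                last=max(kept.last, rec.last))
        else:
            group.append(rec)  # same 5-tuple, but a later, distinct flow
    return [r for group in buckets.values() for r in group]


def tcp_connection_count(records):
    """TCP (protocol 6) flows: the figure a detector compares to baseline."""
    return sum(1 for r in records if r.proto == 6)


def total_octets(records):
    return sum(r.octets for r in records)
```

Without reconciliation the constructed sample reports three TCP connections and 3600 octets; after it, two connections and 2100 octets, which is what actually crossed the network.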
6. Why is Lancope’s StealthWatch different from the little guys like ManageEngine and Scrutinizer?
The fundamental difference is in our "learning engine" and our behavioral algorithms. Network Behavior Analysis vendors such as Lancope have their roots in the security community. You can almost think of Lancope’s StealthWatch system as an "IDS/IPS for NetFlow." NetFlow is simply the "fuel" that StealthWatch uses to run its behavior-based engine. Consider an automobile. The fuel is far less important than the car itself. You can buy an inexpensive but feature / performance limited Hyundai or you can buy a high performance, feature-rich BMW. Lancope sells the BMW of NetFlow analysis platforms. In short, there are two fundamental differences between technologies such as Plixer, Crannog, or AdventNet and high-end NetFlow technologies from the likes of Lancope...

1. Performance and scalability. StealthWatch is designed to scale to the largest corporate networks in the world. Some highlights:

The system can baseline up to 12.8 million unique IP addresses.
StealthWatch Management Console (SMC) supports up to 25 appliance-based flow collectors.
Each collector can process a sustained 40,000 fps (flows per second) and burst to over 300,000 fps in times of need.
And each collector supports up to 1000 unique NetFlow "exporters" (router or other devices sending NetFlow to the collector).

This performance and scalability is achieved through a distributed processing model that keeps the heavy-weight "flow crunching" off the central StealthWatch manager. The diagram below describes a typical StealthWatch installation. Note this diagram shows not only NetFlow collection, but also "sFlow" and "NC" collectors. The diagram also shows Lancope’s identity tracking technology, the ID-1000, in action. More on these other technologies from Lancope in another Brad Reese on Cisco Blog.

Lancope StealthWatch Installation
2. Behavior-based flow analysis technology. Lancope owns several patents regarding the analysis of network flows, one of which is U.S. Patent Number 7,185,368 titled "FLOW-BASED DETECTION OF NETWORK INTRUSIONS." Since the company’s inception in 2000, Lancope engineering has been exploring the wide world of flow-based analysis for security application. The latest outcome of our research can be seen in the 5.7 version of the StealthWatch System due out in early December. Also, Lancope will be announcing its "Behavior Engine v2.0," although it’s too early to talk much about it now (but definitely later in another Brad Reese on Cisco Blog); suffice it to say we’re doing some amazing things with learning technology and visualization of network behaviors in the 5.7 release. It will certainly be nothing you’ll see from the "classic" NetFlow collector providers. As an example of what can be done if you have the right algorithms in place, take this screenshot below showing the outbreak of a worm and propagation across the network. The StealthWatch flow analysis engine utilizes a technology called Worm Tracker to detect and correlate flows from multiple NetFlow exporters to formulate a single view into the nature of an attack. The purple host (55.6.1.2) represents the start of the worm outbreak. The green hosts represent the subsequent infected hosts.
Outbreak of a worm and propagation across the network
7. Why would a customer choose StealthWatch vs. Scrutinizer, which I have written about in the below link? http://www.networkworld.com/community/node/20115
While the Scrutinizer product is impressive from a network operations perspective, security functionality is almost nonexistent. It’s the security analytics that provide the real value. See your previous #6 question for more info.

8. As we discussed, just how big do you feel the Behavior Analysis market is within NetFlow?
"Most NBA vendors are small, private companies but Yankee Group estimates the 2007 market for pure-play NBA tools at approximately $125 million." Source: Yankee Group, "Adjust Your Behavior: Network Management Incorporates Behavioral Analysis to Optimize Performance," August 2007

Here’s the important part: the $125 million number above assumes “NBA” functionality only. That is, security application of NetFlow reporting and analysis. From the same report.... "2007 market for network performance management software is approximately $1.3 billion, or 43% of the nearly $3 billion market for network fault and performance management software. This is an increase from 2005 when performance management constituted 40% of network fault and performance management. Yankee Group estimates that passive, agentless monitoring tools and probes that capture flow data to analyze performance comprise $500 million of the $1.3 billion performance management market." So if you combine the $125 million companies are spending on security analysis of NetFlow with the $500 million they are spending on performance analysis using NetFlow, the actual market is around $650 million. NetFlow is still a largely untapped, unknown powerhouse waiting to be enabled within the enterprise. As more customers learn of the potential value and as publications such as Network World Cisco Subnet continue to champion the NetFlow cause, this number will grow.

9. How big do you feel the NetFlow industry is now that Cisco has increased its sales goal to $50 billion by 2010 (can Network World Cisco Subnet mention your 250% sales growth year over year)?
All you really have to do is look at Cisco’s customer base. Anyone that has a large, distributed Cisco environment (most all the Global 5000) can benefit, often tremendously, from NetFlow technology in one way or another. Again, the challenge is getting the word out. Once engaged, most everyone agrees that this is a must-have technology for any organization that has serious network and security operations.

10. Viewed the flash demo and have listed the following questions alphabetically: http://www.lancope.com/products/stealthwatch-demo/

A: How are 90 attributes and 120 algorithms different from traditional security signatures?
StealthWatch uses behavioral learning, statistics, and mathematical equations to pick up on patterns of malicious activity in NetFlow messages. Signature-based systems such as Snort use pattern matching and protocol anomaly detection techniques to look for specific malicious payload within the packet. Both have their strengths and weaknesses. Signature-based systems require an actual probe or inline device be installed into the network to gain access to the packet payload. NetFlow-based systems only require a NetFlow capable router be present at the point in the network where observations are required. Signature systems require continuous updates to the signature database in order to detect the "latest and greatest" attacks. Behavior-driven systems such as StealthWatch detect attacks through behavior-baselining and algorithmic analysis. The StealthWatch System does not require signature updates. The diagram below shows a simple overview of the flow analysis process in the StealthWatch engine. Flows are collected from the network, processed into the StealthWatch behavior-based engine, and anomalies accumulated in a single leading indicator called the "Concern Index." As more algorithms match on the suspicious behavior, the Concern Index value for the attack increases until a tolerance-based threshold is breached, at which time an alarm is raised and action taken.
Lancope StealthWatch Flow Analysis Process
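The accumulation just described, as an added illustration and not StealthWatch's engine: two assumed toy algorithms score constructed per-host flows, their points accumulate into one index per host, and an alarm fires only when that index exceeds a tolerance-based threshold derived from the host's own past values. The algorithms, point values, threshold rule and sample data are all assumptions.

```python
"""Concern Index style accumulation over per-host flow summaries.

Added example, not Lancope code. The two scoring algorithms, their point
values, the threshold rule and all sample data are assumptions.
"""
from statistics import mean, pstdev

# Constructed sample: host -> list of (dst, dport, proto, replied).
# 10.5.0.7 sweeps forty /24 neighbours on TCP/445 and gets no replies;
# 10.5.0.9 makes two ordinary, answered web connections.
HOST_FLOWS = {
    "10.5.0.7": [("10.1.1.%d" % i, 445, 6, False) for i in range(1, 41)],
    "10.5.0.9": [("10.1.1.1", 80, 6, True), ("10.1.1.2", 443, 6, True)],
}
# Constructed history of each host's Concern Index over earlier periods.
HISTORY = {"10.5.0.7": [0, 0, 4, 0, 6], "10.5.0.9": [0, 2, 0, 0, 0]}


def addr_scan(flows):
    """Many distinct destinations: 5 points per destination beyond 10."""
    return 5 * max(0, len({f[0] for f in flows}) - 10)


def half_open(flows):
    """Unanswered connection attempts: 2 points each beyond 5."""
    return 2 * max(0, sum(1 for f in flows if not f[3]) - 5)


ALGORITHMS = [addr_scan, half_open]


def concern_index(flows):
    """Every matching algorithm adds to one per-host indicator."""
    return sum(alg(flows) for alg in ALGORITHMS)


def threshold(history, tolerance=3.0, floor=50):
    """Tolerance-based: the host's mean past index plus `tolerance` standard
    deviations, never below `floor` so a quiet host cannot alarm on noise."""
    if not history:
        return floor
    return max(floor, mean(history) + tolerance * pstdev(history))


def evaluate(host_flows, history):
    """Return {host: (concern_index, alarmed)} for the current period."""
    result = {}
    for host, flows in host_flows.items():
        ci = concern_index(flows)
        result[host] = (ci, ci > threshold(history.get(host, [])))
    return result
```

Scoring only the first dozen flows of the sweeping host yields 24 points and no alarm; the full sweep pushes the index to 220, well past that host's threshold of 50.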
A weakness of flow-based systems is that they cannot be deployed "inline" and therefore cannot block attacks on a per-packet basis. Modern Intrusion Prevention Systems (IPS) sit inline with the packet stream and can usually block on a per-packet basis. In my experience, a well-rounded security posture entails both signature-based systems as well as flow-driven, behavior-based technology.

B: Can we accurately state that a low-end sale for Lancope is $30,000?
Correction on this. A basic starter system retails for around $50,000. This includes three network appliances:

An integrated StealthWatch ID-1000 identity tracking appliance.
A StealthWatch Management Console (SMC) capable of managing up to 5 StealthWatch collector appliances.
A StealthWatch Xe-1000 for NetFlow Tier 1 capable of handling up to 3,000 flows per second and 10 unique exporters.

A more detailed product breakdown is shown below. Readers needing list pricing can email: Reggie@BradReese.Com

Lancope StealthWatch Products
C: $100,000 is an average sale?
Yes. This number reflects Lancope’s focus on large-scale, Fortune 5000 enterprises.

D: $750,000 is a high-end sale?
Yes. This size deployment would easily cover most Fortune 1000s.

E: What percentage of Lancope customers actually let StealthWatch software make changes to the equipment on the network?
Approximately 8% of Lancope’s 320 customers have enabled automated mitigation in one form or another.

