Behaviour Based Security - Mu


Behaviour Based Security
Matt Robertson, TME, Cisco
April 2013
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

At the end of the session, the participants should be able to:
- Understand the key challenges to complex threat visibility
- Define Cisco’s approach to solving this problem
- Understand how to instrument their network infrastructure to gain visibility and context
- Use the increased level of visibility and context to identify cyber threats


- Viruses (1990s): ILOVEYOU, Melissa, Anna Kournikova. Defense: Anti-Virus, Firewalls
- Worms (2000s): Nimda, SQL Slammer, Conficker. Defense: Intrusion Detection & Prevention
- Botnets (late 2000s to current): Tedroo, Rustock, Conficker. Defense: Reputation, DLP, App.-aware Firewalls
- Directed Attacks (APTs) (today): Aurora, Shady Rat, Duqu. Strategy: Visibility and Context

- Social Engineering
- Technical Exploit
- Zero-day Attack

- Reconnaissance: Identification and selection of targets
- Weaponization: Coupling exploit with backdoor into deliverable payload
- Delivery: Transmission of weapon to the intended target
- Exploitation: Exploiting a vulnerability to execute code in victim system
- Installation: RAT or other backdoor allows attacker to persist in system
- Command and Control: Establish channel for remote manipulation of victim
- Actions on Objectives: Intruders take action to accomplish their objective

/security-intelligence-attacking-the-kill-chain/ ven-Defense.pdf

1. Command and Control
2. Reconnaissance
3. Propagation
4. Data Theft

- Network Perimeter: Signature/Reputation-based Threat Detection
- Network Interior: Behavioral-based Threat Detection

Firewalls, IPS/IDS, Honeypots, Email Content Inspection, Web Content Inspection, Cisco’s Cyber Threat Defense Solution


Users/Devices
- Cisco Identity Services Engine (ISE)
- Network Based Application Recognition (NBAR)
- NetFlow Secure Event Logging (NSEL)

Visibility, Context, and Control: WHERE, WHAT, WHEN, HOW, WHO

- Hardware-enabled NetFlow Switch Devices: Use NetFlow Data to Extend Visibility to the Access Layer
- Internal Network Context (Cisco ISE, Cisco ASA NSEL, Cisco ISR G2 NBAR): Enrich Flow Data With Identity, Events and Application to Create Context
- Unify Into a Single Pane of Glass for Detection, Investigation and Reporting


[Diagram: Cisco StealthWatch FlowSensor VE, Users/Devices, Cisco Network; https links between components]

[Diagram: Complete visibility throughout the network]
- StealthWatch FlowCollector: Collect, store and analyze NetFlow Records
- StealthWatch Management Console: Real-time data correlation, traffic visualization and consolidated reporting
- Cisco ISE: NetFlow, AAA services, profiling and posture assessment; Cisco TrustSec: Access Control, Profiling and Posture Assessment
- NetFlow-capable devices: Catalyst 3750-X (stack), Catalyst 3560-X, Catalyst 4500, Catalyst 6500, ISR-G2, ASA, WLC, Access Point
- Segments: Campus, Remote Access, VPN, Identity

- Management and Reporting: StealthWatch Management Console (x2, full redundancy between primary and secondary); User Interface with customizable views for Virtualization, Network, and Security Teams; 3 million flows per second scalability
- Flow Collectors: StealthWatch FC for NetFlow (up to 25 collectors per StealthWatch System; up to 2000 exporters and/or 120,000 flows per second)
- Flow Exporters: routers and switches (x2000)
- FlowSensor (Physical) and FlowSensor VE (Virtual)


Monitor and baseline activity for a host and within host groups.

High Concern Index indicates a significant number of suspicious events that deviate from established baselines.

Example: Host | Concern Index 5,645,669 | 8,656% (High Concern Index) | Ping, Ping Scan, TCP Scan

Leveraging an integration between Cisco ISE and Lancope StealthWatch

Policy | Start Active Time | Alarm | Source | Source Host Group | Source User Name | Target
Inside Hosts | 8-Feb-2012 | Suspect Data Loss | 10.34.74.123 | Wired Data | Bob | Multiple Hosts

- Initial Infection
- Secondary Infection
- Tertiary Infection

- Flow Action field can provide additional context
- State-based NSEL reporting is taken into consideration in StealthWatch’s behavioral analysis
- Concern Index points accumulated for Flow Denied events
- NAT stitching
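The Concern Index slide above describes points accumulating when a host deviates from its baseline (Ping Scan, TCP Scan), and the NSEL slide adds that Flow Denied events also contribute points. The following is an added Python illustration of that idea; it is not Lancope or Cisco code and not the StealthWatch scoring algorithm. The record format, the point weights, the alarm threshold and every address and port are constructed for the example.

```python
"""Toy Concern Index over constructed NetFlow/NSEL-style records.

Added illustration only: baseline a host's normal activity, then accumulate
points when the host deviates (scan-like behaviour) and when the firewall
reports Flow Denied events. All hosts, ports, weights and thresholds are
constructed/hypothetical and not taken from any product.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    action: str  # NSEL-style flow action: "created" or "denied" (constructed labels)


def build_baseline(flows):
    """Learn, per source host, how many distinct peers and destination ports it
    normally touches during the learning window."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    for f in flows:
        peers[f.src].add(f.dst)
        ports[f.src].add(f.dport)
    return {h: (len(peers[h]), len(ports[h])) for h in peers}


def concern_index(flows, baseline, scan_weight=5, denied_weight=10):
    """Accumulate Concern Index points per source host over an observation window.

    - each distinct peer or destination port beyond the host's baseline earns
      scan_weight points (deviation from the established baseline)
    - each Flow Denied event earns denied_weight points (points for Flow Denied)
    """
    peers = defaultdict(set)
    ports = defaultdict(set)
    denied = defaultdict(int)
    for f in flows:
        peers[f.src].add(f.dst)
        ports[f.src].add(f.dport)
        if f.action == "denied":
            denied[f.src] += 1
    ci = {}
    for host in set(peers) | set(denied):
        base_peers, base_ports = baseline.get(host, (0, 0))
        extra = max(0, len(peers[host]) - base_peers) + max(0, len(ports[host]) - base_ports)
        ci[host] = extra * scan_weight + denied[host] * denied_weight
    return ci


def high_concern_hosts(ci, threshold=100):
    """Hosts whose accumulated points cross the (constructed) alarm threshold."""
    return sorted(host for host, points in ci.items() if points >= threshold)


def example_windows():
    """Constructed learning and observation windows (not real traffic)."""
    normal = [Flow(s, d, p, "tcp", "created")
              for s in ("10.0.0.5", "10.0.0.9")
              for d, p in (("10.0.1.1", 80), ("10.0.1.2", 443))]
    # In the observation window 10.0.0.9 also touches 20 new hosts on TCP/445;
    # the firewall reports every second attempt as Flow Denied.
    sweep = [Flow("10.0.0.9", f"10.0.2.{i}", 445, "tcp", "denied" if i % 2 == 0 else "created")
             for i in range(1, 21)]
    return normal, normal + sweep


if __name__ == "__main__":
    learning, observed = example_windows()
    scores = concern_index(observed, build_baseline(learning))
    for host, points in sorted(scores.items()):
        print(f"{host}: {points} CI points")
    print("high concern:", high_concern_hosts(scores))
```

With the constructed windows, 10.0.0.5 stays at its baseline and scores 0, while 10.0.0.9 collects 21 units of deviation (20 new peers plus one new port) and 10 denied flows, so only it crosses the threshold. A real deployment would tune the weights per host group and express the score relative to the group's baseline, which is what the percentage on the Concern Index slide conveys.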

Kill chain phase mapped to StealthWatch detection:
- Reconnaissance: Network Reconnaissance (Scanning Behavior Alerts)
- Weaponization, Delivery: Malware Propagation
- Command and Control: Command and Control (Beaconing, Host Lock, Threat Feeds)
- Actions on Objectives: Data Loss (Exfiltration)

- Leverages Cisco Network for Security Telemetry: NetFlow-enabled Cisco switches and routers become security telemetry sources; Cisco is the undisputed market leader in Hardware-enabled NetFlow devices
- Provides Rich Context: Unites NetFlow data with identity and application ID to provide security context (User? Device? Posture? Events? Application? from Cisco ISE, Cisco ISR G2 NBAR, Cisco ASA; Vulnerability, AV, Patch; example host 65.32.7.45)
- Provides Threat Visibility and Context: FlowSensor, FlowCollector and StealthWatch Management Console; single pane of glass that unifies threat detection, visibility, forensics analysis, and reporting
