Threat Scenarios And Traffic Defense - TWNIC

Transcription

Threat Scenarios and Traffic Defense
C. K. Lin, Security Business Division
Nov. 28, 2018

Dissecting a Data Breach
Stages shown on the slide: Infiltration point; Target acquisition; Exploration; Reconnaissance; Footprint expansion; Staging; Information monetized after breach; Data exfiltration.

Advanced Detection Methods
- Signature: matches an object against a blacklist. Tools: IPS, antivirus, content filter.
- Behavior: inspects victim behavior against a blacklist. Tools: malware sandbox, NBAD, SIEM.
- Anomaly: inspects victim behavior against a whitelist; quantity/metric based, not signature based. Tools: UEBA, NBAD.

Coverage by detection method, as rated on the slide:
                      Signature   Behavior   Anomaly
  Known exploits      BEST        Good       Limited
  0-day exploits      Limited     BEST       Good
  Credential abuse    Limited     Limited    BEST

Internal Visibility from Edge to Access: Network Is Your Sensor
[Topology diagram: access layer (Cat4k, 3850 stacks, 3560-X), core (Cat6k, Nexus 7000), WAN edge (ASA, ASR-1000, 3925 ISR), data center (UCS with Nexus 1000v, VPC), ISE and reputation services, across sites labelled San Jose, New York and Atlanta, with Internet connectivity]

Visibility: SIEM Logs
Questions to ask: CEF? LEEF? Free app? Latest version of security devices? Customized parser? All fields? Uncovered logs? License? Performance?
Use cases: compromise cases; what kind of logs; dashboards/reports; correlation rules; professional services; APT.
Network as a Sensor (Next-Gen SOC)

Alarm vs. Response - Security Joint Defense (資安聯防)
Response: IPS? Firewall? API, in-line
Building blocks: IAM & SSO; SIEM & Threat Defense; Net/App Performance; Network as an Enforcer?; Vulnerability Assessment; Packet Capture & Forensics (Next Gen SOC); Cisco pxGrid; IoT Security; Firewall & Access Control; Rapid Threat Containment (RTC); Cloud Access Security; DDI; Cisco ISE; Cisco WSA; Cisco FirePOWER.
SECURITY THRU INTEGRATION

Encryption is changing the threat landscape
Gartner predicts that by 2019, 80% of all traffic will be encrypted.
[Chart 1: percentage of malware, Jul through Dec, based on Cisco Threat Grid analysis; y-axis 10% to 60%, labelled value 41% at the end of the series]
[Chart 2: extensive deployment of encryption, percentage of the IT budget earmarked for encryption, FY05 through FY15, 2016 and 2017; labelled values between 16% and 27%. Source: Thales and Vormetric]

Enhanced network as a sensor
- Industry's first network with the ability to find threats in encrypted traffic without decryption
- Avoid, stop, or mitigate threats faster than ever before
- Real-time flow analysis for better visibility (encrypted traffic and non-encrypted traffic)
- Secure and manage your digital network in real time, all the time, everywhere
C97-739122-02 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Network as a Sensor
Components: context information; NetFlow; pxGrid; Cisco ISE; mitigation action.
- Real-time visibility at all network layers
- Data intelligence throughout the network
- Asset discovery
- Network profile
- Security policy monitoring
- Anomaly detection
- Accelerated incident response

Segmentation Auditing (Network Visibility)

Server group access relationship flows and monitoring

RTT vs. SRT

Malware propagation and infection trail (Malware infection)

Security risk dashboard

Cause

Real-time defense - Network as an Enforcer (Detection & Containment)
Example event shown on the slide:
  Event: TCP SYN Scan
  Source IP: 10.4.51.5
  Role: Supplier
  Response: Quarantine
[Diagram: employee and supplier endpoints, network fabric, shared server and Internet; the offending host is moved into the Quarantine / High Risk Segment]

Cisco Catalyst 9000 Family enables enhanced network as a sensor with ETA (Encrypted Traffic Analytics)
- Rapidly mitigate malware and vulnerabilities in encrypted traffic
- Industry's most pervasively deployable solution for Encrypted Traffic Analytics
- Machine learning with enhanced behavior analytics
- Complements other encrypted traffic management solutions
- Network telemetry based (no ...ion)
- Simplified management
- Globally correlated threat intel
Components shown: Encrypted Traffic Analytics; Stealthwatch; pxGrid; ISE; Mitigation.

Security threat analysis of encrypted traffic
Cognitive Analytics; expanded CTA dashboard view

NetFlow provides network visibility
[Diagram: switches and routers between hosts 172.168.134.2 and 10.1.8.3 and the Internet, exporting NetFlow]
NetFlow provides:
- A trace of every conversation in your network
- An ability to collect records everywhere in your network (switch, router, or firewall)
- Network usage measurement
- An ability to find north-south as well as east-west communication
- Lightweight visibility compared to SPAN-based traffic analysis
- Indications of Compromise (IOC)
- Security group information
The slide groups the NetFlow record fields under From/To (Who), Application (What), When (Time), Where (Port utilization / QoS), How (Usage), and Routing and Peering. Fields listed: packet count; byte count; start sysUpTime; end sysUpTime; input ifIndex; output ifIndex; type of service; TCP flags; protocol; source IP address; destination IP address; next hop address; source AS number; destination AS number; source prefix mask; destination prefix mask.

Introducing Cisco Identity Services Engine (ISE)
A centralized security solution that automates context-aware access to network resources and shares contextual data.
- Physical or VM
- Identity profiling and posture
- Context: traditional (Who) plus What, When, Where, How, Compliant
- Network door, network resources, access policy
- Cisco TrustSec, guest access, BYOD access, role-based access, threat containment
- ISE pxGrid controller

ISE as a Telemetry Source (Automatic Correlation)
Cisco ISE feeds the Stealthwatch Management Console over Syslog/pxGrid with its authenticated session table, which is used to:
- Maintain a historical session table
- Correlate NetFlow to username
- Build user-centric reports

Behavioral and Anomaly Detection Model
Behavioral algorithms are applied to build "security events": collect and analyze flows -> security events (100+) -> alarm category -> response.
Security events (examples): Addr Scan/tcp; Addr Scan/udp; Bad Flag ACK; Beaconing Host; Bot Command Control Server; Bot Infected Host - Attempted; Bot Infected Host - Successful; Flow Denied; ICMP Flood; Max Flows Initiated; Max Flows Served; Suspect Long Flow; Suspect UDP Activity; SYN Flood.
Alarm categories: Concern; Recon; C&C; Exploitation; Data hoarding; Exfiltration; DDoS target.
Responses: alarm table; host snapshot; email; Syslog / SIEM; mitigation.
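To make the flow-to-security-event step concrete, here is an added example (not Stealthwatch code or anything from the talk) that builds two of the listed security events, "Addr Scan/tcp" and "Beaconing Host", from constructed NetFlow-style records using the slide's field names, and maps them to the Recon and C&C alarm categories. The thresholds, the event-to-category mapping and the external address 203.0.113.9 are assumptions for the example.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed NetFlow-style records, field names taken from the NetFlow slide:
# (start_sysuptime_s, src_ip, dst_ip, dst_port, protocol, tcp_flags, packets, bytes)
FLOWS = [
    # 10.4.51.5 touches many hosts with bare SYNs: candidate "Addr Scan/tcp"
    *[(100 + i, "10.4.51.5", f"10.1.8.{i}", 445, 6, "S", 1, 60) for i in range(1, 26)],
    # 10.1.8.3 contacts one external host every 300 s: candidate "Beaconing Host"
    *[(t, "10.1.8.3", "203.0.113.9", 443, 6, "SA", 12, 1800) for t in range(0, 3000, 300)],
    # ordinary traffic that must not raise either event
    (50, "10.1.8.7", "10.1.8.8", 80, 6, "SA", 40, 52000),
    (90, "10.1.8.7", "10.1.8.3", 22, 6, "SA", 200, 250000),
]

SCAN_MIN_TARGETS = 20      # distinct destinations before a scan event fires (assumed)
BEACON_MIN_FLOWS = 6       # repeats of the same pair before beaconing is considered (assumed)
BEACON_MAX_JITTER = 0.10   # stdev/mean of the gaps between flows (assumed)

# Assumed mapping of security events onto the slide's alarm categories
ALARM_CATEGORY = {"Addr Scan/tcp": "Recon", "Beaconing Host": "C&C"}

def detect_security_events(flows):
    """Return {(event_name, src_ip): alarm_category} for the two modelled events."""
    syn_targets = defaultdict(set)    # src -> set of hosts probed with SYN only
    talk_times = defaultdict(list)    # (src, dst) -> flow start times
    for start, src, dst, dport, proto, flags, pkts, byts in flows:
        if proto == 6 and flags == "S":          # SYN without ACK: half-open probe
            syn_targets[src].add(dst)
        talk_times[(src, dst)].append(start)
    events = {}
    for src, targets in syn_targets.items():
        if len(targets) >= SCAN_MIN_TARGETS:
            events[("Addr Scan/tcp", src)] = ALARM_CATEGORY["Addr Scan/tcp"]
    for (src, dst), times in talk_times.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= BEACON_MIN_FLOWS and gaps:
            mean = sum(gaps) / len(gaps)
            # Near-constant inter-flow interval is the beaconing signal
            if mean > 0 and pstdev(gaps) / mean <= BEACON_MAX_JITTER:
                events[("Beaconing Host", src)] = ALARM_CATEGORY["Beaconing Host"]
    return events

if __name__ == "__main__":
    for (event, host), category in sorted(detect_security_events(FLOWS).items()):
        print(f"{category:6s} {event:15s} {host}")
```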

ISE Mitigation: through the Stealthwatch interface, a quarantine action can be initiated from the host dashboard.

Stealthwatch Endpoint Visibility Solution
Components: AnyConnect with Network Visibility Module (nvzFlow); Stealthwatch Endpoint Concentrator; Stealthwatch Flow Collector; Stealthwatch Management Console (Stealthwatch deployment).
Attributes a flow to: process name; process hash; process account; parent process name; parent process hash.

Cryptomining is not Ransomware
Unauthorized miner software quietly steals CPU power and generates cryptocurrency.
2018 Cisco and/or its affiliates. All rights reserved.

Malicious Cryptocurrency Mining Detection
Cisco Stealthwatch with Encrypted Traffic Analytics (ETA)

Thank You
