Cisco Cyber Threat Defense Mikhail Rodionov Business Development Manager [email protected]

Page 1: Cisco Secure X

Cisco Cyber Threat Defense

Mikhail Rodionov, Business Development Manager

[email protected]

Page 2: Cisco Secure X

© Cisco and/or its affiliates, 2013. All rights reserved.

• Discuss the growing security problem customers are facing that is not addressed by traditional security products and technologies

• Define Cisco’s unique approach to this problem

• Describe the Cisco Cyber Threat Defense Solution and explain why Cisco can provide the security telemetry

• Show why the solution provides unique differentiated value

Page 3: Cisco Secure X


Page 4: Cisco Secure X


Page 5: Cisco Secure X


Megatrends (Mobility, Threat, Cloud) require an innovative approach to advanced cyber threats

• Android malware increased by 2577% in 2012

• SaaS & B2B apps are 11x more malicious than counterfeit software

• Threats are morphing

Page 6: Cisco Secure X


• Viruses (1990s): ILOVEYOU, Melissa, Anna Kournikova. Defense: Anti-Virus, Firewalls

• Worms (2000s): Nimda, SQL Slammer, Conficker. Defense: Intrusion Detection & Prevention

• Botnets (late 2000s to current): Tedroo, Rustock, Conficker. Defense: Reputation, DLP, App.-aware Firewalls

• Directed Attacks (APTs) (today): Aurora, Shady Rat, Duqu. Strategy: Visibility and Context

Page 7: Cisco Secure X


keep our doors locked to stop good people from coming in”

Security gateways: Firewall, IPS, Web Sec, N-AV, Email Sec

• A customized threat bypasses the security gateways

• The threat spreads inside the perimeter (to servers)

• Once inside the perimeter, a command and control channel opens up

Only the network can have the appropriate level of visibility and intelligence to detect these threats

Page 8: Cisco Secure X


Network Reconnaissance, Data Leakage, Internally Propagating Malware, Botnet Command and Control

Page 9: Cisco Secure X


Mandiant 2012 survey:

• Organizations were compromised ~416 days before attackers were discovered

• In 100% of cases, the bad guys used valid credentials

• Each incident was discovered by a 3rd party only

Page 10: Cisco Secure X


• What Our Customers are Telling Us:

• “We assume we’re already compromised”

• “Over 50% of threats are customized to my environment…”

• “We had a single actor gaining access by three different methods all in a days work…”

• “I have enough storage for 30 days, my adversary went to sleep for 31 days. When I increased my storage to 60 days, they figured it out and changed their attack to match my storage capability…”

Page 11: Cisco Secure X


• Who? A country? Competitors? Private individuals?

• What? What is the target?

• When? When is the attack most active, and what is that linked to?

• Where? Where are the attackers? Where are they most successful?

• Why? Why are they attacking; what exactly is their goal?

• How? How do they attack: zero-day? Known vulnerabilities? An insider?

Page 12: Cisco Secure X


• Who? Who is on my network? What are users doing? Which applications?

• What? What counts as normal behaviour?

• When? Which devices are on the network? What counts as their normal state?

• Where? Where, and from where, do users get onto the network? Internal? eCommerce? External?

• Why? Why do they use particular applications?

• How? How does all of this get onto the network?

Page 13: Cisco Secure X


Page 14: Cisco Secure X

Workloads, Apps / Services, Infrastructure (public, tenants, hybrid, private)

Any-To-Any Network; Global and Local Threat Detection; Blending of Personal & Business Use; Access to Assets through Multiple Mediums and Services; Identity Awareness

The network sees all traffic, routes all requests, sources all data, controls all flows, handles all devices, touches all users and shapes all streams

Behavioral Analysis, Encryption, Device Visibility, Policy Enforcement, Access Control, Threat Defense

Page 15: Cisco Secure X


Page 16: Cisco Secure X


Intrusion Detection System

• signature-based

• passive collection

• primary source of alerts

Syslog journal

• deep-analysis tool

• can be filtered

• limited impact on the system

Network Flow Analysis

• low impact on devices

• primary investigation tool

• small memory footprint required

Page 17: Cisco Secure X


Signature/Reputation-based Threat Detection (network perimeter): Firewalls, IPS/IDS, Honeypots, Email Content Inspection, Web Content Inspection

Behavioral-based Threat Detection (network interior): Cisco’s Cyber Threat Defense Solution

Page 18: Cisco Secure X


ANY DEVICE, ANY CLOUD: Private Cloud, Hybrid Cloud, SaaS

Secure Access, Firewall, IPS, Web Gateway, Email Gateway, Policy, VPN, Data Center

Next-Gen Appliance, Cloud (#1 Market Share), Appliance, Attached, Appliance, Hosted

Page 19: Cisco Secure X


Flow records between hosts A, B and C

We can see:

- source address,

- destination address,

- number of packets transferred during that session,

- and a timestamp of the session

Page 20: Cisco Secure X


Page 21: Cisco Secure X


Sampled NetFlow – Incomplete Visibility

• Less than 5% of traffic used to generate NetFlow telemetry

• Insufficient telemetry for threat detection

Full Unsampled NetFlow – No Blind Spots

• All traffic is used to generate NetFlow telemetry

• Pre-requisite for effective threat detection

Only a Cisco Catalyst Switch Can Deliver Unsampled NetFlow at Line-Rate Without Any Data Plane Performance Impact
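The two slides above contrast packet-sampled and unsampled NetFlow, and an earlier slide lists the fields a flow record carries (source and destination address, packet count, timestamp). The script below is an added example, not code from the deck, Cisco or Lancope: it aggregates a constructed packet stream into flow records keyed by (source, destination, destination port), once from every packet and once from a 1-in-32 packet sample (about 3% of traffic, in line with the "less than 5%" figure), then runs a simple check for low-volume flows to external addresses, the shape a periodic beacon has. The addresses, packet sizes, timings and the 1-in-32 rate are all constructed; 203.0.113.0/24 is a documentation range.

```python
"""Build NetFlow-style records from a constructed packet stream, unsampled
and 1-in-N sampled, to show what packet sampling hides.
Added example; not code from the Cisco deck, Cisco or Lancope."""
from dataclasses import dataclass


@dataclass
class Packet:
    ts: int      # seconds since capture start (constructed)
    src: str
    dst: str
    dport: int
    size: int    # bytes on the wire


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    packets: int = 0
    bytes: int = 0
    first_seen: int = 0
    last_seen: int = 0


def build_flows(packets, sample_rate=1):
    """Aggregate packets into flows keyed by (src, dst, dport).

    sample_rate=1 exports every packet (unsampled NetFlow). sample_rate=N
    keeps only every Nth packet, which is what packet-sampled NetFlow sees;
    flows whose packets never land on a sampled slot are simply absent.
    """
    flows = {}
    for i, pkt in enumerate(packets):
        if i % sample_rate != 0:
            continue
        key = (pkt.src, pkt.dst, pkt.dport)
        flow = flows.get(key)
        if flow is None:
            flow = Flow(pkt.src, pkt.dst, pkt.dport,
                        first_seen=pkt.ts, last_seen=pkt.ts)
            flows[key] = flow
        flow.packets += 1
        flow.bytes += pkt.size
        flow.last_seen = max(flow.last_seen, pkt.ts)
    return flows


def external_low_volume_flows(flows, max_packets=10, internal_prefix="10."):
    """Inside-to-outside flows with few packets: the shape of a beacon.
    This check only works if the telemetry still contains such flows."""
    return [f for f in flows.values()
            if f.src.startswith(internal_prefix)
            and not f.dst.startswith(internal_prefix)
            and f.packets <= max_packets]


def constructed_capture():
    """Constructed traffic (addresses, sizes and timings are made up):
      - 10.10.101.5 -> 10.10.20.7:445, 2,000 packets (a file copy)
      - 10.10.101.89 -> 203.0.113.10:443, 6 packets (a periodic beacon)
      - 10.10.101.118 -> 10.10.20.7:22, 3 packets (a single SSH probe)
    The small flows are spliced into the bulk stream at scattered offsets."""
    pkts = [Packet(ts=n // 10, src="10.10.101.5", dst="10.10.20.7",
                   dport=445, size=1400) for n in range(2000)]
    beacon = [Packet(ts=t, src="10.10.101.89", dst="203.0.113.10",
                     dport=443, size=120) for t in (5, 35, 65, 95, 125, 155)]
    probe = [Packet(ts=t, src="10.10.101.118", dst="10.10.20.7",
                    dport=22, size=60) for t in (40, 41, 42)]
    for n, pkt in enumerate(beacon + probe):
        pkts.insert(33 + n * 200, pkt)
    return pkts


def missing_after_sampling(packets, sample_rate):
    """Flow keys present in unsampled telemetry but absent after sampling."""
    full = build_flows(packets)
    sampled = build_flows(packets, sample_rate)
    return [k for k in full if k not in sampled]


if __name__ == "__main__":
    capture = constructed_capture()
    for rate in (1, 32):
        flows = build_flows(capture, rate)
        print(f"sample 1:{rate}: {len(flows)} flows, "
              f"{len(external_low_volume_flows(flows))} beacon-like")
    print("lost by 1:32 sampling:", missing_after_sampling(capture, 32))
```

With 1-in-32 sampling the bulk file copy survives (its packet count can be scaled back up by the sampling rate), but the six-packet beacon and the three-packet probe never hit a sampled slot and vanish from the telemetry entirely, so the beacon check has nothing to find. That is the "insufficient telemetry" point: sampling preserves volume statistics, not the small flows that behavioural detection depends on.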

Page 22: Cisco Secure X


Page 23: Cisco Secure X

Cisco Cyber Threat Defense Solution Components

• Cisco ISE: Identity and Policy, Policy Enforcement

• StealthWatch: Flow Monitoring, Security Analysis

• Flow Attribution

Page 24: Cisco Secure X


Cisco Cyber Threat Defense (CTD) focuses on:

• The most complex, custom-written, dangerous security threats (e.g. APTs)

• Threats that lurk in networks for months or years stealing vital information and disrupting operations

Focus of this class of threats and Cisco CTD use cases:

• Data leakage

• Network reconnaissance

• Network interior malware proliferation

• Command and control traffic

Page 25: Cisco Secure X


NetFlow Telemetry: Cisco switches, routers and ASA 5500, at the internal network and borders

Threat Context Data: Cisco identity, device, posture, NAT, application

Unified View: threat analysis and context in Lancope StealthWatch, leveraging NetFlow, identity, reputation and application (Cisco SolutionsPlus product)

Page 26: Cisco Secure X


Cisco Network (NetFlow, NBAR, NSEL) → StealthWatch FlowCollector

StealthWatch FlowSensor and StealthWatch FlowSensor VE → NetFlow → StealthWatch FlowCollector

Users/Devices → Cisco ISE (https)

StealthWatch Management Console (https)

StealthWatch FlowReplicator → other collectors

Page 27: Cisco Secure X


A high Concern Index indicates a significant number of suspicious events that deviate from established baselines.

Host Groups | Host          | CI          | CI%    | Alarms             | Alerts
Desktops    | 10.10.101.118 | 338,137,280 | 8,656% | High Concern Index | Ping, Ping_Scan, TCP_Scan

Monitor and baseline activity for a host and within host groups.

Page 28: Cisco Secure X


What about 10.10.101.89?

Policy                      | Start Active Time | Alarm             | Source       | Source Host Groups | Target         | Details
Desktops & Trusted Wireless | Jan 3, 2013       | Suspect Data Loss | 10.10.101.89 | Atlanta, Desktops  | Multiple Hosts | Observed 4.82 Gbytes. Policy maximum allows up to 500 Mbytes.

Page 29: Cisco Secure X


Page 30: Cisco Secure X


CI2 I4A

Local intelligence (from your network): Who, What, How, Where, When

Cisco Security Intelligence Operations (from Cisco’s global threat analysis system): Reputation, Interactions, APP (applications), URL (sites)

Page 31: Cisco Secure X


Users/Devices: Cisco Identity Services Engine (ISE) links flows with user identity

Network Based Application Recognition (NBAR) digs out key application information from a stream while data flows through it

NetFlow Secure Event Logging (NSEL) is a special form of log event that helps identify accepted and rejected connections

Page 32: Cisco Secure X


Policy                      | Start Active Time | Alarm             | Source       | Source Host Groups | Source User Name | Device Type | Target
Desktops & Trusted Wireless | Jan 3, 2013       | Suspect Data Loss | 10.10.101.89 | Atlanta, Desktops  | John Chambers    | Apple-iPad  | Multiple Hosts

Attribute flows and behaviors to a user and device

Page 33: Cisco Secure X


• Flow Action field can provide additional context

• State-based NSEL reporting is taken into consideration in StealthWatch’s behavioral analysis

• Concern Index points accumulated for Flow Denied events
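Pages 27, 28, 32 and 33 describe the behavioural side of the solution: Concern Index points accumulating per host from events such as Ping, Ping_Scan and TCP_Scan and from NSEL Flow Denied events; a Suspect Data Loss alarm when a host's outbound volume exceeds its host-group policy maximum; and attribution of that alarm to a user and device via ISE. The script below is an added example, not StealthWatch or Cisco code: it implements that logic over a constructed set of flow records. The point weights, scan thresholds, host-group table and identity table are assumptions chosen for the example (real Concern Index scoring is proprietary); the 500 MB policy limit, the 4.82 GB observation, the host addresses and the user/device values are taken from the slides, and 203.0.113.0/24 is a documentation range.

```python
"""Toy behavioural analyser over NetFlow/NSEL records: Concern Index
accumulation, a Suspect Data Loss policy alarm, and user/device attribution.
Added example; not StealthWatch or Cisco code. Weights and thresholds are
constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One flow. dport 0 stands for ICMP echo (a convention chosen here).
    action mirrors the NSEL Flow Action field: "permit" or "deny"."""
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int
    action: str = "permit"


# Concern Index points per event type (constructed weights, not Lancope's).
CI_POINTS = {"Ping": 1, "Ping_Scan": 20, "TCP_Scan": 40, "Flow_Denied": 5}
PING_SCAN_MIN_HOSTS = 10     # distinct hosts pinged before Ping_Scan fires
TCP_SCAN_MIN_TARGETS = 20    # distinct (dst, port) pairs with <= 2 packets

# Host-group membership and per-group policy (the 500 MB limit is from the deck).
HOST_GROUPS = {"10.10.101.": "Desktops"}
POLICIES = {"Desktops": {"policy": "Desktops & Trusted Wireless",
                         "max_out_bytes": 500_000_000}}
# Stand-in for ISE session data; the user/device values appear on the deck.
IDENTITY = {"10.10.101.89": ("John Chambers", "Apple-iPad")}


def is_internal(ip):
    return ip.startswith("10.")


def host_group(ip):
    for prefix, group in HOST_GROUPS.items():
        if ip.startswith(prefix):
            return group
    return None


def concern_index(records):
    """Accumulate Concern Index points per source host and list its events."""
    points = defaultdict(int)
    events = defaultdict(set)
    pinged = defaultdict(set)                           # src -> hosts pinged
    tcp_pkts = defaultdict(lambda: defaultdict(int))    # src -> (dst, port) -> pkts
    for r in records:
        if r.action == "deny":                          # NSEL Flow Denied adds CI
            points[r.src] += CI_POINTS["Flow_Denied"]
            events[r.src].add("Flow_Denied")
        if r.dport == 0:
            points[r.src] += CI_POINTS["Ping"]
            events[r.src].add("Ping")
            pinged[r.src].add(r.dst)
        else:
            tcp_pkts[r.src][(r.dst, r.dport)] += r.packets
    for src, hosts in pinged.items():
        if len(hosts) >= PING_SCAN_MIN_HOSTS:
            points[src] += CI_POINTS["Ping_Scan"]
            events[src].add("Ping_Scan")
    for src, targets in tcp_pkts.items():
        probes = sum(1 for n in targets.values() if n <= 2)   # no real session
        if probes >= TCP_SCAN_MIN_TARGETS:
            points[src] += CI_POINTS["TCP_Scan"]
            events[src].add("TCP_Scan")
    return {src: {"points": p, "events": sorted(events[src])}
            for src, p in points.items()}


def data_loss_alarms(records):
    """Suspect Data Loss: permitted outbound bytes above the host-group policy."""
    out_bytes = defaultdict(int)
    targets = defaultdict(set)
    for r in records:
        if r.action == "permit" and is_internal(r.src) and not is_internal(r.dst):
            out_bytes[r.src] += r.bytes
            targets[r.src].add(r.dst)
    alarms = []
    for src, total in out_bytes.items():
        pol = POLICIES.get(host_group(src))
        if pol is None or total <= pol["max_out_bytes"]:
            continue
        user, device = IDENTITY.get(src, ("unknown", "unknown"))   # ISE attribution
        alarms.append({
            "policy": pol["policy"], "alarm": "Suspect Data Loss", "source": src,
            "source_host_group": host_group(src), "user": user, "device": device,
            "target": "Multiple Hosts" if len(targets[src]) > 1 else next(iter(targets[src])),
            "details": f"Observed {total / 1e9:.2f} Gbytes. Policy maximum allows "
                       f"up to {pol['max_out_bytes'] // 1_000_000} Mbytes.",
        })
    return alarms


def constructed_records():
    """Constructed flow set: one scanning host, one exfiltrating host, one normal host."""
    recs = [FlowRecord("10.10.101.118", f"10.10.20.{i}", 0, 1, 84) for i in range(1, 13)]
    recs += [FlowRecord("10.10.101.118", "10.10.20.7", p, 1, 60) for p in range(1, 26)]
    recs += [FlowRecord("10.10.101.118", f"203.0.113.{i}", 23, 1, 60, action="deny")
             for i in (5, 6, 7)]
    recs += [FlowRecord("10.10.101.89", "203.0.113.10", 443, 1_400_000, 2_000_000_000),
             FlowRecord("10.10.101.89", "203.0.113.11", 443, 1_400_000, 2_000_000_000),
             FlowRecord("10.10.101.89", "203.0.113.12", 443, 600_000, 820_000_000)]
    recs += [FlowRecord("10.10.101.5", "10.10.20.7", 445, 2_000_000, 3_000_000_000),
             FlowRecord("10.10.101.5", "203.0.113.50", 443, 40_000, 50_000_000)]
    return recs


def analyze(records):
    return concern_index(records), data_loss_alarms(records)


if __name__ == "__main__":
    ci, alarms = analyze(constructed_records())
    for host, row in ci.items():
        print(host, row["points"], ", ".join(row["events"]))
    for a in alarms:
        print(a["alarm"], a["source"], a["user"], a["device"], a["details"])
```

Note that the large internal backup from 10.10.101.5 to 10.10.20.7 never counts toward the data-loss policy because only traffic leaving the internal range is summed, while the denied flows from 10.10.101.118 contribute both Flow_Denied points and probe targets toward TCP_Scan, which is the "state-based NSEL reporting feeds behavioral analysis" point from the slide above.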

Page 34: Cisco Secure X


Page 35: Cisco Secure X


Detection of different attack types, including DDoS

Detailed statistics on all attacks detected in the network

Page 36: Cisco Secure X


Branch / Campus reference architecture

Devices

Access: Catalyst® 3750-X, Catalyst® 3560-X, Catalyst® 4500, Catalyst® 4500, Access Point, Access Point

Distribution: Catalyst® 3750-X Stack, WLC, Catalyst® 6500

Edge: Site-to-Site VPN, ASA, ISR, Catalyst® 6500, Remote Access

Management: Cisco ISE, StealthWatch Management Console, StealthWatch FlowCollector

• NetFlow-capable switches and routers: scalable NetFlow infrastructure

• Cisco ISE: identity; AAA services, profiling and posture assessment (Cisco TrustSec: Access Control, Profiling and Posture)

• StealthWatch FlowCollector: collect and analyze NetFlow records

• StealthWatch Management Console: correlate and display flow and identity info

Page 37: Cisco Secure X


Security problems: impact to the business ($) over time

Company with legacy monitoring tools: attack onset → credit card data compromised → attack identified → vulnerability closed (crisis region)

Company with StealthWatch: early warning → attack identified → attack thwarted → vulnerability closed

StealthWatch reduces MTTK

“Worm outbreaks can impact revenue by up to $250k per hour. StealthWatch pays for itself in 30 minutes.” (F500 Media Conglomerate)

Page 38: Cisco Secure X


Page 39: Cisco Secure X


• CEC website: wwwin.cisco.com/stg/cyber/

For EBC/TDM decks, design and how-to guides, and training VoD links

• CCO website: www.cisco.com/go/threatdefense/

Customer-facing versions of the DIG and how-to guides (Note: Need to scroll about halfway down the page)

• Cyber Threat Defense area on Highwire

For training decks, VMware images, other demo supporting information

• Demo pods available via http://securitytme.cisco.com

• Aliases: cyber-pm and cyber-tm

Page 40: Cisco Secure X

Thank you!

[email protected]

Page 41: Cisco Secure X


• Identifying BotNet Command & Control Activity. BotNets are implanted in the enterprise to execute commands from their bot herders: sending SPAM, launching Denial of Service attacks, or other malicious acts.

• Revealing Data Loss. Code can be hidden in the enterprise to export sensitive information back to the attacker. This data leakage may occur rapidly or over time.

• Detecting Sophisticated and Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise as a lurking threat, waiting to strike. These may be zero-day threats that do not yet have an antivirus signature, or may be hard to detect for other reasons.

• Finding Internally Spread Malware. Network interior malware proliferation can occur across hosts for the purpose of gathering security reconnaissance data, data exfiltration or network backdoors.

• Uncovering Network Reconnaissance. Some attacks will probe the network looking for attack vectors to be utilized by custom-crafted cyber threats.

Page 42: Cisco Secure X


Devices / Internal Network

• Use NetFlow data to extend visibility to the access layer (hardware-enabled NetFlow switch)

• Enrich flow data with identity, events and application to create context (Cisco ISE, Cisco ISR G2 + NBAR, Cisco ASA + NSEL)

• Unify into a single pane of glass for detection, investigation and reporting: WHO, WHAT, WHERE, WHEN, HOW

Context