Cisco Cybersecurity Solutions
IT/ICT SECURITY CONFERENCE KLADOVO 2015
Viktor Varga, SAGA, Business Development Manager

Slide 2: SAGA
A quarter of a century shaping the future (SAGA tagline, shown on every slide)

• Established 1989 – 25 years
• System Integrator No. 1 in Serbia*
• Member of New Frontier Group
• Security Department

*since 2005, by revenue

Slide 3: SAGA Security 360˚ Core Values
• Holistic approach
• Trusted Advisor
• Security = Risk
• Security as Enabler

Slide 4: Saga Security 360˚ (diagram)

Slide 5: Saga Security References
• Security Intelligence
• Network Identity
• WAF
• DLP
• Infrastructure Security

Slide 6: Cybersecurity
• Global Risk Report
• 67B / 475B
• Law on BICERT
• Nigerian scam
• Ransomware

Slide 7: Cybersecurity
• STRATEGY
• Controls

Slide 8: IPS

Slide 9: NGFW / UTM

Slide 10: FirePOWER

Access Control
• Remote Access VPN
• Gateway VPN
• Switching
• Routing
• NAT
• Stateful Inspection

Context Awareness
• Correlate host and user activity
• Passive OS Fingerprinting
• Passive Service Identification
• Passive Vulnerability Mapping
• Passive Network Discovery
• Auto Policy Recommendations
• Auto Impact Assessment

Threat Prevention
• Vulnerability-facing rules
• Threat-facing rules
• Enterprise accuracy and performance

App Control
• Detection of applications
• Allow/block apps and app sub-functions
• Allow/block apps by user
• Allow/block apps by type, tag, category, risk rating

(Diagram: the slide maps these four capability groups against a typical firewall, a typical IPS, typical NGFWs, FirePOWER NGIPS and FirePOWER NGFW.)

Slide 11: Context - Traffic Analysis

Connection record:
First packet      : 2013-02-22 16:08:46
Last packet       : 2013-02-22 16:08:46
Source IP         : 10.2.1.51
Destination IP    : 10.2.1.121
Protocol          : TCP
Source Port       : 2314
Destination Port  : 3108
---------
Service           : HTTP
Application Type  : HTTP Browser
Web Application   : ACME HR
Client App        : Internet Explorer 7
Server App        : Apache 2.3.32
Initiator packets : 6
Responder packets : 6
Initiator bytes   : 1096
Responder bytes   : 2269
URL               : /foo/sploits/plugins/
Detection Engine  : London Data Center

Host facts derived passively from this single connection:
• 10.2.1.51 exists
• 10.2.1.121 exists
• 10.2.1.121 has a daemon on port 3108
• 10.2.1.121 is a web server
• 10.2.1.51 has a web browser
• 10.2.1.51 has IE 7 installed
• 10.2.1.121 needs updating: vulns (vulnerabilities mapped from the identified server software)

Slide 12: Impact Assessment

Correlates every intrusion event with what is known about the target host to rate the impact of the attack against that target. The flag numbers below follow the Firepower Management Center convention (a later slide refers to "impact 1").

Impact flag | Administrator action | Why
1 | Act Immediately, Vulnerable | Event corresponds to a vulnerability mapped to the host
2 | Investigate, Potentially Vulnerable | Relevant port open or protocol in use, but no vulnerability mapped
3 | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use
4 | Good to Know, Unknown Target | Monitored network, but unknown host
0 | Good to Know, Unknown Network | Unmonitored network
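The two previous slides describe one pipeline: a connection record is mined for host facts (passive discovery and vulnerability mapping), and those facts are then used to grade each intrusion event. The following Python is an added illustration of that pipeline, not Cisco's code or anything shipped with FirePOWER. The connection record is constructed to mirror the slide, the monitored network (10.2.0.0/16), the vulnerability table and the vulnerability ids (VULN-APACHE-A and friends) are placeholders invented for the example, and the flag numbers follow the FMC convention listed in the table above.

```python
import ipaddress
from dataclasses import dataclass, field

# Impact flags as defined on the Impact Assessment slide. Numeric values
# (1 = vulnerable ... 0 = unknown network) follow the FMC convention.
IMPACT = {
    1: ("Act Immediately", "Vulnerable"),
    2: ("Investigate", "Potentially Vulnerable"),
    3: ("Good to Know", "Currently Not Vulnerable"),
    4: ("Good to Know", "Unknown Target"),
    0: ("Good to Know", "Unknown Network"),
}

# Constructed vulnerability table: server application -> vulnerability ids.
# The ids are placeholders for this example, not real VDB or CVE entries.
VULN_DB = {"Apache 2.3.32": {"VULN-APACHE-A", "VULN-APACHE-B"}}


@dataclass
class HostProfile:
    ip: str
    services: dict = field(default_factory=dict)   # (port, proto) -> server app
    client_apps: set = field(default_factory=set)
    vulns: set = field(default_factory=set)        # vulnerabilities mapped to the host


def parse_record(text):
    """Parse the 'Key : Value' lines of a connection record into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        if ":" in line and not line.startswith("-"):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def learn_from_connection(record, hosts):
    """Passive discovery: derive host facts from one connection record."""
    src, dst = record["Source IP"], record["Destination IP"]
    port, proto = int(record["Destination Port"]), record["Protocol"]
    client = hosts.setdefault(src, HostProfile(src))
    server = hosts.setdefault(dst, HostProfile(dst))
    # the destination has a daemon on that port; the server app names the software
    server.services[(port, proto)] = record.get("Server App", "unknown")
    # passive vulnerability mapping: look the identified server software up
    server.vulns |= VULN_DB.get(record.get("Server App"), set())
    client.client_apps.add(record.get("Client App", "unknown"))
    return hosts


@dataclass
class IntrusionEvent:
    dst_ip: str
    dst_port: int
    proto: str
    vuln_refs: frozenset   # vulnerabilities the triggered rule covers


def assess_impact(event, hosts, monitored):
    addr = ipaddress.ip_address(event.dst_ip)
    if not any(addr in net for net in monitored):
        return 0                                    # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                                    # monitored, but unknown host
    if event.vuln_refs & host.vulns:
        return 1                                    # vulnerability mapped to host
    if (event.dst_port, event.proto) in host.services:
        return 2                                    # port open, no vuln mapped
    return 3                                        # port not open / protocol not used


def triage(events, hosts, monitored):
    """Return (impact, action, reason, dst_ip) rows, most urgent first."""
    rows = []
    for ev in events:
        flag = assess_impact(ev, hosts, monitored)
        action, why = IMPACT[flag]
        rows.append((flag, action, why, ev.dst_ip))
    # impact 0 (unknown network) is the least urgent, so it sorts last
    return sorted(rows, key=lambda r: (r[0] == 0, r[0]))


# Constructed connection record mirroring the Context - Traffic Analysis slide
SAMPLE_RECORD = """
First packet : 2013-02-22 16:08:46
Source IP : 10.2.1.51
Destination IP : 10.2.1.121
Protocol : TCP
Source Port : 2314
Destination Port : 3108
Service : HTTP
Client App : Internet Explorer 7
Server App : Apache 2.3.32
URL : /foo/sploits/plugins/
"""

MONITORED = [ipaddress.ip_network("10.2.0.0/16")]   # assumed monitored segment


def demo():
    hosts = learn_from_connection(parse_record(SAMPLE_RECORD), {})
    events = [
        IntrusionEvent("10.2.1.121", 3108, "TCP", frozenset({"VULN-APACHE-A"})),
        IntrusionEvent("10.2.1.121", 3108, "TCP", frozenset({"VULN-IIS-X"})),
        IntrusionEvent("10.2.1.121", 445, "TCP", frozenset({"VULN-SMB-X"})),
        IntrusionEvent("10.2.1.200", 80, "TCP", frozenset({"VULN-APACHE-A"})),
        IntrusionEvent("192.168.9.9", 80, "TCP", frozenset({"VULN-APACHE-A"})),
    ]
    return triage(events, hosts, MONITORED)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The ordering matters in practice: the same Apache signature fires five times here, but only the first event deserves immediate action, because only there does the rule's vulnerability reference intersect what passive discovery learned about the target.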

Slide 13: One Size Fits All?

NSS IPS Test Key Findings: protection varied widely, between 31% and 98%. Tuning is required, and is most important for remote attacks against servers and their applications. Organizations that do not tune could be missing numerous "catchable" attacks.


Slide 16: Automation
Impact Assessment and Recommended Rules automate routine tasks.

Slide 17: How does it work?

Slide 18: Contextual Policy – Example 1
Trust privileged users' access to sshd on production servers (regardless of port).

Slide 19: Contextual Policy – Example 2
Treat connections to unauthorized websites as highly hostile.

Slide 20: Contextual Policy – Example 3
Prevent any .exe downloads from untrusted client apps (e.g. Internet Explorer).
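The three examples on slides 18 to 20 are one rule set, and the point of "contextual" is that the match conditions are identity, detected application, URL category, client application and file type rather than IP and port. The Python below is an added illustration of how such a rule set evaluates (not FirePOWER's policy engine or any Cisco code). The production segment 10.2.1.0/24, the privileged group names, the unauthorized URL categories, the untrusted client list and the sample connections are all assumed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed environment for this example (not from the slides): the production
# server segment, which directory groups count as privileged, which URL
# categories are unauthorized, and which client apps are untrusted.
PRODUCTION_SERVERS = ipaddress.ip_network("10.2.1.0/24")
PRIVILEGED_GROUPS = {"Domain Admins", "SysOps"}
UNAUTHORIZED_CATEGORIES = {"malware", "phishing", "gambling"}
UNTRUSTED_CLIENT_APPS = {"Internet Explorer"}


@dataclass
class Connection:
    user: str
    groups: frozenset             # identity context, e.g. AD groups learned via ISE
    dst_ip: str
    dst_port: int
    application: str              # detected from the payload, not inferred from the port
    url_category: Optional[str] = None
    client_app: Optional[str] = None
    file_name: Optional[str] = None


def evaluate(conn):
    """Return (action, rule_name) for one connection; the first matching rule wins."""
    dst = ipaddress.ip_address(conn.dst_ip)

    # Example 1: privileged users to sshd on production, regardless of port.
    # 'trust' means the flow bypasses intrusion and file inspection entirely.
    if (conn.application == "SSH" and dst in PRODUCTION_SERVERS
            and conn.groups & PRIVILEGED_GROUPS):
        return ("trust", "privileged-ssh-to-production")

    # Example 2: connections to unauthorized websites are highly hostile:
    # still allowed, but inspected with the most aggressive intrusion policy.
    if conn.url_category in UNAUTHORIZED_CATEGORIES:
        return ("inspect:security-over-connectivity", "unauthorized-website")

    # Example 3: no .exe downloads from untrusted client apps.
    if (conn.file_name and conn.file_name.lower().endswith(".exe")
            and conn.client_app in UNTRUSTED_CLIENT_APPS):
        return ("block-file", "exe-from-untrusted-client")

    return ("inspect:balanced", "default")


# Constructed sample connections
SAMPLE = [
    # sshd moved to port 2222: still matched, because the application is detected
    Connection("alice", frozenset({"SysOps"}), "10.2.1.10", 2222, "SSH"),
    # HTTP on port 22 is not SSH, so the trust rule does not fire
    Connection("alice", frozenset({"SysOps"}), "10.2.1.10", 22, "HTTP"),
    # an unprivileged user: inspected normally
    Connection("bob", frozenset({"Staff"}), "10.2.1.10", 22, "SSH"),
    Connection("bob", frozenset({"Staff"}), "203.0.113.5", 443, "HTTPS",
               url_category="gambling"),
    Connection("carol", frozenset({"Staff"}), "198.51.100.7", 80, "HTTP",
               url_category="business", client_app="Internet Explorer",
               file_name="setup.exe"),
    Connection("carol", frozenset({"Staff"}), "198.51.100.7", 80, "HTTP",
               url_category="business", client_app="Firefox",
               file_name="setup.exe"),
]


def run(connections=SAMPLE):
    return [evaluate(c)[0] for c in connections]


if __name__ == "__main__":
    for c, verdict in zip(SAMPLE, run()):
        print(f"{c.user:6} {c.application:5} -> {c.dst_ip}:{c.dst_port} {verdict}")
```

Note the two alice connections: the trust decision follows the detected application, so sshd on a non-standard port is still trusted, while something speaking HTTP on port 22 is not. A port-based firewall rule would get both of those wrong.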

Slide 21: Custom Block Response Pages

A simple update that can be leveraged on existing infrastructure. Example: use a Google Docs spreadsheet and web form for user access requests.
• Create a Google Spreadsheet and add a web form to it.
• Add either the form's URL or an iframe embedding it to the default block page.

Slide 22: Detection

Detects when a new application appears on a host or its traffic profile changes.
• Identify hacked hosts
• Useful in static environments: SCADA, DMZ, MEDTEC...
• Reduced risk and cost

ALERT: Host has suddenly started to use an SSH client and its outgoing traffic volume has increased by 3
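The detection on this slide is a per-host baseline: the set of applications a host has been seen using and its usual outbound volume, with an alert when either changes. The Python below is an added illustration of that logic over constructed flow records, not FirePOWER's correlation engine or Cisco code. The SCADA hosts, their applications, the byte counts and the "three times the baseline" threshold (my reading of the slide's "increased by 3") are all assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Threshold assumed for this example (the slide only says the volume
# "increased by 3"): alert when a period's outbound bytes reach three times
# the host's baseline daily mean.
VOLUME_FACTOR = 3.0


@dataclass(frozen=True)
class Flow:
    day: int           # constructed time axis: one integer per day
    src_ip: str
    application: str   # client application detected on the flow
    out_bytes: int


def build_baseline(flows):
    """Per host: the set of applications seen and the mean daily outbound bytes."""
    apps = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for f in flows:
        apps[f.src_ip].add(f.application)
        daily[f.src_ip][f.day] += f.out_bytes
    return {ip: (apps[ip], sum(d.values()) / len(d)) for ip, d in daily.items()}


def detect(baseline, flows):
    """Compare one day of flows with the baseline and return (host, reason) alerts."""
    seen_apps = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        seen_apps[f.src_ip].add(f.application)
        volume[f.src_ip] += f.out_bytes
    alerts = []
    for ip in seen_apps:
        if ip not in baseline:
            alerts.append((ip, "new host in a static segment"))
            continue
        known_apps, mean_bytes = baseline[ip]
        for app in sorted(seen_apps[ip] - known_apps):
            alerts.append((ip, f"new application: {app}"))
        if mean_bytes and volume[ip] >= VOLUME_FACTOR * mean_bytes:
            alerts.append((ip, f"outbound volume {volume[ip] / mean_bytes:.1f}x baseline"))
    return alerts


# Constructed flows for two HMI hosts in a SCADA segment: five quiet days of
# baseline, then a sixth day on which one host starts using SSH and sends far more.
def sample_flows():
    history, today = [], []
    for day in range(5):
        for ip in ("10.10.5.20", "10.10.5.21"):
            history.append(Flow(day, ip, "Modbus", 30_000))
            history.append(Flow(day, ip, "HTTP", 20_000))
    today += [Flow(5, "10.10.5.20", "Modbus", 30_000),
              Flow(5, "10.10.5.20", "HTTP", 20_000),
              Flow(5, "10.10.5.20", "SSH", 150_000),
              Flow(5, "10.10.5.21", "Modbus", 30_000),
              Flow(5, "10.10.5.21", "HTTP", 20_000)]
    return history, today


def demo():
    history, today = sample_flows()
    return detect(build_baseline(history), today)


if __name__ == "__main__":
    for host, reason in demo():
        print(f"ALERT {host}: {reason}")
```

Both conditions fire for the compromised host and neither for its neighbour, which is why this kind of profiling works best in the static environments the slide lists: in a segment where the application mix never changes, a single new application is signal, not noise.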

Slide 23: Automatic remediation

Use a pre-defined or custom script to initiate automatic actions, e.g. quarantine a device through the ISE API. Reduced risk and cost.

Indications of Compromise that trigger the action:
• IPS event with impact 1
• Malware
• Communication with a botnet
→ QUARANTINE via ISE: change the VLAN or the SGT (Security Group Tag)

Slide 24: Integration
• eStreamer API – export events
• Vulnerability API – import vulnerabilities
• Remediation Modules
• ISE
• Database Access (JDBC)

Slide 25: Integration 2 – Platform Exchange Grid (pxGrid)

"Let's all share data via proprietary APIs!" That didn't work so well.

pxGrid context sharing: a single framework with direct, secured interfaces between products. Each participant (including Talos threat intelligence) publishes what it has and subscribes to what it needs:
• I have NBAR info! I need identity…
• I have firewall logs! I need identity…
• I have security events! I need reputation…
• I have NetFlow! I need entitlement…
• I have reputation info! I need threat data…
• I have MDM info! I need location…
• I have app inventory info! I need posture…
• I have identity & device type! I need app inventory & vulnerability…
• I have application info! I need location & auth-group…
• I have threat data! I need reputation…
• I have location! I need identity…

Slide 26: Two of a kind – different devices for different use cases

FirePOWER Appliance (NGIPS)
• Focused on threat detection
• Some firewall functions, but likely not enough to meet perimeter use cases
• Ideal for passive deployments or augmenting firewalls
• Deployed on FirePOWER appliances

ASA with FirePOWER Services (NGFW)
• Full ASA firewall capabilities
• Full threat detection stack
• Best for NGFW usage
• Delivered alongside ASA

Slide 27: Value

Slide 28: Thank you for your attention!