Network as a Sensor and Enforcer Leverage the Network to Protect Against and Mitigate Threats

Transcription

1 Network as a Sensor and Enforcer Leverage the Network to Protect Against and Mitigate Threats Dragan Novaković Consulting Systems Engineer Security November 2015.

2 New Networks Mean New Security Challenges Changing Business Models Dynamic Threat Landscape Complexity and Fragmentation ENTERPRISE MOBILITY ACQUISITIONS AND PARTNERSHIPS CLOUD Organizations lack visibility into which and how many devices are on their Network Acquisitions, joint ventures, and partnerships are increasing in regularity. Services are moving to the Cloud at a faster rate than IT can keep up INTERNET OF THINGS Over 50 billion connected smart objects by Expanded Enterprise Attack Surface It s Not IF You Will Be Breached It s WHEN. 2

3 Cisco s Covers the Threat-Centric Entire Attack Security Continuum Model BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall VPN NGIPS DDoS Advanced Malware Protection Application Control Policy Management Web Security Malware Sandboxing Secure Access Network + Identity Services Endpoint Mobile Security Virtual Network Behavior Cloud Analysis Point in Time Visibility and Automation Continuous 3

4 Because that s where the money is. Willie Sutton, Bank Robber - (allegedly) on why he robbed banks 4

5 You Can t Defend Against What You Can t See Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5

6 Solution Overview 6

7 Cisco Network as a Sensor (NaaS) Detect Anomalous Traffic Flows, Malware Identify User Access Policy Violations Obtain Broad Visibility into All Network Traffic

8 Visibility through NetFlow Switches Routers NetFlow provides Trace of every conversation in your network An ability to collect record everywhere in your network (switch, router, or firewall) Network usage measurement An ability to find north-south as well as east-west communication Light weight visibility compared to SPAN based traffic analysis Indications of Compromise (IOC) Security Group Information Flow Information Packets SOURCE ADDRESS DESTINATION ADDRESS SOURCE PORT DESTINATION PORT 443 INTERFACE Gi0/0/0 IP TOS 0x00 IP PROTOCOL 6 NEXT HOP TCP FLAGS 0x1A SOURCE SGT 100 : : Internet APPLICATION NAME NBAR SECURE-HTTP 8

9 Lancope StealthWatch: System Overview Non-NetFlow Capable Device SPAN StealthWatch FlowSensor Generate NetFlow StealthWatch FlowCollector NetFlow / NBAR / NSEL Network Devices Collect and analyze Up to 4,000 sources Up to 240,000 FPS sustained StealthWatch Management Console Management and reporting Up to 25 FlowCollectors Up 6 million FPS globally 9

10 Conversational Flow Record Who What Who When Where How More context Highly scalable (enterprise class) collection High compression => long term storage Months of data retention 10 10

11 NetFlow for Dynamic Network Awareness Understand Network Behavior and Establish a Network s Normal A Powerful Information Source for Every Network Conversation A Critical Tool to Identify a Security Breach Each and Every Network Conversation over an Extended Period of Time Source and Destination IP Address, IP Ports, Time, Data Transferred, and More Stored for Future Analysis Identify Anomalous Activity Reconstruct the Sequence of Events Forensic Evidence and Regulatory Compliance NetFlow for Full Details, NetFlow-Lite for 1/n Samples Network Flows Highlight Attack Signatures 11

12 Behavioral and Anomaly Detection Model Behavioral Algorithms Are Applied to Build Security Events SECURITY EVENTS (94 +) ALARM CATEGORY RESPONSE COLLECT AND ANALYZE FLOWS FLOWS Addr_Scan/tcp Addr_Scan/udp Bad_Flag_ACK** Beaconing Host Bot Command Control Server Bot Infected Host - Attempted Bot Infected Host - Successful Flow_Denied.. ICMP Flood.. Max Flows Initiated Max Flows Served. Suspect Long Flow Suspect UDP Activity SYN Flood. Concern Recon C&C Exploitation Data Hoarding Exfiltration DDoS Target Alarm Table Host Snapshot Syslog / SIEM Mitigation 12

13 StealthWatch Alarm Categories Each category accrues points. 13

14 Data Hoarding Suspect Data Hoarding: Unusually large amount of data inbound from other hosts Target Data Hoarding: Unusually large amount of data outbound from a host to multiple hosts 14 14

15 Suspect Data Hoarding Data Hoarding: Unusually large amount of data inbound to a host from other hosts Policy and behavioral 15 15

16 Lancope StealthWatch System Network Reconnaissance Using Dynamic NetFlow Analysis Monitor Detect Analyze Respond Ø Ø Understand your network normal Gain real-time situational awareness of all traffic Ø Ø Leverage Network Behavior Anomaly detection & analytics Detect behaviors linked to APTs, insider threats, DDoS, and malware Ø Ø Collect & Analyze holistic network audit trails Achieve faster root cause analysis to conduct thorough forensic investigations Ø Ø Accelerate network troubleshooting & threat mitigation Respond quickly to threats by taking action to quarantine through Cisco ISE 16

17 Cisco Network as an Enforcer (NaaE) Implement Access Controls to Secure Resources Contain the Scope of an Attack on the Network Quarantine Threats, Reduce Time-to-Remediation

18 Cisco Identity Services Engine (ISE) Adding Visibility and Context to NetFlow NETWORK / USER CONTEXT INTEGRATED PARTNER CONTEXT Who What When Where How SEND CONTEXTUAL DATA COLLECTED FROM USERS, DEVICES, AND NETWORKS TO LANCOPE FOR ADVANCED INSIGHTS AND NETFLOW ANALYTICS 18

19 access-list 102 deny tcp eq lt 848 access-list 102 deny ip eq gt 4878 access-list 102 permit icmp lt eq 1216 access-list 102 deny icmp gt gt 1111 access-list 102 deny ip eq eq 4175 access-list 102 permit tcp lt gt 1462 access-list 102 permit tcp gt lt 4384 access-list 102 permit icmp eq eq 878 access-list 102 permit ip gt eq 467 Cisco TrustSec Software-Defined Segmentation Provide Role-Based Segmentation to Control Access and Contain Threats Simplifies Firewall Rule, ACL, VLAN Management Traditional Security Policy Prevents Lateral Movement of Potential Threats Eliminates Costly Network Re-architecture TrustSec Security Policy Switch Router VPN & Firewall DC Switch Wireless Controller Segmentation Policy Enforced Across the Extended Network 19

20 Cisco TrustSec Software-Defined Segmentation ISE Classification Results: Device Type: Apple ipad User: Mary Group: Employee Corporate Asset: Yes Malware Detected Yes Data Center Firewall Campus Core Data Center Lancope/Netflow (SMC/FC) Access Layer ASA SSL VPN Voice Tag Employee Tag PCI POS Tag Voice Employee PCI POS Partner Non-Compliant Partner Tag Non-Compliant Tag Data VLAN 20 Quarantine Data VLAN 20 ( PCI Segmentation within the same VLAN) 20

21 Bringing It All Together Architecting Network as a Sensor and Network as an Enforcer Cisco Collective Security Intelligence NGIPS API Campus/DC Switches/WLC Threat ISE TrustSec Security Group Tag NGFW Confidential Data Network Sensor (Lancope) API (pxgrid) Cisco Routers / 3 rd Vendor Devices Network Sensors Policy & Context Sharing Network Enforcers 21

22 What Can Cisco NaaS and NaaE Offer You? Unmatched Visibility Consistent Control Advanced Threat Protection Complexity Reduction Global Intelligence With the Right Context Consistent Policies Across the Network and Data Center Detects and Stops Advanced Threats Fits and Adapts to Changing Business Models

23 Cisco s Threat-Centric Approach to Security ATTACK CONTINUUM BEFORE DURING AFTER Network as a Sensor Flexible NetFlow u Lancope StealthWatch u ISE Network as an Enforcer Flexible NetFlow u Lancope StealthWatch u Cisco TrustSec u ISE 23

24 Thank you.