IT Security in the Web 2.0 Era
Dirk Beste, Consulting System Engineer

IT Security in the Web 2.0 Era: Cisco SIO and Global Threat Correlation
After the webinar the listener should be able to:
- understand the motivation behind Cisco Security Operations
- recognise the added value of Global Correlation for analysing and defending against security threats
- understand how Global Correlation functions are implemented and how they work in Cisco's web, email, firewall and IPS products

Agenda
- Cisco Security Intelligence Operations
  - Introduction and fundamentals
  - Added value in practice
  - Elements needed for operation
- Implementation and operation
  - Web and email security
  - Firewall and IPS appliances
- Summary
The Challenge Today: Countervailing Forces
Globalization, Threats, Mobility, Acceptable Use, Collaboration, Enterprise SaaS, Data Loss

A Seismic Shift
- 2000-2008: IT security products look deeper
- 2009: Cisco security products look around and respond faster

Cisco Security Intelligence Operations: Powerful Protection through Network Scanning Elements
- Elements: Cisco SensorBase, Threat Operations Center, Dynamic Updates
- A security infrastructure that dynamically provides intelligence to the network scanning elements

Cisco Global Correlation: Unmatched Breadth
- Largest footprint, greatest breadth, full context analysis
- Across Email Security, IPS, Web Security and Firewall
- Identifying a global botnet requires complete visibility across all threat vectors

Cisco SIO: Cisco SensorBase
Largest network, highest data quality, unmatched breadth
Cisco SensorBase Network: Unmatched Visibility Into Global Threats
- Most devices: 1M security devices and 10M clients shipped per year; core Internet routers; cloud-based services
- Largest footprint: 30% of the world's email traffic; 200+ parameters; 368 GB of sensor feeds per day
- Diverse sources: eight of the top ten ISPs; Fortune 500, Global 2000, universities, SMBs; 152 third-party feeds
- First to combine network and application layer data

Cisco SensorBase Network: Unmatched Breadth
The SensorBase Network sees the same campaign from each vector: spam with a malicious attachment (email), a directed attack (firewall / IPS) and a malware-distributing site (web), and ties the observations together.
Cisco SIO: Cisco Threat Operations Center (TOC)
Advanced research and development, security modeling, experienced analysts

Cisco Threat Operations Center: Advanced Research and Development
- Millions in R&D investment
- Threat experts and statisticians
- Equipment and infrastructure
- Thought leadership, prevention and best-practices expertise
- 76 patents
- Innovative services: IPS Global Correlation, ASA Botnet Traffic Filters, Virus Outbreak Filters, Reputation Filters (IPS, email, web, etc.)

Cisco Threat Operations Center: Sophisticated Security Modeling and Remediation
- Advanced algorithms: dynamic real-time scoring, fast threat identification, automated rule and/or signature creation, human-aided rule creation
- White Hat engineers: penetration testing, botnet infiltration, malware reverse engineering
- Global Correlation: supervised learning, unsupervised learning, reputation scoring, real-time anomaly detection, product and customer feedback
Cisco Threat Operations Center: Ensuring Accuracy and Responsiveness
- Experienced analysts: 500 analysts; European and Asian languages; 1 Cisco Fellow; 80+ Ph.D.s, CCIEs, CISSPs, MCSEs
- 24x7x365 operations: 5 threat operations center locations around the globe (San Jose, San Bruno, Austin, North Carolina, Shanghai)
- Powerful tools: dynamic updates; correlation and data mining; advanced rule approval, creation and publishing applications

Cisco SIO: Broadest Enforcement Capabilities
Fast device scanning engines and granular policy

Advanced Protection: Putting It All Together
- Cisco products and services (high-performance, flexible enforcement points): Adaptive Security Appliances, Intrusion Prevention Solution, Web Security Appliances, Email Security Appliances, Hosted Email Services
- Security filters (the industry's most effective security features): Virus Outbreak Filters, Anti-Spam, Email Reputation Filters, Web Reputation Filters, IPS Reputation and Signature Filters, Firewall Botnet Traffic Filters
- Cisco SIO (cloud-based intelligence to power Cisco security services): live reputation scores, new rule sets, authored signatures, dynamic auto-updates with updated rule sets every 5 minutes
Cisco SIO In Action

Cisco SIO In Action: Obama Botnet
1. Baseline threat data is installed in Cisco security devices
2. A spoofed email about the Obama speech triggers an alert to Cisco SIO
3. A rule update goes out to the ASA firewall, the web security appliances and the IPS
4. The botnet servers are blocked

New President, New Malware
- Users receive an email inviting them to watch President-elect Barack Obama's victory speech
- It links users to a government-themed botsite
- Subject line examples:
  - Election Results Winner
  - The New President's Cabinet?
- Malicious URLs (*Still Active*):
  - http://slapiservlet.encrypted.viewcontent.xxxxxxxxxxxxxxx.wconlinenrue.com/president.htm?/slapiservlet/slapiservlet/osL.htm?LOGIN=BfQd3Zno5H&VERIFY=0AHBgl9ixN7rvXm
  - http://portalserver.viewcontent.memberverify.ewtloc5rc.xxxxxxxxxxxxxxx.bfiinwach.com/president.htm?/verifyonenet/certificateupdate/osl.htm?login=zeuroewtlo&verify=c5rcwjj7qjsuveb
  - http://actionvalidate.linkbrowse.servletdologin.qdffskkiw.xxxxxxxxxxxxxxx/president.htm?/exacttrget/memberverify/osL.htm?LOGIN=Tch0JQdfFS&VERIFY=KkiwFDDIWZhvVNJ

Government-Themed Botsite (botsite shown next to the real site)
- Users are prompted to install an Adobe Flash Player update, which is actually data-stealing malware
- It steals screenshots and passwords and sends them to a web server located in Kiev, Ukraine

Blocked by Web Reputation Filters
All malicious URLs were automatically blocked by Web Reputation Filters; 3 URLs were still active and serving malware.
Web Reputation: New Threat Alert
- THREAT: fake virus scan and software
- VECTOR: web; top 20 Google search results
- SITE: http://career-counseling.com/

Google Search on Hurricane Jimena
The malicious site appears among the top 20 Google search results.

The Malicious Redirection Begins
1. The user is notified that they need to run an immediate virus scan because of a possible virus infection
2. http://megaspywarescan2.com tells the user their computer is infected
3. http://megaspywarescan2.com shows the user a list of Trojans supposedly found on their computer
4. http://megaspywarescan2.com prompts the user to download the "Total Security" software for protection
5. http://megaspywarescan2.com delivers the malicious software, which gets installed

Infected! Look at the CPU consumption.
New Domain, Same Malware!
The same Google search and the same link now redirect the user to a different domain (http://bewareofvirusattacks3.com).

The Actual Web Site

All Blocked by Web Reputation
- SITE: http://megaspywarescan2.com, score -8.90; default block
- SITE: http://bewareofvirusattacks3.com, score -8.90; default block
Principles & Configuration: Cisco Email and Web Security Appliances
How SensorBase Data Makes the Difference for Mail
- SensorBase data (150 parameters): complaint reports, spam traps, message composition data, global volume data, URL lists, compromised host lists, web crawlers, IP blacklists and whitelists, additional data
- Data analysis / security modeling: threat prevention in real time
- Output: SenderBase Reputation Scores from -10 to +10

Preventive Anti-Spam Defense: Reputation Filters
Incoming mail is good, bad, or grey/unknown. Email reputation filtering sorts it before the anti-spam engine:
- Known good is delivered
- Suspicious mail is rate limited and spam filtered
- Known bad is deleted or tagged
Stop 80% of hostile mail at the door.

Cisco IronPort Web Reputation Filters: Data Makes the Difference
- SensorBase data (parameters): URL blacklists, URL whitelists, URL categorization data, HTML content data, URL behavior, global volume data, domain registrar information, dynamic IP addresses, compromised host lists, web crawler data, network owners, known threat URLs, offline data (F500, G2000), website history
- Data analysis / security modeling: threat prevention in real time
- Output: Web Reputation Scores (WBRS) from -10 to +10, addressing known and unknown sites

Intelligent Scanning
Requested URLs pass through the IronPort Web Reputation Filters first:
- Known good sites aren't scanned
- Unknown sites are scanned by one or more engines (Anti-Malware System, Decryption Engine)
- Known bad sites are blocked
IronPort Web Reputation technology determines whether scanning by the IronPort Anti-Malware System or the Decryption Engine is needed.
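The reputation-tiered decisions on these slides (deliver / rate-limit-and-scan / delete for mail, allow / scan / block for web) written out as an added example; this is not Cisco code, and the two tier boundaries BLOCK_AT and TRUST_AT are assumed values, not Cisco's shipped defaults.

```python
"""Reputation-tiered policy as the slides describe it (added example, not
Cisco code). Scores run from -10 to +10; the two tier boundaries below are
assumptions chosen for illustration, not Cisco's shipped defaults."""
from dataclasses import dataclass

BLOCK_AT = -6.0   # assumed: at or below this a sender/site is "known bad"
TRUST_AT = 6.0    # assumed: at or above this a sender/site is "known good"


@dataclass
class Decision:
    tier: str       # "known_good", "grey" or "known_bad"
    action: str     # what the appliance does with the message or request
    engines: tuple  # scanning engines engaged for this item


def email_policy(sender_score: float) -> Decision:
    """Email reputation filtering: known good is delivered, grey/unknown is
    rate limited and spam filtered, known bad is deleted or tagged."""
    if sender_score >= TRUST_AT:
        return Decision("known_good", "deliver", ())
    if sender_score <= BLOCK_AT:
        return Decision("known_bad", "delete_or_tag", ())
    return Decision("grey", "rate_limit_and_scan", ("anti_spam",))


def web_policy(wbrs: float, is_https: bool = False) -> Decision:
    """Web reputation filtering with intelligent scanning: known good sites are
    not scanned, known bad sites are blocked, unknown sites go to the
    anti-malware system (plus the decryption engine for HTTPS)."""
    if wbrs >= TRUST_AT:
        return Decision("known_good", "allow", ())
    if wbrs <= BLOCK_AT:
        return Decision("known_bad", "block", ())
    engines = ("anti_malware",) + (("decryption",) if is_https else ())
    return Decision("grey", "scan", engines)


def stopped_at_the_door(sender_scores) -> float:
    """Fraction of a mail batch settled by reputation alone, i.e. never
    reaching the anti-spam engine (the slide's '80% at the door' figure)."""
    decisions = [email_policy(s) for s in sender_scores]
    return sum(1 for d in decisions if not d.engines) / len(decisions)


if __name__ == "__main__":
    # Constructed scores; -8.90 is the value the slides show for the two
    # fake-antivirus domains, which lands in the default-block tier.
    for score in (-8.90, 0.5, 7.2):
        print(score, email_policy(score), web_policy(score, is_https=True))
```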
Principles & Configuration: Cisco Firewall Appliances
Botnet Filtering Process
Components: Cisco Security Intelligence Operations (SIO), the Internet, and the Cisco ASA Botnet Filter.
- Step 1: Infected clients try to communicate with a command and control host on the Internet
- Step 2: Cisco SIO updates the Cisco ASA botnet filter list; the destination is a known attack site
- Step 3: Alerts go out to the security teams for prevention, mitigation, and remediation

Botnet Traffic Filters in ASA v8.2: Reliable Detection of Infected Clients
- The Cisco ASA 5500 Series sits between the infected clients and the malware command and control
- Scans all traffic, ports and protocols for rogue phone-home traffic
- Provides visibility into infected clients within the corporate network

Botnet Traffic Filter
Enable it directly from the Cisco ASDM configuration menus: Cisco SIO data, custom lists, per interface or global.

Botnet Traffic Filter Reports: Top Botnet Sites and Ports

Botnet Traffic Filter Reports: Top Infected Hosts
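The three-step botnet filtering process and the two reports above, reduced to working detection logic as an added example (not Cisco's ASA code). The C&C list, custom lists and connection log are constructed with placeholder names and documentation addresses.

```python
"""Botnet Traffic Filter logic in miniature (added example, not Cisco code):
outbound connections are matched against a C&C list fed by SIO plus a custom
list, each match is an alert, and the alerts roll up into the two reports
the slides show (top botnet sites and ports, top infected hosts)."""
from collections import Counter

# Constructed lists with placeholder names and documentation addresses.
SIO_CNC_LIST = {"c2-one.example.invalid", "c2-two.example.invalid"}
CUSTOM_BLOCKLIST = {"198.51.100.77"}            # administrator-maintained
CUSTOM_ALLOWLIST = {"updates.example.invalid"}  # never flagged

# Constructed connection log: "src dst_name dst_ip dport proto"
SAMPLE_LOG = """\
10.0.0.5 c2-one.example.invalid 203.0.113.10 8080 tcp
10.0.0.5 c2-one.example.invalid 203.0.113.10 8080 tcp
10.0.0.9 www.example.invalid 203.0.113.50 443 tcp
10.0.0.7 c2-two.example.invalid 203.0.113.11 53 udp
10.0.0.5 updates.example.invalid 203.0.113.20 80 tcp
10.0.0.12 - 198.51.100.77 6667 tcp
"""

def parse(line):
    src, name, ip, port, proto = line.split()
    return {"src": src, "name": name, "ip": ip, "port": int(port), "proto": proto}

def is_cnc(rec):
    """Steps 1 and 2: is the destination a known command-and-control host?
    Every port and protocol is checked, as the ASA filter does."""
    if rec["name"] in CUSTOM_ALLOWLIST:
        return False
    keys = {rec["name"], rec["ip"]}
    return bool(keys & (SIO_CNC_LIST | CUSTOM_BLOCKLIST))

def filter_log(text):
    """Step 3: one alert record per phone-home attempt."""
    return [rec for rec in map(parse, text.splitlines()) if is_cnc(rec)]

def top_botnet_sites_and_ports(alerts, n=5):
    """Report 1: which C&C sites and which ports the infected clients use."""
    sites = Counter(a["name"] if a["name"] != "-" else a["ip"] for a in alerts)
    ports = Counter(f'{a["proto"]}/{a["port"]}' for a in alerts)
    return sites.most_common(n), ports.most_common(n)

def top_infected_hosts(alerts, n=5):
    """Report 2: which internal clients keep trying to reach C&C hosts."""
    return Counter(a["src"] for a in alerts).most_common(n)
```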
Principles & Configuration: Cisco Intrusion Prevention Appliances
Cisco IPS with Global Correlation
Pipeline: Reputation Filters (1st) -> Signature Inspection -> Anomaly Detection -> Global Correlation Decision Engine (1st)
- Correlation of SensorBase data: automatically correlates SensorBase threat data; packets with negative reputation are dropped; fast response to emergent threats; enhances detection capabilities
- Reduces the window of exposure
- Pinpoint accuracy: analyzes the attacker as well as the attack; leverages reputation filters to stop known attackers (40% of attackers are repeat offenders)
2009 Cisco Systems, Inc. All rights reserved.

Dynamic Protection: Accurate Local Analysis
Risk Rating (Cisco patent): the Risk Rating Engine weighs three questions: What is the attack? Who is the attacker? What is the target?

Defeating SQL Injection: The Challenge of Traditional Signature-Based IPS
- What signatures find: SQL command fragments in web traffic
- Verdict: UNKNOWN. This could be your billing system talking to your customer database. Or...

IPS Reputation Enables Protection, Powered by Global Correlation
- What Cisco IPS finds: SQL command fragments in web traffic
- How: first HTTP connection
- Who: dynamic IP address, dynamic DNS, history of web attacks, history of botnet activity
- Where: within a heavily compromised .Asia network
- Verdict: BLOCK (clean sources only are let through)

Defeating SQL Injection: Collaborate with Confidence
Left: the traditional signature-only IPS view without reputation. Right: a Global Correlation-enabled IPS allows a confident deny action.

Cisco IPS 7.0 with Global Correlation: Changing Network IPS to Global IPS
- Coverage: twice the effectiveness of signature-only IPS
- Accuracy: reputation analysis decreases false positives
- Timeliness: 100x faster than traditional signature-only methods
Results averaged over a two-week period in pre-release deployments. Harnessing the power of Cisco Security Intelligence Operations.
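The SQL-injection slides argue that the same signature hit is UNKNOWN on its own and a confident BLOCK once attacker reputation is added. Here that decision is written out as an added example; it is not Cisco's risk-rating algorithm, and the deny threshold and the "negative score plus at least one corroborating attribute" rule are assumptions made for illustration.

```python
"""Signature event plus attacker reputation -> verdict, following the
SQL-injection slides (added example, not Cisco's risk-rating algorithm;
the deny threshold and the corroboration rule are assumptions)."""
from dataclasses import dataclass


@dataclass
class SignatureEvent:
    name: str               # e.g. "sql-command-fragments-in-http"
    attacker_ip: str
    first_connection: bool  # first HTTP connection ever seen from this source?


@dataclass
class Reputation:
    score: float  # SensorBase-style score, -10 .. +10
    dynamic_ip: bool = False
    dynamic_dns: bool = False
    web_attack_history: bool = False
    botnet_history: bool = False
    heavily_compromised_network: bool = False


def signature_only_verdict(ev: SignatureEvent) -> str:
    """Traditional IPS: SQL fragments in web traffic could be the billing
    system talking to the customer database, so the verdict stays UNKNOWN."""
    return "UNKNOWN"


def correlated_verdict(ev: SignatureEvent, rep: Reputation, deny_at=-4.0):
    """Global correlation: the same event from a source with negative
    reputation and corroborating history becomes a confident BLOCK.
    Returns the verdict and the reasons that support it."""
    reasons = []
    if rep.score <= deny_at:
        reasons.append(f"reputation {rep.score:+.1f}")
    for flag in ("dynamic_ip", "dynamic_dns", "web_attack_history",
                 "botnet_history", "heavily_compromised_network"):
        if getattr(rep, flag):
            reasons.append(flag)
    if ev.first_connection:
        reasons.append("first_http_connection")
    # Assumed rule: negative reputation plus at least one corroborating
    # attribute; a clean source with the same signature hit is not blocked.
    corroborated = rep.score <= deny_at and len(reasons) >= 2
    return ("BLOCK" if corroborated else "UNKNOWN"), reasons
```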
Vision

Cisco Security Intelligence Operations Vision
- More Cisco devices will be linked into the Cisco Shared Defense Network
- This will provide global analysis and be more informative about how your Cisco network is defending itself