Cisco & Big Data Security




Transcription:

Cisco & Big Data Security (Transmission Protection for Big Data). Joey Kuo, Borderless Networks Manager, hskuo@cisco.com

The any-to-any world and the Internet of Everything is an evolution in connectivity and collaboration that is unfolding rapidly. It's the nexus of devices, clouds, and applications. Global cloud traffic will increase sixfold over the next five years, growing at a rate of 44 percent from 2011 to 2016. 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

"Every day I wake up and ask, how can I flow data better, manage data better, analyze data better?" Rollin Ford (CIO, Walmart)

"Every two days we create as much information as we did from the dawn of civilization up until 2003." Eric Schmidt (Chairman of Google)

Big data use cases: fraud detection, wire transfer alerts, traffic analysis, network optimization to support service levels, environment monitoring, security/anti-terror, cyber security, customer loyalty programs, subscriber data management, content monetization, store operation analysis, collaborative planning and forecasting, supply chain optimization.


[Chart: Hits to Top Web Properties. Search engines 36%, online video 22%, social networks 20%, advertisements 13%.]

[Chart: monthly share (Jan to Dec, 0% to 90%) by category: Prescription Drugs, Luxury Watches, Credit Card, Business Reviews, Professional Network, Electronic Money Transfer, Accounting Software, Social Network, Professional Associations, Airline, Mail, Weight Loss, Government Organization, Windows Software, Cellular Company, Online Classifieds, Taxes.]

[Chart: malware breakdown. Malscript/Iframe 83.43%, Exploit 9.86%, Infostealing 3.49%, Downloader 1.12%, Worm 0.89%, Virus 0.48%, Mobile 0.42%, Scareware 0.16%.]



[Diagram: Advanced Persistent Threat. Users & applications, CNC (command and control), compromised site & exploit server, WWW.]

Attack chain: social engineering plus a zero-day exploit; implant a backdoor; expand the foothold; collect data; package and upload.

Cisco SIO scale: 13B web requests, 150M globally deployed endpoints, 35% of worldwide email traffic, 75 TB of data received per day, 1.6M globally deployed devices. SensorBase, Threat Operations Center, Dynamic Updates.

Leveraging Cisco SensorBase. Threat Index (scale from Very Good to Very Bad). Sample email from "Bank A" to pborges@email.com, subject "Information Update": "Dear Mr. Paulo Roberto Borges, We are contacting you in order to inform about a mandatory update of your personal data, which is being conducted after Bank A and Bank B merge. To begin the update, please click on the link and download the protection program. Protection Module 3.0 (2011). Best regards, Bank A". Sender IP address: 74.42.98.119 (Unknown). Email sensor data, web sensor data and IPS sensor data combine into the verdict: Very Bad.

Outbreak Filters in action: email from the Internet passes through Email Security on its way to the inbox; the targeted attack filter, dynamic quarantine and rule sets are fed by Cisco Security Intelligence Operations.

Web Reputation (reputation rating): Internet Explorer (IE) zero-day vulnerability timeline, marked "Blocked by Cisco". Day 0: exploit site detected. Day 8: exploit site volume up, malware detected. Day 14: IPS signature published, C&C server blocked. Day 16: A/V vendor A signature published (partial). Day 17: A/V vendor B signature published. Day 18: A/V vendors A and C full signatures published; security advisory issued; IE patched. Continuous intelligence throughout. Competitive approaches: an endless race against hackers. Cisco approach: stop attacks at the source and disarm attackers; the zero-day threat and future attacks from 40+ parked domains were prevented by reputation and cross-platform intelligence.


Info about domains:
Domain Name: ROOTADMIN2012.COM; Creation Date: 23-jan-2013; Expiration Date: 23-jan-2014
Domain Name: MYADMIN2012.COM; Creation Date: 23-jan-2013; Expiration Date: 23-jan-2014
Both domains are hosted at the following IP address in Japan: 61.196.247.51 (061196247051.cidr.odn.ne.jp)



http://www.crazyengineers.com/beware-of-the-botnet-the-zombie-can-be-dangerous/

Cisco Security Intelligence Operations, Botnet Traffic Filters on the Cisco ASA 5500 Series: an infected client inside the corporate network phones home to a command-and-control server. The filter scans all traffic, ports, and protocols for rogue phone-home traffic and provides visibility into infected clients within the corporate network; SensorBase provides visibility into dynamic IPs.
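The phone-home check the slide describes, as an added example that is not Cisco's code: constructed NetFlow-style records are matched against a constructed C&C reputation list (addresses from documentation ranges, verdicts hypothetical), ignoring port and protocol just as the slide says the filter does, and the result is the set of internal clients with their C&C contacts and flow counts.

```python
"""Phone-home (botnet C&C) detection over flow records.

Added example, not Cisco code: a small stand-in for the Botnet Traffic
Filter idea, using constructed flow lines and a constructed reputation
list. A real deployment consumes a live feed; the values here are
hypothetical and use documentation address ranges.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed C&C reputation list (hypothetical verdicts, not a real feed).
CNC_REPUTATION = {
    "203.0.113.7": "very bad",      # single host
    "198.51.100.0/24": "bad",       # whole range flagged
}

# Constructed NetFlow-style records: time src dst dport proto bytes
FLOWS = """\
2013-05-01T10:00:01 10.1.2.15 203.0.113.7 8080 tcp 512
2013-05-01T10:00:03 10.1.2.15 93.184.216.34 443 tcp 24000
2013-05-01T10:01:15 10.1.2.15 203.0.113.7 8080 tcp 488
2013-05-01T10:02:00 10.1.2.77 198.51.100.23 53 udp 90
2013-05-01T10:02:30 10.1.2.90 93.184.216.34 443 tcp 8800
2013-05-01T10:03:00 10.1.2.15 203.0.113.7 8080 tcp 501
"""


def parse_flows(text):
    """Turn whitespace-separated flow lines into dicts; skip blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto,
                      "bytes": int(nbytes)})
    return flows


def reputation_for(ip):
    """Return the verdict for an IP, or None if it is not on the list.
    Port and protocol are deliberately ignored: the destination is what
    matters, however the traffic is dressed up (8080, 53, 443...)."""
    addr = ip_address(ip)
    for entry, verdict in CNC_REPUTATION.items():
        if addr in ip_network(entry, strict=False):
            return verdict
    return None


def find_infected(flows):
    """Map each internal client to the C&C destinations it talked to.
    Result shape: {src: {dst: (verdict, flow_count)}}."""
    hits = defaultdict(lambda: defaultdict(lambda: [None, 0]))
    for f in flows:
        verdict = reputation_for(f["dst"])
        if verdict is None:
            continue
        entry = hits[f["src"]][f["dst"]]
        entry[0] = verdict
        entry[1] += 1
    return {src: {dst: tuple(v) for dst, v in dsts.items()}
            for src, dsts in hits.items()}


if __name__ == "__main__":
    for client, dsts in find_infected(parse_flows(FLOWS)).items():
        for dst, (verdict, n) in dsts.items():
            print(f"{client} -> {dst}: {verdict} ({n} phone-home flows)")
```

The client talking to 93.184.216.34 only is never reported, and repeated contacts to the same C&C host are counted rather than listed once, which is the signal an analyst uses to separate a beaconing host from a single stray connection.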

Live dashboard monitoring and integrated reporting.

Enabling the Potential of Network-Wide Context Sharing. Each system holds one kind of context and needs another: "I have reputation info! I need threat data." "I have sec events! I need reputation." (SIO) "I have application info! I need location & auth-group." "I have NBAR info! I need identity." "I have NetFlow! I need entitlement." "I have location! I need identity." "I have MDM info! I need location." "I have threat data! I need reputation." "I have firewall logs! I need identity." "I have app inventory info! I need posture." "I have identity & device-type! I need app inventory & vulnerability." That didn't work so well!

Enabling the Potential of Network-Wide Context Sharing, with pxGrid: context sharing through a single framework with direct, secured interfaces between the same systems (reputation info, sec events, SIO, application info, NBAR info, NetFlow, location, MDM info, threat data, firewall logs, app inventory info, identity & device-type) and the context each of them needs (threat data, reputation, location & auth-group, identity, entitlement, posture, app inventory & vulnerability).

Security policy attributes (who, what, where, when, how) and identity context feed Cisco ISE, which applies business-relevant policies across wired, wireless and VPN access for virtual machine clients, IP devices, guests, employees, and remote users. ISE replaces AAA and RADIUS, NAC, guest management, and device identity servers.

Backed by Cisco SecureX: policy from Cisco ISE (with an MDM manager, Cisco Prime, or a third-party MDM appliance) reaches Cisco Catalyst switches and wired network devices (office wired access), the Cisco WLAN Controller (office wireless access), Cisco Web Security, and the Cisco ASA firewall & IPS with Cisco AnyConnect (remote access), managed through Cisco CSM and ASDM.

Cisco ISE with SIEM & Threat Defense partners: take network action.
1. ISE provides context: identity, device type, posture, authorization level, location.
2. The SIEM/TD system takes action and quarantines the user (Scott Smith) and device via ISE.
3. ISE matches the request to its quarantine policy.
4. The Cisco switch executes the authorization change; Scott Smith is re-assigned to restricted access.

Before: a potential breach event in the SIEM means associating the user to the event (AAA logs?), associating the user to an authorization (IAM), checking endpoint posture (NAC?), finding where it is on the network and what kind of device it is, and then working out how to mitigate. Many screens, missing data, complicated mitigation.

After, with Cisco ISE: a potential breach event is handled on one screen with all data and integrated mitigation. Associate user to event, associate user to authorization, check endpoint posture, check network location, check device type, mitigate in the network. ISE supplies the user and device context related to the security event to SIEM & Threat Defense partners, and the endpoint network action is taken through the network.

SIEM & Threat Defense (prioritize events, user/device-aware analytics, expedite resolution): ISE provides user and device context to SIEM and Threat Defense partners; partners use that context to identify the users, devices, posture, location and network privilege level associated with SIEM/TD security events; partners may take network action on users/devices via ISE. Mobile Device Management (ensure device enrollment and security compliance): ISE serves as the policy gateway for mobile device network access; MDM provides ISE with mobile device security compliance context; ISE assigns network access privilege based on that compliance context.
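The SIEM-to-ISE quarantine flow of the last few slides (event, context lookup, quarantine policy match, authorization change on the switch) together with the MDM-compliance privilege assignment, as one added example that is not Cisco's or ISE's code: the session table, the events, the severity thresholds and the change-of-authorization stand-in are all constructed and hypothetical.

```python
"""SIEM event enrichment with identity context and network quarantine.

Added example, not Cisco or ISE code: a stand-in for the ISE/SIEM flow
on the slides, using constructed data. The session table, events, policy
thresholds and the change-of-authorization stub are all hypothetical.
"""

# Constructed ISE-style session table keyed by endpoint IP (hypothetical).
SESSIONS = {
    "10.1.2.15": {"user": "ssmith", "device_type": "Windows laptop",
                  "posture": "noncompliant", "auth_level": "employee",
                  "location": "Bldg-A/Floor-2", "mdm_compliant": True},
    "10.1.2.90": {"user": "jdoe", "device_type": "iPad",
                  "posture": "compliant", "auth_level": "employee",
                  "location": "Bldg-B/Floor-1", "mdm_compliant": True},
    "10.1.2.42": {"user": "rlee", "device_type": "Android phone",
                  "posture": "unknown", "auth_level": "guest",
                  "location": "Bldg-A/Lobby", "mdm_compliant": False},
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed SIEM events (hypothetical).
EVENTS = [
    {"id": 1, "src": "10.1.2.15", "severity": "high", "name": "botnet-cnc-phone-home"},
    {"id": 2, "src": "10.1.2.90", "severity": "low", "name": "port-scan"},
    {"id": 3, "src": "10.9.9.9", "severity": "high", "name": "malware-download"},
    {"id": 4, "src": "10.1.2.42", "severity": "medium", "name": "suspicious-dns"},
]


def mdm_access_level(ctx):
    """Initial privilege from MDM compliance context: enrolled and
    compliant devices get full access, everything else is restricted."""
    return "Full Access" if ctx["mdm_compliant"] else "Restricted Access"


# Current authorization per endpoint, as the switch would hold it.
AUTHORIZATION = {ip: mdm_access_level(ctx) for ip, ctx in SESSIONS.items()}


def enrich_event(event):
    """Attach who/what/where context: one screen, all data."""
    return {**event, "context": SESSIONS.get(event["src"])}


def quarantine_decision(enriched):
    """Hypothetical policy: quarantine on high/critical severity, or on
    medium severity from an endpoint whose posture is not compliant.
    With no session there is no user or device to act on, so the event
    goes to an analyst instead."""
    ctx = enriched["context"]
    if ctx is None:
        return "investigate"
    rank = SEVERITY_RANK[enriched["severity"]]
    if rank >= SEVERITY_RANK["high"]:
        return "quarantine"
    if rank == SEVERITY_RANK["medium"] and ctx["posture"] != "compliant":
        return "quarantine"
    return "none"


def apply_change_of_authorization(ip, action):
    """Stand-in for ISE pushing the authorization change to the switch."""
    if action == "quarantine":
        AUTHORIZATION[ip] = "Restricted Access"
    return AUTHORIZATION.get(ip)


def handle_event(event):
    """Full path: enrich, decide, act; returns the integrated view."""
    enriched = enrich_event(event)
    action = quarantine_decision(enriched)
    ctx = enriched["context"]
    return {
        "id": event["id"],
        "user": ctx["user"] if ctx else None,
        "device_type": ctx["device_type"] if ctx else None,
        "location": ctx["location"] if ctx else None,
        "action": action,
        "authorization": apply_change_of_authorization(event["src"], action),
    }


if __name__ == "__main__":
    for ev in EVENTS:
        print(handle_event(ev))
```

The unknown source address is the case worth noticing: without a session the SIEM can still raise the alarm, but the network has nobody to re-authorize, which is exactly the "missing data" situation the earlier slide describes.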

Thank you.