Network as a Sensor and Enforcer: Leverage the Network to Protect Against and Mitigate Threats
Dragan Novaković, Consulting Systems Engineer, Security
November 2015
New Networks Mean New Security Challenges
Changing business models, a dynamic threat landscape, and growing complexity and fragmentation:
- Enterprise mobility: organizations lack visibility into which and how many devices are on their network.
- Acquisitions and partnerships: acquisitions, joint ventures, and partnerships are increasing in regularity.
- Cloud: services are moving to the cloud at a faster rate than IT can keep up.
- Internet of Things: over 50 billion connected smart objects by 2020.
The result is an expanded enterprise attack surface. It's not IF you will be breached, it's WHEN.
Cisco's Threat-Centric Security Model Covers the Entire Attack Continuum
- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Technologies across the continuum: Firewall, VPN, NGIPS, DDoS, Advanced Malware Protection, Application Control, Policy Management, Web Security, Malware Sandboxing, Secure Access + Identity Services, and Network Behavior Analysis, covering network, endpoint, mobile, virtual, cloud, and email. Point-in-time defenses are complemented by continuous visibility and automation.
"Because that's where the money is." Willie Sutton, bank robber, (allegedly) on why he robbed banks.
You Can't Defend Against What You Can't See
2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Solution Overview
Cisco Network as a Sensor (NaaS)
- Detect anomalous traffic flows and malware
- Identify user access policy violations
- Obtain broad visibility into all network traffic
Visibility through NetFlow
NetFlow, exported by switches, routers, and firewalls, provides:
- A trace of every conversation in your network
- An ability to collect records everywhere in your network (switch, router, or firewall)
- Network usage measurement
- An ability to find north-south as well as east-west communication
- Lightweight visibility compared to SPAN-based traffic analysis
Flow information is enriched with security group information and yields indications of compromise (IOC). The slide's sample record, for a client 10.1.8.3 talking to 172.168.134.2 on the Internet, carries these fields:
SOURCE ADDRESS 10.1.8.3
DESTINATION ADDRESS 172.168.134.2
SOURCE PORT 47321
DESTINATION PORT 443
INTERFACE Gi0/0/0
IP TOS 0x00
IP PROTOCOL 6
NEXT HOP 172.168.25.1
TCP FLAGS 0x1A
SOURCE SGT 100
APPLICATION NAME NBAR SECURE-HTTP
Lancope StealthWatch: System Overview
- StealthWatch FlowSensor: generates NetFlow from a SPAN feed for devices that are not NetFlow capable
- StealthWatch FlowCollector: collects and analyzes NetFlow, NBAR, and NSEL records from network devices; up to 4,000 sources and up to 240,000 flows per second (FPS) sustained
- StealthWatch Management Console: management and reporting; up to 25 FlowCollectors and up to 6 million FPS globally
Conversational Flow Record
- Who, What, When, Where, How: more context for every conversation
- Highly scalable (enterprise-class) collection
- High compression, enabling long-term storage: months of data retention
NetFlow for Dynamic Network Awareness
- Understand network behavior and establish a network's "normal"
- A powerful information source for every network conversation: source and destination IP address, IP ports, time, data transferred, and more
- A critical tool to identify a security breach: identify anomalous activity, reconstruct the sequence of events, and provide forensic evidence and regulatory compliance
- Each and every network conversation over an extended period of time is stored for future analysis
- NetFlow for full details, NetFlow-Lite for 1/n samples
- Network flows highlight attack signatures
Behavioral and Anomaly Detection Model
Flows are collected and analyzed, behavioral algorithms are applied to build security events (94+), security events feed alarm categories, and alarm categories drive the response.
- Security events include: Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, ICMP Flood, Max Flows Initiated, Max Flows Served, Suspect Long Flow, Suspect UDP Activity, SYN Flood, and more
- Alarm categories: Concern, Recon, C&C, Exploitation, Data Hoarding, Exfiltration, DDoS Target
- Responses: Alarm Table, Host Snapshot, Email, Syslog / SIEM, Mitigation
StealthWatch Alarm Categories: each category accrues points.
Data Hoarding
- Suspect Data Hoarding: an unusually large amount of data inbound to a host from other hosts
- Target Data Hoarding: an unusually large amount of data outbound from a host to multiple hosts
Suspect Data Hoarding (detail): an unusually large amount of data inbound to a host from other hosts, detected by both policy and behavioral rules.
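As an added example (not from the slides, and not StealthWatch's own logic), the following Python models the detection pipeline described above on constructed conversational flow records: per-host byte totals are checked against an absolute policy cap and against a behavioral baseline, Suspect and Target Data Hoarding events additionally require the volume to span several peers, and the Data Hoarding alarm category accrues points from its events. All flow values, baselines and thresholds are constructed assumptions.

```python
from collections import defaultdict
# Constructed conversational flow records (not data from the slides): (client, server, port, bytes c->s, bytes s->c)
FLOWS = [
    ("10.1.8.3", "10.2.0.10", 445, 2_000, 30_000_000),   # one client pulling from many servers
    ("10.1.8.3", "10.2.0.11", 445, 1_500, 25_000_000),
    ("10.1.8.3", "10.2.0.12", 445, 1_200, 20_000_000),
    ("10.1.8.3", "10.2.0.13", 443, 3_000, 15_000_000),
    ("10.1.8.9", "10.2.0.20", 443, 120_000_000, 4_000),  # big push to ONE host: not hoarding
    ("10.1.8.20", "10.2.0.50", 8443, 4_000, 60_000_000), # one server feeding many clients
    ("10.1.8.21", "10.2.0.50", 8443, 4_000, 55_000_000),
    ("10.1.8.22", "10.2.0.50", 8443, 4_000, 58_000_000),
]
# Constructed "network normal" per host: (mean bytes per window, std dev); learned over time in practice
BASELINE_IN = {"10.1.8.3": (6_000_000, 2_000_000)}
BASELINE_OUT = {"10.2.0.50": (30_000_000, 10_000_000), "10.1.8.9": (100_000_000, 30_000_000)}
POLICY_MAX_BYTES = 150_000_000         # policy rule: absolute cap, applies even to hosts with no baseline
SIGMA, MIN_PEERS = 3.0, 3              # behavioral rule: beyond mean + 3 sigma, spread across >= 3 peers
EVENT_POINTS, ALARM_THRESHOLD = 6, 10  # each event adds points to its category; alarm at the threshold
def aggregate(flows):
    """Per host: [bytes received, peers] and [bytes sent, peers], counting both sides of every flow."""
    recv, sent = defaultdict(lambda: [0, set()]), defaultdict(lambda: [0, set()])
    for client, server, _port, c_bytes, s_bytes in flows:
        recv[client][0] += s_bytes; recv[client][1].add(server)
        sent[client][0] += c_bytes; sent[client][1].add(server)
        recv[server][0] += c_bytes; recv[server][1].add(client)
        sent[server][0] += s_bytes; sent[server][1].add(client)
    return recv, sent
def exceeds(total, baseline):
    """Which rule fired: 'policy' (absolute cap), 'behavioral' (outside the host's normal), or None."""
    if total > POLICY_MAX_BYTES:
        return "policy"
    if baseline and total > baseline[0] + SIGMA * baseline[1]:
        return "behavioral"
    return None
def data_hoarding_events(flows):
    """Suspect: a host pulling unusually much from several hosts. Target: pushing unusually much to several."""
    recv, sent = aggregate(flows)
    events = []
    for name, table, baselines in (("Suspect Data Hoarding", recv, BASELINE_IN),
                                   ("Target Data Hoarding", sent, BASELINE_OUT)):
        for host, (total, peers) in table.items():
            rule = exceeds(total, baselines.get(host))
            if rule and len(peers) >= MIN_PEERS:  # volume alone is not enough; it must span peers
                events.append((name, host, rule, total, len(peers)))
    return events
def data_hoarding_alarm(flows):
    """The Data Hoarding category accrues points per event and alarms once the threshold is reached."""
    points = EVENT_POINTS * len(data_hoarding_events(flows))
    return points, points >= ALARM_THRESHOLD
```

Note that 10.1.8.9 moves more bytes than either flagged host but to a single peer, so it produces no event; the peer-count condition is what separates a bulk transfer from hoarding.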
Lancope StealthWatch System: Network Reconnaissance Using Dynamic NetFlow Analysis
- Monitor: understand your network's normal; gain real-time situational awareness of all traffic
- Detect: leverage network behavior anomaly detection and analytics; detect behaviors linked to APTs, insider threats, DDoS, and malware
- Analyze: collect and analyze holistic network audit trails; achieve faster root-cause analysis to conduct thorough forensic investigations
- Respond: accelerate network troubleshooting and threat mitigation; respond quickly to threats by taking action to quarantine through Cisco ISE
Cisco Network as an Enforcer (NaaE)
- Implement access controls to secure resources
- Contain the scope of an attack on the network
- Quarantine threats and reduce time-to-remediation
Cisco Identity Services Engine (ISE): Adding Visibility and Context to NetFlow
ISE combines network and user context with integrated partner context (who, what, when, where, how) and sends the contextual data collected from users, devices, and networks to Lancope for advanced insights and NetFlow analytics.
Cisco TrustSec Software-Defined Segmentation
Provide role-based segmentation to control access and contain threats.
A traditional security policy is expressed as address-based ACLs that grow entry by entry. The slide illustrates this with the following entries (decoration, not a working configuration: port operators on icmp and ip entries are not valid):
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
A TrustSec security policy instead:
- Simplifies firewall rule, ACL, and VLAN management
- Prevents lateral movement of potential threats
- Eliminates costly network re-architecture
The segmentation policy is enforced across the extended network: switch, router, VPN and firewall, DC switch, and wireless controller.
Cisco TrustSec Software-Defined Segmentation (example)
ISE classification results for a session: Device Type: Apple iPad; User: Mary; Group: Employee; Corporate Asset: Yes; Malware Detected: Yes.
Enforcement and visibility points in the example: access layer, campus core, data center firewall, data center, ASA SSL VPN, and Lancope/NetFlow (SMC/FC).
Security group tags in the example: Voice, Employee, PCI POS, Partner, and Non-Compliant. The session with malware detected is tagged Non-Compliant and quarantined while the host stays in Data VLAN 20; PCI segmentation is likewise achieved within the same VLAN, so neither quarantine nor PCI isolation requires moving hosts between VLANs.
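An added illustration (not Cisco's own configuration or code) of the tag-based enforcement described on the last two slides: a session's ISE-style context is classified to a security group, a default-deny group-to-group matrix decides each flow without consulting the VLAN, and quarantine is a context change that re-derives the tag at every enforcement point. The server groups, the matrix contents, the endpoint and server addresses, and the group names beyond those on the slide are assumptions.

```python
# Constructed example (not Cisco's own configuration or code): ISE-style classification of a session to a
# security group, an SGACL matrix keyed on groups rather than addresses or VLANs, and quarantine by re-tagging.
# Group-to-group policy (the TrustSec matrix): any pair not listed here is denied. Employee, PCI POS,
# Partner and Non-Compliant come from the slide; the server groups and the permits are assumptions.
MATRIX = {
    ("Employee", "DC_Servers"): "permit",
    ("Partner", "DC_Servers"): "permit",
    ("PCI_POS", "PCI_Servers"): "permit",
    ("Non_Compliant", "Remediation"): "permit",  # a quarantined host reaches only remediation services
}

def classify(ctx):
    """Derive the security group from ISE context. The malware verdict is tested first so it overrides role."""
    if ctx.get("malware_detected"):
        return "Non_Compliant"
    if ctx.get("group") == "PCI POS" and ctx.get("corporate_asset"):
        return "PCI_POS"
    if ctx.get("group") == "Employee" and ctx.get("corporate_asset"):
        return "Employee"
    if ctx.get("group") == "Partner":
        return "Partner"
    return "Non_Compliant"  # constructed default: anything unrecognised gets the most restrictive group

def decide(src_group, dst_group):
    """SGACL lookup: default deny for any group pair the matrix does not permit."""
    return MATRIX.get((src_group, dst_group), "deny")

def enforce(endpoints, servers, src_ip, dst_ip):
    """Decision for one flow. VLAN membership is deliberately not consulted; the tags carry the policy."""
    return decide(classify(endpoints[src_ip]), servers[dst_ip])

# Constructed endpoints: Mary's iPad (the slide's example) and a POS terminal share Data VLAN 20.
ENDPOINTS = {
    "10.1.8.3": {"device_type": "Apple iPad", "user": "Mary", "group": "Employee",
                 "corporate_asset": True, "malware_detected": False, "vlan": 20},
    "10.1.8.4": {"device_type": "POS terminal", "user": "pos-01", "group": "PCI POS",
                 "corporate_asset": True, "malware_detected": False, "vlan": 20},
}
SERVERS = {"10.2.0.10": "DC_Servers", "10.2.0.11": "DC_Servers", "10.2.0.99": "PCI_Servers", "10.3.0.5": "Remediation"}

def quarantine(endpoints, ip):
    """What a StealthWatch alarm actioned through ISE amounts to here: update the session context;
    the new tag then applies wherever enforce() runs, with no ACL or VLAN change."""
    endpoints[ip]["malware_detected"] = True
    return classify(endpoints[ip])
```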
Bringing It All Together: Architecting Network as a Sensor and Network as an Enforcer
- Network sensors: Lancope (network sensor), NGIPS, campus/DC switches and WLC, Cisco routers and 3rd-party vendor devices, fed by Cisco Collective Security Intelligence
- Policy and context sharing: ISE shares context over the pxGrid API, and TrustSec Security Group Tags carry the resulting policy
- Network enforcers: NGFW and TrustSec-capable network devices protect confidential data against the threat
What Can Cisco NaaS and NaaE Offer You?
- Unmatched visibility: global intelligence with the right context
- Consistent control: consistent policies across the network and data center
- Advanced threat protection: detects and stops advanced threats
- Complexity reduction: fits and adapts to changing business models
Cisco's Threat-Centric Approach to Security: the Attack Continuum (Before, During, After)
- Network as a Sensor: Flexible NetFlow, Lancope StealthWatch, ISE
- Network as an Enforcer: Flexible NetFlow, Lancope StealthWatch, Cisco TrustSec, ISE
Thank you.