Cyber Threat Defense Solution. Moritz Wenz, Lancope.




Transcription:

Cyber Threat Defense Solution. Moritz Wenz, Lancope (slide 1)

The Threat Landscape is evolving (slide 2)
Timeline: 2000, 2005, 2010, Tomorrow. Increased attack surface over time.
Threats: Worms; Spyware and Rootkits; APTs; Cyberware.
Enterprise response: Antivirus (Host-Based); IDS/IPS (Network Perimeter); Reputation (Global) and Sandboxing; Intelligence and Analytics (Cloud).

Kill Chain: Post Breach (slide 3)
1. Command and Control
2. Reconnaissance
3. Propagation
4. Data Theft
Threat detection points shown: Switches, Routers, Firewall, IPS, N-AV, Web Sec, Email Sec.

Scalable Network Defense (slide 4)
Same post-breach kill chain (1. Command and Control, 2. Reconnaissance, 3. Propagation, 4. Data Theft) with threat detection provided by Switches, Routers, Firewall, IPS, N-AV, Web Sec and Email Sec.

The New Security Model (slide 6)
BEFORE: Discover, Enforce, Harden.
DURING: Detect, Block, Defend.
AFTER: Scope, Contain, Remediate.
Covers Network, Endpoint, Mobile, Virtual, Cloud. Point in Time and Continuous.

Cisco Solutions Covering the Entire Attack Continuum (slide 7)
Attack Continuum: BEFORE (Discover, Enforce, Harden), DURING (Detect, Block, Defend), AFTER (Scope, Contain, Remediate).
Firewall, NGFW, VPN, NGIPS, UTM: ASA, Meraki, FirePower.
Web Security: WSA. Email Security: ESA. NAC + Identity Services: ISE.
Visibility and Context: NW Infra + ISE.
Advanced Malware Protection: AMP (SF).
Network Behavior Analysis: Lancope.

Visibility, Context, and Control (slide 11)
WHO, WHAT, WHERE, WHEN, HOW: Hardware-enabled NetFlow Switch, Cisco ISE, Cisco ASA + NSEL, Cisco ISR G2 + NBAR, Devices, Internal Network Context.
1. Use NetFlow Data to Extend Visibility to the Access Layer.
2. Enrich Flow Data With Identity, Events and Application to Create Context.
3. Unify Into a Single Pane of Glass for Detection, Investigation and Reporting.

NetFlow Security Use Cases (slide 12)
Detecting Sophisticated and Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise waiting to strike as a lurking threat. These may be zero-day threats that do not yet have an antivirus signature, or threats that are hard to detect for other reasons.
Identifying BotNet Command & Control Activity. BotNets are implanted in the enterprise to execute commands from their bot herders: sending spam, launching denial-of-service attacks, or other malicious acts.
Uncovering Network Reconnaissance. Some attacks probe the network looking for attack vectors to be used by custom-crafted cyber threats.
Finding Internally Spread Malware. Malware can proliferate across hosts inside the network for the purpose of gathering security reconnaissance data, exfiltrating data, or planting network backdoors.
Revealing Data Loss. Code can be hidden in the enterprise to export sensitive information back to the attacker. This data leakage may occur rapidly or over time.

StealthWatch Solution Components (slide 13)
StealthWatch Management Console; StealthWatch FlowReplicator; StealthWatch FlowCollector; StealthWatch FlowSensor; StealthWatch FlowSensor VE; Cisco ISE; Cisco Network (NetFlow, NBAR, NSEL); other tools/collectors; Users/Devices.

Behaviour Based Attack Detection (slide 15)
A behaviour-based High Concern Index indicates a significant number of suspicious events that deviate from established baselines.
Host Groups: Desktops. Host: 10.10.101.118. CI: 865,645,669. CI%: 8,656%. Alarms: High Concern Index. Alerts: Ping, Ping_Scan, TCP_Scan.

Detecting Command and Control (slide 17)
Alarm indicating communication with known BotNet controllers; the alarm row shows the source IP address and username, the target that triggered the alarm, and the details.
Start Active Time: Dec 11, 2012. Alarm: Bot Infected Host Attempted C&C Activity. Source User Name: John Chambers. Source: 1.1.1.1. Source Host Groups: Sales and Marketing, Atlanta, Marketing Atlanta Desktops. Target: node1.bytecluster.com (209.190.85.12). Target Host Groups: Optima, United Kingdom.
Details: Attempted communication was detected between this inside host and a C&C server using port 80 and the TCP protocol.

Identifying Reconnaissance Activity (slide 19)
A High Concern Index indicates a significant number of suspicious events that deviate from established baselines.
Host Groups: Desktops. Host: 10.10.101.118. CI: 865,645,669. CI%: 8,656%. Alarms: High Concern Index. Alerts: Ping, Ping_Scan, TCP_Scan.

Infection Tracking (slide 21)
Initial infection, then secondary infection, then tertiary infection.

Detecting Suspect Data Loss (slide 22)
Policy: Inside Hosts. Start Active Time: 8-Feb-2012. Alarm: Suspect Data Loss. Source: 10.34.74.123. Source Host Group: Wired. Source Username: John Chambers. Target: Multiple Hosts.
Details: Observed 4.08G bytes. Policy maximum allows up to 81.92M bytes.

Flow-based Anomaly Detection (slide 23)
1. Collect & Analyze Flows. Attributes include: number of concurrent flows, packets per second, bits per second, new flows created, number of SYNs sent, time of day received, rate of connection resets, duration of the flow, and over 80 other attributes.
2. Establish Baseline of Behaviors. Example: number of SYNs with a threshold per host group (Critical Servers, Exchange Server, Web Servers, Marketing).
3. Alarm on Anomalies & Changes in Behavior. Anomaly detected in host behavior.
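The three steps on this slide, as an added Python example that is not Lancope or Cisco code: constructed per-host flow summaries, a per-host baseline, a Concern-Index-style deviation score against a hypothetical per-host-group threshold, and the byte-count policy check from the data-loss slide.

```python
from statistics import mean, pstdev

# Constructed per-host, per-window flow summaries (not real telemetry).
# Attributes mirror the slide: SYNs sent, new flows created, bytes out.
ATTRS = ("syns_sent", "new_flows", "bytes_out")
FLOWS = {
    # six quiet windows, then a window that looks like a scan
    "10.10.101.118": [(40, 30, 2_000_000)] * 6 + [(900, 850, 2_000_000)],
    # six quiet windows, then a window that looks like bulk exfiltration
    "10.34.74.123": [(20, 15, 50_000_000)] * 6 + [(22, 16, 4_080_000_000)],
}
CI_THRESHOLD = {"Desktops": 10.0}   # hypothetical per-host-group CI threshold
POLICY_MAX_BYTES = 81_920_000       # 81.92M bytes, as on the data-loss slide


def baseline(history):
    """Step 2: mean and stdev of each attribute over the past windows."""
    return {a: (mean(col), pstdev(col)) for a, col in zip(ATTRS, zip(*history))}


def concern_index(window, base, sigma=3.0):
    """Step 3: sum the sigma-distance of every attribute that exceeds baseline."""
    ci = 0.0
    for attr, value in zip(ATTRS, window):
        mu, sd = base[attr]
        sd = max(sd, 0.05 * mu, 1.0)  # floor: a flat history must not divide by ~0
        dev = (value - mu) / sd
        if dev > sigma:
            ci += dev
    return ci


def evaluate(host, group="Desktops"):
    """Score the newest window for a host and return the alarms it raises."""
    history, current = FLOWS[host][:-1], FLOWS[host][-1]
    ci = concern_index(current, baseline(history))
    ci_pct = 100.0 * ci / CI_THRESHOLD[group]
    alarms = []
    if ci_pct > 100:
        alarms.append("High Concern Index")
    if current[2] > POLICY_MAX_BYTES:       # policy check is independent of the baseline
        alarms.append("Suspect Data Loss")
    return {"host": host, "ci": round(ci, 1), "ci_pct": round(ci_pct), "alarms": alarms}


if __name__ == "__main__":
    for h in FLOWS:
        print(evaluate(h))
```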
