Cisco Cyber Range. Paul Qiu Senior Solutions Architect June 2016

Transcription

1 Cisco Cyber Range Paul Qiu Senior Solutions Architect June 2016

2 What I hear, I forget What I see, I remember What I do, I understand ~ Confucius

3 Agenda

4 Agenda Cyber Range Highlights Cyber Range Overview & Architecture Cyber Range Threat Response Exercise Cyber Range Further Investigation 4

5 Cyber Range Highlights

6 Cyber Range Highlights Defence Organisations Enterprise NOC/SOC Teams. Oil and Gas Sectors Government Regulatory authorities Consulting and Auditing firms Large Service Providers Cyber Emergency Response Teams Information Security and Surveillance teams Partners, distributors, value added resellers, and security system integrators

7 Workshops all over the world

8 Cyber Range Overview

9 Cyber Range Service Delivery Platform A Platform for Service Delivery and Learning Deeper understanding of leading security methodologies, operations, and procedures Empower customers with the architecture and capability to combat modern cyber threats Over 100 Attack Cases for 12 Technology Solutions 100+ applications simultaneously merged with different Malware types Virtual environment accessible from any place in the world PEOPLE PROCESS DATA THINGS

10 Cisco Cyber Range Service Packages 3 or 5 day intensive real life experience reacting to and defending against rudimentary and Complex Cyber Attacks delivery to any location Cyber Range build on customer premise with updates via subscription Threat Intelligence Report Threat modelling for customers network environment and regular consulting on impact of latest threats to customer s security posture 3 or 5 day intensive real life experience, Rent Cyber Range Services Delivery Platform Including test engineer Local Cisco Services Lab

11 Cyber Range Capabilities can improve cyber defence operational capabilities, by way of: Architecture / Design validation Incident response playbook creation / validation War game exercises Hands-on training for individual technologies Threat mitigation process verification Simulating advanced threats (zero day / APT)

12 Cyber Range Architecture

13 Covering The Entire Attack Continuum Attack Continuum BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall VPN NGIPS Advanced Malware Protection NGFW UTM Web Security Network Behaviour Analysis NAC + Identity Services Security Visibility and Context

14 Cisco CSIRT Protection Model Prevent Detect Network IPS Host IPS Network IDS Advanced Malware Firewall Anti-Virus Web proxy Anti-Spam Behavioural anomaly NetFlow anomaly Collect NetFlow Event logs Web proxy logs Web firewall Analyse SIEM analysis NetFlow analysis Malware analysis Mitigate IP blackhole account disablement Foundation scalable load balancer device monitoring

15 Cyber Range Network Components Overview StealthWatch Management SMC Internet Cisco Talos Flow Collector Identity Services Engine FC Web Security Appliance Security Appliance Sourcefire IPS Wireless Security ASAv N1KV Cyber Threat Defence NetFlow AVC TrustSec ASA NGFW Fire SIGHT Cisco Prime Splunk Virtual Security IXIA Breaking Point Open Source Attack Tools Inside Host Data Analytics

16 Cyber Range Network 1

17 Meet the Teams Red Team Blue Team Green Team AGENDA: Infiltrate networks to steal data and/or cause damage for publicity or gain. AGENDA: Monitor and defend attacks against CyberRange Networks and their clients. AGENDA: Enhance knowledge of attack and defence strategies. Hopes to one day join the red or blue teams. Skill Set: High Skill Set: High Skill Set: Varied LOCATION: Everywhere LOCATION: Security Operations Centre LOCATION: This room

18 Cyber Range Networks Biggest Threats?

19 Cyber Range Threat Response Exercise

20 Incident Categories by CERT Category Title Description CAT 0 Exercise / Network Defence Testing Known vulnerability assessments, audits, Q/C incident tests, table-top exercises, etc CAT 1 CAT 2 CAT 3 CAT 4 CAT 5 CAT 6 Unauthorised Access Denial of Service (DoS) Malicious Code Improper Usage Scans/Probes/Attempted Access Investigation Logical or physical access without permission (regardless of awareness) to a network, system, application, data, or other resource from internal to external An attack that successfully prevents or impairs the normal authorised functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS. Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Any acceptable-use, lab, minimum host, general insecurity, or other policy violations, unscheduled vulnerability assessments, external vulnerability notification, etc. An employee violates acceptable computing use polices. This category includes any activity that seeks to access or identify a company asset, including computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. Unconfirmed incidents where evidence is inconclusive, or when supporting another team s investigation. Potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.

21 Cyber Range Further Investigation

22 Additional Resources

23 Additional Resources Service Overview: Sales Collateral: Contact Us:

24 What I hear, I forget What I see, I remember What I do, I understand ~ Confucius

25