Cisco Techupdate November 17

Transcription

1 Cisco Techupdate November 17 Stealthwatch Cloud, ETA brief & Tue s tips & tricks Tue Frei Nørgaard & Jesper Rathsach Consulting systems engineers, Cisco Security North team 9th November 2017

2 Introduktion Stealthwatch Cloud Dagens Agenda Encrypted Traffic Analytics brief Pause Tue s tips og tricks Q & A med test!!! Tak For I dag og på gensyn 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

3 Stealthwatch Cloud

4 Effective security is dependent on the ability to see everything in your network KNOW every host RECORD every conversation Understand what is NORMAL Be alerted to CHANGE Respond to THREATS quickly HQ Network Branch Cloud Users Roaming Users Data Center Admin

5 Stealthwatch provides the security visibility you need Stealthwatch Cloud Stealthwatch Enterprise Public cloud monitoring Private network monitoring Enterprise network monitoring Public cloud monitoring On-premises network monitoring On-premises network monitoring Suitable for enterprises & commercial businesses using public cloud services Suitable for SMBs & commercial businesses Suitable for enterprises & large businesses Software as a Service (SaaS) Software as a Service (SaaS) On-premises virtual or hardware appliance

6 Quick and easy security for dynamic environments Stealthwatch Cloud Public Cloud VPC Flow Logs Other data sources NetFlow Mirror port Other data sources

7 Using modeling to detect security events Dynamic Entity Modeling Collect Input Perform Analysis Draw Conclusions IP Meta Data Role What is the role of the device? System Logs Security Events Passive DNS External Intel Vulnerability Scans Dynamic Entity Modeling Group Consistency Rules What ports/protocols does the device continually access? What connections does it continually make? Does it communicate internally only? What countries does it talk to? Config Changes Forecast How much data does the device normally send/receive?

8 Identify every entity in your network automatically Automated Endpoint Discovery X Detect Track Profile

9 Detailed visibility of every entity Automated Entity Discovery X Time of Day Usage Traffic Statistics Active Traffic Profiles

10 Traffic profiling on every entity Automated Entity Discovery X Connections by profile Traffic Statistics by profile

11 Profile entity behavior Dynamic Entity Modeling X Roles include: Android AWS Resource Wireless LAN Controller Citrix PVS Server Database Server DNS Server Domain Controller Apple ios Kerberos Node Mail Server Medical Imaging Client Remote Desktop Server Terminal Server VolP Client Legacy Windows Device Web Server and 20+ more

12 Detect abnormal activity using entity modeling? IP address detected Communicates with set of IPs Database server identified Data stays within environment Data access from regular location Existing IP accesses database server New External Connection osbservation New High Throughput Connection Classify roles Dynamically assign roles to entities 36 Day Baseline Monitor and model behavior Alert Triggers for Database Exfiltration

13 Detecting Observations Automatic event detection View observations for a a specific host See Observation details

14 Low-noise alerts help you solve problems Dynamic Entity Modeling Excessive failed access attempts DDoS and amplification attacks ALERT: Anomaly detected 96% of customers rated the alerts generated by Stealthwatch Cloud s entity modeling solutions as helpful Potential data exfiltration Geographically unusual remote access Suspected botnet interaction

15 Integrate easily with all your current systems SaaS Management Portal SIEM AWS Stealthwatch Cloud SQS SNS S3 Web Platforms And Other Platforms

16 Cloud security is a shared responsibility Amazon Web Services Microsoft Azure Google Cloud Platform Cloud Provider Responsible for security OF the cloud Hardware Storage Database Networking Regions Availability zones Cloud software Customer Responsible for security IN the cloud Customer data Applications Operating system, network & firewall configuration Identity & access management Client-side data encryption & data integrity authentication Server-side encryption Platforms

17 Public cloud security challenges Detect & Prevent Data Loss Gaps in security Do I have application vulnerabilities? Am I compliant? What are users doing in the account?

18 Stealthwatch Cloud makes it easy to address cloud security challenges Get complete visibility of activity in the public cloud Detect threats automatically Deploy and manage easily

19 Cover your entire cloud attack surface with ease AWS Flow Logs AWS VPC Flow Logs Stealthwatch Cloud Cloud Trail Inspector Config Cloud Watch IAM Lambda Additional AWS Data Sources

20 Detect threats and see network activity using existing telemetry sources Virtual Sensors Collect from all these sources Use DNS Lookups to link dynamics IPs to a host name Stealthwatch Cloud NetFlow SIEM IPFIX DNS Active Directory Gigamon Any Mirror/SPAN DNS Lookup IP Traffic Data Other Security Data Switches Firewalls Mirror/Span Ports Load Balancers Application Servers Threat Detection

21 Stealthwatch Cloud fits seamlessly into your existing network architecture with no messy reorganization Virtual Sensors Encrypted Private Tunnel Core Switching Data Center Segment Stealthwatch Cloud Mgmt Span NetFlow SW Cloud Virtual Appliance Syslog SNMP IPFIX Accounting Segment SIEM SaaS Portal

22 Get the full benefit of the cloud SaaS-based security Easy to use and deploy Centrally managed Flexible pricing Secure data storage Automatically scale

23 Stealthwatch is available across all deployment methods Stealthwatch Cloud Stealthwatch Enterprise Public cloud monitoring Private network monitoring Enterprise network monitoring Any business using public cloud infrastructure Monitors public cloud via SaaS Complements Cisco Enterprise and Private Network offering SMB & commercial companies Monitors private network via SaaS Complements Cisco public cloud offering Enterprise & commercial customers Monitor private network via onpremises virtual or hardware appliance Complements Cisco public cloud offering

24 Start today with a free 60-day trial Schedule consultation with a security specialist See results within hours Learn more: cisco.com/go/ stealthwatch-cloud

25 Encrypted Traffic Analytics 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

26 Network threats are getting smarter Motivated and targeted adversaries State sponsored Financial/espionage motives $1T cybercrime market Scale too many alerts Increased attack surface BYOD blurring perimeter Public cloud services Enterprise IOT Complexity securing everything Increased attack sophistication Advanced persistent threats Encrypted malware Zero-day exploits Sophistication Keeping up against attackers 200days Industry average detection time for a breach 60days Industry average time to contain a breach $3.8M Average cost of a data breach

27 Encryption is changing the threat landscape Percentage of malware Gartner predicts that by % of all traffic will be encrypted 60% 25% 10% 50% Dec Jan Feb Mar Apr May Based on Cisco threat grid analysis, % 41% Straight-line projection 16% 20% 19% 22% 23% 23% 25% 27% 30% FY05 FY06 FY07 FY08 FY09 FY10 FY11 FY12 FY13 FY14 FY Extensive deployment of encryption Percentage of the IT budget earmarked for encryption Source: Thales and Vormetric

28 New threat landscape Organizations are at risk 38% 81% 41% 64% 62% of organizations have been victims of a cyber attack of attackers used encryption to evade detection cannot detect malicious content in encrypted traffic Decrypt Do not decrypt New attack vectors Employees browsing over HTTPS: Malware infection, covert channel with command and control server, data exfiltration Employees on internal network connecting to DMZ servers: Lateral propagation of encrypted threats Source: Ponemon Report, 2016

29 Enhanced network as a sensor Industry s first network with the ability to find threats in encrypted traffic without decryption Avoid, stop, or mitigate threats faster then ever before Real-time flow analysis for better visibility Encrypted traffic Non-Encrypted traffic Secure and manage your digital network in real time, all the time, everywhere

30 Encrypted Traffic Analytics (ETA) Visibility and malware detection without decryption Malware in encrypted traffic Cryptographic compliance Is the payload within the TLS session malicious? End to end confidentiality Channel integrity during inspection Adapts with encryption standards How much of my digital business uses strong encryption? Audit for TLS policy violations Passive detection of Ciphersuite vulnerabilities Continuous monitoring of network opacity

31 Encrypted Traffic Analytics (ETA) Cisco research Known malware traffic Known benign traffic Extract observable features in the data Employ machine learning techniques to build detectors Known malware sessions detected in encrypted traffic with 99% accuracy Identifying encrypted malware traffic with contextual flow data AISec 16 Blake Anderson, David McGrew (Cisco Fellow)

32 ETA data features Cisco research TCP/IP DNS TLS SPLT Watchlist address c15c0.com afb32d75.com Unusual fingerprint Unusual cert C2 Message Data Exfiltration Malware traffic Self-Signed Certificate Bestafera Benign traffic Prevalent address cisco.com Typical fingerprint Typical cert Google search

33 How can we inspect encrypted traffic? Initial data packet Make the most of the unencrypted fields Sequence of packet lengths and times Identify the content type through the size and timing of packets Threat intelligence map Who s who of the Internet s dark side Data exfiltration Self-Signed certificate C2 message Broad behavioral information about the servers on the Internet.

34 Malware detection using Cognitive Analytics Initial data packet Cloud-based machine learning Threat Intelligence Map Sequence of packet lengths and times All three elements reinforce each other inside the analytics engine using them.

35 Finding malicious activity in encrypted traffic New Catalyst 9K* * Other devices will be supported soon NetFlow Telemetry for encrypted malware detection and cryptographic compliance Cisco Stealthwatch Metadata Cognitive Analytics Malware detection and cryptographic compliance Enhanced NetFlow Leveraged network Faster investigation Higher precision Stronger protection Enhanced NetFlow from Cisco s newest switches and routers Enhanced analytics and machine learning Global-to-local knowledge correlation Continuous Enterprise-wide compliance

36 The Cisco Catalyst 9000 Series enables enhanced network as a sensor with ETA Rapidly mitigate malware and vulnerabilities in encrypted traffic ISE pxgrid Mitigation Stealthwatch Machine learning with enhanced behavior analytics Industry s most pervasively deployable solution for Encrypted Traffic Analytics Complements other encrypted traffic management solutions Encrypted Traffic Analytics Network telemetry based (no decryption) Line-rate performance Investment optimization Simplified management Globally correlated threat intel

37 Cisco Stealthwatch with Cognitive Analytics Extended visibility and behavioral analytics Obtain additional visibility and context into global and local traffic. Use machine learning for continuous analysis and detection of command and control communications. Advanced threat detection Detect threats that have bypassed existing security controls. Identify insiders exfiltrating data to legitimate cloud services. Encrypted traffic analytics Pinpoint malicious patterns in encrypted traffic. Compromised host detection speeds incident response.

38 Cryptographic Compliance Flow search results

39 Encrypted Malware Detection Cognitive Analytics Expanded CTA dashboard view Cognitive Analytics

40

41 Encrypted Malware Detection: Example incident

42 Confirmed threats

43 What does the customer buy? Licensing, packaging Solution Element Software Version License Enterprise switches (Cisco Catalyst 9000 Series)* Branch routers (ASR 1000 Series, 4000 Series ISR, CSR, ISRv)** Cisco IOS XE (Jul) Cisco IOS XE (Oct) Included in Cisco DNA Advantage license/ Cisco ONE Advanced Included in SEC/k9 license Stealthwatch with CA Stealthwatch with CA and ETA v6.9.1 (Available now) v6.9.x Cryptographic compliance (Q3CY17) Malware Detection (Q4CY17) *C9300 series with (Jul), C9400 series available with (Oct) **Available for Proof of Concept (PoC) with , General availability in (Oct) Management Console, Flow Collector, Flow Rate License

44 Pause 15 minutter 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

45 ESA ISR API ASA ACS ISE FMC WSA ASR SDA Tue s T ips og Tricks FTD CSM MAC AAA IOS MAB ACL

46 Recommended software versions How to fight SSL traffic without decrypting it Firepower Customizing Dynamic Block with Reputation Simpler SafeSearch (Google, Youtube, Bing) ACL hitcount Custom Workflow OpenAppID Q & A

47 Firepower Recommended software versions

48 Ta Software Recommendation Overview Software selection is a highly tailored process Delicate balance between desired features and code stability Dependent on platform, traffic patterns, and other device interoperability Detailed bug scrubs across all enabled features are mandatory Advanced Services (AS) must provide a custom recommendation A comprehensive network overview and a thorough bug scrub Ongoing certification and re-evaluation process ownership TAC or BU may suggest an upgrade path for known defects only The final recommendation must be based on a customer deployment

49 Current Best Practices Use for Remote access vpn Move to latest code for NGFW FTD with Flow Preservation to eliminate Snort Restart impact Recommendation to use x as flow preservation is not available on FTD to balance Snort Restart impact against full inspection FMC for management Balance new features against code stability with ASA ASA 9.6(3.16) or wait for ASA 9.6(4) for conservative customers ASA 9.8(2) or ASA 9.8(2.8) for longevity and feature velocity Pick latest compatible FXOS based on Logical Device Support FXOS release ASA release FTD release FXOS 2.2(2.19) ASA 9.8(2) FTD , FTD FXOS 2.1(1.86) ASA 9.6(x)

50 Ta Current Best Practise for Firepower 2100 Released with Recommended HOTFIX D important (HA bug)

51 FXOS Upgrade path FP4100 / 9300

52 How to fight SSL traffic without decrypting it

53 SSL and TLS Decrypting challenges It requires deploying an intermediate certificate on all devices (servers, laptop, mobile and desktop) and this is not always easy to do. In certain cases browsers, applications or mobile applications do not work with intermediate certificate. Also, decrypting SSL could impact the performance of a security appliance by 50% to 90%. New protocols like HTTP2 and QUIC Solutions Inspect and control based on none encrypted elements. Look for bad certificate status. Look for bad CA. Look for bad cipher and SSL version. Look for bad public IP. Look for bad domain name.

54 Firepower SSL Policy rules Creating a rule to block (or monitor) certificate with bad status 1 Select the certificate status that you want to drop, example : Invalid Issuer, Invalid Signature, Server Mismatch,etc. 2 Be careful with the Self Signed validation, a lot of customer use Self Signed cert internally.

55 Firepower SSL DN Object in a rule Blocking (or monitoring) certificate signed by a BAD CA 1 Using you prefer browser find the CA or Intermediate CA you want to blacklist. Then you need to create a Distinguished Name to identify the CA in the Objects section. 3 2 Then create a rule to drop that specific DN (Certificate Authority)

56 Firepower SSL Policy rules Blocking old ciphers and SSL version 3 1 Select Cipher Suite that you want to drop based on your requirement. 2 Select the SSL or TLS version you want to drop.

57 WSA SSL configuration SSL configuration Select to Drop all Certificate Error 1 Select to Drop bad OCSP result Be careful if you enable this option End-User Notification devices will have to have our certificate install.

58 WSA SSL configuration Decryption Policy and Certificate Management 1 Update once in a while the Blacklist of certificate from Cisco Set all Category to Monitor 2 Drop request when the URL have a bad reputation and set to pass through for the good one. Make sure not to decrypt. 3 4

59 SSL IP blacklist Public IP associate with SSL Blacklist

60 Customizing Dynamic Block with Reputation Data

61 What is the challenge? Block page on Firepower Firepower only offer static block page. End-user do not get information on why they have been block. When the the Security Intelligence Domain Blacklist feature block a request the end user does not get a notification.

62 Solution? Sinkhole and senderbase.org We will go through a configuration on Firepower to redirect user to a web block page when Security Intelligence or URL filtering deny access to a domain name or URL. The solution will use a external server (could be internal as well) as a sinkhole to show the reputation and category of the requested URL to the user by redirecting the user to the public senderbase.org web site with requested web site embedded in the URL. Ex : If you choose to share this with your customer, make sure they build their own sinkhole. The external sinkhole «internetsinkhole.com» should only be use for demo or for your personal home network. (This is not approved by Cisco) Also there is still some issues with that solution. There will be no block page for HTTPS block by the URL monitoring feature on Firepower.

63 Firepower DNS sinkhole configuration 1 Create a new sinkhole Make sure to select «Log Connection to sinkhole» Name = internetsinkhole.com or your own server name running the sinkhole IPv4 = or IP of your own server running the sinkhole Create a Sinkhole rule in your DNS policy Select the sinkhole you have just created Select all DNS Feeds (blacklist) 2 Apply your DNS Policy to your Access Police 3

64 Firepower Security Intelligence & URL filtering Sinkhole and senderbase.org Make sure all URL Security Intelligence Blacklist all selected Select the web category to block in your Access Policy

65 Firepower Custom Block page Where the magic happen In your «Access Policy» under «HTTP Reponses» tab select «Custom» and edit. Add these lines to the html code : <meta http-equiv="refresh" content="1;url= <script type="text/javascript"> window.location.href = " </script> «internetsinkhole.com should be change with your own sinkhole» The external sinkhole «internetsinkhole.com» should only be used for demo.

66 Building a sinkhole You will need to build a apache web server with PHP. Download the Ubuntu server (or your favorite distro) How to install Apache2 on Ubuntu How to install PHP on Ubuntu. modify default.conf file to include «FallbackResource /index.php» Then modify the index file. The default index.html need to be change for a index.php file. Add to that file theses lines: <?php echo '<h1>'; $HOST = $_SERVER['HTTP_HOST']; $URI = $_SERVER['HTTP_REFERER']; if (isset($uri)) { print "{$URI}<br />"; $URL = $_SERVER['HTTP_REFERER']; } else { print "{$HOST}<br />"; $URL = $_SERVER['HTTP_HOST']; } echo '</h1>';?> <script type="text/javascript"> function Redirect() { window.location=" } settimeout('redirect()', 3000); </script>

67 The results What end-user will see Security Intelligence DNS sinkhole block Security Intelligence URL sinkhole block URL Filtering (Block based on category)

68 A Simpler SafeSearch Solution

69 SafeSearch The Firepower built-in option for SafeSearch requires TLS Decryption. How can you use this on a network where TLS Decryption cannot be used? SafeSearch is a common requirement, especially in education environments to prevent inappropriate images and videos from appearing on search engine results pages. Web Category Filtering can prevent access to pages, but not the search results, themselves. 69

70 SafeSearch Google and Microsoft provide a recommended solution for enabling SafeSearch that does NOT require SSL Decryption. Microsoft: Register the student network with Bing in the Classroom. Provides Ad-free browsing with SafeSearch enabled, by default. OR use a DNS CNAME record to direct searches to a SafeSearch site. Google: Use SafeSearch VIP, which uses DNS to direct searches to a SafeSearch site. This method also works for other Google-owned tools, like YouTube. This can be done using the customer s DNS servers, but we can also use Firepower to do the same. 70

71 Step 1 (Google Example): Define the target domains. Google makes this available at curl sed 's/^\.//' > google-domains.txt Creates a file that looks like this: (today it is 193 lines long) google.com google.ad google.ae google.com.af google.com.ag google.com.ai google.al 71

72 Step 2: Create DNS List in FMC Objects -> Security Intelligence -> DNS Lists and Feeds 72

73 Step 3: Create SafeSearch Sinkhole Objects -> Sinkhole Google searches targeted at forcesafesearch.google.com ( ) will have save image results. 73

74 Step 4: Add DNS Policy Policies -> DNS 74

75 Step 5: Associate DNS Policy to Access Control Policy Policies -> Access Control -> [Select Policy] -> Security Intelligence 75

76 YouTube Safe Mode Strict Safe Mode: Sinkhole to: forcesafesearch.google.com - or - restrict.youtube.com Moderate Safe Mode: Sinkhole to: restrictmoderate.youtube.com 76

77 YouTube Domains DNS List should contain: m.youtube.com youtubei.googleapis.com youtube.googleapis.com DO NOT ADD These: youtube.com s.ytimg.com youtu.be googleapis.com 77

78 Bing Safe Search Strict Safe Mode: Sinkhole to: strict.bing.com 78

79 Putting it all Together: 79

80 DEMO

81 ACL Hitcount Custom Workflow

82 The good old days

83

84 ACL Hitcounts honor the filter you re using in the Connection Events 84

85 OpenAppID

86 OpenAppID Cisco s Open Source Application Layer Plugin for Snort and Firepower OpenAppID uses the Lua programming language to identify applications. There are a number of attributes it can look at, including: ASCII or Hex patterns and offset HTTP User Agent HTTP URL HTTP Content Type SSL Host SSL Organization Unit SSL Common Name SIP Server SIP User Agent RTMP URL Pattern 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 86

87 OpenAppID Most internal Firepower Application Detectors are included in the Snort OpenAppID rules, including Lua source code Cisco and/or its affiliates. All rights reserved. Cisco Public 87

88 OpenAppID Application Coverage Website Visit this public site to find information about existing Firepower application detectors Cisco and/or its affiliates. All rights reserved. Cisco Public 88

89 OpenAppID within Firepower Application Detectors All Application Detectors in Firepower 6.0 and later use OpenAppID. Custom Application Detectors can be created here, as well Cisco and/or its affiliates. All rights reserved. Cisco Public 89

90 OpenAppID within Firepower Basic Application Detectors FMC provides a Wizard for creation of Basic detectors. Advanced detectors require you to upload the Lua file Cisco and/or its affiliates. All rights reserved. Cisco Public 90

91 OpenAppID within Firepower For Your Reference Advanced Application Detectors 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 91

92 DEMO 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

93 Q & A

94 Seminarkalender for 2018 Januar til marts 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 94

95 Seminarkalender for 2018 April til juni 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 95

96