Cisco dan Hotel Crowne Plaza Beograd, Srbija.

Transcription

1 Cisco dan Hotel Crowne Plaza Beograd, Srbija

2 Three Friends in Security : Identity, Visibility and Enforcement Stop the bad guys immediately György Ács IT Security Consulting Systems Engineer 31th March 2016

3 Agenda The Problem is Threats Network as a Sensor / Enforcer Identity Visibility Policy and Indication of Compromise, IoC Enforcement Summary

4 The Problem is Threats

5 Dissecting a Data Breach (Kill Chain) You Can t Protect What You Don t See! Infiltration point Target acquisition Exploration Reconnaissance Information monetized after breach Footprint expansion Staging Data Exfiltration New ransomware abuses Windows PowerShell, Word document macros

6 Network as a Sensor / Enforcer

7 Cisco StealthWatch: System Overview (Earlier : Lancope) Non-NetFlow Capable Device SPAN StealthWatch FlowSensor Generate NetFlow StealthWatch FlowCollector NetFlow / NBAR / NSEL Network Devices Collect and analyze Up to 4,000 sources Up to 240,000 FPS sustained StealthWatch Management Console (SMC) Management and reporting Up to 25 FlowCollectors Up 6 million FPS globally

8 Network as a Sensor: Cisco StealthWatch Context Information NetFlow Cisco ISE pxgrid Mitigation Action ISE pxgrid for Remediation Real-time visibility at all network layers Data Intelligence throughout network Assets discovery Network profile Security policy monitoring Anomaly detection Accelerated incident response

9 Identity

10 Cisco Identity Services Engine A centralized security solution that automates context-aware access to network resources and shares contextual data Physical or VM Identity Profiling and Posture Role-Based Policy Access Network Resources Who Traditional Cisco TrustSec Network Door What When Where How Guest Access BYOD Access Role-Based Access Context Compliant Secure Access ISE pxgrid Controller

11 Role-Based Access TACACS+ Device Administration Support for Cisco ISE 2.0 What s New for Cisco ISE 2.0? Customers can now use TACACS+ with Cisco ISE to simplify device administration and enhance security through flexible, granular control of access to network devices. Benefits Simplified, Centralized Device Administration Increase security, compliance, and auditing for a full range of administration use cases Flexible, Granular Control Control and audit the configuration of network devices Holistic, Centralized Visibility Get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center Role-Based Access Control TACACS+ Work Center Security Admin Team TACACS+ Device Administration TACACS+ Work Center Network Admin Team Capabilities Role-based access control Flow-based user experience Command-level authorization with detailed logs for auditing Dedicated TACACS+ work center for network administrators Support for core Cisco Secure Access Control System 5 (ACS5) features

12 TACACS+ example: Wireless LAN Controllers

13 TACACS+ example: Cisco IOS

14 AnyConnect NVM : High Level Architecture WORK WWW Netflow/IPFIX Server Send Application and Network Telemetry Reports/analysis of application + data + user/endpoint information User, App, Device, Location/Network visibility Netflow/IPFIX Collector Lancope (TBD 6.8), LiveAction and Splunk(Enterprise 6.0 and Collector 64-bit Linux) New AnyConnect Module for Windows and OS X, Apex License Required

15 Network Visibility Module Context Application User Device Location Destination IPFIX Record (Source IP, Destination IP, etc IPv4 & IPv6) Unique Device ID (correlate records from same endpoint device) *Device Name (bsmith-win7) *Domain\User Name (AMER\bsmith) *Local DNS (starbucks.com), *Target DNS (-> amceco.box.com) Process Name (iexplore.exe) Process Identifier (iexplore.exe unique ID) Parent Process Name (process that launched iexplore.exe) Parent Process Identifier (launching process unique ID) * Admin can choose not to collect this data

16 NVM Configuration <?xml version="1.0" encoding="utf-8"?> <NVMProfile xsi:nonamespaceschemalocation="nvmprofile.xsd" xmlns:xsi=" <CollectorConfiguration> <CollectorIP>fc.ciscolive.demo</CollectorIP> <Port>2055</Port> </CollectorConfiguration> <Anonymize>false</Anonymize> <CollectionMode>all</CollectionMode> </NVMProfile>

17 NVM Configuration Module Deployed via ISE Requires ISE Posture

18 Visibility

19 Versions of NetFlow Version Major Advantage Limits/Weaknesses V5 V9 Flexible NetFlow (FNF) IP Flow Information Export (IPFIX) AKA NetFlow V10 NSEL (ASA only) Defines 18 exported fields Simple and compact format Most commonly used format Template-based IPv6 flows transported in IPv4 packets MPLS and BGP nexthop supported Defines 104 fields, including L2 fields Reports flow direction Template-based flow format (built on V9 protocol) Supports flow monitors (discrete caches) Supports selectable key fields and IPv6 Supports NBAR data fields Standardized RFC 5101, 5102, 6313 Supports variable length fields, NBAR2 Can export flows via IPv4 and IPv6 packets Built on NetFlow v9 protocol State-based flow logging (context) Pre and Post NAT reporting IPv4 only Fixed fields, fixed length fields only Single flow cache IPv6 flows transported in IPv4 packets Fixed length fields only Uses more memory Slower performance Single flow cache Less common Requires more sophisticated platform to produce Requires more sophisticated system to consume Even less common Only supported on a few Cisco platforms Missing many standard fields Limited support by collectors

20 Configuring Flexible NetFlow (FNF) 4 easy steps (Cat 3k-X): Configure Flow Records, Setting key and non key fields match => key record, collect => non key Configure Flow Exporter Configure Flow Monitor, tying the record to exporter Apply the Flow Monitor to the interface! flow record C3KX_FLOW_RECORD match datalink mac source-address match datalink mac destination-address match ipv4 tos match ipv4 ttl match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port collect interface input snmp collect interface output snmp collect counter bytes collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last!

21 Configuring Flexible NetFlow (FNF) 4 easy steps (Cat 3k-X): Configure Flow Records, Setting key and non key fields match => key record, collect => non key Configure Flow Exporter Configure Flow Monitor, tying the record to exporter Apply the Flow Monitor to the interface! flow exporter exporter-name description description destination {hostname ip-address} export-protocol {netflow-v5 netflow-v9 ipfix} transport udp udp-port!! flow monitor flow-monitor-name description description exporter exporter-name record C3KX_FLOW_RECORD!

22 Configuring Flexible NetFlow (FNF) 4 easy steps (Cat 3k-X): Configure Flow Records, Setting key and non key fields match => key record, collect => non key Configure Flow Exporter Configure Flow Monitor, tying the record to exporter Apply the Flow Monitor to the interface! interface type number ip flow monitor flow-monitor-name input!

23 ASA NSEL Configuration! flow-export destination management <ip-address> 2055! policy-map global_policy class class-default flow-export event-type all destination <ip-address>! flow-export template timeout-rate 2 logging flow-export syslogs disable! NetFlow Security Event Logs (NSEL) tracks flow create, teardown, update and denied events (only when event occurs)

24 Visibility through NetFlow Switches Routers NetFlow provides Trace of every conversation in your network An ability to collect record everywhere in your network (switch, router, or firewall) Network usage measurement An ability to find north-south as well as eastwest communication Light weight visibility compared to SPAN based traffic analysis Indications of Compromise (IOC) Security Group Information Flow Information Packets SOURCE ADDRESS DESTINATION ADDRESS SOURCE PORT DESTINATION PORT 443 INTERFACE IP TOS Gi0/0/0 0x00 IP PROTOCOL 6 NEXT HOP TCP FLAGS 0x1A SOURCE SGT 100 APPLICATION NAME : : NBAR SECURE- HTTP Internet

25 eth0/1 eth0/2 NetFlow port port 80 Start Time Interface Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent SGT DGT TCP Flags 10:20: eth0/ TCP SYN,ACK,PSH 10:20: eth0/ TCP SYN,ACK,FIN

26 NetFlow = Visibility A single NetFlow Record provides a wealth of information

27 NetFlow - The Network Phone Bill Telephone Bill Monthly Statement Bill At-A-Glance CHADWICK Q. SULLIVAN 2259 TECHNOLOGY DR ALPHARETTA, GA NetFlow = shows you the who, what, where and when. It s a phone bill, which we use to look for out of the ordinary behaviour. Flow Record

28 eth0/1 eth0/2 NetFlow Collection: Flow Stitching Uni-directional flow records port 1024 Start Time Interface Src IP Src Port Dest IP port 80 10:20: eth0/ TCP :20: eth0/ TCP Dest Port Proto Pkts Sent Bytes Sent SGT DGT Start Time Client IP Client Port Server IP Server Port Proto Client Bytes Client Pkts Server Bytes Server Pkts Client SGT Server SGT Interfaces 10:20: TCP eth0/1 eth0/2 Bi-directional: Conversation flow record Allows easy visualization and analysis

29 NetFlow Collection: De-duplication Start Time Client IP Client Port port 1024 Sw1 ASA port 80 Server IP Server Port Proto Client Bytes Client Pkts Server Bytes Server Pkts App Client SGT Server SGT Exporter, Interface, Direction, Action 10:20: TCP HTTP Sw1, eth0, in Sw1, eth1, out Sw2, eth0, in Sw2, eth1, out ASA, eth1, in ASA, eth0, out, Permitted ASA eth0, in, Permitted ASA, eth1, out Sw3, eth1, in Sw3, eth0, out Sw1, eth1, in Sw1, eth0, out Sw2 Sw3

30 Conversational Flow Record Who What Who When Where How More context Highly scalable (enterprise class) collection High compression => long term storage Months of data retention

31 Profiling a Host Host report for Behavior alarms Quick view of host group communication Summary information

32 New: StealthWatch to ThreatGrid External Lookup Dynamic Analysis lookup

33 Extrapolating to a User Username View Flows Active Directory Details Alarms Devices and Sessions

34 Adding Context and Situation Awareness NAT Events Known Command & Control Servers Application & URL StealthWatch Labs Intelligence Center (SLIC) Threat Feed -> TALOS Application User Identity URL & Username

35 Policy and Indication of Compromise IoC

36 Flow-based Anomaly Detection 1 2 # Concurrent flows Packets per second Bits per second New flows created Number of SYNs sent Time of day received Rate of connection resets Duration of the flow Over 80+ other attributes Number of SYNs Collect & Analyze Flows Establish Baseline of Behaviors 3 threshold Anomaly detected in host behavior threshold threshold threshold Critical Servers Exchange Server Web Servers Marketing Alarm on Anomalies & Changes in Behavior

37 Detecting Data Loss Intermediary resource used to obfuscate theft Data is exported off resource What to analyze: Historical data transfer behaviour Applications Time of day Countries Amount of data single and in aggregate Time frames Asymmetric traffic patterns Traffic between functional groups StealthWatch Method of Detection: Suspect Data Loss Alarm Suspect Long Flow Alarm Beaconing Host Alarm

38 Behavioral Algorithms Are Applied to Build Security Events SECURITY EVENTS (94 +) ALARM CATEGORY RESPONSE COLLECT AND ANALYZE FLOWS FLOWS Addr_Scan/tcp Addr_Scan/udp Bad_Flag_ACK** Beaconing Host Bot Command Control Server Bot Infected Host - Attempted Bot Infected Host - Successful Flow_Denied.. ICMP Flood.. Max Flows Initiated Max Flows Served. Suspect Long Flow Suspect UDP Activity SYN Flood. Concern Recon C&C Exploitation Data Hoarding Exfiltration DDoS Target Alarm Table Host Snapshot Syslog / SIEM Mitigation

39 HTTPS Unclassified now Known AnyConnect NVM with Cisco Stealthwatch Application Identified Dropbox Application Hash Who else is running? Identity nedzaldivar (even without ISE or Identity, from non domain asset)

40 Demo

41

42 Enforcement

43 Integrated Threat Defense (Detection & Containment) Employee ISE Change Authorization Quarantine Supplier Server Cisco StealthWatch Event: TCP SYN Scan Source IP: Role: Supplier Response: Quarantine Quarantine Network Fabric High Risk Segment Shared Server Internet Employee

44 Adaptive Network Control Quarantine/Unquarantine via pxgrid Identity Services Engine StealthWatch Management Console 2 pxgri d contr oller 3 Who What 1 When Where How ISE Cisco and Partner Ecosystem Context 5 Cisco Network 4

45 Authorization Policy in ISE using Quarantine Service Quarantine state as one of the conditions Quarantine definition in ISE

46 Monitoring Devices Quarantine state change => Quarantine authorization profile

47 Summary

48 Three Friends in Security : Identity, Visibility and Enforcement The network is a key asset for threat detection and control NetFlow and Cisco StealthWatch provides visibility and intelligence TrustSec provides software defined (micro) segmentation

49