Threat Detection and Mitigation for IoT Systems using Self Learning Networks (SLN)

Similar documents
Self Learning Networks An Overview

Securing Your Network with Anomaly Detection using Distributed Learning Architecture (Learning Networks)

Cisco Advanced Malware Protection. May 2016

Aby se z toho bezpečnostní správci nezbláznili Cisco security integrace. Milan Habrcetl Cisco CyberSecurity Specialist Mikulov, 5. 9.

Compare Security Analytics Solutions

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

Advanced Malware Protection. Dan Gavojdea, Security Sales, Account Manager, Cisco South East Europe

How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

Cisco Cyber Range. Paul Qiu Senior Solutions Architect June 2016

Imperva Incapsula Website Security

Improved C&C Traffic Detection Using Multidimensional Model and Network Timeline Analysis

Internet Behavioral Analytics (IBA) using Self Learning Networks. JP Vasseur, PhD, Cisco Fellow BRKSEC-3056

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Service Provider Security Architecture

Cisco Firepower NGFW. Anticipate, block, and respond to threats

The Next Generation Security Platform. Domenico Stranieri Pre- Sales Engineer Palo Alto Networks EMEA Italy

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Intelligent Cybersecurity for the Real World Scott Lovett Vice President, Global Security Sales

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

The Internet of Everything is changing Everything

How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption

Battle between hackers and machine learning. Alexey Lukatsky Cybersecurity Business Consultant April 03, 2019

The following describes an example Learning Network License deployment and example use cases.

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers

SDN Security BRKSEC Alok Mittal Security Business Group, Cisco

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

Automated Threat Management - in Real Time. Vectra Networks

Cisco Security Exposed Through the Cyber Kill Chain

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

A New Security Model for the IoE World. Henry Ong SE Manager - ASEAN Cisco Global Security Sales Organization

Cisco Security. Advanced Malware Protection. Guillermo González Security Systems Engineer Octubre 2017

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

Gladiator Incident Alert

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

The threat landscape is constantly

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Cisco Cyber Threat Defense Solution 1.0

SIEM Solutions from McAfee

Defending Against Unkown Automation is the Key. Rajesh Kumar Juniper Networks

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

Cisco Ransomware Defense The Ransomware Threat Is Real

SRX als NGFW. Michel Tepper Consultant

From Managed Security Services to the next evolution of CyberSoc Services

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Security Automation. Challenge: Automatizzare le azioni di isolamento e contenimento delle minacce rilevate tramite soluzioni di malware analysis

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

6 KEY SECURITY REQUIREMENTS

Enhancing Threat Intelligence Data. 05/24/2017 DC416

Innovative Cisco Security- Lösungen für den Endpoint Das Alpha und Omega unsere Next Gen Security

Key Security Measures to Enable Next-Generation Data Center Transformation

Artificial Intelligence Drives the next Generation of Internet Security

Visibility: The Foundation of your Cybersecurity Infrastructure. Marlin McFate Federal CTO, Riverbed

Software-Defined Secure Networks in Action

Borderless security engineered for your elastic hybrid cloud. Kaspersky Hybrid Cloud Security. #truecybersecurity

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Evolution Of Cyber Threats & Defense Approaches

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

Intelligent Edge Protection

Encrypted Traffic Analytics

Best Practices in Healthcare Risk Management. Balancing Frameworks/Compliance and Practical Security

Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries

Seceon s Open Threat Management software

Maximum Security with Minimum Impact : Going Beyond Next Gen

ForeScout ControlFabric TM Architecture

Security Experts Webinar

How-To Threat Centric NAC Cisco AMP for Endpoints in Cloud and Cisco Identity Service Engine (ISE) Integration using STIX Technology

Monitoring and Threat Detection

ForeScout Extended Module for Splunk

Wireless and Network Security Integration Solution Overview

Stealthwatch ülevaade + demo ja kasutusvõimalused. Leo Lähteenmäki

Detect Cyber Threats with Securonix Proxy Traffic Analyzer

NETWORK DDOS PROTECTION STANDBY OR PERMANENT INFRASTRUCTURE PROTECTION VIA BGP ROUTING

First Look Showcase. Expanding our prevention, detection and response solutions. Sumedh Thakar Chief Product Officer, Qualys, Inc.

Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness

Cisco ISE pxgrid App 1.0 for IBM QRadar SIEM. Author: John Eppich

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Business Strategy Theatre

Corrigendum 3. Tender Number: 10/ dated

SO YOU THINK YOU ARE PROTECTED? THINK AGAIN! NEXT GENERATION ENDPOINT SECURITY

Symantec Endpoint Protection Family Feature Comparison

Vectra Cognito. Brochure HIGHLIGHTS. Security analyst in software

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

A Unified Threat Defense: The Need for Security Convergence

Juniper Sky Advanced Threat Prevention

Cisco Secure Access Control

Abstract. The Challenges. ESG Lab Review Lumeta Spectre: Cyber Situational Awareness

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

JUNIPER SKY ADVANCED THREAT PREVENTION

DEFENCE IN DEPTH HOW ANTIVIRUS, TRADITIONAL FIREWALLS, AND DNS FIREWALLS WORK TOGETHER

Advanced Malware Protection: A Buyer s Guide

Cisco Firepower with Radware DDoS Mitigation

Cognitive Threat Analytics Tech update

How Vectra Cognito enables the implementation of an adaptive security architecture

Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

Transcription:

Threat Detection and Mitigation for IoT Systems using Self Learning Networks (SLN) JP Vasseur, PhD - Cisco Fellow jpv@cisco.com Maik G. Seewald, CISSP Sr. Technical Lead maseewal@cisco.com June 2016

Cyber Security Trend: Increasing Threat Surface Threat Landscape 2016 (Cisco s ASR) Emerging Hacker Industry: Cybercrime is lucrative Threat Automation and Scripted Attacks: Malware sophistication and ease of use has grown exponentially Large DDoS networks Attacks based on DNS for command and control Malicious Browser Extensions Aging network and computer infrastructure Growing complexity For the success of IoT, it is essential to address an increasing threat surface! ASR = Cisco 2016 Annual Security Report 2013-2016 Cisco and/or its affiliates. All rights reserved. 2

Cyber Security Trend: Increasing Threat Surface Example: Botnets and Data Ex-Filtration Techniques Size can range from thousands to millions of compromised hosts Botnet can cause DDoS & other malicious traffic (e.g.: spam) to originate from the inside of the corporate network C&C (C2) servers become increasingly evasive Fast Flux Service Networks (FFSN), single or double Flux DGA-based malware (Domain Generation Algorithms) DNS/NTP Tunneling Peer-to-Peer (P2P) protocols Anonymized services (Tor) Steganography, potentially combined with Cryptography Social media updates or email messages Mixed protocols Timing Channels Internet C&C Server(s) 2013-2016 Cisco and/or its affiliates. All rights reserved. 3

Addressing the Threat Landscape The Network as Sensor and Enforcer Attack Continuum BEFORE Control Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate A more adaptive security architecture to address the complexity of increasing connectivity and digitalization Threat Intelligence, Detection and Awareness 2013-2016 Cisco and/or its affiliates. All rights reserved. 4

Addressing the Threat Landscape Visibility and Context Awareness Attack Continuum BEFORE Control Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall VPN NG IPS Network Behavior Analysis Network Access Control Anomaly Posture Assessment Detection SIEM Forensics Advanced Protection using Machine Learning 2013-2016 Cisco and/or its affiliates. All rights reserved. 5

Learning Machines A true paradigm shift Current Generation of Security Architectures and Products: Specialized Security gear connected to the network (FW, IPS, IDS) Heavily signature-based... to detect known Malware Hardly adaptive Does not address the dynamics of these days attacks SLN is Machine Learning based and pervasive Use of adaptive Machine Learning (AI) technology to detect advanced, evasive Malware: build a model of normal pattern and detect outlier (deviations) High focus on Zero-Day Attacks Use every node in the network as a security engine to detect attacks Complementary to all other technologies (FW, IPS, IDS) 2013-2016 Cisco and/or its affiliates. All rights reserved. 6

Self Learning Networks A true paradigm shift Signature-based (Firewalls): traffic is normal unless matching known characteristics SLN Dynamic Learning of anomalies (SLN): Outperform conventional algorithms in presence of uncertainty, when complexity is too large (scale) and when adaptation is required. This is a key requirement in IoT/IoE. We need predictive models for large scale networks to address: High performance and high resiliency Detection of disruptive subtle DDoS attacks New threats 2013-2016 Cisco and/or its affiliates. All rights reserved. 7

SLN Architecture Orchestration of Distributed Learning Agents (DLAs) Advanced Visualization of anomalies Centralized policy for mitigation Interaction with other security components such as ISE and Threat Intelligence Feeds North bound API to SIEM/Database Evaluation of anomaly relevancy SCA SCA Controller ISE Public/Private Internet Threat Intel Threat Grid, OpenDNS, Other TI feeds Internet Sensing (knowledge): granular data collection with knowledge extraction from NetFlow but also DPI on DLA control and data plane & local states Machine Learning: real-time embedded behavioral modeling & anomaly detection Control: autonomous embedded control, advanced networking control (police, shaper, recoloring, redirect,...) Branch 1 2013-2016 Cisco and/or its affiliates. All rights reserved. 8 DLA DLA Branch 2

Self Learning Network An Open Architecture (SCA) Identity Services Engine Context Enrichment: IP Address (key), Audit session ID, User AD Domain, MAC address, ESP Status, NAS IP & port, Posture, TrustSec information, Endpoint Profile Name ISE SCA Public/Private Internet Threat Intel Internet Various Source of Threat Intelligence: Talos (blacklists), Threat Grid (sandboxing), OpenDNS (AS, URL, historical association to domains) FW, IPS/IDS Syslog messages using both CEF/CIM formats pushing anomalies events into DB and SIEM SIEM/ Database DLA API triggering Mitigation from external Sources such as Firewall, IPS/IDS; Abstracting networking complexity 2013-2016 Cisco and/or its affiliates. All rights reserved. 9

SLN and Threat Detection Clusters, Self Organizing Learning Topology and Anomalies Modeling mixed-behaviors unavoidably leads to hiding anomalies... The fundamental idea of dynamic clustering is to group devices according to behavioral similarity Self Organizing Learning Topologies (SOLT): ability to build Virtual topologies used to learn models between dynamic clusters Example: find a model for the traffic from cluster A to cluster B, for HTTP traffic What is an anomaly? An anomaly is the detection of a flow that significantly deviates from a model locally computed by a Distributed Learning Agent, on premise. 2013-2016 Cisco and/or its affiliates. All rights reserved. 10

Threat Detection Anomaly Detection: A paradigm change Traditional Anomaly Detection Systems Focus on Detection (wrong) Core challenge is not Detection itself but Precision (avoid False Positive / Irrelevant alarms) SLN Approach Efficient detection and Precision Make the Network learn from its own mistakes and eliminate False Positive! Not a feature but an Architecture Dynamic Learning of anomalies (SLN): mathematical models built on-line and deviation from these (constantly adapted) models lead to detection of anomalies 2013-2016 Cisco and/or its affiliates. All rights reserved. 11

Conclusion SLN Network Security as sound basis for a scalable IoT Security Architecture Visibility and Context awareness are key requirements for IoT Networks Security Intelligence is needed to address Threat Automation and Malware Sophistication Behavior Based Security using Learning Machine Technologies as next step in Security Technology - Complementary to existing technologies (FW, IPS) SLN is fundamentally a hyper-distributed analytics platform: Goldmine of untouched data on networking gear (sensing) Network learns and computes models on premise (analytics) The Network adapts, modifies its behavior (control) 2013-2016 Cisco and/or its affiliates. All rights reserved. 12

Thank you.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback