Cisco Day Hotel Mons Wednesday

Similar documents
Cisco dan Hotel Crowne Plaza Beograd, Srbija.

Monitoring and Threat Detection

Stealthwatch ülevaade + demo ja kasutusvõimalused. Leo Lähteenmäki

Cyber Threat Defence. Cisco Public BRKSEC Cisco and/or its affiliates. All rights reserved.

Advanced Threat Defence using NetFlow and ISE

Compare Security Analytics Solutions

Cisco Stealthwatch. Internal Alarm IDs 7.0

Cisco Stealthwatch Endpoint License with Cisco AnyConnect NVM

Yes, You can protect your endpoints! Szilard Csordas, Security Consultant scsordas [at] cisco.com

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

Stealthwatch System v6.9.0 Internal Alarm IDs

Cisco Cyber Threat Defense Solution 1.0

Subscriber Data Correlation

We re ready. Are you?

Security Events and Alarm Categories (for Stealthwatch System v6.9.0)

Security Monitoring with Stealthwatch:

Cisco Secure Access Control

Contents. Introduction

Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

How to securely connect user endpoints to network access wireless or wired. Gyorgy Acs Consulting Systems Engineer Cisco

Threat Defense with Full NetFlow

Identity Based Network Access

Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0

Intelligent WAN NetFlow Monitoring Deployment Guide

UDP Director Virtual Edition Installation and Configuration Guide (for Stealthwatch System v6.9.0)

How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption

Network Security Monitoring with Flow Data

UDP Director Virtual Edition

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Stop Threats Before They Stop You

Digital Network Architecture for Securing Enterprise Networks

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics

Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

Data Center Security. Fuat KILIÇ Consulting Systems

TrustSec (NaaS / NaaE)

AVC Configuration. Unified Policy CLI CHAPTER

Cisco Security Exposed Through the Cyber Kill Chain

How-To Threat Centric NAC Cisco AMP for Endpoints in Cloud and Cisco Identity Service Engine (ISE) Integration using STIX Technology

Sourcefire Network Security Analytics: Finding the Needle in the Haystack

Cisco Stealthwatch Endpoint License

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Aby se z toho bezpečnostní správci nezbláznili Cisco security integrace. Milan Habrcetl Cisco CyberSecurity Specialist Mikulov, 5. 9.

Flow Measurement. For IT, Security and IoT/ICS. Pavel Minařík, Chief Technology Officer EMITEC, Swiss Test and Measurement Day 20 th April 2018

Network Element Configuration

Cisco IOS Flexible NetFlow Command Reference

Building Network Security Policy Through Data Intelligence

Encrypted Traffic Analytics

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK

Monitoring network bandwidth on routers and interfaces; Monitoring custom traffic on IP subnets and IP subnets groups; Monitoring end user traffic;

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Configuring Flexible NetFlow

Cisco Security. Advanced Malware Protection. Guillermo González Security Systems Engineer Octubre 2017

Stealthwatch and Cognitive Analytics Configuration Guide (for Stealthwatch System v6.10.x)

Cisco Advanced Malware Protection against WannaCry

Configuring Flexible NetFlow

Seceon s Open Threat Management software

Integrated McAfee and Cisco Fabrics Demolish Enterprise Boundaries

Business Resiliency Through Superior Threat Defense

ForeScout ControlFabric TM Architecture

Monitoring and diagnostics of data infrastructure problems in power engineering. Jaroslav Stusak, Sales Director CEE, Flowmon Networks

STEALTHWATCH SYSTEM VERSION RELEASE NOTES

SDN Security BRKSEC Alok Mittal Security Business Group, Cisco

Cisco Catalyst 6500 Supervisor Engine 2T: NetFlow Enhancements

Stealthwatch Flow Sensor Virtual Edition Installation and Configuration Guide (for Stealthwatch System v6.9.0)

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

Cisco NetFlow Configuration

Optimizing Security for Situational Awareness

Flow Sampling for ASR1K

Configuring Data Export for Flexible NetFlow with Flow Exporters

A Unified Threat Defense: The Need for Security Convergence

Introduction to Netflow

Intelligent Edge Protection

CertKiller q

Service Provider Security Architecture

A Pragmatic Approach to HealthCare Security. Hans Mathys CSE, Cybersecurity, Cisco Switzerland

Network Management and Monitoring

Cisco Ransomware Defense The Ransomware Threat Is Real

Configuring AVC to Monitor MACE Metrics

Stealthwatch System Hardware Configuration Guide (for Stealthwatch System v6.10)

Implementing Cisco Network Security (IINS) 3.0

Configuring Flexible NetFlow

Cisco Security Monitoring, Analysis and Response System 4.2

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

BIG-IP otse vastu internetti. Kas tulemüüri polegi vaja?

Global vision. Local knowledge. Cisco Forum Kyiv Country Day Month Year

Borderless Networks. Tom Schepers, Director Systems Engineering

AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment

Automated Threat Management - in Real Time. Vectra Networks

Key Security Measures to Enable Next-Generation Data Center Transformation

Configuring NetFlow. About NetFlow. This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices.

Cisco ISE pxgrid App 1.0 for IBM QRadar SIEM. Author: John Eppich

Cisco Tetration Analytics

Cisco Cyber Range. Paul Qiu Senior Solutions Architect June 2016

Network Security: Firewall, VPN, IDS/IPS, SIEM

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

The Future of Threat Prevention

Access and Policy License Double Click

Transcription:

Cisco Day 2016 20.4.2016 Hotel Mons Wednesday

Three Friends in Security : Identity, Visibility and Enforcement Stop the bad guys immediately György Ács IT Security Consulting Systems Engineer 20 April 2016

Agenda The Problem is Threats Network as a Sensor / Enforcer Identity Visibility Policy and Indication of Compromise, IoC Enforcement Summary

The Problem is Threats

Dissecting a Data Breach (Kill Chain) You Can t Protect What You Don t See! Infiltration point Target acquisition Exploration Reconnaissance Footprint expansion New ransomware abuses Windows PowerShell, Word document macros Information monetized after breach Staging Data Exfiltration Manamecrypt, a new ransomware that sneaks through torrents

Network as a Sensor / Enforcer

Cisco StealthWatch: System Overview (Earlier : Lancope) Non-NetFlow Capable Device SPAN StealthWatch FlowSensor Generate NetFlow StealthWatch FlowCollector NetFlow / NBAR / NSEL Network Devices Collect and analyze Up to 4,000 sources Up to 240,000 FPS sustained StealthWatch Management Console (SMC) Management and reporting Up to 25 FlowCollectors Up 6 million FPS globally

Network as a Sensor: Cisco StealthWatch Context Information NetFlow Cisco ISE pxgrid Mitigation Action ISE pxgrid for Remediation Real-time visibility at all network layers Data Intelligence throughout network Assets discovery Network profile Security policy monitoring Anomaly detection Accelerated incident response

Identity

Cisco Identity Services Engine A centralized security solution that automates context-aware access to network resources and shares contextual data Physical or VM Identity Profiling and Posture Role-Based Policy Access Network Resources Who Traditional Cisco TrustSec Network Door What When Where How Guest Access BYOD Access Role-Based Access Context Compliant Secure Access ISE pxgrid Controller

AnyConnect NVM : High Level Architecture WORK WWW Netflow/IPFIX Server Send Application and Network Telemetry Reports/analysis of application + data + user/endpoint information User, App, Device, Location/Network visibility Netflow/IPFIX Collector Lancope (TBD 6.8), LiveAction and Splunk(Enterprise 6.0 and Collector 64-bit Linux) New AnyConnect Module for Windows and OS X, Apex License Required

Network Visibility Module Context Application User Device Location Destination IPFIX Record (Source IP, Destination IP, etc IPv4 & IPv6) Unique Device ID (correlate records from same endpoint device) *Device Name (bsmith-win7) *Domain\User Name (AMER\bsmith) *Local DNS (starbucks.com), *Target DNS (-> amceco.box.com) Process Name (iexplore.exe) Process Identifier (iexplore.exe unique ID) Parent Process Name (process that launched iexplore.exe) Parent Process Identifier (launching process unique ID) * Admin can choose not to collect this data

NVM Configuration <?xml version="1.0" encoding="utf-8"?> <NVMProfile xsi:nonamespaceschemalocation="nvmprofile.xsd" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"> <CollectorConfiguration> <CollectorIP>fc.ciscolive.demo</CollectorIP> <Port>2055</Port> </CollectorConfiguration> <Anonymize>false</Anonymize> <CollectionMode>all</CollectionMode> </NVMProfile>

NVM Configuration Module Deployed via ISE Requires ISE Posture

Visibility

Versions of NetFlow Version Major Advantage Limits/Weaknesses V5 V9 Flexible NetFlow (FNF) IP Flow Information Export (IPFIX) AKA NetFlow V10 NSEL (ASA only) Defines 18 exported fields Simple and compact format Most commonly used format Template-based IPv6 flows transported in IPv4 packets MPLS and BGP nexthop supported Defines 104 fields, including L2 fields Reports flow direction Template-based flow format (built on V9 protocol) Supports flow monitors (discrete caches) Supports selectable key fields and IPv6 Supports NBAR data fields Standardized RFC 5101, 5102, 6313 Supports variable length fields, NBAR2 Can export flows via IPv4 and IPv6 packets Built on NetFlow v9 protocol State-based flow logging (context) Pre and Post NAT reporting IPv4 only Fixed fields, fixed length fields only Single flow cache IPv6 flows transported in IPv4 packets Fixed length fields only Uses more memory Slower performance Single flow cache Less common Requires more sophisticated platform to produce Requires more sophisticated system to consume Even less common Only supported on a few Cisco platforms Missing many standard fields Limited support by collectors

Configuring Flexible NetFlow (FNF) 4 easy steps (Cat 3k-X): Configure Flow Records, Setting key and non key fields match => key record, collect => non key Configure Flow Exporter Configure Flow Monitor, tying the record to exporter Apply the Flow Monitor to the interface! flow record C3KX_FLOW_RECORD match datalink mac source-address match datalink mac destination-address match ipv4 tos match ipv4 ttl match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port collect interface input snmp collect interface output snmp collect counter bytes collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last!

Configuring Flexible NetFlow (FNF) 4 easy steps (Cat 3k-X): Configure Flow Records, Setting key and non key fields match => key record, collect => non key Configure Flow Exporter Configure Flow Monitor, tying the record to exporter Apply the Flow Monitor to the interface! flow exporter exporter-name description description destination {hostname ip-address} export-protocol {netflow-v5 netflow-v9 ipfix} transport udp udp-port!! flow monitor flow-monitor-name description description exporter exporter-name record C3KX_FLOW_RECORD!

Configuring Flexible NetFlow (FNF) 4 easy steps (Cat 3k-X): Configure Flow Records, Setting key and non key fields match => key record, collect => non key Configure Flow Exporter Configure Flow Monitor, tying the record to exporter Apply the Flow Monitor to the interface! interface type number ip flow monitor flow-monitor-name input!

ASA NSEL Configuration! flow-export destination management <ip-address> 2055! policy-map global_policy class class-default flow-export event-type all destination <ip-address>! flow-export template timeout-rate 2 logging flow-export syslogs disable! NetFlow Security Event Logs (NSEL) tracks flow create, teardown, update and denied events (only when event occurs)

Visibility through NetFlow 172.168.134.2 10.1.8.3 Switches Routers NetFlow provides Trace of every conversation in your network An ability to collect record everywhere in your network (switch, router, or firewall) Network usage measurement An ability to find north-south as well as eastwest communication Light weight visibility compared to SPAN based traffic analysis Indications of Compromise (IOC) Security Group Information Flow Information Packets SOURCE ADDRESS 10.1.8.3 DESTINATION ADDRESS 172.168.134.2 SOURCE PORT 47321 DESTINATION PORT 443 INTERFACE IP TOS Gi0/0/0 0x00 IP PROTOCOL 6 NEXT HOP 172.168.25.1 TCP FLAGS 0x1A SOURCE SGT 100 APPLICATION NAME : : NBAR SECURE- HTTP Internet

eth0/1 eth0/2 NetFlow 10.2.2.2 port 1024 10.1.1.1 port 80 Start Time Interface Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent SGT DGT TCP Flags 10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010 SYN,ACK,PSH 10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 1010 100 SYN,ACK,FIN

NetFlow = Visibility A single NetFlow Record provides a wealth of information

NetFlow - The Network Phone Bill Telephone Bill Monthly Statement Bill At-A-Glance CHADWICK Q. SULLIVAN 2259 TECHNOLOGY DR ALPHARETTA, GA 30022 NetFlow = shows you the who, what, where and when. It s a phone bill, which we use to look for out of the ordinary behaviour. Flow Record

eth0/1 eth0/2 NetFlow Collection: Flow Stitching Uni-directional flow records 10.2.2.2 port 1024 Start Time Interface Src IP Src Port Dest IP 10.1.1.1 port 80 10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010 10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 1010 100 Dest Port Proto Pkts Sent Bytes Sent SGT DGT Start Time Client IP Client Port Server IP Server Port Proto Client Bytes Client Pkts Server Bytes Server Pkts Client SGT Server SGT Interfaces 10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 100 1010 eth0/1 eth0/2 Bi-directional: Conversation flow record Allows easy visualization and analysis

NetFlow Collection: De-duplication Start Time Client IP Client Port 10.2.2.2 port 1024 Sw1 ASA 10.1.1.1 port 80 Server IP Server Port Proto Client Bytes Client Pkts Server Bytes Server Pkts App Client SGT Server SGT Exporter, Interface, Direction, Action 10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 HTTP 100 1010 Sw1, eth0, in Sw1, eth1, out Sw2, eth0, in Sw2, eth1, out ASA, eth1, in ASA, eth0, out, Permitted ASA eth0, in, Permitted ASA, eth1, out Sw3, eth1, in Sw3, eth0, out Sw1, eth1, in Sw1, eth0, out Sw2 Sw3

Conversational Flow Record Who What Who When Where How More context Highly scalable (enterprise class) collection High compression => long term storage Months of data retention

Profiling a Host Host report for 10.201.3.59 Behavior alarms Quick view of host group communication Summary information

New: StealthWatch to ThreatGrid External Lookup Dynamic Analysis lookup

Extrapolating to a User Username View Flows Active Directory Details Alarms Devices and Sessions

Adding Context and Situation Awareness NAT Events Known Command & Control Servers Application & URL StealthWatch Labs Intelligence Center (SLIC) Threat Feed -> TALOS Application User Identity URL & Username

Policy and Indication of Compromise IoC

Flow-based Anomaly Detection 1 2 # Concurrent flows Packets per second Bits per second New flows created Number of SYNs sent Time of day received Rate of connection resets Duration of the flow Over 80+ other attributes Number of SYNs Collect & Analyze Flows Establish Baseline of Behaviors 3 threshold Anomaly detected in host behavior threshold threshold threshold Critical Servers Exchange Server Web Servers Marketing Alarm on Anomalies & Changes in Behavior

Detecting Data Loss Intermediary resource used to obfuscate theft Data is exported off resource What to analyze: Historical data transfer behaviour Applications Time of day Countries Amount of data single and in aggregate Time frames Asymmetric traffic patterns Traffic between functional groups StealthWatch Method of Detection: Suspect Data Loss Alarm Suspect Long Flow Alarm Beaconing Host Alarm

Behavioral Algorithms Are Applied to Build Security Events SECURITY EVENTS (94 +) ALARM CATEGORY RESPONSE COLLECT AND ANALYZE FLOWS FLOWS Addr_Scan/tcp Addr_Scan/udp Bad_Flag_ACK** Beaconing Host Bot Command Control Server Bot Infected Host - Attempted Bot Infected Host - Successful Flow_Denied.. ICMP Flood.. Max Flows Initiated Max Flows Served. Suspect Long Flow Suspect UDP Activity SYN Flood. Concern Recon C&C Exploitation Data Hoarding Exfiltration DDoS Target Alarm Table Host Snapshot Email Syslog / SIEM Mitigation

HTTPS Unclassified now Known AnyConnect NVM with Cisco Stealthwatch Application Identified Dropbox Application Hash Who else is running? Identity nedzaldivar (even without ISE or Identity, from non domain asset)

Demo

Enforcement

Integrated Threat Defense (Detection & Containment) Employee ISE Change Authorization Quarantine Supplier Server Cisco StealthWatch Event: TCP SYN Scan Source IP: 10.4.51.5 Role: Supplier Response: Quarantine Quarantine Network Fabric High Risk Segment Shared Server Internet Employee

Adaptive Network Control Quarantine/Unquarantine via pxgrid Identity Services Engine StealthWatch Management Console 2 pxgri d contr oller 3 Who What 1 When Where How ISE Cisco and Partner Ecosystem Context 5 Cisco Network 4

Authorization Policy in ISE using Quarantine Service Quarantine state as one of the conditions Quarantine definition in ISE

Monitoring Devices Quarantine state change => Quarantine authorization profile

Summary

3 friends

Three Friends in Security : Identity, Visibility and Enforcement The network is a key asset for threat detection and control NetFlow and Cisco StealthWatch provides visibility and intelligence TrustSec provides software defined (micro) segmentation

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback