Cisco Cyber Threat Defense Solution 1.0
Contents
1. Introduction to the Cisco Cyber Threat Defense Solution 1.0
2. Technical overview of the Cisco Cyber Threat Defense Solution 1.0
3. Using the Cisco Cyber Threat Defense Solution to:
   1. Detect suspect data loss
   2. Identify reconnaissance activity
   3. Detect command and control channels
   4. Detect internally spreading malware
We Are All Under Attack
Cyber threats impact the security and economic viability of nations and businesses alike: manipulation, theft and espionage, disruption.
The Impact of Complex Cyber Threats
Sophisticated attacks with specific high-stakes intent:
- 49% of threats are customized for the target environment [1]
- $1T/year private sector revenue loss from cyber espionage [2]
- 5X increase in attacks against the US Government, 2006 to 2009 [3]
Compromise is not if, but when:
- 59% of organizations believe they have been cyber threat targets [4]
- 46% believe they are still highly vulnerable despite increased prevention investments [5]
Customers investing to respond:
- 52% invested in network anomaly analysis/detection [6]
- 77% increased investment in security solutions in reaction to cyber threats [7]
Sources: 1 Verizon Data Breach Report; 2 US House Intelligence; 3 Cyber Market Forecast; 4 ESG APT Report; 5-7 ESG
Key Challenges: Complex Threat Visibility
Breached, but how, where and by whom?
- Often very difficult to find
- Attacks are hidden by day-to-day operations
Context is critical
- No single system provides all the data needed to decipher an attack
- Attacks can span devices, individuals, time, etc.
Disparate data sources
- Multiple data sources are required: identity, reputation, vulnerability, device type, etc.
- Analysts collect and assemble contextual information from a variety of sources
Leverage the Network for Threat Defense
[Diagram: NetFlow-capable devices in the internal network, at the VPN and at the access layer answer WHAT, WHERE, WHEN, WHO and HOW, providing visibility, context and control]
- Use NetFlow data to extend visibility to the access layer
- Unite flow data with identity and application for context
Cyber Threat Defense Solution Components
[Diagram: users/devices on the Cisco network; NetFlow from the network devices and from FlowSensors (including the FlowSensor VE) is sent, optionally through a FlowReplicator, to the FlowCollector and to other tools/collectors; the Console reaches the FlowCollector and Cisco ISE over HTTPS]
Visibility, Context, Control
Visibility: monitor behavior by collecting and analyzing access layer NetFlow data (Cisco NetFlow)
Context: unite NetFlow analysis with identity and application services to provide context, and use the network infrastructure to identify users (Cisco ISE). For an address such as 65.32.7.45 the Console answers: Device? User? Events? Posture? Vulnerability, AV and patch state
Control: leverage the Cisco network as enforcement points for increased control, such as the remediation or quarantining of the affected host or user (Cisco ISE, Cisco network)
Attack Detection Without Signatures
Using flow-based algorithms inside Lancope, a high Concern Index (CI) indicates a significant number of suspicious events.
Host Group   Host          CI           CI%       Alarms/Alerts
Desktops     10.201.3.23   338,137,280  112,712%  Ping_Oversized_Packet
Identify Threats and Assign Attribution
Leveraging an integration between Cisco ISE and Lancope:
Policy        Start Active Time  Alarm              Source        Source Host Group  Source User Name  Target
Inside Hosts  8-Feb-2012         Suspect Data Loss  10.34.74.123  Wired Data         Bob               Multiple Hosts
Easily Find All Traffic for a Given User
Start Active Time  End Active Time  Host          User Name  Device Type            Host Groups
13-Feb-2012        Current          10.34.141.64  Bob        Microsoft-Workstation  Catch All
Network Access Device: SJ-Access (10.10.10.10)
Network Access Interface: GigabitEthernet1/20
Take Network Action
Take action against the offending client via the ISE console: Endpoint Protection Services can quarantine the endpoint or shut its port.
Technical Overview of the Cisco Cyber Threat Defense Solution 1.0
Cyber Threat Defense Solution Architecture
[Diagram: branch and campus networks with NetFlow-capable devices at the access, distribution and edge layers: Catalyst 3560-X, Catalyst 3750-X and 3750-X stack, Catalyst 4500, Catalyst 6500, access points and WLC, ISR with site-to-site VPN, ASA with remote access VPN]
- Scalable NetFlow infrastructure: NetFlow-capable devices at access, distribution and edge
- Cisco ISE (Cisco TrustSec): access control, profiling and posture; AAA services, profiling and posture assessment
- FlowCollector: collects and analyzes NetFlow records
- Console: correlates and displays flow and identity information
Cyber Threat Defense Solution Components
Component                    Hardware                                                Release            Image Type and License
Catalyst 3500-X              Version ID: 02, Revision 0x03, 10GE Service Module      15.0(1)SE          Universal and IP Services
Catalyst 4500E Series        Supervisor 7E                                           IOS-XE 3.02.01.SG  Universal and IP Base
Catalyst 4500E Series        Supervisor 7L-E                                         IOS-XE 3.02.00.XO  Universal and IP Base
Catalyst 6500 Series         Supervisor 2T                                           12.2(50)SY         Advanced Enterprise Services
ISR G2                       Any                                                     15.1(2)T3          Universal and IP Base
Adaptive Security Appliance  Any                                                     8.4.3              Any
Identity Services Engine     Any                                                     1.1                Any
Lancope Console              Any                                                     6.2                Any
Lancope FlowCollector        Any                                                     6.2                Any
Lancope FlowSensor           Any                                                     6.2                Any
Lancope FlowReplicator       Any                                                     5.6.1              Any
FlowSensor Architecture
Provides NetFlow visibility in areas of the network without NetFlow support.
- Attached via SPAN or TAP to a non-NetFlow device; must be L1 or L2 adjacent to the traffic source
- Generates NetFlow records for that traffic and exports them to the FlowCollector
- Adds details not found in traditional NetFlow devices: limited Layer-7 information and latency statistics
Cyber Threat Defense Components
FlowCollector
- Collects, stores and analyzes NetFlow records from up to 2000 flow sources at up to 120K flows/second
- De-duplication of flow records (the same conversation exported by several devices is counted once)
- Real-time traffic analysis
Console
- Centralized management for multiple FlowCollectors
- Real-time data correlation, traffic visualization and consolidated reporting
- Graphical representation of network traffic
- Collects from up to 25 FlowCollectors, for up to 3M flows per second
Cisco ISE
- Provides identity, profiling and context information
Optional Component: FlowReplicator
- High-speed UDP packet replicator
- Replicates and redistributes NetFlow, syslog or SNMP traps to various collectors (the FlowCollector and other traffic analysis software)
- All enterprise devices can have a single standardized NetFlow destination
- Because NetFlow export is plain, unauthenticated UDP, restrict the replicator and the collectors to accepting export only from the expected exporter addresses
Using the Cisco Cyber Threat Defense Solution
Detecting Suspect Data Loss
1. Infected host opens a connection and exports data
2. Infrastructure generates a record of the event using NetFlow
3. Collection and analysis of NetFlow data (FlowCollector)
4. Contextual information added to the NetFlow analysis (Cisco ISE, Console)
5. Suspect Data Loss alarm triggered
Detecting Suspect Data Loss
Policy        Start Active Time  Alarm              Source        Source Host Group  Source Username  Target          Details
Inside Hosts  8-Feb-2012         Suspect Data Loss  10.34.74.123  Wired Data         Bob              Multiple Hosts  Observed 4.08G bytes. Policy Maximum allows up to 81.92M bytes.
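The alarm above is a byte-volume policy: sum what each inside host sends to outside hosts and compare it with the policy maximum. The FlowCollector's de-duplication (listed under the components) matters here, because the access and distribution switches both export the same conversation. The following is an added example written for this page, not Lancope or Cisco code: the host group definition, the flow records, the exporter names and the decimal reading of "81.92M bytes" are all assumptions, and the flows are constructed.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    exporter: str   # device that exported the record (assumed names)
    start: int      # flow start time, epoch seconds
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    bytes_out: int  # bytes sent by src towards dst


# Assumed host group: everything in 10/8 is "Inside Hosts".
INSIDE_HOSTS = [ipaddress.ip_network("10.0.0.0/8")]
# Policy maximum from the slide, read as decimal megabytes (assumption).
POLICY_MAX_BYTES = 81_920_000


def is_inside(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE_HOSTS)


def dedupe(flows):
    """Collapse records that describe the same flow. Two exporters on the
    path each report the conversation; without this step a byte-volume
    policy would see twice the real total."""
    unique = {}
    for f in flows:
        key = (f.start, f.src, f.dst, f.proto, f.sport, f.dport)
        if key not in unique or f.bytes_out > unique[key].bytes_out:
            unique[key] = f  # keep the most complete record for the flow
    return list(unique.values())


def outbound_totals(flows, deduplicate=True):
    """Bytes each inside host sent to outside destinations, and those targets."""
    records = dedupe(flows) if deduplicate else flows
    totals = defaultdict(int)
    targets = defaultdict(set)
    for f in records:
        if is_inside(f.src) and not is_inside(f.dst):
            totals[f.src] += f.bytes_out
            targets[f.src].add(f.dst)
    return totals, targets


def suspect_data_loss(flows, policy_max=POLICY_MAX_BYTES, deduplicate=True):
    """Raise a Suspect Data Loss alarm for each inside host over the policy maximum."""
    totals, targets = outbound_totals(flows, deduplicate)
    alarms = []
    for host, observed in sorted(totals.items()):
        if observed > policy_max:
            alarms.append({
                "policy": "Inside Hosts",
                "alarm": "Suspect Data Loss",
                "source": host,
                "target": "Multiple Hosts" if len(targets[host]) > 1 else next(iter(targets[host])),
                "observed_bytes": observed,
                "details": (f"Observed {observed / 1e9:.2f}G bytes. "
                            f"Policy Maximum allows up to {policy_max / 1e6:.2f}M bytes."),
            })
    return alarms


# Constructed sample: 10.34.74.123 pushes 4.08 GB to three outside hosts, and
# every flow is exported by both the access and the distribution switch.
SAMPLE_FLOWS = []
for exporter in ("SJ-Access", "SJ-Dist"):
    SAMPLE_FLOWS += [
        Flow(exporter, 1328659200, "10.34.74.123", "203.0.113.10", 6, 51234, 443, 2_000_000_000),
        Flow(exporter, 1328659260, "10.34.74.123", "203.0.113.11", 6, 51235, 443, 1_500_000_000),
        Flow(exporter, 1328659320, "10.34.74.123", "198.51.100.5", 6, 51236, 22, 580_000_000),
        Flow(exporter, 1328659400, "10.34.141.64", "203.0.113.20", 6, 40000, 443, 50_000_000),
    ]

if __name__ == "__main__":
    for alarm in suspect_data_loss(SAMPLE_FLOWS):
        print(alarm["source"], alarm["target"], alarm["details"])
```

With de-duplication the host shows the 4.08 GB observed on the slide; counting both exporters' records would report 8.16 GB, so a collector that does not de-duplicate either double-counts or, if the threshold was tuned against inflated numbers, under-alarms once a redundant path is removed.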
Identifying Reconnaissance Activity
1. Infected host performs random pings and sweeps in the internal network
2. Infrastructure generates records of the activity using NetFlow
3. Collection and analysis of NetFlow data (FlowCollector)
4. Contextual information added to the NetFlow analysis (Cisco ISE, Console)
5. Concern Index increased; suspicious network scanning activity alarms generated
Identifying Reconnaissance Activity
A high Concern Index indicates a significant number of suspicious events.
Host Group   Host          CI           CI%       Alarms/Alerts
Desktops     10.201.3.23   338,137,280  112,712%  Ping_Oversized_Packet
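The Concern Index is an accumulator: each suspicious event seen in the flow records adds points to the host, and CI% is the index relative to the host group's threshold (the slide's 338,137,280 at 112,712% implies a threshold of 300,000 for Desktops). The following is an added example written for this page, not Lancope's algorithm: the per-event point values, the scan threshold, the "oversized" ping size and the flow records are assumptions, and the flows are constructed.

```python
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: int     # 1 = ICMP, 6 = TCP
    dport: int
    packets: int
    bytes: int
    replied: bool  # did the destination send anything back?


# Assumed scoring. The threshold follows from the slide's CI and CI%; the
# point values are illustrative, not Lancope's.
CI_THRESHOLD = {"Desktops": 300_000}
POINTS = {"Ping_Oversized_Packet": 5_000, "Addr_Scan/tcp": 2_000}
SCAN_MIN_TARGETS = 20     # distinct unanswered targets before it counts as a scan
MAX_NORMAL_PING = 1_500   # bytes per ICMP packet above which a ping is oversized


def suspicious_events(flows):
    """Per-host counts of suspicious events derived from flow records."""
    events = defaultdict(lambda: defaultdict(int))
    unanswered = defaultdict(set)
    for f in flows:
        if f.proto == 1 and f.packets and f.bytes / f.packets > MAX_NORMAL_PING:
            events[f.src]["Ping_Oversized_Packet"] += f.packets
        elif f.proto == 6 and not f.replied:
            # One-way TCP flows to many distinct hosts are the signature of a sweep.
            unanswered[f.src].add(f.dst)
    for host, targets in unanswered.items():
        if len(targets) >= SCAN_MIN_TARGETS:
            events[host]["Addr_Scan/tcp"] += len(targets)
    return events


def concern_index(flows, host_group="Desktops"):
    """CI, CI% and alarm state for every host that produced suspicious events."""
    threshold = CI_THRESHOLD[host_group]
    report = {}
    for host, ev in suspicious_events(flows).items():
        ci = sum(POINTS[name] * count for name, count in ev.items())
        report[host] = {
            "host_group": host_group,
            "CI": ci,
            "CI%": round(100 * ci / threshold),
            "alarms": sorted(ev),
            "alarm": ci >= threshold,  # alarm once the index crosses 100%
        }
    return report


# Constructed sample flows.
SAMPLE_FLOWS = (
    # 40 SYNs to distinct hosts on 445 that nobody answered: an address scan
    [Flow("10.201.3.23", f"10.201.5.{i}", 6, 445, 1, 60, False) for i in range(1, 41)]
    # five bursts of 10 ICMP packets at 4,000 bytes each: oversized pings
    + [Flow("10.201.3.23", "10.201.1.1", 1, 0, 10, 40_000, True) for _ in range(5)]
    # a normal desktop: an HTTPS session that was answered
    + [Flow("10.201.3.50", "203.0.113.10", 6, 443, 120, 90_000, True)]
    # three unanswered connections are not enough to call a scan
    + [Flow("10.201.3.51", f"10.201.5.{i}", 6, 445, 1, 60, False) for i in range(1, 4)]
)

if __name__ == "__main__":
    for host, row in concern_index(SAMPLE_FLOWS).items():
        print(host, row["CI"], f"{row['CI%']}%", row["alarms"], "ALARM" if row["alarm"] else "")
```

The scanning host accumulates 330,000 points (50 oversized ping packets plus 40 swept addresses) and crosses the Desktops threshold at 110%; the ordinary desktop and the host with three failed connections never enter the report, which is the point of scoring behaviour rather than matching a signature.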
Detecting Command and Control
1. Infected host opens a connection from inside
2. Commands are sent in the return traffic
3. Infrastructure generates a record of the communication using NetFlow
4. Collection and analysis of NetFlow data (FlowCollector)
5. Contextual information added to the NetFlow analysis (Cisco ISE, Console)
6. Concern Index increased; Host Lock Violation alarm triggered
Detecting Command and Control
Alarm indicating communication with known BotNet controllers. The row shows the source IP address, the source user name (from ISE) and the policy that triggered the alarm.
Policy        Start Active Time  Alarms               Source        Source Host Groups  Source User Name  Target          Target Host Group
Inside Hosts  Jan 27, 2012       Host Lock Violation  10.35.88.171  Remote VPN          Bob               ZeusServer.com  Zeus BotNet Controllers
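A Host Lock Violation is a pairing rule between host groups: a source group that must never exchange traffic with a target group, evaluated on every flow regardless of which side opened the session (the infected host initiates, so a stateful perimeter device permits it). The following is an added example written for this page, not Lancope or Cisco code: the host group ranges, the controller address list (documentation-space addresses standing in for a reputation feed), the ISE session table and the name lookup are all assumptions, and the flows are constructed.

```python
import ipaddress
from typing import NamedTuple


class Flow(NamedTuple):
    start: str
    src: str
    dst: str
    proto: int
    dport: int
    bytes_out: int  # client -> server
    bytes_in: int   # server -> client, where the commands travel


# Assumed host groups. "Remote VPN" is a more specific range inside "Inside
# Hosts"; the "Zeus BotNet Controllers" group uses TEST-NET addresses and
# stands in for a reputation feed.
HOST_GROUPS = {
    "Inside Hosts": ["10.0.0.0/8"],
    "Remote VPN": ["10.35.88.0/24"],
    "Zeus BotNet Controllers": ["198.51.100.0/24"],
}
NETWORKS = {name: [ipaddress.ip_network(n) for n in nets] for name, nets in HOST_GROUPS.items()}

# Host lock policy: (source group, target group) pairs that must never talk.
HOST_LOCK_POLICIES = [("Inside Hosts", "Zeus BotNet Controllers")]

# Constructed context: ISE active sessions and a name lookup for the target.
ISE_SESSIONS = {"10.35.88.171": "Bob", "10.34.141.64": "Alice"}
HOST_NAMES = {"198.51.100.7": "ZeusServer.com"}


def groups_for(ip):
    """Every host group whose ranges contain the address."""
    addr = ipaddress.ip_address(ip)
    return [g for g, nets in NETWORKS.items() if any(addr in n for n in nets)]


def most_specific_group(ip):
    """Longest-prefix group, so a VPN user is shown as 'Remote VPN', not 'Inside Hosts'."""
    addr = ipaddress.ip_address(ip)
    best = None
    for g, nets in NETWORKS.items():
        for n in nets:
            if addr in n and (best is None or n.prefixlen > best[1]):
                best = (g, n.prefixlen)
    return best[0] if best else "Catch All"


def host_lock_violations(flows):
    """One Host Lock Violation alarm per flow that crosses a locked pairing."""
    alarms = []
    for f in flows:
        src_groups, dst_groups = groups_for(f.src), groups_for(f.dst)
        for locked_src, locked_dst in HOST_LOCK_POLICIES:
            if locked_src in src_groups and locked_dst in dst_groups:
                alarms.append({
                    "policy": locked_src,
                    "start": f.start,
                    "alarm": "Host Lock Violation",
                    "source": f.src,
                    "source_host_group": most_specific_group(f.src),
                    "source_user_name": ISE_SESSIONS.get(f.src, "unknown"),
                    "target": HOST_NAMES.get(f.dst, f.dst),
                    "target_host_group": locked_dst,
                    "bytes_in": f.bytes_in,
                })
    return alarms


# Constructed sample flows.
SAMPLE_FLOWS = [
    # the VPN user's host beacons out; most bytes come back in (the commands)
    Flow("Jan 27, 2012", "10.35.88.171", "198.51.100.7", 6, 443, 2_100, 9_800),
    # ordinary outbound HTTPS to an unrelated outside host
    Flow("Jan 27, 2012", "10.34.141.64", "203.0.113.10", 6, 443, 4_000, 120_000),
]

if __name__ == "__main__":
    for a in host_lock_violations(SAMPLE_FLOWS):
        print(a["source"], a["source_host_group"], a["source_user_name"], "->", a["target"], a["target_host_group"])
```

The value of the ISE join is in the alarm row itself: the analyst gets "Bob, Remote VPN" rather than an address that will be reassigned at the next VPN login.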
Detecting Internally Spreading Malware
1. Infection propagates throughout the internal network as the attacker executes their objective: initial infection, then secondary and tertiary infections
2. Infrastructure generates records of the activity using NetFlow
3. Collection and analysis of NetFlow data (FlowCollector)
4. Contextual information added to the NetFlow analysis (Cisco ISE, Console)
5. Concern Index increased; Worm Propagation alarm generated
Detecting Internally Spreading Malware
The Worm Propagation alarm shows the IP address of the host and the suspicious activity that triggered the alarm, and indicates that this host touched another host which then began exhibiting the same suspicious behavior.
Infection Tracking
[Diagram: the propagation chain from the initial infection through the secondary infection to the tertiary infection]
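The Worm Propagation alarm and the infection tracking view above both rest on one rule: a host that starts showing the scanning behaviour was, shortly before that, touched by a host that was already showing it. Linking each newly suspicious host to the earliest such touch yields the initial/secondary/tertiary chain. The following is an added example written for this page, not Lancope's implementation: the scan threshold, the "touch" definition (any flow from an already-suspicious source) and the flow records are assumptions, and the flows are constructed.

```python
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    t: int         # flow start, seconds from the start of the capture
    src: str
    dst: str
    dport: int
    replied: bool  # did the destination answer?


SCAN_MIN_TARGETS = 10  # assumed: distinct unanswered targets that mark a host as scanning
GENERATION = {0: "Initial Infection", 1: "Secondary Infection", 2: "Tertiary Infection"}


def first_scan_time(flows, min_targets=SCAN_MIN_TARGETS):
    """Time at which each host first reached min_targets distinct unanswered destinations."""
    touched = defaultdict(set)
    first = {}
    for f in sorted(flows, key=lambda f: f.t):
        if f.replied:
            continue
        touched[f.src].add(f.dst)
        if f.src not in first and len(touched[f.src]) >= min_targets:
            first[f.src] = f.t
    return first


def infection_chains(flows, min_targets=SCAN_MIN_TARGETS):
    """Link each scanning host to the already-scanning host that touched it
    (a flow from that source to it) after the source began scanning and
    before the victim did. Hosts with no such touch are initial infections."""
    first = first_scan_time(flows, min_targets)
    parent = {}
    for host, t_host in first.items():
        touches = [f for f in flows
                   if f.dst == host and f.src in first and f.src != host
                   and first[f.src] <= f.t < t_host]
        if touches:
            parent[host] = min(touches, key=lambda f: f.t).src

    def generation(h, depth=0):
        return depth if h not in parent else generation(parent[h], depth + 1)

    return {
        h: {
            "first_alarm": first[h],
            "infected_by": parent.get(h),
            "generation": generation(h),
            "label": GENERATION.get(generation(h), f"Generation {generation(h)}"),
        }
        for h in first
    }


# Constructed sample: A sweeps a subnet, reaches B, which sweeps and reaches C.
# D is a normal host that also happens to talk to B, after B was already scanning.
A, B, C, D = "10.201.3.23", "10.201.5.40", "10.201.6.77", "10.201.8.8"
SAMPLE_FLOWS = (
    [Flow(i, A, f"10.201.5.{i + 1}", 445, False) for i in range(15)]       # A scans, t=0..14
    + [Flow(20, A, B, 445, True)]                                          # A reaches B
    + [Flow(30 + i, B, f"10.201.6.{i + 1}", 445, False) for i in range(12)]  # B scans, t=30..41
    + [Flow(50, B, C, 445, True)]                                          # B reaches C
    + [Flow(60 + i, C, f"10.201.7.{i + 1}", 445, False) for i in range(12)]  # C scans, t=60..71
    + [Flow(5, D, "10.201.1.10", 443, True), Flow(55, D, B, 445, True)]   # D is benign
)

if __name__ == "__main__":
    for host, row in infection_chains(SAMPLE_FLOWS).items():
        print(host, row["label"], "from", row["infected_by"], "at t =", row["first_alarm"])
```

The time ordering is what keeps D out of the chain: its contact with B happens after B already began scanning, and D never scans, so it is neither a parent nor a victim. In a real deployment the "touch" should be narrowed to the service the worm actually spreads over rather than any flow, otherwise the first chatty host to have spoken to a victim will be blamed.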
Cisco Cyber Threat Defense Solution
- Perimeters are being breached; traditional fortified security approaches alone are no longer sufficient
- The network takes a lead role in threat defense
- Visibility is provided through NetFlow
- Context is provided through identity and application services
- Control points are available in the network
For more information: http://www.cisco.com/go/cybersecurity
Presented at Cisco Live; session PDFs and videos are available via www.ciscolive365.com.