Cisco Cyber Threat Defense Solution 1.0

Contents
1. Introduction to the Cisco Cyber Threat Defense Solution 1.0
2. Technical overview of the Cisco Cyber Threat Defense Solution 1.0
3. Using the Cisco Cyber Threat Defense Solution to:
   1. Detect suspect data loss
   2. Identify reconnaissance activity
   3. Detect command and control channels
   4. Detect internally spreading malware

We Are All Under Attack
Cyber threats impact the security and economic viability of nations and businesses alike: manipulation, theft and espionage, disruption.

The Impact of Complex Cyber Threats
Sophisticated attacks with specific high-stakes intent
- 49% of threats are customized for the target environment [1]
- $1T/year private-sector revenue loss from cyber espionage [2]
- 5x increase in attacks against the US Government from 2006 to 2009 [3]
Compromise is not if, but when
- 59% of organizations believe they have been cyber threat targets [4]
- 46% believe they are still highly vulnerable despite increased prevention investments [5]
Customers investing to respond
- 52% invested in network anomaly analysis/detection [6]
- 77% increased investment in security solutions in reaction to cyber threats [7]
Sources: 1 Verizon Data Breach Report; 2 US House Intelligence; 3 Cyber Market Forecast; 4 ESG APT Report; 5-7 ESG

Key Challenges: Complex Threat Visibility
- Breached, but how, where and who? Often very difficult to find; attacks are hidden by day-to-day operations.
- Context is critical: no single system provides all the data needed to decipher an attack, and attacks can span devices, individuals, time, etc.
- Disparate data sources: multiple data sources are required (identity, reputation, vulnerability, device type, etc.), and analysts collect and assemble contextual information from a variety of sources.

Leverage the Network for Threat Defense
- Use NetFlow data from NetFlow-capable devices in the internal network, at the access layer and at the VPN to extend visibility to the access layer.
- Unite flow data with identity and application information for context: what, where, when, who and how.
- The network thereby provides visibility, context and control.

Cyber Threat Defense Solution Components
- Users/devices on the Cisco network, whose NetFlow-capable devices export NetFlow.
- FlowSensor and FlowSensor VE, which generate NetFlow where the network itself cannot.
- FlowReplicator, which forwards NetFlow to the FlowCollector and to other tools/collectors.
- FlowCollector, which receives and analyzes the NetFlow.
- Console, which communicates over https with the FlowCollector and with Cisco ISE.
- Cisco ISE, which supplies identity information.

Visibility, Context, Control
- Visibility: monitor behavior by collecting and analyzing access-layer NetFlow data (Cisco NetFlow), and use the network infrastructure to identify users (Cisco ISE). The questions for a host such as 65.32.7.45: Device? User? Events? Posture (vulnerability, AV, patch)?
- Context: unite NetFlow analysis with identity and application services to provide context (Console).
- Control: leverage the Cisco network as enforcement points for increased control, such as remediation or quarantining of the affected host or user (Cisco ISE, Cisco Network).

Attack Detection Without Signatures
Using flow-based algorithms inside Lancope. A high Concern Index indicates a significant number of suspicious events.

Host Group | Host        | CI          | CI%      | Alarms | Alerts
Desktops   | 10.201.3.23 | 338,137,280 | 112,712% |        | Ping_Oversized_Packet

Identify Threats and Assign Attribution
Leveraging an integration between Cisco ISE and Lancope.

Policy       | Start Active Time | Alarm             | Source       | Source Host Group | Source User Name | Target
Inside Hosts | 8-Feb-2012        | Suspect Data Loss | 10.34.74.123 | Wired Data        | Bob              | Multiple Hosts

Easily Find All Traffic for a Given User

Start Active Time | End Active Time | Host         | User Name | Device Type           | Host Groups | Network Access Device   | Network Access Interface
13-Feb-2012       | Current         | 10.34.141.64 | Bob       | Microsoft-Workstation | Catch All   | SJ-Access (10.10.10.10) | GigabitEthernet1/20

Take Network Action
Take action against the offending client via ISE: from the Console, use Endpoint Protection Services to quarantine the host or shut its port.

2. Technical overview of the Cisco Cyber Threat Defense Solution 1.0

Cyber Threat Defense Solution Architecture
- Layers: devices, access, distribution and edge, across branch and campus.
- Scalable NetFlow infrastructure of NetFlow-capable devices: Catalyst 3750-X and Catalyst 3750-X Stack, Catalyst 3560-X, Catalyst 4500 and Catalyst 6500 switches; WLC with access points; ISR (site-to-site VPN); ASA (remote access).
- FlowCollector: collects and analyzes NetFlow records.
- Console: correlates and displays flow and identity information.
- Identity: Cisco ISE with Cisco TrustSec for access control, profiling and posture (AAA services, profiling and posture assessment).

Cyber Threat Defense Solution Components

Component                   | Hardware                                             | Release          | Image Type and License
Catalyst 3500-X             | Version ID: 02, Revision 0x03, 10GE Service Module   | 15.0(1)SE        | Universal and IP Services
Catalyst 4500E Series       | Supervisor 7E                                        | IOS-XE 3.02.01.SG | Universal and IP Base
Catalyst 4500E Series       | Supervisor 7L-E                                      | IOS-XE 3.02.00.XO | Universal and IP Base
Catalyst 6500 Series        | Supervisor 2T                                        | 12.2(50)SY       | Advanced Enterprise Services
ISR G2                      | Any                                                  | 15.1(2)T3        | Universal and IP Base
Adaptive Security Appliance | Any                                                  | 8.4.3            | Any
Identity Services Engine    | Any                                                  | 1.1              | Any
Lancope Console             | Any                                                  | 6.2              | Any
Lancope FlowCollector       | Any                                                  | 6.2              | Any
Lancope FlowSensor          | Any                                                  | 6.2              | Any
Lancope FlowReplicator      | Any                                                  | 5.6.1            | Any

FlowSensor Architecture
Provides NetFlow visibility in areas of the network without NetFlow support.
- Fed by SPAN or TAP from a non-NetFlow device at the access layer; must be L1- or L2-adjacent to the source.
- Exports NetFlow to the FlowCollector.
- Adds details not found in traditional NetFlow: limited Layer-7 information and latency statistics.

Cyber Threat Defense Components
- FlowCollector: collects, stores and analyzes NetFlow records from up to 2000 flow sources at up to 120K flows/second; de-duplication of flow records; real-time traffic analysis.
- Console: centralized management for multiple FlowCollectors; real-time data correlation, traffic visualization and consolidated reporting; graphical representation of network traffic; collects from up to 25 FlowCollectors for up to 3M flows per second.
- Cisco ISE: provides identity, profiling and context information.

Optional Component: FlowReplicator
- High-speed UDP packet replicator.
- Replicates and redistributes NetFlow, syslog or SNMP traps to various collectors: FlowCollector, Cisco ISE, Console and other traffic analysis software.
- All enterprise devices can have a single standardized NetFlow destination.

3. Using the Cisco Cyber Threat Defense Solution

Detecting Suspect Data Loss
1. Infected host opens a connection and exports data.
2. Infrastructure (NetFlow-capable devices in the internal network) generates a record of the event using NetFlow.
3. Collection and analysis of NetFlow data (FlowCollector).
4. Contextual information added to the NetFlow analysis (Cisco ISE).
5. Suspect Data Loss alarm triggered (Console).

Detecting Suspect Data Loss

Policy       | Start Active Time | Alarm             | Source       | Source Host Group | Source Username | Target         | Details
Inside Hosts | 8-Feb-2012        | Suspect Data Loss | 10.34.74.123 | Wired Data        | Bob             | Multiple Hosts | Observed 4.08G bytes. Policy Maximum allows up to 81.92M bytes.
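The alarm above is a volume policy: bytes sent by an inside host to outside hosts over the period, compared with the maximum its host group is allowed. The following is an added example, not code from the Cisco/Lancope solution, that reproduces that check over constructed NetFlow-style records. The host-group networks, the 81.92M-byte policy for "Wired Data", the second "Servers" policy and the IP-to-user mapping (standing in for what ISE supplies) are all constructed assumptions.

```python
"""Suspect Data Loss check over NetFlow-style records (added example, not the
product's own code). Aggregates inside->outside bytes per source host and
compares the total with the source host group's constructed policy maximum."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy: maximum bytes an inside host may send to outside hosts
# in the evaluation period, per source host group. 81.92M is the slide's figure.
POLICY_MAX_BYTES = {
    "Wired Data": 81_920_000,    # 81.92M bytes, as on the slide
    "Servers": 10_000_000_000,   # constructed: servers legitimately push more
}

# Constructed host-group membership; everything else is "outside".
HOST_GROUPS = {
    "Wired Data": [ip_network("10.34.0.0/16")],
    "Servers": [ip_network("10.201.0.0/16")],
}

# Constructed identity context, standing in for the ISE lookup.
IP_TO_USER = {"10.34.74.123": "Bob", "10.201.3.23": "svc-backup"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    src_bytes: int   # bytes sent by src


def host_group(ip: str):
    """Return the host group containing ip, or None if it is an outside host."""
    addr = ip_address(ip)
    for name, nets in HOST_GROUPS.items():
        if any(addr in n for n in nets):
            return name
    return None


def fmt_bytes(n: int) -> str:
    """Render like the slide's Details column: 4.08G bytes, 81.92M bytes."""
    for unit, scale in (("G", 10**9), ("M", 10**6), ("K", 10**3)):
        if n >= scale:
            return f"{n / scale:.2f}{unit} bytes"
    return f"{n} bytes"


def suspect_data_loss(flows):
    """Return one alarm per inside host whose outbound byte total exceeds policy."""
    sent = defaultdict(int)
    targets = defaultdict(set)
    for f in flows:
        if host_group(f.src) is not None and host_group(f.dst) is None:
            sent[f.src] += f.src_bytes
            targets[f.src].add(f.dst)
    alarms = []
    for src, total in sent.items():
        group = host_group(src)
        limit = POLICY_MAX_BYTES.get(group)
        if limit is not None and total > limit:
            alarms.append({
                "alarm": "Suspect Data Loss",
                "source": src,
                "source_host_group": group,
                "source_user": IP_TO_USER.get(src, "unknown"),
                "target": "Multiple Hosts" if len(targets[src]) > 1 else next(iter(targets[src])),
                "details": f"Observed {fmt_bytes(total)}. Policy Maximum allows up to {fmt_bytes(limit)}.",
            })
    return alarms


# Constructed flows: Bob's workstation pushes 4.08G bytes to two outside hosts,
# a server sends a moderate amount, and an inside-to-inside flow is ignored.
SAMPLE_FLOWS = [
    Flow("10.34.74.123", "203.0.113.10", 2_040_000_000),
    Flow("10.34.74.123", "198.51.100.7", 2_040_000_000),
    Flow("10.201.3.23", "203.0.113.10", 500_000_000),
    Flow("10.34.74.123", "10.201.3.23", 9_000_000_000),   # internal, not counted
]

if __name__ == "__main__":
    for alarm in suspect_data_loss(SAMPLE_FLOWS):
        print(alarm)
```

Only outbound volume is checked here, which is why the large internal flow does not count; a real deployment would also need a per-host-group baseline rather than a single fixed maximum, since the server group's legitimate traffic would otherwise alarm constantly.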

Identifying Reconnaissance Activity
1. Infected host performs random pings and sweeps in the internal network.
2. Infrastructure (NetFlow-capable devices) generates records of the activity using NetFlow.
3. Collection and analysis of NetFlow data (FlowCollector).
4. Contextual information added to the NetFlow analysis (Cisco ISE).
5. Concern Index increased; suspicious network scanning activity alarms generated (Console).

Identifying Reconnaissance Activity
A high Concern Index indicates a significant number of suspicious events.

Host Group | Host        | CI          | CI%      | Alarms | Alerts
Desktops   | 10.201.3.23 | 338,137,280 | 112,712% |        | Ping_Oversized_Packet
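The Concern Index is a signature-free score: flow records are tested against behavioural rules and each hit adds points to the source host, with CI% expressing the total against the host's expected level. The block below is an added example, not Lancope's algorithm, showing that accumulation over constructed ICMP flow records for two of the behaviours named in this section, oversized ping packets and a ping sweep of many unanswered targets. The point weights, thresholds and the 300,000-point baseline are constructed tuning values.

```python
"""Concern Index accumulation for reconnaissance behaviour (added example, not
the product's algorithm). Scores ICMP flows for oversized pings and ping sweeps
and reports CI, CI% against a constructed baseline, and the contributing alerts."""
from collections import defaultdict
from dataclasses import dataclass

ICMP = 1


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    packets: int
    bytes: int
    reply_packets: int   # packets seen in the reverse direction


# Constructed tuning values.
WEIGHTS = {"Ping_Oversized_Packet": 5_000, "Ping_Scan": 100}
OVERSIZED_PING_BYTES = 1_500   # bytes per packet above which a ping is "oversized"
SCAN_MIN_TARGETS = 20          # distinct unanswered ICMP targets before it is a sweep
BASELINE_CI = 300_000          # a host's expected CI over the period


def score_hosts(flows):
    """Return {host: {"CI", "CI%", "alerts"}} for every host that scored points."""
    ci = defaultdict(int)
    alerts = defaultdict(set)
    unanswered = defaultdict(set)
    for f in flows:
        if f.proto != ICMP:
            continue
        # Oversized ping: average packet size well above a normal echo request.
        if f.packets and f.bytes / f.packets > OVERSIZED_PING_BYTES:
            ci[f.src] += WEIGHTS["Ping_Oversized_Packet"] * f.packets
            alerts[f.src].add("Ping_Oversized_Packet")
        # Unanswered probes are collected per source and judged as a set below.
        if f.reply_packets == 0:
            unanswered[f.src].add(f.dst)
    for host, targets in unanswered.items():
        if len(targets) >= SCAN_MIN_TARGETS:
            ci[host] += WEIGHTS["Ping_Scan"] * len(targets)
            alerts[host].add("Ping_Scan")
    return {
        host: {
            "CI": ci[host],
            "CI%": round(100 * ci[host] / BASELINE_CI),
            "alerts": sorted(alerts[host]),
        }
        for host in ci
    }


def build_sample_flows():
    """Constructed flows: one desktop sweeps 40 addresses with 9000-byte pings
    that get no reply; another host sends three normal, answered pings."""
    flows = [Flow("10.201.3.23", f"10.201.4.{i}", ICMP, 3, 3 * 9_000, 0) for i in range(1, 41)]
    flows += [Flow("10.201.3.50", f"10.201.4.{i}", ICMP, 1, 84, 1) for i in range(1, 4)]
    return flows


if __name__ == "__main__":
    for host, row in score_hosts(build_sample_flows()).items():
        print(host, row)
```

The sweep rule is deliberately evaluated over the whole set of a host's unanswered targets rather than per flow, so a handful of failed pings from a healthy host never scores; the oversized rule, by contrast, fires per packet, which is what drives the very large CI values seen in the slide's table.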

Detecting Command and Control
1. Infected host opens a connection from inside.
2. Commands are sent in the return traffic.
3. Infrastructure (NetFlow-capable devices) generates a record of the communication using NetFlow.
4. Collection and analysis of NetFlow data (FlowCollector).
5. Contextual information added to the NetFlow analysis (Cisco ISE).
6. Concern Index increased; Host Lock Violation alarm triggered (Console).

Detecting Command and Control
Alarm indicating communication with known botnet controllers, showing the source IP address, the source user name and the policy that triggered the alarm.

Policy       | Start Active Time | Alarms              | Source       | Source Host Groups | Source User Name | Target         | Target Host Group
Inside Hosts | Jan 27, 2012      | Host Lock Violation | 10.35.88.171 | Remote VPN         | Bob              | ZeusServer.com | Zeus BotNet Controllers

Detecting Internally Spreading Malware
1. Infection propagates throughout the internal network as the attacker executes their objective (initial infection, then secondary infection).
2. Infrastructure (NetFlow-capable devices) generates records of the activity using NetFlow.
3. Collection and analysis of NetFlow data (FlowCollector).
4. Contextual information added to the NetFlow analysis (Cisco ISE).
5. Concern Index increased; Worm Propagation alarm generated (Console).

Detecting Internally Spreading Malware (continued)
The same sequence as the infection spreads from the initial infection to secondary and then tertiary infections: NetFlow records of the activity are collected and analyzed by the FlowCollector, enriched with Cisco ISE context, and the Console raises the Concern Index and generates the Worm Propagation alarm.

Detecting Internally Spreading Malware
The alarm view shows the IP address of the host, an alarm indicating that this host touched another host which then began exhibiting the same suspicious behavior, and the suspicious activity that triggered the alarm.

Infection Tracking
Initial Infection -> Secondary Infection -> Tertiary Infection
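The rule the two preceding slides state, "this host touched another host which then began exhibiting the same suspicious behavior", can be applied as a graph walk over alarms and flow contacts to label each alarmed host as the initial, secondary or tertiary infection. The block below is an added example, not Lancope's implementation, over constructed alarm and contact records; the record layouts, timestamps and host addresses are assumptions.

```python
"""Infection tracking from alarms plus flow contacts (added example, not the
product's own code). A host B is attributed to A when A was already alarmed
for the same behaviour, A contacted B, and B alarmed afterwards."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    time: int        # seconds since start of the period (constructed)
    host: str
    behaviour: str   # e.g. "Worm Propagation"


@dataclass(frozen=True)
class Contact:
    time: int
    src: str
    dst: str


GENERATION_NAMES = ["Initial Infection", "Secondary Infection", "Tertiary Infection"]


def track_infection(alarms, contacts, behaviour):
    """Return {host: {"generation", "infected_by", "label"}} for hosts alarmed
    with `behaviour`. The parent is the earliest contact from an already-alarmed
    host that arrived before the child's own alarm; hosts with no such contact
    are roots (generation 0)."""
    first_alarm = {}
    for a in sorted(alarms, key=lambda a: a.time):
        if a.behaviour == behaviour and a.host not in first_alarm:
            first_alarm[a.host] = a.time

    by_dst = defaultdict(list)
    for c in contacts:
        by_dst[c.dst].append(c)

    result = {}
    # Process in alarm order so a parent is always resolved before its children.
    for host in sorted(first_alarm, key=first_alarm.get):
        t_alarm = first_alarm[host]
        candidates = [
            c for c in by_dst[host]
            if c.src in first_alarm and first_alarm[c.src] <= c.time < t_alarm
        ]
        if not candidates:
            result[host] = {"generation": 0, "infected_by": None}
            continue
        parent = min(candidates, key=lambda c: c.time).src
        result[host] = {"generation": result[parent]["generation"] + 1, "infected_by": parent}

    for row in result.values():
        g = row["generation"]
        row["label"] = GENERATION_NAMES[g] if g < len(GENERATION_NAMES) else f"Generation {g + 1}"
    return result


# Constructed records: A alarms first, touches B, B alarms and touches C.
# A's contact with C happened before A alarmed, so it does not count; the
# Suspect Data Loss alarm is a different behaviour and is ignored.
SAMPLE_ALARMS = [
    Alarm(100, "10.201.3.23", "Worm Propagation"),
    Alarm(300, "10.201.3.40", "Worm Propagation"),
    Alarm(500, "10.201.3.77", "Worm Propagation"),
    Alarm(50, "10.34.74.123", "Suspect Data Loss"),
]
SAMPLE_CONTACTS = [
    Contact(20, "10.201.3.23", "10.201.3.77"),
    Contact(150, "10.34.74.123", "10.201.3.40"),
    Contact(200, "10.201.3.23", "10.201.3.40"),
    Contact(400, "10.201.3.40", "10.201.3.77"),
]

if __name__ == "__main__":
    for host, row in track_infection(SAMPLE_ALARMS, SAMPLE_CONTACTS, "Worm Propagation").items():
        print(host, row)
```

Ordering is what makes the attribution defensible: a contact only counts if it falls between the contacting host's alarm and the contacted host's alarm, so an earlier benign contact from a host that was infected later is not mistaken for the infection path.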

Cisco Cyber Threat Defense Solution
- Perimeters are being breached; traditional fortified security approaches alone are no longer sufficient.
- The network takes a lead role in threat defense.
- Visibility is provided through NetFlow.
- Context is provided through identity and application services.
- Control points are available in the network.
For more information: http://www.cisco.com/go/cybersecurity

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners are announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.

Final Thoughts
- Get hands-on experience with the Walk-in Labs located in the World of Solutions, booth 1042.
- Come see demos of many key solutions and products in the main Cisco booth, 2924.
- Visit www.ciscolive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
- Follow Cisco Live! using social media: Facebook: https://www.facebook.com/ciscoliveus; Twitter: https://twitter.com/#!/ciscolive; LinkedIn Group: http://linkd.in/ciscoli