Leverage the Network to Detect and Manage Threats
Prochain SlideShare
Chargement dans…5
×

Leverage the Network to Detect and Manage Threats

502 vues

Publié le

Session: Leverage the Network to Detect and Manage Threats
Presenter: Michael Moriarta, Lancope - Technical Alliance Manager/SE Southeast US
Date: October 6, 2015

Published in: Technology
  1. Leverage the Network to Detect and Manage Threats
     Cisco Connect Canada 2015. Michael Moriarta, Lancope - Technical Alliance Manager/SE Southeast US. 10/6/2015
  2. “The world is full of obvious things which nobody by any chance observes.”
     Sherlock Holmes, The Hound of the Baskervilles
  3. Evolution of Cyber Conflict
     Era | Attacks | Defenses
     Manual Attacks (1980s) | War Dialing, Phone Phreaking … | Manual Defenses: Unplug
     Mechanized Attacks (1988) | Viruses, Worms … | Mechanized Defenses: Firewall, IDS/IPS
     Talented Human / Mechanized Attackers (2009) | Google, RSA … APT, Multi-Step Attacks … | Targeted Human/Mechanized Defenders: Reputation, App-aware Firewall
     DIY Human / Mechanized Attackers (2011) | Cryptocurrency Ransoms, Store-bought Credentials … Target, Neiman Marcus … | Intelligence Driven Human Defenders
  4. Case Study: Retailer
  5. The Insider Threat
     What do these stories have in common?
  6. Three Kinds of Insider Threats
     Negligent Insiders:
     • Employees who accidentally expose data
     Malicious Insiders:
     • Employees who intentionally expose data
     Compromised Insiders:
     • Employees whose access credentials or devices have been compromised by an outside attacker
  7. Managing the Insider Threat
     Access Controls
     • Control who and what is on the network
     Segmentation (SGT)
     • Define what they can do
  8. Managing the Insider Threat
     Control movement of malicious content through inspection points
     Content Controls
     • Deep contextual visibility at inspection points
  9. Once the walls are built, monitor for security visibility
  10. NetFlow
     Topology: 10.2.2.2 port 1024 -> eth0/1 [exporter] eth0/2 -> 10.1.1.1 port 80
     Start Time | Interface | Src IP | Src Port | Dest IP | Dest Port | Proto | Pkts Sent | Bytes Sent | SGT | DGT | TCP Flags
     10:20:12.221 | eth0/1 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 5 | 1025 | 100 | 1010 | SYN,ACK,PSH
     10:20:12.871 | eth0/2 | 10.1.1.1 | 80 | 10.2.2.2 | 1024 | TCP | 17 | 28712 | 1010 | 100 | SYN,ACK,FIN
  11. NetFlow = Visibility
     A single NetFlow record provides a wealth of information:
       Router# show flow monitor CYBER-MONITOR cache
       …
       IPV4 SOURCE ADDRESS: 192.168.100.100
       IPV4 DESTINATION ADDRESS: 192.168.20.6
       TRNS SOURCE PORT: 47321
       TRNS DESTINATION PORT: 443
       INTERFACE INPUT: Gi0/0/0
       FLOW CTS SOURCE GROUP TAG: 100
       FLOW CTS DESTINATION GROUP TAG: 1010
       IP TOS: 0x00
       IP PROTOCOL: 6
       ipv4 next hop address: 192.168.20.6
       tcp flags: 0x1A
       interface output: Gi0/1.20
       counter bytes: 1482
       counter packets: 23
       timestamp first: 12:33:53.358
       timestamp last: 12:33:53.370
       ip dscp: 0x00
       ip ttl min: 127
       ip ttl max: 127
       application name: nbar secure-http
       …
  12. NetFlow Version 5 Fixed format
  13. Versions of NetFlow
     Version | Major Advantage | Limits/Weaknesses
     V5 | Defines 18 exported fields; simple and compact format; most commonly used format | IPv4 only; fixed fields, fixed length fields only; single flow cache
     V9 | Template-based; IPv6 flows transported in IPv4 packets; MPLS and BGP nexthop supported; defines 104 fields, including L2 fields; reports flow direction | IPv6 flows transported in IPv4 packets; fixed length fields only; uses more memory; slower performance; single flow cache
     Flexible NetFlow (FNF) | Template-based flow format (built on V9 protocol); supports flow monitors (discrete caches); supports selectable key fields and IPv6; supports NBAR data fields | Less common; requires more sophisticated platform to produce; requires more sophisticated system to consume
     IP Flow Information Export (IPFIX), AKA NetFlow V10 | Standardized (RFC 5101, 5102, 6313); supports variable length fields, NBAR2; can export flows via IPv4 and IPv6 packets | Even less common; only supported on a few Cisco platforms
     NSEL (ASA only) | Built on NetFlow v9 protocol; state-based flow logging (context); pre and post NAT reporting | Missing many standard fields; limited support by collectors
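The v5 row above says "fixed format, 18 exported fields"; the following parser, added here as an example and not part of the presentation, shows what that means in practice: a 24-byte header followed by 48-byte records that can be unpacked with fixed offsets and no template negotiation. It also decodes the cumulative TCP flags byte, so the `tcp flags: 0x1A` value on the "NetFlow = Visibility" slide reads as SYN, PSH, ACK. The layout comes from the public v5 specification; the `build_v5` helper and the sample packet (the two records from the NetFlow slide) are constructed here only to give the parser input.

```python
import ipaddress
import struct
from typing import Dict, List

# NetFlow v5 export packet (public fixed layout): a 24-byte header followed by
# `count` fixed-length 48-byte records, all fields big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")   # version, count, sys_uptime, unix_secs, unix_nsecs,
                                           # flow_sequence, engine_type, engine_id, sampling_interval
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
             "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
             "src_as", "dst_as", "src_mask", "dst_mask", "pad2")
MAX_RECORDS = 30                           # v5 exporters send at most 30 records per packet

TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

def decode_tcp_flags(flags: int) -> List[str]:
    """Turn the cumulative tcp_flags byte into names, e.g. 0x1A -> SYN, PSH, ACK."""
    return [name for bit, name in TCP_FLAG_BITS if flags & bit]

def parse_v5(packet: bytes) -> Dict:
    """Parse one v5 export packet; reject anything that is not a well-formed v5 packet."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("packet shorter than v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_seq, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 packet (version {version})")
    if count > MAX_RECORDS or len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match packet length")
    records = []
    for i in range(count):
        offset = V5_HEADER.size + i * V5_RECORD.size
        raw = dict(zip(V5_FIELDS, V5_RECORD.unpack_from(packet, offset)))
        records.append({
            "src": str(ipaddress.IPv4Address(raw["srcaddr"])), "sport": raw["srcport"],
            "dst": str(ipaddress.IPv4Address(raw["dstaddr"])), "dport": raw["dstport"],
            "nexthop": str(ipaddress.IPv4Address(raw["nexthop"])),
            "in_if": raw["input"], "out_if": raw["output"], "proto": raw["prot"],
            "pkts": raw["dPkts"], "bytes": raw["dOctets"],
            "first_ms": raw["first"], "last_ms": raw["last"],     # sysuptime milliseconds
            "tcp_flags": decode_tcp_flags(raw["tcp_flags"]) if raw["prot"] == 6 else [],
        })
    return {"version": version, "count": count, "sys_uptime": sys_uptime,
            "unix_secs": unix_secs, "flow_sequence": flow_seq,
            "sampling_interval": sampling & 0x3FFF,   # low 14 bits; top 2 bits are the mode
            "records": records}

def build_v5(records: List[Dict], sys_uptime: int = 0, unix_secs: int = 0,
             flow_seq: int = 0) -> bytes:
    """Build a v5 packet from plain dicts (used here only to construct sample input)."""
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, flow_seq, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(
        ipaddress.IPv4Address(r["src"]).packed, ipaddress.IPv4Address(r["dst"]).packed,
        ipaddress.IPv4Address(r.get("nexthop", "0.0.0.0")).packed,
        r["in_if"], r["out_if"], r["pkts"], r["bytes"], r["first_ms"], r["last_ms"],
        r["sport"], r["dport"], 0, r["tcp_flags"], r["proto"], 0, 0, 0, 0, 0, 0)
        for r in records)
    return header + body

# Constructed sample: the two unidirectional records shown on the NetFlow slide.
SAMPLE_PACKET = build_v5([
    {"src": "10.2.2.2", "sport": 1024, "dst": "10.1.1.1", "dport": 80, "in_if": 1, "out_if": 2,
     "proto": 6, "pkts": 5, "bytes": 1025, "first_ms": 12221, "last_ms": 12871, "tcp_flags": 0x1A},
    {"src": "10.1.1.1", "sport": 80, "dst": "10.2.2.2", "dport": 1024, "in_if": 2, "out_if": 1,
     "proto": 6, "pkts": 17, "bytes": 28712, "first_ms": 12871, "last_ms": 13005, "tcp_flags": 0x13},
], sys_uptime=13005, unix_secs=1444132812)

if __name__ == "__main__":
    for rec in parse_v5(SAMPLE_PACKET)["records"]:
        print(rec["src"], rec["sport"], "->", rec["dst"], rec["dport"],
              rec["pkts"], "pkts", rec["bytes"], "bytes", rec["tcp_flags"])
```

The length check before unpacking matters on a real collector: a UDP datagram whose `count` field does not match its size is either damaged or not v5, and `unpack_from` would otherwise raise a less informative error part-way through the packet.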
  14. NetFlow Deployment Architecture
     Management/Reporting Layer:
     • Run queries on flow data
     • Centralize management and reporting
     Flow Collection Layer:
     • Collection, storage and analysis of flow records
     Flow Exporting Layer:
     • Enables telemetry export
     • As close to the traffic source as possible
  15. NetFlow Deployment
     Each network layer offers unique NetFlow capabilities
     Access: Catalyst® 3560/3750-X, Catalyst® 4500, Catalyst® 3650/3850
     Distribution & Core: Catalyst® 6500, Catalyst® 4500
     Edge: ASA, ISR, ASR
  16. Components for NetFlow Security Monitoring
     UDP Director
     • UDP packet copier
     • Forward to multiple collection systems
     StealthWatch FlowSensor (VE)
     • Generate NetFlow data
     • Additional contextual fields (ex. App, URL, SRT, RTT)
     StealthWatch FlowCollector
     • Collect and analyze
     • Up to 2000 sources
     • Up to sustained 240,000 fps
     StealthWatch Management Console
     • Management and reporting
     • Up to 25 FlowCollectors
     • Up to 6 million fps globally
     Best Practice: Centralize collection globally
  17. NetFlow Collection: Flow Stitching
     Topology: 10.2.2.2 port 1024 -> eth0/1 [exporter] eth0/2 -> 10.1.1.1 port 80
     Uni-directional flow records:
     Start Time | Interface | Src IP | Src Port | Dest IP | Dest Port | Proto | Pkts Sent | Bytes Sent | SGT | DGT
     10:20:12.221 | eth0/1 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 5 | 1025 | 100 | 1010
     10:20:12.871 | eth0/2 | 10.1.1.1 | 80 | 10.2.2.2 | 1024 | TCP | 17 | 28712 | 1010 | 100
     Bi-directional:
     • Conversation flow record
     • Allows easy visualization and analysis
     Start Time | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | Client SGT | Server SGT | Interfaces
     10:20:12.221 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 1025 | 5 | 28712 | 17 | 100 | 1010 | eth0/1, eth0/2
  18. NetFlow Collection: De-duplication
     Topology: 10.2.2.2 port 1024 -> Sw1 -> Sw2 -> ASA -> Sw3 -> 10.1.1.1 port 80
     Start Time | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | App | Client SGT | Server SGT
     10:20:12.221 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 1025 | 5 | 28712 | 17 | HTTP | 100 | 1010
     Exporter, Interface, Direction, Action (the same conversation reported by every exporter on the path):
     • Sw1, eth0, in
     • Sw1, eth1, out
     • Sw2, eth0, in
     • Sw2, eth1, out
     • ASA, eth1, in
     • ASA, eth0, out, Permitted
     • ASA, eth0, in, Permitted
     • ASA, eth1, out
     • Sw3, eth1, in
     • Sw3, eth0, out
     • Sw1, eth1, in
     • Sw1, eth0, out
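Slides 17 and 18 describe two collector functions together: stitching the two unidirectional records of a TCP connection into one conversation record, and recognizing that the same conversation exported by every switch and firewall on the path is one conversation, not several. The example below, added here and not StealthWatch's own code, implements both over constructed records for the HTTP conversation on the slides; the client is taken to be the side that sent the earlier record, and duplicate reports of a direction are merged by keeping the largest counters rather than summing them. A function that sums the raw records is included to show how badly an un-deduplicated byte count overstates the traffic.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class FlowRecord:
    """One unidirectional record as exported by one device/interface."""
    start: str        # HH:MM:SS.mmm; lexicographic order is time order within a day
    exporter: str
    interface: str
    direction: str    # "in" or "out" on that interface
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    bytes: int

@dataclass
class Conversation:
    """Bidirectional record: one row per client/server pair, counters per direction."""
    start: str
    client: str
    client_port: int
    server: str
    server_port: int
    proto: str
    client_bytes: int = 0
    client_pkts: int = 0
    server_bytes: int = 0
    server_pkts: int = 0
    observations: List[str] = field(default_factory=list)   # "exporter, interface, direction"

def conversation_key(r: FlowRecord) -> Tuple:
    """Same key for both directions: protocol plus the two (ip, port) endpoints, ordered."""
    return (r.proto,) + tuple(sorted([(r.src, r.sport), (r.dst, r.dport)]))

def stitch(records: List[FlowRecord]) -> List[Conversation]:
    """Stitch unidirectional records into conversations and de-duplicate across exporters."""
    convs: Dict[Tuple, Conversation] = {}
    for r in sorted(records, key=lambda x: x.start):        # earliest record defines the client
        key = conversation_key(r)
        conv = convs.get(key)
        if conv is None:
            conv = convs[key] = Conversation(r.start, r.src, r.sport, r.dst, r.dport, r.proto)
        conv.observations.append(f"{r.exporter}, {r.interface}, {r.direction}")
        # The same direction of the same conversation reported by another exporter on the
        # path is the same traffic, not more traffic: keep the largest counters seen
        # instead of adding them, so each conversation is counted once.
        if (r.src, r.sport) == (conv.client, conv.client_port):
            conv.client_bytes = max(conv.client_bytes, r.bytes)
            conv.client_pkts = max(conv.client_pkts, r.pkts)
        else:
            conv.server_bytes = max(conv.server_bytes, r.bytes)
            conv.server_pkts = max(conv.server_pkts, r.pkts)
    return list(convs.values())

def naive_total_bytes(records: List[FlowRecord]) -> int:
    """What a report shows if raw records are summed without de-duplication."""
    return sum(r.bytes for r in records)

def deduplicated_total_bytes(convs: List[Conversation]) -> int:
    return sum(c.client_bytes + c.server_bytes for c in convs)

# Constructed sample: the one HTTP conversation from the slides, seen on ingress by three
# exporters along the path (Sw1, Sw2, ASA) in each direction.
SAMPLE_RECORDS = [
    FlowRecord("10:20:12.221", "Sw1", "eth0", "in", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("10:20:12.221", "Sw2", "eth0", "in", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("10:20:12.221", "ASA", "eth1", "in", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("10:20:12.871", "ASA", "eth0", "in", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
    FlowRecord("10:20:12.871", "Sw2", "eth1", "in", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
    FlowRecord("10:20:12.871", "Sw1", "eth1", "in", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
]

if __name__ == "__main__":
    stitched = stitch(SAMPLE_RECORDS)
    for c in stitched:
        print(c)
    print("raw sum:", naive_total_bytes(SAMPLE_RECORDS), "deduplicated:", deduplicated_total_bytes(stitched))
```

Keeping the max counter is the simplest merge and is correct when every exporter sees the whole conversation; a collector that knows the topology can instead pick one designated exporter per path, which also handles the case where an exporter on the path drops or samples packets.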
  19. Conversational Flow Record
     Who, What, When, How, Where (more context)
     • Highly scalable (enterprise class) collection
     • High compression => long term storage
     • Months of data retention
  20. ISE as a Telemetry Source
     Monitor Mode
     • Open Mode, Multi-Auth
     • Unobstructed Access
     • No impact on productivity
     • Profiling, posture assessment
     • Gain Visibility
     Authenticated Session Table (Cisco ISE -> syslog -> StealthWatch Management Console)
     • Maintain historical session table
     • Correlate NetFlow to username
     • Build user-centric reports
  21. NetFlow Analysis can help:
     Identify Indicators of Compromise
     • Policy & Segmentation
     • Network Behaviour & Anomaly Detection (NBAD)
     Better understand / respond to an IOC:
     • Audit trail of all host-to-host communication
     Discovery
     • Identify business critical applications and services across the network
  22. Host Groups: Applied Situational Awareness
     Virtual container of multiple IP Addresses/ranges that have similar attributes (example: Lab servers)
     Best Practice: classify all known IP Addresses in one or more host groups
  23. Locate Assets
     Find hosts communicating on the network
     • Pivot based on transactional data
  24. Concept: Indicator of Compromise
     "An artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion"
     • http://en.wikipedia.org/wiki/Indicator_of_compromise
     Sources: IDS/IPS Alert, Log analysis (SIEM), Raw flow analysis, Outside notification, Behavioural analysis, Activity monitoring, Anomaly detection, File hashes, IP Addresses
  25. IoCs from Traffic Analysis
     Behavioural Analysis:
     • Leverages knowledge of known bad behaviour
     • Policy and segmentation
     Anomaly Detection:
     • Identify a change from “normal”
  26. StealthWatch NBAD Model
     Algorithm -> Security Event -> Alarm
     • Algorithm: track and/or measure behaviour/activity
     • Security Event: suspicious behaviour observed or anomaly detected
     • Alarm: notification of security event generated
  27. Alarm Categories
     Each category accrues points.
  28. Example Alarm Category: Concern Index
     Concern Index: track hosts that appear to be compromising network integrity
     Security events are generated by over 90 different algorithms.
  29. StealthWatch: Alarms
     Alarms
     • Indicate significant behaviour changes and policy violations
     • Known and unknown attacks generate alarms
     • Activity that falls outside the baseline, acceptable behaviour or established policies
  30. Watching for Data Theft
     Data Exfiltration
     • Identify suspect movement from Inside Network to Outside
     • Single or multiple destinations from a single source
     • Policy and behavioral
  31. Data Hoarding
     Suspect Data Hoarding:
     • Unusually large amount of data inbound from other hosts
     Target Data Hoarding:
     • Unusually large amount of data outbound from a host to multiple hosts
  32. Suspect Data Hoarding
     Data Hoarding
     • Unusually large amount of data inbound to a host from other hosts
     • Policy and behavioral
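Slides 22 and 26 through 32 together describe a pipeline: host groups give each address a role (inside or outside, lab server), algorithms track per-host behaviour and emit security events, each event adds points to a category such as the Concern Index, and the host alarms once the points cross a threshold. The example below, added here and not StealthWatch's own implementation, runs that pipeline over constructed conversation records with three rules matching the data-theft slides: Suspect Data Loss (inside host sending a large volume to outside hosts), Suspect Data Hoarding (large inbound volume from multiple hosts) and Target Data Hoarding (large outbound volume to multiple inside hosts). The host groups, ISE session table, thresholds and point values are all assumptions made for the example; the alarm carries the username from the session table, as slide 20 describes.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class Conversation:
    """Stitched bidirectional flow record: client -> server, bytes counted per direction."""
    client: str
    server: str
    server_port: int
    proto: str
    client_bytes: int   # sent by the client
    server_bytes: int   # sent by the server

# Host groups (constructed): IP ranges sharing attributes, as on the host-group slide.
HOST_GROUPS = {"Inside Hosts": ["10.0.0.0/8"], "Lab servers": ["10.201.3.0/24"]}
# ISE authenticated-session table (constructed): IP -> username, as on the ISE slide.
SESSION_TABLE = {"10.201.3.59": "jdoe", "10.20.1.7": "asmith"}

# Thresholds and point values are constructed for this example; they are not
# StealthWatch's own tuning.
EXFIL_BYTES = 500_000_000      # bytes an inside host may send to outside hosts
HOARD_BYTES = 500_000_000      # bytes pulled into (or served from) a host across its peers
HOARD_MIN_PEERS = 3            # what "multiple hosts" means here
EVENT_POINTS = {"Suspect Data Loss": 80, "Suspect Data Hoarding": 60, "Target Data Hoarding": 60}
CI_ALARM_THRESHOLD = 100       # Concern Index points at which the host alarms

def host_groups_for(ip: str) -> List[str]:
    addr = ipaddress.ip_address(ip)
    return [name for name, cidrs in HOST_GROUPS.items()
            if any(addr in ipaddress.ip_network(c) for c in cidrs)]

def is_inside(ip: str) -> bool:
    return "Inside Hosts" in host_groups_for(ip)

@dataclass
class HostStats:
    out_to_outside: int = 0
    in_bytes: int = 0
    in_peers: Set[str] = field(default_factory=set)
    out_to_inside: int = 0
    out_peers_inside: Set[str] = field(default_factory=set)

def per_host_stats(convs: List[Conversation]) -> Dict[str, HostStats]:
    """Aggregate every conversation onto both of its endpoints."""
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    for c in convs:
        for host, peer, sent, received in ((c.client, c.server, c.client_bytes, c.server_bytes),
                                           (c.server, c.client, c.server_bytes, c.client_bytes)):
            s = stats[host]
            if received:
                s.in_bytes += received
                s.in_peers.add(peer)
            if is_inside(peer):
                s.out_to_inside += sent
                s.out_peers_inside.add(peer)
            else:
                s.out_to_outside += sent
    return stats

def security_events(convs: List[Conversation]) -> List[Tuple[str, str, str]]:
    """Algorithm stage: each rule measures a behaviour and emits (host, event, detail)."""
    events = []
    for host, s in per_host_stats(convs).items():
        if not is_inside(host):                      # only inside hosts are scored
            continue
        if s.out_to_outside >= EXFIL_BYTES:
            events.append((host, "Suspect Data Loss", f"{s.out_to_outside} bytes sent to outside hosts"))
        if s.in_bytes >= HOARD_BYTES and len(s.in_peers) >= HOARD_MIN_PEERS:
            events.append((host, "Suspect Data Hoarding", f"{s.in_bytes} bytes pulled from {len(s.in_peers)} hosts"))
        if s.out_to_inside >= HOARD_BYTES and len(s.out_peers_inside) >= HOARD_MIN_PEERS:
            events.append((host, "Target Data Hoarding", f"{s.out_to_inside} bytes served to {len(s.out_peers_inside)} hosts"))
    return events

def concern_index(events: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Each security event accrues points against its host."""
    ci: Dict[str, int] = defaultdict(int)
    for host, name, _ in events:
        ci[host] += EVENT_POINTS[name]
    return dict(ci)

def raise_alarms(events: List[Tuple[str, str, str]]) -> List[Dict]:
    """Alarm stage: hosts over the Concern Index threshold, with user and host-group context."""
    return [{"host": host, "concern_index": points, "user": SESSION_TABLE.get(host, "unknown"),
             "host_groups": host_groups_for(host),
             "events": [name for h, name, _ in events if h == host]}
            for host, points in concern_index(events).items() if points >= CI_ALARM_THRESHOLD]

# Constructed sample: one lab host pulls large volumes from three internal file servers and
# then pushes a large volume to an outside address; a second host shows ordinary traffic.
SAMPLE_CONVERSATIONS = [
    Conversation("10.201.3.59", "10.10.1.5", 445, "TCP", 40_000, 300_000_000),
    Conversation("10.201.3.59", "10.10.1.6", 445, "TCP", 35_000, 200_000_000),
    Conversation("10.201.3.59", "10.10.1.7", 445, "TCP", 38_000, 250_000_000),
    Conversation("10.201.3.59", "203.0.113.10", 443, "TCP", 600_000_000, 2_000_000),
    Conversation("10.20.1.7", "203.0.113.20", 443, "TCP", 50_000, 1_200_000),
]

if __name__ == "__main__":
    for alarm in raise_alarms(security_events(SAMPLE_CONVERSATIONS)):
        print(alarm)
```

Note that the file servers are not scored as Target Data Hoarding here: each served a large volume to a single host, which is the point of requiring multiple peers, and it is the lab host that accumulates points from two independent rules and therefore crosses the alarm threshold.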
  33. “The Science of Deduction.”
     Chapter 1: The Sign of the Four
  34. Investigating a Host
     IOC: IDS Alert indicating a known worm operating inside your network
     Host report for 10.201.3.59
     • Behavior alarms
     • Quick view of host group communication
     • Summary information
  35. Investigating: Host Drilldown
     • User information
     • Applications
  36. Investigating: Applications
     A lot of applications. Some suspicious!
  37. Investigating: Behaviour Alarms
     Significant network activity
  38. It Could Start with a User …
     Username -> Active Directory Details -> Devices and Sessions -> Alarms -> View Flows
  39. Key Takeaways
     • Insider threats are operating on the network interior
     • Threat detection and response requires visibility and context into network traffic
     • NetFlow and the Lancope StealthWatch System provide actionable security intelligence
  40. Links and Recommended Reading
     More about the Cisco Cyber Threat Defense Solution:
     • http://www.cisco.com/go/threatdefense
     • http://www.lancope.com
     Recommended Reading:
     • Cyber Threat Defense Cisco Validated Design Guide: http://www.cisco.com/en/US/solutions/collateral/ns1015/ns1238/cyber_threat_defense_design_guide.pdf
     • Cyber Threat Defense for the Data Center Cisco Validated Design Guide: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/ctd-first-look-design-guide.pdf
     • Securing Cisco Networks with Threat Detection and Analysis (SCYBER): https://learningnetwork.cisco.com/community/certifications/security/cybersecurity/scyber_exam
  41. “The game is afoot!”
     Sherlock Holmes, The Adventure of the Abbey Grange
  42. Q & A
