Your SlideShare is downloading. ×
0
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Cisco Secure X
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Cisco Secure X

193

Published on

Cisco Cyber Threat Defense …

Cisco Cyber Threat Defense
Mikhail Rodionov
Business Development Manager

Published in: Technology, News & Politics
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
193
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
35
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Cisco Cyber Threat Defense Mikhail Rodionov Business Development Manager mrodiono@cisco.com
  • 2. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 2 • Discuss the growing security problem customers are facing that is not addressed by traditional security products and technologies • Define Cisco’s unique approach to this problem • Describe the Cisco Cyber Threat Defense Solution and explain why Cisco can provide the security telemetry • Show why the solution provides unique differentiated value
  • 3. © Компания Cisco и (или) ее дочерние компании, 2012 г. Все права защищены. Конфиденциальная информация Cisco 3
  • 4. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 4
  • 5. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 5 Mobility Threat Cloud Megatrends require innovative approach to advanced cyber threats Android malware increased by 2577% in 2012 SaaS & B2B apps 11x more malicious than counterfeit software Threats are morphing
  • 6. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 6 Defense: Anti-Virus, Firewalls Viruses (1990s) Defense: Intrusion Detection & Prevention Worms (2000s) Defense: Reputation, DLP, App.- aware Firewalls Botnets (late 2000s to current) Strategy: Visibility and Context Directed Attacks (APTs) (today) ILOVEYOU Melissa Anna Kournikova Nimda SQL Slammer Conficker Tedroo Rustock Conficker Aurora Shady Rat Duqu
  • 7. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 7 keep our doors locked to stop good people from coming in” Firewall IPS Web Sec N-AV Email Sec Customized Threat Bypasses Security Gateways Threat Spreads Inside Perimeter Once inside the perimeter, a command and control channel that'll open up Only the network can have the appropriate level visibility and intelligence to detect these threats Servers
  • 8. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 8 Network Reconnaissance Data Leakage Internally Propagating Malware Botnet Command And Control
  • 9. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 9 Mandiant 2012 survey Organizations were compromised ~ 416 days before attackers were discovered In 100% of cases, the bad guys used valid credentials Each incident was discovered by 3rd party only X X X X O X X X O O
  • 10. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 10 • What Our Customers are Telling Us: • “We assume we’re already compromised” • “Over 50% of threats are customized to my environment…” • “We had a single actor gaining access by three different methods all in a days work…” • “I have enough storage for 30 days, my adversary went to sleep for 31 days. When I increased my storage to 60 days, they figured it out and changed their attack to match my storage capability…”
  • 11. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 11 • Страна? Конкуренты? Частные лица?Who? • Что является целью?What? • Когда атака наиболее активна и с чем это связано?When? • Где атакующие? Где они наиболее успешны?Where? • Зачем они атакуют – что конкретно их цель?Why? • Как они атакуют – Zero-day? Известные уязвимости? Инсайдер?How?
  • 12. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 12 • Кто в моей сети? Who? • Что делают пользователи? Приложения? • Что считать нормальным поведением?What? • Устройства в сети? Что считать нормальным состоянием?When? • Где и откуда пользователи попадают в сеть? • Внутренние? eCommerce? Внешние?Where? • Зачем они используют конкретные приложения?Why? • Как всё это попадает в сеть? How?
  • 13. © Компания Cisco и (или) ее дочерние компании, 2012 г. Все права защищены. Конфиденциальная информация Cisco 13
  • 14. Workload s Apps / Services Infrastruc ture public tenan hybrid private Any-To-Any Network Gloval and Local Threat Detection Blending of Personal & Business Use Access Assets through Multiple Medians Services Identity Awareness Sees All Traffic Routes All Requests Sources All Data Controls All Flows Handles All Devices Touches All UsersShapes All Streams Behavioral Analysis Encryption Device Visibility Policy Enforcement Access Control Threat Defense
  • 15. © Компания Cisco и (или) ее дочерние компании, 2012 г. Все права защищены. Конфиденциальная информация Cisco 15
  • 16. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 16 Intrusion Detection System • на основе сигнатур • пассивный сбор • первичный источник оповещения Syslog journal • инструмент глубокого анализа • возможность фильтрации • ограниченное воздействие на систему Network Flow Analysis • слабое воздействие на устройства • основной инструмент исследования • небольшой требуемый объем памяти
  • 17. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 17 Signature/Reputation -based Threat Detection Behavioral-based Threat Detection Network Perimeter Firewalls IPS/IDS Honeypots Network Interior Email Content Inspection Web Content Inspection Cisco’s Cyber Threat Defense Solution
  • 18. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 18 Private Cloud Hybrid Cloud SaaS ANY DEVICE ANY CLOUD Secure Access Firewall IPS Web Gateway Email Gateway Policy VPN Data Center Next Gen Applia nce Cloud #1 Market Share Applia nce Attach ed Applia nce Hosted
  • 19. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 19 A B C C B A CA B We can see: - source address, - destination address, - number of packets transferred during that session, - and a timestamp of the session
  • 20. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 20
  • 21. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 21 Sampled Net Flow – Incomplete Visibility • Less than 5% of traffic used to generate NetFlow telemetry • Insufficient telemetry for threat detection Full Unsampled Net Flow – No Blind Spots • All traffic is used to generate NetFlow telemetry • Pre-requisite for effective threat detection Only a Cisco Catalyst Switch Can Deliver Unsampled NetFlow at Line- Rate Without Any Data Plane Performance Impact
  • 22. © Компания Cisco и (или) ее дочерние компании, 2012 г. Все права защищены. Конфиденциальная информация Cisco 22
  • 23. Cisco Cyber Threat Defense Solution Components Identity and Policy StealthWatch Cisco ISE Policy Enforcement Flow Attribution Security Analysis Flow Monitoring
  • 24. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 24 • The most complex, custom-written, dangerous security threats (e.g. APTs) • Threats that lurk in networks for months or years stealing vital information and disrupting operations • Data leakage • Network reconnaissance • Network interior malware proliferation • Command and control traffic Cisco Cyber Threat Defense (CTD) focuses on: Focus of this class of threats and Cisco CTD use cases:
  • 25. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 25 Netflow Telemetry Cisco Switches, Routers and ASA 5500 Internal Network & Borders Threat Context Data Cisco Identity, Device, Posture, NAT, Application Unified View Threat Analysis & Context in Lancope StealthWatch Leveraging NetFlow, Identity, Reputation andApplication Cisco SolutionsPlus product
  • 26. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 26 Cisco Network StealthWatch FlowCollector StealthWatch Management Console NetFlow StealthWatch FlowSensor StealthWatch FlowSensor VE Users/Devices Cisco ISE NetFlow StealthWatch FlowReplicator Другие коллекторы https https NBAR NSEL
  • 27. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 27 High Concern Index indicates a significant number of suspicious events that deviate from established baselines Host Groups Host CI CI% Alarms Alerts Desktops 10.10.101.118 338,137,280 8,656 % High Concern index Ping, Ping_Scan, TCP_Scan Monitor and baseline activity for a host and within host groups.
  • 28. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 28 What’s about 10.10.101.89? Policy Start Active time Alarm Source Source Host Groups Target Details Desktops & Trusted Wireless Jan 3, 2013 Suspect Data Loss 10.10.101.89 Atlanta, Desktops Multiple Hosts Observed 4.82 Gbytes. Policy maximum allows up to 500Mbytes.
  • 29. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 29
  • 30. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 30 C I2 I4 A Local intelligence Who What How Where When From your network Cisco Security Intelligence Operations From Cisco’s global threat analysis system Репутация Взаимо- действия APP Приложения URL Сайты SecurityIntelligenceOperations
  • 31. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 31 Users/Devices Cisco Identity Services Engine (ISE) Network Based Application Recognition (NBAR) NetFlow Secure Event Logging (NSEL) Link flows with user identity Dig out key application information from a stream while data flows through it A special form of log event helps identify accepted and rejected connections
  • 32. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 32 Policy Start Active Time Alarm Source Source Host Groups Source User Name Device Type Target Deskto ps & Trusted Wireles s Jan 3, 2013 Suspect Data Loss 10.10.101 .89 Atlanta, Desktops John Chambers Apple- iPad Multiple Hosts Attribute flows and behaviors to a user and device
  • 33. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 33 • Flow Action field can provide additional context • State-based NSEL reporting is taken into consideration in StealthWatch’s behavioral analysis • Concern Index points accumulated for Flow Denied events
  • 34. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 34
  • 35. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 35 Обнаружение разных типов атак, включая DDoS Детальная статистика о всех атаках, обнаруженных в сети
  • 36. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 36 Devices Access Catalyst® 3750-X BranchCampus Catalyst® 3560-X Catalyst® 4500 Catalyst® 4500 Access Point Access Point Distribution Catalyst® 3750-X Stack WLC Catalyst ® 6500 Edge Site- to- Site VPN ASA ISR Catalyst ® 6500 Remote Access Cisco ISE Management StealthWatch Management Console StealthWatch FlowCollector NetFlow Capable Correlate and display Flow and Identity Info Cisco TrustSec: Access Control, Profiling and Posture NetFlow Identity AAA services, profiling and posture assessment Collect and analyze NetFlow Records Scalable NetFlow Infrastructure 3
  • 37. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 37 CRISIS REGION ImpacttotheBusiness($) Time credit card data compromised * attack identified * vulnerability closed * CRISIS REGION Security Problems “Worm outbreaks can impact revenue by up to $250k per hour. StealthWatch pays for itself in 30 minutes.” F500 Media Conglomerate attack onset * StealthWatch Reduces MTTK *attack thwarted *early warning *attack identified * vulnerability closed Company with StealthWatch Company with Legacy Monitoring Tools
  • 38. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 38
  • 39. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 39 • CEC website: wwwin.cisco.com/stg/cyber/ For EBC/TDM decks, design and how-to guides, and training VoD links • CCO website: www.cisco.com/go/threatdefense/ Customer-facing versions of the DIG and how-to guides (Note: Need to scroll about halfway down the page) • Cyber Threat Defense area on Highwire For training decks, VMware images, other demo supporting information • Demo pods available via http://securitytme.cisco.com • Aliases: cyber-pm and cyber-tm
  • 40. Thank you! mrodiono@cisco.com
  • 41. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 46 • Identifying BotNet Command & Control Activity. BotNets are implanted in the enterprise to execute commands from their Bot herders to send SPAM, Denial of Service attacks, or other malicious acts. • Revealing Data Loss. Code can be hidden in the enterprise to export of sensitive information back to the attacker. This Data Leakage may occur rapidly or over time. • Detecting Sophisticated and Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise waiting to strike as lurking threats. These may be zero day threats that do not yet have an antivirus signature or be hard to detect for other reasons. • Finding Internally Spread Malware. Network interior malware proliferation can occur across hosts for the purpose gathering security reconnaissance data, data exfiltration or network backdoors. • Uncovering Network Reconnaissance. Some attacks will probe the network looking for attack vectors to be utilized by custom- crafted cyber threats.
  • 42. © Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 47 Devic es Internal Network Use NetFlow Data to Extend Visibility to the Access Layer Unify Into a Single Pane of Glass for Detection, Investigation and Reporting Enrich Flow Data With Identity, Events and Application to Create Context WHO WHAT WHERE WHEN HOW Hardware- enabled NetFlow Switch Cisco ISE Cisco ISR G2 + NBAR Cisco ASA + NSEL Cont ext

×