Exposing Risk Through Network Visibility | GSF 2012 | Session 4-3


Cyber threats impact the security and economic viability of nations and businesses alike. These threats continue to increase exponentially.

By: Chris Coleman

Transcript

  • 1. Exposing Risk Through Network Visibility
    Chris Coleman, Director, Cyber Security, U.S. Public Sector
    21 March 2012
    © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
  • 2. Agenda
    1. Problem Definition
    2. Solution Overview
    3. Product Components and Availability
  • 3. Cyber threats impact the security and economic viability of nations and businesses alike: Manipulation, Theft & Espionage, Disruption.
  • 4. Cyber threats impact the security and economic viability of nations and businesses alike
    Manipulation: Target: Nasdaq OMX. Impact: “Flash Crash” of May 2010. Exploit: Directors Desk web-based application.
    Theft & Espionage: Target: Security and defense contractors. Impact: Intellectual property theft, 2009-2010. Exploit: Multiple.
    Disruption: Target: Iranian nuclear reactors. Impact: 2-5 year delay. Exploit: Siemens PLC software zero-day.
  • 5. 624,000 attacks (2007); 2,600,000 attacks (2010); 5,700,000 attacks (2013, projected)
  • 6. Sophisticated Attacks With Specific High-Stakes Intent
    • 49% of threats are customized for target environment [1]
    • $1T/year private sector revenue loss from cyber espionage [2]
    • 5X increase in attacks against US Government 2006 to 2009 [3]
    Compromise Is Not “If,” but “When”
    • 59% of organizations believe they have been cyber threat targets [4]
    • 46% believe they are still highly vulnerable despite increased prevention investments [5]
    Customers Investing to Respond
    • 52% invested in network anomaly analysis/detection [6]
    • 77% increase investment in security solutions in reaction to cyber threats [7]
    Sources: [1] Verizon Data Breach Report; [2] US House Intelligence; [3] Cyber Market Forecast; [4] ESG APT Report; [5-7] ESG
  • 7. Customized Cyber Threats Evade Existing Security Constructs
    A customized threat bypasses the security gateways (Firewall, IPS, N-AV, Web Sec, Email Sec) and then spreads inside the perimeter.
    Fingerprints of the threat are found only in the network fabric.
  • 8. Malware Customization
    [Chart: Zeus A/V detection rate. Source: abuse.ch Zeus Tracker (3/19/2012)]
    [Chart: Source: Verizon 2011 Data Breach Investigations Report]
    “Roughly half of the malware we discover is specifically targeted at our environment.” - U.S. Public Sector Customer
    “We’ve detected malware that was compiled 5 minutes prior to being injected into our user base.” - U.S. Public Sector Customer
  • 9. Breached, but How, Where, and Who?
    • Often very difficult to find
    • High-value assets—major consequences
    Disparate Data Sources, Manual Assembly
    • No single system provides all data to decipher an attack
    • Requires expensive analysts
    Context Is Critical
    • Analysts collect and assemble contextual information from a variety of systems
    • Related threats, identity, reputation, vulnerability, device type, etc.
    • Network flow analysis is central to this process—throughout the network
  • 10. Flow, Context, and Control
    [Diagram: a host (65.32.7.45) on the NETWORK, surrounded by the questions WHO, WHAT, WHEN, WHERE, HOW and the context labels Reputation? Posture? Device? User? Events? Vulnerability, AV, Patch]
    • Use NetFlow data to extend visibility to the access layer
    • Unite flow data with identity, reputation, application for context
    • Network switches as enforcement points for increased control
  • 11. Unified View: Threat Analysis and Context in Lancope StealthWatch, Internal Network and Borders
    [Diagram: FLOW and CONTEXT feed StealthWatch; SIO supplies reputation]
    • NetFlow telemetry from Cisco switches, routers, and ASA 5500
    • Threat context data from Cisco identity, device, posture, reputation, application
  • 12. Example Patterns Detected by Lancope StealthWatch Using NetFlow
    Find Internally Spreading Malware
    • Unusual application traffic to/from hosts/subnets
    • Duplicate traffic patterns
    • Devices faking services (DHCP server not on list)
    Detect Recon Activity
    • Traffic destined to a blackhole or blacklisted hosts
    • Protocol sequence anomalies (e.g. no SYN/FIN)
    Find Data Loss/Exfiltration
    • Asymmetric traffic patterns—a lot of data going out
    • Communication with unusual or “watchlist” nations
    • Unusual application traffic to/from hosts/subnets
    Detect Botnet and Command/Control Activity
    • One-way traffic—constant beacons
    • Time of day patterns
    • Repeated low volume connections
    • Unusual quantities or duration of traffic
  • 13. Example Patterns Detected by Lancope StealthWatch Using NetFlow (continued)
    [The slide repeats the pattern table of slide 12 and overlays it with the threat context provided by Cisco ISE, reputation, and Application Recognition (NBAR)]
    Questions the threat context answers:
    • Who is being targeted?
    • Is the user a critical target? (title and what part of the organization they are in, per AD/LDAP information)
    • What information does the user have access to? (network authorization group they belong to)
    • What device is the traffic coming from? (laptop, smartphone, etc.)
    • Has the user had security posture failures recently? (quarantine and posture event status)
    • Are there other relevant user session events? (access to all AAA events associated with the user)
    • What is the reputation of the host the user is communicating with?
    • What application is the traffic?
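The pattern families on slides 12 and 13 are, in practice, rules evaluated over flow records: a reputation lookup on the destination, a periodicity test for beacons, a count of SYN-only connections for recon, and an in/out byte ratio for exfiltration. The following is an added example, not code from the presentation or from Lancope or Cisco; it runs four such rules over a constructed set of flow records (the addresses, the blocklist entry 203.0.113.9, the thresholds and the Flow field layout are all assumptions made for the example).

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One unsampled flow record, reduced to the fields the rules below need (constructed layout)."""
    start: int        # seconds since an arbitrary epoch
    src: str
    dst: str
    dst_port: int
    proto: str        # "tcp" or "udp"
    pkts: int
    bytes_out: int    # bytes from src to dst
    bytes_in: int     # bytes from dst back to src
    tcp_flags: str    # cumulative flags seen, e.g. "S", "SPA"; "" for udp


# Constructed blocklist entry (TEST-NET-3 documentation range), standing in for a
# reputation feed such as the SIO lookup the slides mention.
BLACKLIST = {"203.0.113.9"}


def find_blacklisted(flows):
    """Traffic destined to blacklisted hosts (recon column of slide 12)."""
    return sorted({(f.src, f.dst) for f in flows if f.dst in BLACKLIST})


def find_beacons(flows, min_count=6, max_jitter=0.1):
    """One-way, constant-interval traffic to a single destination (botnet/C2 column).

    A (src, dst, port) triple is a beacon when it has at least `min_count` flows,
    the start times are evenly spaced (relative std-dev of the gaps at most
    `max_jitter`) and no more comes back than goes out."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dst_port)].append(f)
    hits = []
    for key, fs in by_pair.items():
        if len(fs) < min_count:
            continue
        fs.sort(key=lambda f: f.start)
        gaps = [b.start - a.start for a, b in zip(fs, fs[1:])]
        avg = mean(gaps)
        one_way = sum(f.bytes_in for f in fs) <= sum(f.bytes_out for f in fs)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter and one_way:
            hits.append(key)
    return sorted(hits)


def find_scanners(flows, min_targets=20):
    """Protocol sequence anomalies (recon column): many tiny TCP flows from one
    source to distinct host/port pairs that never get past the SYN."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.pkts <= 2 and "A" not in f.tcp_flags:
            targets[f.src].add((f.dst, f.dst_port))
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


def find_exfil(flows, ratio=10.0, min_bytes=50_000_000):
    """Asymmetric traffic (data loss column): a host pushing far more data out
    than it receives, above an absolute byte threshold."""
    out, inn = defaultdict(int), defaultdict(int)
    for f in flows:
        out[f.src] += f.bytes_out
        inn[f.src] += f.bytes_in
    return sorted(s for s in out if out[s] >= min_bytes and out[s] >= ratio * max(inn[s], 1))


def build_sample_flows():
    """Constructed flow set: ordinary browsing, a 60-second beacon, a SYN scan of
    30 hosts and one large FTP upload to the blacklisted host."""
    flows = []
    # Ordinary browsing from 10.0.227.30: irregular timing, far more bytes in than out.
    for t in (0, 5, 45, 48, 168, 183):
        flows.append(Flow(t, "10.0.227.30", "192.0.2.10", 443, "tcp", 40, 3_000, 250_000, "SPA"))
    # Beacon from 10.0.227.12 every 60 s: small request, smaller reply.
    for i in range(10):
        flows.append(Flow(1000 + 60 * i, "10.0.227.12", "198.51.100.20", 443, "tcp", 4, 200, 60, "SPA"))
    # SYN scan from 10.0.227.50 across 10.0.5.1-30 on port 445: one packet, no ACK ever seen.
    for h in range(1, 31):
        flows.append(Flow(2000 + h, "10.0.227.50", f"10.0.5.{h}", 445, "tcp", 1, 60, 0, "S"))
    # Large FTP upload from the beaconing host to the blacklisted destination.
    flows.append(Flow(3000, "10.0.227.12", "203.0.113.9", 21, "tcp", 300_000, 400_000_000, 50_000, "SPA"))
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    print("blacklisted:", find_blacklisted(SAMPLE_FLOWS))
    print("beacons:    ", find_beacons(SAMPLE_FLOWS))
    print("scanners:   ", find_scanners(SAMPLE_FLOWS))
    print("exfil:      ", find_exfil(SAMPLE_FLOWS))
```

Each rule is deliberately simple so that the threshold it depends on is visible: the beacon test needs enough flows to judge periodicity, the scan test needs flows that never carry an ACK, and the exfiltration test needs unsampled byte counts in both directions, which is why the deck insists on unsampled NetFlow and on the context (user, device, reputation) that turns a rule hit into a prioritized alarm.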
  • 14. NetFlow Telemetry Comes in Two Forms
    Sampled: a small subset of traffic, usually less than 5%, is sampled and used to generate NetFlow telemetry; this gives a snapshot view into network activity, like reading a book by skimming every 100th page.
    Unsampled: all traffic is used to generate NetFlow telemetry, providing a comprehensive view into all activity on the network; using the book analogy, this is reading every word in the book.
    The customized, stealthy nature of advanced cyber threats requires full, unsampled NetFlow visibility. Only a Cisco Catalyst switch can deliver this unsampled NetFlow at line rate without any network performance impact.
  • 15. Cisco platforms and their NetFlow roles
    • Cat 3K-X (Access): adds NetFlow with service module; line-rate NetFlow
    • Cat 4K Sup7E, Sup7L-E (Access/Distribution): line-rate NetFlow
    • Cat 6K Sup2T (Access/Distribution): NetFlow scale
    • ISR, ASR (Edge and Borders): NetFlow, NBAR2
    • ASA 5500 (Network Perimeter): perimeter security event logging
  • 16. NetFlow
    • Developed and patented at Cisco® Systems in 1996
    • NetFlow is the de facto standard for acquiring IP operational data
    • Provides network and security monitoring, network planning, traffic analysis, and IP accounting
  • 17. NetFlow cache, expiration, aggregation and export
    1. Create and update flows in the NetFlow cache. Cache entry fields: SrcIf, SrcIPadd, DstIf, DstIPadd, Protocol, TOS, Flgs, Pkts, SrcPort, SrcMsk, SrcAS, DstPort, DstMsk, DstAS, NextHop, Bytes/Pkt, Active, Idle. Example entries:
       Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11  80  10  11000  00A2  /24  5    00A2  /24  15  10.0.23.2  1528  1745    4
       Fa1/0  173.100.3.2   Fa0/0  10.0.227.12  6   40  0   2491   15    /26  196  15    /24  15  10.0.23.2  740   41.5    1
       Fa1/0  173.100.20.2  Fa0/0  10.0.227.12  11  80  10  10000  00A1  /24  180  00A1  /24  15  10.0.23.2  1428  1145.5  3
       Fa1/0  173.100.6.2   Fa0/0  10.0.227.12  6   40  0   2210   19    /30  180  19    /24  15  10.0.23.2  1040  24.5    14
    2. Expiration, triggered by any of: inactive timer expired (15 sec is default); active timer expired (30 min is default); NetFlow cache is full (oldest flows are expired); RST or FIN TCP flag. The expired entry for 173.100.21.2 leaves the cache with Active 1800, Idle 4.
    3. Aggregation? (yes/no)
    4. Export version: non-aggregated flows use export version 5 or 9; aggregated flows use export version 8 or 9. E.g. the protocol-port aggregation scheme reduces the entry to Protocol 11, Pkts 11000, SrcPort 00A2, DstPort 00A2, Bytes/Pkt 1528.
    5. Transport protocol (UDP, SCTP): export packet = header + payload (flows).
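The five steps on slide 17 are easiest to follow as a small simulation. The code below is an added example, not Cisco's implementation: it keeps a cache keyed on the same tuple a router uses (interfaces, addresses, protocol, TOS, ports), applies the four expiration reasons with the slide's default timers, and reduces the exported entries with the protocol-port aggregation scheme. The packet trace, the addresses (reusing those printed on the slide), the four-entry cache size and the helper names are all constructed for the example.

```python
from collections import OrderedDict
from dataclasses import dataclass

# Expiration defaults quoted on the slide.
INACTIVE_TIMEOUT = 15          # seconds without a packet on the flow
ACTIVE_TIMEOUT = 30 * 60       # seconds since the flow was created
CACHE_SIZE = 4                 # constructed: tiny so "cache full" can be shown

# TCP flag bits as carried in the cache's Flgs field.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class FlowEntry:
    key: tuple            # (src_if, src_ip, dst_ip, proto, tos, src_port, dst_port)
    first_seen: float
    last_seen: float
    pkts: int = 0
    byte_count: int = 0
    tcp_flags: int = 0    # OR of all flags seen on the flow


class NetFlowCache:
    """Step 1 (create/update) and step 2 (expiration) of the slide's pipeline."""

    def __init__(self, size=CACHE_SIZE):
        self.size = size
        self.cache = OrderedDict()   # refresh order doubles as age order
        self.exported = []           # (reason, FlowEntry), in export order

    def _expire(self, key, reason):
        self.exported.append((reason, self.cache.pop(key)))

    def age(self, now):
        """Expire entries whose inactive or active timer has run out."""
        for key, e in list(self.cache.items()):
            if now - e.last_seen >= INACTIVE_TIMEOUT:
                self._expire(key, "inactive timer")
            elif now - e.first_seen >= ACTIVE_TIMEOUT:
                self._expire(key, "active timer")

    def update(self, pkt, now):
        self.age(now)
        key = (pkt["src_if"], pkt["src"], pkt["dst"], pkt["proto"], pkt["tos"], pkt["sport"], pkt["dport"])
        entry = self.cache.get(key)
        if entry is None:
            if len(self.cache) >= self.size:
                # Cache full: the least recently updated flow is exported first.
                self._expire(next(iter(self.cache)), "cache full")
            entry = FlowEntry(key, now, now)
            self.cache[key] = entry
        entry.last_seen = now
        entry.pkts += 1
        entry.byte_count += pkt["len"]
        entry.tcp_flags |= pkt.get("flags", 0)
        self.cache.move_to_end(key)
        if pkt["proto"] == 6 and entry.tcp_flags & (FIN | RST):
            self._expire(key, "RST or FIN")


def protocol_port_aggregate(entries):
    """Steps 3/4: the protocol-port scheme keeps only Protocol, SrcPort and DstPort
    and sums packets and bytes; Bytes/Pkt is derived from the sums."""
    agg = {}
    for e in entries:
        k = (e.key[3], e.key[5], e.key[6])
        a = agg.setdefault(k, [0, 0])
        a[0] += e.pkts
        a[1] += e.byte_count
    return {k: (p, b, round(b / p, 1)) for k, (p, b) in agg.items()}


def pkt(src, dst, proto, sport, dport, length, flags=0):
    return {"src_if": "Fa1/0", "src": src, "dst": dst, "proto": proto, "tos": 0,
            "sport": sport, "dport": dport, "len": length, "flags": flags}


def run_demo():
    """Constructed packet trace that triggers every expiration reason on the slide."""
    c = NetFlowCache()
    srv = "10.0.227.12"
    c.update(pkt("173.100.21.2", srv, 17, 162, 162, 1528), 0)             # UDP flow A
    c.update(pkt("173.100.3.2", srv, 6, 40001, 21, 60, SYN), 1)            # TCP flow B
    c.update(pkt("173.100.3.2", srv, 6, 40001, 21, 60, ACK), 2)
    c.update(pkt("173.100.3.2", srv, 6, 40001, 21, 1400, ACK), 3)
    c.update(pkt("173.100.3.2", srv, 6, 40001, 21, 60, FIN | ACK), 4)      # B exported: FIN
    c.update(pkt("173.100.21.2", srv, 17, 162, 162, 1528), 5)             # A refreshed
    c.update(pkt("173.100.20.2", srv, 6, 50000, 80, 60, SYN), 10)          # TCP flow C
    c.update(pkt("173.100.6.2", srv, 6, 50001, 80, 60, SYN), 12)           # D
    c.update(pkt("173.100.7.2", srv, 6, 50002, 443, 60, SYN), 13)          # E (cache now full)
    c.update(pkt("173.100.8.2", srv, 6, 50001, 80, 60, SYN), 14)           # F: A exported, cache full
    c.update(pkt("173.100.20.2", srv, 6, 50000, 80, 60, ACK), 20)          # C refreshed
    c.update(pkt("173.100.20.2", srv, 6, 50000, 80, 1400, ACK), 30)        # D, E, F exported: inactive
    for t in range(40, 1810, 10):                                           # C stays busy for 30 minutes
        c.update(pkt("173.100.20.2", srv, 6, 50000, 80, 1400, ACK), t)
    c.age(1810)                                                             # C exported: active timer
    return c


if __name__ == "__main__":
    cache = run_demo()
    for reason, e in cache.exported:
        print(f"{reason:15} {e.key[1]:>13} -> {e.key[2]} proto={e.key[3]} pkts={e.pkts} bytes={e.byte_count}")
    print(protocol_port_aggregate([e for _, e in cache.exported]))
```

The trace shows why the active timer matters for detection: a long-lived flow such as C is reported only every 30 minutes (less, if the timer is lowered), so a collector sees nothing about it until the first active-timer export, while short flows such as B appear as soon as the FIN arrives.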
  • 18. NetFlow v9 export packet format
    Header, followed by FlowSets:
    • Template FlowSet: Template Record ID #1, Template Record ID #2, ... (specific field types and lengths)
    • Data FlowSet ID #1: Data Record (field values)
    • Data FlowSet ID #2: Data Record (field values)
    • Data FlowSet ID #1: Data Record (field values)
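Slide 18 shows the template-driven layout of a v9 export packet, and slide 32 lists the extra fields (TCP flags among them) that v9 templates can carry. The code below is an added example, not part of the presentation or any Cisco or Lancope software: it builds a v9 packet with a template FlowSet and a data FlowSet and parses it back, including the case every collector has to handle, a data FlowSet that arrives before its template. The FlowSet ID values (0 for templates, 256 and above for data) and the field type numbers are those of RFC 3954; the template contents and the two flow records are constructed for the example.

```python
import ipaddress
import struct

# NetFlow v9 field types (RFC 3954, section 8) used in this example.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 6: "tcp_flags",
               7: "src_port", 8: "src_addr", 11: "dst_port", 12: "dst_addr"}
IPV4_FIELDS = {8, 12}

# Constructed template: (field type, length in bytes) pairs, 22 bytes per record.
TEMPLATE_ID = 256
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (1, 4), (2, 4)]

# Constructed data records (a UDP flow and a completed TCP session).
SAMPLE_RECORDS = [
    {"src_addr": "173.100.21.2", "dst_addr": "10.0.227.12", "src_port": 162, "dst_port": 162,
     "protocol": 17, "tcp_flags": 0x00, "in_bytes": 3056, "in_pkts": 2},
    {"src_addr": "173.100.3.2", "dst_addr": "10.0.227.12", "src_port": 40001, "dst_port": 21,
     "protocol": 6, "tcp_flags": 0x1b, "in_bytes": 1580, "in_pkts": 4},
]

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                  (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]


def tcp_flag_names(flags):
    """Expand the cumulative TCP_FLAGS byte that v9 adds over v5."""
    return [name for bit, name in TCP_FLAG_NAMES if flags & bit]


def _encode(ftype, length, value):
    if ftype in IPV4_FIELDS:
        return ipaddress.IPv4Address(value).packed
    return int(value).to_bytes(length, "big")


def _decode(ftype, raw):
    if ftype in IPV4_FIELDS:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def build_template_flowset(template_id, fields):
    """FlowSet ID 0: template record = template ID, field count, (type, length) pairs."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_flowset(template_id, fields, records):
    """FlowSet ID = template ID; records are raw field values in template order, padded to 4 bytes."""
    body = b"".join(_encode(t, l, rec[FIELD_NAMES[t]]) for rec in records for t, l in fields)
    body += b"\x00" * ((-len(body)) % 4)
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def build_packet(flowsets, count, seq, source_id=1, sys_uptime=0, unix_secs=0):
    """20-byte v9 header followed by the FlowSets; `count` is the number of records in the packet."""
    return struct.pack("!HHIIII", 9, count, sys_uptime, unix_secs, seq, source_id) + b"".join(flowsets)


def parse_packet(data, templates):
    """Decode one export packet. `templates` is the collector's template cache for
    this exporter and persists across packets; data FlowSets whose template has not
    arrived yet cannot be decoded and are counted rather than guessed at."""
    version, count, sys_uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, undecodable, off = [], 0, 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        if fs_len < 4 or off + fs_len > len(data):
            raise ValueError("malformed FlowSet length")
        body = data[off + 4:off + fs_len]
        if fs_id == 0:                       # template FlowSet: may carry several templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256:                   # data FlowSet (ID 1 = options template, ignored here)
            fields = templates.get(fs_id)
            if fields is None:
                undecodable += 1
            else:
                rec_len = sum(l for _, l in fields)
                for p in range(0, len(body) - rec_len + 1, rec_len):
                    rec, q = {}, p
                    for t, l in fields:
                        rec[FIELD_NAMES.get(t, f"field_{t}")] = _decode(t, body[q:q + l])
                        q += l
                    records.append(rec)
        off += fs_len
    return {"seq": seq, "source_id": source_id, "records": records, "undecodable_flowsets": undecodable}


def round_trip():
    """Deliver the data before its template, then the template, then the data again."""
    templates = {}
    data_pkt = build_packet([build_data_flowset(TEMPLATE_ID, TEMPLATE_FIELDS, SAMPLE_RECORDS)], count=2, seq=2)
    tmpl_pkt = build_packet([build_template_flowset(TEMPLATE_ID, TEMPLATE_FIELDS)], count=1, seq=1)
    first = parse_packet(data_pkt, templates)      # template unknown: 0 records, 1 undecodable FlowSet
    parse_packet(tmpl_pkt, templates)              # learns template 256
    second = parse_packet(data_pkt, templates)     # now decodes both records
    return first, second
```

Because templates travel in band over UDP, a collector that restarts, or that starts listening after the exporter last re-sent its templates, decodes nothing until the next template refresh; the `undecodable_flowsets` counter is the kind of health signal worth alerting on, since a silent collector looks the same as a quiet network.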
  • 19. Flexible NetFlow components
    [Diagram: an Interface carries Monitors “A”, “B” and “C”; each monitor points at a Record (“X”, “Y”, “Z”) and an Exporter (“M” or “N”)]
    • A single record per monitor
    • Potentially multiple monitors per interface
    • Potentially multiple exporters per monitor
  • 20. Configuring Flexible NetFlow
    1. Configure the exporter (where do I want my data sent?)
       Router(config)# flow exporter my-exporter
       Router(config-flow-exporter)# destination 1.1.1.1
    2. Configure the flow record (what data do I want to meter?)
       Router(config)# flow record my-record
       Router(config-flow-record)# match ipv4 destination address
       Router(config-flow-record)# match ipv4 source address
       Router(config-flow-record)# collect counter bytes
    3. Configure the flow monitor (how do I want to cache information?)
       Router(config)# flow monitor my-monitor
       Router(config-flow-monitor)# exporter my-exporter
       Router(config-flow-monitor)# record my-record
    4. Apply to an interface (which interface do I want to monitor?)
       Router(config)# interface s3/0
       Router(config-if)# ip flow monitor my-monitor input
  • 21. Flexible NetFlow key fields
    Flow: Sampler ID; Direction; Interface Input; Interface Output
    IPv4: IP (source or destination); Prefix (source or destination); Mask (source or destination); Minimum-Mask (source or destination); Protocol; Fragmentation Flags; Fragmentation Offset; Identification; Header Length; Total Length; Payload Size; Packet Section (Header); Packet Section (Payload); TTL; Options bitmap; Version; Precedence; DSCP; TOS
    IPv6: IP (source or destination); Prefix (source or destination); Mask (source or destination); Minimum-Mask (source or destination); Protocol; Traffic Class; Flow Label; Option Header; Header Length; Payload Length; Payload Size; Packet Section (Header); Packet Section (Payload); DSCP; Extension Headers; Hop-Limit; Length; Next-header; Version
    Layer 2 (marked NEW on the slide): Source VLAN; Dest VLAN; Dot1q VLAN; Dot1q priority; Source MAC address; Destination MAC address
  • 22. Flexible NetFlow key fields (continued)
    Routing: src or dest AS; Peer AS; Traffic Index; Forwarding Status; Multicast Replication Factor*; IGP Next Hop; BGP Next Hop; RPF Check Drop*; Input VRF Name; Is-Multicast
    Transport: Destination Port; Source Port; ICMP Code; ICMP Type; IGMP Type*; TCP ACK Number; TCP Header Length; TCP Sequence Number; TCP Window-Size; TCP Source Port; TCP Destination Port; TCP Urgent Pointer; UDP Message Length; UDP Source Port; UDP Destination Port; TCP Flags: ACK, CWR, ECE, FIN, PSH, RST, SYN, URG
    Application: Application ID (NEW: 2 or 4 bytes)
  • 23. Flexible NetFlow non-key (collect) fields
    Counters: Bytes; Bytes Long; Bytes Square Sum; Bytes Square Sum Long; Packets; Packets Long
    Timestamp: sysUpTime First Packet; sysUpTime Last Packet
    IPv4: Total Length Minimum (*); Total Length Maximum (*); TTL Minimum; TTL Maximum
    IPv4 and IPv6: Total Length Minimum (**); Total Length Maximum (**)
    • Plus any of the potential “key” fields: will be the value from the first packet in the flow
    (*) IPV4_TOTAL_LEN_MIN, IPV4_TOTAL_LEN_MAX; (**) IP_LENGTH_TOTAL_MIN, IP_LENGTH_TOTAL_MAX
  • 24. Why flow visibility at the access layer
    • Complexity of cyber threats drives the need for greater flow visibility within the access layer: prevent threats by detecting during the “recon” phase (prevent port/network scan, threat recon for finding networks, etc.)
    • Need granular data available at the local network edge to capture customized threats: sampling and granularity are better at the edge, with fewer false positives
    • Threats run “low and slow” and cover their own tracks: local detection is required to prevent widespread local host infection
  • 25. Attack bypasses perimeter and traverses network; attack traversing network generates macro NetFlow; analyst manually collects context
    ACTIVE FLOWS: 728,345
    SRC/65.32.7.45
      DST/171.54.9.2/US : HTTP
      DST/34.1.5.78/Venus : HTTPS
      DST/165.1.4.9/Mars : FTP
      DST/123.21.2.5/US : AIM
      DST/91.25.1.1/US : FACEBOOK
    Context the analyst must gather for 65.32.7.45 by hand: Reputation? Device? User? Events? Posture? Vulnerability, AV, Patch
  • 26. Attack bypasses perimeter and traverses network; NetFlow at the access layer provides greater granularity; single pane of glass automates context collection
    ACTIVE FLOWS: 23,892
    SRC/65.32.7.45
      DST/171.54.9.2/US : HTTP
      DST/34.1.5.78/Venus : HTTPS
      DST/165.1.4.9/Mars : FTP
      DST/123.21.2.5/US : AIM
      DST/91.25.1.1/US : FACEBOOK
    SRC/65.32.7.45 DST/165.1.4.9/Mars : FTP
      Context: User/ORG = Pat Smith, R&D; Client = IBM XYZ100; DST = Poor Reputation
  • 27. StealthWatch console callouts
    • Pull up identity information from Cisco ISE with username, auth group, posture, device profile
    • Drill into event detail
    • Customizable “Data Loss” alarm
    • Query Cisco SenderBase for host reputation information
    • Customizable volume of traffic exfiltrated and % outgoing traffic
    • Alarm delivers alerts prioritized by severity level
  • 28. Visualize communications activity among hosts: “Who’s Talking to Who” visualization; threat patterns by severity type, with a threat view or by threat associated
  • 29. StealthWatch architecture
    Visibility and Management: aggregate up to 25 FlowCollectors; up to 1.5 million flows per second
    Flow Aggregation, Analysis, Content: stores and analyzes flows from up to 2,000 flow sources at up to 120K flows per second; ISE, SIO, NBAR provide threat content
    Threat Context: Identity: Cisco ISE; Reputation: Cisco SIO; Application: NBAR on Cisco routers
    Flow Exporters (NetFlow is generated by): Cisco switches, routers, ASA 5500; FlowSensors in areas without flow support
  • 31. Deployment options
    Generating NetFlow Telemetry
    • Lowest cost, fewest boxes. Option 1: generate NetFlow from Cisco infrastructure
    • Overlay for legacy infrastructure. Option 2: use StealthWatch FlowSensors to generate NetFlow
    Gathering Identity Context
    • Complete AAA, device profiling, posture context. Option 1: deploy Cisco ISE as user/device policy infrastructure
    • Integration with existing infrastructure, separate AAA operations. Option 2: Cisco ISE and AAA/AD proxy into existing AAA infrastructure; no device profiling or posture context
  • 32. NetFlow v5 vs. NetFlow v9
    NetFlow v5 captures essential information regarding traffic patterns: source/dest IP and port; packet counts; byte counts; flow duration; I/O interfaces; DSCP/TOS info. Useful for Layers 3 and 4 traffic pattern analysis.
    NetFlow v9 extends NetFlow v5 by adding: numerous TCP flags/counters; flow direction; fragmentation flags; ICMP and IGMP info; header stats; time-to-live; destination routing info. Provides insight into malformed packets, protocol manipulation, and direction of traffic.
    NetFlow v5 is useful, but NetFlow v9 delivers greater insight.
  • 33. Cisco Cyber Threat Defense 1.1: Summer 2012
    • New threat dashboards: command/control traffic detection; recon detection
    • High availability for ISE context
    • New validated platforms: ASR1000; Cisco WLAN (Unified); Cisco NetFlow Generator
  • 34. Cisco NetFlow Generator delivers superior price/performance. Lancope FlowSensor provides better application visibility and management integrated in the StealthWatch Management Console.
    Lancope FlowSensor vs. Cisco NetFlow Generator:
    • Number of models: 5 vs. 1
    • Highest scale: 5 Gbps vs. 40 Gbps
    • Price: $4,695 to $82,995 vs. NTE $20,000
    • Application detection: dedicated app DPI vs. IPFIX app IDs
    • VM flow generation: Yes vs. No
    • Management: unified—StealthWatch vs. device GUI
    • Tested for Cisco Cyber Threat Defense: Yes vs. Summer 2012
    • Availability: Now vs. Summer 2012