Cisco Cyber Threat Defense Solution 1.0 (2012 San Diego)
The Cisco Cyber Threat Defense Solution 1.0 provides a proactive capability in identifying threats operating on the internal network. The solution extensively leverages network intelligence to provide deep and pervasive visibility across the entire network allowing the security analyst to understand the “who, what, when, where, why and how” of network traffic to identify suspicious activity. This approach provides the operator greater visibility into the nature of suspicious activity in the access and distribution layers where traditional network security platforms are usually not present. Deploying the Cisco Cyber Threat Defense Solution 1.0 pervasively across the entire network can provide the information and necessary visibility to support the security analyst in a number of tasks including the ability to detect the occurrence of a data loss event, detect network reconnaissance activity on the internal network, detect and monitor the spread of malware throughout the internal network and detect botnet command and control channels on the internal network.

Cisco Live 365: https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=4559

    Presentation Transcript

    • Cisco Cyber Threat Defense Solution 1.0 (PSOSEC-3824) © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
    • Contents
      1. Introduction to the Cisco Cyber Threat Defense Solution 1.0
      2. Technical overview of the Cisco Cyber Threat Defense Solution 1.0
      3. Using the Cisco Cyber Threat Defense Solution to:
         1. Detect suspect data loss
         2. Identify reconnaissance activity
         3. Detect command and control channels
         4. Detect internally spreading malware
    • We Are All Under Attack
      Cyber threats impact the security and economic viability of nations and businesses alike: manipulation, theft and espionage, disruption.
    • The Impact of Complex Cyber Threats
      Sophisticated attacks with specific high-stakes intent
      - 49% of threats are customized for the target environment [1]
      - $1T/year private sector revenue loss from cyber espionage [2]
      - 5X increase in attacks against US Government, 2006 to 2009 [3]
      Compromise is not if, but when
      - 59% of organizations believe they have been cyber threat targets [4]
      - 46% believe they are still highly vulnerable despite increased prevention investments [5]
      Customers investing to respond
      - 52% invested in network anomaly analysis/detection [6]
      - 77% increase investment in security solutions in reaction to cyber threats [7]
      Sources: [1] Verizon Data Breach Report; [2] US House Intelligence; [3] Cyber Market Forecast; [4] ESG APT Report; [5–7] ESG
    • Key Challenges: Complex Threat Visibility
      Breached, but how, where and who?
      - Often very difficult to find
      - Attacks are hidden by day-to-day operations
      Disparate data sources
      - No single system provides all data to decipher an attack
      - Attacks can span devices, individuals, time, etc.
      Context is critical
      - Multiple data sources required: identity, reputation, vulnerability, device type, etc.
      - Analysts collect and assemble contextual information from a variety of sources
    • Leverage the Network for Threat Defense
      [Diagram: NetFlow-capable devices, VPN devices and the internal network supply the who, what, when, where and how of traffic]
      - Use NetFlow data to extend visibility to the access layer
      - Unite flow data with identity and application for context
      - Visibility, context, and control
    • Cyber Threat Defense Solution Components
      [Diagram: Cisco network and users/devices export NetFlow to StealthWatch FlowSensor / FlowSensor VE and StealthWatch FlowReplicator, which feed the StealthWatch FlowCollector; the StealthWatch Management Console talks to the FlowCollector, Cisco ISE and other tools/collectors over HTTPS]
    • Visibility, Context, Control
      Visibility (Cisco ISE, Cisco NetFlow): use network infrastructure to identify users; monitor behavior through collecting and analyzing access-layer NetFlow data
      Context (StealthWatch, vulnerability management, AV console, patch management): unite NetFlow analysis with identity and application services to provide context. Device? User? Events? Posture? (diagram example host 65.32.7.45)
      Control (Cisco ISE, Cisco network): leverage the Cisco network as enforcement points for increased control, such as remediation or quarantining of the affected host or user
    • Attack Detection Without Signatures, Using Flow-Based Algorithms Inside Lancope StealthWatch
      A high Concern Index indicates a significant number of suspicious events.
      Host Group: Desktops | Host: 10.201.3.23 | CI: 338,137,280 | CI%: 112,712% | Alarms/Alerts: Ping_Oversized_Packet
    • Identify Threats and Assign Attribution
      Leveraging an integration between Cisco ISE and Lancope StealthWatch.
      Policy: Inside Hosts | Start Active Time: 8-Feb-2012 | Alarm: Suspect Data Loss | Source Host: 10.34.74.123 | Source Group: Wired Data | Source User Name: Bob | Target: Multiple Hosts
    • Easily Find All Traffic for a Given User
      Start Active Time: 13-Feb-2012 | End Active Time: Current | Host: 10.34.141.64 | User Name: Bob | Device Type: Microsoft-Workstation | Host Groups: Catch All | Network Access Device: SJ-Access (10.10.10.10) | Network Access Device Interface: GigabitEthernet1/20
    • Take Network Action
      Take action against the offending client via the ISE console: Endpoint Protection Services, quarantine or port shut.
    • Cyber Threat Defense Solution Architecture
      [Diagram, left to right: Devices, Access, Distribution, Edge, Management]
      - Branch: ISR, Catalyst 3750-X, access point
      - Campus: Catalyst 3750-X stack, Catalyst 3560-X, Catalyst 4500, Catalyst 6500, WLC, access point
      - Edge: ASA (site-to-site VPN, remote access)
      - Management: StealthWatch FlowCollector (collect and analyze NetFlow records); StealthWatch Management Console (correlate and display flow and identity info); Cisco ISE (identity; Cisco TrustSec access control, profiling and posture; AAA services, profiling and posture assessment)
      - NetFlow-capable, scalable NetFlow infrastructure
    • Cyber Threat Defense Solution Components
      Component | Hardware | Release | Image Type and License
      Catalyst 3500-X | Version ID: 02, Revision 0x03, 10GE Service Module | 15.0(1)SE | Universal and IP Services
      Catalyst 4500E Series | Supervisor 7E | IOS-XE 3.02.01.SG | Universal and IP Base
      Catalyst 4500E Series | Supervisor 7L-E | IOS-XE 3.02.00.XO | Universal and IP Base
      Catalyst 6500 Series | Supervisor 2T | 12.2(50)SY | Advanced Enterprise Services
      ISR G2 | Any | 15.1(2)T3 | Universal and IP Base
      Adaptive Security Appliance | Any | 8.4.3 | Any
      Identity Services Engine | Any | 1.1 | Any
      Lancope StealthWatch Management Console | Any | 6.2 | Any
      Lancope StealthWatch FlowCollector | Any | 6.2 | Any
      Lancope StealthWatch FlowSensor | Any | 6.2 | Any
      Lancope StealthWatch FlowReplicator | Any | 5.6.1 | Any
    • StealthWatch FlowSensor Architecture
      Provides NetFlow visibility in areas of the network without NetFlow support.
      [Diagram: non-NetFlow device -> SPAN or TAP -> StealthWatch FlowSensor (L1/L2-adjacent) -> NetFlow -> StealthWatch FlowCollector]
      - Must be L1 or L2 adjacent to the source devices
      - Adds details not found in traditional NetFlow: limited Layer-7 information, latency statistics
    • Cyber Threat Defense Management Components
      StealthWatch FlowCollector
      - Collects, stores and analyzes NetFlow records from up to 2000 flow sources at up to 120K flows/second
      - De-duplication of flow records
      - Real-time traffic analysis
      StealthWatch Management Console
      - Centralized management for multiple StealthWatch FlowCollectors
      - Real-time data correlation, traffic visualization and consolidated reporting
      - Graphical representation of network traffic
      - Collect from up to 25 FlowCollectors for up to 3M flows per second
      Cisco ISE
      - Provides identity, profiling and context information
    • Optional Management Component: StealthWatch FlowReplicator
      [Diagram: NetFlow from the network enters the StealthWatch FlowReplicator, which forwards copies to the StealthWatch FlowCollector, other traffic analysis software and Cisco ISE; the StealthWatch Management Console sits above the FlowCollector]
      - High-speed UDP packet replicator
      - Replicates and redistributes NetFlow, syslog or SNMP traps to various collectors
      - All enterprise devices can have a single standardized NetFlow destination
    • Detecting Suspect Data Loss
      1. Infected host opens a connection and exports data (internal network, NetFlow-capable devices)
      2. Infrastructure generates a record of the event using NetFlow
      3. Collection and analysis of NetFlow data (StealthWatch FlowCollector)
      4. Contextual information added to the NetFlow analysis (Cisco ISE)
      5. Suspect Data Loss alarm triggered (StealthWatch Management Console)
    • Detecting Suspect Data Loss
      Policy: Inside Hosts | Start Active Time: 8-Feb-2012 | Alarm: Suspect Data Loss | Source Host: 10.34.74.123 | Source Group: Wired Data | Source Username: Bob | Target: Multiple Hosts | Details: Observed 4.08G bytes. Policy maximum allows up to 81.92M bytes.
    • Identifying Reconnaissance Activity
      1. Infected host performs random pings and sweeps in the internal network (NetFlow-capable devices)
      2. Infrastructure generates records of the activity using NetFlow
      3. Collection and analysis of NetFlow data (StealthWatch FlowCollector)
      4. Contextual information added to the NetFlow analysis (Cisco ISE)
      5. Concern Index increased; suspicious network scanning activity alarms generated (StealthWatch Management Console)
    • Identifying Reconnaissance Activity
      A high Concern Index indicates a significant number of suspicious events.
      Host Group: Desktops | Host: 10.201.3.23 | CI: 338,137,280 | CI%: 112,712% | Alarms/Alerts: Ping_Oversized_Packet
    • Detecting Command and Control
      1. Infected host opens a connection from inside (NetFlow-capable devices)
      2. Commands are sent in the return traffic
      3. Infrastructure generates a record of the communication using NetFlow
      4. Collection and analysis of NetFlow data (StealthWatch FlowCollector)
      5. Contextual information added to the NetFlow analysis (Cisco ISE)
      6. Concern Index increased; Host Lock Violation alarm triggered (StealthWatch Management Console)
    • Detecting Command and Control
      Alarm indicating communication with known BotNet Controllers (callouts: IP address, source user name, policy that triggered the alarm).
      Policy: Inside Hosts | Start Active Time: Jan 27, 2012 | Alarms: Host Lock Violation | Source Host: 10.35.88.171 | Source Groups: Remote VPN | Source User Name: Bob | Target Host: ZeusServer.com | Target Group: Zeus BotNet Controllers
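    The three flow-based checks the deck walks through above (suspect data loss against a policy byte maximum, reconnaissance via a rising count of distinct ping targets, and a host-lock violation for traffic to a "BotNet Controllers" group) as one added example. This is illustrative logic written for this page, not StealthWatch's algorithms; the host groups, thresholds, identity map and flow records are constructed.

```python
"""Illustrative flow-policy checks modelled on the deck's alarms (not StealthWatch code)."""
import ipaddress
from collections import defaultdict

# Constructed host groups and policy values, modelled on the slides
INSIDE_HOSTS = ipaddress.ip_network("10.0.0.0/8")
BOTNET_CONTROLLERS = {"203.0.113.7"}     # constructed TEST-NET address standing in for a C2 host
DATA_LOSS_MAX_BYTES = 81_920_000         # slide: "Policy maximum allows up to 81.92M bytes"
RECON_DISTINCT_TARGETS = 50              # assumed scan threshold before alarming
IDENTITY = {"10.34.74.123": "Bob", "10.201.3.23": "Alice"}   # constructed ISE user context

# Constructed NetFlow-style records: (src, dst, proto, dst_port, bytes from src to dst)
FLOWS = [
    ("10.34.74.123", "198.51.100.9", "tcp", 443, 4_080_000_000),   # 4.08G bytes out
    ("10.35.88.171", "203.0.113.7", "tcp", 80, 1_200),             # talks to a C2 host
] + [("10.201.3.23", f"10.201.4.{i}", "icmp", 0, 64) for i in range(1, 81)]   # ping sweep


def analyze(flows):
    """Return a list of (alarm, source host, user, detail) tuples for inside hosts."""
    bytes_out = defaultdict(int)    # bytes each inside host sent to outside hosts
    ping_targets = defaultdict(set)  # distinct hosts each inside host pinged
    alarms = []
    for src, dst, proto, _port, nbytes in flows:
        if ipaddress.ip_address(src) not in INSIDE_HOSTS:
            continue  # the policies apply to the Inside Hosts group only
        if ipaddress.ip_address(dst) not in INSIDE_HOSTS:
            bytes_out[src] += nbytes
        if dst in BOTNET_CONTROLLERS:  # host lock: inside hosts must never reach this group
            alarms.append(("Host Lock Violation", src, IDENTITY.get(src, "unknown"), dst))
        if proto == "icmp":
            ping_targets[src].add(dst)
    for src, total in bytes_out.items():
        if total > DATA_LOSS_MAX_BYTES:
            alarms.append(("Suspect Data Loss", src, IDENTITY.get(src, "unknown"), total))
    for src, targets in ping_targets.items():
        if len(targets) >= RECON_DISTINCT_TARGETS:
            alarms.append(("Suspicious Network Scanning", src,
                           IDENTITY.get(src, "unknown"), len(targets)))
    return alarms


if __name__ == "__main__":
    for alarm in analyze(FLOWS):
        print(alarm)
```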
    • Detecting Internally Spreading Malware
      1. Infection propagates throughout the internal network as the attacker executes their objective (initial infection, then secondary and, on the next build of the slide, tertiary infection)
      2. Infrastructure generates records of the activity using NetFlow
      3. Collection and analysis of NetFlow data (StealthWatch FlowCollector)
      4. Contextual information added to the NetFlow analysis (Cisco ISE)
      5. Concern Index increased; worm propagation alarm generated (StealthWatch Management Console)
    • Detecting Internally Spreading Malware
      [Screenshot callouts: IP address; alarm indicating this host touched another host which then began exhibiting the same suspicious behavior; suspicious activity that triggered the alarm]
    • Infection Tracking
      Initial infection -> secondary infection -> tertiary infection
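    The worm-propagation rule on the two slides above ("this host touched another host which then began exhibiting the same suspicious behavior"), as an added example that reconstructs the initial/secondary/tertiary chain from constructed alarm times and flow records. It is illustrative logic written for this page, not StealthWatch's implementation.

```python
"""Illustrative infection-chain tracking from alarm times plus host-to-host flows."""

# Constructed: minute at which each host first raised the suspicious-activity alarm
FIRST_ALARM = {"10.1.1.10": 0, "10.1.1.20": 12, "10.1.1.30": 25, "10.1.1.40": 40}

# Constructed NetFlow-style "touch" records: (minute, src host, dst host)
TOUCHES = [
    (5, "10.1.1.10", "10.1.1.20"),   # alarmed host touches a host that alarms later
    (15, "10.1.1.20", "10.1.1.30"),
    (30, "10.1.1.40", "10.1.1.30"),  # 10.1.1.40 is not yet alarmed at minute 30: not a parent
    (35, "10.1.1.30", "10.1.1.40"),
    (50, "10.1.1.99", "10.1.1.10"),  # 10.1.1.99 never alarmed: ignored
]

GENERATION_NAMES = ["initial", "secondary", "tertiary"]


def infection_chain(first_alarm, touches):
    """Map each alarmed host to (generation, parent); generation 0 is the initial infection.

    A host is attributed to the earliest touch from a host that was already exhibiting
    the behaviour at touch time, provided the touched host alarmed only afterwards.
    """
    parent = {}
    for minute, src, dst in sorted(touches):
        if src not in first_alarm or dst not in first_alarm or dst in parent:
            continue
        if first_alarm[src] <= minute < first_alarm[dst]:
            parent[dst] = src

    result = {}

    def generation(host):
        if host not in result:
            gen = 0 if host not in parent else generation(parent[host]) + 1
            result[host] = (gen, parent.get(host))
        return result[host][0]

    for host in first_alarm:
        generation(host)
    return result


def generation_name(gen):
    """Human-readable label as used on the slides; later generations get a number."""
    return GENERATION_NAMES[gen] if gen < len(GENERATION_NAMES) else f"generation {gen}"


if __name__ == "__main__":
    for host, (gen, parent) in sorted(infection_chain(FIRST_ALARM, TOUCHES).items()):
        print(f"{host}: {generation_name(gen)} infection, via {parent}")
```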
    • Cisco Cyber Threat Defense Solution Perimeters are being breached ‒ Traditional fortified security approaches alone are no longer sufficient The Network takes a lead role in Threat Defense ‒ Visibility is provided through NetFlow ‒ Context is provided through identity and application services ‒ Control points are available in the network For more information: http://www.cisco.com/go/cybersecurityPSOSEC-3824 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
    • Complete Your Online Session Evaluation
      Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete.
      Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
      Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
    • Final Thoughts
      Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042.
      Come see demos of many key solutions and products in the main Cisco booth 2924.
      Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
      Follow Cisco Live! using social media:
      ‒ Facebook: https://www.facebook.com/ciscoliveus
      ‒ Twitter: https://twitter.com/#!/CiscoLive
      ‒ LinkedIn Group: http://linkd.in/CiscoLI