Source Fire Handling Network Threat
Network Security Monitoring (Mike Mercier)
Speaker note (traffic-processing slide): 1 – We process traffic from bottom to top. 2 – Right up front we do Security Intelligence: IP Reputation: EVENTS!!! Application ID: port-agnostic application protocol, web application, client application.
Slide transcript

1. Local Edition (title slide)
2. Network Monitoring, Malware, and Responding to Advanced Cyber Threats
   Mike Mercier
   © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
3. Agenda
   • Goals for Threat Detection & Response / Challenges
   • Preparing for the Threat
   • Real-Time Detection and Response
   • Finding the Unexpected
   • Completing the Threat “Kill Chain”
4. Network Security Monitoring
   The collection, analysis, and escalation of indications and warnings to detect (or block) and respond to the wide range of attacks that are in your network.
   GOAL: To find and resolve every security-relevant condition.
5–8. Know your Attack Continuum (one diagram, built up over four slides)
   BEFORE: Discover, Enforce, Harden
   DURING: Detect, Block, Defend
   AFTER: Scope, Contain, Remediate
   DISCOVER: Network Visibility – Asset Awareness – Vulnerability Intelligence
   DETECT & BLOCK: Threat Detection & Change Awareness
   AFTER: Forensics – Remediation – Building a Story
9. Tools We Need (laid over the Attack Continuum)
   • Network IPS
   • Real-Time Asset Info (Vulnerability & Risk)
   • File Detection / Tracking
   • Traffic / Flow Monitoring
   • Correlation Tools
   • Detail Logging / Visualization
10. Agenda – BEFORE: Discover, Enforce, Harden (section divider; same agenda as slide 3, with the last item now “Telling the Story”)
11. Gain Visibility – Deploying Visibility of the Network
   • NGIPS Placement
     ‒ On the Perimeter
     ‒ Inside the Network
     ‒ Know where the import
   • Network Intelligence
     ‒ Collecting Data from the wire
     ‒ Best places to get this data
     ‒ Inline, Tap or SPAN?
   • Know what type of data is relevant and where to find it
12. The More You Know, the Better Off You Are
   Processing stages, as listed on the slide: Traffic, Data Acquisition, Stream Re-assembly, IP Defragmentation, Packet Decode, Security Intelligence, Application Identification, NGFW Rules, Network Discovery, IPS, Network AMP, URL Reputation, User IP Mapping.
   Information produced: Packet Collection; Reputation; Normalization; Application Content; Operating Systems; Vulnerability; Services / Client Apps; Users, GEO, Devices; Traffic and Application Flow; File Data (Type or Malware); Trajectory; Real-Time Change; Current State Information.
13. How data can be leveraged BEFORE
   • Application Data tells you where you need to refine enforcement policies
     ‒ Show the breadth of visible application information
   • Host Profiles tell you about Risk / Vulnerabilities
     ‒ Can auto-tune, removing the FALSE NEGATIVE
   • So Many Events!
     ‒ Impact Analysis: focus only on what can exploit you or already HAS exploited you
   • White Listing for Real-Time change
14. Agenda – DURING: Detect, Block, Defend (section divider)
15. The “Easy” Stuff
   • Impact 1 Events NOT stopped
   • Indicators of Compromise (Often Outbound)
   • Malware Detections
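The Impact Analysis of slide 13 and the "Impact 1 Events NOT stopped" of slide 15 rest on one correlation: the IPS event is only urgent if the target host is known to run the attacked service and to carry the vulnerability the rule fires on. The example below is added here and is not code from the deck or from Cisco/Sourcefire; the four-level scheme is a simplified model of the deck's "Impact 1" idea, and the host profiles, rule metadata, vulnerability IDs and events are constructed sample data.

```python
"""Impact-style triage of IPS events against passively learned host profiles.

Added example; not code from the deck or from Cisco/Sourcefire. The four
levels are a simplified scheme modelled on the deck's "Impact 1" idea: an
event is most urgent when the target host is known, runs the attacked
service, and carries a vulnerability the rule targets. Host profiles,
rule metadata and events below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostProfile:
    ip: str
    os_name: str
    services: frozenset   # (proto, port) pairs seen listening
    vulns: frozenset      # vulnerability IDs mapped to this host (placeholders)


@dataclass(frozen=True)
class Rule:
    sid: int
    name: str
    vuln_refs: frozenset  # vulnerabilities whose exploitation the rule detects


@dataclass(frozen=True)
class Event:
    sid: int
    src: str
    dst: str
    proto: str
    dst_port: int
    blocked: bool         # True if the sensor dropped the session inline


def impact(event, rule, hosts):
    """Return 1 (vulnerable) .. 4 (unknown target) for one IPS event."""
    host = hosts.get(event.dst)
    if host is None:
        return 4  # no profile for the target: exposure cannot be judged
    if (event.proto, event.dst_port) not in host.services:
        return 3  # host known, but the attacked service was never seen there
    if rule.vuln_refs & host.vulns:
        return 1  # service present AND the targeted vulnerability is mapped
    return 2      # service present, vulnerability not confirmed


def triage(events, rules, hosts):
    """Impact 1 events the sensor did NOT stop: the ones to work first."""
    scored = [(impact(e, rules[e.sid], hosts), e) for e in events]
    return [e for level, e in scored if level == 1 and not e.blocked]


# Constructed inventory: what passive discovery learned about two hosts.
HOSTS = {
    "10.0.0.5": HostProfile("10.0.0.5", "Windows",
                            frozenset({("tcp", 445), ("tcp", 3389)}),
                            frozenset({"VULN-A"})),
    "10.0.0.9": HostProfile("10.0.0.9", "Linux",
                            frozenset({("tcp", 22), ("tcp", 80)}),
                            frozenset()),
}

# Constructed rule metadata (placeholder SIDs and vulnerability IDs).
RULES = {
    1001: Rule(1001, "SMB exploit attempt", frozenset({"VULN-A"})),
    2002: Rule(2002, "HTTP server exploit attempt", frozenset({"VULN-B"})),
}

# Constructed events: the same signature can mean very different urgency.
EVENTS = [
    Event(1001, "198.51.100.4", "10.0.0.5", "tcp", 445, blocked=False),  # Impact 1, not stopped
    Event(1001, "198.51.100.4", "10.0.0.5", "tcp", 445, blocked=True),   # Impact 1, but dropped
    Event(2002, "198.51.100.4", "10.0.0.9", "tcp", 80, blocked=False),   # Impact 2
    Event(1001, "198.51.100.4", "10.0.0.9", "tcp", 445, blocked=False),  # Impact 3
    Event(2002, "198.51.100.4", "10.0.0.77", "tcp", 80, blocked=False),  # Impact 4
]

if __name__ == "__main__":
    for e in EVENTS:
        print(impact(e, RULES[e.sid], HOSTS), RULES[e.sid].name, "->", e.dst,
              "blocked" if e.blocked else "passed")
    print("work first:", [(e.sid, e.dst) for e in triage(EVENTS, RULES, HOSTS)])
```

The blocked Impact 1 event drops out of the triage list on purpose: the sensor already did the work, and the analyst's attention belongs on the one the network let through. Without a host profile the same SID lands at level 4, which is the deck's argument for discovery before detection.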
16. More Subtle Indicators of Compromise
   • Hosts with Policy Violations
   • Network Changes (New Hosts or Unexpected Services)
   • Unsafe Reputation Connections
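Slide 13's "White Listing for Real-Time change" and slide 16's "Network Changes (New Hosts or Unexpected Services)" are two views of the same mechanism: passive discovery keeps a current-state inventory, and every observation is checked both against what was already known (is this host, service or OS new?) and against a whitelist of what the subnet is allowed to look like. The example below is added here and is not code from the deck or from Cisco/Sourcefire; the subnets, allowed services, OS names and the observation stream are constructed.

```python
"""Real-time change detection against a network whitelist.

Added example; not code from the deck or from Cisco/Sourcefire. It models
"White Listing for Real-Time change" (slide 13) and "Network Changes (New
Hosts or Unexpected Services)" (slide 16). Passive discovery feeds host
observations (IP, OS, listening service) into a running baseline; each
observation yields change findings (new host, new service, OS change) and
whitelist violations (OS or service not allowed in that subnet, or host in
no policy at all). Subnets, policies and observations are constructed.
"""
import ipaddress

# Constructed whitelist: per-subnet allowed OS families and listening services.
WHITELIST = {
    "10.1.0.0/24": {"os": {"Linux"},
                    "services": {("tcp", 22), ("tcp", 80), ("tcp", 443)}},
    "10.2.0.0/24": {"os": {"Windows"},
                    "services": {("tcp", 445), ("tcp", 3389)}},
}
_NETS = [(ipaddress.ip_network(cidr), pol) for cidr, pol in WHITELIST.items()]


def policy_for(ip):
    """Most specific whitelist entry covering ip, or None if uncovered."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, pol) for net, pol in _NETS if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


class Baseline:
    """Current-state inventory: ip -> {"os": str | None, "services": set()}."""

    def __init__(self):
        self.hosts = {}

    def observe(self, ip, os_name=None, service=None):
        """Record one discovery event.

        Returns (changes, violations); both are lists of (kind, ip, detail).
        """
        changes, violations = [], []
        host = self.hosts.get(ip)
        if host is None:
            host = self.hosts[ip] = {"os": None, "services": set()}
            changes.append(("new_host", ip, None))
        if os_name is not None:
            if host["os"] not in (None, os_name):
                changes.append(("os_change", ip, f"{host['os']} -> {os_name}"))
            host["os"] = os_name
        if service is not None and service not in host["services"]:
            host["services"].add(service)
            changes.append(("new_service", ip, service))

        pol = policy_for(ip)
        if pol is None:
            violations.append(("no_policy", ip, None))
        else:
            if os_name is not None and os_name not in pol["os"]:
                violations.append(("os_not_allowed", ip, os_name))
            if service is not None and service not in pol["services"]:
                violations.append(("service_not_allowed", ip, service))
        return changes, violations


# Constructed discovery stream, in arrival order.
OBSERVATIONS = [
    ("10.1.0.10", "Linux", ("tcp", 80)),   # expected web host, first sighting
    ("10.1.0.10", None, ("tcp", 3306)),    # an unexpected listener appears
    ("10.1.0.10", "Windows", None),        # OS fingerprint changes
    ("10.9.9.9", "Linux", ("tcp", 22)),    # host in a subnet with no policy
]


def run(observations):
    """Replay observations through one baseline; one (changes, violations) per event."""
    base = Baseline()
    return [base.observe(ip, os_name, svc) for ip, os_name, svc in observations]


if __name__ == "__main__":
    for (ip, _, _), (changes, violations) in zip(OBSERVATIONS, run(OBSERVATIONS)):
        print(ip, "changes:", [c[0] for c in changes],
              "violations:", [v[0] for v in violations])
```

The first sighting of 10.1.0.10 is a change but not a violation, which is the distinction slide 16 draws: new hosts are worth a look, but a new service the whitelist forbids, or an OS that flips from Linux to Windows on a web-tier address, is the subtler indicator of compromise worth escalating.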
17. Agenda – AFTER: Scope, Contain, Remediate (section divider)
18. Scope, Contain, Remediate
   • Everywhere the problems we KNOW are:
   • Known Malware Detections
   • Endpoint Cleanup
     ‒ IPS Event Documentation
     ‒ Host Profiles
19. File Trajectory (screenshot slide, no text)
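Slide 19's File Trajectory is what makes the Scope step on slide 18 concrete: the network file-detection events for one hash, laid out in time, show where the file entered, which hosts passed it on, and which hosts received a copy while the verdict was still "unknown" and so need endpoint cleanup. The example below is added here and is not code from the deck or from Cisco/Sourcefire; the event format, the hash and the hosts are constructed.

```python
"""File trajectory for scoping a malware incident.

Added example; not code from the deck or from Cisco/Sourcefire. It models
the "File Trajectory" view (slide 19) in service of Scope / Contain /
Remediate (slide 18): given file-transfer events from network file
detection (time, sender, receiver, hash, disposition at the time, blocked
or not), rebuild the order in which hosts received one file, find the
entry point, and list every host that actually got a copy before the
verdict turned to malware. Events and the hash are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: int           # epoch seconds
    src: str          # sending host
    dst: str          # receiving host
    sha256: str
    disposition: str  # "clean", "unknown" or "malware" at the time of transfer
    blocked: bool     # True if the transfer was stopped inline


def trajectory(events, sha256):
    """All events for one hash, oldest first."""
    return sorted((e for e in events if e.sha256 == sha256), key=lambda e: e.ts)


def scope(events, sha256):
    """Summarise one hash's spread; None if the hash was never seen."""
    traj = trajectory(events, sha256)
    if not traj:
        return None
    received = {}    # host -> first time it actually got the file
    blocked_at = []  # hosts where a later transfer was stopped
    for e in traj:
        if e.blocked:
            blocked_at.append(e.dst)
        else:
            received.setdefault(e.dst, e.ts)
    verdicts = [e.disposition for e in traj]
    return {
        "entry_point": traj[0].dst,
        "entered_from": traj[0].src,
        # hosts that hold a copy, in the order they received it
        "hosts_to_remediate": sorted(received, key=received.get),
        "blocked_at": blocked_at,
        # True when the file was allowed through before it was known bad,
        # i.e. the network could not have told you anything at the time.
        "retrospective": "malware" in verdicts and verdicts[0] != "malware",
    }


SAMPLE_HASH = "c0ffee" * 10 + "c0ff"   # constructed 64-hex placeholder

# Constructed events: an external download, two internal copies, then the
# verdict flips to malware and the next transfer is blocked.
EVENTS = [
    FileEvent(100, "203.0.113.7", "10.0.0.5", SAMPLE_HASH, "unknown", False),
    FileEvent(160, "10.0.0.5", "10.0.0.9", SAMPLE_HASH, "unknown", False),
    FileEvent(200, "10.0.0.9", "10.0.0.12", SAMPLE_HASH, "unknown", False),
    FileEvent(300, "10.0.0.12", "10.0.0.20", SAMPLE_HASH, "malware", True),
    FileEvent(120, "10.0.0.5", "10.0.0.9", "00" * 32, "clean", False),  # unrelated file
]

if __name__ == "__main__":
    for e in trajectory(EVENTS, SAMPLE_HASH):
        print(e.ts, e.src, "->", e.dst, e.disposition, "BLOCKED" if e.blocked else "")
    print(scope(EVENTS, SAMPLE_HASH))
```

The three hosts in `hosts_to_remediate` are the ones the malware detection alone would never list: each transfer was "unknown" when it happened. Only the trajectory, replayed after the verdict changed, tells you that 10.0.0.5 is the entry point and that 10.0.0.9 and 10.0.0.12 need cleanup even though nothing was ever blocked on them.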
20. Agenda – AFTER: Scope, Contain, Remediate (section divider for “Telling the Story”)
21. Have your Dashboard put your concerns up front
22. Organize by Tabs
23. Quickly Build (or automate) Your Reports
24. Feedback
   • Give us your feedback. Fill out your surveys.
   • Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year.
25. Register for Cisco Live – Orlando
   Cisco Live – Orlando, June 23–27, 2013, www.ciscolive.com/us