The Critical Security Controls and the StealthWatch System


Published on

As today’s cyber-attackers become more sophisticated and nefarious, organizations must adopt the right mix of conventional and next-generation security tools to effectively defend their infrastructure from advanced threats. The Critical Security Controls effort is a growing movement that has been helping government agencies and large enterprises prioritize their cyber security spending accordingly.

By leveraging NetFlow and other types of flow data, Lancope’s StealthWatch System delivers continuous network visibility to fulfill a number of the highest priority controls, enhancing timely detection of targeted threats and improving incident response.

Learn the latest about the Critical Security Controls and hear how the StealthWatch System fits in.

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

The Critical Security Controls and the StealthWatch System

  1. 1. Ask the Expert Webcast: The Critical Security Controls and the StealthWatch System John Pescatore, Director, SANS Charles Herring, Lancope 1111
  2. 2. Obligatory Agenda Slide • Housekeeping info • Here’s what we will do – 1:05 – 1:20 The Critical Security Controls– John Pescatore, SANS – 1:20 – 1:45 StealthWatch - Charles Herring, Lancope – 1:45 – 2:00 – Q&A 2
  3. 3. Bios John Pescatore joined SANS in January 2013 with 35 years experience in computer, network and information security. He was Gartner’s lead security analyst for 13 years, Prior to joining Gartner Inc. in 1999, he was Senior Consultant for Entrust Technologies and Trusted Information Systems. Before that, John spent 11 years with GTE developing secure computing and telecommunications systems. Mr. Pescatore began his career at the National Security Agency and the United States Secret Service, He holds a Bachelor's degree in Electrical Engineering from the University of Connecticut and is a NSA Certified Cryptologic Engineer. 3
  4. 4. Bios Charles Herring is Senior Systems Engineer at Lancope and longtime StealthWatch user. While on active duty in the US Navy, Charles leveraged StealthWatch in his role as Lead Network Security Analyst for the Naval Postgraduate School. He was tasked with staffing and training Network Security Group personnel, building the security architecture and developing incident response procedures. After leaving the Navy, he spent six years consulting with Federal government, disaster relief organizations and enterprise on network security, communication and process improvement. 4
  5. 5. Focus on protecting the mission first Effectively and efficiently and quickly Advanced targeted attacks are happening now Compliance must follow security Break the Breach Chain 5555
  6. 6. Disrupting the Breach chain DMZ Monitoring Advanced Threat Detect Source: Neusentry 2012 Monitor internal flows © 2013 The SANS™ Institute – Monitor external flows 6
  7. 7. Critical Security Controls 20) Penetration Tests and Red Team Exercises 19) Secure Network Engineering 18) Incident Response Capability 17) Data Protection 16) Account Monitoring and Control 15) Controlled Access Based on Need to Know 19 1) Inventory of Authorized and Unauthorized Devices 20 1 2 2) Inventory of Authorized and Unauthorized Software 3 3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers 4 18 17 4) Continuous Vulnerability Assessment and Remediation 5 16 6 7 15 14) Maintenance, Monitoring and Analysis of Audit Logs 5) Malware Defense 14 13) Boundary Defense 13 12) Controlled Use of Administrative Privileges 12 11 10 11) Limitation and Control of Network Ports, Protocols and Services 9 8 6) Application Software Security 7) Wireless Access Control 8) Data Recovery Capability 9) Security Skills Assessment and Appropriate Training to Fill Gaps 10) Secure Configuration of Devices such as Firewalls, Routers, and Switches 7
  8. 8. Other Benchmarking systemic improvements Detecting advanced attacks Incident response Threat mitigation Compliance to mandates and regulations Situational awareness/gap analysis Improvements to overall risk posture Risk reduction/vulnerability mitigation Benefits: Risk Reduction and Visibility Where have the Controls you implemented made the most improvement and/or helped you close your gaps? (Check all that apply.) 70.0% 60.0% 50.0% 40.0% 30.0% 20.0% 10.0% 0.0%
  9. 9. Critical Security Controls Update • Now maintained by the Council On CyberSecurity • Version 5.0 in public review • Updated prioritization and definitions of subcontrols 9
  10. 10. Getting to Continuous Security Action Threats Regulations Requirements OTT Dictates Discovery/Inventory Vuln Assessment/Pen Test Baseline Security Configuration Policy • SIEM • Situational Awareness • Incident Response • • • • Monitor/ Report Assess Risk Shield Eliminate Root Software Vuln Test Cause Mitigate Training Network Arch Privilege Mgmt • FW/IPS/ATD • Anti-malware • NAC • Patch Management • Config Management • Change Management
  11. 11. The Critical Security Controls and the StealthWatch System Charles Herring Senior Systems Engineer 11
  12. 12. Lancope: The Market Leader in Network Visibility Technology Leadership • Powerful threat intelligence • Patented behavioral analysis • Scalable monitoring up to 3M flows per second • 150+ algorithms Best of Breed • 650 Enterprise Clients • Key to Cisco’s Cyber Threat Defense • Gartner recommended • NBA market leader • Flow-based monitoring © 2013 Lancope, Inc. All rights reserved. 12
  13. 13. Your Infrastructure Provides the Source... 3560-X Atlanta San Jose NetFlow Internet NetFlow NetFlow NetFlow 3925 ISR WAN NetFlow New York NetFlow ASR-1000 NetFlow NetFlow Cat6k ASA NetFlow NetFlow Datacenter NetFlow UCS with Nexus 1000v Cat4k Cat6k NetFlow DMZ NetFlow Access NetFlow NetFlow NetFlow 3850 Stack(s) © 2013 Lancope, Inc. All rights reserved. 13
  14. 14. …for Total Visibility from Edge to Access. 3560-X Internet Atlanta ASR-1000 San Jose WAN 3925 ISR Cat6k New York Datacenter UCS with Nexus 1000v © 2013 Lancope, Inc. All rights reserved. Cat4k Cat6k ASA DM Z Access 3850 Stack(s) 14
  15. 15. SANS Critical Controls Boundary Defense Defense Type L3, L4, Signature Emerging L7 Detection Threat Blocking Detection Targeted Threat Detection Firewalls Yes Limited No No Signature IDS Limited Yes No No Malware Sandbox No No Yes Limited StealthWatch No Limited Yes Yes 15
  16. 16. Flow Statistical Analysis © 2013 Lancope, Inc. All rights reserved. 16 16
  17. 17. SANS Critical Controls Monitoring & Audit Defense Type Detection Mechanism Data Source SIEM Boolean Syslog StealthWatch Algorithmic NetFlow 17
  18. 18. SANS Critical Controls Incident Response and Management Logging Type Data Stored Endpoint Hard Drive/Memory Packet Capture Raw PCAP Log Collection Syslog StealthWatch NetFlow 18
  19. 19. Transactional Audits of ALL activities © 2013 Lancope, Inc. All rights reserved. 19
  20. 20. SANS Critical Controls Secure Network Engineering Monitor Type Data Monitored Firewall Change Control Changes in FW Configuration records Configuration Polling SNMP StealthWatch NetFlow against Policy 20
  21. 21. Thank You Charles Herring Senior Systems Engineer Lancope @Lancope (company) @netflowninjas (company blog) © 2013 Lancope, Inc. All rights reserved. 21
  22. 22. 22
  23. 23. Resources • SANS Reading Room: • Blog – • Sponsor link: • Questions: 23