Tvr malware gtri


  • A memetic combination is a picture of reputation built from weighted pieces of data contributed by many parties.
  • All reputation is not created equal. Cisco Security Intelligence Operations and the SensorBase network drive Web Reputation. Cisco is differentiated by:
      • Quantity and diversity of data: visibility into 100,000s of networks; Cisco IPS, 30% of the world’s email, live traffic insights from customer participation.
      • Sophistication of algorithms to analyze and correlate threats: over 200 different Web traffic and network-related parameters to accurately evaluate a URL’s trustworthiness and generate a granular +10 to -10 score.
      • Humans to augment automated analysis: hundreds of analysts working in a follow-the-sun model.
    Depending on the policy implemented by the corporation:
      • known bad sites are rejected based on their reputation;
      • known good sites are routed around subsequent scanning stages. We only do that for URLs that we are very sure of and monitor constantly;
      • unknown sites are sent to the next layer of filtering.
    (Note to speaker: It is important to call out the fundamental difference between traditional URL filtering and Web Reputation. Traditional URL black and white lists are reactive. With Web Reputation we examine a broad set of parameters (over 200) that are hard to manipulate, the scoring is proactive and dynamic, and the scoring is very granular, covering both positive and negative reputation.)
  • A key feature of Cisco SIO is the threat data (or telemetry) that is pulled from Cisco device instrumentation throughout this broad footprint, and placed into SensorBase. SensorBase is the world's largest traffic monitoring network. It looks at traffic across all protocols, using data pushed from these devices here. The threat data is then processed by the Threat Operations Center, using sophisticated computer security modeling in addition to expert human processing. The threat operations center generates alerts and new rule sets which are automatically pushed as dynamic updates to customers and their devices. This massive ecosystem enables Cisco security products to respond faster, detect a broader range of threats and detect those threats more accurately.
  • Reputation Security delivers a numeric score about an object, which allows a security device to take a policy-based action. Reputation is built on three things: our own assessment (e.g., using SensorBase data); assessment by trusted 3rd parties; sophisticated models that produce a score in real-time.
  • Running a local ISP. Wanted to know details of what was going on. Deployed: SNMP, Netflow, sniffers, IPS/IDS probes.

Cybersecurity: Malware Defense

Malware Defense
  • What is Cisco’s Role?

“Over the past year the amount of unique malware has doubled”
  - Chris Coleman, Cisco Cyber Architect

Systems Approach to Security
  • Best-of-breed security technologies embedded into infrastructure components
  • Benefits

What is Reputation Security?
  • Reputation Security delivers a numeric score about an object, which allows a security device to take a policy-based action.
  • Reputation is built on three things:
      • Our own assessment (e.g., using SensorBase data)
      • Assessment by trusted 3rd parties
      • Sophisticated models that produce a score in real-time

Cisco IronPort Web and Email Security
  • Cisco IronPort Web Security: Safe Client Browsing with Web Reputation and URL Filtering
  • Cisco IronPort Email Security: Spam Filters, Virus Outbreak Filters, Email Reputation Filters
  • Hosted and Appliance Options
  (Diagram labels: Cisco Security Intelligence Operations; Cisco IronPort; Client; Email/Web Traffic (malicious and benign))

Examples of Reputation in Action
  • Firewall: Who on my network is currently infected?
  • Web Security: What do we know BEYOND the top level domain?
  • IPS: more accuracy, less admin hands-on to deal with “yellow alerts”

Reputation Filters: How are they Scored?
  • Cisco Security Intelligence Operations evaluates 200+ parameters, including: URL Blacklists; URL Whitelists; Dynamic IP Addresses; Bot Networks; URL Behavior; Global Volume Data; Domain Registrar Information; Compromised Host List; Real-Time Cloud Analysis; Network Owners; Known Threat URLs
  • Reputation Score: -10 to +10
  (Diagram labels: SensorBase Network; Security Modeling)
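The weighted combination the speaker notes describe, and the -10 to +10 score with its three-way policy (reject, route around scanning, send to the next filter) that this slide shows, as an added Python example that is not Cisco's or SensorBase's code. The source names, weights, thresholds and evidence sets are constructed assumptions; the confidence gate on the bypass decision is the note's "only URLs we are very sure of" caveat made explicit.

```python
"""Weighted reputation scoring and policy routing (added example, not Cisco code).

Several weighted sources are folded into one -10..+10 score, then a policy maps
the score to: reject (known bad), bypass_scanning (known good, and well enough
evidenced), or next_filter (unknown). All names, weights and thresholds are
constructed illustrations of the mechanism the page describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Evidence:
    source: str    # which parameter or party produced this verdict
    score: float   # that source's verdict, already on the -10..+10 scale
    weight: float  # how much the source is trusted, 0..1


def combine_reputation(evidence):
    """Weighted mean of the sources, clamped to [-10, +10]; no data scores 0."""
    total_weight = sum(e.weight for e in evidence)
    if total_weight == 0:
        return 0.0
    score = sum(e.score * e.weight for e in evidence) / total_weight
    return max(-10.0, min(10.0, score))


def policy_action(score, confidence, block_at=-6.0, trust_at=6.0, min_conf=1.5):
    """Rejecting needs only a bad enough score; skipping the later scanning
    stages needs a good score AND enough weighted evidence behind it."""
    if score <= block_at:
        return "reject"
    if score >= trust_at and confidence >= min_conf:
        return "bypass_scanning"
    return "next_filter"


def evaluate(evidence):
    score = combine_reputation(evidence)
    confidence = sum(e.weight for e in evidence)  # total weight behind the score
    return {"score": round(score, 3), "confidence": confidence,
            "action": policy_action(score, confidence)}


# Constructed evidence for four URLs; no real sites are involved.
SAMPLES = {
    "known_bad": [Evidence("global_volume", -9, 0.6), Evidence("bot_network", -10, 0.8),
                  Evidence("registrar_age", -4, 0.3)],
    "known_good": [Evidence("global_volume", 9, 0.6), Evidence("url_whitelist", 10, 0.9),
                   Evidence("compromised_host_list", 8, 0.5)],
    "thinly_known": [Evidence("third_party_feed", 9, 0.4)],  # good, but one weak source
    "never_seen": [],
}


def evaluate_all(samples=SAMPLES):
    return {name: evaluate(ev) for name, ev in samples.items()}
```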
Gathering Reputation Data: SensorBase, the World’s Largest Traffic Monitoring Network
  • Data gathering points rapidly accelerating
  • Cisco SensorBase:
      • 700,000+ sensors deployed globally
      • Over 500GB of data per day
      • 8 of the top 10 global ISPs
      • Over 30% of the world’s email traffic
      • 152 third party feeds

How Effective is Reputation?
  • IronPort was a strategic acquisition for Cisco
  • Security systems need to react as fast as threats – on all fronts
  • Blocking at lower layers is fast, and can provide great security intelligence to otherwise unaware devices
  • Blocked at Layer 3!
  • Cisco on Cisco: Our Corporate Email Experience

What is Cisco Doing Today with Reputation?
  • Broadening Reach, increasing visibility to the full threat lifecycle
  (Diagram labels: SensorBase Cloud Based Reputation DB; Global Threat Telemetry; Dynamic Updates and Actionable Intelligence; Adaptive Security Appliances; Intrusion Prevention Solution; Email Security Appliances; Web Security Appliances)

ASA Botnet Traffic Filters

Botnet Traffic Filters in Cisco ASA
  • Scans all traffic, ports, and protocols for rogue “phone home” traffic
  • Provides visibility to infected clients within the corporate network
  • SensorBase provides visibility into dynamic IPs
  (Diagram labels: Cisco Security Intelligence Operations; Botnet Traffic Filters; Cisco ASA 5500 Series; Command and Control; Infected Client)

Botnet Traffic Filter: 3 Main Components
  • Domain Name System (DNS) Snooping
  • Traffic Classification and Reporting
  • Dynamic and Administrator Blacklist Data
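The three components listed above, worked as an added Python model that is not Cisco ASA code: DNS snooping caches which names an answer IP was returned for, a blacklist lookup on those names classifies each flow, and the alerts feed the two report slides that follow (top infected hosts, top botnet sites and ports). The blacklists, the log format and every name and address are constructed assumptions, and the "dynamic" list stands in for the SensorBase feed.

```python
# Added example, not Cisco ASA code: a model of the three Botnet Traffic Filter
# components on the slide (DNS snooping, dynamic + administrator blacklist data,
# traffic classification and reporting). The dynamic list stands in for the
# SensorBase feed; every name, address and log line below is constructed.
import re
from collections import Counter, defaultdict

DYNAMIC_BLACKLIST = {"c2.example-bad.test"}             # stands in for the feed
ADMIN_BLACKLIST = {"legacy-c2.internal-bad.test"}        # administrator entries
ADMIN_WHITELIST = {"updates.example-good.test"}          # overrides both lists
DNS_RE = re.compile(r"dns client=(\S+) q=(\S+) a=(\S+)")
FLOW_RE = re.compile(r"flow src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)")


class BotnetTrafficFilter:
    def __init__(self):
        self.ip_to_names = defaultdict(set)  # DNS snooping cache: answer IP -> names
        self.alerts = []                     # (client, name, ip, port, proto)
    def snoop_dns(self, client, name, ip):
        """Component 1: remember which names an answer IP was returned for."""
        self.ip_to_names[ip].add(name)
    def classify(self, src, dst, dport, proto):
        """Component 2: label one flow by the names its destination resolved from."""
        names = self.ip_to_names.get(dst, set())
        if names & ADMIN_WHITELIST:
            return "whitelisted"
        bad = names & (DYNAMIC_BLACKLIST | ADMIN_BLACKLIST)
        for name in sorted(bad):             # blacklisted name => phone-home alert
            self.alerts.append((src, name, dst, dport, proto))
        # unknown: destination never appeared in a snooped DNS answer
        return "phone-home" if bad else ("benign" if names else "unknown")
    def process(self, lines):
        verdicts = []
        for line in lines:
            if m := DNS_RE.search(line):
                self.snoop_dns(*m.groups())
            elif m := FLOW_RE.search(line):
                src, dst, dport, proto = m.groups()
                verdicts.append(self.classify(src, dst, int(dport), proto))
        return verdicts
    def reports(self):
        """Component 3: top infected hosts and top botnet sites/ports."""
        infected = Counter(a[0] for a in self.alerts).most_common()
        sites = Counter((a[1], a[3]) for a in self.alerts).most_common()
        return infected, sites


SAMPLE_LOG = [  # constructed DNS answers and flow records (RFC 5737 addresses)
    "dns client=10.0.0.5 q=c2.example-bad.test a=198.51.100.7",
    "dns client=10.0.0.9 q=updates.example-good.test a=203.0.113.20",
    "dns client=10.0.0.5 q=legacy-c2.internal-bad.test a=198.51.100.8",
    "flow src=10.0.0.5 dst=198.51.100.7 dport=443 proto=tcp",
    "flow src=10.0.0.5 dst=198.51.100.8 dport=8080 proto=tcp",
    "flow src=10.0.0.9 dst=203.0.113.20 dport=443 proto=tcp",
    "flow src=10.0.0.9 dst=198.51.100.7 dport=443 proto=tcp",
    "flow src=10.0.0.9 dst=192.0.2.44 dport=53 proto=udp",
]


def run_sample():
    btf = BotnetTrafficFilter()
    return btf.process(SAMPLE_LOG), btf
```

A flow whose destination never appeared in a DNS answer is reported as unknown rather than benign, since DNS snooping can only vouch for addresses it has seen resolved.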
Botnet Traffic Filter Reports: Top Botnet Sites and Ports

Botnet Traffic Filter Reports: Top Infected Hosts

Cisco IPS

Cisco IPS 7.0: Network IPS to Global IPS
  • Coverage: Twice the Effectiveness of Signature-Only IPS
  • Accuracy: Full Context Analysis Reduces False Positives
  • Timeliness: Proactive Coverage
  (Diagram labels: Cisco SIO Global Correlation; Global Threat Telemetry; sites: Ad Agency HQ in London, ISP Data Center in Moscow, Bank Branch in Chicago; sensor events at 8:00, 8:03 and 8:07 GMT: Sensor Detects New Malware, Sensor Detects New Botnet, Sensor Detects Hacker Probing; 8:10 GMT: Cisco IPS Update Applied)

Security Intelligence Operations (SIO)

Foundation of Cisco Security
  • Eyes and Ears of our Threat Intelligence
  • Hundreds of Analysts
  • 700,000+ Sensors Globally
  • 8 of 10 Top Global ISPs
  • 152 Third-party Feeds
  • Over 30% of the World’s Email Traffic

Cisco SensorBase
  • The Brain of Cisco Intelligence Operations
  • Massive Database of Threat Telemetry
  • Integrated Throughout Cisco Products
  • Decision-Making Based on Reputation Data
  • 200+ Parameters for Reputation, Scored from -10 to +10: URL Blacklists; URL Whitelists; Dynamic IP Addresses; Bot Networks; URL Behavior; Global Volume Data; Domain Registrar Information; Compromised Host List; Real-Time Cloud Analysis

Cisco Security Solutions: The Nervous System
  • Secure Routing/Switching
  • Email/Web Security
  • IDS/IPS
  • Access Control
  • Visibility & Management
  • Firewalls/VPN
  • Secure Voice
  • Secure Wireless

Service Control Engine

I needed a tool that would…

Visibility: Prevent and Detect – Supporting Trust through Transparency
  • Service Control Engine and Visibility
  • High speed flow reconstruction through Application Layer (Layer 7)
  • Identify flows through Application Layer and provide service control: block, mark, redirect, mirror, packet capture, alarm, report
  • Collection of data records for reporting and extension into other systems (situational awareness)
  • Rapid insertion of new protocols and applications through custom signature interface
  • Enforce policy through detailed protocol analysis tied to user awareness
  • Identify anomalous network behavior
  • Detailed network visibility to help identify possible covert communication channels
  • Detailed network visibility to help identify means of information loss
  • Identify non-approved applications

Resilience: Respond and Recover – Commanding Positive Network Control
  • Service Control Engine and Resilience
  • Identify flows through Application Layer and provide service control: block, mark, redirect, set QoS, alarm, report
  • Ensure bandwidth availability to critical assets
  • Scale from 2M concurrent flows and 200K subscribers to 16M concurrent flows and 1M subscribers
  • Scalable up to 240Gbps
  • High Availability

Why the SCE?
  • An enterprise security posture must consider network analysis and visibility
  • The SCE provides detailed visibility into every network transaction available
  • Tying users to specific protocol and application transactions
  • Enforcing policy of user and network transactions
  • Granular policy to control bandwidth and user resources
  • Ability to mirror and redirect transactions based on policy into additional security devices
  • Extensible back-end that can be integrated into customers with robust security analysis systems

Cisco SCE - Key Benefits
  • Service Provider experience and lessons learned for complex, large scale deployments
  • Predictable performance
  • Address asymmetric routing issues
  • Protocol packs and signature editor
  • Separate processors for control and management
  • Hardware flow bypass & hardware fast path for delay sensitive traffic
  • Multi-packet, bi-directional signature detection
  • Application aware flow mirroring
  • Packet capture facility
  • Superior classification
  • No performance impact from policy and reporting configurations
  • Value-added-services (VAS) architecture for 3rd party support
  • Mobile 3GPP support
  • System-wide management and policy control
  • Network design expertise
  • COTS system with the ability to feed GOTS technologies
Cisco Service Control Engine
  • Application recognition
      • Signature matching
      • Heuristic matching
      • Behavioral matching
      • Zone matching
      • URL / SIP / SMTP parameter matching
      • Worm detection*
      • Custom signature
  • Subscriber awareness
      • RADIUS / DHCP parameter extraction
      • LDAP and SOAP queries
      • Anonymous IP-to-ID mapping
      • Static user definitions
  • Reporting
      • Reporting on multiple levels
      • Application parameter reporting
      • Attack / SPAM reporting
      • Flow signaling
  • Control
      • Control on multiple levels
      • Support complex policy decision trees
      • Multiple actions
Service Control Engines
  • Cisco offers 2 generations of SCEs
  • SCE1010 / SCE2020 – fixed configuration, Gigabit Ethernet model
  • SCE8000 – modular configuration, Gigabit or TenGigabit Ethernet model

Common properties
  • All SCE platforms share some common properties:
      • Stand-alone appliances – can be inserted into any Ethernet/IP network
      • L2-L3 transparent – no MAC / IP address on data port
      • Data / Control plane separation – data and control planes are completely separate and don’t influence each other’s performance
      • Dedicated hardware – data plane is a combination of fast FPGAs and powerful CPU, backed up by lots of memory
      • IOS-like CLI – CLI for configuring low-level properties is based on an IOS-like interpreter
      • Low latency – all platforms introduce low latency (~32 µs) and almost no jitter. Hardware fast-path is a separate hardware path for delay-sensitive traffic, ensuring very low latency (~10 µs)
      • Open APIs – for integration into OSS/BSS/Security

Platform comparison

Classification
  • Protocols Coverage:
      • 600 Protocols – 950 L7 based signatures
      • 900 Protocols – port-based
  • ~1200 customers, Multiple geographies, Multiple SP segments
  • Application groups: Voice, Video, File-Sharing, File-Hosting, Gaming, News-Groups, Instant-Messaging, Web-based services, etc.
  • Zero Day Classification – Behavioral / Heuristic Algorithms
  • Classification engine supports customer generated signatures
  • Supports classification modifiers:
      • Zones – collection of network side prefixes
      • Application parameters – URL, User-Agent, Calling/Called Number, Domain name, Content-type…

Reporting
  • SCE exports 30 types of Raw Data Records: Link Usage RDR; Zone RDR; Virtual Link RDR; Package Usage RDR; Subscriber Usage RDR; Real-time Subscriber Usage RDR; Transaction RDR; Transaction Usage RDR; HTTP / VoIP / Video Transaction Usage RDR; Flow RDR; Malicious Traffic RDR; SPAM RDR; Quota RDR; […]
  • Depending on the type, RDRs include: Source / Destination IP/Port; Timestamp, duration, volume; Application ID; Requested URL, User-agent, Cookie; Delivered content type; Called / Calling Numbers; Video Codec and bitrate; Filename; P2P file hash; Attack type; List of email recipients; OS type*; […]

Control
  • Policy decision can be made based on multiple criteria: Application usage (all levels); Subscriber quota; Priority (application or subscriber); Time of day; State of attack; Presence of other applications
  • Complex policies include multiple chained rules
  • Actions can be chained too*
  • Once a decision is made, control can be established on many levels: Link; Application per link; Subscriber group; Subscriber total bandwidth; Application per subscriber; Application flow
  • Connections can be: Allowed; Dropped; Policed (CIR and PIR); Redirected (Layer 2); Redirected (Layer 7, HTTP and RTMP); Mirrored; Captured

SCE ecosystem
  1. SCE Appliance to view and act on the packets
  2. Collection Manager to collect data records for Reporting & external DB’s
  3. Subscriber Manager to coordinate sub info w/ AAA and control sub-level policies
  4. Cisco Insight to provide business intelligence and network trending reports
  (Diagram labels: Event correlation engine; Portal; Data retention; AAA; Subscriber and Quota manager; Collection Manager; SCA-BB Console; Cisco Insight; Network; Service Control Engine; Users)
Cisco Insight

Cisco Insight – Business intelligence
  • 150+ report types
  • Custom dashboard
  • Scheduled reports
  • Email notification of reports
  • Report comparison and trend analysis reports (Traffic analysis, trend studies, comparisons)
  • Report export in different formats: pdf, excel, image

Cisco Insight – User privilege separation
  • Operators can create many users and assign different view rights
  • Restrict access based on: Report type; Topology; Object type
  • Full auditing

Cisco Insight – Advanced network topology
  • Objects are organized in a tree-like structure: Devices; Links; Parts of networks; Groups of subscribers; Subscribers
  • Graphical Topology View, customizable by user
How I got to DPI?
  • Network topology tools: CDP; Route monitor; STP monitor
  • Performance and general awareness tools: SNMP; Netflow
  • Security tools: Firewalls; IPS/IDS probes; Honeypots
  • Protocol analyzers: Replay tools; Dissectors
  • Marketing: What are subscribers doing? How do we monetize that?
  • Security: Obvious attacks? Malicious traffic? Suspicious traffic?
  • Stats of our network?
  • What’s causing congestion? Where?
  (Diagram labels: Data Centre; Internet; Business; Internal network; Residential; Operations)

Network visibility
  • Netflow: Statistics; Layer 3-4
  • SNMP: Statistics; Layer 2
  • Net security: Details of critical points; Semantics of details; Layer 7
  • Protocol analyzers: Details; Semantics; Layer 7

DPI – filling the visibility gap
  • Netflow: Statistics; Layer 3-4
  • DPI: Statistics and details; Layer 3-7
  • SNMP: Statistics; Layer 2
  • Security: Details of critical points; Semantics of details; Layer 7
  • Protocol analyzers: Details; Semantics; Layer 7

Cisco Insight – Advanced UI
  • New easy-to-use GUI leveraging Adobe FLEX™ technology to improve usability and maximize the user experience
  • Advanced graphical widgets (time sliders, tree views, dynamic selection controllers, etc.)
  • Wizard-like guide through the process of report creation
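The visibility gap between a Layer 3-4 view (Netflow, port tables) and Layer 3-7 DPI, and the classification modifiers the Classification slide lists (L7 signatures, application parameters such as the HTTP Host, zones of network-side prefixes), as an added Python example that is not SCE code. The signature bytes, zone prefixes and sample flows are constructed assumptions.

```python
"""Port-only versus DPI flow classification (added example, not Cisco SCE code).

A port table gives the Layer 3-4 view; the DPI path tries L7 signatures first,
extracts an application parameter (HTTP Host) and tags a zone, and falls back
to the port table only when no signature matches. Signatures, zones and flows
below are constructed.
"""
import ipaddress
from dataclasses import dataclass

PORT_TABLE = {53: "dns", 80: "http", 443: "https", 6881: "bittorrent"}
# Constructed L7 signatures: (application, bytes the first client payload starts with)
L7_SIGNATURES = (
    ("http", b"GET "), ("http", b"POST "), ("tls", b"\x16\x03"),
    ("bittorrent", b"\x13BitTorrent protocol"), ("ssh", b"SSH-"),
)
# Constructed zone: a collection of network-side prefixes
ZONES = {"video-cdn": [ipaddress.ip_network("203.0.113.0/24")]}


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    payload: bytes = b""  # first bytes of the client-to-server payload


def classify_port_only(flow):
    """Netflow-style view: layer 3-4 only, nothing about the payload."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def http_host(payload):
    """Application parameter extraction: the Host header of an HTTP request."""
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return ""


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, nets in ZONES.items() if any(addr in n for n in nets)), "")


def classify_dpi(flow):
    """Layer 3-7 view: L7 signature first, port table only as a fallback."""
    app = next((a for a, sig in L7_SIGNATURES if flow.payload.startswith(sig)), None)
    matched_by = "signature"
    if app is None:
        app, matched_by = classify_port_only(flow), "port"
    return {"app": app, "matched_by": matched_by,
            "host": http_host(flow.payload) if app == "http" else "",
            "zone": zone_of(flow.dst_ip)}


SAMPLE_FLOWS = [  # constructed flows, RFC 5737 addresses
    Flow("198.51.100.10", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"),
    Flow("192.0.2.77", 443, b"\x13BitTorrent protocol" + b"\x00" * 8),  # P2P hiding on 443
    Flow("203.0.113.5", 443, b"\x16\x03\x01\x02\x00\x01"),              # TLS into the CDN zone
    Flow("192.0.2.53", 53, b""),                                         # no payload seen yet
]


def compare(flows=SAMPLE_FLOWS):
    """(port-only verdict, DPI verdict) per flow; the differences are the gap."""
    return [(classify_port_only(f), classify_dpi(f)["app"]) for f in flows]
```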