January 2017
Threat Defense with the Help of the Network and Cisco StealthWatch
Cisco Enterprise Security
Thomas Spiegel, Consulting Systems Engineer
Perimeter Security Controls
Typical BOGON list at the perimeter
NGIPS and Firewall protecting the Data Center
Perimeter Firewalls
NGIPS Protecting the DMZ
NGIPS Protecting the Internal Zone
Enterprise Network
Network as a Sensor and Enforcer: Data Breach Example
Attacker
Perimeter (Inbound)
Perimeter (Outbound)
C2 Server
Admin Node
1. Infiltration and Backdoor establishment
2. Reconnaissance and Network Traversal
3. Exploitation and Privilege Elevation
4. Staging and Persistence (repeat 2, 3, 4)
5. Data Exfiltration
Network Security
Stealthwatch Adds to Cisco’s Security Portfolio
StealthWatch
Detect breaches and insider threats faster
Accelerate analysis and understanding of incidents
Discover and monitor traffic baseline for the network
Enable the deployment of granular, software-based segmentation
StealthWatch
Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
NetFlow: what it is
Example flow from 10.1.8.3 to 172.168.134.2 across the Internet; the flow information is extracted from the packets:
SOURCE ADDRESS 10.1.8.3
DESTINATION ADDRESS 172.168.134.2
SOURCE PORT 47321
DESTINATION PORT 443
INTERFACE Gi0/0/0
IP TOS 0x00
IP PROTOCOL 6
NEXT HOP 172.168.25.1
TCP FLAGS 0x1A
SOURCE SGT 100
...
APPLICATION NAME NBAR SECURE-HTTP
Exported by routers and switches
NetFlow enables:
• Tracing every conversation in the network
• Network components: switch, router, firewall
• Capturing network usage
• Tracking traffic flows
• Indications of Compromise (IOC)
• Security Group Information
Built into current Cisco network components
NetFlow provides complete IP visibility in the network:
192.168.19.3
10.85.232.4
10.4.51.5
192.168.132.99
10.43.223.221
10.200.21.110
10.51.51.0/24
10.51.52.0/24
10.51.53.0/24
Internet
IP addresses change often
Hard to manage when there is no link to the identity behind the IP address
But:
Context-based visibility and control
Employee
Employee
Supplier
Quarantine
Shared Server
Server
High Risk Segment
Internet
Network Fabric
Allowed Traffic
Denied Traffic
Traffic relationships that are easy to follow
Rules based on identity are simpler to define
Network as a Sensor: StealthWatch System
pxGrid
Real-Time Visibility into All Network Layers
• Monitor
• Detect
• Analyze
• Respond
Cisco® Identity Services Engine: Mitigation Action
Context Information
NetFlow
StealthWatch
Network Devices
pxGrid = API
Behaviour Analysis
• Works with complex, dynamically learned baselines and manual thresholds.
• Unique processing that results in Concern Index™ metrics:
• Concern Index: host might have become infected;
• Target Index: host might have become the target of an attack;
• File Sharing Index: host might be involved in peer-to-peer file sharing activity or leaking data out of the organization;
• Exfiltration Index: host might be leaking data out;
• Command & Control Points: host trying to connect to a botnet C&C server.
• Other activities that the system can recognize:
• Data Hoarding;
• Quiet Long Flows;
• Custom user-defined threat criteria or threshold violations.
• If concern indexes or manual thresholds are exceeded, or policies are violated, alarms are generated.
Behavioral and Anomaly Detection Model
Behavioral Algorithms Are Applied to Build "Security Events"
SECURITY EVENTS (94+)
Addr_Scan/tcp
Addr_Scan/udp
Bad_Flag_ACK**
Beaconing Host
Bot Command Control Server
Bot Infected Host - Attempted
Bot Infected Host - Successful
Flow_Denied
...
ICMP Flood
...
Max Flows Initiated
Max Flows Served
...
Suspect Long Flow
Suspect UDP Activity
SYN Flood
ALARM CATEGORY
Concern
Exfiltration
C&C
Recon
Data hoarding
Exploitation
DDoS target
RESPONSE
Alarm table
Host snapshot
Syslog / SIEM
Mitigation
COLLECT AND ANALYZE FLOWS
FLOWS
Example Algorithm: Data Hoarding
Target Data Hoarding
• Unusually large amount of data outbound from a host to multiple hosts
Suspect Data Hoarding
• Unusually large amount of data inbound from other hosts
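To make the flow-record fields above and the data hoarding algorithm concrete, here is an added Python example that is not Cisco or StealthWatch code. It aggregates constructed NetFlow-style records (the field names mirror the flow record shown earlier; the byte counter `octets` is an assumed field) into per-host inbound and outbound byte totals and distinct peer counts, learns a per-host daily baseline from a few days of history, and raises "Suspect Data Hoarding" (unusually large inbound volume from several hosts) or "Target Data Hoarding" (unusually large outbound volume to several hosts). The multiplier, minimum peer count and byte floor are illustrative assumptions; StealthWatch's real baselining and thresholds are its own.

```python
"""Toy data-hoarding detector over NetFlow-style records (constructed example, not StealthWatch code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record. Field names follow the slide's flow record;
    octets (bytes carried from src to dst) is an assumed field."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    octets: int


@dataclass
class HostTotals:
    in_bytes: int = 0
    out_bytes: int = 0
    in_peers: Set[str] = field(default_factory=set)
    out_peers: Set[str] = field(default_factory=set)


def daily_totals(flows: Iterable[Flow]) -> Dict[str, HostTotals]:
    """Aggregate bytes and distinct peers per host in both directions."""
    totals: Dict[str, HostTotals] = defaultdict(HostTotals)
    for f in flows:
        totals[f.src].out_bytes += f.octets
        totals[f.src].out_peers.add(f.dst)
        totals[f.dst].in_bytes += f.octets
        totals[f.dst].in_peers.add(f.src)
    return dict(totals)


def learn_baseline(history: List[List[Flow]]) -> Dict[str, Tuple[float, float]]:
    """Mean (inbound, outbound) bytes per host per day over the history days."""
    sums: Dict[str, List[float]] = defaultdict(lambda: [0.0, 0.0])
    for day in history:
        for host, t in daily_totals(day).items():
            sums[host][0] += t.in_bytes
            sums[host][1] += t.out_bytes
    n = max(len(history), 1)
    return {h: (s[0] / n, s[1] / n) for h, s in sums.items()}


def data_hoarding_alarms(today: Iterable[Flow], baseline: Dict[str, Tuple[float, float]],
                         factor: float = 5.0, min_peers: int = 3,
                         min_bytes: int = 10_000_000) -> List[Tuple[str, str, int, int]]:
    """Return (alarm, host, bytes, distinct peers) tuples, sorted by host.
    A host with no baseline (first seen today) is compared against 0, so the
    min_bytes floor is what keeps a brand-new low-volume host from alarming."""
    alarms = []
    for host, t in daily_totals(today).items():
        base_in, base_out = baseline.get(host, (0.0, 0.0))
        if (t.in_bytes >= min_bytes and len(t.in_peers) >= min_peers
                and t.in_bytes > factor * base_in):
            alarms.append(("Suspect Data Hoarding", host, t.in_bytes, len(t.in_peers)))
        if (t.out_bytes >= min_bytes and len(t.out_peers) >= min_peers
                and t.out_bytes > factor * base_out):
            alarms.append(("Target Data Hoarding", host, t.out_bytes, len(t.out_peers)))
    return sorted(alarms, key=lambda a: (a[1], a[0]))


def make_day(transfers: List[Tuple[str, str, int, int]]) -> List[Flow]:
    """Constructed helper: (src, dst, dport, octets) -> Flow, src is the data-sending side."""
    return [Flow(s, d, 47321, p, 6, b) for s, d, p, b in transfers]


MB = 1_000_000
# Constructed history: three normal days, a file server serving two workstations.
HISTORY = [
    make_day([("10.4.51.5", "10.1.8.3", 445, 50 * MB),
              ("10.4.51.5", "10.85.232.4", 445, 40 * MB)])
    for _ in range(3)
]
# Constructed day under test: workstation 10.1.8.3 pulls 400 MB from five internal
# hosts, and a previously unseen host 192.168.19.3 pushes 60 MB to four workstations.
TODAY = make_day([
    ("10.4.51.5", "10.1.8.3", 445, 80 * MB),
    ("10.43.223.221", "10.1.8.3", 445, 80 * MB),
    ("10.200.21.110", "10.1.8.3", 445, 80 * MB),
    ("192.168.132.99", "10.1.8.3", 443, 80 * MB),
    ("10.51.51.10", "10.1.8.3", 445, 80 * MB),
    ("10.4.51.5", "10.85.232.4", 445, 40 * MB),
    ("192.168.19.3", "10.85.232.4", 445, 60 * MB),
    ("192.168.19.3", "10.51.52.20", 445, 60 * MB),
    ("192.168.19.3", "10.51.53.30", 445, 60 * MB),
    ("192.168.19.3", "10.51.51.40", 445, 60 * MB),
])

if __name__ == "__main__":
    for alarm in data_hoarding_alarms(TODAY, learn_baseline(HISTORY)):
        print(alarm)
```

The peer-count condition is what separates hoarding from a single large but legitimate transfer: the five servers that each sent 80 MB to one workstation raise nothing, while the workstation that collected from all five does. In practice the baseline would be learned per host over a longer window and the thresholds tuned per host group, which is the "Tune" step in the alarm model.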
Network Behavior and Anomaly Detection
Alarm Model
• Monitor activity and alarm on suspicious conditions
• Policy and behavioral
StealthWatch: Detecting Network Anomalies
Conversational Flow Record
When, Who, Where, What, Who
Security Group
More Context
Is this communication permissible?
Tune
Yes
Respond
No
Adaptive Network Control
Quarantine or unquarantine via pxGrid
StealthWatch Management Console
Cisco® Identity Services Engine
SMC
NaaS: Solution Components
Cisco Switching Portfolio with Full Flexible NetFlow
Catalyst 3850/3650
Access Layer
Catalyst 4500 (Sup7E/LE, Sup8E/LE)
Catalyst 6800/6500Sup2T, Sup6T
Distribution Layer
Nexus: Full Flexible NetFlow v9 and IPFIX*
NetFlow is supported on the 7K M series (full / sampled), 1000V (Full Flow) and 7k (I/O Module Dependent)
Core Layer
IP Base or Higher License Requirement
Catalyst 2960X
Base NaaS on Catalyst 2960-X/XR
Full NetFlow
DNS-AS 50+ Apps
StealthWatch
25 FPS/Switch License
Physical² or Virtual Appliance
C1-based License Only (New)
Cisco Unique Solution for Network Security
Reduce Threat Attack Surface with Network Sensing
Improved Protection for Customers and Employees
Implementing NaaS brings over 200% ROI¹
NEW!!
¹ Forrester Report for StealthWatch; ² Purchase separately
Full NaaS on Catalyst 3650/3850
Full NetFlow
NBAR2 1500 Apps
ERSPAN
ETTA2
Stealthwatch
50 FPS/Switch License
Physical¹ or Virtual Appliance
C1 Foundation License (see Software Packaging)
Cisco Unique Solution for Network Security
Reduce Threat Attack Surface with Network Sensing
Improved Protection for Customers and Employees
Implementing NaaS brings over 200% ROI¹
NEW!!
Forrester Report for StealthWatch¹
Packetwatch¹
¹ Purchase separately; ² Available 1HC17
Key questions you should ask yourself:
• Do you know the normal behaviour of your network?
• Users / endpoints
• Applications
• Typical traffic volumes
• How do you discover unusual network traffic?
• How do you ensure that the security rules are enforced in every component?
• How effectively can you respond to security incidents?
Network as a Sensor and Enforcer Summary
TrustSec provides software-defined (micro)segmentation
NetFlow and Lancope StealthWatch provide visibility and intelligence
The network is a key asset for threat detection and control