© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Driving Greater Event Clarity
• Solution Overview
• LogRhythm Overview
• Cisco ISE Overview
• ISE+LogRhythm = Taking Security Visibility to a New Level!
• Demo
• Q&A
Visibility & Policy is More than Just an IP Address
NETWORK ALERT!
SRC/65.32.7.45
DST/165.1.4.9 : HTTP
Is this event important?
I need more info…
Visibility & Policy is More than Just an IP Address
Cisco ISE Network Access Policy
LogRhythm Threat Visibility
Clarity Among the Threat Noise
Associate Users, Roles, Devices with Security Events
Identity: User, Posture, Privilege, Device type
External Context: Threat Intelligence, IP Reputation, GeoLocation
Application: Access, Transactions, Error, Behavior
Host: Process, Access, File Activity, Resources
Internal Context: Business Value, Asset Classification, Risk Rating, Vulnerability
Network: Connection, Direction, Content, Volume
• Manual discovery of what’s normal network activity is impractical due to the sheer volume of data across multiple types of dimensions.
• An unmanageable volume of false positives based on benign anomalies
• Significant blind spots / false negatives
• Need an automated technology to learn behavioral attributes across multiple dimensions
Diagram: log sources (Networking Devices, Security Devices, Systems & Applications, Industry Specific Devices, Identity Services) feed Forensic Data, Analysis Conditioning and Analysis.
Correlation and Pattern Matching
• User account is created and deleted
• Process is killed and not restarted
• Multiple authentication failures followed by success
Whitelisting
• Create whitelist of processes on web servers
• Create whitelist of countries with VPN logins
• Create whitelist of logins to production systems
Trending – Average
• Monitor average bytes per packet sent to a web server
• Monitor average authentications over time
Trending – Rate
• Monitor rate of logs per log source
• Monitor rate of failed VPN logins
Trending – Histogram
• Monitor the number of unique server connections
• Monitor the number of guest access and access denies during the day
Corroborated Activities
Cisco ISE: Controlling Who, What and How Users & Devices Access the Network
Identity (802.1X)-Enabled Network
IDENTITY CONTEXT: WHO, WHAT, WHERE, WHEN, HOW
Services: Guest Access, Profiling, Posture
Access methods: 802.1X, MAB, WebAuth
Enforced on CISCO SWITCHES, ROUTERS, WIRELESS ACCESS POINTS
Example endpoints and their context:
• Vicky Sanchez: Employee, Marketing; Wireline; 3 p.m.
• Frank Lee: Guest; Wireless; 9 a.m.
• Security Camera G/W: Agentless Asset; Chicago Branch
• Francois Didier: Consultant; HQ—Strategy; Remote Access; 6 p.m.
• Personal iPad: Employee Owned; Wireless HQ
All-in-One Enterprise Policy Control
Who, What, Where, When, How: virtual machine client, IP device, guest, employee, and remote user, over Wired, Wireless and VPN access, governed by Cisco ISE
Business-Relevant Policies:
• Policy Management: increases operational efficiency
• Onboarding & Remediation: increases productivity and improves user experience
• Device Profiling & Posture: provides comprehensive secure access
• Network Enforcement: decreases operational costs
• Intelligent Identity: ensures consistent policies
Diagram: Cisco® ISE between the IT Infrastructure (NET MGMT) and the Cisco Network, providing Network Control and Context Sharing.
• Consistent source of identity
• Endpoint device-type awareness
• Posture, access level, network location context
• Enable ecosystem partner platform to share context for use in ISE network policy
• Enable ecosystem partner to take network actions via ISE
The Unified Directory of User/Device Context & Network Control
Identity & Device Context
Unified Context/Control Makes IT Platforms More Effective
CISCO ISE
ISE Provides Context: Identity, Device-Type, Posture, Authorization Level, Location
LogRhythm Takes Action: Network quarantine of users & devices via ISE
IDENTITY & DEVICE-AWARE SECURITY ANALYTICS
“Increase severity of security alarms associated with mobile devices accessing finance data”
“Create security dashboard for guest user security activity”
“Monitor IT admin groups accessing directory services databases”
CORRELATE IDENTITY & DEVICE TO SECURITY EVENTS
“This breach event is associated with Scott Smith”
“…and it is from Scott Smith’s MacBook with OSX v10.6.2”
“…and Scott Smith has access to our IT admin systems”
TAKE NETWORK MITIGATION ACTION
1. LogRhythm quarantines Scott Smith
2. ISE matches to “Quarantine” policy
3. Cisco switch executes authorization change
4. Scott Smith re-assigned to “Restricted Access”
CISCO ISE
ISE Provides Context: Identity, Device-Type, Posture, Authorization Level, Location
LogRhythm Takes Action: Network quarantine of users & devices via ISE
BENEFITS
• Clarify what security events to focus on
• Device, user and group driven security analytics enable LogRhythm to scrutinize specific environments like BYOD or high-risk user groups
• Make security events actionable in the network
Potential Breach Event (without integration)
• Associate User to Event
• Check Endpoint Posture
• How Do I Mitigate?
• Where is it on the Network?
• What Kind of Device is it?
• Associate User to Authorization
Data sources: SIEM, AAA Logs, IAM, NAC, and unknown (??) sources
MANY SCREENS, MISSING DATA
COMPLICATED MITIGATION
Potential Breach Event (with CISCO ISE + LogRhythm)
• Associate User to Event
• Check Device Type
• Check Network Location
• Check Endpoint Posture
• Associate User to Authorization
• Mitigate in Network
LogRhythm: Security Event; ISE: User and Device Context Related to Security Event
Endpoint Network Action: USER, DEVICE (IP or MAC ADDRESS), Quarantine (Integrated Mitigation)
ONE SCREEN, ALL DATA
INTEGRATED MITIGATION
1. All data collected from Cisco Identity Services Engine (ISE) via Syslog
2. LogRhythm:
   • Collects
   • Normalizes
   • GeoTags
   • Recognizes Events
   • Assigns Risk Prioritization
   • Stores log and event data for long term retention
3. Applies behavioral analysis techniques
4. Performs correlation across data sources
5. Triggers SmartResponse™ actions back to Cisco ISE when applicable
Use Cases:
• Sophisticated Intrusions
• Mobile and Guest Device Access Violations
• Enhanced Investigation and root cause analysis
Identify Rogue Mobile Device:
• Identifies Device Type: Mobile
• Histogram of Peer Group Activity; Alert on Deviation from Group
Identify Suspicious Guest Activity:
• Identifies User Role: Guest
• Model Access Attempts; Alert on excessive failed access attempts
• Reports Network Access Switch
Identify Compromised User Accounts:
• Geolocates each Authentication
• Alerts when same account used in different Geos
Identify Operational Issues:
• Audits authentication process
• Learns standard authentication
• Recognizes unusual amount of errors or warnings
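The deck lists the rule types a SIEM applies to ISE syslog (correlation such as "multiple authentication failures followed by success", a whitelist of countries for VPN logins, and the compromised-account use case "same account used in different Geos") but shows no rule logic. The following is an added example, not Cisco's or LogRhythm's code: it normalizes a handful of constructed, simplified ISE-style syslog lines and runs those three rules over them. The CISE_Failed_Attempts and CISE_Passed_Authentications category names are real ISE logging categories, but the key=value layout, host names, user names, the Country field (stand-in for the GeoTag step) and the US/GB allowlist are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real ISE output): a simplified key=value layout
# borrowing only the CISE_* category names from ISE's syslog categories.
SAMPLE_LOGS = """\
Mar 10 09:00:01 ise01 CISE_Failed_Attempts UserName=scott.smith Country=US Service=Wired NAS=sw-chi-01
Mar 10 09:00:04 ise01 CISE_Failed_Attempts UserName=scott.smith Country=US Service=Wired NAS=sw-chi-01
Mar 10 09:00:07 ise01 CISE_Failed_Attempts UserName=scott.smith Country=US Service=Wired NAS=sw-chi-01
Mar 10 09:00:12 ise01 CISE_Passed_Authentications UserName=scott.smith Country=US Service=Wired NAS=sw-chi-01
Mar 10 09:05:00 ise01 CISE_Passed_Authentications UserName=vicky.sanchez Country=US Service=VPN NAS=vpn-hq
Mar 10 09:20:00 ise01 CISE_Passed_Authentications UserName=vicky.sanchez Country=RU Service=VPN NAS=vpn-hq
Mar 10 09:30:00 ise01 CISE_Passed_Authentications UserName=frank.lee Country=GB Service=VPN NAS=vpn-hq
Mar 10 09:31:00 ise01 CISE_Failed_Attempts UserName=frank.lee Country=GB Service=Wireless NAS=wlc-hq
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<category>\S+) (?P<kv>.*)$")


def normalize(raw):
    """Collect/normalize step: parse each syslog line into a flat event dict."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real collector would count unparseable lines rather than drop them silently
        ev = {
            "ts": datetime.strptime("2010 " + m.group("ts"), "%Y %b %d %H:%M:%S"),  # syslog lacks a year
            "host": m.group("host"),
            "outcome": "success" if m.group("category") == "CISE_Passed_Authentications" else "failure",
        }
        ev.update(kv.split("=", 1) for kv in m.group("kv").split())
        events.append(ev)
    return events


def failures_then_success(events, threshold=3, window_s=300):
    """Correlation: >= threshold failures for one account followed by a success inside the window."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of failures still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["UserName"]
        recent[user] = [t for t in recent[user] if (ev["ts"] - t).total_seconds() <= window_s]
        if ev["outcome"] == "failure":
            recent[user].append(ev["ts"])
        elif len(recent[user]) >= threshold:
            alerts.append((user, len(recent[user])))
            recent[user].clear()  # one alert per burst
    return alerts


def vpn_country_violations(events, allowed=frozenset({"US", "GB"})):
    """Whitelisting: successful VPN logins from a country outside the allowlist (allowlist is constructed)."""
    return [(ev["UserName"], ev["Country"]) for ev in events
            if ev.get("Service") == "VPN" and ev["outcome"] == "success"
            and ev["Country"] not in allowed]


def multi_geo_accounts(events, window_s=3600):
    """Compromised-account use case: the same account authenticates from two countries inside the window."""
    alerts = []
    last = {}  # user -> (ts, country) of the previous successful authentication
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "success":
            continue
        user, country = ev["UserName"], ev["Country"]
        prev = last.get(user)
        if prev and prev[1] != country and (ev["ts"] - prev[0]).total_seconds() <= window_s:
            alerts.append((user, prev[1], country))
        last[user] = (ev["ts"], country)
    return alerts


def run_rules(raw=SAMPLE_LOGS):
    """Run all three rules over the normalized events and return their hits by rule name."""
    events = normalize(raw)
    return {
        "failures_then_success": failures_then_success(events),
        "vpn_country_violations": vpn_country_violations(events),
        "multi_geo_accounts": multi_geo_accounts(events),
    }


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        print(rule, hits)
```

On the constructed sample, the first rule fires once for scott.smith (three failures, then a success eleven seconds later), the allowlist rule flags vicky.sanchez's VPN login from RU, and the geo rule flags the same account because it succeeded from US and RU fifteen minutes apart; frank.lee's single wireless failure trips nothing. In a production pipeline the Country field would be populated by the GeoTag step from the client IP, and each hit would become a prioritized event rather than a tuple.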
DEMO
Q&A
ISE Integration for Threat Defense Whitepaper: bit.ly/ise-siem-whitepaper
ISE+SIEM Integration Video to Share with Your Colleagues: bit.ly/ISE-SIEM-Video
More on LogRhythm’s Security Intelligence: http://www.logrhythm.com