Effective Security: Defending against Encrypted threats
William Young – Global Security Solutions Architect
[email protected]
#williamdyoung


Page 1: Title slide – Effective Security: Defending against Encrypted threats. William Young – Global Security Solutions Architect, [email protected], #williamdyoung

Page 2: Encryption is the Bad Guys' Friend

Expect 70% of attacks to be encrypted by 2019
75% of Web Traffic will be encrypted by 2019 – NSS Labs, Nov 2016
Google Research

SSL/TLS Decrypt:
• Expensive
• Defeats the purpose
• Doesn't always work

Page 3: Challenges with hardware / software decryption

• Many applications will break (Certificate Pinning, HPKP, etc.)
• New protocols (TLS 1.3, SPDY, HTTP/2, QUIC)
• Vendors pushing TLS (Microsoft, Apple, Google, Facebook, etc.)
• Privacy and compliance
• Decryption is computationally expensive!

Page 4: Certificate Pinning Example – Dropbox Client

Page 5: HTTP/2 challenges on proxy/ngfw/<insert nw-device here>

• HTTP/2 encrypted with TLS
• Binary format and header compression need to be parsed (no more cleartext)
• Single TCP connection reuse

Page 6: QUIC challenges on proxy/ngfw/<insert nw-device here…>

• QUIC is always encrypted
• QUIC is using multiplexed streams
• ..and most likely soon also across multiple paths (IETF..)
• Can use IPv4 and IPv6 concurrently to same client
• If QUIC is not understood, connections look like unrelated UDP connections
• QUIC can be initiated from client and from server
• Where is now inbound and where is outbound?

Page 7: Network: What can we do in the Firewall?

Page 8: NGFW Policy decisions for traffic decryption

Diagram stages: Decryption; SSL-Policy; Access-Policy; IPS, App, etc.

Page 9: Detecting the requested Host

The requested hostname is usually detected by one of several methods:

Transparent Request (Transparent proxy, FW)
1. Check the SNI Name in the TLS Client Hello
2. Check the CN Field in the Subject of the Server Certificate

Page 10: Partial TLS Handshake (TLS 1.0 – 1.2)

TLS Client -> TLS Server: ClientHello, SNI=www.example.com (desired server)
TLS Server -> TLS Client: ServerHello, Certificate for www.example.net (actual server), Session key (encrypted with private key)

Server certificate can avoid decrypting if entire site is blacklisted or whitelisted

Page 11: Partial TLS Handshake (TLS 1.3)

TLS Client -> TLS Server: ClientHello, SNI=www.example.com (desired server), Client's Diffie-Hellman key
TLS Server -> TLS Client: ServerHello, Server's Diffie-Hellman key, { Certificate for www.example.net (actual server) } { Session key (encrypted with private key) }
Fields in braces are encrypted by DH.
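In TLS 1.3 the certificate travels encrypted, so the SNI in the ClientHello is the only cleartext hostname a transparent proxy or firewall gets. The following Python is an added example, not code from the deck: it parses the server_name extension out of a raw ClientHello record, and the record builder produces a constructed sample input so the check runs offline.

```python
"""Extract the SNI host_name from a raw TLS ClientHello record.

Added example for the handshake slides; build_client_hello() constructs a
minimal ClientHello in memory (not a capture) so extract_sni() can be run
without a network.
"""
import struct
from typing import Optional


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS 1.2-style ClientHello carrying an SNI extension."""
    name = hostname.encode("ascii")
    server_name_list = b"\x00" + _u16(len(name)) + name          # name_type 0 = host_name
    sni_ext = _u16(0) + _u16(len(server_name_list) + 2) + _u16(len(server_name_list)) + server_name_list
    # An unrelated extension (supported_versions, type 43) so the parser
    # has to step over extensions it does not care about.
    other_ext = _u16(43) + _u16(3) + b"\x02\x03\x04"
    extensions = sni_ext + other_ext
    body = (
        b"\x03\x03"                  # client_version (TLS 1.2)
        + bytes(32)                  # random
        + b"\x00"                    # session_id length 0
        + _u16(2) + b"\x13\x01"      # one cipher suite
        + b"\x01\x00"                # compression methods: null
        + _u16(len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 24-bit length
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake       # record type 22 = handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name of a ClientHello record, or None.

    Anything that is not a complete ClientHello with an SNI extension
    (non-TLS traffic, resumption without SNI, truncated data) yields None
    instead of an exception, as a policy engine would need.
    """
    try:
        if record[0] != 0x16:                       # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                           # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        i = 2 + 32                                  # skip version + random
        i += 1 + p[i]                               # session_id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]  # cipher_suites
        i += 1 + p[i]                               # compression_methods
        if i >= len(p):
            return None                             # no extensions block
        ext_len = struct.unpack("!H", p[i:i + 2])[0]
        i += 2
        end = i + ext_len
        while i + 4 <= end:
            ext_type, ext_body_len = struct.unpack("!HH", p[i:i + 4])
            i += 4
            body = p[i:i + ext_body_len]
            i += ext_body_len
            if ext_type != 0:                       # 0 = server_name
                continue
            j = 2                                   # skip server_name_list length
            while j + 3 <= len(body):
                name_type = body[j]
                name_len = struct.unpack("!H", body[j + 1:j + 3])[0]
                name = body[j + 3:j + 3 + name_len]
                j += 3 + name_len
                if name_type == 0:                  # host_name
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
```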

Page 12: SSL Policy Rule Actions

• For internal traffic going outside
• For external traffic going to internal server (via passive interface)

Page 13: SSL Inspection on Passive Interface

If the TLS connection uses PFS, traffic inspection is not possible…

Diagram: Client – TAP – Server; NGFW with copy of Server key and cert (labels: ABC, ABC, ABC#$*#$*)

Page 14: Inspect Outgoing Traffic

Action: Decrypt and resign
Certificate to be used
It replaces the key ONLY in the Self-Signed Certificate, instead of the whole certificate. It causes the client browser to warn that the certificate is self-signed.

Page 15: Rule matching criteria

• Multiple criteria for matching the rule
• DN of the destination certificate
• Some predefined sites that are undecryptable

Page 16: Settings per SSL Policy Rules

• Certificate Status: Revoked, self-signed, not yet valid, expired, invalid issuer, invalid signature, valid.
• Cipher suite
• SSL version

If the certificate matches any of the selected statuses, the rule matches the traffic.

Page 17: Example Rules for certificate checking

• Block Certificate Errors
• Exclude Self-signed Certificate Errors

Page 18: Example Rules – Checking Self-Signed

• BLOCK or whatever Action you want...
• Include Self-signed
• Ignore all others
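To show how the criteria on the preceding slides (certificate status, cipher suite, SSL version, destination DN) combine into an ordered rule set, and why the passive-interface slide says PFS defeats known-key decryption, here is an added example in Python. It is not Firepower's code; the rule names, the sample connections and the ".dropbox.com" bypass are constructed for illustration.

```python
"""SSL policy rule matching over TLS connection metadata (added example).

First matching rule wins and the default is "do not decrypt", matching the
deck's note that undecrypted HTTPS gets no certificate action by default.
A "decrypt-known-key" rule (passive interface, copy of the server key)
cannot inspect a session that negotiated (EC)DHE or TLS 1.3, because the
session key was never encrypted with that server key.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

CERT_STATUSES = frozenset({
    "revoked", "self-signed", "not-yet-valid", "expired",
    "invalid-issuer", "invalid-signature", "valid",
})
CERT_ERRORS = CERT_STATUSES - {"valid"}


@dataclass(frozen=True)
class TlsConnection:
    server_name: str      # from the ClientHello SNI or the certificate CN
    version: str          # e.g. "TLSv1.2"
    cipher_suite: str     # IANA cipher suite name
    cert_status: str      # one of CERT_STATUSES

    def uses_pfs(self) -> bool:
        """Ephemeral (EC)DHE key exchange; TLS 1.3 allows nothing else."""
        return (self.version == "TLSv1.3"
                or "_ECDHE_" in self.cipher_suite
                or "_DHE_" in self.cipher_suite)


@dataclass(frozen=True)
class SslRule:
    name: str
    action: str                                  # block / do-not-decrypt / decrypt-resign / decrypt-known-key
    cert_statuses: FrozenSet[str] = frozenset()  # empty = any status
    versions: FrozenSet[str] = frozenset()       # empty = any version
    cipher_suites: FrozenSet[str] = frozenset()  # empty = any suite
    dn_suffixes: Tuple[str, ...] = ()            # empty = any destination

    def matches(self, c: TlsConnection) -> bool:
        # Each criterion means "any of the selected values"; all criteria must hold.
        if self.cert_statuses and c.cert_status not in self.cert_statuses:
            return False
        if self.versions and c.version not in self.versions:
            return False
        if self.cipher_suites and c.cipher_suite not in self.cipher_suites:
            return False
        if self.dn_suffixes and not any(c.server_name.endswith(s) for s in self.dn_suffixes):
            return False
        return True


def evaluate(rules: List[SslRule], c: TlsConnection, passive: bool = False) -> Tuple[str, str]:
    """Return (action, reason) for the first matching rule; default do-not-decrypt."""
    for rule in rules:
        if not rule.matches(c):
            continue
        if rule.action == "decrypt-known-key" and c.uses_pfs():
            # The box holds the server key, but PFS leaves the flow opaque.
            return "do-not-decrypt", f"{rule.name}: PFS ({c.cipher_suite}) prevents known-key decryption"
        if rule.action == "decrypt-resign" and passive:
            # Resigning rewrites the handshake, which needs an inline path.
            return "do-not-decrypt", f"{rule.name}: resign is not possible on a passive interface"
        return rule.action, rule.name
    return "do-not-decrypt", "default"


# Outbound rule order as on the example slides: block certificate errors
# except self-signed, handle self-signed explicitly, bypass a pinned site,
# then decrypt and resign everything else.
OUTBOUND_RULES = [
    SslRule("block-certificate-errors", "block", cert_statuses=CERT_ERRORS - {"self-signed"}),
    SslRule("self-signed", "block", cert_statuses=frozenset({"self-signed"})),
    SslRule("undecryptable-sites", "do-not-decrypt", dn_suffixes=(".dropbox.com",)),
    SslRule("decrypt-outbound", "decrypt-resign"),
]

# Inbound, via a passive interface, with a copy of the internal server's key.
INBOUND_PASSIVE_RULES = [
    SslRule("decrypt-with-server-key", "decrypt-known-key", dn_suffixes=("www.example.net",)),
]
```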

Page 19: Further firewall actions with TLS Decryption

• SNI is always enabled
• No automatic download of missing intermediate certificates
• Manual upload required
• No action on certificate check for undecrypted HTTPS connection in the default settings
• Client is responsible for any error message
• Cannot prompt the client in case you have an error
• SSL Policy needs to be attached to an access policy

Page 20: Security Service Gateway

Diagram: Users – Radware ADC – Cisco Firepower – Radware ADC – Data Center

• Visibility for inbound and outbound encrypted traffic
• Chain multiple inspection services
  - Load-balance service elements within a group
  - Bypass failed groups
• Bypass URLs/Sites, IP addresses based on categories/policy
• Mix/match inspection elements, i.e., passive/active inspection elements
• Inspection elements can be L2/L3
  - Bump in the wire, routed, transparent, opaque
• Up to 45 Gbps of SSL/TLS throughput, and 100K CPS
  - TLS 1.3 Support
• FIPS 140-2 Compliant
• Fully patent protected
  - More details at: http://www.google.com/patents/US7769994

Page 21: Network: What can be done without Encryption?

Page 22: Firepower Management Center – Threat Intelligence Director

Ingest Security Intelligence; Correlate Observations; Generate Rich Incident Reports; Refine Security Posture

Ingests "flat files" and STIX Observations

Third-Party Sources
• Threat intelligence feeds
• Threat intelligence platforms

Cisco Security Appliances
• Cisco Firepower NGFW
• Cisco FirePOWER NGIPS

Threat Intelligence Director assimilates Third-Party Security Intelligence

Page 23: Leverage Security Intelligence Feeds


• IP Address, DNS, and URL Feeds

• Multiple categories: Malware, Phishing, Command and Control and more

• Black/White-list URL with one click

• Fast-flux domain support

• TALOS and 3rd party feeds

Page 24: "Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year."

– Gartner's Top 10 Security Predictions 2016

Page 25: Current decryption methods are becoming obsolete

Encrypted Traffic vs. Non-Encrypted Traffic
How do you analyze threats without decrypting traffic flows?
Can We Actually Solve This?

Page 26: Encrypted Traffic Analytics (ETA) – Visibility and malware detection without decryption, using the Network as a Sensor

Malware in encrypted traffic – Is the payload within the TLS session malicious?
• End to end confidentiality
• Channel integrity during inspection
• Adapts with encryption standards

Cryptographic compliance – How much of my digital business uses strong encryption?
• Audit for TLS policy violations
• Passive detection of ciphersuite vulnerabilities
• Continuous monitoring of network opacity

Page 27: Encrypted Traffic Analytics (ETA) – Technical solution overview

Diagram: Encrypted traffic exporters (Catalyst 9k, ISR, ASR*) -> Stealthwatch/ETA NetFlow collector(s) -> Cisco® Cloud Services

• Enhanced NetFlow from Cisco's newest switches and routers
• Enhanced analytics and machine learning
• Integration with ISE and TrustSec
• Malware detection and cryptographic compliance

Higher Visibility – Innovative detection – Leveraged network

Page 28: Encrypted Traffic Analytics (ETA) – The Technology

• Global-to-local knowledge correlation results in higher precision of threat findings
• Stealthwatch enhanced analytics and machine learning reduces threat investigation time
• Enhanced NetFlow with encrypted traffic analytics from Cisco's newest switches and routers

Network Sensors export an enhanced flow record: srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets, IDP, SPLT

Sequence of Packet Lengths and Times (SPLT): the SPLT field gives us visibility beyond the first packet of the encrypted flows.
Initial Data Packet (IDP): the first packets of any connection contain valuable data about the content.
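To make the IDP and SPLT fields concrete, here is an added Python example (not Cisco's exporter code) that builds the record listed above from a constructed packet sequence and shows what each field exposes without decryption. The IDP/SPLT sizes and the sign-encoded direction are this example's assumptions; the page does not state how the real exporter sizes them.

```python
"""Build an ETA-style enhanced flow record (IDP + SPLT) from packets.

Added example. Field names follow the slide's record; the caps (first 64
bytes of IDP, first 10 data packets in SPLT) and encoding direction as the
sign of the length are assumptions of this example. The packets below are
constructed in memory using the addresses from the NetFlow slide.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes   # TCP payload; empty for pure ACKs


def build_eta_record(packets: List[Packet], max_splt: int = 10, idp_bytes: int = 64) -> Dict:
    """Return the slide's record: 5-tuple, times, counters, IDP and SPLT.

    IDP  = first idp_bytes of the first packet that carries data.
    SPLT = up to max_splt (length, gap_ms) pairs over data-carrying packets;
           length is positive client->server and negative server->client.
    """
    if not packets:
        raise ValueError("flow has no packets")
    first = packets[0]   # the flow is keyed on its initiator
    rec = {
        "srcIP": first.src, "dstIP": first.dst,
        "srcPort": first.sport, "dstPort": first.dport, "prot": 6,
        "startTime": first.ts, "stopTime": packets[-1].ts,
        "numBytes": sum(len(p.payload) for p in packets),
        "numPackets": len(packets),
        "IDP": b"", "SPLT": [],
    }
    prev_ts: Optional[float] = None
    for p in packets:
        if not p.payload:
            continue                      # ACK-only segments carry no SPLT signal
        if not rec["IDP"]:
            rec["IDP"] = p.payload[:idp_bytes]
        if len(rec["SPLT"]) < max_splt:
            gap_ms = 0 if prev_ts is None else round((p.ts - prev_ts) * 1000)
            sign = 1 if p.src == first.src else -1
            rec["SPLT"].append((sign * len(p.payload), gap_ms))
            prev_ts = p.ts
    return rec


def idp_tls_info(idp: bytes) -> Optional[Dict]:
    """What the Initial Data Packet reveals without decryption: whether the
    flow opens with a TLS handshake record, its record version, and the
    handshake message type (1 = ClientHello)."""
    if len(idp) < 6 or idp[0] != 0x16 or idp[1] != 0x03:
        return None
    return {"record_version": (3, idp[2]), "handshake_type": idp[5]}


def splt_summary(splt: List[Tuple[int, int]]) -> Dict:
    """Direction-aware byte totals and the longest silence: the kind of
    shape features a classifier consumes instead of payload."""
    up = sum(length for length, _ in splt if length > 0)
    down = sum(-length for length, _ in splt if length < 0)
    return {"bytes_up": up, "bytes_down": down,
            "max_gap_ms": max((gap for _, gap in splt), default=0)}


# Constructed sample flow (client 10.1.8.3:47321 -> server 172.168.134.2:443).
C, S = "10.1.8.3", "172.168.134.2"
SAMPLE_FLOW = [
    Packet(0.000, C, 47321, S, 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),  # ClientHello-like, 10 bytes
    Packet(0.004, C, 47321, S, 443, b""),                                         # ACK only
    Packet(0.020, S, 443, C, 47321, b"\x16\x03\x03" + bytes(97)),                 # ServerHello-like, 100 bytes
    Packet(0.025, C, 47321, S, 443, b"\x17\x03\x03" + bytes(37)),                 # application data, 40 bytes
    Packet(0.300, S, 443, C, 47321, b"\x17\x03\x03" + bytes(197)),                # application data, 200 bytes
]
```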

Page 29: Encrypted Traffic Analytics (ETA) – NetFlow Analytics with Cloud Intelligence

• Enhanced analytics and machine learning
• Global-to-local knowledge correlation
• Enhanced NetFlow from Cisco's newest switches and routers

Higher Precision – Faster Investigation – Leveraged Network

Diagram: Network Meta-Data -> Cisco Stealthwatch <-> Cisco Cloud
99% Threat Detection Accuracy, 0.01% False Positives*
*Cisco research findings

Page 30: Visibility Through NetFlow

Diagram: 10.1.8.3 -> Routers/Switches -> Internet -> 172.168.134.2; flow information is exported from the packets.

Flow record example:
SOURCE ADDRESS        10.1.8.3
DESTINATION ADDRESS   172.168.134.2
SOURCE PORT           47321
DESTINATION PORT      443
INTERFACE             Gi0/0/0
IP TOS                0x00
IP PROTOCOL           6
NEXT HOP              172.168.25.1
TCP FLAGS             0x1A
SOURCE SGT            100
: :
APPLICATION NAME      NBAR SECURE-HTTP

NetFlow Provides
• A trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurements
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Indications of compromise (IOC)
• Security group information

Page 31: Behavioral and Anomaly Detection Model – Behavioral Algorithms Are Applied to Build "Security Events"

COLLECT AND ANALYZE FLOWS -> SECURITY EVENTS (94+) -> ALARM CATEGORY -> RESPONSE

Security events (examples):
Addr_Scan/tcp
Addr_Scan/udp
Bad_Flag_ACK**
Beaconing Host
Bot Command Control Server
Bot Infected Host - Attempted
Bot Infected Host - Successful
Flow_Denied
...
ICMP Flood
...
Max Flows Initiated
Max Flows Served
...
Suspect Long Flow
Suspect UDP Activity
SYN Flood

Alarm categories: Concern, Exfiltration, C&C, Recon, Data hoarding, Exploitation, DDoS target

Response: Alarm table, Host snapshot, Email, Syslog / SIEM, Mitigation

Page 32: Investigating a Host

Summary; Communication patterns

Page 33: Cloud: What services can be delivered?

Page 34: What about DNS protection? Cisco Umbrella

Umbrella Cloud Service
• Enterprise-wide deployment in minutes
• Malware, C2 Callbacks, Phishing
• Intelligence to see attacks before launched
• Visibility and protection everywhere
• Stop threats before connections are made

Page 35: Gather intelligence and enforce security at the DNS layer

Diagram: Any device -> Recursive DNS -> root -> com. -> domain.com. (Authoritative DNS)

Authoritative DNS logs – used to find:
• Newly staged infrastructures
• Malicious domains, IPs, ASNs
• DNS hijacking
• Fast flux domains
• Related domains

User request patterns – used to detect:
• Compromised systems
• Command and control callbacks
• Malware and phishing attempts
• Algorithm-generated domains
• Domain co-occurrences
• Newly registered domains

Page 36: Umbrella intelligent proxy

Diagram: Requests for "risky" domains -> Intelligent proxy -> URL inspection (Cisco Talos feeds, Partner feeds, Custom URL block list) and File inspection (AV Engines, Cisco AMP)

Page 37: Intelligent proxy – Deeper inspection

Decryption and inspection when needed

Security controls:
• DNS and IP enforcement
• Risky domain inspection through proxy
• Selective SSL decryption
• File inspection (AMP and AV)

Diagram: Internet traffic (on and off-network) -> security controls -> Destinations: Safe -> original destinations; Blocked -> modified destination (original destination or block page)

Page 38: Cisco Umbrella and ThreatGrid integration

AMP Threat Grid (Dynamic Analysis, Static Analysis, Threat Intelligence) -> Domain Based IOC Data -> Suspect Domain Protection
File samples from AMP ThreatGrid Enabled Security Solutions: ASA/FP Firewall Appliance, Firepower, Web Security (WSA), E-Mail Security (ESA), Mobile, AMP, Security Analyst
Protected Clients: Immediate Protection from domain based IOCs

Benefits
• Automated integration
• Full AMP Solution Coverage

Page 39: Enterprise-wide deployment in minutes

Off-network protection (Roaming client)
• No additional agents to deploy with AnyConnect
• Or Umbrella roaming client works alongside other VPNs for DNS and IP redirection

Cisco networking (AnyConnect, WLAN Controller, ISR 4K)
• Out-of-the-box integration
• Use of tags for granular filtering and reporting
• Policies per VLAN/SSID

On-network protection (DNS/DHCP servers, Wireless APs)
• Simple configuration change to redirect DNS
• Policies for corporate and guests

Page 40: Endpoint: First (and last!) line of defense

Page 41: Security in the Endpoint – Network Visibility, Threat Protection, Roaming Protection

NETWORK VISIBILITY MODULE
• NETFLOW DATA FROM ENDPOINT
• DEVICE + USERNAME
• APPLICATION AND PROCESS DATA

UMBRELLA ROAMING AGENT
• PROTECTS ENDPOINT INTERNET TRAFFIC
• OFF PREM DNS PROTECTION
• PER USER / GROUP REPORTING & POLICY

ADVANCED MALWARE PREVENTION
• ON AND OFF PREM FILE / MALWARE BLOCKING

Page 42: Secure Access On and Off Premise – Always-On and transparent connectivity with Trusted Network Detection

On Premise: User – No VPN Required
Off Premise (Untrusted): User – VPN Required – ASA

Page 43: Flow Analytics security from the endpoint – With the AnyConnect Network Visibility Module (NVM)

Endpoint Context
• IPFIX-Based NetFlow Record
• Unique Device ID
• Device Name (bsmith-WIN) and OS Version
• Domain\User Name (Amer\bsmith)
• Local DNS (starbucks.com)
• Target DNS (amceco.box.com)
• Interface (Intel® Dual Band Wireless)
• Process/Container Name (iexplorer.exe), Process ID (hash)
• Parent Process Name (foobar.exe), Parent ID (hash)

Collection & Analytics Services: NetFlow Collector

Page 44: AMP Continuous Analysis and Retrospective Security


Breadth and Control points: Endpoints, Network, Email, Devices, IPS, Web (WWW)

Telemetry Stream (continuous feed): File Fingerprint and Metadata; Process Information; File and Network I/O

Continuous analysis with Talos + Threat Grid Intelligence:
• Trajectory
• Behavioral Indications of Compromise
• Threat Hunting
• Retrospective Detection

Page 45: Mobile device security solutions are disruptive and leave gaps

PROBLEM (END-USERS / ADMIN-USERS): Custom browser app; VPN profile (always-on or on-demand); Global HTTP proxy

Page 46: iOS Security Connector: SOLUTION

• No user behavior changes
• All network activity is seen
• Works with ALL apps
• Best visibility and performance
ADMIN-USERS and END-USERS work as usual

Page 47: iOS Security Connector – One iOS app, two extensions (Supervised iPhone / iPad)

UMBRELLA EXTENSION (Umbrella app extension – ENCRYPTION & ENFORCEMENT)
• Visibility and control for all applications
• Defends against attacks and data exfiltration

CLARITY EXTENSION (Clarity app extension, AMP – AUDITING & CORRELATION)
• Audits encrypted and clear text flows by users, apps, and devices

Page 48: Intelligence Matters

Page 49: TALOS – Unmatched Visibility, Research, and Analytics

Threats Across the Internet; Threats Inside your Network
• Hundreds of Thousands Customers
• 7.3T Threats Blocked Annually
• 250+ Threat Researchers
• Tens of Millions Users
• Hundreds of Threat Analytic Engines

Page 50: Build an Architecture – Security that works together

Endpoint, Cloud, Network
Integrated Best of Breed

Page 51: Internal Users to Internet – Protecting the Employees

Products shown: Endpoint (Cisco AMP); Cisco WSA or Firepower; Cisco Stealthwatch; Cisco WSA, Firepower, or Umbrella; Cisco Umbrella; Cisco ISE; Cisco Firepower Threat Defense

Capabilities on the path Employee -> Internet: Advanced Malware Protection; Application Control; Anti-Virus; NGIPS; Identity Authorization; Segmentation / TrustSec; Firewall; GeoFiltering; Logging / Reporting; Recursive DNS Security; Flow Analytics; URL Filtering; SSL Decryption; SIEM; Network Anti-Malware; Web Proxy; Data Leakage Protection (DLP)

Page 53: Talos Intel Background

THREAT INTEL: 250+ Full Time Threat Intel Researchers; MILLIONS of Telemetry Agents; 4 Global Data Centers; 1100+ Threat Traps; 100+ Threat Intelligence Partners

Daily volume: 1.5 MILLION Daily Malware Samples; 600 BILLION Daily Email Messages; 16 BILLION Daily Web Requests; 20 BILLION Threats Blocked

Sources: Honeypots; Open Source Communities; Vulnerability Discovery (Internal); Product Telemetry; Internet-Wide Scanning

INTEL SHARING (500+ Participants): Customer Data Sharing Programs; Provider Coordination Program; Open Source Intel Sharing; 3rd Party Programs (MAPP); Industry Sharing Partnerships (ISACs)

Page 54: Cisco secure access solutions – focus areas

Visibility – Network and security analytics
• Stealthwatch
• ISE
• Encrypted Traffic Analysis

Threat prevention – Threat protection
• NGFW/NGIPS
• Advanced Malware Protection (AMP)
• Umbrella / CloudLock

Segmentation – Firewall and access control
• DNA
• ISE
• NGFW

Integrated

Page 55: Cisco Security Architecture

Cisco Security Homepage: Cisco.com/go/security

Page 56: The Only Way

Page 57: Rapid Threat Containment & Threat Centric NAC – Cisco Firepower Management Center (FMC) and Cisco Identity Service Engine (ISE)

Benefits
• Detect Threats Early: Firepower scans activity and publishes events to ISE
• Automate Endpoint Containment: ISE alerts the network of suspicious activity according to policy
• Integrate Best-of-Breed Security: Growing ecosystem of threat defense partners integrate with ISE

Page 58: Rapid Threat Containment with Firepower Management Center and ISE

Diagram: Endpoint – Controller / NGFW – i-Net (WWW); FMC and ISE MnT
1. Security Events / IOCs Reported
2. Correlation Rules Trigger Remediation Action
3. pxGrid EPS Action: Quarantine + Re-Auth

Page 59: Rapid Threat Containment with Firepower Management Center and ISE (continued)

Diagram: Endpoint – Controller / NGFW – i-Net (WWW); FMC and ISE MnT
4. Endpoint Assigned Quarantine + CoA-Reauth Sent

Page 60: ISE integration diagram

Labels: ISE; Switches, Routers, Wireless; Endpoints, IoT, Phones, Printers; WSA, ESA, FMC, SMC; TALOS, AMP/TG, Umbrella, CTA; SIEM; VMC; Cloud Services; Infrastructure & Devices

Legend (connection types): Net Protocols; pxGrid; AMP/TG API; Firepower API; Syslog; Talos API; Generic API; Radius; Netflow; DNS

Page 61: Cisco API Resources

https://developer.cisco.com/site/security/

Page 62: Tetration answers your Critical Questions

• What was out of Policy? – Audit & Compliance
• Who talks with who? – Application Dependency
Network DVR Visibility; Aut. Policy Discovery; Policy Enforcement

Page 63: Cisco Segmentation with Active Threat Response

Step 1: Control policy and audit -> Step 2: Anomaly Detection -> Step 3: Dynamic Enforcement

Page 64: Detect Data Center threats with Stealthwatch

Monitor
• Comprehensive, contextual network flow visibility
• Real-time situational awareness of traffic

Detect
• Detect anomalous network behavior
• Detect network behaviors indicative of threats: worms, insider threats, DDoS and malware

Respond
• Quickly scope an incident
• Network troubleshooting
• One click quarantine

Analyze
• Holistic network audit trail
• Threat hunting and forensic investigations

Diagram: End-to-End Network Visibility across User/Device – Switch – Router – WAN – Router – Firewall – Data Center Switch – Server

Page 65: Greater visibility and security together – Cisco Tetration and Stealthwatch

Threat detection and hunting; Application traffic modeling & visibility; Access control policy and audit; Anomalous behavior
Integrated with other security solutions: 1+1=3

Page 66: Cisco Tetration Connection Manager – Automated security policy recommendation

Step 1: Behavior analysis
• Application conversations
• Conversation details / process bindings

Step 2: Auto-generation of whitelist policies
Whitelist policy recommendation
• Identifies application intent
• Generates 4 tuple policies
Export into Cisco solutions
• Export in JSON, XML and YAML
• Import into ACI, ASA, NGFW

Legacy Rule Cleanup
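The two steps above, behavior analysis over observed conversations and auto-generation of 4-tuple whitelist policies exported as JSON, are shown below as an added Python example. It is not Tetration's code: the inventory that maps hosts to application groups, the conversations, and the legacy rules are all constructed, and the legacy-cleanup pass is a plain set difference rather than the product's own logic.

```python
"""Derive whitelist 4-tuple policies from observed conversations (added example).

Step 1: collapse per-host conversations (with their server-side process
binding) into (consumer group, provider group, protocol, port) tuples.
Step 2: emit them as allow policies in JSON and report legacy rules that
no observed conversation needs. Inventory and conversations are constructed.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

Rule = Tuple[str, str, str, int]   # (consumer group, provider group, proto, port)


@dataclass(frozen=True)
class Conversation:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" / "udp"
    dst_port: int
    process: str    # server-side process bound to the port


def recommend_policies(convs: List[Conversation], inventory: Dict[str, str],
                       min_flows: int = 1) -> List[Dict]:
    """Group-level whitelist policies with the evidence behind each one.

    Hosts absent from the inventory land in an "unknown" group so the gap
    shows up in the recommendation instead of being silently dropped.
    """
    seen: Dict[Rule, Dict] = defaultdict(lambda: {"flows": 0, "processes": set()})
    for c in convs:
        key = (inventory.get(c.src_ip, "unknown"), inventory.get(c.dst_ip, "unknown"),
               c.proto, c.dst_port)
        seen[key]["flows"] += 1
        seen[key]["processes"].add(c.process)
    policies = []
    for (consumer, provider, proto, port), info in sorted(seen.items()):
        if info["flows"] < min_flows:      # too little evidence to whitelist
            continue
        policies.append({
            "consumer": consumer, "provider": provider, "proto": proto, "port": port,
            "action": "allow", "observed_flows": info["flows"],
            "processes": sorted(info["processes"]),
        })
    return policies


def export_json(policies: List[Dict]) -> str:
    """JSON export of the recommended policies."""
    return json.dumps({"policies": policies}, indent=2)


def unused_legacy_rules(legacy: List[Rule], policies: List[Dict]) -> List[Rule]:
    """Legacy rules (same 4-tuple shape) that no observed conversation exercised."""
    live = {(p["consumer"], p["provider"], p["proto"], p["port"]) for p in policies}
    return [r for r in legacy if r not in live]


# Constructed inventory (IP -> application group) and observed conversations.
INVENTORY = {"10.0.1.10": "web", "10.0.1.11": "web", "10.0.2.20": "app", "10.0.3.30": "db"}
CONVERSATIONS = [
    Conversation("10.0.1.10", "10.0.2.20", "tcp", 8080, "java"),
    Conversation("10.0.1.11", "10.0.2.20", "tcp", 8080, "java"),
    Conversation("10.0.2.20", "10.0.3.30", "tcp", 5432, "postgres"),
    Conversation("10.0.2.20", "10.0.3.30", "tcp", 5432, "postgres"),
    Conversation("10.0.2.20", "10.0.3.30", "tcp", 5432, "postgres"),
    Conversation("10.0.9.99", "10.0.3.30", "tcp", 22, "sshd"),    # host not in inventory
]
LEGACY_RULES: List[Rule] = [("web", "app", "tcp", 8080), ("web", "db", "tcp", 5432),
                            ("app", "db", "tcp", 5432)]
```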

Page 68: TrustSec Functions

Classification (Security Group Tags): Static classification; Dynamic classification; Endpoint identification
Propagation: Inline tagging or data plane (many options); Control plane (SXP or pxGrid)
Enforcement: Enforcement; Threat Defense
Central management: Group tag management; Group policy management
SGT-enabled network (Switch, Router, Firewall, Wireless): Software-Defined Segmentation; Open technology; Heterogeneous environment

Page 69: TrustSec integration – ACI (Data Center)

Diagram: TrustSec Policy Domain (User – Switch – Router – WAN (GETVPN / DMVPN / IPSEC) – Router – Firewall) and ACI Policy Domain (Nexus 9000 Spine / Leaf – Server)

• Classification: SGT over Ethernet; IPSec / DMVPN / GETVPN / SXP
• ISE creates matching Security Groups for Endpoint Groups
• ISE exchanges IP-SGT/EPG 'Name bindings'
• IP-ClassId, VNI bindings and IP-Security Group bindings exchanged with network

Cisco ISE 2.1 (Security Groups) – Cisco APIC-DC (End Point Groups)