Threat Defense with the Help of the Network and Cisco StealthWatch
Cisco Enterprise Security, January 2017
Thomas Spiegel, Consulting Systems Engineer



The Challenge

What is the typical method to protect against a breach?

Perimeter Security Controls

Typical BOGON list at the perimeter

NGIPS and Firewall protecting the Data Center

Perimeter Firewalls

NGIPS Protecting the DMZ

NGIPS Protecting the Internal Zone

What is being overlooked by this method?

Focus must also be on the Inside LAN

Enterprise Network

Network as a Sensor and Enforcer: Data Breach Example

Actors in the diagram: Attacker, Perimeter (Inbound), Perimeter (Outbound), C2 Server, Admin Node

1. Infiltration and Backdoor Establishment
2. Reconnaissance and Network Traversal
3. Exploitation and Privilege Elevation
4. Staging and Persistence (Repeat 2, 3, 4)
5. Data Exfiltration

Network Security

Stealthwatch Adds to Cisco's Security Portfolio

StealthWatch:
• Detect breaches and insider threats faster
• Accelerate analysis and understanding of incidents
• Discover and monitor the traffic baseline for the network
• Enable the deployment of granular, software-based segmentation

StealthWatch across the Attack Continuum:
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Network as a Sensor (NaaS): Visibility

NetFlow: What It Is

Example flow: host 10.1.8.3 talks to Internet host 172.168.134.2; the routers and switches along the path export flow information for the packets they forward.

Flow information:
  SOURCE ADDRESS       10.1.8.3
  DESTINATION ADDRESS  172.168.134.2
  SOURCE PORT          47321
  DESTINATION PORT     443
  INTERFACE            Gi0/0/0
  IP TOS               0x00
  IP PROTOCOL          6
  NEXT HOP             172.168.25.1
  TCP FLAGS            0x1A
  SOURCE SGT           100
  : :
  APPLICATION NAME     NBAR SECURE-HTTP

NetFlow enables:
• Tracing of every conversation in the network
• Network components: switch, router, firewall
• Recording of network usage
• Tracking of traffic flows
• Indications of Compromise (IOC)
• Security Group information

Built into current Cisco network components.

NetFlow provides complete IP visibility in the network (figure: internal hosts and subnets communicating with each other and with the Internet).

IP addresses change often.

Hard to manage if there is no link to the identity behind the IP address.

But:

Context-based visibility and control

Figure: Network Fabric connecting the segments Employee, Employee, Supplier, Quarantine, Shared Server, Server, High Risk Segment and Internet, with allowed traffic and denied traffic between them.

Easily traceable traffic relationships

Rules based on identity are easier to define

Network as a Sensor: StealthWatch System

Real-Time Visibility into All Network Layers: Monitor, Detect, Analyze, Respond

Network Devices → NetFlow → StealthWatch
Cisco® Identity Services Engine ↔ StealthWatch via pxGrid: Context Information in, Mitigation Action out (pxGrid = API)

Network as a Sensor (NaaS): Network Behavior Anomaly Detection

Behaviour Analysis
• Works with complex, dynamically learned baselines and manual thresholds.
• Unique processing that results in Concern Index™ metrics:
  • Concern Index: host might have become infected;
  • Target Index: host might have become the target of an attack;
  • File Sharing Index: host might be involved in peer-to-peer file sharing activity or leaking data out of the organization;
  • Exfiltration Index: host might be leaking data out;
  • Command & Control Points: host trying to connect to a botnet C&C server.
• Other activities that the system can recognize:
  • Data Hoarding;
  • Quiet Long Flows;
  • Custom user-defined threat criteria or threshold violations.
• If concern indexes and manual thresholds are exceeded or policies are violated, alarms are generated.

Behavioral and Anomaly Detection Model: Behavioral Algorithms Are Applied to Build "Security Events"

Pipeline: FLOWS → COLLECT AND ANALYZE FLOWS → SECURITY EVENTS (94+) → ALARM CATEGORY → RESPONSE

Security events (examples): Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, ..., ICMP Flood, ..., Max Flows Initiated, Max Flows Served, ..., Suspect Long Flow, Suspect UDP Activity, SYN Flood

Alarm categories: Concern, Exfiltration, C&C, Recon, Data hoarding, Exploitation, DDoS target

Responses: Alarm table, Host snapshot, Email, Syslog / SIEM, Mitigation

Demo

Example Algorithm: Data Hoarding

Target Data Hoarding: unusually large amount of data outbound from a host to multiple hosts

Suspect Data Hoarding: unusually large amount of data inbound from other hosts
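As an added illustration (not code from the slides or from Cisco's product), here is a toy detector in the spirit of the Data Hoarding algorithm, run over constructed flow records built from the NetFlow fields shown earlier. The byte count per flow, the learned per-host baselines and the "5× baseline, at least 3 peers" thresholds are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """Unidirectional flow record (NetFlow fields from the slide); nbytes is assumed, not on the slide."""
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    nbytes: int

def per_host_totals(flows):
    """Aggregate bytes and distinct peers per host, outbound and inbound."""
    stats = defaultdict(lambda: {"out_bytes": 0, "out_peers": set(),
                                 "in_bytes": 0, "in_peers": set()})
    for f in flows:
        stats[f.src]["out_bytes"] += f.nbytes
        stats[f.src]["out_peers"].add(f.dst)
        stats[f.dst]["in_bytes"] += f.nbytes
        stats[f.dst]["in_peers"].add(f.src)
    return stats

def detect_data_hoarding(flows, baseline, factor=5.0, min_peers=3):
    """Sorted (host, event) alarms; baseline: host -> (typical out bytes, typical in bytes) per period."""
    alarms = []
    for host, s in per_host_totals(flows).items():
        if host not in baseline:          # e.g. Internet hosts: no learned baseline, skip
            continue
        base_out, base_in = baseline[host]
        # Target Data Hoarding: unusually much data served outbound, to multiple hosts
        if s["out_bytes"] > factor * base_out and len(s["out_peers"]) >= min_peers:
            alarms.append((host, "Target Data Hoarding"))
        # Suspect Data Hoarding: unusually much data pulled inbound, from multiple hosts
        if s["in_bytes"] > factor * base_in and len(s["in_peers"]) >= min_peers:
            alarms.append((host, "Suspect Data Hoarding"))
    return sorted(alarms)

# Constructed baseline (bytes per period) and flow records; the addresses are the ones drawn on the slides.
BASELINE = {"10.1.8.3": (50_000_000, 10_000_000), "10.4.51.5": (5_000_000, 20_000_000)}
BASELINE.update({h: (50_000_000, 20_000_000) for h in ("10.85.232.4", "10.200.21.110",
                 "192.168.19.3", "192.168.132.99", "10.43.223.221")})
SAMPLE_FLOWS = [Flow("10.1.8.3", "172.168.134.2", 47321, 443, 6, 12_000)]   # the slide's own flow
SAMPLE_FLOWS += [Flow(srv, "10.4.51.5", 445, 50000 + i, 6, 80_000_000)      # 400 MB pulled from 5 servers
                 for i, srv in enumerate(("192.168.19.3", "192.168.132.99", "10.43.223.221",
                                          "10.200.21.110", "10.85.232.4"))]
SAMPLE_FLOWS += [Flow("192.168.19.3", "10.85.232.4", 445, 50100, 6, 200_000_000),   # one server now
                 Flow("192.168.19.3", "10.200.21.110", 445, 50101, 6, 100_000_000)]  # feeding 3 hosts
```

Note that 10.85.232.4 receives ten times its inbound baseline but from a single peer, so it raises no alarm: the peer-count condition is what separates hoarding from one large transfer.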

Network Behavior and Anomaly Detection

Alarm Model:
• Monitor activity and alarm on suspicious conditions
• Policy and behavioral

StealthWatch: Detecting Network Anomalies with the Conversational Flow Record

Conversational Flow Record: When, Who, Where, What, Who (Security Group), More Context

Is this communication permissible?
• Yes → Tune
• No → Respond

Stealthwatch Conversational Flow Record integrations, e.g. OpenDNS: let's look it up in Investigate!

Investigate knows:

Network as a Sensor (NaaS): Incident Response

Investigating a Host: Summary; Communication patterns

Investigating: Host Drill-Down; User information

Adaptive Network Control: Quarantine or unquarantine via pxGrid
StealthWatch Management Console (SMC) ↔ Cisco® Identity Services Engine

Cisco Network Components for NaaS & NaaE

NaaS – Solution Components: Cisco Switching Portfolio with Full Flexible NetFlow

Catalyst 3850/3650 (Access Layer)
Catalyst 4500 Sup7E/LE, Sup8E/LE; Catalyst 6800/6500 Sup2T, Sup6T (Distribution Layer)
Nexus: Full Flexible NetFlow v9 and IPFIX* (Core Layer)
* NetFlow is supported on the 7K M series (full / sampled), 1000V (Full Flow) and 7k (I/O Module dependent)
IP Base or Higher License Requirement
Catalyst 2960X

Base NaaS on Catalyst 2960-X/XR
• Full NetFlow
• DNS-AS 50+ Apps
• StealthWatch: 25 FPS/Switch License; Physical² or Virtual Appliance; C1-based License Only (New)
² Purchase separately

Full NaaS on Catalyst 3650/3850
• Full NetFlow
• NBAR2 1500 Apps
• ERSPAN
• ETTA²
• Stealthwatch: 50 FPS/Switch License; Physical¹ or Virtual Appliance; C1 Foundation License (see Software Packaging)
• Packetwatch¹
¹ Purchase separately  ² Available 1HC17

Cisco Unique Solution for Network Security (stated on both slides)
• Reduce Threat Attack Surface with Network Sensing
• Improved Protection for Customers and Employees
• Implementing NaaS brings over 200% ROI (NEW!! Forrester Report for StealthWatch)

Summary

Key questions you should ask yourself:

• Do you know the normal behaviour of your network?
  • Users / end devices
  • Applications
  • Typical traffic volumes
• How do you detect unusual network traffic?
• How do you ensure that the security policies are enforced in every component?
• How effectively can you respond to security incidents?

Network as a Sensor and Enforcer Summary

• TrustSec provides software-defined (micro)segmentation
• NetFlow and Lancope StealthWatch provide visibility and intelligence
• The network is a key asset for threat detection and control