Cyber Security 2016 (data.eventworld.cz) - transcript
Cyber Security 2016: Using application interfaces (APIs) for malware analysis and automated threat response
Jiří Tesař, Cisco Systems, [email protected], CSE Security, CCIE #14558, SFCE #124266
[Slide diagram: network topology with Internet, endpoint user and roaming user, NGFW/UTM with URL filter, and a datacenter protected by NGFW and NGIPS/AMP, including virtual NGIPSv and NGFWv appliances]
Before / During / After model:
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
[Slide diagram, Before/During/After architecture: Internet, ASA/Firepower (NGFW, NGIPS, AMP, AVC, URL filtering), Firepower Management Center, AnyConnect client software (SSL, 802.1x), SIEM data sources, DC]
• What does their traffic look like over time?
• What operating systems?
• View all application traffic; look for risky applications
• Geolocation for source and destination
• URL …
• Intrusion events by impact, priority, hosts, users …
• File analysis
• Malware detection
Identify Where to Start
If this were all there was, the “order of investigation” would be easy (from the FMC Dashboard).
Indications of Compromise are often a better place to start; if only it were always so easy (from the FMC Context Explorer).
• An unknown file is present on IP 10.4.10.183, having been downloaded with Firefox.
• At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
• Seven hours later the file is transferred to a third device (10.3.4.51) using an SMB application.
• A half hour later the file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application.
• The Cisco Collective Security Intelligence Cloud learns this file is malicious, and a retrospective event is raised for all four devices immediately.
• At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
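The file trajectory and retrospective event described above, replayed as an added example (my own code, not the talk's material and not any Cisco product code). It correlates constructed file-transfer events by hash, reconstructs the trajectory, and, when the disposition changes to malicious, raises a retrospective event listing every host the file touched and the dwell time before the verdict. The IPs follow the scenario in the talk; the SHA-256 values, timestamps, the application labels, and the assumption about which hosts carry an endpoint connector are constructed placeholders.

```python
# Added example: replay a file's network trajectory and raise a retrospective
# event when its disposition changes from UNKNOWN to MALICIOUS.
# All events, hashes and the connector inventory are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEvent:
    time: datetime   # when the transfer was observed
    sha256: str      # file identity used for trajectory correlation
    src: str         # sending host (IP, or EXTERNAL for an Internet download)
    dst: str         # receiving host (IP)
    app: str         # application/protocol that carried the file


EXTERNAL = "internet"                              # sentinel for a non-internal source
PLACEHOLDER_SHA = "placeholder-sha256-" + "0" * 45  # constructed, not a real IoC
OTHER_SHA = "placeholder-sha256-" + "1" * 45        # constructed, unrelated file

T0 = datetime(2016, 1, 1, 10, 57)                  # constructed time of the first transfer
VERDICT_TIME = T0 + timedelta(hours=8)             # constructed time of the malicious verdict

# Constructed trajectory following the talk's scenario (four hosts), plus one
# unrelated transfer to show that correlation is keyed on the hash.
SAMPLE_EVENTS = [
    FileEvent(T0 - timedelta(minutes=5), PLACEHOLDER_SHA, EXTERNAL, "10.4.10.183", "Firefox (HTTP)"),
    FileEvent(T0, PLACEHOLDER_SHA, "10.4.10.183", "10.5.11.8", "unknown"),
    FileEvent(T0 + timedelta(hours=7), PLACEHOLDER_SHA, "10.5.11.8", "10.3.4.51", "SMB"),
    FileEvent(T0 + timedelta(hours=7, minutes=30), PLACEHOLDER_SHA, "10.3.4.51", "10.5.60.66", "SMB"),
    FileEvent(T0 + timedelta(hours=1), OTHER_SHA, "10.4.10.183", "10.3.4.51", "SMB"),
]

# Assumption (constructed): which hosts run an endpoint connector that can quarantine.
HOSTS_WITH_CONNECTOR = {"10.4.10.183", "10.5.60.66"}


def trajectory(events, sha256):
    """Transfer events for one file, in time order (the network file trajectory)."""
    return sorted((e for e in events if e.sha256 == sha256), key=lambda e: e.time)


def affected_hosts(events, sha256):
    """Internal hosts the file touched, in order of first contact."""
    seen = []
    for e in trajectory(events, sha256):
        for host in (e.src, e.dst):
            if host != EXTERNAL and host not in seen:
                seen.append(host)
    return seen


def retrospective_event(events, sha256, old, new, verdict_time, connectors):
    """Build the retrospective event for a disposition change; None unless it became MALICIOUS."""
    if new != "MALICIOUS":
        return None
    path = trajectory(events, sha256)
    if not path:
        return None
    hosts = affected_hosts(events, sha256)
    # Hosts with a connector can be quarantined locally; the rest need a
    # network-side response (assumed here, e.g. a policy change at the edge).
    actions = {
        h: "quarantine via endpoint connector" if h in connectors
        else "contain on the network (assumed response)"
        for h in hosts
    }
    return {
        "sha256": sha256,
        "disposition": f"{old} -> {new}",
        "first_seen": path[0].time,
        "dwell_time": verdict_time - path[0].time,
        "hosts": hosts,
        "actions": actions,
    }


def demo():
    """Run the scenario end to end and return the retrospective event."""
    return retrospective_event(SAMPLE_EVENTS, PLACEHOLDER_SHA, "UNKNOWN",
                               "MALICIOUS", VERDICT_TIME, HOSTS_WITH_CONNECTOR)


if __name__ == "__main__":
    for e in trajectory(SAMPLE_EVENTS, PLACEHOLDER_SHA):
        print(f"{e.time:%H:%M}  {e.src:>12} -> {e.dst:<12} via {e.app}")
    event = demo()
    print(f"dwell time before verdict: {event['dwell_time']}")
    for host, action in event["actions"].items():
        print(f"  {host}: {action}")
```

The point a responder should take from the replay is that the event is raised for all four hosts at once, not only for the one that first downloaded the file, and that the dwell time (here eight hours and five minutes from first sighting to verdict) is the window during which the file moved freely; the hash is the only key needed to reconstruct that window afterwards.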
[Slide diagram, repeated over several slides with components added step by step: Internet, AnyConnect (SSL, 802.1x, NAC, CWS, AMP), ASA/Firepower (NGFW, NGIPS, AMP, AVC, URL), Firepower Management Center, DC, TALOS; Before/During/After]
Device Trajectory
• Gives you deep visibility into file activity on a single device/endpoint
Looks DEEP into a device and helps answer:
• How did the threat get onto the system?
• How bad is my infection on a given device?
• What communications were made?
• What don’t I know?
• What is the chain of events?
[Slide diagram, repeated: the same Before/During/After architecture with TG added]
8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
[Slide diagram, repeated: the architecture extended with the Cisco access layer (switch, WLC), AnyConnect (AMP, SSL, 802.1x, NAC, CWS), ASA/Firepower (NGFW, NGIPS, AMP, AVC, URL), TG, TALOS, FPMC; Before/During/After]
Quick Reminder – What is ISE?
Identity Services Engine (ISE): a centralized security solution that automates context-aware access to network resources and shares contextual data.
• Functions: AAA, identity profiling and posture, role-based access, guest access, BYOD access, secure access, traditional TrustSec (role-based policy for network resources)
• Context: who, what, when, where, how, compliant
[Slide diagram: ISE as the network “door controller”, sharing context over pxGrid]
[Slide diagram, repeated: the architecture extended with Identity Services Engine (AAA, Guest, profiling, posture), AD, Lancope and MDM, connected to the access layer and FPMC over pxGrid]
Enable Rapid Threat Containment with Cisco Firepower Management Center (FMC) and Identity Services Engine (ISE)
• Corporate user downloads a file
• FMC scans the user activity and the file
• FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to “suspicious”
• Based on the new tag, ISE enforces policy
• Result: access denied per security policy
[Slide diagram, repeated over several slides: the full architecture with ESA/WSA, AMP on endpoints and content gateways, AMP/CTA, CWS and OpenDNS added]
C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
[Slide diagram: Cisco security portfolio. Areas: Secure Access, Secure Transfer, Secure Inside. Functions: VPN (S2S VPN, DMVPN, GET VPN, Flex VPN), WiFi/LAN, Content GW, Firewall, IPS, Threat Management, Security Policy Management & Monitoring, Encryption (MacSec), TrustSec (SGT/SGACL). Products: Meraki, TALOS, ISE, SourceFire, ASA/IPS, switches, WLC, ASA 5500-X, ASA 5585-X, ASA-SM, ASAv, ASR, ISR, CSR, FireAMP, AMP for mobile, LanCope, AMP, TG, CWS, WSA/VM, SMA/VM, ESA/VM, ASA-SFR, AnyConnect, ASA]
Thank you for your attention