Exposing Risk Through Network Visibility | GSF 2012 | Session 4-3

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential


DESCRIPTION

Cyber threats impact the security and economic viability of nations and businesses alike. These threats continue to increase exponentially. By: Chris Coleman

TRANSCRIPT

Page 1: Exposing Risk Through Network Visibility | GSF 2012 | Session 4-3

Exposing Risk Through Network Visibility

Chris Coleman, Director, Cyber Security, U.S. Public Sector

21 March 2012

Page 2:

1. Problem Definition
2. Solution Overview
3. Product Components and Availability

Page 3:

Three classes of cyber threat: Manipulation, Theft & Espionage, Disruption

Cyber threats impact the security and economic viability of nations and businesses alike

Page 4: One example per class

Manipulation
  Target: Nasdaq OMX
  Impact: "Flash Crash" of May 2010 (the slide's pairing; the SEC/CFTC investigation attributed the crash to a large automated sell order, and the Directors Desk intrusion disclosed in 2011 was never linked to it)
  Exploit: Directors Desk web-based application

Theft & Espionage
  Target: Security and defense contractors
  Impact: Intellectual property theft, 2009-2010
  Exploit: Multiple zero-days

Disruption
  Target: Iranian nuclear program (Stuxnet; the equipment affected was uranium-enrichment centrifuges, not reactors)
  Impact: 2-5 year delay
  Exploit: Siemens PLC software

Page 5: Attack volume, 2007 to 2013

  2007: 624,000 attacks
  2010: 2,600,000 attacks
  2013: 5,700,000 attacks (projected)

Page 6:

Sophisticated Attacks With Specific High-Stakes Intent
• 49% of threats are customized for target environment [1]
• $1T/year private sector revenue loss from cyber espionage [2]
• 5X increase in attacks against US Government 2006 to 2009 [3]

Compromise Is Not "If," but "When"
• 59% of organizations believe they have been cyber threat targets [4]
• 46% believe they are still highly vulnerable despite increased prevention investments [5]

Customers Investing to Respond
• 52% invested in network anomaly analysis/detection [6]
• 77% increase investment in security solutions in reaction to cyber threats [7]

Sources: [1] Verizon Data Breach Report; [2] US House Intelligence; [3] Cyber Market Forecast; [4] ESG APT Report; [5-7] ESG

Page 7: Customized Cyber Threats Evade Existing Security Constructs

[Diagram: perimeter gateways (Firewall, IPS, Web Sec, N-AV, Email Sec)]

Customized threat bypasses security gateways

Threat spreads inside perimeter

Fingerprints of threat are found only in network fabric

Page 8:

• Zeus A/V detection rate

Source: abuse.ch Zeus Tracker (3/19/2012)

• Malware customization

"Roughly half of the malware we discover is specifically targeted at our environment." - U.S. Public Sector Customer

"We've detected malware that was compiled 5 minutes prior to being injected into our user base." - U.S. Public Sector Customer

Source: Verizon 2011 Data Breach Investigations Report

Page 9: Breached, but How, Where, and Who? Context Is Critical

Disparate Data Sources, Manual Assembly

• Often very difficult to find
• High-value assets: major consequences
• Network flow analysis is central to this process, throughout the network
• No single system provides all data to decipher an attack
• Related threats, identity, reputation, vulnerability, device type, etc.
• Analysts collect and assemble contextual information from a variety of systems
• Requires expensive analysts

Page 10: Flow, Context, and Control

• Use NetFlow data to extend visibility to the access layer
• Unite flow data with identity, reputation, application for context
• Network switches as enforcement points for increased control

[Diagram: the network answers Who, What, When, Where and How for a flow from 65.32.7.45; open questions an analyst must still answer: Reputation? Posture? Device? User? Events? Vulnerability, AV, Patch]

Page 11: Solution architecture

Unified view: threat analysis and context in Lancope StealthWatch

Threat context data (CONTEXT): Cisco identity, device, posture, reputation (SIO), application

NetFlow telemetry (FLOW): Cisco switches, routers, and ASA 5500, across the internal network and borders

Page 12: Example Patterns Detected by Lancope StealthWatch Using NetFlow

Use cases: Find internally spreading malware; Detect recon activity; Find data loss/exfiltration; Detect botnet and command/control activity

• Unusual application traffic to/from hosts/subnets
• Duplicate traffic patterns
• Devices faking services (DHCP server not on list)
• Traffic destined to a blackhole or blacklisted hosts
• Protocol sequence anomalies (e.g. no SYN/FIN)
• Asymmetric traffic patterns: a lot of data going out
• Communication with unusual or "watchlist" nations
• Unusual quantities or duration of traffic
• One-way traffic: constant beacons
• Time of day patterns
• Repeated low volume connections
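Several of the patterns above reduce to simple statistics over flow records once the records are unsampled. The following is an added example (not StealthWatch code and not from the slides) that implements three of them over constructed NetFlow-style records: constant, low-volume beacons to one destination; SYN-only reconnaissance against many ports; and asymmetric outbound volume to an external peer. The records, thresholds and the internal prefix "10." are all assumptions chosen for the demonstration.

```python
"""Detection heuristics over NetFlow-style records (added example).

Implements three of the patterns listed above: constant beacons / repeated
low-volume connections, SYN-only reconnaissance, and asymmetric outbound
volume (exfiltration).  Flow records are constructed inline; field names
follow NetFlow v5/v9 conventions but nothing here is StealthWatch code.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass

TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass(frozen=True)
class Flow:
    start: int       # seconds when the flow was first seen
    src: str
    dst: str
    dport: int
    proto: int       # 6 = TCP, 17 = UDP
    pkts: int
    octets: int
    tcp_flags: int   # cumulative OR of TCP flags seen, as NetFlow reports it


def find_beacons(flows, min_count=5, max_cv=0.15, max_avg_octets=2000):
    """Periodic, low-volume connections to one dst:port (C2 check-ins)."""
    by_peer = defaultdict(list)
    for f in flows:
        by_peer[(f.src, f.dst, f.dport)].append(f)
    hits = []
    for key, group in by_peer.items():
        if len(group) < min_count:
            continue
        starts = sorted(f.start for f in group)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean          # low CV = clock-like timing
        avg_octets = sum(f.octets for f in group) / len(group)
        if cv <= max_cv and avg_octets <= max_avg_octets:
            hits.append((key, len(group), round(mean), round(cv, 3)))
    return hits


def find_scanners(flows, min_targets=20):
    """Many SYN-only TCP flows (no ACK ever seen) to distinct dst:port pairs."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.tcp_flags & TCP_SYN and not f.tcp_flags & TCP_ACK:
            targets[f.src].add((f.dst, f.dport))
    return [(src, len(t)) for src, t in targets.items() if len(t) >= min_targets]


def find_exfil(flows, internal_prefix="10.", min_out=5_000_000, min_ratio=20.0):
    """Far more octets leaving an internal host for one external peer than return."""
    out, back = defaultdict(int), defaultdict(int)
    for f in flows:
        src_in, dst_in = f.src.startswith(internal_prefix), f.dst.startswith(internal_prefix)
        if src_in and not dst_in:
            out[(f.src, f.dst)] += f.octets
        elif dst_in and not src_in:
            back[(f.dst, f.src)] += f.octets
    hits = []
    for pair, o in out.items():
        ratio = o / max(back.get(pair, 0), 1)
        if o >= min_out and ratio >= min_ratio:
            hits.append((pair, o, round(ratio, 1)))
    return hits


def sample_flows():
    """Constructed records: one beacon, one scanner, one exfil, plus benign noise."""
    flows = []
    # Beacon: 10.0.5.12 -> 203.0.113.7:443 about every 60 s, tiny payloads
    for i, jitter in enumerate([0, 1, -2, 2, 0, -1, 1, 0, 2, -1]):
        flows.append(Flow(1000 + 60 * i + jitter, "10.0.5.12", "203.0.113.7", 443,
                          6, 4, 512, TCP_SYN | TCP_ACK))
    # Recon: 10.0.5.40 probes 25 ports on 10.0.6.20, SYN only, never answered
    for port in range(1, 26):
        flows.append(Flow(1500 + port, "10.0.5.40", "10.0.6.20", port, 6, 1, 60, TCP_SYN))
    # Exfil: 12 MB out over FTP, 40 KB back
    flows.append(Flow(2000, "10.0.5.77", "198.51.100.9", 21, 6, 9000, 12_000_000, TCP_SYN | TCP_ACK))
    flows.append(Flow(2000, "198.51.100.9", "10.0.5.77", 51234, 6, 300, 40_000, TCP_SYN | TCP_ACK))
    # Ordinary browsing: irregular timing, more data coming back than going out
    for i, t in enumerate([3000, 3011, 3050, 3052, 3300, 3990]):
        flows.append(Flow(t, "10.0.5.90", "192.0.2.10", 443, 6, 40, 30_000, TCP_SYN | TCP_ACK))
        flows.append(Flow(t, "192.0.2.10", "10.0.5.90", 40000 + i, 6, 60, 90_000, TCP_SYN | TCP_ACK))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("beacons :", find_beacons(flows))
    print("scanners:", find_scanners(flows))
    print("exfil   :", find_exfil(flows))
```

The beacon check keys on timing regularity (coefficient of variation of inter-flow gaps) rather than on volume alone, which is what separates a check-in from ordinary browsing to the same site; the scan check relies on the cumulative TCP flag field, so it only works on unsampled flows where the absence of an ACK is meaningful.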

Page 13: Threat Context Provided by Cisco ISE, Reputation, Application Recognition (NBAR)

The same four use cases and pattern list as Page 12, with this context attached to each alarm:

• Who is being targeted?
• Is the user a critical target? (title and what part of the organization they are in, per AD/LDAP information)
• What information does the user have access to? (network authorization group they belong to)
• What device is the traffic coming from? (laptop, smartphone, etc.)
• Has the user had security posture failures recently? (quarantine and posture event status)
• Are there other relevant user session events? (access to all AAA events associated with the user)
• What is the reputation of the host the user is communicating with?
• What application is the traffic?

Page 14: NetFlow Telemetry Comes in Two Forms

Sampled
• A small subset of traffic, usually less than 5%, is sampled and used to generate NetFlow telemetry; this gives a snapshot view into network activity, like reading a book by skimming every 100th page

Unsampled
• All traffic is used to generate NetFlow telemetry, providing a comprehensive view into all activity on the network; using the book analogy, this is reading every word in the book

The customized, stealthy nature of advanced cyber threats requires full, unsampled NetFlow visibility: a low-and-slow beacon or a short scan may never appear in a 1-in-100 sample at all.

Only a Cisco Catalyst switch can deliver this unsampled NetFlow at line rate without any network performance impact

Page 15: Where NetFlow is generated

Access: Cat 3K-X with Service Module (adds NetFlow)
Access/Distribution: Cat 4K Sup7E, Sup7L-E (line-rate NetFlow); Cat 6K Sup2T (line-rate NetFlow)
Edge and Borders: ISR, ASR (scale NetFlow, NBAR2)
Perimeter: ASA 5500 (network security event logging)

Page 16:

• Developed and patented at Cisco Systems in 1996
• NetFlow is the de facto standard for acquiring IP operational data
• Provides network and security monitoring, network planning, traffic analysis, and IP accounting

Page 17: NetFlow cache, expiration, aggregation, and export

1. Create and update flows in the NetFlow cache

SrcIf  SrcIPadd      DstIf  DstIPadd     Proto TOS Flgs Pkts  SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop   Bytes/Pkt Active Idle
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11    80  10   11000 00A2    /24    5     00A2    /24    15    10.0.23.2 1528      1745   4
Fa1/0  173.100.3.2   Fa0/0  10.0.227.12  6     40  0    2491  15      /26    196   15      /24    15    10.0.23.2 740       41.5   1
Fa1/0  173.100.20.2  Fa0/0  10.0.227.12  11    80  10   10000 00A1    /24    180   00A1    /24    15    10.0.23.2 1428      1145.5 3
Fa1/0  173.100.6.2   Fa0/0  10.0.227.12  6     40  0    2210  19      /30    180   19      /24    15    10.0.23.2 1040      24.5   14

(Protocol, TOS, flags and ports are shown in hex: protocol 11 = UDP, 6 = TCP; port 00A2 = 162. Active and Idle are in seconds.)

2. Expiration: a flow leaves the cache and is handed to export when
• the inactive timer expires (15 sec is default)
• the active timer expires (30 min is default)
• the NetFlow cache is full (oldest flows are expired)
• a TCP packet with the RST or FIN flag is seen

For example, the first flow above is expired once its Active counter reaches 1800 s:

Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11    80  10   11000 00A2    /24    5     00A2    /24    15    10.0.23.2 1528      1800   4

3. Aggregation
   Yes: aggregated flows, export version 8 or 9. E.g., the protocol-port aggregation scheme reduces the record to
        Protocol Pkts  SrcPort DstPort Bytes/Pkt
        11       11000 00A2    00A2    1528
   No:  non-aggregated flows, export version 5 or 9

4. Export version (5, 8 or 9, as above)

5. Transport protocol (UDP, SCTP): export packet = header + payload (flows)
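The cache lifecycle on this slide is easy to get wrong when sizing a collector or reasoning about why a long session shows up as several records. The following is an added example (illustrative Python, not Cisco's implementation) that simulates a flow cache keyed on the classic 7-tuple and applies all four expiry conditions with the slide's default timers. The traffic is constructed: a long-lived UDP stream modelled on the first table row (protocol 0x11 to port 0x00A2), a short TCP session, and three one-off flows; the 3-entry cache size is an assumption so that "cache full" is reachable.

```python
"""NetFlow cache with the four expiry conditions from the slide (added example).

Simulates how a router's flow cache behaves: packets that share the classic
7-tuple key update one entry; entries leave the cache (and become export
records) on inactive timeout, active timeout, TCP RST/FIN, or when the cache
is full.  Timer values and table rows mirror the slide; this is illustrative
Python, not Cisco's implementation.
"""
from dataclasses import dataclass

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class FlowEntry:
    key: tuple       # (src_if, src_ip, dst_ip, proto, tos, src_port, dst_port)
    first: int       # time of first packet
    last: int        # time of most recent packet
    pkts: int = 0
    octets: int = 0
    tcp_flags: int = 0


class FlowCache:
    def __init__(self, active_timeout=1800, inactive_timeout=15, max_entries=65536):
        self.active_timeout = active_timeout      # 30 min default on the slide
        self.inactive_timeout = inactive_timeout  # 15 s default on the slide
        self.max_entries = max_entries
        self.cache = {}
        self.exported = []                        # (reason, FlowEntry), in export order

    def observe(self, key, now, length, tcp_flags=0):
        """Account one packet; create the flow if the key is not cached."""
        entry = self.cache.get(key)
        if entry is None:
            if len(self.cache) >= self.max_entries:
                oldest = min(self.cache.values(), key=lambda e: e.last)
                self._export("cache full", oldest)
            entry = self.cache[key] = FlowEntry(key, now, now)
        entry.last, entry.pkts = now, entry.pkts + 1
        entry.octets += length
        entry.tcp_flags |= tcp_flags
        if tcp_flags & (TCP_FIN | TCP_RST):       # connection teardown ends the flow at once
            self._export("RST or FIN", entry)

    def expire(self, now):
        """Timer sweep: inactive first, then active (long-lived flows)."""
        for entry in list(self.cache.values()):
            if now - entry.last >= self.inactive_timeout:
                self._export("inactive timer", entry)
            elif now - entry.first >= self.active_timeout:
                self._export("active timer", entry)

    def _export(self, reason, entry):
        del self.cache[entry.key]
        self.exported.append((reason, entry))


def run_demo():
    """Constructed traffic that triggers each expiry reason."""
    cache = FlowCache(max_entries=3)              # tiny cache so "cache full" is reachable
    # First row of the slide's table: UDP (0x11) to port 0x00A2 = 162, TOS 0x80, sent every 2 s
    snmp = ("Fa1/0", "173.100.21.2", "10.0.227.12", 0x11, 0x80, 162, 162)
    web = ("Fa1/0", "173.100.3.2", "10.0.227.12", 6, 0x40, 15, 15)
    dns = ("Fa1/0", "173.100.20.2", "10.0.227.12", 0x11, 0, 53123, 53)
    log1 = ("Fa1/0", "173.100.6.2", "10.0.227.12", 0x11, 0, 40001, 514)
    log2 = ("Fa1/0", "173.100.6.2", "10.0.227.12", 0x11, 0, 40002, 514)
    events = [(t, snmp, 1528, 0) for t in range(0, 1811, 2)]
    events += [(100, web, 60, TCP_SYN), (101, web, 60, TCP_ACK), (102, web, 60, TCP_FIN | TCP_ACK)]
    events += [(201, dns, 80, 0), (203, log1, 120, 0), (204, log2, 120, 0)]
    for t, key, length, flags in sorted(events, key=lambda e: e[0]):  # stable sort: snmp first per tick
        cache.observe(key, t, length, flags)
        cache.expire(t)
    return cache


if __name__ == "__main__":
    c = run_demo()
    for reason, e in c.exported:
        print(f"{reason:15} {e.key[1]:>13}:{e.key[5]:<6} pkts={e.pkts:<4} active={e.last - e.first}s")
    print("still cached:", [(e.key[1], e.pkts) for e in c.cache.values()])
```

Running it shows the 30-minute UDP stream exported once by the active timer with 901 packets and then continuing as a fresh entry, which is why a collector must stitch records on key plus timestamps rather than treat each export as a separate session; the one-packet flows that were evicted as "cache full" are the ones a too-small cache silently loses.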

Page 18: NetFlow v9 export packet layout (template-based)

HEADER
Template FlowSet (FlowSet ID 0)
  Template Record, Template ID #1 (specific field types and lengths)
  Template Record, Template ID #2 (specific field types and lengths)
Data FlowSet, FlowSet ID #1 (records laid out per Template 1)
  Data Record (field values)
  Data Record (field values)
Data FlowSet, FlowSet ID #2 (records laid out per Template 2)
  Data Record (field values)
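Because v9 records carry no field names, a collector can only decode a Data FlowSet after it has seen the matching template from the same exporter, and it must bounds-check every FlowSet length because the packet arrives over unauthenticated UDP. The following is an added example (not Cisco or Lancope code) that builds a constructed v9 packet with one Template FlowSet and one Data FlowSet exactly as laid out above, then parses it; the field type numbers are the standard v9 ones, while template ID 256, the sample addresses and the header timestamps are assumptions.

```python
"""Minimal NetFlow v9 export-packet parser (added example).

Builds a constructed v9 packet with one Template FlowSet and one Data FlowSet
laid out as on the slide, then decodes it.  Shows the two things a collector
must get right: templates are learned per (source_id, template_id) and data
records that arrive before their template cannot be decoded; every FlowSet
length is bounds-checked before use, since the packet arrives over plain UDP
from anything that can reach the collector port.  Not Cisco or Lancope code.
"""
import ipaddress
import struct

# Field type numbers from the NetFlow v9 field table (RFC 3954 / Cisco)
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 6: "TCP_FLAGS",
               7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}


def decode_field(ftype, raw):
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(data, templates=None):
    """Return (header, records, skipped).  `templates` persists across packets."""
    templates = {} if templates is None else templates
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte v9 header")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError(f"not a v9 packet (version={version})")
    header = {"version": version, "count": count, "sys_uptime": uptime,
              "unix_secs": unix_secs, "sequence": seq, "source_id": source_id}
    records, skipped, off = [], 0, 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        if fs_len < 4 or off + fs_len > len(data):
            raise ValueError("FlowSet length out of bounds")      # never trust the wire length
        body = data[off + 4:off + fs_len]
        if fs_id == 0:                                            # Template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if tid < 256 or p + 4 * nfields > len(body):
                    raise ValueError("bad template record")
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                                        # Data FlowSet
            tpl = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in tpl) if tpl else 0
            if not tpl or rec_len == 0:
                skipped += 1                                      # template not seen yet: cannot decode
            else:
                p = 0
                while p + rec_len <= len(body):                   # leftover < rec_len is padding
                    rec = {}
                    for ftype, flen in tpl:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
        # fs_id == 1 (Options Template) and 2..255 (reserved) are ignored here
        off += fs_len
    return header, records, skipped


def build_sample_packet(include_template=True):
    """Constructed packet: template 256 = (src, dst, sport, dport, proto, bytes, pkts, flags)."""
    tpl_fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (6, 1)]
    rows = [("10.0.5.12", "203.0.113.7", 51000, 443, 6, 512, 4, 0x12),
            ("10.0.5.77", "198.51.100.9", 51234, 21, 6, 12_000_000, 9000, 0x1b)]
    flowsets = b""
    if include_template:
        body = struct.pack("!HH", 256, len(tpl_fields))
        body += b"".join(struct.pack("!HH", t, l) for t, l in tpl_fields)
        flowsets += struct.pack("!HH", 0, 4 + len(body)) + body
    data = b""
    for s, d, sp, dp, pr, by, pk, fl in rows:
        data += ipaddress.IPv4Address(s).packed + ipaddress.IPv4Address(d).packed
        data += struct.pack("!HHBIIB", sp, dp, pr, by, pk, fl)
    while (4 + len(data)) % 4:                                    # FlowSets are 4-byte aligned
        data += b"\0"
    flowsets += struct.pack("!HH", 256, 4 + len(data)) + data
    # 'count' is the number of FlowSets per RFC 3954; exporters disagree, so parse_v9 ignores it
    header = struct.pack("!HHIIII", 9, 2 if include_template else 1, 123456, 1332115200, 1, 0)
    return header + flowsets
```

Templates are keyed by (source_id, template_id) because two exporters may legitimately use the same template number for different layouts; a collector that keys on template ID alone can be made to misparse one exporter's records with another's template. The `skipped` counter is worth alarming on in production: a steady stream of undecodable Data FlowSets usually means the template refresh interval on the exporter is too long or the collector restarted.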

Page 19: Flexible NetFlow components

• A single record per monitor
• Potentially multiple monitors per interface
• Potentially multiple exporters per monitor

[Diagram: one interface with monitors "A", "B" and "C"; records "X", "Y" and "Z"; exporters "M" and "N", with exporter "M" shared by more than one monitor]

Page 20: Flexible NetFlow configuration in four steps

1. Configure the exporter (where do I want my data sent?)
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1
Router(config-flow-exporter)# transport udp 2055
! the transport line is added here (the slide omits it); use the port your collector listens on

2. Configure the flow record (what data do I want to meter?)
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# collect counter bytes

3. Configure the flow monitor (how do I want to cache information?)
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# record my-record
Router(config-flow-monitor)# exporter my-exporter

4. Apply to an interface (which interface do I want to monitor?)
Router(config)# interface s3/0
Router(config-if)# ip flow monitor my-monitor input

Page 21: Flexible NetFlow key fields (1 of 2)

IPv4: IP (source or destination), Prefix (source or destination), Mask (source or destination), Minimum-Mask (source or destination), Protocol, Fragmentation Flags, Fragmentation Offset, Identification, Header Length, Total Length, Payload Size, Packet Section (Header), Packet Section (Payload), TTL, Options bitmap, Version, Precedence, DSCP, TOS

IPv6: IP (source or destination), Prefix (source or destination), Mask (source or destination), Minimum-Mask (source or destination), Protocol, Traffic Class, Flow Label, Option Header, Header Length, Payload Length, Payload Size, Packet Section (Header), Packet Section (Payload), DSCP, Extension Headers, Hop-Limit, Length, Next-header, Version

Interface: Input, Output

Flow: Sampler ID, Direction

Layer 2: Source MAC address, Destination MAC address, Dot1q VLAN, Source VLAN, Dest VLAN, Dot1q priority (the slide marks some of these as NEW)

Page 22: Flexible NetFlow key fields (2 of 2)

Multicast: Replication Factor*, RPF Check Drop*, Is-Multicast

Routing: Input VRF Name, BGP Next Hop, IGP Next Hop, src or dest AS, Peer AS, Traffic Index, Forwarding Status

Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type*, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, TCP Flags (ACK, CWR, ECE, FIN, PSH, RST, SYN, URG), UDP Message Length, UDP Source Port, UDP Destination Port

Application: Application ID (NEW: 2 or 4 bytes)

(* as marked on the slide; the slide also flags two further fields as NEW)

Page 23: Flexible NetFlow non-key fields

• Plus any of the potential "key" fields: the value will be taken from the first packet in the flow

Counters: Bytes, Bytes Long, Bytes Square Sum, Bytes Square Sum Long, Packets, Packets Long

Timestamp: sysUpTime First Packet, sysUpTime Last Packet

IPv4: Total Length Minimum (*), Total Length Maximum (*), TTL Minimum, TTL Maximum

IPv4 and IPv6: Total Length Minimum (**), Total Length Maximum (**)

(*) IPV4_TOTAL_LEN_MIN, IPV4_TOTAL_LEN_MAX; (**) IP_LENGTH_TOTAL_MIN, IP_LENGTH_TOTAL_MAX

Page 24: Complexity of Cyber Threats Drives Need for Greater Flow Visibility Within the Access Layer

• Prevent threats by detecting during the "recon" phase: port/network scans, threat recon for finding networks, etc.
• Granular data is needed at the edge to capture customized threats: threats run "low and slow" and cover their own tracks
• Sampling and granularity are better at the edge, with fewer false positives
• Local network detection is required to prevent widespread local host infection

Page 25: Analyst Manually Collects Context

Attack bypasses perimeter and traverses network; the attack traversing the network generates macro NetFlow

ACTIVE FLOWS: 728,345
SRC 65.32.7.45 -> DST 171.54.9.2 (US) : HTTP
SRC 65.32.7.45 -> DST 34.1.5.78 (Venus) : HTTPS
SRC 65.32.7.45 -> DST 165.1.4.9 (Mars) : FTP
SRC 65.32.7.45 -> DST 123.21.2.5 (US) : AIM
SRC 65.32.7.45 -> DST 91.25.1.1 (US) : FACEBOOK

Context the analyst must gather by hand: Reputation? Device? User? Events? Posture? Vulnerability, AV, Patch

Page 26: Single Pane of Glass: Automating Context Collection

Attack bypasses perimeter and traverses network; NetFlow at the access layer provides greater granularity

ACTIVE FLOWS: 23,892
(the same five flows from 65.32.7.45 as above)

Flow of interest: SRC 65.32.7.45 -> DST 165.1.4.9 (Mars) : FTP
Context: User/ORG = Pat Smith, R&D; Client = IBM XYZ100; DST = Poor Reputation

Page 27: Alarm workflow

Customizable "Data Loss" alarm: the alarm delivers alerts prioritized by severity level

Drill into event detail: note the volume of traffic exfiltrated and the % of outgoing traffic

Pull up identity information from Cisco ISE: customizable screen with username, auth group, posture, device profile

Query Cisco SenderBase for host reputation information

Page 28: Visualization

View threat activity by severity or by threat type

"Who's talking to who" visualization among hosts: visualize communication patterns associated with a threat

Page 29: Cisco Cyber Threat Defense components

Flow exporters: NetFlow is generated by Cisco switches, routers, ASA 5500, and by FlowSensors in areas without flow support

Flow aggregation, analysis, context (Lancope StealthWatch)
• Aggregates up to 25 FlowCollectors, up to 1.5 million flows per second
• Stores and analyzes flows from up to 2,000 flow sources at up to 120K flows per second
• ISE, SIO, NBAR provide threat context

Threat context: Identity from Cisco ISE; Application from NBAR on Cisco routers; Reputation from Cisco SIO

Visibility and management

Page 31: Deployment options

Generating NetFlow telemetry
• Option 1: Generate NetFlow from Cisco infrastructure (lowest cost, fewest boxes)
• Option 2: Use StealthWatch FlowSensors to generate NetFlow (overlay for legacy infrastructure, separate operations)

Gathering identity context
• Option 1: Deploy Cisco ISE as user/device policy infrastructure (complete AAA, device profiling, posture context)
• Option 2: Cisco ISE and AAA/AD proxy into existing AAA infrastructure (integration with existing AAA infrastructure; no device profiling or posture context)

Page 32: NetFlow v5 vs NetFlow v9

NetFlow v5 captures essential information regarding traffic patterns: source/dest IP and port, packet counts, byte counts, flow duration, I/O interfaces. Useful for Layer 3 and 4 traffic pattern analysis. v5 is a fixed-format, IPv4-only record.

NetFlow v9 extends NetFlow v5 by adding: numerous TCP flags/counters, flow direction, fragmentation flags, ICMP and IGMP info, header stats, time-to-live, DSCP/TOS info, destination routing info. Provides insight into malformed packets, protocol manipulation, and direction of traffic. v9 is template-based (Page 18): the exporter describes its own record layout, so the collector must receive the template before it can decode the data records.

NetFlow v5 is useful, but NetFlow v9 delivers greater insight.

Page 33: Cisco Cyber Threat Defense 1.1: Summer 2012

New threat dashboards
• Command/control traffic detection
• Recon detection

High availability for ISE context

New validated platforms
• ASR1000
• Cisco WLAN (Unified)
• Cisco NetFlow Generator

Page 34: NetFlow generation appliances

• Cisco NetFlow Generator delivers superior price/performance
• Lancope FlowSensor provides better application visibility and management integrated in StealthWatch Management Console

                                       Lancope FlowSensor     Cisco NetFlow Generator
# of models                            5                      1
Highest scale                          5 Gbps                 40 Gbps
Price                                  $4,695 to $82,995      NTE $20,000
Application detection                  Dedicated App DPI      IPFIX App IDs
VM flow generation                     Yes                    No
Management                             Unified, StealthWatch  Device GUI
Tested for Cisco Cyber Threat Defense  Yes                    Summer 2012
Availability                           Now                    Summer 2012