TRANSCRIPT
Luc Billot
Cyber Security Technical Architect - Cisco
April 2019
Threat Prevention based on Network Visibility & Behavioral Analytics
© 2019 Cisco and/or its affiliates. All rights reserved.
What if …..
Encrypted traffic growing rapidly due to increased total amount of traffic and % of traffic encrypted
Source: Google Transparency Report, Forbes, Cisco VNI
[Chart: Business IP Traffic, EB per month, 2017 to 2022; series: Business internet traffic, Business managed IP traffic, Business mobile data]
Browsers and applications investigated
Browsers are quickly adopting the emerging standards; many will become the default settings in the next releases. Applications are moving slower, but are beginning to adopt these standards.

Protocol    Browser users with the new protocols by default (1)    Websites that offer the new protocols (2)
TLS 1.3     66.7%                                                  10.7%
ESNI        Experimental only                                      <1%
DoH (4)     Experimental only                                      <1%
HTTP/2      86.9%                                                  33.2%
QUIC (3)    28.8%                                                  1.4%

As of January 2019. (1) Based on % of users per browser version that supports the standard by default. (2) SSL Labs' review of the top 150K sites. (3) gQUIC. (4) DNS traffic.
Source: caniuse.com, Cloudflare blog, Chromium blog, Mozilla blog, ZDNet
TLS website adoption
[Chart: share of websites supporting each TLS version, 0% to 100%; series: TLS 1.1 (ratified 4/2006), TLS 1.2 (ratified 8/2008), TLS 1.3 (ratified 8/2018)]
Source: SSL Labs
HTTP/2 and HTTP/3 website adoption
[Chart: share of websites, 0% to 35%, April 2012 to April 2018; series: SPDY, HTTP/2]
Source: SSL Labs, W3Tech
Architecture in Cyber Security
Security is an Integration Game
[Diagram: Cisco security components exchanging data: NGIPS, NGFW, Firepower Management Center, ISE, AMP for Endpoints, AMP Data, Threat Grid, Stealthwatch, Web Security, Umbrella, Email Security, DNS, Logging/SIEM, Orchestration, Investigate, Tetration, AD, 3rd party vulnerability data, 3rd party threat intelligence; labelled exchanges: sending data to SIEM, API transaction, identity from ISE]
Effective security depends on total visibility
• SEE every conversation
• Understand what is NORMAL
• Be alerted to CHANGE
• KNOW every host
• Respond to THREATS quickly
[Diagram: one network spanning Users, HQ, Data Center, Admin, Branch, Roaming Users and Cloud]
Understand Threat Detection using Flows
The network is a valuable data source
[Diagram: routers and switches exporting flow records for a conversation between 10.1.8.3 and 172.168.134.2 on the Internet]
What it provides:
• A trace of every conversation in your network
• Collection of records all across the network (routers, switches, firewalls)
• Network usage metrics
• Ability to view north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Indications of compromise (IOC)
• Security group information

Flow information extracted from the packets:
SOURCE ADDRESS       10.1.8.3
DESTINATION ADDRESS  172.168.134.2
SOURCE PORT          47321
DESTINATION PORT     443
INTERFACE            Gi0/0/0
IP TOS               0x00
IP PROTOCOL          6
NEXT HOP             172.168.25.1
TCP FLAGS            0x1A
SOURCE SGT           100
:                    :
APPLICATION NAME     NBAR SECURE-HTTP
Scaling and optimization: deduplication
[Diagram: Router A, Router B and Router C each observing the same conversation between 10.1.1.1 port 80 and 10.2.2.2 port 240]
Deduplication
• Avoid false positives and misreported traffic volume
• Enable efficient storage of telemetry data
• Necessary for accurate host-level reporting
• No data is discarded
Records received:
Router A: 10.1.1.1:80 10.2.2.2:1024
Router B: 10.2.2.2:1024 10.1.1.1:80
Router C: 10.2.2.2:1024 10.1.1.1:80
(duplicates: the same conversation reported by more than one exporter)
Scaling and optimization: stitching
[Diagram: one device seeing the client side on eth0/1 (10.2.2.2 port 1024) and the server side on eth0/2 (10.1.1.1 port 80)]

Unidirectional telemetry records:
Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712

Bidirectional telemetry record (conversation record):
Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2

Easy visualization and analysis
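A worked version of the deduplication and stitching described on the two slides above, added here as an example and not Stealthwatch's own code: it takes unidirectional records from several exporters, counts each direction once while keeping every observation point, and pairs the two directions into one conversation record. The records, the exporter names and the rule that the earlier-starting direction is the client side are assumptions.

```python
from collections import defaultdict, namedtuple

# One unidirectional NetFlow-style record as emitted by a single exporter interface.
FlowRecord = namedtuple("FlowRecord",
                        "exporter start iface src_ip src_port dst_ip dst_port proto pkts bytes")

def stitch(records):
    """Deduplicate per direction, then pair the two directions into conversation records."""
    # Step 1: deduplication. The same direction reported by several exporters (or twice by
    # one exporter) is counted once for volume; every observation point is kept, not discarded.
    directions = {}
    for r in sorted(records, key=lambda r: r.start):        # start is "HH:MM:SS.mmm", text-sortable
        dkey = (r.proto, r.src_ip, r.src_port, r.dst_ip, r.dst_port)
        entry = directions.setdefault(dkey, {"rec": r, "seen_on": []})
        entry["seen_on"].append(f"{r.exporter}/{r.iface}")
    # Step 2: stitching. Both directions of one conversation share a direction-independent key.
    convs = defaultdict(list)
    for entry in directions.values():
        r = entry["rec"]
        ends = sorted([(r.src_ip, r.src_port), (r.dst_ip, r.dst_port)])
        convs[(r.proto, *ends)].append(entry)
    out = []
    for halves in convs.values():
        halves.sort(key=lambda e: e["rec"].start)           # assumption: earliest half is client->server
        c = halves[0]["rec"]
        s = halves[1]["rec"] if len(halves) > 1 else None   # None: only one direction was seen
        out.append({
            "start": c.start, "client": f"{c.src_ip}:{c.src_port}",
            "server": f"{c.dst_ip}:{c.dst_port}", "proto": c.proto,
            "client_bytes": c.bytes, "client_pkts": c.pkts,
            "server_bytes": s.bytes if s else 0, "server_pkts": s.pkts if s else 0,
            "seen_on": sorted({x for h in halves for x in h["seen_on"]}),
            "duplicates": sum(len(h["seen_on"]) - 1 for h in halves),
        })
    return out

# Constructed sample: the slide's conversation as reported by three routers (Router C repeats
# what Router B already reported).
SAMPLE = [
    FlowRecord("RouterB", "10:20:12.221", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("RouterA", "10:20:12.871", "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
    FlowRecord("RouterC", "10:20:12.230", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
]

if __name__ == "__main__":
    for conv in stitch(SAMPLE):
        print(conv)
```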
Enriched with data from other sources
Stealthwatch Enterprise also enables telemetry ingestion from many third-party exporters.
[Diagram: telemetry sources feeding Stealthwatch: Nexus switch and Tetration (Data Center); Catalyst, IE and ETA-enabled Catalyst (Switch); Web Security Appliance (WSA) (Web); ISR, CSR, ASR and WLC (Router); AnyConnect (Endpoint); ASA, FTD and Meraki (Firewall); Identity Services Engine (ISE) (Policy and User Info); Stealthwatch Flow Sensor (Other); plus switches, routers, firewalls, servers, users, WAN links and devices]
The general ledger
Client   Server   Translation  Service  User  Application  Traffic  Group     Mac       SGT  Encryption TLS/SSL version
1.1.1.1  2.2.2.2  3.3.3.3      80/tcp   Doug  http         20M      location  00:2b:1f  10   TLS 1.2
Session Data | 100% network accountability
[Diagram: visibility built from Interface Information, Policy Information, Network Telemetry, User Information, Threat Intelligence, NAT/Proxy, Layer 7, Group/Segment, Encrypted Traffic Analytics, Endpoint and Cloud]
Security Analytics
Anomaly detection using behavioral modeling
• Collect and analyze telemetry, then create a baseline of normal behavior, then alarm on anomalies and behavioral changes
Telemetry attributes used for baselining: flows, number of concurrent flows, time of day, bits per second, packets per second, number of SYNs sent, new flows created, number of SYNs received, rate of connection resets, duration of the flow.
[Chart: ~100 security events; host group "Exchange Servers" plotted against a threshold line, with an "Anomaly detected in host behavior" marker]
• Comprehensive data set optimized to remove redundancies
• Security events to detect anomalies and known bad behavior
• Alarm categories for high-risk, low-noise alerts for faster response
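An added illustration of the baseline-then-alarm loop above (my construction, not Cisco's algorithm): a per-host mean and standard deviation over past intervals for two of the listed attributes, with an alarm only when the current interval exceeds that host's own norm, so a busy mail server is not judged by a workstation's baseline. The hosts, counts, k-sigma rule and minimum delta are assumptions.

```python
import statistics
from collections import defaultdict

def build_baseline(history, min_samples=5):
    """Per host and metric: mean and stdev of past interval counts ("what is normal")."""
    series = defaultdict(list)
    for host, metrics in history:
        for name, value in metrics.items():
            series[(host, name)].append(value)
    baseline = {}
    for key, values in series.items():
        if len(values) >= min_samples:                   # refuse to baseline on too little data
            baseline[key] = (statistics.mean(values), statistics.pstdev(values))
    return baseline

def detect(observation, baseline, k=3.0, min_delta=10):
    """Alarm when a metric exceeds its host's baseline by k standard deviations and by at
    least min_delta, so a flat baseline (stdev 0) cannot fire on a one-unit change."""
    alarms = []
    for host, metrics in observation:
        for name, value in metrics.items():
            if (host, name) not in baseline:
                continue                                 # unknown host/metric: no basis to judge
            mean, sd = baseline[(host, name)]
            threshold = mean + max(k * sd, min_delta)
            if value > threshold:
                alarms.append({"host": host, "metric": name, "value": value,
                               "threshold": round(threshold, 1)})
    return alarms

# Constructed telemetry: eight past 5-minute intervals per host, then the current interval.
HISTORY = [("10.1.8.3", {"syns_sent": s, "concurrent_flows": c})        # a workstation
           for s, c in zip([12, 15, 11, 14, 13, 12, 16, 14], [40, 42, 38, 41, 39, 43, 40, 41])]
HISTORY += [("10.1.8.20", {"syns_sent": s, "concurrent_flows": c})      # an Exchange server: busy is its norm
            for s, c in zip([410, 395, 420, 405, 398, 415, 402, 411],
                            [900, 880, 910, 895, 905, 890, 915, 900])]
CURRENT = [("10.1.8.3", {"syns_sent": 450, "concurrent_flows": 44}),    # workstation suddenly sending many SYNs
           ("10.1.8.20", {"syns_sent": 418, "concurrent_flows": 912})]  # server still within its own norm

def demo():
    return detect(CURRENT, build_baseline(HISTORY))

if __name__ == "__main__":
    for alarm in demo():
        print(alarm)
```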
Power of multilayered machine learning
Increase fidelity of detection using best-in-class security analytics
[Diagram: network telemetry and the Global Risk Map feed successive layers (anomaly detection, trust modeling, event classification, entity modeling, relationship modeling) that narrow anomalous traffic to malicious events, then confirmed incidents, and finally prioritized high-fidelity incidents]
Encrypted Traffic Analytics
• Ensure cryptographic compliance
• Detect malware in encrypted traffic
Cisco Stealthwatch Enterprise is the only solution providing visibility and malware detection without decryption.
Initial Data Packet (IDP)
• HTTPS header contains several information-rich fields
• Server name provides domain information
• Crypto information educates us on client and server behavior and application identity
• Certificate information is similar to whois information for a domain
• And much more can be understood when we combine the information with global data
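Added example, not part of the deck or of Cisco's ETA implementation: what can be read from the first packet of a TLS session without decrypting it. It builds a constructed ClientHello, parses the offered TLS version, cipher suites and server name (SNI) from it, and flags legacy suites as a cryptographic-compliance check. The LEGACY_SUITES set is an assumption about which suites a policy would flag.

```python
import struct

LEGACY_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}   # assumption: suites a policy would flag

def build_client_hello(server_name, cipher_suites, version=0x0303):
    """Constructed TLS ClientHello record (sample input only, not captured traffic)."""
    name = server_name.encode()
    sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # name_type 0 = host_name
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list              # extension type 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"          # cipher suites, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1 = client_hello
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake     # record type 22 = handshake

def parse_idp(data):
    """Extract version, offered cipher suites and SNI from a ClientHello; None if it is not one."""
    if len(data) < 9 or data[0] != 22 or data[5] != 1:
        return None
    p = 9
    version = struct.unpack_from("!H", data, p)[0]; p += 2 + 32            # version, skip client random
    p += 1 + data[p]                                                        # skip session id
    n = struct.unpack_from("!H", data, p)[0]; p += 2
    ciphers = [struct.unpack_from("!H", data, p + i)[0] for i in range(0, n, 2)]; p += n
    p += 1 + data[p]                                                        # skip compression methods
    sni = None
    if p + 2 <= len(data):
        ext_end = p + 2 + struct.unpack_from("!H", data, p)[0]; p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", data, p); p += 4
            if etype == 0 and elen >= 5 and data[p + 2] == 0:             # server_name, host_name entry
                name_len = struct.unpack_from("!H", data, p + 3)[0]
                sni = data[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    return {"version": version, "cipher_suites": ciphers, "server_name": sni}

def legacy_offered(idp):
    """Compliance view: names of the flagged suites the client offered."""
    return [LEGACY_SUITES[s] for s in idp["cipher_suites"] if s in LEGACY_SUITES]

# Constructed sample: a TLS 1.3 suite, a modern ECDHE suite and a 3DES suite offered to example.com.
SAMPLE_IDP = build_client_hello("example.com", [0x1301, 0xC02F, 0x000A])

if __name__ == "__main__":
    idp = parse_idp(SAMPLE_IDP)
    print(idp, legacy_offered(idp))
```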
Sequence of Packet Lengths and Times (SPLT)
[Diagram: packets sent and received between client and server over time for four kinds of traffic: Exfiltration & Keylogging, Google search, Page download, Initiate Command & Control]
Model: packet lengths, arrival times and durations tend to be inherently different for malware than for benign traffic.
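Added example (my construction, not Cisco's model) of how the SPLT idea above becomes a feature: a flow's first packets are turned into a sequence of signed lengths and inter-arrival times, then into fixed-size transition matrices over binned values, so a classifier can compare a page download with a slow, regular beacon regardless of flow length. The bin widths (150 bytes, 50 ms) and both packet timelines are assumptions.

```python
LEN_BIN, TIME_BIN, NBINS = 150, 50, 10   # assumption: 150-byte and 50 ms bins, 10 bins each

def splt(packets, max_pkts=10):
    """SPLT for one flow: (signed length, inter-arrival ms) for its first max_pkts data packets.
    packets: (timestamp_s, length_bytes, direction), direction +1 client->server, -1 server->client."""
    seq, prev = [], None
    for t, ln, d in packets[:max_pkts]:
        seq.append((d * ln, 0.0 if prev is None else (t - prev) * 1000.0))
        prev = t
    return seq

def transition_matrix(values, width, nbins=NBINS):
    """Row-normalised Markov transition matrix over binned |values|: a fixed-size feature
    whatever the flow length, so short and long flows become comparable."""
    idx = [min(int(abs(v) // width), nbins - 1) for v in values]
    m = [[0.0] * nbins for _ in range(nbins)]
    for a, b in zip(idx, idx[1:]):
        m[a][b] += 1.0
    for row in m:
        total = sum(row)
        if total:
            row[:] = [x / total for x in row]
    return m

def splt_features(packets):
    """Length matrix, time matrix and duration for one flow."""
    seq = splt(packets)
    return {"lengths": transition_matrix([l for l, _ in seq], LEN_BIN),
            "times": transition_matrix([t for _, t in seq], TIME_BIN),
            "duration_ms": (packets[-1][0] - packets[0][0]) * 1000.0 if packets else 0.0}

# Constructed timelines (seconds, bytes, direction); not captured traffic.
PAGE_DOWNLOAD = [(0.000, 517, 1), (0.045, 1400, -1), (0.046, 1400, -1), (0.047, 1400, -1),
                 (0.048, 820, -1), (0.090, 300, 1), (0.130, 1400, -1), (0.131, 1400, -1)]
BEACON = [(0.0, 120, 1), (0.5, 90, -1), (30.5, 120, 1), (31.0, 90, -1), (60.5, 120, 1), (61.0, 90, -1)]

if __name__ == "__main__":
    for name, pk in (("page download", PAGE_DOWNLOAD), ("beacon", BEACON)):
        f = splt_features(pk)
        print(name, "small->small length transitions:", f["lengths"][0][0],
              "long-gap->long-gap time transitions:", f["times"][-1][-1])
```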
Deployment
Stealthwatch Enterprise Architecture
Comprehensive visibility and security analytics
[Diagram: Management Console; Flow Collector; Flow Sensor, and Flow Sensor VE on a hypervisor, for non-NetFlow enabled equipment; UDP Director, which also feeds other traffic analysis software; NetFlow enabled routers, switches and firewalls, including telemetry for Encrypted Traffic Analytics; Proxy Data; ISE; Endpoint License; Threat Intelligence License with Global Threat Analytics; Security Packet Analyzer with packet data & storage; Stealthwatch Cloud]
Example of Detection
Network Behavior and Anomaly Detection
Alarm Model
• Monitor activity and alarm on suspicious conditions
• Policy and behavioral
Scoped Worm activity
• Found 15 scanning systems
• Scoped the investigation systems
Example Detection: Malware with encrypted C&C
• Passive DNS attribution & Global Risk Map tracks servers likely to become part of an attack
• Original URL request extracted from the new ETA telemetry (IDP)
• Sequence of Packet Lengths and Times (SPLT)
Policy Violation Detection
Segmentation Monitoring with Stealthwatch
PCI Zone Map
• Define communication policy between zones
• Monitor for violations
Modeling Policy: Alarm Occurrence
• Alarm dashboard showing all policy alarms
• Details of "Employee to Production Servers" alarm occurrences
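Added example tying the zone map and the "Employee to Production Servers" alarm of the two slides above together (not Stealthwatch's policy engine): a zone map over address prefixes, an allow-list of zone-to-zone services, and a check over stitched conversation records that reports each cross-zone conversation the policy does not permit. Zones, prefixes, policy entries and flows are all constructed.

```python
import ipaddress

# Constructed PCI zone map: prefixes and zone names are illustrative, not from the deck.
ZONES = {
    "Employee": ["10.1.0.0/16"],
    "Production Servers": ["10.20.0.0/24"],
    "PCI Cardholder Data": ["10.30.0.0/24"],
    "Jump Hosts": ["10.40.0.0/28"],
}
ZONES = {name: [ipaddress.ip_network(p) for p in nets] for name, nets in ZONES.items()}

# Communication policy between zones: (client zone, server zone, server port) that is allowed.
# Any cross-zone conversation not listed here is a violation; intra-zone traffic is not judged.
POLICY = {
    ("Employee", "Production Servers", 443),
    ("Jump Hosts", "Production Servers", 22),
    ("Jump Hosts", "PCI Cardholder Data", 22),
    ("Production Servers", "PCI Cardholder Data", 5432),
}

def zone_of(ip):
    """Zone name for an address; 'Unmapped' surfaces gaps in the zone map rather than hiding them."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "Unmapped"

def policy_violations(conversations):
    """Check stitched conversation records (client, server, server_port) against the zone policy."""
    alarms = []
    for c in conversations:
        src, dst = zone_of(c["client"]), zone_of(c["server"])
        if src != dst and (src, dst, c["server_port"]) not in POLICY:
            alarms.append({**c, "alarm": f"{src} to {dst}"})
    return alarms

# Constructed conversation records (the output of stitching), not real telemetry.
SAMPLE = [
    {"client": "10.1.8.3", "server": "10.20.0.15", "server_port": 443},   # allowed by policy
    {"client": "10.1.8.3", "server": "10.20.0.15", "server_port": 3389},  # RDP from a workstation
    {"client": "10.1.8.3", "server": "10.30.0.7", "server_port": 443},    # workstation into the PCI zone
    {"client": "10.40.0.2", "server": "10.30.0.7", "server_port": 22},    # allowed via a jump host
]

if __name__ == "__main__":
    for a in policy_violations(SAMPLE):
        print(a["alarm"], a)
```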
From Visibility to Rapid Threat Containment
Alarms tied to specific entities
• Quick snapshot of malicious activity
• Suspicious behavior linked to logical alarms
• Risks prioritized to take immediate action
Investigating a host
• Top security events
• Understand why the alarm was triggered
• Easily determine if the host is the source or target of an attack
• Drill down into associated telemetry with just one click
Apply machine learning to investigate threats
• Threat propagation details
• Malware behavior detected in encrypted traffic
• Correlation of global threat behaviors
• Threats ranked by overall severity to environment
Rapid Threat Containment without any business disruption
[Diagram: Stealthwatch Management Console and Cisco Identity Services Engine exchanging context over pxGrid; mitigation: quarantine or unquarantine an infected host; context information shared with other network and security products]
Closing
Security Analytics with Stealthwatch Enterprise
• Data collection: rich telemetry from the existing network infrastructure
• Global threat intelligence (powered by Talos): intelligence of global threat campaigns mapped to local alarms for faster mitigation
• Behavioral modeling: behavioral analysis of every activity within the network to pinpoint anomalies
• Multilayered machine learning: combination of supervised and unsupervised techniques to convict advanced threats with high fidelity
• Encrypted Traffic Analytics: malware detection without any decryption using enhanced telemetry from the new Cisco devices