Defense Against Emerging Threats – BRKSEC-1010 – Neil Lovering, CCIE #1772, Consulting Systems Engineer
d2zmdbbm9feqrf.cloudfront.net/2014/usa/pdf/BRKSEC-1010.pdf

Page 2

Defense Against Emerging Threats

BRKSEC-1010

Neil Lovering

CCIE #1772

Consulting Systems Engineer – Security [email protected] @NeilLovering

Page 3

© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-1010 Cisco Public

Preview

• The Cyber Security Landscape

• Common Cyber Security Themes

• Cisco Cyber Solutions

• Cyber Futures

• Q&A

Page 4

About the Host

• Active CCIE (#1772)

– First earned 18 years ago

– Recertified (again) summer ’13

• Fluent in Bostonian

• Used to jump out of “perfectly good” airplanes

• Can judge a swim meet but cannot swim half the strokes

• Do my best to fight the pains of age

• Run, lift, hike, drink beer, etc.


Page 5

The Cyber Security Landscape

:10

Page 6

The Ultimate Cyber Protection

• If you are connected, you are vulnerable

– The only true way to protect yourself is to disconnect

– But what about Stuxnet?

• Problem – ‘Off the grid’ is unlikely in today’s world

• Realistic alternative – Understand the environment and create layers of defense

Page 7

Cyber Security

• One of the Top 5 ‘Most Likely’ risks to global development

• Security is and always has been an integral part of any network

– Captain Spock voice

• Today’s networks are more critical and almost always online

– Utilities

– Healthcare

– Financial

– Government

– Military


Page 8

Cyber Security Motivation – Laws

Laws and Regulations

• Sarbanes-Oxley Act (SOX)

– Monitoring / Visibility

– Risk Management

• Payment Card Industry Data Security Standard (PCI DSS)

– Access control

– Role-based access

– Monitoring / Visibility

• Gramm-Leach-Bliley (GLB) Act

– Access control

– Role-based access

– Monitoring / Visibility

• Customs-Trade Partnership Against Terrorism (C-TPAT)

– Accountability

– Monitoring / Visibility

Page 9

Cyber Security Motivation – Industry

Industry Guidelines and Requirements

• Federal Information Security Management Act (FISMA)

– Monitoring / Visibility

• North American Electric Reliability Corp. (NERC) Standards

– Monitoring / Visibility

– Access Control

– Differentiated Access

– Reputation

• Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records

– Differentiated Access

– Monitoring / Visibility

– Access Control

• Health Insurance Portability and Accountability Act (HIPAA)

– Access Control

– Differentiated Access

– Monitoring / Visibility

Page 10

Cyber Security Motivation – Government

Government Guidelines

• DoD Information Assurance Certification Accreditation Process (DIACAP)

• National Institute of Standards and Technology (NIST)

– Advance … standards and technology in ways that enhance economic security

– Federal Information Processing Standards (FIPS)

• FIPS 140 = Security for cryptography

• National Information Assurance Partnership (NIAP)

– NIST + NSA

– Uses Protection Profiles like Common Criteria does

Page 11

Cyber Security Motivation – International

International Standards

• Common Criteria

– Target of Evaluation (TOE) – the product or system under evaluation

– Protection Profile (PP) – security requirements for a class of security devices

– Security Target (ST) – security properties of the target of evaluation

• May reference one or more Protection Profiles

– Security Functional Requirements (SFRs) – individual security functions provided by a product

Page 12

A Network is a Busy Place

• How do you know what to look for?

• How do you know where to look?

• How do you know what is good or bad?

• How do you know an event has occurred?

• How do you know the event is over?


Page 13

The Threat Landscape Evolution

Timeline figure: threats (upper row) and the defensive response of each period (lower row).

Period   Threats                                        Response
2000     Worms                                          HOST-BASED (ANTI-VIRUS)
2005     Spyware / Rootkits                             NETWORK PERIMETER (IDS/IPS)
2010     APTs / Cyberware                               GLOBAL REPUTATION & SANDBOXING
Today    Increased Attack Surface (Mobility & Cloud)    INTELLIGENCE & ANALYTICS

Page 14

Threat Intelligence

• Attacks are targeting significant resources across the entire Internet

• Malicious actors are using untrusted applications to exploit gaps

• Penetrations may go undetected for long periods

– Advanced Persistent Threats (APTs)

– Mean Time to Know (MTTK)


Page 15

Think Outside the Box

• For Advanced Threats (APT) you need advanced people to detect

• Security was, is and will be a process that never ends

• Attack continuum – Before, During, After

• Perimeter Security Devices are not obsolete, they are just the first line of defense

• Use advanced behavior based detection tools (e.g. Cyber Threat Defense, Sourcefire AMP) for botnet detection


Page 16

Attack Chain

Survey – Obtain a full picture of an environment: network, endpoint, mobile, and virtual, including the technologies deployed to secure the environment

Write – Create targeted, context-aware malware

Test – Ensure the malware works as intended, specifically so it can evade security tools in place

Execute – Navigate through the extended network—being environmentally aware, evading detection, and moving laterally until reaching the target

Accomplish the Mission – Gather data, create disruption, or cause destruction

Page 17

Us vs. Them

• How an attacker thinks

– Courtesy of DoD and Lockheed Martin

• Defense in depth across a time spectrum

Intrusion Kill Chain: Recon → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions

Threat Counter-measures (laid over the chain): Protect → Survive → Detect → React

Time spectrum: BEFORE – DURING – AFTER

Page 18

The Modern Security Model

Attack Continuum – spanning Network, Endpoint, Mobile, Virtual, Cloud; applied both point in time and continuously

BEFORE: Control, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Page 19

Repeat As Needed

Continuous Monitoring and Risk Management

Risk Management Framework (*NIST 800-37)

Step #1 – Categorize Information System

Step #2 – Select Security Controls

Step #3 – Implement Security Controls

Step #4 – Assess Security Controls

Step #5 – Authorize Information System

Step #6 – Monitor Security Controls

Architecture Description (input to the framework)

– Architecture Reference Models

– Segment and Solution Architectures

– Mission and Business Processes

– Information System Boundaries

Organization Inputs (input to the framework)

– Laws, Directives, Policy Guidance

– Strategic Goals and Objectives

– Priorities and Resource Availability

– Supply Chain Considerations

Page 20

Continuous Monitoring Functional Areas

Continuous Monitoring Tools and Capabilities (*DHS Continuous Diagnostics and Mitigation)

1. Hardware Asset Management

2. Software Asset Management

3. Configuration Management

4. Vulnerability Management

5. Manage Network Access Controls

6. Manage Trust and People Granted Access

7. Manage Security Related Behavior

8. Manage Credentials and Authentication

9. Manage Account Access

10. Prepare for Contingencies and Incidents

11. Respond to Contingencies and Incidents

12. Design and Build in Requirements Policy and Planning

13. Design and Build in Quality

14. Manage Audit Information

15. Manage Operational Security

CMaaS – Additional Functional Areas

Page 21

Monitoring the Monitors


• Control access

– Know who and what gets in

– Levels of security controls

• Examine what roams around

– Observe from many points in the network

• Be able to react

– Keep a history of network actions

– Multiple data sources help with validation

• Have a sixth sense

– Add metrics such as ‘reputation’

Page 22

Sources of Issues

• Network security is responsible for

– User access to the network

– Applications that may access the network

• Compromise includes

– A local or network application

– Data used within an application or stored locally

– A remote site accessed

• Sensitive data exfiltration


Page 23

Indicators of Compromise

Sources from which a compromise is typically indicated:

• Raw Flow Analysis

• Log Analysis (SIEM)

• IDS Alert

• Outside Notification

• Behavioral Analysis

• Activity Monitoring

Page 24

Visibility Reduces Exposure

• Typical crisis begins without warning

• Network visibility allows reaction before compromise

• Insight increases security posture

[Figure: Impact to the Business ($) plotted against Time. CRISIS REGION (no early visibility): attack onset, credit card data compromised, attack identified, vulnerability closed. INSIGHT REGION (with visibility): attack onset, early warning, attack identified, vulnerability closed, attack thwarted. MTTK (mean time to know) is marked on the time axis.]

Page 25

Common Cyber Security Themes

:30

Page 26

Mapping Technologies to the Security Model

Attack Continuum, with Visibility and Context underlying every phase:

BEFORE (Control, Enforce, Harden): Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM / NAC

DURING (Detect, Block, Defend): IPS, Anti-Virus, Email/Web

AFTER (Scope, Contain, Remediate): IDS, FPC, Forensics, AMP, Log Mgmt, SIEM

Page 27

Host-Based Intrusion Prevention


Page 28

Overall Cyber Security

• An effective cyber security solution is implemented at many layers

– Host

• Anti-virus / anti-malware

• Training and education

– Network

• Firewall / Next-generation firewall

• IPS / IDS

• Web / URL / Reputation filtering

• Identity tracking

• Differentiated / role-based network access

• Visibility and monitoring

• Training and education

Page 29

What Defines Success?


Page 30

Defense in Depth

• Network security is like an Ogre

• Information Assurance

– Availability

– Integrity

– Authentication

– Confidentiality

– Non-Repudiation

• The application of these services should be based on

– Protect – Before – Trust

– Detect – During – Insight

– React – After – Resiliency

*NSA Systems and Network Attack Center (SNAC)


Page 31

Cyber Trust

• Assumption – nothing in the cyber world can or should be trusted

• Two forms of trust erosion

– Decline in customer product confidence

– Malicious actors are defeating trust mechanisms

• Recommendations

– Examine security models holistically

– Gain visibility across the entire attack continuum

• Before

• During

• After

Page 32

Network Log Tools

• Log collection can quickly become overwhelming

• Configuration validation is also key to overall network security

• There are a variety of network log and config collection tools available

• Need a tool that parses all the available data for specific events and anomalies


Page 33

Network Log Collection

• Device logs

– Windows, Apple, Linux

– ASA, Router, IPS, Switch, ISE, etc.

• Cisco Security Suite for Splunk

– Log collection from ASA, WSA, ESA and IPS

– Flexible and scalable security investigations

– Real-time forensics operationalized

– Data is more meaningful to more users

– Metrics and operational visibility

– Real-time correlation and alerting


Page 34

Network Log Analysis

• Graphical interface simplifies the investigative process


Page 35

NetFlow Tracks Conversations

• NetFlow was introduced on Cisco routers

– Now possible on multiple platforms and multiple vendors

• Network devices export NetFlow data

• NetFlow collectors retrieve and analyze the data

• Each network layer offers unique NetFlow capabilities

NetFlow-capable platforms by network layer (figure):

– Access: Catalyst® 3560/3750-X, Catalyst® 4500, Catalyst® 3850

– Distribution & Core: Catalyst® 6500, Catalyst® 4500

– Edge: ASA, ISR, ASR

Page 36

NetFlow Collection Duties

• Flow stitching

– The complete conversation

– Rarely successive packets in logs

• Flow de-duplication

– Two network devices see the same packet stream

– Remove apparent duplicate flows

[Figure: two worked cases drawn with router interfaces gig 0/1 and gig 0/2. Stitching: the conversation between 10.2.2.2 port 1024 and 10.1.1.1 port 80 is exported as separate records that the collector joins into one conversation. De-duplication: the conversation between 20.2.2.2 port 1024 and 20.1.1.1 port 80 passes through two devices, each of which exports it, and the collector keeps a single copy.]
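The two collector duties on this slide, stitching and de-duplication, as an added Python example. This is not code from the presentation or from any Cisco collector: the exporter names, timestamps, packet and byte counts are constructed around the two address pairs on the slide, and the rule that the earlier of two records is the conversation initiator is a simplification (production collectors also look at TCP flags).

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional NetFlow record as an exporter would emit it."""
    exporter: str   # exporting device name (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    proto: int      # IP protocol number, 6 = TCP
    start: int      # first/last packet time in seconds (constructed offsets)
    end: int
    packets: int
    bytes: int


@dataclass
class Conversation:
    """Both directions of one flow, stitched together."""
    proto: int
    client: str
    client_port: int
    server: str
    server_port: int
    start: int
    end: int
    client_bytes: int = 0
    server_bytes: int = 0
    client_pkts: int = 0
    server_pkts: int = 0


def conversation_key(r: FlowRecord):
    """Direction-independent key: both halves of a conversation map to the same tuple."""
    a, b = (r.src, r.sport), (r.dst, r.dport)
    return (r.proto,) + (a + b if a <= b else b + a)


def deduplicate(records, window=60):
    """Collapse records of the same unidirectional flow that different exporters
    reported within `window` seconds: the same packet stream seen by two devices."""
    kept = defaultdict(list)
    for r in sorted(records, key=lambda r: (r.start, r.exporter)):
        k = (r.proto, r.src, r.sport, r.dst, r.dport)
        dup = next((i for i, p in enumerate(kept[k])
                    if p.exporter != r.exporter and abs(p.start - r.start) <= window), None)
        if dup is None:
            kept[k].append(r)            # new flow (or the same exporter reporting again later)
        elif r.bytes > kept[k][dup].bytes:
            kept[k][dup] = r             # same stream; keep the copy that saw more of it
    return [r for group in kept.values() for r in group]


def stitch(records):
    """Merge the two unidirectional halves of each conversation. The earlier record
    is taken as the initiator (assumption; real collectors also use the SYN flag)."""
    convs = {}
    for r in sorted(records, key=lambda r: r.start):
        k = conversation_key(r)
        c = convs.get(k)
        if c is None:
            c = convs[k] = Conversation(r.proto, r.src, r.sport, r.dst, r.dport, r.start, r.end)
        if (r.src, r.sport) == (c.client, c.client_port):
            c.client_bytes += r.bytes
            c.client_pkts += r.packets
        else:
            c.server_bytes += r.bytes
            c.server_pkts += r.packets
        c.start, c.end = min(c.start, r.start), max(c.end, r.end)
    return list(convs.values())


# Constructed export: the 10.x conversation is seen by two routers (so it arrives twice),
# the 20.x conversation only by router-B.
RECORDS = [
    FlowRecord("router-A", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 100, 105, 10, 1200),
    FlowRecord("router-A", "10.1.1.1", 80, "10.2.2.2", 1024, 6, 101, 105, 8, 9400),
    FlowRecord("router-B", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 100, 105, 10, 1200),
    FlowRecord("router-B", "10.1.1.1", 80, "10.2.2.2", 1024, 6, 101, 105, 8, 9400),
    FlowRecord("router-B", "20.2.2.2", 1024, "20.1.1.1", 80, 6, 200, 203, 5, 600),
    FlowRecord("router-B", "20.1.1.1", 80, "20.2.2.2", 1024, 6, 201, 203, 4, 3000),
]


def run_example(records=RECORDS):
    """Collector pipeline: de-duplicate first, then stitch. Returns the conversations."""
    return stitch(deduplicate(records))


if __name__ == "__main__":
    for c in run_example():
        print(f"{c.client}:{c.client_port} -> {c.server}:{c.server_port} "
              f"out={c.client_bytes}B in={c.server_bytes}B ({c.start}-{c.end}s)")
```

De-duplication runs before stitching on purpose: if the duplicate halves were stitched first, the byte counts of the 10.x conversation would be doubled and any volume-based anomaly threshold downstream would fire on nothing.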

Page 37

Security Information and Event Management

• Forensics and Instrumentation

– Aggregate logs from many sources

• Routers

• Firewalls

• IDS/IPS

• Servers (DNS, SMTP, WWW, Fileserver)

• Applications

• Databases

• Antivirus

• Host Based Intrusion Detection

• A “better picture”
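The "better picture" that aggregating many sources gives, together with the parsing tool the Network Log Tools slide asks for, as an added Python example that is not code from the presentation or from any SIEM product. The log lines are constructed (they follow the shape of an ASA 302013 connection message, a Snort-style fast alert and a flattened Windows failed-logon event, with a relay timestamp and hostname prepended); the correlation rule, two or more independent source types reporting the same internal host within five minutes, is an assumption chosen for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    ts: datetime
    kind: str       # class of source that reported it
    ip: str         # internal host the event is about
    detail: str


# Constructed sample lines (constructed values, not captured traffic).
LOGS = [
    "2014-05-20T10:01:02 fw01 %ASA-6-302013: Built outbound TCP connection 88120 for "
    "outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.5.20/40000 (10.1.5.20/40000)",
    "2014-05-20T10:01:05 ids01 [**] [1:1000001:1] CONSTRUCTED-SIG Outbound beacon [**] "
    "[Priority: 2] {TCP} 10.1.5.20:40000 -> 198.51.100.7:443",
    "2014-05-20T10:01:40 dc01 EventID=4625 LogonType=3 TargetUser=admin SourceIP=10.1.5.20",
    "2014-05-20T10:02:00 sw01 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "2014-05-20T10:03:15 fw01 %ASA-6-302013: Built outbound TCP connection 88131 for "
    "outside:203.0.113.9/80 (203.0.113.9/80) to inside:10.1.7.3/51000 (10.1.7.3/51000)",
    "2014-05-20T11:30:00 dc01 EventID=4625 LogonType=3 TargetUser=admin SourceIP=10.1.7.3",
]

# One parser per source type: (kind, regex, default detail). Each regex extracts the
# relay timestamp and the internal address the event concerns.
PARSERS = [
    ("firewall",
     re.compile(r"^(?P<ts>\S+) \S+ %ASA-\d-302013: .*? to inside:(?P<ip>[\d.]+)/\d+"),
     "outbound connection"),
    ("ids",
     re.compile(r"^(?P<ts>\S+) \S+ \[\*\*\] \[[\d:]+\] (?P<sig>.+?) \[\*\*\].*?"
                r"\{\w+\} (?P<ip>[\d.]+):\d+ ->"),
     None),
    ("auth",
     re.compile(r"^(?P<ts>\S+) \S+ EventID=4625 .*?SourceIP=(?P<ip>[\d.]+)"),
     "failed logon"),
]


def parse_line(line):
    """Normalise one raw line into an Event, or None for formats we have no parser for."""
    for kind, rx, detail in PARSERS:
        m = rx.match(line)
        if m:
            d = m.groupdict()
            return Event(datetime.fromisoformat(d["ts"]), kind, d["ip"], d.get("sig") or detail)
    return None   # a real pipeline would count unparsed lines rather than drop them silently


def correlate(events, window_s=300, min_sources=2):
    """Flag internal hosts that at least `min_sources` different source types report on
    within `window_s` seconds of each other. Returns {ip: set of source kinds}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, anchor in enumerate(evs):
            kinds = {anchor.kind}
            for later in evs[i + 1:]:
                if (later.ts - anchor.ts).total_seconds() > window_s:
                    break                      # events are sorted, so nothing later fits
                kinds.add(later.kind)
            if len(kinds) >= min_sources:
                flagged[ip] = flagged.get(ip, set()) | kinds
    return flagged


def run_example(lines=LOGS):
    events = [e for e in map(parse_line, lines) if e]
    return correlate(events)


if __name__ == "__main__":
    for ip, kinds in run_example().items():
        print(f"{ip}: reported by {sorted(kinds)}")
```

Each source on its own is noise: one outbound HTTPS connection, one IDS signature, one failed logon. Only the join across sources and time singles out 10.1.5.20, while 10.1.7.3, with the same two event types 87 minutes apart, stays quiet.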

Page 38

SIEM Ecosystem

• Cisco has created a SIEM ecosystem

– Seven different security vendors

– Correlate network and security events

– Integrate with Cisco ISE for network identity

• Increased effectiveness of SIEM and threat defense deployments

• Decreased time to detect, assess, and respond to security events

• Complete user/device visibility and control


Page 39

Solution Concepts for Cyber Security

• Trust

– Identify and Manage

• Insight

– Protect and Defend

• Resilience

– Respond and Recover

• Intelligence

– Plan and Prepare

[Figure: the attack continuum across Network, Endpoint, Mobile, Virtual, Cloud, applied point in time and continuously. Trust = BEFORE, Insight = DURING, Resilience = AFTER, with Intelligence spanning all three phases.]

Page 40

Cisco Cyber Solutions

:50

Page 41

Cyber Product vs. Cyber Architecture

• Security product created as an afterthought

• Integration with various network components often not considered

• Custom solutions do not play nice with others

• Very expensive to maintain

Point Products

[Figure: three unconnected boxes labelled Cyber Security Widget #1, Cyber Security Widget #2 and Cyber Security Widget #3.]

Page 42

Cyber Product vs. Cyber Architecture

• Security products designed to work with each other and network components

• Enhanced visibility with identity and reputation

• Overlapping functionality provides enhanced security posture

Integrated Network Security


Page 43

Mapping Technologies – Reminder

[Figure: the Attack Continuum mapping repeated from page 26. BEFORE (Control, Enforce, Harden): Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM / NAC. DURING (Detect, Block, Defend): IPS, Anti-Virus, Email/Web. AFTER (Scope, Contain, Remediate): IDS, FPC, Forensics, AMP, Log Mgmt, SIEM. Visibility and Context underlies every phase.]

Page 44

Cisco Security Architecture

Attack Continuum, with SIO and VRT supplying Visibility and Context across every phase:

BEFORE (Control, Enforce, Harden): ASA, NGFW, AnyConnect, CSM / DC / Prime, CTD / Lancope, ISE

DURING (Detect, Block, Defend): NG-IPS, WSA, ESA

AFTER (Scope, Contain, Remediate): NG-IDS, NetFlow / FPC, CTD / Lancope, AMP, Log Mgmt, SIEM

Page 45

Cisco Solutions for Cyber Security – Trust

• Identity Services Engine

– Identity and Context

– Security Group Access

– 802.1AE MACsec Encryption

• ASA and NGFW

• Security Management

– Cisco Security Manager

– Defense Center

– Prime Infrastructure

• AnyConnect

• Cisco Threat Defense

[Figure: the attack continuum across Network, Endpoint, Mobile, Virtual, Cloud, applied point in time and continuously. Trust = BEFORE, Insight = DURING, Resilience = AFTER; Visibility & Context = Intelligence, spanning all three.]

Page 46

Cisco Identity Services Engine All-in-One Enterprise Policy Control

[Figure: Security Policy Attributes, Identity and Context, answer Who, What, Where, When and How for VM clients, IP devices, guests, employees and remote users connecting over wired, wireless and VPN access, and feed business-relevant policies. ISE replaces AAA & RADIUS, NAC, Guest Mgmt & Device Identity Servers.]

Page 47

Cisco ISE – Security Group Access

• Simplified Access Management

• Accelerated Security Operations

• Consistent Policy Anywhere

Traditional Security Policy (the slide shows this wall of per-address ACL entries for contrast):

access-list 102 permit ip 178.97.113.59 255.255.255.255 gt 178 111.184.163.103 255.255.255.255 gt 959
access-list 102 deny ip 164.149.136.73 0.0.0.127 gt 1624 163.41.181.145 0.0.0.255 eq 810
access-list 102 permit icmp 207.221.157.104 0.0.0.255 eq 1979 99.78.135.112 0.255.255.255 gt 3231
access-list 102 permit tcp 100.126.4.49 0.255.255.255 lt 1449 28.237.88.171 0.0.0.127 lt 3679
access-list 102 deny icmp 157.219.157.249 255.255.255.255 gt 1354 60.126.167.112 0.0.31.255 gt 1025
access-list 102 deny icmp 76.176.66.41 0.255.255.255 lt 278 169.48.105.37 0.0.1.255 gt 968
access-list 102 permit ip 8.88.141.113 0.0.0.127 lt 2437 105.145.196.67 0.0.1.255 lt 4167
access-list 102 permit udp 60.242.95.62 0.0.31.255 eq 3181 33.191.71.166 255.255.255.255 lt 2422
access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479
access-list 102 permit ip 209.111.254.187 0.0.1.255 gt 4640 93.99.173.34 255.255.255.255 gt 28
access-list 102 permit ip 184.232.88.41 0.0.31.255 lt 2247 186.33.104.31 255.255.255.255 lt 4481
access-list 102 deny ip 106.79.247.50 0.0.31.255 gt 1441 96.62.207.209 0.0.0.255 gt 631
access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663
access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388
access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652
access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851
access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392
access-list 102 permit ip 96.174.38.79 0.255.255.255 eq 1917 1.156.181.180 0.0.31.255 eq 1861
access-list 102 deny icmp 236.123.67.53 0.0.31.255 gt 1181 31.115.75.19 0.0.1.255 gt 2794
access-list 102 deny udp 14.45.208.20 0.0.0.255 lt 419 161.24.159.166 0.0.0.255 lt 2748
access-list 102 permit udp 252.40.175.155 0.0.31.255 lt 4548 87.112.10.20 0.0.1.255 gt 356
access-list 102 deny tcp 124.102.192.59 0.0.0.255 eq 2169 153.233.253.100 0.255.255.255 gt 327
access-list 102 permit icmp 68.14.62.179 255.255.255.255 lt 2985 235.228.242.243 255.255.255.255 lt 2286
access-list 102 deny tcp 91.198.213.34 0.0.0.255 eq 1274 206.136.32.135 0.255.255.255 eq 4191
access-list 102 deny udp 76.150.135.234 255.255.255.255 lt 3573 15.233.106.211 255.255.255.255 eq 3721
access-list 102 permit tcp 126.97.113.32 0.0.1.255 eq 4644 2.216.105.40 0.0.31.255 eq 3716
access-list 102 permit icmp 147.31.93.130 0.0.0.255 gt 968 154.44.194.206 255.255.255.255 eq 4533
access-list 102 deny tcp 154.57.128.91 0.0.0.255 lt 1290 106.233.205.111 0.0.31.255 gt 539
access-list 102 deny ip 9.148.176.48 0.0.1.255 eq 1310 64.61.88.73 0.0.1.255 lt 4570
access-list 102 deny ip 124.236.172.134 255.255.255.255 gt 859 56.81.14.184 255.55.255.255 gt 2754
access-list 102 deny icmp 227.161.68.159 0.0.31.255 lt 3228 78.113.205.236 255.55.255.255 lt 486
access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
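The contrast this slide draws, per-address ACL entries versus policy keyed on security groups, as an added Python example that is not code from the presentation or from ISE. It parses numbered extended ACEs of the shape shown above (address plus wildcard mask, optional port operator, `any` and `host` keywords), evaluates a packet against them with first-match and the implicit deny, and evaluates the same packet against a small group-keyed policy table that stands in for Security Group Access. The short ACL, the tag assignments and the policy table are constructed; the group lookup is a simplified model of the idea, not ISE's implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Op = Optional[Tuple]   # ("eq", 80), ("gt", 1023), ("range", 1024, 65535) or None


@dataclass
class Ace:
    action: str
    proto: str
    src: int
    src_wild: int
    src_op: Op
    dst: int
    dst_wild: int
    dst_op: Op


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the front of the token list."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(t), _ip(tokens.pop(0))


def _take_port_op(tokens) -> Op:
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        return (tokens.pop(0), int(tokens.pop(0)))
    if tokens and tokens[0] == "range":
        tokens.pop(0)
        return ("range", int(tokens.pop(0)), int(tokens.pop(0)))
    return None


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC [op PORT] DST [op PORT]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, src_wild = _take_addr(rest)
    src_op = _take_port_op(rest)
    dst, dst_wild = _take_addr(rest)
    dst_op = _take_port_op(rest)
    return Ace(action, proto, src, src_wild, src_op, dst, dst_wild, dst_op)


def addr_match(ip: str, addr: int, wild: int) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    return ((_ip(ip) ^ addr) & ~wild & 0xFFFFFFFF) == 0


def port_match(op: Op, port: int) -> bool:
    if op is None:
        return True
    kind, lo = op[0], op[1]
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= op[-1]}[kind]


def evaluate_acl(aces, proto, src, sport, dst, dport) -> str:
    """First match wins; an IOS ACL ends with an implicit deny."""
    for a in aces:
        if a.proto not in ("ip", proto):
            continue
        if (addr_match(src, a.src, a.src_wild) and addr_match(dst, a.dst, a.dst_wild)
                and port_match(a.src_op, sport) and port_match(a.dst_op, dport)):
            return a.action
    return "deny"


# Group-based policy: the same intent keyed on endpoint groups rather than addresses.
# Constructed tag assignments standing in for what the identity system would supply.
TAG_OF = {"10.1.5.20": "Employees", "10.1.9.7": "Guests", "10.2.0.10": "Web_Servers"}
GROUP_POLICY = {
    ("Employees", "Web_Servers"): {("tcp", 80), ("tcp", 443)},
    ("Guests", "Web_Servers"): set(),           # explicit: guests get nothing here
}


def evaluate_group_policy(policy, tags, proto, src, dst, dport) -> str:
    """Look up (source group, destination group); unknown pairs default to deny."""
    allowed = policy.get((tags.get(src, "Unknown"), tags.get(dst, "Unknown")), set())
    return "permit" if (proto, dport) in allowed else "deny"


# Constructed address-based ACL written to express the same intent as GROUP_POLICY.
ACL = [
    "access-list 102 permit tcp 10.1.5.0 0.0.0.255 host 10.2.0.10 eq 80",
    "access-list 102 permit tcp 10.1.5.0 0.0.0.255 host 10.2.0.10 eq 443",
    "access-list 102 deny tcp 10.1.9.0 0.0.0.255 any eq 80",
    "access-list 102 permit ip any any",
]
ACES = [parse_ace(line) for line in ACL]


def compare(proto, src, sport, dst, dport):
    """Return (ACL decision, group-policy decision) so drift between the two is visible."""
    return (evaluate_acl(ACES, proto, src, sport, dst, dport),
            evaluate_group_policy(GROUP_POLICY, TAG_OF, proto, src, dst, dport))


if __name__ == "__main__":
    for pkt in [("tcp", "10.1.5.20", 40000, "10.2.0.10", 80),
                ("tcp", "10.1.9.7", 40001, "10.2.0.10", 80),
                ("tcp", "10.1.9.7", 40002, "10.2.0.10", 443)]:
        print(pkt, "->", compare(*pkt))
```

The third packet is the point of the comparison: the group policy denies guests on 443, but the ACL's trailing `permit ip any any` lets it through because only port 80 was denied for the guest range. With four entries the gap is easy to see; with the 47 entries on the slide it is not, and every new address range adds more places for the two expressions of intent to drift apart.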

Page 48

• Traffic can be encrypted per-user, per-hop

• ISE can control the encryption policy

• Traffic is still available for ‘additional policy’ throughout the network

Cisco ISE – MACsec Encryption


Page 49

Cisco ASA & NGFW

• Application Visibility and Control (AVC), Intrusion Prevention (IPS), and Web Security Essentials (WSE)

• End-to-End Network Intelligence

• Granular Application Control

• Proactive, Intelligent Threat Protection

• Many Devices, Total Control

Cisco/Sourcefire NGFW – Better Together

• Includes the world’s most powerful NGIPS

• Granular application control

• Advanced firewall functionality in a flexible, high-performance security appliance

• Optional Advanced Malware Protection license

Feature comparison (Cisco | Sourcefire | Typical NGFW):

| Capability | Cisco | Sourcefire | Typical NGFW |
|---|---|---|---|
| NSS NGFW Security Value Map, Gartner IPS MQ | | Superior | Available |
| Reputation based proactive protection | Superior | Available | Not available |
| Intelligent security automation | | Superior | Not available |
| File reputation, file trajectory, retrospective alerts | | Superior | Partial |
| Application Visibility & Control | Available | Superior | Available |
| Acceptable use / URL filtering | Superior | Available | Available |
| Remote access VPN | Superior | | Not enterprise-grade |
| Stateful firewall, HA | Superior | Available | Available |

Security Management – Cisco Security Manager

• Manage Cisco security devices and functionality

• Security Operations Dashboard

• Policy and Object Management

• Event and Image Management

• Reporting and Troubleshooting

• Health and Performance Monitoring

Security Management – Prime Security Manager

• Greater visibility and control

• Enhanced threat response and mitigation

• Unified management for core ASA firewall and NGFW services

• Straightforward migration to ASA 5500-X NGFW

(Slide figure: Prime Security Manager Visibility & Control workflow – Dashboard, Navigate Down to Events, Map Events to Policies, View Event Details.)

Security Management – Defense Center

• Centrally manage Cisco/Sourcefire IPS appliances and virtual devices

• Analyze events

• Automate threat prevention updates

• Configure policies

• Generate reports and custom dashboards

Cisco Solutions for Cyber Security – Insight

• Cisco Next-Generation Intrusion Prevention System

• Content Security

– WSA

– ESA

• IOS Security

– Botnet filter

(Slide figure: the BEFORE / DURING / AFTER model – Trust BEFORE, Insight DURING, Resilience AFTER – across Network, Endpoint, Mobile, Virtual and Cloud, moving from point-in-time to continuous; Visibility & Content = Intelligence.)

Cisco/Sourcefire NG-IPS

What each product can see (✔ = visible):

| Categories | Examples | Cisco/Sourcefire NGIPS | Typical IPS |
|---|---|---|---|
| Threats | Attacks, Anomalies | ✔ | ✔ |
| Users | AD, LDAP, POP3 | ✔ | |
| Web Apps and App Protocols | Facebook, Ebay, HTTP, SSH | ✔ | |
| File Transfers | PDF, Office, EXE, JAR | ✔ | |
| Malware and Command & Control | Conficker, Flame, C&C Intelligence | ✔ | |
| Client Applications | Firefox, IE6, BitTorrent | ✔ | |
| Operating Systems and Servers | Windows, Linux, Apache, IIS4 | ✔ | |
| Mobile Devices | iPhone, Android, Jail-Broken | ✔ | |
| Printers | HP, Xerox, Canon | ✔ | |
| VoIP Phones | Cisco, Avaya, Polycom | ✔ | |
| Virtual Machines | VMware, Xen, RHEV | ✔ | |

Cisco Solutions for Cyber Security – Resilience

• NetFlow / CTD

• AMP

• NGIDS

• Log Management

• SIEM

Cyber Threat Defense Architecture

• Flow Replicator

• Flow Sensor

• Flow Collector

• Management Console

(Slide figure: Cyber Threat Defense deployment – NetFlow from Flow Sensors (FS, including a VE) reaches Flow Collectors (FC) through a Flow Replicator (FR), which can also feed another NetFlow collector such as a SIEM; the Management Console (SMC) sits on top.)

Cyber Threat Defense Visibility

• Visibility and Security Intelligence

• Advanced Targeted Threats

• Performance Bottlenecks

• Compliance Validation

Advanced Malware Protection (AMP)

• Comprehensive

– Network and Endpoint

• Continuous Analysis

– File and Device Trajectory

• Integrated Response

• Big Data Analytics

• Control & Remediation

Retrospective Security
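To make the ‘File and Device Trajectory’ and ‘Retrospective Security’ bullets concrete, here is an added example (not Cisco AMP or FireAMP code) of a file-trajectory store that raises retrospective alerts when a hash first seen as unknown is later marked malicious; the hostnames, hash labels and timestamps are constructed.

```python
# Added example (not Cisco AMP/FireAMP code): a file-trajectory store that raises
# retrospective alerts when a hash first judged 'unknown' is later marked malicious.
# Hostnames, hash labels and timestamps are constructed for the illustration.
from collections import defaultdict
from datetime import datetime

class FileTrajectory:
    """Remembers every sighting of every file hash, per host, in time order."""

    def __init__(self):
        self.sightings = defaultdict(list)  # sha256 -> [(time, host, action)]
        self.disposition = {}               # sha256 -> "unknown"|"clean"|"malicious"

    def record(self, seen: datetime, host: str, sha256: str, action: str):
        """A file was seen (downloaded, executed, copied...) on a host."""
        self.sightings[sha256].append((seen, host, action))
        self.disposition.setdefault(sha256, "unknown")
        return self.disposition[sha256]

    def set_disposition(self, sha256: str, verdict: str):
        """Apply a new verdict; return retrospective alerts if it turned malicious.

        Point-in-time detection only judges a file as it crosses the wire.
        Continuous analysis keeps the history, so a later 'malicious' verdict
        reaches every host that already has the file, oldest sighting first.
        A repeated 'malicious' verdict must not re-alert.
        """
        previous = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return []
        return [{"sha256": sha256, "host": host, "seen": seen, "action": action}
                for seen, host, action in sorted(self.sightings[sha256])]

    def file_trajectory(self, sha256: str):
        """Where a file went: (time, host, action) in order."""
        return sorted(self.sightings[sha256])

    def device_trajectory(self, host: str):
        """What a host touched: (time, sha256, action, current disposition)."""
        rows = [(seen, sha, action, self.disposition[sha])
                for sha, hits in self.sightings.items()
                for seen, h, action in hits if h == host]
        return sorted(rows)

# Constructed sighting log, in the order a detection pipeline would deliver it
SAMPLE_LOG = [
    (datetime(2014, 5, 20, 8, 0), "chi-pc01", "sha_A", "download"),
    (datetime(2014, 5, 20, 8, 5), "chi-pc01", "sha_A", "execute"),
    (datetime(2014, 5, 20, 8, 40), "lon-pc07", "sha_A", "copy"),
    (datetime(2014, 5, 20, 9, 15), "msk-srv02", "sha_A", "download"),
    (datetime(2014, 5, 20, 9, 20), "lon-pc07", "sha_B", "download"),
]

def replay():
    """Load the sample log, then flip sha_A to malicious; return (store, alerts)."""
    store = FileTrajectory()
    for seen, host, sha, action in SAMPLE_LOG:
        store.record(seen, host, sha, action)
    alerts = store.set_disposition("sha_A", "malicious")
    return store, alerts
```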

Cisco Solutions for Cyber Security – Intelligence

• Cisco Security Intelligence Operations (SIO)

– Cisco SensorBase

– Cisco Threat Operations Center

– Dynamic updates

• Sourcefire Vulnerability Research Team (VRT)

SIO – Defend With Intelligence

(Slide figure: Cisco Security Intelligence Operations – inputs from threat research, domain registration, content inspection, spam traps, honeypots and crawlers, blocklists & reputation and 3rd party partnerships produce reputation, signatures and platform-specific rules & logic for the WWW-facing products.)

Global Context – Data Makes a Difference

(Slide figure: Cisco SensorBase global threat telemetry, the Threat Operations Center and advanced algorithms turn detections at one customer into protection for all – 8:00 GMT Email Security detects a compromised server, 8:03 GMT IPS detects hacker probing, 8:07 GMT Web Security detects a new botnet, 8:10 GMT all Cisco customers protected; sites shown: a bank branch in Chicago, an ISP datacenter in Moscow, an ad agency HQ in London.)

Cisco Vulnerability Research Team (VRT)

• Comprehensive

• Continuous Analysis

• Integrated Response

• Big Data Analytics

• Control & Remediation

(Slide figure: the VRT ecosystem – private & public threat feeds; advanced Microsoft & industry disclosures; the Snort® & ClamAV™ open source communities; honeypots and sandnets; the SPARK Program; the Sourcefire AEGIS™ Program; FireAMP™ Community file samples (>180,000 per day); sandboxing, machine learning and a big data infrastructure – producing IPS rules, malware protection, reputation feeds and vulnerability database updates.)

Continuous Monitoring Cisco Solutions

Continuous Monitoring Tools – functional areas:

• HW Asset Mgmt

• SW Asset Mgmt

• Config Mgmt

• Vul Mgmt

• Mnge NAC

• Mnge Access

• Mnge Sec Behav

• Mnge Creds/Auth

• Mnge Acct Access

• Prep for Contingency/Incidents

• Resp to Contingency/Incidents

• Design/Build Rqmts Policy and Planning

• Design/Build Quality

• Mnge Audit Info

• Mnge Operational Security

• CMaaS – Add Func Areas

Cisco AS, TAC, SmartNet
Cyber Futures - pxGrid

Platform Exchange Grid – pxGrid

(Slide figure: a mesh of one-off, point-to-point integrations, each platform announcing what it has and what it needs – firewall logs needing identity, threat data needing reputation, security events needing reputation, NetFlow needing entitlement, reputation info needing threat data, NBAR info needing identity, location needing identity, MDM info needing location, app inventory info needing posture, identity & device-type needing app inventory & vulnerability, application info needing location & auth-group – with SIO among them. Caption: “That Didn’t Work So Well!”)

The Potential of Network-Wide Context Sharing

(Slide figure: the same platforms and needs as on the previous slide, now connected through pxGrid Context Sharing – a single framework with direct, secured interfaces instead of point-to-point links.)

pxGrid Benefits and Availability

BENEFITS

• Single framework – develop once

• Customize and secure what context gets shared and with which platforms

• Bi-directional – share and consume context

• Enables any pxGrid partner to share with any other pxGrid partner

• Integrates with Cisco ONE for broad network control functions

AVAILABILITY

• First instantiation is on ISE

• Available now for adoption by ISE integration partners

• pxGrid partner integrations delivered for customer use in 1Q14

• Pursuing options for industry standardization in CY14

Fully Integrated, Pervasive Security Architecture

WHO WHAT WHERE WHEN HOW

• Use NetFlow data to extend visibility to the access layer

• Enrich flow data with identity, events and application to create context

• Intelligent sharing of pertinent security information and events

(Slide figure: Identity Services Engine with pxGrid, Lancope NetFlow Analysis and NG-IPS exchange NetFlow, RADIUS and Context to give centralized policy and visibility across the access and core layers, the data center / cloud and external network security; security tags carry policy control for pervasive network security.)
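An added example (not code from the deck or from Cisco, Lancope or ISE) of the ‘enrich flow data with identity’ bullet: constructed NetFlow-style records are joined to constructed RADIUS accounting sessions by address and time, so the field names, users and addresses are all assumptions made for the illustration.

```python
# Added example (not Cisco/Lancope/ISE code): join NetFlow-style records with
# RADIUS accounting sessions so each flow carries user and device identity.
# All field names, users and addresses are constructed for the illustration.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class Session:
    """One RADIUS accounting session: which user/device held an IP, and when."""
    user: str
    device_type: str
    ip: str
    start: datetime
    stop: Optional[datetime]  # None: session still active

@dataclass(frozen=True)
class Flow:
    """A minimal flow record (subset of NetFlow fields, constructed)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    octets: int
    seen: datetime

# Constructed data: the same address is leased to two users in turn (DHCP reuse),
# with a gap between the sessions during which nobody is authenticated on it.
SESSIONS = [
    Session("alice", "Windows-Workstation", "10.1.1.5",
            datetime(2014, 5, 20, 8, 0), datetime(2014, 5, 20, 9, 0)),
    Session("bob", "Apple-iPad", "10.1.1.5", datetime(2014, 5, 20, 9, 30), None),
]
FLOWS = [
    Flow("10.1.1.5", "10.2.0.10", 443, 18000, datetime(2014, 5, 20, 8, 30)),
    Flow("10.1.1.5", "10.2.0.20", 445, 2400, datetime(2014, 5, 20, 9, 10)),
    Flow("10.1.1.5", "10.2.0.10", 22, 900, datetime(2014, 5, 20, 9, 45)),
]

def identity_for(ip: str, at: datetime, sessions) -> Optional[Session]:
    """Session that owned `ip` at time `at`, or None.

    The time bound matters: an IP alone is not an identity. A flow seen after a
    session stopped must not be attributed to the previous holder of the address.
    """
    for s in sessions:
        if s.ip == ip and s.start <= at and (s.stop is None or at < s.stop):
            return s
    return None

def enrich(flows, sessions):
    """Attach user and device type (or None) to every flow record."""
    rows = []
    for f in flows:
        s = identity_for(f.src_ip, f.seen, sessions)
        rows.append({"src_ip": f.src_ip, "dst_ip": f.dst_ip, "dst_port": f.dst_port,
                     "octets": f.octets, "seen": f.seen,
                     "user": s.user if s else None,
                     "device_type": s.device_type if s else None})
    return rows

def unattributed_sensitive(rows, ports=(22, 445, 3389)):
    """Flows to admin/file-sharing ports with no session behind them: a hunting lead."""
    return [r for r in rows if r["user"] is None and r["dst_port"] in ports]
```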

Review

• The Cyber Security Landscape

• Common Cyber Security Themes

• Cisco Cyber Solutions

• Cyber Futures

Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include

– Your favorite speaker’s Twitter handle: @NeilLovering

– Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Promote Your Favorite Speaker and You Could be a Winner

Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.

• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education

• Demos in the Cisco Campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

Neil Lovering

[email protected]

@NeilLovering


Backup Slides

Indicators of Compromise – By Type (2013)

• Java was the dominant concern

• Where practical, disable Java in browsers

• Telemetry tools like Cisco NetFlow can monitor Java-associated traffic

• Comprehensive patch management can close many security holes

• Continuous monitoring can track infections that spread later

Cisco FireAMP

Cumulative Annual Alert Totals – 2010-2013

• 2013 showed a 14% increase over 2012

• 2013 levels were the highest since IntelliShield began recording in 2000

Cisco IntelliShield

Comprehensive Network Security

(Slide figure: cloud-based threat intelligence & defense with common policy, management & context spanning every placement – Connect (Branch, Campus, Cellular, Internet), Comm. / SMB / Branch, Campus | Edge, SP Core/Edge (ASR, CSR), Data Center/V (UCS), Global Orchestration, SP Cloud (SP-1, SP-2), SaaS and a Cloud Security Gateway, linked over the WWW; positions numbered 1 to 5.)

Application Centric Infrastructure

(Slide figure: the ACI Fabric, a non-blocking, penalty-free overlay, with an application policy for the Outside (Tenant VRF), Web, App and DB endpoint groups joined by QoS + Filter and QoS + Service contracts, all defined through the Application Policy Infrastructure Controller (APIC).)