�ݺ�ߣ

Cisco Cyber Threat Defense
Mikhail Rodionov
Business Development Manager
mrodiono@cisco.com

© Компания Cisco и (или) ее дочерние компании, 2013 г. Все права защищены. 2
• Discuss the growing security problem customers
are facing that is not addressed by traditional
security products and technologies
• Define Cisco’s unique approach to this problem
• Describe the Cisco Cyber Threat Defense Solution
and explain why Cisco can provide the security
telemetry
• Show why the solution provides unique
differentiated value

Mobility Threat Cloud
Megatrends require innovative approach to
advanced cyber threats
Android malware increased by
2577% in 2012
SaaS & B2B apps 11x more
malicious than counterfeit
software
Threats are morphing

Defense: Anti-Virus,
Firewalls
Viruses (1990s)
Defense: Intrusion Detection &
Prevention
Worms (2000s)
Defense: Reputation, DLP, App.-
aware Firewalls
Botnets (late 2000s to current)
Strategy: Visibility and
Context
Directed Attacks (APTs)
(today)
ILOVEYOU
Melissa
Anna Kournikova
Nimda
SQL Slammer
Conficker
Tedroo
Rustock
Conficker
Aurora
Shady Rat
Duqu

keep our doors locked to stop good people from coming in”
Firewall
IPS
Web Sec
N-AV
Email Sec
Customized Threat Bypasses
Security Gateways
Threat Spreads
Inside Perimeter
Once inside the perimeter, a command and control channel that'll open up
Only the network can have the appropriate level visibility and intelligence
to detect these threats
Servers

Network Reconnaissance Data Leakage
Internally Propagating
Malware
Botnet Command
And Control

Mandiant 2012 survey
Organizations were
compromised ~ 416
days before
attackers were
discovered
In 100% of cases,
the bad guys used
valid credentials
Each incident was
discovered by 3rd
party only
X X X
X O X
X X O
O

• What Our Customers are Telling Us:
• “We assume we’re already compromised”
• “Over 50% of threats are customized to my environment…”
• “We had a single actor gaining access by three different methods all in a
days work…”
• “I have enough storage for 30 days, my adversary went to sleep for 31
days. When I increased my storage to 60 days, they figured it out and
changed their attack to match my storage capability…”

• Страна? Конкуренты? Частные лица?Who?
• Что является целью?What?
• Когда атака наиболее активна и с чем
это связано?When?
• Где атакующие? Где они наиболее
успешны?Where?
• Зачем они атакуют – что конкретно их
цель?Why?
• Как они атакуют – Zero-day?
Известные уязвимости? Инсайдер?How?

• Кто в моей сети?
Who?
• Что делают пользователи? Приложения?
• Что считать нормальным поведением?What?
• Устройства в сети? Что считать нормальным
состоянием?When?
• Где и откуда пользователи попадают в сеть?
• Внутренние? eCommerce? Внешние?Where?
• Зачем они используют конкретные
приложения?Why?
• Как всё это попадает в сеть?
How?

Workload
s
Apps /
Services
Infrastruc
ture
public
tenan
hybrid
private
Any-To-Any Network
Gloval and Local
Threat Detection
Blending of Personal
& Business Use
Access Assets through
Multiple Medians Services
Identity Awareness
Sees All Traffic
Routes All Requests
Sources All Data
Controls All Flows
Handles All Devices
Touches All UsersShapes All Streams
Behavioral Analysis
Encryption
Device Visibility Policy Enforcement
Access Control
Threat Defense

Intrusion Detection System
• на основе сигнатур
• пассивный сбор
• первичный источник
оповещения
Syslog journal
• инструмент глубокого анализа
• возможность фильтрации
• ограниченное воздействие на
систему
Network Flow Analysis
• слабое воздействие на
устройства
• основной инструмент
исследования
• небольшой требуемый объем
памяти

Signature/Reputation
-based
Threat Detection
Behavioral-based
Threat Detection
Network
Perimeter
Firewalls
IPS/IDS
Honeypots
Network
Interior
Email Content
Inspection
Web Content
Inspection
Cisco’s Cyber Threat
Defense Solution

Private
Cloud
Hybrid
Cloud
SaaS
ANY DEVICE ANY CLOUD
Secure
Access
Firewall IPS Web
Gateway
Email
Gateway
Policy
VPN
Data
Center
Next
Gen
Applia
nce
Cloud
#1 Market Share
Applia
nce
Attach
ed
Applia
nce
Hosted

A
B
C
C
B
A
CA
B
We can see:
- source address,
- destination address,
- number of packets transferred during
that session,
- and a timestamp of the session

Sampled Net Flow –
Incomplete Visibility
• Less than 5% of traffic
used to generate NetFlow
telemetry
• Insufficient telemetry for
threat detection
Full Unsampled Net Flow
– No Blind Spots
• All traffic is used to
generate NetFlow telemetry
• Pre-requisite for effective
threat detection
Only a Cisco Catalyst Switch Can Deliver Unsampled NetFlow at Line-
Rate Without Any Data Plane Performance Impact

Cisco Cyber Threat Defense Solution Components
Identity and Policy
StealthWatch
Cisco ISE
Policy
Enforcement
Flow Attribution
Security
Analysis
Flow
Monitoring

• The most complex,
custom-written,
dangerous security
threats (e.g. APTs)
• Threats that lurk in
networks for months or
years stealing vital
information and
disrupting operations
• Data leakage
• Network
reconnaissance
• Network interior
malware
proliferation
• Command and
control traffic
Cisco Cyber Threat
Defense (CTD) focuses on:
Focus of this class of threats
and Cisco CTD use cases:

Netflow Telemetry
Cisco Switches, Routers
and ASA 5500
Internal Network &
Borders
Threat Context Data
Cisco Identity, Device, Posture,
NAT, Application
Unified View
Threat Analysis & Context in
Lancope StealthWatch
Leveraging NetFlow, Identity, Reputation andApplication
Cisco SolutionsPlus product

Cisco Network
StealthWatch
FlowCollector
StealthWatch
Management
Console
NetFlow
StealthWatch
FlowSensor
StealthWatch
FlowSensor
VE Users/Devices
Cisco ISE
NetFlow
StealthWatch
FlowReplicator
Другие
коллекторы
https
https
NBAR NSEL

High Concern Index indicates
a significant number of
suspicious events that deviate
from established baselines
Host
Groups
Host CI CI% Alarms Alerts
Desktops 10.10.101.118 338,137,280 8,656
%
High Concern
index
Ping, Ping_Scan,
TCP_Scan
Monitor and baseline activity for a host and within host
groups.

What’s about
10.10.101.89?
Policy Start
Active time
Alarm Source Source Host
Groups
Target Details
Desktops
& Trusted
Wireless
Jan 3, 2013 Suspect Data
Loss
10.10.101.89 Atlanta,
Desktops
Multiple Hosts Observed 4.82 Gbytes.
Policy maximum allows up
to 500Mbytes.

C
I2 I4
A
Local
intelligence
Who
What
How
Where
When
From your network
Cisco Security
Intelligence
Operations
From Cisco’s global
threat analysis system
Репутация
Взаимо-
действия
APP Приложения
URL Сайты
SecurityIntelligenceOperations

Users/Devices Cisco
Identity
Services
Engine
(ISE)
Network Based
Application
Recognition
(NBAR)
NetFlow
Secure
Event
Logging
(NSEL)
Link flows with
user identity
Dig out key
application information
from a stream
while data
flows through it
A special form of
log event
helps identify
accepted and rejected
connections

Policy Start
Active
Time
Alarm Source Source
Host
Groups
Source
User Name
Device
Type
Target
Deskto
ps &
Trusted
Wireles
s
Jan 3,
2013
Suspect
Data Loss
10.10.101
.89
Atlanta,
Desktops
John
Chambers
Apple-
iPad
Multiple
Hosts
Attribute flows and behaviors to a user and device

• Flow Action field can provide additional context
• State-based NSEL reporting is taken into consideration in
StealthWatch’s behavioral analysis
• Concern Index points accumulated for Flow Denied events

Обнаружение разных
типов атак, включая
DDoS
Детальная статистика о
всех атаках,
обнаруженных в сети

Devices Access
Catalyst® 3750-X
BranchCampus
Catalyst® 3560-X
Catalyst® 4500
Catalyst® 4500
Access Point
Access Point
Distribution
Catalyst®
3750-X
Stack
WLC
Catalyst
® 6500
Edge
Site-
to-
Site
VPN
ASA
ISR
Catalyst
® 6500
Remote
Access
Cisco
ISE
Management
StealthWatch
Management
Console
StealthWatch
FlowCollector
NetFlow
Capable
Correlate and
display Flow and
Identity Info
Cisco TrustSec:
Access Control,
Profiling and
Posture
NetFlow
Identity
AAA services,
profiling and posture
assessment
Collect and
analyze NetFlow
Records
Scalable
NetFlow
Infrastructure
3

CRISIS REGION
ImpacttotheBusiness($)
Time
credit card data
compromised
*
attack
identified
*
vulnerability
closed
*
CRISIS REGION
Security Problems
“Worm outbreaks can impact
revenue by up to $250k per
hour. StealthWatch pays for
itself in 30 minutes.”
F500 Media Conglomerate
attack
onset
*
StealthWatch
Reduces
MTTK
*attack
thwarted
*early
warning
*attack
identified
*
vulnerability
closed
Company with
StealthWatch
Company with
Legacy
Monitoring Tools

• CEC website: wwwin.cisco.com/stg/cyber/
For EBC/TDM decks, design and how-to guides, and training VoD links
• CCO website: www.cisco.com/go/threatdefense/
Customer-facing versions of the DIG and how-to guides (Note: Need to scroll
about halfway down the page)
• Cyber Threat Defense area on Highwire
For training decks, VMware images, other demo supporting information
• Demo pods available via http://securitytme.cisco.com
• Aliases: cyber-pm and cyber-tm

• Identifying BotNet Command & Control Activity. BotNets are
implanted in the enterprise to execute commands from their Bot
herders to send SPAM, Denial of Service attacks, or other
malicious acts.
• Revealing Data Loss. Code can be hidden in the enterprise to
export of sensitive information back to the attacker. This Data
Leakage may occur rapidly or over time.
• Detecting Sophisticated and Persistent Threats. Malware that
makes it past perimeter security can remain in the enterprise
waiting to strike as lurking threats. These may be zero day threats
that do not yet have an antivirus signature or be hard to detect for
other reasons.
• Finding Internally Spread Malware. Network interior malware
proliferation can occur across hosts for the purpose gathering
security reconnaissance data, data exfiltration or network
backdoors.
• Uncovering Network Reconnaissance. Some attacks will probe
the network looking for attack vectors to be utilized by custom-
crafted cyber threats.

Devic
es
Internal Network
Use NetFlow Data to
Extend Visibility to the
Access Layer
Unify Into a Single Pane
of Glass for Detection,
Investigation and
Reporting
Enrich Flow Data With
Identity, Events and
Application to Create
Context
WHO
WHAT
WHERE
WHEN
HOW
Hardware-
enabled
NetFlow
Switch
Cisco ISE
Cisco ISR G2
+ NBAR
Cisco ASA +
NSEL
Cont
ext

�ݺ�ߣ

Cisco Secure X

More Related Content

Cisco Secure X