Security Approach
BRKSEC-2061
#clmel
Agenda
• Today’s Security Challenges
• A Threat-Centric and Operational Security Model
• Next Generation Firewall & IPS
• Content Security & Advanced Malware Prevention
• Network as a Distributed Firewall
• Network as a Visibility Sensor
• Reducing Complexity and Increasing Capability
• It Takes an Architecture
• Summary
BRKSEC-2061 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Session Objective
Provide a quick review of today’s dynamic threat landscape and outline the Cisco threat-centric and operational security model that spans a range of attack vectors to address the full attack continuum – before, during, and after an attack.
Security Perspective
The Problem is THREATS
Today’s Advanced Malware is Not Just a Single Entity
(Figure: “100 percent of companies surveyed by Cisco …” – missed by point-in-time detection)
Top Cyber Risks
(Figure, three groups)
• Attackers: Sophisticated Attackers, Dynamic Threats, Complex Geopolitics
• Users: Untrustworthy Sources, Complicit Users
• Defenders: Boardroom Engagement, Misaligned Policies
Cisco 2015 Annual Security Report – now available: cisco.com/go/asr2015
Impact of a Breach
(Figure: breach occurs; data is stolen in … of breaches; … of breaches remain undiscovered for …; information of up to … individuals on the black market over the last three …)
Source: Verizon Data Breach Report 2014
Breach/Detection Time Delta is Not Improving
(Chart: percent of breaches where time to compromise (red) and time to discovery (blue) was days or less, by year 2004–2013, y-axis 0–100%; the time-to-compromise series sits near the top of the chart and the time-to-discovery series near the bottom)
Source: Verizon 2014 Data Breach Investigations Report
Why?
The Configuration Problem
• Poor awareness of true operational environment
• Change to environment requiring configuration/posture changes unrecognised
• Detection content unavailable
– 0-day
• No anomaly detection mechanisms in place
The Organisational Problem
• False positive rates too high
– Operator overload due to mass of equally meaningless events that must be contextualised
• Frequently technologies are deployed but not properly operationalised
– Check-box security
• In 2014, the average cost of an organisational data breach was US$3.5 million
Source: The Ponemon Institute
Defenders
Less than half of security practitioners leverage known effective practices
(Figure: adoption of SecOps practices)
• Identity Administration and Provisioning: 43%
• Pentesting: 39%
Addressing the Organisational Problem
• Contextualisation
– Event loads are high due to misconfiguration
– Even when well tuned, raw events must be contextualised automatically where possible
• Operationalisation
– That’s your job…
• Engagement from corporate boards is crucial in setting security priorities and expectations
– Boards need to know what the cybersecurity risks to the business are and their potential impact
– CIOs must ask tough questions about security controls that are meaningful to the board and outline the business implications
A Threat-Centric and Operational Security Model
(Figure: the Attack Continuum – before, during and after an attack)
A Threat-Centric and Operational Approach
Cisco: Covering the Entire Continuum
Next Generation Firewall and Intrusion Prevention System
Cisco NGFW / NGIPS Offerings
• Embedded FirePOWER NGIPS
• Advanced Malware Prevention (AMP)
• Cisco NGFW: ASA with FirePOWER Services
Flexible deployment: appliance, virtual, cloud
New ASA
ASA with FirePOWER Services – Best-in-Class NGFW Capabilities
• Clustering & High Availability
• Intrusion Prevention (subscription)
• Advanced Malware Protection (subscription)
• URL Filtering (subscription)
• FireSIGHT Analytics & Automation
Email and Web are the Most Prevalent Attack Vectors …And most successful!
• App development has moved to web and mobile
• Explosion of
– Cloud Services
– Social Networking
• Email still one of the most critical business applications
Risks
• Java exploits represented 93% of all 2014 Indications of Compromise*
• Blended attacks combine social engineering, phishing and web malware
• Social networking users increasingly being targeted for data theft and social engineering attacks
• Loss of productivity due to social networking, gaming, etc.
*Cisco 2014 mid-year security report
Cisco Content Security Can Help
• Cisco Email Security
• Cisco Advanced Malware Prevention (AMP)
• Cisco Web Security
Email Outbreak Filters (http://www.senderbase.org/static/malware/)
Outbreak Filters Advantage
• More protection than just AV alone
• Leverages CSI telemetry to detect outbreaks
• Average AV signature lead time: over 13 hours
(Figure labels: CSI, Cisco® Dynamic Quarantine, Virus Filter)
Web Pages Contain Hidden Threats
Real-time Sandbox Analysis for Zero-day Defence
• Detects ~20% more threats*
• Every object on the page is analysed
• Real-time emulation
Outstanding Blended Attack Defence
Cisco Email & Web work as a system
(Figure: Cisco Security Intelligence and URL Analytics neutralise the threat; example blocked URLs shown: www.playboy.com, www.proxy.org)
Protection Against Advanced Persistent Threats
Network segmentation is critical
Cisco Secure Access
Making segmentation easy and dynamic
• Massive firewall rule simplification
• Policy enforcement regardless of IP address/VLAN
• Result: accelerated service provisioning
(Figure: firewall in front of Business App / Data Storage, with rules keyed on Security Group Tags rather than addresses)
Firewall Rules
Source IP | Source SGT | Destination IP | Destination SGT | Service | Action
Any      | Employee   | Any            | Biz Server      | HTTPS   | Allow
Any      | Suspicious | Any            | Biz Server      | Any     | Deny
Empower BYOD with ISE & TrustSec
Empowering the User without sacrificing security
• Reduced Burden on IT Staff
– Device On-Boarding
– MDM / Posture compliance
– Self Registration
– Supplicant Provisioning
– Certificate Provisioning
• Self Service Model
– myDevice Portal for registration
– Guest Sponsorship Portal
• Device Black Listing
– User initiated control for their devices: black-listing, re-instate, etc.
• Support for:
– iOS (post 4.x)
– Mac OS X (10.6 – 10.9)
– Android (2.2 and onward)
– Windows (XP, Vista, Win7, Win8)
(Figure labels: Blacklisting & re-instating of devices; Multiple Device Support; Multiple Network Topologies; Simple Certificate Provisioning; Self Registration)
Enabling Network-Wide Identity & Context Sharing
Cisco Platform Exchange Grid – pxGrid
Network as a Visibility Sensor
NetFlow Analysis Can Help: Data Intelligence, Incident Response
Behavioural Detection Model
As flows are collected, behavioural algorithms are applied to build “Security Events”. Each Security Event adds points to an alarm category, which allows easy summarisation and gives a higher degree of confidence in the type of activity detected:
Security Events (94+), for example: Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK**, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, ICMP Flood, Max Flows Initiated, Max Flows Served, Suspect Long Flow, Suspect UDP Activity, SYN Flood, …
Alarm Categories: Concern, Recon, C&C, Exploitation, Data Hoarding, Exfiltration, DDoS Target
Responses: Alarm Table, Host Snapshot, Email, Syslog / SIEM, Mitigation
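To make the flow → security event → alarm category pipeline concrete, here is an added Python sketch that is not StealthWatch or Cisco code: the three event checks, the point values, the threshold and the sample flows are all assumptions constructed for the illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    start: int      # flow start time in seconds (constructed clock)
    bytes_out: int  # bytes sent src -> dst

# Assumed: the alarm category each event feeds and the points it adds (not StealthWatch's values).
EVENT_POINTS = {
    "Addr_Scan/tcp": ("Recon", 50),
    "Addr_Scan/udp": ("Recon", 50),
    "Beaconing Host": ("C&C", 60),
    "Suspect Long Flow": ("Exfiltration", 50),
}
ALARM_THRESHOLD = 100  # assumed: points at or above this raise the category's alarm

def detect_events(flows):
    """Apply three behavioural checks per source host; return (event, host) pairs."""
    events, by_src = [], defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    for src, fl in by_src.items():
        # Addr_Scan: one source touching >= 20 distinct hosts on the same proto/port
        targets = defaultdict(set)
        for f in fl:
            targets[(f.proto, f.dport)].add(f.dst)
        events += [(f"Addr_Scan/{proto}", src) for (proto, _), d in targets.items() if len(d) >= 20]
        # Beaconing Host: >= 6 flows to one destination at a near-constant interval
        starts = defaultdict(list)
        for f in fl:
            starts[f.dst].append(f.start)
        for times in starts.values():
            times.sort()
            gaps = [b - a for a, b in zip(times, times[1:])]
            if len(gaps) >= 5 and max(gaps) - min(gaps) <= 2:
                events.append(("Beaconing Host", src))
        # Suspect Long Flow: a single flow pushing >= 50 MB out of the host
        events += [("Suspect Long Flow", src) for f in fl if f.bytes_out >= 50_000_000]
    return events

def score(events):
    """Accumulate points per (host, category); return the points and the alarms raised."""
    points = Counter()
    for event, host in events:
        category, pts = EVENT_POINTS[event]
        points[(host, category)] += pts
    return dict(points), sorted(k for k, v in points.items() if v >= ALARM_THRESHOLD)

# Constructed sample: 10.0.0.5 sweeps 25 hosts on tcp/445 and udp/53 and beacons to
# 203.0.113.9 every 60 s; 10.0.0.8 pushes two 60 MB flows to 198.51.100.7.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", f"10.0.1.{i}", 445, "tcp", 1000 + i, 120) for i in range(25)]
    + [Flow("10.0.0.5", f"10.0.1.{i}", 53, "udp", 1100 + i, 60) for i in range(25)]
    + [Flow("10.0.0.5", "203.0.113.9", 443, "tcp", 2000 + 60 * k, 400) for k in range(8)]
    + [Flow("10.0.0.8", "198.51.100.7", 443, "tcp", 3000 + 600 * k, 60_000_000) for k in range(2)]
)
def run_sample():
    return score(detect_events(SAMPLE_FLOWS))
```

Note that the beaconing host accumulates only 60 C&C points and so is summarised without an alarm, while the two scans together cross the Recon threshold: the category score, not any single event, is what the analyst sees first.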
Cyber Threat Defence (CTD) Solution
Threat Detection – Advanced Visibility & Investigation
(Figure: NetFlow from switches, routers and firewalls feeds the analysis)
• Partner with Lancope (StealthWatch) to deliver network visibility, security context and intelligence
• Enhance with identity, device and application awareness
Reducing Complexity and Increasing Capability
Visibility is the Foundation
(Figure: the visibility layer is exposed through APIs; Control: set policy to reduce the surface area of attack)
Visibility Must Be Pervasive
(Figure: the attack continuum, with APIs shown across all three phases)
• BEFORE – Control, Enforce, Harden: NGFW, ASA, Meraki, ISE, VPN, NAC, Reputation
• DURING – Detect, Block, Defend: NGIPS, ESA/WSA
• AFTER – Scope, Contain, Remediate: AMP, ThreatGRID
Today’s Security Appliances
(Figure: separate boxes for Traditional Firewall Functions, VPN Functions, Context-Aware Functions, IPS Functions and Malware Functions)
We must integrate more effectively to make more effective security solutions
Two Kinds of Integration
• Front-end integration
– Most security technologies have information about the environment that they are defending but do not share it
– Build a Visibility Architecture to collect information about the composition, configuration and change in the environment being defended
• Back-end integration
– Collect and centralise information about what’s happening to the environment and try to figure out what is happening
– Traditional integration model
Building a Visibility Architecture
• Why?
– Automation
– Contextualisation
– Anomaly Detection
– Event-driven Security
• What visibility is important?
Types of Visibility
• Asset/Network
– Network topology
– Asset profiles: Address; Hardware platform/class; Operating System; Open Ports/Services; Vendor/Version of client or server software
– Attributes: Vulnerabilities
• User
– Location
– Access profile
– Behaviours
• File/Data/Process
– Motion
– Execution
– Metadata
– Origination
– Parent
• Security
– Point-in-time events
– Telemetry
– Retrospection
Platform Exchange Grid – pxGrid
(Figure: direct, secured interfaces between every pair of products – “that didn’t work so well!” – replaced by pxGrid context sharing as a single framework. Participants, Talos among them, advertise what they have and what they need: “I have reputation info!”, “I have application info!”, “I have location!”, “I have NetFlow!”, “I have MDM info!”, “I have threat data!”; “I need threat data…”, “I need location & auth-group…”, “I need entitlement…”, “I need identity…”, “I need location…”, “I need reputation…”)
Cisco FireSIGHT Fuels Automation
Impact Assessment and Recommended Rules automate routine tasks
Impact Assessment
(Table with columns Impact Flag, Administrator Action, Why)
FireSIGHT Brings Visibility
(Table with columns Typical Categories, Typical Examples, Cisco FireSIGHT, IPS, NGFW)
The Event Horizon Problem
• Point-in-time
– Events generated as they’re discovered
– Discovery (detection) failure = false negative
– Brittle
• Continuous (Telemetry)
– Specific event types are continuously recorded and analysed
– Structural (signatures)
– Behavioural (activities)
The Event Horizon
(Figure: each device – Firewall, IDS/IPS, AMD, Antivirus – makes its decision at a single point, marked X, the device’s ‘Event Horizon’)
Beyond The Event Horizon
• Continuous capability is needed for the world in which you will be compromised
– Streaming telemetry
– Continuous analysis
– Real-time and retrospective security with the full spectrum of controls available at any time
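The contrast between a point-in-time verdict at the event horizon and continuous telemetry with retrospection, as an added Python illustration that is not Cisco or AMP code; the event fields, the placeholder digests and the timestamps are constructed, and the dwell-time calculation is an assumption about how “The Golden Hour” would be measured.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEvent:
    t: int          # seconds on a constructed clock
    host: str
    sha256: str     # constructed placeholder digests below, not real samples
    action: str     # "create", "execute" or "copy"

class PointInTimeDetector:
    """Event-horizon model: the file is judged once, as it crosses the sensor, and the
    event is then forgotten. A miss at that instant is a permanent false negative."""
    def __init__(self, intel):
        self.intel = set(intel)

    def inspect(self, ev):
        return ev.sha256 in self.intel

class ContinuousDetector:
    """Telemetry model: the same real-time verdict, but every sighting is retained so
    that intel which arrives later can be applied backwards across the whole history."""
    def __init__(self, intel):
        self.intel = set(intel)
        self.sightings = defaultdict(list)   # sha256 -> every event that carried it

    def ingest(self, ev):
        self.sightings[ev.sha256].append(ev)
        return ev.sha256 in self.intel

    def update_intel(self, sha256, now):
        """Disposition changes to malicious: raise a retrospective alert for each prior
        sighting and report dwell time (seconds from first sighting to the verdict)."""
        self.intel.add(sha256)
        evs = sorted(self.sightings.get(sha256, []), key=lambda e: e.t)
        alerts = [(e.host, e.t, e.action) for e in evs]
        dwell = now - evs[0].t if evs else 0
        return alerts, dwell

# Constructed telemetry: an unknown dropper reaches three hosts before any intel exists.
UNKNOWN_DROPPER = "0" * 63 + "1"   # placeholder digest, constructed
BENIGN_TOOL = "a" * 64             # placeholder digest, constructed
EVENTS = [
    FileEvent(100, "ws-01", UNKNOWN_DROPPER, "create"),
    FileEvent(105, "ws-01", UNKNOWN_DROPPER, "execute"),
    FileEvent(900, "ws-07", UNKNOWN_DROPPER, "copy"),
    FileEvent(950, "srv-03", UNKNOWN_DROPPER, "execute"),
    FileEvent(960, "ws-02", BENIGN_TOOL, "execute"),
]

def compare(intel_arrives_at=2000):
    """Run both models over the same stream; intel about the dropper lands only afterwards."""
    pit, cont = PointInTimeDetector(intel=[]), ContinuousDetector(intel=[])
    pit_hits = [ev.host for ev in EVENTS if pit.inspect(ev)]       # nothing, and no record kept
    realtime_hits = [ev.host for ev in EVENTS if cont.ingest(ev)]  # nothing yet either
    retro_alerts, dwell = cont.update_intel(UNKNOWN_DROPPER, now=intel_arrives_at)
    return pit_hits, realtime_hits, retro_alerts, dwell
```

Both detectors miss the dropper in real time; only the continuous one can later name the three hosts, the order of spread and how long the file dwelt before the verdict.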
The Threat-Centric Model
(Figure: the visibility and control model – APIs; Control: set policy to reduce the surface area of attack)
Visibility Layer Concept
(Figure: context sources – RNA & RUA, AD, 3rd Party, ISE, AnyConnect, RUA Connector – feed the visibility layer through the pxGrid API; the control layer comprises Auto-Config (R3), Impact Assessment, Policy & Response Engine and APIC, sitting above the security platforms)
Control
• Control is about defining & managing the interactions between users, applications, devices, and data
• Access control & segmentation
• Policy enforcement
• Asset hardening & management
• User management
Control Layer Concept
(Figure: mobile devices and endpoints with AnyConnect VPN in the user environment, controlled through ISE, route/switch, APIC, FireSIGHT and ASA/VPN)
Threat and Breach
• Detection & Response are critical functions today
• Being able to detect in a “relevant timeframe”
• Timeframe of response
– “The Golden Hour”
Integrated Threat Defence Architecture Concept
(Figure, two stages: first, the threat environment – Cognitive, CSI, NGIPS, ESA, CWS, WSA – around a user environment of endpoints, mobile devices with AnyConnect, servers and hypervisors, with a control layer; second, the same architecture with AMP added to every element: NGIPS + AMP, ESA + AMP, WSA + AMP, endpoint + AMP, mobile device + AMP, server + AMP, hypervisor + AMP)
Reduce Complexity and Increase Capability
• Collective Security Intelligence
• Centralised Management
• Appliances, Virtual
Collective Security Intelligence
Cisco Talos (Talos Security Intelligence and Research Group) delivers:
• Malware Protection
• Reputation Feeds
• Vulnerability Database Updates
• IPS Rules
• Sandboxing
• Machine Learning
• Big Data Infrastructure
Start with Best-of-breed Products
Working Together to Create a Security Architecture
• Malware Prevention / Sandboxing: Cisco AMP
• Context-aware Segmentation: Cisco TrustSec
• Common Identity, Policy and Context Sharing: Cisco Identity Services (ISE)
• Wired/Wireless and VPN: Cisco Network Integration
• Cisco Collective Security Intelligence
Security Intelligence
• 100 TB of data received per day
• 13 billion web requests
• 150 million+ deployed endpoints
• 24x7x365 operations
• 600+ engineers, technicians, and researchers
• 40+ languages
• Sources: Advanced Microsoft and Industry Disclosures; Snort and ClamAV Open Source Communities; Honeypots; Sourcefire AEGIS™ Program; Private and Public Threat Feeds; Dynamic Analysis
• Pervasive across the portfolio: Email, AMP, Web, Network, NGIPS, NGFW
Enhance with Cisco Security Services: Advisory, Integration, Managed
Only Cisco Delivers
• Global Intelligence With the Right Context
• Consistent Policies Across the Network and Data Centre
• Detects and Stops Advanced Threats
• Fits and Adapts to Changing Business Models
Related Sessions
• BRKSEC-1030 - Introduction to the Cisco Sourcefire NGIPS – Gary Spiteri
• BRKSEC-2021 - Firewall Architectures in the Data Centre and Internet Edge – Goran Saradzic
• BRKSEC-2028 - Deploying Next Generation Firewall with ASA and Firepower Services – Jeff Fanelli
• BRKSEC-2044 - Building an Enterprise Access Control Architecture Using ISE and TrustSec – Imran Bashir
• BRKSEC-2664 - Cisco Sourcefire Advanced Malware Protection (AMP) – Jay Tecksingani
• BRKSEC-2690 - Deploying Security Group Tags – Kevin Regan
• BRKSEC-2691 - Identity Based Networking: IEEE 802.1X and Beyond – Hari Prasad Holla
• BRKSEC-2902 - Embrace Cloud Web Security With Your Cisco Network – Hideyuki Kobayashi
• BRKSEC-3770 - Advanced Email Security with ESA – Joe Montes
• BRKSEC-3771 - Web Security Deployment with WSA – ChooKai Kang
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Meet the Expert 1:1 meetings
Q&A
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2015 T-Shirt!
Complete your Overall Event Survey and 5 Session Evaluations.
Thank you.
Session Abstract
BRKSEC-2061: Cisco + SourceFire: Threat-Centric Security Approach
Jatin Sachdeva, Security Architect, Cisco ANZ
To truly protect against all possible attack vectors, IT professionals must accept the nature of modern networked environments and devices and start defending them by thinking like defenders responsible for securing their infrastructure. Critical to accomplishing this is first understanding the modern threat landscape and how a threat-centric approach to security can increase the effectiveness of threat prevention. This technical session will provide a "how to" with the Cisco Security portfolio, provide an update on the Cisco and Sourcefire security architectures and integrations, and also detail current threats based on research from Cisco’s Talos Security Intelligence & Research Group. By attending this session, security, network and IT architects will benefit from learning approaches that protect their environments across the attack continuum – before, during and after an attack.