
Securing the Enterprise with Network Intelligence

BRKGS-2541

Matt Robertson, Security Technical Marketing Engineer

Crown Jewels

(Image caption: Imperial State Crown of the United Kingdom, Jewel House, Tower of London)

BRKGS-2541 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

(Image captions, truncated in the source: "Iron Crown of", "Duomo of")

Crown Jewels: Data that is valuable to attackers

• Card holder data (PCI)
• Competitive information (M&A)
• Patient records (HIPAA)
• Employee data (PII)
• Trade secrets
• State secrets

Thinking beyond the perimeter

Once the walls are built, monitor the inside for security visibility.


NetFlow

Example: host 10.2.2.2 (port 1024) talks to 10.1.1.1 (port 80) through a router with interfaces eth0/1 and eth0/2. The exporter produces one unidirectional record per direction:

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent  TCP Flags
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025        SYN,ACK,PSH
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712       SYN,ACK,FIN

NetFlow = Visibility

A single NetFlow record provides a wealth of information:

Router# show flow monitor CYBER-MONITOR cache
…
IPV4 SOURCE ADDRESS:       192.168.100.100
IPV4 DESTINATION ADDRESS:  192.168.20.6
TRNS SOURCE PORT:          47321
TRNS DESTINATION PORT:     443
INTERFACE INPUT:           Gi0/0/0
IP TOS:                    0x00
IP PROTOCOL:               6
ipv4 next hop address:     192.168.20.6
tcp flags:                 0x1A
interface output:          Gi0/1.20
counter bytes:             1482
counter packets:           23
timestamp first:           12:33:53.358
timestamp last:            12:33:53.370
ip dscp:                   0x00
ip ttl min:                127
ip ttl max:                127
application name:          nbar secure-http
…

Components for NetFlow Security Monitoring

StealthWatch Management Console
  • Management and reporting
  • Up to 25 FlowCollectors
  • Up to 3 million fps globally

StealthWatch FlowCollector
  • Collect and analyze
  • Up to 2000 sources
  • Up to sustained 120,000 fps

StealthWatch FlowReplicator
  • UDP packet copier
  • Forward to multiple collection systems

StealthWatch FlowSensor
  • Generate NetFlow data

StealthWatch FlowSensor VE
  • Virtual environment
  • Visibility into ESX

(Diagram labels: NetFlow exported from the Cisco Network to the collectors)

Best Practice: Centralize collection globally

Conversational Flow Record

Who (both endpoints), What, How; more context: Where, When

• Highly scalable (enterprise class) collection
• High compression => long term storage
• Months of data retention
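The two slides above show unidirectional exporter records and the bidirectional "conversational" record a collector builds from them. The following is an added example (not Cisco or Lancope code): it parses rows in the column order of the NetFlow table, decodes TCP flags given either as names or as the hex mask seen in the show flow monitor output (0x1A), and stitches both directions into one conversation with who, what, how and when. The sample rows are the two from the slide; treating the lower port as the server side and comparing timestamps as same-day strings are assumptions of this example.

```python
"""Parse unidirectional NetFlow records and stitch them into one
bidirectional conversation record.  Added example, not vendor code."""
from dataclasses import dataclass

# Constructed sample: the two unidirectional records from the NetFlow slide.
SAMPLE_FLOWS = """\
10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 SYN,ACK,PSH
10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 SYN,ACK,FIN
"""

# TCP flag bit values, so a record exported as a mask ("0x1A") and one
# exported as names ("SYN,ACK,PSH") decode to the same set.
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
                 "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def decode_tcp_flags(value):
    """Accept "SYN,ACK,PSH" or a hex mask such as "0x1A"; return flag names."""
    if value.lower().startswith("0x"):
        mask = int(value, 16)
        return frozenset(n for n, bit in TCP_FLAG_BITS.items() if mask & bit)
    names = frozenset(v.strip().upper() for v in value.split(",") if v.strip())
    unknown = names - set(TCP_FLAG_BITS)
    if unknown:
        raise ValueError(f"unknown TCP flags: {sorted(unknown)}")
    return names


@dataclass(frozen=True)
class FlowRecord:
    start: str          # HH:MM:SS.mmm as exported (assumed to be the same day)
    interface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes_sent: int
    flags: frozenset


def parse_flows(text):
    """Parse whitespace-separated rows in the slide's column order."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if len(f) != 10:
            raise ValueError(f"malformed flow row: {line!r}")
        records.append(FlowRecord(f[0], f[1], f[2], int(f[3]), f[4], int(f[5]),
                                  f[6], int(f[7]), int(f[8]), decode_tcp_flags(f[9])))
    return records


def conversation_key(r):
    """Direction-independent key: protocol plus both endpoints in sorted order."""
    ends = sorted([(r.src_ip, r.src_port), (r.dst_ip, r.dst_port)])
    return (r.proto, ends[0], ends[1])


def stitch(records):
    """Merge unidirectional records into one conversation per endpoint pair.
    Assumption: the end with the lower port is the server (holds for
    well-known services; a real collector also looks at who sent the SYN)."""
    convs = {}
    for r in records:
        key = conversation_key(r)
        if key not in convs:
            if r.dst_port < r.src_port:
                client, server, port = r.src_ip, r.dst_ip, r.dst_port
            else:
                client, server, port = r.dst_ip, r.src_ip, r.src_port
            convs[key] = {"client": client, "server": server, "service_port": port,
                          "proto": r.proto, "client_bytes": 0, "server_bytes": 0,
                          "packets": 0, "first_seen": r.start, "last_seen": r.start,
                          "flags": set(), "interfaces": set()}
        c = convs[key]
        if r.src_ip == c["client"]:
            c["client_bytes"] += r.bytes_sent    # what the client sent
        else:
            c["server_bytes"] += r.bytes_sent    # what the server sent back
        c["packets"] += r.packets
        c["first_seen"] = min(c["first_seen"], r.start)
        c["last_seen"] = max(c["last_seen"], r.start)
        c["flags"] |= r.flags
        c["interfaces"].add(r.interface)
    return list(convs.values())


if __name__ == "__main__":
    for c in stitch(parse_flows(SAMPLE_FLOWS)):
        print(f'{c["client"]} -> {c["server"]}:{c["service_port"]}/{c["proto"]} '
              f'{c["client_bytes"]} B out / {c["server_bytes"]} B in, '
              f'{c["packets"]} pkts, {c["first_seen"]}-{c["last_seen"]}, '
              f'flags={",".join(sorted(c["flags"]))}')
```

For the slide's two rows the stitched record shows a client that sent 1025 bytes and received 28712 bytes in 22 packets, which is the asymmetry a collector uses to tell a download from an upload; that direction-aware byte count is what the data-hoarding alarms later in the deck are built on.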

NetFlow Analysis can help:

• Discovery
  – Identify business critical applications and services across the network
• Identify additional IOCs
  – Policy & Segmentation
  – Network Behaviour Anomaly Detection (NBAD)
• Better understand / respond to an IOC
  – Audit trail of all host-to-host communication

Discovery: Finding your Jewels

• Identify assets and data
• Top Peers and Flow Tables
• Expected traffic profile
• Create Host Groups
• Tune Host Group policies to lower tolerance

Map the Segmentation

• Identify relationships (Allowed / Not Allowed)
• Monitor policy

Custom Security Events and Host Locking

A custom security event combines four kinds of conditions:
• Object conditions
• Peer conditions
• Connection conditions
• Time range
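The two preceding slides describe mapping allowed and not-allowed relationships between host groups and then defining custom security events from object, peer, connection and time-range conditions. The following added example (not StealthWatch code or configuration) shows both ideas over conversation summaries: a segmentation map that locks each host group to its permitted peers and services, and a custom event that fires when a workstation reaches the cardholder database during an off-hours window that crosses midnight. Host group names, CIDRs, rules and the sample records are all constructed.

```python
"""Segmentation policy check and custom security events over conversation
records.  Added example; host groups, rules and flows are constructed."""
import ipaddress

# Host groups: name -> CIDRs (constructed)
HOST_GROUPS = {
    "Cardholder DB": ["10.10.5.0/24"],
    "Web Tier": ["10.10.1.0/24"],
    "Workstations": ["10.20.0.0/16"],
}

# Segmentation map: (subject group, peer group) -> allowed (proto, port) pairs.
# Any relationship not listed is "Not Allowed", i.e. each group is locked to
# the peers named here.
SEGMENTATION_POLICY = {
    ("Web Tier", "Cardholder DB"): {("TCP", 3306)},
    ("Workstations", "Web Tier"): {("TCP", 443)},
}

# Custom security events: object (subject) conditions, peer conditions,
# connection conditions and a time range, mirroring the slide's four parts.
CUSTOM_EVENTS = [
    {
        "name": "Workstation talks to Cardholder DB off-hours",
        "subject_groups": {"Workstations"},     # object conditions
        "peer_groups": {"Cardholder DB"},       # peer conditions
        "protos": {"TCP"},                      # connection conditions ...
        "ports": None,                          # ... any destination port
        "min_bytes": 1,
        "time_range": ("22:00", "06:00"),       # time range, wraps midnight
    },
]


def host_group(ip):
    """Map an address to the first host group whose CIDRs contain it."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in HOST_GROUPS.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return "Outside"


def in_time_range(hhmm, rng):
    """HH:MM comparison; a range whose start is after its end crosses midnight."""
    start, end = rng
    if start <= end:
        return start <= hhmm <= end
    return hhmm >= start or hhmm <= end


def check_segmentation(flow):
    """Return "Allowed" or "Not Allowed" for a client -> server record."""
    pair = (host_group(flow["src"]), host_group(flow["dst"]))
    allowed = SEGMENTATION_POLICY.get(pair, set())
    return "Allowed" if (flow["proto"], flow["dport"]) in allowed else "Not Allowed"


def matches_event(ev, flow):
    """All four condition groups must hold for the event to fire."""
    return (host_group(flow["src"]) in ev["subject_groups"]
            and host_group(flow["dst"]) in ev["peer_groups"]
            and flow["proto"] in ev["protos"]
            and (ev["ports"] is None or flow["dport"] in ev["ports"])
            and flow["bytes"] >= ev["min_bytes"]
            and in_time_range(flow["time"], ev["time_range"]))


def evaluate(flows):
    """Return (finding, src, dst, dport) tuples in record order."""
    findings = []
    for f in flows:
        if check_segmentation(f) == "Not Allowed":
            findings.append(("Segmentation: Not Allowed", f["src"], f["dst"], f["dport"]))
        for ev in CUSTOM_EVENTS:
            if matches_event(ev, f):
                findings.append((ev["name"], f["src"], f["dst"], f["dport"]))
    return findings


# Constructed client -> server conversation summaries.
SAMPLE_RECORDS = [
    {"time": "10:15", "src": "10.10.1.5",  "dst": "10.10.5.10", "proto": "TCP", "dport": 3306, "bytes": 4096},
    {"time": "02:30", "src": "10.20.3.44", "dst": "10.10.5.10", "proto": "TCP", "dport": 3306, "bytes": 2048},
    {"time": "11:00", "src": "10.20.3.44", "dst": "10.10.5.10", "proto": "TCP", "dport": 22,   "bytes": 512},
    {"time": "09:00", "src": "10.20.3.44", "dst": "10.10.1.5",  "proto": "TCP", "dport": 443,  "bytes": 9000},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_RECORDS):
        print(*finding)
```

Of the four sample records, the web-tier query and the workstation's HTTPS session are allowed; both workstation-to-database records violate the segmentation map, and the one at 02:30 additionally fires the custom event because it falls inside the 22:00 to 06:00 window. Keeping the segmentation check and the custom event separate matters: the first catches every unexpected relationship, the second adds the time and volume context an analyst wants when deciding which violation to look at first.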

Data Anomaly Alarms

• Suspect Data Hoarding
• Target Data Hoarding
• Total Traffic
• Suspect Data Loss

Suspect Data Hoarding

Unusually large amount of data inbound to a host from other hosts

(Screenshot: Default Policy)

Target Data Hoarding

Unusually large amount of data outbound from a host to multiple hosts

(Screenshot: Default Policy)
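The two hoarding alarms above compare a host's inbound or outbound volume against what is normal for it. The following added example (not StealthWatch code; the policy values, baselines and conversation records are constructed) implements both alarms over the conversation records of one day: it totals bytes each host received and sent, counts distinct peers, and raises Suspect Data Hoarding when a host pulled far more than its baseline from several hosts, or Target Data Hoarding when a host pushed far more than its baseline to multiple hosts. Hosts without a baseline are skipped rather than alarmed, which is the behaviour a practitioner wants while a new host group is still being profiled.

```python
"""Suspect / Target Data Hoarding alarms over one day of conversation records.
Added example; policy numbers, baselines and records are constructed."""
from collections import defaultdict

# Default policy (constructed values): alarm when today's total is at least
# `min_bytes`, exceeds `tolerance` times the host's baseline, and involves at
# least `min_peers` distinct hosts.  Lowering tolerance for a crown-jewel host
# group is the "tune policies to lower tolerance" step from the Discovery slide.
DEFAULT_POLICY = {"tolerance": 3.0, "min_bytes": 1_000_000_000, "min_peers": 2}


def daily_totals(conversations):
    """Per-host inbound/outbound bytes and distinct peer sets."""
    inbound, outbound = defaultdict(int), defaultdict(int)
    in_peers, out_peers = defaultdict(set), defaultdict(set)
    for c in conversations:
        cl, sv = c["client"], c["server"]
        if c["client_bytes"]:                      # client -> server direction
            outbound[cl] += c["client_bytes"]
            inbound[sv] += c["client_bytes"]
            out_peers[cl].add(sv)
            in_peers[sv].add(cl)
        if c["server_bytes"]:                      # server -> client direction
            outbound[sv] += c["server_bytes"]
            inbound[cl] += c["server_bytes"]
            out_peers[sv].add(cl)
            in_peers[cl].add(sv)
    return inbound, outbound, in_peers, out_peers


def _exceeds(total, peers, baseline, policy):
    return (total >= policy["min_bytes"]
            and total > policy["tolerance"] * baseline
            and len(peers) >= policy["min_peers"])


def data_anomaly_alarms(conversations, baselines, policy=DEFAULT_POLICY):
    """Return alarms sorted by host.  `baselines` maps host -> {"inbound", "outbound"}
    daily byte averages; a host with no baseline is still learning and never alarms."""
    inbound, outbound, in_peers, out_peers = daily_totals(conversations)
    alarms = []
    for host in set(inbound) | set(outbound):
        base = baselines.get(host)
        if base is None:
            continue
        if _exceeds(inbound[host], in_peers[host], base["inbound"], policy):
            alarms.append({"alarm": "Suspect Data Hoarding", "host": host,
                           "bytes": inbound[host], "peers": len(in_peers[host]),
                           "baseline": base["inbound"]})
        if _exceeds(outbound[host], out_peers[host], base["outbound"], policy):
            alarms.append({"alarm": "Target Data Hoarding", "host": host,
                           "bytes": outbound[host], "peers": len(out_peers[host]),
                           "baseline": base["outbound"]})
    return sorted(alarms, key=lambda a: a["host"])


# Constructed day of conversations: a workstation pulling from three file
# servers, a database server pushing to twelve clients, and normal background.
SAMPLE_CONVERSATIONS = (
    [{"client": "10.20.3.44", "server": fs, "client_bytes": 10_000, "server_bytes": sb}
     for fs, sb in [("10.10.2.1", 2_500_000_000), ("10.10.2.2", 2_000_000_000),
                    ("10.10.2.3", 1_800_000_000)]]
    + [{"client": f"10.20.1.{i}", "server": "10.10.5.10",
        "client_bytes": 5_000, "server_bytes": 700_000_000} for i in range(1, 13)]
    + [{"client": "10.20.7.9", "server": "10.10.2.1",
        "client_bytes": 20_000, "server_bytes": 150_000_000}]
)

# Constructed baselines (average daily bytes); the 10.20.1.x clients have none.
BASELINES = {
    "10.20.3.44": {"inbound": 200_000_000, "outbound": 50_000_000},
    "10.10.5.10": {"inbound": 100_000_000, "outbound": 500_000_000},
    "10.10.2.1": {"inbound": 50_000_000, "outbound": 3_000_000_000},
    "10.10.2.2": {"inbound": 50_000_000, "outbound": 3_000_000_000},
    "10.10.2.3": {"inbound": 50_000_000, "outbound": 3_000_000_000},
    "10.20.7.9": {"inbound": 200_000_000, "outbound": 50_000_000},
}

if __name__ == "__main__":
    for a in data_anomaly_alarms(SAMPLE_CONVERSATIONS, BASELINES):
        print(f'{a["alarm"]}: {a["host"]} moved {a["bytes"]} bytes with '
              f'{a["peers"]} peers (baseline {a["baseline"]})')
```

The file servers each sent a few gigabytes but stay quiet because that is within their baseline and each talked to a single peer; the workstation that received 6.3 GB from three of them raises Suspect Data Hoarding, and the database server that sent 8.4 GB to twelve clients raises Target Data Hoarding. The peer count is what separates a host that staged data from many sources from one that simply ran a large backup to one destination.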

Summary

Related Sessions

• BRKSEC-2136 – Preventing Armageddon: Finding the threat before it's too late
  Matt Robertson – Wednesday, Jan 28, 2:30-4:00
• BRKCRS-1449 – Introductory – Threat Defense for Enterprise Networks with Unified Access
  Vaibhav Katkade, Anoop Vetteth – Tuesday, Jan 27, 11:15-12:45
• BRKSEC-3068 – Intermediate – Red Team, Blue Team: Lessons Learned for Real World Attacks
  Jamey Heary, Eddie Mize – Tuesday, Jan 27, 2:15-4:15
• BRKSEC-3128 – Secure your network with distributed behavioural analytics
  JP Vasseur – Tuesday, Jan 27, 4:45-6:15

Call to Action

• Visit the World of Solutions for
  – Cisco Campus:
    • Lancope Booth – Booth #G8
    • Cisco Security – Cyber Threat Defence Demo
    • Cisco Enterprise Networking – Network as a Sensor & Enforcer
  – Technical Solution Clinics
• Meet the Engineer
• Lunch time Table Topics
• DevNet zone related labs and sessions
• Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2015

Complete Your Online Session Evaluation

• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Protect the Crown Jewels!

NetFlow and the Lancope StealthWatch System provide actionable security intelligence
