Implementing Cisco Cyber Security Operations

<p>2019 CLUS</p>
<p>Implementing Cisco Cyber Security Operations</p>
<p>Paul Ostrowski / Patrick Lao / James Risler, Cisco Security Content Development Engineers</p>
<p>LTRCRT-2222</p>
<p>© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public</p>

<p><strong>Cisco Webex Teams</strong></p>
<p>Questions? Use Cisco Webex Teams to chat with the speaker after the session.</p>
<p>How:</p>
<ol>
<li>Find this session in the Cisco Live Mobile App</li>
<li>Click “Join the Discussion”</li>
<li>Install Webex Teams or go directly to the team space</li>
<li>Enter messages/questions in the team space</li>
</ol>
<p>Webex Teams will be moderated by the speaker until June 16, 2019.</p>
<p>cs.co/ciscolivebot#LTRCRT-2222</p>

<p><strong>Agenda</strong></p>
<ul>
<li>Goals and Objectives</li>
<li>Prerequisite Knowledge &amp; Skills (PKS)</li>
<li>Introduction to Security Onion</li>
<li>SECOPS Labs and Topologies</li>
<li>Access SECFND / SECOPS eLearning Lab Training Environment</li>
<li>Lab Evaluation</li>
<li>Cisco Cybersecurity Certification and Education Offerings</li>
</ul>

<p><strong>Goals and Objectives</strong></p>
<ul>
<li>Today's organizations are challenged with rapidly detecting cybersecurity breaches in order to effectively respond to security incidents. Cybersecurity provides the critical foundation organizations require to protect themselves, enable trust, move faster, add greater value and grow.</li>
<li>Teams of cybersecurity analysts within Security Operations Centers (SOC) keep a vigilant eye on network security monitoring systems designed to protect their organizations by detecting and responding to cybersecurity threats.</li>
<li>The goal of <strong>Cisco’s CCNA Cyber OPS</strong> (<strong>SECFND / SECOPS</strong>) courses is to teach the fundamental skills required to begin a career working as an associate/entry-level cybersecurity analyst within a threat-centric security operations center.</li>
<li>This session will provide the student with an understanding of <strong>Security Onion</strong> as an open source network security monitoring (NSM) tool. The student will also explore common attack vectors, malicious activities, and patterns of suspicious behaviors typically encountered within a threat-centric Security Operation Center (SOC).</li>
<li>We will provide you 30 days of continued access to the SECFND and SECOPS Training Portal.</li>
<li>This training is NOT focused on Cisco’s family of security products and solutions.</li>
</ul>

<p><strong>Prerequisite Knowledge &amp; Skills (PKS)</strong></p>
<ul>
<li>This topic lists the skills, knowledge, and attitudes that students must possess to benefit fully from the labs. It includes recommended Cisco learning offerings that the learner may complete to benefit fully from the labs.</li>
<li><strong>Recommended Prerequisite Skills</strong>: the knowledge, skills, and attitudes that a student is expected to have before attending this course are as follows:
<ul>
<li>Understanding Cisco Cybersecurity Fundamentals (<strong>SECFND</strong>)</li>
</ul>
</li>
<li><strong>Learning Resources for Prerequisite Skills</strong>: Cisco learning offerings that contribute to recommended knowledge, skills, and attitudes:
<ul>
<li><strong>CCNA Cyber Ops SECFND #210-250 Official Cert Guide</strong>, by Omar Santos, Joseph Muniz, Stefano De Crescenzo</li>
<li><strong>CCNA Cyber Ops SECOPS #210-255 Official Cert Guide</strong>, by Omar Santos, Joseph Muniz</li>
</ul>
</li>
</ul>

<p><strong>Introduction to Security Onion</strong></p>
<p>Video</p>

<p><strong>Cisco 2018 Annual Cybersecurity Report Highlights</strong></p>
<p>The <a href="/goto?url=https://www.cisco.com/c/en/us/products/security/security-reports.html?CCID=cc000160&amp;DTID=esootr000875&amp;OID=anrsc005983" target="_blank">Cisco 2018 Annual Cybersecurity Report</a> highlights findings and insights derived from threat intelligence and cybersecurity trends observed over the past 12-18 months by threat researchers and six technology partners: Anomali, Lumeta, Qualys, Radware, SAINT, and TrapX. Also included in the report are results of the annual Security Capabilities Benchmark Study (SCBS), which this year surveyed 3,600 chief security officers (CSOs) and security operations (SecOps) managers from 26 countries about the state of cybersecurity in their organizations.</p>
<p><strong>The financial cost of attacks is no longer a hypothetical number:</strong></p>
<ul>
<li>According to study respondents, more than half of all attacks resulted in financial damages of more than US $500,000, including, but not limited to, lost revenue, customers, opportunities, and out-of-pocket costs.</li>
</ul>
<p>Source: <a href="/goto?url=https://newsroom.cisco.com/press-release-content?type=webcontent&amp;articleId=1911494" target="_blank">https://newsroom.cisco.com/press-release-content?type=webcontent&amp;articleId=1911494</a></p>

<p><strong>Cisco 2018 Annual Cybersecurity Report Highlights</strong></p>
<p><strong>Supply chain attacks are increasing in velocity, complexity</strong></p>
<p>These attacks can impact computers on a massive scale and can persist for months or even years. Defenders should be aware of the potential risk of using software or hardware from organizations that do not appear to have a responsible security posture.</p>
<ul>
<li>Two such supply chain attacks in 2017, Nyetya and CCleaner, infected users by attacking trusted software.
<ul>
<li><strong>Nyetya</strong> (also known as NotPetya) arrived in June 2017. This wiper malware also masqueraded as ransomware and it used the remote code execution vulnerability nicknamed “EternalBlue,” as well as the remote code execution vulnerability “EternalRomance” (also leaked by Shadow Brokers), and other vectors involving credential harvesting.</li>
<li><strong>CCleaner</strong> arrived in September 2017 and involved the download servers used by a software vendor to distribute a legitimate software package known as CCleaner. CCleaner’s binaries, which contained a Trojan backdoor, were signed using a valid certificate, giving users false confidence that the software they were using was secure.</li>
</ul>
</li>
</ul>
<p>Source: <a href="/goto?url=https://newsroom.cisco.com/press-release-content?type=webcontent&amp;articleId=1911494" target="_blank">https://newsroom.cisco.com/press-release-content?type=webcontent&amp;articleId=1911494</a></p>

<p><strong>Cisco 2018 Annual Cybersecurity Report Highlights</strong></p>
<p><strong>Security is getting more complex, scope of breaches is expanding</strong></p>
<p>Defenders are implementing a complex mix of products from a cross-section of vendors to protect against breaches. This complexity and growth in breaches have many downstream effects on an organization's ability to defend against attacks, such as increased risk of losses.</p>
<ul>
<li>In 2017, 25 percent of security professionals said they used products from 11 to 20 vendors, compared with 18 percent of security professionals in 2016.</li>
<li>Security professionals said 32 percent of breaches affected more than half of their systems, compared with 15 percent in 2016.</li>
</ul>
<p><strong>Trends in malware volume have an impact on defenders' time to detection (TTD)</strong></p>
<ul>
<li>The Cisco median TTD was about 4.6 hours for the period from November 2016 to October 2017, well below the 39-hour median TTD reported in November 2015 and the 14-hour median reported in the Cisco 2017 Annual Cybersecurity Report for the period from November 2015 to October 2016.</li>
<li>The use of cloud-based security technology has been a key factor in helping Cisco to drive and keep its median TTD to a low level. Faster TTD helps defenders move sooner to resolving breaches.</li>
</ul>
<p>Source: <a href="/goto?url=https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/acr2018/acr2018final.pdf?dtid=odicdc000016&amp;ccid=cc000160&amp;oid=anrsc005679&amp;ecid=8196&amp;elqTrackId=686210143d34494fa27ff73da9690a5b&amp;elqaid=9452&amp;elqat=2" target="_blank">https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/acr2018/acr2018final.pdf?dtid=odicdc000016&amp;ccid=cc000160&amp;oid=anrsc005679&amp;ecid=8196&amp;elqTrackId=686210143d34494fa27ff73da9690a5b&amp;elqaid=9452&amp;elqat=2</a></p>

<p><strong>Network Security Monitoring Tool</strong></p>
<ul>
<li>A Network Security Monitoring (NSM) tool is software that collects, maintains, processes, and presents network security monitoring data (security-related events).</li>
<li>The Security Operations Center (SOC) analyst examines the data produced by the network security monitoring tool. Without NSM data, SOC analysts could not perform their job effectively; without NSM tools, SOC analysts would not have network data to analyze.</li>
<li>An NSM tool can enhance network visibility by using context-rich telemetry and threat-based intelligence collected from within the network infrastructure.</li>
</ul>

<p><strong>Network Security Monitoring Using Security Onion</strong></p>
<ul>
<li>Security Onion is an open source Linux distribution that focuses on NSM. Security Onion is used for log management, intrusion detection and network security event monitoring. The distribution is managed by Security Onion Solutions. Many of the tools that comprise the Security Onion NSM have broad community support.</li>
<li>Security Onion Solutions provides a straightforward installation package for network security monitoring. Security Onion Solutions also offers training and support services for the distribution.</li>
<li>Security Onion can be deployed as a simple standalone system where one network interface card (NIC) is used for management and one or more additional NICs are used for monitoring security events on the network.</li>
<li>Security Onion can also scale using a distributed deployment where one system acts as the master server and the monitoring duties are spread across multiple sensor systems.</li>
</ul>

<p><strong>Security Onion Core Components</strong></p>
<ul>
<li><strong>Core Primary Functions:</strong>
<ul>
<li><strong>Full packet captures:</strong> <strong>Netsniff-ng</strong></li>
<li><strong>Network-based (NIDS) and Host-based (HIDS) Intrusion Detection Systems:</strong>
<ul>
<li>NIDS:
<ul>
<li>Rules-driven NIDS alerts from <strong>Snort</strong> or <strong>Suricata</strong> in passive mode (not NIPS inline mode)</li>
<li>Analysis-driven NIDS from the <strong>Zeek (Bro)</strong> Network Security Monitor (traffic is captured via a SPAN port, TAP port or packet broker)
<ul>
<li><strong>Zeek v2.6.2 (Bro)</strong> is a protocol parsing engine that provides three key network security capabilities: <strong>Traffic Logging</strong> (generates comprehensive, protocol-specific network traffic logs for 35+ protocols: DNS, HTTP, files), <strong>Automated Analysis</strong> (traffic analysis using Bro scripts), and <strong>File Extraction</strong> (extracts &amp; re-assembles any file type off the wire)</li>
</ul>
</li>
</ul>
</li>
<li>HIDS: <strong>Wazuh</strong> (wah-zoo) replaced <strong>OSSEC</strong> and is used to monitor/defend Security Onion. Add <strong>Wazuh</strong> agents to endpoint hosts.</li>
</ul>
</li>
<li><strong>Syslog data received by Zeek (Bro)</strong> or <strong>syslog-ng</strong></li>
</ul>
</li>
<li><strong>Powerful Data Analysis Tools:</strong>
<ul>
<li><strong>Sguil</strong> Analyst Console / <strong>Squert</strong> PHP Web Interface / <strong>Kibana</strong> (Squert &amp; Kibana can pivot to <strong>CapMe</strong> to retrieve full packet captures)</li>
<li><strong>Wireshark</strong></li>
<li><strong>NetworkMiner</strong></li>
<li><strong>ELSA / Elastic Stack® (ELK)</strong></li>
<li><strong>CyberChef</strong></li>
</ul>
</li>
</ul>
<p>Source: <a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/IntroductionToSecurityOnion" target="_blank">https://github.com/Security-Onion-Solutions/security-onion/wiki/IntroductionToSecurityOnion</a></p>

<p><strong>Simplified Security Onion Architecture</strong></p>
<p>The Security Onion architecture is more robust than is conveyed in the figure on this slide. The figure serves to introduce the complexity of and interactions between the NSM tools in Security Onion. The tools in the bottom row are largely dedicated to the collection and production of raw NSM data. The tools/components in the middle row are associated with the optimization and maintenance of the data. For example, <strong>Zeek (Bro)</strong>, <strong>Wazuh (OSSEC)</strong>, and <strong>syslog-ng</strong> all produce flat files with one log entry per line. The <strong>ELSA</strong> system takes this raw data and organizes it into a relational MySQL database, using high-performance Sphinx indexing. The tools listed in the top row are responsible for the presentation of the data to the SOC analyst.
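</p>
<p>The architecture slide above describes Zeek (Bro), Wazuh and syslog-ng writing flat files with one log entry per line, which ELSA (and now the Elastic Stack) indexes for the analyst, and the Elastic slide that follows lists FreqServer for spotting random-looking names. As an added example that is not part of the original deck or of Security Onion's own code, the Python below parses a constructed Zeek dns.log in its native TSV layout (honoring the #fields, #unset_field and #empty_field headers), emits each entry as the JSON document an ingestion pipeline would index, and scores the registrable label of every query; the Shannon-entropy scorer is a simplified stand-in for FreqServer's character-pair frequency tables, and the sample log lines are constructed, not captured.</p>

```python
import json
import math
from collections import Counter
from datetime import datetime, timezone

# Constructed sample (not a real capture): a shortened Zeek dns.log in the
# default TSV layout; the '#' header lines make the file self-describing.
SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tdns\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\tquery\tqtype_name\trcode_name\n"
    "1560000000.123456\tCa1b2c3\t10.0.0.5\t10.0.0.2\tudp\twww.cisco.com\tA\tNOERROR\n"
    "1560000001.654321\tCd4e5f6\t10.0.0.5\t10.0.0.2\tudp\tqx7r2k9vz1m4p.info\tA\tNXDOMAIN\n"
    "1560000002.000000\tCg7h8i9\t10.0.0.7\t10.0.0.2\tudp\t-\tA\tNXDOMAIN\n"
    "#close\t2019-06-10-12-00-00\n"
)

def parse_zeek_log(text):
    """One dict per log entry; '#unset_field' -> None, '#empty_field' -> ''."""
    fields, unset, empty = None, "-", "(empty)"
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue  # #separator, #path, #types, #close need no action here
        if fields is None:
            raise ValueError("data row before #fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):  # zip() would silently truncate
            raise ValueError("column count mismatch: %r" % line)
        records.append({n: None if c == unset else ("" if c == empty else c)
                        for n, c in zip(fields, cols)})
    return records

def to_elastic_json(record):
    """Serialize a record for Elasticsearch: Zeek 'ts' becomes '@timestamp'."""
    doc = dict(record)
    stamp = datetime.fromtimestamp(float(doc.pop("ts")), tz=timezone.utc)
    doc["@timestamp"] = stamp.isoformat()
    return json.dumps(doc, sort_keys=True)

def shannon_entropy(label):
    """Bits per character; higher means the label looks more random."""
    counts, n = Counter(label), len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(query):
    """'qx7r2k9vz1m4p' for 'qx7r2k9vz1m4p.info' (public suffixes like .co.uk
    are not handled; a simplification of this example)."""
    parts = query.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def flag_random_queries(records, threshold=3.5):
    """Queries whose registrable label scores at or above the threshold.
    FreqServer scores character-pair frequencies; Shannon entropy is the
    simpler stand-in used here (an assumption of this example)."""
    hits = []
    for rec in records:
        query = rec.get("query")
        if not query:  # unset ('-') or empty query: nothing to score
            continue
        if shannon_entropy(registrable_label(query)) >= threshold:
            hits.append(query)
    return hits
```

<p>A threshold of 3.5 bits flags the 13-character random label in the sample but will also catch long legitimate acronyms, which is why a frequency-table scorer such as FreqServer is the better choice in production.</p>
<p>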
</p>

<p><strong>Security Onion with Elastic Stack®</strong></p>
<p><strong>Security Onion Migrated from ELSA to the Elastic Stack® (“Hybrid Hunter”)</strong></p>
<p>The new Elastic Stack® components are comprised of Docker container images based on CentOS 7.</p>
<p><strong>Elastic Stack® Core Components:</strong></p>
<ul>
<li><a href="/goto?url=https://www.elastic.co/products/beats" target="_blank"><strong>Beats</strong></a>® - lightweight data shipper server agent that sends specific types of operational data to <strong>Logstash</strong> and <strong>Elasticsearch</strong></li>
<li><a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/Logstash" target="_blank"><strong>Logstash</strong></a>® - data ingestion engine that parses and formats logs</li>
<li><a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/Elasticsearch" target="_blank"><strong>Elasticsearch</strong></a>® - ingests and indexes logs; a large, scalable search engine based on Apache Lucene</li>
<li><a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/Kibana" target="_blank"><strong>Kibana</strong></a>® - offers web-based visualizations of ingested log data and data exploration</li>
</ul>
<p><strong>Elastic Stack® Auxiliary Components:</strong></p>
<ul>
<li><a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/Curator" target="_blank"><strong>Curator</strong></a> - manage indices through scheduled maintenance</li>
<li><a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/ElastAlert" target="_blank"><strong>ElastAlert</strong></a> - query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information</li>
<li><a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/FreqServer" target="_blank"><strong>FreqServer</strong></a> - detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.</li>
<li><a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/DomainStats" target="_blank"><strong>DomainStats</strong></a> - get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.</li>
</ul>
<p><strong>ELSA</strong> reached End Of Life status on October 9, 2018. Security Onion will not provide any updates or support for ELSA.</p>
<p>Source: <a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-Architecture" target="_blank">https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-Architecture</a></p>

<p><strong>Security Onion with Elastic Stack®</strong></p>
<p><strong>A Very Brief Introduction to Linux (Docker) Containers</strong></p>
<p>Linux containers are standalone, lighter virtualization alternatives to virtual machines that include code, system tool libraries, and settings in a ‘portable’ capsule or bottle.</p>
<ul>
<li>Containers are isolated from each other and bundle their own application, tools, libraries, and configuration files.</li>
<li>Containers can communicate with each other through overlay network subsystems.</li>
<li>All containers are run by a single host operating-system kernel and are thus more lightweight than virtual machine images. Containers rely on the host kernel's functionality and use resource isolation for CPU and memory resources and separate namespaces to isolate the application's view of the operating system.</li>
<li>Unlike a virtual machine image, which requires a hypervisor (VMware, VirtualBox), containers do not utilize a hypervisor. Containers are created from images that can either be stateful (using persistent storage) or stateless.</li>
<li>Why the change from Ubuntu DEB packages (used in Security Onion) to Docker images?
<ul>
<li>Docker images are easier to build &amp; maintain and will allow support for other distros, like CentOS.</li>
</ul>
</li>
</ul>
<p><strong>Fun Fact</strong>: there is no formal definition of a Linux “container.” Most people identify a Linux container with keywords like: LXC, libvirt, Docker, Kubernetes, namespaces, cgroups, CoreOS rkt, BSD jails, Zones.</p>
<p>Source: <a href="/goto?url=https://en.wikipedia.org/wiki/Docker_(software)" target="_blank">https://en.wikipedia.org/wiki/Docker_(software)</a></p>

<p><strong>Security Onion with Elastic Stack®</strong></p>
<p>Security Onion Architecture using Elastic Stack® (ELK)</p>

<p><strong>Security Onion / Open Source Tools</strong></p>
<ul>
<li><strong>argus</strong> - <a href="/goto?url=http://www.qosient.com/argus/" target="_blank">http://www.qosient.com/argus/</a><br>
"Argus is a data network transaction auditing tool that categorizes network packets that match the libpcap filter expression into a protocol-specific network flow transaction model. Argus reports on the transactions that it discovers, as periodic network flow data, that is suitable for historical and near real-time processing for forensics, trending and alarm/alerting."</li>
<li><strong>barnyard2</strong> - <a href="/goto?url=http://www.securixlive.com/barnyard2/" target="_blank">http://www.securixlive.com/barnyard2/</a><br>
"Barnyard2 is an open source interpreter for Snort unified2 binary output files. Its primary use is allowing Snort to write to disk in an efficient manner and leaving the task of parsing binary data into various formats to a separate process that will not cause Snort to miss network traffic."</li>
<li><strong>Bro (Zeek)</strong> - <a href="/goto?url=http://zeek.org/" target="_blank">http://zeek.org/</a><br>
"Zeek (Bro) provides a comprehensive HIDS/NIDS platform for network traffic analysis."<br>
<a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/Bro" target="_blank">https://github.com/Security-Onion-Solutions/security-onion/wiki/Bro</a></li>
<li><strong>CapME</strong> - <a href="/goto?url=http://chaosreader.sourceforge.net/" target="_blank">http://chaosreader.sourceforge.net/</a><br>
CapMe will download a pcap file and view a pcap transcript rendered with tcpflow and Zeek (Bro) (especially helpful for dealing with gzip encoding)</li>
</ul>
<p>Source: <a href="/goto?url=https://github.com/Security-Onion-Solutions/security-onion/wiki/Tools" target="_blank">https://github.com/Security-Onion-Solutions/security-onion/wiki/Tools</a></p>
