Transcript

Cybersecurity: Malware Defense

Malware Defense

What is Cisco’s Role?

“Over the past year the amount of unique malware has doubled” – Chris Coleman, Cisco Cyber Architect

Systems Approach to Security
• Best-of-breed security technologies embedded into infrastructure components
• Benefits:
  – Lower TCO
  – Easier to manage – similar HW/SW platforms and design
  – Easier to deploy
  – Fewer training requirements
  – Single support model
  – Fully integrated rather than bolted-on
  – Ability to support customers on classified networks
  – Commitment to certifications – Global Certification Team (GCT)

What is Reputation Security?

• Reputation Security delivers a numeric score about an object, which allows a security device to take a policy-based action.
• Reputation is built on three things:
  1. Our own assessment (e.g., using SensorBase data)
  2. Assessment by trusted 3rd parties
  3. Sophisticated models that produce a score in real-time

Cisco IronPort Web and Email Security

Cisco IronPort Web Security: safe client browsing with Web Reputation and URL Filtering

Cisco IronPort Email Security: spam filters, Virus Outbreak Filters, Email Reputation Filters

Hosted and appliance options

Diagram: Email/Web traffic (malicious and benign) → Cisco IronPort → Client, with Cisco Security Intelligence Operations feeding the IronPort appliance

Examples of Reputation in Action

Web Security: What do we know BEYOND the top level domain?

IPS: more accuracy, less hands-on admin time spent dealing with “yellow alerts”

Firewall: Who on my network is currently infected?

How Effective is Reputation?

• IronPort was a strategic acquisition for Cisco
• Security systems need to react as fast as threats – on all fronts
• Blocking at lower layers is fast, and can provide great security intelligence to otherwise unaware devices

Cisco on Cisco
Our Corporate Email Experience

Message Category                  %       Messages
Stopped by Reputation Filtering   93.1%   700,876,217
Stopped as Invalid Recipients      0.3%     2,280,104
Spam Detected                      2.5%    18,617,700
Virus Detected                     0.3%     2,144,793
Stopped by Content Filter          0.6%     4,878,312
Total Threat Messages             96.8%   728,797,126
Clean Messages                     3.2%    24,102,874
Total Attempted Messages                  752,900,000

Blocked at Layer 3!

ASA Botnet Traffic Filters

Botnet Traffic Filter

• 3 main components:
  – Domain Name System (DNS) snooping
  – Traffic classification and reporting
  – Dynamic and administrator blacklist data

Botnet Traffic Filter Reports: Top Botnet Sites and Ports

Botnet Traffic Filter Reports: Top Infected Hosts
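Added example (not Cisco code): the mechanism the three components above describe, in Python. A firewall sees only source, destination address and port for a flow, while botnet intelligence is mostly domain-based, so the filter snoops DNS replies to build a reverse cache (resolved address → names, plus which internal host asked), matches later flows against the domain blacklist by destination address, falls back to an address blacklist for flows with no DNS history (malware with a hard-coded C2 address), and lets administrator whitelist data override the dynamic feed. The two reports at the end are the ones the slide names. Indicator names, addresses and hosts are constructed sample data; the class and function names are my own.

```python
"""Botnet traffic filter sketch: DNS snooping + blacklist data + reporting.
Added example with constructed data; not Cisco's implementation."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed indicator data (hypothetical names; addresses from documentation ranges).
DOMAIN_BLACKLIST: Set[str] = {"cnc.example.net", "update-srv.example.org"}  # dynamic feed
IP_BLACKLIST: Set[str] = {"198.51.100.9"}                                    # dynamic feed
ADMIN_WHITELIST: Set[str] = {"cdn.example.com"}                              # administrator data


@dataclass(frozen=True)
class DnsReply:
    client: str  # internal host that sent the query
    name: str    # queried name
    ip: str      # A record in the answer


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def _listed(name: str, listing: Set[str]) -> bool:
    """True if the name or any parent domain (not the bare TLD) is on the list."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in listing for i in range(len(parts) - 1))


class BotnetTrafficFilter:
    def __init__(self) -> None:
        # Reverse cache built from snooped replies: resolved IP -> names.
        # One address may serve several names, so keep a set per IP.
        self.reverse_cache: Dict[str, Set[str]] = defaultdict(set)
        self.hits: List[Tuple[Flow, str]] = []

    def snoop_dns(self, reply: DnsReply) -> None:
        self.reverse_cache[reply.ip].add(reply.name.lower().rstrip("."))

    def classify(self, flow: Flow) -> Optional[str]:
        """Return the indicator this flow matched, or None if clean or unknown."""
        names = self.reverse_cache.get(flow.dst, set())
        # Administrator whitelist wins over the dynamic blacklist.
        if any(_listed(n, ADMIN_WHITELIST) for n in names):
            return None
        for name in sorted(names):
            if _listed(name, DOMAIN_BLACKLIST):
                self.hits.append((flow, name))
                return name
        # No DNS seen for this destination: fall back to the address blacklist.
        if flow.dst in IP_BLACKLIST:
            self.hits.append((flow, flow.dst))
            return flow.dst
        return None

    def top_infected_hosts(self, n: int = 5):
        return Counter(f.src for f, _ in self.hits).most_common(n)

    def top_botnet_sites_and_ports(self, n: int = 5):
        return Counter((ind, f.dport) for f, ind in self.hits).most_common(n)


def run_demo() -> BotnetTrafficFilter:
    btf = BotnetTrafficFilter()
    for r in [  # constructed DNS replies observed by the firewall
        DnsReply("10.0.0.5", "cnc.example.net", "203.0.113.10"),
        DnsReply("10.0.0.7", "www.cnc.example.net", "203.0.113.11"),  # subdomain of a listed domain
        DnsReply("10.0.0.9", "cdn.example.com", "203.0.113.20"),      # whitelisted
        DnsReply("10.0.0.5", "news.example.com", "203.0.113.30"),     # benign
    ]:
        btf.snoop_dns(r)
    for f in [  # constructed flows observed afterwards
        Flow("10.0.0.5", "203.0.113.10", 443),
        Flow("10.0.0.5", "203.0.113.10", 8080),
        Flow("10.0.0.7", "203.0.113.11", 443),
        Flow("10.0.0.9", "203.0.113.20", 80),
        Flow("10.0.0.5", "203.0.113.30", 80),
        Flow("10.0.0.12", "198.51.100.9", 6667),  # no DNS history, hard-coded C2 address
        Flow("10.0.0.7", "203.0.113.99", 443),    # unknown destination
    ]:
        btf.classify(f)
    return btf


if __name__ == "__main__":
    demo = run_demo()
    print("Top infected hosts:", demo.top_infected_hosts())
    print("Top botnet sites and ports:", demo.top_botnet_sites_and_ports())
```

A production filter also has to expire cache entries at the reply's TTL and follow CNAME chains, and a shared-hosting address can legitimately resolve for both listed and unlisted names; that is why the whitelist check runs first and why the reports rank hosts by repeated hits rather than treating one match as proof of infection.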

Cisco IPS

Cisco IPS 7.0: Network IPS to Global IPS
• Coverage: twice the effectiveness of signature-only IPS
• Accuracy: full context analysis reduces false positives
• Timeliness: proactive coverage

Diagram: Global Threat Telemetry from three sensors (Ad Agency HQ in London, ISP Data Center in Moscow, Bank Branch in Chicago) detecting new malware, a new botnet and hacker probing at 8:00, 8:03 and 8:07 GMT is fed into Cisco SIO Global Correlation; at 8:10 GMT the Cisco IPS update is applied.

Security Intelligence Operations (SIO)

Foundation of Cisco Security – Eyes and Ears of our Threat Intelligence

Hundreds of Analysts

700,000+ Sensors Globally

8 of 10 Top Global ISPs

152 Third-party Feeds

Over 30% of the World’s Email Traffic

Cisco SensorBase – The Brain of Cisco Intelligence Operations
• Massive database of threat telemetry
• Integrated throughout Cisco products
• Decision-making based on reputation data
• 200+ parameters for reputation
• Scored from -10 to +10

Reputation inputs (diagram): URL blacklists, real-time cloud analysis, compromised host list, domain registrar information, global volume data, URL behavior, bot networks, dynamic IP addresses, URL whitelists

Cisco Security Solutions – The Nervous System

Firewalls/VPN, Secure Routing/Switching, Email/Web Security, IDS/IPS, Access Control, Secure Voice, Secure Wireless, Visibility & Management

Service Control Engine

I needed a tool that would…
• Go deeper into the packet and tell the application rather than the ports it is using
• Reference users by their IDs, not by IP addresses
• Full and comprehensive report about anything possible
• Breadth of techniques and mechanisms to influence and control traffic

Four pillars (diagram): Application recognition; User awareness; Visibility and reporting; Control

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Visibility: Prevent and Detect – Supporting Trust through Transparency

Service Control Engine and Visibility
• High-speed flow reconstruction through the Application Layer (Layer 7)
• Identify flows through the Application Layer and provide service control: block, mark, redirect, mirror, packet capture, alarm, report
• Collection of data records for reporting and extension into other systems (situational awareness)
• Rapid insertion of new protocols and applications through a custom signature interface
• Enforce policy through detailed protocol analysis tied to user awareness
• Identify anomalous network behavior
• Detailed network visibility to help identify possible covert communication channels
• Detailed network visibility to help identify means of information loss
• Identify non-approved applications


Resilience: Respond and Recover – Commanding Positive Network Control

Service Control Engine and Resilience
• Identify flows through the Application Layer and provide service control: block, mark, redirect, set QoS, alarm, report
• Ensure bandwidth availability to critical assets
• Scale from 2M concurrent flows and 200K subscribers to 16M concurrent flows and 1M subscribers
• Scalable up to 240 Gbps
• High availability


Why the SCE?

• An enterprise security posture must consider network analysis and visibility

• The SCE provides detailed visibility into every network transaction available

• Tying users to specific protocol and application transactions
• Enforcing policy on user and network transactions
• Granular policy to control bandwidth and user resources
• Ability to mirror and redirect transactions, based on policy, into additional security devices
• Extensible back-end that can be integrated with a customer's existing security analysis systems

Cisco SCE - Key Benefits

• Service Provider experience and lessons learned from complex, large-scale deployments
• Predictable performance
• Addresses asymmetric routing issues
• Protocol packs and signature editor
• Separate processors for control and management
• Hardware flow bypass and hardware fast path for delay-sensitive traffic
• Multi-packet, bi-directional signature detection
• Application-aware flow mirroring
• Packet capture facility
• Superior classification
• No performance impact from policy and reporting configurations
• Value-added-services (VAS) architecture for 3rd-party support
• Mobile 3GPP support
• System-wide management and policy control
• Network design expertise
• COTS system with the ability to feed GOTS technologies

Cisco Service Control Engine

Service Control Engine: Application recognition, Subscriber awareness, Reporting, Control

Application recognition
• Signature matching
• Heuristic matching
• Behavioral matching
• Zone matching
• URL / SIP / SMTP parameter matching
• Worm detection*
• Custom signature

Subscriber awareness
• RADIUS / DHCP parameter extraction
• LDAP and SOAP queries
• Anonymous IP-to-ID mapping
• Static user definitions

Reporting
• Reporting on multiple levels
• Application parameter reporting
• Attack / SPAM reporting
• Flow signaling

Control
• Control on multiple levels
• Support for complex policy decision trees
• Multiple actions

Service Control Engines

• Cisco offers 2 generations of SCEs:
  – SCE1010 / SCE2020 – fixed configuration, Gigabit Ethernet models
  – SCE8000 – modular configuration, Gigabit or TenGigabit Ethernet model

Common properties

• All SCE platforms share some common properties:
  – Stand-alone appliances – can be inserted into any Ethernet/IP network
  – L2-L3 transparent – no MAC / IP address on the data port
  – Data / control plane separation – data and control planes are completely separate and don't influence each other's performance
  – Dedicated hardware – the data plane is a combination of fast FPGAs and a powerful CPU, backed by lots of memory
  – IOS-like CLI – the CLI for configuring low-level properties is based on an IOS-like interpreter
  – Low latency – all platforms introduce low latency (~32 µs) and almost no jitter; the hardware fast-path is a separate hardware path for delay-sensitive traffic, ensuring very low latency (~10 µs)
  – Open APIs – for integration into OSS/BSS/Security

Platform comparison

Platform comparison (SCE1010 / SCE2020 / SCE8000)
– Data plane interfaces: 2x GE / 4x GE / Modular: 2x or 4x 10GE, 8x or 16x GE
– DPI performance: 2 Gbps / 2.8 – 3.2 Gbps / 15 Gbps or 30 Gbps
– Maximum concurrent subscribers: 40K – 200K / 80K – 200K / 250K – 1M
– Maximum open flows: 1M – 400K / 8M – 5M / 16M – 10M
– Insertion modes: Recv-only, Inline, MG-SCP / Recv-only, Inline, Cascade, MG-SCP / Recv-only, Inline, Cascade, MG-SCP

Classification
• Protocol coverage:
  – 600 protocols – 950 L7-based signatures
  – 900 protocols – port-based
• ~1200 customers, multiple geographies, multiple SP segments
• Application groups: Voice, Video, File-Sharing, File-Hosting, Gaming, News-Groups, Instant-Messaging, Web-based services, etc.
• Zero-day classification – behavioral / heuristic algorithms
• Classification engine supports customer-generated signatures
• Supports classification modifiers:
  – Zones – collection of network-side prefixes
  – Application parameters – URL, User-Agent, Calling/Called Number, Domain name, Content-type…
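Added example (not Cisco code): the gap between the two protocol counts above, port-based versus L7-signature classification, shown in Python. A port table guesses the application from the destination port; a bi-directional signature table inspects the first payload bytes in each direction (the deck's "multi-packet, bi-directional signature detection"); a byte-entropy heuristic stands in for the behavioral/heuristic bucket and flags encrypted traffic that matches nothing. The SSH-on-443 flow is the kind of covert channel an earlier slide says detailed L7 visibility exists to find. All flows are constructed, and PORT_TABLE, SIGNATURES and the function names are mine.

```python
"""Port-based vs signature-based application recognition.
Added example with constructed flows; not Cisco's classifier."""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

PORT_TABLE = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}


@dataclass(frozen=True)
class Flow:
    dport: int
    client: bytes  # first payload bytes, client -> server
    server: bytes  # first payload bytes, server -> client


# (application, client-side pattern or None, server-side pattern or None).
# Bi-directional: every pattern that is defined must match in its direction.
SIGNATURES = [
    ("http",
     re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
     re.compile(rb"^HTTP/1\.[01] \d{3} ")),
    ("ssh", re.compile(rb"^SSH-2\.0-"), re.compile(rb"^SSH-2\.0-")),
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03, 2-byte
    # length, then handshake type 0x01 (ClientHello) / 0x02 (ServerHello).
    ("tls",
     re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL),
     re.compile(rb"^\x16\x03[\x00-\x03]..\x02", re.DOTALL)),
    # SMTP: the server speaks first, so only a server-side pattern exists.
    ("smtp", None, re.compile(rb"^220 .*ESMTP")),
]


def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dport, "unknown")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_by_signature(flow: Flow) -> str:
    for app, c_re, s_re in SIGNATURES:
        if c_re is not None and not c_re.search(flow.client):
            continue
        if s_re is not None and not s_re.search(flow.server):
            continue
        return app
    # Heuristic fallback: near-8 bits/byte in the opening bytes means encrypted
    # or compressed content with no recognised handshake, i.e. an opaque tunnel.
    sample = flow.client or flow.server
    return "encrypted-unknown" if shannon_entropy(sample) > 7.5 else "unknown"


def compare_classifiers(flows: List[Flow]) -> List[Tuple[int, str, str]]:
    return [(f.dport, classify_by_port(f), classify_by_signature(f)) for f in flows]


def sample_flows() -> List[Flow]:
    """Constructed flows: the cases where port and payload disagree."""
    http_req = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    http_rsp = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    tls_client_hello = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
    tls_server_hello = b"\x16\x03\x03\x00\x05\x02\x00\x00\x01\x00"
    return [
        Flow(80, http_req, http_rsp),                                     # agree
        Flow(8080, http_req, http_rsp),                                   # HTTP on a non-standard port
        Flow(443, b"SSH-2.0-OpenSSH_9.6\r\n", b"SSH-2.0-dropbear\r\n"),  # SSH hidden on 443
        Flow(443, tls_client_hello, tls_server_hello),                    # real TLS
        Flow(443, bytes(range(256)), b""),                                # opaque, high entropy
        Flow(25, b"", b"220 mail.example.net ESMTP ready\r\n"),          # server-first protocol
    ]


if __name__ == "__main__":
    for dport, by_port, by_sig in compare_classifiers(sample_flows()):
        print(f"dport={dport:<5} port-based={by_port:<9} signature={by_sig}")
```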

Reporting
• SCE exports 30 types of Raw Data Records (RDRs):
– Link Usage RDR

– Zone RDR

– Virtual Link RDR

– Package Usage RDR

– Subscriber Usage RDR

– Real-time Subscriber Usage RDR

– Transaction RDR

– Transaction Usage RDR

– HTTP / VoIP / Video Tran. Usage RDR

– Flow RDR

– Malicious Traffic RDR

– SPAM RDR

– Quota RDR

– […]

• Depending on the type, RDRs include:
– Source / Destination IP/Port

– Timestamp, duration, volume

– Application ID

– Requested URL, User-agent, Cookie

– Delivered content type

– Called / Calling Numbers

– Video Codec and bitrate

– Filename

– P2P file hash

– Attack type

– List of email recipients

– OS type*

– […]

Control
• Policy decisions can be made based on multiple criteria:
– Application usage (all levels)

– Subscriber quota

– Priority (application or subscriber)

– Time of day

– State of attack

– Presence of other applications

• Complex policies include multiple chained rules

• Actions can be chained too*

• Once decision is made, control can be established on many levels:

– Link

– Application per link

– Subscriber group

– Subscriber total bandwidth

– Application per subscriber

– Application flow

• Connections can be:
– Allowed

– Dropped

– Policed (CIR and PIR)

– Redirected (Layer 2)

– Redirected (Layer 7, HTTP and RTMP)

– Mirrored

– Captured

SCE ecosystem

Components (diagram): Service Control Engine between Users and the Network; Subscriber and Quota Manager; AAA; Data retention; Cisco Insight; SCA-BB Console; Portal; Collection Manager; Event correlation engine

1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting and external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies
4. Cisco Insight to provide business intelligence and network trending reports

Cisco Insight

Cisco Insight – Business intelligence
• 150+ report types

• Custom dashboard

• Scheduled reports

• Email notification of reports

• Report comparison and trend analysis reports (Traffic analysis, trend studies, comparisons)

• Report export in different formats: pdf, excel, image

Cisco Insight – User privilege separation
• Operators can create many users and assign different view rights

• Restrict access based on:
– Report type
– Topology
– Object type

• Full auditing

Cisco Insight – Advanced network topology
• Objects are organized in a tree-like structure:
– Devices
– Links
– Parts of networks
– Groups of subscribers
– Subscribers

• Graphical Topology View, customizable by user

How I got to DPI?

Diagram: Internet, Data Centre, Residential, Business, Internal network. Questions asked of the network by each group:
• Operations: Stats of our network? What's causing congestion? Where?
• Security: Obvious attacks? Malicious traffic? Suspicious traffic?
• Marketing: What are subscribers doing? How do we monetize that?

Network topology tools: CDP, Route monitor, STP monitor

Performance and general awareness tools: SNMP, Netflow

Security tools: Firewalls, IPS/IDS probes, Honeypots

Protocol analyzers: Replay tools, Dissectors

Network visibility
• SNMP – statistics; Layer 2
• Netflow – statistics; Layer 3-4
• Net security – details of critical points; semantics of details; Layer 7
• Protocol analyzers – details; semantics; Layer 7

DPI – filling the visibility gap
• SNMP – statistics; Layer 2
• Netflow – statistics; Layer 3-4
• DPI – statistics and details; Layer 3-7
• Security – details of critical points; semantics of details; Layer 7
• Protocol analyzers – details; semantics; Layer 7

Cisco Insight – Advanced UI
• New easy-to-use GUI leveraging Adobe FLEX™ technology to improve usability and maximize the user experience

• Advanced graphical widgets (time sliders, tree views, dynamic selection controllers, etc.)

• Wizard-like guide through the process of report creation


