Welcome To SIO
Cisco Security Intelligence Operations
SIO AGENDA
COMPONENTS OF SIO
DIFFERENT REPUTATION FILTERS
HOW SIO IS IMPLEMENTED
WHERE SIO IS INCORPORATED
Cisco SIO is composed of three parts:
Cisco SensorBase, a comprehensive threat database;
the Threat Operations Center, with 500 security analysts; and
constant dynamic updates fed to Cisco security devices.
SensorBase includes:
More than 700,000 (and growing) globally deployed Cisco intrusion prevention system (IPS), email security, web security and firewall devices
Cisco IntelliShield, a historical threat database of 40,000 vulnerabilities and 3,300 tuned IPS signatures
More than 600 third-party threat intelligence sources, which track over 500 third-party data feeds and 100 security news feeds around the clock
More than 1,000 threat collection servers process 500 GB of data a day. The Cisco Threat Operations Center processes this global, real-time threat intelligence and incorporates it into the security services available on Cisco security devices.
Email Reputation Filtering
Cisco email security appliances retrieve reputation information in real time, as incoming messages arrive.
The appliances query DNS TXT records in SensorBase and retrieve a reputation score associated with the IP address of the sending server.
The score ranges from -10.0 for the worst email senders to +10.0 for the best. It is based on more than 200 aggregated and weighted parameters.
The appliances reject email from servers with low scores (below -3.0) and rate-limit senders with medium to low reputation scores. They can also whitelist high-reputation senders, such as IP addresses with +9.0 scores from Fortune 1000 organizations.
Because spam is so prevalent, Cisco reports that for most customers the default settings block more than 90 percent of incoming message attempts.
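As an added worked example in Python (not Cisco's code and not part of the original slides), the following models the lookup and policy just described: it builds the reverse-octet DNS query name for the sending IP, parses a TXT answer into a score, and maps the score onto reject, rate-limit, accept or whitelist. The zone name, the `score=` TXT format, the record set and the upper edge of the rate-limit band are assumptions; the -3.0 reject and +9.0 whitelist thresholds are the ones given in the slide.

```python
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Assumed DNS zone for reputation lookups; the real query domain and TXT
# format are not given on this page, so both are illustrative.
REPUTATION_ZONE = "reputation.example.invalid"

# Policy thresholds. The reject (-3.0) and whitelist (+9.0) values are the
# ones quoted in the slide; the upper edge of the rate-limit band is an
# assumption, since the text only says "medium to low" scores are throttled.
REJECT_BELOW = -3.0
THROTTLE_BELOW = 1.0
WHITELIST_AT_OR_ABOVE = 9.0

# Constructed stand-in for the SensorBase TXT records (query name -> TXT).
SAMPLE_TXT_RECORDS: Dict[str, str] = {
    "4.3.2.1.reputation.example.invalid": "score=-7.5",       # known spam source
    "10.113.0.203.reputation.example.invalid": "score=-1.2",  # shaky sender
    "7.100.51.198.reputation.example.invalid": "score=4.4",   # ordinary sender
    "1.2.0.192.reputation.example.invalid": "score=9.6",      # trusted bulk sender
    "9.2.0.192.reputation.example.invalid": "score=42",       # corrupt answer
}

_SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?)")


def query_name(ip: str, zone: str = REPUTATION_ZONE) -> str:
    """Build the DNSBL-style name: octets reversed, then the zone.

    Validating through ipaddress rejects garbage before it reaches a resolver.
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything else
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def parse_score(txt: Optional[str]) -> Optional[float]:
    """Extract the score from a TXT answer; None means 'no usable reputation'."""
    if txt is None:
        return None
    match = _SCORE_RE.search(txt)
    if match is None:
        return None
    score = float(match.group(1))
    # Anything outside the documented -10.0..+10.0 range is treated as unknown
    # rather than trusted: a corrupt or spoofed answer must not whitelist anyone.
    if not -10.0 <= score <= 10.0:
        return None
    return score


def lookup_score(ip: str, records: Dict[str, str] = SAMPLE_TXT_RECORDS) -> Optional[float]:
    """Simulate the real-time TXT query against the constructed record set."""
    return parse_score(records.get(query_name(ip)))


def decide(score: Optional[float]) -> str:
    """Map a reputation score onto the appliance action described in the slide."""
    if score is None:
        return "ACCEPT"       # no reputation: let anti-spam/content scanning decide
    if score < REJECT_BELOW:
        return "REJECT"       # connection refused, no message body accepted
    if score < THROTTLE_BELOW:
        return "THROTTLE"     # rate-limit the sender
    if score >= WHITELIST_AT_OR_ABOVE:
        return "WHITELIST"    # bypass further spam scanning
    return "ACCEPT"


def classify_sender(ip: str, records: Dict[str, str] = SAMPLE_TXT_RECORDS) -> Tuple[Optional[float], str]:
    """Look up one sending IP and return (score, action)."""
    score = lookup_score(ip, records)
    return score, decide(score)


if __name__ == "__main__":
    for sender in ["1.2.3.4", "203.0.113.10", "198.51.100.7",
                   "192.0.2.1", "192.0.2.9", "192.0.2.250"]:
        print(sender, classify_sender(sender))
```

Two checks are worth noting: the query name is only derived after the address validates as IPv4, and a TXT answer outside the documented -10.0..+10.0 range is treated as "no reputation" rather than trusted, so a corrupt answer cannot push a sender into the whitelist band. A score of exactly -3.0 is throttled, not rejected, matching "below -3.0" in the text.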
Web Reputation Filtering
Cisco web security appliances connect to Cisco SIO every five minutes for database updates. These rulesets contain lists of compromised web hosts as well as information about infected URLs and pages.
Rapid, granular scanning of each object on a requested webpage, rather than just the URL and the initial HTML request, significantly reduces the chance of infection.
The appliances dynamically calculate the risk of each web request and response using reputation data, blocking high-risk transactions to safeguard users from attacks such as malicious IFrame injection and cross-site scripting.
Web reputation filtering is used in conjunction with signature- and behavior-based scanners to provide faster and stronger multi-layered web protection.
IPS Reputation Filtering
Cisco intrusion prevention systems connect to Cisco SIO every 30 minutes and retrieve updated reputation data. The reputation is built from parameters such as whether the IP address is a Dynamic Host Configuration Protocol (DHCP) address, whether it has a Domain Name System (DNS) entry, and how often that information changes.
For example, the IPS sensor may detect an event that is often, but not always, associated with malicious activity. Without Global Correlation, the sensor sends an alert about the activity but takes no action on the network traffic.
With Global Correlation, the sensor can consult historical data on the source of the traffic. If the source's reputation is low, the sensor can take direct action and block the potential attack, with far less risk of blocking valid traffic than acting on the ambiguous event alone.
The sensor can also use reputation data to pre-filter traffic from sources with extremely low reputations, saving processing power for the deeper inspection of the remaining traffic.
Layer 4 Traffic Monitor
Cisco Web Security Appliances include a Layer 4 Traffic Monitor in addition to web reputation filters and multiple malware scanning engines, which detect website malware activity. It scans all ports at wire speed, detecting and blocking spyware phone-home activity. By tracking all 65,535 network ports at the network data center, the Layer 4 Traffic Monitor stops malware that attempts to proliferate through the network.
In addition, the Layer 4 Traffic Monitor can dynamically add the IP addresses of known malware domains to its list of ports and IP addresses to detect and block.
Using this dynamic discovery capability, the Layer 4 Traffic Monitor can follow the movement of malware in real time, even as the malware host tries to avoid detection by migrating from one IP address to another.
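The dynamic-discovery behaviour above, as an added example in Python (not the appliance's own code; the domain names, addresses and connection records are constructed): a block list seeded with known malware IPs, grown from the DNS answers of known malware domains, and checked against every connection regardless of destination port.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Conn:
    """One observed connection (constructed sample records below)."""
    src: str
    dst: str
    dport: int
    proto: str


class L4TrafficMonitor:
    """Port-agnostic phone-home detector with a dynamically grown block list."""

    def __init__(self, seed_ips: Iterable[str] = (), malware_domains: Iterable[str] = ()):
        self.blocked_ips: Set[str] = set(seed_ips)
        self.malware_domains: Set[str] = {d.lower().rstrip(".") for d in malware_domains}
        # Remember what brought each address in, so the verdict can say why.
        self.ip_origin: Dict[str, str] = {ip: "seed-list" for ip in self.blocked_ips}

    def observe_dns_answer(self, domain: str, answers: Iterable[str]) -> List[str]:
        """Dynamic discovery: when a known malware domain resolves, block what it resolves to.

        Returns the addresses newly added, so a caller can log the migration.
        """
        name = domain.lower().rstrip(".")
        if name not in self.malware_domains:
            return []
        added: List[str] = []
        for ip in answers:
            if ip not in self.blocked_ips:
                self.blocked_ips.add(ip)
                self.ip_origin[ip] = name
                added.append(ip)
        return added

    def evaluate(self, conn: Conn) -> Tuple[str, str]:
        """Return ("block", reason) or ("allow", "") for a connection on any port."""
        # No port check on purpose: the monitor watches all ports, so moving the
        # beacon from 80/443 to some high port does not escape it.
        if conn.dst in self.blocked_ips:
            return "block", self.ip_origin[conn.dst]
        return "allow", ""


def run_sample() -> List[Tuple[str, str, str]]:
    """Replay a constructed sequence of DNS answers and connections."""
    mon = L4TrafficMonitor(seed_ips=["203.0.113.99"], malware_domains={"c2.bad.example"})
    verdicts: List[Tuple[str, str, str]] = []

    def check(conn: Conn) -> None:
        action, reason = mon.evaluate(conn)
        verdicts.append((f"{conn.dst}:{conn.dport}/{conn.proto}", action, reason))

    # Beacon to a seeded address on a non-web port.
    check(Conn("10.0.0.5", "203.0.113.99", 8080, "tcp"))
    # The C2 domain resolves; its address is learned and blocked.
    mon.observe_dns_answer("c2.bad.example", ["198.51.100.77"])
    check(Conn("10.0.0.6", "198.51.100.77", 5353, "udp"))
    # The host migrates to a new address; the next resolution follows it.
    mon.observe_dns_answer("c2.bad.example", ["192.0.2.200"])
    check(Conn("10.0.0.6", "192.0.2.200", 443, "tcp"))
    # An unrelated domain and destination are left alone.
    mon.observe_dns_answer("www.example", ["192.0.2.11"])
    check(Conn("10.0.0.7", "192.0.2.11", 443, "tcp"))
    return verdicts


if __name__ == "__main__":
    for line in run_sample():
        print(*line)
```

One caveat a deployment has to handle: blocking every address a malware domain resolves to will also block legitimate traffic when that domain sits on shared hosting or a CDN, so entries learned this way should carry an expiry and be reviewed, rather than accumulating forever.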
Global Correlation on Cisco IPS
Cisco SIO produces reputation scores for various traffic sources (networks) and then downloads the scores to Cisco IPS sensors that have been configured to receive them. These scores form the basis of the Cisco IPS Global Correlation feature.
Bad traffic denied by a Cisco IPS sensor therefore falls into three categories:
Global Correlation Reputation Filtering: based on reputation alone. The flow is not passed to the traditional inspection engines.
Global Correlation Inspection: based on a combination of traditional inspection and network reputation information. The risk rating mechanism combines the two threat signals.
Traditional IPS Detection: based on traditional inspection techniques, including protocol decoding engines, signature-based inspection, and anomaly detection via statistical analysis of network traffic. In this case, network reputation information for the traffic flow is either not available or does not affect the verdict.
Besides collecting data from network security devices, SensorBase also collects raw data from some 600 third-party news and data feeds; this includes DNS registry information and global public blacklists and whitelists.
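An added Python model of the three categories (example code, not Cisco's implementation). The reputation table, the pre-filter threshold, the five-points-per-reputation-point risk-rating adjustment and the deny threshold of 90 are all assumptions chosen to show the decision flow; the slides give no numeric values for the IPS side.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# All numeric values here are assumptions for illustration; the page gives
# none for the IPS. Reputation is taken as a negative number, worse = lower.
PREFILTER_AT_OR_BELOW = -8.0   # "extremely low" reputation: drop before inspection
RR_POINTS_PER_REP_POINT = 5    # how strongly reputation raises the risk rating
DENY_RR_THRESHOLD = 90         # risk rating at or above which the flow is denied
MAX_RR = 100

# Constructed reputation table as downloaded from SIO, keyed by source IP.
# Sources absent from the table have no reputation data.
REPUTATION: Dict[str, float] = {
    "203.0.113.5": -9.5,
    "198.51.100.20": -4.0,
    "192.0.2.41": -1.0,
    "192.0.2.42": -4.0,
}


@dataclass(frozen=True)
class Flow:
    src: str
    signature_rr: Optional[int]  # base risk rating of a matched signature, or None


def reputation_adjustment(reputation: Optional[float]) -> int:
    """Assumed mapping from reputation to extra risk-rating points."""
    if reputation is None or reputation >= 0:
        return 0
    return int(round(-reputation * RR_POINTS_PER_REP_POINT))


def adjusted_risk_rating(base_rr: int, reputation: Optional[float]) -> int:
    """Combine the inspection signal with the reputation signal, capped at MAX_RR."""
    return min(MAX_RR, base_rr + reputation_adjustment(reputation))


def evaluate(flow: Flow, reputation: Dict[str, float] = REPUTATION) -> Tuple[str, str]:
    """Return (action, category): action is deny, alert or allow."""
    rep = reputation.get(flow.src)

    # Category 1: reputation filtering. Decided on reputation alone; the flow
    # never reaches the inspection engines, which is also where the CPU saving comes from.
    if rep is not None and rep <= PREFILTER_AT_OR_BELOW:
        return "deny", "reputation-filtering"

    if flow.signature_rr is None:
        return "allow", "none"          # nothing fired, nothing to act on

    base = flow.signature_rr
    final = adjusted_risk_rating(base, rep)
    reputation_contributed = final != base

    if final >= DENY_RR_THRESHOLD:
        # Category 3 if inspection alone crossed the line, category 2 if the
        # reputation bump is what pushed an ambiguous event over it.
        if base >= DENY_RR_THRESHOLD:
            return "deny", "traditional-inspection"
        return "deny", "global-correlation-inspection"

    # Below the threshold the sensor only alerts and the traffic is untouched.
    return "alert", ("global-correlation-inspection" if reputation_contributed
                     else "traditional-inspection")


if __name__ == "__main__":
    samples = [
        Flow("203.0.113.5", 30),      # terrible reputation, dropped unseen by inspection
        Flow("198.51.100.20", 75),    # ambiguous event + bad source -> denied
        Flow("192.0.2.40", 95),       # no reputation, signature alone is decisive
        Flow("192.0.2.41", 60),       # mildly bad source, still only an alert
        Flow("192.0.2.42", None),     # bad-ish source but nothing fired -> allowed
    ]
    for f in samples:
        print(f.src, f.signature_rr, evaluate(f))
```

The ambiguous-event case from the slides is the second sample: a 75-point signature that on its own only alerts becomes a deny once the source's reputation is folded into the risk rating, while the same signature from a source with no reputation data stays an alert.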
Threat Operations Center
The operations arm of Cisco SIO is a combination of people and automated algorithms that process Cisco SensorBase data in real time. These teams create machine-generated and manually generated rules for protection against new and dynamic threats, producing 95% of the rules that Cisco's network security devices use.
Rules are published to Cisco products in the form of automated rule and signature updates; they are also published to customers through alerts and bulletins.
The Threat Operations Center consists of:
Applied Security Research (ASR): looks for vulnerabilities in key technology areas and provides threat indications and analysis to customers.
Cisco IPS Signature Team: researches exploits and writes vulnerability- and exploit-specific signatures for the IPS product lines.
Cisco IronPort Email and Web Threat Research Teams: provide the latest protection for SMTP- and web-based attacks.
Cisco Malware Research Lab: a centralized malware lab focused on researching the latest malicious activity.
Cisco Product Security Incident Response Team (PSIRT): evaluates and works across Cisco to mitigate vulnerabilities reported in Cisco products.
Strategic Assessment Technology Team (STAT): advanced, area-specific security research and product vulnerability testing.
Infrastructure Security Research & Development (ISRD): a research-oriented, business-enablement function that maintains strong security expertise and creates security solutions for customers in emerging industries and infrastructures.
Remote Management Services (RMS): provides 24x7x365 remote monitoring and management of Cisco security devices deployed on the customer's network.
IntelliShield Security Analysts: collect, research, and provide information about security events that have the potential for widespread impact on customer networks, applications, and devices.
Dynamic Updates
Cisco SIO's dynamic updates deliver current and complete security information to Cisco customers and devices. Threat mitigation data is provided through:
Automatic rule updates for Cisco products, such as firewall, web, IPS and email devices, delivered every 3 to 5 minutes
Cisco IntelliShield Alert Manager Service
Security best-practice recommendations and community outreach services
Dynamic Updates is the communication hub responsible for streaming updates to Cisco devices and customers. It has two major parts: one generates real-time updates that are delivered automatically to security devices; the other helps customers track and analyse threats to improve their overall security posture.
Examples of the other forms of Cisco security intelligence include:
Cisco IntelliShield Alerts, including Malicious Code Alerts, Security Activity Bulletins, Security Issue Alerts, Threat Outbreak Alerts, and Geopolitical Security Reports
Cisco Annual Security Reports
Cisco PSIRT Security Advisories and Security Responses
Applied Mitigation Bulletins
Cyber Risk Reports
Security Intelligence Best Practices
Service Provider Security Best Practices
Cisco IPS Active Update Bulletins
IntelliShield Event Responses
Cisco IronPort Virus Outbreak Reports
Advanced Cisco SIO protection is available on the following Cisco products:
Cisco Adaptive Security Appliances
Cisco IronPort Email Security Appliances, Hosted Email Security, and Hybrid Hosted Email Security
Cisco IronPort Web Security Appliances
Cisco Intrusion Prevention Systems
Cisco Integrated Services Modules
Cisco IntelliShield Alert Services
These devices and hosted services are licensed with one or more security filters powered by Cisco SIO, including:
Cisco IronPort Virus Outbreak Filters
Cisco IronPort Anti-Spam
Cisco IronPort Email Reputation Filters
Cisco IronPort Web Reputation Filters
Cisco IPS Reputation and Signature Filters
Cisco Firewall Botnet Traffic Filters
2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Thank You
By Prem Kumar Viswanathan