Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified
Consulting Systems Engineer, Cyber Security, Denmark
Leveraging the network to detect and control threats
Network as a Sensor & Enforcer Tech Update
StealthWatch for Visibility, Context, and Control
Your Network Is Your Sensor: use network data to extend visibility to the access layer.
Context: enrich the flow data with identity, events, proxy, and application to create context (WHO, WHAT, WHERE, WHEN, HOW) for accelerated detection, investigation and response.

The Stealthwatch System Components
[Diagram: NetFlow-enabled infrastructure (internal network routers and switches, firewall, proxy server, devices) sending NetFlow, syslog and SNMP; UDP Director; Flow Collector; Flow Sensor; Stealthwatch Management Console; web proxies; Cisco ISE (user and device information); feeds of emerging threat information; identity and context]
Conversational Flow Record
• Highly scalable (enterprise class) collection
• High compression => long term storage
• Months of data retention
[Diagram: flow record context: When, Who, Where, What, Who, Security Group, More Context]
Leverage the Network: Detect and Control Threats
[Diagram: Network Sensors (Network Sensor (Lancope), Campus/DC Switches/WLC, Cisco Routers / 3rd Vendor Devices) and Network Enforcers (TrustSec Software-Defined Segmentation, NGIPS, NGFW) connected through Policy & Context Sharing (pxGrid, ISE); Cisco Collective Security Intelligence; Threat; Confidential Data]
ISE Provides Device Visibility via Profiling
Integrated Profiling: Visibility in Scale. Network infrastructure provides the local sensing function.
Device Feed: Identity in Scale. Manufacturers and ecosystem provide constant updates for new devices.
Active Endpoint Scanning: Enhanced Accuracy. Cisco® ISE augments passive network insight with active endpoint data.
Cisco ISE profiling data sources: CDP/LLDP, DHCP, RADIUS, DNS, SNMP, NetFlow, HTTP, NMAP, Device Feed*, Cisco Device Sensor (Network Based)
Profiler Design Guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-30-ISE_Profiling_Design_Guide.pdf
Visibility through NetFlow
[Diagram: packets from 10.1.8.3 to 172.168.134.2 across the Internet; routers and switches export the flow information]

Flow Information
SOURCE ADDRESS       10.1.8.3
DESTINATION ADDRESS  172.168.134.2
SOURCE PORT          47321
DESTINATION PORT     443
INTERFACE            Gi0/0/0
IP TOS               0x00
IP PROTOCOL          6
NEXT HOP             172.168.25.1
TCP FLAGS            0x1A
SOURCE SGT           100
...
APPLICATION NAME     NBAR SECURE-HTTP

NetFlow provides
• Trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurement
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to SPAN based traffic analysis
• Indications of Compromise (IOC)
• Security Group Information
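As an added example (not part of the original slides), a Python parser for a NetFlow v5 export datagram that decodes the fields listed above. The datagram is constructed inline, the sample values are assumptions, and note that v5 carries neither the SGT nor the NBAR application name (those need Flexible NetFlow v9/IPFIX templates). The TCP flags byte is the OR of all flags seen in the flow, so the slide's 0x1A decodes as SYN+PSH+ACK.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 export layout: a 24-byte header followed by 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def decode_tcp_flags(bits):
    """The tcp_flags byte is the OR of every flag seen in the flow, not one packet's flags."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if bits & bit]

def parse_netflow_v5(datagram):
    """Return one dict per flow record, keyed like the fields on the slide."""
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={version})")
    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, _first, _last, sport, dport,
         _pad, flags, proto, tos, *_rest) = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "next_hop": str(IPv4Address(nexthop)),
            "in_ifindex": in_if, "out_ifindex": out_if,  # SNMP ifIndex, not the Gi0/0/0 name
            "packets": pkts, "bytes": octets, "sport": sport, "dport": dport,
            "proto": proto, "tos": tos, "tcp_flags": decode_tcp_flags(flags),
        })
    return flows

def build_sample_datagram(records):
    """Constructed test input: pack dicts into a v5 datagram (not a capture from a real router)."""
    body = b"".join(
        RECORD.pack(IPv4Address(r["src"]).packed, IPv4Address(r["dst"]).packed,
                    IPv4Address(r["next_hop"]).packed, r["in_if"], 0, r["packets"], r["bytes"],
                    0, 1000, r["sport"], r["dport"], 0, r["flags"], r["proto"], r["tos"],
                    0, 0, 24, 24, 0)
        for r in records)
    return HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body

# Constructed sample mirroring the slide's record: 10.1.8.3:47321 -> 172.168.134.2:443, flags 0x1A.
SAMPLE = build_sample_datagram([
    dict(src="10.1.8.3", dst="172.168.134.2", next_hop="172.168.25.1", in_if=1,
         packets=12, bytes=4210, sport=47321, dport=443, flags=0x1A, proto=6, tos=0x00),
])

if __name__ == "__main__":
    for flow in parse_netflow_v5(SAMPLE):
        print(flow)
```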
Network as a Sensor: Lancope StealthWatch
Real-time visibility at all network layers
• Data Intelligence throughout network
• Assets discovery
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response
[Diagram: NetFlow from the network to StealthWatch; Context Information and Mitigation Action exchanged with Cisco ISE over pxGrid; access list shown on the network:]
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
Network as an Enforcer: Software-Defined Segmentation with TrustSec
Traditional Security Policy vs. TrustSec Security Policy
• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy
[Diagram: Network Fabric: Switch, Router, DC FW, DC Switch, Wireless; flexible and scalable policy enforcement]
TrustSec Common Deployment Scenarios
User to Data Center Access Control
• Context-based access control
• Compliance requirements: PCI, HIPAA, export controlled information
• Merger & acquisition integration, divestments
Data Center Segmentation
• Server zoning & micro-segmentation
• Production vs. Development server segmentation
• Compliance requirements: PCI, HIPAA
• Firewall rule automation
Campus and Branch Segmentation
• Line of business segregation
• PCI, HIPAA and other compliance regulations
• Malware propagation control/quarantine
Behavioral and Anomaly Detection Model: Behavioral Algorithms Are Applied to Build "Security Events"
Collect and analyze flows -> Security Events (94+) -> Alarm Category -> Response
Security Events (94+): Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK**, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, ..., ICMP Flood, ..., Max Flows Initiated, Max Flows Served, ..., Suspect Long Flow, Suspect UDP Activity, SYN Flood, ...
Alarm Category: Concern, Exfiltration, C&C, Recon, Data Hoarding, Exploitation, DDoS Target
Response: Alarm Table, Host Snapshot, Syslog / SIEM, Mitigation
Integrated Threat Defense (Detection & Containment)
[Diagram: Employee, Employee and Supplier endpoints on the network fabric; Shared Server, Server, High Risk Segment, Internet; Quarantine segment]
Lancope StealthWatch event:
Event: TCP SYN Scan
Source IP: 10.4.51.5
Role: Supplier
Response: Quarantine
ISE: Change Authorization -> Quarantine
Demo
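An added example (not Stealthwatch's or ISE's code) of the detection-to-containment chain on the two slides above: an Addr_Scan/tcp security event is built from flow records, mapped to the Recon alarm category, and mapped to the Quarantine response for the Supplier role. The flow records, the threshold, the role names and the change-of-authorization structure are constructed assumptions.

```python
from collections import defaultdict

SYN_ONLY = 0x02  # cumulative TCP flags of a flow that never got past the SYN

# Constructed conversational flow records (not Stealthwatch output). 10.4.51.5, tagged with the
# "Supplier" role, opens SYN-only flows to 40 distinct hosts; 10.4.20.7 is ordinary HTTPS traffic.
FLOWS = [
    {"src": "10.4.51.5", "dst": f"10.4.60.{h}", "dport": 445, "proto": 6,
     "tcp_flags": SYN_ONLY, "src_role": "Supplier"}
    for h in range(1, 41)
] + [
    {"src": "10.4.20.7", "dst": "10.4.60.10", "dport": 443, "proto": 6,
     "tcp_flags": 0x1A, "src_role": "Employee"},
    {"src": "10.4.20.7", "dst": "10.4.60.11", "dport": 443, "proto": 6,
     "tcp_flags": 0x1A, "src_role": "Employee"},
]

# Security event -> alarm category, and (category, role) -> response, as on the slides.
ALARM_CATEGORY = {"Addr_Scan/tcp": "Recon"}
RESPONSE_POLICY = {("Recon", "Supplier"): "Quarantine"}
DEFAULT_RESPONSE = "Alarm Table"

def detect_addr_scan_tcp(flows, min_targets=25):
    """Addr_Scan/tcp: one source opening SYN-only TCP flows to many distinct destination hosts."""
    targets, role = defaultdict(set), {}
    for f in flows:
        if f["proto"] == 6 and f["tcp_flags"] == SYN_ONLY:
            targets[f["src"]].add(f["dst"])
            role[f["src"]] = f["src_role"]
    return [{"event": "Addr_Scan/tcp", "source_ip": src, "role": role[src], "targets": len(hosts)}
            for src, hosts in targets.items() if len(hosts) >= min_targets]

def build_response(event):
    """Map the event to its alarm category and to the response configured for that role."""
    category = ALARM_CATEGORY[event["event"]]
    response = RESPONSE_POLICY.get((category, event["role"]), DEFAULT_RESPONSE)
    action = dict(event, alarm_category=category, response=response)
    if response == "Quarantine":
        # Hypothetical change-of-authorization request handed to ISE; no real API call is made.
        action["ise_change_authorization"] = {"endpoint": event["source_ip"], "policy": "Quarantine"}
    return action

def run(flows):
    """Full chain: flows -> security events -> alarm category -> response."""
    return [build_response(e) for e in detect_addr_scan_tcp(flows)]
```

Running `run(FLOWS)` yields one action for 10.4.51.5 with alarm category Recon and response Quarantine; the Employee host never appears because its flows completed the handshake.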
Network as a Sensor and Enforcer Summary
• TrustSec provides software defined (micro) segmentation
• NetFlow and Lancope StealthWatch provide visibility and intelligence
• The network is a key asset for threat detection and control

Read and learn during the break
www.cisco.com/go/networksecurity
www.cisco.com/go/ISE
www.cisco.com/go/TrustSec
www.cisco.com/go/ctd