Network as a Sensor & Enforcer Tech Update - Cisco

Leveraging the network to detect and control threats

Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified, Consulting Systems Engineer, Cyber Security, Denmark

15 pages

Jun 06, 2020

Transcript
Page 1:

Network as a Sensor & Enforcer Tech Update

Leveraging the network to detect and control threats

Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified
Consulting Systems Engineer, Cyber Security, Denmark

Page 2:

StealthWatch for Visibility, Context, and Control

Your Network Is Your Sensor: use network data to extend visibility to the access layer. Sources shown: Internal Network, Identity, Routers and Switches, Firewall, Proxy Server, Devices.

Context: enrich the flow data with identity, events, proxy, and application to create context (WHO, WHAT, WHERE, WHEN, HOW) for accelerated detection, investigation and response.

Page 3:

The Stealthwatch System Components

• Stealthwatch Management Console
• UDP Director
• Flow Collector: receives NetFlow, syslog and SNMP from the NetFlow-enabled infrastructure
• Flow Sensor
• Web Proxies
• User and Device Information: Cisco ISE
• Feeds of emerging threat information (www)

Page 4:

Conversational Flow Record

• Highly scalable (enterprise class) collection
• High compression => long term storage
• Months of data retention

Record fields: When, Who (both ends of the conversation), Where, What, Security Group, More Context
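The conversational record above is built by the collector, not exported by the router: each exporter sends unidirectional records, several exporters on the path see the same session, and the collector has to de-duplicate and stitch both directions into one record before it can attach identity and Security Group context. The following Python is an added example of that step, not code from the presentation or from Lancope/Cisco; the record layout, the sample flows, the identity table and the client-selection heuristic are constructed here for illustration.

```python
"""Stitch unidirectional NetFlow records into conversational (bidirectional)
flow records and enrich them with identity and Security Group context.

Added example (not code from the original Cisco/Lancope presentation). The
record layout, the sample flows and the context table are constructed here
to illustrate the idea; real StealthWatch records carry more fields.
"""
from collections import defaultdict

# Constructed unidirectional records, as a collector would receive them from
# two exporters (a switch and a router) for one TCP session. Fields are a
# subset of a Flexible NetFlow record: time in seconds, addresses, ports,
# protocol, packet/byte counts and the cumulative TCP flag byte.
UNIDIRECTIONAL = [
    {"start": 1000, "end": 1012, "src": "10.1.8.3", "sport": 47321,
     "dst": "172.168.134.2", "dport": 443, "proto": 6, "pkts": 42,
     "bytes": 5_100, "flags": 0x1A, "exporter": "switch-a"},
    {"start": 1000, "end": 1012, "src": "172.168.134.2", "sport": 443,
     "dst": "10.1.8.3", "dport": 47321, "proto": 6, "pkts": 58,
     "bytes": 71_400, "flags": 0x1A, "exporter": "router-edge"},
    # The same direction seen again by a second exporter on the path:
    # it must be de-duplicated, not double counted.
    {"start": 1000, "end": 1012, "src": "10.1.8.3", "sport": 47321,
     "dst": "172.168.134.2", "dport": 443, "proto": 6, "pkts": 42,
     "bytes": 5_100, "flags": 0x1A, "exporter": "router-edge"},
]

# Constructed identity / Security Group context, as ISE would publish it.
CONTEXT = {
    "10.1.8.3": {"user": "alice", "device": "Windows-Workstation", "sgt": 100},
}


def _key(r):
    """Direction-independent 5-tuple key: sort the two endpoints so both
    directions of one conversation map to the same key."""
    a = (r["src"], r["sport"])
    b = (r["dst"], r["dport"])
    return (r["proto"],) + tuple(sorted([a, b]))


def stitch(records):
    """Return one conversational record per 5-tuple.

    The client is taken to be the endpoint with the higher (ephemeral) port,
    a heuristic assumed here; a real collector uses flow start order and the
    SYN flag. Duplicate records from several exporters for the same
    direction are counted once.
    """
    by_key = defaultdict(dict)
    for r in records:
        direction = (r["src"], r["sport"], r["dst"], r["dport"])
        by_key[_key(r)].setdefault(direction, r)   # drop exporter duplicates
    conversations = []
    for key, dirs in by_key.items():
        proto, ep1, ep2 = key
        client, server = (ep1, ep2) if ep1[1] > ep2[1] else (ep2, ep1)
        conv = {"proto": proto, "client": client[0], "client_port": client[1],
                "server": server[0], "server_port": server[1],
                "start": min(r["start"] for r in dirs.values()),
                "end": max(r["end"] for r in dirs.values()),
                "client_bytes": 0, "server_bytes": 0, "flags": 0}
        for (src, _sport, _dst, _dport), r in dirs.items():
            if src == conv["client"]:
                conv["client_bytes"] += r["bytes"]
            else:
                conv["server_bytes"] += r["bytes"]
            conv["flags"] |= r["flags"]
        conv["duration"] = conv["end"] - conv["start"]
        conversations.append(conv)
    return conversations


def enrich(conv, context=CONTEXT):
    """Attach who / security group context for the client endpoint (the
    'More Context' columns on the slide). Unknown hosts get None."""
    ctx = context.get(conv["client"], {})
    return {**conv, "user": ctx.get("user"), "device": ctx.get("device"),
            "client_sgt": ctx.get("sgt")}


if __name__ == "__main__":
    for c in stitch(UNIDIRECTIONAL):
        print(enrich(c))
```

The point to take from the de-duplication step: if the collector does not key on the 5-tuple and exporter, a host seen by three NetFlow exporters looks like it moved three times the traffic, which skews every volume-based alarm downstream.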

Page 5:

Leverage the Network: Detect and Control Threats

[Diagram] Network Sensors: Network Sensor (Lancope), Campus/DC Switches/WLC, Cisco Routers / 3rd Vendor Devices. Network Enforcers: TrustSec Software-Defined Segmentation, NGIPS, NGFW. Policy & Context Sharing between sensors and enforcers runs over pxGrid through ISE, fed by Cisco Collective Security Intelligence. Other labels: Threat, Confidential Data.

Page 6:

ISE Provides Device Visibility via Profiling and Active Endpoint Scanning

Integrated Profiling: Visibility in Scale. The network infrastructure provides the local sensing function (Cisco Device Sensor, network based).

Device Feed: Identity in Scale. Manufacturers and the ecosystem provide constant updates for new devices.

Active Scanning: Enhanced Accuracy. Cisco® ISE augments passive network insight with active endpoint data.

Probe sources feeding Cisco ISE: CDP/LLDP, DHCP, RADIUS, DNS, SNMP, NetFlow, HTTP, NMAP, Device Feed*

Profiler Design Guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-30-ISE_Profiling_Design_Guide.pdf
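The slide's claim that active scanning gives "enhanced accuracy" is best seen in the scoring model: ISE Profiler assigns each matching condition a certainty factor and a profile only matches once the sum reaches its minimum certainty, so a single passive attribute such as a DHCP class identifier, which any host can spoof, should never be enough on its own. The following Python is an added example of that model, not ISE's code or its shipped profile library; the profiles, certainty values, OUIs and probe data are constructed here for illustration.

```python
"""Profile a device from passive probes plus an active scan using a
certainty-factor model like the one ISE Profiler uses: each matching
condition adds certainty to a profile, and a profile matches once its
total reaches the profile's minimum certainty.

Added example, not ISE's code or its real policy set: the profile
conditions, certainty values and the probe data are constructed here.
"""

# Constructed profile library. Each condition is (attribute, predicate, certainty).
PROFILES = {
    "Cisco-IP-Phone": {
        "min_certainty": 30,
        "conditions": [
            ("oui", lambda v: v == "00:1B:D4", 10),                          # MAC OUI via RADIUS/DHCP
            ("cdp_platform", lambda v: v.startswith("Cisco IP Phone"), 20),  # CDP probe
            ("dhcp_class_id", lambda v: "IP Phone" in v, 20),                # DHCP option 60
        ],
    },
    "Windows-Workstation": {
        "min_certainty": 30,
        "conditions": [
            ("dhcp_class_id", lambda v: v == "MSFT 5.0", 10),                # spoofable, low weight
            ("dhcp_param_list", lambda v: v.startswith("1,15,3,6,44,46,47"), 20),
            ("nmap_os", lambda v: v.startswith("Microsoft Windows"), 30),    # active NMAP scan
        ],
    },
    "Printer": {
        "min_certainty": 30,
        "conditions": [
            ("snmp_sysdescr", lambda v: "JetDirect" in v, 30),
            ("nmap_open_ports", lambda v: 9100 in v, 20),
        ],
    },
}


def score(endpoint, profiles=PROFILES):
    """Sum the certainty of every matching condition per profile and return
    {profile: certainty} for the profiles that reach their minimum."""
    result = {}
    for name, p in profiles.items():
        total = 0
        for attr, pred, cf in p["conditions"]:
            value = endpoint.get(attr)
            if value is not None and pred(value):
                total += cf
        if total >= p["min_certainty"]:
            result[name] = total
    return result


def classify(endpoint, profiles=PROFILES):
    """Pick the highest-certainty matching profile, or ('Unknown', 0)."""
    matches = score(endpoint, profiles)
    if not matches:
        return "Unknown", 0
    best = max(matches, key=matches.get)
    return best, matches[best]


# Constructed probe data for one endpoint. Passive data alone (DHCP class
# identifier) is ambiguous: "MSFT 5.0" is sent by many Windows versions and
# is trivially spoofed, so it carries low certainty and does not reach the
# minimum by itself.
PASSIVE_ONLY = {"oui": "3C:52:82", "dhcp_class_id": "MSFT 5.0"}
# The same endpoint after an NMAP OS scan (ISE "active endpoint scanning").
WITH_ACTIVE = {**PASSIVE_ONLY, "nmap_os": "Microsoft Windows 10"}

if __name__ == "__main__":
    print(classify(PASSIVE_ONLY))
    print(classify(WITH_ACTIVE))
```

The practical consequence for an authorization policy keyed on profile (for example "IP-Phone gets the voice VLAN"): tune the certainty so that a profile cannot be reached from attributes the endpoint itself supplies (DHCP, HTTP user agent) alone; require a network-sourced attribute (CDP/LLDP, SNMP, NMAP) to push it over the minimum.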

Page 7:

Visibility through NetFlow

Example flow: 10.1.8.3 -> 172.168.134.2 (Internet). Routers and switches export Flow Information about the packets:

SOURCE ADDRESS: 10.1.8.3
DESTINATION ADDRESS: 172.168.134.2
SOURCE PORT: 47321
DESTINATION PORT: 443
INTERFACE: Gi0/0/0
IP TOS: 0x00
IP PROTOCOL: 6
NEXT HOP: 172.168.25.1
TCP FLAGS: 0x1A
SOURCE SGT: 100
: :
APPLICATION NAME: NBAR SECURE-HTTP

NetFlow provides
• A trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurement
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to SPAN based traffic analysis
• Indicators of Compromise (IoC)
• Security Group information
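To see what the collector actually receives, here is an added Python example (not code from the presentation) that parses a NetFlow v5 export datagram into the fields listed on the slide and decodes the TCP flag byte. The v5 layout is Cisco's public fixed format; the datagram is constructed with struct so the example runs offline. Two caveats the slide does not spell out: the flag byte is the cumulative OR of all flags seen during the flow, so 0x1A means SYN, PSH and ACK all occurred (a completed handshake that carried data), and the interface is exported as an SNMP ifIndex, not the name "Gi0/0/0". Source SGT and the NBAR application name are not part of v5 at all; they need Flexible NetFlow (v9) or IPFIX templates and are therefore not decoded here.

```python
"""Parse a NetFlow v5 export datagram and decode the fields the slide lists
(addresses, ports, interface, ToS, protocol, next hop, TCP flags).

Added example, not code from the presentation. The v5 layout is the public
Cisco format; the datagram below is constructed so the example runs offline.
SGT and NBAR application name are not carried in v5 (they need Flexible
NetFlow / v9 or IPFIX templates), so they are not decoded here.
"""
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG"}


def decode_flags(byte):
    """NetFlow stores the cumulative OR of TCP flags seen over the flow's
    life, so 0x1A means SYN, PSH and ACK all occurred: a completed handshake
    that carried data, not one packet with all three bits set."""
    return [name for bit, name in TCP_FLAGS.items() if byte & bit]


def parse_v5(datagram):
    """Return (header dict, list of record dicts). Raises ValueError on a
    wrong version or a length mismatch; UDP exports are unauthenticated, so
    a collector must treat the datagram as untrusted input."""
    if len(datagram) < HEADER.size:
        raise ValueError("short header")
    (version, count, uptime, secs, _nsecs, seq, _etype, _eid,
     sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": secs, "flow_sequence": seq,
              "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "next_hop": socket.inet_ntoa(nexthop),
            "input_ifindex": in_if, "output_ifindex": out_if,
            "packets": pkts, "bytes": octets,
            "duration_ms": last - first,
            "sport": sport, "dport": dport,
            "tcp_flags": flags, "tcp_flag_names": decode_flags(flags),
            "protocol": proto, "tos": tos,
        })
    return header, records


def build_sample_datagram():
    """Constructed datagram with one record matching the slide's example."""
    header = HEADER.pack(5, 1, 360_000, 1_591_401_600, 0, 1, 0, 0, 0)
    record = RECORD.pack(
        socket.inet_aton("10.1.8.3"), socket.inet_aton("172.168.134.2"),
        socket.inet_aton("172.168.25.1"),
        3, 5,                 # input/output ifIndex (an index, not "Gi0/0/0")
        42, 5_100,            # packets, bytes
        350_000, 362_000,     # first/last packet, sysuptime ms
        47321, 443, 0, 0x1A, 6, 0x00, 0, 0, 24, 24, 0)
    return header + record


if __name__ == "__main__":
    hdr, recs = parse_v5(build_sample_datagram())
    print(hdr)
    print(recs[0])
```

Resolving the ifIndex to "Gi0/0/0" is done by the collector through SNMP (ifName/ifDescr) against the exporter, which is why the component diagram lists SNMP next to NetFlow as a collector input.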

Page 8:

Network as a Sensor: Lancope StealthWatch

Real-time visibility at all network layers
• Data intelligence throughout the network
• Asset discovery
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response

[Diagram] NetFlow feeds StealthWatch; StealthWatch and Cisco ISE exchange Context Information and Mitigation Action over pxGrid.

Page 9:

Network as an Enforcer: Software-Defined Segmentation with TrustSec

Traditional Security Policy: [figure of a wall of IP-address-based extended ACL lines of the form "access-list 102 permit tcp <address> <wildcard> lt <port> <address> <wildcard> gt <port>", illustrating policy tied to addresses and ports]

TrustSec Security Policy:
• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy

Network Fabric: Switch, Router, DC FW, DC Switch, Wireless. Flexible and Scalable Policy Enforcement.

Page 10:

TrustSec Common Deployment Scenarios

User to Data Center Access Control
• Context-based access control
• Compliance requirements: PCI, HIPAA, export controlled information
• Merger & acquisition integration, divestments

Data Center Segmentation
• Server zoning & micro-segmentation
• Production vs. development server segmentation
• Compliance requirements: PCI, HIPAA
• Firewall rule automation

Campus and Branch Segmentation
• Line of business segregation
• PCI, HIPAA and other compliance regulations
• Malware propagation control/quarantine

Page 11:

Behavioral and Anomaly Detection Model: Behavioral Algorithms Are Applied to Build "Security Events"

COLLECT AND ANALYZE FLOWS -> SECURITY EVENTS (94+) -> ALARM CATEGORY -> RESPONSE

Security events (excerpt): Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK**, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, ..., ICMP Flood, ..., Max Flows Initiated, Max Flows Served, ..., Suspect Long Flow, Suspect UDP Activity, SYN Flood, ...

Alarm categories: Concern, Exfiltration, C&C, Recon, Data Hoarding, Exploitation, DDoS Target

Responses: Alarm Table, Host Snapshot, Email, Syslog / SIEM, Mitigation
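Two of the security events in that list are simple enough to show end to end on conversational flow records: Addr_Scan/tcp (one host touching many distinct addresses with SYN-only flows that never complete) and Beaconing Host (periodic, low-jitter connections to one destination), each mapped to its alarm category (Recon, C&C). The Python below is an added example of that flow-to-alarm step, not StealthWatch's detection engine: the thresholds, the flow records and the category mapping are constructed for illustration, and a third, irregular set of flows is included to show what must not alarm.

```python
"""Two of the slide's behavioral security events over conversational flow
records: Addr_Scan/tcp and Beaconing Host, mapped to the alarm categories
Recon and C&C.

Added example, not StealthWatch's detection logic: thresholds, the flow
records and the category mapping are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

SCAN_MIN_TARGETS = 20      # distinct destination addresses per source
BEACON_MIN_FLOWS = 8       # connections needed before periodicity is judged
BEACON_MAX_JITTER = 0.1    # std dev of the inter-arrival gaps / mean gap
SYN_ONLY = 0x02


def addr_scan_tcp(flows):
    """A scanner sends SYNs that mostly never complete, so its flows carry
    only the SYN flag and one or two packets. Count distinct targets per
    source and alarm above SCAN_MIN_TARGETS."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["flags"] == SYN_ONLY and f["client_pkts"] <= 2:
            targets[f["client"]].add(f["server"])
    return [{"event": "Addr_Scan/tcp", "category": "Recon", "host": src,
             "detail": f"{len(t)} distinct targets"}
            for src, t in targets.items() if len(t) >= SCAN_MIN_TARGETS]


def beaconing_host(flows):
    """Malware check-ins happen at a fixed interval; user traffic does not.
    Flag a (client, server) pair whose connection start times are evenly
    spaced (coefficient of variation of the gaps below BEACON_MAX_JITTER)."""
    starts = defaultdict(list)
    for f in flows:
        starts[(f["client"], f["server"])].append(f["start"])
    alarms = []
    for (client, server), ts in starts.items():
        if len(ts) < BEACON_MIN_FLOWS:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < BEACON_MAX_JITTER:
            alarms.append({"event": "Beaconing Host", "category": "C&C",
                           "host": client,
                           "detail": f"to {server} every ~{avg:.0f}s"})
    return alarms


def analyze(flows):
    """Run every detector and return the alarm list (order: scan, beacon)."""
    return addr_scan_tcp(flows) + beaconing_host(flows)


def _flow(client, server, start, flags=0x1A, pkts=20):
    """Constructed conversational record with only the fields used above."""
    return {"proto": 6, "client": client, "server": server, "server_port": 443,
            "start": start, "flags": flags, "client_pkts": pkts}


# Constructed flow set: a supplier host sweeping 10.4.60.0/24 with bare SYNs,
# a workstation beaconing every 60 s with +/-1 s jitter, and an employee
# with irregular web traffic to one site that must not alarm.
SAMPLE_FLOWS = (
    [_flow("10.4.51.5", f"10.4.60.{i}", 1000 + i, flags=SYN_ONLY, pkts=1)
     for i in range(1, 41)]
    + [_flow("10.4.51.9", "203.0.113.7", 2000 + 60 * i + (i % 3) - 1)
       for i in range(12)]
    + [_flow("10.4.51.12", "198.51.100.20", t)
       for t in (100, 130, 700, 705, 2100, 2600, 2601, 4000, 4900)]
)

if __name__ == "__main__":
    for a in analyze(SAMPLE_FLOWS):
        print(a)
```

The beacon check is the one to tune with care: NTP clients, monitoring agents and mail polling are also periodic, which is why the slide's pipeline ends in an alarm category plus a host snapshot for an analyst rather than in an automatic block for every event.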

Page 12:

Integrated Threat Defense (Detection & Containment): Demo

[Diagram] Network Fabric with roles Employee, Employee, Supplier, Quarantine; segments Shared Server, Server, High Risk Segment, Internet.

Lancope StealthWatch
Event: TCP SYN Scan
Source IP: 10.4.51.5
Role: Supplier
Response: Quarantine

ISE: Change Authorization -> Quarantine
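What makes the containment in this demo cheap is the TrustSec policy model from pages 9 and 10: the change of authorization does not touch any IP-based ACL, it only moves the supplier host's session into the Quarantine Security Group, and the existing SGT-to-SGT policy matrix then denies it everywhere except the remediation path. The Python below is an added example of that mechanism, not the demo's actual StealthWatch-to-ISE integration: the SGT numbers, the policy matrix, the session table and the "Quarantine" policy name are constructed. The ISE request it builds follows the ERS ANC "apply" call as documented for ISE 2.x (PUT /ers/config/ancendpoint/apply with an OperationAdditionalData body); treat that contract as an assumption to verify against your ISE version, and note that in the demo the trigger travels over pxGrid rather than ERS.

```python
"""Containment side of the demo: map a StealthWatch alarm to a change of
authorization that moves the offending host into the Quarantine Security
Group, and show how the TrustSec policy matrix then denies it without any
IP-based ACL edit.

Added example, not the demo's StealthWatch/ISE integration. SGT numbers,
the policy matrix and the session table are constructed. The ERS ANC
request shape is assumed from ISE 2.x documentation and is built, not sent.
"""
import json

SGT = {"Employee": 10, "Supplier": 20, "Shared_Server": 30,
       "High_Risk_Segment": 40, "Quarantine": 255}

# Constructed TrustSec policy matrix keyed (source SGT, destination SGT).
# Each cell is an ordered list of (action, protocol, destination port or
# None). An absent cell is an implicit deny (default-deny posture).
POLICY = {
    (SGT["Employee"], SGT["Shared_Server"]): [("permit", "tcp", 443), ("permit", "tcp", 445)],
    (SGT["Supplier"], SGT["Shared_Server"]): [("permit", "tcp", 443)],
    (SGT["Employee"], SGT["High_Risk_Segment"]): [("permit", "tcp", 22)],
    # A quarantined host may only reach the remediation portal.
    (SGT["Quarantine"], SGT["Shared_Server"]): [("permit", "tcp", 8443), ("deny", "ip", None)],
}

# Constructed ISE session table: IP -> [MAC, current SGT].
SESSIONS = {"10.4.51.5": ["00:50:56:AB:CD:EF", SGT["Supplier"]],
            "10.4.51.9": ["00:50:56:12:34:56", SGT["Employee"]]}


def sgacl_permits(src_sgt, dst_sgt, proto, dport):
    """First-match evaluation of the matrix cell; no cell or no match is deny."""
    for action, p, port in POLICY.get((src_sgt, dst_sgt), []):
        if p == "ip" or (p == proto and (port is None or port == dport)):
            return action == "permit"
    return False


def anc_apply_request(ise_host, mac, policy="Quarantine"):
    """Build (method, url, json body) for the ISE ERS ANC apply call.
    Assumed request shape (ISE 2.x docs); nothing is transmitted here."""
    body = {"OperationAdditionalData": {"additionalData": [
        {"name": "macAddress", "value": mac},
        {"name": "policyName", "value": policy}]}}
    return ("PUT", f"https://{ise_host}:9060/ers/config/ancendpoint/apply",
            json.dumps(body))


def quarantine(alarm, ise_host="ise.example.net"):
    """On a Recon/C&C/Exploitation alarm, move the host's session to the
    Quarantine SGT (what the CoA achieves on the switch) and return the ISE
    request a connector would send. Other categories get no automatic action."""
    if alarm["category"] not in ("Recon", "C&C", "Exploitation"):
        return None
    mac, _old_sgt = SESSIONS[alarm["host"]]
    SESSIONS[alarm["host"]][1] = SGT["Quarantine"]
    return anc_apply_request(ise_host, mac)


def can_reach(src_ip, dst_sgt_name, proto, dport):
    """Evaluate the matrix for a host's current SGT."""
    return sgacl_permits(SESSIONS[src_ip][1], SGT[dst_sgt_name], proto, dport)


if __name__ == "__main__":
    alarm = {"event": "Addr_Scan/tcp", "category": "Recon", "host": "10.4.51.5"}
    print(can_reach("10.4.51.5", "Shared_Server", "tcp", 443))   # supplier allowed
    print(quarantine(alarm))
    print(can_reach("10.4.51.5", "Shared_Server", "tcp", 443))   # now denied
    print(can_reach("10.4.51.5", "Shared_Server", "tcp", 8443))  # remediation only
```

Two operational checks before wiring this up for real: restrict the automatic path to high-confidence categories (here Recon, C&C, Exploitation; "Concern" stays manual) so a false positive cannot quarantine a server, and confirm that every enforcement point in the fabric actually receives the SGT, since a host that reaches a segment through a device without TrustSec enforcement is not contained by the matrix.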

Page 13:

Network as a Sensor and Enforcer Summary

• TrustSec provides software defined (micro) segmentation
• NetFlow and Lancope StealthWatch provide visibility and intelligence
• The network is a key asset for threat detection and control

Page 14:

Read and learn during the break

www.cisco.com/go/networksecurity
www.cisco.com/go/ISE
www.cisco.com/go/TrustSec
www.cisco.com/go/ctd
