
The Critical Security Controls and the StealthWatch System

Jan 15, 2015


Lancope, Inc.

As today’s cyber-attackers become more sophisticated and nefarious, organizations must adopt the right mix of conventional and next-generation security tools to effectively defend their infrastructure from advanced threats. The Critical Security Controls effort is a growing movement that has been helping government agencies and large enterprises prioritize their cyber security spending accordingly.

By leveraging NetFlow and other types of flow data, Lancope’s StealthWatch System delivers continuous network visibility to fulfill a number of the highest priority controls, enhancing timely detection of targeted threats and improving incident response.

Learn the latest about the Critical Security Controls and hear how the StealthWatch System fits in.
Transcript
Page 1: The Critical Security Controls and the StealthWatch System

Ask the Expert Webcast: The Critical Security Controls and the StealthWatch System

John Pescatore, Director, SANS
Charles Herring, Lancope

Page 2: The Critical Security Controls and the StealthWatch System

Obligatory Agenda Slide

• Housekeeping info
• Here’s what we will do
  – 1:05 – 1:20 The Critical Security Controls – John Pescatore, SANS
  – 1:20 – 1:45 StealthWatch – Charles Herring, Lancope
  – 1:45 – 2:00 Q&A

Page 3: The Critical Security Controls and the StealthWatch System

Bios

John Pescatore joined SANS in January 2013 with 35 years’ experience in computer, network and information security. He was Gartner’s lead security analyst for 13 years. Prior to joining Gartner Inc. in 1999, he was Senior Consultant for Entrust Technologies and Trusted Information Systems. Before that, John spent 11 years with GTE developing secure computing and telecommunications systems. Mr. Pescatore began his career at the National Security Agency and the United States Secret Service. He holds a Bachelor's degree in Electrical Engineering from the University of Connecticut and is an NSA Certified Cryptologic Engineer.

Page 4: The Critical Security Controls and the StealthWatch System

Bios

Charles Herring is Senior Systems Engineer at Lancope and a longtime StealthWatch user. While on active duty in the US Navy, Charles leveraged StealthWatch in his role as Lead Network Security Analyst for the Naval Postgraduate School. He was tasked with staffing and training Network Security Group personnel, building the security architecture and developing incident response procedures. After leaving the Navy, he spent six years consulting with the Federal government, disaster relief organizations and enterprises on network security, communication and process improvement.

Page 5: The Critical Security Controls and the StealthWatch System

• Focus on protecting the mission first
• Effectively and efficiently and quickly
• Advanced targeted attacks are happening now
• Break the Breach Chain
• Compliance must follow security

Page 6: The Critical Security Controls and the StealthWatch System

Disrupting the Breach Chain

[Diagram of the breach chain with four monitoring points labelled: DMZ Monitoring; Advanced Threat Detect; Monitor internal flows; Monitor external flows]

Source: Neusentry 2012 © 2013 The SANS™ Institute – www.sans.org

Presentation Notes

Targeted attacks aim to achieve a specific impact against specific enterprises, and have three major goals:

• Denial of service: disrupting business operations
• Theft of service: obtaining use of the business product or service without paying for it
• Information compromise: stealing, destroying or modifying business-critical information

The motivation is usually financial gain, such as through extortion during a denial-of-service attack, trying to obtain "ransom" for stolen information, or selling stolen identity information to criminal groups. Although, recently, we have seen a rash of disclosures as companies publicly announce losses of customer-sensitive data, most targeted attacks do not get any publicity because enterprises do not want to expose the extent of the damage an attack may have caused.

Targeted attacks can use custom-created executables that are rarely detected by signature-based techniques. To be successful, such attacks generally require some means of communication back to an outside party, whether out of band — as when an insider puts information onto removable media and physically carries it outside of enterprise control — or in band — as when Internet mechanisms are used.
Page 7: The Critical Security Controls and the StealthWatch System

Critical Security Controls

1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Wireless Access Control
8) Data Recovery Capability
9) Security Skills Assessment and Appropriate Training to Fill Gaps
10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring and Analysis of Audit Logs
15) Controlled Access Based on Need to Know
16) Account Monitoring and Control
17) Data Protection
18) Incident Response Capability
19) Secure Network Engineering
20) Penetration Tests and Red Team Exercises

Page 8: The Critical Security Controls and the StealthWatch System

Benefits: Risk Reduction and Visibility

[Bar chart, scale 0% to 70%, of survey responses to the question: "Where have the Controls you implemented made the most improvement and/or helped you close your gaps? (Check all that apply.)" Categories: Risk reduction/vulnerability mitigation; Improvements to overall risk posture; Situational awareness/gap analysis; Compliance to mandates and regulations; Threat mitigation; Incident response; Detecting advanced attacks; Benchmarking systemic improvements; Other.]

Page 9: The Critical Security Controls and the StealthWatch System

Critical Security Controls Update

• Now maintained by the Council On CyberSecurity
• Version 5.0 in public review
• Updated prioritization and definitions of subcontrols

Page 10: The Critical Security Controls and the StealthWatch System

Getting to Continuous Security Action

[Diagram of the vulnerability management life cycle; labels as they appear on the slide]

Drivers: Threats, Regulations, Requirements, OTT Dictates

Stages: Policy – Assess Risk – Baseline (Vuln Assessment/Pen Test, Security Configuration) – Discovery/Inventory – Shield – Mitigate – Eliminate Root Cause – Monitor/Report

Tool groups:
• FW/IPS/ATD • Anti-malware • NAC
• Patch Management • Config Management • Change Management
• Software Vuln Test • Training • Network Arch • Privilege Mgmt
• SIEM • Situational Awareness • Incident Response

Presentation Notes
Gartner's vulnerability management life cycle defines the operational processes and technologies that are needed to discover and remediate security weaknesses before they are exploited. Policies that define a secure IT infrastructure are used as the reference for a baseline to discover vulnerabilities and security configuration policy compliance issues. Security weaknesses should be assessed with respect to the vulnerability, the current threat environment and the business use of the asset to prioritize the shielding and remediation tasks that follow. Remediation is facilitated through cross-organizational processes and workflow. Remediation activity is also driven through monitoring of privileged user access, of compliance with technical controls and for new vulnerabilities. Vulnerability management operationally implements a subset of the controls that are defined within a security program. The life cycle implements many of the basic security controls that auditors seek when evaluating compliance. Organizations that take the extra step of mapping the policies that are implemented by vulnerability management to control standards and best practices can strengthen their posture with auditors and reduce the cost of compliance reporting through automation.

Action Item: Link vulnerability management and compliance projects to ensure that compliance spending results in lower security operations costs and a more secure environment.

Action Item: IT security organizations must work with IT operations to develop and implement the operational processes that are needed for effective vulnerability mitigation.
Page 11: The Critical Security Controls and the StealthWatch System

The Critical Security Controls and the StealthWatch System


Charles Herring Senior Systems Engineer [email protected]

Page 12: The Critical Security Controls and the StealthWatch System

Lancope: The Market Leader in Network Visibility

Technology Leadership
• Powerful threat intelligence
• Patented behavioral analysis
• Scalable monitoring up to 3M flows per second
• 150+ algorithms

Best of Breed
• 650 Enterprise Clients
• Key to Cisco’s Cyber Threat Defense
• Gartner recommended
• NBA market leader
• Flow-based monitoring

© 2013 Lancope, Inc. All rights reserved.

Page 13: The Critical Security Controls and the StealthWatch System

Your Infrastructure Provides the Source...

[Network diagram: three sites (Atlanta, San Jose, New York) connected over the Internet and WAN, with DMZ, Datacenter and Access layers. Devices shown: ASR-1000, Cat6k, UCS with Nexus 1000v, ASA, Cat6k, 3925 ISR, 3560-X, 3850 Stack(s), Cat4k. Every device in the diagram is labelled "NetFlow", i.e. each one exports flow records.]

Page 14: The Critical Security Controls and the StealthWatch System

…for Total Visibility from Edge to Access.

[Network diagram: the same topology as the previous slide (Atlanta, San Jose, New York; ASR-1000, Cat6k, UCS with Nexus 1000v, ASA, 3925 ISR, 3560-X, 3850 Stack(s), Cat4k; WAN, DMZ, Access layers).]

Page 15: The Critical Security Controls and the StealthWatch System

SANS Critical Controls: Boundary Defense

Defense Type      L3, L4, L7 Blocking   Signature Detection   Emerging Threat Detection   Targeted Threat Detection
Firewalls         Yes                   Limited               No                          No
Signature IDS     Limited               Yes                   No                          No
Malware Sandbox   No                    No                    Yes                         Limited
StealthWatch      No                    Limited               Yes                         Yes

Page 16: The Critical Security Controls and the StealthWatch System


Flow Statistical Analysis


Page 17: The Critical Security Controls and the StealthWatch System

SANS Critical Controls: Monitoring & Audit

Defense Type   Detection Mechanism   Data Source
SIEM           Boolean               Syslog
StealthWatch   Algorithmic           NetFlow

Page 18: The Critical Security Controls and the StealthWatch System

SANS Critical Controls: Incident Response and Management

Logging Type     Data Stored
Endpoint         Hard Drive/Memory
Packet Capture   Raw PCAP
Log Collection   Syslog
StealthWatch     NetFlow

Page 19: The Critical Security Controls and the StealthWatch System

Transactional Audits of ALL activities


Page 20: The Critical Security Controls and the StealthWatch System

SANS Critical Controls: Secure Network Engineering

Monitor Type              Data Monitored
Firewall Change Control   Changes in FW Configuration records
Configuration Polling     SNMP
StealthWatch              NetFlow against Policy
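The three StealthWatch rows above (statistical analysis of flows on slide 16, "Algorithmic / NetFlow" versus the SIEM's "Boolean / Syslog" on slide 17, and "NetFlow against Policy" on slide 20) describe one idea: reason about the traffic you actually observed, rather than about a fixed string in a log or a device's configuration. The Python below is an added illustration of that idea and is not Lancope or StealthWatch code. The segments, policy table, hosts, byte counts, syslog lines and the 3-sigma threshold are all constructed for the example; it needs only the standard library.

```python
"""Flow-based checks in the spirit of slides 16, 17 and 20.
Added illustration only, not Lancope/StealthWatch code. Segments, policy,
hosts, byte counts and the z-score threshold are constructed assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed segmentation model (RFC 1918 / documentation ranges only).
SEGMENTS = {
    "access": ip_network("10.1.0.0/16"),      # user workstations
    "datacenter": ip_network("10.2.0.0/16"),  # servers
    "dmz": ip_network("192.0.2.0/24"),        # public-facing hosts
}

# Constructed policy: allowed (src segment, dst segment) -> dst ports.
# None means any port; a pair absent from the table is a violation.
POLICY = {
    ("datacenter", "datacenter"): None,
    ("access", "datacenter"): {443, 445},
    ("access", "dmz"): {443},
    ("access", "internet"): {80, 443},
    ("dmz", "datacenter"): {3306},
}

# Constructed NetFlow-style records: (src, dst, dst_port, bytes).
TODAY_FLOWS = [
    ("10.1.5.20", "203.0.113.10", 443, 40_000),   # ordinary browsing
    ("10.1.5.20", "198.51.100.7", 443, 900_000),  # unusually large upload
    ("10.1.5.21", "203.0.113.10", 80, 58_000),
    ("10.1.5.21", "10.2.0.15", 445, 12_000),
    ("10.1.5.22", "10.2.0.15", 22, 4_000),        # SSH to a server: not in policy
    ("10.2.0.15", "198.51.100.7", 443, 2_000),    # server talking to the internet
    ("192.0.2.5", "10.2.0.15", 3306, 9_000),
    ("192.0.2.5", "10.1.5.20", 445, 1_000),       # DMZ host reaching into access
]

# Constructed baseline: daily egress bytes per host over the prior days.
HISTORY = {
    "10.1.5.20": [48_000, 52_000, 50_000, 49_000, 51_000],
    "10.1.5.21": [60_000, 61_000, 59_000, 60_000, 60_000],
}

# Constructed syslog lines for the Boolean (SIEM-style) contrast.
SYSLOG = [
    "sshd[2101]: Failed password for root from 10.1.5.22 port 50122 ssh2",
    "sshd[2101]: Failed password for root from 10.1.5.22 port 50123 ssh2",
    "sshd[2107]: Accepted publickey for ops from 10.1.5.21 port 50130 ssh2",
]

def segment_of(ip):
    """Map an address to its segment name; anything unlisted is 'internet'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"

def boolean_syslog_rule(lines, needle="Failed password", limit=2):
    """Slide 17's SIEM row: a fixed string match and a fixed count."""
    return sum(needle in line for line in lines) >= limit

def policy_violations(flows):
    """Slide 20's 'NetFlow against Policy': compare observed traffic with the
    intended segmentation instead of reading device configuration."""
    bad = []
    for src, dst, dport, nbytes in flows:
        pair = (segment_of(src), segment_of(dst))
        if pair in POLICY and (POLICY[pair] is None or dport in POLICY[pair]):
            continue
        bad.append((src, dst, dport, nbytes))
    return bad

def egress_bytes_by_host(flows):
    """Total bytes each internal host sent to the internet."""
    totals = defaultdict(int)
    for src, dst, _dport, nbytes in flows:
        if segment_of(src) != "internet" and segment_of(dst) == "internet":
            totals[src] += nbytes
    return dict(totals)

def volume_anomalies(history, flows, z_threshold=3.0):
    """Slides 16/17's behavioral row: score each host's egress against its own
    baseline; return {host: z} for hosts above z_threshold. A host with no
    baseline (never seen sending out before) is reported with z = inf."""
    flagged = {}
    for host, nbytes in egress_bytes_by_host(flows).items():
        past = history.get(host, [])
        if len(past) < 2:
            z = float("inf")
        elif pstdev(past) == 0:
            z = float("inf") if nbytes > mean(past) else 0.0
        else:
            z = (nbytes - mean(past)) / pstdev(past)
        if z > z_threshold:
            flagged[host] = z
    return flagged
```

Running `policy_violations(TODAY_FLOWS)` returns the SSH flow into the datacenter, the server's outbound connection and the DMZ-to-access flow, none of which required knowing what the firewall was configured to do; `volume_anomalies(HISTORY, TODAY_FLOWS)` flags 10.1.5.20 (roughly 19 times its daily baseline) and 10.2.0.15 (no egress baseline at all), while 10.1.5.21 stays quiet because its volume is within its own history. The Boolean rule, by contrast, fires only when the exact string and count it was written for appear.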

Page 21: The Critical Security Controls and the StealthWatch System

http://www.lancope.com

@Lancope (company) @netflowninjas (company blog)

https://www.facebook.com/Lancope

http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about

https://plus.google.com/u/0/103996520487697388791/posts

http://feeds.feedburner.com/NetflowNinjas

Thank You


Charles Herring Senior Systems Engineer Lancope

Page 22: The Critical Security Controls and the StealthWatch System


Page 23: The Critical Security Controls and the StealthWatch System

Resources

• SANS Reading Room: http://www.sans.org/reading_room/
• Blog – www.sans.org/security-trends/
• Sponsor link: http://www.lancope.com
• Questions: [email protected]