Transcript
Page 1: Tvr malware gtri

Cybersecurity: Malware Defense

Page 2: Tvr malware gtri

Malware Defense

What is Cisco’s Role?

Page 3: Tvr malware gtri

“Over the past year the amount of unique malware has doubled”-Chris Coleman, Cisco Cyber Architect

Page 4: Tvr malware gtri

Systems Approach to Security

• Best-of-breed security technologies embedded into infrastructure components
• Benefits:
  – Lower TCO
  – Easier to Manage – similar HW/SW platforms and design
  – Easier to Deploy
  – Less Training Requirements
  – Single Support Model
  – Fully Integrated Rather than Bolted-On
  – Ability to support customers on classified networks
  – Commitment to certifications – Global Certification Team (GCT)

Page 5: Tvr malware gtri

What is Reputation Security?

• Reputation Security delivers a numeric score about an object, which allows a security device to take a policy-based action.

• Reputation is built on three things:
  1. Our own assessment (e.g., using SensorBase data)
  2. Assessment by trusted 3rd parties
  3. Sophisticated models that produce a score in real-time
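As an added illustration of the three-input scoring described above (example code, not Cisco's or SensorBase's implementation), the block below combines an own assessment, trusted third-party scores and a real-time model score into one reputation value on the -10 to +10 scale the deck uses later, then maps that value to a policy action. The weights, the block/allow thresholds and the sample objects are assumptions; the redistribution of weight when no third-party feed has an opinion is a design choice of this example.

```python
"""Reputation score combiner with policy mapping.

Added example, not Cisco/SensorBase code. The weights, thresholds and
sample inputs below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import List

SCORE_MIN, SCORE_MAX = -10.0, 10.0  # reputation scale used in the deck

# Assumed relative trust in each source; the values sum to 1.0.
WEIGHTS = {"own": 0.5, "third_party": 0.3, "model": 0.2}


@dataclass
class ReputationInputs:
    own_assessment: float      # score from our own telemetry, -10..+10
    third_party: List[float]   # one score per trusted 3rd-party feed, -10..+10
    model_score: float         # score from a real-time model, -10..+10


def clamp(value: float) -> float:
    """Keep any score inside the -10..+10 range."""
    return max(SCORE_MIN, min(SCORE_MAX, value))


def combine_reputation(inputs: ReputationInputs) -> float:
    """Weighted combination of the three reputation sources.

    If no third-party feed has an opinion, its weight is redistributed over
    the remaining sources instead of silently pulling the score toward 0.
    """
    parts = {
        "own": clamp(inputs.own_assessment),
        "model": clamp(inputs.model_score),
    }
    if inputs.third_party:
        avg = sum(clamp(s) for s in inputs.third_party) / len(inputs.third_party)
        parts["third_party"] = avg
    total_weight = sum(WEIGHTS[k] for k in parts)
    score = sum(WEIGHTS[k] * v for k, v in parts.items()) / total_weight
    return round(clamp(score), 2)


def policy_action(score: float, block_below: float = -6.0,
                  allow_above: float = 3.0) -> str:
    """Map a score to a policy-based action (thresholds are assumptions).

    Low scores are blocked outright (the 'stopped by reputation filtering'
    case), high scores pass, and the grey middle is handed to deeper
    inspection such as anti-spam or anti-virus scanning.
    """
    if score <= block_below:
        return "block"
    if score >= allow_above:
        return "allow"
    return "scan"


def evaluate(inputs: ReputationInputs) -> dict:
    """Score an object and return both the score and the resulting action."""
    score = combine_reputation(inputs)
    return {"score": score, "action": policy_action(score)}


if __name__ == "__main__":
    # Constructed sample objects (e.g. sending IPs seen by an email gateway).
    samples = {
        "198.51.100.7": ReputationInputs(-8.0, [-7.0, -9.0], -6.0),
        "203.0.113.10": ReputationInputs(5.0, [4.0, 6.0, 5.0], 7.0),
        "192.0.2.44": ReputationInputs(2.0, [], -1.0),
    }
    for obj, inp in samples.items():
        print(obj, evaluate(inp))
```

The three-way outcome matters operationally: a block decision made from reputation alone is cheap and happens before any content is parsed, whereas the "scan" band is where the more expensive spam and virus engines spend their time.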

Page 6: Tvr malware gtri

Cisco IronPort Web and Email Security

Cisco IronPort Web Security Safe Client Browsing with Web Reputation and URL Filtering

Cisco IronPort Email Security Spam filters, Virus Outbreak Filters, Email Reputation Filters

Hosted and Appliance Options

Email/Web Traffic (malicious and benign)

Cisco IronPort Client

Cisco Security Intelligence Operations

Page 7: Tvr malware gtri

Examples of Reputation in Action

Web Security: What do we know BEYOND the top level domain?

IPS: more accuracy, less admin hands on to deal with “yellow alerts”

Firewall: Who on my network is currently infected?

Page 8: Tvr malware gtri

How Effective is Reputation?

• IronPort was a strategic acquisition for Cisco
• Security systems need to react as fast as threats – on all fronts
• Blocking at lower layers is fast, and can provide great security intelligence to otherwise unaware devices

Cisco on Cisco: Our Corporate Email Experience

Message Category                   %        Messages
Stopped by Reputation Filtering    93.1%    700,876,217
Stopped as Invalid Recipients       0.3%      2,280,104
Spam Detected                       2.5%     18,617,700
Virus Detected                      0.3%      2,144,793
Stopped by Content Filter           0.6%      4,878,312
Total Threat Messages:             96.8%    728,797,126
Clean Messages                      3.2%     24,102,874
Total Attempted Messages:                   752,900,000

Blocked at Layer 3!

Page 9: Tvr malware gtri

ASA Botnet Traffic Filters

Page 10: Tvr malware gtri

Botnet Traffic Filters in Cisco ASA

• Scans all traffic, ports, and protocols for rogue “phone home” traffic
• Provides visibility to infected clients within corporate network
• SensorBase provides visibility into dynamic IPs

Diagram: Infected Client – Cisco ASA 5500 Series with Botnet Traffic Filters – Command and Control; Cisco Security Intelligence Operations

Page 11: Tvr malware gtri

Botnet Traffic Filter

• 3 Main Components:
  – Domain Name System (DNS) Snooping
  – Traffic Classification and Reporting
  – Dynamic and Administrator Blacklist Data

Page 12: Tvr malware gtri

Botnet Traffic Filter Reports: Top Botnet Sites and Ports

Page 13: Tvr malware gtri

Botnet Traffic Filter Reports: Top Infected Hosts
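The three components listed on Page 11 and the two report types on Pages 12 and 13, as one added example that is not Cisco's ASA code: DNS answers are snooped into an IP-to-domain cache that expires with the record's TTL (so a dynamic IP that moves to a new owner is not blamed for its previous tenant), each flow is classified against a dynamic feed plus administrator black and white lists, and the matches are rolled up into "Top Infected Hosts" and "Top Botnet Sites and Ports". The domain names, IPs, TTLs and flow records are constructed sample data.

```python
"""Botnet Traffic Filter style detection over constructed sample data.

Added example, not Cisco ASA code. Blacklists, DNS answers and flows are
constructed for illustration.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed lists. Administrator entries override the dynamic feed.
DYNAMIC_BLACKLIST = {"c2.example-bad.test", "update.badhost.test"}
ADMIN_BLACKLIST = {"evil-cdn.test"}
ADMIN_WHITELIST = {"cdn.good.test"}


class BotnetTrafficFilter:
    def __init__(self, dynamic, admin_black, admin_white):
        self.dynamic = set(dynamic)
        self.admin_black = set(admin_black)
        self.admin_white = set(admin_white)
        # DNS snooping cache: resolved IP -> (domain, expiry time).
        # Botnet infrastructure often sits on dynamic IPs, so entries
        # expire with the DNS TTL instead of living forever.
        self.ip_to_domain: Dict[str, Tuple[str, float]] = {}

    def snoop_dns(self, domain: str, ip: str, ttl: int, now: float) -> None:
        """Record an A-record answer observed in DNS traffic."""
        self.ip_to_domain[ip] = (domain, now + ttl)

    def domain_for(self, ip: str, now: float) -> Optional[str]:
        """Domain last resolved to ip, unless the cached answer has expired."""
        entry = self.ip_to_domain.get(ip)
        if entry is None or entry[1] < now:
            return None
        return entry[0]

    def classify(self, flow: dict) -> Tuple[str, Optional[str]]:
        """Return (verdict, domain) for one flow.

        verdict is 'whitelisted', 'blacklisted' or 'unknown'. A destination
        never seen in snooped DNS stays 'unknown'; direct-to-IP connections
        are worth their own report but are not counted as infections here.
        """
        domain = self.domain_for(flow["dst"], flow["t"])
        if domain is None:
            return "unknown", None
        if domain in self.admin_white:
            return "whitelisted", domain
        if domain in self.admin_black or domain in self.dynamic:
            return "blacklisted", domain
        return "unknown", domain

    def report(self, flows: List[dict]) -> Dict[str, Counter]:
        """Build 'Top Infected Hosts' and 'Top Botnet Sites and Ports'."""
        infected: Counter = Counter()
        sites: Counter = Counter()
        for flow in flows:
            verdict, domain = self.classify(flow)
            if verdict == "blacklisted":
                infected[flow["src"]] += 1
                sites[(domain, flow["dport"])] += 1
        return {"infected_hosts": infected, "botnet_sites": sites}


# Constructed DNS answers: (domain, ip, ttl_seconds, time_seen)
DNS_ANSWERS = [
    ("c2.example-bad.test", "198.51.100.7", 300, 1000),
    ("cdn.good.test", "203.0.113.10", 3600, 1000),
    ("update.badhost.test", "198.51.100.9", 60, 1000),
]

# Constructed flow records: source, destination, destination port, time seen
FLOWS = [
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 443, "t": 1010},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 443, "t": 1020},
    {"src": "10.0.0.8", "dst": "203.0.113.10", "dport": 80, "t": 1015},
    # resolved at t=1000 with TTL 60: the mapping has expired by t=1200
    {"src": "10.0.0.9", "dst": "198.51.100.9", "dport": 8080, "t": 1200},
    # never seen in DNS: direct-to-IP connection
    {"src": "10.0.0.9", "dst": "192.0.2.44", "dport": 6667, "t": 1030},
]


def build_filter() -> BotnetTrafficFilter:
    """Create a filter and feed it the constructed DNS answers."""
    btf = BotnetTrafficFilter(DYNAMIC_BLACKLIST, ADMIN_BLACKLIST, ADMIN_WHITELIST)
    for domain, ip, ttl, seen in DNS_ANSWERS:
        btf.snoop_dns(domain, ip, ttl, seen)
    return btf


if __name__ == "__main__":
    result = build_filter().report(FLOWS)
    print("Top infected hosts:", result["infected_hosts"].most_common())
    print("Top botnet sites and ports:", result["botnet_sites"].most_common())
```

The TTL check is the part worth copying: a blacklist keyed on domain names is only as good as the snooped DNS mapping, and an expired answer must drop out of the cache or the next owner of that dynamic IP inherits the verdict.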

Page 14: Tvr malware gtri

Cisco IPS

Page 15: Tvr malware gtri

Cisco IPS 7.0: Network IPS to Global IPS

Global Threat Telemetry – Cisco SIO Global Correlation – Global Threat Telemetry

Coverage: Twice the Effectiveness of Signature-Only IPS
Accuracy: Full Context Analysis Reduces False Positives
Timeliness: Proactive Coverage

Timeline (diagram): sensors at an Ad Agency HQ in London, an ISP Data Center in Moscow and a Bank Branch in Chicago detect new malware, a new botnet and hacker probing at 8:00, 8:03 and 8:07 GMT; at 8:10 GMT the Cisco IPS Update is applied.

Page 16: Tvr malware gtri

Security Intelligence Operations (SIO)

Page 17: Tvr malware gtri

Foundation of Cisco Security: Eyes and Ears of our Threat Intelligence

Hundreds of Analysts

700,000+ Sensors Globally

8 of 10 Top Global ISPs

152 Third-party Feeds

Over 30% of the World’s Email Traffic

Page 18: Tvr malware gtri

Cisco SensorBase: The Brain of Cisco Intelligence Operations

Massive Database of Threat Telemetry

Integrated Throughout Cisco Products

Decision-Making Based on Reputation Data

200+ Parameters for Reputation

Scored from -10 to +10

URL Blacklists

Real-Time Cloud Analysis

Compromised Host List

Domain Registrar Information

Global Volume Data

URL Behavior

Bot Networks

Dynamic IP Addresses

URL Whitelists

Page 19: Tvr malware gtri

Cisco Security Solutions: The Nervous System

0100001101101001011100110110001101101111

Firewalls/VPN – Secure Routing/Switching – Email/Web Security – IDS/IPS – Access Control – Secure Voice – Secure Wireless – Visibility & Management

Page 20: Tvr malware gtri

Service Control Engine

Page 21: Tvr malware gtri

I needed a tool that would…

• Go deeper into the packet and tell the application rather than the ports it’s using
• Reference users by their IDs, not by IP addresses
• Full and comprehensive report about anything possible
• Breadth of techniques and mechanisms to influence and control traffic

Application recognition – User awareness – Visibility and reporting – Control

Page 22: Tvr malware gtri

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Visibility: Prevent and Detect – Supporting Trust through Transparency

Service Control Engine and Visibility
• High-speed flow reconstruction through the Application Layer (Layer 7)
• Identify flows through the Application Layer and provide service control: block, mark, redirect, mirror, packet capture, alarm, report
• Collection of data records for reporting and extension into other systems (situational awareness)
• Rapid insertion of new protocols and applications through custom signature interface
• Enforce policy through detailed protocol analysis tied to user awareness
• Identify anomalous network behavior
• Detailed network visibility to help identify possible covert communication channels
• Detailed network visibility to help identify means of information loss
• Identify non-approved applications

Page 23: Tvr malware gtri


Resilience: Respond and Recover – Commanding Positive Network Control

Service Control Engine and Resilience
• Identify flows through the Application Layer and provide service control: block, mark, redirect, set QoS, alarm, report
• Ensure bandwidth availability to critical assets
• Scale from 2M concurrent flows and 200K subscribers to 16M concurrent flows and 1M subscribers
• Scalable up to 240Gbps
• High Availability

Page 24: Tvr malware gtri


Why the SCE?

• An enterprise security posture must consider network analysis and visibility
• The SCE provides detailed visibility into every network transaction available
  – Tying users to specific protocol and application transactions
  – Enforcing policy of user and network transactions
  – Granular policy to control bandwidth and user resources
  – Ability to mirror and redirect transactions based on policy into additional security devices
  – Extensible back-end that can be integrated into customers with robust security analysis systems

Page 25: Tvr malware gtri

Cisco SCE - Key Benefits

• Service Provider experience and lessons learned for complex, large-scale deployments
• Predictable performance
• Address asymmetric routing issues
• Protocol packs and signature editor
• Separate processors for control and management
• Hardware flow bypass & hardware fast path for delay-sensitive traffic
• Multi-packet, bi-directional signature detection
• Application-aware flow mirroring
• Packet capture facility
• Superior classification
• No performance impact from policy and reporting configurations
• Value-added-services (VAS) architecture for 3rd party support
• Mobile 3GPP support
• System-wide management and policy control
• Network design expertise
• COTS system with the ability to feed GOTS technologies

Page 26: Tvr malware gtri

Cisco Service Control Engine

Service Control Engine: Application recognition – Subscriber awareness – Reporting – Control

Application recognition
• Signature matching
• Heuristic matching
• Behavioral matching
• Zone matching
• URL / SIP / SMTP parameter matching
• Worm detection*
• Custom signature

Subscriber awareness
• RADIUS / DHCP parameter extraction
• LDAP and SOAP queries
• Anonymous IP-to-ID mapping
• Static user definitions

Reporting
• Reporting on multiple levels
• Application parameter reporting
• Attack / SPAM reporting
• Flow signaling

Control
• Control on multiple levels
• Support complex policy decision trees
• Multiple actions

Page 27: Tvr malware gtri

Service Control Engines

• Cisco offers 2 generations of SCEs
  – SCE1010 / SCE2020 – fixed configuration, Gigabit Ethernet model
  – SCE8000 – modular configuration, Gigabit or TenGigabit Ethernet model

Page 28: Tvr malware gtri

Common properties

• All SCE platforms share some common properties:
  – Stand-alone appliances – can be inserted into any Ethernet/IP network
  – L2-L3 transparent – no MAC / IP address on data port
  – Data / Control plane separation – data and control planes are completely separate and don’t influence each other’s performance
  – Dedicated hardware – data plane is a combination of fast FPGAs and powerful CPU, backed up by lots of memory
  – IOS-like CLI – CLI for configuring low-level properties is based on an IOS-like interpreter
  – Low latency – all platforms introduce low latency (~32 µs) and almost no jitter. Hardware fast-path is a separate hardware path for delay-sensitive traffic, ensuring very low latency (~10 µs)
  – Open APIs – for integration into OSS/BSS/Security

Page 29: Tvr malware gtri

Platform comparison

                                 SCE1010                     SCE2020                               SCE8000
Data plane interfaces            2x GE                       4x GE                                 Modular: 2x or 4x 10GE, 8x or 16x GE
DPI performance                  2 Gbps                      2.8 – 3.2 Gbps                        15 Gbps / 30 Gbps
Maximum concurrent subscribers   40K – 200K                  80K – 200K                            250K – 1M
Maximum open flows               1M – 400K                   8M – 5M                               16M – 10M
Insertion modes                  Recv-only, Inline, MG-SCP   Recv-only, Inline, Cascade, MG-SCP    Recv-only, Inline, Cascade, MG-SCP

Page 30: Tvr malware gtri

Classification

• Protocols coverage
  – 600 protocols – 950 L7-based signatures
  – 900 protocols – port-based
• ~1200 customers, multiple geographies, multiple SP segments
• Application groups: Voice, Video, File-Sharing, File-Hosting, Gaming, News-Groups, Instant-Messaging, Web-based services, etc.
• Zero-Day Classification – Behavioral / Heuristic Algorithms
• Classification engine supports customer-generated signatures
• Supports classification modifiers:
  – Zones – collection of network-side prefixes
  – Application parameters – URL, User-Agent, Calling/Called Number, Domain name, Content-type…

Page 31: Tvr malware gtri

Reporting

• SCE exports 30 types of Raw Data Records (RDRs):
  – Link Usage RDR
  – Zone RDR
  – Virtual Link RDR
  – Package Usage RDR
  – Subscriber Usage RDR
  – Real-time Subscriber Usage RDR
  – Transaction RDR
  – Transaction Usage RDR
  – HTTP / VoIP / Video Transaction Usage RDR
  – Flow RDR
  – Malicious Traffic RDR
  – SPAM RDR
  – Quota RDR
  – […]

• Depending on the type, RDRs include:
  – Source / Destination IP/Port
  – Timestamp, duration, volume
  – Application ID
  – Requested URL, User-agent, Cookie
  – Delivered content type
  – Called / Calling Numbers
  – Video Codec and bitrate
  – Filename
  – P2P file hash
  – Attack type
  – List of email recipients
  – OS type*
  – […]

Page 32: Tvr malware gtri

Control

• Policy decision can be made based on multiple criteria:
  – Application usage (all levels)
  – Subscriber quota
  – Priority (application or subscriber)
  – Time of day
  – State of attack
  – Presence of other applications

• Complex policies include multiple chained rules

• Actions can be chained too*

• Once a decision is made, control can be established on many levels:
  – Link
  – Application per link
  – Subscriber group
  – Subscriber total bandwidth
  – Application per subscriber
  – Application flow

• Connections can be:
  – Allowed
  – Dropped
  – Policed (CIR and PIR)
  – Redirected (Layer 2)
  – Redirected (Layer 7, HTTP and RTMP)
  – Mirrored
  – Captured
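The classification modifiers on Page 30 and the chained policy decision on this page, as one added example (not the SCE's own engine; the signatures, port table, zone, rules, rate values and the notice URL are all assumptions): a flow is classified first by an L7 signature over its initial payload bytes, then by destination port, with a zone modifier derived from the destination prefix; a chain of rules is then evaluated in order against the application, subscriber quota, time of day, attack state and the other applications seen from the subscriber, and the first matching rule yields one of the actions listed above (allow, drop, police with CIR/PIR, Layer 7 redirect, mirror, capture).

```python
"""Flow classification plus chained policy decision, SCE-style.

Added example, not Cisco SCE code. Signatures, port table, zones, rules
and thresholds are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# --- Classification (Page 30) -------------------------------------------
# Constructed L7 signatures: (application, predicate over the first payload bytes)
L7_SIGNATURES: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("http", lambda p: p.startswith((b"GET ", b"POST ", b"HEAD "))),
    ("tls", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
]
# Port-based fallback for protocols with no L7 signature in this toy table.
PORT_APPS: Dict[int, str] = {53: "dns", 25: "smtp", 5060: "sip"}
# Zones: collections of network-side prefixes used as a classification modifier.
ZONES = {"corp-servers": [ipaddress.ip_network("203.0.113.0/24")]}


def zone_of(ip: str) -> Optional[str]:
    """Name of the zone whose prefixes contain ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, prefixes in ZONES.items():
        if any(addr in net for net in prefixes):
            return name
    return None


def classify(payload: bytes, dport: int) -> Tuple[str, str]:
    """Return (application, method): L7 signature first, then port, else unknown."""
    for app, matches in L7_SIGNATURES:
        if matches(payload):
            return app, "signature"
    if dport in PORT_APPS:
        return PORT_APPS[dport], "port"
    return "unknown", "none"


# --- Control (Page 32) ----------------------------------------------------
@dataclass
class Context:
    app: str
    zone: Optional[str]
    quota_left: int        # subscriber quota remaining, in bytes
    hour: int              # local hour of day, 0-23
    under_attack: bool     # attack state reported for this subscriber
    other_apps: Set[str] = field(default_factory=set)  # other apps seen from the subscriber


Action = Tuple[str, Optional[dict]]
Rule = Tuple[str, Callable[[Context], bool], Action]

# Rules form a chain evaluated in order; the first match wins, so order is policy.
RULES: List[Rule] = [
    ("drop-unknown-during-attack",
     lambda c: c.under_attack and c.app == "unknown", ("drop", None)),
    ("quota-exhausted-http",            # Layer 7 redirect to a notice page (placeholder URL)
     lambda c: c.quota_left <= 0 and c.app == "http",
     ("redirect", {"layer": 7, "url": "http://portal.example.test/quota"})),
    ("quota-exhausted",                 # everything else is policed down
     lambda c: c.quota_left <= 0, ("police", {"cir_bps": 64_000, "pir_bps": 128_000})),
    ("p2p-business-hours",
     lambda c: c.app == "bittorrent" and 8 <= c.hour < 18,
     ("police", {"cir_bps": 256_000, "pir_bps": 512_000})),
    ("mirror-unknown-to-servers",       # unclassified traffic towards a server zone
     lambda c: c.app == "unknown" and c.zone == "corp-servers",
     ("mirror", {"target": "ids-probe"})),
    ("capture-http-with-p2p",           # decision based on presence of another application
     lambda c: c.app == "http" and "bittorrent" in c.other_apps,
     ("capture", {"packets": 100})),
]
DEFAULT_ACTION: Action = ("allow", None)


def decide(ctx: Context) -> Tuple[str, Action]:
    """Walk the rule chain and return (rule name, action)."""
    for name, pred, action in RULES:
        if pred(ctx):
            return name, action
    return "default", DEFAULT_ACTION


def process_flow(payload: bytes, dst_ip: str, dport: int, quota_left: int,
                 hour: int, under_attack: bool, other_apps=()) -> dict:
    """Classify one flow and run it through the policy chain."""
    app, method = classify(payload, dport)
    ctx = Context(app, zone_of(dst_ip), quota_left, hour, under_attack, set(other_apps))
    rule, action = decide(ctx)
    return {"app": app, "method": method, "zone": ctx.zone,
            "rule": rule, "action": action}


if __name__ == "__main__":
    # Constructed flows: payload, destination IP, destination port, quota, hour, attack state
    print(process_flow(b"GET / HTTP/1.1\r\n", "198.51.100.20", 80, 10_000, 10, False))
    print(process_flow(b"\x16\x03\x01\x00\xa5", "203.0.113.10", 443, 0, 10, False))
    print(process_flow(b"", "203.0.113.5", 4444, 10_000, 3, True))
```

Because the chain stops at the first match, the attack-state rule sits first so that it cannot be shadowed by a quota or time-of-day rule; when reading a real policy, the order of the rules is as much part of the policy as the rules themselves.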

Page 33: Tvr malware gtri

SCE ecosystem

Components (diagram): Service Control Engine, Collection Manager, Subscriber and Quota Manager, AAA, Data retention, Cisco Insight, SCA-BB Console, Portal, Event correlation engine, Users, Network

1. SCE Appliance to view and act on the packets
2. Collection Manager to collect data records for Reporting & external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies
4. Cisco Insight to provide business intelligence and network trending reports

Page 34: Tvr malware gtri

Cisco Insight

Page 35: Tvr malware gtri

Cisco Insight – Business intelligence

• 150+ report types
• Custom dashboard
• Scheduled reports
• Email notification of reports
• Report comparison and trend analysis reports (traffic analysis, trend studies, comparisons)
• Report export in different formats: pdf, excel, image

Page 36: Tvr malware gtri

Cisco Insight – User privilege separation

• Operators can create many users and assign different view rights
• Restrict access based on:
  – Report type
  – Topology
  – Object type
• Full auditing

Page 37: Tvr malware gtri

Cisco Insight – Advanced network topology

• Objects are organized in a tree-like structure:
  – Devices
  – Links
  – Parts of networks
  – Groups of subscribers
  – Subscribers
• Graphical Topology View, customizable by user

Page 38: Tvr malware gtri
Page 39: Tvr malware gtri

How I got to DPI

Diagram: Internet – Data Centre – Residential – Business – Internal network

Stats of our network? What’s causing congestion? Where?
Security: Obvious attacks? Malicious traffic? Suspicious traffic?
Marketing: What are subscribers doing? How do we monetize that?

Operations

Network topology tools: • CDP • Route monitor • STP monitor
Performance and general awareness tools: • SNMP • Netflow
Security tools: • Firewalls • IPS/IDS probes • Honeypots
Protocol analyzers: • Replay tools • Dissectors

Page 40: Tvr malware gtri

Network visibility

SNMP: • Statistics • Layer 2
Netflow: • Statistics • Layer 3-4
Net security: • Details of critical points • Semantics of details • Layer 7
Protocol analyzers: • Details • Semantics • Layer 7

Page 41: Tvr malware gtri

DPI – filling the visibility gap

SNMP: • Statistics • Layer 2
Netflow: • Statistics • Layer 3-4
DPI: • Statistics and details • Layer 3-7
Security: • Details of critical points • Semantics of details • Layer 7
Protocol analyzers: • Details • Semantics • Layer 7

Page 42: Tvr malware gtri

Cisco Insight – Advanced UI

• New easy-to-use GUI leveraging Adobe FLEX™ technology to improve usability and maximize the user experience
• Advanced graphical widgets (time sliders, tree views, dynamic selection controllers, etc.)
• Wizard-like guide through the process of report creation

Page 43: Tvr malware gtri

DPI – filling the visibility gap

SNMP: • Statistics • Layer 2
Netflow: • Statistics • Layer 3-4
DPI: • Statistics and details • Layer 3-7
Security: • Details of critical points • Semantics of details • Layer 7
Protocol analyzers: • Details • Semantics • Layer 7

Page 44: Tvr malware gtri

Cisco Service Control Engine

Service Control Engine: Application recognition – Subscriber awareness – Reporting – Control

Application recognition
• Signature matching
• Heuristic matching
• Behavioral matching
• Zone matching
• URL / SIP / SMTP parameter matching
• Worm detection*
• Custom signature

Subscriber awareness
• RADIUS / DHCP parameter extraction
• LDAP and SOAP queries
• Anonymous IP-to-ID mapping
• Static user definitions

Reporting
• Reporting on multiple levels
• Application parameter reporting
• Attack / SPAM reporting
• Flow signaling

Control
• Control on multiple levels
• Support complex policy decision trees
• Multiple actions