Post on 05-Jul-2020
Effective Security: Defending against Encrypted Threats
William Young – Global Security Solutions Architect
willyou@cisco.com
#williamdyoung
Encryption is the Bad Guys' Friend
• Expect 70% of attacks to be encrypted by 2019
• 75% of Web Traffic will be encrypted by 2019 – NSS Labs, Nov 2016
(Sources cited on the slide: NSS Labs, Google Research)
SSL/TLS Decrypt:
• Expensive
• Defeats the purpose
• Doesn't always work
• Many applications will break (certificate pinning, HPKP, etc.)
• New protocols (TLS 1.3, SPDY, HTTP/2, QUIC)
• Vendors pushing TLS (Microsoft, Apple, Google, Facebook, etc.)
• Privacy and compliance
• Decryption is computationally expensive!
Challenges with hardware / software decryption
Certificate Pinning Example – Dropbox Client
HTTP/2 challenges on proxy/NGFW/<insert network device here>
• HTTP/2 is carried over TLS (browsers only speak it encrypted)
• Binary framing and HPACK header compression need to be parsed (no more cleartext)
• A single TCP connection is reused for many multiplexed streams
QUIC challenges on proxy/NGFW/<insert network device here…>
• QUIC is always encrypted
• QUIC uses multiplexed streams
• ...and most likely soon also across multiple paths (IETF work)
• Can use IPv4 and IPv6 concurrently to the same client
• If QUIC is not understood, connections look like unrelated UDP connections
• Either side of a QUIC connection can move to a new address (connection migration), so a device that does not parse QUIC cannot tell which side is inbound and which is outbound
Network: What can we do in the Firewall?
NGFW policy decisions for traffic decryption
Decryption → SSL Policy → Access Policy → IPS, App, etc.
Detecting the requested Host
The requested hostname is usually detected by one of two methods:
Transparent request (transparent proxy, FW):
1. Check the SNI name in the TLS ClientHello
2. Check the CN field (and SAN entries) in the Subject of the server certificate

Partial TLS Handshake (TLS 1.0 – 1.2)
TLS Client → TLS Server: ClientHello, SNI=www.example.com (desired server)
TLS Server → TLS Client: ServerHello, Certificate for www.example.net (actual server), key exchange (RSA key exchange: the client encrypts the pre-master secret to the server's public key; DHE/ECDHE: the server sends its Diffie-Hellman key, signed with the private key)
The certificate is sent in cleartext, so the firewall sees the actual server name and can avoid decrypting if the entire site is blacklisted or whitelisted. Note that the desired name (SNI) and the actual name (certificate) can differ.

Partial TLS Handshake (TLS 1.3)
TLS Client → TLS Server: ClientHello, SNI=www.example.com, client's Diffie-Hellman key share (desired server)
TLS Server → TLS Client: ServerHello with the server's Diffie-Hellman key share, followed by {Certificate for www.example.net} encrypted under the DH-derived keys (actual server)
With TLS 1.3 the certificate is encrypted, so the SNI in the ClientHello is the only hostname a passive device can see.
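The two handshake sketches above come down to one question for a transparent device: what can it read from the ClientHello before anything is encrypted? The following is an added example for this transcript (not Cisco or Firepower code). It builds a constructed ClientHello carrying an SNI and a supported_versions extension, then parses it the way an NGFW would to recover the SNI and to learn whether the client offers TLS 1.3, in which case the server certificate will never be visible. The hostname, the single cipher suite and the zeroed random are made-up sample values.

```python
"""Extract the SNI and the offered TLS versions from a TLS ClientHello record."""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
TLS13 = 0x0304


def build_client_hello(host: str, versions=(0x0304, 0x0303)) -> bytes:
    """Constructed ClientHello record (sample input, not a real capture)."""
    sni_name = host.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name      # name_type=host_name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry                # ServerNameList
    ver_list = b"".join(struct.pack("!H", v) for v in versions)
    ver_ext = bytes([len(ver_list)]) + ver_list                             # 1-byte list length
    extensions = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
                  + struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ver_ext)) + ver_ext)
    body = (b"\x03\x03" + bytes(32)        # legacy_version TLS 1.2, 32-byte random (zeros here)
            + b"\x00"                      # empty legacy_session_id
            + b"\x00\x02\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                  # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': str|None, 'tls13': bool}; raise ValueError if this is not a ClientHello."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                             # legacy_version + random
    pos += 1 + body[pos]                                     # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher suites
    pos += 1 + body[pos]                                     # compression methods
    result = {"sni": None, "tls13": False}
    if pos + 2 > len(body):
        return result                                        # no extensions at all (old client)
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if ext_type == EXT_SERVER_NAME and len(data) >= 5:
            # ServerNameList: 2-byte list length, then (type=0, 2-byte length, name)
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode("ascii", errors="replace")
        elif ext_type == EXT_SUPPORTED_VERSIONS and data:
            n = data[0]
            offered = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
            result["tls13"] = TLS13 in offered
    return result


def decrypt_decision(record: bytes) -> str:
    """What a middlebox can decide from the ClientHello alone."""
    info = parse_client_hello(record)
    if info["sni"] is None:
        return "no SNI: wait for the certificate (TLS<=1.2) or decide blindly"
    if info["tls13"]:
        return f"SNI={info['sni']}: TLS 1.3 offered, certificate will be encrypted; match on SNI only"
    return f"SNI={info['sni']}: TLS<=1.2 only, server certificate will also be visible"


if __name__ == "__main__":
    print(decrypt_decision(build_client_hello("www.example.com")))
    print(decrypt_decision(build_client_hello("www.example.com", versions=(0x0303,))))
```

The parser stops at the ClientHello on purpose: with TLS 1.3 there is nothing else in the clear, and a rule that waits for the certificate CN will simply never fire.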
SSL Policy Rule Actions
• For internal traffic going outside
• For external traffic going to an internal server (via passive interface)
SSL Inspection on Passive Interface
If the TLS connection uses PFS (DHE/ECDHE key exchange), traffic inspection is not possible: the server's private key only signs the handshake, so a copy of it does not let the NGFW derive the session keys.
[Diagram: Client ⇄ TAP ⇄ Server; the NGFW holding a copy of the server key and certificate recovers the cleartext "ABC" only for RSA key exchange, and sees only ciphertext when PFS is used]
Inspect Outgoing Traffic
Action: Decrypt and resign
For a self-signed server certificate the firewall can replace ONLY the key instead of re-signing the whole certificate, so the client browser still warns that the certificate is self-signed (the warning the user would have seen without inspection is preserved rather than hidden behind the internal CA).
Certificate to be used: the internal CA certificate the firewall re-signs with
Rule matching criteria
• Multiple criteria for matching the rule
• DN of the destination certificate
• Some predefined sites that are undecryptable
Settings per SSL Policy Rule
• Certificate status: revoked, self-signed, not yet valid, expired, invalid issuer, invalid signature, valid
• Cipher suite
• SSL version
If the certificate matches any of the selected statuses, the rule matches the traffic.
Example Rules for certificate checking
Rule "Block Certificate Errors": select the error statuses and exclude Self-signed → action Block
Example Rules – Checking Self-Signed
Rule "Self-signed": include Self-signed, ignore all other statuses → action BLOCK or whatever action you want...
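The rule semantics in the last few slides (match on any selected certificate status, exclude a status, narrow by version or cipher suite, first match wins) and the passive-interface caveat above fit in one small evaluator. The following is an added example for this transcript, not Firepower code: rule names, the action names, the connection dictionary and the cipher-suite table are illustrative, not a product schema. The key-exchange table uses IANA cipher-suite codes so the "decrypt with known key" action can refuse PFS suites instead of silently failing.

```python
"""Evaluate SSL policy rules against the attributes visible in a TLS handshake."""
from dataclasses import dataclass, field
from typing import Optional

# IANA cipher-suite codes and the key exchange they negotiate (subset).
KEY_EXCHANGE = {
    0x000A: "RSA", 0x002F: "RSA", 0x0035: "RSA", 0x009C: "RSA", 0x009D: "RSA",
    0x009E: "DHE", 0xC013: "ECDHE", 0xC014: "ECDHE",
    0xC02B: "ECDHE", 0xC02C: "ECDHE", 0xC02F: "ECDHE", 0xC030: "ECDHE",
}
ERROR_STATUSES = {"revoked", "not_yet_valid", "expired", "invalid_issuer", "invalid_signature"}


def passive_decrypt_possible(version: int, cipher_suite: int) -> bool:
    """A copy of the server's private key decrypts a session only when the client
    encrypted the pre-master secret to that key (RSA key exchange). With (EC)DHE,
    and in every TLS 1.3 suite, the key only signs, so a tap cannot derive session keys."""
    if version >= 0x0304:
        return False
    return KEY_EXCHANGE.get(cipher_suite) == "RSA"


@dataclass
class SslRule:
    name: str
    action: str                                   # block | decrypt_resign | decrypt_known_key | do_not_decrypt
    statuses: set = field(default_factory=set)    # match if the cert has ANY of these...
    excluded: set = field(default_factory=set)    # ...and NONE of these
    max_version: Optional[int] = None             # e.g. 0x0301 catches TLS 1.0 and older
    cipher_suites: set = field(default_factory=set)
    cert_cn_suffix: Optional[str] = None          # DN of the destination certificate

    def matches(self, conn: dict) -> bool:
        if self.statuses and not (self.statuses & conn["cert_status"]):
            return False
        if self.excluded & conn["cert_status"]:
            return False
        if self.max_version is not None and conn["version"] > self.max_version:
            return False
        if self.cipher_suites and conn["cipher_suite"] not in self.cipher_suites:
            return False
        if self.cert_cn_suffix and not conn["cert_cn"].endswith(self.cert_cn_suffix):
            return False
        return True


def evaluate(rules, conn: dict, default_action: str = "do_not_decrypt"):
    """First matching rule wins; returns (rule name, effective action)."""
    for rule in rules:
        if rule.matches(conn):
            action = rule.action
            if action == "decrypt_known_key" and not passive_decrypt_possible(conn["version"], conn["cipher_suite"]):
                action = "do_not_decrypt (PFS suite: known-key decryption impossible)"
            return rule.name, action
    return "default", default_action


# The two example rules from the slides, in evaluation order, plus two typical extras.
POLICY = [
    SslRule("Block Certificate Errors", "block", statuses=ERROR_STATUSES, excluded={"self_signed"}),
    SslRule("Self-signed", "do_not_decrypt", statuses={"self_signed"}),   # "or whatever action you want"
    SslRule("Legacy TLS 1.0", "block", max_version=0x0301),
    SslRule("Inbound to DMZ web server", "decrypt_known_key", cert_cn_suffix=".dmz.example.net"),
]

if __name__ == "__main__":
    conn = {"version": 0x0303, "cipher_suite": 0xC02F, "cert_status": {"valid"}, "cert_cn": "www.example.com"}
    print(evaluate(POLICY, conn))
```

Order matters: a certificate that is both self-signed and expired is caught by the second rule, not the first, which is exactly what "exclude self-signed" on the first rule buys you.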
Further firewall actions with TLS decryption
• SNI matching is always enabled
• No automatic download of missing intermediate certificates; manual upload is required
• By default, no action is taken on certificate checks for undecrypted HTTPS connections
• The client is responsible for any error message
• The firewall cannot prompt the client when there is an error
• The SSL policy needs to be attached to an access policy
Security Service Gateway (Radware ADC with Cisco Firepower)
[Diagram: Users → Radware ADC → Cisco Firepower → Radware ADC → Data Center]
• Visibility for inbound and outbound encrypted traffic
• Chain multiple inspection services
  - Load-balance service elements within a group
  - Bypass failed groups
• Bypass URLs/sites and IP addresses based on categories/policy
• Mix and match inspection elements, i.e. passive/active inspection elements
• Inspection elements can be L2/L3
  - Bump in the wire, routed, transparent, opaque
• Up to 45 Gbps of SSL/TLS throughput and 100K CPS
  - TLS 1.3 support
• FIPS 140-2 compliant
• Fully patent protected
  - More details at: http://www.google.com/patents/US7769994
Network: What can be done without decryption?
Firepower Management Center – Threat Intelligence Director
Ingest security intelligence → Correlate observations → Generate rich incident reports → Refine security posture
Ingests "flat files" and STIX observations from third-party sources:
• Threat intelligence feeds
• Threat intelligence platforms
Observables are pushed to the Cisco security appliances:
• Cisco Firepower NGFW
• Cisco FirePOWER NGIPS
Threat Intelligence Director assimilates third-party security intelligence.
Leverage Security Intelligence Feeds
• IP address, DNS, and URL feeds
• Multiple categories: malware, phishing, command and control, and more
• Black/white-list a URL with one click
• Fast-flux domain support
• Talos and 3rd-party feeds
“Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.”
Gartner’s Top 10 Security Predictions 2016
Current decryption methods are becoming obsolete
[Diagram: encrypted traffic vs. non-encrypted traffic]
How do you analyze threats without decrypting traffic flows? Can we actually solve this?
Encrypted Traffic Analytics (ETA): visibility and malware detection without decryption, using the network as a sensor
Malware in encrypted traffic
• End-to-end confidentiality
• Channel integrity during inspection
• Adapts with encryption standards
Is the payload within the TLS session malicious?
Cryptographic compliance
• Audit for TLS policy violations
• Passive detection of cipher-suite vulnerabilities
• Continuous monitoring of network opacity
How much of my digital business uses strong encryption?
Encrypted Traffic Analytics (ETA) – technical solution overview
• Encrypted traffic exporters: enhanced NetFlow from Cisco's newest switches and routers (Catalyst 9k, ISR, ASR*)
• Stealthwatch/ETA NetFlow collector(s): enhanced analytics and machine learning, integration with ISE and TrustSec
• Cisco Cloud Services: malware detection and cryptographic compliance
Higher visibility: enhanced NetFlow with encrypted traffic analytics from Cisco's newest switches and routers
Innovative detection: Stealthwatch enhanced analytics and machine learning reduce threat investigation time
Leveraged network: global-to-local knowledge correlation results in higher precision of threat findings
Network sensors: enhanced NetFlow record fields
srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets, IDP, SPLT
IDP – Initial Data Packet: the first packets of any connection contain valuable data about the content. For TLS that is the cleartext part of the handshake (ClientHello cipher suites and extensions including the SNI, the ServerHello's chosen suite, and the server certificate when it is sent unencrypted).
SPLT – Sequence of Packet Lengths and Times: gives visibility beyond the first packet of the encrypted flow, as a sequence of packet sizes and inter-arrival times that characterizes the conversation without touching the payload.
Encrypted Traffic Analytics (ETA) – the technology
NetFlow analytics with cloud intelligence:
• Enhanced NetFlow from Cisco's newest switches and routers (network metadata)
• Cisco Stealthwatch: enhanced analytics and machine learning
• Cisco Cloud: global-to-local knowledge correlation
Higher precision, faster investigation, leveraged network
99% threat detection accuracy, 0.01% false positives* (*Cisco research findings)
Visibility Through NetFlow
Example flow record exported by routers and switches (10.1.8.3 → 172.168.134.2 towards the Internet):
SOURCE ADDRESS        10.1.8.3
DESTINATION ADDRESS   172.168.134.2
SOURCE PORT           47321
DESTINATION PORT      443
INTERFACE             Gi0/0/0
IP TOS                0x00
IP PROTOCOL           6
NEXT HOP              172.168.25.1
TCP FLAGS             0x1A
SOURCE SGT            100
: :
APPLICATION NAME      NBAR SECURE-HTTP
NetFlow provides
• A trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurements
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Indications of compromise (IOC)
• Security group information
Behavioral and Anomaly Detection Model: behavioral algorithms are applied to build "security events"
Collect and analyze flows → Security events (94+) → Alarm category → Response
Security events (excerpt):
• Addr_Scan/tcp
• Addr_Scan/udp
• Bad_Flag_ACK**
• Beaconing Host
• Bot Command Control Server
• Bot Infected Host - Attempted
• Bot Infected Host - Successful
• Flow_Denied
• ...
• ICMP Flood
• ...
• Max Flows Initiated
• Max Flows Served
• ...
• Suspect Long Flow
• Suspect UDP Activity
• SYN Flood
Alarm categories: Concern, Exfiltration, C&C, Recon, Data hoarding, Exploitation, DDoS target
Responses: alarm table, host snapshot, syslog / SIEM, mitigation
Investigating a Host: summary and communication patterns
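Two of the security events listed above, Addr_Scan/tcp and Beaconing Host, need nothing but the flow fields shown on the NetFlow slide. The following is an added example for this transcript, not Stealthwatch's algorithms: it runs both detections over a constructed set of flow records and maps the hits to the alarm categories from the slide. The thresholds, the record layout and the sample flows are made up for illustration; a real collector would tune them per host group.

```python
"""Address-scan and beaconing detection over NetFlow-style records."""
from collections import defaultdict
from statistics import mean, pstdev


def addr_scan(flows, min_targets=20, max_bytes=200):
    """Addr_Scan/tcp: one source touches many distinct destinations on the same port
    with tiny flows (SYN-sized probes). Returns {(src, dport): target_count}."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["bytes"] <= max_bytes:
            targets[(f["src"], f["dport"])].add(f["dst"])
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


def beaconing(flows, min_flows=6, max_cv=0.1):
    """Beaconing Host: a (src, dst, dport) triple whose flows start at regular intervals.
    Regularity is the coefficient of variation (stddev / mean) of the start-time gaps:
    human browsing is bursty, a C2 check-in is metronomic."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["dport"])].append(f["start"])
    hits = {}
    for key, starts in by_pair.items():
        if len(starts) < min_flows:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        if cv <= max_cv:
            hits[key] = {"interval_s": round(m, 1), "cv": round(cv, 3), "count": len(starts)}
    return hits


def classify(flows):
    """Turn detections into alarms with the categories used on the slides."""
    alarms = []
    for (src, dport), n in addr_scan(flows).items():
        alarms.append({"event": "Addr_Scan/tcp", "category": "Recon", "host": src,
                       "detail": f"{n} hosts probed on tcp/{dport}"})
    for (src, dst, dport), info in beaconing(flows).items():
        alarms.append({"event": "Beaconing Host", "category": "C&C", "host": src,
                       "detail": f"{dst}:{dport} every {info['interval_s']}s x{info['count']}"})
    return alarms


def sample_flows():
    """Constructed flow records (not real telemetry)."""
    flows = []
    # 40 SYN-sized probes from 10.1.8.3 to 10.1.9.1-40 on tcp/445: a scan
    for i in range(1, 41):
        flows.append({"src": "10.1.8.3", "dst": f"10.1.9.{i}", "dport": 445,
                      "proto": 6, "bytes": 60, "start": 1000 + i})
    # 10.1.8.50 checks in with 203.0.113.7:443 every 300 s with +-1 s jitter: a beacon
    for k in range(12):
        flows.append({"src": "10.1.8.50", "dst": "203.0.113.7", "dport": 443,
                      "proto": 6, "bytes": 900, "start": 2000 + 300 * k + (k % 3) - 1})
    # 10.1.8.60 browses 198.51.100.9 at irregular times: benign
    for t in (10, 12, 40, 41, 300, 305, 900, 1900):
        flows.append({"src": "10.1.8.60", "dst": "198.51.100.9", "dport": 443,
                      "proto": 6, "bytes": 4000, "start": 5000 + t})
    return flows


if __name__ == "__main__":
    for alarm in classify(sample_flows()):
        print(alarm)
```

Note what the beacon detector never looks at: payload. Period and size regularity survive TLS, which is the whole point of flow-based detection on encrypted traffic.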
Cloud: What services can be delivered?
What about DNS protection? Cisco Umbrella
Umbrella Cloud Service
• Enterprise-wide deployment in minutes
• Blocks malware, C2 callbacks and phishing
• Intelligence to see attacks before they are launched
• Visibility and protection everywhere
• Stop threats before connections are made
Authoritative DNS logs, used to find:
• Newly staged infrastructure
• Malicious domains, IPs, ASNs
• DNS hijacking
• Fast-flux domains
• Related domains
User request patterns, used to detect:
• Compromised systems
• Command and control callbacks
• Malware and phishing attempts
• Algorithm-generated domains
• Domain co-occurrences
• Newly registered domains
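"Algorithm-generated domains" in the list above is the one detection a resolver can make from the query name alone, and "DNS and IP enforcement" on the next slide is what it does with the answer. The following is an added example for this transcript, not Umbrella's classifiers: it scores the registrable label of each query with a few lexical features (entropy, digit ratio, longest consonant run, length), checks an allowlist and a stand-in threat feed first, and returns either the original destination or a block-page address. The feature weights, the threshold, the block-page IP, the feed entries and the query log are constructed for illustration, and apex extraction is deliberately crude (a real implementation would use the public suffix list).

```python
"""Score DNS query names for DGA-like structure and enforce at the resolver."""
import math
import re
from collections import Counter

BLOCK_PAGE_IP = "192.0.2.1"                     # constructed "modified destination"
KNOWN_BAD = {"evil-c2.example"}                 # stand-in for Talos / partner feed entries
ALLOWLIST = {"example.com", "cisco.com", "starbucks.com"}   # known-good apex domains


def registrable(name: str) -> str:
    """Crude apex extraction: the last two labels (no public suffix list here)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dga_score(name: str) -> float:
    """Roughly 0..1 score on the leftmost label of the registrable domain."""
    label = registrable(name).split(".")[0]
    if len(label) < 6:
        return 0.0
    ent = entropy(label) / 4.0                                     # ~1.0 for random 16-char strings
    digits = sum(ch.isdigit() for ch in label) / len(label)
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", label)
    consonants = min(max((len(r) for r in runs), default=0) / 5.0, 1.0)
    length = min(len(label) / 20.0, 1.0)
    return round(0.45 * ent + 0.2 * digits + 0.2 * consonants + 0.15 * length, 3)


def resolve_policy(qname: str, threshold: float = 0.6) -> dict:
    """Decision a DNS-layer enforcer makes per query: allowlist, feed, then DGA score."""
    apex = registrable(qname)
    if apex in ALLOWLIST:
        return {"qname": qname, "action": "allow", "reason": "allowlist"}
    if apex in KNOWN_BAD:
        return {"qname": qname, "action": "block", "reason": "threat feed", "answer": BLOCK_PAGE_IP}
    score = dga_score(qname)
    if score >= threshold:
        return {"qname": qname, "action": "block", "reason": f"dga score {score}", "answer": BLOCK_PAGE_IP}
    return {"qname": qname, "action": "allow", "reason": f"dga score {score}"}


SAMPLE_QUERIES = [                 # constructed query log
    "www.example.com",
    "mail.starbucks.com",
    "beacon.evil-c2.example",
    "xk3j9qzt7vbw2m4p.info",
    "fjdkslqpwzmvnxcbyr.net",
    "weather.org",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(resolve_policy(q))
```

A lexical score like this is a tripwire, not a verdict: short dictionary-word DGAs slip under it, and long brand names can score high, which is why the allowlist runs first and why the slide pairs it with newly-registered-domain and co-occurrence signals.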
Gather intelligence and enforce security at the DNS layer
[Diagram: any device → Umbrella recursive DNS → authoritative DNS (root, com., domain.com.)]
Security controls:
• DNS and IP enforcement, driven by Cisco Talos feeds, partner feeds and a custom URL block list
• Risky domain inspection through the intelligent proxy: requests for "risky" domains are sent to the proxy for URL inspection and file inspection (AV engines, Cisco AMP); deeper inspection with decryption when needed (selective SSL decryption)
• File inspection (AMP and AV)
Outcome: safe requests go to the original destination; blocked requests get a modified destination (original destination or block page). Applies to Internet traffic on and off network.
Cisco Umbrella and Threat Grid integration: suspect domain protection
AMP Threat Grid (dynamic analysis, static analysis, threat intelligence) produces domain-based IOC data from file samples.
File samples come from AMP Threat Grid enabled security solutions: ASA/Firepower firewall appliance, Firepower, AMP, Web Security (WSA), Email Security (ESA), Mobile, and the security analyst.
Domain-based IOCs flow to Umbrella, giving protected clients immediate protection from domain-based IOCs.
Benefits
• Automated integration
• Full AMP solution coverage
• Enterprise-wide deployment in minutes
Off-network protection
• No additional agents to deploy with AnyConnect
• Or the Umbrella roaming client, which works alongside other VPNs for DNS and IP redirection
On-network protection (Cisco networking: WLAN Controller, ISR 4K, wireless APs, DNS/DHCP servers)
• Out-of-the-box integration
• Use of tags for granular filtering and reporting
• Policies per VLAN/SSID
• Simple configuration change to redirect DNS
• Policies for corporate and guests
Endpoint: First (and last!) line of defense
Security in the Endpoint
Network visibility – Network Visibility Module
• NetFlow data from the endpoint
• Device + username
• Application and process data
Roaming protection – Umbrella roaming agent
• Protects endpoint Internet traffic
• Off-prem DNS protection
• Per user / group reporting & policy
Threat protection – Advanced Malware Protection
• On- and off-prem file / malware blocking
Secure Access On and Off Premise: always-on and transparent connectivity with Trusted Network Detection
• On premise (trusted network): no VPN required
• Off premise (untrusted network): VPN required, terminated on the ASA
Flow analytics security from the endpoint with the AnyConnect Network Visibility Module (NVM)
Endpoint context, exported as an IPFIX-based NetFlow record to the collection & analytics services (NetFlow collector):
• Unique device ID
• Device name (bsmith-WIN) and OS version
• Domain\user name (Amer\bsmith)
• Local DNS (starbucks.com)
• Target DNS (amceco.box.com)
• Interface (Intel® Dual Band Wireless)
• Process/container name (iexplorer.exe) and process ID (hash)
• Parent process name (foobar.exe) and parent ID (hash)
AMP Continuous Analysis and Retrospective Security
Breadth and control points: endpoints, network, email, web (WWW), devices, IPS
Telemetry stream (continuous feed): file fingerprint and metadata, process information, file and network I/O
Continuous analysis with Talos + Threat Grid intelligence: trajectory, behavioral indications of compromise, threat hunting, retrospective detection
Mobile device security solutions are disruptive and leave gaps
Problem with today's options (custom browser app; VPN profile, always-on or on-demand; global HTTP proxy): end users have to change behavior and admin users carry the burden.
Solution: iOS Security Connector
• No user behavior changes: end users work as usual
• All network activity is seen
• Works with ALL apps
• Best visibility and performance for admin users
iOS Security Connector: one iOS app, two extensions (for supervised iPhone / iPad)
Umbrella app extension (encryption & enforcement):
• Visibility and control for all applications
• Defends against attacks and data exfiltration
Clarity app extension (auditing & correlation, AMP):
• Audits encrypted and clear-text flows by users, apps, and devices
Intelligence Matters
Talos – unmatched visibility, research, and analytics
• Threats across the Internet: hundreds of thousands of customers, tens of millions of users
• Threats inside your network
• 7.3T threats blocked annually
• 250+ threat researchers
• Hundreds of threat analytic engines
Build an Architecture – security that works together across endpoint, network and cloud (integrated, best of breed)
Cisco AMP, Cisco WSA or Firepower, Cisco Stealthwatch, Cisco WSA / Firepower / Umbrella, Cisco Umbrella, Cisco ISE, Cisco Firepower Threat Defense
Internal users to Internet: protecting the employees
[Diagram: employee → segmentation/TrustSec → firewall → Internet]
Controls along the path: identity authorization, segmentation / TrustSec, firewall, NGIPS, application control, anti-virus, advanced malware protection, network anti-malware, web proxy, URL filtering, SSL decryption, recursive DNS security, geo-filtering, flow analytics, data leakage protection (DLP), logging / reporting, SIEM
Talos intel background
Threat intel: 250+ full-time threat intel researchers; millions of telemetry agents; 4 global data centers; 1100+ threat traps; 100+ threat intelligence partners
Daily volume: 1.5 million malware samples; 600 billion email messages; 16 billion web requests; 20 billion threats blocked
Sources: honeypots, open source communities, vulnerability discovery (internal), product telemetry, Internet-wide scanning
Intel sharing: customer data sharing programs, provider coordination program, open source intel sharing, 3rd-party programs (MAPP), industry sharing partnerships (ISACs); 500+ participants
Cisco secure access solutions – focus areas
• Visibility (network and security analytics): Stealthwatch, ISE, Encrypted Traffic Analytics
• Threat prevention (threat protection): NGFW/NGIPS, Advanced Malware Protection (AMP), Umbrella / CloudLock
• Segmentation (firewall and access control): DNA, ISE, NGFW
Integrated Cisco Security Architecture
Cisco Security Homepage: Cisco.com/go/security
The Only Way
Rapid Threat Containment & Threat-Centric NAC: Cisco Firepower Management Center (FMC) and Cisco Identity Services Engine (ISE)
Benefits
• Detect threats early: Firepower scans activity and publishes events to ISE
• Automate endpoint containment: ISE alerts the network of suspicious activity according to policy
• Integrate best-of-breed security: a growing ecosystem of threat defense partners integrates with ISE
Rapid Threat Containment with Firepower Management Center and ISE (components: NGFW, FMC, ISE MnT node, access switch / wireless controller, Internet)
1. Security events / IOCs are reported by the NGFW to FMC
2. FMC correlation rules trigger a remediation action
3. FMC sends an EPS action over pxGrid to ISE: Quarantine + Re-Auth
4. ISE assigns the endpoint to Quarantine and sends a CoA-Reauth to the access device, so the endpoint is re-authorized into the quarantine policy
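Step 4 above ends with ISE sending a Change of Authorization to the access device. The following is an added example for this transcript, not ISE or Cisco code: it builds the RFC 5176 CoA-Request that carries such a reauthenticate instruction and shows the check a network access device performs before honouring it. The shared secret, the MAC address, the packet identifier and the Cisco AVPair strings are constructed/assumed values; the attribute and authenticator encoding follows RFC 2865 and RFC 5176.

```python
"""Build and verify a RADIUS CoA-Request (RFC 5176) for a quarantine + reauth."""
import hashlib
import struct

COA_REQUEST = 43
CALLING_STATION_ID = 31
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute wrapping one Cisco AVPair (vendor 9, sub-type 1)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa(identifier: int, secret: bytes, mac: str, avpairs) -> bytes:
    """CoA-Request: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attrs + Secret)."""
    attrs = attr(CALLING_STATION_ID, mac.encode()) + b"".join(cisco_avpair(a) for a in avpairs)
    length = 20 + len(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa(packet: bytes, secret: bytes) -> bool:
    """What the NAD does before acting: recompute the authenticator with the shared secret."""
    if len(packet) < 20 or packet[0] != COA_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]


def parse_attrs(packet: bytes) -> list:
    """Decode top-level attributes as (type, value) tuples."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            break                                   # malformed; stop rather than loop forever
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


# Assumed AVPair values for "re-authenticate this session"; the real strings are ISE's concern.
REAUTH_AVPAIRS = ["subscriber:command=reauthenticate", "subscriber:reauthenticate-type=last"]

if __name__ == "__main__":
    pkt = build_coa(7, b"constructed-secret", "00-11-22-33-44-55", REAUTH_AVPAIRS)
    print(len(pkt), verify_coa(pkt, b"constructed-secret"), parse_attrs(pkt)[0])
```

The authenticator is the only thing standing between an attacker on the management VLAN and a forged "reauthenticate everyone" packet, which is why the NAD must reject a CoA whose authenticator does not verify and why the shared secret should be unique per device.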
Cisco security ecosystem integrations (legend)
• Infrastructure & devices: switches, routers, wireless, endpoints, IoT, phones, printers (net protocols: RADIUS, NetFlow, DNS)
• Security platforms: ISE, WSA, ESA, FMC, SMC, VMC, SIEM (pxGrid, Firepower API, syslog, generic API)
• Cloud services: Talos, AMP/TG, Umbrella, CTA (Talos API, AMP/TG API)
Cisco API resources: https://developer.cisco.com/site/security/
Tetration answers your critical questions
• What was out of policy? (policy enforcement)
• Who talks with whom? (application dependency)
• Network DVR visibility, automatic policy discovery, audit & compliance
Cisco Segmentation with Active Threat Response
Step 1: Control policy and audit (Monitor)
• Comprehensive, contextual network flow visibility
• Real-time situational awareness of traffic
Step 2: Anomaly detection (Detect)
• Detect anomalous network behavior
• Detect network behaviors indicative of threats: worms, insider threats, DDoS and malware
Step 3: Dynamic enforcement (Respond)
• Quickly scope an incident
• Network troubleshooting
• One-click quarantine
Detect Data Center threats with Stealthwatch
Analyze
• Holistic network audit trail
• Threat hunting and forensic investigations
[Diagram: user → switch → router → WAN → router → firewall → data center switch → server / device]
End-to-end network visibility: threat detection and hunting; application traffic modeling & visibility; access control policy and audit; anomalous behavior
Integrated with other security solutions (1+1=3): greater visibility and security together with Cisco Tetration and Stealthwatch
Cisco Tetration Connection Manager: automated security policy recommendation
Step 1: Behavior analysis of application conversations (conversation details / process bindings)
Step 2: Auto-generation of whitelist policies
Whitelist policy recommendation
• Identifies application intent
• Generates 4-tuple policies
Export into Cisco solutions
• Export in JSON, XML and YAML
• Import into ACI, ASA, NGFW
Legacy rule cleanup
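The two steps above, observe conversations and collapse them into 4-tuple whitelist policies, plus the legacy rule cleanup, are a small aggregation problem once every IP has a group label. The following is an added example for this transcript, not Tetration's algorithm or export format: it groups constructed conversations by (consumer group, provider group, protocol, port), holds back one-off conversations for analyst review instead of enshrining them as policy, exports the result as JSON, and flags legacy rules that no discovered policy needs. The group names, the conversation sample and the legacy rule set are made up.

```python
"""Derive whitelist (allowlist) policies from observed application conversations."""
import json
from collections import Counter

# Constructed observed conversations: (src ip, dst ip, proto, dst port)
CONVERSATIONS = [
    ("10.10.1.5", "10.10.2.8", "tcp", 443), ("10.10.1.6", "10.10.2.8", "tcp", 443),
    ("10.10.1.5", "10.10.2.9", "tcp", 443), ("10.10.2.8", "10.10.3.20", "tcp", 3306),
    ("10.10.2.9", "10.10.3.20", "tcp", 3306), ("10.10.1.5", "10.10.3.20", "tcp", 3306),
    ("10.10.1.6", "10.10.2.8", "tcp", 443), ("10.10.9.1", "10.10.3.20", "tcp", 22),
]
# Constructed IP -> application tier mapping (from inventory tags)
GROUPS = {"10.10.1.5": "web", "10.10.1.6": "web", "10.10.2.8": "app", "10.10.2.9": "app",
          "10.10.3.20": "db", "10.10.9.1": "jumphost"}

LEGACY_RULES = [  # constructed existing firewall rules
    {"consumer": "web", "provider": "app", "proto": "tcp", "port": 443},
    {"consumer": "web", "provider": "db", "proto": "tcp", "port": 3306},   # web should not reach db directly
    {"consumer": "any", "provider": "db", "proto": "tcp", "port": 1433},   # nothing observed uses it
]


def group_of(ip: str) -> str:
    return GROUPS.get(ip, "unknown")


def discover_policies(conversations, min_flows=2):
    """Collapse conversations into (consumer, provider, proto, port) rules.
    Tuples seen fewer than min_flows times are returned separately for review so a
    single stray connection is not turned into policy."""
    counts = Counter((group_of(s), group_of(d), proto, port) for s, d, proto, port in conversations)
    rows = [{"consumer": c, "provider": p, "proto": proto, "port": port, "flows": n}
            for (c, p, proto, port), n in sorted(counts.items())]
    policies = [r for r in rows if r["flows"] >= min_flows]
    review = [r for r in rows if r["flows"] < min_flows]
    return policies, review


def export_json(policies) -> str:
    """Export the 4-tuples without the flow counts (illustrative format, not a product schema)."""
    return json.dumps({"policies": [{k: v for k, v in p.items() if k != "flows"} for p in policies]}, indent=2)


def legacy_cleanup(legacy_rules, policies):
    """Legacy rule cleanup: rules that no discovered policy needs (candidates to remove)."""
    needed = {(p["consumer"], p["provider"], p["proto"], p["port"]) for p in policies}
    return [r for r in legacy_rules if (r["consumer"], r["provider"], r["proto"], r["port"]) not in needed]


if __name__ == "__main__":
    pol, rev = discover_policies(CONVERSATIONS)
    print(export_json(pol))
    print("review:", rev)
    print("stale legacy rules:", legacy_cleanup(LEGACY_RULES, pol))
```

The review bucket is where the interesting finding lands here: a single web-tier host talking directly to the database is exactly the kind of conversation you want a human to look at before it becomes either policy or a quietly kept legacy rule.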
TrustSec Functions
Classification (endpoint identification): static classification or dynamic classification assigns Security Group Tags (SGTs) to endpoints
Propagation: inline tagging in the data plane (many options) or via the control plane (SXP or pxGrid)
Enforcement: on switch, router, firewall and wireless in an SGT-enabled network; enforcement and threat defense
Central management: group tag management and group policy management
Software-defined segmentation; open technology; heterogeneous environment
TrustSec integration – ACI (Data Center)
TrustSec policy domain: user → switch → router → WAN (GETVPN / DMVPN / IPsec) → router → firewall; classification at the edge; SGT carried over Ethernet, IPsec / DMVPN / GETVPN, or SXP; IP–Security Group bindings exchanged with the network
ACI policy domain: Nexus 9000 spine / leaf → server; IP–ClassId and VNI bindings
Cisco ISE 2.1 ⇄ Cisco APIC-DC: ISE creates matching Security Groups for Endpoint Groups and exchanges IP-SGT/EPG 'name bindings'