© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
The Cisco Incident Control System includes embedded software and support from Trend Micro. Point of sale and registration data will be provided to both Cisco and Trend Micro.
Cisco Incident Control System
Jørgen Gammelgaard, System Engineer, Cisco Denmark
Outbreaks Continue to Plague Businesses
[Chart: Dollar Amount of Losses by Type of Incident]
Threats on the Rise
Increasing…
• Number of viruses & worms
• Speed of infection & propagation
• Sources/entry points of infection
Which drives demand for…
• Expertise, resources & scale
• Speed of response
• Breadth of mitigation
Cisco-Trend Micro Security Alliance
Market Leader in Network Security Solutions
Cisco’s Self-Defending Network
Cisco strategy to dramatically improve the network’s ability to identify, prevent, and adapt to threats
SYSTEM LEVEL SOLUTIONS
• Endpoints + Networks + Policies
• Partnerships
• Services
ADVANCED SECURITY TECHNOLOGIES
• Endpoint Security
• Application Firewall
• SSL VPN
• Network Anomaly
SECURE INFRASTRUCTURE
• Secure Connectivity
• Threat Defense
• Trust & Identity
Market Leader in Worm and Anti-Virus Solutions+
Innovative, complementary marriage of non-overlapping solutions to deliver unique network virus and worm prevention capabilities
Trend Micro - Enterprise Protection Strategy (EPS)
Copyright 2004 - Trend Micro, Inc.
[Figure: Proactive Outbreak Lifecycle Management. Axes: Outbreak Mgmt., Network Layer, Application Layer. Lifecycle stages: Vulnerability Discovered, Vulnerability Prevention, Malicious Code Attack, Outbreak Prevention, Virus Response, Assessment and Restoration, Malicious Code Eliminated. Services: Trend Micro Vulnerability Assessment, Outbreak Prevention Services, Virus Response Services, Damage Cleanup Services, all coordinated by Trend Micro Control Manager.]
Cisco Incident Control System (Cisco ICS)
Addresses the protection from OUTBREAKS, a key part of the network virus/worm life cycle
Prevents threats from entering the network
• Rapid: Response times unmatched in the industry
• Timely: New, late-breaking threats
• Effective: Broad deployment of mitigation points
• Economical: Leverages existing Cisco infrastructure
Flexible management
• Granular control over outbreak defense policies
• Response can be automatically or manually triggered
The Costs of Infection
[Chart: Number of infections vs. time. Cost and effort incurred accumulate between "Signature Released" and "Signature Deployed", a gap of 6+ hours (typical).]
Cisco ICS Reduces the Costs of Infection
Reduces costs of infection:
• Rapid deployment of mitigation measures: broad near-real-time (15 min.) ACL; high fidelity (90 min.) signature
• Highly effective mitigation measures
• Broadly applied mitigation measures, across the network infrastructure
Net effect: far fewer nodes affected means less disruption and lost productivity, and greatly reduced remediation effort
Cisco ICS Reduces the Costs of Infection: Cost and Effort Savings
[Chart: Number of infections vs. time. ICS ACL released and deployed at 15 minutes (typical); ICS signature released and deployed at 90 minutes (typical). Cost and effort incurred is shown against the same axes as the 6+ hour signature-only timeline.]
Frequency of Actual Outbreaks - 2005
Outbreak History for Calendar Year 2005—TrendLabs
Name             Date
WORM_BAGLE.AZ    02.04.05
WORM_BROPIA.F    02.10.05
WORM_MYDOOM.BB   02.21.05
WORM_BAGLE.BE    03.08.05
WORM_FATSO.A     03.15.05
WORM_KELVIR.B    03.15.05
WORM_SOBER.S     05.11.05
WORM_MYTOB.ED    05.17.05
WORM_MYTOB.EG    05.17.05
WORM_BOBAX.P     06.09.05
WORM_MYTOB.AR    06.09.05
WORM_MYTOB.BI    06.09.05
WORM_WURMARK.J   06.09.05
WORM_RBOT.CBQ    08.24.05
WORM_ZOTOB.D     08.24.05
WORM_SOBER.AC    10.12.05
WORM_SOBER.AG    11.22.05
WORM_MYTOB.MX    11.24.05
Outbreaks per quarter: Jan–Mar 6; Apr–Jun 7; Jul–Sep 2; Oct–Dec 3
TOTAL: 18
Primary Components of Cisco ICS
[Diagram: Enterprise network with Cisco Incident Control Server (ICS server), Cisco IPS 4200 Series Sensor, Cisco Catalyst® 6500 Series IPS Blade, Cisco ASA 5500 Series Adaptive Security Appliance IPS Blade, router-based IPS in software, Cisco Catalyst blade, and router.]
Outbreak intelligence: TrendLabs’ worldwide, real-time monitoring and signature development infrastructure
Policy control: Cisco Incident Control Server administers and delivers virus- and worm-related solutions
Line of defense: Broad set of Cisco® devices that can become rapid-response mitigation nodes
Outbreak Declaration and Outbreak Prevention ACL (OPACL)
[Diagram: Enterprise network with Cisco Incident Control Server (ICS server), Cisco IPS 4200 Series Sensor, Cisco® Catalyst® 6500 Series IPS Blade, router-based IPS in software, Cisco Catalyst blade, router, and Cisco ASA 5500 Series Adaptive Security Appliance IPS Blade.]
t=0: Malware outbreak! Outbreak & threat information is delivered to the ICS server over HTTPS: threat level, detailed description, typical impact/vectors, recommended OPACL.
ICS server policy/exceptions: manual or automatic; full control over devices, groups, etc.; recommended or modified OPACL.
t=15 min (typical): OPACL pushed to the mitigation devices over SSH or HTTPS.
Outbreak Prevention Signature (OPSig) Replaces OPACL
[Diagram: Enterprise network with Cisco Incident Control Server (ICS server), Cisco IPS 4200 Series Sensor, Cisco® Catalyst® 6500 Series IPS Blade, router-based IPS in software, Cisco Catalyst blade, router, and Cisco ASA 5500 Series Adaptive Security Appliance IPS Blade.]
t=0: OPACL in place. The OPSig is delivered to the ICS server over HTTPS and pushed to IPS-capable devices over HTTPS.
t=90 min (typical): OPSig replaces the OPACL.
Incident Lifecycle Services by Trend Micro
Premier level of virus, worm, and malware expertise in the industry
Honeypots deployed in Japan, China, Korea, Taiwan, New Jersey, California, France, Germany and the Philippines
Honeypots monitored 24x7 to identify and process malware threats before they affect customers; most effective in capturing network-based threats (e.g., bot malware and Code Red-type malware)
Multi-Tiered 24 x 7 Support Services
Incident Lifecycle Services by Trend Micro (cont.)
Service Centric: Assures prompt and efficient response to threats; antivirus solutions available within the first hours of each outbreak
Information Centric: High quality virus information through several publishing points, including the Virus Encyclopedia. Provides time-critical information through notifications; the first wave of notifications is sent within 15 minutes of an outbreak.
TrendLabs Timeline–WORM_ZOTOB.D
[Timeline: 00:00, yellow alert declared for WORM_ZOTOB.D (August 16, 2005, 05:12 PM PDT). +00:03, worm e-mail blocked by the OPACL on Cisco® switches and Cisco routers. +00:31, the exploit/backdoor virus blocked by the OPSig on the Cisco IPS 4200 Series Sensor, Cisco Catalyst® switch with IPS blade, Cisco router with IPS software, and Cisco ASA 5500 Series with AIP module.]
Cisco ICS—ACL Coverage
ACL Coverage for Cisco IOS® Software Devices
Outbreak Prevention ACL (OPACL) within 15 min. (typical)
Mitigation devices: Cisco IOS routers, Cisco IOS switches
May require further action by the admin due to the OPACL’s coarse, potentially restrictive nature
OPACL examples:
WORM_MSBLAST.A (TCP Port 4444):
  deny tcp any any eq 4444
WORM_NACHI.A (ICMP):
  deny icmp any any
WORM_BAGLE.B (TCP/UDP Port 8866):
  deny tcp any any eq 8866
  deny udp any any eq 8866
Cisco ICS—IPS Coverage
Cisco® IPS Coverage for IPS-Capable Devices
OPACL within 15 minutes (typical)
OPACL removed and replaced with OPSig within 90 minutes (typical)
Mitigation devices: All IPS-enabled devices
• Cisco IPS 4200 Series sensors
• Cisco Intrusion Detection System Module (IDSM2) for Cisco Catalyst® 6500 Series switches
• Cisco IOS® routers with security image (Cisco IOS Intrusion Protection System)
• Cisco ASA 5500 Series Adaptive Security Appliances with AIP-SSM module
No further action required by the admin, because the coarse ACL (OPACL) is automatically followed up with a fine-grained, high-fidelity signature (OPSig)
Cisco® Incident Control Server Functions
Strong Policy Control over OPACLs
Logical naming and grouping of devices
Automatic vs. manual modes
• Automatic: notify and push OPACLs automatically
• Manual: notify, wait for OPACL review/modification, and push manually
Active vs. monitor modes
• Active: when pushed, OPACLs have drop/block action
• Monitor: when pushed, OPACLs have log/monitor action
Undo function: pull back all active OPACLs
Manual Mode Policy Control
Broad Policy Control over OPACLs
Set OPACL expiration
Enable/disable capabilities on an individual OPACL basis, an individual device basis, or a group basis
Exception lists
• Prevent modifications to specific devices and/or groups
• Prevent modifications to specific protocols/ports
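The OPACL examples from the ACL coverage slide and the policy controls listed above (automatic vs. manual, active vs. monitor, exception lists, expiration, undo) can be modelled together. The Python below is an added example written for this page; it is not Cisco ICS or Trend Micro code. The outbreak names and ports are the slide's own OPACL examples, while the device names, group names, policy field names and the 90-minute default lifetime (taken from the typical OPSig replacement time) are assumptions. Times are minutes since the outbreak declaration, matching the slides' t=0 / t=15 / t=90 notation.

```python
"""Added example, not Cisco ICS or Trend Micro code: a small model of the
OPACL policy controls on the slides (automatic/manual, active/monitor,
exception lists, expiration, undo) that renders Cisco IOS extended-ACL
configuration per device.  Outbreak names and ports are the slide's OPACL
examples; device names, group names, policy fields and the 90-minute default
lifetime (the typical OPSig replacement time) are assumptions.  Times are
minutes since the outbreak declaration (t=0)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Recommendation:
    outbreak: str               # e.g. "WORM_MSBLAST.A"
    protocols: tuple            # ("tcp",), ("icmp",) or ("tcp", "udp")
    port: Optional[int] = None  # None for port-less protocols such as icmp


@dataclass
class Device:
    name: str
    group: str


@dataclass
class Policy:
    mode: str = "active"        # "active": drop/block; "monitor": log only
    automatic: bool = True      # False: notify, wait for admin review, manual push
    lifetimeMinutes: int = 90   # OPACL expiration; OPSig typically replaces it at 90 min
    logMatches: bool = True     # add "log" so ACL hits reach syslog (and CS-MARS)
    exemptDevices: set = field(default_factory=set)
    exemptGroups: set = field(default_factory=set)
    exemptPorts: set = field(default_factory=set)   # {(proto, port)} never touched


def aclEntries(rec, policy):
    """One IOS access-list entry per protocol:
    '<deny|permit> <proto> any any [eq <port>] [log]'."""
    action = "deny" if policy.mode == "active" else "permit"
    entries = []
    for proto in rec.protocols:
        if (proto, rec.port) in policy.exemptPorts:
            continue  # protocol/port exception list
        port = f" eq {rec.port}" if rec.port is not None else ""
        log = " log" if policy.logMatches or policy.mode == "monitor" else ""
        entries.append(f"{action} {proto} any any{port}{log}")
    return entries


def buildOpacl(rec, policy, device, tMinutes=0):
    """Config for one device, or None if the device/group is exempt or nothing
    is left to block.  The trailing 'permit ip any any' matters: an IOS ACL
    ends with an implicit deny, so a lone 'deny' entry would drop all traffic."""
    if device.name in policy.exemptDevices or device.group in policy.exemptGroups:
        return None
    entries = aclEntries(rec, policy)
    if not entries:
        return None
    config = [f"ip access-list extended OPACL-{rec.outbreak}"]
    config += [f" {e}" for e in entries] + [" permit ip any any"]
    return {"config": config, "expiresAt": tMinutes + policy.lifetimeMinutes}


def planRollout(rec, policy, devices, tMinutes=0):
    """Device name -> config for every non-exempt device.  In manual mode the
    plan is 'approved' only after an admin reviews it, so it starts False."""
    plan = {}
    for d in devices:
        item = buildOpacl(rec, policy, d, tMinutes)
        if item is not None:
            plan[d.name] = item
    return {"approved": policy.automatic, "devices": plan}


def shouldWithdraw(expiresAt, nowMinutes, opsigDeployed):
    """Withdraw the OPACL at expiry, or earlier once an OPSig has replaced it."""
    return opsigDeployed or nowMinutes >= expiresAt


def undoConfig(rec):
    """Undo function: the command that pulls the OPACL back from a device."""
    return [f"no ip access-list extended OPACL-{rec.outbreak}"]


if __name__ == "__main__":
    msblast = Recommendation("WORM_MSBLAST.A", ("tcp",), 4444)
    fleet = [Device("edge-rtr-1", "wan"), Device("dc-sw-1", "datacenter")]
    rollout = planRollout(msblast, Policy(exemptGroups={"datacenter"}), fleet)
    for name, item in rollout["devices"].items():
        print(f"{name} (expires at t={item['expiresAt']} min):")
        print("\n".join(item["config"]))
```

The rendered access list still has to be applied to an interface with `ip access-group`, which the model leaves out; the point to take from it is the closing `permit ip any any`, without which a coarse outbreak ACL pushed to many devices would block everything rather than one port, and the monitor mode, which logs matches without dropping so an OPACL can be trialled before it is made active.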
Cisco ICS Enhances Cisco Services for IPS
[Chart: Fidelity of signature (low to high) vs. typical response time. Cisco ICS (OPACL): 15 min.; Cisco ICS (OPSig): 90 min.; Cisco Services for IPS (Multi-Sig Database): 4–6+ hrs.; other competitive solutions shown for comparison. Premium Service: unmatched response times, outbreak-focused coverage. Standard Service: standard response times, broad vulnerability-based coverage.]
Cisco ICS Management & Monitoring
Comprehensive onboard management: threat information, configuration of policies, event reporting and statistics
Supported by Cisco® Security Monitoring, Analysis and Response System (CS-MARS)
Syslog client support for use with other reporting tools
Cisco ICS CS-MARS Support
• Parse, normalize and correlate events from the Cisco® ICS Server
• Correlate Cisco ICS virus outbreak(s) with unusual activities coming from all routers and firewalls, such as ACL match events received
• Correlate Cisco ICS virus outbreak(s) with alerts from Cisco IPS solutions
• Full reporting, showing virus outbreaks, infected hosts, protecting device, etc.
• Quickly identify host location and suggest mitigation action
• Correlate detected outbreak with deviation against normal traffic patterns
CS-MARS paints the complete end-to-end security activities picture by relating an outbreak to all PRE/POST activities
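As an added illustration of the correlation the bullets describe (it is not CS-MARS or Cisco ICS code), the Python below parses Cisco IOS ACL log messages, keeps the ones that hit an outbreak's OPACL, and ranks source hosts by how many distinct targets they reached on the worm port, naming the device that first saw each. The `%SEC-6-IPACCESSLOGP` message body is the standard IOS ACL logging format; the `device :` prefix, the `OPACL-<outbreak>` naming convention, all addresses and the two-target threshold are constructed assumptions.

```python
"""Added example, not CS-MARS or Cisco ICS code: correlate IOS ACL match
events with a declared outbreak to rank likely infected hosts and name the
device that first saw each.  The %SEC-6-IPACCESSLOGP message body is the
standard IOS ACL logging format; the 'device :' prefix, the OPACL naming
convention, all addresses and the threshold are constructed assumptions."""
import re

# Constructed sample syslog as a collector might receive it from two devices.
SAMPLE_LOG = """\
edge-rtr-1 : %SEC-6-IPACCESSLOGP: list OPACL-WORM_MSBLAST.A denied tcp 10.1.20.7(1038) -> 10.1.30.9(4444), 1 packet
edge-rtr-1 : %SEC-6-IPACCESSLOGP: list OPACL-WORM_MSBLAST.A denied tcp 10.1.20.7(1039) -> 10.1.30.10(4444), 3 packets
dc-sw-1 : %SEC-6-IPACCESSLOGP: list OPACL-WORM_MSBLAST.A denied tcp 10.1.20.7(1040) -> 10.1.40.2(4444), 1 packet
dc-sw-1 : %SEC-6-IPACCESSLOGP: list OPACL-WORM_MSBLAST.A denied tcp 10.1.21.3(2001) -> 10.1.40.5(4444), 1 packet
edge-rtr-1 : %SEC-6-IPACCESSLOGP: list MGMT-IN denied tcp 192.0.2.44(5555) -> 10.1.30.9(23), 1 packet
dc-sw-1 : %SEC-6-IPACCESSLOGP: list OPACL-WORM_MSBLAST.A permitted tcp 10.1.22.9(3300) -> 10.1.40.2(4444), 1 packet
"""

LOG_RE = re.compile(
    r"^(?P<device>\S+) : %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)


def parseLine(line):
    """Normalize one syslog line into a dict, or None if it is not an ACL match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("sport", "dport", "count"):
        ev[key] = int(ev[key])
    return ev


def correlate(logText, outbreak, minDistinctTargets=2):
    """Keep events that hit the outbreak's OPACL (monitor mode logs 'permitted',
    which counts too), aggregate per source host, and flag hosts that reached
    several distinct targets on the worm port, the pattern of a scanning worm
    rather than a single stray connection."""
    aclName = f"OPACL-{outbreak}"
    perSource = {}
    for line in logText.splitlines():
        ev = parseLine(line)
        if ev is None or ev["acl"] != aclName:
            continue
        s = perSource.setdefault(
            ev["src"], {"packets": 0, "targets": set(), "firstSeenOn": ev["device"]})
        s["packets"] += ev["count"]
        s["targets"].add(ev["dst"])
    suspects = [
        {"host": src, "packets": s["packets"], "targets": len(s["targets"]),
         "firstSeenOn": s["firstSeenOn"]}
        for src, s in perSource.items() if len(s["targets"]) >= minDistinctTargets
    ]
    # Most aggressive scanner first; stable tie-break on address
    suspects.sort(key=lambda x: (-x["targets"], -x["packets"], x["host"]))
    return {"matched": perSource, "suspects": suspects}


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG, "WORM_MSBLAST.A")
    for s in result["suspects"]:
        print(f"{s['host']}: {s['targets']} targets, {s['packets']} packets, "
              f"first seen on {s['firstSeenOn']} -> isolate and clean")
```

Matches against unrelated access lists (the `MGMT-IN` line) are ignored, and a single hit on the worm port is kept in the per-source summary but not flagged, since one connection attempt is as likely to be a stray scan as an infection; the device that first logged a suspect is the natural place to look for the host's location.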
Cisco ICS Product Components and Licensing
Cisco® ICS server: platform for administration of Cisco ICS server coverage and mitigation device licenses. Is not itself licensed, but does require registration and key activation.
Cisco® ICS Mitigation Device Licenses: require registration and key installation/activation in the Cisco ICS server.
Cisco ICS Server System Requirements
The following specifications/versions (or greater) are required:
Operating system (one of the following):
• Windows 2000 Server or Advanced Server with SP3 (English and Japanese)
• Windows 2003 Server Standard Edition or Enterprise Edition (English and Japanese)
Web Server:
• IIS: Windows 2000 IIS 5.0 or Windows 2003 IIS 6.0
• Apache: 2.0
Web Browser (for Web console access): Internet Explorer version 5.5 SP2
Hardware: 866 MHz Intel Pentium III processor or equivalent; 512 MB of RAM; 350 MB of disk space
Cisco ICS Mitigation Device License Types
ACL Coverage Licenses: Cisco® products that do not have IDS/IPS capabilities but support Access Control Lists (ACLs)
• Cisco routers: 800, 1700, 1800, 2600XM, 2800, 3600, 3800, 7200, 7301 Series
• Cisco switches: 3550, 6500, 7600 Series
IPS Coverage Licenses: Cisco® products with full loadable IPS signature capabilities
• Cisco IPS 4200 Series appliances
• Cisco ASA 5500 Series appliances with the SSM-AIP module
• Cisco Catalyst® 6500 IDSM2 blades
• Cisco IOS routers with Cisco IOS Security Image (870 & above)
Cisco ICS Mitigation Device License Types (cont.)
Two Types of IPS Coverage Licenses
IPS high-end license: Midrange and high-end Cisco IPS devices
• Cisco 3800 and 7200 Series routers
• Cisco IPS 4235, 4240, 4250, 4250XL, and 4255 appliances
• Cisco IDSM2 blades for Cisco Catalyst 6500 Series switches
• Cisco ASA-5500 Series appliances with an AIP-SSM-20
IPS low-end license: Low-end Cisco IPS devices
• Cisco IPS 4215 sensors
• Cisco ASA 5500 Series appliances with an AIP-SSM-10
• Cisco 870, 1800, 1700, 2600XM, 3700 Series routers
Cisco Incident Control System vs. Services for IPS

                           | Incident Control System                                   | Services for IPS Signature Updates
Signature Source           | Trend Micro                                               | Cisco and Trend Micro
Recommended Pre-Requisites | Direct: Bundled Cisco IDS/IPS sensors in a Cisco SMARTnet® Subscription Service | Direct: None* (*Cisco IDS/IPS sensors in a Cisco SMARTnet® Subscription Service bundled)
Enforced Pre-Requisites    | IPS-enabled device; Cisco® Services for IPS contract for device | IDS/IPS-enabled device
Scope & Coverage           | Individual ACLs and signatures                            | Broad database
Delivery Timeframe         | Minutes                                                   | Hours
Relative Life Span         | Temporary (removed when signatures become available in a signature update package) | Permanent (with periodic updates)
Delivery Mechanism         | Automatically pulled from TrendLabs                       | Automatically* pulled from Cisco (*with availability of CiscoWorks Management Center for IPS Sensors (IPS MC) v2.2, target Sept 05)
Threat/s Addressed         | Outbreak-focused single ACLs & signatures                 | All threats known by Cisco; medium- & high-level threats known by Trend Micro since August 2004
Product Type               | Premium annualized product solution                       | Annualized CA service