Cisco Incident Control System

Jørgen Gammelgaard, System Engineer, Cisco Denmark

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential. © 2005 Cisco Systems, Inc. All rights reserved. The Cisco Incident Control System includes embedded software and support from Trend Micro. Point of sale and registration data will be provided to both Cisco and Trend Micro.


Post on 06-Jul-2020


Outbreaks Continue to Plague Businesses

[Chart: Dollar Amount of Losses by Type of Incident]

Threats on the Rise

Increasing…
• Number of viruses & worms
• Speed of infection & propagation
• Sources/entry points of infection

Which drives demand for…
• Expertise, resources & scale
• Speed of response
• Breadth of mitigation

Cisco-Trend Micro Security Alliance

Market Leader in Network Security Solutions + Market Leader in Worm and Anti-Virus Solutions

Innovative, complementary marriage of non-overlapping solutions to deliver unique network virus and worm prevention capabilities

Cisco’s Self-Defending Network: Cisco strategy to dramatically improve the network’s ability to identify, prevent, and adapt to threats
• SYSTEM LEVEL SOLUTIONS: Endpoints + Networks + Policies; Partnerships; Services
• ADVANCED SECURITY TECHNOLOGIES: Endpoint Security; Application Firewall; SSL VPN; Network Anomaly
• SECURE INFRASTRUCTURE: Secure Connectivity; Threat Defense; Trust & Identity

Trend Micro - Enterprise Protection Strategy (EPS)

[Diagram: Proactive Outbreak Lifecycle Management. Events: Vulnerability Discovered, Malicious Code Attack, Malicious Code Eliminated. Phases: Vulnerability Prevention, Outbreak Prevention, Virus Response, Assessment and Restoration. Services: Trend Micro Vulnerability Assessment, Outbreak Prevention Services, Virus Response Services, Damage Cleanup Services. Layers: Outbreak Mgmt., Network Layer, Application Layer. Management: TREND MICRO CONTROL MANAGER.]

Cisco Incident Control System (Cisco ICS)

Addresses the protection from OUTBREAKS, a key part of the network virus/worm life cycle

• Prevents threats from entering network
  • Rapid: Response times unmatched in the industry
  • Timely: New, late-breaking threats
  • Effective: Broad deployment of mitigation points
  • Economical: Leverages existing Cisco infrastructure
• Flexible management
  • Granular control over outbreak defense policies
  • Response can be automatically or manually triggered

The Costs of Infection

[Chart: No. of Infections vs. Time. Markers: Signature Released, Signature Deployed, 6+ hours (typical). Label: Cost and Effort Incurred.]

Cisco ICS Reduces the Costs of Infection

• Reduces costs of infection
  • Rapid deployment of mitigation measures
    • Broad near-real-time (15 min.) ACL
    • High fidelity (90 min.) signature
  • Highly effective mitigation measures
  • Broadly applied mitigation measures
    • Across network infrastructure
• Net effect
  • Far fewer nodes affected means:
    • Less disruption and lost productivity
    • Greatly reduced remediation effort

Cisco ICS Reduces the Costs of Infection

[Chart: No. of Infections vs. Time. Markers: ICS ACL Released, ICS ACL Deployed, 15 minutes (typical); ICS Signature Released, ICS Signature Deployed, 90 minutes (typical). Labels: Cost and Effort Incurred; Cost and Effort Savings.]

Frequency of Actual Outbreaks - 2005

Outbreak History for Calendar Year 2005—TrendLabs

Name              Date
WORM_MYTOB.MX     11.24.05
WORM_SOBER.AG     11.22.05
WORM_SOBER.AC     10.12.05
WORM_RBOT.CBQ     08.24.05
WORM_ZOTOB.D      08.24.05
WORM_WURMARK.J    06.09.05
WORM_MYTOB.AR     06.09.05
WORM_MYTOB.BI     06.09.05
WORM_BOBAX.P      06.09.05
WORM_MYTOB.EG     05.17.05
WORM_MYTOB.ED     05.17.05
WORM_SOBER.S      05.11.05
WORM_FATSO.A      03.15.05
WORM_KELVIR.B     03.15.05
WORM_BAGLE.BE     03.08.05
WORM_MYDOOM.BB    02.21.05
WORM_BROPIA.F     02.10.05
WORM_BAGLE.AZ     02.04.05

Quarter        Qty
Jan Feb Mar    6
Apr May Jun    7
Jul Aug Sep    2
Oct Nov Dec    3
TOTAL: 18

Primary Components of Cisco ICS

• Outbreak intelligence: TrendLabs’ worldwide, real-time monitoring and signature development infrastructure
• Policy control: Cisco Incident Control Server administers and delivers virus- and worm-related solutions
• Line of defense: Broad set of Cisco® devices that can become rapid-response mitigation nodes

[Diagram: Enterprise Network. Labels: Cisco Incident Control Server (ICS server); Cisco IPS 4200 Series Sensor; Cisco Catalyst® 6500 Series IPS Blade; Router-Based IPS in Software; Cisco ASA 5500 Series Adaptive Security Appliance IPS Blade; Cisco Catalyst Blade; Router.]

Outbreak Declaration and Outbreak Prevention ACL (OPACL)

Outbreak & threat information
• Threat level
• Detailed description
• Typical impact/vectors
• Recommended OPACL

Policy/exceptions
• Manual or automatic
• Full control: Devices, groups, etc.
• Recommended or modified OPACL

[Diagram: Enterprise Network. Flow labels: Malware Outbreak! (t=0); OPACL (HTTPS); OPACL (SSH or HTTPS); OPACL, t=15 min (typical). Device labels: Cisco Incident Control Server (ICS server); Cisco IPS 4200 Series Sensor; Cisco® Catalyst® 6500 Series IPS Blade; Router-Based IPS in Software; Cisco ASA 5500 Series Adaptive Security Appliance IPS Blade; Cisco Catalyst Blade; Router.]

Outbreak Prevention Signature (OPSig)

Replaces OPACL

[Diagram: Enterprise Network. Flow labels: t=0; OPSig (HTTPS); OPSig (HTTPS); OPSig, t=90 min (typical); OPACL. Device labels: Cisco Incident Control Server (ICS server); Cisco IPS 4200 Series Sensor; Cisco® Catalyst® 6500 Series IPS Blade; Router-Based IPS in Software; Cisco ASA 5500 Series Adaptive Security Appliance IPS Blade; Cisco Catalyst Blade; Router.]

Incident Lifecycle Services by Trend Micro

• Premier level of virus, worm, and malware expertise in the industry
• Honeypots deployed in Japan, China, Korea, Taiwan, New Jersey, California, France, Germany and Philippines
  • Honeypots monitored 24x7 to identify and process malware threats before they affect customers
  • Most effective in capturing network-based threats (e.g., Bot malware and Code Red-type malware)
• Multi-Tiered 24 x 7 Support Services

Incident Lifecycle Services by Trend Micro (cont.)

• Service Centric
  • Assures prompt and efficient response to threats
  • Antivirus solutions available within the first hours of each outbreak
• Information Centric
  • High quality virus information through several publishing points, including the Virus Encyclopedia.
  • Provide time-critical information through notifications. The first wave of notifications is sent within 15 minutes of an outbreak.

TrendLabs Timeline–WORM_ZOTOB.D

00:00    Declared yellow alert: August 16, 2005, 05:12 PM (PDT)
+00:03   Worm e-mail blocked (OPACL)
+00:31   Virus blocked (OPSig)

[Diagram labels: WORM_ZOTOB.D; Exploit/Backdoor. First device group: Cisco IPS 4200 Series Sensor; Cisco Catalyst® Switch with IPS Blade; Cisco Router with IPS Software; Cisco® Switch; Cisco Router; Cisco ASA 5500 Series with AIP module. Second device group: Cisco IPS 4200 Series Sensor; Cisco Catalyst® Switch with IPS Blade; Cisco Router with IPS Software; Cisco ASA 5500 Series with AIP module.]

Cisco ICS—ACL Coverage

ACL Coverage for Cisco IOS® Software Devices

• Outbreak Prevention ACL (OPACL) within 15 min. (typical)
• Mitigation devices: Cisco IOS routers, Cisco IOS switches
• May require further action by admin due to OPACL’s coarse, potentially restrictive nature

OPACL examples:

WORM_MSBLAST.A (TCP Port 4444):
    deny tcp any any eq 4444

WORM_NACHI.A (ICMP):
    deny icmp any any

WORM_BAGLE.B (TCP/UDP Port 8866):
    deny tcp any any eq 8866
    deny udp any any eq 8866
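A pre-push review of the OPACL entries above against a site exception list, in the spirit of the manual mode and protocol/port exception lists this deck describes. This is an added example, not Cisco ICS code; the exception list, the function names and the hold/push decision are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# OPACL entries quoted on the slide, keyed by outbreak name.
SLIDE_OPACLS = {
    "WORM_MSBLAST.A": ["deny tcp any any eq 4444"],
    "WORM_NACHI.A": ["deny icmp any any"],
    "WORM_BAGLE.B": ["deny tcp any any eq 8866", "deny udp any any eq 8866"],
}

# Constructed exception list (hypothetical site policy): protocol/port pairs
# that must not be blocked. A port of None protects the whole protocol.
SITE_EXCEPTIONS = {
    ("icmp", None): "NMS reachability checks use ICMP echo",
    ("tcp", 443): "HTTPS management sessions",
}

ACE_RE = re.compile(
    r"^(deny|permit)\s+(ip|icmp|tcp|udp)\s+any\s+any(?:\s+eq\s+(\d+))?$"
)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    port: Optional[int]  # None = every port / the whole protocol


def parse_ace(line: str) -> Ace:
    """Parse the 'any any' entry form used in the slide's examples."""
    m = ACE_RE.match(line.strip().lower())
    if not m:
        raise ValueError(f"unsupported or malformed entry: {line!r}")
    action, proto, port = m.group(1), m.group(2), m.group(3)
    if port is not None:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"'eq <port>' is only valid for tcp/udp: {line!r}")
        if not 0 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {line!r}")
    return Ace(action, proto, int(port) if port is not None else None)


def overlaps(ace: Ace, proto: str, port: Optional[int]) -> bool:
    """True if the entry matches any traffic in the protected proto/port."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    return ace.port is None or port is None or ace.port == port


def review(lines, exceptions=SITE_EXCEPTIONS):
    """Return one (entry, decision, reasons) tuple per OPACL line."""
    results = []
    for line in lines:
        ace = parse_ace(line)
        reasons = [why for (proto, port), why in exceptions.items()
                   if ace.action == "deny" and overlaps(ace, proto, port)]
        if ace.action == "deny" and ace.port is None:
            reasons.append(f"coarse: blocks all {ace.proto} traffic")
        results.append((line, "hold" if reasons else "push", reasons))
    return results


if __name__ == "__main__":
    for worm, lines in SLIDE_OPACLS.items():
        for line, decision, reasons in review(lines):
            print(f"{worm:16} {line:28} {decision:5} {'; '.join(reasons)}")
```

Entries marked "hold" are the ones an administrator would review or modify before a manual push; the single-port entries pass straight through.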

Cisco ICS—IPS Coverage

Cisco® IPS Coverage for IPS-Capable Devices

• OPACL within 15 minutes (typical)
• OPACL removed and replaced with OPSig within 90 minutes (typical)
• Mitigation devices: All IPS-enabled devices
  • Cisco IPS 4200 Series sensors
  • Cisco Intrusion Detection System Module (IDSM2) for Cisco Catalyst® 6500 Series switches
  • Cisco IOS® routers with security image (Cisco IOS Intrusion Protection System)
  • Cisco ASA-5500 Series Adaptive Security Appliances with AIP-SSM module
• No further action required by admin, because the coarse ACL (OPACL) is automatically followed up with a fine-grained, high-fidelity signature (OPSig)

Cisco® Incident Control Server Functions

Strong Policy Control over OPACLs

• Logical naming and grouping of devices
• Automatic vs. manual modes
  • Notify and push OPACLs automatically
  • Notify, wait for OPACL review/modification and manual push
• Active vs. monitor modes
  • When pushed, OPACLs have drop/block action
  • When pushed, OPACLs have log/monitor action
• Undo function
  • Pull back all active OPACLs

Manual Mode Policy Control

Broad Policy Control over OPACLs

• Set OPACL expiration
• Enable/disable capabilities
  • Individual OPACL basis
  • Individual device basis
  • Group basis
• Exception lists
  • Prevent modifications to specific devices and/or groups
  • Prevent modifications to specific protocols/ports

Cisco ICS Enhances Cisco Services for IPS

[Chart: Fidelity of Signature (Low to High) vs. Typical Response Time (15 min., 90 min., 4–6+ hrs.). Plotted: Cisco ICS (OPACL); Cisco ICS (OPSig); Cisco Services for IPS (Multi-Sig Database); Other Competitive Solutions.]

• Standard Service: Standard response times; Broad vulnerability-based coverage
• Premium Service: Unmatched response times; Outbreak focused coverage

Cisco ICS Management & Monitoring

• Comprehensive onboard management
  • Threat information
  • Configuration of policies
  • Event reporting and statistics
• Supported by Cisco® Security Monitoring, Analysis and Response System (CS-MARS)
• Syslog client support for use with other reporting tools

Cisco ICS CS-MARS Support

• Parse, normalize and correlate events from Cisco® ICS Server
• Correlate Cisco ICS virus outbreak(s) with unusual activities coming from all routers and firewalls, such as ACL match events received
• Correlate Cisco ICS virus outbreak(s) with alerts from Cisco IPS solutions
• Full reporting: showing virus outbreaks, infected hosts, protecting device…
• Quickly identify host location and suggest mitigation action
• Correlate detected outbreak with deviation against normal traffic patterns

CS-MARS paints the complete end-to-end security activities picture by relating an outbreak to all PRE/POST activities

Cisco ICS Product Components and Licensing

• Cisco® ICS server
  • Platform for administration of Cisco ICS server coverage and mitigation device licenses
  • Is not itself licensed, but does require registration and key activation
• Cisco® ICS Mitigation Device Licenses
  • Require registration and key installation/activation in Cisco ICS server.

Cisco ICS Server System Requirements

The following specifications/versions (or greater) are required:

• Operating system (one of the following):
  • Windows 2000 Server or Advanced Server with SP3 (English and Japanese)
  • Windows 2003 Server Standard Edition or Enterprise Edition (English and Japanese)
• Web Server:
  • IIS: Windows 2000 IIS 5.0 or Windows 2003 IIS 6.0
  • Apache: 2.0
• Web Browser (for Web console access):
  • Internet Explorer version 5.5 SP2
• Hardware:
  • 866 MHz Intel Pentium III processor or equivalent
  • 512 MB of RAM
  • 350 MB of disk space

Cisco ICS Mitigation Device License Types

• ACL Coverage Licenses: Cisco® products that do not have IDS/IPS capabilities but support Access Control Lists (ACLs)
  • Cisco routers: 800, 1700, 1800, 2600XM, 2800, 3600, 3800, 7200, 7301 Series
  • Cisco switches: 3550, 6500, 7600 Series
• IPS Coverage Licenses: Cisco® products with full loadable IPS signature capabilities
  • Cisco IPS 4200 Series appliances
  • Cisco ASA 5500 Series appliances with the SSM-AIP module
  • Cisco Catalyst® 6500 IDSM2 blades
  • Cisco IOS routers with Cisco IOS Security Image (870 & above)

Cisco ICS Mitigation Device License Types

Two Types of IPS Coverage Licenses

• IPS high-end license: Midrange and high-end Cisco IPS devices
  • Cisco 3800 and 7200 Series routers
  • Cisco IPS 4235, 4240, 4250, 4250XL, and 4255 appliances
  • Cisco IDSM2 blades for Cisco Catalyst 6500 Series switches
  • Cisco ASA-5500 Series appliances with an AIP-SSM-20
• IPS low-end license: Low-end Cisco IPS devices
  • Cisco IPS 4215 sensors
  • Cisco ASA 5500 Series appliances with an AIP-SSM-10
  • Cisco 870, 1800, 1700, 2600XM, 3700 Series routers

Cisco Incident Control System vs. Services for IPS

Product Type
  Incident Control System: Premium annualized product solution
  Services for IPS Signature Updates: Annualized CA service

Threat/s addressed
  Incident Control System: Outbreak-focused single ACLs & signatures
  Services for IPS Signature Updates: All threats known by Cisco; Medium- & high-level threats known by Trend Micro since August 2004

Delivery Mechanism
  Incident Control System: Automatically pulled from TrendLabs
  Services for IPS Signature Updates: Automatically* pulled from Cisco (* With availability of CiscoWorks Management Center for IPS Sensors (IPS MC) v2.2 (target Sept05))

Relative Life Span
  Incident Control System: Temporary (Removed when signatures become available in a signature update package)
  Services for IPS Signature Updates: Permanent (With periodic updates)

Delivery Timeframe
  Incident Control System: Minutes
  Services for IPS Signature Updates: Hours

Scope & Coverage
  Incident Control System: Individual ACLs and signatures
  Services for IPS Signature Updates: Broad database

Enforced Pre-Requisites
  Incident Control System: IPS-enabled device; Cisco® Services for IPS contract for device
  Services for IPS Signature Updates: IDS/IPS-enabled device

Recommended Pre-Requisites
  Incident Control System: Direct: Bundled Cisco IDS/IPS sensors in a Cisco SmartNet Subscription Service
  Services for IPS Signature Updates: Direct: None* (*Cisco IDS/IPS sensors in a Cisco SMARTnet® Subscription Service bundled)

Signature Source
  Incident Control System: Trend Micro
  Services for IPS Signature Updates: Cisco and Trend Micro
