Exposing Risk Through Network Visibility | GSF 2012 | Session 4-3
DESCRIPTION
Cyber threats impact the security and economic viability of nations and businesses alike. These threats continue to increase exponentially. By: Chris Coleman
TRANSCRIPT
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Exposing Risk Through Network Visibility
Chris Coleman, Director, Cyber Security U.S. Public Sector
21 March 2012
1. Problem Definition
2. Solution Overview
3. Product Components and Availability
Manipulation | Theft & Espionage | Disruption
Cyber threats impact the security and economic viability of nations and businesses alike

Target: Nasdaq OMX
Impact: “Flash Crash” of May 2010
Exploit: Directors Desk Web-based Application

Target: Security and Defense Contractors
Impact: Intellectual Property Theft, 2009-2010
Exploit: Multiple Zero-day

Target: Iranian Nuclear Reactors
Impact: 2-5 Year Delay
Exploit: Siemens PLC Software
Attack volume: 624,000 attacks (2007); 2,600,000 attacks (2010); 5,700,000 attacks (2013, projected)
Customers Investing to Respond
Compromise Is Not “If,” but “When”
Sophisticated Attacks With Specific High-Stakes Intent
• 49% of threats are customized for target environment [1]
• $1T/year private sector revenue loss from cyber espionage [2]
• 5X increase in attacks against US Government 2006 to 2009 [3]
• 52% invested in network anomaly analysis/detection [6]
• 77% increase investment in security solutions in reaction to cyber threats [7]
• 59% of organizations believe they have been cyber threat targets [4]
• 46% believe they are still highly vulnerable despite increased prevention investments [5]
Sources: [1] Verizon Data Breach Report; [2] US House Intelligence; [3] Cyber Market Forecast; [4] ESG APT Report; [5–7] ESG
Customized Cyber Threats Evade Existing Security Constructs
• Security gateways: Firewall, IPS, Web Sec, N-AV, Email Sec
• Customized Threat Bypasses Security Gateways
• Threat Spreads Inside Perimeter
• Fingerprints of Threat are Found Only in Network Fabric
• Zeus A/V Detection Rate (Source: abuse.ch Zeus Tracker, 3/19/2012)
• Malware Customization
“Roughly half of the malware we discover is specifically targeted at our environment.” - U.S. Public Sector Customer
“We’ve detected malware that was compiled 5 minutes prior to being injected into our user base.” - U.S. Public Sector Customer
Source: Verizon 2011 Data Breach Investigations Report
Breached, but How, Where, and Who? Context Is Critical
• Often very difficult to find
• High-value assets—major consequences
• Network flow analysis is central to this process—throughout the network
Disparate Data Sources, Manual Assembly
• No single system provides all data to decipher an attack
• Related threats, identity, reputation, vulnerability, device type, etc.
• Analysts collect and assemble contextual information from a variety of systems
• Requires expensive analysts
Flow, Context, and Control
• Use NetFlow Data to Extend Visibility to the Access Layer
• Unite Flow Data With Identity, Reputation, Application for Context
• Network Switches as Enforcement Points for Increased Control
[Diagram: WHO, WHAT, WHERE, WHEN, HOW around the NETWORK; context questions for host 65.32.7.45: Reputation? Posture? Device? User? Events? Vulnerability, AV, Patch]
Unified View: Threat Analysis and Context in Lancope StealthWatch
• CONTEXT: Threat Context Data from Cisco Identity, Device, Posture, Reputation (SIO), Application
• FLOW: NetFlow Telemetry from Cisco Switches, Routers, and ASA 5500, covering the Internal Network and Borders
Find Internally Spreading Malware
Detect Recon Activity
Find Data Loss/Exfiltration
Detect Botnet and Command/Control Activity
Example Patterns Detected by Lancope StealthWatch Using NetFlow
• Unusual application traffic to/from hosts/subnets
• Duplicate traffic patterns
• Devices faking services (DHCP server not on list)
• Traffic destined to a blackhole or blacklisted hosts
• Protocol sequence anomalies (e.g. no SYN/FIN)
• Asymmetric traffic patterns—a lot of data going out
• Communication with unusual or “watchlist” nations
• Unusual quantities or duration of traffic
• One-way traffic—constant beacons
• Time of day patterns
• Repeated low volume connections
Threat Context Provided by Cisco ISE, Reputation, Application Recognition (NBAR)
• Who is being targeted?
• Is the user a critical target? (title and what part of the organization they are in, per AD/LDAP information)
• What information does the user have access to? (network authorization group they belong to)
• What device is the traffic coming from? (laptop, smartphone, etc.)
• Has the user had security posture failures recently? (quarantine and posture event status)
• Are there other relevant user session events? (access to all AAA events associated with the user)
• What is the reputation of the host the user is communicating with?
• What application is the traffic?
NetFlow Telemetry Comes in Two Forms
Sampled
• A small subset of traffic, usually less than 5%, is sampled and used to generate NetFlow telemetry; this gives a snapshot view into network activity, like reading a book by skimming every 100th page
Unsampled
• All traffic is used to generate NetFlow telemetry, providing a comprehensive view into all activity on the network; using the book analogy, this is reading every word in the book
The Customized, Stealthy Nature of Advanced Cyber Threats Requires Full, Unsampled NetFlow Visibility
Only a Cisco Catalyst Switch Can Deliver This Unsampled NetFlow at Line-Rate Without Any Network Performance Impact
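The detection patterns listed earlier (repeated low-volume connections, constant one-way beacons, asymmetric "a lot of data going out") and the sampled-versus-unsampled argument above can both be tried on flow records. The script below is an added example, not code from the presentation or from Cisco or Lancope. It constructs a day of unidirectional flow records (one beaconing host, one ordinary browsing host, one host pushing large transfers out), runs two small detectors over them, then runs the same detectors over a 1-in-1000 packet-sampled view of the same traffic. The 10.0.0.0/8 internal range, every address, the thresholds and the sampling model are assumptions made for the example.

```python
import ipaddress
import random
from collections import defaultdict
from statistics import mean, pstdev

# Assumed internal address space for the constructed data (not from the presentation).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def beacon_candidates(flows, min_count=8, max_jitter=0.2):
    """Repeated low-volume, one-way connections: an internal host talking to the same
    external destination/port at evenly spaced times. Jitter is the coefficient of
    variation of the gaps between flow start times; a real beacon keeps it small."""
    groups = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            groups[(f["src"], f["dst"], f["dport"])].append(f["start"])
    hits = []
    for key, starts in groups.items():
        if len(starts) < min_count:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= max_jitter:
            hits.append({"key": key, "count": len(starts),
                         "period_s": round(mean(gaps)), "jitter": round(jitter, 3)})
    return hits


def exfil_candidates(flows, min_out_bytes=50_000_000, min_ratio=10.0):
    """Asymmetric traffic: an internal host sending far more to the outside than it gets back."""
    out_bytes, in_bytes = defaultdict(int), defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            out_bytes[f["src"]] += f["bytes"]
        elif is_internal(f["dst"]) and not is_internal(f["src"]):
            in_bytes[f["dst"]] += f["bytes"]
    hits = []
    for host, out in out_bytes.items():
        inbound = in_bytes.get(host, 0)
        if out >= min_out_bytes and out >= min_ratio * max(inbound, 1):
            hits.append({"host": host, "out_bytes": out, "in_bytes": inbound})
    return hits


def sample_flows(flows, rate=1000, seed=1):
    """Model 1-in-`rate` packet sampling: a flow appears in sampled telemetry only if at
    least one of its packets was picked, so a 3-packet beacon is almost always invisible."""
    rng = random.Random(seed)
    return [f for f in flows if any(rng.random() < 1.0 / rate for _ in range(f["pkts"]))]


def build_flows(seed=2012):
    """Constructed 24 h of unidirectional flow records; not real telemetry."""
    rng = random.Random(seed)
    flows = []

    def add(start, src, dst, dport, nbytes, pkts):
        flows.append({"start": start, "src": src, "dst": dst,
                      "dport": dport, "bytes": nbytes, "pkts": pkts})

    # 1. Beacon: 10.0.227.12 checks in with 203.0.113.7:443 every 5 min (+/-15 s), ~500 bytes.
    for i in range(288):
        t = i * 300 + rng.uniform(-15, 15)
        add(t, "10.0.227.12", "203.0.113.7", 443, 500, 3)
        add(t + 0.2, "203.0.113.7", "10.0.227.12", 51234, 300, 2)
    # 2. Ordinary browsing: 10.0.227.13 talks to a pool of web servers at random times.
    servers = [f"198.51.100.{n}" for n in range(10, 30)]
    for _ in range(120):
        t = rng.uniform(0, 86400)
        dst = rng.choice(servers)
        add(t, "10.0.227.13", dst, 443, 2000, 20)
        add(t + 0.1, dst, "10.0.227.13", 51234, 50000, 40)
    # 3. Exfiltration: 10.0.227.14 pushes three 700 MB transfers out over FTP, gets little back.
    for i in range(3):
        t = 3600 * (2 + i)
        add(t, "10.0.227.14", "192.0.2.50", 21, 700_000_000, 480_000)
        add(t, "192.0.2.50", "10.0.227.14", 51234, 10_000, 150)
    return flows


def compare(rate=1000):
    """Run both detectors on the full telemetry and on a sampled view of the same traffic."""
    full = build_flows()
    sampled = sample_flows(full, rate=rate)
    return {
        "unsampled": {"beacons": beacon_candidates(full), "exfil": exfil_candidates(full)},
        "sampled": {"beacons": beacon_candidates(sampled), "exfil": exfil_candidates(sampled),
                    "flows_seen": len(sampled)},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compare(), indent=2, default=str))
```

On the full telemetry the beacon host is found by the regularity of its 288 check-ins and the exfiltrating host by its byte asymmetry. In the sampled view the big transfers still surface, because a flow with hundreds of thousands of packets is bound to be sampled, but the three-packet beacons almost never are, so the "low and slow" pattern disappears from the data before any detector sees it.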
Access: Cat 3K-X With Service Module (Adds NetFlow)
Access/Distribution: Cat 4K Sup7E, Sup7L-E (Line-Rate NetFlow); Cat 6K Sup2T (Line-Rate NetFlow)
Edge and Borders: ISR, ASR (Scale NetFlow, NBAR2)
Perimeter: ASA 5500 (Network Security Event Logging)
• Developed and patented at Cisco® Systems in 1996
• NetFlow is the de facto standard for acquiring IP operational data
• Provides network and security monitoring, network planning, traffic analysis, and IP accounting
1. Create and update flows in NetFlow cache

   SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol  TOS  Flgs  Pkts   SrcPort  SrcMsk  SrcAS  DstPort  DstMsk  DstAS  NextHop    Bytes/Pkt  Active  Idle
   Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1745    4
   Fa1/0  173.100.3.2   Fa0/0  10.0.227.12  6         40   0     2491   15       /26     196    15       /24     15     10.0.23.2  740        41.5    1
   Fa1/0  173.100.20.2  Fa0/0  10.0.227.12  11        80   10    10000  00A1     /24     180    00A1     /24     15     10.0.23.2  1428       1145.5  3
   Fa1/0  173.100.6.2   Fa0/0  10.0.227.12  6         40   0     2210   19       /30     180    19       /24     15     10.0.23.2  1040       24.5    14

2. Expiration. A flow leaves the cache and goes to export when:
   • Inactive timer expired (15 sec is default)
   • Active timer expired (30 min is default)
   • NetFlow cache is full (oldest flows are expired)
   • RST or FIN TCP flag
   Example of an expired flow (Active has reached 1800 sec, the 30 min default):

   SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol  TOS  Flgs  Pkts   SrcPort  SrcMsk  SrcAS  DstPort  DstMsk  DstAS  NextHop    Bytes/Pkt  Active  Idle
   Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1800    4

3. Aggregation (Yes/No). E.g., under the Protocol-Port aggregation scheme the flow becomes:

   Protocol  Pkts   SrcPort  DstPort  Bytes/Pkt
   11        11000  00A2     00A2     1528

4. Export version. Aggregated flows: export version 8 or 9. Non-aggregated flows: export version 5 or 9.

5. Transport protocol (UDP, SCTP). Export packet = Header + Payload (Flows).
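The cache lifecycle above (create/update, then expire on the inactive timer, the active timer, a full cache, or a TCP RST/FIN) is easy to misread from the diagram alone, so here is a small simulation of it. This is an added example written for this page, not Cisco code and not how IOS implements its cache; the timer values are the defaults quoted on the slide, the two-entry cache size and all traffic are constructed for the demonstration.

```python
from dataclasses import dataclass

# Defaults quoted on the slide: 15 s inactive timer, 30 min active timer.
INACTIVE_TIMEOUT = 15
ACTIVE_TIMEOUT = 30 * 60
TCP_FIN, TCP_RST = 0x01, 0x04


@dataclass
class Flow:
    key: tuple          # (src, dst, proto, sport, dport)
    first: float        # time of first packet
    last: float         # time of most recent packet
    packets: int = 0
    bytes: int = 0
    flags: int = 0      # OR of the TCP flags seen on the flow


class FlowCache:
    """Toy NetFlow cache: packets update flows; expired flows move to `exported`."""

    def __init__(self, max_flows=4):
        self.max_flows = max_flows
        self.cache = {}
        self.exported = []   # (reason, Flow) in export order

    def _export(self, key, reason):
        self.exported.append((reason, self.cache.pop(key)))

    def expire(self, now):
        """Age out flows: inactive timer first, then the active timer."""
        for key, f in list(self.cache.items()):
            if now - f.last >= INACTIVE_TIMEOUT:
                self._export(key, "inactive_timeout")
            elif now - f.first >= ACTIVE_TIMEOUT:
                self._export(key, "active_timeout")

    def packet(self, ts, src, dst, proto, sport, dport, size, tcp_flags=0):
        key = (src, dst, proto, sport, dport)
        self.expire(ts)
        f = self.cache.get(key)
        if f is None:
            if len(self.cache) >= self.max_flows:
                # Cache full: the flow idle the longest is exported to make room.
                oldest = min(self.cache, key=lambda k: self.cache[k].last)
                self._export(oldest, "cache_full")
            f = self.cache[key] = Flow(key, ts, ts)
        f.last, f.packets, f.bytes = ts, f.packets + 1, f.bytes + size
        f.flags |= tcp_flags
        if proto == 6 and tcp_flags & (TCP_FIN | TCP_RST):
            self._export(key, "tcp_fin_rst")   # TCP teardown ends the flow at once


def run_demo():
    """Constructed traffic that triggers all four expiry reasons; returns export summaries."""
    c = FlowCache(max_flows=2)
    # Flow A: short TCP session closed by FIN
    c.packet(0.0, "10.0.227.12", "203.0.113.7", 6, 51234, 443, 60, 0x02)
    c.packet(0.5, "10.0.227.12", "203.0.113.7", 6, 51234, 443, 1400)
    c.packet(1.0, "10.0.227.12", "203.0.113.7", 6, 51234, 443, 60, TCP_FIN)
    # Flow B: one DNS query; flow C: a long FTP upload starting at t=5
    c.packet(2.0, "10.0.227.13", "198.51.100.9", 17, 40000, 53, 80)
    c.packet(5.0, "10.0.227.14", "198.51.100.20", 6, 40001, 21, 1500)
    # Flow D arrives while the 2-entry cache is full, so B is evicted
    c.packet(6.0, "10.0.227.15", "198.51.100.30", 6, 40002, 80, 120)
    # The upload keeps sending every 10 s for ~31 min and crosses the active timer
    for t in range(10, 1900, 10):
        c.packet(5.0 + t, "10.0.227.14", "198.51.100.20", 6, 40001, 21, 1500)
    c.expire(5.0 + 1900 + 60)   # final sweep after traffic stops
    return [(reason, f.key[0], f.packets, f.bytes) for reason, f in c.exported]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The long upload is the case worth noticing: the active timer splits it into two exported records (180 packets, then the remaining 10), which is why a collector must stitch records by key rather than treat each one as a separate session.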
NetFlow v9 export packet layout:
HEADER
Template FlowSet
  Template Record: Template ID #1 (Specific Field Types and Lengths)
  Template Record: Template ID #2 (Specific Field Types and Lengths)
Data FlowSet, FlowSet ID #1 (laid out by Template 1)
  Data Record (Field Values)
  Data Record (Field Values)
Data FlowSet, FlowSet ID #2 (laid out by Template 2)
  Data Record (Field Values)
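A collector can only decode a data FlowSet once it has seen the template that describes it, and the length fields come from the network, so a parser has to check them. The following parser is an added example, not code from the presentation or any Cisco or Lancope product; it follows the RFC 3954 layout (20-byte header, FlowSet ID 0 for templates, IDs 256 and up for data), and the sample packet it builds, with its addresses and counters, is constructed here.

```python
import struct

# NetFlow v9 field type IDs (RFC 3954, section 8) used by this example
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
# Packet header: version, count, sysUptime, unix_secs, sequence, source_id
HEADER = struct.Struct("!HHIIII")


def decode_field(ftype, raw):
    if ftype in (8, 12):
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates=None):
    """Parse one NetFlow v9 export packet. `templates` is the collector's template cache,
    keyed by (source_id, template_id), so a template learned from an earlier packet can
    decode data FlowSets in later ones. Returns (header dict, list of decoded records)."""
    if templates is None:
        templates = {}
    version, count, uptime, unix_secs, seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    header = {"count": count, "sysUptime": uptime, "unix_secs": unix_secs,
              "sequence": seq, "source_id": source_id}
    records = []
    offset = HEADER.size
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed FlowSet length")   # never trust the length field
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:
            # Template FlowSet: one or more (template ID, field count, field type/length...)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif flowset_id >= 256:
            # Data FlowSet: its ID names the template that lays out the records
            tmpl = templates.get((source_id, flowset_id))
            rec_len = sum(flen for _, flen in tmpl) if tmpl else 0
            pos = 0
            # Data seen before its template is skipped, never guessed; a zero-length
            # template is refused so a hostile exporter cannot spin this loop forever.
            while rec_len and pos + rec_len <= len(body):   # leftover bytes are padding
                rec = {}
                for ftype, flen in tmpl:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        # FlowSet ID 1 (options template) and IDs 2-255 (reserved) are ignored here
        offset += length
    return header, records


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_sample_packet(include_template=True):
    """Construct an export packet (sample data, not a capture): template ID 256 with seven
    fields, then a data FlowSet holding two records laid out by that template."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, n) for t, n in fields)
    template_flowset = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, proto, nbytes, pkts):
        return ip_bytes(src) + ip_bytes(dst) + struct.pack("!HHBII", sport, dport, proto, nbytes, pkts)

    data = (rec("10.0.227.12", "203.0.113.7", 51234, 443, 6, 1528, 3)
            + rec("10.0.227.13", "198.51.100.9", 40001, 21, 6, 804000, 600))
    pad = (-(4 + len(data))) % 4          # FlowSets are padded to a 4-byte boundary
    data_flowset = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\x00" * pad
    count = 2 + (1 if include_template else 0)
    header = HEADER.pack(9, count, 123456, 1332115200, 1, 0)
    return header + (template_flowset if include_template else b"") + data_flowset


if __name__ == "__main__":
    hdr, recs = parse_v9(build_sample_packet())
    print(hdr)
    for r in recs:
        print(r)
```

Passing the same `templates` dictionary to successive `parse_v9` calls is what lets a data-only packet decode; without it the records are dropped silently, which is exactly what happens on a real collector restarted mid-stream until the exporter resends its templates.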
• A single record per monitor
• Potentially multiple monitors per interface
• Potentially multiple exporters per monitor
Example:
Interface
  Monitor “A”: Record “X”, Exporter “M”
  Monitor “B”: Record “Y”, Exporter “N”
  Monitor “C”: Record “Z”, Exporter “M”
1. Configure the Exporter (Where do I want my data sent?)
   Router(config)# flow exporter my-exporter
   Router(config-flow-exporter)# destination 1.1.1.1
2. Configure the Flow Record (What data do I want to meter?)
   Router(config)# flow record my-record
   Router(config-flow-record)# match ipv4 destination address
   Router(config-flow-record)# match ipv4 source address
   Router(config-flow-record)# collect counter bytes
3. Configure the Flow Monitor (How do I want to cache information?)
   Router(config)# flow monitor my-monitor
   Router(config-flow-monitor)# exporter my-exporter
   Router(config-flow-monitor)# record my-record
4. Apply to an Interface (Which interface do I want to monitor?)
   Router(config)# interface s3/0
   Router(config-if)# ip flow monitor my-monitor input
Key fields, IPv4: IP (Source or Destination); Prefix (Source or Destination); Mask (Source or Destination); Minimum-Mask (Source or Destination); Payload Size; Packet Section (Header); Packet Section (Payload); TTL; Protocol; Options bitmap; Fragmentation Flags; Fragmentation Offset; Version; Precedence; Identification; DSCP; Header Length; TOS; Total Length
Key fields, Interface: Input; Output
Key fields, Flow: Sampler ID; Direction
Key fields, Layer 2: Source MAC address; Destination MAC address; Dot1q VLAN; Source VLAN; Dest VLAN; Dot1q priority
Key fields, IPv6: IP (Source or Destination); Prefix (Source or Destination); Mask (Source or Destination); Minimum-Mask (Source or Destination); Payload Size; Packet Section (Header); Packet Section (Payload); DSCP; Protocol; Extension Headers; Traffic Class; Hop-Limit; Flow Label; Length; Option Header; Next-header; Header Length; Version; Payload Length
Key fields, Multicast: Replication Factor*; RPF Check Drop*; Is-Multicast
Key fields, Routing: Input VRF Name; BGP Next Hop; IGP Next Hop; src or dest AS; Peer AS; Traffic Index; Forwarding Status
Key fields, Transport: Destination Port; Source Port; ICMP Code; ICMP Type; IGMP Type*; TCP ACK Number; TCP Header Length; TCP Sequence Number; TCP Window-Size; TCP Source Port; TCP Destination Port; TCP Urgent Pointer; TCP Flag: ACK; TCP Flag: CWR; TCP Flag: ECE; TCP Flag: FIN; TCP Flag: PSH; TCP Flag: RST; TCP Flag: SYN; TCP Flag: URG; UDP Message Length; UDP Source Port; UDP Destination Port
Key fields, Application: Application ID (NEW: 2 or 4 bytes)
• Plus any of the potential “key” fields: will be the value from the first packet in the flow
Non-key fields, Counters: Bytes; Bytes Long; Bytes Square Sum; Bytes Square Sum Long; Packets; Packets Long
Non-key fields, Timestamp: sysUpTime First Packet; sysUpTime Last Packet
Non-key fields, IPv4: Total Length Minimum (*); Total Length Maximum (*); TTL Minimum; TTL Maximum
Non-key fields, IPv4 and IPv6: Total Length Minimum (**); Total Length Maximum (**)
(*) IPV4_TOTAL_LEN_MIN, IPV4_TOTAL_LEN_MAX; (**) IP_LENGTH_TOTAL_MIN, IP_LENGTH_TOTAL_MAX
Complexity of Cyber Threats Drives Need for Greater Flow Visibility Within the Access Layer
• Prevent Threats by Detecting During “Recon” Phase: Prevent Port/Network Scan…Threat Recon for Finding Networks, etc.
• Need Granular Data Available at Edge to Capture Customized Threats: Threats Run “Low and Slow” and Cover Their Own Tracks
• Sampling and Granularity: Better at Edge…Fewer False Positives
• Local Network Detection Required to Prevent Widespread Local Host Infection
Analyst Manually Collects Context
• Attack Bypasses Perimeter and Traverses Network
• Attack Traversing Network Generates Macro NetFlow
[Diagram: context questions for host 65.32.7.45: Reputation? Device? User? Events? Posture? Vulnerability, AV, Patch]
ACTIVE FLOWS: 728,345
SRC/65.32.7.45
  DST/171.54.9.2/US : HTTP
  DST/34.1.5.78/Venus : HTTPS
  DST/165.1.4.9/Mars : FTP
  DST/123.21.2.5/US : AIM
  DST/91.25.1.1/US : FACEBOOK
Single Pane of Glass: Automating Context Collection
• Attack Bypasses Perimeter and Traverses Network
• NetFlow at the Access Layer Provides Greater Granularity
ACTIVE FLOWS: 23,892
SRC/65.32.7.45
  DST/171.54.9.2/US : HTTP
  DST/34.1.5.78/Venus : HTTPS
  DST/165.1.4.9/Mars : FTP
  DST/123.21.2.5/US : AIM
  DST/91.25.1.1/US : FACEBOOK
Flow of interest: SRC/65.32.7.45 DST/165.1.4.9/Mars : FTP
Context: User/ORG = Pat Smith, R&D; Client = IBM XYZ100; DST = Poor Reputation
Customizable “Data Loss” Alarm: Alarm Delivers Alerts Prioritized by Severity Level
Drill Into Event Detail: Note Volume of Traffic Exfiltrated and % Outgoing Traffic
Pull Up Identity Information From Cisco ISE: Customizable Screen With Username, Auth Group, Posture, Device Profile
Query Cisco SenderBase for Host Reputation Information
View Threat Activity by Severity or by Threat Type
“Who’s Talking to Who” Visualization Among Hosts: Visualize Communications Patterns Associated With a Threat
Flow Exporters: NetFlow Is Generated By
• Cisco switches, routers, ASA 5500
• FlowSensors in areas without flow support
Flow Aggregation, Analysis, Content: Visibility and Management
• Aggregate up to 25 FlowCollectors—Up to 1.5 million flows per second
• Stores and analyzes flows up to 2,000 flow sources at up to 120K flows per second
• ISE, SIO, NBAR provide threat content
Threat Context
• Identity: Cisco ISE
• Application: NBAR on Cisco Routers
• Reputation: Cisco SIO
Generating NetFlow Telemetry
• Option 1: Generate NetFlow from Cisco infrastructure (Lowest Cost, Fewest Boxes)
• Option 2: Use StealthWatch FlowSensors to Generate NetFlow (Overlay for Legacy Infrastructure, Separate Operations)
Gathering Identity Context
• Option 1: Deploy Cisco ISE as User/Device Policy Infrastructure (Complete AAA, Device Profiling, Posture Context)
• Option 2: Cisco ISE and AAA/AD proxy into existing AAA infrastructure; no device profiling or posture context (Integration With Existing AAA Infrastructure)
NetFlow v5
NetFlow v5 Captures Essential Information Regarding Traffic Patterns
• Source/dest IP and port
• Packet counts
• Byte counts
• Flow duration
• I/O interfaces
Useful for Layers 3 and 4 Traffic Pattern Analysis
NetFlow v9
NetFlow v9 Extends NetFlow v5 by Adding:
• Numerous TCP flags/counters
• Flow direction
• Fragmentation flags
• ICMP and IGMP info
• Header stats
• Time-to-live
• DSCP/TOS info
• Destination routing info
Provides Insight to Malformed Packets, Protocol Manipulation, and Direction of Traffic
NetFlow v5 Is Useful, but NetFlow v9 Delivers Greater Insight
Cisco Cyber Threat Defense 1.1: Summer 2012
New Threat Dashboards
• Command/control traffic detection
• Recon detection
High-Availability for ISE Context
New Validated Platforms
• ASR1000
• Cisco WLAN (Unified)
• Cisco NetFlow Generator
• Cisco NetFlow Generator delivers superior price/performance
• Lancope FlowSensor provides better application visibility and management integrated in StealthWatch Management Console

                                         Cisco NetFlow Generator   Lancope FlowSensor
# OF MODELS                              1                         5
HIGHEST SCALE                            40 Gbps                   5 Gbps
PRICE                                    NTE $20,000               $4,695 to $82,995
APPLICATION DETECTION                    IPFIX App IDs             Dedicated App DPI
VM FLOW GENERATION                       No                        Yes
MANAGEMENT                               Device GUI                Unified—StealthWatch
TESTED FOR CISCO CYBER THREAT DEFENSE    Summer 2012               Yes
AVAILABILITY                             Summer 2012               Now