The Critical Security Controls and the StealthWatch System
DESCRIPTION
As today’s cyber-attackers become more sophisticated and nefarious, organizations must adopt the right mix of conventional and next-generation security tools to effectively defend their infrastructure from advanced threats. The Critical Security Controls effort is a growing movement that has been helping government agencies and large enterprises prioritize their cyber security spending accordingly. By leveraging NetFlow and other types of flow data, Lancope’s StealthWatch System delivers continuous network visibility to fulfill a number of the highest priority controls, enhancing timely detection of targeted threats and improving incident response. Learn the latest about the Critical Security Controls and hear how the StealthWatch System fits in.
TRANSCRIPT
![Page 1: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/1.jpg)
Ask the Expert Webcast: The Critical Security Controls and the StealthWatch System
John Pescatore, Director, SANS
Charles Herring, Lancope
![Page 2: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/2.jpg)
Obligatory Agenda Slide
• Housekeeping info
• Here’s what we will do
– 1:05 – 1:20 The Critical Security Controls – John Pescatore, SANS
– 1:20 – 1:45 StealthWatch – Charles Herring, Lancope
– 1:45 – 2:00 Q&A
![Page 3: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/3.jpg)
Bios
John Pescatore joined SANS in January 2013 with 35 years’ experience in computer, network and information security. He was Gartner’s lead security analyst for 13 years. Prior to joining Gartner Inc. in 1999, he was Senior Consultant for Entrust Technologies and Trusted Information Systems. Before that, John spent 11 years with GTE developing secure computing and telecommunications systems. Mr. Pescatore began his career at the National Security Agency and the United States Secret Service. He holds a Bachelor’s degree in Electrical Engineering from the University of Connecticut and is an NSA Certified Cryptologic Engineer.
![Page 4: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/4.jpg)
Bios
Charles Herring is Senior Systems Engineer at Lancope and a longtime StealthWatch user. While on active duty in the US Navy, Charles leveraged StealthWatch in his role as Lead Network Security Analyst for the Naval Postgraduate School. He was tasked with staffing and training Network Security Group personnel, building the security architecture and developing incident response procedures. After leaving the Navy, he spent six years consulting with the Federal government, disaster relief organizations and enterprises on network security, communication and process improvement.
![Page 5: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/5.jpg)
• Focus on protecting the mission first: effectively, efficiently and quickly
• Advanced targeted attacks are happening now
• Break the Breach Chain
• Compliance must follow security
![Page 6: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/6.jpg)
Disrupting the Breach Chain
[Diagram: DMZ Monitoring, Advanced Threat Detection, Monitor internal flows, Monitor external flows]
Source: Neusentry 2012 © 2013 The SANS™ Institute – www.sans.org
![Page 7: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/7.jpg)
Critical Security Controls
1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Wireless Access Control
8) Data Recovery Capability
9) Security Skills Assessment and Appropriate Training to Fill Gaps
10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring and Analysis of Audit Logs
15) Controlled Access Based on Need to Know
16) Account Monitoring and Control
17) Data Protection
18) Incident Response Capability
19) Secure Network Engineering
20) Penetration Tests and Red Team Exercises
![Page 8: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/8.jpg)
Benefits: Risk Reduction and Visibility
[Bar chart, 0% to 70%. Question: Where have the Controls you implemented made the most improvement and/or helped you close your gaps? (Check all that apply.) Categories: Risk reduction/vulnerability mitigation; Improvements to overall risk posture; Situational awareness/gap analysis; Compliance to mandates and regulations; Threat mitigation; Incident response; Detecting advanced attacks; Benchmarking systemic improvements; Other.]
![Page 9: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/9.jpg)
Critical Security Controls Update
• Now maintained by the Council On CyberSecurity
• Version 5.0 in public review
• Updated prioritization and definitions of subcontrols
![Page 10: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/10.jpg)
Getting to Continuous Security Action
Shield
Eliminate Root Cause
Monitor/ Report
Policy Assess Risk
Baseline Vuln Assessment/Pen Test Security Configuration
Mitigate
• FW/IPS/ATD • Anti-malware • NAC
• Patch Management • Config Management • Change Management
• Software Vuln Test • Training • Network Arch • Privilege Mgmt
Discovery/Inventory
• SIEM • Situational Awareness • Incident Response
Threats Regulations Requirements OTT Dictates
![Page 11: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/11.jpg)
The Critical Security Controls and the StealthWatch System
Charles Herring, Senior Systems Engineer, [email protected]
![Page 12: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/12.jpg)
Lancope: The Market Leader in Network Visibility
Technology Leadership
• Powerful threat intelligence
• Patented behavioral analysis
• Scalable monitoring up to 3M flows per second
• 150+ algorithms
Best of Breed
• 650 Enterprise Clients
• Key to Cisco’s Cyber Threat Defense
• Gartner recommended
• NBA market leader
• Flow-based monitoring
© 2013 Lancope, Inc. All rights reserved.
![Page 13: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/13.jpg)
Your Infrastructure Provides the Source...
[Network diagram: Internet; Atlanta, San Jose and New York sites; ASR-1000, Cat6k, UCS with Nexus 1000v, ASA, Cat6k, 3925 ISR, 3560-X, 3850 Stack(s), Cat4k Datacenter; WAN, DMZ and Access layers, each device exporting NetFlow]
© 2013 Lancope, Inc. All rights reserved.
![Page 14: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/14.jpg)
…for Total Visibility from Edge to Access.
[Same network diagram: Internet; Atlanta, San Jose and New York sites; ASR-1000, Cat6k, UCS with Nexus 1000v, ASA, Cat6k, 3925 ISR, 3560-X, 3850 Stack(s), Cat4k Datacenter; WAN, DMZ and Access layers]
© 2013 Lancope, Inc. All rights reserved.
![Page 15: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/15.jpg)
SANS Critical Controls: Boundary Defense

| Defense Type | L3, L4, L7 Blocking | Signature Detection | Emerging Threat Detection | Targeted Threat Detection |
|---|---|---|---|---|
| Firewalls | Yes | Limited | No | No |
| Signature IDS | Limited | Yes | No | No |
| Malware Sandbox | No | No | Yes | Limited |
| StealthWatch | No | Limited | Yes | Yes |
![Page 16: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/16.jpg)
Flow Statistical Analysis
© 2013 Lancope, Inc. All rights reserved.
![Page 17: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/17.jpg)
SANS Critical Controls: Monitoring & Audit

| Defense Type | Detection Mechanism | Data Source |
|---|---|---|
| SIEM | Boolean | Syslog |
| StealthWatch | Algorithmic | NetFlow |
![Page 18: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/18.jpg)
SANS Critical Controls: Incident Response and Management

| Logging Type | Data Stored |
|---|---|
| Endpoint | Hard Drive/Memory |
| Packet Capture | Raw PCAP |
| Log Collection | Syslog |
| StealthWatch | NetFlow |
![Page 19: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/19.jpg)
Transactional Audits of ALL activities
© 2013 Lancope, Inc. All rights reserved.
![Page 20: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/20.jpg)
SANS Critical Controls: Secure Network Engineering

| Monitor Type | Data Monitored |
|---|---|
| Firewall Change Control | Changes in FW Configuration records |
| Configuration Polling | SNMP |
| StealthWatch | NetFlow against Policy |
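The "NetFlow against Policy" row describes checking the flows actually observed against the intended network design. The following Python is an added illustration of that idea, not StealthWatch code and not from the slides: it evaluates constructed NetFlow-style records against a constructed zone policy and reports cross-zone flows the policy does not permit. The zone ranges, policy tuples and sample flows are all assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed zone definitions (assumption: three zones mirroring the slide's
# Datacenter / Access / DMZ layers, using documentation address ranges).
ZONES = {
    "datacenter": ipaddress.ip_network("10.10.0.0/16"),
    "access": ipaddress.ip_network("10.20.0.0/16"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# Constructed segmentation policy: (source zone, destination zone, dst port)
# tuples that the network design permits. Intra-zone traffic is permitted;
# every other cross-zone flow (including anything leaving the datacenter for
# an unknown/"external" address) is reported as a policy violation.
POLICY = {
    ("access", "dmz", 443),
    ("access", "datacenter", 445),
    ("dmz", "datacenter", 1433),
}


class Flow(NamedTuple):
    """Minimal NetFlow-style record: who talked to whom, on which port."""
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'external' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def check_flows(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) pairs for flows that cross zones without a policy match."""
    violations = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone == dst_zone or (src_zone, dst_zone, f.dport) in POLICY:
            continue
        violations.append((f, f"{src_zone}->{dst_zone}:{f.dport}/{f.proto} not permitted"))
    return violations


# Constructed sample flows: three permitted, three violating the policy.
SAMPLE_FLOWS = [
    Flow("10.20.1.5", "192.0.2.10", 443, "tcp"),      # access -> dmz HTTPS: allowed
    Flow("10.20.1.5", "10.10.3.7", 445, "tcp"),       # access -> datacenter SMB: allowed
    Flow("192.0.2.10", "10.10.3.7", 1433, "tcp"),     # dmz -> datacenter SQL: allowed
    Flow("10.20.1.9", "10.10.3.7", 22, "tcp"),        # access -> datacenter SSH: violation
    Flow("10.10.3.7", "203.0.113.50", 443, "tcp"),    # datacenter -> external: violation
    Flow("192.0.2.10", "10.20.1.5", 3389, "tcp"),     # dmz -> access RDP: violation
]

if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

In practice the policy table would be generated from the firewall and segmentation design, so that a flow record contradicting it points at either a misconfiguration or an unexpected path that Secure Network Engineering should close.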
![Page 21: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/21.jpg)
http://www.lancope.com
@Lancope (company) @netflowninjas (company blog)
https://www.facebook.com/Lancope
http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
https://plus.google.com/u/0/103996520487697388791/posts
http://feeds.feedburner.com/NetflowNinjas
Thank You
Charles Herring, Senior Systems Engineer, Lancope
© 2013 Lancope, Inc. All rights reserved.
![Page 22: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/22.jpg)
![Page 23: The Critical Security Controls and the StealthWatch System](https://reader034.vdocuments.us/reader034/viewer/2022042813/54b6f3fc4a7959f5698b4581/html5/thumbnails/23.jpg)
Resources
• SANS Reading Room: http://www.sans.org/reading_room/
• Blog: www.sans.org/security-trends/
• Sponsor link: http://www.lancope.com
• Questions: [email protected]