SlideShare a Scribd company logo

NetFlow Monitoring for Cyber Threat Defense

Cisco Canada
Cisco Canada

Recent trends have led to the erosion of the security perimeter and increasingly attackers are gaining operational footprints on the network interior. For more information, please visit our website: http://www.cisco.com/web/CA/index.html

TechnologyEducation
1 of 89
Download to read offline
NetFlow Monitoring for Cyber Threat Defense T-SEC-10-I Matthew Robertson Security Technical Marketing Engineer
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public 3 “The whole art of war consists of guessing at what is on the other side of the hill.” Arthur Wellesley, 1st Duke of Wellington
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Defending against Humans 4 http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Evolution of Cyber Conflict War Dialing, Phone Phreaking … Manual Attacks (1980s) Viruses, Worms … Mechanized Attacks (1988) Google, RSA … Talented Human / Mechanized Attackers (2009) Cyrptocurrency Ransoms, Store-bought Credentials ... DIY Human / Mechanized Attackers (2011) Intelligence Driven Human Defenders 5 Manual Defenses Unplug Mechanized Defenses Firewall, IDS/IPS Targeted Human/Mechanized DefendersReputation, App-aware FirewallAPT, Multi-Step Attacks… Target, Neiman Marcus …
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Agenda 6 Introduction Understanding the Landscape Introduction to NetFlow Design and Deployment Working with NetFlow Flow ExportAdding Context Summary Organizing the data Running Queries and Investigations Flow Collection
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public About this session 7 https://learningnetwork.cisco.com/community/certifications/s ecurity/cybersecurity/scyber_exam http://www.cisco.com/go/securedatacenter http://www.cisco.com/go/threatdefense
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public About the Speaker Matthew Robertson  Security Technical Marketing Engineer  ½ year at Lancope  5½ years at Cisco – Development and Technical Marketing  Focused on advanced threat detection  Author of 2 CVD’s  I am Canadian! 8
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Thinking beyond the perimeter 9 Once the walls are built monitor for security visibility
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Signals Intelligence 10 Traffic Analysis: • Deduce information from communication patterns
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow 11 10.2.2.2 port 1024 10.1.1.1 port 80 eth0/1 eth0/2 Start Time Interfac e Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent TCP Flags 10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 SYN,ACK,PSH 10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 SYN,ACK,FIN Start Time Interfac e Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent TCP Flags 10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 SYN,ACK,PSH
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow = Visibility Router# show flow monitor CYBER-MONITOR cache … IPV4 SOURCE ADDRESS: 192.168.100.100 IPV4 DESTINATION ADDRESS: 192.168.20.6 TRNS SOURCE PORT: 47321 TRNS DESTINATION PORT: 443 INTERFACE INPUT: Gi0/0/0 IP TOS: 0x00 IP PROTOCOL: 6 ipv4 next hop address: 192.168.20.6 tcp flags: 0x1A interface output: Gi0/1.20 counter bytes: 1482 counter packets: 23 timestamp first: 12:33:53.358 timestamp last: 12:33:53.370 ip dscp: 0x00 ip ttl min: 127 ip ttl max: 127 application name: nbar secure-http … A single NetFlow Record provides a wealth of information 12
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Agenda 13 Introduction Understanding the Landscape Introduction to NetFlow Design and Deployment Flow Export
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Deployment Architecture 14 Management/Reporting Layer: • Run queries on flow data • Centralize management and reporting Flow Collection Layer: • Collection, storage and analysis of flow records Flow Exporting Layer: • Enables telemetry export • As close to the traffic source as possible NetFlow
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Considerations: Flow Exporting Layer 15 1. NetFlow support 2. Which version of NetFlow to use 3. How to configure/what to measure 4. Where in the network to enable NetFlow export
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Cisco NetFlow Support Cisco 2900 Cisco 7200 VXR Cisco Nexus 7000 Cisco XR 12000 Cisco 2800 Cisco 7600 Cisco 1700 Cisco Catalyst 6500 Cisco 3560/3750-X/3850 Cisco ASR Cisco ASA Cisco ISR G2 Hardware Supported Cisco Catalyst 4500 Cisco NGA 16 Cisco Nexus 1000v
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Versions of NetFlow Version Major Advantage Limits/Weaknesses V5 Defines 18 exported fields Simple and compact format Most commonly used format IPv4 only Fixed fields, fixed length fields only Single flow cache V9 Template-based IPv6 flows transported in IPv4 packets MPLS and BGP nexthop supported Defines 104 fields, including L2 fields Reports flow direction IPv6 flows transported in IPv4 packets Fixed length fields only Uses more memory Slower performance Single flow cache Flexible NetFlow (FNF) Template-based flow format (built on V9 protocol) Supports flow monitors (discrete caches) Supports selectable key fields and IPv6 Supports NBAR data fields Less common Requires more sophisticated platform to produce Requires more sophisticated system to consume IP Flow Information Export (IPFIX) AKA NetFlow V10 Standardised – RFC 5101, 5102, 6313 Supports variable length fields, NBAR2 Can export flows via IPv4 and IPv6 packets Even less common Only supported on a few Cisco platforms NSEL (ASA only) Built on NetFlow v9 protocol State-based flow logging (context) Pre and Post NAT reporting Missing many standard fields Limited support by collectors 17
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public How do I want to cache information Which interface do I want to monitor? What data do I want to meter? Router(config)# flow record my-record Router(config-flow-record)# match ipv4 destination address Router(config-flow-record)# match ipv4 source address Router(config-flow-record)# collect counter bytes Where do I want my data sent? Router(config)# flow exporter my-exporter Router(config-flow-exporter)# destination 1.1.1.1 Router(config)# flow monitor my-monitor Router(config-flow-monitor)# exporter my-exporter Router(config-flow-monitor)# record my-record Router(config)# interface s3/0 Router(config-if)# ip flow monitor my-monitor input 1. Configure the Exporter 2. Configure the Flow Record 3. Configure the Flow Monitor 4. Apply to an Interface Configuring Flexible NetFlow 18 Best Practice: include all v5 fields
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Deployment 19 Access Catalyst® 3560/3750-X Catalyst® 4500 Catalyst® 6500 Distribution & Core Catalyst® 4500 ASA ISR Edge ASR Each network layer offers unique NetFlow capabilities
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Deployment 20 Access Catalyst® 3560/3750-X Catalyst® 4500 Access: • New network edge • Detect threats as the enter the network • Detect threats inside the switch • east-west • Layer 2 traffic • Fewer false positives • Higher-granular visibility • Identify the endpoint • collect MAC Address
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Catalyst 3650-X,3750-X Flow Record 21 ! flow record CYBER_3KX_FLOW_RECORD
 match datalink mac source- address match datalink mac destination-address match datalink mac source-vlan-id match ipv4 tos match ipv4 ttl match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port
 collect interface input snmp
 collect interface output snmp
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first collect timestamp sys-uptime last !
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Catalyst 4500 Flow Record 22 ! flow record CYBER_4K_FLOW_RECORD match ipv4 tos match ipv4 protocol match ipv4 source address
 match ipv4 destination address match transport source-port match transport destination-port collect ipv4 dscp collect ipv4 ttl minimum collect ipv4 ttl maximum collect transport tcp flags collect interface output collect counter bytes collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last !
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Deployment - Converged Access 23 Converged Access: • NetFlow for the first time on Wireless • Visibility in BYOD environments • Consistent configuration for wired and wireless • Single flow monitor can be applied to wired ports and SSID • Natively available in the UADP ASIC • Can monitor East-West and North-South flows • 48k flows on the 48 port model
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Deployment 24 Catalyst® 6500 Distribution & Core Catalyst® 4500 Distribution & Core: • Traditional deployment • Minimal recommended deployment • Enable at critical points/bottle necks • Typically done on a Layer 3 boundary • Detect threats internal to the VLAN • When deployed on an SVI interface • Detect threats as they traverse the internal network • Move between subnets
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Catalyst 6500 (Sup 2T) Flow Record 25 ! flow record CYBER_6K_FLOW_RECORD match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input collect transport tcp flags collect interface output collect counter bytes collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last !
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Deployment 26 ASA ISR Edge ASR Edge: • Detect threats as they enter and leave the network • Monitor communication between branches • Gain context from edge devices • Application - NBAR • Events & User-ID - NSEL
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public ISR Flow Record 27 !
flow record CYBER_ISR_RECORD match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input collect routing next-hop address ipv4 collect ipv4 dscp collect ipv4 ttl minimum collect ipv4 ttl maximum collect transport tcp flags collect interface output collect counter bytes collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last collect application name ! Enable NBAR
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public ASA NSEL Configuration 28 ! flow-export destination management <ip-address> 2055 ! policy-map global_policy class class-default flow-export event-type all destination <ip-address> ! flow-export template timeout-rate 2 logging flow-export syslogs disable !
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Flow Monitor Configuration 29 ! flow monitor CYBER_MONITOR
 record CYBER_RECORD exporter CYBER_EXPORTER cache timeout active 60 cache timeout inactive 15 ! Active Timeout: • Longest amount of time a flow can be in cache without exporting a Flow Record • Recommended 60 seconds • All exporters should have the same timeout Inactive Timeout: • How long a flow can be inactive before being removed from cache • Recommended 15 seconds • All exporters should have the same timeout
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Aside: Myths about NetFlow Generation 30 Myth #1: NetFlow impacts performance • Hardware implemented NetFlow has no performance impact • Software implementation is typically significantly <15% processing overhead Myth #2: NetFlow has bandwidth overhead • NetFlow is a summary protocol • Traffic overhead is typically significantly <1% of total traffic per exporting device
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Agenda 31 Introduction Understanding the Landscape Introduction to NetFlow Design and Deployment Flow ExportFlow Collection
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Flow Collection Considerations 32 Flow Handling • De-duplication • Stitching • Replication Scalability & Performance • # of NetFlow sources • # of users • Flows per second • Sustained vs. burst Your time, resources and budget Feature set • Reporting • Drill down • Retention • Analysis NetFlow NetFlow NetFlow
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Components for NetFlow Security Monitoring 33 Cisco Network StealthWatch FlowReplicator • UDP Packet copier • Forward to multiple collection systems NetFlow StealthWatch FlowSensor • Generate NetFlow data StealthWatch FlowSensor VE • Virtual environment • Visibility into ESX StealthWatch FlowCollector • Collect and analyze • Up to 2000 sources • Up to sustained 120,000 fps StealthWatch Management Console • Management and reporting • Up to 25 FlowCollectors • Up 3 million fps globally Best Practice: Centralize collection globally
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Collection: Flow Stitching 34 10.2.2.2 port 1024 10.1.1.1 port 80 eth0/1 eth0/2 Start Time Interface Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent 10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 Start Time Client IP Client Port Server IP Server Port Proto Client Bytes Client Pkts Server Bytes Server Pkts Interfaces 10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 eth0/1 eth0/2 Uni-directional flow records Bi-directional: • Conversation flow record • Allows easy visualization and analysis
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Collection: De-duplication 35 Router A Router B Router C Router A: 10.2.2.2:1024 -> 10.1.1.1:80 Router B: 10.2.2.2:1024 -> 10.1.1.1:80 Router C: 10.1.1.1:80 -> 10.2.2.2:1024 • Without de-duplication: • Traffic volume can be misreported • False positive would occur • Allows for the efficient storage of flow data • Necessary for accurate host-level reporting • Does not discard data 10.2.2.2 port 1024 10.1.1.1 port 80 Duplicates
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Conversational Flow Record 36 Who WhoWhat More Details When How
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Integrating with a SIEM 37 Log alarms and summary info to SIEM • Complete visibility throughout network • Leverage specialty data handling NetFlowSyslog SDEE SIEM Security Events API API’s to access database • Directly access flow data (ex. getFlows) • Improved scale - collection and retention • Decreased cost
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Agenda 38 Introduction Understanding the Landscape Introduction to NetFlow Design and Deployment Flow ExportAdding Context Flow Collection
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Context is Critical 39
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public ISE as a Telemetry Source 40 Monitor Mode • Open Mode, Multi-Auth • Unobstructed Access • No impact on productivity • Profiling, posture assessment • Gain Visibility Authenticated Session Table Cisco ISE • Maintain historical session table • Correlate NetFlow to username • Build User-centric reports StealthWatch Management Console syslog
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Configuration: Logging on ISE 41 1. Create Remote Logging Target on ISE 2. Add Target to Logging Categories 1 2 Required Logging categories: • AAA Audit • RADIUS Accounting • Profiler • Administrative and Operational Audit
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Configuration: Add ISE to SMC 42 3 3 4. Add additional ISE nodes 1. (Not Shown) Create Admin User on ISE 2. (Not Shown) Configure ISE or CA certificate on SMC 3. (Shown) Add Cisco ISE to SMC Configuration 4. (Shown) Add additional ISE nodes
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Global Intelligence 43 List of known Command and Control Servers
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Adding Situational Awareness 44 Client Host Client Host Group Server Host Server Host Groups Application Duratio n Total Traffic Start Active Time 10.201.3.149 Sales and Marketing, End User Devices 89.108.67.143 Russian Federation HTTP 23s 256.56K Jan 11, 2014
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Adding Situational Awareness 45 Client User Name Client Host Client Host Group Server Host Server Host Groups Application Duratio n Total Traffic Start Active Time Ken 10.201.3.14 9 Sales and Marketing, End User Devices 89.108.67.143 Russian Federation, Zeus HTTP 23s 256.56K Jan 11, 2014
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Agenda 46 Introduction Understanding the Landscape Introduction to NetFlow Design and Deployment Working with NetFlow Flow ExportAdding Context Organizing the data Running Queries and Investigations Flow Collection
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Behavioural Analysis & Anomaly Detection 47 Behavioural Analysis: • Leverages knowledge of known bad behaviour Anomaly Detection: • Identify a change from “normal”
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public StealthWatch: Indices 48 Concern Index: Track hosts that appear to compromising network integrity Target Index: Track hosts that appear to be victims of the suspicious behaviour of other hosts File Sharing Index: Tracks behaviour that is indicative of peer-to-peer activity
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public StealthWatch: Alarms 49 Alarms • Indicate significant behaviour changes and policy violations • Known and unknown attacks generate alarms • Activity that falls outside the baseline, acceptable behaviour or established policies
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Host Groups 50 Virtual container of multiple IP Addresses/ranges that have similar attributes Lab servers Best Practice: classify all known IP Addresses in one or more host groups
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Policy Tuning 51 Policies can be created for individual host groups Tune alarm thresholds Default policy for Inside and Outside hosts
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Flow Query Basics – The Flow Table 52 Filter Filter conditions Details More details
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Flow Query Basics - Filtering 53 Select host to investigate All flows in which this host was a client or server
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Flow Query Basics - Filtering 54 All flows for 10.10.200.79 in the last hour
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Flow Table: Visibility across NAT 55 Inside local Outside global Server User
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Querying Events - Leveraging NSEL 56 Flow denied events over many ports
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Flow Table – IPv6 57
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Host Groups – Targeted Monitoring 58 Suspiciously behaving hosts Alarms Host Group Dashboard for Engineers
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Host Groups – Application Report 59 Applications outbound Applications inbound
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Host Groups – Targeted Reporting 60 Geo-IP-based Host Group Summary chart of traffic inbound and outbound from this Host Group
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Host Groups – Targeted Reporting 61 Traffic inbound Traffic outbound
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Host Groups – Discovering Rogue Hosts 62 Catch All: All unclassified RFC1918 addresses Table of all individual hosts
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Host Groups – Discovering Rogue Hosts 63 Rogue Hosts
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Indicator of Compromise 64 Raw flow analysis Log analysis (SIEM) IDS Alert Outside notification Behavioural analysis Activity monitoring an artifact observed on a network or in operating system that with high confidence indicates a computer intrusion • http://en.wikipedia.org/wiki/Indicator_of_compromise
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public 65 Attack Lifecycle Model Exploratory Actions Footprint Expansion Execution Theft Disruption Staging Initial Compromise Initial Recon Infiltration (C&C)
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public 66 Attack Lifecycle Model Exploratory Actions Footprint Expansion Execution Theft Disruption Staging Initial Compromise Initial Recon Infiltration (C&C) IOC Found: Investigate forwards and backward
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Concept: OODA Loop 67 Observe Orient Decide Act Feedback Feedback • Unfolding circumstances • Implicit guidance • Outside information • Unfolding interaction with environment • Cultural Traditions • Genetic Heritage • Analysis & Synthesis • New information • Previous Experiences Unfolding interaction with environment http://en.wikipedia.org/wiki/OODA_loop
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Identifying the Culprit Indicator of Compromise Is a worm indicated? • Alarm • Alarm Table • Alarm Summary • IDS Alert • Other Host IP Address Worm Tracker Yes Host Snapshot Supplemental Information: • Most recent flows/Active flows • Traffic volume/type • Other Alarms • Exporter interfaces • Activity – scanning? • Thresholds • Touches Identity: • Username • Device type and OS • Access location • Organization/Geo • Role – Client or Server • Hosts affected • Host Groups Affected • Subnets Affected • Ports Used • Protocols Used Is the behaviour normal or permissible? Tune Yes Respond No No 68
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Responding to an IOC 69 Create a Host Group for BlackPOS Servers IOC: Crowdstrike publishes list of IP addresses identified as BlackPOS servers IP Addresses
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public BlackPOS – Host Locking Violation Alarm 70 Create a Host Lock Violation Alarm for communication to BlackPOS servers Set client hosts to POS terminals Set server hosts to BlackPOS Servers Alarm on FTP traffic Trigger alarm on unsuccessful connections
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public BlackPOS - Investigate You know today what you didn’t know yesterday 71 Run a Flow Query Over the last 90 days Server or client includes the known bad BlackPOS IP Addresses Configure application to be FTP
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public BlackPOS – Returned Flows 72 Infected hosts BlackPOS Servers FTP Transfers
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Investigating Malware Spread: Worm Tracker 73 IOC: IDS Alert indicating a known worm operating inside your network Worm tracker Initial infection Secondary infections Subnets being scanned
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Investigating Malware Spread: Host Snapshot 74 Everything the system knows about 10.10.200.59 Start with CI Events. We notice significant scanning activity
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Investigating Malware Spread: Identity 75 Telemetry from the ISE Username Infected machine
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Investigating Malware Spread: Touched Hosts 76 This infected host has established a connection with another host
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Investigating Malware Spread: Touched Hosts 77 All hosts touched by 10.10.200.59
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public High Concern Index 78 Baseline deviated by 2,432%!
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public What was this Host up to? 79 Target – entire subnet? Scanning on TCP-445
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow and (D)DoS Detection 80 Identify targets • Target of suspicious activity • Abnormal traffic volume • Decrease in performance Identify attackers
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Volumetric DDoS 81 Traffic Spikes
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Identifying a DDoS Participant 82 IOC: Notification from 3rd party that your IP Address is participating in a DDoS Public IP address Target server Time of reported attack
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Identifying a DDoS Participant 83 Time of reported attack Inside local Outside global Target Server Validate attack activity User
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Identify a DDoS Participant 84 Host snapshot Other suspicious activity
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Agenda 85 Introduction Understanding the Landscape Introduction to NetFlow Design and Deployment Working with NetFlow Flow ExportAdding Context Summary Organising the data Running Queries and Investigations Flow Collection
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Links and Recommended Reading More about the Cisco Cyber Threat Defense Solution: http://www.cisco.com/go/threatdefense http://www.lancope.com 86 Recommended Reading Cyber Threat Defense Cisco Validated Design Guide: http://www.cisco.com/en/US/solutions/collateral/ns1015/ns1238/cyber_threat_defense_design_guide.pdf Cyber Threat Defense Cisco Validated Design Guide: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/ctd-first-look-design-guide.pdf Securing Cisco Networks with Threat Detection and Analysis (SCYBER) https://learningnetwork.cisco.com/community/certifications/security/cybersecurity/scyber_exam
Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Key Takeaways 87 Modern threats are consistently bypassing the security perimeter Threat Detection requires visibility and context into network traffic NetFlow and the Lancope StealthWatch System provide actionable security intelligence
Q & A
NetFlow Monitoring for Cyber Threat Defense

Recommended

Network Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseNetwork Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseEvans Ye
 
Netflow slides
Netflow slidesNetflow slides
Netflow slidesJose Manuel Vega Monroy
 
How to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersHow to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersSolarWinds
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionAPNIC
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Thomas Graf
 
Short Introduction to IPv6
Short Introduction to IPv6Short Introduction to IPv6
Short Introduction to IPv6Martin Schütte
 
IPsec Basics: AH and ESP Explained
IPsec Basics: AH and ESP ExplainedIPsec Basics: AH and ESP Explained
IPsec Basics: AH and ESP ExplainedAndriy Berestovskyy
 

Recommended

Network Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseNetwork Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseEvans Ye
 
Netflow slides
Netflow slidesNetflow slides
Netflow slidesJose Manuel Vega Monroy
 
How to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersHow to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersSolarWinds
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionAPNIC
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Thomas Graf
 
Short Introduction to IPv6
Short Introduction to IPv6Short Introduction to IPv6
Short Introduction to IPv6Martin Schütte
 
IPsec Basics: AH and ESP Explained
IPsec Basics: AH and ESP ExplainedIPsec Basics: AH and ESP Explained
IPsec Basics: AH and ESP ExplainedAndriy Berestovskyy
 
NetBSD syslogd with IETF Syslog Protocols
NetBSD syslogd with IETF Syslog ProtocolsNetBSD syslogd with IETF Syslog Protocols
NetBSD syslogd with IETF Syslog ProtocolsMartin Schütte
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)Martin Schütte
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityThomas Graf
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowLancope, Inc.
 
Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS FirewallBangladesh Network Operators Group
 
Stun turn poc_pilot
Stun turn poc_pilotStun turn poc_pilot
Stun turn poc_pilotMihály Mészáros
 
MUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystMUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystFajar Nugroho
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec APNIC
 
Silverlight Wireshark Analysis
Silverlight Wireshark AnalysisSilverlight Wireshark Analysis
Silverlight Wireshark AnalysisYoss Cohen
 
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGatePLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGatePROIDEA
 
Preventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressPreventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressBangladesh Network Operators Group
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS DefenseJames Dickenson
 
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...Shuichi Ohkubo
 
MUM Europe 2017 - Traffic Generator Case Study
MUM Europe 2017 - Traffic Generator Case StudyMUM Europe 2017 - Traffic Generator Case Study
MUM Europe 2017 - Traffic Generator Case StudyFajar Nugroho
 
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelAccelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelThomas Graf
 
Implementing MPLS Services using Openflow
Implementing MPLS Services using OpenflowImplementing MPLS Services using Openflow
Implementing MPLS Services using OpenflowAPNIC
 
SDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingSDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingThomas Graf
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Juniper Networks
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewallsphanleson
 
Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlowLancope, Inc.
 
Manageengine Netflow analyzer - An Insight
Manageengine Netflow analyzer - An InsightManageengine Netflow analyzer - An Insight
Manageengine Netflow analyzer - An InsightSai Sundhar Padmanabhan
 

More Related Content

What's hot

NetBSD syslogd with IETF Syslog Protocols
NetBSD syslogd with IETF Syslog ProtocolsNetBSD syslogd with IETF Syslog Protocols
NetBSD syslogd with IETF Syslog ProtocolsMartin Schütte
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)Martin Schütte
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityThomas Graf
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowLancope, Inc.
 
MUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystMUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystFajar Nugroho
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec APNIC
 
Silverlight Wireshark Analysis
Silverlight Wireshark AnalysisSilverlight Wireshark Analysis
Silverlight Wireshark AnalysisYoss Cohen
 
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGatePLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGatePROIDEA
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS DefenseJames Dickenson
 
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...Shuichi Ohkubo
 
MUM Europe 2017 - Traffic Generator Case Study
MUM Europe 2017 - Traffic Generator Case StudyMUM Europe 2017 - Traffic Generator Case Study
MUM Europe 2017 - Traffic Generator Case StudyFajar Nugroho
 
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelAccelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelThomas Graf
 
Implementing MPLS Services using Openflow
Implementing MPLS Services using OpenflowImplementing MPLS Services using Openflow
Implementing MPLS Services using OpenflowAPNIC
 
SDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingSDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingThomas Graf
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Juniper Networks
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewallsphanleson
 

What's hot (20)

NetBSD syslogd with IETF Syslog Protocols
NetBSD syslogd with IETF Syslog ProtocolsNetBSD syslogd with IETF Syslog Protocols
NetBSD syslogd with IETF Syslog Protocols
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network Security
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
 
Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
 
Stun turn poc_pilot
Stun turn poc_pilotStun turn poc_pilot
Stun turn poc_pilot
 
MUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystMUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration Analyst
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
Silverlight Wireshark Analysis
Silverlight Wireshark AnalysisSilverlight Wireshark Analysis
Silverlight Wireshark Analysis
 
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGatePLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
 
Preventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressPreventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP address
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long Period
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS Defense
 
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
 
MUM Europe 2017 - Traffic Generator Case Study
MUM Europe 2017 - Traffic Generator Case StudyMUM Europe 2017 - Traffic Generator Case Study
MUM Europe 2017 - Traffic Generator Case Study
 
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelAccelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux Kernel
 
Implementing MPLS Services using Openflow
Implementing MPLS Services using OpenflowImplementing MPLS Services using Openflow
Implementing MPLS Services using Openflow
 
SDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingSDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center Networking
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
 

Viewers also liked

Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlowLancope, Inc.
 
Manageengine Netflow analyzer - An Insight
Manageengine Netflow analyzer - An InsightManageengine Netflow analyzer - An Insight
Manageengine Netflow analyzer - An InsightSai Sundhar Padmanabhan
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security ArchitectureCisco Canada
 
Plugging Network Security Holes Using NetFlow
Plugging Network Security Holes Using NetFlowPlugging Network Security Holes Using NetFlow
Plugging Network Security Holes Using NetFlowNetFlow Analyzer
 
Application Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowApplication Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowCisco DevNet
 
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08NetFlowAuditor
 

Viewers also liked (6)

Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlow
 
Manageengine Netflow analyzer - An Insight
Manageengine Netflow analyzer - An InsightManageengine Netflow analyzer - An Insight
Manageengine Netflow analyzer - An Insight
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security Architecture
 
Plugging Network Security Holes Using NetFlow
Plugging Network Security Holes Using NetFlowPlugging Network Security Holes Using NetFlow
Plugging Network Security Holes Using NetFlow
 
Application Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowApplication Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible Netflow
 
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
 

Similar to NetFlow Monitoring for Cyber Threat Defense

Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPPROIDEA
 
Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data DATA SECURITY SOLUTIONS
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginEC-Council
 
Analise NetFlow in Real Time
Analise NetFlow in Real TimeAnalise NetFlow in Real Time
Analise NetFlow in Real TimePiotr Perzyna
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsCisco Canada
 
How to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routersHow to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routersIT Tech
 
2014/09/02 Cisco UCS HPC @ ANL
2014/09/02 Cisco UCS HPC @ ANL2014/09/02 Cisco UCS HPC @ ANL
2014/09/02 Cisco UCS HPC @ ANLdgoodell
 
Go with the Flow-v2
Go with the Flow-v2Go with the Flow-v2
Go with the Flow-v2Zobair Khan
 
Session Initiation Protocol
Session Initiation ProtocolSession Initiation Protocol
Session Initiation ProtocolMatt Bynum
 
Open Source Tools for the Systems Administrator
Open Source Tools for the Systems AdministratorOpen Source Tools for the Systems Administrator
Open Source Tools for the Systems AdministratorCharles Profitt
 
PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...
PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...
PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...PROIDEA
 
How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.Naoto MATSUMOTO
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutionseroglu
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptIwan89629
 

Similar to NetFlow Monitoring for Cyber Threat Defense (20)

Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
 
Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
 
Analise NetFlow in Real Time
Analise NetFlow in Real TimeAnalise NetFlow in Real Time
Analise NetFlow in Real Time
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage Threats
 
How to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routersHow to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routers
 
NFA - Middle East Workshop
NFA - Middle East WorkshopNFA - Middle East Workshop
NFA - Middle East Workshop
 
RAZORPOINT TCP/UDP PORTS LIST
RAZORPOINT TCP/UDP PORTS LISTRAZORPOINT TCP/UDP PORTS LIST
RAZORPOINT TCP/UDP PORTS LIST
 
2014/09/02 Cisco UCS HPC @ ANL
2014/09/02 Cisco UCS HPC @ ANL2014/09/02 Cisco UCS HPC @ ANL
2014/09/02 Cisco UCS HPC @ ANL
 
Go with the Flow-v2
Go with the Flow-v2Go with the Flow-v2
Go with the Flow-v2
 
Go with the Flow
Go with the Flow Go with the Flow
Go with the Flow
 
Session Initiation Protocol
Session Initiation ProtocolSession Initiation Protocol
Session Initiation Protocol
 
Open Source Tools for the Systems Administrator
Open Source Tools for the Systems AdministratorOpen Source Tools for the Systems Administrator
Open Source Tools for the Systems Administrator
 
Advanced Topics in IP Multicast Deployment
Advanced Topics in IP Multicast DeploymentAdvanced Topics in IP Multicast Deployment
Advanced Topics in IP Multicast Deployment
 
PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...
PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...
PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...
 
How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
TCP/IP Basics
TCP/IP BasicsTCP/IP Basics
TCP/IP Basics
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.ppt
 

More from Cisco Canada

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco Canada
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic frCisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic frCisco Canada
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco Canada
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018 secure dcCisco connect montreal 2018 secure dc
Cisco connect montreal 2018 secure dcCisco Canada
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla nsCisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla nsCisco Canada
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco Canada
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Canada
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco Canada
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Cisco Canada
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018 compute v finalCisco connect montreal 2018 compute v final
Cisco connect montreal 2018 compute v finalCisco Canada
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco Canada
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco Canada
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...Cisco Canada
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Canada
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...Cisco Canada
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018 DevNet OverviewCisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018 DevNet OverviewCisco Canada
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018 DNA assuranceCisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018 DNA assuranceCisco Canada
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018 network-slicingCisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018 network-slicingCisco Canada
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco merakiCisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco merakiCisco Canada
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018 sixty to zeroCisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018 sixty to zeroCisco Canada
 

More from Cisco Canada (20)

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devops
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic frCisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic fr
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018 secure dcCisco connect montreal 2018 secure dc
Cisco connect montreal 2018 secure dc
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla nsCisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse locale
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybrides
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018 compute v finalCisco connect montreal 2018 compute v final
Cisco connect montreal 2018 compute v final
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018 DevNet OverviewCisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018 DevNet Overview
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018 DNA assuranceCisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018 DNA assurance
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018 network-slicingCisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018 network-slicing
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco merakiCisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018 sixty to zeroCisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018 sixty to zero
 

Recently uploaded

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Recently uploaded (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

NetFlow Monitoring for Cyber Threat Defense

  • 1.
  • 2. NetFlow Monitoring for Cyber Threat Defense T-SEC-10-I Matthew Robertson Security Technical Marketing Engineer
  • 3. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public 3 “The whole art of war consists of guessing at what is on the other side of the hill.” Arthur Wellesley, 1st Duke of Wellington
  • 4. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Defending against Humans 4 http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html
  • 5. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Evolution of Cyber Conflict War Dialing, Phone Phreaking … Manual Attacks (1980s) Viruses, Worms … Mechanized Attacks (1988) Google, RSA … Talented Human / Mechanized Attackers (2009) Cyrptocurrency Ransoms, Store-bought Credentials ... DIY Human / Mechanized Attackers (2011) Intelligence Driven Human Defenders 5 Manual Defenses Unplug Mechanized Defenses Firewall, IDS/IPS Targeted Human/Mechanized DefendersReputation, App-aware FirewallAPT, Multi-Step Attacks… Target, Neiman Marcus …
  • 6. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Agenda 6 Introduction Understanding the Landscape Introduction to NetFlow Design and Deployment Working with NetFlow Flow ExportAdding Context Summary Organizing the data Running Queries and Investigations Flow Collection
  • 7. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public About this session 7 https://learningnetwork.cisco.com/community/certifications/s ecurity/cybersecurity/scyber_exam http://www.cisco.com/go/securedatacenter http://www.cisco.com/go/threatdefense
  • 8. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public About the Speaker Matthew Robertson  Security Technical Marketing Engineer  ½ year at Lancope  5½ years at Cisco – Development and Technical Marketing  Focused on advanced threat detection  Author of 2 CVD’s  I am Canadian! 8
  • 9. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Thinking beyond the perimeter 9 Once the walls are built monitor for security visibility
  • 10. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Signals Intelligence 10 Traffic Analysis: • Deduce information from communication patterns
  • 11. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow 11 10.2.2.2 port 1024 10.1.1.1 port 80 eth0/1 eth0/2 Start Time Interfac e Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent TCP Flags 10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 SYN,ACK,PSH 10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 SYN,ACK,FIN Start Time Interfac e Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent TCP Flags 10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 SYN,ACK,PSH
  • 12. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow = Visibility Router# show flow monitor CYBER-MONITOR cache … IPV4 SOURCE ADDRESS: 192.168.100.100 IPV4 DESTINATION ADDRESS: 192.168.20.6 TRNS SOURCE PORT: 47321 TRNS DESTINATION PORT: 443 INTERFACE INPUT: Gi0/0/0 IP TOS: 0x00 IP PROTOCOL: 6 ipv4 next hop address: 192.168.20.6 tcp flags: 0x1A interface output: Gi0/1.20 counter bytes: 1482 counter packets: 23 timestamp first: 12:33:53.358 timestamp last: 12:33:53.370 ip dscp: 0x00 ip ttl min: 127 ip ttl max: 127 application name: nbar secure-http … A single NetFlow Record provides a wealth of information 12
  • 13. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Agenda 13 Introduction Understanding the Landscape Introduction to NetFlow Design and Deployment Flow Export
  • 14. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Deployment Architecture 14 Management/Reporting Layer: • Run queries on flow data • Centralize management and reporting Flow Collection Layer: • Collection, storage and analysis of flow records Flow Exporting Layer: • Enables telemetry export • As close to the traffic source as possible NetFlow
  • 15. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Considerations: Flow Exporting Layer 15 1. NetFlow support 2. Which version of NetFlow to use 3. How to configure/what to measure 4. Where in the network to enable NetFlow export
  • 16. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Cisco NetFlow Support Cisco 2900 Cisco 7200 VXR Cisco Nexus 7000 Cisco XR 12000 Cisco 2800 Cisco 7600 Cisco 1700 Cisco Catalyst 6500 Cisco 3560/3750-X/3850 Cisco ASR Cisco ASA Cisco ISR G2 Hardware Supported Cisco Catalyst 4500 Cisco NGA 16 Cisco Nexus 1000v
  • 17. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Versions of NetFlow Version Major Advantage Limits/Weaknesses V5 Defines 18 exported fields Simple and compact format Most commonly used format IPv4 only Fixed fields, fixed length fields only Single flow cache V9 Template-based IPv6 flows transported in IPv4 packets MPLS and BGP nexthop supported Defines 104 fields, including L2 fields Reports flow direction IPv6 flows transported in IPv4 packets Fixed length fields only Uses more memory Slower performance Single flow cache Flexible NetFlow (FNF) Template-based flow format (built on V9 protocol) Supports flow monitors (discrete caches) Supports selectable key fields and IPv6 Supports NBAR data fields Less common Requires more sophisticated platform to produce Requires more sophisticated system to consume IP Flow Information Export (IPFIX) AKA NetFlow V10 Standardised – RFC 5101, 5102, 6313 Supports variable length fields, NBAR2 Can export flows via IPv4 and IPv6 packets Even less common Only supported on a few Cisco platforms NSEL (ASA only) Built on NetFlow v9 protocol State-based flow logging (context) Pre and Post NAT reporting Missing many standard fields Limited support by collectors 17
  • 18. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public How do I want to cache information Which interface do I want to monitor? What data do I want to meter? Router(config)# flow record my-record Router(config-flow-record)# match ipv4 destination address Router(config-flow-record)# match ipv4 source address Router(config-flow-record)# collect counter bytes Where do I want my data sent? Router(config)# flow exporter my-exporter Router(config-flow-exporter)# destination 1.1.1.1 Router(config)# flow monitor my-monitor Router(config-flow-monitor)# exporter my-exporter Router(config-flow-monitor)# record my-record Router(config)# interface s3/0 Router(config-if)# ip flow monitor my-monitor input 1. Configure the Exporter 2. Configure the Flow Record 3. Configure the Flow Monitor 4. Apply to an Interface Configuring Flexible NetFlow 18 Best Practice: include all v5 fields
  • 19. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Deployment 19 Access Catalyst® 3560/3750-X Catalyst® 4500 Catalyst® 6500 Distribution & Core Catalyst® 4500 ASA ISR Edge ASR Each network layer offers unique NetFlow capabilities
  • 20. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Deployment 20 Access Catalyst® 3560/3750-X Catalyst® 4500 Access: • New network edge • Detect threats as the enter the network • Detect threats inside the switch • east-west • Layer 2 traffic • Fewer false positives • Higher-granular visibility • Identify the endpoint • collect MAC Address
  • 21. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Catalyst 3650-X,3750-X Flow Record 21 ! flow record CYBER_3KX_FLOW_RECORD
 match datalink mac source- address match datalink mac destination-address match datalink mac source-vlan-id match ipv4 tos match ipv4 ttl match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port
 collect interface input snmp
 collect interface output snmp
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first collect timestamp sys-uptime last !
  • 22. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Catalyst 4500 Flow Record 22 ! flow record CYBER_4K_FLOW_RECORD match ipv4 tos match ipv4 protocol match ipv4 source address
 match ipv4 destination address match transport source-port match transport destination-port collect ipv4 dscp collect ipv4 ttl minimum collect ipv4 ttl maximum collect transport tcp flags collect interface output collect counter bytes collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last !
  • 23. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Deployment - Converged Access 23 Converged Access: • NetFlow for the first time on Wireless • Visibility in BYOD environments • Consistent configuration for wired and wireless • Single flow monitor can be applied to wired ports and SSID • Natively available in the UADP ASIC • Can monitor East-West and North-South flows • 48k flows on the 48 port model
  • 24. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Deployment 24 Catalyst® 6500 Distribution & Core Catalyst® 4500 Distribution & Core: • Traditional deployment • Minimal recommended deployment • Enable at critical points/bottle necks • Typically done on a Layer 3 boundary • Detect threats internal to the VLAN • When deployed on an SVI interface • Detect threats as they traverse the internal network • Move between subnets
  • 25. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Catalyst 6500 (Sup 2T) Flow Record 25 ! flow record CYBER_6K_FLOW_RECORD match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input collect transport tcp flags collect interface output collect counter bytes collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last !
  • 26. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Deployment 26 ASA ISR Edge ASR Edge: • Detect threats as they enter and leave the network • Monitor communication between branches • Gain context from edge devices • Application - NBAR • Events & User-ID - NSEL
  • 27. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public ISR Flow Record 27 !
flow record CYBER_ISR_RECORD match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input collect routing next-hop address ipv4 collect ipv4 dscp collect ipv4 ttl minimum collect ipv4 ttl maximum collect transport tcp flags collect interface output collect counter bytes collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last collect application name ! Enable NBAR
  • 28. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public ASA NSEL Configuration 28 ! flow-export destination management <ip-address> 2055 ! policy-map global_policy class class-default flow-export event-type all destination <ip-address> ! flow-export template timeout-rate 2 logging flow-export syslogs disable !
  • 29. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Flow Monitor Configuration 29 ! flow monitor CYBER_MONITOR
 record CYBER_RECORD exporter CYBER_EXPORTER cache timeout active 60 cache timeout inactive 15 ! Active Timeout: • Longest amount of time a flow can be in cache without exporting a Flow Record • Recommended 60 seconds • All exporters should have the same timeout Inactive Timeout: • How long a flow can be inactive before being removed from cache • Recommended 15 seconds • All exporters should have the same timeout
  • 30. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Aside: Myths about NetFlow Generation 30 Myth #1: NetFlow impacts performance • Hardware implemented NetFlow has no performance impact • Software implementation is typically significantly <15% processing overhead Myth #2: NetFlow has bandwidth overhead • NetFlow is a summary protocol • Traffic overhead is typically significantly <1% of total traffic per exporting device
  • 31. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Agenda 31 Introduction Understanding the Landscape Introduction to NetFlow Design and Deployment Flow ExportFlow Collection
  • 32. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Flow Collection Considerations 32 Flow Handling • De-duplication • Stitching • Replication Scalability & Performance • # of NetFlow sources • # of users • Flows per second • Sustained vs. burst Your time, resources and budget Feature set • Reporting • Drill down • Retention • Analysis NetFlow NetFlow NetFlow
  • 33. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Components for NetFlow Security Monitoring 33 Cisco Network StealthWatch FlowReplicator • UDP Packet copier • Forward to multiple collection systems NetFlow StealthWatch FlowSensor • Generate NetFlow data StealthWatch FlowSensor VE • Virtual environment • Visibility into ESX StealthWatch FlowCollector • Collect and analyze • Up to 2000 sources • Up to sustained 120,000 fps StealthWatch Management Console • Management and reporting • Up to 25 FlowCollectors • Up 3 million fps globally Best Practice: Centralize collection globally
  • 34. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Collection: Flow Stitching 34 10.2.2.2 port 1024 10.1.1.1 port 80 eth0/1 eth0/2 Start Time Interface Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent 10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 Start Time Client IP Client Port Server IP Server Port Proto Client Bytes Client Pkts Server Bytes Server Pkts Interfaces 10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 eth0/1 eth0/2 Uni-directional flow records Bi-directional: • Conversation flow record • Allows easy visualization and analysis
  • 35. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow Collection: De-duplication 35 Router A Router B Router C Router A: 10.2.2.2:1024 -> 10.1.1.1:80 Router B: 10.2.2.2:1024 -> 10.1.1.1:80 Router C: 10.1.1.1:80 -> 10.2.2.2:1024 • Without de-duplication: • Traffic volume can be misreported • False positive would occur • Allows for the efficient storage of flow data • Necessary for accurate host-level reporting • Does not discard data 10.2.2.2 port 1024 10.1.1.1 port 80 Duplicates
  • 36. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Conversational Flow Record 36 Who WhoWhat More Details When How
  • 37. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Integrating with a SIEM 37 Log alarms and summary info to SIEM • Complete visibility throughout network • Leverage specialty data handling NetFlowSyslog SDEE SIEM Security Events API API’s to access database • Directly access flow data (ex. getFlows) • Improved scale - collection and retention • Decreased cost
  • 38. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Agenda 38 Introduction Understanding the Landscape Introduction to NetFlow Design and Deployment Flow ExportAdding Context Flow Collection
  • 39. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Context is Critical 39
  • 40. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public ISE as a Telemetry Source 40 Monitor Mode • Open Mode, Multi-Auth • Unobstructed Access • No impact on productivity • Profiling, posture assessment • Gain Visibility Authenticated Session Table Cisco ISE • Maintain historical session table • Correlate NetFlow to username • Build User-centric reports StealthWatch Management Console syslog
  • 41. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Configuration: Logging on ISE 41 1. Create Remote Logging Target on ISE 2. Add Target to Logging Categories 1 2 Required Logging categories: • AAA Audit • RADIUS Accounting • Profiler • Administrative and Operational Audit
  • 42. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Configuration: Add ISE to SMC 42 3 3 4. Add additional ISE nodes 1. (Not Shown) Create Admin User on ISE 2. (Not Shown) Configure ISE or CA certificate on SMC 3. (Shown) Add Cisco ISE to SMC Configuration 4. (Shown) Add additional ISE nodes
  • 43. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Global Intelligence 43 List of known Command and Control Servers
  • 44. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Adding Situational Awareness 44 Client Host Client Host Group Server Host Server Host Groups Application Duratio n Total Traffic Start Active Time 10.201.3.149 Sales and Marketing, End User Devices 89.108.67.143 Russian Federation HTTP 23s 256.56K Jan 11, 2014
  • 45. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Adding Situational Awareness 45 Client User Name Client Host Client Host Group Server Host Server Host Groups Application Duratio n Total Traffic Start Active Time Ken 10.201.3.14 9 Sales and Marketing, End User Devices 89.108.67.143 Russian Federation, Zeus HTTP 23s 256.56K Jan 11, 2014
  • 46. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Agenda 46 Introduction Understanding the Landscape Introduction to NetFlow Design and Deployment Working with NetFlow Flow ExportAdding Context Organizing the data Running Queries and Investigations Flow Collection
  • 47. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Behavioural Analysis & Anomaly Detection 47 Behavioural Analysis: • Leverages knowledge of known bad behaviour Anomaly Detection: • Identify a change from “normal”
  • 48. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public StealthWatch: Indices 48 Concern Index: Track hosts that appear to compromising network integrity Target Index: Track hosts that appear to be victims of the suspicious behaviour of other hosts File Sharing Index: Tracks behaviour that is indicative of peer-to-peer activity
  • 49. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public StealthWatch: Alarms 49 Alarms • Indicate significant behaviour changes and policy violations • Known and unknown attacks generate alarms • Activity that falls outside the baseline, acceptable behaviour or established policies
  • 50. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Host Groups 50 Virtual container of multiple IP Addresses/ranges that have similar attributes Lab servers Best Practice: classify all known IP Addresses in one or more host groups
  • 51. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Policy Tuning 51 Policies can be created for individual host groups Tune alarm thresholds Default policy for Inside and Outside hosts
  • 52. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Flow Query Basics – The Flow Table 52 Filter Filter conditions Details More details
  • 53. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Flow Query Basics - Filtering 53 Select host to investigate All flows in which this host was a client or server
  • 54. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Flow Query Basics - Filtering 54 All flows for 10.10.200.79 in the last hour
  • 55. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Flow Table: Visibility across NAT 55 Inside local Outside global Server User
  • 56. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Querying Events - Leveraging NSEL 56 Flow denied events over many ports
  • 57. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Flow Table – IPv6 57
  • 58. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Host Groups – Targeted Monitoring 58 Suspiciously behaving hosts Alarms Host Group Dashboard for Engineers
  • 59. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Host Groups – Application Report 59 Applications outbound Applications inbound
  • 60. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Host Groups – Targeted Reporting 60 Geo-IP-based Host Group Summary chart of traffic inbound and outbound from this Host Group
  • 61. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Host Groups – Targeted Reporting 61 Traffic inbound Traffic outbound
  • 62. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Host Groups – Discovering Rogue Hosts 62 Catch All: All unclassified RFC1918 addresses Table of all individual hosts
  • 63. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Host Groups – Discovering Rogue Hosts 63 Rogue Hosts
  • 64. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Indicator of Compromise 64 Raw flow analysis Log analysis (SIEM) IDS Alert Outside notification Behavioural analysis Activity monitoring an artifact observed on a network or in operating system that with high confidence indicates a computer intrusion • http://en.wikipedia.org/wiki/Indicator_of_compromise
  • 65. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public 65 Attack Lifecycle Model Exploratory Actions Footprint Expansion Execution Theft Disruption Staging Initial Compromise Initial Recon Infiltration (C&C)
  • 66. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public 66 Attack Lifecycle Model Exploratory Actions Footprint Expansion Execution Theft Disruption Staging Initial Compromise Initial Recon Infiltration (C&C) IOC Found: Investigate forwards and backward
  • 67. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Concept: OODA Loop 67 Observe Orient Decide Act Feedback Feedback • Unfolding circumstances • Implicit guidance • Outside information • Unfolding interaction with environment • Cultural Traditions • Genetic Heritage • Analysis & Synthesis • New information • Previous Experiences Unfolding interaction with environment http://en.wikipedia.org/wiki/OODA_loop
  • 68. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Identifying the Culprit Indicator of Compromise Is a worm indicated? • Alarm • Alarm Table • Alarm Summary • IDS Alert • Other Host IP Address Worm Tracker Yes Host Snapshot Supplemental Information: • Most recent flows/Active flows • Traffic volume/type • Other Alarms • Exporter interfaces • Activity – scanning? • Thresholds • Touches Identity: • Username • Device type and OS • Access location • Organization/Geo • Role – Client or Server • Hosts affected • Host Groups Affected • Subnets Affected • Ports Used • Protocols Used Is the behaviour normal or permissible? Tune Yes Respond No No 68
  • 69. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Responding to an IOC 69 Create a Host Group for BlackPOS Servers IOC: Crowdstrike publishes list of IP addresses identified as BlackPOS servers IP Addresses
  • 70. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public BlackPOS – Host Locking Violation Alarm 70 Create a Host Lock Violation Alarm for communication to BlackPOS servers Set client hosts to POS terminals Set server hosts to BlackPOS Servers Alarm on FTP traffic Trigger alarm on unsuccessful connections
  • 71. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public BlackPOS - Investigate You know today what you didn’t know yesterday 71 Run a Flow Query Over the last 90 days Server or client includes the known bad BlackPOS IP Addresses Configure application to be FTP
  • 72. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public BlackPOS – Returned Flows 72 Infected hosts BlackPOS Servers FTP Transfers
  • 73. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Investigating Malware Spread: Worm Tracker 73 IOC: IDS Alert indicating a known worm operating inside your network Worm tracker Initial infection Secondary infections Subnets being scanned
  • 74. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Investigating Malware Spread: Host Snapshot 74 Everything the system knows about 10.10.200.59 Start with CI Events. We notice significant scanning activity
  • 75. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Investigating Malware Spread: Identity 75 Telemetry from the ISE Username Infected machine
  • 76. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Investigating Malware Spread: Touched Hosts 76 This infected host has established a connection with another host
  • 77. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Investigating Malware Spread: Touched Hosts 77 All hosts touched by 10.10.200.59
  • 78. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public High Concern Index 78 Baseline deviated by 2,432%!
  • 79. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public What was this Host up to? 79 Target – entire subnet? Scanning on TCP-445
  • 80. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public NetFlow and (D)DoS Detection 80 Identify targets • Target of suspicious activity • Abnormal traffic volume • Decrease in performance Identify attackers
  • 81. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Volumetric DDoS 81 Traffic Spikes
  • 82. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Identifying a DDoS Participant 82 IOC: Notification from 3rd party that your IP Address is participating in a DDoS Public IP address Target server Time of reported attack
  • 83. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Identifying a DDoS Participant 83 Time of reported attack Inside local Outside global Target Server Validate attack activity User
  • 84. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Identify a DDoS Participant 84 Host snapshot Other suspicious activity
  • 85. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Agenda 85 Introduction Understanding the Landscape Introduction to NetFlow Design and Deployment Working with NetFlow Flow ExportAdding Context Summary Organising the data Running Queries and Investigations Flow Collection
  • 86. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Links and Recommended Reading More about the Cisco Cyber Threat Defense Solution: http://www.cisco.com/go/threatdefense http://www.lancope.com 86 Recommended Reading Cyber Threat Defense Cisco Validated Design Guide: http://www.cisco.com/en/US/solutions/collateral/ns1015/ns1238/cyber_threat_defense_design_guide.pdf Cyber Threat Defense Cisco Validated Design Guide: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/ctd-first-look-design-guide.pdf Securing Cisco Networks with Threat Detection and Analysis (SCYBER) https://learningnetwork.cisco.com/community/certifications/security/cybersecurity/scyber_exam
  • 87. Cisco and/or its affiliates. All rights reserved.T-SEC-10-I Cisco Public Key Takeaways 87 Modern threats are consistently bypassing the security perimeter Threat Detection requires visibility and context into network traffic NetFlow and the Lancope StealthWatch System provide actionable security intelligence
  • 88. Q & A