Solving the Visibility Gap for Effective Security

1. Jeff Moncrief Systems Engineering Manager, Cisco Systems, Security Business Group March 2017 Solving the Visibility Gap for Effective Security

2. Can you show me DNS traffic moving within and out of my network? What if the question was turned around… Could YOU show me DNS traffic moving within and out of YOUR network? A Simple Customer Question:

3. • Malware Propagation • 24x7 Recon against US DoD Network • Rogue Servers at Branch Offices • Rogue Cloud VMs • DNS Scrubbing Circumvention • Application Tunneling of TOR, Torrent and FTP • Perimeter Routers breached by Foreign Entities What do all of these Indicators of Compromise (IoCs) have in common? Bad Guys

4. Actual House Protection Measures? Walls Fence Windows Alarm System Back door Doors

5. Ideal Visibility Protection?

6. • Visibility gaps • Blind spots • Doors wide open • Walkways cracked • Adversary persistence • Not enough bodies • Priorities Unfortunate Reality for Houses…

7. • Flat and non-segmented • Attrition and turnover • Mergers and acquisitions • IoT • BYOD • Point solutions only illuminate specific choke-points How Do Today’s Networks Compare?

8. A Stranger in the Room…

9. Global trends and associated complexity have contributed to a lack of visibility You Can’t Protect What You Can’t See 01010 10010 11 01010 10010 11 01010 10010 11 01010 10010 11 Laptop Tablet Phone Desktop / VDI WLAN LAN On Premise Public Internet Public Cloud Router / Switch

10. • Dark network segments • Access layer unknowns • Budgets • Limited staff • Adversarial cat & mouse • Compliance & audit struggles • Lack of staff expertise • Priorities • Ignorance is bliss What does this mean for you? • Forensic incapability • APTs & insider threats • Audit exposure • Employee misuse • Direct accountability The Frightening Reality… DDoS APT Malware BYOD Insider Threat IPS IDSFW Ransomware Internal External C&C

11. Story Time…

12. • DNS scrubbing circumvention • Malware Actual Use Case – DNS Client Risk

13. An ICMP Flood Alarm shows 10.200.4.248 scanning 3 internal class c’s within a 10-minute period: Ping Scanning

14. • Stealthwatch was leveraged to query an entire organization’s network for visibility into hosts communicating with a legacy DNS server. • This query enabled the organization’s staff the visibility and awareness that over 2000 endpoints were still relying on these DNS servers. • An appropriate migration planning strategy was now possible with complete awareness of the remaining legacy DNS clients. Server Migration Planning

15. Remote Desktop Connections from a global perspective were found to be talking bi- directionally to a vending machine over RDP. This vending machine had full access to the internal network due to a lack of segmentation. Perimeter Compromise

16. • A top conversations report revealed a 192.x.x.x subnet that the organization didn’t have documentation on. • Bi-directional flow-stitching was able to illustrate a 2-way conversation that had taken place between this subnet and another known subnet. • Organization confirmed the existence of this rogue network. Rogue Network Detection

17. • RIAA copyright infringement notice was received by organization. • With just an IP address, port, and a timestamp, the organization was able to easily query all traffic communicating to and from the suspect IP address at that exact period of time. Copyright Infringement

18. • An infrastructure device was accessed and a change was made on the system. • Stealthwatch was leveraged to query the network for the exact hour that the change occurred to reveal all internal/external communications involving the endpoint, 10.0.144.221. Breach Response

19. A pivot to Top Conversations from the above spike shows the following hosts transferring data: Suspicious Spike of TCP Lateral Traffic:

20. A pivot into the outbound SWL spike from the above dashboard: Monitoring for Specific Application Traffic

21. • RDP (TCP/3389) to a public residential server from a machine wired network. Suspicious Remote Desktop Activity

22. • A prominent media company who was going through an acquisition requested a security assessment. • Stealthwatch quickly revealed a rogue virtual server in the customer’s datacenter, which was compromised and attempting to access sensitive segments. Rogue Virtual Server

23. • A High Concern Index host triggered automatically within Stealthwatch at a national healthcare provider. • Investigation revealed host was X-ray machine controller and was scanning a Class B range on the Internet owned by DISA. Compromised Host

24. Bi-directional telnet on multiple perimeter routers associated with Russia. Telnet Risk

25. Legacy Windows 2003 Server at remote location was compromised and DDOS’ing inside-out. Rogue Server

26. • No need for packet capture and probes globally • Get 1:1 conversational visibility • Know who is responsible for conversations • Leverage your existing network investment The Solution – Visibility Incident reported by CISO WHO did this? HOW long? WHAT was accessed? WHEN will we know? WHEN did it happen?

27. Full packet capture or IDS everywhere…? What Would Be the Ideal Visibility Situation? InternetShasta Lompoc Chandler ASR-1000 Cat6k UCS with Nexus 1000v ASA Cat6k 3925 ISR 3560-X 3850 Stack(s) Cat4k Datacenter WAN DMZ Access

28. Traditional Monitoring

29. … Your infrastructure is the source: End-to-end Visibility via Flow Telemetry InternetShasta Lompoc Chandler ASR-1000 Cat6k UCS with Nexus 1000v ASA Cat6k 3925 ISR 3560-X 3850 Stack(s) Cat4k Datacenter WAN DMZ Access NetFlow NetFlow NetFlow NetFlow NetFlow NetFlow NetFlow NetFlow NetFlow NetFlow NetFlow NetFlow NetFlow NetFlow NetFlow NetFlow

30. What Can NetFlow Show Us? Telephone Bill NetFlow

31. Visibility and Prevention • Know what’s there • Plan segmentation • Reinforce boundaries • Locate unknown assets • Instant alarming • Deploy globally quickly • See everything! Now What? Detection • Firewall manipulation • Rogue servers • Rogue daemons • Security circumvention • Credential misuse • Endpoint anomalies • Suspicious protocols

32. • Lack of visibility in today’s networks is a dangerous gamble • Simple, basic configurations are putting organizations at great risk • The solution is already there in your network today • Invest minimally, enable NetFlow and you’re off to the races • Mimic your firewall rules, compliance policies and hardening standards • Focus your attention elsewhere and let the 24x7 monitoring do it’s job • Be alerted instantly to the most obvious or benign network events that could lead to a greater exploitation • Job security: Be the hero… not the other way around In Summary…

33. Next Steps

34. Free Visibility Assessment http://www.cisco.com/c/m/en_us/products/security/stealt hwatch/free-visibility-assessment.html

35. Actionable Security Visibility Report

Solving the Visibility Gap for Effective Security

Solving the Visibility Gap for Effective Security

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados(20)

Similar a Solving the Visibility Gap for Effective Security

Similar a Solving the Visibility Gap for Effective Security(20)

Mais de Lancope, Inc.

Mais de Lancope, Inc.(20)

Último

Último(20)

Solving the Visibility Gap for Effective Security