Network visibility is a vital component of an effective security strategy, but many organizations lack the ability to identify threat activity in their environment. At Cisco, we have assessed the networks of thousands of organizations, and in nearly every instance, we discovered undocumented hosts, risky user behavior, or malicious activity.
Whether it is rogue servers, unauthorized connections, or ongoing data breaches, we’ve harnessed the power of network visibility to identify a variety of suspicious and malicious activity. Now let us share our knowledge with you.
Join Jeff Moncrief, Systems Engineering Manager at Cisco, to learn:
- The reality of how vulnerable enterprise networks are from endpoint to edge
- The security benefits of end-to-end network visibility
- Common problems solved with network visibility
- Stories of real-life threats hidden on networks we’ve assessed
- How to turn your network into a security sensor to gain critical visibility and threat detection capabilities
1. Jeff Moncrief
Systems Engineering Manager, Cisco Systems, Security Business Group
March 2017
Solving the Visibility Gap for Effective Security
2. Can you show me DNS traffic moving within and out of my network?
What if the question was turned around…
Could YOU show me DNS traffic moving within and out of YOUR network?
A Simple Customer Question:
3. • Malware Propagation
• 24x7 Recon against US DoD Network
• Rogue Servers at Branch Offices
• Rogue Cloud VMs
• DNS Scrubbing Circumvention
• Application Tunneling of Tor, Torrent and FTP
• Perimeter Routers breached by Foreign Entities
What do all of these Indicators of Compromise (IoCs) have in common?
Bad Guys
6. • Visibility gaps
• Blind spots
• Doors wide open
• Walkways cracked
• Adversary persistence
• Not enough bodies
• Priorities
Unfortunate Reality for Houses…
7. • Flat and non-segmented
• Attrition and turnover
• Mergers and acquisitions
• IoT
• BYOD
• Point solutions only illuminate specific choke-points
How Do Today’s Networks Compare?
9. Global trends and associated complexity have contributed to a lack of visibility
You Can’t Protect What You Can’t See
[Diagram: endpoints (Laptop, Tablet, Phone, Desktop / VDI) connected over WLAN and LAN through a Router / Switch, spanning On Premise, Public Internet and Public Cloud]
10. • Dark network segments
• Access layer unknowns
• Budgets
• Limited staff
• Adversarial cat & mouse
• Compliance & audit struggles
• Lack of staff expertise
• Priorities
• Ignorance is bliss
What does this mean for you?
• Forensic incapability
• APTs & insider threats
• Audit exposure
• Employee misuse
• Direct accountability
The Frightening Reality…
[Diagram: threats (DDoS, APT, Malware, BYOD, Insider Threat, Ransomware, C&C) on both the Internal and External sides of the IPS / IDS / FW perimeter]
12. • DNS scrubbing circumvention
• Malware
Actual Use Case – DNS Client Risk
13. An ICMP Flood Alarm shows 10.200.4.248 scanning three internal Class C ranges within a 10-minute period:
Ping Scanning
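The ICMP Flood Alarm on the slide is, underneath, a count of distinct destinations one source reaches in a short window. The following is an added example, not code from this deck or from Stealthwatch, showing that logic over constructed flow records: a source is flagged when its ICMP flows reach at least 20 distinct hosts spread over at least three /24s inside any 10-minute window. The thresholds, the record layout and the addresses are assumptions made for the example.

```python
"""Ping-sweep detection over flow records (added example, not Stealthwatch code)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress


def build_sample_flows():
    """Constructed flow records as (timestamp, src, dst, proto) tuples; not real data."""
    base = datetime(2017, 3, 1, 9, 0, 0)
    flows = []
    # One source touching 15 hosts in each of three /24s, one ping every 10 seconds
    n = 0
    for third in (1, 2, 3):
        for fourth in range(10, 25):
            flows.append((base + timedelta(seconds=10 * n), "10.200.4.248",
                          f"10.200.{third}.{fourth}", "icmp"))
            n += 1
    # Benign: a monitoring host pinging the same two servers once a minute
    for minute in range(8):
        for dst in ("10.200.1.5", "10.200.2.5"):
            flows.append((base + timedelta(minutes=minute), "10.200.4.10", dst, "icmp"))
    # Non-ICMP traffic is ignored by the detector
    flows.append((base, "10.200.4.248", "10.200.1.5", "tcp"))
    return flows


def find_icmp_sweeps(flows, window=timedelta(minutes=10), min_hosts=20, min_subnets=3):
    """Return sources whose ICMP flows reach >= min_hosts distinct destinations
    spread over >= min_subnets distinct /24s inside any window of length `window`.
    The thresholds are assumptions for this example, not a product setting."""
    by_src = defaultdict(list)
    for ts, src, dst, proto in flows:
        if proto == "icmp":
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Slide the window start forward until it spans at most `window`
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            hosts = {dst for _, dst in events[lo:hi + 1]}
            subnets = {str(ipaddress.ip_network(f"{h}/24", strict=False)) for h in hosts}
            if len(hosts) >= min_hosts and len(subnets) >= min_subnets:
                best = hits.get(src)
                if best is None or len(hosts) > best["hosts"]:
                    hits[src] = {"hosts": len(hosts), "subnets": sorted(subnets),
                                 "start": events[lo][0], "end": events[hi][0]}
    return hits


if __name__ == "__main__":
    for src, info in find_icmp_sweeps(build_sample_flows()).items():
        print(f"{src}: {info['hosts']} hosts across {info['subnets']} "
              f"between {info['start']:%H:%M:%S} and {info['end']:%H:%M:%S}")
```

The monitoring host never exceeds two destinations, so only the sweeping source is reported; the subnet count is what separates a sweep from a busy server that talks to many hosts in its own /24.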
14. • Stealthwatch was leveraged to query an entire organization’s network for visibility into hosts communicating with a legacy DNS server.
• This query gave the organization’s staff the visibility and awareness that over 2000 endpoints were still relying on these DNS servers.
• An appropriate migration planning strategy was now possible with complete awareness of the remaining legacy DNS clients.
Server Migration Planning
15. Remote Desktop Connections from a global perspective were found to be talking bidirectionally to a vending machine over RDP. This vending machine had full access to the internal network due to a lack of segmentation.
Perimeter Compromise
16. • A top conversations report revealed a 192.x.x.x subnet that the organization didn’t have documentation on.
• Bi-directional flow-stitching was able to illustrate a 2-way conversation that had taken place between this subnet and another known subnet.
• The organization confirmed the existence of this rogue network.
Rogue Network Detection
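Flow stitching pairs each unidirectional record with its reverse (same protocol, addresses and ports swapped), which is what turns two export records into the "2-way conversation" the slide relies on. The following is an added example, not code from this deck or from Stealthwatch, that stitches constructed records and then lists every /24 that took part in a two-way conversation but sits outside the documented address space; the inventory list, the 192.168.77.0/24 subnet and all other addresses are assumptions for the example.

```python
"""Bidirectional flow stitching and undocumented-subnet check (added example)."""
import ipaddress

# Constructed unidirectional records: (ts, src, sport, dst, dport, proto, bytes). Not real data.
SAMPLE_FLOWS = [
    (100, "192.168.77.12", 51000, "10.0.20.15", 445, "tcp", 1200),
    (100, "10.0.20.15", 445, "192.168.77.12", 51000, "tcp", 840),
    (105, "10.0.5.5", 40000, "10.0.20.15", 22, "tcp", 3000),
    (106, "10.0.20.15", 22, "10.0.5.5", 40000, "tcp", 9000),
    (110, "203.0.113.9", 44444, "10.0.20.15", 23, "tcp", 60),  # probe, never answered
]


def stitch_flows(flows):
    """Pair each flow with its reverse (same proto, swapped addresses and ports).
    The side seen first is treated as the client. Returns (conversations, unpaired)."""
    pending = {}
    conversations = []
    for ts, src, sport, dst, dport, proto, nbytes in sorted(flows, key=lambda f: f[0]):
        key = (proto, src, sport, dst, dport)
        reverse = (proto, dst, dport, src, sport)
        first = pending.pop(reverse, None)
        if first is None:
            pending[key] = {"ts": ts, "src": src, "dst": dst, "dport": dport, "bytes": nbytes}
        else:
            conversations.append({
                "client": first["src"], "server": first["dst"],
                "service": f"{proto}/{first['dport']}",
                "bytes_to_server": first["bytes"], "bytes_to_client": nbytes,
                "start": first["ts"], "end": ts,
            })
    return conversations, list(pending.values())


def undocumented_subnets(conversations, documented):
    """Return /24s that took part in a two-way conversation but fall outside
    every documented network (the inventory list is an assumption here)."""
    nets = [ipaddress.ip_network(n) for n in documented]
    found = set()
    for conv in conversations:
        for ip in (conv["client"], conv["server"]):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in nets):
                found.add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
    return sorted(found)


if __name__ == "__main__":
    convs, unpaired = stitch_flows(SAMPLE_FLOWS)
    for c in convs:
        print(f"{c['client']} -> {c['server']} {c['service']}: "
              f"{c['bytes_to_server']}B out / {c['bytes_to_client']}B back")
    print("undocumented:", undocumented_subnets(convs, ["10.0.0.0/8"]))
```

The unanswered probe from 203.0.113.9 never becomes a conversation, so it is not reported as a rogue subnet; only an address range that actually completed an exchange with the known network is surfaced, which is the evidence the organization used to confirm the rogue network.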
17. • An RIAA copyright infringement notice was received by the organization.
• With just an IP address, port, and a timestamp, the organization was able to easily query all traffic communicating to and from the suspect IP address at that exact period of time.
Copyright Infringement
18. • An infrastructure device was accessed and a change was made on the system.
• Stealthwatch was leveraged to query the network for the exact hour that the change occurred to reveal all internal/external communications involving the endpoint, 10.0.144.221.
Breach Response
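The Server Migration Planning, Copyright Infringement and Breach Response slides are all the same operation on a flow store: filter by an endpoint, optionally a port, and a time window, then summarize the peers or clients that remain. The following is an added example, not code from this deck or from Stealthwatch, that implements those three queries over constructed records. Every address is made up except 10.0.144.221, which is the endpoint named on the Breach Response slide; the legacy DNS server 10.1.1.53, the peer-to-peer port 6881 and the timestamps are assumptions for the example.

```python
"""Point-in-time flow queries by IP, port and time window (added example)."""
from collections import Counter
from datetime import datetime, timedelta

T = datetime(2017, 3, 1, 14, 0)
# Constructed records: (ts, src, sport, dst, dport, proto, bytes). Not real data.
SAMPLE_FLOWS = [
    (T + timedelta(minutes=1), "10.2.0.11", 53211, "10.1.1.53", 53, "udp", 80),
    (T + timedelta(minutes=2), "10.2.0.12", 53212, "10.1.1.53", 53, "udp", 80),
    (T + timedelta(minutes=3), "10.2.0.11", 53213, "10.1.1.53", 53, "udp", 80),   # repeat client
    (T + timedelta(minutes=4), "10.2.0.13", 53214, "10.1.2.53", 53, "udp", 80),   # already migrated
    (T + timedelta(minutes=30), "10.3.3.7", 6881, "198.51.100.20", 51413, "tcp", 500000),
    (T + timedelta(minutes=31), "198.51.100.20", 51413, "10.3.3.7", 6881, "tcp", 20000),
    (T + timedelta(hours=2), "10.3.3.7", 6881, "198.51.100.21", 51413, "tcp", 1000),  # outside window
    (T + timedelta(minutes=40), "10.9.9.9", 50500, "10.0.144.221", 22, "tcp", 4000),  # admin session
    (T + timedelta(minutes=41), "10.0.144.221", 40000, "203.0.113.5", 443, "tcp", 2500),
    (T + timedelta(hours=3), "10.0.144.221", 40001, "203.0.113.6", 443, "tcp", 900),  # outside window
]


def query_flows(flows, ip, port=None, start=None, end=None):
    """Flows in which `ip` is either endpoint, optionally restricted to `port` on
    either side and to the half-open window [start, end)."""
    out = []
    for rec in flows:
        ts, src, sport, dst, dport, proto, nbytes = rec
        if ip not in (src, dst):
            continue
        if port is not None and port not in (sport, dport):
            continue
        if start is not None and ts < start:
            continue
        if end is not None and ts >= end:
            continue
        out.append(rec)
    return out


def peers_of(flows, ip, start=None, end=None):
    """Every other endpoint that `ip` exchanged traffic with inside the window
    (the Breach Response question: who did this device talk to during that hour?)."""
    peers = set()
    for ts, src, sport, dst, dport, proto, nbytes in query_flows(flows, ip, start=start, end=end):
        peers.add(dst if src == ip else src)
    return sorted(peers)


def clients_of_service(flows, server_ip, port, proto="udp"):
    """Distinct clients of a service and how many flows each sent
    (the Server Migration question: who still depends on the legacy DNS server?)."""
    return Counter(src for ts, src, sport, dst, dport, p, nbytes in flows
                   if dst == server_ip and dport == port and p == proto)


if __name__ == "__main__":
    print("legacy DNS clients:", dict(clients_of_service(SAMPLE_FLOWS, "10.1.1.53", 53)))
    notice = query_flows(SAMPLE_FLOWS, "10.3.3.7", port=6881,
                         start=T + timedelta(minutes=25), end=T + timedelta(minutes=35))
    print("flows matching the notice:", len(notice))
    print("peers of 10.0.144.221:", peers_of(SAMPLE_FLOWS, "10.0.144.221", T, T + timedelta(hours=1)))
```

Matching the port on either side matters for the notice case: the suspect host may appear as source in one export record and as destination in the reply, and a query that only checks the source port misses half the conversation.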
19. A pivot to Top Conversations from the above spike shows the following hosts transferring data:
Suspicious Spike of TCP Lateral Traffic:
20. A pivot into the outbound SWL spike from the above dashboard:
Monitoring for Specific Application Traffic
21. • RDP (TCP/3389) to a public residential server from a machine on the wired network.
Suspicious Remote Desktop Activity
22. • A prominent media company that was going through an acquisition requested a security assessment.
• Stealthwatch quickly revealed a rogue virtual server in the customer’s datacenter, which was compromised and attempting to access sensitive segments.
Rogue Virtual Server
23. • A High Concern Index host triggered automatically within Stealthwatch at a national healthcare provider.
• Investigation revealed the host was an X-ray machine controller and was scanning a Class B range on the Internet owned by DISA.
Compromised Host
25. A legacy Windows 2003 Server at a remote location was compromised and DDoS’ing inside-out.
Rogue Server
26. • No need for packet capture and probes globally
• Get 1:1 conversational visibility
• Know who is responsible for conversations
• Leverage your existing network investment
The Solution – Visibility
[Diagram: Incident reported by CISO. WHO did this? HOW long? WHAT was accessed? WHEN did it happen? WHEN will we know?]
27. Full packet capture or IDS everywhere…?
What Would Be the Ideal Visibility Situation?
[Network diagram: Internet; sites Shasta, Lompoc and Chandler; ASR-1000, Cat6k, UCS with Nexus 1000v, ASA, 3925 ISR, 3560-X, 3850 Stack(s), Cat4k; Datacenter, WAN, DMZ and Access layers]
32. • Lack of visibility in today’s networks is a dangerous gamble
• Simple, basic configurations are putting organizations at great risk
• The solution is already there in your network today
• Invest minimally, enable NetFlow and you’re off to the races
• Mimic your firewall rules, compliance policies and hardening standards
• Focus your attention elsewhere and let the 24x7 monitoring do its job
• Be alerted instantly to the most obvious or benign network events that could lead to a greater exploitation
• Job security: Be the hero… not the other way around
In Summary…