Source Fire Handling Network Threat

Post on 20-Aug-2015


Local Edition

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

Network Monitoring, Malware, and Responding to Advanced Cyber Threats

Mike Mercier

Agenda

• Goals for Threat Detection & Response / Challenges

• Preparing for the Threat

• Real-Time Detection and Response

• Finding the Unexpected

• Completing the Threat “Kill Chain”

Network Security Monitoring

The collection, analysis, and escalation of indications and warnings to detect (or block) and respond to the wide range of attacks that are in your network.

GOAL: To find and resolve every security-relevant condition.

Know your Attack Continuum

• BEFORE: Discover – Enforce – Harden
• DURING: Detect – Block – Defend
• AFTER: Scope – Contain – Remediate

DISCOVER: Network Visibility – Asset Awareness – Vulnerability Intelligence

DETECT & BLOCK: Threat Detection & Change Awareness

AFTER: Forensics – Remediation – Building a Story

Tools We Need

• Network IPS
• Real-Time Asset Info (Vulnerability & Risk)
• File Detection / Tracking
• Traffic / Flow Monitoring
• Correlation Tools
• Detail Logging / Visualization

Preparing for the Threat (BEFORE: Discover – Enforce – Harden)

Deploying Visibility of the Network

Gain Visibility

• NGIPS Placement
  ‒ On the Perimeter
  ‒ Inside the Network
  ‒ Know where the import
• Network Intelligence
  ‒ Collecting Data from the wire
  ‒ Best places to get this data
• Inline, Tap or SPAN?
• Know what type of data is relevant and where to find it

The More You Know the Better Off You Are

Traffic processing pipeline:

• Packet Collection: Data Acquisition
• Normalization: Packet Decode – IP Defragmentation – Stream Re-assembly
• Reputation: Security Intelligence
• Application Identification
• NGFW Rules
• Network Discovery – IPS – Network AMP – URL Reputation – User-IP Mapping

Current State Information:

• Application Content
• Operating Systems
• Vulnerability
• Services / Client Apps
• Users, GEO, Devices
• Traffic and Application Flow
• File Data (Type or Malware)
• Trajectory
• Real-Time Change

How data can be leveraged BEFORE

• Application Data tells you where you need to refine enforcement policies
  ‒ Shows the breadth of visible application information
• Host Profiles tell you about Risk / Vulnerabilities
  ‒ Can Auto Tune – Removing the FALSE NEGATIVE
• So Many Events!
  ‒ Impact Analysis – Focus only on what can exploit you or already HAS exploited you
• White Listing for Real-Time change
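As an added illustration of the impact-analysis idea (not code from the deck or from the Sourcefire/FireSIGHT product), the following Python correlates IPS events with host profiles from the network map and assigns the impact levels the slides refer to; the host profiles, events and the CVE-SAMPLE tag are constructed sample data, and the flag logic is a simplification of the product's documented behaviour.

```python
"""Impact analysis: correlate each IPS event with the host profile of its target.

Host profiles, events and the CVE-SAMPLE-* vulnerability tag are constructed data;
the impact levels are a simplified model of the ones the slides refer to.
"""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class HostProfile:
    ip: str
    os: Optional[str] = None                     # None: OS not yet fingerprinted
    open_ports: set = field(default_factory=set)
    vulns: set = field(default_factory=set)      # vulnerability ids mapped to the host

@dataclass
class IpsEvent:
    rule: str
    dst_ip: str
    dst_port: int
    vulns: set = field(default_factory=set)      # vulnerabilities the rule's exploit targets

# 1 vulnerable, 2 potentially vulnerable, 3 currently not vulnerable,
# 4 unknown target (host known but profile too thin), 0 host not in network map.
def impact(event: IpsEvent, network_map: dict) -> int:
    host = network_map.get(event.dst_ip)
    if host is None:
        return 0
    if host.vulns & event.vulns:
        return 1                                 # "what can exploit you"
    if host.os is None and not host.open_ports:
        return 4
    if event.dst_port in host.open_ports or not event.vulns:
        return 2
    return 3                                     # target port closed: safe to deprioritise

def triage(events, network_map):
    """(impact, rule, dst_ip) rows with Impact 1 first and unknown hosts last."""
    rows = [(impact(e, network_map), e.rule, e.dst_ip) for e in events]
    return sorted(rows, key=lambda r: (r[0] == 0, r[0]))

NETWORK_MAP = {
    "10.1.1.10": HostProfile("10.1.1.10", "Windows Server", {80, 445}, {"CVE-SAMPLE-0001"}),
    "10.1.1.20": HostProfile("10.1.1.20", "Linux", {22, 80}),
    "10.1.1.30": HostProfile("10.1.1.30"),       # discovered, nothing fingerprinted yet
}
EVENTS = [
    IpsEvent("SMB exploit attempt", "10.1.1.10", 445, {"CVE-SAMPLE-0001"}),
    IpsEvent("SMB exploit attempt", "10.1.1.20", 445, {"CVE-SAMPLE-0001"}),
    IpsEvent("HTTP scanner", "10.1.1.20", 80),
    IpsEvent("SMB exploit attempt", "10.1.1.30", 445, {"CVE-SAMPLE-0001"}),
    IpsEvent("SMB exploit attempt", "192.0.2.5", 445, {"CVE-SAMPLE-0001"}),
]
```

Running `triage(EVENTS, NETWORK_MAP)` puts the one event against a host that actually carries the mapped vulnerability at the top, which is the "Impact 1 events NOT stopped" queue an analyst works first.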


Real-Time Detection and Response (DURING: Detect – Block – Defend)

The “Easy” Stuff

• Impact 1 Events NOT stopped
• Indicators of Compromise (Often Outbound)
• Malware Detections

More Subtle Indicators of Compromise

• Hosts with Policy Violations
• Network Changes (New Hosts or Unexpected Services)
• Unsafe Reputation Connections
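An added example (not the deck's or Cisco's code) of the change-awareness idea behind "White Listing for Real-Time change" and "New Hosts or Unexpected Services": two network-discovery snapshots are diffed and checked against a constructed per-subnet service whitelist, so a host or service that appears where policy does not allow it surfaces as a finding.

```python
"""Change awareness: flag new hosts and unexpected services in discovery data.

WHITELIST and the two discovery snapshots are constructed sample data.
"""
import ipaddress
from typing import Optional

# Compliance whitelist: subnet -> services allowed to run there.
WHITELIST = {
    "10.1.1.0/24": {"http", "https"},      # web tier
    "10.1.2.0/24": {"ssh", "postgresql"},  # database tier
}

def allowed_services(ip: str) -> Optional[set]:
    """Services permitted for ip, or None if no whitelist entry covers it."""
    addr = ipaddress.ip_address(ip)
    for net, services in WHITELIST.items():
        if addr in ipaddress.ip_network(net):
            return services
    return None

def detect_changes(previous: dict, current: dict) -> list:
    """Diff two discovery snapshots ({ip: set of services}) into findings.

    Finding kinds: new_host, new_service (first seen on a known host),
    unexpected_service (whitelist violation), unlisted_host (no policy).
    """
    findings = []
    for ip, services in sorted(current.items()):
        allowed = allowed_services(ip)
        if allowed is None:
            findings.append(("unlisted_host", ip, "no whitelist covers this host"))
            continue
        if ip not in previous:
            findings.append(("new_host", ip, ",".join(sorted(services))))
        else:
            for svc in sorted(services - previous[ip]):
                findings.append(("new_service", ip, svc))
        for svc in sorted(services - allowed):           # a new host is checked too
            findings.append(("unexpected_service", ip, svc))
    return findings

PREVIOUS = {"10.1.1.10": {"http", "https"}, "10.1.2.10": {"ssh", "postgresql"}}
CURRENT = {
    "10.1.1.10": {"http", "https", "ssh"},   # ssh appeared on a web server
    "10.1.2.10": {"ssh", "postgresql"},      # unchanged
    "10.1.1.11": {"http"},                   # new host, compliant
    "10.1.2.20": {"ssh", "smb"},             # new host running a disallowed service
    "192.0.2.7": {"http"},                   # no whitelist covers it
}
```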

Finding the Unexpected (AFTER: Scope – Contain – Remediate)

Scope, Contain, Remediate

• Everywhere the problems we KNOW are:
• Known Malware Detections
• Endpoint Cleanup
  ‒ IPS Event Documentation
  ‒ Host Profiles

File Trajectory

Telling the Story (AFTER: Scope – Contain – Remediate)

Have your Dashboard put your concerns up front

Organize by Tabs

Quickly Build (or automate) Your Reports

Feedback

• Give us your feedback. Fill out your surveys.

• Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year.


Register for Cisco Live - Orlando

Cisco Live - Orlando, June 23 – 27, 2013

www.ciscolive.com/us
