Network as a Sensor: Detect the Undetected Proactively with Network as a Sensor
Marko Haarala, NaaS/E Lead EMEAR, Global Security Sales Organization
Topics we’ll cover today:
• Threat-Centric Approach
• Understand the NaaS deeply
• Understand the NaaE briefly
• Behavior based anomaly detection 101
• Use Cases, Concepts and Demos
(Why) Threat-Centric Approach?
Enterprise Attack Surface Is Massive, Driven by Increase in Mobility, Cloud Services, and IoT
• Mobile: 3.3 mobile devices per knowledge worker*; 55% of IP traffic mobile by 2017**; 77B app downloads in 2014***
  (* Cisco IBSG, ** Cisco 2013 VNI, *** IDC)
• Cloud: 545 cloud apps per organization*; 3X cloud traffic growth by 2017**; 44% annual cloud workload growth***
  (* Skyhigh Networks Industry Report, ** Cisco Global Cloud Index, *** Cisco VNI Global Mobile Data Traffic Forecast)
• IoT: 50B “smart objects” connected by 2020*; 36X growth in M2M IP traffic 2013–18**
  (* Cisco IBSG, ** Cisco VNI: Global Mobile Data Traffic Forecast 2013-2018)
Why break in if you can simply log in?
https://haveibeenpwned.com/
Cisco’s Threat-Centric Approach to Security: the Attack Continuum (Before, During, After)
• Network as a Sensor: Flexible NetFlow, Lancope StealthWatch, ISE
• Network as an Enforcer: Flexible NetFlow, Lancope StealthWatch, Cisco TrustSec, ISE
Better Security Visibility
Securing the Mobile Enterprise
Protect Against Advanced Malware
Improve Results with Security Services
Harden and Segment the Network
Security as a Network Driver
Security Ecosystem: Effective Security Is Delivered When the Pieces Work Together. Seamlessly.
Our goal is to make security less complex by providing a best-of-breed portfolio that’s deeply integrated and delivers solutions that are superb individually, but vastly more powerful when used together.
NetFlow: you most likely have it already, so why not use it?
Introduction to NetFlow
• Developed by Cisco in 1996 as a packet forwarding mechanism
  • Outdated by CEF
  • Statistical reporting became relevant to customers
• Reporting is based on flows and not necessarily per packet (full flow vs. sampled)
• Various versions exist, version 1 through 9, with 5 being the most popular and 9 being the most functional
• Other flow statistic gathering technologies exist from various vendors (sFlow, IPFIX, JFlow, RFlow, NetStream)
© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Introduction to NetFlow (cont.)
A powerful information source for every network conversation, and a critical tool to identify a security breach:
• Understand network behavior and establish a network’s normal
• Each and every network conversation over an extended period of time
• Identify anomalous activity
• Source and destination IP address, IP ports, time, data transferred, and more stored for future analysis
• Reconstruct the sequence of events
• Forensic evidence and regulatory compliance
• NetFlow for full details, NetFlow-Lite for 1/n samples
• Visibility and advanced behavior-based security
NetFlow v5 and NetFlow v9
NetFlow v5 captures essential information regarding traffic patterns:
• Source/destination IP and port
• Packet counts
• Byte counts
• Flow duration
• I/O interfaces
Useful for Layer 3 and 4 traffic pattern analysis.
NetFlow v9 extends NetFlow v5 by adding:
• Numerous TCP flags/counters
• Flow direction
• Fragmentation flags
• ICMP and IGMP info
• Header stats
• Time-to-live
• DSCP/TOS info
• Destination routing info
• Layer 2 support (S/D MAC, VLAN, EtherType) within Catalyst switches
Provides insight into malformed packets, protocol manipulation, and direction of traffic.
NetFlow v5 is useful; however, NetFlow v9 delivers deeper insight.
NaaS (and a bit of NaaE): the network always sees everything
Network as a Sensor (NaaS)
• Detect anomalous traffic flows and malware
• Identify user access policy violations
• Obtain broad visibility into all network traffic
NaaS Components: Cisco’s NetFlow
Interweb → Cisco Router → NetFlow data → internal network / NetFlow Collector
Key NetFlow fields:
• Usage: packet count, byte count
• From/To: source IP address, destination IP address
• Time: start sysUpTime, end sysUpTime
• Application: source port, destination port
• Port utilization: input ifIndex, output ifIndex
• QoS: type of service, TCP flags, protocol
• Routing and peering: next hop address, source AS number, dest. AS number, source prefix mask, dest. prefix mask
Unsampled NetFlow at Cisco allows all traffic to be collected and provides a comprehensive view into all activity on the network. It is equivalent to reading every word on every page of a book.
Key and non-key fields needed
NetFlow v9 Security Flow Record (field: required? description):
• Source IP Address: required
• Destination IP Address: required
• Source Port: required
• Destination Port: required
• Layer 3 Protocol: required
• TOS Byte (DSCP): required
• Input Interface: required
• Output Interface: required. Establish if the traffic is leaving the LAN
• Packet Count: required. Identify the number of packets in the flow
• Byte Count: required. Identify high volume flows; identify anomalies
• Start and End Times: required. Establish the time frame and time of day, and establish the baselines used to identify anomalies
• Next Hop Routing Address: required. Used to determine pathing
• Source and Dest MAC Address: optional. Valuable in the access layer; identify the source host and if the traffic is leaving the switch
• Time To Live Field (min and max): optional. Identify crafted packets; provides pathing information
• TCP Flags: optional. Detect malicious behaviour based on the TCP protocol, e.g. number of SYN packets seen; number of embryonic connections (DoS detection)
• Application Name: optional. Provided through Deep Packet Inspection on some platforms
Key fields are used to define the flow.
NetFlow Configuration Example
1. Configure the flow record
2. Configure the flow exporter
3. Configure the flow monitor
4. Configure the interface(s)

flow record CYBER_FLOW_RECORD
 match ipv4 tos
 match ipv4 protocol
 …
 collect timestamp sys-uptime last
!
flow exporter CYBER_EXPORTER
 destination <collector-ip>   ! collector address not shown on the slide
 source Loopback1
!
flow monitor CYBER_MONITOR
 record CYBER_FLOW_RECORD
 exporter CYBER_EXPORTER
 cache timeout active 60
 cache timeout inactive 15
!
interface GigabitEthernet1/1
 ip flow monitor CYBER_MONITOR input
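An added example (not Cisco code) that models the key fields from the table above and the active/inactive cache timeouts in the configuration: packets are aggregated into flows by key fields, non-key fields are collected per flow, and a flow is exported once a timeout expires. The packet layout and field names are assumptions and the packets are constructed.

```python
"""Flow-cache model of key vs. non-key fields and the active/inactive cache timeouts
in the configuration above. Added example, not Cisco code; field names are assumptions."""
from dataclasses import dataclass
KEY_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol", "tos", "in_if")

@dataclass
class Flow:                 # key fields identify the flow, the rest is collected per flow
    key: tuple
    first: float            # start time (sysUpTime on a router)
    last: float             # end time
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0      # OR of every TCP flag seen in the flow
    ttl_min: int = 255      # min/max TTL, used to spot crafted packets
    ttl_max: int = 0

class FlowCache:
    """Aggregates packets by key fields; a flow is exported once it has been active
    for `active` s or idle for `inactive` s (the slide configures 60 / 15)."""
    def __init__(self, active=60, inactive=15):
        self.active, self.inactive, self.cache, self.exported = active, inactive, {}, []

    def add(self, p):
        now = p["ts"]
        for key, f in list(self.cache.items()):        # expire timed-out flows first
            if now - f.first >= self.active or now - f.last >= self.inactive:
                self.exported.append(self.cache.pop(key))
        key = tuple(p[k] for k in KEY_FIELDS)
        f = self.cache.setdefault(key, Flow(key, now, now))
        f.last, f.packets, f.bytes = now, f.packets + 1, f.bytes + p["len"]
        f.tcp_flags |= p["flags"]
        f.ttl_min, f.ttl_max = min(f.ttl_min, p["ttl"]), max(f.ttl_max, p["ttl"])

    def flush(self):
        self.exported.extend(self.cache.values())
        self.cache.clear()
        return self.exported

def pkt(ts, src, dst, sport, dport, length, ttl=64, flags=0):
    return dict(ts=ts, src_ip=src, dst_ip=dst, src_port=sport, dst_port=dport,
                protocol=6, tos=0, in_if=1, len=length, ttl=ttl, flags=flags)

# Constructed packets: one HTTPS exchange, then a FIN 19.8 s after the last packet.
PACKETS = [pkt(0.0, "10.1.1.5", "198.51.100.7", 51000, 443, 60, flags=0x02),
           pkt(0.1, "198.51.100.7", "10.1.1.5", 443, 51000, 60, ttl=52, flags=0x12),
           pkt(0.2, "10.1.1.5", "198.51.100.7", 51000, 443, 1400, flags=0x18),
           pkt(20.0, "10.1.1.5", "198.51.100.7", 51000, 443, 60, flags=0x11)]

def run(packets=PACKETS, **timeouts):
    cache = FlowCache(**timeouts)
    for p in packets:
        cache.add(p)
    return cache.flush()
```

With the slide's 15 s inactive timeout the late FIN becomes a third record; raising the inactive timeout to 30 s merges it back into the original flow.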
NaaS Components: StealthWatch System, Dynamic NetFlow Analysis
• Monitor: understand your network normal; gain real-time situational awareness of all traffic
• Detect: leverage Network Behavior Anomaly detection & analytics; detect behaviors linked to APTs, insider threats, DDoS, and malware
• Analyze: collect & analyze holistic network audit trails; achieve faster root cause analysis to conduct thorough forensic investigations
• Respond: accelerate network troubleshooting & threat mitigation; respond quickly to threats by taking action to quarantine through Cisco ISE
StealthWatch Architecture (minimum): StealthWatch Management Console, FlowCollector, NetFlow-enabled infrastructure
StealthWatch Architecture Overview, Unified View: Security and Network Monitoring
• StealthWatch Management Console
• FlowCollector
• Cisco ISE
• UDP Director
• User and device information
• FlowSensor
• NetFlow, syslog, SNMP
• StealthWatch IDentity
• NetFlow-enabled infrastructure
• VMware ESX with FlowSensor VE
• Feeds of emerging threat information
Scalability
• The SMC numbers: physical and virtual; up to 2TB of storage; from 5 up to 25 FC’s; up to 6M FPS; 1 MGMT port 10/100/1000 copper
• The Flow Collector numbers: physical and virtual; up to 6TB of storage; up to 240.000 FPS; 1 management port 10/100/1000 copper; close to 100 algorithms
• The Flow Sensor numbers: physical and virtual; from 1Gbps to 20 Gbps throughput; 3 monitoring ports 10/100/1000 copper, up to monitoring ports from 1GB copper to 10 GB fiber; 1 management port 10/100/1000 copper; supports 900+ application fingerprints
Some important notes
• Visibility depends on where the data is coming from. North-South: from the access layer L3 to the Internet. East-West: on the access layer.
• StealthWatch only monitors devices that send Flow to the Flow Collector.
• Flow is OSI Layer 4, with no application data: complement Flow with application data from NBAR etc.
• Flow does not have user information: complement Flow with Identity Services Engine data.
• Egress is better than ingress, and unsampled Flow is better than sampled.
Just Google: Cisco CSIRT: Security Analytics and Forensics with NetFlow
Network as an Enforcer (NaaE)
• Implement access controls to secure resources
• Contain the scope of an attack on the network
• Quarantine threats, reduce time-to-remediation
NaaE Components: Context Powered by ISE
Identity- and context-aware network: remote VPN user, wireless user, wired user, devices, virtual desktop; security zones: data center, intranet, Internet.
ISE provides:
• Policy-based access control
• Scalable enforcement
• Senses devices
• Drives control through access control lists
NaaE Components: Cisco TrustSec technology
Cisco TrustSec technology uses software-defined segmentation to simplify the provisioning of network access, accelerate security operations, and consistently enforce policy anywhere in the network. Cisco TrustSec is embedded technology in Cisco switches, routers, and wireless and security devices.
NaaE Components: Cisco TrustSec (cont.)
Software and role-based segmentation to control access and contain threats:
• Simplifies firewall rule, ACL and VLAN management
• Prevents lateral movement of potential threats
• Eliminates costly network re-architecture
Traditional security policy vs. TrustSec security policy: segmentation policy enforced across the extended network (switch, router, VPN & firewall, DC switch, wireless controller).
A Solution Providing Deeper Visibility and Greater
• Network as a Sensor (NaaS): Cisco networking portfolio, Cisco NetFlow, Lancope StealthWatch (optional), Cisco Identity Services Engine (ISE)
• Network as an Enforcer (NaaE): Cisco networking portfolio, Cisco NetFlow, Lancope StealthWatch, Cisco Identity Services Engine (ISE), Cisco TrustSec software-defined segmentation
If having 1:1 complete visibility is not enough: 259% ROI
Impact to the business ($): “Worm outbreaks impact revenue by up to $250k / hour. StealthWatch pays for itself in 30 minutes.” (F500 media conglomerate)
StealthWatch reduces MTTK (mean time to know) along the attack timeline:
• Company with legacy monitoring tools: attack onset → attack identified → credit card data compromised → vulnerability closed
• Company with StealthWatch: attack onset → early warning → attack identified → attack thwarted → vulnerability closed
~70% of incident response is spent on MTTK.
How does the magic work? Behavior based anomaly detection 101
StealthWatch deep statistical analysis (big data):
• Group by IP: an IP is called a Host; a group of IPs is called a Host Group
• Segment by Host Group: by functionality, by location, by department, by …
• Baseline by: Host, Host Group
How to baseline: use e.g. thresholds. How does your SatNav work?
• Shortest trip: mileage + speed (could also include historic data)
• Fastest trip: like shortest + penalties for traffic lights, roundabouts, etc.
• Dynamic planning: like fastest + information like traffic jams and road works
StealthWatch “gives” points based on behavior:
• Bad behavior: like DDoS, malware, xx floods etc. No baseline on this; it always triggers an alert.
• Normal behavior: like DNS, mail, browsing etc. The more normal, the fewer points.
• Abnormal behavior: like rogue devices, deviations in volume from normal etc. The more frequent, the higher the volume or the more different, the more points. Historical information is included: the more often it happens, the higher the points each time.
Baselining and Tolerance
Points are scaled between the behavior and the high threshold: A = low threshold (0 points), B = behavior (baseline), C = high threshold (100 points); axes: Tolerance vs. Behavior.
Baseline is: previous 7 days + same day of the 3 weeks before (in total 28 days): last 7 days, Wk 2, Wk 3, Wk 4.
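The baseline window and point scaling described above, as an added example (not Lancope code): the window is the previous 7 days plus the same weekday of the three weeks before, observations at or below the baseline score 0 and those at or above the high threshold score 100. The high-threshold formula, the 25% escalation per earlier hit and the per-day byte counts are assumptions/constructed.

```python
"""Baseline window and 0..100 point scaling as described on the slide. Added
example, not Lancope code; threshold and repeat-weighting formulas are assumptions."""
from statistics import mean

def baseline_days(today):
    """Day indexes of the 28-day window: the previous 7 days plus the same
    weekday of the 3 weeks before (today-14, today-21, today-28)."""
    return [today - d for d in range(1, 8)] + [today - 7 * w for w in (2, 3, 4)]

def baseline(history, today):
    """Mean of the observed values over the window; days without data are skipped."""
    return mean([history[d] for d in baseline_days(today) if d in history])

def points(value, base, high):
    """Scale an observation to points: 0 at or below the baseline (A/B on the
    slide), 100 at or above the high threshold (C), linear in between."""
    if value <= base:
        return 0
    if value >= high:
        return 100
    return round(100 * (value - base) / (high - base))

def score_day(history, today, tolerance=0.5, prior_hits=0):
    """Score today's observation. Assumed: high threshold = baseline * (1 + tolerance);
    every earlier hit adds 25% to the points ("the more often it happens, the
    higher the points each time"), capped at 100. Returns (points, baseline, high)."""
    base = baseline(history, today)
    high = base * (1 + tolerance)
    raw = points(history[today], base, high)
    return min(100, round(raw * (1 + 0.25 * prior_hits))), base, high

# Constructed sample: bytes sent per day by one host. Days 0..27 follow a weekly
# pattern around 1 GB; day 28 ("today") sends 1.4 GB.
HISTORY = {d: 1_000_000_000 + (d % 7) * 20_000_000 for d in range(28)}
HISTORY[28] = 1_400_000_000
```

For the sample, the baseline is 1.042 GB and today's 1.4 GB scores 69 points; the same deviation seen for the third time would be capped at 100.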
Security Events (“Algorithms”) feed Categories (“Indexes”), which raise Alarms (“Notifications”):
• Security Event → CI → Alarm
• Security Event → TI → Alarm
• Security Event → C&C → Alarm
• Security Event → Recon → Alarm
• Security Event → Alarm
Use Cases and Demos: main concepts explained
NaaS in Action: As an Attack Progresses
Breach stages and what NetFlow can detect:
1. Vulnerability exploration: attacker scans IP addresses and ports to explore vulnerabilities (OS, user, app.). NetFlow can detect scans across IP address ranges and scans down IP ports on every IP address.
2. Install malware on 1st host: attacker installs software to gain access. NetFlow can detect inbound admin traffic from an unexpected location.
3. Connection to “Command and Control”: malware creates an outbound connection with the C&C system for further instructions. NetFlow can detect outbound connections to known C&C IP addresses.
4. Spreading malware to other hosts: attack other systems on the intranet through vulnerability exploitation. NetFlow can detect scans across IP address ranges by internal hosts and scans down IP ports on every IP address by internal hosts.
5. Data exfiltration: export data to a 3rd party server. NetFlow can detect extended flows (HTTP, FTP, GETMAIL, MAPIGET and more) and data transfer to new external hosts.
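The detections listed for the breach stages above, as an added example (not StealthWatch or Cisco code) that applies simple thresholds to NetFlow-style records: scans across addresses, scans down the ports of one host, outbound connections to a watch-listed C&C address, and a large transfer to an external host with no prior history. The flow records, the watch list (documentation-range addresses) and the thresholds are constructed.

```python
"""Threshold detections for the breach stages above over NetFlow-style records.
Added example, not StealthWatch code; records, watch list and thresholds are constructed."""
from collections import defaultdict
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
KNOWN_CC = {"203.0.113.9"}          # constructed C&C watch list (documentation range)
SEEN_EXTERNAL = {"198.51.100.7"}    # external hosts this network has talked to before

def detect(flows, scan_min=20, exfil_bytes=50_000_000):
    """Return sorted (alarm, source_ip) pairs for the four detections."""
    dst_ips = defaultdict(set)      # src -> distinct destination addresses probed
    dst_ports = defaultdict(set)    # (src, dst) -> distinct destination ports probed
    alarms = set()
    for f in flows:
        src, dst = f["src"], f["dst"]
        src_internal = ipaddress.ip_address(src) in INTERNAL
        dst_external = ipaddress.ip_address(dst) not in INTERNAL
        if f["packets"] <= 2:                       # tiny flows: scan probes
            dst_ips[src].add(dst)
            dst_ports[(src, dst)].add(f["dport"])
        if src_internal and dst in KNOWN_CC:        # stage 3: C&C call-back
            alarms.add(("cc_callback", src))
        if (src_internal and dst_external and dst not in SEEN_EXTERNAL
                and f["bytes"] >= exfil_bytes):     # stage 5: data to a new external host
            alarms.add(("exfil_new_host", src))
    for src, ips in dst_ips.items():                # stages 1/4: scan across addresses
        if len(ips) >= scan_min:
            alarms.add(("addr_scan", src))
    for (src, _), ports in dst_ports.items():       # stages 1/4: scan down ports
        if len(ports) >= scan_min:
            alarms.add(("port_scan", src))
    return sorted(alarms)

def flow(src, dst, dport, packets, nbytes):
    return {"src": src, "dst": dst, "dport": dport, "packets": packets, "bytes": nbytes}

# Constructed records: an address sweep, a port scan, a call-back, an export, benign browsing.
FLOWS = ([flow("10.1.1.5", f"10.1.2.{i}", 445, 1, 60) for i in range(1, 31)]
         + [flow("10.1.1.5", "10.1.3.7", p, 1, 60) for p in range(1, 26)]
         + [flow("10.1.3.7", "203.0.113.9", 443, 12, 4_000),
            flow("10.1.3.7", "192.0.2.50", 443, 40_000, 60_000_000),
            flow("10.1.1.9", "198.51.100.7", 443, 300, 200_000)])
```

The thresholds stand in for the per-host baselines of the previous section; in practice the scan and byte limits would come from the host's own 28-day baseline rather than fixed numbers.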
Demos (main concepts): “Don't teach what the product can do - teach how to use it”
• Concern Index (and Target Index)
• Dashboards & maps
• Quickly identify what I must address immediately
• Software Defined (soft) Network Segmentation
• Challenging scenarios (shared workstations, WLAN visitors etc.)
YouTube: Lancope