Cisco Rapid Threat Containment
Transcript of Cisco Rapid Threat Containment
Jim Kotantoulas, Consulting Systems Engineer – Security, May 2016
Cisco Rapid Threat Containment
C97-736203-00 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Rapid Threat Containment: Agenda
RTC Overview
Cisco pxGrid – secure information sharing
Dynamic Segmentation using TrustSec
RTC using Netflow/Stealthwatch and FirePower
RTC with Nessus
Demo
Malware Threats Are Growing in Stealth, Speed and Sophistication
• Organizations often have 40 to 60+ disparate security solutions
• But they don’t – and often can’t – work together
• 17,000 alerts received on average per week
• 19% prove reliable
• Security teams have time to investigate just 4% of warnings [1]
• The longer threats stay undetected, the greater the damage
• But the current industry average detection time is 200 days
• Average cost per data breach: $3.8 million [2]
Malware Preys on Dis-Integrated Security Infrastructure
• Too Little Time
• Too Much Manual Effort
• Too Much Information
Advanced Malware Requires Advanced Threat Detection and Response
Malware defense should be: Automated, Advanced, Scalable, Accelerated
What If You Could…?
Improve Threat Visibility and Detection Across the Network
Speed Time to Containment
Lower Operational Overhead and Costs
Protect Automatically with Rapid Threat Containment: Cisco FireSIGHT Management Center (FMC) and Cisco Identity Service Engine (ISE)
Benefits
• Detect Threats Early: FireSIGHT scans activity and publishes events to ISE
• Automate Endpoint Containment: ISE alerts the network of suspicious activity according to policy
• Integrate Best-of-Breed Security: a growing ecosystem of threat defense partners integrate with ISE
Rapid Threat Containment in Action: Automatically Defend Against Threats with FMC and ISE
• Corporate user downloads a file, not knowing it’s actually malicious
• Cisco security sensors scan the user activity and the downloaded file; FMC aggregates and correlates sensor data
• FMC detects the flagrantly suspicious file and alerts ISE; ISE then changes the user’s/device’s access policy to suspicious
• Based on the new policy, network enforcers automatically restrict access
• Device is quarantined for remediation or mitigation – access is denied per security policy
Differentiated Threat Defense
• Advanced, Automated Malware Detection
• Contextual Visibility to Understand and Contain Threats Faster
• Continually Updated Threat Intelligence
• Pervasive Network Enforcement
Your Cisco Network as Security Sensor and Enforcer
What You Gain
Improved Threat Visibility and Detection Effectiveness
Faster Time-to-Containment
Lower Costs
Cisco Rapid Threat Containment Solution
Advanced Threat Sensors
• Cisco ASA with Firepower Services
• Firepower NGIPS Appliances
• Cisco AMP for Networks
• Firepower on Cisco ISR
Threat Visibility
• Cisco FireSIGHT Management Center
• Automated Contextual Analysis and Threat Qualification
• Continuous Threat Intelligence Updates to Threat Sensors
Automated Enforcement
• Cisco FireSIGHT and Cisco ISE Automate Containment
• Policy Enforcement from Cisco TrustSec, Downloadable ACL, or VLAN
Cisco RTC protects across the full attack continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Components across the continuum: NGFW, AnyConnect, ISE & TrustSec, NGIPS, NGISR, Cloud Access Security, Talos, Advanced Malware Protection
Under the Covers with Cisco pxGrid (Platform Exchange Grid)
Cisco Rapid Threat Containment
Context is the Currency of the Solution Integration Realm… but it’s not easy to execute
• I have NBAR info! I need identity…
• I have firewall logs! I need identity…
• I have sec events! I need reputation…
• I have NetFlow! I need entitlement…
• I have MDM info! I need location…
• I have app inventory info! I need posture…
• I have identity & device-type! I need app inventory & vulnerability…
• I have threat data! I need reputation…
• I have location! I need identity…
• I have reputation info! I need threat data…
• I have application info! I need location & auth-group… (SIO)
But the integration burden is on IT departments. We need to share context and take network actions.
Context is the Currency of the Solution Integration Realm… but pxGrid accomplishes this
pxGrid: Context Sharing, Event Response
Cisco pxGrid: Overview
What is pxGrid?
• pxGrid is a common method for network and security devices to share data with other devices through a secure publish and subscribe mechanism.
Why do we need pxGrid?
• Solve the integration nightmare by using a single secure framework for “contextual” data sharing.
• Provide contextual information to Cisco platforms, SIEM & 3rd party applications to increase accuracy and collaboration of security events.
• Provide contextual data to Cisco platforms to identify policy, take proactive actions or share common policy objects, which greatly extends policy management.
• A scalable and secure means to share information (i.e. Pub/Sub/Query) in the network ecosystem
ISE Ecosystem – Built Using Cisco pxGrid: The 1-2-3 Formula… ISE Integrates with IT Platforms to do 3 Things
1. ISE Makes Customer IT Platforms User/Identity, Device and Network Aware: ISE shares user/device & network context with IT infrastructure (ISE → Eco-Partner: context). Benefit: puts “who, what device, what access” with events. Way better than just IP addresses!
2. Make ISE a Better Network Policy Platform for Customers: ISE receives context from eco-partners to make better network access policy (Eco-Partner → ISE: context). Benefit: creates a single place for comprehensive network access policy through integration.
3. Help Customer IT Environments Reach into the Cisco Network: Eco-Partner → ISE → Cisco network (mitigate / action). Benefit: decreases the time, effort and cost of responding to security and network events.
pxGrid – Industry Adoption Critical Mass: 30 Partner Product Integrations and 12 Technology Areas in First Year of Release
pxGrid-Enabled ISE Partners:
• RTC: Cisco FirePower, Bayshore, E8, Elastica, Hawk, Huntsman, Infoblox, Invincea, Lancope, LogRhythm, NetIQ, Rapid7, SAINT, Splunk, Tenable
• Firewall: Check Point, Infoblox, Bayshore
• DDI: Infoblox
• Cloud: Elastica, SkyHigh Networks
• Net/App: LiveAction, Savvius
• SIEM/TD: Splunk, Lancope, NetIQ, LogRhythm, FortScale, Rapid7
• IAM: Ping, NetIQ, SecureAuth
• Vulnerability: Rapid7, Tenable, SAINT
• IoT Security: Bayshore Networks
• P-Cap/Forensics: Emulex
• Cisco: WSA, FirePower, ISE
Other ISE Partners:
• SIEM/TD: ArcSight, IBM QRadar, Tibco LogLogic, Symantec
• MDM/EMM: Cisco Meraki, MobileIron, AirWatch, JAMF, SOTI, Symantec, Citrix, IBM, Good, SAP, Tangoe, Globo, Absolute
Technology areas around Cisco pxGrid (“Security thru Integration”): Firewall & Access Control, Vulnerability Assessment, Packet Capture & Forensics, SIEM & Threat Defense, IAM & SSO, Net/App Performance, IoT Security, Cloud Access Security, DDI, Rapid Threat Containment (RTC), Cisco ISE, Cisco WSA, Cisco FirePOWER
pxGrid – How it Works, Why It Matters… (ISE as pxGrid Controller)
Steps: Authenticate, Authorize, Publish, Discover, Subscribe, Query
• I have sec events! I need identity & device…
• I have MDM info! I need location…
• I have location! I need app & identity…
• I have application info! I need location & device-type…
• I have identity & device! I need geo-location & MDM…
Each client is authorized by the controller, publishes its own context to a topic, discovers the topics it needs, and consumes them either as a continuous flow (subscription) or as a directed query.
pxGrid Architecture & Components
pxGrid Controller – responsible for the control plane:
• Establishing the “grid” instance
• Authenticating clients on to the grid
• Authorizing what clients can do on the grid
• Maintaining a directory of context information “topics” available on the grid
pxGrid Clients (Eco-Partner Platforms) – responsible for:
• Utilizing pxGrid Client Libraries (in SDK) to communicate with the pxGrid Controller
• If sharing contextual information, publishing it to a “topic”
• If consuming contextual information, subscribing to the appropriate “topic”
• Filtering “topics” to exclude unwanted information
• Ad-hoc query to “topics”
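The controller responsibilities listed above (establish the grid, authenticate clients, authorize per-topic capabilities, keep the topic directory) and the client operations (publish, discover, subscribe, query) are easy to lose in the diagram. The following is an added toy model of that control plane, written for this transcript; it is not the pxGrid SDK, its wire protocol, or any Cisco code. Client names, the shared-secret credentials standing in for client certificates, and the topic names are all constructed for the example.

```python
from collections import defaultdict


class PxGridController:
    """Toy model of the pxGrid control plane: authenticate clients, authorize
    what each may do per topic, keep the topic directory, fan out publishes
    to subscribers and answer directed queries. Constructed for illustration;
    not the pxGrid SDK or protocol."""

    def __init__(self, trusted_clients):
        self._trusted = dict(trusted_clients)   # client -> credential (stand-in for its certificate)
        self._sessions = set()                  # authenticated clients
        self._grants = defaultdict(set)         # client -> {(topic, capability)}
        self._topics = {}                       # topic -> owning publisher
        self._subscribers = defaultdict(list)   # topic -> [(client, callback)]
        self._latest = {}                       # topic -> last record, served to directed queries

    def authenticate(self, client, credential):
        if self._trusted.get(client) != credential:
            raise PermissionError(f"{client}: authentication failed")
        self._sessions.add(client)

    def authorize(self, client, topic, capability):
        """Grant 'publish' or 'subscribe' on one topic; nothing is implied."""
        self._grants[client].add((topic, capability))

    def _check(self, client, topic, capability):
        if client not in self._sessions:
            raise PermissionError(f"{client}: not authenticated")
        if (topic, capability) not in self._grants[client]:
            raise PermissionError(f"{client}: not authorized to {capability} {topic}")

    def register_topic(self, client, topic):
        self._check(client, topic, "publish")
        self._topics[topic] = client

    def discover(self, client):
        if client not in self._sessions:
            raise PermissionError(f"{client}: not authenticated")
        return sorted(self._topics)

    def subscribe(self, client, topic, callback):
        self._check(client, topic, "subscribe")
        self._subscribers[topic].append((client, callback))

    def publish(self, client, topic, record):
        # Only the registered owner of a topic may publish to it, so a client
        # with a publish grant on its own topic cannot inject into another one.
        self._check(client, topic, "publish")
        if self._topics.get(topic) != client:
            raise PermissionError(f"{client}: does not own topic {topic}")
        self._latest[topic] = record
        for _, callback in self._subscribers[topic]:
            callback(topic, record)

    def query(self, client, topic):
        # A directed query reuses the subscribe grant (assumption of this model).
        self._check(client, topic, "subscribe")
        return self._latest.get(topic)


def demo():
    """ISE publishes session context; a SIEM subscribes; an MDM client with a
    grant on a different topic is refused when it tries to publish sessions."""
    grid = PxGridController({"ise": "ise-cert", "siem": "siem-cert", "mdm": "mdm-cert"})
    for client in ("ise", "siem", "mdm"):
        grid.authenticate(client, f"{client}-cert")
    grid.authorize("ise", "SessionDirectory", "publish")
    grid.authorize("siem", "SessionDirectory", "subscribe")
    grid.authorize("mdm", "MDMPosture", "publish")
    grid.register_topic("ise", "SessionDirectory")

    received = []
    grid.subscribe("siem", "SessionDirectory", lambda topic, rec: received.append(rec))
    session = {"ip": "10.1.10.1", "user": "alice", "device": "Corp Laptop", "sgt": 10}  # constructed
    grid.publish("ise", "SessionDirectory", session)

    try:
        grid.publish("mdm", "SessionDirectory", {"ip": "10.1.10.1", "sgt": 0})
        rejected = False
    except PermissionError:
        rejected = True
    return received, rejected, grid.query("siem", "SessionDirectory"), grid.discover("siem")


if __name__ == "__main__":
    print(demo())
```

The point of the model is that "who, what device, what access" context is only as trustworthy as the controller's authorization: a consumer should not be able to overwrite the session directory, and the subscriber's view and a directed query of the same topic must agree.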
pxGrid Adaptive Network Control – Enables Rapid Threat Containment
Network-as-an-Enforcer – Makes Cisco Infrastructure a Unified Event Response Network
• Quarantine devices or spawn investigations of events from Cisco FirePower and 3rd party products, such as SIEM and vulnerability management systems
• Enlist other Cisco infrastructure in the network response – such as dynamic ACLs on switches and ASA, or increased IPS inspection levels
A network mitigation action from a 3rd party console goes through the pxGrid ANC API to ISE as the unified policy point, which applies an SGT or CoA: user/device quarantine, dynamic ACLs, increased inspection.
Dynamic Segmentation using TrustSec
Cisco Rapid Threat Containment
Segmentation is a Powerful Security Tool
“Network segmentation… is one of the most effective controls an agency can implement to mitigate the second stage of a network intrusion, propagation or lateral movement”
“Good network and role segmentation will do wonders for containing an incident.”
“Effective network segmentation… reduces the extent to which an adversary can move across the network”
“Segregate Networks, limit allowed protocols usage and limit users’ excessive privileges.”
Sources: 2014 Data Breach Investigations Report; The Untold Story of the Target Attack, Step by Step, Aorato Labs, August 2014
Policy and Segmentation (The Challenge)
Access layer: Voice, FN, Suppliers, Guest, Employees
Core / Aggregation layer: VLAN, Addressing, DHCP Scope, Redundancy, Routing, Static Filtering (ACL)
Simple segmentation with 2 VLANs; more policies require more VLANs
The design needs to be replicated for floors, buildings, offices, and other facilities. TCO can be extremely high.
Cisco TrustSec Solution with SGT (The Solution)
Retaining the initial VLAN / IP subnet design; access layer: Voice, FN, Researchers, Guest, Staff; data center firewall
Benefits of TrustSec Deployment
• Every packet has embedded identity; no L2 VLAN or L3 IP dependencies, regardless of topology or location
• Policy stays with users, devices, and applications
• Operational efficiency: reduces firewall policy changes; simplified ACL and firewall rule management; optimizes the firewall for improved throughput & performance; uses both SGACL and SGFW for policy and segmentation
• Threat containment: prevents lateral movement of malware; changes a user or app role based on 3rd-party threat intel received
Drivers for TrustSec Adoption
• Mitigate Risk: reducing the attack surface with segmentation; preventing lateral movement of threats
• Increase SecOps efficiency: manage security using logical groups, not IP addresses/VLANs
• Meet Compliance Objectives: authorize access to compliance-critical apps
ATTACK CONTINUUM: BEFORE, DURING, AFTER
TrustSec / ISE – Network as an Enforcer
• Segment to limit the attack surface
• Quarantine based on detection, transparently to the host
• Control lateral movement
• Allow remediation of quarantined systems
TrustSec: Beneath The Surface
The TrustSec Concept
Users and devices → Switch → Router → DC FW → DC Switch → HR Apps (SGT = 4) / PCI Apps (SGT = 10); ISE with the directory performs classification at the edge (e.g. SGT:5), the SGT is propagated along the path, and enforcement happens in the data center
• Classification of systems/users based on context (user role, device, location, access method)
• Context (user role) manifests as a Security Group Tag (SGT)
• Firewalls, routers and switches use the SGT to make packet blocking decisions
• Classify once & reuse the result multiple times
TrustSec Classification
TrustSec Classification Types
Dynamic Classification (common classification for user devices): 802.1X Auth, MAC Auth Bypass, Web Auth → SGT
Static Classification (common classification for servers, topology-based policy, etc.):
• IP Address
• VLANs
• Subnets
• L2 Interface
• L3 Interface
• Virtual Port Profile
• Layer 2 Port Lookup
Dynamic Classification with ISE
Network / user context (Who, What, Where, When, How) → Access Policy, e.g. Compromised Device, CXO Level Secure Access, BYOD Employee, User, Guest Visitor
Integrated partner ecosystem
• Minimize network unknowns
• Reduce your attack surface
• Enforce the right level of access control
• Contain malicious network threats
Dynamic Classification with ISE Policy
Employee Access – match conditions:
• SSID = Corporate-WiFi
• Certificate-based Authentication
• Posture Status = Compliant
• Profile = Corp Laptop
• Windows AD Group = Employee
Classification Result: Employee_SGT
Built-in attribute dictionary to create detailed condition statements, deriving security group assignments based on context
TrustSec Propagation
Propagating Security Group Tags via the Network
End-to-end TrustSec-capable networks using inline tagging: User → Switch → Router → WAN (GETVPN, DMVPN, IPsec, OTP) → Router → Firewall → DC Switch → vSwitch → Server; classification at both ends, SGT over Ethernet in the campus and data center, SGT over WAN in between, SGACL enforcement
TrustSec enabled on legacy networks using SXP: the same path, with IP-to-SGT bindings carried by SXP to the enforcement point (SGFW)
SXP and inline tagging submitted to the IETF: https://datatracker.ietf.org/doc/draft-smith-kandula-sxp/
Open Source SXP implementation now available: https://github.com/opendaylight/sxp
SGT Transport Mechanism
Campus access (non-SGT capable) → WLC / core → enterprise backbone → DC core → DC access / TOR → hypervisor switch; firewall at the DC edge
• Inline Tagging (data plane): if the device supports SGT in its ASIC, the tag travels in the L2 Ethernet frame (SRC: 10.1.100.98, SGT=50), ASIC to ASIC, optionally encrypted
• SXP (control plane): shared between devices that do not have SGT-capable hardware as an SXP IP-SGT binding table, e.g.
IP Address    SGT   SRC
10.1.100.98   50    Local
which the SXP listener learns as 10.1.100.98 → 50 (source: SXP)
Inline SGT Tagging – Data Plane Propagation
• Fastest and most scalable way to propagate SGT within the LAN or Data Center
• SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
• Capable switches understand and process the SGT at line rate
• Protected by enabling MACsec (IEEE 802.1AE) – optional for capable hardware
• No impact to QoS, IP MTU/Fragmentation
• L2 frame impact: ~20 bytes; the 16-bit field gives ~64,000 tag space
• A non-capable device drops the frame with the unknown EtherType
Ethernet frame: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC
Cisco Meta Data: CMD EtherType 0x8909 | Version | Length | SGT Option Type | SGT Value (16 bits) | Other CMD Option
MACsec frame: Destination MAC | Source MAC | 802.1AE Header | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE Header | CRC, with AES-GCM 128-bit encryption
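To make the frame layout above concrete, here is an added Python example (written for this transcript, not Cisco code) that builds and parses an Ethernet frame carrying an SGT in a Cisco Meta Data header. The page gives only the CMD EtherType 0x8909, the 16-bit SGT value and the field names; the exact byte layout used here (one-byte version and length, two-byte option type and option length, option length counted in 16-bit words) and the SGT option-type code 0x0001 are assumptions of this example, as are the MAC addresses and payload. The `cmd_capable=False` path models the slide's point that a device which does not understand the EtherType drops the frame.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_CMD = 0x8909      # Cisco Meta Data EtherType, as given on the slide
ETHERTYPE_IPV4 = 0x0800
CMD_VERSION = 1             # assumed
CMD_OPT_SGT = 0x0001        # assumed option-type code for the SGT option

# Constructed sample values.
MAC_SRC = bytes.fromhex("0011223344aa")
MAC_DST = bytes.fromhex("0011223344bb")
SAMPLE_PAYLOAD = b"\x45\x00" + b"\x00" * 18


def build_plain_frame(dst_mac, src_mac, payload, vlan=None):
    """Ordinary frame: MACs, optional 802.1Q tag, EtherType, payload (no CMD)."""
    frame = dst_mac + src_mac
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def build_cmd_frame(dst_mac, src_mac, sgt, payload, vlan=None):
    """Frame with a CMD header carrying one SGT option before the inner EtherType.
    Assumed CMD layout: version(1) length(1) | opt_type(2) opt_len(2) sgt(2),
    where length counts the option bytes and opt_len counts 16-bit words."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit field")
    frame = dst_mac + src_mac
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    sgt_option = struct.pack("!HHH", CMD_OPT_SGT, 1, sgt)
    frame += struct.pack("!HBB", ETHERTYPE_CMD, CMD_VERSION, len(sgt_option))
    return frame + sgt_option + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame, cmd_capable=True):
    """Walk the L2 headers; return vlan, sgt, inner EtherType and payload.
    A device whose ASIC does not understand 0x8909 cannot parse past it: that
    case is modelled by cmd_capable=False returning None (frame dropped)."""
    off = 12
    vlan = None
    (et,) = struct.unpack_from("!H", frame, off)
    off += 2
    if et == ETHERTYPE_8021Q:
        (tci,) = struct.unpack_from("!H", frame, off)
        vlan, off = tci & 0x0FFF, off + 2
        (et,) = struct.unpack_from("!H", frame, off)
        off += 2
    sgt = None
    if et == ETHERTYPE_CMD:
        if not cmd_capable:
            return None
        version, length = struct.unpack_from("!BB", frame, off)
        off += 2
        if version != CMD_VERSION:
            raise ValueError(f"unsupported CMD version {version}")
        end = off + length
        while off + 4 <= end:
            opt_type, opt_len = struct.unpack_from("!HH", frame, off)
            off += 4
            if opt_type == CMD_OPT_SGT:
                (sgt,) = struct.unpack_from("!H", frame, off)
            off += opt_len * 2          # skip any other CMD option we do not decode
        off = end
        (et,) = struct.unpack_from("!H", frame, off)
        off += 2
    return {"vlan": vlan, "sgt": sgt, "ethertype": et, "payload": bytes(frame[off:])}


def demo():
    tagged = build_cmd_frame(MAC_DST, MAC_SRC, 50, SAMPLE_PAYLOAD, vlan=100)
    return parse_frame(tagged), parse_frame(tagged, cmd_capable=False)


if __name__ == "__main__":
    print(demo())
```

Running it shows the tag (SGT 50) recovered by a capable parser and `None` for the non-capable one, which is the deployment check to make before enabling inline tagging on a link: every hop on that link must understand 0x8909, otherwise the traffic is silently dropped rather than merely untagged.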
SGT Exchange Protocol (SXP) – Control Plane Propagation
• SXP is a very simple way to enable SGT propagation without hardware dependencies
• Propagation from the access edge to the enforcement device
• Can be deployed side by side with inline SGTs
• Uses TCP as the transport protocol
• Two roles: Speaker (initiator) and Listener (receiver)
• Developed for migration, to support 3rd-vendor network devices as well as Cisco’s legacy infrastructure
Topology: access switches (SXP speakers) → aggregation switch (SXP) → router / enforcement device (SXP listener)
SXP Connection Types – Speaker & Listener Roles
Single-Hop SXP: SXP-enabled switch/WLC (Speaker – Classifier) in the non-TrustSec domain → SXP → SGT-capable hardware (Listener – Enforcer)
Multi-Hop SXP: SXP-enabled switch/WLC (Speaker – Classifier) → SXP → SXP-enabled switch (Listener – Enforcer/Propagator, re-advertising as Speaker – Enforcer/Propagator) → SXP → SGT-capable hardware (Listener – Enforcer)
SXP WAN Aggregation Option
SXP speakers (branch/campus access) → SXP aggregators (speakers & listeners) → SXP listeners on the SGT-capable enforcement switch or firewall
Bindings at speaker 1:
IP Address    SGT
10.1.10.1     Production User – 10
10.1.10.10    Developer – 20
Bindings at speaker 2:
IP Address    SGT
10.1.254.1    Production User – 10
10.1.254.10   Developer – 20
Bindings at the aggregator and at the DC edge listener:
IP Address    SGT
10.1.10.1     Production User – 10
10.1.10.10    Developer – 20
10.1.254.1    Production User – 10
10.1.254.10   Developer – 20
• Aggregators handle the SXP control plane; they are not in the traffic path
• All bindings are received at the DC edge, which peers only with the aggregators
TrustSec Enforcement
Security Group Access Control List (SGACL)
• SGACL is an access control list to filter traffic based on security group
• SGACLs enforce policy based on egress data flow
• No IP address in the syntax; IP version agnostic (supports IPv4 & IPv6)
Example SGACL “Permit_Mail_Traffic”:
permit tcp dst eq 110
permit tcp dst eq 143
permit tcp dst eq 25
permit tcp dst eq 465
permit tcp dst eq 585
permit tcp dst eq 993
permit tcp dst eq 995
deny all log
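The three TrustSec stages on the preceding slides (the ISE classification rule that yields Employee_SGT, the SXP binding tables merged at the aggregator and DC edge, and the egress SGACL “Permit_Mail_Traffic” above) fit together in one short model. The following is an added Python example written for this transcript; it is not Cisco's implementation. It reuses the page's addresses and the “Production User – 10” / “Developer – 20” numbering; the Employee_SGT number (10), the mail-server SGT (30) and its address 10.1.100.5, the “Unknown” tag 0 for hosts with no binding, and the permit-by-default behaviour for unconfigured policy cells are all constructed assumptions.

```python
from ipaddress import ip_address

# --- 1. Classification: the Employee Access rule from the ISE policy slide.
# SGT numbers are constructed; the page names only Employee_SGT and uses
# "Production User - 10" / "Developer - 20" on the SXP aggregation slide.
SGT_NUMBERS = {"Employee_SGT": 10, "Developer_SGT": 20, "Mail_Server_SGT": 30, "Unknown": 0}
RULES = [
    ("Employee_SGT", {"ssid": "Corporate-WiFi", "auth": "certificate",
                      "posture": "Compliant", "profile": "Corp Laptop",
                      "ad_group": "Employee"}),
]


def classify(session):
    """Return the SGT name of the first rule whose conditions all match."""
    for sgt_name, conditions in RULES:
        if all(session.get(k) == v for k, v in conditions.items()):
            return sgt_name
    return "Unknown"


# --- 2. Propagation: IP-to-SGT bindings learned over SXP by the enforcer.
class SxpListener:
    def __init__(self):
        self.bindings = {}                       # ip_address -> SGT number

    def receive(self, bindings):
        for ip, sgt in bindings.items():
            self.bindings[ip_address(ip)] = sgt

    def lookup(self, ip):
        # A host with no binding gets SGT 0 (Unknown). A missing or stale
        # binding is the usual reason an SGACL appears to "do nothing".
        return self.bindings.get(ip_address(ip), SGT_NUMBERS["Unknown"])


# --- 3. Enforcement: SGACL cells keyed by (source SGT, destination SGT),
# evaluated at egress. ACE tuple: (action, protocol, dst port or None, log).
PERMIT_MAIL_TRAFFIC = [("permit", "tcp", p, False) for p in (110, 143, 25, 465, 585, 993, 995)]
PERMIT_MAIL_TRAFFIC.append(("deny", "any", None, True))      # deny all log
DENY_ALL = [("deny", "any", None, True)]
PERMIT_ALL = [("permit", "any", None, False)]
POLICY = {
    (SGT_NUMBERS["Employee_SGT"], SGT_NUMBERS["Mail_Server_SGT"]): PERMIT_MAIL_TRAFFIC,
    (SGT_NUMBERS["Developer_SGT"], SGT_NUMBERS["Mail_Server_SGT"]): DENY_ALL,
}


def sgacl_evaluate(acl, proto, dport):
    """First matching ACE wins; returns (action, log)."""
    for action, aproto, aport, log in acl:
        if aproto in ("any", proto) and (aport is None or aport == dport):
            return action, log
    return "deny", False    # constructed fallthrough; every ACL here ends explicitly


def egress_enforce(listener, src_ip, dst_ip, proto, dport):
    src_sgt, dst_sgt = listener.lookup(src_ip), listener.lookup(dst_ip)
    acl = POLICY.get((src_sgt, dst_sgt), PERMIT_ALL)   # unconfigured cell: permit (assumption)
    action, log = sgacl_evaluate(acl, proto, dport)
    return {"src_sgt": src_sgt, "dst_sgt": dst_sgt, "action": action, "log": log}


def demo():
    session = {"ssid": "Corporate-WiFi", "auth": "certificate", "posture": "Compliant",
               "profile": "Corp Laptop", "ad_group": "Employee"}
    employee = SGT_NUMBERS[classify(session)]
    # Two branch speakers, relayed by the aggregator, received by the DC edge.
    branch_a = {"10.1.10.1": employee, "10.1.10.10": SGT_NUMBERS["Developer_SGT"]}
    branch_b = {"10.1.254.1": employee, "10.1.254.10": SGT_NUMBERS["Developer_SGT"]}
    dc_edge = SxpListener()
    dc_edge.receive({**branch_a, **branch_b})
    dc_edge.receive({"10.1.100.5": SGT_NUMBERS["Mail_Server_SGT"]})   # static server binding
    return [
        egress_enforce(dc_edge, "10.1.10.1", "10.1.100.5", "tcp", 25),    # employee, SMTP
        egress_enforce(dc_edge, "10.1.254.1", "10.1.100.5", "tcp", 80),   # employee, HTTP
        egress_enforce(dc_edge, "10.1.10.10", "10.1.100.5", "tcp", 25),   # developer, SMTP
        egress_enforce(dc_edge, "10.9.9.9", "10.1.100.5", "tcp", 25),     # no binding
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)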
Security Group Firewall (SGFW)
• Can still use Network Objects (Host, Range, Network (subnet), or FQDN) and/or the SGT
• Switches inform the ASA of Security Group membership
• Security Group definitions come from ISE
• Trigger FirePower services by SGT policies
• Reduces firewall policy changes
• Simplified ACL and firewall rule management
TrustSec Platform Support
TrustSec Platform Support – Classification, SGT Propagation, Policy Enforcement
Classification:
• Catalyst 2960-S/-C/-Plus/-X/-XR
• Catalyst 3560-E/-C/-X
• Catalyst 3750-E/-X
• Catalyst 4500E (Sup6E/7E), Catalyst 4500E (Sup8)
• Catalyst 6500E (Sup720/2T)
• Catalyst 3850/3650, WLC 5760
• Wireless LAN Controller 2500/5500/WiSM2
• Nexus 7000, Nexus 5500, Nexus 1000v (Port Profile)
• ISR G2 Router, CGR2000
SGT Propagation (SXP and/or inline SGT; GETVPN, DMVPN, IPsec on the WAN routers):
• Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C, 3750-E; Catalyst 3560-X, 3750-X; Catalyst 3850/3650
• Catalyst 4500E (Sup6E); Catalyst 4500E (7E, 8), 4500X; Catalyst 6500E (Sup720); Catalyst 6500E (2T), 6800
• WLC 2500, 5500, WiSM2; WLC 5760
• Nexus 1000v; Nexus 6000/5600; Nexus 5500/22xx FEX; Nexus 7000/22xx FEX
• ISRG2, CGS2000; ASR1000; ASA5500 Firewall; IE2000/3000, CGS2000; ASA5500 (VPN RAS)
• Inline SGT on all ISRG2 except 800 series
Policy Enforcement (SGACL on switches, SGFW on firewalls and routers):
• Catalyst 3560-X, Catalyst 3750-X
• Catalyst 4500E (7E), Catalyst 4500E (8E), Catalyst 6500E (2T), Catalyst 6800
• Catalyst 3850/3650, WLC 5760
• Nexus 7000, Nexus 6000, Nexus 5600, Nexus 5500, Nexus 1000v
• ISR G2 Router, CGR2000
• ASA 5500 Firewall, ASAv Firewall
• ASR 1000 Router, CSR-1000v Router
TrustSec Main Deployment Scenarios
User to Data Center Access Control:
• Context-based access control
• Compliance requirements: PCI, HIPAA, export controlled information
• Merger & acquisition integration, divestments
Data Center Segmentation:
• Server zoning & micro-segmentation
• Production vs. Development server segmentation
• Compliance requirements, classified systems, PCI, HIPAA
• Firewall rule automation
Campus and Branch Segmentation:
• Line of business segregation
• PCI, HIPAA and other compliance regulations
• Malware propagation control/quarantine
User to Data Center Access Control using SGACL on Cisco Switches
Access switches (VLAN: Data-1, VLAN: Data-2) with Voice, Employee, Supplier and Non-Compliant endpoints → enterprise backbone (ISE) → data center: DC switch in front of application servers, shared services and remediation; tags: Employee Tag, Supplier Tag, Non-Compliant Tag
• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
• TrustSec simplifies ACL management for intra/inter-VLAN traffic
User to Data Center Access Control using SGFW on Cisco ASAs
Access switches (VLAN: Data-1, VLAN: Data-2) with Voice, Employee, Supplier and Non-Compliant endpoints → enterprise backbone (ISE) → data center: DC firewall with inspection in front of application servers and shared services; tags: Employee Tag, Supplier Tag, Non-Compliant Tag
• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
• TrustSec simplifies ACL management for intra/inter-VLAN traffic
Data Center Segmentation with TrustSec
Web Servers, Middleware Servers, Database Servers, Storage
Micro-Segmentation using SGACLs on Nexus 1000v
Two servers, each with a hypervisor running a Nexus 1000V VEM that hosts VMs of the Finance Application (PCI and Dev workloads); the Nexus 1000V VSM obtains its policy from ISE (PAC)
• N1000V assigns the SGT based on port-profile assignments
• N1000v with inline tagging/SXP and SGACL enforcement
Campus & Branch Segmentation with TrustSec
Access switches (VLAN: Data-1, VLAN: Data-2) with Voice, Employee, Supplier and Non-Compliant endpoints → enterprise backbone (ISE) → data center: DC switch, application servers, shared services; tags: Employee Tag, Supplier Tag, Non-Compliant Tag
If access-layer devices understand SGTs:
• Segment traffic based on the classified group (SGT), not on topology (VLAN, IP subnet)
• Micro-segmentation in the LAN (segment devices even in the same VLAN)
Using Cisco NetFlow and StealthWatch
Cisco Rapid Threat Containment
Visibility and Containment through NetFlow
Packets from 10.1.8.3 cross routers and switches towards 172.168.134.2 on the Internet; the exported flow information for that conversation:
SOURCE ADDRESS       10.1.8.3
DESTINATION ADDRESS  172.168.134.2
SOURCE PORT          47321
DESTINATION PORT     443
INTERFACE            Gi0/0/0
IP TOS               0x00
IP PROTOCOL          6
NEXT HOP             172.168.25.1
TCP FLAGS            0x1A
SOURCE SGT           100
…
APPLICATION NAME     NBAR SECURE-HTTP
NetFlow provides
• A trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurement
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to SPAN-based traffic analysis
• Indications of Compromise (IOC)
• Security Group information
StealthWatch: System Overview
Network devices export NetFlow / NBAR / NSEL to the StealthWatch FlowCollector; a non-NetFlow-capable device is covered by a StealthWatch FlowSensor on a SPAN port, which generates NetFlow
StealthWatch FlowCollector
• Collect and analyze
• Up to 4,000 sources
• Up to 240,000 FPS sustained
StealthWatch Management Console
• Management and reporting
• Up to 25 FlowCollectors
• Up to 6 million FPS globally
Conversational Flow Record: Who, What, When, How, Where – more context
• Highly scalable (enterprise class) collection
• High compression => long term storage
• Months of data retention
Behavioral and Anomaly Detection Model: Behavioral Algorithms Are Applied to Build “Security Events”
Collect and analyze flows → Security Events (94+) → Alarm Category → Response
Security events include: Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK, Beaconing Host, Bot Command Control Server, Bot Infected Host – Attempted, Bot Infected Host – Successful, Flow_Denied, …, ICMP Flood, …, Max Flows Initiated, Max Flows Served, …, Suspect Long Flow, Suspect UDP Activity, SYN Flood, …
Alarm categories: Concern, Exfiltration, C&C, Recon, Data Hoarding, Exploitation, DDoS Target
Responses: Alarm Table, Host Snapshot, Syslog / SIEM, Mitigation
StealthWatch Alarm Categories
Each category accrues points.
Data Hoarding
• Target Data Hoarding: an unusually large amount of data outbound from a host to multiple hosts
• Suspect Data Hoarding: an unusually large amount of data inbound from other hosts
Suspect Data Hoarding
• Data Hoarding: an unusually large amount of data inbound to a host from other hosts
• Policy and behavioral
Network as a Sensor: Cisco StealthWatch
Real-time visibility at all network layers: NetFlow in, context information from Cisco ISE over pxGrid, mitigation action back to ISE
• Data intelligence throughout the network
• Asset discovery
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response
Rapid Threat Containment
Network fabric with Employee, Supplier and Quarantine segments, a shared server, a high-risk segment and the Internet
StealthWatch – Event: TCP SYN Scan; Source IP: 10.4.51.5; Role: Supplier; Response: Quarantine
→ pxGrid → ISE: Change Authorization → Quarantine
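The detection model (security events scored into alarm categories), the Data Hoarding definitions and the RTC event card above (TCP SYN scan from 10.4.51.5, role Supplier, response Quarantine) describe one pipeline: flows in, events out, points accrued per category, a response chosen by policy. Here is an added Python example of that pipeline written for this transcript; it is not StealthWatch's algorithm or any Cisco code. The flow records, the per-host inbound baselines, the IP-to-role map, the point values, the alarm threshold and the response policy are all constructed; the detectors implement the two definitions the slides give (a source sending bare SYNs to many hosts with nothing returned, and a host receiving far more than its baseline from several peers) and the result is the decision record that the real integration would hand to ISE over pxGrid.

```python
from collections import defaultdict

SYN = 0x02   # TCP SYN alone, as a NetFlow TCP FLAGS value


def constructed_flows():
    """Constructed NetFlow-style records shaped like the fields on the
    'Visibility and Containment through NetFlow' slide:
    (src_ip, dst_ip, ip_protocol, dst_port, tcp_flags, bytes_src_to_dst, bytes_dst_to_src)"""
    flows = []
    # A supplier host probing 25 internal servers with bare SYNs that get nothing back.
    for i in range(1, 26):
        flows.append(("10.4.51.5", f"10.4.60.{i}", 6, 445, SYN, 60, 0))
    # One host pulling far more than its baseline from six internal peers.
    for i in range(1, 7):
        flows.append((f"10.4.70.{i}", "10.4.51.9", 6, 445, 0x1A, 400_000_000, 50_000))
    # An ordinary HTTPS session to the Internet.
    flows.append(("10.4.51.7", "172.168.134.2", 6, 443, 0x1A, 4_000, 120_000))
    return flows


ROLES = {"10.4.51.5": "Supplier", "10.4.51.9": "Employee", "10.4.51.7": "Employee"}
# Learned per-host inbound baseline in bytes per day (constructed).
INBOUND_BASELINE = defaultdict(lambda: 200_000_000, {"10.4.51.9": 100_000_000})


def detect_addr_scan_tcp(flows, min_targets=20):
    """Addr_Scan/tcp: one source sends SYN-only probes to many distinct hosts
    and receives no payload back."""
    targets = defaultdict(set)
    for src, dst, proto, dport, flags, b_fwd, b_rev in flows:
        if proto == 6 and flags == SYN and b_rev == 0:
            targets[src].add(dst)
    return [("Addr_Scan/tcp", src, len(t)) for src, t in targets.items() if len(t) >= min_targets]


def detect_suspect_data_hoarding(flows, baseline, factor=5, min_peers=3):
    """Suspect Data Hoarding: unusually large inbound volume to one host from
    several other hosts, judged against that host's learned baseline."""
    inbound, peers = defaultdict(int), defaultdict(set)
    for src, dst, proto, dport, flags, b_fwd, b_rev in flows:
        inbound[dst] += b_fwd
        peers[dst].add(src)
    return [("Suspect Data Hoarding", h, inbound[h]) for h in inbound
            if len(peers[h]) >= min_peers and inbound[h] > factor * baseline[h]]


# Event -> (alarm category, points); category threshold; response by (category, role).
EVENT_CATEGORY = {"Addr_Scan/tcp": ("Recon", 40), "Suspect Data Hoarding": ("Data Hoarding", 60)}
ALARM_THRESHOLD = 30
RESPONSE_POLICY = {("Recon", "Supplier"): "Quarantine", ("Data Hoarding", "Employee"): "Syslog / SIEM"}


def run_pipeline(flows, roles, baseline):
    """Flows -> security events -> points per (host, category) -> response decision."""
    events = detect_addr_scan_tcp(flows) + detect_suspect_data_hoarding(flows, baseline)
    points = defaultdict(int)
    for name, host, _ in events:
        category, pts = EVENT_CATEGORY[name]
        points[(host, category)] += pts
    responses = []
    for (host, category), pts in points.items():
        if pts < ALARM_THRESHOLD:
            continue
        role = roles.get(host, "Unknown")
        responses.append({"category": category, "source_ip": host, "role": role,
                          "points": pts, "response": RESPONSE_POLICY.get((category, role), "Alarm Table")})
    return responses


if __name__ == "__main__":
    for decision in run_pipeline(constructed_flows(), ROLES, INBOUND_BASELINE):
        print(decision)
```

Two design points carry over to a real deployment: the response is keyed on the role learned from ISE, not on the IP address, so the same scan from an Employee host can be routed to analysts rather than quarantined; and the hoarding detector compares against a per-host baseline, so a backup server's normal inbound volume does not trip it.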
Quarantine from StealthWatch
AnyConnect NVM (4.2): Extending network visibility to the endpoint
Expected StealthWatch support June 2016
IPFIX record to include:
• Unique Device ID
• Device Name
• Domain\User Name
• Local/Target DNS
• Process Name
• Process Identifier
• Parent Process Name
• Parent Process Identifier
ProxyWatch (StealthWatch 6.7): Visibility through the proxy
Collection of logs from web proxies: Cisco WSA, Blue Coat, Squid, McAfee
Collect contextual data and associate it with the flow: URL, user name
Required fields: timestamp, x-elapsed-time, c-ip, c-port, cs-bytes, s-ip, s-port, sc-bytes, cs-username, s-computerName, cs-url
Using Cisco FirePower NGFW/NGIPS
Cisco Rapid Threat Containment
Enable Rapid Threat Containment With Cisco Firepower Management Center (FMC) and Identity Service Engine (ISE)
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions, per policy, with Cisco FireSIGHT and ISE integration
• Admit or deny access to classified portals
Capabilities
• Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
• Automate alerts: leveraging ISE ANC to alert the network of suspicious activity according to policy
Flow: Corporate user downloads a file → FMC scans the user activity and file → FMC detects the suspicious file and alerts ISE using pxGrid, changing the Security Group Tag (SGT) to suspicious → Based on the new tag, ISE enforces policy on the network → Access denied per security policy
Remediation Module from Talos Labs
Remediation Options
• Quarantine: quarantines an endpoint based on source IP address
• portBounce: temporarily bounces the endpoint or host port
• Terminate: terminates the end-user session
• Shutdown: initiates a host port shutdown; this inserts a “shutdown” command on the switch port configuration
• reAuthenticate: re-authenticates the end-user
• UnQuarantine: unquarantines the endpoint
Rapid Threat Containment with Firepower Management Center and ISE
• Fully supported on FMC 5.4 and ISE 1.3+
• Uses pxGrid + Endpoint Protection Services (EPS)
• Note: ANC is the next-gen version of the older EPS; EPS functions are still there for backward compatibility
• Loads as a Remediation Module on FMC
• The Remediation Module takes action via the EPS call through pxGrid
• Supported on FMC 6.1 as an integrated solution; no more remediation module
FireSIGHT Management Center + pxGrid Workflow
FireSIGHT Management Center (FMC) + pxGrid ANC Quarantine Mitigation Workflow Action
Participants: FMC, Sensor, PC, ISE+pxGrid
• User authenticates (log-on, log-off)
• PC requests www.yahooo.com/cmd.exe; the Sensor raises an intrusion event
• The intrusion event triggers a correlation event in FMC
• FMC correlation policy (pxGrid Quarantine Policy) matches the quarantine remediation response
• FMC sends the ANC Quarantine Mitigation Action Request to ISE over pxGrid
FireSIGHT Management Center (FMC) + pxGrid ANC UnQuarantine Mitigation Workflow Action
Participants: FMC, Sensor, PC, ISE+pxGrid, Remediation Server
• User authenticates (log-on, log-off)
• PC connects to the remediation URL on the Remediation Server; the Sensor logs a connection event
• The connection event triggers the connection event rule in FMC
• FMC correlation policy (pxGrid UnQuarantine Policy) matches the unquarantine mitigation response
• FMC sends the ANC UnQuarantine Mitigation Action Request to ISE over pxGrid
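An added example (not Cisco code) that models the two correlation workflows above, together with the remediation module's action list, as a small state machine: an intrusion event produces an ANC Quarantine request, a connection to the remediation URL produces UnQuarantine, and repeated or out-of-order requests are suppressed so FMC does not resend state ISE already holds. The event records, the remediation URL and the policy table are constructed; only the action names come from the deck.

```python
# Remediation module actions named on the slides.
ACTIONS = {"Quarantine", "UnQuarantine", "portBounce", "Terminate",
           "Shutdown", "reAuthenticate"}
REMEDIATION_URL = "http://remediation.example.invalid/cleared"  # assumed value
# Correlation policy rows: (FMC event type, match test, ANC action). Intrusion
# events map to Quarantine; a connection to the remediation URL to UnQuarantine.
POLICY = [
    ("intrusion", lambda ev: True, "Quarantine"),
    ("connection", lambda ev: ev.get("url") == REMEDIATION_URL, "UnQuarantine"),
]
class AncBroker:
    """Tracks the ANC state FMC believes ISE holds and the requests sent over pxGrid."""
    def __init__(self):
        self.quarantined = set()
        self.requests = []

    def mitigate(self, src_ip, action):
        if action not in ACTIONS:
            raise ValueError("unknown ANC action: " + action)
        # Only Quarantine/UnQuarantine carry state; a request that would repeat
        # what ISE already enforces (second intrusion event, stray UnQuarantine) is a no-op.
        if action == "Quarantine":
            if src_ip in self.quarantined:
                return None
            self.quarantined.add(src_ip)
        elif action == "UnQuarantine":
            if src_ip not in self.quarantined:
                return None
            self.quarantined.discard(src_ip)
        request = (src_ip, action)
        self.requests.append(request)
        return request

def correlate(broker, event):
    """Run one FMC event through the policy; return the ANC request sent, if any."""
    for ev_type, matches, action in POLICY:
        if event["type"] == ev_type and matches(event):
            return broker.mitigate(event["src_ip"], action)
    return None

# Constructed events following the slides: the cmd.exe download, a repeat of it,
# an unrelated connection, then the visit to the remediation URL.
EVENTS = [
    {"type": "intrusion", "src_ip": "10.4.51.5", "url": "http://www.yahooo.com/cmd.exe"},
    {"type": "intrusion", "src_ip": "10.4.51.5", "url": "http://www.yahooo.com/cmd.exe"},
    {"type": "connection", "src_ip": "10.4.51.5", "url": "http://other.example.invalid/"},
    {"type": "connection", "src_ip": "10.4.51.5", "url": REMEDIATION_URL},
]
def run(events=EVENTS):
    """Replay the events and return only the requests actually sent to ISE."""
    broker = AncBroker()
    return [r for r in (correlate(broker, e) for e in events) if r]
```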
Using Tenable Nessus
Cisco Rapid Threat Containment
RTC with Tenable Nessus
Use cases
Cisco Rapid Threat Containment
Data Breach Anatomy
Diagram labels: Enterprise Network, Attacker, Perimeter (Inbound), Perimeter (Outbound), C2 Server, Admin Node
1. Research targets (SNS)
2. Spear phishing ([email protected])
3. Victim clicks link unwittingly (http://welcome.to.jangle.com/exploit.php)
4. Bot installed, back door established and receives commands from C2 server
5. Scan LAN for vulnerable hosts to exploit and retain alternative back door; find privileged users
6. Privileged account found. Occupy directory service. Access database backups, then copy them to staging server
7. Zip data, slice it into multiple files, and send those out to an external site over HTTPS
8. System compromised and data breached. Retain backdoor to collect more targeted data, otherwise erase all traces or wipe the whole disk (e.g. Shamoon malware)
Threat Defense with TrustSec
Diagram labels: Enterprise Network, Attacker, Perimeter (Inbound), Perimeter (Outbound), C2 Server, Admin Node
1. Research targets (SNS)
2. Spear phishing ([email protected])
3. Victim clicks link unwittingly (http://welcome.to.jangle.com/exploit.php)
4. Bot installed, back door established and receives commands from C2 server
5. TrustSec prevents workstation-to-workstation scanning, OS fingerprinting, exploitation, and privilege escalation
Leverage TrustSec to slow down attack activities
Workstation-to-Workstation Traffic Control
Diagram labels: Distribution Switch, Access Switch, AP, BYOD Device, PC, Wireless Segment, Wired Segment, Pwned PC, Employee Tag
1. Scan for open ports / OS
2. Exploits vulnerability
SGACL Policy: Anti-Malware-ACL
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www
deny tcp src dst eq 443
deny tcp src dst eq 22
deny tcp src dst eq pop3
deny tcp src dst eq 123
Sample ACEs to block PtH (SMB over TCP) used for privilege escalation
Replaces Private Isolated / Community VLAN functionality with centrally provisioned policy
Supports mobile devices (with DHCP address); a statically defined ACL cannot support the same level of policy
RTC Use Cases: Dynamic Segmentation using TrustSec
Diagram labels: Ops, Backbone, Threat Detection, SIEM, Floor 1 SW, Floor 2 SW, Data Center, DC FW, Sinkhole, High Security, DB, ISE, TS Server, GFE Workstation, pxGrid/EPS
ISE endpoint context:
OS Type: Windows XP Embedded
User: Mary
AD Group: Employee
Asset Registration: Yes
MAC Address: aa:bb:cc:dd:ee:ff
Threat detection event:
Source: Sourcefire
Event: TCP SYN Scan
Source IP: 1.2.3.4
Response: Quarantine
Change SGT to: Non-Compliant
Security Group = Non-Compliant
Contain and/or use the Non-Compliant tag for further forensics
The Non-Compliant tag follows the compromised endpoint
SGACL Policy: Anti-Malware-ACL
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www
deny tcp src dst eq 443
deny tcp src dst eq 22
deny tcp src dst eq pop3
deny tcp src dst eq 123
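Added example, not Cisco's code: a parser and evaluator for the Anti-Malware-ACL shown on this slide and on the Workstation-to-Workstation Traffic Control slide, so that the ports the SGACL denies between Employee-tagged hosts (the PtH/SMB set among them) can be checked against candidate flows. The ACE syntax is the slide's shorthand, with the value after `eq` read as the destination port; the trailing default action is an assumption, since the slide lists only deny entries.

```python
# Added example; the trailing default action is an assumption, since the slide
# lists only deny entries and a real SGACL ends with whatever the admin put last.
ANTI_MALWARE_ACL = """
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www
deny tcp src dst eq 443
deny tcp src dst eq 22
deny tcp src dst eq pop3
deny tcp src dst eq 123
"""
# IOS well-known port names the slide uses in place of numbers.
PORT_NAMES = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "pop3": 110}

def parse_ace(text):
    """'deny tcp src dst eq 445' -> ('deny', 'tcp', 445); 'deny icmp' -> ('deny', 'icmp', None)."""
    words = text.split()
    action, proto, port = words[0], words[1], None
    if "eq" in words:                     # the value after 'eq' is the destination port
        name = words[words.index("eq") + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return action, proto, port

def parse_sgacl(text):
    return [parse_ace(line) for line in text.splitlines() if line.strip()]

def evaluate(acl, proto, dst_port=None, default="permit"):
    """First matching ACE wins, as on the switch; otherwise the default applies."""
    for action, ace_proto, ace_port in acl:
        if ace_proto == proto and ace_port in (None, dst_port):
            return action
    return default

def denied_ports(acl, proto):
    """Destination ports the ACL explicitly denies for a protocol."""
    return {p for a, pr, p in acl if a == "deny" and pr == proto and p is not None}
```

Because the slide's last entry is tcp/123, udp/123 still matches the default, which is worth checking when reusing the list.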
Demo
Cisco Rapid Threat Containment
Demo Network Architecture