Defense-in-depth: How and where Cisco products and services play in helping secure your organization


Page 1:

© 2004 Cisco Systems, Inc. All rights reserved. Session B10

Intelligent Information Network

Page 2:

Defense-in-depth

How and where Cisco products and services play in helping secure your organization

David Williamson, CISSP

Page 3:

Agenda

• The top security issues

• What can you do?

• How can Cisco help?

• Summary

• Q & A

Page 4:

Goal

• Understand more about the threatscape

• Understand more about ‘best practice’ for securing your organisation

• Understand more about Cisco’s product and service offerings working together to mitigate information security risk in today’s connected enterprise

Page 5:

The top security issues

Page 6:

“Network security directly affects network availability…the way we are measured is by network availability, period.”

CIO of a Fortune 100 Financial Services company

Page 7:

The top security issues

Mixed messages

• There have been successes in identifying and apprehending culprits…

  - The US DoJ’s Operation Firewall against ShadowCrew – see http://www.ustreas.gov/usss/press/pub2304.pdf

  - Arrest of Sven Jaschan

  - Arrest of Michael Haephrati and his wife Ruth

  - Foiling of the SMBC keylogger attack by the UK NHTCU

  - Arrest of Lynn Htun at InfoSec London 2003

Page 8:

The top security issues

A little about our ‘friends’: Sven Jaschan…

• A German teenager, Sven lives with his mother in Waffensen, in northern Germany

• Sven wrote the Sasser worm and Netsky-P

  - Alone, these items of malcode account for over 50% of all malcode activity seen by Sophos in 2004

  - Counting the other released variants of the Netsky worm, the total figure is over 70%

• Sven was sentenced to one year and nine months on probation and 30 hours community service

• He now works for Securepoint in northern Germany, writing firewalls…

Page 9:

The top security issues

…and the Haephratis

• In May/June 2005 Israeli police arrested 18 people in connection with a huge industrial espionage ring

• A root kit was used to infiltrate systems

  - The software was designed by London-based Michael Haephrati, 42, and his wife, Ruth Brier-Haephrati, 29

• An excellent article on this story can be found at http://www.haaretz.com/hasen/spages/581718.html

• March 2006: plea bargain with four (Ruth) and two (Michael) years in jail respectively, and a two million shekel fine

Page 10:

The top security issues

Despite those successes the situation is still bad

• 1,896 new vulnerabilities

  - A 34% increase year-on-year, itself a 13% increase from the same period the year before that – a 40% increase from 2004 to 2005 as a whole

  - Average of 42 days from release of an exploit to release of patch vs. an average of 6.8 days to develop an exploit

  - 79% easily exploitable (up from 73%)

  - Vulnerability-to-exploit window is now just 6.4 days

Source: Symantec ITR 2H2005 – see http://ses.symantec.com/ITR

Page 11:

The top security issues

Despite those successes the situation is still bad

• A 51% increase in DoS attacks, to 1,402 per day

• Excluding Sober.X, 80% of malcode threatened confidential information

• An increase in crimeware

• An increase in malcode using rootkit techniques

• A clear trend towards malcode and attacks designed to compromise confidentiality and integrity rather than just replicate and impact availability

Source: Symantec ITR 2H2005 – see http://ses.symantec.com/ITR

Page 12:

The top security issues

Does crime pay?

• Proceeds from cyber crime in 2005 estimated at more than that from illegal drug trafficking – $105B

• Of 2,066 polled organizations, almost 90% experienced a computer security incident over the past 12 months

  - Over 64% of the respondents incurred a financial loss as a result of the incident, at an average $24,000 per case

  - According to the FBI, online crime caused $67.2B in damages in the US alone in 2005

Source: Valerie McNiven, US Treasury Department, 4Q2005

Page 13:

The top security issues

#1 CHALLENGE

• Viruses, Worms, Trojans, Botnets, Malware penetrating defenses

  - Viruses still #1 cause of financial loss*

• Most security protects the host, but doesn’t preserve network integrity or resiliency

• Non-compliant servers/desktops common, difficult to detect and contain

• Locating and isolating infected systems time and resource intensive

* Source: 2005 CSI/FBI report

Page 14:

The top security issues

• New variant: worm with “bot” capabilities

  - Can propagate via, or become part of, a zombie network

• Could have hundreds or thousands of variants

• Creates backdoor, allows remote code execution, elevation of privilege

• Reactive technologies ineffective

  - Worm blocks access to all major AV download sites

• Exploits Microsoft Win32 Plug-n-Play feature

  - Hit systems less than five days after vulnerability announced

• Affected CNN, ABC, New York Times, Visa and many others

“This is a new, different worm altogether and...one of the fastest-spreading infections in history” – slashdot.com

Page 15:

What can you do?

Page 16:

What can you do?

This isn’t just about technology

• While appropriate security products are required along with design and configuration of the network, security is a process

[Diagram: the security process as a cycle – SECURE → MONITOR and RESPOND → TEST → MANAGE and IMPROVE]

Page 17:

What can you do?

Applying defense-in-depth

• It’s a moving target – both the evolving threatscape, and the needs of your organisation

• Uncomfortable facts

  - #1: The ‘magic bullet’ doesn’t exist

  - #2: 100% security is impossible – there will always be some residual risk

  - #3: The hard exterior / soft interior paradigm is history – perimeter security alone is simply not enough

Page 18:

What can you do?

Applying defense-in-depth

• Education, configuration, process and technology all working together to provide security all the way to the data

• Use frameworks to help

  - ITIL – the IT Infrastructure Library is ‘best practice’ for IT Service Management, supported by BS 15000

  - COBIT – from ISACA, “Good IT security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners”

  - ISO/IEC 27001 (formerly BS7799 & ISO/IEC 17799) – the ‘gold standard’ for an ISMS

Page 19:

What can you do?

The SAFE Blueprint from Cisco

• “Best practices” for implementing integrated network security – see www.cisco.com/go/safe

• Blueprints available for:

  - Enterprise

  - Small Business

  - IPSec VPNs

  - Voice

  - Wireless

  - E-Business (with content security)


Page 20:

What can you do?

Sounds good… so how do I do this?

• What is the vision for information security in your organisation?

  - Risk analysis – quantify and qualify business objectives, and understand where security is needed

• Where are you starting from?

  - Audit current environment, then identify assets and controls

  - Gap analysis of reality vs. vision

• How are you going to close the gap?

  - Use the Cisco SAFE Blueprints and other frameworks…

Page 21:

What can you do?

The ‘quick’ risk assessment process

• What are your organisation’s assets?

  - I contend they are primarily data, information and knowledge

• Where are they located?

• What risks do those assets face?

• How are they protected?

• Is this protection appropriate and sufficient to mitigate the risk?

• What can you do to close this gap – if anything?

Page 22:

What can you do?

How much should I spend?

• Risk ≠ threat

  - Risk can be quantified as Annualised Loss Expectation (ALE):

    ALE = T * V * E

    where T = threat rate, or frequency
          V = likelihood of success of a threat
          E = event cost

• For each risk area, calculate ALE and use that as the basis for security budgeting

• Remember that controls overlap!
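The ‘quick’ risk assessment and the ALE formula from these two slides, carried through as an added worked example in Python (not from the presentation). The risk register, control effectiveness figures and annual costs are constructed; the only figure taken from the deck is the $24,000 average cost per incident on page 12. The example also shows what “controls overlap” means in numbers: two layers rated 80% and 50% stop 90% of attempts, not 130%, and the residual never reaches zero.

```python
"""Annualised Loss Expectation (ALE) worked through for the 'quick' risk
assessment on the slides.  Added example, not from the presentation: the
risk areas, control effectiveness figures and annual costs are constructed.

    ALE = T * V * E
    T = threat rate (expected attempts per year)
    V = likelihood that an attempt succeeds (0..1)
    E = cost of one successful event
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    """A mitigating control, described by the share of attempts it stops."""
    name: str
    effectiveness: float   # 0..1: fraction of attempts this layer alone stops
    annual_cost: float


@dataclass
class RiskArea:
    """One row of the risk assessment: an asset, its exposure, its controls."""
    asset: str
    threat_rate: float         # T
    success_likelihood: float  # V with no controls in place
    event_cost: float          # E
    controls: list = field(default_factory=list)


def ale(threat_rate, success_likelihood, event_cost):
    """The slide's formula: ALE = T * V * E."""
    return threat_rate * success_likelihood * event_cost


def residual_likelihood(base_v, controls):
    """Overlapping controls do not add up.  An attempt succeeds only if it
    passes every layer, so the residual likelihood is the product of each
    layer's pass-through rate (1 - effectiveness).  The product never
    reaches zero: the slide's 'there will always be some residual risk'."""
    v = base_v
    for control in controls:
        v *= 1.0 - control.effectiveness
    return v


def assess(area):
    """Return (inherent ALE, residual ALE, annual control cost, net benefit)."""
    inherent = ale(area.threat_rate, area.success_likelihood, area.event_cost)
    residual = ale(area.threat_rate,
                   residual_likelihood(area.success_likelihood, area.controls),
                   area.event_cost)
    cost = sum(c.annual_cost for c in area.controls)
    return inherent, residual, cost, (inherent - residual) - cost


def budget_priority(areas):
    """Rank risk areas by residual ALE, highest first: where the next unit
    of security budget should go."""
    return sorted(areas, key=lambda a: assess(a)[1], reverse=True)


def sample_areas():
    """Constructed register.  The $24,000 average cost per incident is the
    figure quoted on page 12; everything else is illustrative."""
    return [
        RiskArea("Desktop data (malware infection)", threat_rate=200,
                 success_likelihood=0.05, event_cost=24_000,
                 controls=[Control("anti-virus", 0.8, 20_000),
                           Control("network IPS", 0.5, 30_000)]),
        RiskArea("R&D information (targeted espionage)", threat_rate=2,
                 success_likelihood=0.3, event_cost=500_000,
                 controls=[Control("host intrusion prevention", 0.6, 40_000)]),
    ]


if __name__ == "__main__":
    for area in budget_priority(sample_areas()):
        inherent, residual, cost, net = assess(area)
        print(f"{area.asset}: inherent ALE {inherent:,.0f}, residual ALE "
              f"{residual:,.0f}, controls {cost:,.0f}/yr, net benefit {net:,.0f}")
```

With the constructed figures the desktop area has an inherent ALE of 240,000 and a residual ALE of 24,000 after both layers, while the espionage area, with only one control, is left with a residual ALE of 120,000 and so ranks first for further spending even though its threat rate is tiny.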

Page 23:

What can you do?

Nice idea… but how much is actually being spent?

• Most organisations spend 3-6% of their total IT budget on security

  - Add strategic risk management, BC/DR and compliance and then this figure rises to 10-14%

• Spending varies by vertical

  - Financial Services and Service Providers spend more than the average…

• And by level of heterogeneity

  - So-called ‘best of breed’ is more complex and costly to manage than solutions from a single vendor

Source: Gartner Group

Page 24:

What can you do?

[Diagram: defense-in-depth layers, each with its own configuration and monitoring controls]

• Process Layer – Process & Policy; Accounting Audits; Compliance; Governance

• Application Layer – Application/Web Servers; Desktop/System Software

• Host/Server Layer (Monitor and Maintenance) – Laptops, Desktops, Hosts/Servers: Configuration, Monitoring

• Network Infrastructure Layer (Configuration, Monitor and Maintenance) – Network: Configurations, Monitoring; Routers/IDS/Firewalls

• Physical Connectivity Layer (Implement and Validate) – WAN/LAN Connections; Operational Integrity; Assurance

Page 25:

How can Cisco help?

Page 26:

How can Cisco help?

Cisco Self-Defending Network

• Integrated – Enabling every element to be a point of defense and policy enforcement

• Adaptive – Proactive security technologies that automatically prevent threats

• Collaborative – Collaboration among the services and devices throughout the network to thwart attacks

Page 27:

How can Cisco help?

• Cisco’s product portfolio is the broadest in the industry

• To complement the products in delivering the self-defending network vision, Cisco offers lifecycle services to help you secure your organisation, including:

  - Advanced Services for Network Security – across the full PPDIOO lifecycle

  - Security Intelligence – MySDN, Intellishield

Portfolio:

  Firewall – Cisco PIX & FWSM

  IPS and DDoS – Cisco IPS and Guard

  Remote Access VPN – Cisco VPN

  Endpoint Security – Cisco Security Agent

  Router Security – Cisco ISR Family

  Switch Security – Catalyst Engines

  Security Management – CSM / MARS

  Security Systems – NAC

  Converged Security – Cisco ASA 5500

Page 28:

How can Cisco help?

The network as a platform for security

Integrated Services Routers

• Integrate Cisco® IOS® Firewall, VPN, and Intrusion Prevention System (IPS) services across the Cisco router portfolio

• Deploy new security features on your existing routers using Cisco IOS Software

• NAC-enabled

Adaptive Security Appliances

• ASA-55xx series – high-performance firewall, IPS, network antivirus, and IPSec/SSL VPN technologies all in one unified architecture

• Device consolidation reduces overall deployment and operations costs and complexities

• NAC-enabled

Cisco Catalyst® Switches

• Denial-of-service (DoS) attack mitigation

• Integrated security service modules for high-performance threat protection and secure connectivity

• Man-in-the-middle attack mitigation

• NAC-enabled

Page 29:

How can Cisco help?

Security management requirements

[Diagram: branch, SOHO, data center and partner sites connected through the network, annotated with the requirements below]

• Monitoring – Need to monitor multi-vendor networks…

• Configuration – How to rapidly deploy new policies…

• Mitigation – How to use the network to eliminate threats…

• Patch Management – Image, inventory, signature…

• Analysis – Too much meaningless raw data...

• Identity – How to control access to network assets… who can do what

Page 30:

How can Cisco help?

Security management requirements

Cisco® Security Manager

• Simplified policy administration

• End-to-end configuration

• Network-wide or device-specific

Cisco® Security MARS

• Rapid threat identification and mitigation

• Topology awareness

• Data correlation

Page 31:

How can Cisco help?

Cisco Security Intelligence Operations

Customer challenge: How does one determine what threats and vulnerabilities are really important?

[Diagram: Worldwide Content Sources → Collect & Evaluate → Analyze & Correlate → Publish → Customer Notification]

• Worldwide content sources: Vendors & Open Source; Security Organisations; Government Sources; Cisco Internal Sources (Cisco Remote Operation Services, Critical Infrastructure Assurance Group, Network Optimization Support group, Technical Assistance Center, Security Labs, Advanced Security Services group)

• Intellishield – Comprehensive, actionable intelligence: vulnerabilities, breaking threats, Anti-X signatures, security trends

Page 32:

How can Cisco help?

Cisco Network Admission Control

1. NAC Framework – the best technological approach for Enterprise: begin a long-term enterprise solution with integrated product and services

   Components: Cisco Trust Agent; AAA (ACS); Enforcement; Remediation (vendor)

2. Cisco Clean Access – the best turnkey appliance product: address immediate pain-points using CCA

   Components: Clean Access Agent; Discovery; Authentication; Policy; Enforcement; Remediation
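The admission flow on this slide (discovery, authentication, policy, enforcement, remediation) written out as an added Python example. This is not Cisco Trust Agent, ACS or Clean Access code; the posture attributes, policy thresholds, VLAN names and endpoint records are all constructed. It also covers the page 13 point that non-compliant desktops are hard to detect and contain: an endpoint that cannot report its posture is quarantined rather than trusted by default.

```python
"""Posture validation modelled on the NAC flow on the slide: discovery,
authentication, policy, enforcement, remediation.  Added example; this is
not Cisco Trust Agent, ACS or Clean Access code.  The posture attributes,
policy thresholds, VLAN names and endpoint records are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Posture:
    """What the endpoint agent reports after discovery and authentication."""
    hostname: str
    authenticated: bool          # outcome of the authentication step
    agent_present: bool          # False: endpoint could not report posture
    av_signature_date: date      # last anti-virus signature update
    missing_critical_patches: int
    host_firewall_enabled: bool


@dataclass(frozen=True)
class Policy:
    """Admission policy thresholds (constructed values)."""
    max_signature_age_days: int = 7
    max_missing_critical_patches: int = 0
    require_host_firewall: bool = True


def evaluate(posture, policy, today):
    """Policy step: return (decision, reasons).

    Decision is ALLOW, QUARANTINE or DENY.  Reasons list every failed check
    so the remediation step can tell the user what to fix."""
    if not posture.authenticated:
        return "DENY", ["authentication failed"]
    if not posture.agent_present:
        # An endpoint that cannot prove its posture is treated as
        # non-compliant, never as trusted by default.
        return "QUARANTINE", ["no posture agent, compliance cannot be validated"]
    reasons = []
    age_days = (today - posture.av_signature_date).days
    if age_days > policy.max_signature_age_days:
        reasons.append(f"anti-virus signatures are {age_days} days old")
    if posture.missing_critical_patches > policy.max_missing_critical_patches:
        reasons.append(f"{posture.missing_critical_patches} critical patches missing")
    if policy.require_host_firewall and not posture.host_firewall_enabled:
        reasons.append("host firewall disabled")
    if reasons:
        return "QUARANTINE", reasons
    return "ALLOW", []


def enforce(decision):
    """Enforcement step: map the decision onto network access.  A quarantined
    host lands on a remediation network that reaches only the patch and AV
    update servers (VLAN names constructed)."""
    return {"ALLOW": "vlan-production",
            "QUARANTINE": "vlan-remediation",
            "DENY": None}[decision]


def admit(endpoints, policy, today):
    """Run the whole flow; return {hostname: (decision, vlan, reasons)}."""
    result = {}
    for posture in endpoints:
        decision, reasons = evaluate(posture, policy, today)
        result[posture.hostname] = (decision, enforce(decision), reasons)
    return result


def sample_endpoints():
    """Constructed endpoint records for a run dated 15 March 2006."""
    return [
        Posture("desk-01", True, True, date(2006, 3, 14), 0, True),
        Posture("laptop-07", True, True, date(2006, 2, 1), 2, True),
        Posture("printer-02", True, False, date(1970, 1, 1), 0, False),
        Posture("guest-99", False, True, date(2006, 3, 14), 0, True),
    ]


def run_sample():
    """Admit the constructed endpoints against the default policy."""
    return admit(sample_endpoints(), Policy(), date(2006, 3, 15))


if __name__ == "__main__":
    for host, (decision, vlan, reasons) in run_sample().items():
        print(f"{host}: {decision} -> {vlan} {reasons}")
```

In the constructed run the up-to-date desktop is admitted to production, the laptop with 42-day-old signatures and two missing critical patches is placed on the remediation network with both reasons recorded, the agentless printer is quarantined rather than waved through, and the unauthenticated guest gets no network at all.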

Page 33:

Summary

Page 34:

Summary

• The threatscape is evolving…

• Businesses and business practices are evolving…

• The network is increasingly vital to the 21st century organisation – yet often remains poorly protected

• An integrated and holistic approach to information security, based on proven conceptual frameworks, with defense-in-depth is absolutely the best way to protect your organisation

Page 35:

Q & A