Transcript of the slide deck “Defense-in-depth: How and where Cisco products and services play in helping secure your organization”
© 2004 Cisco Systems, Inc. All rights reserved. Session B10
Intelligent Information Network
Defense-in-depth
How and where Cisco products and services play in helping secure your organization
David Williamson, CISSP
Agenda
• The top security issues
• What can you do?
• How can Cisco help?
• Summary
• Q & A
Goal
• Understand more about the threatscape
• Understand more about ‘best practice’ for securing your organisation
• Understand more about Cisco’s product and service offerings working together to mitigate information security risk in today’s connected enterprise
The top security issues
“Network security directly affects network availability…the way we are measured is by network availability, period.”
CIO of a Fortune 100 Financial Services company
The top security issues
• There have been successes in identifying and apprehending culprits…
  The US DoJ’s Operation Firewall against ShadowCrew – see http://www.ustreas.gov/usss/press/pub2304.pdf
Arrest of Sven Jaschan
Arrest of Michael Haephrati and his wife Ruth
Foiling of the SMBC keylogger attack by the UK NHTCU
Arrest of Lynn Htun at InfoSec London 2003
Mixed messages
The top security issues
• Sven, a German teenager, lives with his mother in Waffensen, in northern Germany
• Sven wrote the Sasser worm and Netsky-P
  Alone, these items of malcode account for over 50% of all malcode activity seen by Sophos in 2004
  Counting the other released variants of the Netsky worm, the total figure is over 70%
• Sven was sentenced to one year and nine months on probation and 30 hours community service
• He now works for Securepoint in northern Germany, writing firewalls…
A little about our ‘friends’ Sven Jaschan…
The top security issues
• In May/June 2005 Israeli police arrested 18 people in connection with a huge industrial espionage ring
• A rootkit was used to infiltrate systems
  The software was designed by London-based Michael Haephrati, 42, and his wife, Ruth Brier-Haephrati, 29
• An excellent article on this story can be found at http://www.haaretz.com/hasen/spages/581718.html
• March 2006: plea bargain, with four (Ruth) and two (Michael) years in jail respectively, and a two million shekel fine
…and the Haephratis
The top security issues
• 1,896 new vulnerabilities
  A 34% increase year-on-year, itself a 13% increase on the same period the year before that – a 40% increase from 2004 to 2005 as a whole
  Average of 42 days from release of an exploit to release of patch vs. an average of 6.8 days to develop an exploit
  79% easily exploitable (up from 73%)
  Vulnerability-to-exploit window is now just 6.4 days
Despite those successes the situation is still bad
Source: Symantec ITR 2H2005 – see http://ses.symantec.com/ITR
The top security issues
• A 51% increase in DoS attacks to 1,402 per day
• Excluding Sober.X, 80% of malcode threatened confidential information
• An increase in crimeware
• An increase in malcode using rootkit techniques
• A clear trend towards malcode and attacks designed to compromise confidentiality and integrity rather than just replicate and impact availability
Despite those successes the situation is still bad
Source: Symantec ITR 2H2005 – see http://ses.symantec.com/ITR
The top security issues
• Proceeds from cyber crime in 2005 estimated at more than that from illegal drug trafficking – $105B
• Of 2,066 polled organizations, almost 90% experienced a computer security incident over the past 12 months
  Over 64% of the respondents incurred a financial loss as a result of the incident, at an average $24,000 per case
  According to the FBI, online crime caused $67.2B in damages in the US alone in 2005
Does crime pay?
Source: Valerie McNiven, US Treasury Department, 4Q2005
The top security issues
• Viruses, Worms, Trojans, Botnets, Malware penetrating defenses
  Viruses still #1 cause of financial loss*
• Most security protects the host, but doesn’t preserve network integrity or resiliency
• Non-compliant servers/desktops common, difficult to detect and contain
• Locating and isolating infected systems time and resource intensive
#1 CHALLENGE
Source: 2005 CSI/FBI report
The top security issues
• New variant: worm with “bot” capabilities
  Can propagate via, or become part of, a zombie network
• Could have hundreds or thousands of variants
• Creates backdoor, allows remote code execution, elevation of privilege
• Reactive technologies ineffective
  Worm blocks access to all major AV download sites
• Exploits Microsoft Win32 Plug-n-Play feature
  Hit systems less than five days after vulnerability announced
• Affected CNN, ABC, New York Times, Visa and many others
“This is a new, different worm altogether and...one of the fastest-spreading infections in history” – slashdot.com
What can you do?
What can you do?
• While appropriate security products are required along with design and configuration of the network, security is a process
  This isn’t just about technology
[Diagram: the security lifecycle as a continuous cycle: SECURE → MONITOR and RESPOND → TEST → MANAGE and IMPROVE]
What can you do?
• It’s a moving target – both the evolving threatscape, and the needs of your organisation
• Uncomfortable facts
  #1: The ‘magic bullet’ doesn’t exist
  #2: 100% security is impossible – there will always be some residual risk
  #3: The hard exterior / soft interior paradigm is history – perimeter security alone is simply not enough
Applying defense-in-depth
What can you do?
• Education, configuration, process and technology all working together to provide security all the way to the data
• Use frameworks to help
  ITIL – the IT Infrastructure Library is ‘best practice’ for IT Service Management, supported by BS 15000
  COBIT – from ISACA, “Good IT security and control practices that provide a reference framework for management, users, and IS audit, control and security practitioners”
  ISO/IEC 27001 (formerly BS7799 & ISO/IEC 17799) – the ‘gold standard’ for an ISMS
Applying defense-in-depth
What can you do?
• “Best practices” for implementing integrated network security – see www.cisco.com/go/safe
The SAFE Blueprint from Cisco
Blueprints available for
• Enterprise
• Small Business
• IPSec VPNs
• Voice
• Wireless
• E-Business (with content security)
What can you do?
• What is the vision for information security in your organisation?
  Risk analysis – quantify and qualify business objectives, and understand where security is needed
• Where are you starting from?
  Audit current environment, then identify assets and controls
  Gap analysis of reality vs. vision
• How are you going to close the gap?
  Use the Cisco SAFE Blueprints and other frameworks…
Sounds good… so how do I do this?
What can you do?
• What are your organisation’s assets?
  I contend they are primarily data, information and knowledge
• Where are they located?
• What risks do those assets face?
• How are they protected?
• Is this protection appropriate and sufficient to mitigate the risk?
• What can you do to close this gap – if anything?
The ‘quick’ risk assessment process
What can you do?
• Risk ≠ threat
  Risk can be quantified as Annualised Loss Expectation
  ALE = T × V × E
  where T = threat rate, or frequency
        V = likelihood of success of a threat
        E = event cost
• For each risk area, calculate ALE and use that as the basis for security budgeting
• Remember that controls overlap!
How much should I spend?
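A worked example, added here and not part of the original deck, that applies the slide’s ALE = T × V × E formula to several risk areas and then uses the result as a budgeting basis by comparing total ALE before and after a set of controls against what those controls cost. It goes slightly beyond the slide in two ways that are modelling assumptions of this example rather than anything the deck states: a control that reduces V in more than one risk area is paid for once (the ‘controls overlap’ point), and two controls acting on the same area combine multiplicatively. Every risk area, rate, cost and control effect below is a constructed sample figure.

```python
"""Annualised Loss Expectation (ALE) budgeting, as an added worked example.

Uses the slide's formula ALE = T * V * E with constructed sample figures:
T = threat rate (attempts per year), V = likelihood an attempt succeeds,
E = cost of one successful event.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class RiskArea:
    name: str
    threat_rate: float         # T: expected attempts per year
    success_likelihood: float  # V: probability an attempt succeeds (0..1)
    event_cost: float          # E: cost of one successful event


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Fraction by which this control reduces V in each risk area it covers
    # (a modelling choice of this example, not something the deck states).
    reduction: Dict[str, float] = field(default_factory=dict)


def ale(area: RiskArea) -> float:
    """ALE for one risk area: T * V * E."""
    if not 0.0 <= area.success_likelihood <= 1.0:
        raise ValueError("success likelihood must be between 0 and 1")
    return area.threat_rate * area.success_likelihood * area.event_cost


def residual_ale(area: RiskArea, controls: Iterable[Control]) -> float:
    """ALE after every control covering this area is applied.

    Overlapping controls combine multiplicatively: two controls that each
    stop half of the successful attempts leave a quarter, not zero.
    """
    v = area.success_likelihood
    for c in controls:
        v *= 1.0 - c.reduction.get(area.name, 0.0)
    return area.threat_rate * v * area.event_cost


def budget_case(areas: List[RiskArea], controls: List[Control]) -> Dict[str, float]:
    """Compare total ALE before and after controls with what the controls cost.

    A control that covers several areas is paid for once: budget per
    control, not per risk area, or the same spend is counted twice.
    """
    before = sum(ale(a) for a in areas)
    after = sum(residual_ale(a, controls) for a in areas)
    cost = sum(c.annual_cost for c in controls)
    return {
        "ale_before": before,
        "ale_after": after,
        "control_cost": cost,
        "net_benefit": before - after - cost,
    }


# Constructed sample figures for illustration only.
SAMPLE_AREAS = [
    RiskArea("worm outbreak", threat_rate=4.0, success_likelihood=0.5, event_cost=20_000.0),
    RiskArea("laptop theft", threat_rate=2.0, success_likelihood=1.0, event_cost=15_000.0),
    RiskArea("web server compromise", threat_rate=12.0, success_likelihood=0.1, event_cost=50_000.0),
]
SAMPLE_CONTROLS = [
    # One host IPS agent covers both the worm and the web server cases.
    Control("host IPS", annual_cost=8_000.0,
            reduction={"worm outbreak": 0.75, "web server compromise": 0.5}),
    Control("disk encryption", annual_cost=5_000.0, reduction={"laptop theft": 0.9}),
]

if __name__ == "__main__":
    for a in SAMPLE_AREAS:
        print(f"{a.name:24s} ALE {ale(a):>10,.0f}  "
              f"residual {residual_ale(a, SAMPLE_CONTROLS):>10,.0f}")
    print(budget_case(SAMPLE_AREAS, SAMPLE_CONTROLS))
```

With the sample figures the three areas carry a combined ALE of 130,000 before controls and 43,000 after, against 13,000 of control spend, so the controls are worth buying on this model; change the effect fractions and the same function shows at what point a control stops paying for itself.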
What can you do?
• Most organisations spend 3-6% of their total IT budget on security
  Add strategic risk management, BC/DR and compliance and then this figure rises to 10-14%
• Spending varies by vertical
  Financial Services and Service Providers spend more than the average…
• And by level of heterogeneity
  So-called ‘best of breed’ is more complex and costly to manage than solutions from a single vendor
Nice idea… but how much is actually being spent?
Source: Gartner Group
What can you do?
[Diagram: defense-in-depth layers, with the elements and activities at each layer]
Process Layer: Process & Policy, Accounting Audits, Compliance, Governance
Application Layer: Application/Web Servers, Desktop/System Software
Host/Server Layer (Monitor and Maintenance): Laptops, Desktops, Hosts/Servers configuration and monitoring
Network Infrastructure Layer (Configuration, Monitor and Maintenance): Routers/IDS/Firewalls, Network configurations and monitoring
Physical Connectivity Layer (Implement and Validate): WAN/LAN Connections, Operational Integrity, Assurance
How can Cisco help?
How can Cisco help?
Cisco Self-Defending Network
Integrated: enabling every element to be a point of defense and policy enforcement
Adaptive: proactive security technologies that automatically prevent threats
Collaborative: collaboration among the services and devices throughout the network to thwart attacks
How can Cisco help?
• Cisco’s product portfolio is the broadest in the industry
• To deliver the vision of the self-defending network, Cisco complements its products with lifecycle services to help you secure your organisation, including:
  Advanced Services for Network Security – across the full PPDIOO lifecycle
  Security Intelligence – MySDN, Intellishield
Firewall: Cisco PIX & FWSM
IPS and DDoS: Cisco IPS and Guard
Remote Access VPN: Cisco VPN
Endpoint Security: Cisco Security Agent
Router Security: Cisco ISR Family
Switch Security: Catalyst Engines
Security Management: CSM / MARS
Security Systems: NAC
Converged Security: Cisco ASA 5500
How can Cisco help?
The network as a platform for security
Integrated Services Routers
• Integrate Cisco® IOS® Firewall, VPN, and Intrusion Prevention System (IPS) services across the Cisco router portfolio
• Deploy new security features on your existing routers using Cisco IOS Software
• NAC-enabled
Adaptive Security Appliances
• ASA-55xx series – high-performance firewall, IPS, network antivirus, and IPSec/SSL VPN technologies all in one unified architecture
• Device consolidation reduces overall deployment and operations costs and complexities
• NAC-enabled
Cisco Catalyst® Switches
• Denial-of-service (DoS) attack mitigation
• Integrated security service modules for high-performance threat protection and secure connectivity
• Man-in-the-middle attack mitigation
• NAC-enabled
How can Cisco help?
Security management requirements
[Diagram: branch, SOHO, data center and partner sites connected around a central network]
Monitoring: need to monitor multi-vendor networks…
Configuration: how to rapidly deploy new policies…
Mitigation: how to use the network to eliminate threats…
Patch Management: image, inventory, signature…
Analysis: too much meaningless raw data...
Identity: how to control access to network assets… who can do what
How can Cisco help?
Security management requirements
Cisco® Security Manager
  Simplified policy administration
  End-to-end configuration
  Network-wide or device-specific
Cisco® Security MARS
  Rapid threat identification and mitigation
  Topology awareness
  Data correlation
How can Cisco help?
Cisco Security Intelligence Operations
Customer Challenge: How does one determine what threats and vulnerabilities are really important?
[Diagram: intelligence flow from Worldwide Content Sources → Collect & Evaluate → Analyze & Correlate → Publish → Customer Notification]
Worldwide Content Sources: Vendors & Open Source; Security Organisations; Government Sources; Cisco Internal Sources (Cisco Remote Operation Services, Critical Infrastructure Assurance Group, Network Optimization Support group, Technical Assistance Center, Security Labs, Advanced Security Services group)
Intellishield – Comprehensive, Actionable Intelligence: Vulnerabilities, Breaking Threats, Anti-X Signatures, Security Trends
How can Cisco help?
Cisco Network Admission Control
1. NAC Framework – the best technological approach for Enterprise: begin the long-term enterprise solution with integrated product and services
   Components: Cisco Trust Agent; AAA (ACS); Enforcement; Remediation (vendor); Discovery, Authentication, Policy
2. Cisco Clean Access – the best turnkey appliance product: address immediate pain-points using CCA
   Components: Clean Access Agent; Discovery, Authentication, Policy; Enforcement; Remediation
Summary
Summary
• The threatscape is evolving…
• Businesses and business practices are evolving…
• The network is increasingly vital to the 21st century organisation – yet often remains poorly protected
• An integrated and holistic approach to information security, based on proven conceptual frameworks, with defense-in-depth is absolutely the best way to protect your organisation
Q & A