Page 1

Touch Cisco
IT Security in the Web 2.0 Era (IT Sicherheit im Web 2.0 Zeitalter)
Dirk Beste, Michael Vassigh, Consulting System Engineers
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public (transcript of a 51-slide deck)

Page 2

IT Security in the Web 2.0 Era: Cisco SIO and Global Threat Correlation

After the webinar the listener should be able to:

• understand the motivation for Cisco Security Intelligence Operations

• recognise the added value of Global Correlation for analysing and defending against security threats

• understand the implementation and operation of Global Correlation functions in Cisco's web, email, firewall and IPS products

Page 3

Agenda

• Cisco Security Intelligence Operations: introduction and fundamentals; value in practice; elements for operation

• Implementation and operation: web and email security; firewall and IPS appliances

• Summary

Page 4

The Challenge Today: Countervailing Forces

• Globalization
• Collaboration
• Data Loss
• Acceptable Use
• Mobility
• Enterprise SaaS
• Threats

Page 5

A Seismic Shift

2000-2008: IT security products look deeper.

2009: Cisco security products look around and respond faster.

Page 6

Cisco Security Intelligence Operations: Powerful Protection through Network Scanning Elements

Security infrastructure that dynamically provides intelligence to network scanning elements. Elements shown: Cisco SensorBase, Threat Operations Center, Dynamic Updates.

Page 7

Cisco Global Correlation: Unmatched Breadth

Threat vectors covered: Email Security, Web Security, IPS, Firewall.

Identifying a global botnet requires complete visibility across all threat vectors.

Largest footprint | Greatest breadth | Full context analysis

Page 8

Cisco SIO: Cisco SensorBase

Largest network, highest data quality, unmatched breadth.

Page 9

Cisco SensorBase Network: Unmatched Visibility Into Global Threats

Most devices: 1M security devices, 10M clients shipped per year; core Internet routers; cloud-based services.

Largest footprint: 30% of the world's email traffic; 200+ parameters; 368 GB per day of sensor feeds.

Diverse sources: eight of the top ten ISPs; Fortune 500, Global 2000, universities, SMBs; 152 third-party feeds.

First to combine network and application layer data.

Page 10

Cisco SensorBase Network: Unmatched Breadth

(Diagram: three threat vectors feeding the SensorBase Network. Email: spam with malicious attachment. Web: malware-distributing site. Firewall / IPS: directed attack.)

Page 11

Cisco SIO: Cisco Threat Operations Center (TOC)

Advanced research and development, security modeling, experienced analysts.

Page 12

Cisco Threat Operations Center: Ensuring Accuracy and Responsiveness

Experienced analysts: 500 analysts; European and Asian languages; 1 Cisco Fellow; 80+ Ph.D.s, CCIEs, CISSPs, MCSEs.

Powerful tools: dynamic updates; correlation and data mining applications; advanced rule approval, creation and publishing.

24x7x365 operations: 5 threat operations center locations around the globe: San Jose, San Bruno, Austin, North Carolina, Shanghai.

Page 13

Cisco SIO: Broadest Enforcement Capabilities

Fast device scanning engines and granular policy.

Page 14

Advanced Protection: Putting It All Together

Cisco SIO: cloud-based intelligence to power Cisco security services. Delivers live reputation scores, authored rule sets, dynamic rule sets, and new and updated signatures; auto-updates every 5 minutes.

Security filters: industry's most effective security features.
• Web Reputation Filters
• Anti-Spam, Email Reputation Filters, Virus Outbreak Filters
• IPS Reputation and Signature Filters
• Firewall Botnet Traffic Filters

Cisco products and services: high-performance, flexible enforcement points.
• Adaptive Security Appliances
• Intrusion Prevention Solution
• Email Security Appliances
• Web Security Appliances
• Hosted Email Services

Page 15

Cisco SIO In Action

Page 16

Cisco SIO In Action: Obama Botnet

1. Baseline threat data installed in Cisco security devices
2. Spoofed email for Obama speech triggers alert to Cisco SIO
3. Rule update to: ASA firewall, web security appliances, IPS
4. Botnet servers blocked

Page 17

New President, New Malware…

• Users receive an email inviting them to watch President-elect Barack Obama's victory speech
• Links users to a government-themed botsite
• Subject line examples:
  - Election Results Winner
  - The New President's Cabinet?

*Still active* malicious URLs:

http://slapiservlet.encrypted.viewcontent.XXXXXXXXXXXXXXX.wconlinenrue.com/president.htm?/slapiservlet/slapiservlet/OSL.htm?LOGIN=BfQd3Zno5H&VERIFY=0AHBgl9ixN7rvXm

http://portalserver.viewcontent.memberverify.EwTLOC5Rc.XXXXXXXXXXXXXXX.bfiinwach.com/president.htm?/verifyonenet/certificateupdate/OSL.htm?LOGIN=ZeuroEwTLO&VERIFY=C5Rcwjj7qjsuVeb

http://actionvalidate.linkbrowse.servletdologin.QdfFSKkiw.XXXXXXXXXXXXXXX/president.htm?/exacttrget/memberverify/OSL.htm?LOGIN=Tch0JQdfFS&VERIFY=KkiwFDDIWZhvVNJ

Page 18

Government-Themed Botsite

• Users are prompted to install an Adobe Flash Player update, which is actually data-stealing malware

• Steals screenshots and passwords and sends them to a web server located in Kiev, Ukraine

(Screenshots: botsite next to the real site.)

Page 19

Blocked by Web Reputation Filters

• All malicious URLs were automatically blocked by Web Reputation Filters

• 3 URLs still active and serving malware

Page 20

Web Reputation: New Threat Alert

THREAT: Fake virus scan & software
VECTOR: Web; top 20 Google search results
SITE: http://career-counseling.com/

Page 21

Google Search on Hurricane Jimena

(Screenshot: 'Top 20' Google search results.)

Page 22

The Malicious Redirection Begins…

Step 1 of 5: The user is notified that they need to run an immediate virus scan: possible virus infection!

Page 23

Step 2 of 5 (http://megaspywarescan2.com): The user is notified that their computer is infected.

Page 24

Step 3 of 5 (http://megaspywarescan2.com): Next, the user is shown a list of Trojans found on their computer.

Page 25

Step 4 of 5 (http://megaspywarescan2.com): Then the user is prompted to download the 'Total Security' software for protection.

Page 26

Step 5 of 5 (http://megaspywarescan2.com): Malicious software gets installed.

Page 27

Infected!

(Screenshot: look at the CPU consumption.)

Page 28

New Domain, Same Malware!

Same Google search, clicking on the same link: the user is redirected to a different domain (http://bewareofvirusattacks3.com).

Page 29

The Actual Web Site

Page 30

All Blocked by Web Reputation

• SITE: http://megaspywarescan2.com, score -8.90; default block
• SITE: http://bewareofvirusattacks3.com, score -8.90; default block

Page 31

Principles & Configuration

Cisco Email and Web-Security Appliances

Page 32

How SensorBase® for Mail Works: Data Makes the Difference

SensorBase data:
• Complaint reports
• Spam traps
• Message composition data
• Global volume data
• URL lists
• Compromised host lists
• Web crawlers
• IP blacklists & whitelists
• Additional data

Data analysis / security modeling over 150 parameters produces SenderBase Reputation Scores from -10 to +10: threat prevention in real time.

Page 33

Preventive Anti-Spam Defense: Reputation Filters

Incoming mail (good, bad, and "grey" or unknown email) passes through reputation filtering before the anti-spam engine:

• Known good is delivered

• Suspicious is rate limited & spam filtered

• Known bad is deleted/tagged

Stop 80% of hostile mail at the door….

Page 34

Cisco IronPort Web Reputation Filters: Data Makes the Difference

SensorBase data:
• URL blacklists
• URL whitelists
• URL categorization data
• HTML content data
• URL behavior
• Global volume data
• Domain registrar information
• Dynamic IP addresses
• Compromised host lists
• Web crawler data
• Network owners
• Known threat URLs
• Offline data (F500, G2000…)
• Website history

Data analysis / security modeling over these parameters produces Web Reputation Scores (WBRS) from -10 to +10: threat prevention in real time. Addresses known and unknown sites.

Page 35

Intelligent Scanning

• IronPort Web Reputation technology determines the need for scanning by
  - IronPort Anti-Malware System
  - Decryption Engine

Requested URLs pass through the IronPort Web Reputation Filters first:

• Known good sites aren't scanned

• Unknown sites are scanned by one or more engines (Anti-Malware System, Decryption Engine)

• Known bad sites are blocked
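As an added example (not code from the deck or from Cisco's appliances), the following Python models the two reputation-driven dispatch pipelines above: the mail reputation filter of slide 33 (known good delivered, suspicious rate limited and handed to the anti-spam engine, known bad rejected) and the web intelligent-scanning decision of slide 35 (known good not scanned, unknown scanned, known bad blocked). The score bands, the per-sender token-bucket rate, the engine selection rule and the reputation table are assumptions chosen for illustration; product defaults differ, and real scores would come from a SenderBase or WBRS lookup rather than the constructed dictionary used here.

```python
"""Reputation-band dispatch for mail and web, with rate limiting for 'grey' senders."""
from urllib.parse import urlsplit

# Score bands are assumptions for illustration (inclusive low, exclusive high);
# scores run from -10 (worst) to +10 (best), as on the slides.
MAIL_POLICY = [(-10.0, -3.0, "reject"),     # known bad: rejected (deleted/tagged)
               (-3.0, 1.0, "throttle"),     # suspicious: rate limited, then spam filtered
               (1.0, 10.0, "deliver")]      # known good: delivered directly
WEB_POLICY = [(-10.0, -6.0, "block"),       # known bad site: blocked (slide 30 shows -8.90)
              (-6.0, 6.0, "scan"),          # unknown: scanned by one or more engines
              (6.0, 10.0, "allow")]         # known good: not scanned


def band_action(score, policy, unknown_action):
    """Map a reputation score onto the action of the band it falls in."""
    if score is None:                       # no reputation data: treat as unknown/grey
        return unknown_action
    if not -10.0 <= score <= 10.0:
        raise ValueError(f"reputation score out of range: {score}")
    for low, high, action in policy:
        if low <= score < high:
            return action
    return policy[-1][2]                    # score == +10.0 lands in the top band


class TokenBucket:
    """Per-sender rate limiter: 'capacity' tokens, refilled at refill_per_sec."""

    def __init__(self, capacity, refill_per_sec, now):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def take(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class MailReputationFilter:
    """Reputation filtering in front of the anti-spam engine (slide 33)."""

    def __init__(self, reputations, grey_rate_per_min=5, burst=5):
        self.reputations = reputations      # constructed stand-in for a SenderBase lookup
        self.buckets = {}
        self.rate = grey_rate_per_min / 60.0
        self.burst = burst

    def decide(self, sender_ip, now):
        """Return 'deliver', 'reject', 'scan' (hand to anti-spam) or 'tempfail' (SMTP 4xx)."""
        action = band_action(self.reputations.get(sender_ip), MAIL_POLICY, "throttle")
        if action != "throttle":
            return action
        bucket = self.buckets.setdefault(sender_ip, TokenBucket(self.burst, self.rate, now))
        return "scan" if bucket.take(now) else "tempfail"


def web_decision(url, score):
    """Return (action, engines): the engines an unknown site is sent through (slide 35)."""
    action = band_action(score, WEB_POLICY, "scan")
    if action != "scan":
        return action, []
    engines = ["anti-malware"]
    if urlsplit(url).scheme == "https":     # encrypted traffic goes through the decryption engine first
        engines.insert(0, "decryption")
    return action, engines


if __name__ == "__main__":
    # Constructed reputation table (not real SenderBase data)
    mail = MailReputationFilter({"203.0.113.5": -8.7, "198.51.100.9": 4.2, "192.0.2.33": -1.5},
                                grey_rate_per_min=60)
    for ip in ("198.51.100.9", "203.0.113.5", "192.0.2.33"):
        print(ip, mail.decide(ip, now=0.0))
    print(web_decision("http://megaspywarescan2.com/", -8.9))
    print(web_decision("https://unknown.example/", None))
```

The grey band is where the design choice matters: a sender with no history is neither trusted nor rejected, it is admitted at a bounded rate and every admitted message still goes through content scanning, so a new spam source exhausts its budget quickly while a legitimate new mail server is never hard-bounced.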

Page 36

Principles & Configuration

Cisco Firewall-Appliances

Page 37

Botnet Filtering Process

Step 1: Infected clients try to communicate with a command and control host on the Internet.

Step 2: Cisco SIO updates the Cisco ASA botnet filter list; the destination is a known attack site.

Step 3: Alerts go out to the security teams for prevention, mitigation, and remediation.

(Diagram: Cisco ASA Botnet Filter between the internal clients and the Internet, fed by Cisco® Security Intelligence Operations (SIO).)

Page 38

Botnet Traffic Filter: Enable Directly from Cisco ASDM Configuration Menus

• Cisco® SIO data
• Custom lists
• Interface or global

Page 39

Botnet Traffic Filter Reports: Top Botnet Sites and Ports

Page 40

Botnet Traffic Filter Reports: Top Infected Hosts
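The three-step process and the two report views above (slides 37 to 40), as an added Python example that is not the ASA's own code: it takes a handful of constructed flow records, matches destinations against a stand-in for the SIO dynamic database plus administrator-maintained custom white and black lists, uses snooped DNS replies to tie blacklisted domain names to the addresses clients subsequently connect to, and aggregates the same three views the ASDM reports show (top botnet sites, top ports, top infected hosts). All addresses, domain names and list contents are constructed for the example.

```python
"""Botnet traffic filter logic over constructed flow records (not the ASA implementation)."""
from collections import Counter
from dataclasses import dataclass

# Stand-in for the SIO dynamic database (constructed entries in documentation ranges)
DYNAMIC_BLACKLIST_DOMAINS = {"update-flash.example.net", "c2.badbot.example"}
DYNAMIC_BLACKLIST_ADDRS = {"203.0.113.7"}
# Custom lists maintained by the administrator; a whitelist entry overrides every blacklist
CUSTOM_WHITELIST = {"198.51.100.20"}        # e.g. a partner host mis-listed by the feed
CUSTOM_BLACKLIST = {"192.0.2.99"}           # e.g. a locally observed IRC C2 server

# DNS replies seen by the firewall (constructed): (queried name, answer address).
# Clients connect to addresses while the feed mostly lists names, so the filter
# keeps a cache of what each address was resolved from.
DNS_REPLIES = [("update-flash.example.net", "203.0.113.44"),
               ("www.cisco.com", "198.51.100.10")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


# Constructed outbound flows from three internal hosts
FLOWS = [
    Flow("10.1.1.5", "203.0.113.44", 80, "tcp"),     # address resolved from a blacklisted name
    Flow("10.1.1.5", "203.0.113.7", 443, "tcp"),     # address directly on the dynamic blacklist
    Flow("10.1.1.9", "203.0.113.44", 80, "tcp"),
    Flow("10.1.1.9", "198.51.100.20", 80, "tcp"),    # whitelisted: never reported
    Flow("10.1.1.12", "198.51.100.10", 443, "tcp"),  # clean
    Flow("10.1.1.12", "192.0.2.99", 6667, "tcp"),    # custom blacklist
]


def reverse_dns_cache(replies):
    """Address -> name map built from snooped DNS replies."""
    return {addr: name for name, addr in replies}


def domain_listed(name, listed_domains):
    """True if name is a listed domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in listed_domains)


def classify(flow, rev_cache):
    """Return ('whitelist' | 'blacklist' | 'none', matched list entry)."""
    if flow.dst in CUSTOM_WHITELIST:
        return "whitelist", flow.dst
    if flow.dst in CUSTOM_BLACKLIST or flow.dst in DYNAMIC_BLACKLIST_ADDRS:
        return "blacklist", flow.dst
    name = rev_cache.get(flow.dst)
    if name and domain_listed(name, DYNAMIC_BLACKLIST_DOMAINS):
        return "blacklist", name
    return "none", None


def run_filter(flows, replies):
    """Steps 1 and 2: flag every flow whose destination is a known botnet site."""
    rev_cache = reverse_dns_cache(replies)
    hits = []
    for flow in flows:
        kind, entry = classify(flow, rev_cache)
        if kind == "blacklist":
            hits.append((flow, entry))
    return hits


def reports(hits):
    """Step 3: the views handed to the security team (top sites, ports, infected hosts)."""
    return {
        "top_botnet_sites": Counter(entry for _, entry in hits).most_common(),
        "top_botnet_ports": Counter(f"{f.proto}/{f.dport}" for f, _ in hits).most_common(),
        "top_infected_hosts": Counter(f.src for f, _ in hits).most_common(),
    }


if __name__ == "__main__":
    hits = run_filter(FLOWS, DNS_REPLIES)
    for flow, entry in hits:
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dport} matched {entry}")
    for view, rows in reports(hits).items():
        print(view, rows)
```

Two details carry over to the real appliance: the DNS cache is what lets a name-based feed act on IP flows, so the filter is only as good as the DNS replies it sees, and the whitelist check runs first so that a feed error cannot cut off a business partner.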

Page 41

Principles & Configuration

Cisco Intrusion-Prevention-Appliances

Page 42

Global Correlation in IPS 7.0: Network IPS to Global IPS

Sensors at three customer sites (ad agency HQ in London, ISP datacenter in Moscow, bank branch in Chicago) send global threat telemetry to Cisco Security Services Global Correlation:

8:00 GMT: a sensor detects new malware
8:03 GMT: a sensor detects a new botnet
8:07 GMT: a sensor detects hacker probing
8:10 GMT: all Cisco IPS customers protected

Coverage: twice the effectiveness of signature-only IPS. Accuracy: full context analysis reduces false positives. Timeliness: proactive coverage.

Page 43

Cisco IPS with Global Correlation

• Correlation of SensorBase data: automatically correlates SensorBase threat data; packets with negative reputation are dropped

• Fast response to emergent threats: enhances detection capabilities; reduces the window of exposure

• Pinpoint accuracy: analyzes the attacker as well as the attack; leverages reputation filters to stop known attackers (40% of attackers are repeat offenders)

(Diagram: reputation filters run first; signature inspection, anomaly detection and global correlation then feed the decision engine.)

Page 44

Dynamic Protection: Accurate Local Analysis

Who is the attacker? What is the target? What is the attack? All three feed the Risk Rating Engine (Risk Rating: Cisco patent).

Page 45

Defeating SQL Injection: The Challenge of Traditional Signature-Based IPS

What signatures find: SQL command fragments in web traffic. Verdict: UNKNOWN.

This could be your billing system talking to your customer database. Or…….. What?

Page 46

IPS Reputation Enables Protection: Powered by Global Correlation

What Cisco IPS finds: SQL command fragments in web traffic, plus the source's reputation context: first HTTP connection; dynamic IP address; dynamic DNS; history of web attacks; within a heavily compromised .Asia network; history of botnet activity. Verdict: BLOCK.

Reputation answers How? Who? Where? alongside the signature's What?, leaving clean sources only.

Page 47

Defeating SQL Injection: Collaborate with Confidence

Traditional signature-only IPS view without reputation versus Global Correlation enabled IPS, which allows a confident deny action.
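Slides 44 to 47 as an added Python example (not Cisco's IPS code): the low-fidelity "SQL command fragments in web traffic" signature alone yields a risk rating too low to act on, so an internal billing system and an attacker look alike; folding in source reputation from global correlation lifts the attacker's rating into the deny range while the billing traffic stays an alert, and a source with a very poor reputation is dropped by the reputation filter before signature inspection even runs. The shape of the risk-rating formula follows the one Cisco documents for its IPS (ASR × TVR × SFR / 10000 plus adjustments); the specific rating values, the reputation weight, the -9.0 reputation-filter cut-off and the deny threshold of 90 are assumptions for this example, and the two HTTP requests are constructed.

```python
"""Signature verdict plus source reputation -> risk rating -> action (slides 44-47)."""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Signature: SQL command fragments in web traffic (slide 45). Deliberately low fidelity,
# because legitimate applications also carry SQL over HTTP.
SQL_FRAGMENT = re.compile(
    r"(?i)(union\s+all\s+select|union\s+select|\bselect\b.+\bfrom\b|"
    r"\bor\s+'?\d+'?\s*=\s*'?\d+|drop\s+table|xp_cmdshell|'\s*--)"
)


@dataclass
class Signature:
    name: str
    asr: int   # attack severity rating, 0-100 (assumed value)
    sfr: int   # signature fidelity rating, 0-100 (assumed value)


SIG_SQL = Signature("SQL command fragments in web traffic", asr=75, sfr=60)


@dataclass
class Verdict:
    action: str        # 'allow' | 'alert' | 'deny'
    risk_rating: int
    reason: str


# Assumed parameters (illustrative, not Cisco defaults)
REPUTATION_FILTER_THRESHOLD = -9.0   # stage 1: drop before inspection at or below this score
DENY_THRESHOLD = 90                  # stage 3: deny when the adjusted risk rating reaches this
REPUTATION_WEIGHT = 6                # risk-rating points added per point of negative reputation


def base_risk_rating(sig, target_value, attack_relevancy=0, promiscuous_delta=0, watchlist=0):
    """Risk rating from local analysis only: attack, target and signature fidelity."""
    rr = sig.asr * target_value * sig.sfr / 10000 + attack_relevancy - promiscuous_delta + watchlist
    return max(0, min(100, round(rr)))


def inspect_http(src_reputation, payload, target_value=100):
    """src_reputation: -10..+10 from global correlation, or None when the source is unknown."""
    # Stage 1: reputation filters run before signature inspection (slide 43)
    if src_reputation is not None and src_reputation <= REPUTATION_FILTER_THRESHOLD:
        return Verdict("deny", 100, "reputation filter: known attacker")
    # Stage 2: signature inspection on the decoded request
    match = SQL_FRAGMENT.search(unquote_plus(payload))
    if not match:
        return Verdict("allow", 0, "no signature match")
    rr = base_risk_rating(SIG_SQL, target_value)
    # Stage 3: global correlation adjusts the rating by the source's reputation
    if src_reputation is not None and src_reputation < 0:
        rr = min(100, rr + round(-src_reputation * REPUTATION_WEIGHT))
    if rr >= DENY_THRESHOLD:
        return Verdict("deny", rr, f"{SIG_SQL.name} ({match.group(0)!r}) from low-reputation source")
    return Verdict("alert", rr, f"{SIG_SQL.name} ({match.group(0)!r}); verdict unknown without reputation")


# Constructed sample requests (not captured traffic)
BILLING_REQUEST = ("POST /reports HTTP/1.1\r\nHost: billing.internal\r\n\r\n"
                   "q=SELECT+total+FROM+invoices+WHERE+id%3D42")
ATTACK_REQUEST = "GET /login?user=admin%27+OR+1%3D1--&pass=x HTTP/1.1\r\nHost: shop.example"

if __name__ == "__main__":
    print("billing, no reputation:", inspect_http(None, BILLING_REQUEST))
    print("attacker, reputation -7.5:", inspect_http(-7.5, ATTACK_REQUEST))
    print("known attacker, reputation -9.6:", inspect_http(-9.6, ATTACK_REQUEST))
```

The point the slides make shows up in the numbers: the same signature hit scores 45 for both sources, which is worth an alert but not a block; only the attacker's reputation turns that into a deny, so the billing system keeps talking to its database while the injection attempt from a known-bad network is dropped.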

Page 48

Cisco IPS 7.0 with Global Correlation: Changing Network IPS to Global IPS

• Coverage: twice the effectiveness of signature-only IPS

• Accuracy: reputation analysis decreases false positives

• Timeliness: 100x faster than traditional signature-only methods

Harnessing the power of Cisco Security Intelligence Operations. Results averaged over a two-week period in pre-release deployments.

Page 49

Vision

Page 50

Cisco Security Intelligence Operations: Vision

• More Cisco devices will be linked into the Cisco Shared Defense Network

• This will provide global analysis, and be more informative about how your Cisco network is defending itself

Page 51