Touch Cisco: IT Security in the Web 2.0 Era
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Touch Cisco
IT Security in the Web 2.0 Era
Dirk Beste, Michael Vassigh, Consulting System Engineers

IT Security in the Web 2.0 Era: Cisco SIO and Global Threat Correlation
After the webinar, the listener should be able to:
• understand the motivation for the Cisco Security Operations
• recognize the added value of Global Correlation for the analysis of and defense against security threats
• understand the implementation and operation of Global Correlation functions in Cisco's web, email, firewall and IPS products

Agenda
• Cisco Security Intelligence Operations: introduction and basics; added value for practice; elements for operation
• Implementation and operation: web and email security; firewall and IPS appliances
• Summary
The Challenge Today: Countervailing Forces
Globalization, Collaboration, Data Loss, Acceptable Use, Mobility, Enterprise SaaS, Threats

A Seismic Shift
2000-2008: IT Security Products Look Deeper
2009: Cisco Security Products Look Around and Respond Faster
Cisco Security Intelligence Operations: Powerful Protection through Network Scanning Elements
Components: Cisco SensorBase, Threat Operations Center, Dynamic Updates
Security infrastructure that dynamically provides intelligence to network scanning elements
Cisco Global Correlation: Unmatched Breadth
Threat vectors covered: Email Security, Web Security, IPS, Firewall
Identifying a global botnet requires complete visibility across all threat vectors
Largest Footprint | Greatest Breadth | Full Context Analysis
Cisco SIO: Cisco SensorBase
Largest Network, Highest Data Quality, Unmatched Breadth
Cisco SensorBase Network: Unmatched Visibility Into Global Threats
• Most devices: 1M security devices, 10M clients shipped per year, core Internet routers, cloud-based services
• Largest footprint: 30% of the world's email traffic, 200+ parameters, 368GB per day sensor feeds
• Diverse sources: eight of the top ten ISPs; Fortune 500, Global 2000, universities, SMBs; 152 third-party feeds
First to combine network and application layer data
Cisco SensorBase Network: Unmatched Breadth
Threats feeding the SensorBase Network: Spam with Malicious Attachment; Malware Distributing Site (Web); Directed Attack (Firewall / IPS)
Cisco SIO: Cisco Threat Operations Center (TOC)
Advanced Research and Development, Security Modeling, Experienced Analysts
Cisco Threat Operations Center: Ensuring Accuracy and Responsiveness
• Experienced analysts: 500 analysts; European and Asian languages; 1 Cisco Fellow; 80+ Ph.D.s, CCIEs, CISSPs, MCSEs
• Powerful tools: dynamic updates; correlation and data mining; advanced rule approval, creation and publishing applications
• 24x7x365 operations: 5 threat operations center locations around the globe (San Jose, San Bruno, Austin, North Carolina, Shanghai)
Cisco SIO: Broadest Enforcement Capabilities
Fast Device Scanning Engines and Granular Policy
Advanced Protection: Putting It All Together
• Cisco SIO: cloud-based intelligence to power Cisco security services (live reputation scores, authored rule sets, new and updated signatures; auto-updates every 5 minutes; dynamic rule sets)
• Security filters: industry's most effective security features (Web Reputation Filters, Anti-Spam, Email Reputation Filters, Virus Outbreak Filters, IPS Reputation and Signature Filters, Firewall Botnet Traffic Filters)
• Cisco products and services: high-performance, flexible enforcement points (Adaptive Security Appliances, Intrusion Prevention Solution, Email Security Appliances, Web Security Appliances, Hosted Email Services)
Cisco SIO In Action

Cisco SIO In Action: Obama Botnet
1. Baseline threat data installed in Cisco security devices
2. Spoofed email for Obama speech triggers alert to Cisco SIO
3. Rule update to: ASA firewall, web security appliances, IPS
4. Botnet servers blocked
New President, New Malware…
• Users receive an email inviting them to watch President-elect Barack Obama's victory speech
• Links users to a government-themed botsite
• Subject line examples:
- Election Results Winner
- The New President's Cabinet?
*Still Active* Malicious URLs:
http://slapiservlet.encrypted.viewcontent.XXXXXXXXXXXXXXX.wconlinenrue.com/president.htm?/slapiservlet/slapiservlet/OSL.htm?LOGIN=BfQd3Zno5H&VERIFY=0AHBgl9ixN7rvXm
http://portalserver.viewcontent.memberverify.EwTLOC5Rc.XXXXXXXXXXXXXXX.bfiinwach.com/president.htm?/verifyonenet/certificateupdate/OSL.htm?LOGIN=ZeuroEwTLO&VERIFY=C5Rcwjj7qjsuVeb
http://actionvalidate.linkbrowse.servletdologin.QdfFSKkiw.XXXXXXXXXXXXXXX/president.htm?/exacttrget/memberverify/OSL.htm?LOGIN=Tch0JQdfFS&VERIFY=KkiwFDDIWZhvVNJ
Government Themed Botsite
• Users prompted to install an Adobe Flash Player update, which is actually data-stealing malware
• Steals screen shots, passwords and sends to a web server located in Kiev, Ukraine
(Screenshots: botsite vs. real site)
Blocked by Web Reputation Filters
• All malicious URLs were automatically blocked by Web Reputation Filters
• 3 URLs still active and serving malware
Web Reputation: New Threat Alert
THREAT: Fake Virus Scan & Software
VECTOR: Web; Top 20 Google Search Results
SITE: http://career-counseling.com/
Google Search On Hurricane Jimena
'Top 20' Google search results

The Malicious Redirection Begins…
Step 1 of 5: The user is notified that they need to run an immediate virus scan; possible virus infection!
Step 2 of 5 (http://megaspywarescan2.com): The user is notified their computer is infected.
Step 3 of 5 (http://megaspywarescan2.com): Next, the user is shown a list of Trojans found on their computer.
Step 4 of 5 (http://megaspywarescan2.com): Then the user is prompted to download the 'Total Security' software for protection.
Step 5 of 5 (http://megaspywarescan2.com): Malicious software gets installed.

Infected!
Look at the CPU consumption
New Domain, Same Malware!
Same Google search, clicking on the same link, the user is redirected to a different domain (http://bewareofvirusattacks3.com)

The Actual Web Site

All Blocked by Web Reputation
• SITE: http://megaspywarescan2.com, -8.90; default block
• SITE: http://bewareofvirusattacks3.com, -8.90; default block
Principles & Configuration
Cisco Email and Web Security Appliances
How SensorBase® for Mail Works: Data Makes the Difference
SensorBase data: complaint reports, spam traps, message composition data, global volume data, URL lists, compromised host lists, web crawlers, IP blacklists & whitelists, additional data
Data analysis / security modeling: 150 parameters
SenderBase Reputation Scores: -10 to +10
Threat prevention in realtime
Preventive Anti-Spam Defense: Reputation Filters
• Known good is delivered
• Suspicious is rate limited & spam filtered
• Known bad is deleted/tagged
Stop 80% of hostile mail at the door…
Incoming mail (good, bad, and "grey" or unknown email) → Reputation Filtering → Anti-Spam Engine
Cisco IronPort Web Reputation Filters: Data Makes the Difference
SensorBase data: URL blacklists, URL whitelists, URL categorization data, HTML content data, URL behavior, global volume data, domain registrar information, dynamic IP addresses, compromised host lists, web crawler data, network owners, known threat URLs, offline data (F500, G2000…), website history
Data analysis / security modeling: parameters
Web Reputation Scores (WBRS): -10 to +10
Addresses known and unknown sites
Threat prevention in realtime
Intelligent Scanning
• IronPort Web Reputation technology determines the need for scanning by:
- IronPort Anti-Malware System
- Decryption Engine
Requested URLs → IronPort Web Reputation Filters:
• Known good sites aren't scanned
• Unknown sites are scanned by one or more engines (Anti-Malware System, Decryption Engine)
• Known bad sites are blocked
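The reputation-driven decisions on the two preceding slides (mail: deliver / rate limit and spam-filter / delete, and web: allow unscanned / scan / block) can be written down as one small policy engine. The following is an added example, not code from Cisco or from the presenters; the -10 to +10 scale and the -8.90 "default block" scores come from the slides, while the threshold values, the in-memory score table, the per-sender rate-limit policy and the sample scores are assumptions made for illustration.

```python
"""Reputation-score policy for mail senders and requested URLs.

Added example, not Cisco appliance code. The score scale (-10 to +10), the
three-way split (known good / grey / known bad) and the -8.90 "default block"
verdict come from the slides; the threshold values, the in-memory score store,
the rate-limit policy and the sample scores are assumptions for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Policy thresholds (assumed for this example, not Cisco defaults).
WEB_BLOCK_AT_OR_BELOW = -6.0    # at or below: "known bad" site, blocked outright
WEB_ALLOW_AT_OR_ABOVE = 6.0     # at or above: "known good" site, not scanned
MAIL_REJECT_AT_OR_BELOW = -3.0  # at or below: "known bad" sender, rejected/tagged
MAIL_TRUST_AT_OR_ABOVE = 3.0    # at or above: "known good" sender, delivered
SCAN_ENGINES = ("anti-malware", "decryption")

# Constructed sample reputation data; the two -8.90 entries mirror the slide.
SAMPLE_SCORES = {
    "megaspywarescan2.com": -8.90,
    "bewareofvirusattacks3.com": -8.90,
    "trusted-partner.example": 8.5,
}


def check_score(score):
    """Return None for an unknown host, else the score validated to -10..+10."""
    if score is None:
        return None
    score = float(score)
    if not -10.0 <= score <= 10.0:
        raise ValueError(f"reputation score out of range: {score}")
    return score


def web_verdict(score):
    """Map a web reputation score to (action, engines that must still run)."""
    score = check_score(score)
    if score is None:
        return ("SCAN", SCAN_ENGINES)       # unknown site: every engine inspects it
    if score <= WEB_BLOCK_AT_OR_BELOW:
        return ("BLOCK", ())                # known bad: never fetched
    if score >= WEB_ALLOW_AT_OR_ABOVE:
        return ("ALLOW", ())                # known good: delivered without scanning
    return ("SCAN", SCAN_ENGINES)           # grey zone: scanned before delivery


def mail_verdict(score):
    """Map a sender reputation score to the slide's three mail outcomes."""
    score = check_score(score)
    if score is not None and score <= MAIL_REJECT_AT_OR_BELOW:
        return "REJECT"                     # known bad: deleted or tagged
    if score is not None and score >= MAIL_TRUST_AT_OR_ABOVE:
        return "DELIVER"                    # known good: straight to the mailbox
    return "RATE_LIMIT_AND_SCAN"            # grey or unknown: throttled, then anti-spam


class SenderRateLimiter:
    """Fixed-window message cap per grey sender (constructed policy)."""

    def __init__(self, max_per_window, window_seconds):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.counts = defaultdict(int)      # (sender, window index) -> messages seen

    def admit(self, sender, now):
        key = (sender, int(now // self.window_seconds))
        self.counts[key] += 1
        return self.counts[key] <= self.max_per_window


def evaluate_url(url, scores=SAMPLE_SCORES):
    """Look up the URL's host and return the web filter decision for it."""
    host = (urlsplit(url).hostname or "").lower()
    score = scores.get(host)
    action, engines = web_verdict(score)
    return {"host": host, "score": score, "action": action, "engines": list(engines)}


def evaluate_mail(sender, score, limiter, now):
    """Apply the sender verdict; grey senders over their cap are deferred."""
    action = mail_verdict(score)
    if action == "RATE_LIMIT_AND_SCAN" and not limiter.admit(sender, now):
        action = "DEFER"                    # over the cap: tell the sender to retry later
    return action


if __name__ == "__main__":
    for url in ("http://megaspywarescan2.com/scan.php", "http://unknown-host.example/"):
        print(evaluate_url(url))
```

The point worth noticing is the asymmetry: an unknown host is never trusted by default but is also not blocked; it is routed to the scanning engines, which is exactly the middle branch the slide describes. Only a score that the store actually holds can move a request into the "known good" or "known bad" branches.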
Principles & Configuration
Cisco Firewall Appliances
Botnet Filtering Process
Step 1: Infected clients try to communicate with a command and control host on the Internet
Step 2: Cisco SIO updates the Cisco ASA botnet filter list; the destination is a known attack site
Step 3: Alerts go out to the security teams for prevention, mitigation, and remediation
(Diagram: Cisco ASA Botnet Filter, Internet, Cisco® Security Intelligence Operations (SIO))
Botnet Traffic Filter: Enable Directly from Cisco ASDM Configuration Menus
• Cisco® SIO data
• Custom lists
• Interface or global

Botnet Traffic Filter Reports: Top Botnet Sites and Ports

Botnet Traffic Filter Reports: Top Infected Hosts
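The three-step filtering process, the custom lists from the ASDM slide and the two report views (top botnet sites and ports, top infected hosts) fit together in one small piece of detection logic. The block below is an added example written for this transcript, not Cisco ASA code: the feed contents, the custom blacklist and whitelist, the connection log format and every address and host name are constructed, and the rule that custom lists override the downloaded feed is an assumption made here.

```python
"""Botnet traffic filter: outbound connections checked against a dynamic
blocklist and local custom lists, with alerts and the two report views from
the slides (top botnet sites and ports, top infected hosts).

Added example, not Cisco ASA code. The feed contents, the custom lists, the
connection log format and every address or name below are constructed; the
rule that custom lists override feed data is an assumption made here.
"""
from collections import Counter
import ipaddress

# Constructed stand-in for a downloaded botnet feed: bad domains and addresses.
FEED_DOMAINS = {"c2.badexample.test", "update.evilcdn.test"}
FEED_ADDRESSES = {"203.0.113.45"}

# Local custom lists; in this example they take precedence over the feed.
CUSTOM_BLACKLIST = {"203.0.113.99"}
CUSTOM_WHITELIST = {"update.evilcdn.test"}   # an entry the admin has cleared

# Constructed connection records: timestamp, source, destination, port, DNS name (- if none).
SAMPLE_LOG = """\
2009-09-01T08:00:01Z src=10.0.0.5 dst=203.0.113.45 dport=6667 name=c2.badexample.test
2009-09-01T08:00:02Z src=10.0.0.5 dst=203.0.113.45 dport=6667 name=c2.badexample.test
2009-09-01T08:00:03Z src=10.0.0.9 dst=198.51.100.20 dport=443 name=www.example.test
2009-09-01T08:00:04Z src=10.0.0.9 dst=203.0.113.99 dport=8080 name=-
2009-09-01T08:00:05Z src=10.0.0.12 dst=192.0.2.77 dport=80 name=update.evilcdn.test
2009-09-01T08:00:06Z src=10.0.0.5 dst=192.0.2.10 dport=80 name=cdn.c2.badexample.test
garbage line that should be skipped
"""


def domain_chain(name):
    """Yield a name and each of its parent domains: a.b.c -> a.b.c, b.c, c."""
    labels = name.lower().strip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def classify(dest_ip, dest_name):
    """Return 'whitelist', 'blacklist' or 'clean' for a destination."""
    names = list(domain_chain(dest_name)) if dest_name else []
    if dest_ip in CUSTOM_WHITELIST or any(n in CUSTOM_WHITELIST for n in names):
        return "whitelist"                   # admin override wins over everything
    if dest_ip in CUSTOM_BLACKLIST or any(n in CUSTOM_BLACKLIST for n in names):
        return "blacklist"
    if dest_ip in FEED_ADDRESSES or any(n in FEED_DOMAINS for n in names):
        return "blacklist"                   # match on the feed (or a parent domain)
    return "clean"


def parse_conn_line(line):
    """Parse one constructed record; return None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        fields = dict(p.split("=", 1) for p in parts[1:])
        ipaddress.ip_address(fields["src"])
        ipaddress.ip_address(fields["dst"])
        port = int(fields["dport"])
    except (ValueError, KeyError):
        return None
    name = None if fields.get("name", "-") == "-" else fields["name"]
    return {"ts": parts[0], "src": fields["src"], "dst": fields["dst"],
            "dport": port, "name": name}


def run_filter(lines):
    """Classify each connection, collect alerts and build both report views."""
    alerts = []
    sites_ports = Counter()
    infected_hosts = Counter()
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue                         # step 1 input that cannot be parsed
        verdict = classify(rec["dst"], rec["name"])
        if verdict != "blacklist":
            continue
        site = rec["name"] or rec["dst"]     # report by name when DNS gave one
        alerts.append({"ts": rec["ts"], "src": rec["src"], "site": site,
                       "dport": rec["dport"], "action": "alert"})
        sites_ports[(site, rec["dport"])] += 1
        infected_hosts[rec["src"]] += 1
    return {"alerts": alerts,
            "top_sites_ports": sites_ports.most_common(),
            "top_infected_hosts": infected_hosts.most_common()}


if __name__ == "__main__":
    result = run_filter(SAMPLE_LOG.splitlines())
    for alert in result["alerts"]:
        print(alert)
    print("top infected hosts:", result["top_infected_hosts"])
```

Two details matter operationally. A destination is matched on the whole parent-domain chain, so a feed entry for a registered domain also catches hosts underneath it; and a whitelist entry is consulted before any blacklist, which is what lets an operator clear a false positive without waiting for the next feed update. Note that the output is alerts plus counters, matching step 3 of the process: the block records who talked to what, so the security team can go and remediate the infected host.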
Principles & Configuration
Cisco Intrusion Prevention Appliances
Global Correlation in IPS 7.0: Network IPS to Global IPS
Global threat telemetry:
• 8:00 GMT: Sensor detects new malware
• 8:03 GMT: Sensor detects new botnet
• 8:07 GMT: Sensor detects hacker probing
• 8:10 GMT: All Cisco IPS customers protected
Sensor locations shown: Ad Agency HQ in London, ISP Datacenter in Moscow, Bank Branch in Chicago
Cisco Security Services: Global Correlation
Coverage: twice the effectiveness of signature-only IPS. Accuracy: full context analysis reduces false positives. Timeliness: proactive coverage.
Cisco IPS with Global Correlation
• Correlation of SensorBase data: automatically correlates SensorBase threat data; packets with negative reputation are dropped
• Fast response to emergent threats: enhances detection capabilities; reduces the window of exposure
• Pinpoint accuracy: analyzes the attacker as well as the attack; leverages reputation filters to stop known attackers (40% of attackers are repeat offenders)
Processing stages: Reputation Filters (1st), Signature Inspection, Global Correlation, Anomaly Detection, Decision Engine
Dynamic Protection: Accurate Local Analysis
Who is the attacker? What is the target? What is the attack?
Risk Rating Engine (Risk Rating: Cisco patent)
Defeating SQL Injection: The Challenge of Traditional Signature-Based IPS
What signatures find: SQL command fragments in web traffic. Verdict: UNKNOWN
This could be your billing system talking to your customer database. Or…… what?
IPS Reputation Enables Protection: Powered by Global Correlation
What Cisco IPS finds (Verdict: BLOCK): SQL command fragments in web traffic; first HTTP connection; dynamic IP address; dynamic DNS; history of web attacks; within heavily compromised Asia network; history of botnet activity
Context questions: How? Who? Where? What?
Clean sources only

Defeating SQL Injection: Collaborate with Confidence
Traditional signature-only IPS view without reputation
Global Correlation enabled IPS allows confident deny action
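The SQL injection slides make one argument: the same SQL fragments in web traffic are an UNKNOWN from the signature alone, a BLOCK once the attacker's context is correlated in, and legitimate when the source is your own billing system. The block below is an added example that models that three-stage decision (reputation filter first, then signature inspection, then global correlation); it is not Cisco's Risk Rating algorithm, which the slides only name as a Cisco patent. The detection pattern, the weights, the thresholds, the context attribute names and the sample requests are all assumptions made for illustration.

```python
"""Three-stage verdict for a web request: reputation filter, signature
inspection, then global correlation of the signature hit with attacker context.

Added example, not Cisco's Risk Rating algorithm (the slides only name it as a
Cisco patent). The stage order follows the IPS slides; the detection pattern,
the weights, the thresholds, the context attributes and the sample requests are
assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_plus

# Constructed "signature": a few classic SQL command fragments in web traffic.
SQL_FRAGMENT = re.compile(
    r"\bunion\b\s+(?:all\s+)?select\b"       # UNION SELECT
    r"|'\s*or\s+'?1'?\s*=\s*'?1"             # ' OR 1=1
    r"|;\s*(?:drop|delete|insert)\b",        # stacked command
    re.IGNORECASE)

REPUTATION_DROP_AT_OR_BELOW = -8.0   # stage 1: dropped before any inspection
SIGNATURE_WEIGHT = 50                # a bare signature hit lands mid-scale
BLOCK_AT_OR_ABOVE = 80
ALERT_AT_OR_ABOVE = 40
CONTEXT_WEIGHTS = {                  # attacker attributes named on the slides
    "first_connection": 5,
    "dynamic_ip": 5,
    "dynamic_dns": 5,
    "web_attack_history": 10,
    "botnet_history": 10,
    "compromised_network": 5,
}
KNOWN_INTERNAL_DISCOUNT = 40         # "your billing system talking to your database"


@dataclass
class SourceContext:
    """What global correlation knows about the source; None = no reputation."""
    reputation: Optional[float] = None
    first_connection: bool = False
    dynamic_ip: bool = False
    dynamic_dns: bool = False
    web_attack_history: bool = False
    botnet_history: bool = False
    compromised_network: bool = False
    known_internal_app: bool = False


def find_sql_fragments(http_request):
    """Return the SQL fragments found in a (URL-decoded) request text."""
    decoded = unquote_plus(http_request)
    return [m.group(0) for m in SQL_FRAGMENT.finditer(decoded)]


def risk_rating(hits, ctx):
    """Combine the signature hit with source context into a 0..100 rating."""
    rating = SIGNATURE_WEIGHT if hits else 0
    if ctx.reputation is not None:
        rating += 3 * max(0.0, -ctx.reputation)          # negative reputation adds risk
    rating += sum(w for attr, w in CONTEXT_WEIGHTS.items() if getattr(ctx, attr))
    if ctx.known_internal_app:
        rating -= KNOWN_INTERNAL_DISCOUNT                # legitimate SQL over HTTP
    return max(0, min(100, round(rating)))


def evaluate(http_request, ctx):
    """Run the three stages and return stage, hits, rating and verdict."""
    if ctx.reputation is not None and ctx.reputation <= REPUTATION_DROP_AT_OR_BELOW:
        return {"stage": "reputation-filter", "hits": [], "rating": 100, "verdict": "BLOCK"}
    hits = find_sql_fragments(http_request)
    if not hits:
        return {"stage": "signature", "hits": [], "rating": 0, "verdict": "ALLOW"}
    rating = risk_rating(hits, ctx)
    if rating >= BLOCK_AT_OR_ABOVE:
        verdict = "BLOCK"
    elif rating >= ALERT_AT_OR_ABOVE:
        verdict = "ALERT"        # the slide's UNKNOWN: log it, do not deny
    else:
        verdict = "ALLOW"
    return {"stage": "global-correlation", "hits": hits, "rating": rating, "verdict": verdict}


# Constructed sample requests.
REQ_INJECT = "GET /customers?id=1%27+OR+1%3D1 HTTP/1.1"
REQ_BILLING = "POST /report HTTP/1.1 q=SELECT+name+FROM+customers+UNION+SELECT+name+FROM+archive"
REQ_CLEAN = "GET /index.html HTTP/1.1"

if __name__ == "__main__":
    hostile = SourceContext(reputation=-5.0, first_connection=True, dynamic_ip=True,
                            dynamic_dns=True, web_attack_history=True,
                            botnet_history=True, compromised_network=True)
    print(evaluate(REQ_INJECT, SourceContext()))   # signature only -> ALERT
    print(evaluate(REQ_INJECT, hostile))           # with context   -> BLOCK
```

Run against the three constructed requests, the same signature hit yields ALERT with no context, BLOCK for a first-time dynamic-IP source with attack and botnet history, and ALLOW for the billing system. The decision engine is the only place that denies, and it denies on the combination of what was seen and who sent it, which is the "confident deny action" the last slide refers to.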
Cisco IPS 7.0 with Global Correlation: Changing Network IPS to Global IPS
• Coverage: twice the effectiveness of signature-only IPS
• Accuracy: reputation analysis decreases false positives
• Timeliness: 100x faster than traditional signature-only methods
Harnessing the power of Cisco Security Intelligence Operations
Results averaged over a two-week period in pre-release deployments
Vision

Cisco Security Intelligence Operations: Vision
• More Cisco devices will be linked into the Cisco Shared Defense Network
• This will provide global analysis, and be more informative about how your Cisco network is defending itself