Transcript Document
Your Network is Compromised: Do you know where?
© 2014 Lancope, Inc. All rights reserved.

The Perimeter Has Vanished
Global trends contribute to a vanishing perimeter:
• Shift to Cloud
• Mobile
• User-Developed Applications
• Composite Applications and Application Proliferation
• Telecommuting
• Consumerization of IT / BYOD
• Supply Chain / Partners
• Dynamic Onboarding
• Advanced Authentication
• Cloud Backup & Recovery
• Global, Distributed Workforce

How Have Enterprises Tried to Solve this Problem?
• Strengthen the Perimeter
• Harden the Endpoint
• Monitor Content Moving Into and Out of the Enterprise
• Increase Sophistication of Identity Management
• Analytics & Remediation

Today's Threat Landscape
Despite $32 billion spent on conventional tools, threats continue to evade detection and data breaches continue. Today's top threats still get through the IPS, IDS and firewall:
• 243 days before attackers were discovered
• 621 incidents and over 44 million compromised records
• $3.03M is the average lost business cost of a breach in the US

Stop Problems Before They Become Crises
• 259% ROI
• "Worm outbreaks impact revenue by up to $250k / hour. StealthWatch pays for itself in 30 minutes." (F500 media conglomerate)
• StealthWatch reduces MTTK; ~70% of incident response is spent on MTTK
• Timeline figure (impact to the business in $ vs. time): attack onset, early warning, attack identified, attack thwarted, vulnerability closed; it compares a company with legacy monitoring tools (credit card data compromised before the attack is identified) against a company with StealthWatch.
Continuous Response with Context-Aware Security
Monitor, detect, analyze, respond:
• Network is your sensor
• Operationalized security intelligence
• Continuous monitoring, detection, analysis and response
• Multiple stakeholders

Why Cisco uses StealthWatch
Network:
• 16 billion NetFlow records daily, stored for 90 days
• 175 TB of daily traffic
• 250,000 active hosts
Problem:
• Needs a scalable solution to store more NetFlow for incident look-back
• Requires enhanced detection capabilities
• Must be IPv6 capable
Solution:
• Retains 90+ days of full NetFlow records
• Provides a unique interface for gaining insight into NetFlow and the information it contains
• Automatic NetFlow analysis
• Utilizes the StealthWatch feature set: syslog export of events, host group-based detection, API queries, host alarms
(Solution areas covered: visibility, threat detection, incident response, network diagnostics, user monitoring)

Why HP Uses StealthWatch
Network:
• 16,000 switches
• 10,000 routers
• Connects over 300,000 users from 600 sites
• In aggregate, generates 600,000 data flows per second
Problem:
• Needs to monitor activity within an enormously complex, global network
• Must quickly detect malicious traffic buried within innocuous data
Solution:
• Detects a broad range of malicious and anomalous traffic
• Reduces HP's response time to resolve threats
• Integrates with TippingPoint and ArcSight
• Scalable: collects and analyzes global network flow data
• Cost-effective solution
(Solution areas covered: visibility, threat detection, incident response, network diagnostics, user monitoring)

Blue Chip Customer Base
Government, Healthcare, Higher Education and Enterprise customers in the U.S.
International customers include the New Zealand Ministry of Defense, the Latvia Ministry of Internal Affairs and the Saudi Arabia Ministry of Defense.

Lancope Solution Areas
Visibility:
• Context-aware visibility into network, application and user activity
• BYOD
• Cloud monitoring
• IPv6
• East-West traffic monitoring
• Network segmentation
• Firewall rule auditing
Threat Detection:
• Advanced Persistent Threats
• Botnet (CnC) detection
• Data exfiltration
• Network reconnaissance
• Insider threat
• DDoS
• Malware
• Network Behavior Anomaly Detection
• Cisco Cyber Threat Defense Solution
• SLIC threat feed
Incident Response:
• In-depth, flow-based forensic analysis of suspicious incidents
• Scalable repository of security information
• Retrace the step-by-step actions of a potential attacker
• On-demand packet capture
Network Diagnostics:
• Application awareness
• Capacity planning
• Performance monitoring
• Troubleshooting
User Monitoring:
• Cisco ISE
• Monitor privileged access
• Policy enforcement

The Power of the StealthWatch System

StealthWatch for Context-Aware Security
What is Context-Aware Security? The use of situational information (e.g. identity, location, time of day or type of endpoint device) to operationalize security and improve information security decisions.

Breaking down the Boundaries

With StealthWatch…
• KNOW every host
• RECORD every conversation
• Know what is NORMAL (audit, assess)
• Alert to CHANGE (posture, detect)
• Store for MONTHS (response)

Gain Context-Aware Security
Everything must touch the company network, so the network itself supplies context: what else can the network tell me?
Embedded context:
• Username integration: devices, ports, MAC, DHCP
• Application information
• RTT / SRT
• Packet loss
• XFF header
• URL information
• Partial payload capture
• Web summary for SIEM
• Active Directory integration
• NAT table integration
• Country codes
• Syslog parsers
• Scripted mitigation
• External event association
• External threat intelligence
• Weblinks for lookup
• User-defined threat criteria
• Custom application configuration
• IPAM integration (XML import)

Eyes and Ears of the Network
Drilling into a single flow yields a plethora of information.

StealthWatch Advanced Threat Detection

Advanced Detection Methods
• Signature = object checked against a blacklist (IPS, antivirus, content filter)
• Behavior = victim behavior inspected against a blacklist (malware sandbox, NBAD, HIPS, SIEM)
• Anomaly = victim behavior inspected against a whitelist (NBAD; quantity/metric based, not signature based)
Coverage by method (Signature / Behavior / Anomaly):
• Known exploits: BEST / Good / Limited
• 0-day exploits: Limited / BEST / Good
• Credential abuse: Limited / Limited / BEST

How StealthWatch Analyzes Devices

StealthWatch Labs Intelligence Center (SLIC)
Lancope's research initiative that tracks emerging threat information from around the world:
• Botnet command & control
• Internet scanning
• Backscatter (DDoS victims)
• New behavioral analysis algorithms, updated as new threats are discovered; updates are performed using the existing SLIC control channel and licensing

StealthWatch Architecture & Design

Network Is Your Sensor: Internal Visibility from Edge to Access
Figure: network diagram with Internet edge (ASA, ASR-1000), WAN sites San Jose, New York and Atlanta (3925 ISR), access layer (3560-X, Cat4k, 3850 stacks) and data center (VPC servers).
Figure (continued): core (Nexus 7000, Cat6k) and UCS with Nexus 1000v.

Primary Architectural Components
StealthWatch Management Console:
• Manages, coordinates and configures all StealthWatch appliances to correlate security and network intelligence across the enterprise
• Web user interface: dashboards, tools, analysis, and mitigation
StealthWatch FlowCollector:
• Leverages Cisco NetFlow traffic accounting technology or traffic information from sFlow
• Supports IPFIX
StealthWatch FlowSensor:
• Delivers flow-based Response Time Management (RTM)
• Flow-by-flow visibility, including connection information such as Round Trip Time (RTT), Server Response Time (SRT), Retransmission Ratio (RT%), and advanced URL data
SLIC Threat Feed:
• Draws upon global threat intelligence to provide an additional layer of protection from botnets and other sophisticated attacks
• Correlates suspicious network activity with data on thousands of known C&C servers
StealthWatch FlowReplicator:
• Aggregates flow data, syslog and SNMP information in a single, high-speed appliance
• Forwards information in a single data stream to one or more StealthWatch FlowCollector appliances
StealthWatch IDentity:
• Automates user identification, streamlines remediation efforts and delivers powerful auditing capabilities for regulatory compliance
• Agent-less approach enables scalable, cost-effective user tracking and reporting

Massively Scalable StealthWatch Architecture

Thank you
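As an added example that is not part of the deck or of Lancope's products, the Python below applies two of the methods from the Advanced Detection Methods slide to constructed NetFlow-style records: the signature method (an object, here the peer address, checked against a blacklist) and the anomaly method ("know what is NORMAL, alert to CHANGE": a host's outbound volume checked against the norm learned for its host group from stored history). The flow records, host groups, blacklist and the z-score threshold are all assumptions standing in for whatever the product does internally.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Added example, not StealthWatch code. Constructed NetFlow-style records:
# (day, src_ip, dst_ip, dst_port, bytes_out); days 1-3 are stored history, 4 is today.
FLOWS = [(d, h, "203.0.113.5", 443, b)
         for d in (1, 2, 3)
         for h, b in (("10.1.1.10", 900_000), ("10.1.1.11", 1_000_000),
                      ("10.1.1.12", 1_100_000), ("10.1.2.20", 50_000_000))]
FLOWS += [
    (4, "10.1.1.11", "203.0.113.5", 443, 1_050_000),
    (4, "10.1.1.11", "198.51.100.7", 6667, 2_000),     # tiny flow to a listed C&C
    (4, "10.1.1.12", "203.0.113.9", 443, 25_000_000),  # unusual outbound volume
    (4, "10.1.2.20", "203.0.113.5", 443, 50_000_000),
]
# Assumed host group membership (the deck's "host group-based detection").
HOST_GROUPS = {"10.1.1.10": "Workstations", "10.1.1.11": "Workstations",
               "10.1.1.12": "Workstations", "10.1.2.20": "Servers"}
CNC_BLACKLIST = {"198.51.100.7"}  # constructed; stands in for a feed such as SLIC

def daily_outbound(flows, days):
    """Bytes sent per (day, host) on the chosen days: the behaviour baselined."""
    totals = defaultdict(int)
    for day, src, _dst, _port, nbytes in flows:
        if day in days:
            totals[(day, src)] += nbytes
    return totals

def signature_alarms(flows, blacklist, day):
    """Signature method: match an object (the peer IP) against a blacklist."""
    return sorted({src for d, src, dst, _p, _b in flows
                   if d == day and dst in blacklist})

def group_baseline(flows, groups, history_days):
    """Anomaly method, step 1: per host group, mean and stdev of daily bytes."""
    samples = defaultdict(list)
    for (_d, host), total in daily_outbound(flows, history_days).items():
        samples[groups.get(host, "Unknown")].append(total)
    return {g: (mean(v), pstdev(v)) for g, v in samples.items()}

def anomaly_alarms(flows, groups, history_days, day, z_limit=3.0):
    """Anomaly method, step 2: today's hosts whose volume breaks their norm.
    Flat or missing history (stdev 0) alarms on any growth over the norm."""
    base = group_baseline(flows, groups, history_days)
    alarms = []
    for (_d, host), total in daily_outbound(flows, {day}).items():
        mu, sd = base.get(groups.get(host, "Unknown"), (0, 0.0))
        z = (total - mu) / sd if sd else (float("inf") if total > mu else 0.0)
        if z > z_limit:
            alarms.append(host)
    return sorted(alarms)
```

The two methods flag different hosts on the same data: the small C&C contact is invisible to the volume anomaly check, and the large transfer to an unlisted address is invisible to the blacklist, which is the complementarity the slide's coverage table describes.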