
Securing the Enterprise with Network Intelligence
BRKGS-2541

Matt Robertson
Security Technical Marketing Engineer

Crown Jewels

Imperial State Crown of the United Kingdom
Jewel House, Tower of London

BRKGS-2541
2015 Cisco and/or its affiliates. All rights reserved.
Cisco Public

Crown Jewels

Iron Crown of Lombardy
Duomo of Monza

Crown Jewels
Data that is valuable to attackers

- Card holder data (PCI)
- Patient records (HIPAA)
- Trade secrets
- Competitive information (M&A)
- Employee data (PII)
- State secrets

Thinking beyond the perimeter

Once the walls are built, monitor for security visibility

NetFlow

10.2.2.2 port 1024  --- eth0/1 [ NetFlow exporter ] eth0/2 ---  10.1.1.1 port 80

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent  TCP Flags
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025        SYN,ACK,PSH
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712       SYN,ACK,FIN

NetFlow = Visibility
A single NetFlow Record provides a wealth of information

Router# show flow monitor CYBER-MONITOR cache
IPV4 SOURCE ADDRESS:       192.168.100.100
IPV4 DESTINATION ADDRESS:  192.168.20.6
TRNS SOURCE PORT:          47321
TRNS DESTINATION PORT:     443
INTERFACE INPUT:           Gi0/0/0
IP TOS:                    0x00
IP PROTOCOL:               6
ipv4 next hop address:     192.168.20.6
tcp flags:                 0x1A
interface output:          Gi0/1.20
counter bytes:             1482
counter packets:           23
timestamp first:           12:33:53.358
timestamp last:            12:33:53.370
ip dscp:                   0x00
ip ttl min:                127
ip ttl max:                127
application name:          nbar secure-http
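The cache record above is the raw material every later slide builds on. As an added example (not part of the deck or of any Cisco or Lancope tool), the Python below parses a constructed copy of that record into a dictionary, expands the cumulative tcp flags byte 0x1A into flag names, computes the flow duration from the two timestamps, and notes whether the TTL stayed constant. Field names and the flag bit order are the standard ones; the summary keys are my own naming.

```python
from datetime import datetime, timedelta

# Constructed copy of the single record shown in the slide's
# "show flow monitor CYBER-MONITOR cache" output (sample input, not live data).
SAMPLE_CACHE = """\
IPV4 SOURCE ADDRESS:       192.168.100.100
IPV4 DESTINATION ADDRESS:  192.168.20.6
TRNS SOURCE PORT:          47321
TRNS DESTINATION PORT:     443
INTERFACE INPUT:           Gi0/0/0
IP TOS:                    0x00
IP PROTOCOL:               6
ipv4 next hop address:     192.168.20.6
tcp flags:                 0x1A
interface output:          Gi0/1.20
counter bytes:             1482
counter packets:           23
timestamp first:           12:33:53.358
timestamp last:            12:33:53.370
ip dscp:                   0x00
ip ttl min:                127
ip ttl max:                127
application name:          nbar secure-http
"""

# TCP flag bits as carried in the NetFlow "tcp flags" field (bit 0 = FIN, per the TCP header).
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_cache_record(text):
    """Turn one 'field: value' block into a dict keyed by the lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def decode_tcp_flags(hex_value):
    """Expand the cumulative flag byte (e.g. '0x1A') into the names of the flags that were set."""
    value = int(hex_value, 16)
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def flow_duration_ms(first, last):
    """Milliseconds between the first and last packet timestamps of the flow."""
    fmt = "%H:%M:%S.%f"
    delta = datetime.strptime(last, fmt) - datetime.strptime(first, fmt)
    return int(delta / timedelta(milliseconds=1))


def summarize_record(text):
    """Produce the who/what/where/when view an analyst wants from a raw cache record."""
    f = parse_cache_record(text)
    proto = int(f["ip protocol"])
    return {
        "src": f"{f['ipv4 source address']}:{f['trns source port']}",
        "dst": f"{f['ipv4 destination address']}:{f['trns destination port']}",
        "proto": IP_PROTO_NAMES.get(proto, str(proto)),
        "in_if": f["interface input"],
        "out_if": f["interface output"],
        "bytes": int(f["counter bytes"]),
        "packets": int(f["counter packets"]),
        "duration_ms": flow_duration_ms(f["timestamp first"], f["timestamp last"]),
        "tcp_flags": decode_tcp_flags(f["tcp flags"]),
        "application": f["application name"],
        # A TTL that never changes within the flow is what a single, stable source path looks like.
        "ttl_stable": f["ip ttl min"] == f["ip ttl max"],
    }


if __name__ == "__main__":
    for k, v in summarize_record(SAMPLE_CACHE).items():
        print(f"{k:12} {v}")
```

The flags field is cumulative over the whole flow, so 0x1A (SYN, PSH, ACK) tells you the handshake and a data push were seen but no FIN or RST yet, which is why a parser should expand it rather than compare it to a single flag.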

Components for NetFlow Security Monitoring

StealthWatch Management Console
- Management and reporting
- Up to 25 FlowCollectors
- Up to 3 million fps globally

StealthWatch FlowCollector
- Collect and analyze
- Up to 2000 sources
- Up to sustained 120,000 fps

Best Practice: Centralize collection globally

StealthWatch FlowReplicator
- UDP packet copier
- Forward to multiple collection systems

StealthWatch FlowSensor
- Generate NetFlow data

StealthWatch FlowSensor VE
- Virtual environment
- Visibility into ESX

NetFlow is exported from the Cisco Network to the collectors.

Conversational Flow Record

- Who
- What
- Where
- When
- How
- More context

- Highly scalable (enterprise class) collection
- High compression => long term storage
- Months of data retention
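The flow table earlier in the deck shows two unidirectional records (one per direction) for the same TCP connection; a conversational flow record is what you get by stitching them together. As an added example (my code, not the deck's and not the StealthWatch implementation), the Python below does that stitching on a constructed copy of those two records: it keys both halves on a direction-independent 5-tuple, takes the earliest record as the client-to-server direction, sums bytes and packets per direction, unions the TCP flags, and renders the Who / What / Where / When / How view. Field layout and the record names are my assumptions.

```python
from dataclasses import dataclass, field

# The two unidirectional NetFlow records from the flow table on the slide,
# constructed here as sample input (one line per direction of the same TCP connection).
# Fields: start_time, interface, src_ip, src_port, dst_ip, dst_port, proto, pkts, bytes, tcp_flags
RAW_FLOWS = [
    ("10:20:12.221", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025, "SYN,ACK,PSH"),
    ("10:20:12.871", "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712, "SYN,ACK,FIN"),
]


@dataclass
class Conversation:
    """One bidirectional record: who talked to whom, on what service, when, and how much."""
    client: str
    client_port: int
    server: str
    server_port: int
    proto: str
    first_seen: str
    ingress_if: str
    client_bytes: int = 0
    client_pkts: int = 0
    server_bytes: int = 0
    server_pkts: int = 0
    flags: set = field(default_factory=set)   # union of TCP flags seen in either direction


def conversation_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent 5-tuple, so both halves of a connection share one key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (proto,) + (a + b if a <= b else b + a)


def stitch(flows):
    """Merge unidirectional records into conversational records.

    Records are processed in start-time order; the earliest record on a key is
    taken as the client-to-server direction, so the host that opened the
    connection is reported as the client and the responder as the server.
    """
    convs = {}
    for start, iface, sip, sport, dip, dport, proto, pkts, nbytes, flags in sorted(flows):
        key = conversation_key(sip, sport, dip, dport, proto)
        conv = convs.get(key)
        if conv is None:
            conv = Conversation(sip, sport, dip, dport, proto, start, iface)
            convs[key] = conv
        if (sip, sport) == (conv.client, conv.client_port):
            conv.client_bytes += nbytes
            conv.client_pkts += pkts
        else:
            conv.server_bytes += nbytes
            conv.server_pkts += pkts
        conv.flags.update(flags.split(","))
    return list(convs.values())


def as_record(conv):
    """The Who / What / Where / When / How view the slide describes."""
    return {
        "who": f"{conv.client} -> {conv.server}",
        "what": f"{conv.proto} service on port {conv.server_port}",
        "where": f"first seen on interface {conv.ingress_if}",
        "when": conv.first_seen,
        "how": (f"{conv.client_pkts} pkts/{conv.client_bytes} B client->server, "
                f"{conv.server_pkts} pkts/{conv.server_bytes} B server->client, "
                f"flags {','.join(sorted(conv.flags))}"),
    }


if __name__ == "__main__":
    for conv in stitch(RAW_FLOWS):
        for k, v in as_record(conv).items():
            print(f"{k:6} {v}")
```

Keeping the two directions separate in the stitched record is what makes the later anomaly alarms possible: 1025 bytes up against 28712 bytes down is the shape of a download, and the per-direction totals are what a data hoarding or data loss policy compares against a baseline.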

NetFlow Analysis can help:

Discovery
- Identify business critical applications and services across the network

Policy & Segmentation

Network Behaviour Anomaly Detection (NBAD)

Better understand / respond to an IOC:
- Audit trail of all host-to-host communication
- Identify additional IOCs

Discovery: Finding your Jewels

- Identify assets and data
- Top Peers and Flow Tables
- Expected traffic profile
- Create Host Groups
- Tune Host Group policies to lower tolerance

Map the Segmentation

- Identify relationships
- Monitor policy

Allowed / Not Allowed

Custom Security Events and Host Locking

- Peer conditions
- Object conditions
- Time range
- Connection conditions

Data Anomaly Alarms

- Suspect Data Hoarding
- Target Data Hoarding
- Total Traffic
- Suspect Data Loss

Suspect Data Hoarding

Unusually large amount of data inbound from other hosts
Default Policy

Target Data Hoarding

Unusually large amount of data outbound from a host to multiple hosts
Default Policy
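The two hoarding alarms and the earlier advice to tune host group policies to a lower tolerance come together in a small detector. As an added example (my code, not the deck's and not how StealthWatch computes its alarms), the Python below takes a constructed 7-day per-host baseline and one constructed day of inside-to-inside flows, builds a per-host threshold of mean plus a host-group-specific number of standard deviations, and raises Suspect Data Hoarding when inbound bytes from other hosts exceed it and Target Data Hoarding when outbound bytes to two or more hosts exceed it. The host group names, prefixes, tolerance values and the "two or more peers" rule are my assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Host group policies (constructed). Tolerance is the number of standard deviations
# above a host's own baseline that raises an alarm; the Crown Jewels group is tuned lower.
HOST_GROUPS = {
    "Crown Jewels": {"prefix": "10.10.1.", "tolerance": 1.5},
    "Workstations": {"prefix": "10.20.1.", "tolerance": 3.0},   # default policy
}
MIN_PEERS_FOR_TARGET = 2   # "multiple hosts" for Target Data Hoarding (assumption)

# Constructed 7-day history of daily byte totals (MB) per host, inbound and outbound.
BASELINE_MB = {
    "10.10.1.1": {"in": [10, 12, 11, 9, 13, 10, 12], "out": [200, 220, 210, 190, 230, 205, 215]},
    "10.20.1.5": {"in": [50, 60, 55, 45, 65, 52, 58], "out": [5, 6, 4, 7, 5, 6, 5]},
    "10.20.1.6": {"in": [40, 45, 50, 42, 48, 44, 47], "out": [4, 5, 6, 5, 4, 5, 6]},
}

# Constructed flows for today: (src, dst, MB transferred), all between inside hosts.
TODAY_FLOWS = [
    ("10.10.1.1", "10.20.1.5", 200),   # the database server sends 200 MB to one workstation
    ("10.10.1.1", "10.20.1.6", 40),
    ("10.20.1.5", "10.10.1.1", 2),
    ("10.20.1.6", "10.10.1.1", 1),
    ("10.20.1.5", "10.20.1.6", 3),
]


def host_group(ip, groups=HOST_GROUPS):
    """Name of the first host group whose prefix matches the address, or None."""
    for name, policy in groups.items():
        if ip.startswith(policy["prefix"]):
            return name
    return None


def threshold_mb(history, tolerance):
    """Per-host threshold: baseline mean plus `tolerance` standard deviations."""
    return mean(history) + tolerance * pstdev(history)


def aggregate(flows):
    """Per-host inbound MB, outbound MB and the set of distinct outbound peers."""
    inbound, outbound, peers = defaultdict(float), defaultdict(float), defaultdict(set)
    for src, dst, mb in flows:
        outbound[src] += mb
        inbound[dst] += mb
        peers[src].add(dst)
    return inbound, outbound, peers


def detect(flows, baseline, groups=HOST_GROUPS):
    """Return (alarm, host, observed_mb, threshold_mb) for every host over its policy."""
    inbound, outbound, peers = aggregate(flows)
    alarms = []
    for host, hist in baseline.items():
        group = host_group(host, groups)
        if group is None:
            continue
        tol = groups[group]["tolerance"]
        in_limit = threshold_mb(hist["in"], tol)
        out_limit = threshold_mb(hist["out"], tol)
        # Suspect Data Hoarding: unusually large amount of data inbound from other hosts
        if inbound[host] > in_limit:
            alarms.append(("Suspect Data Hoarding", host, inbound[host], round(in_limit, 1)))
        # Target Data Hoarding: unusually large amount of data outbound to multiple hosts
        if outbound[host] > out_limit and len(peers[host]) >= MIN_PEERS_FOR_TARGET:
            alarms.append(("Target Data Hoarding", host, outbound[host], round(out_limit, 1)))
    return alarms


if __name__ == "__main__":
    for alarm in detect(TODAY_FLOWS, BASELINE_MB):
        print(alarm)
```

With these numbers the database server's 240 MB outbound day is about 228 MB over its Crown Jewels threshold but under the roughly 247 MB the default tolerance would allow, which is the practical effect of lowering the tolerance on the host group that holds the jewels: the same traffic alarms there and stays quiet on a workstation.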

Summary

Related Sessions

BRKSEC-2136 Preventing Armageddon: Finding the threat before it's too late
Matt Robertson, Wednesday, Jan 28, 2:30-4:00

BRKCRS-1449 - Introductory - Threat Defense for Enterprise Networks with Unified Access
Vaibhav Katkade, Anoop Vetteth, Tuesday, Jan 27, 11:15-12:45

BRKSEC-3068 - Intermediate - Red Team, Blue Team: Lessons Learned for Real World Attacks
Jamey Heary, Eddie Mize, Tuesday, Jan 27, 2:15-4:15

BRKSEC-3128 - Secure your network with distributed behavioural analytics
JP Vasseur, Tuesday, Jan 27, 4:45-6:15

Call to Action

Visit the World of Solutions for Cisco Campus:
- Lancope Booth #G8
- Cisco Security - Cyber Threat Defence Demo
- Cisco Enterprise Networking - Network as a Sensor & Enforcer

Technical Solution Clinics
Meet the Engineer
Lunch time Table Topics
DevNet zone related labs and sessions

Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan 2015

Complete Your Online Session Evaluation

Please complete your online session evaluations after each session.
Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.

Protect the Crown Jewels!

NetFlow and the Lancope StealthWatch System provide actionable security intelligence