Tag Archives: network visibility

March 18, 2013

Situational Awareness For Cyber Threat Defense

Aamir Lakhani did a great post on Situational Awareness. The original post ca be found HERE

Illustration Kekai Kotaki Red Dragon 992x712 Situational Awareness For Cyber Threat Defense

Illustration by Kekai Kotaki

Problem

Cisco Systems in their Cyber Security Threat Defense white papers outlines how the network security threat landscape is evolving. They describe how modern attacks are stealthy and evade traditional security perimeter defenses.

Traditional monitoring and reporting tools are no longer sufficient in detecting true threats on the network. Modern security tools and hardware devices such as firewalls, anti-virus, patch management solutions, IPS, and other solutions can only provide a small amount of relief against attacks. Most of these tools seem to be really implemented to fulfill some sort of checkmark for an auditor on a compliance form. Security professional know these tools, although very important, alone don’t provide a full security defense architecture.

Furthermore, as security threats and malware invade systems, security administrators are having trouble understanding the nature of attacks, how they occur, and how to defend against them. Remember you can’t fight what you don’t understand.

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

- Sun Tzu, The Art of War (source: http://en.wikiquote.org/wiki/Sun_Tzu)

Cisco ISE 1024x617 Situational Awareness For Cyber Threat Defense

Image Source: Cisco Identity Services Engine

Cisco Identity Services Engine provides true network identification, profiling, and access controls.

Combined as a center piece for Cisco’s TruseSec Solution, Cisco ISE creates a secure ecosystem treating security as a holistic solution.

Federal Cyber Initiatives

New mandates are making cyber security front and center of the news. President Obama recently challenged the nation and the Federal government in the United States to increase its cyber defense capabilities. As Federal IT budgets are getting slashed back in 2013; however, spending for cyber security appears to be increasing in the eyes of the casual on-looker.

Cisco Systems, in their Cyber Threat Defense White Paper discusses how “with increasingly sophisticated cyber attacks like WikiLeaks on the rise, federal agencies require more innovative solutions for maintaining a strong security posture. Additionally, with the evolution of the CNCI (Comprehensive National Cybersecurity Initiative), federal agencies are being required to take a more holistic and collaborative approach to analyzing threat information across the totality of government networks for improved incident response and forensic investigation.”

Being constantly bombarded with continuous threats, how can security professionals even guadge they are being attacked or a threat is posing a clear and present danger (yes that was a Harrison Ford shout out).

NetWitness Situational Awareness For Cyber Threat Defense

RSA NetWitness Logo

Image Source: RSA

How To Solve The Problem

I recommend creating a conceptional framework for Threat Defense Visibility and Awareness program. The goal of program should be to (1) provide a framework that can be built by using products, technologies, and methodologies that are available today, (2) provide network visibility on network health and status in real-time, (3) provide real-time network posture and attack risk baselines, (4) provide a training facility for attack analysis and defense.

What Is Network Visibility?

According to Lancope (source: http://www.lancope.com/), “network visibility focuses on the most complex and dangerous information security threats – threats that lurk in networks for months or years at a time stealing vital information and disrupting operations. This type of solution provides visibility into these threats and context to decipher their targets and potential damage”. Lancope further states on their website, security analysts gain visibility into advanced cyber threats such as:

  • Network reconnaissance
  • Network interior malware proliferation
  • Command and control traffic
  • Data ex-filtration

Lancope Situational Awareness For Cyber Threat Defense

Lancope Stealwatch provides network visibility

Understanding trends, anomalies, and threats of the network

Image Source: Lancope

Network visibility gives security administrators the ability to detect problems because they highlight changes in baseline behavior. Did traffic spike a 100%, did outbound traffic suddenly increase, are more requests being transmitted to new domain on the Internet? All these occurrences can indicate an attack. Network visibility shows network security professionals exactly what is different about today’s traffic patterns than what is normally looks like. Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

March 4, 2013

Cisco’s Cyber Solutions – What Is Happening In Your Network

Watching Cisco’s Cyber Solutions – What Is Happening In Your NetworkToday’s threat landscape is loaded with malicious websites, malware and other risks that attack users every nanosecond of the day.  There isn’t a single product available that can guarantee protection from cyber threats. Older solutions leveraging static technologies such as signatures are not good enough. The best approach for dealing with advanced threats is continuously monitoring the entire network through layering security technologies.

Cisco is known for network and collaboration products however Cisco also has a very strong security catalog that extends beyond traditional firewalls and IPS appliances. If I had to summarize Cisco’s core visibility technologies for cyber threats, I would highlight Cisco’s capabilities around Access Control, Web Security and partnership with Lancope for Insider Threats.

Access Control is critical for knowing who and what is accessing your network regardless if it’s the LAN, Wireless or remotely using VPN technology. Cisco Identity Services Engine ISE accomplishes visibility of users accessing the network by leveraging how people authenticate along with profiling what types of devices are being used. The screenshot below shows two users with mobile devices obtaining different levels of wireless access. Cisco ISE can also verify if devices meet specified polies by enforcing posture prior to providing network access meaning ensure Joey’s windows 7 laptop has the latest updates and security applications installed.

ISE Auth Cisco’s Cyber Solutions – What Is Happening In Your NetworkCisco ISE showing Android with Contractor access and iPhone with Employee mobile access

Screen Shot 2013 03 01 at 8.36.52 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkProfiled devices in my home lab. “Apple-Device” is a MACMINI hosting ISE via “VMWare-Device”

Screen Shot 2013 03 01 at 8.36.01 PM Cisco’s Cyber Solutions – What Is Happening In Your Network

Some default profiles for Cisco ISE. 

Web Security is crucial for protecting internal users from threats while surfing the public Internet. Cisco Web Security Appliance WSA (previously Ironport) provides visibility of Internet usage as well as security through layered technologies. Network use policies such as denying gambling web content during work hours can easily be enforced through Cisco WSA’s categorized content classes.

Screen Shot 2013 02 22 at 12.08.05 PM Cisco’s Cyber Solutions – What Is Happening In Your Network

Cisco WSA Content Dashboard

The real value of Cisco WSA is going beyond average web content filtering by offering layers of security options that protect users accessing approved content. The first layer is verifying if the web source is a known evil location based on reputation. Reputation can be factors such as where it’s located, how long it’s been up or if it has been marked as a source for malicious activity. If the web source has a safe reputation, WSA scans traffic with a combination of Sophos, McAfee and Webroot engines along with other intelligence looking for malicious behavior. There is also a botnet scanner that sits on a spam port designed to capture users that happen to get compromised and have malware phone home activity from their devices. The botnet scanner is a first step towards identifying insider threats but not good enough.

Screen Shot 2013 02 22 at 5.03.01 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkCisco WSA Main Dashboard

Screen Shot 2013 02 22 at 12.07.42 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkCisco WSA Threat Dashboard

True insider threat visibility can only be accomplished by monitoring all internal traffic for threats that can compromise your network through email, web, infected devices or other means. Cisco has partnered with Lancope to give network wide forensic visibility leveraging capabilities that exist within networking products such as routers, switches and firewalls as well as in the datacenter. Administrators can use Lancope’s Steathwatch to see the top 10 threats that range from Data Loss to Botnet infections.

Screen Shot 2013 02 22 at 12.11.20 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkMain Lancope Cyber Security Dashboard

(Top 4 machines infected with botnets)
Screen Shot 2013 02 22 at 12.12.19 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkEthel’s Windows 7 Workstation With Botnet

Screen Shot 2013 02 22 at 12.12.42 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkEthel’s Workstation communicating with malicious source

Lancope identifies threats using a combination of reputation and behavior regardless if the threat attempts to hide by throttling, encryption or interact through multiple compromised systems. Some examples are flagging a user dumping large amounts of data to dropbox, communication with known malware web sources, host-to-host reconnaissance and use of obscure ports. Lancope can zero in on a threat by stitching together the entire communication chain meaning an administrator will see a map of all infected devices, how the infection started, who the users are (including Cisco ISE integration), where its spreading and how its sending traffic off the network. Lancope also gives visibility into abusing network resources, unauthorized tunneling and problems in network performance.

Screen Shot 2013 02 22 at 12.13.00 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkLancope Dataloss Diagram
Screen Shot 2013 02 22 at 12.13.18 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkMalware Propagation Diagram

Purple IP has infected green IP which is probing other systems
Screen Shot 2013 02 22 at 12.14.47 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkKnown Botnet Sources via Reputation

Combing Access Control, Web Security and Insider Threat technology gives administrators complete visibility of what is happening on the network. There is a lot of power having reports showing every user and device on the network, how those devices access the public Internet and near real-time analytics on if any of those devices have been compromised. This information can dramatically improve identification and reaction to cyber threats saving time, money and other problems caused by network breaches.

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

2 Comments

Filed under Internet Defense, Network Admission Control, Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

January 8, 2013

The Business Value Of NetFlow : Why Invest In NetFlow Technology?

The Business Value Of NetFlow : Why Invest In NetFlow Technology?There has been a rapid increase in demand for security solutions that can defend against Advanced Persistent Threats (APTs). Why? Because today, cyber criminals don’t use a specific attack to compromise targeted networks.

Successful attacks are typically made up of a number of chained exploits. A hacker may start with social engineering, deliver malware through phishing and gain internal access through compromised machines. Once the hacker has established a foothold into the internal network, he may spread rootkits through a hidden torrent like environment to communicate under the radar and steal information.

Defending against attacks like this is difficult to detect and to remediate. Point productions may catch a piece of the puzzle however you will need the complete picture to deal with sophisticated attacks. Solutions must have network wide visibility, which typically can be accomplished through logging, packet capture or network analysis. Logging requires security tools such as firewalls and IPS appliances spread across the network sending logs to a centralized system for event correlation and reporting. Analyzing packets usually requires collectors analyzing a tremendous amount of data obtained from key network segments. Network security and performance analytics can be obtained directly from network devices capable of providing NetFlow such as routers and firewalls.

Of the three methods, network analysis is becoming an extremely attractive method to defend against advanced threats since NetFlow can be harvested from existing devices.

What are the key reasons to invest in NetFlow when an organization has already invested in firewalls, anti-virus, IPS systems, and other security tools? Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

1 Comment

Filed under Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

May 24, 2012

Identifying Advanced Persistent Threats ATP Using Netflow – Lancope StealthWatch Overview And Lab

Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And LabCisco recently announced a partnership with Lancope to address Advanced Persistent Threat or APT type attacks. The reason Lancope / StealthWatch was added is most security solutions are based on signatures or behavior to identify threats. Some newer technologies are leveraging reputation (see my post HERE) or honey pots (example FireEye) however advanced attacks aka APTs are bypassing these traditional security solutions.

APTs are typically customized for a specific target and designed to stay under the radar using technics such as throttling network usage, communicating through standard ports, encryption and other means that bypass common security solutions. Examples of common security devices are Firewalls, IPS/IDS, Content filters, Anti-Virus / Anti-Malware, and other technologies that operate on a “probe” type design meaning they can only see traffic in a specific network segment. The APT problem becomes difficult to address with traditional tools due to lack of ability to detect the methods APTs operate on the network as well as difficultly to places detection technology in all network areas monitoring all layers of the network stack.

Some recent offerings to combat the APT threat are packet level and flow based monitoring solutions (Lancope being flow based). Both approaches look at all network traffic and flag anomalies that would bypass other security technology.  Both views have pros and cons however one clear advantage of using NetFlow is many network devices are capable of generating flows which makes it more cost effective than capturing and storing packet level data. I’m not saying packet level monitoring is a bad however storage requirements tend to quickly raise the price tag of this approach.

Lancope StealthWatch works by viewing any host with an IP address that creates TCP/IP traffic on the network. Lancope collects metadata on hosts and builds a profile of behavior. Network hosts connected to devices such as switches, routers and firewalls generate flows of information which typically are NetFlow or sFlow. As flows are collected, Lancope aggregates, normalizes and analyzes NetFlow telemetry data to detect threats and suspicious behavior. Lancope can also integrate with Cisco Identity Services Engine aka ISE by taking in contextual information such as User Identity, Endpoint Device Profiling and Posture information. Lancope essentially enables security monitoring on network devices. This dramatically improves the time to identify and react to threats. We had one customer identify some malware that apparently had been active for months throttling its communication phone home patterns to bypass their IPS and SIEM solution.

MY Lancope LAB

When logging into the management interface of Lancope StealthWatch, you first have to launch a Java session.
Screen Shot 2012 05 21 at 5.35.16 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

Screen Shot 2012 05 21 at 5.37.02 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

Once launched, the management interface of Lancope looks like this.

Screen Shot 2012 05 21 at 5.38.27 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

I have specific dashboards that come up which are customizable. Lancope offers TONs of reports that can pop up upon login. NOTE: My Lancope lab is using dummy data. Below is a breakdown of some of that data via the fake hosts, network devices and ISE system.

Screen Shot 2012 05 21 at 5.39.18 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

This Lancope dashboard shows traffic by hosts and bandwidth usage.

Screen Shot 2012 05 21 at 5.39.39 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

This shows a flow table in my Lancope lab. Flows are typically one way communications (Cisco ASAs are the only exception). Lancope stitches flows together so admins can easily see the full communication chain between hosts.

Screen Shot 2012 05 21 at 5.39.47 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

This Lancope diagram shows a global map of host relationship usage.

Screen Shot 2012 05 21 at 5.39.54 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

Here is a Lancope report showcasing user integration with Cisco Identity Services Engine aka ISE. Notice how inside Lancope, you can see who the users are , where they are located and what type of devices they have on the network utilizing the authorization and profiling capabilities of Cisco ISE.

Screen Shot 2012 05 23 at 4.24.49 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

The Lancope StealthWatch solution, Cisco NAM and Cisco Identity Services Engine or ISE integration is Cisco’s new flagship story to address advanced cyber threats aka APTs. I believe its critical to monitor flow or packet level data since in many cases, its the only way to identify and defend against advanced threats designed to bypass traditional security products. The scary thing about technology such as Lancope is what you will find when you first set it up in your environment. In many cases, customers find they are already owned and have been for a long time.

VN:F [1.9.22_1171]
Rating: 5.0/5 (5 votes cast)

4 Comments

Filed under Network Admission Control, Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,