ICT 2015 SAGA - Cisco Cybersecurity Solutions - Viktor Varga
Cisco Cybersecurity Solutions
IT/ICT SECURITY CONFERENCE KLADOVO 2015
Viktor Varga, SAGA, Business Development Manager
A quarter of a century shaping the future
SAGA
• Established 1989 – 25 years
• System Integrator No.1 in Serbia*
• Member of New Frontier Group
Security Department
*since 2005 by revenue
SAGA Security 360˚ Core Values
Holistic approach
Trusted Advisor
Security = Risk
Security as Enabler
Saga Security 360˚
Saga Security References
Security Intelligence
Network Identity
WAF DLP
Infrastructure Security
Cybersecurity
Global Risk Report
67B / 475B
Law on BICERT
Nigerian scam, Ransomware
Cybersecurity
STRATEGY
Controls
IPS
NGFW / UTM
FirePOWER
Access Control
• Remote Access VPN
• Gateway VPN
• Switching
• Routing
• NAT
• Stateful Inspection
Context Awareness
• Correlate host and user activity
• Passive OS Fingerprinting
• Passive Service Identification
• Passive Vulnerability mapping
• Passive Network Discovery
• Auto Policy Recommendations
• Auto Impact Assessment
Threat Prevention
• Vulnerability facing rules
• Threat facing rules
• Enterprise accuracy and performance
App Control
• Detection of applications
• Allow/block apps and app sub-functions
• Allow/block apps by user
• Allow/block apps by type, tag, category, risk rating
Typical IPS
Typical Firewall
Typical NGFWs
FirePOWER NGIPS
FirePOWER – NGFW
Context - Traffic Analysis
First packet : 2013-02-22 16:08:46
Last packet : 2013-02-22 16:08:46
Source IP : 10.2.1.51
Destination IP : 10.2.1.121
Protocol : TCP
Source Port : 2314
Destination Port : 3108
---------
Service : HTTP
Application Type : HTTP Browser
Web Application : ACME HR
Client App : Internet Explorer 7
Server App : Apache 2.3.32
Initiator packets: 6
Responder packets: 6
Initiator bytes : 1096
Responder bytes : 2269
URL : /foo/sploits/plugins/
Detection Engine : London Data Center
10.2.1.51 exists
10.2.1.121 exists
10.2.1.121 Has a daemon :3108
10.2.1.121 Is a webserver
10.2.1.51 Has a web browser
10.2.1.51 Has IE 7 installed
10.2.1.121 Needs updating: vulns
Impact Assessment
Correlates all intrusion events to an impact of the attack against the target
IMPACT FLAG / ADMINISTRATOR ACTION        | WHY
------------------------------------------+-----------------------------------------------------------
Act Immediately, Vulnerable               | Event corresponds to vulnerability mapped to host
Investigate, Potentially Vulnerable       | Relevant port open or protocol in use, but no vuln mapped
Good to Know, Currently Not Vulnerable    | Relevant port not open or protocol not in use
Good to Know, Unknown Target              | Monitored network, but unknown host
Good to Know, Unknown Network             | Unmonitored network
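The passive discovery facts from the "Context - Traffic Analysis" slide and the impact assessment table above, carried through as an added Python example (not Cisco's or the presentation's code). The connection record is modelled on the slide's output; the vulnerability ids, the vulnerability database and the monitored network are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed connection record, modelled on the slide's "Context - Traffic Analysis" output.
CONNECTION = {
    "src_ip": "10.2.1.51", "dst_ip": "10.2.1.121", "protocol": "TCP", "dst_port": 3108,
    "service": "HTTP", "client_app": "Internet Explorer 7", "server_app": "Apache 2.3.32",
}
# Constructed (hypothetical) vulnerability mapping: (product, version) -> vulnerability ids.
VULN_DB = {("Apache", "2.3.32"): {"VULN-APACHE-1"}, ("Internet Explorer", "7"): {"VULN-IE7-1"}}
MONITORED = [ipaddress.ip_network("10.2.0.0/16")]   # assumed networks the sensor sees

@dataclass
class Host:
    ip: str
    daemons: dict = field(default_factory=dict)      # port -> identified service
    client_apps: set = field(default_factory=set)
    vulns: set = field(default_factory=set)           # vulnerabilities mapped to this host

def passive_discovery(conn, hosts):
    """Learn host facts from one observed connection, as the slide lists them: both hosts exist,
    the responder runs a daemon on the destination port, the initiator has a client app, and
    both hosts get vulnerabilities mapped from their identified software versions."""
    src = hosts.setdefault(conn["src_ip"], Host(conn["src_ip"]))
    dst = hosts.setdefault(conn["dst_ip"], Host(conn["dst_ip"]))
    dst.daemons[conn["dst_port"]] = conn["service"]
    src.client_apps.add(conn["client_app"])
    for app_string, host in ((conn["server_app"], dst), (conn["client_app"], src)):
        product, _, version = app_string.rpartition(" ")
        host.vulns |= VULN_DB.get((product, version), set())
    return hosts

def impact_flag(event, hosts):
    """Apply the impact assessment table: map an intrusion event to an administrator action."""
    target = ipaddress.ip_address(event["target_ip"])
    if not any(target in net for net in MONITORED):
        return "Good to Know, Unknown Network"
    host = hosts.get(event["target_ip"])
    if host is None:
        return "Good to Know, Unknown Target"
    if event["vuln_id"] in host.vulns:
        return "Act Immediately, Vulnerable"
    if event["port"] in host.daemons:
        return "Investigate, Potentially Vulnerable"
    return "Good to Know, Currently Not Vulnerable"

if __name__ == "__main__":
    hosts = passive_discovery(CONNECTION, {})
    print(impact_flag({"target_ip": "10.2.1.121", "port": 3108, "vuln_id": "VULN-APACHE-1"}, hosts))
```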
One Size Fits All?
NSS IPS Test Key Findings: Protection varied widely between 31% and 98%. Tuning is required, and is most important for remote attacks against servers and their applications. Organizations that do not tune could be missing numerous “catchable” attacks.
Automation
Impact Assessment and Recommended Rules Automate Routine Tasks
How does it work?
Contextual Policy – Example 1
Trust privileged users' access to sshd on production servers (regardless of port)
Contextual Policy – Example 2
Treat connections to unauthorized websites as highly hostile.
Contextual Policy – Example 3
Prevent any .exe downloads from untrusted client apps (e.g. Internet Explorer)
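The three contextual policy examples above, expressed as a rule evaluator over connection context. This is an added Python example and not part of the presentation or of FirePOWER; the privileged group, production network, authorized URL categories, trusted client apps and the rule order are all assumptions.

```python
import ipaddress

# Constructed environment (assumptions, not from the slides).
PRIVILEGED_GROUPS = {"netadmins"}
PRODUCTION_NET = ipaddress.ip_network("10.2.1.0/24")
AUTHORIZED_URL_CATEGORIES = {"business", "search"}
TRUSTED_CLIENT_APPS = {"Chrome", "Firefox"}

def evaluate(conn):
    """Return (verdict, rule_name) for one connection record.

    Each rule keys on context the sensor identified (service, user group, URL category,
    client app, file type), never on the destination port alone, so sshd on port 2222
    still matches the SSH rule. Rules are checked in order and the first match wins
    (the ordering is an assumption)."""
    # Example 1: privileged users reaching sshd on production servers, regardless of port
    if (conn.get("service") == "SSH"
            and ipaddress.ip_address(conn["dst_ip"]) in PRODUCTION_NET
            and conn.get("user_group") in PRIVILEGED_GROUPS):
        return ("trust", "privileged-ssh-to-production")
    # Example 3: .exe downloads through client apps that are not on the trusted list
    if conn.get("file_type") == "exe" and conn.get("client_app") not in TRUSTED_CLIENT_APPS:
        return ("block", "exe-from-untrusted-client")
    # Example 2: web connections to sites outside the authorized categories
    if conn.get("service") == "HTTP" and conn.get("url_category") not in AUTHORIZED_URL_CATEGORIES:
        return ("highly-hostile", "unauthorized-website")
    return ("allow", "default")

if __name__ == "__main__":
    # constructed sample connection: sshd on a non-standard port, privileged user
    sample = {"service": "SSH", "dst_ip": "10.2.1.10", "dst_port": 2222, "user_group": "netadmins"}
    print(evaluate(sample))
```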
Custom Block Response Pages
Simple update that can be leveraged for existing infrastructure. Example: Use a Google Docs Spreadsheet and Web form for user access requests.
• Created a Google Spreadsheet and added a web form to the spreadsheet.
• Added either the URL or the iframe to the default block page
Detection
Detects if a new application appears or the traffic profile changes
Identify Hacked Hosts
Useful in static environments: SCADA, DMZ, MEDTEC...
Reduced Risk and Cost
ALERT: Host has suddenly started to use SSH client and outgoing traffic volume has increased by 3
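The change detection described on the Detection slide (a host starts using a new application, or its outgoing traffic volume jumps), as an added Python example that is not FirePOWER's code. The baseline and current traffic logs are constructed, and the factor-of-3 volume threshold is an assumption taken from the slide's alert text.

```python
from collections import defaultdict

# Constructed connection logs: (host, application, outgoing_bytes), one period each.
BASELINE_LOG = [("10.2.1.51", "HTTP", 2000), ("10.2.1.51", "DNS", 300), ("10.2.1.60", "HTTP", 5000)]
CURRENT_LOG = [("10.2.1.51", "HTTP", 2500), ("10.2.1.51", "SSH", 5000), ("10.2.1.60", "HTTP", 4800),
               ("10.2.1.77", "SSH", 100)]

def profile(log):
    """Per-host traffic profile: the set of applications seen and total outgoing bytes."""
    apps, out_bytes = defaultdict(set), defaultdict(int)
    for host, app, nbytes in log:
        apps[host].add(app)
        out_bytes[host] += nbytes
    return apps, out_bytes

def detect_changes(baseline_log, current_log, volume_factor=3.0):
    """Compare the current period against the baseline profile of each host.

    Alerts when a host uses an application absent from its baseline or when its outgoing
    volume grows by volume_factor or more; a host with no baseline at all is reported as
    new, which is what makes this useful in static environments such as SCADA or a DMZ."""
    base_apps, base_bytes = profile(baseline_log)
    cur_apps, cur_bytes = profile(current_log)
    alerts = []
    for host in sorted(cur_apps):
        if host not in base_apps:
            alerts.append((host, "new host on the network"))
            continue
        for app in sorted(cur_apps[host] - base_apps[host]):
            alerts.append((host, f"new application: {app}"))
        # guard against a baseline host that sent nothing outbound
        ratio = cur_bytes[host] / base_bytes[host] if base_bytes[host] else float("inf")
        if ratio >= volume_factor:
            alerts.append((host, f"outgoing traffic volume increased by {ratio:.1f}x"))
    return alerts

if __name__ == "__main__":
    for host, message in detect_changes(BASELINE_LOG, CURRENT_LOG):
        print(f"ALERT {host}: {message}")
```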
Automatic remediation
Use pre-defined or custom script to initiate automatic actions
E.g., quarantine device with ISE API
Reduced Risk and Cost
Indications of Compromise:
• IPS event impact 1
• Malware
• Communication with botnet
→ QUARANTINE via ISE: change VLAN or SGT
Integration
eStreamer API
Export Events
Vulnerability API
Import Vulnerabilities
Remediation Modules
ISE
Database Access (JDBC)
Integration 2
Platform Exchange Grid – pxGrid
LET’S ALL SHARE DATA VIA PROPRIETARY APIs!
That Didn’t Work So Well!
pxGrid Context Sharing
Single Framework
Direct, Secured Interfaces
I have NBAR info! I need identity…
I have firewall logs! I need identity…
Talos
I have sec events! I need reputation…
I have NetFlow! I need entitlement…
I have reputation info! I need threat data…
I have MDM info! I need location…
I have app inventory info! I need posture…
I have identity & device-type! I need app inventory & vulnerability…
I have application info! I need location & auth-group…
I have threat data! I need reputation…
I have location! I need identity…
Two of a kind – Different devices for different use cases
FirePOWER Appliance:
• Focused on Threat Detection
• Some Firewall functions, but likely not enough to meet perimeter use cases
• Ideal for passive deployments or augmenting firewalls
• Deployed on FirePOWER appliances
FirePOWER Services:
• Full ASA firewall capabilities
• Full threat detection stack
• Best for NGFW usage
• Delivered alongside ASA
Value
Thank you for your attention!