Security is a critical component of all the transformational shifts happening in the IT industry at large, and further, the network is becoming more relevant. These transitions are changing the security model.
Visibility into the new network isn’t the only challenge that IT faces. There continues to be a lingering disconnect between the goals and objectives of the Network and Security teams. What is needed is a holistic approach that addresses the big picture that the CEO is facing. You need a solution that drives these different objectives towards each other – that enables business acceleration while securing the entire distributed environment. But how do you do that?
As networks and users become more sophisticated so do the kinds of threats organizations are required to deal with. Gone are the days of nuisance viruses and website vandalism as our primary concerns. As the network becomes more important, the threats have become more serious – with the potential for a wider impact on organizations than ever before to
Transcript:
Perimeter security alone is no longer sufficient. As an example, what happens is an attacker might be able to infect a host outside of the purview of an organization. This might be a Starbucks. This might be through a spear phishing attack, or a LinkedIn message, something that's outside of the purview of an organization. And that threat is then moved inside of the security perimeter, bypassing many of our security perimeter devices. And once inside the perimeter, we'll see a command and control channel that'll open up. And the attacker is then able to do some level of reconnaissance and infection spreading throughout the organization to execute against their objectives. Many times, the objective of this attack is going to be data loss. Now, it could be something else. The attacker might have infiltrated this organization for the purposes of disruption. They might decide to do a denial of service attack against the internal server here, shut down the operations of the organization. But many times, like I said, it will be data loss, and so we'll do some data theft. Now, when we're looking at attacks like this-- so we saw this device bypass the security perimeter. So only the network at this point has the appropriate level visibility to detect these threats, is able to track the spread of infection throughout the interior of the network, and be able to have the right level of visibility and intelligence to detect and allow our customers to defend themselves against these threats.
Author's Original Notes:
Interesting things to note: each data breach results in companies losing ~3.7% of customers, and in 100% of these breaches the perpetrators used perfectly valid credentials!

2012 Ponemon:
- Average global cost to an organization for a data breach is $3.4 M
- Sony 2011 PlayStation Network breach cost $170 M
- Each data breach results in companies losing ~3.7% of customers

2012 Verizon Data Breach Investigations Report:
- 96% of attacks investigated were not highly difficult
- 97% were avoidable through simple or intermediate controls
- 85% of breaches took weeks or more to discover

Mandiant 2012 survey:
- Organizations were compromised ~416 days before attackers were discovered
- In 100% of cases, the bad guys used valid credentials
- Each incident was discovered by a 3rd party only
An added benefit is that the integration of security into the network also enables and supports the consolidation of the network infrastructure. As the network transitions to a broad and dynamic business environment, security based on that network moves from an overlay solutions to an actual security architecture integrated into the network environment.
Embedding Security within the infrastructure of the network achieves comprehensive visibility and scalable enforcement. Visibility from the network drives up into the organization’s policy. Cloud-Based Global Threat Intelligence with the absolutely latest threat landscape is applied and enforcement is pushed back down into the network. The network is changing from a source of information to a series of enforcement points.
The first step in defending against these attacks is to adopt a different strategy. This table categorizes common defense systems by where they are deployed – at the perimeter or network interior – and by their detection strategy – signature/reputation-based or behavioral-based.

Cisco has traditionally positioned security products at the network perimeter using signature- and reputation-based methods. On the network interior, application-oriented security products such as email and web content inspection can also use signature- and reputation-based methods. All of these products are very good at eliminating known threats. However, advanced persistent threats are typically not known in advance, so signature-based security solutions are not usually very effective against them.

The alternative to this type of detection is behavior-based detection. This method uses pattern recognition technologies to determine when network traffic patterns are abnormal, signaling a possible attack. In order to defend against advanced persistent threats, behavior-based detection technology provides an edge because it doesn’t require foreknowledge of the attack – just recognition of the attack pattern.

At the network perimeter, the traditional behavior-based security product is the honeypot. This is an interesting technology but is used mostly for forensics and is beyond the scope of our discussion. Cisco’s Cyber Threat Defense Solution operates on the network interior and is specifically designed to use behavior-based threat detection.
Notes: Cisco’s portfolio is broader than any other’s. That helped build our market share and deployment coverage, but those devices are very old. Further, we recognize that we are trying to sell stand-alone IPSs that extend too far down in the speed continuum and not high enough. In March we replace the 4240 / 4255 / 4260 with the 4345 and 4360. We drive lower-level IPS to the integrated FW/IPS offerings in the 55xx family. The 4270 continues to be the only stand-alone IPS with 10G interfaces and fail-over. We continue to sell that until we deliver the Glen Rose product in the summer.
In conjunction with IDS, NetFlow is one of our top two data sources. We process 13 billion NetFlow records each day across the enterprise. So what is it? NetFlow is analogous to a phone record in that it shows who communicated with whom, at what time, and for how long. We can therefore see: source address, destination address, number of packets transferred during that session, and a timestamp of the session.
The key to Cisco’s Cyber Threat Defense Solution is NetFlow. NetFlow is a very simple technology that Cisco created in the early 90s as a way of providing visibility into the network. As data flows between a source and destination, Cisco equipment collects key information about that data and sends it to a device called a NetFlow Collector. This exchange of data is called a “flow”. Flows can tell you what kind of data was exchanged, how much, and at what rate. The information in a flow can be used to describe network behaviors, and by applying the correct analysis, can also be used to detect threats.
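To make the “phone record” analogy concrete, here is an added example (not Cisco’s or Lancope’s code) that decodes a NetFlow version 5 export datagram into the per-flow fields the notes list: source and destination addresses and ports, protocol, packet and byte counts, start time and duration. The datagram is constructed inside the script so it runs offline; the field layout is the published v5 header/record format, and the sample addresses, ports and timestamps are made up.

```python
"""Decode a NetFlow v5 export datagram into per-flow records (added illustration).

The 24-byte header and 48-byte record layouts are the public NetFlow v5 format.
The sample datagram is constructed here, not captured from a real exporter.
"""
import socket
import struct
from datetime import datetime, timezone

V5_HEADER = struct.Struct("!HHIIIIBBH")               # version, count, uptime, unix secs, nsecs, seq, engine type/id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in/out if, pkts, octets, first, last, ports, ...

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_v5_datagram(flows, unix_secs, sys_uptime_ms=0, seq=0):
    """Constructed test helper: pack (src, dst, sport, dport, proto, pkts, octets, first_ms, last_ms, flags) tuples."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\x00" * 4,
                       1, 2, pkts, octets, first_ms, last_ms, sport, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)
        for (src, dst, sport, dport, proto, pkts, octets, first_ms, last_ms, flags) in flows
    )
    return header + body


def parse_v5(datagram):
    """Return one dict per flow record; raise ValueError on a malformed datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short NetFlow header")
    version, count, uptime, unix_secs, _nsecs, seq, _etype, _eid, _sampling = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={version})")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < expected:
        raise ValueError(f"truncated datagram: {len(datagram)} < {expected} bytes")
    # first/last are milliseconds since the exporter booted; anchor them to wall-clock time
    boot_secs = unix_secs - uptime / 1000.0
    exported_at = datetime.fromtimestamp(unix_secs, tz=timezone.utc)
    flows = []
    for i in range(count):
        (src, dst, _nh, in_if, out_if, pkts, octets, first, last, sport, dport, _pad, flags, proto,
         _tos, _sas, _das, _smask, _dmask, _pad2) = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": PROTO_NAMES.get(proto, str(proto)),
            "packets": pkts, "bytes": octets, "tcp_flags": flags,
            "start": datetime.fromtimestamp(boot_secs + first / 1000.0, tz=timezone.utc),
            "duration_s": (last - first) / 1000.0,
            "in_if": in_if, "out_if": out_if, "exporter_seq": seq, "exported_at": exported_at,
        })
    return flows


def phone_record(flow):
    """Render one flow the way the notes describe it: who, whom, when, how long, how much."""
    return (f"{flow['start']:%Y-%m-%d %H:%M:%S} {flow['src']}:{flow['sport']} -> "
            f"{flow['dst']}:{flow['dport']} {flow['proto']} {flow['duration_s']:.1f}s "
            f"{flow['packets']} pkts {flow['bytes']} bytes")


# Constructed sample: two flows exported at 02:00 UTC (unix 1358215200) by a device up for 100 s
SAMPLE_FLOWS = [
    ("10.1.1.25", "203.0.113.7", 51234, 443, 6, 1200, 1_500_000, 10_000, 70_000, 0x1B),
    ("10.1.1.25", "10.1.2.8", 51235, 445, 6, 8, 640, 72_000, 72_500, 0x02),
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS, unix_secs=1358215200, sys_uptime_ms=100_000, seq=42)

if __name__ == "__main__":
    for fl in parse_v5(SAMPLE_DATAGRAM):
        print(phone_record(fl))
```

The truncation check matters in practice: an exporter datagram that claims more records than it carries should be rejected rather than parsed into garbage, since a collector that trusts the count field blindly will produce corrupt flow entries.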
There are several key pieces of this solution. The solution starts with NetFlow-enabled switches and routers providing flow data, NBAR, and NSEL events to a flow collector. This flow collector analyzes NetFlow for the tell-tale signs of threats propagating inside the network. The Lancope StealthWatch console then displays the data along with any alerts about suspicious activity.

If you have a place in your network where you can’t generate NetFlow data, a supplemental device called a FlowSensor solves that problem for you. It generates NetFlow from a raw packet stream. There is even a version of the FlowSensor for use in virtualized environments.

One really clever part of the solution is the FlowReplicator. This device sends one stream of NetFlow data to multiple destinations. This is really handy if you have multiple different NetFlow analysis systems.

Finally, the StealthWatch Management Console polls the Cisco ISE appliance for user identity, device, and profile information, and unifies all of this data in a single console.
Transcript:
They themselves have been a NetFlow collector for close to 10 years now. They most likely will support previous versions of NetFlow, and older versions of Cisco equipment other than the ones that are on this chart. These are the tested components that Cisco has tested. There is a design and implementation guide that can fall into a Cisco validated design category, using these versions of devices. Now, when we talk with the Identity Services Engine integration into the solution, it does require this release, the ISE 1.1.1 release with StealthWatch 6.3 release. 1.2 has not yet been tested. When we get to testing ISE 1.2, it will be with StealthWatch 6.4. And that will be Cyber Threat Defense Solution 1.2 release.
Author's Original Notes:
Context helps put information into perspective. Is this the letter B or the number 13?
Context helps us determine whether information is important. We gather local intelligence – the Who, What, How, Where, and When – from the network: Who is on my network? What is the device? How is the user coming on to the network – wired, wireless, or VPN? Where is it coming from – inside or outside of the network – and where are they going once they are on the network? And when are they coming in? For example, is it 2PM or 2AM? And we gather critical information from Cisco’s global threat analysis system called the Cisco Security Intelligence Operations.
But what about context? What if we want to know who generated a specific flow? Or what application data is responsible for it? What if we need to know that a flow is leaving the enterprise, and whether it violates any firewall rules? Cisco adds additional context to NetFlow data with three key technologies. First, Cisco uses a product called Identity Services Engine to link flows with user identity. ISE tracks users as they connect to the network, profiles their devices, and restricts their access to only what is approved. Next, we gain application context through the use of routers that support Network Based Application Recognition. This technology can dig out key application information from a stream while data flows through it. Finally, we collect additional information from ASA firewalls that support NetFlow Secure Event Logging. This is a special form of log event that is reported using NetFlow and helps identify accepted and rejected connections.
- Flow Action field can provide additional context
- State-based NSEL reporting is taken into consideration in StealthWatch’s behavioral analysis
- Concern Index points accumulated for Flow Denied events
- NAT stitching
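As an added illustration of the behavior-based approach described in the defense-strategy notes above and of the Concern Index point in this list (not StealthWatch’s actual algorithm, which is proprietary), the following script scores each host against its own baseline rather than against a signature: outbound byte volume far above the host’s historical mean, an unusually large number of distinct internal destinations, and NSEL “flow denied” events from the firewall each add points to a simple concern index. The baselines, flow records, internal address range, thresholds and point values are all constructed assumptions.

```python
"""A simplified behavior-based 'concern index' over flow records (added illustration).

Not Lancope's scoring model. Each host is compared with its own history, so no
foreknowledge of the attack is needed, only recognition of an abnormal pattern.
All knobs below are assumed values chosen for the constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

Z_THRESHOLD = 3.0          # outbound bytes more than 3 sigma above the host's baseline
SCAN_DISTINCT_HOSTS = 20   # distinct internal destinations in one period
POINTS_EXFIL = 100
POINTS_SCAN = 60
POINTS_DENIED = 5          # per NSEL "flow denied" event reported by the firewall
ALERT_THRESHOLD = 100
INTERNAL_PREFIX = "10."    # assumption: 10/8 is the internal range


def score_hosts(baseline_bytes, conversations):
    """Return {host: {"concern": points, "reasons": [...]}} for the current period.

    baseline_bytes: {host: [outbound byte totals from past periods]}
    conversations:  stitched flow records for the current period, client side first
    """
    out_bytes = defaultdict(int)
    dests = defaultdict(set)
    denied = defaultdict(int)
    for c in conversations:
        host = c["client"]
        out_bytes[host] += c["client_bytes"]
        if c["server"].startswith(INTERNAL_PREFIX):
            dests[host].add(c["server"])
        if c.get("nsel_action") == "denied":
            denied[host] += 1
    scores = {}
    for host in out_bytes:
        points, reasons = 0, []
        hist = baseline_bytes.get(host, [])
        if len(hist) >= 2:
            mu, sigma = mean(hist), pstdev(hist)
            if sigma > 0 and (out_bytes[host] - mu) / sigma > Z_THRESHOLD:
                points += POINTS_EXFIL
                reasons.append(f"outbound {out_bytes[host]} B vs baseline mean {mu:.0f} B, sd {sigma:.0f} B")
        if len(dests[host]) >= SCAN_DISTINCT_HOSTS:
            points += POINTS_SCAN
            reasons.append(f"{len(dests[host])} distinct internal destinations")
        if denied[host]:
            points += POINTS_DENIED * denied[host]
            reasons.append(f"{denied[host]} firewall-denied flows (NSEL)")
        scores[host] = {"concern": points, "reasons": reasons}
    return scores


def alerts(scores):
    """Hosts whose concern index crossed the alert threshold, sorted for stable output."""
    return sorted(h for h, s in scores.items() if s["concern"] >= ALERT_THRESHOLD)


def _conv(client, server, port, client_bytes, nsel_action="permitted"):
    return {"client": client, "server": server, "server_port": port,
            "client_bytes": client_bytes, "nsel_action": nsel_action}


# Constructed baseline: outbound bytes per host over the past seven periods
SAMPLE_BASELINE = {
    "10.1.1.25": [48_000_000, 52_000_000, 50_000_000, 49_000_000, 51_000_000, 50_000_000, 50_000_000],
    "10.1.1.40": [30_000_000, 29_000_000, 31_000_000, 30_000_000, 30_000_000, 32_000_000, 28_000_000],
}

# Constructed current period: 10.1.1.25 sends 1.5 GB out, touches 25 internal hosts on 445
# and is denied three times by the firewall; 10.1.1.40 behaves as it usually does.
SAMPLE_CONVERSATIONS = (
    [_conv("10.1.1.25", "203.0.113.7", 443, 1_500_000_000)]
    + [_conv("10.1.1.25", f"10.1.2.{i}", 445, 60) for i in range(1, 26)]
    + [_conv("10.1.1.25", "198.51.100.9", 6667, 0, "denied") for _ in range(3)]
    + [_conv("10.1.1.40", "203.0.113.9", 443, 31_000_000),
       _conv("10.1.1.40", "198.51.100.9", 22, 0, "denied")]
)

if __name__ == "__main__":
    s = score_hosts(SAMPLE_BASELINE, SAMPLE_CONVERSATIONS)
    for host in alerts(s):
        print(host, s[host]["concern"], "; ".join(s[host]["reasons"]))
```

Note that a single denied flow on 10.1.1.40 only adds a few points: the index is designed to accumulate across indicators so that one firewall deny is not an alert by itself, while the combination of volume, breadth and denies on 10.1.1.25 is.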
Transcript:
Breaking down those components in the architecture, we start with the access layer. So inside the access layer, which is actually, in the BYOD world, the new network edge. This is where the device is actually coming into the network now and where threats are arriving. We're looking at trying to add security telemetry right down to the access layer. And with the changes throughout the switching line over the last year and a half, it actually has become possible, as Mark was talking about, to do this in a non-performance-impacting way. So you can get this visibility as threats enter the network and even when they never leave the access switch. So let's say you've got an attack that comes into this access switch and then moves over to the next access switch without ever leaving that switch, you can still get a source of telemetry and still be able to see that propagation of that particular piece of malware throughout the network. And then, of course, it's scaled throughout the entire network infrastructure so you have complete visibility, access, core, edge, and end. So what is now new edge through old edge, complete visibility. So we get NetFlow goes to the FlowCollector, which, again, is where collecting and analyzing happens. And I know many of you are looking at this diagram, and you go, Matt, you've got NetFlow at three different layers of the network. That collector's going to get a flow record for a flow from many different devices. So let's say you've got a client server versus three devices between that flow, you'll get three NetFlow records to the collector. Now, one of the very key components that differentiates StealthWatch flow system from most other vendors, and particularly any open-source vendor, is something called flow deduplication. A significant amount of engineering has gone into this. And what that means is when you get those three records, it creates one database entry for that flow. Now, it doesn't just ignore all the details.
Because if it goes from this switch to this switch to this router, you're going to have interface statistics that trace the path of that packet through the network, it saves those. So it's kind of exclusive ors whatever records it sees, saves all relevant information, puts that in the database. And what's also really interesting, if you've got a NetFlow Version 9 record with some fields, NetFlow Version 5 with some fields, NetFlow Version 9 with other fields, again, exclusive or, full set put into the database. Another very important piece that FlowCollector does that, again, also differentiates it from any competitors, is the flow-stitching capability. So NetFlow is uni-directional-- client to server, server to client. You get a record for each direction. Inside the FlowCollector, they're stitched together, one record in the database. Also kind of a lot of engineering required to do this correctly. So we'll have the Cisco ISE down here, which we've already talked about, and again, the StealthWatch Management Console, which is where you're going to be able to view flow data and attribution data, and you're going to run your queries, reports, and actually visualize the data that we've talked about, the security telemetry.
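The two FlowCollector behaviours just described, deduplication of one flow reported by several exporters and stitching of the two unidirectional records into a single conversation, as an added example in Python (illustrative code, not Lancope’s implementation). The input records are constructed dicts of the kind a NetFlow decoder produces; the exporter names, interface numbers, timestamps and counters are made up.

```python
"""Flow deduplication and bidirectional flow stitching (added illustration).

Not Lancope's or Cisco's code. Records are constructed dicts in the shape a NetFlow
decoder would emit: one record per exporter per direction, timestamps in ms.
"""


def _unidirectional_key(r):
    return (r["src"], r["sport"], r["dst"], r["dport"], r["proto"])


def dedupe(records):
    """Collapse records that describe the same unidirectional flow into one entry.

    Counters are taken as the max, not summed: every exporter on the path saw the same
    packets, so summing would triple-count a flow seen by three devices. Each exporter's
    (name, in_if, out_if) is kept so the path stays traceable, and optional fields
    (a v9 application id, an NSEL action, ...) are unioned across exporters.
    """
    merged = {}
    for r in records:
        k = _unidirectional_key(r)
        m = merged.get(k)
        if m is None:
            m = {"src": r["src"], "sport": r["sport"], "dst": r["dst"], "dport": r["dport"],
                 "proto": r["proto"], "packets": 0, "bytes": 0,
                 "first": r["first"], "last": r["last"], "path": [], "extra": {}}
            merged[k] = m
        m["packets"] = max(m["packets"], r["packets"])
        m["bytes"] = max(m["bytes"], r["bytes"])
        m["first"] = min(m["first"], r["first"])
        m["last"] = max(m["last"], r["last"])
        m["path"].append((r["exporter"], r["in_if"], r["out_if"]))
        for field, value in r.get("extra", {}).items():
            m["extra"].setdefault(field, value)   # first exporter to report a field wins
    return list(merged.values())


def stitch(uniflows):
    """Pair A->B with B->A into one conversation record.

    The direction seen first is taken as client->server (the opening packet comes first).
    A flow with no reverse record is kept one-sided; that is itself a signal, for
    example a probe that got no answer.
    """
    by_key = {_unidirectional_key(f): f for f in uniflows}
    seen = set()
    conversations = []
    for k, f in by_key.items():
        if k in seen:
            continue
        rev_key = (f["dst"], f["dport"], f["src"], f["sport"], f["proto"])
        back = by_key.get(rev_key)
        seen.add(k)
        if back is not None:
            seen.add(rev_key)
            if back["first"] < f["first"]:
                f, back = back, f
        conversations.append({
            "client": f["src"], "client_port": f["sport"],
            "server": f["dst"], "server_port": f["dport"], "proto": f["proto"],
            "client_packets": f["packets"], "client_bytes": f["bytes"],
            "server_packets": back["packets"] if back else 0,
            "server_bytes": back["bytes"] if back else 0,
            "first": f["first"],
            "last": max(f["last"], back["last"]) if back else f["last"],
            "path": f["path"],
            "extra": {**f["extra"], **(back["extra"] if back else {})},
            "one_sided": back is None,
        })
    return conversations


def collect(records):
    """One database entry per conversation, from raw per-exporter records."""
    return stitch(dedupe(records))


def _rec(exporter, version, src, sport, dst, dport, proto, pkts, octets,
         first, last, in_if, out_if, extra=None):
    return {"exporter": exporter, "version": version, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "proto": proto, "packets": pkts, "bytes": octets,
            "first": first, "last": last, "in_if": in_if, "out_if": out_if,
            "extra": extra or {}}


# Constructed sample: one HTTPS session crossing three exporters in both directions
# (the edge router reports slightly fewer packets), plus one SYN to an SMB port that
# never left the access switch and got no reply.
SAMPLE_RECORDS = [
    _rec("access-sw1", 5, "10.1.1.25", 51234, "203.0.113.7", 443, 6, 1200, 1_500_000, 1000, 61000, 3, 48),
    _rec("dist-sw1", 9, "10.1.1.25", 51234, "203.0.113.7", 443, 6, 1200, 1_500_000, 1000, 61000, 12, 1,
         {"app": "https"}),
    _rec("edge-rtr1", 9, "10.1.1.25", 51234, "203.0.113.7", 443, 6, 1198, 1_497_000, 1001, 61000, 2, 1),
    _rec("access-sw1", 5, "203.0.113.7", 443, "10.1.1.25", 51234, 6, 900, 120_000, 1020, 61000, 48, 3),
    _rec("dist-sw1", 9, "203.0.113.7", 443, "10.1.1.25", 51234, 6, 900, 120_000, 1020, 61000, 1, 12,
         {"app": "https"}),
    _rec("edge-rtr1", 9, "203.0.113.7", 443, "10.1.1.25", 51234, 6, 900, 120_000, 1019, 61000, 1, 2),
    _rec("access-sw1", 5, "10.1.1.25", 51235, "10.1.2.8", 445, 6, 1, 60, 72000, 72000, 3, 7),
]

if __name__ == "__main__":
    for c in collect(SAMPLE_RECORDS):
        print(c["client"], "->", f'{c["server"]}:{c["server_port"]}', c["client_bytes"], "/",
              c["server_bytes"], "bytes via", [p[0] for p in c["path"]],
              "one-sided" if c["one_sided"] else "")
```

The seven input records become two database entries: the HTTPS conversation with its three-hop path and the application id picked up from the v9 exporter, and the one-sided SMB probe that only the access switch could have seen, which is exactly the case the transcript makes for exporting NetFlow from the access layer.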
Author's Original Notes: All of these components are available today.
CSIRT utilizes a tool called Lancope that allows us to query NetFlow data as well as set up alerts and special monitoring based on flow traffic.
Transcript:
So identifying opportunities-- generally, customers that have a security operation center. I like to use an analogy that you're looking at a customer that has private security firms. If they have somebody driving a truck in a campus or a security guard, what they've done is basically look at security as a cost center to the organization. They see the need to invest in security, and it's relatively easy to position these products there. It's harder to position at places that don't see security as a cost center, and see it as a hindrance or an annoyance to their operation. Any time there is an ISE opportunity, you can help position this as additional value that an ISE might offer, being able to take advantage of the telemetry that ISE offers, in addition to its policy management. Every time there's a core refresh, this is to help drive the value of the physical infrastructure. Talk about our ability to do NetFlow over our competitors. This solution offers unique advantage to higher education customers. Many higher education customers are faced with daily complaints from the RIAA saying, your IP address space is doing illegal file sharing, and they're unable to investigate this because it's their global IP address and they have no visibility through their NAT translations. This solution helps to provide visibility there. But generally, any customers with the listed use cases, which is advanced persistent threats, internally spreading malware, botnets, data leakage, network reconnaissance, BYOD problems, being able to get visibility into the internal network.
Author's Original Notes: Identifying potential customers is actually a fairly straightforward process. Primarily, you’re looking for customers with any of the problems listed here. The good news is, most customers have at least one of these problems that they have not been able to solve. In addition, certain verticals will be immediately drawn to the solution because they are subject to regulatory compliance, or are worried about legal liability issues, especially for student behavior in Higher Ed.
Transcript:
So as an example configuration of what we see, this is an example using a large enterprise. So a large enterprise, for example, might be Cisco. Cisco is a Lancope StealthWatch user-- one of their largest customers, actually. So a for example might be a flow volume of up to 150,000 flows per second. Now, the StealthWatch system is licensed on flows per second. Much like Security Information Event Management or SIM solutions are licensed on events per second, StealthWatch is licensed on flows per second. So most of the cost in the solution is going to be in the flows per second license. This is how they sell the software solution. So this example over all this large enterprise, flow volume of about 150,000 flows per second. The network is segmented into geographical regions. Some of them will generate traffic bursts of over 70,000 flows per second at peak traffic, but it's not all at the same time. Now, this particular example has a legacy network monitoring tool already established, meaning that they have somebody already collecting NetFlow for network management. And this solution has seen up to 35,000 flows per second in this particular spot. So this example requires that a flow replicator be in place to help maintain the value that the customer already has in that legacy tool. This customer also has ESX hosts, and they require monitoring of a VM network. They also want to have a redundant deployment in their management console.
Author's Original Notes:
Transcript:
So this is an example bill of materials that would show up, total of about $1.8 million. A significant portion of that cost, like I mentioned, will be in the flow per second licensing. They'll also, in this case, because they wanted a redundant SMC, purchase two SMCs, multiple different flow collectors for their geographic regions. Because of the scale of the deployments-- up to 70,000-- we went with the largest physical flow collector that they had available, the flow collector 4000. We've also added some virtual sensors to monitor the VM environment, and the flow replicator, as mentioned.
Author's Original Notes:
Cisco combines all of these capabilities into a single integrated security solution designed to answer the “who”, “what”, “where”, “when” and “how” of advanced persistent threats. To bring this solution to market, Cisco has partnered with Lancope to unite the flow data and context of a Cisco network infrastructure with the threat analysis and visibility of Lancope’s StealthWatch system.

In this solution, Cisco provides the network infrastructure that delivers flow data and rich security context. We begin by deploying access layer switches. These switches have Cisco’s hardware-enabled NetFlow capability. That means they can keep up with even the most demanding traffic loads. As devices connect to the network, these access layer switches “track” all of this data as “flows”.

Next, we collect some additional context surrounding these flows using the key Cisco security context technologies we just discussed. This includes user identity data, firewall events, and application identity data.

Finally, we unite all of this information into a rich security context that links the flow data with the user identity and applications that generated it. Using the Lancope StealthWatch system, all of this information is expressed in a single pane of glass.

The result is an integrated network security solution that provides the correct level of threat visibility, context and control needed to combat today’s sophisticated threats.