Cyber Security 2016 - data.eventworld.cz (slide transcript, posted 27-Jul-2020)

Cyber Security 2016: Using application interfaces (APIs) for malware analysis and automated threat response

Jiří Tesař Cisco Systems jitesar@cisco.com CSE Security, CCIE #14558, SFCE #124266

[Diagram: network topology with Internet, Endpoint User, Roaming User, NGFW/UTM, URL Filter, Datacenter, NGFW, NGIPS/AMP, NGIPSv, NGFWv]

• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

[Diagram: Before / During / After architecture: Internet, DC, ASA/Firepower, Firepower MC, NGFW, NGIPS, AMP, NG.., AVC, URL, Management, Client SW, AnyConnect, SSL, 802.1x, SIEM, Data Sources]

• What does their traffic look like over time?
• What operating systems?
• View all application traffic… Look for risky applications…
• Geolocation for source and destination
• URL …
• Intrusion events by impact, priority, hosts, users …
• File analysis
• Malware detection

Identify Where to Start

If this were all there was, then the “Order of Investigation” would be easy.

From the FMC Dashboard

Identify Where to Start

Indications of Compromise is often a better place to start. If only it were always so easy.

From the FMC Context Explorer

An unknown file is present on IP 10.4.10.183, having been downloaded via Firefox.

At 10:57 the unknown file is transferred from 10.4.10.183 to 10.5.11.8.

Seven hours later the file is transferred to a third device (10.3.4.51) using an SMB application.

Half an hour later the file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application.

The Cisco Collective Security Intelligence Cloud has learned that this file is malicious, and a retrospective event is immediately raised for all four devices.

At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.

[Diagram (repeated slide builds): Before / During / After architecture: Internet, AnyConnect, AMP, ASA/Firepower, Firepower MC, NGFW, NGIPS, AVC, URL, DC, SSL, 802.1x, NAC, CWS, TALOS]

Device Trajectory

• Gives you deep visibility into file activity on a single device/endpoint

Looks DEEP into a device and helps answer:

• How did the threat get onto the system?
• How bad is my infection on a given device?
• What communications were made?
• What don’t I know?
• What is the chain of events?

[Diagram (repeated slide builds): Before / During / After architecture: Internet, AnyConnect, AMP, ASA/Firepower, Firepower MC, NGFW, NGIPS, AVC, URL, DC, SSL, 802.1x, NAC, CWS, TG, TALOS]

8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.

[Diagram (repeated slide builds): Before / During / After architecture with access layer: Internet, Switch, WLC, Cisco Access Layer, AnyConnect, AMP, SSL, 802.1x, NAC, CWS, ASA/Firepower, NGFW, NGIPS, AVC, URL, TG, TALOS, FPMC]

[Diagram: Identity Services Engine: AAA; role-based policy access to network resources; Traditional and TrustSec; BYOD Access, Secure Access, Guest Access, Role-based Access; Identity Profiling and Posture; context: Who, What, When, Where, How, Compliant]

Quick Reminder – What is ISE?

A centralized security solution that automates context-aware access to network resources and shares contextual data.

[Diagram (repeated slide builds): ISE as the network "door" and context controller sharing context over pxGrid; Identity Services Engine (AAA, Guest, PROF, POST), AD, Lancope, MDM, Switch, WLC, Cisco Access Layer, AnyConnect, AMP, SSL, 802.1x, NAC, CWS, ASA/Firepower, NGFW, NGIPS, AVC, URL, TG, TALOS, FPMC; Before / During / After]

Enable Rapid Threat Containment With Cisco Firepower Management Center (FMC) and Identity Services Engine (ISE)

• Corporate user downloads file
• FMC scans the user activity and file
• FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
• Based on the new tag, ISE enforces policy on
• Access denied per security policy
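As an added example (not Cisco code and not part of the slides), the file trajectory narrative earlier and the containment flow above can be simulated together: a tracker records every hop of a file hash between hosts, and when the cloud disposition later flips to malicious it raises one retrospective event per host that ever received the file and moves that host to a quarantine tag, standing in for the FMC-to-ISE pxGrid step. Host addresses and times follow the deck's narrative; the hash, the application on the second hop, and the SGT names are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEvent:
    time: str    # HH:MM, constructed
    sha256: str  # file hash the cloud disposition is keyed on
    src: str     # sending host, or "internet" for the initial download
    dst: str     # receiving host
    app: str     # application that carried the file, e.g. Firefox, SMB

class TrajectoryTracker:
    """Per-hash hop list, set of holding hosts and last known cloud disposition."""
    def __init__(self):
        self.hops = defaultdict(list)        # sha256 -> [FileEvent] in arrival order
        self.holders = defaultdict(set)      # sha256 -> hosts that received the file
        self.disposition = defaultdict(lambda: "unknown")
        self.sgt = defaultdict(lambda: "Employees")  # host -> SGT (constructed names)

    def observe(self, ev):
        self.hops[ev.sha256].append(ev)
        self.holders[ev.sha256].add(ev.dst)

    def update_disposition(self, sha256, new):
        """Cloud verdict change. A flip to 'malicious' raises one retrospective
        event per holder and moves that host to the quarantine tag (the deck's
        FMC -> pxGrid -> ISE step). Returns the list of raised events."""
        old, self.disposition[sha256] = self.disposition[sha256], new
        if new != "malicious" or old == "malicious":
            return []                        # no new verdict to act on
        events = []
        for host in sorted(self.holders[sha256]):
            self.sgt[host] = "Suspicious"    # constructed quarantine SGT name
            events.append({"type": "retrospective_malware", "host": host,
                           "sha256": sha256, "previous": old})
        return events

# Constructed sample data following the four hops described in the deck.
SAMPLE_SHA256 = "0" * 63 + "1"   # placeholder hash, not a real indicator
SAMPLE_EVENTS = [
    FileEvent("10:50", SAMPLE_SHA256, "internet", "10.4.10.183", "Firefox"),
    FileEvent("10:57", SAMPLE_SHA256, "10.4.10.183", "10.5.11.8", "SMB"),
    FileEvent("17:57", SAMPLE_SHA256, "10.5.11.8", "10.3.4.51", "SMB"),
    FileEvent("18:27", SAMPLE_SHA256, "10.3.4.51", "10.5.60.66", "SMB"),
]

def run_scenario():
    tracker = TrajectoryTracker()        # feed the sightings, then the late verdict
    for ev in SAMPLE_EVENTS:
        tracker.observe(ev)
    return tracker, tracker.update_disposition(SAMPLE_SHA256, "malicious")
```

Every host in the trajectory is tagged, not only the one where the file was first seen, and a repeated malicious verdict produces no duplicate events.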

[Diagram (repeated slide builds): Before / During / After architecture: Internet, Identity Services Engine (AAA, Guest, PROF, POST), AD, Lancope, MDM, Switch, WLC, ESA, WSA, PxGrid, Cisco Access Layer, AnyConnect, AMP, SSL, 802.1x, NAC, CWS, ASA/Firepower, NGFW, NGIPS, AVC, URL, TG, TALOS, FPMC; later builds add AMP on ESA/WSA, AMP/CTA, CWS and OpenDNS]

53 C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

[Diagram: Cisco security portfolio. Categories: VPN, WiFi/LAN, Content GW, Firewall, IPS, Threat Management; Secure Access, Secure Transfer, Secure Inside, Security Policy Management & Monitoring. Products: Meraki, TrustSec, Encryption, TALOS, ISE, S2S VPN, DMVPN, GET VPN, Flex VPN, MacSec, SGT/SGACL, SourceFire, ASA/IPS, Switches, WLC, ASA 5500-X, ASA 5585-X, ASA-SM, ASAv, ASR, ISR, CSR, FireAMP, AMP for mobile, LanCope, AMP, TG, CWS, WSA/VM, SMA/VM, ESA/VM, ASA-SFR, AnyConnect, ASA]

Thank you for your attention