Monitoring Network Security with CS-MARS
BRKSEC-2007
Fransesca Martucci
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential.

Housekeeping
• We value your feedback: please complete the online session evaluations after each session, and the Overall Conference Evaluation, which will be available online from Friday.
• Visit the World of Solutions on Level -01.
• This is a no-smoking venue. Please switch off your mobile phones.
• Please wear your badge at all times, including at the party.
• Questions: ask them during the Q&A section, or write them on the question form and hand it to the room monitor when they hold up the Q&A sign.

Session Objectives
• Explain best practices in security information and event management.
• CS-MARS main concepts and how it helps keep your network secure.
• Live demo.
• Real-life implementation examples (for your reference).
• A good understanding of Cisco security technologies and of network monitoring foundations is recommended.

Intelligent Security Threat Management

Security Operations/Reactions Today: Always Too Late
• Event sources: 10K Windows hosts, hundreds of UNIX hosts, VPN, vulnerability scanners, routers/switches, anti-virus, authentication servers, firewalls, IDS/IPS.
• Network operations action steps: alert, investigate, mitigate.
• The security operations loop: collect the network diagram, read and analyze tons of data, maintain a security knowledge base, repeat.
• Management dilemma: whom do I believe?
• Goal: mitigate attacks and help security staff work proactively rather than reactively.
• The dilemmas of defense in depth: noise, cost, compliance and audit mandates, poor attack identification.
• The questions that need answering: Who did it? Who got infected? Show me what happened!

Key Concept
"Mark was hired to break into buildings. He must assure security personnel are vigilant."
• 14 events (each word = an event)
• Sessions (each sentence = a session)
• Incident (the whole story)

• Events: raw messages sent to CS-MARS by the monitoring/reporting devices.
• Sessions: events correlated by CS-MARS across NAT boundaries (sessionization).
• Incidents: sessions matched against correlation rules.

Sessionization across the enterprise
[Network diagram: enterprise campus (building, distribution, core, lab, management with ACS and CS-MARS), enterprise edge (e-commerce, corporate Internet, VPN and remote access, WAN, edge distribution) and service provider edge (ISP A, ISP B, PSTN, Frame/ATM WAN). Annotations on the diagram: "Unusual traffic based on baseline"; "High amount of IPsec packets"; "Joe Smith did lots of traffic at 9pm PST"; "Joe Smith performed a buffer overflow".]

Typical Incident
• Host A: recon, ICMP and port scans to targets X and Y ("Hi, they call me Joe").
• Followed by a Host A buffer overflow attack on Target X, where X is vulnerable to the attack.
• Target X executes a password attack on Target Y, followed by a port sweep.

Vector Analysis: Accurate Attack Path, Detailed Investigation
[Topology diagram: HQ and branch-2/branch-3 NIDS sensors, switches, firewalls, WAN edge and hub routers, host IPS agents (CSA, Entercept, ISS) and the MARS demo appliance, with the attack path traced through the clouds and subnets.]
Network Intelligence:
• Topology
• Traffic flow
• Device configuration
• Enforcement devices
• False positives
Example enforcement commands pushed to the devices: "set port disable" (switch port), "access-list deny tcp host 135.17.76.5 any" (router ACL), "shun 135.17.76.5 445 tcp" (PIX firewall).

CS-MARS Global Controller Deployment
• Local Controllers (CS-MARS 50, CS-MARS 100, CS-MARS 200) at the US corporate, AsiaPac and EMEA offices report to a CS-MARS Global Controller (GC).
• Communication over HTTPS (using certificates).
• Only incidents from global rules are rolled up to the GC.
• The GC can distribute updates, rules, report templates, access rules and queries across the Local Controllers (LC).

Real-Life Implementation (for your reference)

CS-MARS in Action: At a Big Financial

Zero-Day Virus: MYTOB Variant

Custom Parser: unauthorized 'su' to root
• Need to address custom/internal applications and to fire incidents on them.
• Integrate as much as possible in one console.
• Successful su to root → custom parser → custom rule.

Proof of External Scan
• I am paying for someone to scan my network. How can I check that they actually do it?
• Custom report.
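The Key Concept slides define events, sessions (events correlated across NAT boundaries) and incidents (sessions matched against correlation rules), and the Typical Incident slide gives a three-stage attack. The following is an added example in Python, not code from the CS-MARS product or from this presentation, that runs that model end to end: raw events from two sensors on opposite sides of a firewall NAT are grouped into sessions, de-NATed with the firewall's translation table, and a three-stage rule (recon, buffer overflow, password attack launched from the compromised host) raises a single incident. The event records, sensor names, addresses, the NAT entry, the time window and the rule are all constructed for illustration. Running the same events without the NAT table shows why sessionization across NAT boundaries matters: the pivot from Target X is then seen under a different address and the rule never fires.

```python
"""Added example (not CS-MARS code): raw events -> sessions -> incident.
Events, sensor names, addresses, the NAT entry and the rule are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed raw events as two sensors would report them (t = seconds into the
# capture). BR2-NIDS-2 sits on the far side of HQ-FW-1, so it sees Target X
# (10.4.2.10) under its translated address 192.168.2.10.
EVENTS = [
    {"t": 0,   "dev": "HQ-NIDS-1",  "kind": "ICMP Sweep",      "src": "135.17.76.5",  "dst": "10.4.2.10", "dport": None},
    {"t": 5,   "dev": "HQ-NIDS-1",  "kind": "TCP Port Scan",   "src": "135.17.76.5",  "dst": "10.4.2.10", "dport": None},
    {"t": 40,  "dev": "HQ-NIDS-1",  "kind": "Buffer Overflow", "src": "135.17.76.5",  "dst": "10.4.2.10", "dport": 445},
    {"t": 120, "dev": "BR2-NIDS-2", "kind": "Password Attack", "src": "192.168.2.10", "dst": "10.4.13.7", "dport": 22},
    {"t": 200, "dev": "BR2-NIDS-2", "kind": "TCP Port Sweep",  "src": "192.168.2.10", "dst": "10.4.13.7", "dport": None},
    {"t": 300, "dev": "HQ-NIDS-1",  "kind": "TCP Port Scan",   "src": "10.1.7.9",     "dst": "10.4.2.10", "dport": None},  # lone scan
]
# Constructed static NAT from HQ-FW-1's configuration, keyed by the sensor that
# reports translated addresses: translated -> real.
NAT_BY_SENSOR: Dict[str, Dict[str, str]] = {"BR2-NIDS-2": {"192.168.2.10": "10.4.2.10"}}

def canonicalize(event: dict, nat_by_sensor=NAT_BY_SENSOR) -> dict:
    """Rewrite translated addresses to the real host, so events reported from
    both sides of the NAT describe the same endpoints."""
    table = nat_by_sensor.get(event["dev"], {})
    e = dict(event)
    e["src"], e["dst"] = table.get(e["src"], e["src"]), table.get(e["dst"], e["dst"])
    return e

@dataclass
class Session:
    src: str
    dst: str
    dport: Optional[int]
    events: List[dict] = field(default_factory=list)
    @property
    def kinds(self) -> Set[str]: return {e["kind"] for e in self.events}
    @property
    def start(self) -> int: return self.events[0]["t"]
    @property
    def end(self) -> int: return self.events[-1]["t"]

def sessionize(events: List[dict], gap: int = 60) -> List[Session]:
    """Group events with the same (src, dst, dport) into one session while
    consecutive events are at most `gap` seconds apart."""
    open_sessions: Dict[Tuple[str, str, Optional[int]], Session] = {}
    sessions: List[Session] = []
    for e in sorted(events, key=lambda x: x["t"]):
        key = (e["src"], e["dst"], e["dport"])
        s = open_sessions.get(key)
        if s is None or e["t"] - s.end > gap:
            s = Session(*key)
            open_sessions[key] = s
            sessions.append(s)
        s.events.append(e)
    return sessions

# One stage per tuple: (event kinds that satisfy it, source variable, destination
# variable). The variables tie the stages together: the host hit by the overflow
# (X) must be the one that then attacks Y.
RULE_RECON_EXPLOIT_PIVOT = [
    ({"ICMP Sweep", "TCP Port Scan"}, "A", "X"),
    ({"Buffer Overflow"},             "A", "X"),
    ({"Password Attack"},             "X", "Y"),
]

@dataclass
class Incident:
    bindings: Dict[str, str]
    sessions: List[Session]

def correlate(sessions: List[Session], rule, window: int = 600) -> List[Incident]:
    """Match the ordered stages of `rule` against sessions that all start within
    `window` seconds of the first stage, with consistent variable bindings."""
    ordered = sorted(sessions, key=lambda s: s.start)
    incidents: List[Incident] = []

    def extend(stage, first, bindings, t0, chain):
        if stage == len(rule):
            incidents.append(Incident(bindings, chain))
            return
        kinds, src_var, dst_var = rule[stage]
        for i in range(first, len(ordered)):
            s = ordered[i]
            if t0 is not None and s.start - t0 > window:
                break  # ordered by start time, nothing later fits the window
            if not (s.kinds & kinds):
                continue
            b = dict(bindings)
            if b.setdefault(src_var, s.src) != s.src or b.setdefault(dst_var, s.dst) != s.dst:
                continue  # would contradict a binding from an earlier stage
            extend(stage + 1, i + 1, b, s.start if t0 is None else t0, chain + [s])

    extend(0, 0, {}, None, [])
    return incidents

def build_incidents(events: List[dict] = EVENTS, nat_aware: bool = True) -> List[Incident]:
    canon = [canonicalize(e) for e in events] if nat_aware else [dict(e) for e in events]
    return correlate(sessionize(canon), RULE_RECON_EXPLOIT_PIVOT)

if __name__ == "__main__":
    for inc in build_incidents():
        print("INCIDENT", inc.bindings, [sorted(s.kinds) for s in inc.sessions])
    print("same events without NAT awareness:", build_incidents(nat_aware=False))
```

The lone port scan at t=300 is deliberately left in: it satisfies the first stage but nothing follows it, so it stays a session and never becomes an incident, which is the noise reduction the "Key Concept" slide is after. A real sessionizer also has to learn the NAT table from the firewall's configuration or its translation logs rather than from a hard-coded dictionary.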
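The Custom Parser slide above describes the pipeline "successful su to root → custom parser → custom rule" for an internal application whose messages CS-MARS does not understand out of the box. The following is an added example in Python, not CS-MARS's own parser or rule definitions, showing what that pipeline does: it parses Linux `su` syslog lines in two formats (the Debian-style "Successful su for root by ..." message and the pam_unix session message) into one normalised event, then runs two custom rules, one that fires when someone outside an administrator allow-list becomes root and one for repeated failed su attempts to root. The log lines, host names, user names, allow-list and thresholds are all constructed for illustration.

```python
"""Added example (not CS-MARS code): a custom parser for Linux `su` syslog
messages and custom rules that fire on unauthorised su to root. Log lines,
host and user names and the administrator allow-list are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed syslog lines: Debian-style `su` messages, a pam_unix session
# message of the kind Red Hat-style hosts log, plus one unrelated sshd line.
LOG_LINES = """\
Mar 12 09:14:02 hq-web-1 su[2231]: Successful su for root by jsmith
Mar 12 21:03:55 hq-web-1 su[4410]: FAILED su for root by bob
Mar 12 21:04:10 hq-web-1 su[4412]: FAILED su for root by bob
Mar 12 21:04:41 hq-web-1 su[4415]: Successful su for root by bob
Mar 12 21:05:30 hq-web-1 su[4418]: Successful su for oracle by bob
Mar 12 21:07:00 hq-web-1 sshd[4420]: Accepted password for bob from 10.1.7.9 port 51022 ssh2
Mar 12 22:10:05 br2-db-1 su[918]: pam_unix(su-l:session): session opened for user root by alice(uid=1001)
""".splitlines()

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
SU_DEBIAN = re.compile(r"^(?P<result>Successful|FAILED) su for (?P<target>\S+) by (?P<user>\S+)$")
SU_PAM = re.compile(r"^pam_unix\(su(?:-l)?:session\): session opened for user (?P<target>\S+) by (?P<user>[^(]+)\(uid=\d+\)$")

@dataclass
class SuEvent:
    ts: datetime
    host: str
    user: str     # who ran su
    target: str   # account they switched to
    success: bool

def parse_su(line: str, year: int = 2006) -> Optional[SuEvent]:
    """Normalise both message formats into one SuEvent; None for anything else."""
    m = SYSLOG.match(line)
    if not m or m["prog"] != "su":
        return None
    d = SU_DEBIAN.match(m["msg"])
    if d:
        success = d["result"] == "Successful"
    else:
        d = SU_PAM.match(m["msg"])
        if not d:
            return None
        success = True  # pam_unix only logs a session once su has succeeded
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return SuEvent(ts, m["host"], d["user"], d["target"], success)

AUTHORISED_ROOT_USERS = {"jsmith", "alice"}  # constructed allow-list
FAILED_THRESHOLD, FAILED_WINDOW_S = 2, 300

@dataclass
class Incident:
    rule: str
    host: str
    user: str
    at: datetime

def run_rules(events: List[SuEvent]) -> List[Incident]:
    """Two custom rules over normalised events: unauthorised successful su to
    root, and repeated failed su to root by the same user on one host."""
    incidents: List[Incident] = []
    failures: Dict[Tuple[str, str], List[datetime]] = {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.target != "root":
            continue
        key = (e.host, e.user)
        if not e.success:
            recent = [t for t in failures.get(key, []) if (e.ts - t).total_seconds() <= FAILED_WINDOW_S]
            recent.append(e.ts)
            failures[key] = recent
            if len(recent) >= FAILED_THRESHOLD:
                incidents.append(Incident("Repeated failed su to root", e.host, e.user, e.ts))
        elif e.user not in AUTHORISED_ROOT_USERS:
            incidents.append(Incident("Unauthorised su to root", e.host, e.user, e.ts))
    return incidents

def analyse(lines: List[str] = LOG_LINES) -> Tuple[List[SuEvent], List[Incident]]:
    events = [ev for ev in map(parse_su, lines) if ev is not None]
    return events, run_rules(events)

if __name__ == "__main__":
    for inc in analyse()[1]:
        print(f"{inc.at:%b %d %H:%M:%S} {inc.host}: {inc.rule} (user {inc.user})")
```

Two details matter when doing this for real: the syslog timestamp carries no year, so the parser has to be told one (here a constructed default), and the pam_unix format only ever reports successes, so the failed-attempt rule depends on which distribution's `su` is logging. Checking the parser against a line it must reject (the sshd line above) is as important as the lines it must accept.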
What Happened with Viruses
• Viruses found in my network
• Viruses not cleaned
• Where the virus was sent

Results Obtained with CS-MARS (for your reference)
"We have replaced multiple servers with CS-MARS."
"We are getting more proactive and quicker to react to events when they occur."
"Windows, UNIX and application events are monitored in near real time."
"Events are processed by rules and emailed to the appropriate people or groups for escalation or investigation."
"Staff only get events that are pertinent to their job responsibilities."
"Single view to entire network and systems."
"We now have the ability to go back and look for trends or events in our data."
"Reports can now be generated and scheduled for management or auditors with little effort."

In Summary
• Intelligence needs to be moved as much as possible to computer speed.
• To allow that, as much information as possible needs to be correlated together in a flexible way across a heterogeneous environment.
• The network should be as integrated as possible, and cooperation among different groups is important for effective investigations.
• It is not possible to rely on signatures only; Network Behavior Analysis needs to be implemented in parallel.

Meet the Experts: Security
Andres Gasson, Consulting Systems Engineer
Christophe Paggen, Technical Marketing Engineer
Eric Vyncke, Distinguished Consulting Engineer
Erik Lenten, Technical Marketing Engineer
Fredéric Detienne, CA Technical Leader
Luc Billot, Consulting Engineer
Meet the Experts: Security (continued)
Michael Behringer, Distinguished System Engineer
Olivier Dupont, Corporate Dev Consulting Engineer
Peter Matthews, Technical Marketing Engineer
Scott Wainner, Distinguished System Engineer
Steinthor Bjarnason, Consulting Engineer

Recommended Reading (BRKSEC-2007)
• Security Threat Mitigation and Response: Understanding Cisco Security MARS
• Network Security Principles and Practices
• Network Security Architectures
Available in the Cisco Company Store.

Q and A