Cisco Cybersecurity Solutions
IT/ICT SECURITY CONFERENCE KLADOVO 2015
Viktor Varga
SAGA, Business Development Manager
A quarter of a century shaping the future (Četvrt veka oblikujemo budućnost)
SAGA
• Established 1989 – 25 years
• System Integrator No.1 in Serbia*
• Member of New Frontier Group
Security Department
*since 2005 by revenue
SAGA Security 360°
Core Values
Holistic approach
Trusted Advisor
Security = Risk
Security as Enabler
Saga Security 360°
Saga Security References
Areas: Security Intelligence · Network · Identity · WAF · DLP · Infrastructure Security
Cybersecurity
• Global Risk Report
• 67B / 475B
• Law on Information Security (Zakon o BI)
• CERT
• Nigerian scam (Nigerijska šema)
• Ransomware
Cybersecurity
STRATEGY
Controls
IPS
NGFW / UTM
FirePOWER
Access Control
• Remote Access VPN
• Gateway VPN
Switching
• Routing
• NAT
• Stateful Inspection
Context Awareness
• Correlate host and user activity
• Passive OS Fingerprinting
• Passive Service Identification
• Passive Vulnerability Mapping
• Passive Network Discovery
• Auto Policy Recommendations
• Auto Impact Assessment
Threat Prevention
• Vulnerability-facing rules
• Threat-facing rules
• Enterprise accuracy and performance
App Control
• Detection of applications
• Allow/block apps and app sub-functions
• Allow/block apps by user
• Allow/block apps by type, tag, category, risk rating
Comparison columns (feature coverage shown as a chart on the slide): Typical Firewall | Typical IPS | Typical NGFWs | FirePOWER NGIPS | FirePOWER – NGFW
Context - Traffic Analysis
First packet : 2013-02-22 16:08:46
Last packet : 2013-02-22 16:08:46
Source IP : 10.2.1.51
Destination IP : 10.2.1.121
Protocol : TCP
Source Port : 2314
Destination Port : 3108
---------
Service : HTTP
Application Type : HTTP Browser
Web Application : ACME HR
Client App : Internet Explorer 7
Server App : Apache 2.3.32
Initiator packets: 6
Responder packets: 6
Initiator bytes : 1096
Responder bytes : 2269
URL : /foo/sploits/plugins/
Detection Engine : London Data Center
10.2.1.51 exists
10.2.1.121 exists
10.2.1.121 Has a daemon :3108
10.2.1.121 Is a webserver
10.2.1.51 Has a web browser
10.2.1.51 Has IE 7 installed
10.2.1.121 Needs updating: vulns
Impact Assessment
Correlates all intrusion events to an impact of the attack against the target.

IMPACT FLAG | ADMINISTRATOR ACTION | WHY
(flag icon) | Act Immediately, Vulnerable | Event corresponds to vulnerability mapped to host
(flag icon) | Investigate, Potentially Vulnerable | Relevant port open or protocol in use, but no vuln mapped
(flag icon) | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use
(flag icon) | Good to Know, Unknown Target | Monitored network, but unknown host
(flag icon) | Good to Know, Unknown Network | Unmonitored network
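The decision table above, implemented as a small correlator. This is an added example written for this page, not Cisco FirePOWER code: it walks the five rows of the slide's table against a passively learned host profile. The 0–4 level numbers follow Cisco Firepower's documented impact scale; the slide shows the levels only as colored flags, so the numbering is this example's labelling. The host profile mirrors the slide's traffic-analysis example (10.2.1.121 serving HTTP on TCP 3108 and flagged as needing updates); the vulnerability IDs, the other hosts and the events are constructed placeholders.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set


@dataclass
class HostProfile:
    """What the sensor has learned passively about one host."""
    ip: str
    open_tcp_ports: Set[int] = field(default_factory=set)
    open_udp_ports: Set[int] = field(default_factory=set)
    protocols: Set[str] = field(default_factory=set)   # non-TCP/UDP protocols seen, e.g. {"icmp"}
    vulns: Set[str] = field(default_factory=set)       # vulnerability IDs mapped to the host


@dataclass
class IntrusionEvent:
    """One IPS event; vuln_refs are the vulnerabilities the triggering rule covers."""
    label: str
    dst_ip: str
    protocol: str                      # "tcp", "udp" or another IP protocol name
    dst_port: Optional[int] = None
    vuln_refs: Set[str] = field(default_factory=set)


# (administrator action, state, why) for each impact level, as in the slide's table.
IMPACT_TABLE = {
    1: ("Act Immediately", "Vulnerable", "Event corresponds to vulnerability mapped to host"),
    2: ("Investigate", "Potentially Vulnerable", "Relevant port open or protocol in use, but no vuln mapped"),
    3: ("Good to Know", "Currently Not Vulnerable", "Relevant port not open or protocol not in use"),
    4: ("Good to Know", "Unknown Target", "Monitored network, but unknown host"),
    0: ("Good to Know", "Unknown Network", "Unmonitored network"),
}


def assess_impact(event: IntrusionEvent, hosts: Dict[str, HostProfile], monitored) -> int:
    """Walk the decision table top to bottom and return the impact level."""
    target = ip_address(event.dst_ip)
    if not any(target in net for net in monitored):
        return 0                                   # unmonitored network: nothing is known
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                                   # monitored network, but host never seen
    if event.vuln_refs & host.vulns:
        return 1                                   # the rule's vulnerability is mapped to this host
    if event.protocol == "tcp":
        relevant = event.dst_port in host.open_tcp_ports
    elif event.protocol == "udp":
        relevant = event.dst_port in host.open_udp_ports
    else:
        relevant = event.protocol in host.protocols
    return 2 if relevant else 3                    # service reachable, or not even listening


def describe(level: int) -> str:
    action, state, why = IMPACT_TABLE[level]
    return f"Impact {level}: {action}, {state} ({why})"


# Constructed sample data (placeholder vulnerability IDs, not real identifiers).
MONITORED = [ip_network("10.2.1.0/24")]
HOSTS = {
    "10.2.1.121": HostProfile("10.2.1.121", open_tcp_ports={3108},
                              vulns={"VULN-PLACEHOLDER-HR-PLUGIN"}),
}
EVENTS = [
    IntrusionEvent("hr-plugin-exploit-3108", "10.2.1.121", "tcp", 3108, {"VULN-PLACEHOLDER-HR-PLUGIN"}),
    IntrusionEvent("other-web-exploit-3108", "10.2.1.121", "tcp", 3108, {"VULN-PLACEHOLDER-OTHER"}),
    IntrusionEvent("smb-exploit-445", "10.2.1.121", "tcp", 445, {"VULN-PLACEHOLDER-SMB"}),
    IntrusionEvent("probe-unknown-host", "10.2.1.77", "tcp", 22),
    IntrusionEvent("external-target", "203.0.113.9", "tcp", 80),
]


def assess_all(events=EVENTS, hosts=HOSTS, monitored=MONITORED) -> Dict[str, int]:
    return {e.label: assess_impact(e, hosts, monitored) for e in events}


if __name__ == "__main__":
    for label, level in assess_all().items():
        print(f"{label:<24} {describe(level)}")
```

The order of the checks is the point: the same exploit signature against the same server is "act immediately" only when the passive profile has the matching vulnerability mapped, drops to "investigate" when the port merely listens, and becomes background noise when nothing is listening there at all. Without the host profile every one of these events would have to be triaged by hand.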
One Size Fits All?
NSS IPS Test Key Findings: Protection varied widely between 31% and 98%. Tuning is required, and is most important for remote attacks against servers and their applications. Organizations that do not tune could be missing numerous “catchable” attacks.
Automation
Impact Assessment and Recommended Rules Automate Routine Tasks
How does it work?
Contextual Policy – Examples 1–3
1. Trust privileged users' access to sshd on production servers (regardless of port).
2. Treat connections to unauthorized websites as highly hostile.
3. Prevent any .exe downloads from untrusted client apps (e.g. Internet Explorer).
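The three contextual rules above, as a first-match policy evaluator. This is an added example for this page, not FirePOWER's rule engine: it shows what makes the rules contextual, namely that the match conditions use identity (group membership), the application identified from the payload rather than the port, the URL category, the detected file type and the identified client software. Mapping "highly hostile" to a block is this example's choice; the production server list, group name, users and connections are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Connection:
    """Context the sensor attaches to one flow (constructed sample fields)."""
    user: str
    groups: Set[str]
    dst_ip: str
    dst_port: int
    app: str                              # application identified from payload, not from the port
    url_category: Optional[str] = None    # category assigned by URL filtering, for web traffic
    file_type: Optional[str] = None       # file type identified inside the flow, if any
    client_app: Optional[str] = None      # client software identified (e.g. a browser)


# TRUST skips deep inspection, ALLOW_INSPECT passes the flow through IPS and file
# inspection, BLOCK drops it.
TRUST, ALLOW_INSPECT, BLOCK = "TRUST", "ALLOW_INSPECT", "BLOCK"

PRODUCTION_SERVERS = {"10.2.1.121", "10.2.1.122"}   # constructed
PRIVILEGED_GROUPS = {"ops-admins"}                  # constructed
UNTRUSTED_CLIENT_APPS = {"Internet Explorer"}       # the slide's own example


@dataclass
class Rule:
    name: str
    matches: Callable[[Connection], bool]
    action: str


RULES: List[Rule] = [
    # Example 1: the match is on the identified application, so sshd on 2222 qualifies too.
    Rule("trust privileged sshd access to production servers (any port)",
         lambda c: c.app == "ssh" and c.dst_ip in PRODUCTION_SERVERS
         and bool(c.groups & PRIVILEGED_GROUPS),
         TRUST),
    # Example 2: URL category decides, whatever the port or destination address.
    Rule("unauthorized websites are highly hostile",
         lambda c: c.url_category == "unauthorized",
         BLOCK),
    # Example 3: file type plus client identification; trusted clients fall through.
    Rule("no .exe downloads through untrusted client apps",
         lambda c: c.file_type == "exe" and c.client_app is not None
         and any(c.client_app.startswith(u) for u in UNTRUSTED_CLIENT_APPS),
         BLOCK),
]


def evaluate(conn: Connection, rules: List[Rule] = RULES):
    """Return (rule name, action) of the first matching rule, or the default."""
    for rule in rules:
        if rule.matches(conn):
            return rule.name, rule.action
    return "default", ALLOW_INSPECT


# Constructed sample flows.
SAMPLE_FLOWS = {
    "admin-ssh-nonstandard-port": Connection("alice", {"ops-admins"}, "10.2.1.121", 2222, "ssh"),
    "user-ssh-nonstandard-port": Connection("bob", {"staff"}, "10.2.1.121", 2222, "ssh"),
    "unauthorized-website": Connection("carol", {"staff"}, "203.0.113.5", 443, "https",
                                       url_category="unauthorized"),
    "exe-via-internet-explorer": Connection("dave", {"staff"}, "198.51.100.7", 80, "http",
                                            url_category="software-downloads",
                                            file_type="exe", client_app="Internet Explorer 7"),
    "exe-via-trusted-client": Connection("dave", {"staff"}, "198.51.100.7", 80, "http",
                                         url_category="software-downloads",
                                         file_type="exe", client_app="Corporate Updater"),
}


def evaluate_all(flows: Dict[str, Connection] = SAMPLE_FLOWS) -> Dict[str, str]:
    return {label: evaluate(conn)[1] for label, conn in flows.items()}


if __name__ == "__main__":
    for label, conn in SAMPLE_FLOWS.items():
        rule, action = evaluate(conn)
        print(f"{label:<28} {action:<14} ({rule})")
```

Note that the same SSH session to the same server gets different treatment for alice and bob purely because of who is logged in, and that bob's session is not blocked but inspected: a port-based firewall could express neither distinction.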
Custom Block Response Pages
A simple update that can be leveraged for existing infrastructure.
Example: use a Google Docs spreadsheet and web form for user access requests.
• Create a Google Spreadsheet and add a web form to the spreadsheet.
• Add either the URL or the iframe to the default block page.
Detection
• Detects if a new application appears or the traffic profile changes
• Identify hacked hosts
• Useful in static environments: SCADA, DMZ, MEDTEC...
Reduced Risk and Cost
ALERT: Host has suddenly started to use an SSH client and outgoing traffic volume has increased by 3
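The profile-change detection described above, as an added example rather than Cisco's implementation: a baseline of applications and outbound volume is learned per host from earlier observation windows, and a new window raises an alert when an application never seen on that host appears or outbound bytes reach a multiple of the baseline. The threshold factor of 3 is taken from the slide's alert text; the flow records and hosts are constructed sample data, and the per-window averaging is this example's own simplification.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One identified flow summary in an observation window (constructed format)."""
    host: str
    window: int      # observation window index
    app: str         # application identified by inspection, not by port
    out_bytes: int   # bytes sent by the host


def build_baseline(flows: List[Flow]) -> Dict[str, dict]:
    """Per host: the set of applications seen and the mean outbound bytes per window."""
    apps = defaultdict(set)
    per_window = defaultdict(lambda: defaultdict(int))
    for f in flows:
        apps[f.host].add(f.app)
        per_window[f.host][f.window] += f.out_bytes
    baseline = {}
    for host in apps:
        totals = list(per_window[host].values())
        baseline[host] = {"apps": frozenset(apps[host]),
                          "out_bytes": sum(totals) / len(totals)}
    return baseline


def detect(baseline: Dict[str, dict], flows: List[Flow], factor: float = 3.0) -> List[Tuple[str, str, str]]:
    """Compare one window of flows with the baseline; return (host, alert type, detail)."""
    seen_apps = defaultdict(set)
    out_bytes = defaultdict(int)
    for f in flows:
        seen_apps[f.host].add(f.app)
        out_bytes[f.host] += f.out_bytes
    alerts = []
    for host in sorted(seen_apps):
        profile = baseline.get(host)
        if profile is None:
            alerts.append((host, "new-host", "host not present in baseline"))
            continue
        for app in sorted(seen_apps[host] - profile["apps"]):      # never seen on this host
            alerts.append((host, "new-application", app))
        if profile["out_bytes"] > 0 and out_bytes[host] >= factor * profile["out_bytes"]:
            ratio = out_bytes[host] / profile["out_bytes"]
            alerts.append((host, "volume-increase", f"{ratio:.1f}x baseline"))
    return alerts


# Constructed baseline: three quiet windows for two hosts.
BASELINE_FLOWS = [
    Flow("10.2.1.51", 0, "http", 800), Flow("10.2.1.51", 0, "dns", 200),
    Flow("10.2.1.51", 1, "http", 800), Flow("10.2.1.51", 1, "dns", 200),
    Flow("10.2.1.51", 2, "http", 800), Flow("10.2.1.51", 2, "dns", 200),
    Flow("10.2.1.60", 0, "http", 500), Flow("10.2.1.60", 1, "http", 500),
    Flow("10.2.1.60", 2, "http", 500),
]

# Constructed current window: 10.2.1.51 starts using SSH and sends 3.5x its usual volume.
CURRENT_FLOWS = [
    Flow("10.2.1.51", 3, "http", 900), Flow("10.2.1.51", 3, "dns", 100),
    Flow("10.2.1.51", 3, "ssh", 2500),
    Flow("10.2.1.60", 3, "http", 600),
]


def demo() -> List[Tuple[str, str, str]]:
    return detect(build_baseline(BASELINE_FLOWS), CURRENT_FLOWS)


if __name__ == "__main__":
    for host, kind, detail in demo():
        print(f"ALERT {host}: {kind} ({detail})")
```

The second host grows by 20% and stays silent, which is the intended behaviour: in a static environment such as a SCADA segment or a DMZ the interesting signal is a change in kind (a new protocol on a host) combined with a change in volume, not day-to-day variation.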
Automatic Remediation
• Use a pre-defined or custom script to initiate automatic actions
• E.g. quarantine a device with the ISE API
Reduced Risk and Cost
Indications of Compromise:
- IPS event impact 1
- Malware
- Communication with BOTNET
→ QUARANTINE: ISE changes VLAN or SGT
Integration
• eStreamer API – Export Events
• Vulnerability API – Import Vulnerabilities
• Remediation Modules – ISE
• Database Access (JDBC)
Integration 2
Platform Exchange Grid – pxGrid
That Didn't Work So Well!
pxGrid Context Sharing: Single Framework, Direct, Secured Interfaces
• I have NBAR info! I need identity…
• I have firewall logs! I need identity…
Talos
• I have sec events! I need reputation…
• I have NetFlow! I need entitlement…
• I have reputation info! I need threat data…
• I have MDM info! I need location…
• I have app inventory info! I need posture…
• I have identity & device-type! I need app inventory & vulnerability…
• I have application info! I need location & auth-group…
• I have threat data! I need reputation…
• I have location! I need identity…
Two of a kind – different devices for different use cases
FirePOWER Appliance:
• Focused on Threat Detection
• Some firewall functions, but likely not enough to meet perimeter use cases
• Ideal for passive deployments or augmenting firewalls
• Deployed on FirePOWER appliances
FirePOWER Services:
• Full ASA firewall capabilities
• Full threat detection stack
• Best for NGFW usage
• Delivered alongside ASA
Value
Thank you for your attention!