Targeted Threat Defense for Hosted Applications
Dave Jones, June 2015
Date posted: 13-Aug-2015 | Category: Technology | Upload: cisco-devnet
4 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Why are we here?
Was looking like this:
Ask Dave
5% of sysadmin accounts or their laptops may be compromised at any moment
http://www.securityweek.com/research-finds-1-percent-online-ads-malicious
1% of the 600K ad sites surveyed are hosting malware
Top 10 varieties of threat actions over time Source: 2014 Verizon Data Breach Investigation Report
By the numbers. Source: Verizon 2015 DBIR
Source: Verizon 2015 DBIR
99.9% OF THE EXPLOITED VULNERABILITIES WERE COMPROMISED MORE THAN A YEAR AFTER THE CVE WAS PUBLISHED
Source: Verizon 2015 DBIR
Nation State Run Book
DataCenter
Infestation & Lateral Movement
1. User desktop infected; WCE or Mimikatz is started
2. Privileged user or application logs in – WCE hijacks the credentials
3. Rootkit remotely installed on a server in the datacenter
4. Super user performs a task on the datacenter server; malware hijacks the credentials
5. Malware spreads throughout the datacenter
Malware details
• Targeting older software (Flash, Word, Acrobat Reader, Java)
• Malware customized to avoid AV signatures
• The higher up the chain they get, the more unique the malware
DataCenter
Infestation - Remediation
1. Super user logs in with SmartCard and has scoped access to other hosts
2. Malware not propagated throughout data center
3. Prevent privileged user or Application from logging into desktop.
4. Privileged user instead logs into administrator station.
5. Malware is not spread to data center
6. Upgrade Applications and Operating System baseline and Train Users
7. Initial attack fails
Secure Administration Controls
Security Control Point
Production Resources
Administration End point
Monitoring and Detection
• Sandbox detonation
• pDNS
• NetFlow
• Host-based IPS/IDS on low-value computers
• Windows Event Logs
• Log all of these to the same place so they can be correlated
Blocking Lateral movement Scoped Access with GPOs
Security Configuration Management with Windows Event Logs and AppLocker
• Registry keys created or modified
• Services running where the file is outside of system32
• Executable executed
• Accounts trying to log into hosts that they are not authorized to log into
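The four conditions on this slide, turned into detection rules run over a handful of constructed Windows event records. This is an added example, not code from the deck or from Cisco; the event IDs are the standard Windows ones (7045 service installed, 4657 registry value modified, 4688 process created, 4624 logon), while the host names, accounts and the scoped-access table are made up.

```python
import ntpath

# Constructed sample events (field names follow the Windows event XML; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS-042", "ServiceName": "WinUpdSvc",
     "ImagePath": "C:\\Users\\Public\\svc.exe"},
    {"EventID": 7045, "Computer": "WS-042", "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": 7045, "Computer": "SRV-07", "ServiceName": "Helper",
     "ImagePath": "C:\\Windows\\System32\\..\\Temp\\helper.exe"},   # traversal out of system32
    {"EventID": 4657, "Computer": "WS-042",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"EventID": 4688, "Computer": "WS-042",
     "NewProcessName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\a.exe"},
    {"EventID": 4624, "Computer": "JUMP-01", "TargetUserName": "da-admin", "LogonType": 10},
    {"EventID": 4624, "Computer": "WS-042", "TargetUserName": "da-admin", "LogonType": 10},
]

# Scoped access: each privileged account may only log on to its administration station(s).
SCOPED_LOGON = {"da-admin": {"JUMP-01"}}
# AppLocker-style allow list of directories executables may run from.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM32 = ("c:\\windows\\system32\\",)
PERSISTENCE_KEYS = ("\\currentversion\\run",)

def _under(path, roots):
    """Normalise the Windows path (collapses '..') before the prefix test."""
    p = ntpath.normpath(path).lower()
    return any(p.startswith(r) for r in roots)

def evaluate(events):
    """Return (rule, host, detail) tuples for events that violate the baseline."""
    alerts = []
    for e in events:
        eid, host = e["EventID"], e["Computer"]
        if eid == 7045 and not _under(e["ImagePath"], SYSTEM32):
            alerts.append(("service-outside-system32", host, e["ImagePath"]))
        elif eid == 4657 and any(k in e["ObjectName"].lower() for k in PERSISTENCE_KEYS):
            alerts.append(("registry-persistence-key", host, e["ObjectName"]))
        elif eid == 4688 and not _under(e["NewProcessName"], TRUSTED_DIRS):
            alerts.append(("exec-outside-trusted-dir", host, e["NewProcessName"]))
        elif eid == 4624 and e.get("TargetUserName") in SCOPED_LOGON \
                and host not in SCOPED_LOGON[e["TargetUserName"]]:
            alerts.append(("privileged-logon-out-of-scope", host, e["TargetUserName"]))
    return alerts

if __name__ == "__main__":
    for rule, host, detail in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({detail})")
```

The last rule is what makes the "admin station" control on the remediation slide observable: a domain-admin logon on an ordinary workstation is the signal, whether or not the GPO restriction was bypassed.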
Network device product management
Only allow SSH From SCP
Programmatic Interface
MDM product management suite Client and Management Traffic over HTTPS
Client App
Admin UI
App Replication
Virtual Machine hosting product(s)
UCS
VMWare or OpenStack/KVM Tenant1 TenantX Tenant3 Tenant2
CSG Common Identity or DSX
Commodity dual
Internal Admin Token
ACLs Blocking Admin Ports
SCP
Web Server Plugin
Infra Admin
Internal Tenant
Partner
Authentication Mechanism
Mail Server product management
Only allow SSH From SCP
BSDi Mail Appliances Appliance
Mail Servers
Only allow PwrShell from Prov Box
Linux SCP
Application to Application
Simple Application Credential Management
Application 1 Application B
Logged Sudo Access to Credential
Remove the Credential From the Application
Get Creds
Application 1 Application B
App to App - Target
OAuth Token request flow
Application 1 Application B
TLS Encrypted Tunnel Machine Certificate
Machine Certificate
User JanDoe
Delegated JanDoe
Encrypted Storage
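The two app-to-app slides (remove the stored credential from Application 1, then have it obtain an OAuth token over a machine-certificate TLS tunnel for delegated user JanDoe) as a simulated exchange between all three parties. Added example, not code from the deck or from Cisco: the certificates are constructed byte strings standing in for the real X.509 certs presented in the TLS handshake, the token service signs with a shared HMAC key that a real service would replace with a private key, and binding the token to the client certificate thumbprint (cnf / x5t#S256, RFC 8705 style) is an assumption the slide does not state.

```python
import base64, hashlib, hmac, json, time

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed stand-ins for the machine certificates each app presents in the TLS handshake.
APP1_CERT = b"-----CONSTRUCTED CERT CN=app1.example-----"
APP1_THUMB = b64u(hashlib.sha256(APP1_CERT).digest())   # x5t#S256 thumbprint
REGISTERED_CLIENTS = {APP1_THUMB: "app1"}               # token service's client registry
ISSUER_KEY = b"constructed-token-service-key"            # assumption: shared HMAC key; a real
                                                         # service would sign with a private key

def issue_token(client_thumb, delegated_user, audience, ttl=300):
    """Token service side: App 1 has authenticated with its machine cert; mint a token for
    App B that carries the delegated user and is bound to App 1's certificate thumbprint."""
    if client_thumb not in REGISTERED_CLIENTS:
        raise PermissionError("unknown client certificate")
    claims = {"iss": "token-svc", "sub": delegated_user, "aud": audience,
              "act": {"sub": REGISTERED_CLIENTS[client_thumb]},     # which app is acting
              "exp": int(time.time()) + ttl, "cnf": {"x5t#S256": client_thumb}}
    body = b64u(json.dumps(claims, sort_keys=True).encode())
    sig = b64u(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token, presenting_thumb, expected_aud, now=None):
    """App B side: accept only a validly signed, unexpired token issued for this audience,
    and only from the TLS peer whose certificate thumbprint the token was bound to."""
    body, _, sig = token.partition(".")
    expected_sig = b64u(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected_sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    now = int(time.time()) if now is None else now
    if claims["aud"] != expected_aud or claims["exp"] <= now:
        return None
    if claims["cnf"]["x5t#S256"] != presenting_thumb:   # token replayed from another machine
        return None
    return claims

if __name__ == "__main__":
    tok = issue_token(APP1_THUMB, "JanDoe", "appB")            # App 1 -> token service
    print(verify_token(tok, APP1_THUMB, "appB"))                # App B accepts
    print(verify_token(tok, "some-other-thumbprint", "appB"))  # None: certificate mismatch
```

Application 1 now stores a machine certificate in protected storage rather than a password for Application B, and anything it can do is limited to the delegated user, the audience and the token lifetime.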
Certificate Storage
• HSM
• TPM
• USB
• Files…
Best Practice - pxGrid
Certificates pxGrid Example
Cisco Platform Exchange Grid – pxGrid Network-Wide Context Sharing
That Didn’t Work So Well!
pxGrid Context Sharing
Single Framework
Direct, Secured Interfaces
I have NBAR info! I need identity…
I have firewall logs! I need identity…
SIO
I have sec events! I need reputation…
I have NetFlow! I need entitlement…
I have reputation info! I need threat data…
I have MDM info! I need location…
I have app inventory info! I need posture…
I have identity & device-type! I need app inventory & vulnerability…
I have application info! I need location & auth-group…
I have threat data! I need reputation…
I have location! I need identity…
BENEFITS of pxGrid, it can…
• Establish that secure TLS tunnel for you
• Be leveraged as your communications bus over XMPP, including discovery of the services available
• Verify Integrity of each endpoint communicating in the Grid
• Be used without you writing *that* code
In Action
pxGrid
Radius
1. 802.1X
User Session
Publish User SGT
Device Location
Auth
User Meta Data
User Group
ISE Server
Switch
Internet
FireSIGHT Management Center
Sensor
User Meta Data
pxGrid – More Information
• Development SDK and client information: https://developer.cisco.com/site/pxgrid/
Security Monitoring on Demand Solution: Topology Independent Investigation
Opportunity: Deliver a scalable, topology-independent, automated means of capturing traffic and delivering it into the appropriate incident response analysis tooling, addressing
• East-West traffic
• Branch split tunnel
• Inspection gap
The How: Controller-managed access layer; automated, targeted copy and transport to the investigation service, with declarative control
APIC-EM Solution:
• Context-informed targeting through ISE context plus a network filter
• Copy through ERSPAN
• Topology independence – routable encapsulation
• Automation through the controller, minimizing configuration risk
• Declarative control – ISE session awareness
APIC-DC Solution Concept:
• Targeted – applied to the endpoint(s) you want to monitor, not the endpoint(s) EPG. Push XML to activate a policy label for ‘this contract’ or ‘this graph’, etc.
• Copy – introduce a copy policy for a full copy of the requested traffic
• Topology independence – insert a service to process the copied traffic
• Automation through the APIC-DC controller dynamically adding the investigation service in path or out of band
• APIC-DC providing declarative control
fireSIGHT ISE
Application
APIC-EM
SecOps
Internet
Lab
Intranet
SCP
Source: Ken Beck
SecOps