ICT Security –Kladovo, maj 2015 Vidljivost događaja na ... · –Sofisticirani Phishing napadi...

Vidljivost događaja na mreži kao osnova sistema zaštite

Dejan Spasić, B.Sc.E.E.IT Security Department Executive ManagerCCIE #15476 Service [email protected]

ICT Security – Kladovo, maj 2015

222MDS Informatički inženjeringICT Securiity Kladovo 2015

Cyber kriminal – globalni fenomen


Ko su napadači?

• Hacktivists– Onemogućavanje servisa – DDoS

– Promena izgleda Web stranica

• Hackers/Cyber Criminals: – Sofisticirani Phishing napadi

– APT (Advanced Persisstent Threat)

– Promena izgleda Web stranica

• Aktivnosti na nacionalnom nivou?


Tehnike napada

• Web bazirani napadi

• Maliciozni softver – distribucija preko Mail i Web servisa

• DDoS – distribuirani DoS napadi

• Interne pretnje

• Krađa


Trendovi• Prosečno vreme otkrivanja

napada 205 dana • 69% incidenata otkriveno od

strane eksternih partnera

• Javno objavljeni slučajevi velikih incidenata (Target – podaci o 40 miliona kreditnih kartica, Cryptolocker, Sony – Playstation network, krađa podataka)

Izvor: M-Trends® 2015: A VIEW FROM THE FRONT LINES


Statistika


Integracija SourceFire tehnologije

• CONTEXT IS EVERYTHING – kompletna analitika događaja i mrežnog saobraćaja

Cisco LIVE: Martin Roesch – Cisco and Sourcefire: A Threat-Centric Security Approach (BRKSEC-2761)

“Context gives me the ability to discriminate my security events, to select easily from the thousands of events I get to the ten events that actually matter.”

Sourcefire NGIPS customer

“Context enables me to set access controls that make sense. I can select which users can access which public resources based on their job function.”

Sourcefire NGFW customer

“Context enables me to set access controls that make sense. I can select which users can access which public resources based on their job function.”

Sourcefire NGFW customer


Cisco FirePower - Koncept

OS & version identifikovano

Serverske aplikacije i verzije

Klijentski softver

Koji host

Verzije klijenta

Aplikacija

b10

Slide 8

b10 ili softverski definisane mrežebraca, 3/5/2015


Arhitektura sistema• Managemant centar

– Centralno upravljanje– Definicija polisa– Analiza događaja, korelacija– Mapa mreže (korisnici, uređaji,

hostovi, aplikacije)– Paneli - Dashboard vs Context Explorer

Hardware– Cisco ASA sa FirePower servisima– Cisco FirePower (SourceFire uređaji)

Servisi– IPS – dinamička primena polisa– Web Security– AMP (Advanced Malware Protection) – Cisco TALOS Security Intelligence and

Research Group

Obrada događaja

FirePower Managemant Centar

Generisanje događaja– IPS– Malware– File– Access Control– Inteligence– Discovery– Flow

FirePower uređaji


Indication of Compromise

Reconnaissance Weaponization Delivery Exploatation C2 Lateral Movement

• Ciklus napada

Izvor: Intrusion Along the Kill Chain, SANS Digital Forensic

• Korelacija događaja, indikacija kompromitovanja hosta

Exfiltration


Advanced Malware ProtectionZaštita u realnom vremenu (Point-in-Time Protection) Kontinualna analiza (Retrospective Security)

Podrška za razne sisteme


Arhitektura sistema zaštite


Rekapitulacija

• Kontekst - Vidljivost saobraćaja i događaja

• IPS dinamičko podešavanje, AMP, IoC

• Nova security arhitektura bazirana na fazamaCyber napada – Before, During, After

• NSS Labs – FirePower na vrhu po efikasnosti i TCO

Vidljivost događaja na mreži kao osnova sistema zaštite

Hvala na pažnji !!!

ICT Security – Kladovo, maj 2015


FirePower donosi vidljivost

Kategorije Primeri FirePowerTipični

IPSTipičniNGFW

Threats Attacks, Anomalies ✔ ✔ ✔

Users AD, LDAP, POP3 ✔ ✗ ✔

Web Applications Facebook Chat, Ebay ✔ ✗ ✔

Application Protocols HTTP, SMTP, SSH ✔ ✗ ✔

File Transfers PDF, Office, EXE, JAR ✔ ✗ ✔

Malware Conficker, Flame ✔ ✗ ✗

Command & Control Servers C&C Security Intelligence ✔ ✗ ✗

Client Applications Firefox, IE6, BitTorrent ✔ ✗ ✗

Network Servers Apache 2.3.1, IIS4 ✔ ✗ ✗

Operating Systems Windows, Linux ✔ ✗ ✗

Routers & Switches Cisco, Nortel, Wireless ✔ ✗ ✗

Mobile Devices iPhone, Android, Jail ✔ ✗ ✗

Printers HP, Xerox, Canon ✔ ✗ ✗

VoIP Phones Avaya, Polycom ✔ ✗ ✗

Virtual Machines VMware, Xen, RHEV ✔ ✗ ✗


Impact Assesment

Correlates all intrusion events to an impact of the attack against the target

Impact Flag Administrator Action Why

1 Act immediately, vulnerable

Event corresponds to vulnerability mapped to host

2Investigate, potentially vulnerable

Relevant port open or protocol in use, but no vuln mapped

3Good to know, currently not vulnerable

Relevant port not open or protocol not in use

4 Good to know, unknown target

Monitored network, but unknown host

0 Good to know, unknown network

Unmonitored network


Context Explorer u akciji

OS & version identifikovano

Serverske aplikacije i verzije

Klijentski softver

Koji host

Verzije klijenta

Aplikacija

Identifikacija korisnika i na kojim drugim sistemima je identifikovan isti korisnik

Date post:	08-Sep-2019
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times

ICT Security –Kladovo, maj 2015 Vidljivost događaja na ... · –Sofisticirani Phishing napadi...

Documents