Cisco Techupdate March 2018 (slide transcript)
Tue Frei Nørgaard & Jesper Rathsach
Consulting systems engineers, Cisco Security North Team
22nd of March 2018
Cisco Annual Security Report, Firepower and TTT.
Cisco Techupdate March 2018
Today's Agenda
• Introduction
• Cisco Annual Security Report
• AMP for Endpoint Exploit Prevention
• Firepower update
• Tips and Tricks
• Q & A
Jesper Rathsach
Consulting systems engineer, Cisco Security North team
20th of March 2018
Cisco Annual Security Report 18
2018 Annual Cybersecurity Report
• Unprecedented levels of sophistication and impact
• Becoming more adept at evasion
• Exploiting new technology security gaps
• Defenders: Investing in Protecting their Organizations
  • Reliance on automation, machine learning, AI
  • Majority of organizations are leveraging behavior analytics to identify and mitigate against bad actors
• Attackers: The Maturing Tradecraft
  • Field testing of malware and deployment
    • Obfuscation of command and control
  • Use of cloud
  • Network-based ransomware
  • Vulnerabilities and patch management
  • IoT and DDoS
Cisco 2018 Annual Cybersecurity Report Highlights
Malicious Binaries and Encryption
Attackers embrace encryption to conceal their command-and-control activity
[Chart: Global Encrypted Web Traffic and Malicious Sandbox Binaries with Encryption, November 2016 to October 2017, both increasing]
Malicious Documents in Email
Compared usage of malicious attachments from the first portion of 2017 (January-May) to the second (June-October)
[Chart: change by attachment type, Office and Archive]
Sandbox Evasion Patterns
Attackers are constantly testing sandbox evasion techniques
[Chart: volume of Malicious Samples and Total Samples, Oct 2016 to Oct 2017, for Document Close and Doc Embedded in PDF]
Network-based Ransomware
[Diagram: Network-Based Ransomware Worm]
WannaCry and Nyetya: rapid-moving, self-propagating network-based attacks
With active, unpatched machines, these automated worms will attack again. Have you secured your network?
The Cloud
Organizations increase reliance on the cloud
53% manage over half of their infrastructure in the cloud
Appeal:
• Better security (57%)
• Scalability (48%)
• Ease of use (46%)
• Lack of internal workforce (41%)
IoT and DDoS
• Application-layer attacks are rising, network-layer attacks are declining
• Burst attacks are increasing
• Amplification attacks
  • Complexity
  • Frequency
  • Duration
2/5 of businesses experienced a reflection amplification attack in 2017
2/3 of those organizations mitigated the attacks
Source: Radware
Malicious Use of Legitimate Resources
Cybercriminals are adopting command-and-control channels that rely on legitimate Internet services, making malware traffic almost impossible to shut down
[Diagram: what legitimate services offer an attacker: Adaptability, Subverts Domain and Certificate Intelligence, Easy Setup, Whitelisted IP Address, Reduce Burning Infrastructure, Leverage Encryption for C2]
Source: Anomali
Exposed Development Systems
Percentage of DevOps servers left WIDE OPEN is creating a huge ransomware risk
[Chart, values as extracted: 80% Memcache, 100% MongoDB, 75% CouchDB, 20% Docker, 75% Elasticsearch]
To reduce risk of exposure to DevOps ransomware attacks:
• Develop solid standards for secure deployment
• Maintain active awareness of the company's public infrastructure
• Keep DevOps technologies up to date and patched
• Conduct vulnerability scans
Source: Rapid7
Insider Threat
Machine learning algorithms can greatly help detect internal malicious actors
• 62% occur outside of normal work hours
• 5200 docs per user
• PDFs were the most common file type
• "Data" was the most popular keyword in doc titles
• High* accuracy of malicious activity detection since June 2017
IT/OT Attack Sentiment
• 69% of organizations believe OT is a viable attack vector in 2018
• 20% believe it will be eventually
• 10% believe it will remain in IT alone
ICS Vulnerabilities
• Being connected to the Internet
• Known vulnerabilities rarely patched
• Lack of knowledge
• Too specialized
• USB or DVD as entry point
Threat actors are actively engaged in researching pivot points to facilitate future attacks
Source: TrapX
High Severity Vulnerabilities and Patch Management
We need a better way to improve patch management processes
High severity is driven by headlines
[Chart: MS17-010 Detections, Number of Detections per Month; annotations in sequence: Microsoft warns of vulnerability; Exploited vulnerability makes headlines; Patches double as organizations realize potential threat]
Source: Qualys
Alerts
• 93% experienced a security alert; 8% experienced NO security alert
• 56% of alerts are investigated; 44% of alerts are NOT investigated
• 34% of investigated alerts are legitimate
• 51% of legitimate alerts are remediated; 49% of legitimate alerts are NOT remediated
Uninvestigated alerts still create huge business risk
Challenges and Obstacles
• 34% Budget
• 27% Compatibility Issues
• 27% Certification Requirements
• 27% Lack of Trained Personnel
Key Constraints / Key Functions
• Mobile Devices: 57% find very and extremely challenging to defend
• Data in Public Cloud: 56% find very and extremely challenging to defend
• User Behavior (for example, clicking malicious links in email or websites): 56% find very and extremely challenging to defend
• Data Center/Servers: 56% find very and extremely challenging to defend
Strategic, Operational, and Tactical Issues
• 26% can be addressed by products alone
• 74% might also require people and/or processes to address
[Diagram: People, Products, Policies]
An overemphasis on product solutions can leave openings for attackers
The Need for Outsourcing
In order to keep up, organizations are looking for outside help
Most Frequently Outsourced Services:
• 54% Consulting (up 3%)
• 49% Monitoring (up 5%)
• 47% Incident Response (up 2%)
Market Expectations: Threat Landscape
The threat landscape will remain complex and challenging
• Few predict radically new threats on the horizon, but they see more capable and more diabolical bad actors
• They believe they'll need ever more sophisticated security arsenals to keep them at bay
Market Expectations: Modern Workplace
The modern workplace will continue to create conditions that favor the attackers
• The footprint security executives must secure continues to expand
• Employees increasingly carry their work (and the company's data) with them wherever they go, a well-documented source of exposure
• Clients, partners and suppliers all need secure access to corporate resources
• With the increasing deployment of IoT sensors, etc., companies' interfaces to the internet will multiply dramatically
Market Expectations: Scrutiny
Additional scrutiny of their ability to secure the organization
• Many expect they'll be under additional scrutiny from regulators, executives, stakeholders, partners and clients
• Top scrutiny from Executive Leadership, Clients, and Business Partners (76% each)
• Several CISOs mention that the need to meet others' expectations for accessibility puts increasing strain on staff
• Current and potential clients can be particularly demanding of information regarding security processes and protocols
Market Expectations: Breaches Drive Budget
Budgets will remain stable, unless a security breach drives unexpected investment
• 51%: Budgets based on previous year's budget
• 51%: Organization's security outcome objective
• 46%: Percent of revenue
• 47%: Breach drove improvements to a great extent
Market Expectations: AI and Machine Learning
More spending on AI/ML capabilities
• AI, ML and automation are all increasingly desired and expected
• 83%: Reliant on automation to reduce the level of effort to secure the organization
• 74%: Reliant on AI to reduce the level of effort to secure the organization
• CISOs expect to take increasing advantage of AI and robotics
Market Expectations: Safeguards
Spending more on safeguards for protecting critical systems
• 22.3% Protection
• 21.9% Identification
• 19.3% Detection
• 18.2% Recovery
• 18.1% Response
Market Expectations: Outsourcing
More reliance on outsourcing services
• 53%: More cost efficient
• 52%: Desire for more unbiased insight
• 51%: More timely response to incidents
Observed Threats and TTD
Cloud-based security technology has been a key factor in helping Cisco maintain a low median despite an increase in threat samples
Cisco Annual Median TTD (Hours): 2015: 37.1; 2016: 14; 2017: 4.6
Number of Observed Threat Samples: 10x increase from 2016 to 2017
Adversary tactics are continuously evolving, using encryption and legitimate Internet services to conceal their activity and undermine traditional security technologies
Conclusion/Recommendations
Lead from the top: executives/board set the security tone, culture
Top 7 Actions:
1. Educate by roles for maximum benefit
2. Adhere to corporate policies, practices for application, system, and appliance patching
3. Assume ownership of IoT device security and add scanning for these devices to security reviews
4. Review, practice security response procedures
5. Back up data often, test restoration procedures
6. Review third-party efficacy testing of security technologies to reduce risk of supply chain attacks
7. Conduct security scanning of micro-service, cloud service, and application administration systems
2018 Annual Cybersecurity Report
• Unprecedented levels of sophistication and impact
• Becoming more adept at evasion
• Exploiting new technology security gaps
Jesper Rathsach
Consulting systems engineer, Cisco Security North team
20th of March 2018
Exploit detection
Cisco AMP For Endpoint
Memory attacks penetrate via endpoints and malware evades security defenses by exploiting vulnerabilities in applications and operating system processes
Most attacks operate in the memory space of the exploited application and remain untouched by existing solutions once they gain access to the memory
[Diagram: Advanced Attack Execution; labels: Command & Control Server, Perimeter, FW / GW / IPS / IDS, Network, Endpoint, Data Center, AV, Disk, Malware, Memory, App/OS Vulnerabilities]
[Diagram: AMP for Endpoint detection layers ordered by Time To Detection, shorter to longer: In Memory: Exploit Prevention; On Disk: AMP Cloud, TETRA, Custom Detections; Post-Infection: DFC, CTA, Server Side IOC, Client Side IOC]
Exploit Prevention
STEP 1: A user activates the application, which loads into the memory space (Trusted Code, System Resources).
STEP 2: Make the memory unpredictable to attack by manipulating the memory structure. This is done on the fly each time the application loads, as a one-way randomization with no key. The process is made aware of the legitimate new memory structure (New System Resources), a dummy of the original structure is kept as a decoy (Decoy System Resources), and the application starts running as usual.
STEP 3: Any code that tries to access the original memory structure, not aware of the changes, is malicious by default!
STEP 4: The attack is immediately trapped during the initial exploit and saved for further investigation (Malicious Code Injection hits the Trap / Decoy, while Trusted Code keeps using the New System Resources).
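The four steps as a toy C program, added here as an illustration and not code from Cisco or AMP for Endpoints: the "system resources" are a table of function pointers, the decoy functions, the hit counter and the use of malloc as a stand-in for randomization are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of the resources a process expects at a well-known address.
   A real product relocates OS structures; here it is just a struct. */
typedef int (*resource_fn)(int);
typedef struct { resource_fn open_file; resource_fn send_net; } resource_table;

static int real_open(int x) { return x + 1; }   /* stand-in resource */
static int real_send(int x) { return x * 2; }   /* stand-in resource */

/* STEP 1: the application loads with the table at its original address. */
static resource_table original_table = { real_open, real_send };

/* Handle that trusted code resolves through; STEP 2 repoints it. */
static resource_table *live_table = &original_table;

/* STEP 4 bookkeeping: how many times the decoy was touched. */
static int trap_hits = 0;
static int decoy_open(int x) { (void)x; trap_hits++; return -1; }
static int decoy_send(int x) { (void)x; trap_hits++; return -1; }

/* STEP 2: copy the real table to a fresh location, tell trusted code where
   it now lives, and leave a same-shaped decoy at the old address.
   Assumption: malloc stands in for "one-way randomization with no key". */
resource_table *randomize_and_decoy(void) {
    resource_table *moved = malloc(sizeof *moved);
    if (moved == NULL) abort();
    *moved = original_table;                 /* legitimate copy */
    original_table.open_file = decoy_open;   /* old structure is now bait */
    original_table.send_net = decoy_send;
    live_table = moved;
    return moved;
}

/* Trusted code is aware of the new structure: it goes through live_table,
   so the application keeps running as usual. */
int trusted_call(int x) { return live_table->open_file(x); }

/* STEP 3: code that assumed the original address never learned about the
   move, lands on the decoy and is treated as malicious by default. */
int unaware_call(int x) { return original_table.send_net(x); }

int trap_count(void) { return trap_hits; }

int main(void) {
    randomize_and_decoy();
    printf("trusted: %d\n", trusted_call(1));   /* 2: real resource */
    printf("unaware: %d\n", unaware_call(3));   /* -1: hit the decoy */
    printf("traps:   %d\n", trap_count());      /* 1 */
    return 0;
}
```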
Coverage
Zero-day, one-day, exploit based malware, shellcode, PowerShell and attacks on unpatched vulnerabilities are prevented. For example:
• All web-borne attacks
• All malicious files such as Adobe and Office documents
• Malicious sites containing Flash, Silverlight and JavaScript attacks
• Attacks on Java that use shellcode to run payload (all recent attacks)
• Vulnerabilities exploited by file-less and non-persistent malware
• Ransomware, Trojans, Macros using in-memory techniques
© 2017 Cisco and/or its affiliates. All rights reserved.
Today's Agenda
• Firepower new stuff
• Tue's tips and tricks
• Q & A
• Thank you for today and see you next time
System Improvements and Quality in 6.2.3 (expected release date: 29/3-2018)
• Customer Found Issues and Escalations: major reduction of open CFDs
• Improved Upgrade Experience:
  • Upgrade times improved
  • Improved upgrade reliability
  • Single shot upgrade: 6.1 to 6.2.3
• High Availability: improved reliability and configuration sync
• Policy Apply:
  • Common Snort restarts removed, users alerted if required
  • Reliability and >50% performance improvements
• Context Explorer: query times improved drastically
Firepower 6.2.3, ASA 9.9.2
Firepower 6.2.3 Features (March 2018)
• New FDM capability for Commercial/Midmarket: IPS Tuning, SSL Decryption, Security Intelligence, Flexconfig, Troubleshooting CLI Console, KVM
• APIs allowing control and orchestration: FMC APIs (NAT, Routing, HA); publication of the FTD API
• Customer Health Score: telemetry from FMC and FTD; a framework to eventually enable us to determine customer needs for an improved experience
• IPv6 improvements: SNMP and RADIUS support for IPv6
Firepower 6.2.3.x Features (Target 1H CY2018)
• SSL HW Decrypt
ASA 9.9.2 Features (March 2018)
• Man-in-the-middle and known key decryption
  • Enabled via command line on 4100/9300 devices
  • Will be enabled by default in a future release
SSL Hardware Decryption
• Currently SSL decryption is performed in software
• Leverage crypto hardware already present on new platforms
• Delivered as part of 6.2.3.x
• Targeted for these platforms:
  • Firepower Threat Defense on 4100/9300 and 5525/5545/5555
  • 2100: roadmap
Result: ~2-3X performance improvement over software alone
Policy Apply Improvements
• Prevention of virtually all connection drops with Snort flow preservation
• Snort restart scenarios eliminated or warnings added
• Warnings on policy applies that require Snort restart
Restarts Eliminated: Access Policy, NAP & Intrusion Policy, App Detectors & App-ID, Security Intelligence*, URL & File Policy, Simple SRU Update, FTD HA Setup
Restart Warnings: SSL Policy, Captive Portal, File Policy, MTU, SRU Updates (shared objects), VDB*, NAP (Adv), Custom App Detectors, Upgrades
*Added in 6.2.3
Result: Virtually all traffic impact eliminated
Warnings About Inspect Interruption on Policy Apply
Upgrade Improvements in 6.2.3
Single-Step Upgrade:
• Single-step upgrade from 6.1 (and interim versions) to 6.2.3
• For FMC, FTD, Firepower Services, 7000/8000 Series
[Diagram: 6.1 and 6.2 upgrading directly to 6.2.3]
Backward Management:
• 6.2.3 installed on all new systems by default
• 6.2.3 FMC will manage as far back as 6.1 devices
• FMC Push feature reduces software installation time
Result: Much easier, less time-consuming upgrade process
Firepower Device Manager Releases
Introduced in 6.1:
• Easy Initial Device Setup
• Wizard based guided configurations
• Firewall configurations: Interfaces, NAT, Static Routing
• Unified Access Control Policy
• Captive Portal for User Identity
• Pre-defined IPS and Malware Policies
• Topology View
• Intuitive GUI-based dashboard and monitoring
• Real Time Logging
6.2.X:
• Support for FTDv on VMware
• Site-to-Site VPN for branch deployments
• Remote Access VPN for mobile users using AnyConnect
6.2.3:
• IPS signature tuning for false positives
• Cisco Security Threat Intelligence for early protection
• SSL Decryption in software for encrypted traffic
• Built-in CLI console for troubleshooting
• Device APIs for automation/orchestration
• Support for FTDv on KVM
Simple, easy management
FDM vs FMC
[Table: feature availability in Firepower Management Center (off-box) versus Firepower Device Manager (on-box); rows: NAT & Routing; Access Control; Intrusion & Malware; Device & Events Monitoring; VPN - Site to Site & RA; Security Intelligence; Other Policies: SSL, Identity, Rate Limiting (QoS) etc.; Active/Passive Authentications; Firewall Mode (FMC: Router / Transparent, FDM: Routed); Threat Intelligence & Analytics; Correlation & Remediation; Risk Reports; Device Setup Wizard; Interface Port-Channel; High Availability. Some FDM entries are marked as new in 6.2.3]
Tue's Tips and Tricks
Firepower
• Recommended software versions
• Logging Best Practices
• Intelligent application bypass
• Exclude flows from snort inspection
• Variable sets
• Q & A
Tailored or Custom Software Recommendation
• Software selection is a highly tailored process
• Delicate balance between desired features and code stability
• Dependent on platform, traffic patterns, and other device interoperability
• A comprehensive network overview and a thorough bug scrub are required
• Ongoing certification and re-evaluation process ownership
• AS has tools to provide tailored recommendations; AS must be engaged for tailored recommendations.
• If not AS, GSSO, in consultation with the customer's network stakeholders, should provide a tailored recommendation.
• TAC or BU may suggest an upgrade path for known defects only
• The final recommendation must be based on the customer's deployment
Current Best Practices
Release 6.2.0.5
  Deployment:
  • Existing installations
  • New customer deployments
  Why:
  • Stable, fifth maintenance release
  • Flow preservation for existing flows in case of Snort restart or reload; flow preservation is not available in 6.2.2
  • Customer prefers connectivity over security on Snort restart or reload
  • 6.2.2 is new in the field
Release 6.2.2.2
  Deployment:
  • New customer deployments
  • FPR 2100s
  • Existing installations, if the customer needs new features (RAVPN, CTID)
  Why:
  • Customer is planning to prominently use scenarios solved by Snort reload
  • Customer prefers security over connectivity
  • Has 2100s
Additional - ASA Code recommendation
• Balance new features against code stability with ASA
• ASA 9.6(3.latest) or wait for ASA 9.6(4.latest) for conservative customers
• ASA 9.8(2.24 or later) for longevity and feature velocity
• Pick latest compatible FXOS based on Logical Device Support
FXOS release FXOS 2.3(1.66): ASA releases 9.6.3, 9.6.4, 9.7.1, 9.8.1, 9.8.2, 9.9.1
Logging Best Practices
• Do not log at both the beginning and the end of the connection
• Avoid logging for noisy protocols:
  • DNS
  • NTP
  • Routing traffic
• Monitoring rules
• Logging of monitoring tools
Intelligent Application Bypass
• Snort is a single-threaded process for traffic processing
• Uses data already available
• Test/On modes
• Configurable thresholds
• Every Performance Sample Interval, monitor the Inspection Performance Thresholds
• Once one of the Inspection Performance Thresholds is reached, determine which flows to bypass based on the Flow Bypass Thresholds
Exclude flows from Snort inspection
• First thing to do when starting to tune an NGFW/NGIPS, typically for:
  • VoIP
  • Scanner
  • Backup
  • Routing traffic
• Current limitation: not possible to create Layer 2 prefilter rules
• Prefilter Rules:
  • Fastpath traffic past both Lina and Snort inspection
  • Prefilter rules cannot be configured on the default Prefilter Policy
• Trust rules:
  • Lina still checks the traffic; bypasses Snort inspection only
  • Can be defined based on L4-L7 parameters
Variable Set configuration
• Most IPS rules are based on variables like HOME_NET:
  • alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
  • alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
• Defining EXTERNAL_NET
  • Cisco recommendation: !$HOME_NET
  • Might not detect peer-to-peer events
• If using non-standard ports, they should be defined as well
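To see what the EXTERNAL_NET choice and the HTTP_PORTS definition do to the first rule above, here is an added C example (not Snort's code or Cisco's); the HOME_NET block, the port list and the sample addresses are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed variable set (assumption, not any real deployment):
   HOME_NET is one RFC 1918 block, HTTP_PORTS lists only standard ports. */
static const char *HOME_NET = "10.0.0.0/8";
static const int HTTP_PORTS[] = { 80, 8080 };
static const size_t HTTP_PORTS_N = sizeof HTTP_PORTS / sizeof HTTP_PORTS[0];

/* Dotted-quad IPv4 text to a host-order 32-bit value. */
static uint32_t ip4(const char *s) {
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) abort();
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Is ip inside "net/prefix"? A missing prefix means a single host. */
static bool in_cidr(const char *ip, const char *cidr) {
    char net[32];
    const char *slash = strchr(cidr, '/');
    size_t n = slash ? (size_t)(slash - cidr) : strlen(cidr);
    unsigned plen = slash ? (unsigned)atoi(slash + 1) : 32;
    if (n >= sizeof net || plen > 32) abort();
    memcpy(net, cidr, n);
    net[n] = '\0';
    uint32_t mask = plen == 0 ? 0u : 0xFFFFFFFFu << (32 - plen);
    return (ip4(ip) & mask) == (ip4(net) & mask);
}

static bool is_http_port(int port) {
    for (size_t i = 0; i < HTTP_PORTS_N; i++)
        if (HTTP_PORTS[i] == port) return true;
    return false;
}

/* Evaluates the header of
 *   alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
 * for one flow. external_is_not_home selects EXTERNAL_NET = !$HOME_NET
 * (the recommendation on the slide); false means EXTERNAL_NET = any. */
bool rule_header_matches(bool external_is_not_home,
                         const char *src, const char *dst, int dport) {
    bool src_home = in_cidr(src, HOME_NET);
    bool src_ok = external_is_not_home ? !src_home : true;
    return src_ok && in_cidr(dst, HOME_NET) && is_http_port(dport);
}

int main(void) {
    /* Internet client -> internal web server on 80: matches either way. */
    printf("%d\n", rule_header_matches(true, "203.0.113.5", "10.1.2.3", 80));
    /* Peer-to-peer: internal host -> internal server. With !$HOME_NET the
       rule never fires (the caveat on the slide); with "any" it does. */
    printf("%d\n", rule_header_matches(true, "10.7.7.7", "10.1.2.3", 80));
    printf("%d\n", rule_header_matches(false, "10.7.7.7", "10.1.2.3", 80));
    /* Non-standard port 8081 is not in HTTP_PORTS, so nothing matches
       until the variable set is extended to include it. */
    printf("%d\n", rule_header_matches(true, "203.0.113.5", "10.1.2.3", 8081));
    return 0;
}
```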
Access Control Policy: rule ordering to improve performance
1. Trust rules should always be at the top of the policy
2. Rules which use IP and port should always be above rules that require application control or a database mapping lookup (i.e. user, URL, Geo, etc.)
3. Block rules should be above allow rules whenever at all possible, to exit detection sooner
4. URL based rules should be above application based rules, as we can see the URL sooner in the session
What analysis is done to packets before the ACP rule can be determined? Inspection is determined by the "Intrusion Policy used before Access Control rule is determined"
Air-gapped network:
My management network has no internet access; what do I do about licenses?
• ASA: order PLR* licenses from the start
• FTD: talk to Cisco DK about the beta of the Smart Licensing Satellite server for PLR* licenses
*Permanent License Reservation
Fixed software versions for cisco-sa-20180129-asa1:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
Seminar calendar for 2018, first half