
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM03-S - Chicago AWS Summit


Rapid adoption of cloud services and application migration brings several challenges to network administrators and security professionals, making real-time visibility of the network even more of a priority. In this session, learn how Cisco Stealthwatch Cloud uses the telemetry your AWS environment already generates (VPC Flow Logs and other cloud-native logs) to prevent compute theft and orphaned compute, find weak or incomplete access control lists (ACLs), and enforce security policies beyond the traditional firewall while maintaining regulatory compliance by extending visibility across your entire network. This presentation is brought to you by AWS partner Cisco Systems Inc.



  1. Gain Visibility and Real-Time Actionable Security Alerts with VPC Flow Logs and AWS. Mindy Schlueter, Principal Cybersecurity Systems Engineer.
  2. Why is this important? Smarter threats are more difficult to detect. (Slide footer: © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.)
     • Motivated and targeted adversaries: state sponsored, financial/espionage motives, a $1T cybercrime market.
     • Insider threats: compromised credentials, disgruntled employees, admin/privileged accounts.
     • Increased attack sophistication: advanced persistent threats, encrypted malware, zero-day exploits.
     • Metrics cited (the values did not survive in this transcript): industry average detection time for a breach, industry average time to contain a breach, average cost of a data breach. Source: Ponemon 2018 Cost of a Data Breach Study.
  3. What is required? Visibility is required for detection, but is it enough? Use cases shown: crypto mining, network recon, ransomware, compliance, network visualization, bad user behavior, shadow IT, unapproved DNS, high-risk countries, poor security posture.
  4. The challenge: how do we analyze massive amounts of data from many sources (network, users, HQ, data center, admin, branch, roaming users, cloud) to find the interesting event?
     • RECORD every conversation.
     • Understand what is NORMAL.
     • Be alerted to CHANGE.
     • KNOW every host.
     • Respond to THREATS quickly.
  5. Stealthwatch Cloud: help with visibility, threat identification and network compliance using dynamic entity modeling (machine learning). Inputs: cloud-native logs from AWS, and premises network flows collected by a virtual sensor (NetFlow, IPFIX, mirror/SPAN).
  6. Entity modeling (machine learning).
     • How? Use cloud-native APIs and data sources to ingest the traffic in near real time.
     • What? Maintain a model (a kind of simulation) of each and every device and entity on your network.
     • Why? Have a derived understanding of typical behavior, and be able to detect when changes in behavior represent a security risk.
     Section divider: How do we do it?
  7. Machine learning provides better threat detection. Pipeline: collect input (36-day baseline), perform analysis, draw conclusions. Start by collecting metadata.
     • Inputs: AWS CloudTrail, NetFlow/IPFIX, IAM logs, watch lists, 3rd-party services, VPC Flow Logs.
     • Dynamic entity modeling using machine learning: group, consistency, rules, forecast, role.
     • Questions the model answers: What ports/protocols does the device continually use or never use? Do all roles behave similarly? Do all remote desktop servers communicate the same way? Does it communicate internally only? What countries does it talk to? Should the connection be allowed? How much data does the device normally send/receive by profile, time of day, etc.? What is the role of the device? Should this role be doing this on the network?
     • Goal: turn network data into actionable alerts.
  8. The 36-day baseline: discovery and learning, role detected, baselining normal behavior, anomaly detected, alert generated. Machine learning helps us detect abnormal activity for an entity. Worked example, database exfiltration:
     • Discovery: IP address detected, database server identified.
     • Baseline: data access from a regular location; an existing IP accesses the database server; it communicates with a known set of IPs; data stays within the environment.
     • Anomaly: new external connection observation, new high-throughput connection.
     • Alert triggers for database exfiltration.
  9. Produce low-noise alerts, made possible via machine learning: excessive failed access attempts, DDoS and amplification attacks, potential data exfiltration, geographically unusual remote access, suspected botnet interaction. 96% of customers rated the alerts generated by Stealthwatch Cloud's entity modeling as "helpful". E.g. 10k endpoints = 1-2 alerts/day.
  10. Create an understanding of the resource/entity. For example, we monitor an entity's IP addresses, traffic counters, 30-day dashboard, connectivity counters and matched traffic profiles. (Screenshot of the portal's roles page, http://www.cisco.obsrvbl.com/roles.)
  11. Expected behavior based on role. Roles shown: Lambda, NAT Gateway, Database Services, ELBs, Terminal Servers. We use roles to predict how an entity will operate; the role is determined by APIs or by observed behavior. Someone scanning the IP of the NAT Gateway (role) is not as interesting as someone scanning my databases: a scan of an entity with the NAT Gateway role is less important, a scan of an entity with the database role is more important.
  12. Network visibility: in addition to entity visibility, Stealthwatch Cloud can provide visibility of network resources.
  13. Example alert: a database server exporting data to a foreign country. Note the supporting observations attached to the alert.
  14. Talos Intelligence: web probing from Tor exit nodes. The entity 172.23.3.45 appears on multiple watch (black) lists. Leverage threat feeds like Cisco's Talos to identify bad hosts.
  15. Failed SSH connection attempts seen: multiple access failures, so the entity does not have SSH locked down. This detects poor security posture without the need to complete baselining. So let's identify the gaps before they become compromises.
  16. Building segmentation rules: compliance rules catch unwanted communications and highlight forbidden communications between internal entities.
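The detections that slides 7, 8, 13, 15 and 16 describe in words, written out as an added example that is not part of the presentation and is not Stealthwatch Cloud's logic. It parses records in the documented default (version 2) VPC Flow Log format, builds a per-host outbound baseline from one batch of records, then runs three checks over a later batch: SSH reachable from many external sources (slide 15), a database host sending an unusually large transfer to a never-seen external peer (slides 8 and 13), and a forbidden tier-to-tier flow (slide 16). The VPC CIDR `10.0.0.0/8`, the thresholds, the rule set and every log line are constructed for the example.

```python
"""Added example: toy versions of the flow-log detections on the slides.

Input is the default (version 2) VPC Flow Log record:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
VPC CIDR, thresholds, rules and log lines are constructed; not Cisco's logic.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

FIELDS = ("version", "account", "eni", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
VPC_CIDR = ip_network("10.0.0.0/8")  # assumed address space of "my" entities

def parse_flow_log(text):
    """Parse default-format records. NODATA/SKIPDATA lines carry '-' in the
    counter fields, so they are dropped before the int() conversion."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2" or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def internal(addr):
    return ip_address(addr) in VPC_CIDR

def exposed_ssh(records, min_sources=3):
    """Slide 15: hosts accepting TCP/22 from many distinct external sources.
    Flow logs never show an auth failure; accepted short sessions from many
    unrelated internet sources is the observable sign that port 22 is open."""
    sources = defaultdict(set)
    for r in records:
        if (r["action"] == "ACCEPT" and r["protocol"] == 6 and r["dstport"] == 22
                and internal(r["dstaddr"]) and not internal(r["srcaddr"])):
            sources[r["dstaddr"]].add(r["srcaddr"])
    return {host: len(s) for host, s in sources.items() if len(s) >= min_sources}

def baseline_outbound(records):
    """Slides 7-8: per internal host, the external peers seen during the
    learning period and the largest single transfer to any of them."""
    model = defaultdict(lambda: {"peers": set(), "peak_bytes": 0})
    for r in records:
        if r["action"] == "ACCEPT" and internal(r["srcaddr"]) and not internal(r["dstaddr"]):
            m = model[r["srcaddr"]]
            m["peers"].add(r["dstaddr"])
            m["peak_bytes"] = max(m["peak_bytes"], r["bytes"])
    return dict(model)

def detect_exfil(records, baseline, factor=10):
    """Slides 8 and 13: alert only when a never-seen external peer AND a
    transfer far above the host's previous peak coincide; either alone is noise."""
    alerts = []
    for r in records:
        if not (r["action"] == "ACCEPT" and internal(r["srcaddr"]) and not internal(r["dstaddr"])):
            continue
        model = baseline.get(r["srcaddr"])
        if model is None:
            continue  # host is still in its learning period; no alert yet
        if r["dstaddr"] not in model["peers"] and r["bytes"] > factor * model["peak_bytes"]:
            alerts.append((r["srcaddr"], r["dstaddr"], r["bytes"]))
    return alerts

def segmentation_violations(records, rules):
    """Slide 16: rules are (src_cidr, dst_cidr, dstport-or-None) tuples that
    must never be ACCEPTed, e.g. the web tier talking straight to the DB tier."""
    compiled = [(ip_network(s), ip_network(d), p) for s, d, p in rules]
    hits = []
    for r in records:
        if r["action"] != "ACCEPT":
            continue
        src, dst = ip_address(r["srcaddr"]), ip_address(r["dstaddr"])
        for s, d, p in compiled:
            if src in s and dst in d and (p is None or r["dstport"] == p):
                hits.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return hits

# Constructed records: 10.0.1.x = web tier, 10.0.2.x = app tier, 10.0.3.x = DB tier.
BASELINE_LOG = """
2 123456789012 eni-0a1b2c3d 10.0.3.30 10.0.2.20 5432 41000 6 40 8800 1550000000 1550000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.3.30 192.0.2.100 44322 443 6 12 4000 1550000100 1550000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 192.0.2.100 50000 443 6 30 9000 1550000200 1550000260 ACCEPT OK
"""
WINDOW_LOG = """
2 123456789012 eni-0a1b2c3d 10.0.3.30 203.0.113.77 51000 443 6 900 950000 1553000000 1553000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.5 50001 443 6 10 5000 1553000000 1553000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 40001 22 6 6 360 1553000100 1553000110 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.6 10.0.1.10 40002 22 6 6 360 1553000120 1553000130 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40003 22 6 6 360 1553000140 1553000150 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 40004 22 6 1 60 1553000160 1553000170 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.30 45000 5432 6 5 300 1553000200 1553000210 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1553000000 1553000600 - NODATA
"""
RULES = [("10.0.1.0/24", "10.0.3.0/24", None)]  # web tier may never reach the DB tier

def run_example():
    baseline = baseline_outbound(parse_flow_log(BASELINE_LOG))
    window = parse_flow_log(WINDOW_LOG)
    return {"exposed_ssh": exposed_ssh(window),
            "exfil": detect_exfil(window, baseline),
            "segmentation": segmentation_violations(window, RULES)}

if __name__ == "__main__":
    for name, result in run_example().items():
        print(f"{name}: {result}")
```

Two design points match the slides rather than the toy thresholds: `detect_exfil` stays silent for a host with no baseline (slide 8's learning period), and the SSH check deliberately ignores REJECT records, since a rejected connection is the security group doing its job; only accepted sessions from many unrelated sources say the port is open.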
  17. How does it work? Amazon Web Services architecture. A role is created for SWC (Stealthwatch Cloud) in the customer's AWS account; its API permissions allow SWC to read AWS services, and only read-only permissions are required for VPC flow logs. Data is read into the SaaS portal over TLS 1.2. Sources shown feeding the portal: Amazon CloudWatch, AWS CloudTrail, Amazon VPC (flow logs from each VPC), Amazon Simple Storage Service (S3), AWS Identity and Access Management (IAM), Amazon GuardDuty, AWS Lambda, Amazon Inspector, AWS Config.
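What "a role created for SWC with read-only permissions" should look like in practice, as an added example that is not Cisco's published policy. It builds a cross-account trust policy that only the vendor's account can assume and only with an external ID (the guard against the confused-deputy problem in third-party access), a permission policy limited to discovering flow logs and reading one CloudWatch Logs group, and a small audit that flags the mistakes most often seen in vendor-integration roles. A weak version of the same role is included for comparison. The vendor account ID `111111111111`, the external ID, the log-group ARN and the action list are placeholders.

```python
"""Added example: the cross-account read-only role from slide 17, least privilege.

Vendor account ID, external ID, log-group ARN and the action list are
placeholders for this example, not Cisco's published policy.
"""
import json

def trust_policy(vendor_account, external_id):
    """Who may assume the role: one vendor account, and only when it presents
    the per-customer external ID (confused-deputy guard for third-party access)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}

def permission_policy(flow_log_group_arn):
    """What the role may do: discover flow logs and read one log group.
    ec2 Describe* calls take no resource-level scope, so they keep Resource '*';
    the log reads are pinned to the flow-log group and its streams (':*')."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeFlowLogs", "ec2:DescribeVpcs",
                    "ec2:DescribeNetworkInterfaces", "logs:DescribeLogGroups"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents", "logs:FilterLogEvents"],
         "Resource": [flow_log_group_arn, flow_log_group_arn + ":*"]},
    ]}

WRITE_VERBS = ("Create", "Delete", "Put", "Update", "Modify", "Attach", "Detach",
               "Run", "Terminate", "Start", "Stop")

def audit(trust, perms):
    """Findings for the usual vendor-role mistakes: open principal, no ExternalId,
    wildcard actions, and write actions in a role that should only read."""
    findings = []
    for st in trust["Statement"]:
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust: any AWS account may assume the role")
        conditions = st.get("Condition", {})
        if not any("sts:ExternalId" in v for v in conditions.values() if isinstance(v, dict)):
            findings.append("trust: no sts:ExternalId condition (confused deputy)")
    for st in perms["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"perms: wildcard action {action}")
            elif action.split(":", 1)[1].startswith(WRITE_VERBS):
                findings.append(f"perms: write action {action} in a read-only role")
    return findings

# The weak version of the same role, constructed for comparison.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
WEAK_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["logs:*", "ec2:CreateFlowLogs"], "Resource": "*"}]}

def hardened_role_findings():
    """Hardened trust + permission policies should produce no findings."""
    return audit(trust_policy("111111111111", "per-customer-external-id"),
                 permission_policy("arn:aws:logs:us-east-1:123456789012:log-group:vpc-flow-logs"))

if __name__ == "__main__":
    print("hardened role:", hardened_role_findings())
    print("weak role:", json.dumps(audit(WEAK_TRUST, WEAK_PERMS), indent=2))
```

The role only reads. Turning flow logs on in the first place (`aws ec2 create-flow-logs` against the VPC) is done by the account owner with their own credentials, so the vendor role never needs `ec2:CreateFlowLogs`; the audit treats that action as a finding for exactly that reason.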
  18. How do we integrate? Open APIs and built-in services allow harmonization with current systems: the SaaS management portal, web platforms, email, SIEM, AWS (Amazon S3, Amazon SQS, Amazon SNS) and other applications.
  19. How do I get started? 60-day free trial via AWS Marketplace or Cisco direct. SaaS management portal features: unlimited users, no patching necessary, support included, available anywhere, new features added monthly. Link to free trial: https://aws.amazon.com/marketplace/pp/B075MWZVBM
  20. cisco.com/go/stealthwatch-cloud
