Monitoring Network Security With CS - MARS

74 391 0

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

74 pages, 8.75 MB


Slide 2

HOUSEKEEPING

• We value your feedback; don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation, which will be available online from Friday.
• Visit the World of Solutions on Level -01!
• Please remember this is a 'No Smoking' venue!
• Please switch off your mobile phones!
• Please remember to wear your badge at all times, including the Party!
• Do you have a question? Feel free to ask during the Q&A section, or write your question on the Question form given to you and hand it to the Room Monitor when you see them holding up the Q&A sign.

Slide 3

Session Objectives

• Explain best practices in security information and event management
• CS-MARS main concepts and how it helps keep your network secure
• LIVE DEMO!
• Real-life implementation examples (for your reference)
• A good understanding of Cisco's security technologies and network monitoring foundations is suggested

Slide 4

Intelligent Security Threat Management

Slide 5

Security Operations/Reactions Today

(Figure: the sources a security operations team reacts to today: firewall, IDS/IPS, VPN, vulnerability scanners, authentication servers.)

Slide 6

Working proactively rather than reactively

(Figure: the management dilemma and the costly business dilemma. Labels: Mitigate attacks; Whom do I believe?; Who did it?; Who got infected?; Show me what happened!; Help security staff; In-depth defense noise; Poor attack identification; Compliance and audit mandates.)

Slide 7

Key Concept

• Events: raw messages sent to CS-MARS by the monitoring/reporting devices
• Sessions: events that are correlated by CS-MARS across NAT boundaries
• Incidents: sessions identified as matching correlation rules

Illustration (the second sentence is incomplete in the source): "Mark was hired to break into buildings. ... personnel are vigilant."
14 events (each word = 1 event)
2 sessions (each sentence = 1 session)
1 incident (the whole story)

Slide 8

(Figure: seven numbered, correlated sessions forming one story. Labels: "Joe Smith did lots of traffic at 9pm PST", "High amount of IPsec packets", "Joe Smith performed a buffer overflow", "Unusual traffic based on baseline".)

Slide 9

Typical Incident

Host A performs reconnaissance (ICMP and port scans) against Target X, followed by Host A launching a buffer overflow attack against Target X; where X is vulnerable to the attack, Target X then executes a password attack on Target Y.

Slide 10

Accurate Attack Path, Detailed Investigation

(Topology figure: networks 192.168.2.0/24 and 10.4.2.0/24, a CSA host and firewall HQ-FW-3; the suggested mitigation on HQ-FW-3 is "shun 135.17.76.5 445 tcp".)

Slide 11

Rule Details

Slide 12

Life of an Incident

1. Events come into the appliance from network devices
2. Events are parsed
3. Normalized
4. Sessionized / NAT correlation
5. Run against the rule engine
   - Drop rules are matched first
   - All rules are checked

Slide 13

Rules: Definition

Variables and operators allow context-sensitive correlation. The components of a rule are the following:

• Operators (and / or / followed-by) among matching events
• A count of matching events per row that must be reached for the rule to fire
• Variables that carry values over from one row to the next
• A time range that specifies how much time can pass between the first and last matching event

For your reference

Slide 14

Rules: Matching

A match for the first line gives a value to the variables, which the following lines must then satisfy:
$TARGET01 = 192.168.1.10
$TARGET02 = 40.40.1.23
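The pipeline described on slides 7, 9, 12, 13 and 14, as an added worked example in Python (written for this page; it is not CS-MARS code and does not reproduce its rule syntax): raw messages are parsed, signature names are normalized to vendor-neutral event types, addresses are mapped back across a NAT boundary so that an inside sensor and an outside sensor contribute to one session, drop rules are applied before correlation, and a three-row followed-by rule with carried-over variables ($SRC, $TARGET01, $TARGET02) and a 30-minute window produces the slide 9 incident. The device names, message formats, NAT translation log lines, signature names, drop rule and rule definition are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input (not real device output). Two IDS sensors and one
# firewall report to the collector; the firewall also logs its NAT translations,
# which is what lets a session be stitched together across the NAT boundary.
RAW_EVENTS = """\
2007-06-01T21:00:01 ids-inside sig=2100 name=ICMP_Sweep src=10.4.2.7 dst=40.40.1.23
2007-06-01T21:00:05 ids-inside sig=3002 name=TCP_Port_Sweep src=10.4.2.7 dst=40.40.1.23
2007-06-01T21:03:00 hq-fw-3 xlate src=10.4.2.7 to 135.17.76.5
2007-06-01T21:03:10 ids-outside sig=5000 name=Buffer_Overflow src=135.17.76.5 dst=40.40.1.23
2007-06-01T21:03:30 hq-fw-3 xlate src=10.4.2.99 to 135.17.76.99
2007-06-01T21:04:00 ids-outside sig=5000 name=Buffer_Overflow src=135.17.76.99 dst=40.40.1.23
2007-06-01T21:08:30 ids-outside sig=6250 name=SSH_Brute_Force src=40.40.1.23 dst=40.40.1.50
"""
IDS_RE = re.compile(r"^(\S+) (\S+) sig=\d+ name=(\S+) src=(\S+) dst=(\S+)$")
XLATE_RE = re.compile(r"^(\S+) (\S+) xlate src=(\S+) to (\S+)$")
# Normalization table: vendor signature names -> vendor-neutral event types.
NORMALIZE = {"ICMP_Sweep": "recon", "TCP_Port_Sweep": "recon",
             "Buffer_Overflow": "exploit", "SSH_Brute_Force": "password_attack"}

@dataclass(frozen=True)
class Event:
    ts: datetime
    device: str
    kind: str
    src: str
    dst: str
    raw: str

def parse(raw_text):
    """Steps 1-3: parse raw messages, collect the NAT table, normalize event types."""
    nat, events = {}, []
    for line in raw_text.splitlines():
        if m := XLATE_RE.match(line):
            nat[m.group(4)] = m.group(3)  # translated address -> real inside address
        elif m := IDS_RE.match(line):
            ts, dev, name, src, dst = m.groups()
            events.append(Event(datetime.fromisoformat(ts), dev, NORMALIZE[name], src, dst, line))
    return nat, events

def sessionize(nat, events):
    """Step 4: map translated addresses back to the real host, then group by (src, dst).
    Simplification: the NAT table is taken from the whole batch, not time-bounded."""
    sessions = {}
    for ev in events:
        real = Event(ev.ts, ev.device, ev.kind, nat.get(ev.src, ev.src), nat.get(ev.dst, ev.dst), ev.raw)
        sessions.setdefault((real.src, real.dst), []).append(real)
    return sessions

# Drop rule: the authorized vulnerability scanner must never start an incident
# ("log" keeps the event in the database for queries; "drop" would discard it).
DROP_RULES = [{"kind": "exploit", "src": "10.4.2.99", "action": "log"}]

# Correlation rule in the slide's shape: each row is (event type, count, source
# variable, destination variable); rows are joined by followed-by, and a variable
# bound on one row must take the same value on every later row.
RULE = {
    "name": "Recon, exploit, then password attack from the compromised host",
    "window": timedelta(minutes=30),
    "lines": [("recon", 2, "$SRC", "$TARGET01"),
              ("exploit", 1, "$SRC", "$TARGET01"),
              ("password_attack", 1, "$TARGET01", "$TARGET02")],
}

def _bind(vars_, var, value):
    # Bind var to value, or return None if var already holds a different value.
    if vars_ is None or vars_.get(var, value) != value:
        return None
    return {**vars_, var: value}

def apply_drop_rules(events):
    kept, logged = [], []
    for ev in events:
        hit = any(ev.kind == d["kind"] and ev.src == d["src"] for d in DROP_RULES)
        (logged if hit else kept).append(ev)
    return kept, logged

def run_rule(rule, events):
    """Step 5: every complete match of the rule inside its time window is an incident."""
    events = sorted(events, key=lambda e: e.ts)
    consumed, incidents = set(), []
    for i, first in enumerate(events):
        if i in consumed or first.kind != rule["lines"][0][0]:
            continue
        deadline, vars_, matched, row, need = first.ts + rule["window"], {}, [], 0, rule["lines"][0][1]
        for j in range(i, len(events)):
            ev = events[j]
            if ev.ts > deadline:
                break
            kind, _, src_var, dst_var = rule["lines"][row]
            if j in consumed or ev.kind != kind:
                continue
            bound = _bind(_bind(vars_, src_var, ev.src), dst_var, ev.dst)
            if bound is None:
                continue  # right event type, but not the hosts this match is tracking
            vars_, need = bound, need - 1
            matched.append(j)
            if need == 0:
                row += 1
                if row == len(rule["lines"]):
                    consumed.update(matched)
                    incidents.append({"rule": rule["name"], "vars": vars_,
                                      "events": [events[k] for k in matched]})
                    break
                need = rule["lines"][row][1]
    return incidents

def life_of_an_incident(raw_text=RAW_EVENTS):
    nat, events = parse(raw_text)
    sessions = sessionize(nat, events)
    kept, logged = apply_drop_rules([ev for s in sessions.values() for ev in s])
    return {"events": len(events), "sessions": len(sessions),
            "logged": len(logged), "incidents": run_rule(RULE, kept)}

if __name__ == "__main__":
    print(life_of_an_incident())
```

Running the file gives 5 events, 3 sessions, 1 event set aside by the drop rule and one incident binding $SRC=10.4.2.7, $TARGET01=40.40.1.23, $TARGET02=40.40.1.50. The exploit seen by the outside sensor arrives with source 135.17.76.5; without the firewall's translation log it would form a separate session and the followed-by chain would never close, which is the point of sessionizing across NAT before running the rules.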

Slide 15

Incident investigation

LIVE DEMO

Slide 16

(Dashboard screenshot: 2,694,083 events, 992,511 sessions.)

Slide 17

Incident Details

Rule definition

For your reference

Slide 18

Incident Details

• Reporting devices
• Raw messages for the selected session

For your reference

Slide 19

Sessions Graphically Displayed with Their Sequence

(Screenshot: 2 sessions)

For your reference

Slide 21

Rules: Mitigation

Two possible mitigation points on which we can act. Choose:

1. The mitigation device
2. The preferred command: block host, block connection, or shun

For your reference

Slide 22

Policy Lookup

Which entry on my access list triggered the alert?

Slide 23

Netflow and Statistical Information

Slide 24

Benefit of NetFlow

• Statistical profiling identifies day-zero attacks; it is also performed on connections through the firewalls

Exporting NetFlow from an IOS router to the CS-MARS appliance (10.42.41.1, UDP port 9991 in the slide):

  Router(config)# ip flow-export destination 10.42.41.1 9991
  Router(config)# ip flow-export version 5
  Router(config)# ip flow-export source Loopback0

Flow accounting must also be enabled on the interfaces whose traffic is to be exported (ip route-cache flow, or ip flow ingress on newer IOS releases); without it nothing is exported.

Note: CS-MARS only supports NetFlow version 5 and version 7

• It takes a few days to profile your network before it starts detecting anomalies
• Two dynamically generated watermarks compare the old data against the current data

Slide 25

Pre-Defined Anomaly Rules

Rule: "Sudden Traffic Increase To Port" (specific for day-zero attacks). Together with the rule whose name survives in the source only as "... denies—host compromise likely", these are the main day-zero rules.
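A worked example of what slides 24 and 25 describe, added here in Python (constructed for this page, not CS-MARS code): a parser for NetFlow version 5 export datagrams, the one record layout the slide says CS-MARS reads besides v7, and a per-destination-port check of the current interval's flow count against two watermarks derived from profiling history. The watermark definitions (baseline mean plus two and three standard deviations), the 72-sample profiling minimum, the flow records and the history are all assumptions made for the example; the deck says only that there are two dynamically generated watermarks and that profiling takes a few days.

```python
import socket
import struct
from collections import Counter
from statistics import mean, pstdev

# NetFlow v5 wire format: 24-byte header followed by up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MIN_SAMPLES = 72         # assumption: 72 hourly intervals (~3 days) of profiling before alerting
PROFILE_SIGMAS = (2, 3)  # assumption: low and high watermarks at mean + 2 sigma and mean + 3 sigma

def build_v5_datagram(flows, seq=0):
    """Constructed export packet; flows is a list of (src, dst, dport, octets, proto)."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       1, 2, 1, octets, 0, 0, 40000, dport, 0, 0x02, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, dport, octets, proto in flows)
    return header + body

def export_in_datagrams(flows, max_records=30):
    """A real exporter sends at most 30 v5 records per UDP datagram."""
    return [build_v5_datagram(flows[i:i + max_records], seq=i)
            for i in range(0, len(flows), max_records)]

def parse_v5(datagram):
    """Decode one v5 datagram; v7 (Catalyst) and v9 use other record layouts and are refused."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    flows = []
    for n in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + n * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "octets": f[6], "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows

def watermarks(history):
    """Two watermarks generated from the profiling history (the old data)."""
    mu, sigma = mean(history), pstdev(history)
    return tuple(mu + k * sigma for k in PROFILE_SIGMAS)

def check_port_counts(history_by_port, current_counts):
    """Compare the current interval (new data) against the watermarks, per destination port."""
    verdict = {}
    for port, count in current_counts.items():
        hist = history_by_port.get(port, [])
        if len(hist) < MIN_SAMPLES:
            verdict[port] = "profiling"  # not enough days of data yet: no anomaly verdict
            continue
        low, high = watermarks(hist)
        verdict[port] = "fire" if count > high else "watch" if count > low else "normal"
    return verdict

def sudden_traffic_increase(datagrams, history_by_port):
    counts = Counter(f["dport"] for d in datagrams for f in parse_v5(d) if f["proto"] == 6)
    return check_port_counts(history_by_port, counts)

# Constructed profiling history: hourly TCP flow counts per destination port.
HISTORY = {445: [20 + i % 5 for i in range(72)], 25: [200 + (i % 7) * 3 for i in range(72)]}

# Constructed current interval: one inside host sweeping SMB (port 445) across the
# site, ordinary mail traffic, and a few flows to a port that has no history yet.
SAMPLE_FLOWS = (
    [("10.4.2.7", f"10.4.{i // 250}.{i % 250 + 1}", 445, 120, 6) for i in range(400)]
    + [(f"10.4.2.{i % 50 + 1}", "10.4.9.25", 25, 4000, 6) for i in range(210)]
    + [("10.4.2.12", "10.4.9.80", 8080, 800, 6) for _ in range(5)]
)

def demo():
    return sudden_traffic_increase(export_in_datagrams(SAMPLE_FLOWS), HISTORY)

if __name__ == "__main__":
    print(demo())  # {445: 'fire', 25: 'normal', 8080: 'profiling'}
```

Port 445 crosses the high watermark and fires, port 25 stays under the low watermark, and port 8080 gets no verdict at all because it has not been profiled yet, which is the "few days to profile" caveat from the slide in code form: a port with no baseline cannot be called anomalous.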

Slide 26

• Currently supported: Cisco IOS and PIX/ASA

Slide 27

Using MARS in a Real Environment:

Cisco Telepresence Launch

Slide 28

Cisco TelePresence

Next-generation IP video conferencing

Slide 29

(Launch schedule figure: sessions in Hong Kong, San Jose, NYC and London with 15 customers each, press slots through the day, hosted by Rob Lloyd, Charlie Giancarlo, Marthin De Beer, Chris Dedicoat, Sue Bostrom and Charles Stucki.)

Slide 31

Security Event Example

Infected host attacking call managers

Slide 32

Tuning and False Positives

Slide 33

Tuning consists of:

• Modifying existing rules
• Creating your own rules
• Defining drop rules

Tuning allows quicker identification of the real problems by filtering out false positives.

Slide 34

Tune: Define Your Network Boundaries

In the system rules, you can modify the following:

• Source IP
• Destination IP
• Reporting device
• Add an action

Examples of good places to start:

• Excessive denies from the same source
• Worm propagation
• Excessive e-mail from the same source (tune it so that the source != your e-mail servers)
• Sudden increase of traffic (set the NetFlow valid networks to your inside network)

Slide 35

Tune: Create Custom Rules

You can further customize the system rules by:

• Duplicating a rule and modifying the copy without limitations
• Creating a new rule from scratch

Note: a rule cannot be deleted, only changed to the inactive state; otherwise old incidents that fired on it might be deleted as well.

Slide 36

Tune: Specify Valid Behavior

Define a drop rule so that an event will not start any incident under specific conditions:

1. Select the event to tune out
2. Choose whether to log it or drop it
3. Once the drop rule is created, you can modify it as with the normal rules

Slide 37

False Positives

(State diagram: rules produce false-positive candidates in four states: Unconfirmed False Positive (user intervention needed), System Determined False Positive, User Confirmed False Positive and User Confirmed Positive; the available actions are Drop and Log. A system-determined false positive is a firing event believed to be invalid, primarily because the attack was against an invalid target.)

Slide 38

False Positive: Examples

• We saw the attack, but is the destination vulnerable? Is the exploitable service running?
• We saw the attack, but correlation told us that the firewalls stopped the traffic, or antivirus cleaned it, or the host firewall stopped it

Slide 39

False Positive Summary

• To reduce false positives, rules fire at most once in five minutes after the first time they fire, and once in ten minutes after the third time
• (Screenshot: 376,000 instances, 5 types)
• The False Positives page shows how many types there are
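The re-firing schedule stated on this slide, implemented as an added Python example (written for this page, not CS-MARS code) so the effect on a noisy rule is visible. The deck does not say what "the same rule" is keyed on; the example assumes rule name plus source address, and the once-a-minute match scenario is constructed.

```python
from datetime import datetime, timedelta

class RuleThrottle:
    """Re-firing schedule from the slide: after a rule has fired once it fires at
    most once every five minutes; after its third firing, at most once every ten.
    Assumption: "the same rule" is tracked per rule name and source address."""

    def __init__(self):
        self._state = {}  # (rule, src) -> (times fired so far, time of last firing)

    @staticmethod
    def hold_off(times_fired):
        if times_fired >= 3:
            return timedelta(minutes=10)
        return timedelta(minutes=5) if times_fired >= 1 else timedelta(0)

    def should_fire(self, rule, src, now):
        """True if this match creates a new incident; False if it is folded into the last one."""
        fired, last = self._state.get((rule, src), (0, None))
        if last is not None and now - last < self.hold_off(fired):
            return False
        self._state[(rule, src)] = (fired + 1, now)
        return True

def firing_minutes(match_count, rule="Excessive denies from the same src", src="10.4.2.7"):
    """Constructed scenario: the rule matches once a minute for match_count minutes;
    return the minute offsets at which it is actually allowed to fire."""
    t0 = datetime(2007, 6, 1, 21, 0)
    throttle = RuleThrottle()
    return [m for m in range(match_count)
            if throttle.should_fire(rule, src, t0 + timedelta(minutes=m))]

if __name__ == "__main__":
    print(firing_minutes(41))  # [0, 5, 10, 20, 30, 40]
```

Forty-one matches in a row collapse to six incidents: the first three five minutes apart, the rest ten minutes apart. The matches that do not fire are still events and sessions in the database; only the creation of a new incident is suppressed.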

Slide 40

Queries/Reporting

Slide 41

Query
• A real-time filter
• Mostly used to drill down into an incident and do a real-time investigation

Report
• A query template with a schedule and an action associated to it
• Monitors the status of your network periodically

Slide 42

Create a Query

• Which data to filter: traffic originated from 10.155.155.240 regarding security posture validation
• What result output I am interested in: predefined view or custom
• Time range: the last one hour of data

Slide 43

Investigating Incidents with Queries

"10.1.1.10 is generating an attack, tell me more." In a few clicks you can see:

• Details for a device
• The destinations reached by 10.1.1.10
• The sessions for the destination of interest
• Or any other information

Slide 44

Reporting Needs

Slide 45

Working with Non-Natively

Supported Devices

Slide 46

All syslog messages received are stored in the database, regardless of whether they are supported or not.

• Even without creating a custom parser you can generate a query/report or an incident based on an unsupported event

Slide 47

Custom Parser / SNMP Traps

1. Create a new device/application type
2. Create an event type for the new device/application
3. Define the patterns associated with the event type
4. Add this new device/application into CS-MARS

Note: if you re-use event types already in the database, the predefined reports and rules will also work for the newly defined device.

Slide 48

Custom Parser: Example

• Define the fields you want to extract: source IP, received time, transmitted bytes
• Use the precompiled regular expressions for known parameters

Sample log line (Apache access-log format):

  155.98.65.40 - - [21/Nov/2004:21:08:47 -0800] "GET /~user/ HTTP/1.0" 200 1633 "-" "Lynx/2.8.2rel.1 libwww-FM/2.14"
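The custom-parser steps from slides 47 and 48 carried through in Python as an added example (written for this page; CS-MARS defines parsers in its own UI, and this code is not its implementation): precompiled sub-patterns for the known parameter types are assembled into one pattern for the new event type, the three fields the slide asks for are extracted from the slide's own log line, and the HTTP status is mapped onto a small set of vendor-neutral event types so existing reports and rules can be reused. The device type name "Apache Web Server", the event type names, the extra sample lines and the summary function are assumptions made for the example.

```python
import re
from datetime import datetime

# Precompiled building blocks for the known parameter types (the slide's
# "precompiled regular expressions for known parameters").
IPV4 = r"(?P<src_ip>(?:\d{1,3}\.){3}\d{1,3})"
CLF_TIME = r"\[\s*(?P<received>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\s*\]"
REQUEST = r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<protocol>HTTP/\d\.\d)"'
STATUS_BYTES = r"(?P<status>\d{3}) (?P<bytes>\d+|-)"
TRAILER = r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'

# Pattern for the new event type. The \s* inside the brackets also accepts the
# "[ 21/Nov/2004:21:08:47 -0800 ]" spacing shown on the slide.
APACHE_ACCESS = re.compile(rf"^{IPV4} \S+ \S+ {CLF_TIME} {REQUEST} {STATUS_BYTES}{TRAILER}$")
DEVICE_TYPE = "Apache Web Server"  # hypothetical custom device/application type name

def classify(status):
    """Map the HTTP status to a vendor-neutral event type, so one rule or report
    can be reused for every web server parsed this way."""
    if status >= 500:
        return "Web/Server Error"
    if status >= 400:
        return "Web/Client Error"
    return "Web/Request Served"

def parse_access_line(line):
    """Return the normalized event, or None if the line does not match (the raw
    message is still stored; it just cannot be used in parsed-field rules)."""
    m = APACHE_ACCESS.match(line.strip())
    if not m:
        return None
    status = int(m["status"])
    return {
        "device_type": DEVICE_TYPE,
        "event_type": classify(status),
        "src_ip": m["src_ip"],
        "received": datetime.strptime(m["received"], "%d/%b/%Y:%H:%M:%S %z"),
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
        "method": m["method"], "path": m["path"], "status": status,
        "agent": m["agent"] or "",
    }

def summarize(lines):
    """Per-source totals of the kind a query or report would show: event counts
    by type, bytes transmitted, and the lines the parser could not handle."""
    per_src, unparsed = {}, []
    for line in lines:
        ev = parse_access_line(line)
        if ev is None:
            unparsed.append(line)
            continue
        s = per_src.setdefault(ev["src_ip"], {"bytes": 0, "events": {}})
        s["bytes"] += ev["bytes"]
        s["events"][ev["event_type"]] = s["events"].get(ev["event_type"], 0) + 1
    return per_src, unparsed

# Constructed sample: the slide's line (with its spaced brackets), two probing
# requests from another client, and one line in a format this parser does not know.
SAMPLE_LINES = [
    '155.98.65.40 - - [ 21/Nov/2004:21:08:47 -0800 ] "GET /~user/ HTTP/1.0" 200 1633 "-" "Lynx/2.8.2rel.1 libwww-FM/2.14"',
    '10.4.2.7 - - [21/Nov/2004:21:09:01 -0800] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404 - "-" "Mozilla/4.0"',
    '10.4.2.7 - - [21/Nov/2004:21:09:02 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294 "-" "Mozilla/4.0"',
    'Nov 21 21:09:03 webhost sshd[4410]: Accepted password for user from 10.4.2.7 port 40000 ssh2',
]

if __name__ == "__main__":
    print(parse_access_line(SAMPLE_LINES[0]))
    print(summarize(SAMPLE_LINES))
```

Anchoring the pattern with ^ and $ and keeping the byte count optional ("-" for a request that returned no body) are the two details that usually break home-grown log parsers; the unparsed list is what you would check after adding the device, since a line that silently fails to parse never reaches the rules.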

Slide 49

Deployment Considerations

Slide 50

Where It Fits

(Network diagram: CS-MARS placement relative to the e-commerce, corporate Internet, VPN and remote access edge, distribution and core blocks.)

Slide 51

Possible Access Methods

• The three ways to add devices into CS-MARS:
  – Import from a seed file
  – SNMP auto-discovery (L3 devices; needs route information)
  – Add manually
• Preferred access types:
  – SSH
  – TELNET
  – SNMP (SNMP RO to discover L2 information)
  – FTP
  – RPC (for Windows)

Slide 52

Caveats When Adding Devices

• Access lists need to permit CS-MARS to connect to the devices
• RO SNMP is needed on switches and routers to read the L2 configuration
• On border devices SSH is the suggested method; SNMP is more intensive on the devices
• On Windows devices it is suggested to install the SNARE agent for better performance and real-time data
• On IDS, be specific in defining the monitored devices list
• Reporting IP address

Slide 53

Security vs. Network

(Figure: the same event as seen by two groups. Network Operations: "Interface E0/2 on HW-Router-1 is flapping". Security Operations: "Traffic on port 445 blocked inbound on HQ-FW-2".)

Slide 54

Security vs. Network

• "I don't have access rights to the routers"
• "How can I have the full topology?"

Enable SSH

Slide 55

Event Normalization

• The security monitoring environment is multi-vendor
• Events from different devices and vendors have

Slide 56

Management Tab

Manage events

Slide 57

Management Tab

Manage/create devices and networks

Manage/create services

Slide 58

Sizing Considerations

• How many access lists?
• What type of traffic do I see?
• Do I have NetFlow?
• How many users do I have on my VPN 3000 concentrator?
• How well is my IPS tuned?
• Is one IDS on the outside network?

Too many variables. Example: 170 devices, among those 4 ASA pairs (logging level 6).

Slide 59

Sizing Considerations

• Is this all I want to add? Consider also:
• Syslog volume can be measured with a free syslog server

Slide 60

(Figure: CS-MARS 50 and CS-MARS 100 local controllers (LC) reporting to a CS-MARS GC global controller.)

• Communication over HTTPS (using certificates)
• Only incidents from global rules are rolled up
• The GC can distribute updates, rules, report templates, access rules and queries across the LCs

Slide 61

Real Life Implementation

For your reference

Slide 62

CS-MARS in Action:

At a Big Financial

For your reference

Slide 63

Zero Day Virus: MYTOB Variant

For your reference

Slide 64

Need to address custom/internal applications and to fire incidents on them: integrate as much as possible in one console

For your reference

Slide 65

Proof of External Scan

"I am paying for someone to scan my network; how can I check that they actually do it?" A custom report.

For your reference

Slide 66

Viruses Found in My Network

(Reports: what happened with viruses; viruses not cleaned.)

For your reference

Slide 67

Where the Virus Was Sent

For your reference

Slide 68

Results Obtained with CS-MARS

• We have replaced multiple servers with CS-MARS
• "We are getting more proactive and quicker to react to events when they occur"
• "Windows, UNIX and application events are monitored in near real time"
• "Events are processed by rules and emailed to the appropriate people or groups for escalation or investigation"
• "Staff only get events that are pertinent to their job responsibilities"
• "Single view to entire network and systems"
• "We now have the ability to go back and look for trends or events in our data"
• "Reports can now be generated and scheduled for management or auditors with little effort"

For your reference

Slide 69

In Summary

• Intelligence needs to be moved as much as possible to computer speed
• To allow that, as much information as possible needs to be correlated together in a flexible way across a heterogeneous environment
• The network should be as integrated as possible, and cooperation among different groups is important for effective investigations
• It is not possible to rely on signatures only; network behavior analysis needs to be implemented in parallel

Slide 70

Meet the Experts

Slide 71

Meet the Experts

Slide 73

Q and A

Posted: 12/10/2016, 13:36