Welcome To SIO
Cisco
Security Intelligence Operations
http://www.networkworld.com/community/blog/cisco-security-intelligenceoperations-explai
http://www.wedomarketing.com/portfolio/playbook_c96-632812.pdf
http://www.ciol.com/ciol/news/50193/cisco-security-intelligence-operations
http://www.webtorials.com/main/resource/papers/cisco/paper167/reputationfiltering.pdf
http://www.cisco.com/ELearning/quickstart/security/cdc_bulk/Additional_Resources/resources/CSIO_Ata-Glance.pdf
http://technicafe.net/2012/06/junipers-new-mykonos-security-software_08.html
SIO AGENDA
• COMPONENTS OF SIO
• DIFFERENT REPUTATION FILTERS
• HOW SIO IMPLEMENTED
• WHERE SIO INCORPORATED
Cisco SIO is composed of three parts:
• Cisco SensorBase™, a comprehensive threat database;
• Threat Operations Center with 500 security analysts and
• constant dynamic updates fed to Cisco security devices.
SensorBase includes:
• More than 700,000 (and growing) globally deployed Cisco intrusion
prevention system (IPS), email security, web security, and firewall devices
• Cisco IntelliShield, a historical threat database of 40,000 vulnerabilities
and 3300 tuned IPS signatures
• More than 600 third-party threat intelligence sources, which track over
500 third-party data feeds and 100 security news feeds around the clock
More than 1000 threat collection servers process 500 GB of data a day.
The Cisco Threat Operations Center processes this global, real-time threat
intelligence and incorporates it into the security services available on Cisco
security devices.
CISCO SECURITY INTELLIGENCE OPERATIONS SIO
Email Reputation Filtering

• Cisco email security appliances retrieve reputation information in real time, as
incoming messages arrive.
• These Cisco devices query DNS text records in SensorBase and retrieve a
reputation score associated with the IP address of the sending server.
• The score can range from –10.0 for the worst email senders to +10.0 for the best.
The reputation score is based on more than 200 aggregated and weighted
parameters.
Email Reputation Filtering
• Cisco email security appliances reject email from servers with low
scores (below –3.0) and rate-limit senders that have medium to low
reputation scores.
• They can also white-list high reputation senders, such as IP
addresses with +9.0 scores from Fortune 1000 organizations.
• Because spam is so prevalent, most of our customers report that our
default settings block more than 90 percent of incoming message
attempts.
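The lookup-and-threshold logic described in the two Email Reputation Filtering slides, as an added Python example that is not part of the original deck or Cisco's code. The zone name, the `score=` TXT payload format, the reversed-octet query name (the common DNSBL convention) and the -1.0 upper edge of the rate-limit band are assumptions; only the -10.0 to +10.0 range, the reject threshold below -3.0 and the +9.0 allow-list example come from the slides.

```python
"""Added example: DNS-based sender reputation lookup and policy decision."""
import ipaddress
from typing import Optional

REPUTATION_ZONE = "reputation.example"  # hypothetical placeholder zone
REJECT_BELOW = -3.0                     # from the slides
THROTTLE_BELOW = -1.0                   # assumed edge of the "medium to low" band
TRUSTED_FROM = 9.0                      # from the slides (allow-list example)


def query_name(sender_ip: str, zone: str = REPUTATION_ZONE) -> str:
    """Build a DNSBL-style query name: reversed IPv4 octets plus the zone."""
    ip = ipaddress.ip_address(sender_ip)
    if ip.version != 4:
        raise ValueError("this sketch handles IPv4 senders only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def parse_score(txt_record: Optional[str]) -> Optional[float]:
    """Extract the score from a constructed 'score=<float>' TXT payload.

    Returns None when the record is missing, malformed or out of range,
    so the caller falls back to its default policy instead of acting on
    corrupt reputation data.
    """
    if not txt_record:
        return None
    for field in txt_record.split(";"):
        key, _, value = field.strip().partition("=")
        if key == "score":
            try:
                score = float(value)
            except ValueError:
                return None
            # NaN and infinities fail this range check and become None.
            return score if -10.0 <= score <= 10.0 else None
    return None


def decide(score: Optional[float]) -> str:
    """Map a reputation score to a connection-level action."""
    if score is None:
        return "accept-and-scan"  # no usable reputation: rely on content filters
    if score < REJECT_BELOW:
        return "reject"
    if score < THROTTLE_BELOW:
        return "rate-limit"
    if score >= TRUSTED_FROM:
        return "allow-list"
    return "accept-and-scan"


# Constructed TXT answers keyed by query name (documentation IP ranges).
SAMPLE_ZONE = {
    "10.2.0.192.reputation.example": "score=-7.5",
    "20.100.51.198.reputation.example": "score=-2.1",
    "30.113.0.203.reputation.example": "score=9.4",
    "40.2.0.192.reputation.example": "score=bogus",
}


def evaluate(sender_ip: str, zone_data=SAMPLE_ZONE) -> str:
    """Look up the sender in the sample zone and return the action."""
    return decide(parse_score(zone_data.get(query_name(sender_ip))))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.20", "203.0.113.30",
               "192.0.2.40", "192.0.2.99"):
        print(ip, query_name(ip), evaluate(ip))
```

A sender with no record or an unparseable one is neither rejected nor trusted; it is passed on to content scanning, so a reputation-service outage does not become a mail outage or an open door.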
Web Reputation Filtering
• Cisco web security appliances connect to Cisco SIO every five minutes for
database updates. These rulesets contain lists of compromised web hosts as well
as information about infected URLs and pages.
• Rapid, granular scanning of each object on a requested webpage, rather than just
URLs and initial HTML requests, significantly reduces the chance of infection.

• The appliances dynamically calculate the risk of each web request and response
using reputation data to block high-risk transactions and safeguard users from
attacks such as IFrame and cross-site scripting.
• Web reputation filtering is used in conjunction with signature and behavior-based
scanners to provide much faster and stronger multi-layered web protection.
IPS Reputation Filtering
• Cisco intrusion prevention systems connect to Cisco SIO every 30 minutes and
retrieve updated reputation data based on parameters such as whether the IP
address is a Dynamic Host Configuration Protocol (DHCP) address, whether the IP
address has a Domain Name System (DNS) entry, and how often that information
changes.
• For example, the IPS sensor may detect an event that is often but not always
associated with malicious activity. Without Global Correlation, the sensor will send
an alert about the activity, but no action is taken on the network traffic.
• With Global Correlation, however, the sensor can access a wealth of historical
data on the source of the traffic. If the reputation is low, the sensor can take direct
action and thwart the potential attack without the risk of blocking valid traffic.
• The sensor can also use reputation data to pre-filter traffic from sources with
extremely low reputations, saving processing power for additional inspection.
Layer 4 Traffic Monitor
• Cisco Web Security Appliances include a Layer 4 Traffic Monitor, in addition to web reputation
filters and multiple malware scanning engines, which detect website malware activity.
• It scans all ports at wire speed, detecting and blocking spyware phone-home activity. By
tracking all 65,535 network ports at the network data center, the Layer 4 Traffic Monitor
effectively stops malware that attempts to proliferate through the network.
• In addition, the Layer 4 Traffic Monitor can dynamically add IP addresses of known malware
domains to its list of ports and IP addresses to detect and block.
• Using this dynamic discovery capability, the Layer 4 Traffic Monitor can monitor the movement
of malware in real time—even as the malware host tries to avoid detection by migrating from
one IP address to another.
• Cisco SIO produces reputation scores for various traffic sources (networks) and
then downloads the scores to Cisco IPS sensors that have been configured to
receive them. These scores form the basis of the Cisco IPS Global Correlation
feature.
Thus, bad traffic denied by a Cisco IPS sensor falls into three categories:
• Global Correlation Reputation Filtering: Based on reputation alone. Flow is not
passed to the traditional inspection engines.
• Global Correlation Inspection: Based on a combination of traditional inspection
and network reputation information. The risk rating mechanism combines the two
threat signals.
• Traditional IPS Detection: Based on traditional inspection techniques, including
protocol decoding engines, signature based inspection, and anomaly detection via
statistical analysis of network traffic. In this case, network reputation information for
the traffic flow is not available or does not have an effect on the flow.
• In addition to collecting data from network security devices, SensorBase also collects
raw data from 600 third-party news and data feeds, such as DNS registry information
and global public blacklists/whitelists.
Global Correlation on Cisco IPS
Threat Operations Center
• The operations arm of Cisco SIO is a combination of people and automated
algorithms that process Cisco SensorBase data in real time. These teams create
machine-generated and manually generated rules for protection against new and
dynamic threats, creating 95% of the rules that Cisco's network security devices use.
• Rules are published to Cisco products in the form of automated rules and signatures,
and to customers through alerts and bulletins.
The Threat Operations Center consists of:
• Applied Security Research (ASR): ASR's main work is to look for vulnerabilities in
key technology areas and to provide threat indications and analysis to customers.
• Cisco IPS Signature team: Its main work is to research exploits and write
vulnerability signatures for IPS products.
Threat Operations Center
• Cisco IronPort Email and Web Threat Research Teams: Provide the latest
protection for SMTP and Web-based attacks.
• Cisco Malware Research Lab: A centralized malware lab focused on researching
the latest malicious activity.
• Intrusion Protection Signature Team: Researches and develops vulnerability and
exploit-specific signatures that are used by IPS product lines.
• Cisco Product Security Incident Response Team (PSIRT): Evaluates and works
across Cisco to mitigate vulnerabilities reported in Cisco products.
• Strategic Assessment Technology Team (STAT): Advanced, area-specific security
research and product vulnerability testing.
Threat Operations Center
• Infrastructure Security Research & Development (ISRD): A research-oriented,
business enablement function that maintains strong expertise in the area of security
and creates security solutions for customers engaged in emerging industries and
infrastructures.
• Remote Management Services (RMS): Provides 24x7x365 remote monitoring and
management of Cisco security devices that are deployed on your network.
• IntelliShield Security Analysts: Collect, research, and provide information about
security events that have the potential for widespread impact on customer networks,
applications, and devices.
Dynamic Updates
Cisco SIO’s dynamic updates deliver current and complete security information to
Cisco customers and devices.
Threat mitigation data is provided through:
• Automatic rule updates for Cisco products, such as firewall, web, IPS, or email
devices delivered every 3 to 5 minutes
• Cisco IntelliShield Alert Manager Service
• Security best-practice recommendations and community outreach services
• Dynamic updates act as a communication hub responsible for streaming updates to
Cisco devices and customers. Two major parts are involved:
• one generates real-time updates, which are automatically delivered to security
devices, and
• the other helps customers track and analyse threats to improve their overall
security arrangement.
Examples of the other forms of Cisco security intelligence include:
• Cisco IntelliShield Alerts, including Malicious Code Alerts, Security Activity
Bulletins, Security Issue Alerts, Threat Outbreak Alerts, and Geopolitical
Security Reports
• Cisco Annual Security Reports
• Cisco PSIRT Security Advisories and Security Responses
• Applied Mitigation Bulletins
• Cyber Risk Reports
• Security Intelligence Best Practices
• Service Provider Security Best Practices
• Cisco IPS Active Update Bulletins
• IntelliShield Event Responses
• Annual Security Report
• Cisco IronPort Virus Outbreak Reports
Advanced Cisco SIO protection is available on the following Cisco
products:
• Cisco Adaptive Security Appliances
• Cisco IronPort Email Security Appliances, Hosted Email Security, and Hybrid
Hosted Email Security
• Cisco IronPort Web Security Appliances
• Cisco Intrusion Prevention Systems
• Cisco Integrated Services Modules
• Cisco IntelliShield Alert Services
These devices and hosted services are licensed with one or more security
filters that are powered by Cisco SIO, including:
• Cisco IronPort Virus Outbreak Filters
• Cisco IronPort Anti-Spam
• Cisco IronPort Email Reputation Filters
• Cisco IronPort Web Reputation Filters
• Cisco IPS Reputation and Signature Filters
• Cisco Firewall Botnet Traffic Filters
Thank You By Prem Kumar Viswanathan
© 2009 Cisco Systems, Inc. All rights reserved.
