Cisco & Big Data Security

Academic year: 2021


(1)

Cisco & Big Data Security

(2)

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

The any-to-any world and the Internet of Everything is an evolution in connectivity and collaboration that is unfolding rapidly. It's the nexus of devices, clouds, and applications.

Global cloud traffic will increase sixfold over the next five years, growing at a rate of 44 percent from 2011 to 2016.

(3)
(4)


"Every two days we create as much information as we did from the dawn of civilization up until 2003."

Eric Schmidt (Chairman of Google)

(5)

Fraud detection
Wire transfer alerts
Traffic analysis
Network optimization to support service levels
Environment monitoring
Security / anti-terror
Cyber security
Customer loyalty programs
Subscriber data management
Content monetization
Store operation analysis
Collaborative planning and forecasting

(6)
(7)

[Chart: traffic share by category. Labels on the slide: search engines, online video, social networks, advertisements; values shown: 36%, 22%, 20%, 13%.]

(8)


[Chart: monthly series, Jan to Dec, on a 0% to 90% axis, broken down by targeted category: Prescription Drugs, Luxury Watches, Credit Card, Business Reviews, Professional Network, Electronic Money Transfer, Accounting Software, Social Network, Professional Associations, Airline, Mail, Weight Loss, Government Organization, Windows Software, Cellular Company, Online Classifieds, Taxes.]

(9)

Malscript/Iframe 83.43%
Exploit 9.86%
Infostealing 3.49%
Downloader 1.12%
Worm 0.89%
Virus 0.48%
Mobile 0.42%
Scareware 0.16%

(10)
(11)
(12)

[Diagram: Advanced Persistent Threat. Elements: Users & Applications; Compromised Site & Exploit Server; CNC.]

(13)

Social engineering + zero-day attack

(14)


Threat Operations Center
Dynamic Updates
SensorBase
Globally deployed devices: 1.6M
Data received per day: 75 TB
Web requests: 13B
Globally deployed endpoints: 150M
35%

(15)

Leveraging Cisco SensorBase

[Diagram labels: Email Sensor Data; Web Sensor Data; Verdict; Threat Index (Very Good / Unknown).]

Sample email shown on the slide:

Information Update
Dear Mr. Paulo Roberto Borges,
We are contacting you in order to inform about a mandatory update of your personal data, which is being conducted
Bank A
[email protected]

(16)


Outbreak Filters in Action

[Diagram labels: Internet; Email Security; Targeted Attack Filter; Cisco Security Intelligence Operations; Dynamic Quarantine; Inbox.]

(17)

Web Reputation (信譽評等, reputation rating)

Internet Explorer (IE) Zero-Day Vulnerability

Day 0: Exploit site detected
Day 8: Exploit site volume up; malware detected
Day 14: IPS signature published; C&C server blocked
Day 16: A/V vendor "A" signature published (partial)
Day 17: A/V vendor "B" signature published
Day 18: A/V vendors "A" and "C" full signature published

Competitive approaches: endless race against hackers

Other timeline markers: Security Advisory Issued; IE Patched; Blocked by Cisco

(18)
(19)

Info about domains:

Domain Name: ROOTADMIN2012.COM
Creation Date: 23-jan-2013
Expiration Date: 23-jan-2014

Domain Name: MYADMIN2012.COM
Creation Date: 23-jan-2013
Expiration Date: 23-jan-2014

Both domains hosted at the following IP address in Japan: 61.196.247.51 (061196247051.cidr.odn.ne.jp)

(20)
(21)

Social engineering + zero-day attack

(22)


(23)

[Diagram labels: Infected Client; Cisco ASA 5500 Series; Botnet Traffic Filters; Command and Control; Cisco Security Intelligence Operations.]

(24)


Live Dashboard, Integrated Reporting, Monitoring

(25)

Enabling the Potential of Network-Wide Context Sharing

"That Didn't Work So Well!"

SIO
I have threat data! I have sec events! I need reputation…
I have NetFlow! I need entitlement…
I have reputation info! I need threat data…
I have NBAR info! I need identity…
I have location! I need identity…
I have MDM info! I need location…
I have application info!

(26)


Enabling the Potential of Network-Wide Context Sharing

SIO
I have NBAR info! I need identity…
I have location! I need identity…
I have MDM info! I need location…
I have app inventory info! I need posture…
I have identity & device-type! I need app inventory & vulnerability…
I have firewall logs! I need identity…
I have threat data! I need reputation…
I have sec events! I need reputation…
I have NetFlow! I need entitlement…
I have reputation info! I need threat data…
I have application info! I need location & auth-group…

pxGrid Context Sharing: single framework; direct, secured

(27)

Who, What, Where, When, How

Cisco® ISE: Wired, Wireless, VPN

Business-relevant policies
Security policy attributes: Identity, Context

(28)


Backed by Cisco SecureX

[Diagram labels: Cisco Prime; Third-Party MDM Appliance; MDM Manager; Wired Network Devices; Cisco Catalyst® Switches; Office Wired Access; Office Wireless Access; Cisco® ISE; Remote Access; Cisco ASA Firewall & IPS; Cisco CSM and ASDM; Cisco WLAN Controller; Web Security; Cisco AnyConnect.]

(29)

CISCO ISE and SIEM & Threat Defense Partners

ISE provides context: identity, device-type, posture, authorization level, location
SIEM/TD takes action: network quarantine of users & devices via ISE
ISE matches to
Cisco switch executes
(Example user on the slide: Scott Smith)

(30)


Workflow steps: Potential Breach Event; Associate User to Event; Check Endpoint Posture; How Do I Mitigate?; Where is it on the Network?; What Kind of Device is it?; Associate User to Authorization

MANY SCREENS, MISSING DATA; COMPLICATED MITIGATION

Sources consulted: SIEM; AAA Logs; IAM; NAC; ??; ??; ??

(31)

Workflow steps: Potential Breach Event; Associate User to Event; Check Endpoint Posture; Mitigate in Network; Check Network Location; Check Device Type; Associate User to Authorization

Data sources: Security Event; ISE User and Device; Endpoint Network Action; Integrated Mitigation

ONE SCREEN, ALL DATA; INTEGRATED MITIGATION

(32)


SIEM & Threat Defense

ISE provides user and device context to SIEM and Threat Defense partners. Partners utilize context to identify users, devices, posture, location and network privilege level associated with SIEM/TD security events. Partners may take network action on users/devices via ISE.

Prioritize events, user/device-aware analytics, expedite resolution.

Mobile Device Management

ISE serves as policy gateway for mobile device network access. MDM provides ISE mobile device security compliance context. ISE assigns network access privilege based on compliance context.
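The enrichment flow the slide describes (a SIEM event keyed by source IP is associated with a user and device through ISE, MDM compliance is consulted, the event is prioritised and a network action is chosen) is simulated below as an added example. This is not Cisco's code and does not use the real pxGrid or ISE APIs; the session table, the MDM table, the alerts, the field names and the scoring thresholds are all constructed for illustration.

```python
"""Added example (not Cisco's code): ISE-to-SIEM context enrichment and
integrated mitigation, simulated with constructed data. Field names, the
session/MDM tables and the scoring thresholds are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IseSession:
    """Active network session as ISE would know it (constructed record)."""
    ip: str
    user: str
    device_type: str
    posture: str        # "compliant", "non-compliant" or "unknown"
    auth_profile: str   # authorization profile applied at login
    location: str       # network device and port the endpoint sits on


@dataclass
class SecurityEvent:
    """A SIEM / threat-defense alert that knows only the source IP."""
    src_ip: str
    category: str
    severity: int       # 1 (informational) .. 10 (critical)


@dataclass
class EnrichedEvent:
    event: SecurityEvent
    session: Optional[IseSession]
    mdm_compliant: Optional[bool]
    priority: int
    action: str


# Constructed ISE session table (keyed by endpoint IP) and MDM compliance table.
ISE_SESSIONS: Dict[str, IseSession] = {
    "10.1.20.15": IseSession("10.1.20.15", "scott.smith", "Windows-Workstation",
                             "compliant", "Employee", "sw-floor3 Gi1/0/7"),
    "10.1.44.201": IseSession("10.1.44.201", "jdoe", "iPad",
                              "unknown", "BYOD", "wlc-hq ap-lobby"),
}
MDM_COMPLIANCE: Dict[str, bool] = {"jdoe": False}   # MDM flags jdoe's tablet


def decide(event: SecurityEvent, session: Optional[IseSession],
           mdm_compliant: Optional[bool]):
    """Priority = severity, +3 if posture or MDM reports non-compliance,
    +1 if the authorization profile carries internal privileges.
    Thresholds (8 quarantine, 5 restrict) are illustrative assumptions."""
    if session is None:
        # No identity context at all: cannot act by user, so hand to an analyst.
        return event.severity, "investigate: no ISE session for source IP"
    score = event.severity
    if session.posture == "non-compliant" or mdm_compliant is False:
        score += 3
    if session.auth_profile in ("Employee", "Admin"):
        score += 1
    if score >= 8:
        action = f"quarantine {session.user} via ISE at {session.location}"
    elif score >= 5:
        action = f"restrict {session.user}: reauthorize with limited access"
    else:
        action = "monitor"
    return score, action


def enrich(event: SecurityEvent,
           sessions: Dict[str, IseSession] = ISE_SESSIONS,
           mdm: Dict[str, bool] = MDM_COMPLIANCE) -> EnrichedEvent:
    """Associate the event with a user/device via ISE, pull MDM compliance
    for that user, then score the event and choose the action."""
    session = sessions.get(event.src_ip)
    mdm_state = mdm.get(session.user) if session else None
    priority, action = decide(event, session, mdm_state)
    return EnrichedEvent(event, session, mdm_state, priority, action)


def triage(events: List[SecurityEvent]) -> List[EnrichedEvent]:
    """Enrich every alert and order the analyst queue by priority, highest first."""
    return sorted((enrich(e) for e in events), key=lambda x: -x.priority)


if __name__ == "__main__":
    sample = [                                           # constructed alerts
        SecurityEvent("10.1.20.15", "malware-callback", 4),
        SecurityEvent("10.1.44.201", "c2-beacon", 7),
        SecurityEvent("10.9.9.9", "port-scan", 6),
    ]
    for item in triage(sample):
        print(item.priority, item.event.src_ip, item.action)
```

The point the slide makes is visible in the output: the same severity-7 alert that a SIEM alone would queue behind nothing in particular becomes the top item once ISE reports the device is unmanaged and MDM reports it non-compliant, and the chosen action names the user and the network location where ISE can enforce it, whereas an IP with no ISE session can only be escalated for manual investigation.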

(33)
