the critical security controls and the stealthwatch system
DESCRIPTION
As today’s cyber-attackers become more sophisticated and nefarious, organizations must adopt the right mix of conventional and next-generation security tools to effectively defend their infrastructure from advanced threats. The Critical Security Controls effort is a growing movement that has been helping government agencies and large enterprises prioritize their cyber security spending accordingly. By leveraging NetFlow and other types of flow data, Lancope’s StealthWatch System delivers continuous network visibility to fulfill a number of the highest priority controls, enhancing timely detection of targeted threats and improving incident response. Learn the latest about the Critical Security Controls and hear how the StealthWatch System fits in.TRANSCRIPT
1111
Ask the Expert Webcast: The Critical Security Controls and the
StealthWatch System
John Pescatore, Director, SANS Charles Herring, Lancope
Obligatory Agenda Slide
• Housekeeping info • Here’s what we will do
– 1:05 – 1:20 The Critical Security Controls– John Pescatore, SANS
– 1:20 – 1:45 StealthWatch - Charles Herring, Lancope
– 1:45 – 2:00 – Q&A
2
Bios John Pescatore joined SANS in January 2013 with 35 years experience in computer, network and information security. He was Gartner’s lead security analyst for 13 years, Prior to joining Gartner Inc. in 1999, he was Senior Consultant for Entrust Technologies and Trusted Information Systems. Before that, John spent 11 years with GTE developing secure computing and telecommunications systems. Mr. Pescatore began his career at the National Security Agency and the United States Secret Service, He holds a Bachelor's degree in Electrical Engineering from the University of Connecticut and is a NSA Certified Cryptologic Engineer.
3
Bios
Charles Herring is Senior Systems Engineer at Lancope and longtime StealthWatch user. While on active duty in the US Navy, Charles leveraged StealthWatch in his role as Lead Network Security Analyst for the Naval Postgraduate School. He was tasked with staffing and training Network Security Group personnel, building the security architecture and developing incident response procedures. After leaving the Navy, he spent six years consulting with Federal government, disaster relief organizations and enterprise on network security, communication and process improvement.
4
5555
Focus on protecting the mission first Effectively and efficiently and quickly
Advanced targeted attacks are happening now
Break the Breach Chain
Compliance must follow security
Disrupting the Breach chain
Source: Neusentry 2012 © 2013 The SANS™ Institute – www.sans.org 6
DMZ Monitoring
Advanced Threat Detect
Monitor internal flows
Monitor external flows
Critical Security Controls
7 7
1 2 3
4
5
6
7
8 9
10 11 12 13
14
15
16
17
18
19 20
1) Inventory of Authorized and
Unauthorized Devices
11) Limitation and Control of Network Ports,
Protocols and Services
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Wireless Access Control
8) Data Recovery Capability
9) Security Skills Assessment and Appropriate Training to Fill Gaps 10) Secure Configuration of Devices such as Firewalls,
Routers, and Switches
20) Penetration Tests and Red Team Exercises
19) Secure Network Engineering
18) Incident Response Capability
17) Data Protection
15) Controlled Access Based on Need to Know
14) Maintenance, Monitoring and Analysis of Audit Logs
13) Boundary Defense
12) Controlled Use of Administrative Privileges
16) Account Monitoring and Control
Benefits: Risk Reduction and Visibility
0.0%10.0%20.0%30.0%40.0%50.0%60.0%70.0%
Risk
redu
ctio
n/vu
lner
abili
tym
itiga
tion
Impr
ovem
ents
to o
vera
llris
k po
stur
e
Situ
atio
nal
awar
enes
s/ga
p an
alys
is
Com
plia
nce
to m
anda
tes
and
regu
latio
ns
Thre
at m
itiga
tion
Inci
dent
resp
onse
Dete
ctin
g ad
vanc
edat
tack
s
Benc
hmar
king
syst
emic
impr
ovem
ents O
ther
Where have the Controls you implemented made the most improvement and/or helped you close your gaps? (Check all that
apply.)
Critical Security Controls Update
• Now maintained by the Council On CyberSecurity
• Version 5.0 in public review • Updated prioritization and definitions of
subcontrols
9
Getting to Continuous Security Action
Shield
Eliminate Root Cause
Monitor/ Report
Policy Assess Risk
Baseline Vuln Assessment/Pen Test Security Configuration
Mitigate
• FW/IPS/ATD • Anti-malware • NAC
• Patch Management • Config Management • Change Management
• Software Vuln Test • Training • Network Arch • Privilege Mgmt
Discovery/Inventory
• SIEM • Situational Awareness • Incident Response
Threats Regulations Requirements OTT Dictates
The Critical Security Controls and the StealthWatch System
11
Charles Herring Senior Systems Engineer [email protected]
Lancope: The Market Leader in Network Visibility Technology Leadership • Powerful threat intelligence • Patented behavioral analysis • Scalable monitoring up to 3M flows per second • 150+ algorithms
12
Best of Breed • 650 Enterprise Clients • Key to Cisco’s Cyber Threat Defense • Gartner recommended
• NBA market leader • Flow-based monitoring
© 2013 Lancope, Inc. All rights reserved.
Your Infrastructure Provides the Source...
Internet Atlanta
San Jose
New York
ASR-1000
Cat6k
UCS with Nexus 1000v
ASA Cat6k
3925 ISR
3560-X
3850 Stack(s)
Cat4k Datacenter
WAN
DMZ
Access
NetFlow
NetFlow
NetFlow
NetFlow
NetFlow
NetFlow
NetFlow
NetFlow
NetFlow
NetFlow
NetFlow
NetFlow
NetFlow
NetFlow
NetFlow NetFlow
© 2013 Lancope, Inc. All rights reserved. 13
…for Total Visibility from Edge to Access.
Internet Atlanta
San Jose
New York
ASR-1000
Cat6k
UCS with Nexus 1000v
ASA Cat6k
3925 ISR
3560-X
3850 Stack(s)
Cat4k Datacenter
WAN
DMZ
Access
© 2013 Lancope, Inc. All rights reserved. 14
SANS Critical Controls Boundary Defense
15
Defense Type L3, L4, L7 Blocking
Signature Detection
Emerging Threat Detection
Targeted Threat Detection
Firewalls Yes Limited No No
Signature IDS Limited Yes No No
Malware Sandbox
No No Yes Limited
StealthWatch No Limited Yes Yes
16
Flow Statistical Analysis
16 © 2013 Lancope, Inc. All rights reserved.
SANS Critical Controls Monitoring & Audit
17
Defense Type Detection Mechanism
Data Source
SIEM Boolean Syslog
StealthWatch Algorithmic NetFlow
SANS Critical Controls Incident Response and Management
18
Logging Type Data Stored
Endpoint Hard Drive/Memory
Packet Capture Raw PCAP
Log Collection Syslog
StealthWatch NetFlow
Transactional Audits of ALL activities
19 © 2013 Lancope, Inc. All rights reserved.
SANS Critical Controls Secure Network Engineering
20
Monitor Type Data Monitored
Firewall Change Control
Changes in FW Configuration records
Configuration Polling SNMP
StealthWatch NetFlow against Policy
http://www.lancope.com
@Lancope (company) @netflowninjas (company blog)
https://www.facebook.com/Lancope
http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
https://plus.google.com/u/0/103996520487697388791/posts
http://feeds.feedburner.com/NetflowNinjas
Thank You
21 © 2013 Lancope, Inc. All rights reserved.
Charles Herring Senior Systems Engineer Lancope
22
Resources
• SANS Reading Room: http://www.sans.org/reading_room/
• Blog – www.sans.org/security-trends/ • Sponsor link: http://www.lancope.com • Questions: [email protected]
23