CiscoWorks CWSIMS v3.1.1 Overview – February 2004
Jon Stiley
[email protected]
CiscoWorks Security Information Management Solution (CW SIMS)
© 2003, 2001, Cisco Systems, Inc. All rights reserved.
Today’s Threat Defense Motivators
• Zero-Day Worms and Viruses
• Application Vulnerabilities
• Denial of Service Attacks
• Reconnaissance probes
• Attacks through permitted traffic
• Insider threats
• Operational complexities of managing security
• Legal Accountabilities
Enterprise architecture
[Diagram: three tiers (DMZ, Middle Tier, Back-End) between the network edge (Partners & Suppliers, Frame Relay, Private Backbone, Peering Stats) and Content Distribution Networks (Akamai, Digital Island (C&W)). DMZ: Router, Load Balancer, Bandwidth Manager (F5, Resonate, Cisco, Nortel, Foundry, 3COM, Lucent, Juniper), Web Cache (Inktomi, Persistence, F5, Cisco), Web Server (Apache, IIS, Netscape, iPlanet), DNS (BIND). Middle Tier: Directory Server (NDS, iPlanet, Netscape, Microsoft), App Server (ATG Dynamo, BroadVision, BEA WebLogic, IBM WebSphere, iPlanet App Svr), Middleware (TIBCO, MQ Series, Vitria, WebMethods, SeeBeyond, MSMQ). Back-End: ERP / CRM Application (Siebel, SAP, Baan, PeopleSoft), databases (Oracle, Microsoft SQL, Informix, Sybase).]
Secured Enterprise architecture
[Diagram: the same tiers and vendors as the previous slide with a Security Infrastructure overlay: Firewall and Network IDS at the DMZ, Firewall and Host IDS at the Middle Tier, Network IDS and application logging (App. Log) at the Back-End.]
Dealing with multi-layered security
• Massive amounts of data
• Growing numbers of false positives
• Numerous silos of stored data
Creates an exponential effect on your level of Exposure and Risk!
Security Management Challenges
• Identifying the REAL Threats
• Correlating events
– Across multiple data sources
• Knowledge of the vulnerabilities
• Apply the appropriate response
– Immediately!
The Security Resource Gap
Security teams are overwhelmed by data…
– Security organizations today perform only “24X7 Triage” *
– Each security operator can monitor up to 15 devices **
– Event correlation is near impossible
– All but the most critical security events go unnoticed
[Chart: Security Resource Requirements, PEOPLE against TIME, showing the RESOURCE GAP between What’s Needed and the Existing Team]
*Source: Greg Shipley, Network Computing Magazine
**Source: Gartner Group, 7/02 (Depending Upon Device Type)
CiscoWorks SIMS
Intelligence for the Cisco Integrated Security Solution
Intelligence that lets you reduce business risk and prepare for the next unknown attack!
- Correlates real-time event data and presents it in a form that is intuitive and actionable
- Identifies security attacks as they occur
- Assesses risks and threats instantly
- Reduces data overload and false positives
- Ensures regulatory and audit compliance
Available in…
• Easy-to-deploy hardware solution
• Massively scalable software solution
The Leading SIM Solution
Powered by
Award-winning technology
CiscoWorks SIMS Overview
Key features:
• Real-time monitoring and graphing
• Advanced reporting includes over 250 reports + custom reports
• Business impact for value/risk assessment
• Minimizes the time gap between detection and reaction
• Scalable distributed monitoring with fail-over to support large IDS, CSA and PIX deployments
• Role-based administration
Step 1: We have a problem
You get a page and see the number of worldwide severe events.
Step 2: What kind of problem, where’s the problem, who’s seeing the problem
[Screenshot callouts: Events displayed from IDS device; Attack alarm; Day zero attack w/o signature; Port 1434 is being used with various sources/destinations; Shows assets under attack.]
Step 3: What’s the device seeing?
[Screenshot callouts: Drill down into IDS device; What it looks like when signature added; Right-click feature that allows for additional forensics investigation.]
Step 4: What’s the source of the problem?
[Screenshot callout: Graphically shows many different sources of intrusion.]
Step 5: One problem many sources
[Screenshot callouts: Shows status across devices; Categorizes events.]
Last Step: Shut down port 1434
Customer Testimonial
"I always have the SIMS Event Viewer up and running in my NOC, so unsurprisingly it was easy to notice that we were experiencing abnormal activity. I immediately closed the port on Slammer. This is what I've come to expect from CiscoWorks SIMS."
Charles Watson II, Cellular South
Advanced Reporting
• 250 canned reports including:
– Top intruders by source
– Top attack destinations
– Sensor summary by alarm level
– Sensor summary by signature
– Signature analysis
– Risk assessment report
– Alert category reports
• Create custom reports
• Ad hoc and scheduled
• Report formats include XML, CSV, HTML or PDF
Business Impact & Risk Assessment
• Risk assessment reporting based on Cisco IDS, CSA, PIX Security Appliance and cross-vendor events
• Tracks the business impact of threats by continuously monitoring the risk levels of your most valued assets
• Asset values can be customized
• Dynamic weighted scores are used to identify changes in threat levels, activities and event types
Role Based Administration
For both Management… and Security Operations
• Provides actionable information for all levels and roles in the organization
• Access controls allow each user to be assigned specific tasks
• Manage security devices by Business Units and Asset Groups
• Manage security devices from both local and global perspective, simultaneously
Supports All Cisco Security Products
FIREWALLS: PIX 501, 506E, 515, 525, 535
NETWORK IDS: 4210, 4235, 4250, 4250XL
HOST IDS: CSA
SWITCH SENSORS: IDSM-2, CAT6400
ROUTER SENSORS: 1700, 2600, 3600, 7200
SWITCH MODULES: FW-SM, VPN-SM, SSL-SM, IDS-SM
VPN 3000 FAMILY: 3002, 3005, 3015, 3030, 3060, 3080
ROUTERS: 1700, 11760, 2600XM, 3600, 3700, 7000
IBNS: ACS, CATALYSTS 3550-2950, 4000-4500, 6500
MANAGEMENT: VMS, CIC, CSPM
CWSIMS Multi-Vendor Support
• Cisco Secure PIX
• Cisco Secure IDS
• Cisco Secure ACS
• Cisco IOS Firewall / IDS / ACL
• Cisco VPN Concentrators
• Cisco Routers, Switches, Content
• Cisco Info Center, VMS, CSPM
• Psionic IPS
• Okena – Host based IDS
• Arbor
• Check Point Firewall-1
• Computer Associates
• CyberGuard
• Enterasys
• Entercept – Host based IDS
• ISS Real Secure - Host/NW IDS
• McAfee
• Microsoft Windows
• Netscreen
• Secure Computing Sidewinder
• Snort
• Symantec
• Tripwire
• UNIX Log Data
• Other devices via Universal Agent
Distributed Architecture
Choice: Software and/or Appliance
Software:
– Distributed Architecture
– Global Scalability
– 1 to 4 Day Installation Service
– Targeted for Medium to Large Sized Deployments
– Central location
– High scale event rate, highly configurable
Appliance:
– Single Server / distributed
– Regional Scalability
– Minimal Setup Time
– Targeted for Small to Medium Sized Deployments
– Satellite location feeding to central location
– Up to 2000 events/sec
Software Solution
Starter Pack
• 30 device license
• 1 master engine
• 1 distributed engine
• Oracle Database
• Price $40,000
Additional Licenses
• License for monitoring 20 Additional Devices $20k
• License for additional Engine $20k
• License for additional Database $10k
CiscoWorks SIMS Engine
Appliance-Based Security Solution
• Used standalone or in distributed deployment
• Can forward events to software-based deployment
• Same Powerful netForensics SIM Technology
• Pre-Installed on Cisco 1160 Hardware
• Fast and Easy Setup and Deployment
• Dual Pentium 4 Xeon CPUs, 4Gb memory and 146Gb disk
• Price: $40,000
Ensures Audit & Regulatory Compliance
CiscoWorks SIMS
• Demonstrates compliance with the proper reporting and tools
• Addresses new accountabilities of top executives
• Preserves the data you need for the long term
Regulations shown: HIPAA, FTC OVERSIGHT, EU DATA PROTECTION ACT, SARBANES-OXLEY, GLBA, PATRIOT ACT, BASEL II, SEC REGULATIONS
SIMS vs. Other Log Management Solutions

VMS & SIMS Feature Differences

Security Intelligence and Analysis
SIMS Security Information Management Technology Overview
Security Information Management
• The CWSIMS approach…
– Lets you manage your growing security infrastructure with the same number of staff
– Normalise and Aggregate messages from disparate security devices
– Correlate and Visualise to respond to threats in real time
CWSIMS Architecture
• 3-Tier architecture scales to any enterprise size
– Installations can be linked so that one install reports to another at a higher level
• All CWSIMS components are fully distributable from one server to many
• Oracle 9i Database included for reporting
• CWSIMS Appliance provides “one box” security solution
CWSIMS High Volume Architecture
[Diagram: Criteria Based Event Forwarding from Region 1: Paris / France and Region 2: Munich / Germany to Central Monitoring: London]
Communication and Encryption
Communication
• All components communicate via TCP
• Guaranteed transmission
• SSL V3
Encryption
• Certification Manager
• 56-bit to 128-bit
• Designed to fit all implementations
Collection/Agent Redundancy
• Agents: Redundant, Fault Tolerant
• Engines: Redundant, Fault Tolerant
• Database: Redundant, Fault Tolerant
• Should Databases fail, real-time reporting continues
CWSIMS Architecture - Agents
• Receive multi-vendor device messages
– Using native protocols
• A collection, normalisation mechanism
– Agents do not typically require installation on the security device
• Normalise data
– 20000+ unique device messages mapped to 100 Alarm ID types
Normalize All Event Information
Normalization:
– Format: Parsed
– Message: Defined
– Severity: Re-mapped
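The agent role described on the two slides above (parse each vendor's format, define a vendor-neutral message, re-map severity onto one scale) is shown below as an added example; this is not netForensics or CiscoWorks code. The three line formats, the message-code table and the sample lines are constructed for the example, and the 1..5 severity scale and the alarm ID names are assumptions standing in for the product's own Alarm ID types.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class NormalizedEvent:
    """Vendor-neutral event record: what the agent hands to the engine."""
    device: str
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    proto: Optional[str]
    alarm_id: str   # small fixed vocabulary (the page's "100 Alarm ID types")
    severity: int   # re-mapped onto one scale: 1 (informational) .. 5 (critical)
    raw: str

# Hypothetical (format, vendor message code) -> alarm ID table; a real agent holds
# thousands of rows here, all collapsing onto the same small alarm vocabulary.
ALARM_MAP = {
    ("fw", "ACL_DENY"): "FW_ACL_DENY",
    ("fw", "ACL_PERMIT"): "FW_ACL_PERMIT",
    ("ids", "sql-worm-propagation"): "WORM_PROPAGATION",
    ("ids", "portsweep"): "PORT_SCAN",
    ("hids", "process-block"): "HOST_PROCESS_BLOCKED",
}
UNKNOWN_ALARM = "UNCLASSIFIED"   # keep the event, but flag that the map has a gap

# Constructed line grammars (hypothetical; not any real vendor's syslog format).
FW_RE = re.compile(
    r"^(?P<dev>\S+) %FW-(?P<lvl>[0-7])-(?P<code>[A-Z_]+): (?P<proto>\w+) "
    r"src (?P<sip>[\d.]+)/(?P<sport>\d+) dst (?P<dip>[\d.]+)/(?P<dport>\d+)")
IDS_RE = re.compile(
    r"^(?P<dev>\S+) sig=(?P<code>[\w-]+) prio=(?P<prio>[1-3]) (?P<proto>\w+) "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)")
HIDS_RE = re.compile(r"^(?P<dev>\S+) event=(?P<code>[\w-]+) sev=(?P<sev>\w+)")

# Severity re-mapping: every source has its own scale and direction.
SYSLOG_LEVEL_TO_SEV = {0: 5, 1: 5, 2: 5, 3: 4, 4: 3, 5: 2, 6: 1, 7: 1}  # 0 = most severe
IDS_PRIO_TO_SEV = {1: 5, 2: 3, 3: 1}                                      # 1 = most severe
HIDS_WORD_TO_SEV = {"critical": 5, "error": 4, "warning": 3, "notice": 2, "info": 1}

def normalize(line: str) -> Optional[NormalizedEvent]:
    """Parse one raw line into the common schema; None when no parser matches."""
    m = FW_RE.match(line)
    if m:
        return NormalizedEvent(m["dev"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"]),
                               m["proto"].lower(), ALARM_MAP.get(("fw", m["code"]), UNKNOWN_ALARM),
                               SYSLOG_LEVEL_TO_SEV[int(m["lvl"])], line)
    m = IDS_RE.match(line)
    if m:
        return NormalizedEvent(m["dev"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"]),
                               m["proto"].lower(), ALARM_MAP.get(("ids", m["code"]), UNKNOWN_ALARM),
                               IDS_PRIO_TO_SEV[int(m["prio"])], line)
    m = HIDS_RE.match(line)
    if m:
        # Host events carry no network 5-tuple; those fields stay None rather than being faked.
        return NormalizedEvent(m["dev"], None, None, None, None, None,
                               ALARM_MAP.get(("hids", m["code"]), UNKNOWN_ALARM),
                               HIDS_WORD_TO_SEV.get(m["sev"].lower(), 2), line)
    return None

def normalize_all(lines: List[str]) -> List[NormalizedEvent]:
    """Normalize a batch; unparseable lines are dropped (a real agent would count/log them)."""
    return [ev for ev in (normalize(l) for l in lines) if ev is not None]

# Constructed sample input: three hypothetical devices reporting the same 1434/udp activity.
SAMPLE_LINES = [
    "fw01 %FW-4-ACL_DENY: UDP src 10.1.1.5/4021 dst 192.0.2.10/1434 by acl OUTSIDE",
    "nids02 sig=sql-worm-propagation prio=1 UDP 10.1.1.5:4021 -> 192.0.2.10:1434",
    "hids07 event=process-block sev=warning host=db01",
    "fw01 %FW-6-ACL_PERMIT: TCP src 10.1.1.9/5000 dst 192.0.2.20/80 by acl INSIDE",
    "garbage line the agent cannot parse",
]

if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_LINES):
        print(ev.device, ev.alarm_id, ev.severity, ev.src_ip, ev.dst_port)
```

The point of the severity tables is that the firewall's syslog level 4, the IDS's priority 1 and the host agent's "warning" are not comparable until each is re-mapped; the engine's correlation and scoring only work once every source speaks the same scale and alarm vocabulary.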
CWSIMS Architecture - Engine
• Aggregate & Correlate Events
– Perform de-duplication using customizable rules
– Categorises events into one of nine Incident Categories, allowing operators to identify threats
– Correlate events using rules based and statistical methods
– Forward correlated events to Database, Master Engine or other engines
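The engine duties listed above (de-duplicate, categorise, forward on criteria), together with the criteria-based event forwarding from the high-volume architecture slide, are shown below as an added example that is not the product's own code. The incident category names, the de-duplication window, the forwarding criteria and the sample event stream are all constructed for the example; the page says there are nine categories but does not name them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Event:
    ts: float        # seconds
    src: str
    dst: str
    alarm_id: str    # normalized alarm ID from the agent
    severity: int    # normalized 1..5

@dataclass
class Aggregate:
    """One de-duplicated event: repeats of the same (src, dst, alarm) fold into a count."""
    key: Tuple[str, str, str]
    category: str
    severity: int
    first_ts: float
    last_ts: float
    count: int = 1

# Hypothetical incident categories (stand-ins for the page's nine unnamed categories).
CATEGORY_OF_ALARM = {
    "PORT_SCAN": "RECONNAISSANCE",
    "FW_ACL_DENY": "ACCESS_DENIED",
    "WORM_PROPAGATION": "MALICIOUS_CODE",
    "WEB_EXPLOIT": "EXPLOIT_ATTEMPT",
    "HOST_PROCESS_BLOCKED": "HOST_POLICY_VIOLATION",
}

class Engine:
    def __init__(self, dedup_window: float = 60.0, forward_min_severity: int = 4,
                 forward_categories: Tuple[str, ...] = ("MALICIOUS_CODE", "EXPLOIT_ATTEMPT")):
        self.dedup_window = dedup_window
        self.forward_min_severity = forward_min_severity
        self.forward_categories = set(forward_categories)
        self.open: Dict[Tuple[str, str, str], Aggregate] = {}
        self.aggregates: List[Aggregate] = []   # everything written to the local database
        self.forwarded: List[Aggregate] = []    # subset sent upstream to the master engine

    def categorize(self, alarm_id: str) -> str:
        return CATEGORY_OF_ALARM.get(alarm_id, "UNCATEGORIZED")

    def _should_forward(self, agg: Aggregate) -> bool:
        # Criteria-based forwarding: a regional engine keeps routine noise local and
        # sends only high-severity or selected-category incidents to central monitoring.
        return agg.severity >= self.forward_min_severity or agg.category in self.forward_categories

    def ingest(self, ev: Event) -> Optional[Aggregate]:
        """Fold ev into an open aggregate when one with the same key is inside the window;
        otherwise open a new aggregate. Returns the new aggregate, or None if de-duplicated."""
        key = (ev.src, ev.dst, ev.alarm_id)
        agg = self.open.get(key)
        if agg is not None and ev.ts - agg.last_ts <= self.dedup_window:
            agg.count += 1
            agg.last_ts = ev.ts
            agg.severity = max(agg.severity, ev.severity)
            return None
        agg = Aggregate(key, self.categorize(ev.alarm_id), ev.severity, ev.ts, ev.ts)
        self.open[key] = agg
        self.aggregates.append(agg)
        if self._should_forward(agg):
            self.forwarded.append(agg)
        return agg

def run_engine(events: List[Event]) -> Engine:
    eng = Engine()
    for ev in sorted(events, key=lambda e: e.ts):
        eng.ingest(ev)
    return eng

# Constructed sample stream: a burst of identical firewall denies, one worm alarm, one late repeat.
SAMPLE_EVENTS = [
    Event(0.0, "10.1.1.5", "192.0.2.10", "FW_ACL_DENY", 3),
    Event(1.0, "10.1.1.5", "192.0.2.10", "FW_ACL_DENY", 3),
    Event(2.0, "10.1.1.5", "192.0.2.10", "FW_ACL_DENY", 3),
    Event(2.5, "10.1.1.5", "192.0.2.10", "WORM_PROPAGATION", 5),
    Event(3.0, "10.1.1.5", "192.0.2.10", "FW_ACL_DENY", 3),
    Event(400.0, "10.1.1.5", "192.0.2.10", "FW_ACL_DENY", 3),   # outside the 60 s window
]

if __name__ == "__main__":
    eng = run_engine(SAMPLE_EVENTS)
    for a in eng.aggregates:
        print(a.key, a.category, "x%d" % a.count, "forwarded" if a in eng.forwarded else "local")
```

Six raw events become three database rows and one upstream message; the count on the aggregate preserves the evidence that the denies were repeated, which is what the operator needs for the "one problem, many sources" view without seeing every packet.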
Rules Based Correlation
• Rules Based Correlation
– Utilises pre-defined scenarios (If this, then that, or something else) to monitor a sequence of events to determine incident potential.
– Rules are triggered as normalized events are compared to rule criteria
– Event “states” are created to track successful execution of correlation rules
– Effectively pin-points specific attack scenarios
Rules Based Correlation
- Real-time
- Design rules based upon need
- No scripting required
- Drag & Drop for quick enablement of rule
- Use categories for enterprise rule correlation
- 50 Generalized Rules out-of-the-box
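The two rules-based correlation slides describe a scenario as an ordered sequence with per-sequence "states" and category-based matching. The added example below implements that mechanism in general form (any number of ordered steps, any correlation key, a time window); it is not the product's rule engine, and the `recon_then_exploit` scenario, category names and sample events are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Hashable, List, Tuple

@dataclass
class Event:
    ts: float
    src: str
    dst: str
    category: str   # incident category assigned by the engine
    alarm_id: str

@dataclass
class Rule:
    """An ordered scenario: each step predicate must match in turn, within `window`
    seconds of the first match, for events sharing the same correlation key."""
    name: str
    steps: List[Callable[[Event], bool]]
    key: Callable[[Event], Hashable]
    window: float

@dataclass
class RuleState:
    """The page's event 'state': how far one key has progressed through a rule."""
    next_step: int
    started_ts: float
    matched: List[Event] = field(default_factory=list)

@dataclass
class Incident:
    rule: str
    key: Hashable
    evidence: List[Event]

class RuleCorrelator:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states: Dict[Tuple[str, Hashable], RuleState] = {}
        self.incidents: List[Incident] = []

    def process(self, ev: Event) -> List[Incident]:
        """Compare one normalized event against every rule's current step for its key."""
        fired = []
        for rule in self.rules:
            sk = (rule.name, rule.key(ev))
            st = self.states.get(sk)
            if st is not None and ev.ts - st.started_ts > rule.window:
                del self.states[sk]          # scenario timed out; start over from step 0
                st = None
            step = st.next_step if st else 0
            if not rule.steps[step](ev):
                continue                     # criteria not met; state is unchanged
            if st is None:
                st = RuleState(0, ev.ts)     # first step matched: open a state
            st.matched.append(ev)
            st.next_step = step + 1
            if st.next_step == len(rule.steps):
                inc = Incident(rule.name, sk[1], list(st.matched))
                self.incidents.append(inc)
                fired.append(inc)
                self.states.pop(sk, None)    # scenario complete; release the state
            else:
                self.states[sk] = st
        return fired

# Hypothetical scenario in "if this, then that" form: reconnaissance from a source against a
# destination, followed by an exploit attempt on the same pair within 10 minutes.
RECON_THEN_EXPLOIT = Rule(
    name="recon_then_exploit",
    steps=[
        lambda e: e.category == "RECONNAISSANCE",
        lambda e: e.category == "EXPLOIT_ATTEMPT",
    ],
    key=lambda e: (e.src, e.dst),
    window=600.0,
)

def correlate(events: List[Event], rules=(RECON_THEN_EXPLOIT,)) -> List[Incident]:
    corr = RuleCorrelator(list(rules))
    for ev in sorted(events, key=lambda e: e.ts):
        corr.process(ev)
    return corr.incidents

# Constructed sample stream (not real sensor data).
SAMPLE_EVENTS = [
    Event(0.0,   "10.1.1.5", "192.0.2.10", "RECONNAISSANCE", "PORT_SCAN"),
    Event(30.0,  "10.1.1.5", "192.0.2.10", "EXPLOIT_ATTEMPT", "WEB_EXPLOIT"),   # completes scenario
    Event(40.0,  "10.1.1.7", "192.0.2.10", "EXPLOIT_ATTEMPT", "WEB_EXPLOIT"),   # no prior recon
    Event(50.0,  "10.1.1.9", "192.0.2.11", "RECONNAISSANCE", "PORT_SCAN"),
    Event(900.0, "10.1.1.9", "192.0.2.11", "EXPLOIT_ATTEMPT", "WEB_EXPLOIT"),   # recon too old
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc.rule, inc.key, [e.alarm_id for e in inc.evidence])
```

Matching on categories rather than vendor alarm IDs is what makes one rule usable across a multi-vendor estate: the rule does not care whether the reconnaissance came from a PIX log or a Snort sensor. The window keeps states from accumulating forever, which matters at the event rates the architecture slides quote.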
Statistical Correlation
• Statistical Correlation uses categorization and scoring to determine incident potential
– Normalized events are categorized by asset or asset group into 9 incident types
– Threat scores are continuously computed by asset
– Threat scores combine event severity and asset value to determine overall threat potential
– Finds anomalies that rules based correlation may not detect
Risk Management
[Diagram: risk as the combination of Asset Importance or Impact of Loss, Abnormal Traffic or Activity, and Likelihood of Successful Attack]
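The statistical correlation slide and the risk management diagram above describe per-asset threat scores that combine event severity with asset value, with anomalies found without a matching rule. The added example below is one way to compute such scores; it is not the product's scoring formula. The half-life decay, the z-score anomaly check, the asset values and the sample events are all constructed assumptions.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Event:
    ts: float
    asset: str       # asset (or asset group) the event is attributed to
    category: str    # incident category, e.g. "RECONNAISSANCE"
    severity: int    # normalized 1..5

class ThreatScorer:
    """Per-asset threat score = sum over events of severity x asset value, decayed with a
    half-life so old activity fades. Asset value is the 'impact of loss' input; severity
    and recency stand in for 'abnormal activity'."""

    def __init__(self, asset_values: Dict[str, float], half_life: float = 600.0,
                 default_value: float = 1.0):
        self.asset_values = asset_values
        self.half_life = half_life
        self.default_value = default_value
        self.events: Dict[str, List[Event]] = defaultdict(list)

    def value_of(self, asset: str) -> float:
        return self.asset_values.get(asset, self.default_value)

    def ingest(self, ev: Event) -> None:
        self.events[ev.asset].append(ev)

    def _weight(self, ev: Event, now: float) -> float:
        age = max(0.0, now - ev.ts)                 # events after `now` count at full weight
        return ev.severity * self.value_of(ev.asset) * 0.5 ** (age / self.half_life)

    def score(self, asset: str, now: float) -> float:
        return sum(self._weight(ev, now) for ev in self.events[asset])

    def category_breakdown(self, asset: str, now: float) -> Dict[str, float]:
        out: Dict[str, float] = defaultdict(float)
        for ev in self.events[asset]:
            out[ev.category] += self._weight(ev, now)
        return dict(out)

    def ranked(self, now: float) -> List[Tuple[str, float]]:
        """Assets ordered by current threat score, highest first."""
        return sorted(((a, self.score(a, now)) for a in self.events), key=lambda x: -x[1])

def rate_anomaly(baseline_counts: List[int], current_count: int, z_threshold: float = 3.0) -> bool:
    """Flag the current interval when its event count sits more than z_threshold standard
    deviations above the asset's historical mean: a signature-free check for abnormal activity."""
    n = len(baseline_counts)
    if n < 2:
        return False                                # no usable baseline yet
    mean = sum(baseline_counts) / n
    std = math.sqrt(sum((c - mean) ** 2 for c in baseline_counts) / (n - 1))
    if std == 0:
        return current_count > mean                 # flat baseline: any rise is unusual
    return (current_count - mean) / std > z_threshold

# Constructed sample data (hypothetical assets, values and events).
ASSET_VALUES = {"db01": 3.0, "web03": 2.0, "kiosk": 0.5}
SAMPLE_EVENTS = [
    Event(0.0,   "db01",  "MALICIOUS_CODE", 5),
    Event(0.0,   "web03", "RECONNAISSANCE", 2),
    Event(300.0, "web03", "EXPLOIT_ATTEMPT", 4),
    Event(600.0, "kiosk", "MALICIOUS_CODE", 5),
]

def build_scorer() -> ThreatScorer:
    sc = ThreatScorer(ASSET_VALUES)
    for ev in SAMPLE_EVENTS:
        sc.ingest(ev)
    return sc

if __name__ == "__main__":
    sc = build_scorer()
    for asset, s in sc.ranked(now=600.0):
        print(asset, round(s, 2), {k: round(v, 2) for k, v in sc.category_breakdown(asset, 600.0).items()})
    print("rate anomaly:", rate_anomaly([10, 12, 11, 9, 13, 10], 40))
```

At `now=600` the kiosk's fresh critical event scores 2.5 while the database's ten-minute-old one still scores 7.5, because asset value dominates; that is the intended behaviour of weighting by impact of loss. The rate check is deliberately independent of severity so that a flood of low-severity events on one asset still surfaces.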
CWSIMS Architecture – Master Engine
• Master Engine
– Centralises real time data feeds from multiple engines
– Provides real time data feed to the SIM Desktop
– Services reporting queries from the SIM Desktop
CWSIMS Architecture - Provider
• Provider
– Controls the configuration of the CWSIMS system
– Maintains the users and access controls
– Manages service patches for the registered components
– Provides database services to all registered components
– Allows for explicit configuration of individual agents from a single console
Notification and Integration
• Real-Time Alerting at multiple levels
– Email
– SNMP traps to Network Management Software (for example)
– HPOV
– Unicenter TNG
– Tivoli
– Micromuse Netcool
– Opening trouble tickets
– Computer Associates’ Advanced Help Desk Option
– Remedy
Roadmap
• Incident Handling Functionality within SIM Desktop
– Help Desk style functionality, following the SANS Incident Handling
response methodology
– Incident Case Details, Affected Asset Details, Incident Description, Supporting
Evidence, Containment Procedure, Mitigation Procedure, Eradication
• Vulnerability Scanner integration
– Nessus, ISS, Foundstone, Qualys, etc…
• Cisco Works VMS integration
– netForensics will interface with VMS Basic via RDEP interface
• Network Admission Control
CWSIMS Architecture – SIM Desktop
• Fully featured Java WebStart console allowing:
– Real-time views and graphs
– Reports and drill down data
– Advanced Analysis
– Visualize Risks and Threats
– Centralised System Administration
[Four further CWSIMS Architecture – SIM Desktop slides containing only screenshots]
System Health Monitor
- Component status
- Database size & activity
- Message Rate per device
- Analysts logged on
Database
- Oracle 9i
- No DBA required
- Archive
- Backup
- Maintenance
- Scheduling
Summary
• CWSIMS Solves Key Security Challenges
– Data Overload
– Event Correlation Across Multi-Vendor Systems
– Understanding Risk
• CWSIMS Provides
– A complete SIM solution for all multi-vendor environments
– Real-time event correlation for known and unknown security attacks
– Advanced Visualization
– Integrated Risk Assessment
• CWSIMS Beats The Competition
– Recognised Leadership Within Security Industry
– Best Service and Support
– Provides an End-to-End Security Solution