1© 2005 Cisco Systems, Inc. All rights reserved. Cisco Public
Security @ Cisco
Laura Kuiper, Consulting Engineer, Security
Agenda
Who Is Cisco
Security Technologies @ Cisco
Summary
Cisco Security Commitment
“Security starts with me, the CEO, down to the individual contributor level…it’s mandatory.”
John Chambers, President and CEO, Cisco Systems
So, What Is Security…
• One “size” doesn’t fit all
• What is important to an organization and what it must deliver to be successful is highly individual
• Security decisions are really business decisions
• This implies that security implementers have to understand the business, its culture, and its overall direction…
So, Who Is Cisco?
People: 38,000 employees, 18,000 contractors
Systems: 58,000 Windows desktops; 14,000 Solaris and Linux desktops; 84,000+ data center servers; 210 Call Managers
Information: Cisco's information assets and customer information
Productivity: investments from the past 10 years
• 8 primary multi-peered Internet gateways, 13 VPN gateways, 30+ lab Internet connections
• 900+ labs world wide
• 25+ Firewalls (Stateful PIXes, FWSM Blades, and Stateless Routers)
• 20+ Intrusion Detection Systems
• 210+ Business and Support Development Partners
• 230+ Application Service Providers
• 300 offices in 100 countries
Cisco Culture
• Employee trust
• Bias toward openness
• Embrace virtual company model
• Implement bleeding edge new technology
• Cisco's InfoSec strategy: preserve Cisco's cultural openness, but with lower risk
  Build awareness consistent with culture
  Proactive involvement in new technology deployment
  Controls only when necessary and effective
  Allow employee trust, but monitor and verify
What Are the Concerns?
• Disruption affects Productivity (the CIO problem)
  External source (e.g. DDoS)
  Internal source (e.g. virus outbreak)
  Accidental source (e.g. configuration mistake)
• Loss affects Value (the CFO problem)
  Random theft (e.g. break-in, no coordination)
  Directed theft (e.g. espionage)
  Accidental loss (e.g. presentation left behind, picked up)
• Damage affects Reputation (the CEO problem)
  Internet visage (e.g. web site defacement)
  Customer and shareholder confidence (loss of information)
  Accidental damage (e.g. making a misstep in industry)
Three Threats: Disruption, Loss, and Damage
Security Strategy: Proactive and Reactive

The strategy is laid out as a matrix: the two threats that drive the program, Disruption and Loss, as rows, and Proactive and Reactive controls as columns.

Proactive: Architectural Design; Patch/Remediation; Personal Firewall; Network Segmentation; Employee Awareness; Principle of Least Privilege; Information Classification; Network Access Control

Reactive: Monitoring; Anomaly Detection; DoS Protection; Investigations/Forensics; Legal Action; Internet Scanning; Scanning/Behavior Analysis; Incident Response; Intrusion Detection (in the Loss row, Network Segmentation is the proactive control paired with Intrusion Detection on the reactive side)

Cisco products and features placed on the matrix: Cisco CSA; NAC, 802.1x; Cisco Guard; Router/Switch Features; Arbor; Addamark, MARS, NetForensics; Cisco IDS; CSIRT
Security Strategy: Proactive and Reactive (the same matrix, highlighting Cisco Guard under DoS Protection and Arbor/NetFlow under Anomaly Detection)
NetFlow Principles
• Inbound traffic only (egress NetFlow is available starting in 12.4)
• Accounts for both transit traffic and traffic destined for the router
• Works with Cisco Express Forwarding (CEF) or fast switching; it is not a switching path itself
• Supported on all interfaces and Cisco IOS software platforms
• Returns the sub-interface information in the flow records
Key Concepts
• If you think of packet capture like a wiretap, NetFlow is more like a phone bill…
• This lower level of granularity allows NetFlow to scale for very large amounts of traffic
• NetFlow is a form of telemetry pushed from the routers/switches; each one can be a sensor
• Advantages of NetFlow: no changes to the network while it is under attack (passive monitoring); scripts can be used to poll and sample throughout the network; IDS products can plug into NetFlow
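As an added example (not code from the deck), here is what the "phone bill" looks like on the wire: a decoder for the NetFlow v5 export datagram that IOS routers of this era pushed to a collector, followed by a per-conversation packet summary. The header and record layouts are the documented v5 format; the four flows in the sample datagram, the addresses and the interface indexes are constructed for this example.

```python
"""NetFlow v5 export decoder: from a UDP datagram to "phone bill" records.
Added example, not code from the Cisco deck; the sample datagram is constructed."""
import socket
import struct
from collections import Counter, namedtuple

HEADER_FMT = "!HHIIIIBBH"                 # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # src, dst, nexthop, in/out ifIndex, pkts, octets, first, last, ...
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48 bytes
MAX_RECORDS = 30                          # a v5 exporter never puts more than 30 records in one datagram

Flow = namedtuple("Flow", "src dst sport dport proto packets octets in_if out_if tcp_flags")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def decode_v5(datagram):
    """Return (header, [Flow, ...]); rejects anything that is not a well-formed v5 export."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, secs, _nsecs, seq, _etype, eid, sampling = struct.unpack(
        HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if count > MAX_RECORDS or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count %d does not match datagram length" % count)
    header = {"sequence": seq, "unix_secs": secs, "engine_id": eid,
              "sampling_interval": sampling & 0x3FFF}   # low 14 bits; the top 2 bits encode the mode
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nh, in_if, out_if, pkts, octets, _first, _last, sport, dport,
         _pad, flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = struct.unpack(
            RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport,
                          PROTO.get(proto, str(proto)), pkts, octets, in_if, out_if, flags))
    return header, flows


def encode_v5(records, seq=1, secs=1106000000):
    """Build a v5 datagram from (src, dst, sport, dport, proto_num, pkts, octets, in_if, out_if)
    tuples; used here only to construct the sample input."""
    body = b"".join(
        struct.pack(RECORD_FMT, socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4,
                    i, o, pk, oc, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, pr, pk, oc, i, o in records)
    return struct.pack(HEADER_FMT, 5, len(records), 0, secs, 0, seq, 0, 0, 0) + body


def phone_bill(flows):
    """The 'phone bill' view: who talked to which service, and how many packets it took."""
    bill = Counter()
    for f in flows:
        bill[(f.src, f.dst, f.proto, f.dport)] += f.packets
    return bill


# Constructed sample: a web session, a DNS lookup, and a burst of UDP/1434 probes, all on ingress ifIndex 3.
SAMPLE = encode_v5([
    ("192.0.2.10", "198.51.100.5", 40001, 80, 6, 120, 96000, 3, 1),
    ("192.0.2.10", "198.51.100.53", 40002, 53, 17, 1, 64, 3, 1),
    ("192.0.2.99", "198.51.100.7", 1434, 1434, 17, 3000, 1128000, 3, 1),
    ("192.0.2.99", "198.51.100.8", 1434, 1434, 17, 2800, 1052800, 3, 1),
])

if __name__ == "__main__":
    hdr, flows = decode_v5(SAMPLE)
    print(hdr)
    for key, pkts in phone_bill(flows).most_common():
        print(pkts, key)
```

Note that nothing in a record is payload: source, destination, ports, protocol, counters and the ingress/egress ifIndex (the "sub-interface information" from the previous slide) are all a collector gets, which is exactly why it scales and why the decoder must reject a datagram whose record count disagrees with its length rather than trust the header.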
Traffic Graphs
Using Arbor Networks Peakflow
Cisco Guard
• Security solution which mitigates DDoS attacks and other forms of undesirable traffic
• Not just anomaly detection: also provides actions for detected anomalies
• Not an in-line solution: failure of the Cisco Guard appliance does not impact the network
• Auto-baseline (learning mode): discovery of services, auto threshold tuning, identifies HTTP proxies and top sources
• Filters based on traffic profiles
Cisco Guard (Cont.)
• Provides a "scrubbing" service for traffic directed toward the protected properties, using statistical profiling techniques and anti-spoofing technology
• Filters out the bad traffic and allows the good traffic through
Cisco Guard Example

Topology: the non-targeted servers and the Target sit behind the edge router; the Cisco Guard hangs off that router to the side, not in line.

1. Detect: a Riverhead Detector, Cisco IDS or Arbor Peakflow notices the attack
2. Activate: auto or manual
3. Divert only the Target's traffic: the Guard makes a BGP announcement for the Target's address, so the router sends traffic destined to the Target through the Guard
4. Identify and filter the malicious traffic
5. Forward the legitimate traffic to the Target
6. Non-targeted traffic flows freely; it is never diverted
AT CISCO: Anomaly Detection and D/DoS
• NetFlow deployed on network edges
• Arbor Peakflow used on network edges to identify D/DoS attacks and anomalies
• NetFlow deployed on the internal network
• NetQoS used for capacity monitoring and anomaly detection
• Using Cisco Guard (with Arbor and Cisco Detector) to mitigate D/DoS
Security Strategy: Proactive and Reactive (the same matrix, highlighting Addamark, MARS, NetForensics under Monitoring and Cisco IDS under Intrusion Detection)
CS-MARS Technologies

Processing pipeline: Capture (network, firewall, NAT, NetFlow; logs, alerts, traffic flow) → Correlate (NAT, CVE, anomaly, rule; ContextCorrelation™) → Validate and drill down (VA, firewall, switch, router, rule; SureVector Analysis™) → Visualize, prioritize, investigate → Leveraged mitigation (AutoMitigate™) and rapid query, audit, report

• CS-MARS receives and monitors all event sources: NetFlow, SNMP, syslog, POP, RDEP, XML APIs, raw Windows, host/app logs…
• Rapid in-line event processing, embedded Oracle®, full storage: the DBMS is transparent; raw and Protego data are archived for forensics and reporting; continuous NFS archival with 40:1 compression
• Focus on validated incidents, not on investigating isolated events
CS-MARS
• Network Intelligence: gives views into topology, traffic flow, device configuration, and enforcement devices
• ContextCorrelation: correlates, reduces and categorizes events; validates incidents

Event funnel: isolated events from every source (router config, firewall log, switch config, switch log, server log, AV alert, app log, VA scanner, firewall config, NetFlow, NAT config, IDS event, …) → correlation and reduction into sessions → rules → verify → valid incidents
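The funnel above, as an added example that is not CS-MARS code: firewall log lines and IDS events are mapped through the NAT configuration onto the real inside host, grouped into sessions, and then validated against the vulnerability scanner's results, so that only an exploit the firewall let through against a host that is actually vulnerable becomes an incident. All events, addresses and the NAT table are constructed; the CVE is the real identifier for the SQL Server Resolution Service overflow that the Slammer worm discussed later in the deck exploited.

```python
"""Event correlation and incident validation in the CS-MARS style.
Added example, not Cisco code; every event, address and table below is constructed."""
from collections import defaultdict

# NAT configuration: (outside address, port) -> (inside host, port)
NAT = {("203.0.113.10", 1434): ("10.1.1.5", 1434),
       ("203.0.113.11", 1434): ("10.1.1.6", 1434)}

# Vulnerability-scanner results: inside host -> CVEs it is exposed to
VA = {"10.1.1.5": {"CVE-2002-0649"}, "10.1.1.6": set()}   # .6 is patched

# Firewall log: (time, action, src, dst, dport, proto); the firewall sees outside addresses
FW_LOG = [
    (100, "permit", "198.51.100.7", "203.0.113.10", 1434, "udp"),
    (101, "deny",   "198.51.100.8", "203.0.113.10", 1434, "udp"),
    (102, "permit", "198.51.100.9", "203.0.113.11", 1434, "udp"),
]

# IDS events: (time, signature, cve, src, dst, dport, proto); the sensor also sees outside addresses
SIG = "MS-SQL Resolution Service overflow"
IDS = [
    (100, SIG, "CVE-2002-0649", "198.51.100.7", "203.0.113.10", 1434, "udp"),
    (101, SIG, "CVE-2002-0649", "198.51.100.8", "203.0.113.10", 1434, "udp"),
    (102, SIG, "CVE-2002-0649", "198.51.100.9", "203.0.113.11", 1434, "udp"),
]

WINDOW = 5   # seconds; firewall and IDS events within one window are treated as the same session


def inside(dst, dport):
    """Translate the address a sensor saw outside the NAT to the real target."""
    return NAT.get((dst, dport), (dst, dport))


def sessionize(fw_log, ids_events):
    """Group firewall and IDS events by (src, inside dst, dport, proto, time window)."""
    sessions = defaultdict(lambda: {"fw": [], "ids": []})
    for t, action, src, dst, dport, proto in fw_log:
        sessions[(src, *inside(dst, dport), proto, t // WINDOW)]["fw"].append(action)
    for t, sig, cve, src, dst, dport, proto in ids_events:
        sessions[(src, *inside(dst, dport), proto, t // WINDOW)]["ids"].append((sig, cve))
    return sessions


def validate(sessions):
    """Rule: an exploit signature is an incident only if the firewall let the session through
    and the scanner says the inside host really has that vulnerability."""
    results = []
    for (src, host, port, proto, _bucket), ev in sessions.items():
        for sig, cve in ev["ids"]:
            if "permit" not in ev["fw"]:
                verdict = "dropped by firewall"
            elif cve in VA.get(host, set()):
                verdict = "validated incident"
            else:
                verdict = "target not vulnerable"
            results.append({"src": src, "host": host, "port": port, "proto": proto,
                            "sig": sig, "cve": cve, "verdict": verdict})
    return results


def valid_incidents(fw_log=FW_LOG, ids_events=IDS):
    """What an analyst should actually look at: the validated incidents only."""
    return [r for r in validate(sessionize(fw_log, ids_events)) if r["verdict"] == "validated incident"]


if __name__ == "__main__":
    for r in validate(sessionize(FW_LOG, IDS)):
        print("%-22s %s -> %s:%d %s" % (r["verdict"], r["src"], r["host"], r["port"], r["cve"]))
```

Three identical IDS alarms come out as one incident: the second was dropped by the firewall and the third hit a patched host. The NAT step is why MARS ingests NAT configuration at all; without it the IDS event and the scanner result refer to different addresses and can never be joined. The fixed time window is a simplification; a session that straddles a window boundary would be split in two.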
At Cisco: IDS
• Close relations between the IDS development team and InfoSec
• Deployments of IDS: edge networks and extranets
• Virtual team to review and react to alarms; the bulk of security cases are initiated from alarms
At Cisco: Event Correlation
• SIMS deployed by InfoSec; leveraged for reporting IDS events
• Deployment of CS-MARS planned: collecting NetFlow, IDS, syslog, CSA, QualysGuard and VirusScan data; will be leveraged for reporting and categorization of events…
Security Strategy: Proactive and Reactive (the same matrix, highlighting Router/Switch Features)
Best Practice: Disabled Services
Global:
• finger
• pad
• small servers
• bootp
• identification service
• source routing
Interface:
• icmp redirects
• icmp unreachables
• icmp mask reply messages
• proxy-arp
• directed broadcast
• mop
Best Practice: Enabled Services
• service password-encryption
• service tcp-keepalives-in
• service tcp-keepalives-out
• A banner
• Transport input/output: the only transport is SSH
• exec-timeout 10
• SNMP (only where community strings are defined)
• logging buffered
• logging trap debugging
• AAA configuration: TACACS+
At Cisco: General Configuration Template
• Regionalized information for:
  DNS
  Logging: log to the regional syslog server (centralized logging); log buffer 128
  SNMP: ACL for SNMP (limit who can do SNMP queries)
  TACACS
  NTP servers (consistent time)
At Cisco: Template Information
• Hostname/prompt and system information
• Create banner: the standard banner is located in the documentation
• TACACS, passwords and timeouts: configure standard TACACS; enable secret
At Cisco: Best Practices
• Run a router audit tool on a daily basis and remediate devices
• Auto-configuration of some template features
• Policy to only permit SSH as remote access mechanism
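One way to build the daily router audit tool mentioned above, as an added example that is not Cisco's internal tool: it parses an IOS running configuration and reports every deviation from the "disabled services" and "enabled services" lists on the two best-practice slides, per interface and per vty line. The sample configuration is constructed; the TACACS+ server address and the choice to require the explicit "no" form of each service (rather than trusting per-release IOS defaults, which vary) are assumptions.

```python
"""Router audit tool for the hardening lists on the two best-practice slides.
Added example, not Cisco's tool; it requires the explicit 'no ...' form of each
service to be disabled (assumption: report it even where the IOS release defaults
it off).  The configuration at the bottom is constructed."""
import re

GLOBAL_REQUIRED = {  # finding -> global line that must be present
    "finger not disabled": r"^no (ip|service) finger$",
    "pad not disabled": r"^no service pad$",
    "tcp small servers not disabled": r"^no service tcp-small-servers$",
    "udp small servers not disabled": r"^no service udp-small-servers$",
    "bootp server not disabled": r"^no ip bootp server$",
    "identd not disabled": r"^no ip identd$",
    "source routing not disabled": r"^no ip source-route$",
    "password encryption off": r"^service password-encryption$",
    "tcp keepalives in missing": r"^service tcp-keepalives-in$",
    "tcp keepalives out missing": r"^service tcp-keepalives-out$",
    "banner missing": r"^banner (motd|login|exec) ",
    "enable secret missing": r"^enable secret ",
    "buffered logging missing": r"^logging buffered",
    "logging trap debugging missing": r"^logging trap debugging$",
    "aaa new-model missing": r"^aaa new-model$",
    "tacacs server missing": r"^tacacs-server host ",
}
INTERFACE_REQUIRED = {  # finding -> line required under every non-shutdown interface
    "icmp redirects on": r"^no ip redirects$",
    "icmp unreachables on": r"^no ip unreachables$",
    "icmp mask reply on": r"^no ip mask-reply$",
    "proxy-arp on": r"^no ip proxy-arp$",
    "directed broadcast on": r"^no ip directed-broadcast$",
    "mop on": r"^no mop enabled$",
}
VTY_REQUIRED = {  # finding -> line required under every vty block
    "exec-timeout not 10 min": r"^exec-timeout 10 0$",
    "transport input not SSH-only": r"^transport input ssh$",
}


def parse_ios(config):
    """Top-level lines plus (header, body) blocks: indented lines belong to the header
    above them and a '!' line ends the block, as in 'show running-config' output."""
    top, blocks, current = [], [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            current = None
        elif raw[0].isspace() and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            top.append(current[0])
            blocks.append(current)
    return top, blocks


def missing(rules, lines, where):
    """One finding per rule whose pattern matches none of `lines`."""
    return ["%s: %s" % (where, name) for name, pat in rules.items()
            if not any(re.match(pat, line) for line in lines)]


def audit(config):
    """Deviations from the template; an empty list means the device is compliant."""
    top, blocks = parse_ios(config)
    findings = missing(GLOBAL_REQUIRED, top, "global")
    for header, body in blocks:
        if header.startswith("interface ") and "shutdown" not in body:
            findings += missing(INTERFACE_REQUIRED, body, header)
        elif header.startswith("line vty"):
            findings += missing(VTY_REQUIRED, body, header)
    return findings


SAMPLE_CONFIG = """\
service password-encryption
service tcp-keepalives-in
no service pad
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no ip source-route
enable secret 5 $1$abcd$constructed.hash.not.a.real.one
aaa new-model
tacacs-server host 10.0.0.10
banner motd ^C Authorized use only ^C
logging buffered 128000
logging trap debugging
!
interface FastEthernet0/0
 no ip redirects
 no ip unreachables
 no ip mask-reply
 no ip proxy-arp
 no ip directed-broadcast
 no mop enabled
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
!
interface FastEthernet0/2
 shutdown
!
line vty 0 4
 exec-timeout 10 0
 transport input telnet ssh
!
"""
```

Run `audit(SAMPLE_CONFIG)` and it reports seven findings: two global lines that the template requires but the device lacks, four ICMP/ARP/MOP services still enabled on FastEthernet0/1, and a vty line that still accepts telnet alongside SSH, which is exactly the "only SSH as remote access mechanism" policy violation. The shut-down interface is skipped, and the fully hardened FastEthernet0/0 produces nothing. Each finding names the device section, so the remediation step can be driven from the same list.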
Unicast RPF Overview
• Cisco Express Forwarding is required
• Checks to determine whether any packet that is received at a router interface arrives on one of the best return paths to the source of the packet
• Performs a reverse lookup in the Cisco Express Forwarding table; if uRPF does not find a reverse path for the packet, uRPF can drop the packet
• Two types of uRPF:
  Strict mode uRPF requires that the source IP address of an incoming packet has a FIB path to the SAME interface as that on which the packet arrived
  Loose mode uRPF requires that the source IP address of an incoming packet has a FIB path to ANY interface on the device, except null
uRPF—Strict Mode
router(config-if)# ip verify unicast reverse-path
or: ip verify unicast source reachable-via rx allow-default

Diagram: the router's FIB reads Sx → int 1, Sy → int 2, Sz → null0. A packet from Sx to D arriving on int 1 passes the "source IP = rx int?" check, because the FIB path back to Sx is int 1, the interface it arrived on. A packet from Sy to D arriving on int 1 fails the same check (the FIB path to Sy is int 2) and is dropped.
uRPF—Loose Mode
router(config-if)# ip verify unicast source reachable-via any

Diagram: the same FIB (Sx → int 1, Sy → int 2, Sz → null0). The packet from Sy arriving on int 1 now passes, because loose mode only asks "source IP reachable via any interface?". A packet from Sz arriving on int 1 is still dropped: its only FIB path is null0.
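The two diagrams above, as an added example (not from the deck) that runs the same FIB through both modes: Sx reachable via int 1, Sy via int 2, Sz via null0, plus a default route toward an assumed int 3 so that the allow-default keyword can be shown too. The prefixes behind Sx, Sy and Sz and the interface names are assumptions.

```python
"""Unicast RPF strict and loose mode over the FIB of the two uRPF slides.
Added example, not from the deck; prefixes, the default route and interface names are assumptions."""
import ipaddress

FIB = [   # (prefix, egress interface); the longest matching prefix wins
    ("10.1.0.0/16", "int 1"),     # Sx
    ("10.2.0.0/16", "int 2"),     # Sy
    ("10.3.0.0/16", "null0"),     # Sz: blackholed, e.g. a bogon route
    ("0.0.0.0/0",   "int 3"),     # default route toward the ISP (assumed)
]


def fib_lookup(fib, addr):
    """Longest-prefix match: returns (network, interface), or (None, None) if nothing matches."""
    ip = ipaddress.ip_address(addr)
    best = (None, None)
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best[0] is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf(fib, src, ingress, mode="strict", allow_default=False):
    """True if a packet with source `src` arriving on `ingress` passes the uRPF check."""
    net, iface = fib_lookup(fib, src)
    if net is None:
        return False                  # no route back to the source at all
    if net.prefixlen == 0 and not allow_default:
        return False                  # only the default route matches; not good enough without allow-default
    if iface == "null0":
        return False                  # both modes drop a source whose only path is null0
    if mode == "strict":
        return iface == ingress       # 'reachable-via rx': the path must point back out the arrival interface
    if mode == "loose":
        return True                   # 'reachable-via any': any real interface will do
    raise ValueError("mode must be 'strict' or 'loose'")


def classify(fib, packets, **kw):
    """Map each (src, ingress) packet to 'pass' or 'drop' under the given mode."""
    return {(src, ing): ("pass" if urpf(fib, src, ing, **kw) else "drop") for src, ing in packets}


# The packets from the slides (Sx, Sy, Sz on int 1) plus an Internet source seen on two interfaces.
PACKETS = [("10.1.0.7", "int 1"), ("10.2.0.7", "int 1"), ("10.3.0.7", "int 1"),
           ("192.0.2.9", "int 3"), ("192.0.2.9", "int 1")]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, classify(FIB, PACKETS, mode=mode))
    print("strict + allow-default", classify(FIB, PACKETS, mode="strict", allow_default=True))
```

Strict mode drops the spoofed Sy packet on int 1 and the Internet source on int 1; loose mode lets both Sy and, with allow-default, the Internet source through, but neither mode will ever pass Sz, which is the property that makes a null0 bogon route effective at the ISP edge.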
At Cisco: IOS Security Features
• uRPF: enabled at the edges (ISP edge, building edge, DMZ edge…)
• CAR/traffic policing: used at the ISP edge
• IOS/FW (CBAC): remote access devices; standard approved for Extranet
At Cisco: Switch Security Features
• DHCP snooping: investigating usage on the voice VLAN
• Port security: deployed on some networks
• ARP inspection: included in the standard for the Secure Data Center
Highly Scalable Multi-Context Security Services
• Security Contexts (virtual firewalls) lower operational costs
• Reduce overall management and support costs by hosting multiple virtual firewalls in a single appliance
  Enables the logical partitioning of a single Cisco PIX Security Appliance into multiple logical firewalls, each with its own unique policies and administration
  Each context provides the same primary firewall features provided by a standalone Cisco PIX Security Appliance
  Supports up to 100 contexts, depending on platform
• Ideal solution for enterprises consolidating multiple firewalls into a single larger appliance, or service providers who offer managed firewall or hosting services

Diagram: before, one PIX per Dept/Cust 1…N; after, a single PIX hosting one context per Dept/Cust 1…N
Transparent (Layer 2) Firewall
• Transparent Firewall provides rapid deployment of security services
• Simplifies and speeds deployment of security services into SMB and Enterprise network environments
  Provides the ability to rapidly "drop in" Cisco PIX Security Appliances into existing networks without requiring any addressing changes
  Delivers high-performance stealth L2–L7 security services and provides protection against network layer attacks
  Seamless security appliance integration in complex routing, high availability, and multicast environments
• Ideal for environments with limited IT resources/budget

Diagram: Router, transparent PIX, Router, with 10.30.1.0/24 on both sides of the firewall (the SAME subnet)
AT CISCO: Firewalls
• Using FWSM and PIX as our corporate firewalls
• Using transparent features in some locations
• Usage of FWSM and PIX on critical networks
• Planning usage of FWSM in the Data Center
• Investigating virtual firewalls for usage in the Data Center
Security Strategy: Proactive and Reactive (the same matrix, highlighting Cisco CSA under Personal Firewall)
CSA 4.5: Additional Features
• Can put a single rule into test mode
• Can apply different policies to users when they are in the office and when they are outside it
• Can have a different policy for different users
• Can delegate security responsibility to the end user
• Can push a configuration change out to the agents
End-User Security Decisions
Screen captures: a personal-firewall-style GUI is an option (the applications listed have been granted permission to use the network); user queries can be "remembered", i.e. permanently cached; High, Medium and Low are defined centrally
An ROI Example
Year          Cost per event   Type    Freq.   Event cost    Total
2003          $250,000         minor   3       $750,000
              $2.5 mil         major   1       $2.5 mil      $3.25 mil OPEX
2004 w/CSA    $25,000          event   6       $150,000      $150,000 OPEX
  CSA at list price            $3.7 mil CAPEX  1       $3.7 mil      $3.85 mil (OPEX + CAPEX)
  CSA at 33% discount          $2.5 mil CAPEX  1       $2.5 mil      $2.65 mil (OPEX + CAPEX)

We nearly doubled the number of events, yet spent 1/20th on OPEX handling them.
If we didn't do this, we predict we would have spent $6 mil (4 minor + 2 major), so we saved money even at list prices.
Note: the numbers use February CSA pricing, which has subsequently been lowered, so we would have saved even more.
At Cisco: CSA
• Cisco desktops now fully migrated to 4.5
• Rolled out to all production desktop/laptop systems
• Continuing to work on Server/DMZ rollouts: currently on all Unity servers (50+ worldwide); rolled out to Call Managers (10+ currently)
Security Strategy: Proactive and Reactive (the same matrix, highlighting NAC and 802.1x under Network Access Control)
NAC Logical Components
• Host: Cisco Trust Agent (CTA; NT, 2000, XP) with plug-ins for the security applications on the host: Cisco Security Agent, McAfee VirusScan, Symantec SAV and SCS (EDAP customers only), Trend Micro OfficeScan
• Network Access Device: routers (83x–72xx)
• AAA Server: Cisco Secure ACS
• Vendor Server: Trend Micro Policy Manager
• Monitoring and Reporting: Cisco CS-MARS

Protocols: EAPoUDP between the host and the network access device; RADIUS between the network access device and the AAA server; HCAP between the AAA server and the vendor server.
EAPoUDP: Extensible Authentication Protocol (EAP) over User Datagram Protocol (UDP). RADIUS: Remote Authentication Dial-In User Service. HCAP: Host Credential Authorization Protocol.
AT CISCO: NAC
• Pilot on-going with Remote Access
• Planning and standard created for deployment to Field Sales Offices
• On-going pilot for Field Sales Offices, with sites currently in monitor mode
• Working closely with Business Units on NAC phase 2
Other Features
Security Strategy: Proactive and Reactive (the same matrix, highlighting CSIRT under Incident Response)
Six Phases of Incident Response
1. Preparation: prep the network, create tools, test tools, prep procedures, train the team, practice
2. Identification: How do you know about the attack? What tools can you use? What is your process for communication?
3. Classification: knowledge of the network setup and of normal versus abnormal behavior
4. Traceback: Where is the attack coming from? Where and how is it affecting the network?
5. Reaction: What options do you have to remedy? Which option is the best under the circumstances?
6. Post Mortem: What was done? Can anything be done to prevent it? How can it be less painful in the future?
Protecting Cisco from SQL Slammer: Timeline Summary

Worldwide:
• 10:29 PST: Slammer launched
• 11:00 PST (+30 min): 74,000 hosts worldwide infected
• (+1.5 hrs): massive proliferation, network traffic spiking worldwide
• 0200 PST (+3.5 hrs): protection/remediation strategies posted on Symantec

At Cisco:
• 10:35 (+6 min) Detected: anomaly detection systems at Cisco pick it up
• 10:39 (+10–15 min) Protected: global access rules applied to stop inbound/outbound access to UDP 1434
• 11:00 (+30 min) Scanner launched: scan developed; scan for vulnerable hosts initiated
• 1:00 (+4–8 hrs) Detected, phase II: 200+ systems identified as vulnerable internally
• (+6 days) Protected, phase II: 90% of servers remediated; 100% of desktop agents turned off
At Cisco: Stopping SQL Slammer
What We Did
1. Utilized Arbor Networks' Peakflow DoS anomaly detection tool (combined with Cisco's NetFlow data) to verify the anomaly on UDP 1434; it triggered alarms on the "unusual" traffic
2. Within minutes, the Transport and InfoSec teams responded by locking down the port at every ingress/egress point globally (corporate networks, internal nets, LANs, etc.)
3. In a live war-room environment, worked with PSIRT/TAC and key customers as we learned more about the infection; ensured precise communication and recommendations for blocking, detection and remediation
At Cisco: Stopping SQL Slammer (Cont.)
4. Scanned Cisco with an in-house developed host-tracker that searched our network for vulnerable and/or infected hosts; identified the systems, then worked with desktop/hosting people to quickly remediate/patch vulnerable systems
5. Developed the first scanner for worm detection; made it publicly available
6. Performed round-the-clock monitoring and follow-up with all teams involved to ensure no infection and to report status on remediation progress
At Cisco: Stopping SQL Slammer—Results
• Result to Cisco: no infections found to date
• Success criteria:
  Preparation: incident response process and team in place; the 24x7 response system was critical in dealing with the worm
  Identification/Detection: early (and new) detection mechanisms (tools) to understand the live data pertaining to anomaly detection
  Classification: knowledge of network setup and normal/abnormal behaviors
  Communication and Empowerment: inherent in our successes against this and other DDoS and worm threats
  Reaction: quick communication with ALL network owners to lock down (via ACLs) access into (and out of) the company
  Follow-Up and Post Mortem: briefings on a daily basis for two weeks to ensure that the threat was eradicated, and to discuss lessons learned
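The detection and traceback steps of the Slammer response above, as an added example that is neither Cisco's nor Arbor's code: given already-decoded NetFlow records, it learns a per-service packet-rate baseline from clean minutes, raises an alarm when UDP/1434 jumps far above it, lists the top sources for traceback, and separately flags inside hosts that fan out to many targets on that port, the machines a host-tracker scan had to find. All traffic and addresses are constructed, and the thresholds and the "inside" address range are assumptions.

```python
"""Slammer-style burst detection over decoded NetFlow records.
Added example, not Cisco's or Arbor's code; all flows below are constructed."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

INSIDE = "10."   # assumption: the enterprise address space is 10.0.0.0/8

# A flow record is (minute, src, dst, proto, dport, packets): the fields a collector
# keeps after decoding the export, one line per "call" on the phone bill.


def per_minute(flows):
    """(minute, proto, dport) -> packets seen toward that service in that minute."""
    totals = Counter()
    for minute, _src, _dst, proto, dport, pkts in flows:
        totals[(minute, proto, dport)] += pkts
    return totals


def baseline(flows, minutes):
    """Per-service (mean, stdev) of packets per minute over the clean `minutes`."""
    totals = per_minute(flows)
    services = {(p, d) for (_m, p, d) in totals}
    base = {}
    for svc in services:
        samples = [totals.get((m, *svc), 0) for m in minutes]   # absent in a minute counts as 0
        base[svc] = (mean(samples), pstdev(samples))
    return base


def detect(flows, base, minute, k=5, floor=1000, top_n=3):
    """Alarms for `minute`: every service whose packets exceed max(mean + k*stdev, floor).
    A service never seen while learning has mean 0 and stdev 0, so the floor is the only
    thing that keeps a single stray probe from alarming."""
    totals = per_minute([f for f in flows if f[0] == minute])
    alarms = []
    for (_minute, proto, dport), pkts in totals.items():
        mu, sigma = base.get((proto, dport), (0.0, 0.0))
        threshold = max(mu + k * sigma, floor)
        if pkts > threshold:
            by_src = Counter()                  # who is sending: the traceback input
            for m, src, _dst, p, d, n in flows:
                if m == minute and p == proto and d == dport:
                    by_src[src] += n
            alarms.append({"proto": proto, "dport": dport, "packets": pkts,
                           "threshold": threshold, "top_sources": by_src.most_common(top_n)})
    return sorted(alarms, key=lambda a: -a["packets"])


def inside_scanners(flows, minute, proto, dport, min_targets=50):
    """Inside hosts that reached at least `min_targets` distinct destinations on one service."""
    targets = defaultdict(set)
    for m, src, dst, p, d, _n in flows:
        if m == minute and p == proto and d == dport and src.startswith(INSIDE):
            targets[src].add(dst)
    return sorted(h for h, t in targets.items() if len(t) >= min_targets)


def sample_flows():
    """Constructed: five clean minutes of web/DNS traffic, then a UDP/1434 storm in minute 6."""
    flows = []
    for m in range(1, 6):
        flows.append((m, "10.1.1.20", "198.51.100.5", "tcp", 80, 1000 + 10 * m))
        flows.append((m, "10.1.1.21", "198.51.100.53", "udp", 53, 200))
        flows.append((m, "10.1.1.22", "198.51.100.9", "udp", 1434, 1))     # one stray probe
    for i in range(3):                       # three outside sources sweeping inside SQL servers
        for j in range(40):
            flows.append((6, "198.51.100.%d" % (10 + i), "10.1.2.%d" % j, "udp", 1434, 400))
    for j in range(120):                     # one inside host already infected, fanning out
        flows.append((6, "10.1.1.5", "192.0.2.%d" % (j + 1), "udp", 1434, 10))
    flows.append((6, "10.1.1.20", "198.51.100.5", "tcp", 80, 1100))   # web traffic up a little
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for alarm in detect(flows, baseline(flows, range(1, 6)), 6):
        print("ALARM", alarm)
        print("inside hosts fanning out:", inside_scanners(flows, 6, alarm["proto"], alarm["dport"]))
```

In minute 6 only UDP/1434 alarms: the web traffic rose, but stayed inside five standard deviations of its baseline. The top sources are the three outside sweepers, the addresses an ACL at the edge would block first, while the fan-out check turns up the one inside host that is already spraying the port and needs to be found and patched, the two halves of the "Protected" and "Detected, phase II" steps in the timeline.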
Summary
AT CISCO:
• Security is important to all aspects of Cisco
• InfoSec and IT Infrastructure work together to deploy Cisco Security features and products
• Incorporate both Proactive and Reactive mechanisms
Security at Cisco
www.cisco.com/security
Questions
More Security Resources
Case Studies: http://www.cisco.com/en/US/about/ciscoitatwork/case_studies/security.html
Call to get product, solution and financing information: 1-800-745-8308 ext 4699
Order resources: http://cisco.com/en/US/ordering/index.shtml