
Hidden Figures: Securing what you cannot see

TK Keanini, Distinguished Engineer

Stealthwatch, Advanced Threat Solutions

CID-0006

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Hello, My Name is TK Keanini

Keanini (Pronounced Kay-Ah-Nee-Nee)

TK: The past 53 years in a nutshell

Agenda

• The problem responsible for the innovation

• Overview of Encrypted Traffic Analytics

• Encrypted Traffic Analytics Outcomes

• Encrypted Traffic Analytics Solution

• Conclusion

Networks are becoming more and more opaque!

Chrome will start marking all HTTP sites as not secure in July

The new threat landscape

Organizations are at risk

[Figure: 38% / 62% (Decrypt / Do not decrypt). Values shown: 41%, 81%, 64%. Labels: cannot detect malicious content in encrypted traffic; of attackers used encryption to evade detection; of organizations have been victims of a cyber attack.]

New attack vectors

• Employees browsing over HTTPS: Malware infection, covert channel with command and control server, data exfiltration

• Employees on internal network connecting to DMZ servers: Lateral propagation of encrypted threats

Source: Ponemon Report, 2016

Malicious Activity within Encrypted Traffic

Attackers embrace encryption to conceal their command-and-control activity

[Figure: Global Encrypted Web Traffic and Malicious Sandbox Binaries with Encryption, November 2016 and October 2017. Values and labels shown: Increase, 19%, 12% Increase, 268%, 70%, 50%, 38%.]

Privacy AND Security

Now Available: Cisco Encrypted Traffic Analytics

Industry’s first network with the ability to find threats in encrypted traffic without decryption

Avoid, stop, or mitigate threats faster than ever before | Real-time flow analysis for better visibility

Encrypted traffic Non-encrypted traffic

Artificial Intelligence/Machine Learning

Known Malware Traffic

Known Benign Traffic

Extract Observable Features in the Data

Employ Machine Learning techniques to build detectors

Known Malware sessions detected in encrypted traffic with high accuracy

“Identifying Encrypted Malware Traffic with Contextual Flow Data” AISec ’16 | Blake Anderson, David McGrew (Cisco Fellow)

Cisco research

ETA Solution Overview

Cisco Stealthwatch

Machine Learning

Malware detection and cryptographic compliance

Telemetry Exporter*

NetFlow

Enhanced NetFlow

Telemetry for encrypted malware detection and cryptographic compliance

Metadata

Enhanced analytics and machine learning

Global-to-local knowledge correlation

Enhanced NetFlow from Cisco’s newest switches and routers

Continuous Enterprise-wide compliance

Leveraged network | Faster investigation | Higher precision | Stronger protection

How can we inspect encrypted traffic?

Make the most of the unencrypted fields

Identify the content type through the size and timing of packets

Initial data packet | Sequence of packet lengths and times

Self-Signed certificate

Data exfiltration | C2 message

Who’s who of the Internet’s dark side

Global risk map

Broad behavioral information about the servers on the Internet.
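
An added example (not from the slides and not Cisco's code) of turning the "sequence of packet lengths and times" into numeric features a detector could be trained on, here Markov transition matrices over binned lengths and inter-arrival gaps. The bin widths, function names and both sample flows are assumptions constructed for illustration.

```python
# Added example: SPLT (sequence of packet lengths and times) feature extraction.
# Bin widths and the sample flows are illustrative assumptions, not Cisco's values.
from typing import List, Tuple

Packet = Tuple[float, int]  # (timestamp s, payload bytes; negative = server to client)
LEN_BIN, TIME_BIN_MS, NBINS = 150, 50, 10


def splt(packets: List[Packet], first_n: int = 50) -> List[Tuple[int, int]]:
    """Return (signed length, inter-arrival ms) for the first N data packets."""
    out, prev_ts = [], None
    for ts, size in packets:
        if size == 0:  # pure ACK: carries no application data, so skip it
            continue
        gap_ms = 0 if prev_ts is None else round((ts - prev_ts) * 1000)
        out.append((size, gap_ms))
        prev_ts = ts
        if len(out) == first_n:
            break
    return out


def _bin(value: int, width: int) -> int:
    # Direction (sign) is dropped here; only magnitude is binned, capped at NBINS-1.
    return min(abs(value) // width, NBINS - 1)


def markov(states: List[int]) -> List[List[float]]:
    """Row-normalised transition matrix over NBINS discrete states."""
    counts = [[0] * NBINS for _ in range(NBINS)]
    for a, b in zip(states, states[1:]):
        counts[a][b] += 1
    return [[c / sum(row) if sum(row) else 0.0 for c in row] for row in counts]


def features(packets: List[Packet]) -> List[float]:
    """Flatten the length and time matrices into one 2 * NBINS^2 vector."""
    seq = splt(packets)
    lens = markov([_bin(size, LEN_BIN) for size, _ in seq])
    gaps = markov([_bin(gap, TIME_BIN_MS) for _, gap in seq])
    return [p for m in (lens, gaps) for row in m for p in row]


# Constructed flows: a page download (large server replies) and a periodic
# exchange of small fixed-size messages at regular intervals.
DOWNLOAD = [(0.00, 517), (0.03, -1400), (0.04, -1400), (0.05, -1400),
            (0.06, 0), (0.30, 420), (0.33, -1400)]
BEACON = [(i * 0.4 + d, s) for i in range(6) for d, s in ((0.0, 120), (0.02, -90))]
```

The two constructed flows produce clearly different vectors without any payload being read: the periodic flow concentrates all probability mass in a single length transition and a fixed gap transition, while the download spreads across large-length bins.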

Multi-Layer Machine Learning

Global risk map | Initial data packet | Sequence of packet lengths and times

Encrypted Traffic Analytics: Example Incident

Cryptographic Compliance

How much of your digital business travels in the clear versus encrypted?

Encryption details on all network flows

Filter Flows by TLS/SSL

BRKSEC-2809

The ETA Solution Set

Campus Branch Cloud

Devices generating ETA telemetry

ETA expands into the cloud and branch offices

ISR & ASR

NEW

CSR 1000V

NEW

Catalyst 9000

What do you buy? Licensing / packaging

| Solution element | Software version | License |
| Enterprise switches (Cisco® Catalyst® 9000 Series)* | Cisco IOS® XE 16.6.1+ | Included in Cisco DNA™ Advantage license / Cisco ONE™ Advanced |
| Branch routers (ASR 1000 Series, 4000 Series ISR, CSR, ISRv, 1100 Series ISR)** | Cisco IOS XE 16.6.2+ | Included in SEC/k9 license; Cisco ONE foundation |
| Stealthwatch Enterprise | v6.9.2+ | Management Console, Flow Collector, Flow Rate License |

*C9300 series with 16.6.1, C9400 series available with 16.6.2

**Available for Proof of Concept (PoC) with 16.6.1, General availability in 16.6.2

Conclusion

• Nearly all network communication is encrypted these days.

• Decryption is not a viable option.

• ETA is a solution set! It is not a product.
  o Branch, WAN and Cloud routers
  o Campus switches
  o Cisco Stealthwatch Enterprise

• ETA delivers two outcomes:
  o Cryptographic compliance.
  o Detection of malicious traffic in encrypted traffic WITHOUT decryption.

Thank you
