Monitoring Network Security With CS - MARS

Monitoring Network Security with CS-MARS
BRKSEC-2007
Fransesca Martucci

BRKSEC2007

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

1


HOUSEKEEPING
• We value your feedback, don’t forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation which will be available online from Friday.
• Visit the World of Solutions on Level -01!
• Please remember this is a ‘No Smoking’ venue!
• Please switch off your mobile phones!
• Please remember to wear your badge at all times including the Party!
• Do you have a question? Feel free to ask them during the Q&A section or write your question on the Question form given to you and hand it to the Room Monitor when you see them holding up the Q&A sign.


Session Objectives
• Explain best practices in security information and event management
• CS-MARS main concepts and how it helps keep your network secure
• LIVE DEMO!
• Real-life implementation examples (for your reference)
• A good understanding of Cisco's security technologies and network monitoring foundations is suggested


Intelligent Security Threat Management


Security Operations/Reactions Today: Always Too Late

(Figure: Network Operations and Security Operations, each fed by many sources, driving a manual action loop.)

Action steps:
1. Alert
2. Investigate
3. Mitigate

Collect network diagram, read and analyze tons of data, repeat.

Sources shown on the figure: 10K Win, 100s UNIX, VPN, vulnerability scanners, router/switch, anti-virus, authentication servers, firewall, security knowledge base, IDS/IPS.


Management Dilemma

(Figure: the pressures pulling on security management, shown as callouts.)

• Whom do I believe?
• Mitigate attacks
• Help security staff
• Working proactively rather than reactively
• In-depth defense noise
• Costly business dilemma
• Compliance and audit mandates
• Who did it? Who got infected?
• Poor attack identification
• Show me what happened!


Key Concept

Mark was hired to break into buildings. He must assure security personnel are vigilant.

14 events (each word = 1 event), 2 sessions (each sentence = 1 session), 1 incident (the whole story).

• Events: raw messages sent to CS-MARS by the monitoring/reporting devices
• Sessions: events that are correlated by CS-MARS across NAT boundaries
• Incidents: sessions that match correlation rules


Sessionization

(Figure: a network topology with Enterprise Campus (Building, Building Distribution, Core, Lab, Management, Edge Distribution), Enterprise Edge (Corporate Internet, VPN and Remote Access, E-Commerce, WAN) and Service Provider Edge (ISP A, ISP B, PSTN, Frame/ATM) zones; CS-MARS and ACS sit in the Management block and callouts numbered 1 to 8 follow the traffic path.)

Callouts shown on the figure:
• Unusual traffic based on baseline (reported at several points in the network)
• High amount of IPSec packets
• Joe Smith did lots of traffic at 9pm PST
• Joe Smith performed a buffer overflow


Typical Incident

(Figure: the attack chain as its sessions are correlated into one incident.)

1. Host A performs recon (ICMP and port scans) to Target X ("Hi, they call me Joe").
2. Followed by a Host A buffer overflow attack to Target X.
3. Where X is vulnerable to the attack, Target X executes a password attack on Target Y, followed by a port sweep.


Vector Analysis

Accurate Attack-Path, Detailed Investigation

(Figure: attack-path topology with HQ and branch routers, switches, firewalls, NIDS sensors, CSA/Entercept/Intruvert host sensors and the MARS appliance; individual device names and subnets not reproduced.)

Network intelligence:
• Topology
• Traffic flow out
• False positives
• Device configuration
• Enforcement devices

Mitigation commands shown on the figure:
“set port disable”
“access-list deny tcp host 135.17.76.5 any”
“shun 135.17.76.5 445 tcp”


Rule Details


Life of an Incident
1. Events come into the appliance from network devices
2. Events are parsed
3. Normalized
4. Sessionized/NAT correlation
5. Run against the rule engine
   - Drop rules are matched first
   - All rules are checked
6. False-positive analysis
7. Vulnerability assessments against suspected hosts

Continuous behavior analysis is performed.


Rules: Definition (for your reference)

Variables and operators allow context-sensitive correlation.

The components of a rule are the following:
• Operators (and/or/followed-by) between the matching events of the rows
• A count of matching events for each row, required for the rule to fire
• Variables that carry values over from one row to the next
• A time range that bounds how much time may pass between the first and the last matching event


Rules: Matching

A match for the first line gives a value to the variables:

$TARGET02 = 40.40.1.23
$TARGET01 = 192.168.1.10
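As an added illustration (not code from the deck or from CS-MARS), a minimal rule engine in Python that applies the rule components described above: rows joined by followed-by, a count per row, $variables carried from row to row, and a time range. The event names and the addresses 40.40.1.23, 192.168.1.10 and 10.1.1.10 come from the deck's screenshots; the event tuples, the rule layout and the variable name $ATTACKER are constructed for this example.

```python
from datetime import datetime, timedelta

T0 = datetime(2006, 6, 1, 21, 0)
# Constructed sample events (time, event type, source, destination); the event names and
# addresses are the ones shown in the deck's screenshots.
EVENTS = [
    (T0, "ICMP Ping Network Sweep", "40.40.1.23", "192.168.1.10"),
    (T0 + timedelta(minutes=2), "ICMP Ping Network Sweep", "40.40.1.23", "172.16.5.5"),
    (T0 + timedelta(minutes=5), "WWW IIS .ida Indexing Service Overflow", "40.40.1.23", "192.168.1.10"),
    (T0 + timedelta(minutes=6), "Built/Teardown/Permitted IP Connection", "192.168.1.10", "10.1.1.10"),
    (T0 + timedelta(minutes=7), "Built/Teardown/Permitted IP Connection", "192.168.1.10", "10.1.1.10"),
]
# Same story, but everything after the sweep arrives two hours later (outside the time range).
LATE_EVENTS = EVENTS[:2] + [(t + timedelta(hours=2), e, s, d) for t, e, s, d in EVENTS[2:]]

# Rule in the deck's terms: rows joined by "followed-by", a count per row, $variables carried
# from row to row, and a time range. The dict layout is this example's own, not CS-MARS's.
RULE = {
    "time_range": timedelta(minutes=30),
    "rows": [
        {"event": "ICMP Ping Network Sweep", "count": 1, "src": "$ATTACKER", "dst": "$TARGET01"},
        {"event": "WWW IIS .ida Indexing Service Overflow", "count": 1, "src": "$ATTACKER", "dst": "$TARGET01"},
        {"event": "Built/Teardown/Permitted IP Connection", "count": 2, "src": "$TARGET01", "dst": "$TARGET02"},
    ],
}

def bind(pattern, value, variables):
    """A literal must equal the value; a $variable binds on first use, then must repeat."""
    if not pattern.startswith("$"):
        return pattern == value
    return variables.setdefault(pattern, value) == value

def evaluate(rule, events):
    """Bindings of the first incident satisfying every row in sequence within the time range, else None."""
    events = sorted(events)
    for start in range(len(events)):
        variables, cursor, t_start = {}, start, events[start][0]
        for row in rule["rows"]:
            matched = 0
            while cursor < len(events) and matched < row["count"]:
                t, etype, src, dst = events[cursor]
                cursor += 1
                if t - t_start > rule["time_range"]:
                    break  # events are sorted: nothing later can fit the time range
                trial = dict(variables)  # bindings stick only if the whole event matches
                if etype == row["event"] and bind(row["src"], src, trial) and bind(row["dst"], dst, trial):
                    variables, matched = trial, matched + 1
            if matched < row["count"]:
                break  # this row cannot be completed from this start: try the next start
        else:
            return variables
    return None
```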


Incident investigation
LIVE DEMO


Dashboard (for your reference)

2,694,083 Events
992,511 Sessions
249 Incidents
61 High Severity Incidents

"I need to clean my network and investigate further."


Incident Details (for your reference)

Rule definition


Incident Details (for your reference)

• Reporting devices
• Raw messages for the session selected


Rules: Path (for your reference)

Sessions graphically displayed with their sequence:

Step 1: 40.40.1.23 to 192.168.1.10
Step 2: 40.40.1.23 to 192.168.1.10
Step 3: 192.168.1.10 to 10.1.1.10

(The figure labels the edges with their session counts: 2 sessions, 1 session and 3 sessions.)


Rules: Attack Vector (for your reference)

Graphical representation of the attack vector time sequence:

1. Event: ICMP Ping Network Sweep
2. Event: WWW IIS .ida Indexing Service Overflow
3. Event: Built/Teardown/Permitted IP Connection


Rules: Mitigation (for your reference)

Two possible mitigation points on which we can act.

Choose:
1. The mitigation device
2. The preferred command: block host, block connection, shun


Policy Lookup
Which Entry on My Access-List
Triggered the Alert?


Netflow and Statistical Information


Benefit of Netflow
• Statistical profiling identifies day-zero attacks; it is also performed on connections through the firewalls
• A few days are needed to profile your network before it starts detecting anomalies
• Two dynamically generated watermarks compare the old data against the current data

Router configuration shown on the slide (IOS NetFlow export):

Router(config)# ip flow-export destination 10.42.41.1 9991
Router(config)# ip flow-export version 5
Router(config)# ip flow-export source Loopback0

(NetFlow must also be switched on per interface, e.g. with ip flow ingress; that step is not on the slide.)

Note: CS-MARS only supports Netflow version 5 and version 7.


Pre-Defined Anomaly Rules
Rule: “Sudden Traffic Increase To Port”, specific for day-zero attacks.

Main day-zero rules:
• “Client exploit—mass mailing worm”
• “Network activity: excessive denies—host compromise likely”
• “Worm propagation—attempt”
• “Sudden traffic increase to port”
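The watermark idea from the Netflow slides and the "Sudden traffic increase to port" rule, as an added example (not CS-MARS's code): per-port high and low watermarks computed from past intervals, a minimum profiling period before a port is judged, and a check that flags a port whose current flow count is above its high watermark. The flow summaries are constructed, and mean ± 3 standard deviations as the watermark formula is this example's assumption.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow summaries (interval, destination port, flows seen in that interval):
# seven quiet intervals of history, then a current interval with a burst towards port 445.
HISTORY = [(day, 80, 1000 + 20 * (day % 3)) for day in range(7)]
HISTORY += [(day, 445, 40 + day) for day in range(7)]
HISTORY += [(6, 3389, 12)]  # first seen only in the last interval: still being profiled
CURRENT = [(7, 80, 1030), (7, 445, 900), (7, 3389, 300)]

def watermarks(history, k=3.0, min_intervals=3):
    """Per-port (high, low) watermarks from past intervals, here mean +/- k standard
    deviations (the formula is this example's choice). Ports with fewer than
    min_intervals of history get no watermarks: their profiling is not finished."""
    per_port = defaultdict(list)
    for _, port, flows in history:
        per_port[port].append(flows)
    marks = {}
    for port, counts in per_port.items():
        if len(counts) >= min_intervals:
            m, sd = mean(counts), pstdev(counts)
            marks[port] = (m + k * sd, max(0.0, m - k * sd))
    return marks

def sudden_increase(current, marks):
    """(port, flows, high watermark) for every port whose current count is above its high mark."""
    return [(port, flows, marks[port][0]) for _, port, flows in current
            if port in marks and flows > marks[port][0]]

if __name__ == "__main__":
    for port, flows, high in sudden_increase(CURRENT, watermarks(HISTORY)):
        print(f"Sudden traffic increase to port {port}: {flows} flows (high watermark {high:.0f})")
```

Port 80 stays within its watermark, port 445 fires, and port 3389 is skipped because its profiling period is not over yet.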