Published on February 28, 2014
Ask the Expert Webcast: The Critical Security Controls and the StealthWatch System John Pescatore, Director, SANS Charles Herring, Lancope 1111
Obligatory Agenda Slide • Housekeeping info • Here’s what we will do – 1:05 – 1:20 The Critical Security Controls– John Pescatore, SANS – 1:20 – 1:45 StealthWatch - Charles Herring, Lancope – 1:45 – 2:00 – Q&A 2
Bios John Pescatore joined SANS in January 2013 with 35 years experience in computer, network and information security. He was Gartner’s lead security analyst for 13 years, Prior to joining Gartner Inc. in 1999, he was Senior Consultant for Entrust Technologies and Trusted Information Systems. Before that, John spent 11 years with GTE developing secure computing and telecommunications systems. Mr. Pescatore began his career at the National Security Agency and the United States Secret Service, He holds a Bachelor's degree in Electrical Engineering from the University of Connecticut and is a NSA Certified Cryptologic Engineer. 3
Bios Charles Herring is Senior Systems Engineer at Lancope and longtime StealthWatch user. While on active duty in the US Navy, Charles leveraged StealthWatch in his role as Lead Network Security Analyst for the Naval Postgraduate School. He was tasked with staffing and training Network Security Group personnel, building the security architecture and developing incident response procedures. After leaving the Navy, he spent six years consulting with Federal government, disaster relief organizations and enterprise on network security, communication and process improvement. 4
Focus on protecting the mission first Effectively and efficiently and quickly Advanced targeted attacks are happening now Compliance must follow security Break the Breach Chain 5555
Disrupting the Breach chain DMZ Monitoring Advanced Threat Detect Source: Neusentry 2012 Monitor internal flows © 2013 The SANS™ Institute – www.sans.org Monitor external flows 6
Critical Security Controls 20) Penetration Tests and Red Team Exercises 19) Secure Network Engineering 18) Incident Response Capability 17) Data Protection 16) Account Monitoring and Control 15) Controlled Access Based on Need to Know 19 1) Inventory of Authorized and Unauthorized Devices 20 1 2 2) Inventory of Authorized and Unauthorized Software 3 3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers 4 18 17 4) Continuous Vulnerability Assessment and Remediation 5 16 6 7 15 14) Maintenance, Monitoring and Analysis of Audit Logs 5) Malware Defense 14 13) Boundary Defense 13 12) Controlled Use of Administrative Privileges 12 11 10 11) Limitation and Control of Network Ports, Protocols and Services 9 8 6) Application Software Security 7) Wireless Access Control 8) Data Recovery Capability 9) Security Skills Assessment and Appropriate Training to Fill Gaps 10) Secure Configuration of Devices such as Firewalls, Routers, and Switches 7
Other Benchmarking systemic improvements Detecting advanced attacks Incident response Threat mitigation Compliance to mandates and regulations Situational awareness/gap analysis Improvements to overall risk posture Risk reduction/vulnerability mitigation Benefits: Risk Reduction and Visibility Where have the Controls you implemented made the most improvement and/or helped you close your gaps? (Check all that apply.) 70.0% 60.0% 50.0% 40.0% 30.0% 20.0% 10.0% 0.0%
Critical Security Controls Update • Now maintained by the Council On CyberSecurity • Version 5.0 in public review • Updated prioritization and definitions of subcontrols 9
Getting to Continuous Security Action Threats Regulations Requirements OTT Dictates Discovery/Inventory Vuln Assessment/Pen Test Baseline Security Configuration Policy • SIEM • Situational Awareness • Incident Response • • • • Monitor/ Report Assess Risk Shield Eliminate Root Software Vuln Test Cause Mitigate Training Network Arch Privilege Mgmt • FW/IPS/ATD • Anti-malware • NAC • Patch Management • Config Management • Change Management
The Critical Security Controls and the StealthWatch System Charles Herring Senior Systems Engineer email@example.com 11
Lancope: The Market Leader in Network Visibility Technology Leadership • Powerful threat intelligence • Patented behavioral analysis • Scalable monitoring up to 3M flows per second • 150+ algorithms Best of Breed • 650 Enterprise Clients • Key to Cisco’s Cyber Threat Defense • Gartner recommended • NBA market leader • Flow-based monitoring © 2013 Lancope, Inc. All rights reserved. 12
Your Infrastructure Provides the Source... 3560-X Atlanta San Jose NetFlow Internet NetFlow NetFlow NetFlow 3925 ISR WAN NetFlow New York NetFlow ASR-1000 NetFlow NetFlow Cat6k ASA NetFlow NetFlow Datacenter NetFlow UCS with Nexus 1000v Cat4k Cat6k NetFlow DMZ NetFlow Access NetFlow NetFlow NetFlow 3850 Stack(s) © 2013 Lancope, Inc. All rights reserved. 13
…for Total Visibility from Edge to Access. 3560-X Internet Atlanta ASR-1000 San Jose WAN 3925 ISR Cat6k New York Datacenter UCS with Nexus 1000v © 2013 Lancope, Inc. All rights reserved. Cat4k Cat6k ASA DM Z Access 3850 Stack(s) 14
SANS Critical Controls Boundary Defense Defense Type L3, L4, Signature Emerging L7 Detection Threat Blocking Detection Targeted Threat Detection Firewalls Yes Limited No No Signature IDS Limited Yes No No Malware Sandbox No No Yes Limited StealthWatch No Limited Yes Yes 15
Flow Statistical Analysis © 2013 Lancope, Inc. All rights reserved. 16 16
SANS Critical Controls Monitoring & Audit Defense Type Detection Mechanism Data Source SIEM Boolean Syslog StealthWatch Algorithmic NetFlow 17
SANS Critical Controls Incident Response and Management Logging Type Data Stored Endpoint Hard Drive/Memory Packet Capture Raw PCAP Log Collection Syslog StealthWatch NetFlow 18
Transactional Audits of ALL activities © 2013 Lancope, Inc. All rights reserved. 19
SANS Critical Controls Secure Network Engineering Monitor Type Data Monitored Firewall Change Control Changes in FW Configuration records Configuration Polling SNMP StealthWatch NetFlow against Policy 20
Thank You Charles Herring Senior Systems Engineer Lancope http://www.lancope.com @Lancope (company) @netflowninjas (company blog) https://www.facebook.com/Lancope http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about https://plus.google.com/u/0/103996520487697388791/posts http://feeds.feedburner.com/NetflowNinjas © 2013 Lancope, Inc. All rights reserved. 21
Resources • SANS Reading Room: http://www.sans.org/reading_room/ • Blog – www.sans.org/security-trends/ • Sponsor link: http://www.lancope.com • Questions: firstname.lastname@example.org 23
SANS Critical Security Controls Featuring Lancope. ... Lancope’s StealthWatch System provides several powerful features for securing the perimeter of a ...
Critical Security Controls POSTER ... Intel Security/McAfee StealthWatch = Lancope ... CRITICAL SECURITy CONTROL DESCRIPTION
20 Critical Security Controls ... Solution PRoViDERS 20 CritiCal SeCurity ... penetrated existing controls and compromised critical systems at thousands ...
Industrial Control Systems; Software Security; ... Critical Vulnerability Recaps; ... The CIS Critical Security Controls for Effective Cyber Defense Now.
and maps these changing security controls to Lancope’s StealthWatch ... StealthWatch System ... and Exceeding the Standard with StealthWatch 13
... System. StealthWatch System 5.0 ... control of network ... they become security incidents. As a critical resource ...
Stealthwatch. Articles, experts, jobs, and more: ... Corporate Trainer (Information Security Domain) at Recknors, Head of Systems and Computing Division ...
... at StealthWatch System 5.0" at lancope.webex.com ... become security incidents. As a critical ... Security • Access Control ...
Today’s post is all about Control 8 of the CSIS 20 Critical Security Controls ... Know your systems well ... to The State of Security who now ...