Cisco Security Agent
THIS IS THE POWER OF CISCO SECURITY. NOW.
© 2003, Cisco Systems, Inc. All rights reserved.
Server and Desktop Host Based Intrusion Prevention (HIPS)
Items to secure Servers and Desktops
• Cisco Security Agent software (CSA)
  - Behavior based, NO SIGNATURE UPDATES REQUIRED
  - Zero Hour Protection
• BLOCKED:
  - MS Blaster (luvgate)
  - CodeRed v1 & v2
  - SoBig
  - Backdoor.IRC.RPCBot.D
  - Nimda
  - SQL Slammer
• Event correlation at the management console across the network to give high alert of potential WORM or VIRUS
• With the addition of the PROFILER, event correlation is enhanced and custom policies generated
• Event correlation at the management console across the
network to give high alert of potential WORM or VIRUS
• With the addition of the PROFILER, event correlation is
enhanced and custom policies generated
Transition From Detection to Protection: At the Endpoint…
• From Signature-based to Policy-Based
  - Stops new attacks that attempt malicious activity
  - Policies allow “good” behavior and prevent “bad” behavior
  - P2P, Instant Messaging, Custom Programs
• From Multiple Products to Single Agent
  - Aggregates multiple security functions in one agent
  - HIPS, Zero-day protection, Firewall and OS lockdown
• From Updates to Zero-Update Protection
  - Behavior-based architecture changes the desktop and server paradigm
Cisco Security Agent (CSA): Behavioral Protection From Attacks
[Diagram: on one side, the attacks themselves: rapidly mutating, requiring continual signature updates, inaccurate to match. On the other, their target, the behavior an attack must perform: most damaging, changes very slowly. This was the inspiration for the CSA solution.]
Behavior Control Protects End Points
[Diagram: a Corporate Security Policy governs the applications (Web Server, Email Client, Web Browser, ...) running on the Host Operating System. System Call Shims intercept File System Access, Registry Access, COM Object Access, Memory Access, Code Execution and HTTP Filtering; a Network Shim on the Network Protocol Stack inspects inbound and outbound packets. Attack examples shown: SMBDie, Ping of Death, Mount Shares, Buffer Overflow, Active Content. Attack classes shown: Protocol Attack, Operating System Attack, Application Attack.]
Cisco Security Agent Functions
• System Hardening
• Application-related
  - Syn-flood protection
  - Malformed packet protection
  - Application run control
  - Executable file version control
  - Restart of failed services
  - Protection against code injection
  - Protection of process memory
  - Protection against buffer overflows
  - Protection against keystroke logging
• Resource Protection
  - File access control
  - Network access control
  - Registry access control
  - COM component access control
• Control of executable content
  - Protection against email worms
  - Protection against automatic execution of downloaded files or ActiveX controls
• Detection
  - Packet sniffers & unauthorized protocols
  - Network scans
  - Monitoring of OS event logs
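As an added illustration of the policy model on the two preceding slides (not Cisco code; the application classes, rules and events are constructed for this example), a toy engine that classifies the process behind an intercepted system call and matches its file, registry and execution behavior against allow/deny/query rules, so that a mail client dropping an executable is stopped without any signature for the worm that did it:

```python
from dataclasses import dataclass
import fnmatch

# Application classes the policy reasons about, mirroring the deck's Web Server,
# Email Client and Web Browser. The image-name mapping is constructed for the example.
APP_CLASS = {
    "outlook.exe": "email_client",
    "iexplore.exe": "web_browser",
    "inetinfo.exe": "web_server",
}

@dataclass
class Event:
    process: str   # image name of the process that made the intercepted call
    action: str    # file_write, execute, registry_write, ...
    target: str    # file path or registry key touched by the call

# Behavior rules: (application class or "*", action, target glob, verdict).
# First match wins; anything unmatched is allowed. No rule names a particular
# worm: each describes behavior that is always or usually undesired.
RULES = [
    ("email_client", "file_write", "*.exe", "deny"),           # mail worms drop executables
    ("email_client", "execute", "*", "deny"),                  # a mail client launching programs
    ("web_browser", "execute", "*\\temporary internet files\\*", "deny"),  # auto-run of downloads
    ("web_server", "file_write", "c:\\winnt\\system32\\*", "deny"),       # web server writing into the OS
    ("*", "registry_write", "*\\currentversion\\run\\*", "query"),        # persistence: ask the user
]

def evaluate(event: Event) -> str:
    """Return the verdict ("allow", "deny" or "query") for one intercepted call."""
    app = APP_CLASS.get(event.process.lower(), "unknown")
    target = event.target.lower()          # patterns are lower-case; compare case-insensitively
    for rule_app, action, pattern, verdict in RULES:
        if rule_app in ("*", app) and action == event.action \
                and fnmatch.fnmatchcase(target, pattern):
            return verdict
    return "allow"

def enforce(events) -> list:
    """Run a stream of intercepted calls through the policy; return the ones not allowed."""
    decisions = []
    for e in events:
        verdict = evaluate(e)
        if verdict != "allow":
            decisions.append((e, verdict))
    return decisions
```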
Types of Behavior
• CSA can also provide customized behavioral security for any environment
[Diagram: a spectrum of All Possible Types of Security Relevant Behavior. Malicious Behavior (always undesired) is covered by the Default Server and Desktop Policies; Policy Violations (may be undesired) by the Default Application Policies; Strict Control by Application Specific Policies via the CSA Profiler.]
CSA Management Model
Security Administrators
• Configure the system via browser connected to CSA Management Console
• Review security events, reports, & alerts
• Modify security policies
• Can have: Configure, Deploy, Monitor roles
CSA Management Console (CSA MC)
• Is required to be physically secure
• Holds the configuration and event databases (SQL Server)
• Serves to distribute agent software to end-points
• Deploys security policies to end-points
• Receives events from agents and performs correlation
• Sends alerts to administrators
Hosts or End Points
• Protected by CSA
• Are members of one or more groups
• Get their security policies from the CSAMC
• Send security events to the CSAMC
[Diagram: the Administrator's Web Browser connects to the Management Console; Events flow from the Agents to the console and Configuration data flows back to the Agents across a Router.]
CISCO Security Agent Architecture
[Diagram: Desktop, Laptop and Server Agents receive Policy Updates from, and send Reports, Events and Alerts to, the CSA Mgmt Console; a Web Browser provides Management and Configuration; alerts can be passed on to Other Managers: an SNMP Manager, Custom Programs or a Local File.]
• Platforms: WinNT, Win2K, WinXP and Solaris 8 64bit
• Agents enforce policy locally, connected or not
• All communications HTTP and SSL
CSA Correlation Capabilities
CSA offers unique agent and management level correlation.
Correlation on Agent
• Higher accuracy
• Fewer “False Positive” events
• Example: Trojan Horse detection, Network Worm propagation, automatic application recognition
Correlation on Manager
• Higher accuracy
• Fewer “False Negative” events
• Example: Distributed “Ping Scans”, Network Worm propagation
[Diagram: Agents report to the Management Server.]
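An added example, not Cisco code, of the manager-level correlation this slide describes: each agent reports only what it saw, and the console flags a distributed ping scan or a worm-style fan-out that no single agent could see on its own (host names, addresses, ports and thresholds are constructed for the example):

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class AgentEvent:
    agent: str      # host whose agent reported the event (constructed names)
    ts: int         # time in seconds
    kind: str       # "icmp_probe" or "connect"
    src: str        # remote source address as seen by that agent
    dst_port: int = 0

def _fanout(hits, window, threshold):
    """hits maps a key to [(ts, agent)]; return the keys reported by at least
    `threshold` distinct agents inside any sliding window of `window` seconds."""
    flagged = []
    for key, seen in hits.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            agents = {a for t, a in seen[i:] if t - t0 <= window}
            if len(agents) >= threshold:
                flagged.append(key)
                break
    return flagged

def distributed_ping_scan(events, window=60, min_agents=5):
    """One probe per host looks like noise to each agent; the console sees one source touching many hosts."""
    hits = defaultdict(list)
    for e in events:
        if e.kind == "icmp_probe":
            hits[e.src].append((e.ts, e.agent))
    return _fanout(hits, window, min_agents)

def worm_propagation(events, window=60, min_targets=5):
    """One source connecting to the same port on many hosts: the fan-out a network worm produces."""
    hits = defaultdict(list)
    for e in events:
        if e.kind == "connect":
            hits[(e.src, e.dst_port)].append((e.ts, e.agent))
    return _fanout(hits, window, min_targets)

# Constructed sample: 10.0.0.9 pings eight hosts within a minute, 10.0.0.50 connects to
# port 135 on six hosts, and 10.0.0.3 pings two hosts (ordinary admin traffic, must not alert).
SAMPLE = (
    [AgentEvent(f"host{i}", 100 + i, "icmp_probe", "10.0.0.9") for i in range(8)]
    + [AgentEvent(f"host{i}", 200 + i, "connect", "10.0.0.50", 135) for i in range(6)]
    + [AgentEvent("host1", 300, "icmp_probe", "10.0.0.3"),
       AgentEvent("host2", 305, "icmp_probe", "10.0.0.3")]
)
```

Filtering SAMPLE down to a single agent's events yields no alert from either detector, which is the "false negative" the console-level view removes.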
CSA Market-Leadership Validation
CISCO Security Agent v4.0 – July 2003
• Integration with Cisco Works VMS 2.2
– Co-resident installation; SecMon integration
• Additional Web server protection features
– HTTP filtering; Connection Rate Limiting
• End-point integrity enforcement
– Are You There integration with Cisco VPN client 4.0
• Augmenting the security of CISCO infrastructure
– CSA policies for VMS and CISCO Call Manager
The Value of Prevention
"We estimated three classes of users, from data input to managerial functions, and assigned a population to each. After totaling the server downtime, the amount of time lost for employees and the hourly rate for each group, we came up with a staggering $98,306 for the incident." Network Computing Magazine, October 2002
The Value of Patch Relief
"And Digex, a provider of managed Web and application hosting services, calculates the annual cost of manually managing patch deployment to be about $14,400 per server." CSO Magazine, August 2003
• CSA enables more cost effective patch management (providing relief from today’s reactive approach):
  - Vulnerable hosts have protection in the face of new attacks
  - Customer may wait for ‘roll-ups’ and Service Packs, which come better qualified from vendor
  - Testing and implementation of updates can be scheduled without undue change control interruption
• CSA enables fewer updates to endpoints in a proactive and scheduled fashion, which means a lower TCO per server
“IT managers spend two hours per server to test and deploy a patch, which leads research firm Gartner to estimate that it can cost a company with 1,000 servers about $300,000 for each patch.” Information Week, Attacks Averted, Feb 3, 2003
CISCO Security Agent Summary
• CSA’s behavior based technology enables:
– Lower Total Cost of Ownership
• Single agent for Desktops and Servers
• Provides multiple security solutions
(Firewall + IDS + Malicious Mobile Code + OS Hardening + File Integrity)
• Removal of the signature management burden
• Huge reduction in alerts and false positives
• Correlation on the Agent and Management Console
• Intrusion Prevention not detection
CISCO Security Agent Summary
• CSA’s behavior based technology enables:
– You get to enforce your Corporate Security Policies
– You get to control the Patch process
– Data Theft Policy protects Intellectual Property
– Protection in the face of new and unknown threats