CyOps - v3 - Chap10


Chapter 10: Endpoint

Security and Analysis

Cybersecurity Operations

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 371
Chapter 10 - Sections & Objectives
 10.1 Endpoint Protection
• Use a malware analysis website to generate a malware analysis report.

 10.2 Endpoint Vulnerability Assessment
• Classify endpoint vulnerability assessment information.
10.1 Endpoint Protection

Endpoint Protection
Antimalware Protection
 Endpoint Threats
• Increased number of devices due to mobility and IoT
 Endpoint Security
• Two points of protection
o Endpoints
o Infrastructure devices

Endpoint Protection
Antimalware Protection (Cont.)
 Host-based malware protection includes
antimalware/antivirus software, as well as a firewall
 Network-based malware protection
• Advanced Malware
Protection (AMP)
• Email Security Appliance
(ESA)
• Web Security Appliance
(WSA)
• Network Admission
Control (NAC)

Host-Based Malware Protection
 Antivirus/Antimalware Software
• Detects and mitigates viruses and other malware.
• Examples: Windows Defender, Norton Security, McAfee, Trend Micro
• Three different approaches:
o Signature-based – recognizes various characteristics of known malware files.
o Heuristics-based – recognizes general features shared by various types of malware.
o Behavior-based – analyzes suspicious behavior at run time.
• Provides real-time protection and on-demand scans for existing malware.
• Host-based antivirus protection is also known as agent-based.
• Note: Agentless antivirus protection performs scans on hosts from a centralized system. It has become popular for virtualized environments where multiple OS instances run on a host simultaneously (e.g., VMware vShield).
 Host-based Firewall
 Host-based Security Suites
Host-Based Malware Protection
 Antivirus/Antimalware Software
 Host-based Firewall
• Installed on a host, it restricts incoming and outgoing traffic.
• Some firewall software can also prevent a host from becoming infected and stop infected hosts from spreading malware to other hosts.
• Examples: Windows Defender and Windows Firewall (Windows); iptables and TCP Wrapper (Linux).
 Host-based Security Suites
• Include antivirus, anti-phishing, safe browsing, host-based intrusion prevention system, and firewall capabilities.
• Provide a layered defense that protects against the most common threats.
• They also provide a telemetry function.
o Robust logging functionality that is essential to cybersecurity operations.
o Some host-based security programs submit logs to a central location for analysis.
• AV-TEST is an independent lab that publishes comparative evaluations of host-based security suites.
Network-Based Malware Protection
 New security architectures for the borderless network address security
challenges by having endpoints use network scanning elements.
 Network-based malware prevention devices are also capable of sharing
information among themselves to make better informed decisions.
 Protecting endpoints in a borderless network can be accomplished using
network-based, as well as host-based techniques.
 Examples of devices and techniques
• Advanced Malware Protection (AMP) – endpoint protection from viruses and malware.
• Email Security Appliance (ESA) – filters spam and potentially malicious emails before they reach the endpoint. An example is the Cisco ESA.
• Web Security Appliance (WSA) – filters websites and applies blacklists to prevent hosts from reaching dangerous locations on the web. The Cisco WSA provides control over how users access the Internet and can enforce acceptable use policies, control access to specific sites and services, and scan for malware.
• Network Admission Control (NAC) – permits only authorized and compliant systems to connect to the network.
Advanced Malware Protection Everywhere (figure)

Cybersecurity deployment and interaction (figure)

Other solutions
Cisco Advanced Malware Protection (AMP)
 Cisco Advanced Malware Protection (AMP) addresses all phases of a
malware attack, from breach prevention to detection, response, and
remediation.
• Before an attack - AMP uses global threat intelligence from Cisco’s Talos Security
Intelligence and Research Group, and Threat Grid’s threat intelligence feeds to
strengthen defenses and protect against known and emerging threats.
• During an attack - AMP uses that intelligence coupled with known file signatures
and Cisco Threat Grid’s dynamic malware analysis technology. It identifies and
blocks policy-violating file types and exploit attempts, as well as malicious files trying
to infiltrate the network.
• After an attack –continuously monitors and analyzes all file activity and traffic,
regardless of disposition, searching for any indications of malicious behavior.

 Cisco AMP is very flexible and can be deployed on endpoints, on ASA and FirePOWER firewalls, and on various other appliances, such as ESA, WSA, and Meraki MX.
Host-Based Firewalls
 Host-based personal firewalls are standalone software programs
that control traffic entering or leaving a computer.
 Firewall apps are also available for Android phones and tablets.
 Host-based firewalls may use a set of predefined policies, or
profiles, to control packets entering and leaving a computer.
 They also may have rules that can be directly modified or created
to control access based on addresses, protocols, and ports.
 Host-based firewall applications can also be configured to issue
alerts to users if suspicious behavior is detected.
 Logging varies depending on the firewall application.
 Distributed firewalls combine features of host-based firewalls with
centralized management. The management function pushes rules
to the hosts and may also accept log files from the hosts.

Host-Based Firewalls examples
 Windows Firewall –
• First included with Windows XP,
• Uses a profile-based approach.
• Access to public networks is assigned the restrictive Public firewall profile.
• Private profile is for computers that are isolated from the Internet by other security
devices, such as a home router with firewall functionality.
• Domain profile is the third available profile. It is chosen for connections to a trusted
network, such as a business network that is assumed to have an adequate security
infrastructure.
• Windows Firewall has logging functionality and can be centrally managed with
customized group security policies from a management server such as System
Center 2012 Configuration Manager.

 iptables
 nftables
 TCP Wrapper

Host-Based Firewalls examples
 Windows Firewall
 iptables
• configure network access rules that are part of the Linux kernel Netfilter
modules.
 nftables –
• The successor to iptables, nftables is a Linux firewall application that
uses a simple virtual machine in the Linux kernel.
• Code is executed within the virtual machine that inspects network
packets and implements decision rules regarding packet acceptance
and forwarding.
 TCP Wrapper
• A rule-based access control and logging system for Linux network services, driven by the hosts.allow and hosts.deny files and enforced by tcpd or libwrap.
• Access decisions are based on the client IP address or hostname and the requested service. Unlike iptables and nftables, it works at the service layer rather than filtering packets in the kernel.
Endpoint Protection
Host-Based Intrusion Detection
 A host-based intrusion detection system (HIDS) combines the functionalities of antimalware applications with firewall protection.
 It protects hosts against malware and can perform monitoring and reporting, log analysis, event correlation, integrity checking, policy enforcement, and rootkit detection.
• Anomaly-based – host behavior is compared to a learned baseline model.
• Policy-based – normal behavior is described by rules, and a violation of those predefined rules raises an alert.
• Examples: Cisco AMP, AlienVault USM, Tripwire, and Open Source HIDS SECurity (OSSEC)
OSSEC
 OSSEC uses a central manager server and agents that are installed on individual hosts; agents are available for Windows, Linux, macOS, and Solaris.
 For other platforms, OSSEC can also operate as an agentless system, and it can be deployed in virtual environments.
 The OSSEC server can also receive and analyze alerts from a variety of network devices and firewalls over syslog.
 OSSEC monitors system logs on hosts and also conducts file integrity checking.
 OSSEC can detect rootkits, and can also be configured to run scripts or applications on hosts in response to event triggers.
Endpoint Protection
Attack Surface (AS)
 Total sum of vulnerabilities
• Expanding due to cloud-based systems, mobile devices, and the IoT
• The SANS Institute describes three components of the attack surface:
o Network AS – the attack exploits vulnerabilities in networks.
o Software AS – the attack is delivered through exploitation of vulnerabilities in web, cloud, or host-based software applications.
o Human AS – the attack exploits weaknesses in user behavior.
 AS reduction
• Application blacklist – which apps are not permitted to run
• Application whitelist – which apps are allowed to run
• Sandboxing – a technique that allows suspicious files to be analyzed and run in a safe environment.
Expanding attack surface (figure)
Application Blacklisting and Whitelisting
 Using the Local Group Policy Editor (User Configuration > Administrative Templates > System), an administrator can allow or deny the execution of specified Windows applications.
 Whitelists are created in accordance with a security baseline that has been established by an organization.
• The baseline establishes an accepted amount of risk, and the environmental components that contribute to that level of risk.
 Websites can also be whitelisted and blacklisted. Blacklists can be continuously updated.
 Cisco's FireSIGHT security management system is an example of a device that can access the Cisco Talos security intelligence service to obtain blacklists.
System-Based Sandboxing
 Sandboxing is a technique that allows suspicious files to be
executed and analyzed in a safe environment.
 Automated malware analysis sandboxes offer tools that analyze
malware behavior.
 A suspect file can then be executed in a sandbox, such as Cisco
Threat Grid Glovebox, and the activities are logged.
 This information can then be used to create signatures to prevent
the file from entering the network again.
 Cuckoo Sandbox is a free malware analysis system sandbox.
 A number of online public sandboxes also exist. These services
allow malware samples to be uploaded for analysis. Some of these
services are VirusTotal, Payload Security VxStream Sandbox, and
Malwr.

10.2 Endpoint Vulnerability Assessment
Endpoint Vulnerability Assessment
Network and Server Profiling
 Network profiling – create a baseline to compare against
when an attack occurs; include session duration, total
throughput, ports used, and critical asset address space
 Server profiling – includes listening ports, logged in
users/service accounts, running processes, running tasks,
and applications
 Network vulnerability testing can include risk analysis,
vulnerability assessment, and penetration testing.

Network Profiling
 Deviations in network behavior are difficult to detect if normal behavior is
not known.
• Increased utilization of WAN links at unusual times can indicate a network breach
and exfiltration of data.
• Hosts that begin to access obscure Internet servers, resolve domains that are
obtained through dynamic DNS, or use protocols or services that are not needed by
the system user can also indicate compromise.
 Tools: NetFlow and Wireshark
 Important elements of the network profile: session duration, total throughput, ports used, critical asset address space
 Profiling the types of traffic is also important.
• Malware can use unusual ports.
• Host-to-host traffic is another important metric.
 Another valuable indicator is a change in user behavior, as revealed by AAA, server logs, or a user profiling system like Cisco Identity Services Engine (ISE, which applies AAA decisions based on context). For example, a user who suddenly begins logging in to the network at strange times.
Elements of a network profile (figure)
Server Profiling
 Server profiling is used to establish the accepted operating state of servers.
 It is important to understand the function that a server is intended to perform in a network.
 A server profile may establish the following:
• Listening ports – the TCP and UDP ports on which the server is expected to accept connections.
• User accounts – who is permitted to log in, and their expected access and behavior.
• Service accounts – the accounts under which each application is allowed to run on a given host.
• Software environment – tasks, processes, and applications that are permitted to run on the server.
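A server profile is only useful if something compares the live host against it. The following is an added example, not part of the Cisco slides: it parses a few constructed lines in the shape of Linux `ss -ltnp` output and reports every listener that deviates from a hypothetical web server profile (the port mapping and the sample output are both made up for this illustration). The three kinds of deviation reported are exactly what the profile above lets an analyst notice: a port nobody expected, an expected port that went quiet, and a known port now owned by the wrong process.

```python
"""Compare a server's current listening ports against its profile.

Added example (not from the original Cisco slides). The `ss -ltnp` sample and
the baseline profile are constructed so the example runs offline.
"""
import re
from dataclasses import dataclass

# Hypothetical accepted operating state of one web server: each listening
# port mapped to the process that is expected to own it.
WEB_SERVER_PROFILE = {
    "listening": {22: "sshd", 80: "nginx", 443: "nginx"},
}

# Constructed sample in the layout of `ss -ltnp` (Linux). The fourth column is
# the local address:port and the last column names the owning process/PID.
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1401,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1401,fd=7))
LISTEN  0       128     0.0.0.0:4444         0.0.0.0:*          users:(("nc",pid=2231,fd=3))
"""

# Lazy `\S*?` lets the address part be IPv4, `*`, or a bracketed IPv6 address.
_LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+\S*?:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


@dataclass
class Listener:
    port: int
    process: str
    pid: int


def parse_ss(text: str) -> list:
    """Extract (port, process, pid) from each LISTEN line; skip the header and unparsable rows."""
    listeners = []
    for line in text.splitlines():
        m = _LISTEN_RE.match(line.strip())
        if m:
            listeners.append(Listener(int(m.group(1)), m.group(2), int(m.group(3))))
    return listeners


def compare_to_profile(listeners: list, profile: dict) -> list:
    """Return human-readable deviations of the observed listeners from the profile.

    Reported: a port not in the profile (the most interesting case for an
    analyst), a profiled port owned by an unexpected process, and an expected
    port that is no longer listening (a stopped or hijacked service).
    """
    expected = profile["listening"]
    seen = set()
    findings = []
    for l in listeners:
        seen.add(l.port)
        if l.port not in expected:
            findings.append(f"unexpected listener: {l.port}/tcp owned by {l.process} (pid {l.pid})")
        elif expected[l.port] != l.process:
            findings.append(f"port {l.port}/tcp owned by {l.process}, profile expects {expected[l.port]}")
    for port, proc in sorted(expected.items()):
        if port not in seen:
            findings.append(f"expected listener missing: {port}/tcp ({proc})")
    return findings


def audit(text: str = SS_SAMPLE, profile: dict = WEB_SERVER_PROFILE) -> list:
    """Parse one `ss -ltnp` capture and compare it with the profile."""
    return compare_to_profile(parse_ss(text), profile)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

In practice the profile would be generated from a known-good snapshot of the server at build time and the comparison run on a schedule or fed from the same collector that ships logs to the SIEM; the listener-to-process pairing matters because a reverse shell or a proxy often lands on a port that already appears "normal".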
Network Anomaly Detection
 Network behavior is described by a large amount of diverse data such as the features of packet flow, features of the packets themselves, and telemetry from multiple sources.
 One approach to detection of network attacks is the analysis of this diverse, unstructured data using Big Data analytics techniques.
 These techniques use sophisticated statistical and machine learning methods to compare normal performance baselines with network performance at a given time.
 Significant deviations can be indicators of compromise.
Network Vulnerability Testing
 Because there is a vast number of potential vulnerabilities, and new ones appear constantly, periodic security testing is essential.
 Various types of tests can be performed:
• Risk Analysis – assessment of the likelihood of attacks; identifies the types of likely threat actors and evaluates the impact of successful exploits on the organization.
• Vulnerability Assessment
o Includes, but goes beyond, port scanning.
o Scans servers and internal networks for various vulnerabilities.
o Examples: missing software patches, unnecessary listening ports
o Tools: OpenVAS platform, Microsoft Baseline Security Analyzer, Nessus, Qualys, and FireEye Mandiant services.
• Penetration Testing
o Uses authorized simulated attacks to test the strength of network security.
o Metasploit is a tool used in penetration testing.
o CORE Impact offers penetration testing software and services.
Endpoint Vulnerability Assessment
Common Vulnerability Scoring System
(CVSS)
 Standardized vulnerability scores (is a risk assessment)
 Open framework with metrics
 Helps prioritize risk in a meaningful way
 Other information sources
• Common Vulnerabilities and Exposures – dictionary of common names
• National Vulnerability Database

CVSS Overview
 The Common Vulnerability Scoring System (CVSS) is a risk
assessment designed to convey the common attributes and
severity of vulnerabilities.
 The third revision, CVSS 3.0, is a vendor-neutral, industry
standard, open framework for weighting the risks of a
vulnerability using a variety of metrics.
 The numeric score can be used to determine the urgency
of the vulnerability, and the priority of addressing it.
 FIRST has been designated as the custodian of the CVSS
 Version 3.0 was under development for 3 years, and Cisco
and other industry partners contributed to the standard

CVSS Metric Groups
 CVSS uses three groups of metrics to assess vulnerability:
• Base Metric Group
o characteristics of a vulnerability that are constant over time and across
contexts.
o Two classes of metrics:
 Exploitability metrics – attack vector (how remote the attacker can be), attack complexity (conditions beyond the attacker's control that must exist), privileges required, and user interaction needed to conduct the attack.
 Impact metrics – the impacts of the exploit are rooted in the CIA triad of confidentiality, integrity, and availability.
o The base group also carries the scope metric, which records whether the exploit affects resources beyond the vulnerable component.
• Temporal Metric Group
o Measures the characteristics of a vulnerability that may change over time, but not across user environments.
o The severity of a new vulnerability may be high, but will decrease as patches, signatures, and other countermeasures are developed.
• Environmental Metric Group
o Measures the aspects of a vulnerability that are rooted in a specific organization's environment.
o Consists of the confidentiality, integrity and availability requirements plus modified base metrics.
The CVSS Process
 The CVSS process uses a tool called the CVSS v3.0
Calculator.
 The calculator is similar to a questionnaire in which choices
are made that describe the vulnerability for each metric
group. After all choices are made, a score is generated.

CVSS Reports
 The affected organization completes the environmental metric
group to tailor the vendor-supplied scoring to the local context.
 The resulting score serves to guide the affected organization in the
allocation of resources to address the vulnerability.
 The higher the severity rating, the greater the potential impact of
an exploit and the greater the urgency in addressing the
vulnerability.
 In general, a vulnerability scoring above 3.9 (Medium or higher on the CVSS 3.0 qualitative scale: Low 0.1 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 to 10.0) should be addressed.
Other Vulnerability Information Sources
 Common Vulnerabilities and Exposures (CVE)
• A dictionary of common names, in the form of CVE identifiers, for publicly known vulnerabilities.
• A CVE identifier provides a standard way to reference and research a vulnerability.
• When a vulnerability has been identified, CVE identifiers can be used to access fixes.
• Threat intelligence services use CVE identifiers.
• The CVE Details website provides a linkage between CVSS scores and CVE information.
 National Vulnerability Database (NVD)
• Utilizes CVE identifiers and supplies additional information on vulnerabilities such as CVSS severity scores, technical details, affected products, and resources for further investigation.
• The database was created and is maintained by the U.S. government's National Institute of Standards and Technology (NIST).
Endpoint Vulnerability Assessment
Compliance Frameworks
 Regulations that impact cybersecurity
• FISMA (Federal Information Security Management
Act of 2002) –security standards for U.S. government systems and
contractors.
• SOX (Sarbanes-Oxley Act of 2002) – requirements for U.S. public
company boards, management, and public accounting firms regarding
control and disclosure of financial information.
• HIPAA (Health Insurance Portability and Accountability Act) – protection
of patient healthcare information.
• PCI-DSS (Payment Card Industry Data Security Standard) –
proprietary, non-governmental standard created by five major credit
card companies that defines requirements for secure handling of
customer credit card data.
• GLBA (Gramm-Leach-Bliley Act) – requirements for security of
customer information by financial institutions.
Endpoint Vulnerability Assessment
Secure Device Management
 Risk management involves the selection and specification of security controls for an organization.
 Threat-vulnerability (T-V) pairing
 I-API-M
Risk Management
 Risk is determined as the relationship between threat,
vulnerability, and the nature of the organization.
 It first involves answering the following questions as part of a
risk assessment:
• Who are the threat actors who want to attack us? (who)
• What vulnerabilities can threat actors exploit? (potentiality)
• How would we be affected by attacks? (impact)
• What is the likelihood that different attacks will occur? (frequency)

Risk treatment
AR-SR
 There are four potential ways to respond to risks (risk treatment options):
• Risk avoidance - Stop performing the activities that create risk. It is
possible that as a result of a risk assessment, it is determined that the
risk involved in an activity outweighs the benefit of the activity to the
organization.
• Risk reduction - Decrease the risk by taking measures to reduce
vulnerability.
• Risk sharing - Shift some of the risk to other parties (outsource,
insurance).
• Risk retention - Accept the risk and its consequences. This strategy is
acceptable for risks that have low potential impact and relatively high
cost of mitigation or reduction. Other risks that may be retained are
those that are so dramatic that they cannot realistically be avoided,
reduced, or shared.

Vulnerability Management D-PAR-RV
 According to NIST, vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization.
 The expected result is to reduce the time and money spent dealing with vulnerabilities and the exploitation of those vulnerabilities.
Vulnerability Management
 The steps in the Vulnerability Management Life Cycle are
• Discover - Inventory all assets across the network and identify host details,
including operating systems and open services, to identify vulnerabilities.
Develop a network baseline. Identify security vulnerabilities on a regular
automated schedule.
• Prioritize Assets - Categorize assets into groups or business units, and
assign a business value to asset groups based on their criticality to
business operations.
• Assess - Determine a baseline risk profile to eliminate risks, based on
asset criticality, vulnerability, threats, and asset classification.
• Report - Measure the level of business risk associated with your assets
according to your security policies. Document a security plan, monitor
suspicious activity, and describe known vulnerabilities.
• Remediate - Prioritize according to business risk and address
vulnerabilities in order of risk.
• Verify - Verify that threats have been eliminated through follow-up audits.

Endpoint Vulnerability Assessment
Secure Device Management
 Asset management – track location and configuration of
devices and software
 Mobile device management (MDM) – configure, monitor,
and update mobile clients
 Configuration management – hardware and software
configuration inventory and control
 Patch management – installing software patches
• Agent-based – software on each host
• Agentless scanning – patch management servers scan for devices that need patching
• Passive network monitoring – monitor network traffic to identify which devices need patching
Asset Management
 Asset management involves the implementation of systems
that track the location and configuration of networked devices
and software across an enterprise.
 NIST specifies in publication NISTIR 8011 Volume 2, the
detailed records that should be kept for each relevant device.

C-S
F
C

Mobile Device Management
 Mobile device management (MDM), especially in the age of
BYOD, presents special challenges to asset management.
 Mobile devices cannot be physically controlled on the premises
of an organization. They can be lost, stolen, or tampered with,
putting data and network access at risk.
 Part of an MDM plan is taking action when devices leave the
custody of the responsible party. Measures that can be taken
include disabling the lost device, encrypting the data on the device,
and enhancing device access with more robust authentication
measures.
 Network administrators should assume that all mobile devices are
untrusted until they have been properly secured by the organization.
 MDM systems, such as Cisco Meraki Systems Manager, allow security personnel to configure, monitor and update a very diverse set of mobile clients from the cloud.
Configuration Management
 Configuration management addresses the inventory and control of hardware
and software configurations of systems.
 Secure device configurations reduce security risk.
 To manage this, the organization may create baseline software images and
hardware configurations for each type of machine
 Configuration management extends to the software and hardware
configuration of networking devices and servers as well.
 For internetworking devices, software tools are available that will backup
configurations, detect changes in configuration files, and enable bulk change
of configurations across a number of devices.
 With the advent of cloud data centers and virtualization, management of
numerous servers presents special challenges. Configuration management
tools like Puppet, Chef, Ansible, and SaltStack were developed to allow
efficient management of servers that enable cloud-based computing.

Enterprise Patch Management
 Patch management is related to vulnerability management.
 Patch management involves all aspects of software patching,
including identifying required patches, acquiring, distributing,
installing, and verifying that the patch is installed on all
required systems.
 Patch management is required by some security compliance
regulations, such as SOX and HIPAA.
 Patch management depends on asset management data to
identify systems that are running software that requires
patching.
 Example: SolarWinds Patch Manager

Patch Management Techniques
 There are three patch management technologies.
• Agent-based
o This requires a software agent to be running on each host to be
patched.
o The agent reports whether vulnerable software is installed on the host.
o The agent runs with sufficient privileges to allow it to install the patches.
o Agent-based approaches are the preferred method for patching mobile devices.
• Agentless scanning
o Patch management servers scan the network for devices that require
patching.
o Only devices that are on scanned network segments can be patched in
this way.
o This can be a problem for mobile devices
• Passive network monitoring
o Devices requiring patching are identified through the monitoring of
traffic on the network. This approach is only effective for software that
includes version information in its network traffic.
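The limitation in the last bullet is easiest to see in code. The following is an added example, not from the Cisco slides or any vendor product: it takes a few constructed banner observations in the shape a passive sensor might record (an SSH server banner or an HTTP `Server:` header per host), extracts the product and version, and compares them with a hypothetical table of minimum patched versions. Hosts whose software hides its version, as Apache does with `ServerTokens Prod`, come out as unassessable, which is exactly the case agent-based or agentless scanning has to cover instead.

```python
"""Identify patch candidates passively from version strings seen on the wire.

Added example (not from the Cisco slides). The observations and the minimum
patched versions are constructed/hypothetical so the example runs offline.
"""
import re

# Constructed observations: (host, protocol, banner text as captured).
OBSERVATIONS = [
    ("10.0.5.10", "ssh",  "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7"),
    ("10.0.5.11", "http", "Server: Apache/2.4.29 (Ubuntu)"),
    ("10.0.5.12", "http", "Server: nginx/1.18.0"),
    ("10.0.5.13", "http", "Server: Apache"),  # version hidden (ServerTokens Prod)
    ("10.0.5.14", "ssh",  "SSH-2.0-OpenSSH_9.6"),
    ("10.0.5.15", "http", "Server: Microsoft-IIS/10.0"),  # not in the baseline table
]

# Hypothetical minimum acceptable versions, as a patch baseline might record them.
MIN_PATCHED = {"OpenSSH": (8, 9), "Apache": (2, 4, 58), "nginx": (1, 24, 0)}

# SSH banners are "SSH-<proto>-<software> [comment]"; only OpenSSH is modelled here.
_SSH_RE = re.compile(r"^SSH-\d\.\d-(OpenSSH)_(\d+(?:\.\d+)*)")
# HTTP Server header: product optionally followed by "/version".
_HTTP_RE = re.compile(r"^Server:\s*([A-Za-z][\w-]*)(?:/(\d+(?:\.\d+)*))?")


def parse_banner(protocol: str, banner: str):
    """Return (product, version tuple or None), or None if the banner is unrecognized."""
    if protocol == "ssh":
        m = _SSH_RE.match(banner)
    elif protocol == "http":
        m = _HTTP_RE.match(banner)
    else:
        return None
    if not m:
        return None
    version = tuple(int(x) for x in m.group(2).split(".")) if m.group(2) else None
    return m.group(1), version


def classify(observations=OBSERVATIONS, baseline=MIN_PATCHED) -> dict:
    """Map each host to one of: needs-patch, current, unknown-version, no-baseline, unrecognized.

    'unknown-version' is the limitation the slide describes: passive monitoring
    can only assess software that exposes its version in its traffic.
    """
    result = {}
    for host, proto, banner in observations:
        parsed = parse_banner(proto, banner)
        if parsed is None:
            result[host] = "unrecognized"
            continue
        product, version = parsed
        if version is None:
            result[host] = "unknown-version"
        elif product not in baseline:
            result[host] = "no-baseline"
        elif version < baseline[product]:   # tuple comparison orders versions numerically
            result[host] = "needs-patch"
        else:
            result[host] = "current"
    return result


if __name__ == "__main__":
    for host, status in classify().items():
        print(f"{host}: {status}")
```

Treat these results as hints for the patch process rather than proof: banners can be spoofed or back-ported (Debian's "7.4p1 ... deb9u7" above carries security fixes the bare version number does not reveal), so a passive hit should be confirmed against the asset inventory before a ticket is raised.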
Endpoint Vulnerability Assessment
Information Security Management Systems
(ISMS)
 Management framework to identify, analyze, and address information security risks
 ISO/IEC 27000 family of standards – internationally accepted standards that facilitate business conducted between countries
 NIST Cybersecurity Framework (IP-DRR: Identify, Protect, Detect, Respond, Recover)
Security Management Systems
 An Information Security Management System (ISMS)
consists of a management framework through which an
organization identifies, analyzes, and addresses information
security risks.
 ISMSs are not based in servers or security devices.
Instead, an ISMS consists of a set of practices that are
systematically applied by an organization to ensure
continuous improvement in information security.
 ISMSs are a natural extension of the use of popular business models, such as Total Quality Management (TQM) and Control Objectives for Information and Related Technologies (COBIT), into the realm of cybersecurity.
ISO 27000 family (figure)

ISO 27001: PDCA cycle (figure)
NIST Cybersecurity Framework - IPDRR
 NIST has developed the Cybersecurity Framework, which,
like ISO/IEC 27000, is a set of standards designed to
integrate existing standards, guidelines, and practices to help
better manage and reduce cybersecurity risk.

10.3 Chapter Summary

Chapter Summary
Summary
 Investigate endpoint vulnerabilities and attacks using antimalware, host-based
firewall, and host-based intrusion detection systems (HIDS).
 Attack surface is all of the vulnerabilities accessible to an attacker and can
include open ports, applications, wireless connections, and users.
 Three components of the attack surface: network, software, and human.
 Baselining is performed by network profiling and server profiling.
 A network profile could contain session duration, total throughput, port(s) used,
and critical asset address space.
 A server profile commonly contains listening ports, logged in users/service
accounts, running processes, running tasks, and applications.
 Network vulnerability testing is performed using risk analysis, vulnerability
assessment, and penetration testing.
 CVSS is a vendor-neutral risk assessment that contains three main metric
groups (base, temporal, and environmental). Each group has specific metrics
that can be measured.

Chapter Summary
Summary (Cont.)
 Compliance regulations include FISMA, SOX, HIPAA, PCI-DSS, and GLBA.
 Risk management is used to identify assets, vulnerabilities and threats.
 The four risk treatment options are risk avoidance, risk reduction, risk sharing, and risk retention.
 Vulnerability management proactively prevents the exploitation of IT vulnerabilities. The 6 steps of the vulnerability management lifecycle are discover, prioritize assets, assess, report, remediate, and verify.
 Other device management areas that must be considered include asset management, mobile device management, configuration management, and patch management.
 An ISMS consists of a management framework used to identify, analyze, and address information security risks. Examples include the ISO/IEC 27000 family of standards and the NIST Cybersecurity Framework Core and Functions.