
Advanced Threat Detection and the Internet of Everything


Cisco IT Insights

What
The coming Internet of Everything (IoE) will add thousands if not millions of sensors, devices, and automated systems to enterprise
networks. However, most of these endpoints will not support security capabilities of their own, which makes them attractive to
attackers as a foothold for reaching and attacking the connected network.
This IoE security challenge is reflected in two critical questions for information security departments:

How can we protect our network, data, and applications from threats that could come from millions of endpoints, most of
which can't be secured?

How will we be able to analyze the huge volume of status and operational data generated by IoE devices for potential
attacks and risks?

"Security managers will need the ability to leverage IoE data not only to identify specific threats, but also to learn about what types
of traffic or activity represent an actual risk," says Logan Wilkins, program manager, Cisco InfoSec.

Building a Security Data Infrastructure


For Cisco IT, answering the questions about IoE security means first looking to the network level, which is the best place for getting
security-related information and where security measures can have the most effect.
To gather IoE security information within Cisco, we are deploying a system to collect network traffic data at a volume of
billions of records per day. The initial focus of the system is Domain Name System (DNS) data, which as of mid-2015 means
collecting up to three billion events daily, even before we've started to deploy massive numbers of IoE sensors. We started with
DNS data because of these factors:

The volume is large enough to validate that our data collection and processing systems will be adequate to handle the
higher data volumes generated by IoE elements.

DNS records provide an easy, fast way to find many security problems.

DNS also provides an important foundation for deeper analysis into other protocols that may be involved in a breach or
attack.

In the future, we plan to expand data collection to include NetFlow, which will help us automatically detect and handle more
security threats.

Machine Learning for Data Filtering and Correlation


To make all of this information useful to Cisco security teams, we are applying machine learning technology. Sophisticated
learning algorithms classify and correlate the data to identify unusual events, outlier values, and unexpected behaviors. Examples
of how we will apply machine learning to IoE security data include:

Using advanced learning algorithms to recognize with a high degree of confidence those external hosts that are likely to
have malicious intent.

Analyzing the behavior of hosts and devices on our network to discern unusual activity that would indicate malware or
unauthorized control of the device.
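As an added example (not Cisco's code, and not a description of the system Cisco IT built), the following Python script shows in miniature what the DNS-collection and machine-learning sections above describe: it parses a handful of constructed DNS events in an assumed four-field format, derives per-host behavioural features (query count, NXDOMAIN ratio, and the Shannon entropy of the registered domain label), and flags hosts whose feature values are outliers. It uses the median/MAD-based modified z-score rather than a trained model, so it stands in for the "outlier values and unexpected behaviors" step, not for the learning algorithms themselves. The log format, host addresses, domain names and the 3.5 cutoff are all assumptions for illustration.

```python
import math
import statistics
from collections import defaultdict

# Constructed sample DNS events, one per line: "<time> <client> <qname> <rcode>".
# The four-field format, addresses and names are assumptions for this example,
# not Cisco's schema. 10.1.1.99 issues DGA-style lookups that mostly fail.
SAMPLE_DNS_LOG = """\
2015-05-01T10:00:01 10.1.1.10 www.cisco.com NOERROR
2015-05-01T10:00:02 10.1.1.10 mail.cisco.com NOERROR
2015-05-01T10:00:03 10.1.1.10 wiki.cisco.com NOERROR
2015-05-01T10:00:04 10.1.1.10 www.example.org NOERROR
2015-05-01T10:00:05 10.1.1.11 www.cisco.com NOERROR
2015-05-01T10:00:06 10.1.1.11 cdn.example.net NOERROR
2015-05-01T10:00:07 10.1.1.11 login.example.org NOERROR
2015-05-01T10:00:08 10.1.1.12 www.cisco.com NOERROR
2015-05-01T10:00:09 10.1.1.12 typo.cisc0.com NXDOMAIN
2015-05-01T10:00:10 10.1.1.12 mail.cisco.com NOERROR
2015-05-01T10:00:11 10.1.1.13 wiki.cisco.com NOERROR
2015-05-01T10:00:12 10.1.1.13 docs.example.org NOERROR
2015-05-01T10:00:13 10.1.1.13 cdn.example.net NOERROR
2015-05-01T10:00:14 10.1.1.99 xk3p9q7rmzt4vbwy.com NXDOMAIN
2015-05-01T10:00:14 10.1.1.99 q8zl2wvnb5tk7rpd.net NXDOMAIN
2015-05-01T10:00:15 10.1.1.99 mv7c4rtx9kzhp2wq.com NXDOMAIN
2015-05-01T10:00:15 10.1.1.99 r2tk8npw5yxv3hzc.biz NXDOMAIN
2015-05-01T10:00:16 10.1.1.99 b9wqh6xzr4mtk2pv.com NXDOMAIN
2015-05-01T10:00:16 10.1.1.99 lq4rw7ztk2mxp9vb.com NOERROR
"""

FEATURES = ("query_count", "nxdomain_ratio", "label_entropy")
MODIFIED_Z_CUTOFF = 3.5  # Iglewicz-Hoaglin's customary outlier cutoff (assumed here)


def parse_dns_events(text):
    """Yield (client, qname, rcode); skip malformed lines instead of aborting."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _ts, client, qname, rcode = parts
            yield client, qname.lower().rstrip("."), rcode

def label_entropy(qname):
    """Shannon entropy (bits) of the registered label ('cisco' in www.cisco.com).
    Dictionary words score around 2; a 16-character random DGA label scores 4."""
    labels = qname.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def host_features(text):
    """Aggregate the event stream into one feature vector per client address."""
    queries, nxdomain, entropy = defaultdict(int), defaultdict(int), defaultdict(float)
    for client, qname, rcode in parse_dns_events(text):
        queries[client] += 1
        entropy[client] += label_entropy(qname)
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1
    return {c: {"query_count": float(n),
                "nxdomain_ratio": nxdomain[c] / n,
                "label_entropy": entropy[c] / n} for c, n in queries.items()}

def modified_z_scores(values):
    """Median/MAD-based z-score (Iglewicz and Hoaglin). Unlike mean/stdev, a few
    extreme hosts cannot drag the baseline toward themselves. When MAD is 0
    (more than half the hosts share one value) fall back to the mean absolute deviation."""
    med = statistics.median(values)
    abs_dev = [abs(v - med) for v in values]
    mad = statistics.median(abs_dev)
    if mad > 0:
        return [0.6745 * (v - med) / mad for v in values]
    mean_ad = sum(abs_dev) / len(abs_dev)
    if mean_ad == 0:
        return [0.0] * len(values)  # every host identical: nothing stands out
    return [(v - med) / (1.253314 * mean_ad) for v in values]

def score_hosts(text, cutoff=MODIFIED_Z_CUTOFF):
    """Return ({client: {feature: z}}, set of clients with any |z| above cutoff)."""
    feats = host_features(text)
    clients = sorted(feats)
    scores = {c: {} for c in clients}
    flagged = set()
    for name in FEATURES:
        zs = modified_z_scores([feats[c][name] for c in clients])
        for client, z in zip(clients, zs):
            scores[client][name] = z
            if abs(z) > cutoff:
                flagged.add(client)
    return scores, flagged

if __name__ == "__main__":
    scores, flagged = score_hosts(SAMPLE_DNS_LOG)
    for client in sorted(scores):
        verdict = "ALERT" if client in flagged else "ok"
        print(client, verdict, {k: round(v, 2) for k, v in scores[client].items()})
```

On this sample only the entropy feature clears the cutoff for 10.1.1.99; its NXDOMAIN ratio and query count are elevated but, with five hosts in the population, do not reach 3.5. The median/MAD score is chosen deliberately: a mean and standard deviation baseline is pulled toward the outliers by the outliers themselves, which matters when the compromised population is not small. In a deployment the baseline would be per host over time rather than across hosts at one instant, and the feature set would grow (TTLs, query types, rare-domain counts) before any model is trained on it.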

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

May 2015

Page 1 of 3

Security Data System Deployment


Cisco IT tested the new security data system in a proof-of-concept project that included the following elements:

Cisco Unified Computing System (Cisco UCS) servers for the data processing and access applications

MapR file system for data storage, together with a time-series database for events that are generated as a time series

Splunk for automated filtering and initial analysis of events, which creates more useful information for detailed assessment
by the Cisco security team

Lancope StealthWatch hardware for monitoring and ad hoc searches in the NetFlow data

Figure 1 presents a high-level architecture view of the data collection and processing system.

Figure 1. Cisco IT Architecture for Security Data Analysis [figure not reproduced]

Why
We know that defending the Cisco network as it connects more IoE sensors and devices will require the ability to quickly identify
new threats. That's why we're focusing on two critical capabilities in the security data infrastructure: scalability and automation.

Scalability to Handle Huge Data Volumes


Scalability is first about handling an enormous and ever-growing volume of network data. "If we have the infrastructure to handle
billions of events today, then we can be confident about handling the even higher volumes of data that come with IoE," says Jeff
Bollinger, senior investigator, Cisco InfoSec.
We also want a scalable infrastructure design that will allow us to collect and process log data from other IoE monitoring programs
as well as data from sources outside the network.

Automated, Intelligent Event Processing


Continual improvement in the machine learning capabilities will allow our automated event processing to become more intelligent
over time. Increasing automation will also reduce the number of events that will need to be evaluated by a Cisco security analyst,
even as IoE brings more data and new threats.


We also apply automated event processing with machine learning to identify risks in outbound network traffic. For example, our
internally developed iCAM software analyzes user behavior (including outbound data transfers) and generates alerts when that
behavior violates Cisco security policies.
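As an added example (not Cisco's iCAM, whose internals the page does not describe), the following Python shows one way an outbound-transfer policy check of this kind can be expressed over NetFlow-style records, the data source the page says Cisco IT plans to add. It sums the bytes each internal host sends to destinations outside the RFC 1918 ranges and raises an alert when the total exceeds either an absolute cap or a multiple of that host's previously learned baseline; a host with no baseline (a newly connected sensor, say) is judged on the cap alone. The record format, the addresses, the baselines and both thresholds are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style records: "<src_ip> <dst_ip> <dst_port> <bytes>".
# Format, addresses and volumes are assumptions for this example. The
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 addresses are documentation
# ranges standing in for Internet destinations.
SAMPLE_FLOWS = """\
10.1.1.10 10.1.2.5 445 120000000
10.1.1.10 203.0.113.7 443 4200000
203.0.113.7 10.1.1.10 443 80000000
10.1.1.11 198.51.100.20 443 900000
10.1.1.11 10.1.2.9 22 3500000
10.1.1.12 203.0.113.7 443 150000000
10.1.1.12 192.0.2.44 22 950000000
10.1.1.13 198.51.100.9 80 300000
10.1.1.14 203.0.113.90 443 30000000
10.1.1.50 198.51.100.33 8883 2000000
"""

# Hypothetical policy: the organisation's internal ranges (assumed to be the
# RFC 1918 blocks), an absolute per-host cap per reporting window, and the
# multiple of a host's learned baseline that counts as a violation.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OUTBOUND_CAP_BYTES = 500 * 1024 * 1024
BASELINE_MULTIPLIER = 10

# Constructed per-host baselines (bytes per window) that an earlier learning
# pass would have produced. 10.1.1.50 is new and has none.
BASELINE_BYTES = {
    "10.1.1.10": 5_000_000,
    "10.1.1.11": 2_000_000,
    "10.1.1.12": 20_000_000,
    "10.1.1.13": 1_000_000,
    "10.1.1.14": 1_000_000,
}


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges.
    ipaddress.is_private is deliberately not used: it also treats the
    documentation ranges as private, which would hide the sample's external hosts."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_external_bytes(text):
    """Bytes per internal source host sent to non-internal destinations."""
    totals = defaultdict(int)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate malformed export lines
        src, dst, _port, nbytes = parts
        if is_internal(src) and not is_internal(dst):
            totals[src] += int(nbytes)
    return dict(totals)


def check_outbound_policy(text, baselines=BASELINE_BYTES,
                          cap=OUTBOUND_CAP_BYTES, multiplier=BASELINE_MULTIPLIER):
    """Return (totals, alerts) where alerts maps host -> list of violated rules."""
    totals = outbound_external_bytes(text)
    alerts = {}
    for host, total in sorted(totals.items()):
        reasons = []
        if total > cap:
            reasons.append(f"exceeds cap of {cap} bytes")
        baseline = baselines.get(host)
        if baseline is not None and total > multiplier * baseline:
            reasons.append(f"exceeds {multiplier}x baseline of {baseline} bytes")
        if reasons:
            alerts[host] = reasons
    return totals, alerts


if __name__ == "__main__":
    totals, alerts = check_outbound_policy(SAMPLE_FLOWS)
    for host, total in sorted(totals.items()):
        print(host, total, "ALERT: " + "; ".join(alerts[host]) if host in alerts else "ok")
```

The two rules fire for different reasons: 10.1.1.12 trips both the absolute cap and its own baseline, while 10.1.1.14 moves only a few tens of megabytes but ten times its norm, which is the kind of deviation a fixed cap alone would miss. Inbound flows are ignored because their source is not an internal address. Since the page says iCAM works on user behaviour, keying the totals on an authenticated user rather than an IP address would be the natural extension.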
However, "There will always be a place for human analysis because we can't know for sure in some situations whether something
is really bad or not, so we can't set up all events for automated handling," says Bollinger. "We need the knowledge of our security
analysts to identify which events indicate a false positive and which indicate a true problem."

For More Information


Cisco IT Case Study: How Cisco Automates Protection of Intellectual Property
Cisco IT Case Study: Using Lancope StealthWatch for Information Security Monitoring
Cisco Unified Computing System
To read additional Cisco IT case studies about a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT
To view Cisco IT webinars and events about related topics, visit Cisco on Cisco Webinars & Events

Note
This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to
the results and benefits described. Cisco does not guarantee comparable results elsewhere.
CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied warranties; therefore, this disclaimer may not apply to you.

