As part of CSIRT’s mobile monitoring offering for special events, we undertook monitoring of the corporate and customer traffic of the Cisco House at the London 2012 Olympics. This engagement presents us with an excellent opportunity to showcase Cisco technology while keeping a close watch on potential network security threats. CSIRT monitoring for this event will be active for the entire lifespan of the Cisco House, from two months before the Olympics until two months after.
For the London 2012 engagement, we shipped our gear in a 14RU military-grade rack that is containerized: made for shipping. Inside the mobile monitoring rack we have an assortment of Cisco kit and third-party kit that mirrors the monitoring we do internally:
Catalyst 3750 to fan out traffic to all the other devices
FireEye for advanced malware detection
Two Cisco IronPort WSA devices for web traffic filtering based on reputation
Cisco UCS box where we run multiple VMs
Lancope StealthWatch collector for NetFlow data
and a Cisco 4255 IDS for intrusion detection
We mirror the signatures that we have deployed internally at Cisco out to these remote locations. Depending on the environment where the mobile monitoring rack is deployed, we may also do some custom tuning. The kit in the mobile monitoring rack can do intrusion detection and advanced malware detection, and can collect and parse NetFlow and log data for investigation purposes. The Cisco UCS rack server also lets us run several VMs, so we can host multiple tools that complement the other devices in the rack. For example, we run a Splunk instance on a VM to collect the logs generated by all the services. The data from the gear in the mobile monitoring rack is analyzed by our team of analysts and investigators to eliminate false positives, conduct mitigation and remediation, and finally produce an incident report if required.
For corporations, Advanced Persistent Threat (APT) is a widely publicized yet little understood topic. Does it exist? Is it a real threat? How can an organization tell if it is impacted?
The Cisco Computer Security Incident Response Team (CSIRT) is a global team of information security professionals responsible for the 24/7 monitoring, investigation and response to cyber security incidents for Cisco-owned businesses. CSIRT engages in proactive threat assessment, mitigation planning, incident detection and response, incident trending with analysis, and the development of security architecture. This article will provide the Cisco CSIRT team’s perspective on APT, and is the fifth in a series of blog posts on related issues from CSIRT’s point of view. As with the other posts, provided here are some real-world examples and techniques that will hopefully help organizations utilize existing tools and processes, or even understand gaps in security infrastructure. Read on to find out more.
This is the fourth part in the series “Missives from the Trenches.” (Here are the (first), (second), and (third) parts of the series.) In today’s blog post we will be discussing Cisco IOS NetFlow. NetFlow has an interesting position as being both the most useful and least used tool. When meeting with other companies I often ask them, “Do you use NetFlow?” By asking this question I am actually asking several different questions: Do you care about the security of your site? Do you have any hopes of managing/responding to events at your site? Answers to these questions unfortunately tend to be as follows: What is NetFlow? The network guys use it but we don’t. I think we capture it somewhere but I’m not really sure where. And so on. I then mention that NetFlow is free, they don’t have to buy anything to start using it, and it’s used for every large case we do. At that point they start looking angrily at the sales engineer, asking why this is the first they are hearing about it. So what is NetFlow, and why does Cisco CSIRT say it’s critical to daily event management? Read on to find out!
Cisco has had a long history of supporting the Forum of Incident Response Teams (FIRST), as members of the organization, as chairs of various programs, steering committee members, and conference organizers. Cisco has also been providing the network for the global conference for many years. This year I am chairing the conference, which will be held in Vienna on June 12-17, 2011. To that end, I am asking for some good security presentations for this year’s conference. We already have some great submissions from Interpol, Kaspersky, ENISA, etc. As chair I would really like to differentiate the conference with presentations based on real-world cybercrime defense. As we look back we see how rapidly the environment has changed over the past 10 years, and we are starting to bring focus on upcoming changes on the horizon with things like borderless networks, externalization of services, and cloud. Then, further, combine that with the increasing monetization and militarization of cyber threats. FIRST would like to take a close look at the protections and responses of the past, and whether they will be up to the challenge or part of the problem. I talk more about the theme and the conference in this short podcast.
If you have something you would like to share with the security community please read below and contact us using the Speakers Submission Form.
How does Cisco deal with cyber threats from the web? How does Cisco protect any device on a network? The following video will give you an update from Cisco CSIRT’s Gavin Reid on how Cisco is combating this increasing threat.