Telecom Reseller: Cisco Tribune, 2nd Quarter 2014, page 8 (News, Products, People, Events)

Beyond the usual measures: Plixer


A potential threat could come from anywhere at any time, and it doesn't have to start from the Internet. Many threats are initiated internally by infected handheld and laptop devices that walk right past the firewall. Anti-virus has become nearly ineffective against targeted threats. Even next-generation firewalls aren't stopping the outbound connections created by unwanted data exfiltration. Reviewing logs with expensive SIEM solutions is a great reactive measure, provided the logs they depend on haven't been tampered with.

In the VISA DATA SECURITY ALERT released in April 2013, Visa stated: "Hackers are also using anti-forensic techniques such as tampering with or deleting security event logs, using strong encryption or modifying security applications (e.g., whitelist malware files) to avoid detection." For all these reasons, your Cisco Cyber Threat Defense strategy needs to consider alternate defensive measures.

The Cisco Cyber Threat Defense effort often includes multiple technologies, one of which is NetFlow or the IETF standard called IPFIX.

Watch "Detecting Payment Card Data Breaches" on YouTube.
For example, your Cisco Cyber Threat Defense strategy for uncovering data exfiltration might include taking notes: how do the end systems running the business applications communicate over the network with the servers? Characteristics to be mindful of include:

• What ports do they use, and are the connections encrypted?
• How large and how frequent are the traffic patterns?
• How does a busy season like Christmas or Valentine's Day impact traffic? Point of Sale systems are impacted by this.
Loaded with the above notes, or possibly a saved historical behavior baseline that doesn't include the malware, your Cisco Cyber Threat Defense solution can begin to sleuth for signs that are indicative of some type of contagion. Although no one solution is a panacea for uncovering all types of data exfiltration, NetFlow should be part of your Cisco Cyber Threat Solution. Here are four tell-tale behaviors in flow data that could indicate a host participating in data exfiltration:

• Monitor encrypted connections to the Internet: is the upload volume in bytes greater than the download volume? What is the pattern?
• Watch for occasional Internet connections where the internal device does not receive a response. How often does it happen?
• Can you identify any strange DNS requests for domains that meet suspicious criteria? Is it the same recurring host?
• Host reputation: are any devices communicating with known Internet bots?
False positives are expected for any one of the above behaviors taken individually. However, if a host is exhibiting all four characteristics, possible data exfiltration should be investigated further. Make sure your Cisco Cyber Threat Defense solution knows how to build Threat Indexes™, which help you quickly sift through the onslaught of events with the goal of identifying real data exfiltration.

Michael Patterson – www.plixer.com
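The following script is an added example, not Plixer's or Cisco's code, that shows how the two checklists above can be applied to flow data: it compares each internal host's encrypted upload volume against a clean-period baseline, then scores the host on the four tell-tale behaviors and reports only hosts that exhibit all of them. The flow records, the baseline figures, the reputation list and the field names (src, dst, dport, bytes_out, bytes_in, answered, dns_query) are all constructed assumptions about a normalised NetFlow/IPFIX export; a real collector would populate them from its own schema.

```python
"""Score internal hosts for data-exfiltration indicators in flow records.

Added example (not Plixer's or Cisco's code). All records, the baseline and
the reputation list are constructed; the field names are assumptions about a
normalised NetFlow/IPFIX export.
"""
from collections import defaultdict

# Constructed sample flows, one record per aggregated conversation.
# "answered" is False when the internal host sent packets but got none back.
FLOWS = [
    # normal workstation browsing: downloads dominate
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "bytes_out": 4_000, "bytes_in": 120_000, "answered": True, "dns_query": None},
    # host 10.0.0.9: uploads dominate on an encrypted port
    {"src": "10.0.0.9", "dst": "198.51.100.7", "dport": 443,
     "bytes_out": 900_000, "bytes_in": 12_000, "answered": True, "dns_query": None},
    # host 10.0.0.9: outbound attempt with no response at all
    {"src": "10.0.0.9", "dst": "198.51.100.8", "dport": 8443,
     "bytes_out": 300, "bytes_in": 0, "answered": False, "dns_query": None},
    # host 10.0.0.9: DNS lookup of a random-looking label
    {"src": "10.0.0.9", "dst": "10.0.0.2", "dport": 53,
     "bytes_out": 80, "bytes_in": 120, "answered": True, "dns_query": "x7q9z2kd8fj3m1.example"},
    # host 10.0.0.9: talks to an address on the (constructed) reputation list
    {"src": "10.0.0.9", "dst": "192.0.2.44", "dport": 80,
     "bytes_out": 500, "bytes_in": 600, "answered": True, "dns_query": None},
    # normal host resolving an ordinary name
    {"src": "10.0.0.5", "dst": "10.0.0.2", "dport": 53,
     "bytes_out": 60, "bytes_in": 90, "answered": True, "dns_query": "www.example.com"},
]

# Constructed: typical encrypted upload bytes per host from a clean period
# (the "saved historical behavior baseline" the article mentions).
BASELINE_UPLOAD = {"10.0.0.5": 5_000, "10.0.0.9": 8_000}
BAD_REPUTATION = {"192.0.2.44"}          # constructed placeholder for a feed
ENCRYPTED_PORTS = {443, 8443, 22}        # assumption: treat these as encrypted


def is_internal(ip):
    """Assumption: the internal address space is 10.0.0.0/8."""
    return ip.startswith("10.")


def suspicious_domain(name):
    """Crude heuristic for random-looking labels: long, few vowels, digits mixed in."""
    label = name.split(".")[0]
    vowels = sum(c in "aeiou" for c in label)
    digits = sum(c.isdigit() for c in label)
    return len(label) >= 12 and vowels <= 2 and digits >= 3


def collect_stats(flows):
    """Aggregate per internal host the raw counters the four checks need."""
    stats = defaultdict(lambda: {"up": 0, "down": 0, "unanswered": 0,
                                 "odd_dns": 0, "bad_rep": 0})
    for f in flows:
        if not is_internal(f["src"]):
            continue                      # only score internal hosts
        s = stats[f["src"]]
        external = not is_internal(f["dst"])
        if external and f["dport"] in ENCRYPTED_PORTS:
            s["up"] += f["bytes_out"]
            s["down"] += f["bytes_in"]
        if external and not f["answered"]:
            s["unanswered"] += 1
        if f["dns_query"] and suspicious_domain(f["dns_query"]):
            s["odd_dns"] += 1
        if f["dst"] in BAD_REPUTATION:
            s["bad_rep"] += 1
    return stats


def baseline_ratio(flows, baseline=BASELINE_UPLOAD):
    """Encrypted upload volume divided by the clean-period baseline, per host."""
    return {host: s["up"] / baseline[host]
            for host, s in collect_stats(flows).items() if host in baseline}


def score_hosts(flows):
    """Flag each of the four behaviors per host and count how many are present."""
    result = {}
    for host, s in collect_stats(flows).items():
        flags = {
            "upload_heavy": s["up"] > s["down"],     # uploads exceed downloads
            "unanswered": s["unanswered"] > 0,       # connections with no reply
            "odd_dns": s["odd_dns"] > 0,             # suspicious DNS requests
            "bad_rep": s["bad_rep"] > 0,             # known-bad destinations
        }
        flags["score"] = sum(flags.values())
        result[host] = flags
    return result


def hosts_to_investigate(flows, threshold=4):
    """Hosts exhibiting at least `threshold` of the four behaviors."""
    return sorted(h for h, f in score_hosts(flows).items() if f["score"] >= threshold)


if __name__ == "__main__":
    for host, ratio in baseline_ratio(FLOWS).items():
        print(f"{host}: encrypted upload is {ratio:.1f}x the baseline")
    for host, flags in score_hosts(FLOWS).items():
        print(host, flags)
    print("investigate:", hosts_to_investigate(FLOWS))
```

The threshold defaults to four because, as the article notes, any single behavior produces false positives on its own; lowering it trades precision for recall, and the baseline ratio gives the analyst the seasonal context (a busy retail period legitimately raises volumes) needed to judge a borderline host.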