Page 8 - Cisco Tribune Q2 2014
Telecom Reseller: Cisco Tribune
Beyond the usual measures: Plixer
A potential threat can come from anywhere at any time, and it does not have to start from the Internet. Many threats are initiated internally by infected handhelds and laptops that walk right past the firewall. Anti-virus has become nearly ineffective against targeted threats. Even next-generation firewalls are not stopping the outbound connections created by unwanted data exfiltration. Reviewing logs with expensive SIEM solutions is a good reactive measure, but only as long as the logs they depend on have not been tampered with.
In the Visa Data Security Alert released in April 2013, Visa stated: "Hackers are also using anti-forensic techniques such as tampering with or deleting security event logs, using strong encryption or modifying security applications (e.g., whitelist malware files) to avoid detection." For all these reasons, your Cisco Cyber Threat Defense strategy needs to consider alternate defensive measures.
The Cisco Cyber Threat Defense effort often includes multiple technologies, one of which is NetFlow or its IETF-standardized counterpart, IPFIX.
Watch "Detecting Payment Card Data Breaches" on YouTube.
For example, your Cisco Cyber Threat Defense strategy for uncovering data exfiltration might start with taking notes: how do the end systems running the business applications communicate over the network with the servers? Characteristics to be mindful of include:
• What ports do they use, and are the connections encrypted?
• How large and how frequent are the traffic patterns?
• How does a busy season like Christmas or Valentine's Day affect traffic? Point of Sale systems in particular are affected by this.
Loaded with the above notes, or possibly a saved historical behavior baseline that does not include the malware, your Cisco Cyber Threat Defense solution can begin to sleuth for signs that indicate some type of contagion. Although no single solution is a panacea for uncovering all types of data exfiltration, NetFlow should be part of your Cisco Cyber Threat Defense solution. Here are four tell-tale behaviors in flow data that could indicate a host participating in data exfiltration:
• Monitor encrypted connections to the Internet: is the volume of bytes uploaded greater than the volume downloaded? What is the pattern?
• Watch for occasional Internet connections where the internal device does not receive a response. How often does it happen?
• Can you identify any strange DNS requests for domains that meet suspicious criteria? Is it the same recurring host?
• Host reputation: are any devices communicating with known Internet bots?
False positives are expected for any one of the above behaviors on its own. However, if a host exhibits all four characteristics, possible data exfiltration should be investigated further. Make sure your Cisco Cyber Threat Defense solution knows how to build Threat Indexes™, which help you quickly sift through the onslaught of events with the goal of identifying real data exfiltration.
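As an added example (not code from this article or from Plixer's products), the following Python scores each internal host against the four tell-tales listed above and counts how many it exhibits, in the spirit of the combined index described in the last paragraph. The flow records, DNS queries, bot reputation list, encrypted-port set and thresholds are all constructed assumptions for the illustration; a real deployment would read exported NetFlow/IPFIX records and a live reputation feed instead.

```python
"""Score internal hosts against the four flow-based exfiltration tell-tales.

Constructed sample data, not real traffic: the flows, DNS queries, bot list
and thresholds below are assumptions made for this illustration.
"""
import math
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Bidirectional flow summaries as a collector might export them:
# (internal source, external destination, destination port, bytes out, bytes in)
FLOWS = [
    ("10.1.1.10", "203.0.113.5", 443, 52_000_000, 380_000),   # large upload over TLS
    ("10.1.1.10", "203.0.113.5", 443, 48_000_000, 410_000),
    ("10.1.1.10", "198.51.100.9", 8443, 900, 0),              # no response from peer
    ("10.1.1.10", "198.51.100.9", 8443, 900, 0),
    ("10.1.1.10", "192.0.2.77", 443, 1_200, 0),               # beacon to a "known bot"
    ("10.1.1.20", "203.0.113.80", 443, 40_000, 2_500_000),    # ordinary browsing
    ("10.1.1.20", "203.0.113.80", 443, 30_000, 1_900_000),
    ("10.1.1.30", "192.0.2.77", 443, 10_000, 9_000),          # bot contact, nothing else
]
# Queries seen by the internal resolver: (internal source, queried name)
DNS_QUERIES = [
    ("10.1.1.10", "x7k3q9zp2lm8vb4n1c6d0ws5r.example-cdn.net"),  # long, high-entropy label
    ("10.1.1.10", "mail.example.com"),
    ("10.1.1.20", "www.example.com"),
    ("10.1.1.30", "updates.example.org"),
]
KNOWN_BOTS = {"192.0.2.77"}   # assumed reputation feed of bot controllers

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENCRYPTED_PORTS = {443, 8443, 993, 995}
UPLOAD_RATIO = 5.0             # out/in above this on an encrypted port is upload-heavy
MIN_UPLOAD_BYTES = 10_000_000  # ignore tiny sessions that happen to be lopsided
LONG_LABEL = 25                # leftmost DNS label at least this long is suspicious
ENTROPY_THRESHOLD = 3.5        # bits per character; encoded or generated names run high


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_name(qname):
    """Flag names whose leftmost label looks encoded or machine-generated."""
    label = qname.split(".")[0]
    return len(label) >= LONG_LABEL or shannon_entropy(label) > ENTROPY_THRESHOLD


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def score_hosts(flows, dns_queries, known_bots):
    """Return {host: {behaviour: evidence}} for each of the four tell-tales."""
    findings = defaultdict(dict)
    encrypted = defaultdict(lambda: [0, 0])   # host -> [bytes out, bytes in]
    unanswered = defaultdict(int)             # host -> flows with zero bytes back
    for src, dst, dport, bytes_out, bytes_in in flows:
        if is_internal(dst):                  # only Internet-bound traffic counts
            continue
        if dport in ENCRYPTED_PORTS:
            encrypted[src][0] += bytes_out
            encrypted[src][1] += bytes_in
        if bytes_in == 0:
            unanswered[src] += 1
        if dst in known_bots:
            findings[src]["reputation"] = dst
    for host, (bytes_out, bytes_in) in encrypted.items():
        if bytes_out >= MIN_UPLOAD_BYTES and bytes_out > UPLOAD_RATIO * max(bytes_in, 1):
            findings[host]["upload_heavy"] = round(bytes_out / max(bytes_in, 1), 1)
    for host, count in unanswered.items():
        findings[host]["no_response"] = count
    for src, qname in dns_queries:
        if is_suspicious_name(qname):
            findings[src].setdefault("suspicious_dns", []).append(qname)
    return dict(findings)


def threat_index(findings):
    """How many of the four behaviours each host shows; 4 of 4 warrants investigation."""
    return {host: len(evidence) for host, evidence in findings.items()}


if __name__ == "__main__":
    found = score_hosts(FLOWS, DNS_QUERIES, KNOWN_BOTS)
    for host, index in sorted(threat_index(found).items(), key=lambda kv: -kv[1]):
        print(f"{host}: {index}/4  {found[host]}")
```

Each behaviour on its own is noisy (a backup client is upload-heavy, a scanner produces unanswered flows), which is why the index counts behaviours per host rather than alerting on any single one; the thresholds are the tuning knobs that trade false positives against missed activity, and the baseline notes taken earlier are what you would use to set them per environment.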
Michael Patterson– www.plixer.com