Discover the power of Cisco Security Agent software with behavior-based protection and zero-day defense. Transition from detection to protection with policy-based security that safeguards endpoints. Explore how CSA ensures endpoint security with comprehensive functionalities.
Host Based Intrusion Prevention (HIPS)
[Diagram: Internet and WAN connecting to the servers and desktops that need to be secured]
• Cisco Security Agent software (CSA)
• Behavior based, NO SIGNATURE UPDATES REQUIRED
• Zero Hour Protection
• BLOCKED: MS Blaster (luvgate), Nimda, CodeRed v1 & v2, SQL Slammer, SoBig, Backdoor.IRC.RPCBot.D
• Event correlation at the management console across the network to give high alert of potential WORM or VIRUS
• With the addition of the PROFILER, event correlation is enhanced and custom policies generated
Transition From Detection to Protection: At the Endpoint…
• From Signature-based to Policy-Based
  • Stops new attacks that attempt malicious activity
  • Policies allow “good” behavior and prevent “bad” behavior
  • P2P, Instant Messaging, Custom Programs
• From Multiple Products to Single Agent
  • Aggregates multiple security functions in one agent
  • HIPS, Zero-day protection, Firewall and OS lockdown
• From Updates to Zero-Update Protection
  • Behavior-based architecture changes the desktop and server paradigm
Cisco Security Agent (CSA): Behavioral Protection From Attacks
[Diagram: Attacks are rapidly mutating, require continual signature updates, are inaccurate to match and are the most damaging; the Target changes very slowly, which is the inspiration for the CSA solution]
Behavior Control Protects End Points
[Diagram: the Corporate Security Policy drives interceptors placed between the applications (Web Browser, Web Server, Email Client), the Network Protocol Stack and the Host Operating System]
• Attacks by layer: Application Attack (Active Content); Operating System Attack (Buffer Overflow); Protocol Attack (SMBDie, Ping of Death)
• System Call Shims: File System Access, Registry Access, COM Object Access, Memory Access, Code Execution
• HTTP Filtering
• Network Shim: Inbound packets, Outbound packets, Mount Shares
Cisco Security Agent Functions
• System Hardening
  • Syn-flood protection
  • Malformed packet protection
  • Restart of failed services
• Resource Protection
  • File access control
  • Network access control
  • Registry access control
  • COM component access control
  • Control of executable content
  • Protection against email worms
  • Protection against automatic execution of downloaded files or ActiveX controls
• Application-related
  • Application run control
  • Executable file version control
  • Protection against code injection
  • Protection of process memory
  • Protection against buffer overflows
  • Protection against keystroke logging
• Detection
  • Packet sniffers & unauthorized protocols
  • Network scans
  • Monitoring of OS event logs
Types of Behavior
[Diagram: All Possible Types of Security Relevant Behavior, narrowed by Default Server and Desktop Policies, Default Application Policies and Strict Control; Policy Violations may be undesired, Malicious Behavior is always undesired]
• Application Specific Policies via CSA Profiler
• CSA can also provide customized behavioral security for any environment
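As an added illustration of the allow-good/deny-bad model on the preceding slides (not Cisco's code and not CSA's actual rule language), a small policy engine evaluates intercepted system calls against per-application rules and classes each denial as a policy violation or malicious behavior. The rules, process names and the allow-on-no-match default are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class Event:
    """A system call intercepted by a shim on one host (constructed format)."""
    process: str     # image name of the calling process
    resource: str    # "file" | "registry" | "network" | "com" | "memory"
    operation: str   # "read" | "write" | "execute" | "connect"
    target: str      # file path, registry key, COM class id or host:port

@dataclass
class Rule:
    process: str     # glob on the process image
    resource: str
    operation: str
    target: str      # glob on the target
    action: str      # "allow" | "deny"
    kind: str        # "policy" (may be undesired) | "malicious" (always undesired)

# Constructed rules in the spirit of the slides' default server and desktop policies.
RULES = [
    # Protection against automatic execution of downloaded files: the mail client launches nothing
    Rule("outlook.exe", "file", "execute", "*", "deny", "malicious"),
    # A web server that starts writing into system32 is behaving like an exploited process
    Rule("inetinfo.exe", "file", "write", "*\\system32\\*", "deny", "malicious"),
    # Corporate policy: peer-to-peer and instant messaging clients stay off the network
    Rule("kazaa.exe", "network", "connect", "*", "deny", "policy"),
    Rule("msmsgs.exe", "network", "connect", "*", "deny", "policy"),
    # Registry access control: only the installer may add Run keys; anything else is blocked
    Rule("setup.exe", "registry", "write", "*\\CurrentVersion\\Run*", "allow", "policy"),
    Rule("*", "registry", "write", "*\\CurrentVersion\\Run*", "deny", "malicious"),
]

def evaluate(rules, ev):
    """First matching rule wins. No match: allow and log (an assumption, not CSA's exact semantics)."""
    for r in rules:
        if (fnmatch(ev.process, r.process) and r.resource == ev.resource
                and r.operation == ev.operation and fnmatch(ev.target, r.target)):
            return r.action, r.kind
    return "allow", "unmatched"

def enforce(events):
    """Run every intercepted call through the policy; return (process, target, action, kind)."""
    return [(ev.process, ev.target) + evaluate(RULES, ev) for ev in events]
```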
CSA Management Model
[Diagram: the administrator's web browser connects to the Management Console; configuration data flows down to the agents and events flow back up through a router]
• CSA MC
  • Is required to be physically secure
  • Holds the configuration and event databases (SQL Server)
  • Serves to distribute agent software to end-points
  • Deploys security policies to end-points
  • Receives events from agents and performs correlation
  • Sends alerts to administrators
• Security Administrators
  • Configure the system via browser connected to CSA Management Console
  • Review security events, reports, & alerts
  • Modify security policies
  • Can have: Configure, Deploy, Monitor roles
• Hosts or End Points
  • Protected by CSA
  • Are members of one or more groups
  • Get their security policies from the CSAMC
  • Send security events to the CSAMC
CISCO Security Agent Architecture
[Diagram: the CSA Mgmt Console exchanges configuration and policy updates with Server, Desktop and Laptop Agents; alerts go to an SNMP Manager, Custom Programs, a Local File and Other Managers; administrators use a Web Browser for management, reports and events]
• Platforms: WinNT, Win2K, WinXP and Solaris 8 64bit
• Agents enforce policy locally, connected or not
• All communications HTTP and SSL
CSA Correlation Capabilities
CSA offers unique agent and management level correlation
• Correlation on Agent
  • Higher accuracy
  • Fewer “False Positive” events
  • Example: Trojan Horse detection, Network Worm propagation, automatic application recognition
• Correlation on Manager
  • Higher accuracy
  • Fewer “False Negative” events
  • Example: Distributed “Ping Scans”, Network Worm propagation
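To show what the management-console correlation on this slide looks like in practice, here is an added example (not CSA's own code): events from several agents are grouped and a sliding window counts distinct reporting hosts, so one source sweeping many desktops becomes a distributed ping scan alert, and one process blocked from the same outbound port on several hosts becomes a worm propagation alert. The event format, thresholds, host names and sample data are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class AgentEvent:
    """One event an agent reports to the management console (constructed format)."""
    ts: float     # seconds since epoch
    host: str     # agent that observed it
    kind: str     # "icmp_echo" (inbound probe seen) or "blocked_outbound" (agent denied a connect)
    src: str      # probe source address, or the local process for blocked_outbound
    detail: str   # destination port for blocked_outbound, "" otherwise

def correlate(events, kind, group, min_hosts, window):
    """Alert when one group(e) value of `kind` is reported by >= min_hosts
    distinct agents inside any span of `window` seconds."""
    groups = defaultdict(list)
    for e in events:
        if e.kind == kind:
            groups[group(e)].append(e)
    alerts = []
    for key, evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):           # sliding window over sorted timestamps
            while evs[end].ts - evs[start].ts > window:
                start += 1
            hosts = {e.host for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append((key, sorted(hosts)))
                break                          # one alert per group is enough
    return alerts

def ping_scan_alerts(events):
    # Distributed ping scan: one remote source probing many agents within a minute
    return correlate(events, "icmp_echo", lambda e: e.src, 4, 60.0)

def worm_alerts(events):
    # Worm propagation: the same process blocked from the same port on several agents
    return correlate(events, "blocked_outbound", lambda e: (e.src, e.detail), 3, 300.0)

SAMPLE = [  # constructed: one scanner sweeping four desktops, one process spreading to three hosts
    AgentEvent(0, "desk01", "icmp_echo", "10.9.9.9", ""),
    AgentEvent(5, "desk02", "icmp_echo", "10.9.9.9", ""),
    AgentEvent(9, "desk03", "icmp_echo", "10.9.9.9", ""),
    AgentEvent(20, "desk04", "icmp_echo", "10.9.9.9", ""),
    AgentEvent(30, "desk01", "icmp_echo", "10.1.1.1", ""),  # a single ping: no alert
    AgentEvent(100, "srv01", "blocked_outbound", "worm.exe", "135"),
    AgentEvent(130, "desk02", "blocked_outbound", "worm.exe", "135"),
    AgentEvent(150, "desk03", "blocked_outbound", "worm.exe", "135"),
]
```

A single agent sees only its own host's events, so neither alert can be raised at the agent level; that is the "fewer false negatives" the slide attributes to correlation on the manager.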
CISCO Security Agent v4.0 – July 2003
• Integration with Cisco Works VMS 2.2
  • Co-resident installation; SecMon integration
• Additional Web server protection features
  • HTTP filtering; Connection Rate Limiting
• End-point integrity enforcement
  • Are You There integration with Cisco VPN client 4.0
• Augmenting the security of CISCO infrastructure
  • CSA policies for VMS and CISCO Call Manager
The Value of Prevention
"We estimated three classes of users, from data input to managerial functions, and assigned a population to each. After totaling the server downtime, the amount of time lost for employees and the hourly rate for each group, we came up with a staggering $98,306 for the incident." Network Computing Magazine, October 2002
The Value of Patch Relief
"And Digex, a provider of managed Web and application hosting services, calculates the annual cost of manually managing patch deployment to be about $14,400 per server." CSO Magazine, August 2003
• CSA enables more cost effective patch management (providing relief from today’s reactive approach):
  • Vulnerable hosts have protection in the face of new attacks
  • Customer may wait for ‘roll-ups’ and Service Packs, which come better qualified from vendor
  • Testing and implementation of updates can be scheduled without undue change control interruption
• CSA enables fewer updates to endpoints in a proactive and scheduled fashion… which means a lower TCO per server
“IT managers spend two hours per server to test and deploy a patch, which leads research firm Gartner to estimate that it can cost a company with 1,000 servers about $300,000 for each patch.” Information Week, Attacks Averted, Feb 3, 2003
CISCO Security Agent Summary
• CSA’s behavior based technology enables:
  • Lower Total Cost of Ownership
  • Single agent for Desktops and Servers
  • Provides multiple security solutions (Firewall + IDS + Malicious Mobile Code + OS Hardening + File Integrity)
  • Removal of the signature management burden
  • Huge reduction in alerts and false positives
  • Correlation on the Agent and Management Console
  • Intrusion Prevention not detection
CISCO Security Agent Summary (continued)
• CSA’s behavior based technology enables:
  • You get to enforce your Corporate Security Policies
  • You get to control the Patch process
  • Data Theft Policy protects Intellectual Property
  • Protection in the face of new and unknown threats