© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Slide 1
Thanks for joining! We will begin in just a few minutes as more people come on line. This event will be recorded.

Slide 2
IPS Tech Talk – Risk Rating
2010 October 14
Robert Albach and James Kasper

Slide 3: Agenda
:00 Welcome to Tech Talks
:03 Risk Ratings
@ :30 Question and Answer
- Mechanics of Tech Talks
- Introduction and Definitions
- What you can do with it and how
- Components and how to calculate it
- Details to consider

Slide 4: Tech Talk Mechanics
How these events will operate
- With many people on-line we will mute all but the presenters
- We will try to answer questions at the end
  - Please use the “Question and Answer” feature for questions
  - If we don’t get to your question, we will try to answer them off-line
- The presentation and recording will be placed on the TAC support site

Slide 5: Risk Ratings
- Risk Ratings help answer the questions: “How important is this event?” and “What should be done?”
- Risk Ratings impact attributes of the EVENT
- Risk Ratings DO NOT impact the operation of SIGNATURES, but they do potentially impact the ACTIONS taken
- Risk Ratings are highly customizable, and their effects are as automated as you choose to configure them

Slide 6: Event views – How important is this?

Slide 7: Policy Impact: What should be done?

Slide 8: Policy Impact: Customize Risk Thresholds and Ranges for Actions

Slide 9: How is Risk Rating Determined?
- Risk Rating has multiple contributing inputs:
  - Attack Severity Rating – derived from other inputs (more to come)
  - Target Value Rating – configurable by user
  - Signature Fidelity Rating – pre-set by Cisco for each signature
  - Attack Relevance Rating – derived from other inputs (more to come)
  - Promiscuous Delta – derived value, impacted by IDS mode
  - Watch List Rating – derived from internal list data (more to come)
  - *Global Correlation – (7.0 and later) – impact discussed later

Slide 10: Attack Severity Rating
- Derived from the Alert Severity parameter, which you can configure: Informational, Low, Medium, High

Slide 11: Target Value is Configurable

Slide 12: Signature Fidelity Rating
- 100 is highly confident: always correct in all conditions, forever
- Reality is that there is always a degree of uncertainty

Slide 13: Policy Impact: Attack Relevance – Operating System is a Determinant
Derived results are: relevant, unknown, not relevant

Slide 14: Promiscuous Delta (IDS) Rating
- A risk-reducing value (negative) associated with the signature, with values ranging from 0 to 30.

Slide 15: Watch List / Reputation Rating
- Can import your own watch list (Sensor Configuration)

Slide 16: Global Correlation and Risk Rating
- For 7.0+ releases you have access to Cisco Global Correlation Reputation data
- There are three modes that let you determine how aggressively the sensor uses global correlation information to initiate deny actions:
  - Permissive: modifies the standard Risk Rating with the Risk Delta (below).
  - Standard: Permissive, but uses lower internal override thresholds. Deny Packet: 86, Deny Attacker: 100
  - Aggressive: Standard, but uses even lower override thresholds. Deny Packet: 83, Deny Attacker: 95
  + Risk Delta

Slide 17: How To: Global Correlation and Risk Rating

Slide 18: More Global Correlation Details
- GC is processed in the alarm channel (post signature trigger):
  1. Determine the GC score from the GC database.
     - A score of 0 denotes no “bad actor” reputation for the attacker address
     - Scores are -0.1 … -10.0, with a lower score denoting a “worse” reputation of the attacker. For example: a score of -3.1 is not nearly as bad as a score of -7.3.
  2. If there is a negative “bad actor” score, apply special GC handling:
     - Modify RiskRating with “GC incrementalRiskRating”, calculated by an internal formula (combines Risk and Score)
     - Check internal thresholds for deny-packet and deny-attacker; adjust deny action bits as appropriate.
     - Check regular user overrides with the modified RiskRating
     - Modify elements in evIdsAlert structures to show the action performed on the alert.
     - Record GC stats
- Each alert’s RiskRating will be modified (increased) with the results of the scoring function. This will be reflected in the evIdsAlert.

Slide 19: evIdsAlert example
    evIdsAlert: eventId=1235401816505394192 severity=high vendor=Cisco
      originator:
        hostId: beau-test-129
        appName: sensorApp
        appInstanceId: 408
      time: 2009/02/23 22:42:53 2009/02/23 22:42:53 UTC
      signature: description=IP options-Strict Source Route id=1006 created=20010202 type=other version=S2
        subsigId: 0
        marsCategory: Info/UncommonTraffic/TCPIPOptions
      interfaceGroup: vs0
      vlan: 0
      participants:
        attacker:
          addr: locality=OUT 4.1.1.7
        target:
          addr: locality=OUT 10.2.1.7
          os: idSource=unknown relevance=relevant type=unknown
      actions:
        denyPacketRequestedNotPerformed: true
      riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 96
      threatRatingValue: 96
      interface: ge0_0
      protocol: icmp
      globalCorrelation:
        globalCorrelationScore: -3.7
        globalCorrelationRiskDelta: 7
        globalCorrelationModifiedRiskRating: true
        globalCorrelationDenyPacket: false
        globalCorrelationDenyAttacker: false
        globalCorrelationOtherOverrides: false
        globalCorrelationAuditMode: false
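As an added worked example (not code from the presentation or from Cisco), the following Python models the slide 18 alarm-channel sequence with the slide 16 mode thresholds and replays the slide 19 alert. The page does not give the internal incremental-risk formula, so the Risk Delta is an input; the base Risk Rating of 89 (96 shown minus the delta of 7), the "deny-packet-inline" override and its 90-100 range are constructed assumptions.

```python
from dataclasses import dataclass, field

# Internal Global Correlation override thresholds from slide 16.
# Permissive mode only adds the Risk Delta; it sets no deny bits of its own.
GC_THRESHOLDS = {
    "permissive": None,
    "standard": {"deny_packet": 86, "deny_attacker": 100},
    "aggressive": {"deny_packet": 83, "deny_attacker": 95},
}

@dataclass
class GcResult:
    modified_rr: int               # Risk Rating after the GC delta
    gc_deny_packet: bool = False   # globalCorrelationDenyPacket
    gc_deny_attacker: bool = False # globalCorrelationDenyAttacker
    user_actions: list = field(default_factory=list)

def apply_global_correlation(base_rr, gc_score, risk_delta, mode, user_overrides=()):
    """Model of the slide 18 alarm-channel steps for one alert.

    gc_score: 0 (no reputation) or -0.1 .. -10.0 (lower is worse).
    risk_delta: increment the sensor derives from RR and score; the page
        does not give that internal formula, so it is taken as an input.
    user_overrides: (action, low_rr, high_rr) event action overrides,
        checked against the modified Risk Rating as slide 18 describes.
    """
    if mode not in GC_THRESHOLDS:
        raise ValueError(f"unknown global correlation mode: {mode}")
    if not -10.0 <= gc_score <= 0:
        raise ValueError(f"score out of range: {gc_score}")
    rr = base_rr
    deny_packet = deny_attacker = False
    if gc_score < 0:  # only addresses with a "bad actor" reputation get GC handling
        rr = min(100, base_rr + risk_delta)
        thr = GC_THRESHOLDS[mode]
        if thr is not None:  # standard / aggressive internal overrides
            deny_packet = rr >= thr["deny_packet"]
            deny_attacker = rr >= thr["deny_attacker"]
    actions = [a for a, lo, hi in user_overrides if lo <= rr <= hi]
    return GcResult(rr, deny_packet, deny_attacker, actions)

# Constructed walk-through of the slide 19 alert: score -3.7, delta 7 and a
# post-delta riskRatingValue of 96, so the base Risk Rating is taken as 89.
if __name__ == "__main__":
    overrides = [("deny-packet-inline", 90, 100)]  # constructed user override
    for mode in GC_THRESHOLDS:
        print(mode, apply_global_correlation(89, -3.7, 7, mode, overrides))
```

With the permissive thresholds both GC deny bits stay false, matching the slide 19 alert; standard mode would set the deny-packet bit at 96 and aggressive mode both bits.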

Slide 20: Reporting Criteria

Slide 21: A customizable attribute aligned with a Signature but not altering Signatures

Slide 22: What IPS features do not participate in the Risk Rating?
- Network Behavior Analysis: it might be of value in adding to the risk rating, but it is not used today.
- Historical Alert Data: automating the history of attackers as a contributor could make sense.

Slide 23: Risk Rating Configuration and Roles
- Anyone who can configure sigs or event action rules (alarm channel) can configure Risk Rating influencers

Slide 24: Do Risk Ratings Extend beyond the IPS?
- CSM DOES report Risk Rating data.
- CSM DOES configure Risk Rating settings.
- Risk Rating information IS sharable across IPSs.
- Risk Rating information IS conveyed via SNMP – in alert – get alert info.
- Both Global Correlation and Watch List influencers can come “off box”

Slide 25: What might be some limitations?
- IPS location may make a difference.
- Example: if the addresses I see coming from inside my network are NATed, then the target information may be worth less. If inspecting only internal traffic, then external reputation data (Global Correlation) may not have much meaning and has less impact, but my internal watch list information is a better fit.

Slide 26: Risk Rating Summary
- Risk Ratings help you to:
  - Recognize and prioritize security events
  - Automate event-specific reactions
- Risk Ratings are customizable:
  - You can customize the conditions
  - You can customize the actions
- Risk Ratings are cool

Slide 27: Quick Poll
- Risk Ratings and You…

Slide 28: Before the Q&A Session
- Thanks for attending.
- Let us know:
  - Was this session worthwhile to you?
  - What future topics would you like to see?
  - How might we improve these events?
- Send an email to: Robert Albach ralbach@cisco.com

Slide 29: Q&A
Please use the Question and Answer section of WebEx

Slide 30: THANKS!

