Andrew Turner
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
cs.co/ciscolivebot#PSOSPM-2037
PSOSPM-2037 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
At the end of the session, you will be able
to:
If you firewall everything, why do you need this?
PGW
MME
Firewalls at Perimeter
How do you know your firewall is working?
Rulesets
Configure
Denied
Reporting
Allowed
Allowed Connection
Blocked Connection
Breaches are more than Hacking
Operational Integrity
Knowing what people, processes and systems are doing, what
they are supposed to be doing & when they are NOT doing it
2017 Cost of Data Breach Study by Ponemon Institute
And the complexity is ever growing
Threats focused on in this session
Infrastructure not Subscriber Analytics
Would you like to know more?
Threats are real, cheap and easy
https://www.blackhat.com/docs/eu-15/materials/eu-15-Borgaonkar-LTE-And-IMSI-Catcher-Myths.pdf
https://www.documentcloud.org/documents/4392401-4G-LTE-attacks-paper.html
Recent Example in the News
https://www.cnet.com/news/homeland-security-detected-phone-spying-devices-in-dc/
Stealthwatch in a Nutshell
Actionable Outcomes
Identity
The general ledger
A trace of every conversation in your network
Visibility
[Figure: a sample flow record (1.1.1.1 2.2.2.2 3.3.3.3 80/tcp Doug http 20M location 00:2b:1f 10 TLS 1.2) enriched with context: User Information, Network Telemetry, Interface Information, Policy Information, Threat Intelligence, Encrypted Traffic Analytics, Group / Segment, NAT/Proxy, Layer 7, Endpoint, Cloud]
Stealthwatch value
Policy Monitoring: Leverages knowledge of known bad behavior
Anomaly Detection: Identify a change from “normal”
Policy Monitoring
Internet Payment
Anomaly Detection
Suspicion is not proof of guilt
[Figure: traffic for Server A and Server B on a 0 Gbps to 100 Gbps axis, with “Normal High” and “Normal Low” levels and an “Anomaly in Traffic Pattern” marked]
Policy Modeling in the Packet Core
Policy is defined by:
3GPP standards for communication between nodes in the packet core
[Figure: SGW, MME and PGW nodes, with links labelled “Allowed by standards” and “Should never communicate according to the standards.”]
Policy Monitoring in the Packet Core
Telemetry is sent to Stealthwatch from the network, such as Routers, Switches and Firewalls.
Stealthwatch adds context by knowing what is an MME, PGW and SGW.
If communication occurs between these host groups, we know that the defined policy has been violated.
The question is why?
[Figure labels: Stealthwatch, AMF, Slice A]
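The host-group check described on this slide, as an added example (not Cisco's or Stealthwatch's code): flow records are tagged with the packet-core role of each endpoint, and any flow between groups that policy forbids is reported. The address ranges, the flow records and the choice of MME and PGW as the pair that should never communicate are constructed assumptions for illustration.

```python
import ipaddress

# Constructed host groups: which address ranges hold which packet-core role.
HOST_GROUPS = {
    "MME": ["10.10.1.0/24"],
    "SGW": ["10.10.2.0/24"],
    "PGW": ["10.10.3.0/24"],
}

# Assumed policy: group pairs that should never exchange traffic directly.
FORBIDDEN_PAIRS = {frozenset({"MME", "PGW"})}

# Constructed flow records: (source, destination, service, bytes).
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.2.7", "2123/udp", 48_000),   # MME -> SGW, allowed
    ("10.10.2.7", "10.10.3.9", "2123/udp", 51_000),   # SGW -> PGW, allowed
    ("10.10.1.5", "10.10.3.9", "22/tcp", 9_200),      # MME -> PGW, violation
    ("10.10.3.9", "10.10.1.5", "22/tcp", 310_000),    # PGW -> MME, violation
    ("192.0.2.44", "10.10.3.9", "443/tcp", 1_200),    # source is in no group
]

_NETS = [(ipaddress.ip_network(cidr), group)
         for group, cidrs in HOST_GROUPS.items() for cidr in cidrs]

def classify(addr):
    """Return the host group for an address, or None if it is in no group."""
    ip = ipaddress.ip_address(addr)
    for net, group in _NETS:
        if ip in net:
            return group
    return None

def find_violations(flows, forbidden=FORBIDDEN_PAIRS):
    """Return flows whose two endpoints fall in a forbidden pair of host groups."""
    hits = []
    for src, dst, service, nbytes in flows:
        src_group, dst_group = classify(src), classify(dst)
        if src_group and dst_group and frozenset({src_group, dst_group}) in forbidden:
            hits.append({"src": src, "src_group": src_group, "dst": dst,
                         "dst_group": dst_group, "service": service, "bytes": nbytes})
    return hits

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"POLICY VIOLATION {v['src_group']}->{v['dst_group']} "
              f"{v['src']} -> {v['dst']} {v['service']} {v['bytes']} bytes")
```

The report says only that the policy was violated; the service and byte count on each hit are the starting point for answering why.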
Traffic Anomalies
Incorrect Prefix Redistributed into Routing
Operational Integrity through Stealthwatch’s Network Accountability
[Figure labels: Infrastructure Communication, Cell Site, Stealthwatch, Multiple alarms generated]
“Often legitimate credentials are compromised,
enabling intruders to get in, and masquerade as
legitimate users, coming after the network.”
Rob Joyce, Tailored Access Operations, NSA
https://www.youtube.com/watch?v=bDJb8WOJYdA
Insider Threat
25% involved internal Actors
81% of hacking-related breaches leveraged stolen and/or weak passwords
Verizon 2017 Data Breach Report http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
Be Like Mike
Pramod: Employee, Trusted, Authorized, Admin
Mike: Employee, Trusted, Authorized, Admin
Insider Threat Detection
Deploy Stealthwatch across the network to maximize the ability to spot anomalies
[Figure labels: Internet, Corp, DCN IT, IMS, EPC, Firewall, Data Exfiltration, Stealthwatch]
Data Hoarding and Exfiltration Alarms in Stealthwatch
[Screenshot callouts: Details on the Host; Lots of Traffic to Confidential Servers; Host Classification]
What else might be leaking?
Validating Core Segmentation
General Data Protection Regulation
Fines of up to 4% of global revenue
What data leaves the network?
For example, how would you know if your equipment calls home?
[Figure labels: Operator Network, Internet, Vendor, External Connection]
Comprehensive Operational Integrity
"The theme I want you to take away is, if
you really want to protect your network,
you really have to know your network."
Rob Joyce, Tailored Access Operations, National Security Agency
Thank you