Arming Security Investigators

FIRST/TF-CSIRT Seminar

Tuesday — January 29th, 2013 11:15

Over the past 10 years, security threats have grown from network annoyances into attacks on sensitive infrastructure. Evidence indicates that threats are growing more sophisticated and increasingly aim to embed malware in infrastructure. This presentation will share Cisco CSIRT's evolving architecture for addressing sophisticated, embedded threats.

The talk will describe how CSIRT has evolved its network infrastructure over the past 10 years, with detailed architectural examples and guidance drawn from its multi-petabyte global deployments of:

  • Log/event collection of syslog, DNS, web proxy logs, ModSecurity logs
  • NetFlow collection
  • Host and user attribution techniques (correlating DHCP, NAT and VPN logs to tie an address and timestamp back to a host and user)
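The attribution bullet above is the step most often done by hand during an investigation: a public IP and port seen in an external alert has to be walked back through NAT to an internal address, and then to whoever held that address at that moment. The following is an added example, not code from the presentation or from Cisco CSIRT; the three log formats, the sample lines and the field names are constructed for illustration. The point it demonstrates is that every lookup must be bounded by time, because NAT ports and DHCP addresses are reused, so an IP-only join silently attributes traffic to the wrong host.

```python
"""Time-bounded attribution: public IP:port at a timestamp -> internal host -> user.

All log lines below are constructed samples in assumed formats (not real
Cisco CSIRT data). Timestamps are UTC; mixing clocks from different time
zones is the most common way this kind of join goes wrong in practice.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed NAT translation log. Note that xlate port 40001 is reused at
# 11:25 by a different internal host after the first translation is torn down.
NAT_LOG = """\
2013-01-29T11:15:02Z NAT built src=10.1.2.34:51522 xlate=203.0.113.7:40001 dst=198.51.100.9:443
2013-01-29T11:16:40Z NAT built src=10.200.0.8:44001 xlate=203.0.113.7:40002 dst=198.51.100.9:443
2013-01-29T11:19:30Z NAT teardown src=10.1.2.34:51522 xlate=203.0.113.7:40001 dst=198.51.100.9:443
2013-01-29T11:25:00Z NAT built src=10.1.2.99:50000 xlate=203.0.113.7:40001 dst=198.51.100.9:443
"""
# Constructed DHCP server log (lease length in seconds).
DHCP_LOG = """\
2013-01-29T10:05:00Z DHCPACK on 10.1.2.34 to 00:11:22:33:44:55 (lab-ws01) lease 3600
2013-01-29T11:05:00Z DHCPACK on 10.1.2.34 to 00:11:22:33:44:55 (lab-ws01) lease 3600
2013-01-29T11:24:00Z DHCPACK on 10.1.2.99 to 66:77:88:99:aa:bb (contractor-lt) lease 3600
"""
# Constructed VPN concentrator log (session start/end with assigned address).
VPN_LOG = """\
2013-01-29T11:00:00Z VPN session start user=jdoe assigned=10.200.0.8
2013-01-29T11:30:00Z VPN session end user=jdoe assigned=10.200.0.8
"""


@dataclass
class Interval:
    start: datetime
    end: Optional[datetime]  # None = still open when the log ends

    def covers(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t < self.end)


NAT_RE = re.compile(r"^(\S+) NAT (built|teardown) src=(\S+) xlate=(\S+) dst=\S+$")
DHCP_RE = re.compile(r"^(\S+) DHCPACK on (\S+) to (\S+) \((\S+)\) lease (\d+)$")
VPN_RE = re.compile(r"^(\S+) VPN session (start|end) user=(\S+) assigned=(\S+)$")


def parse_nat(log: str):
    """Pair build/teardown lines into (src, xlate, Interval) rows."""
    open_, rows = {}, []
    for line in log.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        t, kind, src, xlate = ts(m[1]), m[2], m[3], m[4]
        if kind == "built":
            iv = Interval(t, None)
            open_[(src, xlate)] = iv
            rows.append((src, xlate, iv))
        elif (src, xlate) in open_:
            open_.pop((src, xlate)).end = t
    return rows


def parse_dhcp(log: str):
    """Rows of (ip, mac, hostname, Interval) with end = ack time + lease."""
    rows = []
    for line in log.splitlines():
        m = DHCP_RE.match(line)
        if m:
            t = ts(m[1])
            rows.append((m[2], m[3], m[4], Interval(t, t + timedelta(seconds=int(m[5])))))
    return rows


def parse_vpn(log: str):
    """Rows of (assigned_ip, user, Interval) from session start/end pairs."""
    open_, rows = {}, []
    for line in log.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue
        t, kind, user, ip = ts(m[1]), m[2], m[3], m[4]
        if kind == "start":
            iv = Interval(t, None)
            open_[(user, ip)] = iv
            rows.append((ip, user, iv))
        elif (user, ip) in open_:
            open_.pop((user, ip)).end = t
    return rows


def attribute(xlate: str, when: str, nat, dhcp, vpn) -> dict:
    """Walk xlate ip:port at time `when` back to an internal IP, then to a
    VPN user and/or DHCP lease active at that same instant. Refuses to guess
    when zero or several translations match."""
    t = ts(when)
    inside = [src for src, x, iv in nat if x == xlate and iv.covers(t)]
    if len(inside) != 1:
        return {"xlate": xlate, "error": f"{len(inside)} NAT translations active at {when}"}
    src_ip = inside[0].rsplit(":", 1)[0]
    result = {"xlate": xlate, "internal_ip": src_ip}
    users = sorted({u for ip, u, iv in vpn if ip == src_ip and iv.covers(t)})
    if users:
        result["user"] = users[0] if len(users) == 1 else users
    leases = {(mac, host) for ip, mac, host, iv in dhcp if ip == src_ip and iv.covers(t)}
    if len(leases) == 1:
        result["mac"], result["host"] = leases.pop()
    return result


if __name__ == "__main__":
    nat, dhcp, vpn = parse_nat(NAT_LOG), parse_dhcp(DHCP_LOG), parse_vpn(VPN_LOG)
    for q in ("2013-01-29T11:16:00Z", "2013-01-29T11:22:00Z", "2013-01-29T11:26:00Z"):
        print(attribute("203.0.113.7:40001", q, nat, dhcp, vpn))
    print(attribute("203.0.113.7:40002", "2013-01-29T11:17:00Z", nat, dhcp, vpn))
```

Two design choices matter here. First, an open NAT translation or VPN session (no teardown seen) is treated as live until the end of the log; in a real deployment you would cap that with the device's configured idle timeout, since a missing teardown line is common. Second, the function returns an error rather than a best guess when the number of matching translations is not exactly one, which is what you want before an attribution lands in an incident ticket.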

It will also include a description of how CSIRT Engineering is integrating the following solutions into their global deployment:

  • Nascent APT detection using precursors
  • Challenges and solutions for multiple filtered detection using SPANs and taps (IDS, DNS collection, web proxy, DLP)
  • Data loss protection (DLP)
  • Rapid operationalization of collaborative, commercial, and home-grown intelligence
  • Pulling this all together in a free-form custom SIEM.

Presenters

  • Chris Fry (Cisco Systems, US)

  • Matthew Valites (Cisco)