Extension Task 4.4-2: Overview of the Cisco Self-Defending Security Solution
Events are correlated locally on the agent as well as globally on the Manager. This yields a large increase in accuracy compared with signature-based host IDS products. Global correlation works like local correlation, but it operates on events received from many different agents. Attackers who send only a few packets (sometimes just one) to each host in the enterprise have traditionally been able to map the entire network while evading detection, because no single host sees enough traffic to raise an alert; the Manager, which sees the same source touching many hosts, does. If several agents detect a common program trying to propagate via email, the Manager adds that program to the Global Quarantine List. When agents poll, they receive the updated list, so even hosts that have not yet been attacked by the worm treat its executable files as off limits.

This slide is the result of several hundred Cisco "Security Posture Assessments" (SPAs), consulting engagements in which customers ask us to review their network security from both the outside and the inside. How difficult is it to break through the firewall from the Internet, or to take advantage of holes in the dial-in environment? How difficult is it for a disgruntled or malicious employee to gain control of a critical business system?

Cisco security engineers break into the client's network from the outside about 75% of the time using direct exploitation techniques. When more advanced secondary exploitation techniques are used (chaining several vulnerabilities together, which is representative of a more advanced, structured threat), the external penetration rate rises to over 95%. Approximately 65% of the time, unauthorized access is gained via dial-up, either through poor passwords on modems or through unauthorized modems with little to no security. Finally, in the internal assessment phase of the SPA, our engineers have gained unauthorized super-user or root privileges on critical corporate machines 100% of the time. These are not insignifican
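The following is an added illustration of the local-versus-global correlation described in the event-correlation notes above; it is not code from the Cisco presentation or from any Cisco product. The agent and Manager classes, the thresholds, the probe source address and the worm hash are all constructed for this example. It shows why a slow scan that touches each host once never trips a per-host threshold but is caught when the Manager counts distinct targets per source, and how a Global Quarantine List built from a few agents' reports ends up blocking the worm on a host that was never attacked.

```python
"""Local vs. global correlation of host-agent events (illustrative only)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds are assumptions for this example, not product defaults.
LOCAL_SCAN_THRESHOLD = 5    # probes from one source that a single agent must see
GLOBAL_SCAN_THRESHOLD = 5   # distinct hosts one source must touch, enterprise-wide
QUARANTINE_AGENTS = 3       # distinct agents reporting the same mailer before quarantine


@dataclass
class Event:
    agent: str          # host that generated the event
    kind: str           # "probe" or "email_propagation"
    source: str = ""    # probing IP (for "probe")
    sha256: str = ""    # executable hash (for "email_propagation")


@dataclass
class Agent:
    name: str
    probes_by_source: dict = field(default_factory=lambda: defaultdict(int))
    quarantine: set = field(default_factory=set)

    def local_correlate(self, ev: Event) -> bool:
        """True if this agent, on its own evidence, would raise a scan alert."""
        if ev.kind != "probe":
            return False
        self.probes_by_source[ev.source] += 1
        return self.probes_by_source[ev.source] >= LOCAL_SCAN_THRESHOLD

    def poll(self, manager: "Manager") -> None:
        """Fetch the Global Quarantine List; listed executables become off limits."""
        self.quarantine |= manager.global_quarantine

    def may_execute(self, sha256: str) -> bool:
        return sha256 not in self.quarantine


class Manager:
    def __init__(self) -> None:
        self.targets_by_source = defaultdict(set)   # source IP -> hosts it probed
        self.agents_by_hash = defaultdict(set)      # hash -> agents that saw it mailing itself
        self.global_quarantine: set = set()
        self.scan_alerts: set = set()

    def global_correlate(self, ev: Event) -> None:
        """Correlate across agents: count targets per source, agents per executable."""
        if ev.kind == "probe":
            self.targets_by_source[ev.source].add(ev.agent)
            if len(self.targets_by_source[ev.source]) >= GLOBAL_SCAN_THRESHOLD:
                self.scan_alerts.add(ev.source)
        elif ev.kind == "email_propagation":
            self.agents_by_hash[ev.sha256].add(ev.agent)
            if len(self.agents_by_hash[ev.sha256]) >= QUARANTINE_AGENTS:
                self.global_quarantine.add(ev.sha256)


def run_scenario() -> dict:
    """Constructed scenario: one probe per host from one source, and a worm seen on 3 of 6 hosts."""
    hosts = [f"host{i}" for i in range(1, 7)]
    agents = {h: Agent(h) for h in hosts}
    manager = Manager()
    scanner = "203.0.113.7"      # documentation address, constructed for the example
    worm = "a" * 64              # placeholder hash, constructed for the example

    events = [Event(h, "probe", source=scanner) for h in hosts]                # one packet per host
    events += [Event(h, "email_propagation", sha256=worm) for h in hosts[:3]]  # worm mails itself on 3 hosts

    local_alerts = set()
    for ev in events:
        if agents[ev.agent].local_correlate(ev):
            local_alerts.add(ev.source)
        manager.global_correlate(ev)

    for a in agents.values():    # agents poll and pick up the updated quarantine list
        a.poll(manager)

    return {
        "local_alerts": local_alerts,                       # empty: each host saw only one probe
        "global_scan_alerts": manager.scan_alerts,          # the scanner, seen across 6 hosts
        "quarantined": manager.global_quarantine,           # the worm hash
        "host6_blocks_worm": not agents["host6"].may_execute(worm),  # never attacked, still protected
    }


if __name__ == "__main__":
    print(run_scenario())
```

The per-source target count and the per-hash agent count are the two aggregates no single agent can compute; everything else in the block is the same logic an agent already runs locally.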