Lewis Tan CISSP, OPST
Regional Sales Specialist, ATS Asia
Simple and Effective Security
[Diagram: users at the branch office, HQ and an airport connecting to cloud apps (productivity, file share, CRM); each connected app is either allowed or denied access]
Risks Faced Using Cloud
• Users not protected by the traditional security stack
• Gaps in visibility and coverage
• Exposure of sensitive info (inadvertently or maliciously)
• Users can install and use risky apps on their own
The way we work has changed, security must too
• 49% of the workforce are mobile
• 82% admit to not using the VPN
• 70% increase in SaaS usage
• 70% of branch offices have DIA
• 25% of corporate data bypasses perimeter security
Cloud shared responsibility – SaaS/PaaS/IaaS
Three service models side by side: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and SaaS. Each shows the same stack, top to bottom: People, Data, Applications, Runtime, Middleware, Operating system, Virtual network, Hypervisor, Servers, Storage, Physical network.
Legend: CSP responsibility / Customer responsibility (the split between the two moves up the stack from IaaS to SaaS).
Security Weaknesses of Native Cloud Service Providers
• Single platform only
• Solves fewer problems
• Lack of security expertise and focus
• Upcharge
• No incident management
• Weak remediation capabilities
Key questions for Cloud Usage
Users/Accounts:
• Who is doing what in my cloud applications?
• How do I detect account compromises?
• Are malicious insiders extracting information?
Data:
• Do I have toxic and regulated data in the cloud?
• Do I have data that is being shared inappropriately?
• How do I detect policy violations?
Applications:
• How can I monitor app usage and risk?
• Do I have any 3rd-party connected apps?
• How do I revoke risky apps?
Keys to the kingdom: third-party apps
Let's start with an example: OAuth-connected apps have extensive access to corporate environments. The attackers gained a persistent connection to the victim's identity.
Cloudlock CyberLab estimates:
• Approximately 300,000 corporations have been infected
• On average 0.65% of employees got infected per organization within the first 2 hrs
May 3rd 2017, Google OAuth Attack Aftermath
Do you know all the apps that are accessing your cloud data?
Yes or No?
Your security challenges
• Malware and ransomware
• Gaps in visibility and talent shortage
• Budget competition
• Difficult to manage security
To be effective, cloud security must be: Simple, Open, Automated
Services
Leveraging the Attack Continuum to shift the conversation to business outcomes!
Attack continuum: Before, During, After
SECURITY EVERYWHERE: Branch, Operational Technology, Cloud, Data Center, Endpoint, Campus, Edge
Why Cisco - Efficacy
Threat intel per day:
• 1.5 MILLION daily malware samples
• 600 BILLION daily email messages, 86% spam
• 16 BILLION daily web requests
• 20 BILLION threats blocked
Intel sources: honeypots, open source communities, vulnerability discovery (internal), product telemetry, Internet-wide scanning
Research footprint:
• 250+ full-time threat intel researchers
• MILLIONS of telemetry agents
• 4 global data centers
• 1100+ threat traps
• 100+ threat intelligence partners
Intel sharing: customer data sharing programs, service provider coordination program, open source intel sharing, 3rd-party programs (MAPP), industry sharing partnerships (ISACs), 500+ participants
*Google: 3.5B searches/day
Simple & Effective Cloud Security
• Secure usage of cloud services: Cloudlock / Stealthwatch Cloud
• Secure access to the Internet: Umbrella / AMP for Endpoints
Covers branch office, HQ and roaming users.
Cisco Cloudlock addresses customers' most critical cloud security use cases
Capabilities: Discover and Control; User and Entity Behavior Analytics; Cloud Data Loss Prevention (DLP); Apps Firewall; Cloud Malware; Shadow IT/OAuth Discovery and Control
Use cases: Data Exposures and Leakages; Privacy and Compliance Violations; Compromised Accounts; Insider Threats
Coverage: Multi-Cloud; Hybrid-Cloud (Stealthwatch Cloud via the SWC SaaS Portal)
How Cisco Security helps
The OAuth phishing chain, with the control that interrupts each step:
1. Victim opens email and clicks link. Email security blocks malicious emails.
2. Victim is redirected to the attacker's domain. Umbrella blocks the user redirect to the malicious domain; if blocked here, the attacker never receives the OAuth token.
3. Victim grants access to their account. The consent prompt reads: "Google Docs would like to: Read, send, delete, manage your email; Manage your contacts" [Allow] [Deny].
4. Attacker gains access to the OAuth token.
5. Attacker has persistent access to the victim's account. Cloudlock revokes the OAuth token; Umbrella Investigate is used to research the attacker's infrastructure.
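The "Cloudlock revokes OAuth token" step above, and the earlier question "Do you know all the apps that are accessing your cloud data?", come down to one defender task: list every OAuth grant, find the ones that are over-privileged or impersonating, and revoke them. The following Python script is an added example (not code from the presentation, from Cisco Cloudlock, or from Google) of that audit. It flags grants holding mailbox-wide scopes (the same capabilities the 2017 consent prompt asked for) and grants whose app display name matches a first-party product but is published by someone else, and queues the intersection for revocation. The grant records, client IDs, publisher names and the risk thresholds are constructed for the example; only the scope URLs are Google's published Gmail/Contacts/Calendar/Drive scope names.

```python
"""Audit third-party OAuth grants for risky scopes and impersonating apps.

Added example; not from the presentation or from Cisco Cloudlock.  The grant
records, client IDs and publisher names below are constructed; a real audit
would read them from the cloud platform's token/consent API.
"""
from dataclasses import dataclass, field

# Scopes that let an app act as the mailbox owner.  The 2017 consent prompt
# asked for exactly these capabilities ("read, send, delete, manage your
# email" and "manage your contacts").  Scope URLs are Google's published ones.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full mailbox (read, send, delete, manage)",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
}

# Assumption for this example: a client whose display name matches a
# first-party product but is not published by the platform vendor is treated
# as an impersonation attempt (the 2017 app was named "Google Docs").
PROTECTED_DISPLAY_NAMES = {"google docs", "google drive", "gmail"}
PLATFORM_VENDOR = "Google"


@dataclass
class Grant:
    user: str
    app_name: str
    client_id: str
    publisher: str       # who registered the OAuth client
    scopes: list
    granted_at: str      # ISO 8601 timestamp, kept as text here


@dataclass
class Finding:
    user: str
    app_name: str
    client_id: str
    action: str = "allow"                      # allow | review | revoke
    reasons: list = field(default_factory=list)


def assess(grant):
    """Classify one grant: revoke if it is both over-privileged and impersonating."""
    finding = Finding(grant.user, grant.app_name, grant.client_id)
    risky = [s for s in grant.scopes if s in HIGH_RISK_SCOPES]
    if risky:
        finding.reasons.append(
            "high-risk scopes: " + "; ".join(HIGH_RISK_SCOPES[s] for s in risky))
    impersonating = (grant.app_name.lower() in PROTECTED_DISPLAY_NAMES
                     and grant.publisher != PLATFORM_VENDOR)
    if impersonating:
        finding.reasons.append(
            f"name '{grant.app_name}' impersonates a first-party product "
            f"but is published by '{grant.publisher}'")
    if risky and impersonating:
        finding.action = "revoke"
    elif risky:
        finding.action = "review"
    return finding


def audit(grants):
    return [assess(g) for g in grants]


def revoke_queue(grants):
    """(user, client_id) pairs whose tokens should be revoked."""
    return [(f.user, f.client_id) for f in audit(grants) if f.action == "revoke"]


def affected_share(grants, headcount):
    """Percentage of the workforce holding a grant that must be revoked."""
    users = {f.user for f in audit(grants) if f.action == "revoke"}
    return round(100.0 * len(users) / headcount, 2)


# Constructed sample grants (client IDs and publishers are placeholders).
SAMPLE_GRANTS = [
    Grant("alice@example.com", "Google Docs", "lookalike-123.apps.example",
          "unknown-developer",
          ["https://mail.google.com/",
           "https://www.googleapis.com/auth/contacts"],
          "2017-05-03T14:02:11Z"),
    Grant("bob@example.com", "Calendar Sync Pro", "calsync-987.apps.example",
          "CalSync Ltd",
          ["https://www.googleapis.com/auth/gmail.send",
           "https://www.googleapis.com/auth/calendar.readonly"],
          "2017-04-20T09:15:00Z"),
    Grant("carol@example.com", "Read-only Notes", "notes-555.apps.example",
          "Notes Inc",
          ["https://www.googleapis.com/auth/drive.readonly"],
          "2017-01-10T08:00:00Z"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS):
        print(f"{f.action:6} {f.user:20} {f.app_name:18} {'; '.join(f.reasons)}")
    print("revoke:", revoke_queue(SAMPLE_GRANTS))
    print(f"{affected_share(SAMPLE_GRANTS, 400)}% of a 400-person org affected")
```

The three-way outcome matters in practice: a legitimate mail client that sends on the user's behalf is not an incident, so it lands in "review" rather than "revoke", while an app that combines mailbox-wide scopes with a borrowed first-party name is revoked without further analysis. The `affected_share` figure is the same per-organization percentage the Cloudlock CyberLab estimate above reports.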
Stopping Attacks Before They Happen
• Wouldn't it be great if you could...
Best defenses:
• Stop ransomware from running on endpoints
• Stop ransomware from arriving by email
• Stop ransomware from using DNS or arriving by the web (DNS)
Introducing Umbrella – Simple & Effective DNS Security
Overview
• Authoritative DNS: owns and publishes the "phone books"
• Domain registrar: maps and records names to #s in the "phone books"
• Recursive DNS: looks up and remembers the #s for each name
Our view of the internet
• 140B requests per day
• 15K enterprise customers
• 100M daily active users
• 160+ countries worldwide
INTELLIGENCE
Our efficacy
• Discover: 3M+ daily new domain names
• Identify: 60K+ daily malicious destinations
• Enforce: 7M+ malicious destinations while resolving DNS
Intelligence to see attacks before they are launched
Data:
• Cisco Talos feed of malicious domains
• Cisco Threat Grid file-based intelligence (1.5M+ daily samples)
• Umbrella DNS data: 125B requests per day
Security researchers:
• Industry-renowned researchers
• Build models that can automatically classify and score domains and IPs
Models:
• Dozens of models continuously analyze millions of live events per second
• Automatically uncover malware, ransomware, and other threats
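The DNS overview above (authoritative, registrar, recursive) and the Discover / Identify / Enforce slide together locate the control point: the recursive resolver, which can refuse to resolve a destination the intelligence layer has classified as malicious before any connection is made. The following Python script is an added example (not code from the presentation or from Cisco Umbrella) of that enforcement step run over a resolver query log. It matches each queried name, and every parent domain of it, against a blocklist on whole DNS labels, answers a hit with a sinkhole address instead of forwarding it upstream, and reports which clients touched a blocked destination. The blocklist, log lines and sinkhole address are constructed (reserved .example and .test names and a TEST-NET-1 address), so none of them refers to a real destination.

```python
"""DNS-layer enforcement: decide each query against a malicious-destination
list before the name is resolved.

Added example; not from the presentation or from Cisco Umbrella.  The
blocklist, query log and sinkhole address are constructed (reserved
.example/.test names and a TEST-NET-1 address).
"""
from collections import Counter

# Destinations the intelligence layer has classified as malicious.  A listed
# name blocks every name beneath it (hostnames under a bad domain), matched on
# whole DNS labels so that "notevil-redirect.example" does not match
# "evil-redirect.example".
BLOCKLIST = {
    "evil-redirect.example",   # phishing redirect domain (constructed)
    "c2.badnet.test",          # command-and-control domain (constructed)
}
SINKHOLE_IP = "192.0.2.1"      # constructed; TEST-NET-1, never routed

# Constructed recursive-resolver query log: timestamp, client, qtype, qname.
SAMPLE_LOG = """\
2017-05-03T14:02:11Z 10.1.2.3 A www.evil-redirect.example
2017-05-03T14:02:12Z 10.1.2.3 A mail.example.com
2017-05-03T14:02:13Z 10.1.2.7 A C2.BADNET.TEST.
2017-05-03T14:02:14Z 10.1.2.9 A notevil-redirect.example
2017-05-03T14:02:15Z 10.1.2.9 TXT beacon.c2.badnet.test
"""


def normalize(qname):
    """Lower-case and strip the trailing root dot so lookups are canonical."""
    return qname.strip().rstrip(".").lower()


def matched_entry(qname, blocklist=BLOCKLIST):
    """Return the blocklist entry covering qname (itself or a parent), else None."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_log_line(line):
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": normalize(qname)}


def decide(query, blocklist=BLOCKLIST):
    """Block (answer with the sinkhole) or allow (forward to upstream recursion)."""
    hit = matched_entry(query["qname"], blocklist)
    if hit:
        return {**query, "action": "BLOCK", "matched": hit, "answer": SINKHOLE_IP}
    return {**query, "action": "ALLOW", "matched": None, "answer": "forward-upstream"}


def enforce(log_text, blocklist=BLOCKLIST):
    """Decide every non-empty line of a query log."""
    return [decide(parse_log_line(line), blocklist)
            for line in log_text.splitlines() if line.strip()]


def summary(decisions):
    """Counts by action plus the clients that touched a blocked destination."""
    actions = Counter(d["action"] for d in decisions)
    clients = sorted({d["client"] for d in decisions if d["action"] == "BLOCK"})
    return {"blocked": actions["BLOCK"], "allowed": actions["ALLOW"],
            "blocked_clients": clients}


if __name__ == "__main__":
    decisions = enforce(SAMPLE_LOG)
    for d in decisions:
        note = f" (matched {d['matched']})" if d["matched"] else ""
        print(f"{d['action']:5} {d['client']:9} {d['qname']:28} -> {d['answer']}{note}")
    print(summary(decisions))
```

Two details carry the security value. Matching on labels rather than string suffixes blocks `www.evil-redirect.example` through its parent entry without also catching the unrelated `notevil-redirect.example`, and the sinkhole answer means the client never learns the real address, which is the "attacker never receives the OAuth token if blocked here" outcome from the attack chain slide. The `blocked_clients` list is the starting point for the incident-response use case: those are the hosts to look at.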
What is Umbrella?
a) DNS Security
b) Ransomware protection for all devices
c) Protecting you when you are on network only
d) All of the above
e) A + B
WHY?
Top Use Cases Using Umbrella
• OFF-NETWORK SECURITY: 50% of PCs are already mobile (1)
• DIRECT-TO-NET OFFICES / GUEST WIFI: 70% of offices already go direct (2)
• PROACTIVE AND PREDICTIVE SECURITY: 70-90% of malware is unique to each org (3)
• IMPROVED INCIDENT RESPONSE: only 4% of alerts are investigated per week
• SIMPLIFIED SECURITY & VISIBILITY: mean time-to-contain threats 26-39 hours (4)
Sources: (1) Gartner, (2) Forrester, (3) Verizon,
Enterprise-wide deployment in minutes
DEPLOYMENT
Network footprint:
• Existing DNS/DHCP servers, Wi-Fi APs: simple config change to redirect DNS
• ISR4K (today), WLC (today), Meraki MR, vEdge (future): out-of-the-box integration; provisioning and policies per VLAN/SSID; tags for granular filtering and reporting (Umbrella virtual appliance also available)
Endpoint footprint:
• AnyConnect roaming module, Cisco Security Connector: granular filtering and reporting on- & off-network (Umbrella roaming client also available)
Protecting Your Endpoints
• Typically updates 2 times a day
• Typically once a week; older machines once a month or never
• Can take hours / days to complete a full scan
Should ransomware happen, would you pay the ransom?
a) Yes
b) No
c) Depends on value of data
Permanent Innovation makes Prevention a Non-Ending Game
BRKSEC-2139
1. Cyber criminal organizations are like IT companies
2. Security companies innovate every day to protect you better
3. Cyber criminals innovate every day to breach you better
[Diagram: Where Do You Enforce Security? Threats from the Internet (malware, C2/botnets, phishing) pass through a first layer, a mid layer at the perimeter (router/UTM, sandbox, proxy, NGFW, NetFlow) and a last layer at the endpoint (AV); enforcement points shown are Perimeter and Endpoint]
CHALLENGES
• Too many alerts via appliances & AV
• Wait until payloads reach the target
• Too much time to deploy everywhere
BENEFITS
• Alerts reduced 2-10x; improves your SIEM
• Traffic & payloads never reach the target
• Contain malware if already inside
• Internet is faster, not slower
[Diagram: AMP deployed across data at rest, intra-cloud traffic and public / private cloud]
How are we helping customers today with Umbrella?
Next Steps
Easiest security trial you'll ever deploy: Umbrella, start blocking in minutes
1. Sign up
2. Point your DNS
3. Done