Cisco Customer Education How to Detect and Defend Against Today's Security Threats
This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:
https://acecloud.webex.com/acecloud/lsr.php?RCID=2a9e13dcb37a4721b5c9fc97052488bb
Thanks for your interest and participation!
This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:
https://acecloud.webex.com/acecloud/lsr.php?RCID=a95525d3a4d94e6887d6edc67ddd0e24
Presentation Agenda
► Welcome from Cisco
► Security in the 21st Century
► Cloud Web Security and OpenDNS
► Talos and Advanced Malware Protection
► Next Generation Threat Protection
► Conclusion
About Your Host: Brian Avery, Territory Business Manager, Cisco Systems, Inc. [email protected]
Who Is Cisco?
Cisco Confidential 4 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
1984: Computer scientists Len Bosack and Sandy Lerner founded Cisco Systems.
Bosack and Lerner ran network cables between two different buildings on the Stanford University campus.
A technology had to be invented to deal with disparate local area protocols; the multi-protocol router was born.
Timeline figure, "The Landscape is Constantly Changing / Leading for Nearly 30 Years" (1984 to 2016), competitors by era (1990–1995, 1996–2000, 2001–2007, 2008–Today): WellFleet, SynOptics, 3Com, ACC, DEC, Proteon, IBM, Bay Networks, Newbridge, Cabletron, Ascend, Fore, Xylan, Nortel, Ericsson, Alcatel, Juniper, Lucent, Siemens, NEC, Foundry, Redback, Riverstone, Extreme, Arista, HP, Avaya, Huawei, Aruba, Brocade, Checkpoint, Fortinet, ShoreTel, Polycom, Microsoft, F5, Riverbed, Dell; Internet of Everything.
Who Is Cisco?
Chuck Robbins, CEO, Cisco
• Dow Jones Industrial Average Fortune 100 Company (AAPL, CSCO, INTC, MSFT)
• $117B Market Capitalization
• $49.6B in Revenue
• $10B in Annual Net Profits
• $34B More Cash than Debt
• $6.3B in Research and Development
http://finance.yahoo.com/q/ks?s=CSCO+Key+Statistics
Market Leadership Matters (market share by segment):
• No. 1 Voice: 41%
• No. 1 TelePresence: 50%
• No. 1 Web Conferencing: 43%
• No. 1 Wireless LAN: 50%
• No. 2 x86 Blade Servers: 29%
• No. 1 Routing (Edge/Core/Access): 47%
• No. 1 Security: 31%
• No. 1 Switching (Modular/Fixed): 65%
• No. 1 Storage Area Networks: 47%
Security in the 21st Century
Remember This Movie?
http://www.imdb.com/title/tt0086567/
It’s All About The Money: Industrial Hackers Are Making Big Money with Innovative Tactics
Global Cybercrime Market: $450B‒$1T
Timeline figure, 1990 to 2020:
• Viruses (1990–2000)
• Worms (2000–2005)
• Spyware and Rootkits (2005–Today)
• APTs, Cyberwar (Today+)
Phases along the timeline: Phishing, Low Sophistication; Hacking Becomes an Industry; Sophisticated Attacks, Complex Landscape
100% of large companies targeted by malicious traffic; 95% of organizations interacted with websites hosting malware
1. Cybercrime is lucrative, barrier to entry is low
2. Hackers are smarter and have the resources to compromise your organization
3. Malware is extremely sophisticated and complex
4. Cybercrime is now a formal, for-profit industry
Source: 2014 Cisco Annual Security Report
http://www.popsci.com/dark-web-revealed
High Profile Breaches (as of 12/31/2014; source: http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf)
Figure: records exposed in five 2014 breaches: 70,000,000; 56,000,000; 2,600,000; 1,100,000; 1,000,000
And Yet… Organizations of every size are targets
60% of UK small businesses were compromised in 2014 (2014 Information Security Breaches Survey)
100% of corporate networks examined had malicious traffic (Cisco 2014 Annual Security Report)
41% of targeted attacks are against organizations with fewer than 500 employees (July 2014, The National Cyber Security Alliance (NCSA))
Today’s cyber-threat reality
• Hackers will likely command and control your environment via web
• You’ll most likely be infected via email
• Your environment will get breached
Impact of a Breach (timeline figure: Start, Hours, Months, Years)
• Breach occurs: 60% of data in breaches is stolen in hours.
• 54% of breaches remain undiscovered for months.
• Information of up to 750 million individuals on the black market over the last three years.
The Attack Surface
Attack surface – web browsers
More than 85% of the companies studied were affected each month by malicious browser extensions
Users becoming complicit enablers of attacks: untrustworthy sources; clickfraud and adware; outdated browsers
Outdated browsers: 10% of IE requests vs 64% of Chrome requests running the latest version
Attack surface – user error on web
Attackers: shifts in the attack vectors (log volume, 2015 Cisco Annual Security Report)
• Java: drop 34%
• Silverlight: rise 228%
• PDF and Flash: steady
Attack surface – web applications
Attack surface – web protocol (https://)
Encrypted traffic is increasing. It represents over 50% of bytes transferred.
Individual Privacy | Government Compliance | Organizational Security
The growing trend of web encryption creates a false sense of security and blind spots for defenders
Attackers: Malvertising is on the rise; low-limit exfiltration makes infection hard to detect
In October 2014 there was a spike of 250%
Compromising without clicking
Exploit Kits, e.g. CryptoWall version 4 (CRYPTOWALL 4.0)
• Notorious ransomware
• Version 1 first seen in 2014
• Distributed via exploit kits and phishing emails
• Fast evolution
Attack surface – email: Phishing and Social Engineering
Exposure: email blocks
Attackers: a growing appetite to leverage targeted phishing campaigns
Example: Snowshoe SPAM attack; SPAM up 250%
Social Engineering Waiting for his plane
Meet Joe. He is heading home for a well deserved vacation.
He’s catching up on email using the airport Wi-Fi while he waits for his flight.
Social Engineering Checks his email
Joe just got an email from his vacation resort.
Your Tropical Getaway
Joe,
Thank you for choosing us. We look forward to seeing you.
Before your arrival, please verify your information here: www.vacationresort.com
Best, Resort Team
Social Engineering Instinctively, he clicks on the link
No problem, right? Everything looks normal.
The site may even be a trusted site, or maybe a site that is newly minted.
Social Engineering Joe is now infected
Joe opens the link and the resort video plays.
Although he doesn’t know it, Joe’s machine has been compromised by a Silverlight-based video exploit.
The malware now starts to harvest Joe’s confidential information:
• Passwords
• Credentials
• Company access authorizations
Cisco Security Overview
Too Many Disparate Security Products Mean Gaps in Protection
Fragmented offerings across multiple vendors vs a streamlined advanced security solution:
• Cost: higher total cost to build and run vs lower opex and easier to manage
• Overall performance: less communication between components vs better communication and integration
• Time to detection: more lag in finding threats vs faster time to detection
Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
Attack Continuum:
• Before: Discover, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate
Cisco portfolio across the continuum: FireSIGHT and pxGrid, ASA, VPN, OpenDNS, Meraki, Advanced Malware Protection, Network as Enforcer, NGIPS, ESA/WSA, CWS, Secure Access + Identity Services, ThreatGRID
Cisco Advanced Malware Protection (AMP): Software-as-a-Service, Cloud Managed, Subscription Based
Threat Intelligence and Advanced Analytics: The Numbers
§ 1.6 million global sensors
§ 100 TB of data received per day
§ 150 million+ deployed endpoints
§ Experienced team of engineers, technicians, and researchers
§ 35% of worldwide email traffic
§ 13 billion web requests
§ 24x7x365 operations
§ 4.3 billion web blocks per day
§ 40+ languages
§ 1.1 million incoming malware samples per day
§ AMP Community
§ Private/Public Threat Feeds
§ Talos Security Intelligence
§ AMP Threat Grid Intelligence
§ AMP Threat Grid Dynamic Analysis: 10 million files/month
§ Advanced Microsoft and Industry Disclosures
§ Snort and ClamAV Open Source Communities
§ AEGIS Program
Cisco® Collective Security Intelligence Cloud: automatic updates in real time to web, endpoints, devices, networks, email and IPS
AMP Advanced Malware Protection: 3.5 billion searches today; 19.7 billion threats blocked today
Cisco Security Decreases Time to Detection
Current industry average time to detection (TTD): 100 days (Source: 2016 Cisco Annual Security Report)
Cisco: from 100 days to 17.5 hours (Source: 2016 Cisco Annual Security Report)
Point-in-Time Protection
Point-in-Time Detection: AMP Delivers the First Line of Defense, Blocking Known and Emerging Threats with Point-in-Time Defenses
• One-to-one signature
• Fuzzy finger-printing
• Machine learning
• Advanced analytics
• Static and dynamic analysis (sandboxing)
These offer better accuracy and dispositioning, block known and emerging threats, protect your business with no lag, and automatically stop as many threats as possible, known and unknown.
Point-in-time engines: Dynamic Analysis, Machine Learning, Fuzzy Finger-printing, Advanced Analytics, Indications of Compromise, Device Flow Correlation
Behavioral Detection: Example (Point-in-Time Detection / Retrospective Security; Cisco Collective Security Intelligence Cloud)
1. A file of unknown disposition is encountered
2. The file replicates itself and this information is communicated to the cloud
3. The file communicates with malicious IP addresses or starts downloading files with known malware disposition
4. The combination of activities indicates a compromise and the behavior is reported to the cloud and the AMP client
5. These indications are prioritized and reported to the security team as a possible compromise
Behavioral Detection: Device Flow Correlation Example (Point-in-Time Detection / Retrospective Security; Cisco Collective Security Intelligence Cloud; engines shown: Dynamic Analysis, Advanced Analytics, Device Flow Correlation)
1. Device Flow Correlation monitors communications of a host on the network
2. Two unknown files are seen communicating with a particular IP address (IP: 64.233.160.0)
3. One is sending information to the IP address, the other is receiving commands from the IP address
4. Collective Security Intelligence Cloud recognizes the external IP as a confirmed, malicious site
5. The unknown files are identified as malware because of the association
Behavioral Indications of Compromise: Example (Point-in-Time Detection / Retrospective Security; Cisco Collective Security Intelligence; retrospective capabilities shown: Trajectory, Behavioral Indications of Compromise, Breach Hunting, Continuous Analysis, Attack Chain Weaving)
Behavioral Indications of Compromise uses continuous analysis and retrospection to monitor systems for suspicious and unexplained activity… not just signatures!
Using the power of Attack Chain Weaving, Cisco® AMP is able to recognize patterns and activities of a given file, and identify an action to look for across your environment rather than a file fingerprint or signature
1. An unknown file is admitted into the network
2. The unknown file copies itself to multiple machines
3. It duplicates content from the hard drive
4. It sends the duplicate content to an unknown IP address
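The two retrospective checks walked through above (Device Flow Correlation, and the Attack Chain Weaving behavioral IoC) expressed as detection logic over endpoint telemetry, as an added Python example that is not Cisco or AMP code. The event records, file hashes, hostnames and the 192.0.2.0/24 documentation-range addresses are constructed, and IP_REPUTATION stands in for the Collective Security Intelligence Cloud lookup.

```python
"""Added example (not Cisco/AMP code): the two retrospective checks described above.

Telemetry, file hashes, hostnames and the 192.0.2.0/24 (documentation range)
addresses are constructed; IP_REPUTATION stands in for the cloud reputation lookup.
"""
from collections import defaultdict

# Constructed stand-in for the Collective Security Intelligence Cloud: IPs with
# a known disposition. Anything absent from this table is "unknown".
IP_REPUTATION = {"192.0.2.66": "malicious", "192.0.2.10": "clean"}

# Constructed endpoint telemetry. Every file hash starts with unknown disposition.
EVENTS = [
    {"host": "ws-01", "sha256": "aaa1", "type": "file_write", "path": "C:/Users/joe/app.exe"},
    {"host": "ws-01", "sha256": "aaa1", "type": "net_conn", "dst": "192.0.2.66", "direction": "out"},
    {"host": "ws-01", "sha256": "bbb2", "type": "net_conn", "dst": "192.0.2.66", "direction": "in"},
    {"host": "fs-01", "sha256": "ccc3", "type": "file_write", "path": "C:/Temp/svc.exe"},
    {"host": "fs-02", "sha256": "ccc3", "type": "file_write", "path": "C:/Temp/svc.exe"},
    {"host": "fs-01", "sha256": "ccc3", "type": "file_read", "path": "D:/Finance/q3.xlsx"},
    {"host": "fs-01", "sha256": "ccc3", "type": "net_conn", "dst": "192.0.2.200", "direction": "out"},
    {"host": "ws-02", "sha256": "ddd4", "type": "net_conn", "dst": "192.0.2.10", "direction": "out"},
]


def device_flow_correlation(events, reputation):
    """Steps 1-5 of the Device Flow Correlation example: files of unknown
    disposition that talk to a confirmed-malicious IP are reclassified as
    malware by association, whichever direction the traffic flows."""
    files_by_ip = defaultdict(set)
    for e in events:
        if e["type"] == "net_conn":
            files_by_ip[e["dst"]].add(e["sha256"])
    verdicts = {}
    for ip, hashes in files_by_ip.items():
        if reputation.get(ip) == "malicious":
            for h in hashes:
                verdicts[h] = ("malware", f"communicated with confirmed-malicious {ip}")
    return verdicts


def attack_chain_weaving(events, reputation, min_hosts=2):
    """The Behavioral IoC example: flag a file on the chain (1) copies itself to
    several machines, (2) reads content from disk, (3) sends data to an unknown
    IP. No hash or signature of the file itself is needed."""
    hosts, reads, sent_to = defaultdict(set), defaultdict(int), defaultdict(set)
    for e in events:
        h = e["sha256"]
        if e["type"] == "file_write":
            hosts[h].add(e["host"])
        elif e["type"] == "file_read":
            reads[h] += 1
        elif e["type"] == "net_conn" and e["direction"] == "out" and e["dst"] not in reputation:
            sent_to[h].add(e["dst"])  # destination with no disposition yet
    iocs = {}
    for h in set(hosts) | set(reads) | set(sent_to):
        if len(hosts[h]) >= min_hosts and reads[h] > 0 and sent_to[h]:
            iocs[h] = {"spread_to": sorted(hosts[h]), "reads": reads[h], "sent_to": sorted(sent_to[h])}
    return iocs


if __name__ == "__main__":
    for h, (disp, why) in device_flow_correlation(EVENTS, IP_REPUTATION).items():
        print(f"{h}: {disp} ({why})")
    for h, ioc in attack_chain_weaving(EVENTS, IP_REPUTATION).items():
        print(f"{h}: behavioral IoC {ioc}")
```

On the constructed data the first check convicts both files that touched 192.0.2.66 (one sending, one receiving), while the second flags only the file that spread to two servers, read a document and sent data to an IP with no disposition.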
How Malware Gets In to Your Network
Breach Prevention | Rapid Breach Detection, Response, Remediation | Threat Intelligence
But Point-in-Time Detection Alone Will Never Be 100% Effective
Continuous Analysis and Retrospective Security: Only AMP Continuously Monitors and Analyzes All File Activity, Regardless of Disposition
Across all control points: Web, Endpoints, Email, Network, Mobile
To answer the questions that matter, take advantage of key capabilities:
• Identify a threat’s point of origin
• Track its rate of progression and how it spread
• See what it is doing
• See where it’s been
• Surgically target and remediate
If Something Gets in, Retrospective Security Helps You Find Answers to the Most Pressing Security Questions
What happened? Where did the malware come from? Where has the malware been? What is it doing? How do we stop it?
See AMP in Action!
Where did the malware come from? See where it entered the system. Track the threat’s origin and progression:
• How did it get into the system
• What is the point of origin
• What was the attack vector
Where has the malware been? See everywhere that it has been. Track infected areas in the system:
• Where is the attack now
• What other endpoints have seen it
• Where should I focus my response
• Where is still safe
What is it doing? Determine what the malware is doing. Understand the details of how the malware works:
• What is it trying to do, in plain English
• How does the malware behave
• Get detailed information vital for incident response
How do we stop it? Stop it with a few clicks. Knowing the details above, surgically remediate:
• Stop it at the source and all infected areas
• Simply right click, add to a blocklist, and remediate the malware from the entire system
Cisco Advanced Malware Protection (AMP) Deployment Options: Get Visibility and Control across all attack vectors to defend against today’s most advanced threats.
• AMP for Endpoints: Protect your endpoints! Get visibility into file and executable-level activity, and remediate advanced malware on devices running Windows, Mac OS, Linux, and Android.
• AMP for Firewalls: Supercharge your next-generation firewall by turning on AMP capabilities on the Cisco Firepower NGFW or the Cisco ASA with Firepower Services.
• AMP for Networks: Get deep visibility into threat activity and block advanced malware with AMP deployed as a network-based solution running on AMP-bundled security appliances (NGIPS).
• AMP for Web: Add AMP to a Cisco Web Security Appliance (WSA) or Cisco Cloud Web Security (CWS) and get visibility and control to defend against advanced threats launched from the web.
• AMP for Email: Add AMP to a Cisco Email Security Appliance (ESA) and get visibility and control to defend against advanced threats launched via email.
• AMP for ISR: Combat and block network-based threats by deploying AMP capabilities on the Cisco Integrated Services Router (ISR).
• AMP for Private Cloud Virtual Appliance: For high privacy environments that restrict the use of the public cloud, use an on-premises, air-gapped private cloud deployment of AMP for Networks or AMP for Endpoints.
• Threat Grid: An on-premises appliance or cloud-based solution for static and dynamic malware analysis (sandboxing) and threat intelligence.
The AMP Everywhere Architecture: AMP Protection Across the Extended Network for an Integrated Threat Defense
• AMP Threat Intelligence Cloud
• AMP for Endpoints: Windows OS, Android Mobile, Virtual, MAC OS, CentOS and Red Hat Linux for servers and datacenters; remote endpoints (AMP for Endpoints can be launched from AnyConnect)
• AMP on Web and Email Security Appliances
• AMP on Cisco® ASA Firewall with Firepower Services
• AMP Private Cloud Virtual Appliance
• AMP on Firepower NGIPS Appliance (AMP for Networks)
• AMP on Cloud Web Security and Hosted Email (CWS/CTA)
• Threat Grid: Malware Analysis + Threat Intelligence Engine
• AMP on ISR with Firepower Services
Third Party Validation NSS Labs Security Value Map for Breach Detection Systems - 2015
Who is NSS Labs? NSS Labs is an independent testing organization focused on the cyber security industry.
What was measured? Security Effectiveness of Breach Detection Systems
• Malware delivered by HTTP, Email, and Server Message Block (SMB), Drive-by and Social Exploits, and Evasions
• Total Cost of Ownership per protected Mbps
What Cisco products were tested?
Advanced Malware Protection • AMP for Networks and AMP for Endpoints • FirePOWER 8120 (with AMP subscription)*
What competitor products were evaluated?
Blue Coat, Check Point, Fidelis, FireEye, Fortinet, Lastline, Trend Micro
Methodology BDS Methodology 2.0
The Leader in Security Effectiveness
§ 99.2% Security Effectiveness rating in BDS testing, the highest of all vendors tested.
§ Only vendor to block 100% of evasion techniques during testing.
§ Excellent performance with minimal impact on network, endpoint, or application latency.
§ Download the flysheet and full report here.
Cisco AMP offers superior security effectiveness, excellent performance, and provides security across more attack vectors than any other vendor
Next-Generation Security
Architecture figure, Cisco Architecture: On-Prem Managed vs Cloud Managed. Cisco Traditional: ISR / ASA, Catalyst, Aironet; Cisco Meraki: MX, MS, MR, Meraki Systems Manager EMM; Policy & Control: Cisco ISE; Management & Analytics: Cisco Prime
Superior Integrated & Multilayered Protection: Cisco ASA with FirePOWER Services
Components: Network Firewall; Routing | Switching; Clustering & High Availability; Application Visibility & Control; URL Filtering (Subscription); Intrusion Prevention (Subscription); Advanced Malware Protection (Subscription); FireSIGHT Analytics & Automation; Built-in Network Profiling; Identity-Policy Control & VPN; Cisco Collective Security Intelligence Enabled
• World’s most widely deployed, enterprise-class ASA stateful firewall
• Granular Cisco® Application Visibility and Control (AVC)
• Industry-leading FirePOWER next-generation IPS (NGIPS)
• Reputation- and category-based URL filtering
• Advanced malware protection
Cisco Meraki - Cloud Managed Networking: Meraki MS Ethernet Switches, Meraki SME Enterprise Mobility Management, Meraki MR Wireless LAN, Meraki MX Security Appliances
Enterprise License:
• Stateful firewall
• Site to site VPN
• Branch routing
• Internet load-balancing (over dual WAN)
• Application control
• Web caching
• Intelligent WAN (IWAN)
• Client VPN
Advanced Security License: all enterprise features, plus
• Content filtering (with Google SafeSearch)
• Kaspersky Anti-Virus and Anti-Phishing
• SourceFire IPS / IDS
• Geo-based firewall rules
• Advanced Malware Protection (AMP)
MX feature summary:
• Application Control: Traffic Shaping, Content Filtering, Web Caching
• Security: NG Firewall, Client VPN, Site to Site VPN, IDS/IPS
• Networking: NAT/DHCP, 3G/4G Cellular, Static Routing, Link Balancing
• Best IPS: SOURCEfire IDS / IPS, updated every day
• Anti-Malware: Advanced Malware Protection powered by Cisco Sourcefire and Talos
• Content Filtering: 4+ billion URLs, updated in real-time
• Geo-based security: Block attackers from rogue countries
• AV / anti-phishing: Kaspersky AV, updated every hour
• PCI compliance: PCI L1 certified cloud-based management
Cisco Web Security
It Starts with Usage Controls and an Active Defense
Comprehensive Defense
Web Usage Control
Web Filtering
Block over 50 million known malicious sites
Web Reputation
Restrict access to sites based on assigned reputation score
Dynamic Content Analysis
Categorize webpage content and block sites automatically
Web Usage Reporting
Gain greater visibility into how web resources are used
Roaming Laptop-User Protection
Extend security beyond the network to include mobile users
Application Visibility and Control
Regulate access to individual website components and apps
Outbreak Intelligence
Identify unknown malware and zero-hour outbreaks in real time
Centralized Cloud Management
Enforce policies from a single, centralized location
Cisco® Cloud Web Security (CWS) architecture figure: Talos intelligence feeding Web Filtering, Web Reputation, Application Visibility and Control, Anti-Malware, Outbreak Intelligence, File Reputation, Cognitive Threat Analytics, File Sandboxing and File Retrospection (Before / During / After); verdicts Allow, Warn, Block, Partial Block; traffic redirection from HQ, Campus Office, Branch Office and Roaming User via ASA, Standalone, WSA, ISR G2 and AnyConnect®; Admin: Reporting, Log Extraction, Management
Cisco Security and OpenDNS
What is DNS? Domain Name System
§ A system for relating names and numbers
§ Domain = IP Address, e.g. Amazon.com = 205.251.242.103
§ Like a library of phone books
Why DNS? DNS is everywhere; everything uses DNS
OpenDNS adds a Layer of Security: simple to set up, an easy win, blocks access to unsafe places
DNS: Doth Protest Too Much
91.3% of malware uses DNS
68% of organizations don’t monitor it
A blind spot for attackers to gain command and control, exfiltrate data, and redirect traffic
Where Do You Enforce Security? (figure: Internet threats, malware, botnets/C2 and phishing, against sandbox, proxy, NGFW, NetFlow, router/UTM and endpoint AV at every site: here? & here? or here?)
CHALLENGES vs BENEFITS
• Too many alerts via appliances & AV → Alerts reduced 2x; improves your SIEM
• Wait until payloads reach target → Traffic & payloads never reach target
• Every payload scan slows things down → Internet access is faster, not slower
• Too much time to deploy everywhere → Provision globally in UNDER 30 MINUTES
How Our Security Classification Works (figure spanning HQ, branch and mobile users):
1. Ingest millions of data points per second
2. Apply statistical models and human intelligence
3. Identify probable malicious sites (example nodes shown: a.ru, b.cn, 7.7.1.3, e.net, 5.9.0.1, p.com/jpg)
Where Does Umbrella Fit?
On network (Internet: web traffic, email traffic, all other traffic):
• ASA blocks inline by IP, URL or packet
• ESA/CES blocks by sender or content
• WSA/CWS blocks by URL or content via proxy
• Umbrella blocks by domain as well as IP or URL
Off network (Internet: web traffic, email traffic, all other traffic):
• ESA/CES blocks by sender or content
• CWS blocks by URL or content via proxy
• Umbrella blocks by domain as well as IP or URL
Conclusion
Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
Thank You and Next Steps
Brian Avery [email protected]
Learn more about Cisco Security: www.cisco.com/go/security/
Contact Your Cisco Partner https://tools.cisco.com/WWChannels/LOCATR/performBasicSearch.do
• CCE sessions are held weekly on a variety of topics
• CCE sessions can help you understand the capabilities and business benefits of Cisco technologies
• Watch replays of past events and register for upcoming events!
Visit http://cs.co/cisco101 for details
Join us again for a future Cisco Customer Education Event