
This session was recorded via Cisco WebEx! You can watch the...

Date post: 08-Sep-2020
Transcript
Page 1: This session was recorded via Cisco WebEx! You can watch the …ciscofiles.com/cce/cce_06012016.pdf · 2020. 4. 27. · Security in the 21st Century ... Hacking Becomes an Industry

Cisco Customer Education How to Detect and Defend Against Today's Security Threats

This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:

https://acecloud.webex.com/acecloud/lsr.php?RCID=2a9e13dcb37a4721b5c9fc97052488bb

Thanks for your interest and participation!

This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:

https://acecloud.webex.com/acecloud/lsr.php?RCID=a95525d3a4d94e6887d6edc67ddd0e24

Page 2:

Presentation Agenda

► Welcome from Cisco

► Security in the 21st Century

► Cloud Web Security and OpenDNS

► Talos and Advanced Malware Protection

► Next Generation Threat Protection

► Conclusion

About Your Host: Brian Avery, Territory Business Manager, Cisco Systems, Inc.

Page 3:

Who Is Cisco?

Page 4:

Cisco Confidential 4 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

1984

• Computer scientists Len Bosack and Sandy Lerner found Cisco Systems
• Bosack and Lerner run network cables between two different buildings on the Stanford University campus
• A technology has to be invented to deal with disparate local area protocols; the multi-protocol router is born

Page 5:

The Landscape is Constantly Changing

Leading for Nearly 30 Years

[Figure: timeline of networking vendors across four eras (1990 – 1995, 1996 – 2000, 2001 – 2007, 2008 – Today), with the labels "2016" and "Internet of Everything". Vendors named: WellFleet, SynOptics, 3Com, ACC, DEC, Proteon, IBM, Bay Networks, Newbridge, Cabletron, Ascend, Fore, Xylan, Nortel, Ericsson, Alcatel, Juniper, Lucent, Siemens, NEC, Foundry, Redback, Riverstone, Extreme, Arista, HP, Avaya, Huawei, Aruba, Brocade, Checkpoint, Fortinet, ShoreTel, Polycom, Microsoft, F5, Riverbed, Dell.]

Page 6:

Who Is Cisco?

Chuck Robbins, CEO, Cisco

• Dow Jones Industrial Average Fortune 100 Company (AAPL, CSCO, INTC, MSFT)

• $117B Market Capitalization

• $49.6B in Revenue

• $10B in Annual Net Profits

• $34B More Cash than Debt

• $6.3B in Research and Development

http://finance.yahoo.com/q/ks?s=CSCO+Key+Statistics

Page 7:

Market Leadership Matters

• Voice: No. 1, 41%
• TelePresence: No. 1, 50%
• Web Conferencing: No. 1, 43%
• Wireless LAN: No. 1, 50%
• x86 Blade Servers: No. 2, 29%
• Routing Edge/Core/Access: No. 1, 47%
• Security: No. 1, 31%
• Switching Modular/Fixed: No. 1, 65%
• Storage Area Networks: No. 1, 47%

Page 8:

Cisco Confidential 8 C97-731719-02 © 2014 Cisco and/or its affiliates. All rights reserved.

Security in the 21st Century

Page 9:

Remember This Movie?

http://www.imdb.com/title/tt0086567/

Page 10:

Global Cybercrime Market: $450B‒$1T

It’s All About The Money: Industrial Hackers Are Making Big Money with Innovative Tactics

Timeline, 1990 to 2020: Phishing, Low Sophistication → Hacking Becomes an Industry → Sophisticated Attacks, Complex Landscape

• Viruses: 1990–2000
• Worms: 2000–2005
• Spyware and Rootkits: 2005–Today
• APTs, Cyberware: Today +

95% of large companies targeted by malicious traffic

100% of organizations interacted with websites hosting malware

1. Cybercrime is lucrative, barrier to entry is low
2. Hackers are smarter and have the resources to compromise your organization
3. Malware is extremely sophisticated and complex
4. Cybercrime is now a formal, for-profit industry

Source: 2014 Cisco Annual Security Report

Page 11:

http://www.popsci.com/dark-web-revealed

Page 12:

High Profile Breaches

As of 12/31/2014 http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf

1,000,000

70,000,000

56,000,000 2,600,000

1,100,000

And Yet… Organizations of every size are targets

60% of UK small businesses were compromised in 2014 (2014 Information Security Breaches Survey)

100% of corporate networks examined had malicious traffic (Cisco 2014 Annual Security Report)

41% of targeted attacks are against organizations with fewer than 500 employees (July 2014, The National Cyber Security Alliance (NCSA))

Page 13:

Today’s cyber-threat reality

Hackers will likely command and control your environment via web

You’ll most likely be infected via email

Your environment will get breached

Page 14:

Impact of a Breach

Timeline: Start (breach occurs) → Hours → Months → Years

• 60% of data in breaches is stolen in hours.
• 54% of breaches remain undiscovered for months.
• Information of up to 750 million individuals on the black market over last three years.

Page 15:

The Attack Surface

Page 16:

Attack surface – web browsers

More than 85% of the companies studied were affected each month by malicious browser extensions

Page 17:

Attack surface – user error on web

Users becoming complicit enablers of attacks

• Untrustworthy sources
• Clickfraud and Adware
• Outdated browsers: 10% of IE requests running latest version vs 64% of Chrome requests running latest version

Page 18:

Attack surface – web applications

Attackers: Shifts in the attack vectors

• Java drop 34%
• Silverlight rise 228%
• PDF and Flash steady

[Chart: log volume for Java, Silverlight, PDF and Flash]

2015 Cisco Annual Security Report

Page 19:

Attack surface – web protocol

Encrypted traffic is increasing. It represents over 50% of bytes transferred.

Individual Privacy Government Compliance

Organizational Security

The growing trend of web encryption creates a false sense of security and blind spots for defenders

Page 20:

Attackers:

Malvertising is on the rise: low-limit exfiltration makes infection hard to detect

In October 2014, there is a spike of 250%

Compromising without clicking

Page 21:

Exploit Kits, e.g. Cryptowall version 4

• Notorious ransomware
• Version 1 first seen in 2014
• Distributed via exploit kits and phishing emails
• Fast evolution

CRYPTOWALL 4.0

Page 22:

Phishing and Social Engineering

Page 23:

Exposure – email blocks

Page 24:

Attackers:

A growing appetite to leverage targeted phishing campaigns

Example: Snowshoe SPAM attack

SPAM up 250%

Attack surface - email

Page 25:

Social Engineering: Waiting for his plane

Meet Joe. He is heading home for a well-deserved vacation.

He’s catching up on email using the airport Wi-Fi while he waits for his flight.

Page 26:

Social Engineering: Checks his email

Joe just got an email from his vacation resort.

Your Tropical Getaway

Joe,

Thank you for choosing us. We look forward to seeing you.

Before your arrival, please verify your information here: www.vacationresort.com

Best, Resort Team

Page 27:

Social Engineering: Instinctively, he clicks on the link

No problem, right? Everything looks normal.

The site may even be a trusted site, or maybe a site that is newly minted.

Page 28:

Social Engineering: Joe is now infected

Joe opens the link and the resort video plays.

Although he doesn’t know it, Joe’s machine has been compromised by a Silverlight-based video exploit.

The malware now starts to harvest Joe’s confidential information:

• Passwords

• Credentials

• Company access authorizations

Page 29:

Cisco Security Overview

Page 30:

Too Many Disparate Security Products Mean Gaps in Protection

Fragmented offerings across multiple vendors vs streamlined advanced security solution:

• Cost: higher total cost to build and run vs lower opex and easier to manage
• Overall performance: less communication between components vs better communication and integration
• Time to detection: more lag in finding threats vs faster time to detection

Page 31:

"I'm going for fearsome here, but I just don't feel it."

"I think I'm just coming off as annoying."

Competitors

Page 32:

Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum

• Before: Discover, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate

FireSIGHT and pxGrid

ASA VPN

OpenDNS Meraki

Advanced Malware Protection

Network as Enforcer

NGIPS

ESA/WSA

CWS Secure Access + Identity Services ThreatGRID

Attack Continuum

Page 33:

Cisco Advanced Malware Protection

AMP

Page 34:

Cisco Advanced Malware Protection

• Software-as-a-Service
• Cloud Managed
• Subscription Based

Page 35:

Threat Intelligence and Advanced Analytics The Numbers

• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• Experienced team of engineers, technicians, and researchers
• 35% worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 4.3 billion web blocks per day
• 40+ languages
• 1.1 million incoming malware samples per day
• AMP Community
• Private/Public Threat Feeds
• Talos Security Intelligence
• AMP Threat Grid Intelligence
• AMP Threat Grid Dynamic Analysis: 10 million files/month
• Advanced Microsoft and Industry Disclosures
• Snort and ClamAV Open Source Communities
• AEGIS Program

[Diagram: Cisco® Collective Security Intelligence and the Cisco Collective Security Intelligence Cloud, with automatic updates in real time to Web, Endpoints, Devices, Networks, Email and IPS; AMP (Advanced Malware Protection)]

3.5 BILLION SEARCHES TODAY

19.7 BILLION THREATS BLOCKED TODAY

Page 36:

Cisco Security Decreases Time to Detection

Current Industry Average (TTD)

100 days - Source: 2016 Cisco Annual Security Report

Page 37:

Cisco Security Decreases Time to Detection

Page 38:

Cisco Security Decreases Time to Detection

100 days to 17.5 hours - Source: 2016 Cisco Annual Security Report

Page 39:

Point in Time Protection

Page 40:

Point-in-Time Detection

AMP Delivers the First Line of Defense, Blocking Known and Emerging Threats with Point-in-Time Defenses

• One-to-one signature
• Fuzzy finger-printing
• Machine learning
• Advanced analytics
• Static and dynamic analysis (sandboxing)

Offer better accuracy and dispositioning

Block known and emerging threats

Protect your business with no lag

Automatically stop as many threats as possible, known and unknown

Page 41:

Behavioral Detection: Example

Point-in-Time Detection | Retrospective Security

Capabilities shown: Dynamic Analysis, Machine Learning, Fuzzy Finger-printing, Advanced Analytics, Indications of Compromise, Device Flow Correlation

Cisco Collective Security Intelligence

Collective Security Intelligence Cloud

1. File of unknown disposition is encountered
2. File replicates itself and this information is communicated to the cloud
3. File communicates with malicious IP addresses or starts downloading files with known malware disposition
4. Combination of activities indicates a compromise and the behavior is reported to the cloud and AMP client
5. These indications are prioritized and reported to the security team as a possible compromise

Page 42:

Behavioral Detection: Example

Point-in-Time Detection | Retrospective Security

Capabilities shown: Dynamic Analysis, Advanced Analytics, Device Flow Correlation

Cisco Collective Security Intelligence

Collective Security Intelligence Cloud

IP: 64.233.160.0

1. Device Flow Correlation monitors communications of a host on the network
2. Two unknown files are seen communicating with a particular IP address
3. One is sending information to the IP address, the other is receiving commands from the IP address
4. Collective Security Intelligence Cloud recognizes the external IP as a confirmed, malicious site
5. Unknown files are identified as malware because of the association
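The device flow correlation steps above, as an added Python example that is not Cisco's code and not part of the original deck: stored flow records are re-checked against an IP reputation set, and unknown files that talked to a confirmed-bad address are convicted by association. Host names, file labels, addresses (documentation ranges) and the sending/receiving heuristic are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of the constructed capture
    host: str        # endpoint that opened the connection
    file_id: str     # stands in for the hash of the file owning the socket
    remote_ip: str
    bytes_out: int
    bytes_in: int


@dataclass
class Finding:
    file_id: str
    verdict: str     # "malicious" (convicted by association) or "review"
    first_seen: int  # earliest flow to a bad IP, useful for scoping
    role: str = ""   # "sending" or "receiving", by byte totals
    hosts: set = field(default_factory=set)


# Constructed sample data: 203.0.113.50 plays the external IP from the slide,
# 198.51.100.7 is an unrelated destination. Nothing here is real telemetry.
FLOWS = [
    Flow(100, "ws-014", "FILE_A", "203.0.113.50", 48_000, 900),
    Flow(130, "ws-014", "FILE_B", "203.0.113.50", 300, 2_400),
    Flow(160, "ws-022", "FILE_A", "203.0.113.50", 51_000, 1_100),
    Flow(170, "ws-022", "FILE_BROWSER", "203.0.113.50", 700, 15_000),
    Flow(180, "ws-014", "FILE_C", "198.51.100.7", 2_000, 9_000),
]
DISPOSITIONS = {"FILE_BROWSER": "clean"}  # anything absent is "unknown"


def correlate(flows, dispositions, bad_ips):
    """Return {file_id: Finding} for files seen talking to a known-bad IP.

    The function is pure over the stored history, so running it again after
    the reputation set changes is the retrospective pass: flows that looked
    harmless when recorded are re-judged with current intelligence.
    """
    bad = {ip_address(ip) for ip in bad_ips}
    totals = defaultdict(lambda: [0, 0])  # file_id -> [bytes_out, bytes_in]
    findings = {}
    for flow in sorted(flows, key=lambda f: f.ts):
        if ip_address(flow.remote_ip) not in bad:
            continue
        disposition = dispositions.get(flow.file_id, "unknown")
        if disposition == "malicious":
            continue  # already convicted, nothing new to learn
        finding = findings.get(flow.file_id)
        if finding is None:
            # Only unknown files are convicted by association. A known-clean
            # file (for example a browser) reaching the same IP is flagged
            # for analyst review instead of being blocked fleet-wide.
            verdict = "malicious" if disposition == "unknown" else "review"
            finding = Finding(flow.file_id, verdict, first_seen=flow.ts)
            findings[flow.file_id] = finding
        finding.hosts.add(flow.host)
        totals[flow.file_id][0] += flow.bytes_out
        totals[flow.file_id][1] += flow.bytes_in
    for file_id, finding in findings.items():
        sent, received = totals[file_id]
        finding.role = "sending" if sent > received else "receiving"
    return findings


def hosts_to_contain(findings):
    """Hosts that ran a file convicted by association, sorted for triage."""
    return sorted(
        {h for f in findings.values() if f.verdict == "malicious" for h in f.hosts}
    )


if __name__ == "__main__":
    # Before the cloud flags the IP there is nothing to report.
    print(correlate(FLOWS, DISPOSITIONS, set()))
    # After the IP is confirmed malicious, the same history yields convictions.
    results = correlate(FLOWS, DISPOSITIONS, {"203.0.113.50"})
    for f in results.values():
        print(f.file_id, f.verdict, f.role, sorted(f.hosts), f.first_seen)
    print("contain:", hosts_to_contain(results))
```
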

Page 43:

Behavioral Indications of Compromise: Example

Point-in-Time Detection | Retrospective Security

Capabilities shown: Trajectory, Behavioral Indications of Compromise, Breach Hunting, Continuous Analysis, Attack Chain Weaving

Cisco Collective Security Intelligence

Behavioral Indications of Compromise uses continuous analysis and retrospection to monitor systems for suspicious and unexplained activity… not just signatures!

Using the power of Attack Chain Weaving, Cisco® AMP is able to recognize patterns and activities of a given file, and identify an action to look for across your environment rather than a file fingerprint or signature

1. An unknown file is admitted into the network
2. The unknown file copies itself to multiple machines
3. Duplicates content from the hard drive
4. Sends duplicate content to an unknown IP address

Page 44:

How Malware Gets In to Your Network

Breach Prevention Rapid Breach Detection, Response, Remediation Threat Intelligence

Page 45:

But Point-in-Time Detection Alone Will Never Be 100% Effective

Page 46:

Continuous Analysis and Retrospective Security Only AMP Continuously Monitors and Analyzes All File Activity, Regardless of Disposition

Across all control points: Web, Endpoints, Email, Network, Mobile

To answer the questions that matter…

Take advantage of key capabilities

• Identify a threat’s point of origin
• Track its rate of progression and how it spread
• See what it is doing
• See where it's been
• Surgically target and remediate

Page 47:

If Something Gets in, Retrospective Security Helps You Find Answers to the Most Pressing Security Questions

What happened? Where did the malware come from? Where has the malware been? What is it doing? How do we stop it?

See AMP in Action!

Page 48:

See Where It Entered the System

Track threat’s origin and progression:

• How did it get into the system
• What is the point of origin
• What was the attack vector

Page 49:

See Everywhere That It Has Been

Track infected areas in the system:

• Where is the attack now
• What other endpoints have seen it
• Where should I focus my response
• Where is still safe

Page 50:

Determine What the Malware Is Doing

Understand the details of how the malware works:

• What is it trying to do, in plain English
• How does the malware behave
• Get detailed information vital for incident response

Page 51:

Stop It with a Few Clicks

Knowing the details above, surgically remediate:

• Stop it at the source and all infected areas
• Simply right click, add to a blocklist, and remediate the malware from the entire system

Page 52:

Cisco Advanced Malware Protection (AMP) Deployment Options

Get Visibility and Control across all attack vectors to defend against today’s most advanced threats.

• AMP for Endpoints: Protect your Endpoints! Get visibility into file and executable-level activity, and remediate advanced malware on devices running Windows, Mac OS, Linux, and Android.
• AMP for Firewalls: Supercharge your next-generation firewall by turning on AMP capabilities on the Cisco Firepower NGFW or the Cisco ASA with Firepower Services.
• AMP for Networks: Get deep visibility into threat activity and block advanced malware with AMP deployed as a network-based solution running on AMP-bundled security appliances (NGIPS).
• AMP for Web: Add AMP to a Cisco Web Security Appliance (WSA) or Cisco Cloud Web Security (CWS) and get visibility and control to defend against advanced threats launched from the web.
• AMP for Email: Add AMP to a Cisco Email Security Appliance (ESA) and get visibility and control to defend against advanced threats launched via email.
• AMP for ISR: Combat and block network-based threats by deploying AMP capabilities on the Cisco Integrated Services Router (ISR).
• AMP for Private Cloud Virtual Appliance: For high privacy environments that restrict the use of the public cloud, use an on-premises, air-gapped private cloud deployment of AMP for Networks or AMP for Endpoints.
• Threat Grid: An on-premises appliance or cloud-based solution for static and dynamic malware analysis (sandboxing) and threat intelligence.

Page 53:

The AMP Everywhere Architecture

AMP Protection Across the Extended Network for an Integrated Threat Defense

[Diagram: AMP Threat Intelligence Cloud connected to the following deployments]

• AMP for Endpoints: Windows OS, Android Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for servers and datacenters
• AMP for Endpoints on Remote Endpoints (AMP for Endpoints can be launched from AnyConnect)
• AMP on Web and Email Security Appliances
• AMP on Cisco® ASA Firewall with Firepower Services
• AMP Private Cloud Virtual Appliance
• AMP on Firepower NGIPS Appliance (AMP for Networks)
• AMP on Cloud Web Security and Hosted Email
• CWS/CTA
• Threat Grid Malware Analysis + Threat Intelligence Engine
• AMP on ISR with Firepower Services

Page 54:

Third Party Validation: NSS Labs Security Value Map for Breach Detection Systems - 2015

Who is NSS Labs? NSS Labs is an independent testing organization focused on the cyber security industry.

What was measured? Security Effectiveness of Breach Detection Systems

• Malware delivered by HTTP, Email, and Server Message Block (SMB), Drive-by and Social Exploits, and Evasions
• Total Cost of Ownership per protected Mbps

What Cisco products were tested? Advanced Malware Protection

• AMP for Networks and AMP for Endpoints
• FirePOWER 8120 (with AMP subscription)*

What competitor products were evaluated? Blue Coat, Check Point, Fidelis, FireEye, Fortinet, Lastline, Trend Micro

Methodology: BDS Methodology 2.0

Page 55:

The Leader in Security Effectiveness

• 99.2% Security Effectiveness rating in BDS testing, the highest of all vendors tested.
• Only vendor to block 100% of evasion techniques during testing.
• Excellent performance with minimal impact on network, endpoint, or application latency.
• Download the flysheet and full report here.

Cisco AMP offers superior security effectiveness, excellent performance, and provides security across more attack vectors than any other vendor

Page 56:

Next-Generation Security

Page 57:

Cisco Architecture

• On-Prem Managed, Cisco Traditional: ISR / ASA, Catalyst, Aironet, Meraki Systems Manager EMM
• Cloud Managed, Cisco Meraki: MX, MS, MR, Systems Manager EMM
• Cisco ISE: Policy & Control
• Cisco Prime: Management & Analytics

Page 58:

Superior Integrated & Multilayered Protection

Cisco ASA, Cisco Collective Security Intelligence Enabled:

• Network Firewall
• Routing | Switching
• Clustering & High Availability
• Identity-Policy Control & VPN
• Built-in Network Profiling
• Application Visibility & Control
• FireSIGHT Analytics & Automation
• Intrusion Prevention (Subscription)
• Advanced Malware Protection (Subscription)
• URL Filtering (Subscription)

• World’s most widely deployed, enterprise-class ASA stateful firewall
• Granular Cisco® Application Visibility and Control (AVC)
• Industry-leading FirePOWER next-generation IPS (NGIPS)
• Reputation- and category-based URL filtering
• Advanced malware protection

Page 59:

Cisco Meraki - Cloud Managed Networking

• Meraki MS Ethernet Switches
• Meraki SME Enterprise Mobility Management
• Meraki MR Wireless LAN
• Meraki MX Security Appliances

Page 60:

Enterprise License

• Stateful firewall
• Site to site VPN
• Branch routing
• Internet load-balancing (over dual WAN)
• Application control
• Web caching
• Intelligent WAN (IWAN)
• Client VPN

Advanced Security License: All enterprise features, plus

• Content filtering (with Google SafeSearch)
• Kaspersky Anti-Virus and Anti-Phishing
• SourceFire IPS / IDS
• Geo-based firewall rules
• Advanced Malware Protection (AMP)

Feature areas

• Application Control: Traffic Shaping, Content Filtering, Web Caching
• Security: NG Firewall, Client VPN, Site to Site VPN, IDS/IPS
• Networking: NAT/DHCP, 3G/4G Cellular, Static Routing, Link Balancing


Best IPS: Sourcefire IDS / IPS, updated every day

Anti-Malware: Advanced Malware Protection powered by Cisco Sourcefire and Talos

Content Filtering: 4+ billion URLs, updated in real time

Geo-based security: Block attackers from rogue countries

AV / anti-phishing: Kaspersky AV, updated every hour

PCI compliance: PCI L1 certified cloud-based management


Cisco Web Security


It Starts with Usage Controls and an Active Defense

Comprehensive Defense

Web Usage Control

Web Filtering: Block over 50 million known malicious sites

Web Reputation: Restrict access to sites based on assigned reputation score

Dynamic Content Analysis: Categorize webpage content and block sites automatically

Web Usage Reporting: Gain greater visibility into how web resources are used

Roaming Laptop-User Protection: Extend security beyond the network to include mobile users

Application Visibility and Control: Regulate access to individual website components and apps

Outbreak Intelligence: Identify unknown malware and zero-hour outbreaks in real time

Centralized Cloud Management: Enforce policies from a single, centralized location


Cisco® Cloud Web Security (CWS) with Talos (diagram)

Phases: Before, During, After

Inspection stages: Web Filtering, Web Reputation, Application Visibility and Control, Webpage, Anti-Malware, Outbreak Intelligence, File Reputation, File Sandboxing, File Retrospection, Cognitive Threat Analytics

Actions: Allow, Warn, Block, Partial Block

Traffic redirections: ASA, Standalone, WSA, ISR G2, AnyConnect®

Locations: HQ, Campus Office, Branch Office, Roaming User

Admin: Management, Reporting, Log Extraction


Cisco Security and OpenDNS


What is DNS? Domain Name System

• A system for relating names and numbers

• Domain = IP Address

• Amazon.com = 205.251.242.103

• Like a library of phone books


Why DNS?

DNS is Everywhere

OpenDNS adds a Layer of Security

Everything uses DNS

Simple to Set Up

Easy Win

Blocks Access to Unsafe Places


DNS: Doth Protest Too Much

91.3% of malware uses DNS

68% of organizations don’t monitor it

A blind spot for attackers to gain command and control, exfiltrate data, and redirect traffic


Where Do You Enforce Security?

Diagram: possible enforcement points between the Internet (malware, botnets/C2, phishing) and HQ, branch and mobile users: sandbox, proxy, NGFW, NetFlow, router/UTM and endpoint AV, each marked "here?"

CHALLENGES

Too Many Alerts via Appliances & AV

Wait Until Payloads Reach Target

Every Payload Scan Slows Things Down

Too Much Time to Deploy Everywhere

BENEFITS

Alerts Reduced 2x; Improves Your SIEM

Traffic & Payloads Never Reach Target

Internet Access Is Faster; Not Slower

Provision Globally in UNDER 30 MINUTES


How Our Security Classification Works

Ingest millions of data points per second

Apply statistical models and human intelligence

Identify probable malicious sites

Example entries shown in the diagram: a.ru, b.cn, 7.7.1.3, e.net, 5.9.0.1, p.com/jpg


Where Does Umbrella Fit?

ON NETWORK (Internet: all other traffic, web traffic, email traffic)

ASA blocks inline by IP, URL or packet

WSA/CWS blocks by URL or content via proxy

ESA/CES blocks by sender or content

Umbrella blocks by domain as well as IP or URL

OFF NETWORK (Internet: all other traffic, web traffic, email traffic)

CWS blocks by URL or content via proxy

ESA/CES blocks by sender or content

Umbrella blocks by domain as well as IP or URL


Conclusion


Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum

Attack Continuum

Before: Discover, Enforce, Harden

During: Detect, Block, Defend

After: Scope, Contain, Remediate

Products shown across the continuum: FireSIGHT and pxGrid, ASA, VPN, OpenDNS, Meraki, Advanced Malware Protection, Network as Enforcer, NGIPS, ESA/WSA, CWS, Secure Access + Identity Services, ThreatGRID


Thank You and Next Steps

Brian Avery [email protected]

www.

Learn more about Cisco Security: www.cisco.com/go/security/

Contact Your Cisco Partner https://tools.cisco.com/WWChannels/LOCATR/performBasicSearch.do


• CCE sessions are held weekly on a variety of topics

• CCE sessions can help you understand the capabilities and business benefits of Cisco technologies

• Watch replays of past events and register for upcoming events!

Visit http://cs.co/cisco101 for details

Join us again for a future Cisco Customer Education Event
