Cyber SecurityA Systematic Approach

Cristian Matei - Solutions Architect

cristian.matei@datanets.ro

Who are we?

A Team of Certified Specialists:

• Cisco Connect Technology Partner

• Cisco Enterprise Partner of the Year 2015

• Architectural Excellence in SP Architectures

2014

What are we doing?

Why are we here?

Who are we?

Only what we do best:

• Systems Integration

• Turnkey Technology Projects

• Innovation Through In-House Development

• Custom Solutions

Why are we here?

What are we doing?

Who are we?

What are we doing?

Why are we here?

To get connected:

• 12:00-12:30 IoT Turnkey Systems, Gabriel

Musat - Technical & Marketing Director

• 14:15-14:45 Automate Datacenter Service

Delivery, Mihai Gagea - Presales Consultant

• Booth Demo: Security, DataCenter and

Unified Communications

$300K

$1

$150

Exploits$1000-

Facebook Account

Malware Development

Spam

$0.25-$60

>$50

~$7

$1

Credit Card Data

DDOSas a Service

Social Security

Medical

Record

Bank

Account Info

>$1000

Global Cybercrime

Market:$450B-$1T

Mobile Malware

$50/ 500K

$2500

Cyber Crime Market

Technical Support Discounts

The Before Phase

The During Phase, Thief Visible

The During Phase, Thief Disguised

The After Phase, Thief Gets Busted

BEFOREDetect

Block

Defend

DURING AFTERControl

Enforce

Harden

Scope

Contain

Remediate

Attack Continuum

Network Endpoint Mobile Virtual Cloud

Point in Time Continuous

Networking Attack Phases

BEFOREDetect

Block

Defend

DURINGControl

Enforce

Harden

Guard Network Entries

Web Security

Email Security

Next Generation Firewall

Endpoints

Which vendor provides better security?

Covers the attack continuum

Protects against unknown malware

Secures the system, not individual components

Actual Disposition = Bad =Blocked

Antivirus

Sandboxing

Initial Disposition = Clean

RetrospectiveDetection,Analysis Continues

Initial Disposition = Clean

Continuous

Blind to scope of compromise

Sleep Techniques

Unknown Protocols

Encryption

Polymorphism

Turns back time

Visibility and Control are Key

AnalysisStops

Point-in-timeDetection

Cisco AMP Analyzes Beyond the Event Horizon

TrajectoryBehavioralIndications

of Compromise

BreachHunting

Attack Chain Weaving

Retrospective Security Is Built On

File trajectory automatically records propagation of the file across the network

Collective Security Intelligence Cloud

Computer

Virtual Machine

Mobile

Mobile

Virtual Machine Computer

Network

Collective Security Intelligence Cloud

Mobile

Mobile

File TrajectoryUnknown file is downloadedto device1

Fingerprint is recorded and sent to cloud for analysis2

The unknown file travels across the network to different devices

3

Sandbox analytics determines the file is malicious and notifies all devices

4

If file is deemed malicious, file trajectory can provide insight into which hosts are infected, and it provides greater visibility into the extent of an infection

5

TrajectoryBehavioralIndications

of Compromise

BreachHunting

Retrospective Security Is Built On

Computer

Unknown file is downloaded to a particular device

1

The file executes2

Device trajectory records this, the parent processes lineage and all actions performedby the file

3

File is convicted as malicious and the user is alerted to the root cause and extent of the compromise

4

Drive #1 Drive #2 Drive #3

Device Trajectory

If Something Gets in, Retrospective Security Helps You Find Answers to the Most Pressing Security Questions

What happened?

Where did the malware come from?

Where has the malware been?

What is it doing?

How do we stop it?

See AMP in Action!

What happened?

Understand the anatomy of the attack:

• Where is the threat now

• Which users are compromised

• What type of malware is it

Where did the malware come from?

Where has the malware been?

What is it doing?

How do we stop it?

See AMP in Action!

Understand How It All Happened

What happened?

Track threat’s origin and progression:

• How did it get into the system

• What is the point of origin

• What was the attack vector

Where has the malware been?

What is it doing?

How do we stop it?

Where did the malware come from?

See AMP in Action!

See Where It Entered the System

What happened?

Where did the malware come from?

Where has the malware been?

What is it doing?

How do we stop it?

Track infected areas in the system:

• Where is the attack now

• What other endpoints have seen it

• Where should I focus my response

See AMP in Action!

See Everywhere That It Has Been

What happened?

Where did the malware come from?

Where has the malware been?

What is it doing?

How do we stop it?

Understand how malware works:

• What is it trying to do, in plain English

• How does the malware behave

• Get detailed information vital for

incident response

See AMP in Action!

Determine What the Malware is Doing

Knowing the details above,

surgically remediate:

• Stop it at the source and all infected areas

• Simply right click and take action to stop the

attack

See AMP in Action!

What happened?

Where did the malware come from?

Where has the malware been?

What is it doing?

How do we stop it?

Stop It with a Few Clicks

I know

it’s there

But I don’t know

what it is

You Can’t Protect What You Can’t See

Network ResourcesAccess Policy

Traditional Cisco TrustSec®

BYOD Access

Threat Containment

Guest Access

Role-BasedAccess

Identity Profilingand Posture

Who

Compliant

What

When

Where

How

A context-aware next-generation secure network access solution that reduces risks and contains threats by dynamically controlling network access

NetworkDoor

Context

ISE pxGridController

Cisco Identity Services Engine

AFTERScope

Contain

Remediate

Your Network Is Your Sensor

Use network data to extend

visibility to the access layer

Internal Network

Identity

Routers and Switches

Firewall

Context

Enrich flow of data with identity, events, proxy,

and application to create context Accelerated detection,

investigation and response.

WHO WHAT WHERE WHEN HOW

Proxy Server

Devices

Cisco Lancope for Visibility, Context, and Control

Rapid Threat Containment via pxGrid

When

Where

Who

How

What

Cisco and Partner Ecosystem

ISE

Cisco Network

pxGridController

Context

32

1

45

Cisco® ISE collects contextual data from network1

Context is shared viapxGrid technology2

Cisco AMP, Lancope and Partners use context to improve visibility

to detect threats3

Cisco AMP, Lancope and Partners can direct Cisco ISE to rapidly

contain threats4

Cisco ISE uses partner data to update context andrefine access policy

5

See RTC in Action!

Thank you!