Advanced threat security - Cyber Security For The Real World


Cisco delivers intelligent cybersecurity for the real world, providing one of the industry's most comprehensive advanced threat protection portfolios of solutions and services that are integrated, pervasive, continuous and open. Cisco's threat-centric approach to security reduces complexity while providing visibility, continuous control and advanced threat protection across the entire attack continuum, allowing customers to act smarter and more quickly before, during, and after an attack. More information on security here: http://bit.ly/1paUnZV

Transcript of Advanced threat security - Cyber Security For The Real World

Page 1: Advanced threat security - Cyber Security For The Real World

Cisco Advanced Threat Security

Steve Gindi

v1.2

Cyber Security For The Real World

Page 2

2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Advanced Threat Security: What is Advanced Malware?

•  Advanced malware is sophisticated malware designed to bypass traditional POINT-IN-TIME defenses such as anti-malware engines, sandboxes, etc. It uses techniques such as encryption, polymorphism and sleep techniques to avoid being classified at the moment it is inspected. The same threats are often discussed under the labels zero-hour exploits and advanced persistent threats (APTs).

•  The attack surface is typically email and web traffic.

•  A top-five security concern for CIOs and CSOs.

•  Highly public breaches in 2013/2014 damaged the brands involved.

Page 3

The Way We Do Business Is Changing: making it more difficult to protect your network

Figure: users connecting from mobile devices, a coffee shop, the corporate office, home and an airport.

Page 4

The Industrialization of Hacking

Timeline (1990 to 2020):

Viruses, 1990–2000

Worms, 2000–2005

Spyware and rootkits, 2005–today

APTs and cyberwarfare, today and beyond

The arc runs from phishing and low-sophistication attacks at the start to sophisticated attacks in a complex landscape today: hacking becomes an industry.

Page 5

Most dangerous threats, by threat vector (approach, tactic, impact)

Watering hole
  Approach: Infect or inject a trusted site
  Tactic: Target users through compromised links
  Impact: Deliver an exploit that will attack

Spear phishing
  Approach: Conduct reconnaissance on a target
  Tactic: Leverage social engineering
  Impact: Deliver an exploit that will attack

Dropper
  Approach: Deliver malware with stealth and self-deleting programs
  Tactic: Gain access through DLL injection and control firewalls, antivirus, etc.
  Impact: Compromises system control, personal data and authorizations

Page 6

The Silver Bullet Does Not Exist…

Figure: each point product and the promise attached to it: NAC ("Captive Portal"), FW/VPN ("Fix the Firewall"), Application Control ("Block or Allow"), PKI ("No key, no access"), Sandboxing ("Detect the Unknown"), and AV, IDS/IPS and UTM ("It matches the pattern", "No false positives, no false negatives").

Page 7

Attack Continuum

BEFORE (Discover, Enforce, Harden): Firewall, NGFW, UTM, VPN, NAC + Identity Services

DURING (Detect, Block, Defend): NGIPS, NGFW, UTM, ESA/WSA

AFTER (Scope, Contain, Remediate): Advanced Malware Protection, Network Behavior Analysis

Perfect Fit for The New Security Model

Page 8

Cisco - Advanced Threat Security

v1.2

Page 9

Why are we still struggling? Complexity, visibility and cost:

•  Multi-Vendor

•  Redundancy

•  Training

•  Hardware

•  Power

•  Rack Space

Page 10

Figure: Control and Visibility across Web, Email, Endpoints, Devices, Networks and IPS, delivered by Cisco AnyConnect®, Cisco IPS, Cisco CWS, Cisco WSA, Cisco ASA and Cisco ESA; information flows from these products into Cisco® SIO and actions flow back out.

TALOS: Outstanding Cloud-based Global Threat Intelligence

1.6 million global sensors

100 TB of data received per day

150 million+ deployed endpoints

35% of worldwide email traffic

13 billion web requests

24x7x365 operations

40+ languages

600+ engineers, technicians, and researchers

80+ PhD, CCIE, CISSP and MCSE holders

More than US$100 million spent on dynamic research and development

3- to 5-minute updates

5,500+ IPS signatures produced

8 million+ rules per day

200+ parameters tracked

70+ publications produced

Page 11

Cisco Email Security Architecture

Inbound Protection (Threat Defense): Antispam; Antivirus and Virus Outbreak Filter

Outbound Control (Data Security): Encryption; Data Loss Prevention

Flexible deployment options: appliance or virtual

Page 12

The Magic Quadrant is copyrighted 2014 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Cisco.

Source: Magic Quadrant for Secure Email Gateways: http://www.gartner.com/technology/reprints.do?id=1-1GT4N4C&ct=130702&st=sb

Gartner Magic Quadrant for Secure Email Gateway, 2014

Page 13

Cisco Web Security Architecture, fed by Cisco Security Intelligence Operations (SIO)

PROTECTION: Malware Protection; Layer 4 Traffic Monitoring (on-premises)

CONTROL: URL Filtering; Application Visibility and Control (AVC); *Data Loss Prevention (DLP)

Centralized Management & Reporting

Policy outcome for each web request: Allow, Limited Access, or Block

Page 14


Source: Magic Quadrant for Secure Web Gateways: http://www.gartner.com/technology/reprints.do?id=1-1VSLKXG&ct=140624&st=sb

Gartner Magic Quadrant for Secure Web Gateway, 2014

Page 15

Cisco Next Gen Firewall Architecture (CISCO ASA)

Network Firewall, Routing | Switching, Clustering & High Availability

Identity-Policy Control & VPN

Application Visibility & Control

Built-in Network Profiling

FireSIGHT Analytics & Automation

Intrusion Prevention (subscription)

URL Filtering (subscription)

Advanced Malware Protection (subscription)

Cisco Collective Security Intelligence Enabled

Page 16

NSS Labs: Next Generation Firewall

Page 17

AMP on Email, Web & Firewall

File Reputation

•  Blocks known and unknown files

•  Reputation verdicts delivered by AMP cloud intelligence network

File Sandboxing

•  Behavioral analysis of unknown files

•  Looks for suspicious behavior

•  Feeds intelligence back to AMP cloud

File Retrospection

•  Continuous analysis of files that have traversed the gateway

•  Retrospective alerting after an attack when a file is determined to be malicious

Page 18

Point-in-time detection (antivirus, sandboxing): initial disposition = clean, then analysis stops. Never 100%: sleep techniques, unknown protocols, encryption and polymorphism all defeat a single inspection. Actual disposition = bad = too late, and the defender is blind to the scope of compromise.

AMP (retrospective detection, analysis continues): initial disposition = clean, but analysis continues after the file has passed. Actual disposition = bad = blocked.

AMP is unique in the way it reevaluates information. If new data shows known-good files actually aren't good or have turned bad, AMP re-mines its data set and automatically transmits notifications to customers to trigger remediation.
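The retrospection described on pages 17 and 18 comes down to one data structure: a per-hash record of every sighting (the file trajectory) that can be re-mined when a verdict changes. The following is an added example in Python, not Cisco's or AMP's code. It makes the point-in-time decision with whatever verdict it holds, keeps the trajectory, and when the cloud later flips a hash to malicious it raises one alert that scopes the compromise and blocks further copies. Hosts, timestamps and the hash are constructed for illustration.

```python
# Added example (not Cisco AMP code): a minimal retrospective-detection store.
# A gateway or endpoint makes a point-in-time decision with the verdict it has
# now, but also records a trajectory for every file hash it sees. When the
# cloud later flips a hash to "malicious", the store re-mines that trajectory
# and raises one alert naming every host that already received the file.
# Hosts, timestamps and the hash below are constructed for illustration.
from collections import defaultdict
from dataclasses import asdict, dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FileEvent:
    ts: int           # seconds on a relative clock when the file was seen
    host: str         # gateway or endpoint that saw it
    sha256: str       # file identity; reputation is keyed on the hash
    disposition: str  # verdict held at that moment: "clean", "malicious" or "unknown"


class RetrospectiveStore:
    def __init__(self) -> None:
        self.reputation: Dict[str, str] = {}                    # hash -> current verdict
        self.trajectory: Dict[str, List[FileEvent]] = defaultdict(list)
        self.alerts: List[dict] = []

    def observe(self, ts: int, host: str, sha256: str) -> str:
        """Point-in-time check: consult the current verdict, record the sighting
        and return the action taken ("block" or "allow")."""
        verdict = self.reputation.get(sha256, "unknown")
        self.trajectory[sha256].append(FileEvent(ts, host, sha256, verdict))
        return "block" if verdict == "malicious" else "allow"

    def update_reputation(self, ts: int, sha256: str, verdict: str) -> List[dict]:
        """Apply a new verdict from analysis. If a file that was allowed through is
        now malicious, emit one retrospective alert scoping the compromise."""
        previous = self.reputation.get(sha256, "unknown")
        self.reputation[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return []                                            # nothing new to act on
        missed = [e for e in self.trajectory[sha256] if e.disposition != "malicious"]
        if not missed:
            return []                                            # never seen: nothing to remediate
        first_seen = min(e.ts for e in missed)
        alert = {
            "ts": ts,
            "sha256": sha256,
            "hosts": sorted({e.host for e in missed}),           # where to contain and remediate
            "first_seen": first_seen,
            "dwell_seconds": ts - first_seen,                    # how long the file was trusted
        }
        self.alerts.append(alert)
        return [alert]

    def file_trajectory(self, sha256: str) -> List[dict]:
        """Every sighting of a hash in time order, with the verdict held at the time."""
        return [asdict(e) for e in sorted(self.trajectory[sha256], key=lambda e: e.ts)]


SAMPLE_HASH = "3a7b" + "0" * 60   # constructed placeholder, not a real file hash


def run_demo() -> dict:
    store = RetrospectiveStore()
    # t=1000: an unknown attachment passes the mail gateway (point-in-time: allowed).
    first = store.observe(1000, "mail-gw", SAMPLE_HASH)
    # t=1300, t=2200: the same file is opened on two workstations.
    second = store.observe(1300, "ws-17", SAMPLE_HASH)
    third = store.observe(2200, "ws-42", SAMPLE_HASH)
    # t=8200: sandbox analysis finishes and the cloud verdict becomes malicious.
    alerts = store.update_reputation(8200, SAMPLE_HASH, "malicious")
    # Any later copy is now blocked at the point of entry.
    later = store.observe(8300, "ws-99", SAMPLE_HASH)
    # Re-confirming the verdict does not re-alert the same hosts.
    repeat = store.update_reputation(8400, SAMPLE_HASH, "malicious")
    return {
        "initial": [first, second, third],
        "alerts": alerts,
        "later": later,
        "repeat": repeat,
        "trajectory": store.file_trajectory(SAMPLE_HASH),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

The design choice that matters is that `observe` never discards a sighting just because the verdict was clean at the time; that record is what turns a late verdict into a list of hosts to contain rather than a verdict with no scope. A production store would additionally key sightings per device to support the device trajectory mentioned on page 20.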

Page 19

NSS Labs: Advanced Malware Protection

Page 20

AMP Everywhere

Secure Gateway

•  Stops threats before they enter the network

•  Easy activation

•  File Trajectory & Retrospective Security

•  Ideal for new or existing Cisco Email or Web Security customers

•  Effective upsell for all existing customers

Network Appliance

•  Wide visibility inside the network with File Trajectory & Retrospective Security

•  Layered with network threat defense (IPS/NGFW) & event correlation

•  Broad selection of features before, during and after an attack

•  Ideal for IPS/NGFW customers

Endpoint

•  Granular visibility and control at the endpoint level with Device Trajectory, File Trajectory & Retrospective Security

•  Protection for mobile and remote devices

•  For advanced customers wanting comprehensive threat protection, investigation & response

Page 21

Why Cisco?

Page 22