Advanced threat security - Cyber Security For The Real World
Uploaded by: cisco-canada
Transcript of Advanced threat security - Cyber Security For The Real World
Cisco Advanced Threat Security
Steve Gindi
v1.2
Cyber Security For The Real World
2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Advanced Threat Security: What is Advanced Malware?
• Advanced malware is sophisticated malware designed to bypass traditional point-in-time defenses such as anti-malware engines, sandboxes, etc. It uses techniques such as encryption, polymorphism and sleep techniques. Also known as zero-hour exploits or Advanced Persistent Threats.
• The attack surface is typically found in email and web-based traffic.
• A top-5 security concern for CIOs/CSOs.
• Very public hacks in 2013/2014 that affect the brand.
The Way We Do Business Is Changing, making it more difficult to protect your network
(Figure: users connect from mobile, coffee shop, corporate, home and airport locations)
The Industrialization of Hacking
(Timeline, 1990 to 2020+)
• Viruses: 1990–2000 (phishing, low sophistication)
• Worms: 2000–2005
• Spyware and Rootkits: 2005–Today
• APTs, Cyberware: Today + (hacking becomes an industry; sophisticated attacks, complex landscape)
Most dangerous threats

Threat vector  | Approach                            | Tactic                                               | Impact
Watering hole  | Infect or inject a trusted site     | Target users through compromised links               | Deliver malware with stealth and self-deleting programs
Spear phishing | Conduct reconnaissance on a target  | Leverage social engineering                          | Gain access through DLL injection and control firewalls, antivirus, etc.
Dropper        | Deliver an exploit that will attack | Deliver an exploit that will attack                  | Compromises system control, personal data and authorizations
The Silver Bullet Does Not Exist…
“Captive Portal”
“It matches the pattern”
“No false positives, no false negatives.”
Application Control
FW/VPN
IDS / IPS UTM
NAC
AV PKI
“Block or Allow”
“Fix the Firewall”
“No key, no access”
Sandboxing
“Detect the Unknown”
Attack Continuum
BEFORE (Discover, Enforce, Harden): Firewall, NGFW, VPN, NAC + Identity Services
DURING (Detect, Block, Defend): NGIPS, ESA/WSA, UTM
AFTER (Scope, Contain, Remediate): Advanced Malware Protection, Network Behavior Analysis
Perfect Fit for The New Security Model
Why are we still struggling? Complexity, Visibility, Cost
• Multi-Vendor
• Redundancy
• Training
• Hardware
• Power
• Rack Space
(Figure: Control is provided by Cisco AnyConnect®, Cisco IPS, Cisco CWS, Cisco WSA, Cisco ASA and Cisco ESA; Visibility spans Web, Endpoints, Devices, Networks and IPS)
TALOS Outstanding Cloud-based Global Threat Intelligence
1.6 million global sensors
100 TB of data received per day
150 million+ deployed endpoints
35% worldwide email traffic
13 billion web requests
24x7x365 operations
40+ languages
600+ engineers, technicians, and researchers
80+ Ph.D., CCIE, CISSP and MCSE users
More than US$100 million
spent on dynamic research and development
3- to 5- minute updates
5,500+ IPS signatures produced
8 million+ rules per day
200+ parameters tracked
70+ publications produced
Information
Actions
Cisco® SIO
Cisco Email Security Architecture
Antivirus and Virus Outbreak Filter
Threat Defense
Antispam
Data Security
Encryption
Data Loss Prevention
Appliance Virtual Flexible Deployment Options
Inbound Protection Outbound Control
The Magic Quadrant is copyrighted 2014 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Cisco.
Source: Magic Quadrant for Secure Email Gateways: http://www.gartner.com/technology/reprints.do?id=1-1GT4N4C&ct=130702&st=sb
Gartner Magic Quadrant for Secure Email Gateway, 2014
Cisco Security Intelligence Operations (SIO)
Cisco Web Security Architecture
URL Filtering
Application Visibility and Control (AVC)
*Data Loss Prevention (DLP)
Layer 4 Traffic Monitoring (On-premises)
Malware Protection
PROTECTION CONTROL
Centralized Management & Reporting
(Figure: web requests receive one of three policy outcomes: Allow, Limited Access, Block)
Source: Magic Quadrant for Secure Web Gateways: http://www.gartner.com/technology/reprints.do?id=1-1VSLKXG&ct=140624&st=sb
Gartner Magic Quadrant for Secure Web Gateway, 2014
Cisco Next Gen Firewall Architecture
CISCO ASA
Identity-Policy Control & VPN
URL Filtering (subscription)
FireSIGHT Analytics & Automation
Advanced Malware Protection (subscription)
Application Visibility & Control
Network Firewall Routing | Switching
Clustering & High Availability
WWW
Cisco Collective Security Intelligence Enabled
Built-in Network Profiling
Intrusion Prevention (subscription)
NSS Labs: Next Generation Firewall
AMP on Email, Web & Firewall
• Blocks known and unknown files
• Reputation verdicts delivered by AMP cloud intelligence network
• Behavioral analysis of unknown files
• Looks for suspicious behavior
• Feeds intelligence back to AMP cloud
• Continuous analysis of files that have traversed the gateway
• Retrospective alerting after an attack when file is determined to be malicious
File Reputation
File Sandboxing
File Retrospection
Antivirus / Sandboxing: Point-in-time Detection
• Initial Disposition = Clean
• Analysis stops; never 100%
• Blind to scope of compromise
• Actual Disposition = Bad = Too Late!!
• Evaded by: Sleep Techniques, Unknown Protocols, Encryption, Polymorphism
AMP: Retrospective Detection, Analysis Continues
• Initial Disposition = Clean
• Actual Disposition = Bad = Blocked
AMP is unique in the way it reevaluates information. If new data shows known-good files actually aren't good or have turned bad, AMP re-mines its data set and automatically transmits notifications to customers to trigger remediation.
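The retrospective model described above, as an added illustration rather than Cisco's or AMP's own code: a gateway records the trajectory of every file it forwards, and when a verdict later flips from clean to malicious it raises an alert for each host that already received the file, while new copies are blocked inline. The hashes, host names and timestamps are constructed placeholders.

```python
"""Point-in-time vs. retrospective file disposition (added illustration)."""
from collections import defaultdict

# Constructed sample gateway log: (file hash, receiving host, timestamp).
# Hash values and host names are placeholders, not real indicators.
TRANSIT_LOG = [
    ("sha256:PLACEHOLDER-A", "ws-finance-01", "2014-06-01T09:00"),
    ("sha256:PLACEHOLDER-A", "ws-hr-07", "2014-06-01T09:05"),
    ("sha256:PLACEHOLDER-B", "ws-eng-12", "2014-06-01T09:10"),
    ("sha256:PLACEHOLDER-A", "ws-eng-03", "2014-06-01T11:30"),
]


class RetrospectiveTracker:
    """Keeps a per-file trajectory so a later verdict change can be
    mapped back onto every host that already received the file."""

    def __init__(self):
        self.trajectory = defaultdict(list)   # hash -> [(host, ts), ...]
        self.disposition = {}                 # hash -> 'clean' | 'malicious'

    def observe(self, file_hash, host, ts):
        """Inline decision at transit time, using the verdict known now.
        A point-in-time engine would stop here; we also record the path."""
        self.trajectory[file_hash].append((host, ts))
        return "block" if self.disposition.get(file_hash) == "malicious" else "allow"

    def update_verdict(self, file_hash, verdict):
        """Apply new intelligence. Returns retrospective alerts for every
        host the file reached while it was still considered clean."""
        previous = self.disposition.get(file_hash, "unknown")
        self.disposition[file_hash] = verdict
        if verdict == "malicious" and previous != "malicious":
            return [{"hash": file_hash, "host": h, "seen_at": ts}
                    for h, ts in self.trajectory[file_hash]]
        return []


def run_sample():
    """Replay the constructed log: file A is judged clean at first,
    then flips to malicious once continued analysis finishes."""
    tracker = RetrospectiveTracker()
    tracker.update_verdict("sha256:PLACEHOLDER-A", "clean")
    inline = [tracker.observe(h, host, ts) for h, host, ts in TRANSIT_LOG[:3]]
    alerts = tracker.update_verdict("sha256:PLACEHOLDER-A", "malicious")  # verdict flips
    inline.append(tracker.observe(*TRANSIT_LOG[3]))  # later copy is now blocked
    return inline, alerts


if __name__ == "__main__":
    decisions, retro = run_sample()
    print("inline decisions:", decisions)
    print("retrospective alerts:", retro)
```

The two hosts that received file A before the verdict changed are exactly the scope-of-compromise a point-in-time engine would never report.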
NSS Labs: Advanced Malware Protection
AMP Everywhere
Secure Gateway:
• Stops threats before they enter the network
• Easy activation
• File Trajectory & Retrospective Security
• Ideal for new or existing Cisco Email or Web Security customers
• Effective upsell for all existing customers
Network Appliance:
• Wide visibility inside the network with File Trajectory & Retrospective Security
• Layered with network threat defense (IPS/NGFW) & event correlation
• Broad selection of features: before, during and after an attack
• Ideal for IPS/NGFW customers
Endpoint:
• Granular visibility and control at the endpoint level with Device Trajectory, File Trajectory & Retrospective Security
• Protection for mobile and remote devices
• For advanced customers wanting comprehensive threat protection, investigation & response
Why Cisco??