Cisco Customer Education · 2020. 4. 27. · sandboxes powered by Cisco ® AMP Threat Grid . 1 ....

Page 1

You've Already Been Hacked. Now What? Cisco Next-Gen Security Can Help

Cisco Customer Education

Brian Avery Territory Business Manager, Cisco

This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:

Check http://cs/co/cisco101 for replay

Thanks for your interest and participation!

Page 2

You've Already Been Hacked. Now What? Cisco Next-Gen Security Can Help

Cisco Customer Education

Brian Avery Territory Business Manager, Cisco

Connect using the audio conference box or you can call into the meeting:

1. Toll-Free: (866) 432-9903

2. Enter Meeting ID: 306 072 345 and your attendee ID number.

3. Press “1” to join the conference.

Page 3

Presentation Agenda

► Welcome from Cisco
► There’s Big Money in Hacking
► Lancope Stealthwatch
► Introducing Cisco Security
► Advanced Malware Protection
► Conclusion

About Your Host: Brian Avery, Territory Business Manager, Cisco Systems, Inc. [email protected]

Page 4

Who Is Cisco?

Page 5

Cisco Confidential 5 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

1984: Computer scientists Len Bosack and Sandy Lerner found Cisco Systems. Bosack and Lerner run network cables between two different buildings on the Stanford University campus; a technology has to be invented to deal with disparate local area protocols, and the multi-protocol router is born.

Page 6

Who Is Cisco?

Chuck Robbins, CEO, Cisco

• Dow Jones Industrial Average and Fortune 100 company

• $145B Market Capitalization

• $48B in Revenue

• $8B in Annual Profits

• $33B More Cash than Debt

• $5.9B in Research and Development

http://finance.yahoo.com/q/ks?s=CSCO+Key+Statistics

Page 7

Market Leadership Matters (market share, Q1CY14)

No. 1 Voice: 39%
No. 1 TelePresence: 43%
No. 1 Web Conferencing: 41%
No. 1 Wireless LAN: 50%
No. 2 x86 Blade Servers: 27%
No. 1 Routing (Edge/Core/Access): 45%
No. 1 Security: 33%
No. 1 Switching (Modular/Fixed): 64%
No. 1 Storage Area Networks: 47%

Page 8

What Is the Cisco Customer Education Series?

§ CCE is an educational session for current and prospective Cisco customers
§ Designed to help you understand the capabilities and business benefits of Cisco technologies
§ Allows you to interact directly with Cisco subject matter experts and ask questions
§ Offers assistance if you need/want more information, demonstrations, etc.

Page 9

There’s Big Money in Hacking

Page 10

The Reality: Organizations Are Under Attack

Threat timeline, 1990 to 2020:
Viruses, 1990–2000
Worms, 2000–2005
Spyware and Rootkits, 2005–Today
APTs and Cyberwar, Today+
Along the same timeline the attacker profile moves from phishing and low-sophistication hacking, to hacking becoming an industry, to sophisticated attacks in a complex landscape.

95% of large companies targeted by malicious traffic
100% of organizations interacted with websites hosting malware

§ Cybercrime is lucrative, barrier to entry is low
§ Hackers are smarter and have the resources to compromise your organization
§ Malware is more sophisticated
§ Organizations face tens of thousands of new malware samples per hour

Source: 2014 Cisco Annual Security Report

Page 11

Dynamic Threat Landscape

It is a community that hides in plain sight, avoids detection, and attacks swiftly.

60% of data is stolen in hours
54% of breaches remain undiscovered for months
100% of companies connect to domains that host malicious files or services

Page 12

High Profile Breaches

As of 12/31/2014 (source: http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf)
Total Breaches in 2014: 783. Records Exposed: 85,611,528

[Chart: records exposed in individual high-profile breaches; the company logos are not recoverable from the slide: 70,000,000; 56,000,000; 2,600,000; 1,100,000; 1,000,000]

Page 13

But… I am just a small fish in a BIG pond.

Page 14

Yet organizations of every size are targets

Adversaries are attacking you, by targeting your organization’s customer data, intellectual property, and company secrets; and they are using you, to attack your enterprise customers and partners.

60% of UK small businesses were compromised in 2014 (2014 Information Security Breaches Survey)
100% of corporate networks examined had malicious traffic (Cisco 2014 Annual Security Report)
41% of targeted attacks are against organizations with fewer than 500 employees (The National Cyber Security Alliance (NCSA), July 2014)

Page 15

The Question Is No Longer if Malware Will Get Into Your Network. It’s How Quickly You Can Detect the Infection, Understand Scope, and Remediate the Problem

The questions an incident raises: Where do I start? How bad is the situation? What systems were affected? What did the threat do? How do we recover? How do we keep it from happening again?

Incident workflow shown on the slide:

1. Confirm Infection: Search Network Traffic, Search Device Logs, Scan Devices. Outcomes: Infection Identified (continue), Cannot Identify Infection, No Infection.
2. Analyze Malware: Build Test Bed, Static & Dynamic Analysis, producing a Malware Profile.
3. Malware Proliferation: Define Rules (from profile), then Device Analysis, Network Analysis, Proliferation Analysis.
4. Remediate: Notification, Quarantine, Triage; Search for Re-infection; Update Profile; Confirm; Stop.

Page 16

If you knew you were going to be compromised, would you do security differently?

Page 17

Cisco Security Overview

Page 18

Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum

Attack Continuum:
Before: Discover, Enforce, Harden
During: Detect, Block, Defend
After: Scope, Contain, Remediate

Control points: Network, Endpoint, Mobile, Virtual, Cloud, Email & Web
Protection model: Point in Time and Continuous

Page 19

Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum

Attack Continuum: Before (Discover, Enforce, Harden), During (Detect, Block, Defend), After (Scope, Contain, Remediate)

Cisco portfolio placed along the continuum: FireSIGHT and pxGrid; ASA VPN; NGFW; Meraki; Secure Access + Identity Services; NGIPS; ESA/WSA; CWS; ThreatGRID; Advanced Malware Protection and Network as Enforcer (each listed twice on the slide, spanning the During and After phases).

Page 20

Comprehensive Security Requires: Breach Prevention; Rapid Breach Detection, Response, Remediation; Threat Intelligence

Source: http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html

Page 21

Cisco Sourcefire Advanced Malware Protection

Page 22

Cisco Advanced Malware Protection: Built on unmatched collective security intelligence

Cisco Collective Security Intelligence Cloud, by the numbers:
1.6 million global sensors
100 TB of data received per day
150 million+ deployed endpoints
600 engineers, technicians, and researchers
35% of worldwide email traffic
13 billion web requests
24x7x365 operations
4.3 billion web blocks per day
40+ languages
1.1 million incoming malware samples per day

Intelligence sources: AMP Community; Private/Public Threat Feeds; Talos Security Intelligence; AMP Threat Grid Intelligence; AMP Threat Grid Dynamic Analysis (10 million files/month); Advanced Microsoft and Industry Disclosures; Snort and ClamAV Open Source Communities; AEGIS Program

Automatic updates in real time to: Email, Endpoints, Web, Networks, IPS, Devices

Page 23

Cisco AMP Threat Grid Feeds Dynamic Malware Analysis and Threat Intelligence to the AMP Solution

1. Analyst or system (API) submits a suspicious sample to Threat Grid (the slide labels these Low Prevalence Files)
2. An automated engine observes, deconstructs, and analyzes it using multiple techniques
3. The Cisco® AMP Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts
4. Actionable threat content and intelligence is generated that can be utilized by AMP, packaged and integrated into a variety of existing systems, or used independently

Outputs: Threat Score/Behavioral Indicators; Big Data Correlation; Threat Feeds; Sample and Artifact Intelligence Database; Actionable Intelligence

§ Proprietary techniques for static and dynamic analysis
§ “Outside looking in” approach
§ 350 Behavioral Indicators

Page 24

Cisco AMP Delivers a Better Approach

Unique to Cisco® AMP: Point-in-Time Protection (File Reputation, Sandboxing, and Behavioral Detection) plus Retrospective Security (Continuous Analysis)

Page 25

Cisco AMP Defends With Reputation Filtering And Behavioral Detection

Point-in-Time Detection, fed by Cisco Collective Security Intelligence, alongside Retrospective Security (Continuous Protection)

Reputation Filtering: One-to-One Signature, Fuzzy Finger-printing, Machine Learning
Behavioral Detection: Dynamic Analysis, Advanced Analytics, Indications of Compromise, Device Flow Correlation

Page 26

Reputation Filtering Is Built On Three Features: One-to-One Signature

1. Unknown file is encountered, signature is analyzed, sent to the Collective Security Intelligence Cloud
2. File is not known to be malicious and is admitted
3. Another unknown file is encountered, signature is analyzed, sent to cloud
4. File signature is known to be malicious and is prevented from entering the system

Page 27

Reputation Filtering Is Built On Three Features: Fuzzy Finger-printing

1. Fingerprint of file is analyzed and determined to be malicious
2. Malicious file is not allowed entry
3. Polymorphic form of the same file tries to enter the system
4. The fingerprints of the two files are compared and found to be similar to one another
5. Polymorphic malware is denied entry based on its similarity to known malware
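The two slides above describe the first two reputation features, an exact one-to-one signature and a fuzzy fingerprint that still matches a polymorphic variant. The Python below is an added example, not Cisco's code, showing how a reputation lookup chains the two: SHA-256 first, then a MinHash sketch over byte 4-grams as a simplified stand-in for similarity digests such as ssdeep or TLSH. The samples, the "Trojan.Example" family name and the 0.6 similarity threshold are constructed assumptions.

```python
"""Reputation lookup: one-to-one signature plus fuzzy fingerprint.

Added example, not Cisco's code. The fuzzy fingerprint is a MinHash sketch
over byte 4-grams, a simplified stand-in for similarity digests such as
ssdeep or TLSH. All samples below are constructed.
"""
import hashlib
import random

NGRAM = 4                   # byte n-gram size used for the fingerprint
NUM_HASHES = 64             # sketch width; more hashes = tighter similarity estimate
SIMILARITY_THRESHOLD = 0.6  # assumption: tune against your own corpus


def exact_signature(data: bytes) -> str:
    """One-to-one signature: a cryptographic hash of the whole file."""
    return hashlib.sha256(data).hexdigest()


def fuzzy_fingerprint(data: bytes) -> list:
    """MinHash sketch: for each of NUM_HASHES seeded hash functions keep the
    smallest hash over all byte n-grams. Two files that share most n-grams
    agree on most sketch positions even though their SHA-256 values differ."""
    grams = {data[i:i + NGRAM] for i in range(len(data) - NGRAM + 1)}
    sketch = []
    for seed in range(NUM_HASHES):
        prefix = seed.to_bytes(2, "big")  # seeds a distinct hash function
        sketch.append(min(
            int.from_bytes(hashlib.blake2b(prefix + g, digest_size=8).digest(), "big")
            for g in grams))
    return sketch


def similarity(sketch_a: list, sketch_b: list) -> float:
    """Fraction of agreeing sketch positions; estimates the Jaccard
    similarity of the two n-gram sets."""
    return sum(a == b for a, b in zip(sketch_a, sketch_b)) / len(sketch_a)


class ReputationCloud:
    """Toy stand-in for the reputation service: exact hashes first, then
    similarity against the fingerprints of known malware."""

    def __init__(self):
        self.exact = {}   # sha256 -> family name
        self.fuzzy = []   # (family name, sketch)

    def add_malware(self, name: str, data: bytes):
        self.exact[exact_signature(data)] = name
        self.fuzzy.append((name, fuzzy_fingerprint(data)))

    def lookup(self, data: bytes):
        """Return (disposition, reason). 'unknown' means the file is admitted
        and left to behavioral detection and retrospective analysis."""
        digest = exact_signature(data)
        if digest in self.exact:
            return "malicious", f"exact match: {self.exact[digest]}"
        sketch = fuzzy_fingerprint(data)
        best_name, best_score = None, 0.0
        for name, known in self.fuzzy:
            score = similarity(sketch, known)
            if score > best_score:
                best_name, best_score = name, score
        if best_score >= SIMILARITY_THRESHOLD:
            return "malicious", f"fuzzy match: {best_score:.2f} similar to {best_name}"
        return "unknown", None


# Constructed samples: a "known" 2 KB binary, a polymorphic variant with every
# 50th byte flipped (a crude stand-in for a repacked or patched build), and an
# unrelated file.
_rng = random.Random(1)
SAMPLE_ORIGINAL = bytes(_rng.getrandbits(8) for _ in range(2000))
SAMPLE_VARIANT = bytes(b ^ 0x5A if i % 50 == 0 else b
                       for i, b in enumerate(SAMPLE_ORIGINAL))
SAMPLE_CLEAN = bytes(_rng.getrandbits(8) for _ in range(2000))


def build_demo_cloud() -> ReputationCloud:
    cloud = ReputationCloud()
    cloud.add_malware("Trojan.Example", SAMPLE_ORIGINAL)  # constructed family name
    return cloud


if __name__ == "__main__":
    cloud = build_demo_cloud()
    for label, sample in (("original", SAMPLE_ORIGINAL),
                          ("variant", SAMPLE_VARIANT),
                          ("clean", SAMPLE_CLEAN)):
        print(label, cloud.lookup(sample))
```

The variant fails the exact lookup (40 bytes differ, so the SHA-256 is new) but roughly 85% of its 4-grams survive, so the sketch agrees on well over the 0.6 threshold; the unrelated file shares essentially no 4-grams and stays unknown. A real similarity digest is designed to resist the trivial evasions this toy does not cover (inserting padding, reordering sections), which is why the slides pair fuzzy matching with machine learning and behavioral detection rather than relying on it alone.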

Page 28

Reputation Filtering Is Built On Three Features: Machine Learning

Machine Learning Decision Tree: possible clean file or possible malware, resolved to confirmed clean file or confirmed malware

1. Metadata of unknown file is sent to the cloud to be analyzed
2. Metadata is recognized as possible malware
3. File is compared to known malware and is confirmed as malware
4. Metadata of a second unknown file is sent to cloud to be analyzed
5. Metadata is similar to known clean file, possibly clean
6. File is confirmed as a clean file after being compared to a similarly clean file

Page 29

Behavioral Detection Is Built On Four Features: Indications of Compromise

1. File of unknown disposition is encountered
2. File replicates itself and this information is communicated to the cloud
3. File communicates with malicious IP addresses or starts downloading files with known malware disposition
4. Combination of activities indicates a compromise and the behavior is reported to the cloud and AMP client
5. These indications are prioritized and reported to the security team as a possible compromise

Page 30

Behavioral Detection Is Built On Four Features: Dynamic Analysis

1. Dynamic Analysis Engine executes unknown files in on-premises or cloud sandboxes powered by Cisco® AMP Threat Grid
2. Two files are determined to be malware, one is confirmed as clean
3. Intelligence Cloud is updated with analysis results, and retrospective alerts are broadcast to users (the Collective User Base)

Page 31

Behavioral Detection Is Built On Four Features: Advanced Analytics

Cisco® AMP Threat Grid Analysis:
1. Receives information regarding software unidentified by Reputation Filtering appliances
2. Receives context regarding unknown software from the Collective User Base
3. Analyzes the file in light of the information and context provided
4. Identifies the advanced malware and communicates the new signature to the user base

Page 32

Behavioral Detection Is Built On Four Features: Device Flow Correlation

1. Device Flow Correlation monitors communications of a host on the network
2. Two unknown files are seen communicating with a particular IP address (the slide’s example: 64.233.160.0)
3. One is sending information to the IP address, the other is receiving commands from the IP address
4. Collective Security Intelligence Cloud recognizes the external IP as a confirmed, malicious site
5. Unknown files are identified as malware because of the association

Page 33

Cisco AMP Delivers A Better Approach

Unique to Cisco® AMP: Point-in-Time Protection (File Reputation, Sandboxing, and Behavioral Detection) plus Retrospective Security (Continuous Analysis)

Page 34

Cisco AMP Defends With Retrospective Security

To be effective, you have to be everywhere. Continuously.

Page 35

Why Continuous Protection Is Necessary

Breadth and control points: Web (WWW), Endpoints, Network, Email, Devices, Gateways

Telemetry stream (continuous feed, continuous analysis): File Fingerprint and Metadata; Process Information; File and Network I/O

Intelligence: Talos + Threat Grid Intelligence (Cisco Collective Security Intelligence), feeding both Point-in-Time Detection and Retrospective Security

Page 36

Why Continuous Protection Is Necessary

Context (Who, What, Where, When, How), Enforcement and Continuous Analysis, backed by Event History and Collective Security Intelligence, across Point-in-Time Detection and Retrospective Security

Page 37

Cisco AMP Defends With Retrospective Security

Retrospective Security is built on: Trajectory; Behavioral Indications of Compromise; Elastic Search; Continuous Analysis; Attack Chain Weaving

Page 38

Retrospective Security Is Built On… Continuous Analysis

1. Performs analysis the first time a file is seen
2. Persistently analyzes the file over time to see if the disposition is changed
3. Giving unmatched visibility into the path, actions, or communications that are associated with a particular piece of software

Page 39

Retrospective Security Is Built On… Attack Chain Weaving

Uses retrospective capabilities in three ways:
1. File Trajectory records the trajectory of the software from device to device
2. Process Monitoring monitors the I/O activity of all devices on the system
3. Communications Monitoring monitors which applications are performing actions

Attack Chain Weaving analyzes the data collected by File Trajectory, Process, and Communication Monitoring to provide a new level of threat intelligence

Page 40

Retrospective Security Is Built On… Behavioral Indications of Compromise

Behavioral Indications of Compromise uses continuous analysis and retrospection to monitor systems for suspicious and unexplained activity… not just signatures!

Using the power of Attack Chain Weaving, Cisco® AMP is able to recognize patterns and activities of a given file, and identify an action to look for across your environment rather than a file fingerprint or signature

Example chain:
1. An unknown file is admitted into the network
2. The unknown file copies itself to multiple machines
3. Duplicates content from the hard drive
4. Sends duplicate content to an unknown IP address
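Slides 29, 32 and 40 describe two ways an unknown file gets convicted without a signature: by association with a confirmed-malicious address (Device Flow Correlation) and by a chain of individually innocuous actions (a Behavioral Indication of Compromise woven from copy, read and send events). The Python below is an added example, not Cisco's code, that runs both over endpoint telemetry. The event schema, the threat feed, the allow-list, the chain thresholds and the telemetry itself are constructed assumptions; all addresses are from the RFC 5737 documentation ranges.

```python
"""Device flow correlation and behavioral indications of compromise (IoCs).

Added example, not Cisco's code. The event schema, threat feed, allow-list,
IoC chain and thresholds are assumptions; the telemetry is constructed and
uses RFC 5737 documentation addresses.
"""
from collections import defaultdict

# Assumed threat feed: destinations the intelligence cloud has confirmed malicious.
MALICIOUS_IPS = {"198.51.100.23"}
# Assumed allow-list: destinations with a known-good disposition (e.g. a patch server).
ALLOWLISTED_IPS = {"192.0.2.10"}

# Constructed telemetry: one record per event an endpoint connector reported.
# "sha256" identifies the file whose process performed the action.
EVENTS = [
    {"ts": 1, "host": "pc-01", "sha256": "aa11", "type": "exec"},
    {"ts": 2, "host": "pc-01", "sha256": "aa11", "type": "file_copy", "dst_host": "pc-02"},
    {"ts": 3, "host": "pc-01", "sha256": "aa11", "type": "file_copy", "dst_host": "pc-03"},
    {"ts": 4, "host": "pc-01", "sha256": "aa11", "type": "file_read", "bytes": 52_000_000},
    {"ts": 5, "host": "pc-01", "sha256": "aa11", "type": "net", "ip": "203.0.113.77",
     "dir": "out", "bytes": 51_000_000},
    {"ts": 6, "host": "pc-02", "sha256": "bb22", "type": "net", "ip": "198.51.100.23",
     "dir": "out", "bytes": 4096},
    {"ts": 7, "host": "pc-02", "sha256": "cc33", "type": "net", "ip": "198.51.100.23",
     "dir": "in", "bytes": 512},
    {"ts": 8, "host": "pc-04", "sha256": "dd44", "type": "net", "ip": "192.0.2.10",
     "dir": "out", "bytes": 900},
]


def device_flow_correlation(events, malicious_ips):
    """Convict files of unknown disposition by association: any file whose
    process exchanges traffic with a confirmed-malicious address is flagged,
    and the flow direction tells the analyst whether it exfiltrates data or
    takes commands. Returns {sha256: [reason, ...]}."""
    verdicts = {}
    for e in events:
        if e["type"] == "net" and e["ip"] in malicious_ips:
            role = "sends data to" if e["dir"] == "out" else "receives commands from"
            verdicts.setdefault(e["sha256"], []).append(
                f'{e["host"]}: {role} malicious IP {e["ip"]}')
    return verdicts


def behavioral_iocs(events, allowlisted_ips=frozenset(), min_spread=2):
    """Weave per-file activity into one indicator: a file that copies itself to
    several machines, reads a large amount of local content, then sends a
    comparable volume to an address of unknown disposition. No single step is
    malicious on its own; the combination is what gets reported. Results are
    prioritized by bytes sent."""
    by_file = defaultdict(lambda: {"spread": set(), "read": 0, "sent": {}})
    for e in events:
        f = by_file[e["sha256"]]
        if e["type"] == "file_copy":
            f["spread"].add(e["dst_host"])
        elif e["type"] == "file_read":
            f["read"] += e["bytes"]
        elif e["type"] == "net" and e["dir"] == "out" and e["ip"] not in allowlisted_ips:
            f["sent"][e["ip"]] = f["sent"].get(e["ip"], 0) + e["bytes"]
    iocs = []
    for sha, f in by_file.items():
        for ip, sent in f["sent"].items():
            # Thresholds are assumptions: copied to >= min_spread hosts and at
            # least half of what was read leaves the host for one address.
            if len(f["spread"]) >= min_spread and f["read"] and sent >= 0.5 * f["read"]:
                iocs.append({
                    "sha256": sha, "bytes_sent": sent, "dst_ip": ip,
                    "indicator": (f"self-propagation to {len(f['spread'])} hosts, "
                                  f"{f['read']} bytes read, {sent} bytes sent to {ip}")})
    return sorted(iocs, key=lambda i: -i["bytes_sent"])


if __name__ == "__main__":
    for sha, reasons in device_flow_correlation(EVENTS, MALICIOUS_IPS).items():
        print("convicted", sha, reasons)
    for ioc in behavioral_iocs(EVENTS, ALLOWLISTED_IPS):
        print("IoC", ioc)
```

Note what each detector does not catch: the exfiltrating file aa11 talks to an address nobody has a verdict on yet, so device flow correlation is silent and only the behavioral chain fires; conversely bb22 and cc33 do nothing that looks like a chain, and only their association with the listed address convicts them. That complementarity is the reason the slides list both features.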

Page 41

Retrospective Security Is Built On… Trajectory (File Trajectory)

File trajectory automatically records propagation of the file across the network (computers, virtual machines, mobile devices, the network itself, and the Collective Security Intelligence Cloud)

1. Unknown file is downloaded to device
2. Fingerprint is recorded and sent to cloud for analysis
3. The unknown file travels across the network to different devices
4. Sandbox analytics determines the file is malicious and notifies all devices
5. If file is deemed malicious, file trajectory can provide insight into which hosts are infected, and it provides greater visibility into the extent of an infection

Page 42

Retrospective Security Is Built On… Trajectory (Device Trajectory)

1. Unknown file is downloaded to a particular device
2. The file executes
3. Device trajectory records this, the parent process lineage and all actions performed by the file (the slide illustrates activity across Drive #1, Drive #2, Drive #3)
4. File is convicted as malicious and the user is alerted to the root cause and extent of the compromise
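Slides 38, 41 and 42 together describe the retrospective loop: every sighting of a file is kept, the disposition can change later, and when it does the file trajectory answers "which hosts" while the device trajectory answers "how did it get there and what did it do". The Python below is an added example, not Cisco's code, implementing that bookkeeping. The sighting schema, the dispositions and the scenario (a download that spreads to two more hosts before the sandbox verdict arrives) are constructed assumptions.

```python
"""File trajectory, device trajectory and retrospective conviction.

Added example, not Cisco's code. The sighting schema, the dispositions and
the scenario are constructed assumptions; a real deployment is fed by
endpoint connectors and the intelligence cloud.
"""


class TrajectoryStore:
    """Keeps every sighting of every file hash, so that a disposition that
    changes later can be projected back over everything already seen."""

    def __init__(self):
        self.sightings = []     # sighting dicts in the order they were reported
        self.disposition = {}   # sha256 -> "clean" | "malicious"; absent = unknown
        self.alerts = []        # retrospective alerts emitted by convict()

    def record(self, ts, host, sha256, action, parent):
        """A connector reports one action on one host and gets the
        point-in-time verdict back: only files already known malicious are
        blocked; unknown files are admitted but remembered."""
        self.sightings.append({"ts": ts, "host": host, "sha256": sha256,
                               "action": action, "parent": parent})
        return self.disposition.get(sha256, "unknown")

    def file_trajectory(self, sha256):
        """Hosts the file reached, as (host, first_seen) ordered by first
        sighting, so the first entry is patient zero."""
        first_seen = {}
        for s in sorted(self.sightings, key=lambda s: s["ts"]):
            if s["sha256"] == sha256 and s["host"] not in first_seen:
                first_seen[s["host"]] = s["ts"]
        return list(first_seen.items())

    def device_trajectory(self, host, sha256):
        """Root cause on one host: the parent that introduced the file and
        every action the file took afterwards, in order."""
        return [(s["ts"], s["parent"], s["action"])
                for s in sorted(self.sightings, key=lambda s: s["ts"])
                if s["host"] == host and s["sha256"] == sha256]

    def convict(self, ts, sha256, reason):
        """Retrospective conviction: the disposition flips after the file was
        admitted, and the alert names every host that ever saw it, however
        long ago, so the scope of the infection is known immediately."""
        self.disposition[sha256] = "malicious"
        trajectory = self.file_trajectory(sha256)
        alert = {"ts": ts, "sha256": sha256, "reason": reason,
                 "patient_zero": trajectory[0][0] if trajectory else None,
                 "hosts": [h for h, _ in trajectory],
                 "dwell_seconds": ts - trajectory[0][1] if trajectory else 0}
        self.alerts.append(alert)
        return alert


def demo_scenario():
    """Constructed scenario: a browser download runs, spreads over SMB to two
    more hosts, and is convicted by the sandbox 200 seconds after it was
    first seen. Every earlier step was admitted at the time."""
    store = TrajectoryStore()
    h = "e5f1c0de"  # constructed hash of the unknown file
    verdicts = [
        store.record(100, "pc-01", h, "create", parent="chrome.exe"),
        store.record(101, "pc-01", h, "execute", parent="explorer.exe"),
        store.record(102, "pc-01", h, "spawn cmd.exe", parent=h),
        store.record(150, "pc-02", h, "create", parent="smb copy from pc-01"),
        store.record(151, "pc-02", h, "execute", parent="services.exe"),
        store.record(200, "pc-03", h, "create", parent="smb copy from pc-02"),
    ]
    alert = store.convict(300, h, "sandbox: behavioral indicators matched")
    # After conviction the same hash is blocked point-in-time on a new host.
    verdicts.append(store.record(301, "pc-04", h, "create", parent="outlook.exe"))
    return store, alert, verdicts


if __name__ == "__main__":
    store, alert, verdicts = demo_scenario()
    print("point-in-time verdicts:", verdicts)
    print("retrospective alert:", alert)
    print("device trajectory on patient zero:",
          store.device_trajectory(alert["patient_zero"], alert["sha256"]))
```

The point the slides make is visible in the returned verdicts: six "unknown" admissions, then one conviction that retroactively covers three hosts and reports how long the file was present, and only the seventh sighting is blocked at the moment it happens. Without the stored sightings the conviction would protect pc-04 and say nothing about pc-01 through pc-03.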

Page 43

Retrospective Security Is Built On… Elastic Search

1. Elastic Search is the ability to use the indicators generated by Behavioral IoCs to monitor and search for threats across an environment
2. When a threat is identified, it can be used to search for and identify whether that threat exists anywhere else
3. This function enables quick searches to aid in the detection of files that remain unknown but are malicious

Page 44

Cisco AMP Provides Contextual Awareness and Visibility That Allows You to Take Control of an Attack Before It Causes Damage

What: These applications are affected
Where: The breach affected these areas
When: This is the scope of exposure over time
How: Here is the origin and progression of the threat
Who: Focus on these users first

Page 45

Cisco AMP Everywhere Strategy Means Protection Across the Extended Network

AMP (Advanced Malware Protection) deployment points:
AMP for Networks
AMP on Web & Email Security Appliances
AMP on Cisco® ASA Firewall with FirePOWER Services
AMP for Endpoints (Windows OS, MAC OS, Android Mobile, Virtual)*
AMP for Cloud Web Security (CWS) & Hosted Email
AMP Private Cloud Virtual Appliance
AMP Threat Grid: Malware Analysis + Threat Intelligence Engine, Appliance or Cloud

*AMP for Endpoints can be launched from AnyConnect

Page 46

There Are Several Ways You Can Deploy AMP (Advanced Malware Protection)

Deployment option: Email and Web; AMP on Cisco® ASA; CWS
Method: License with ESA, WSA, CWS, or ASA
Ideal for: New or existing Cisco CWS, Email/Web Security, ASA customers
Details: ESA/WSA: prime visibility into email/web; CWS: web and advanced malware protection in a cloud-delivered service; AMP capabilities on ASA with FirePOWER Services

Deployment option: AMP for Networks (AMP on FirePOWER Network Appliance)
Method: Snap into your network
Ideal for: IPS/NGFW customers
Details: Wide visibility inside network; broad selection of features before, during, and after an attack; comprehensive threat protection and response

Deployment option: AMP for Endpoints
Method: Install lightweight connector on endpoints (PC/MAC, Mobile, Virtual)
Ideal for: Windows, Mac, Android, virtual machines
Details: Granular visibility and control; widest selection of AMP features

Deployment option: AMP Private Cloud Virtual Appliance
Method: On-premises Virtual Appliance
Ideal for: High-Privacy Environments
Details: Private Cloud option for those with high-privacy requirements; for endpoints and networks

Page 47

Protection Across Networks

The Network platform uses indications of compromise, file analysis, and in this example file trajectory to show you exactly how malicious files have moved across the environment

(Coverage map: Endpoint, Content, Network, Web)

Page 48

Protection Across Endpoints

The Endpoint platform has device trajectory, elastic search, and outbreak control, which in this example is shown quarantining recently detected malware on a device that has the AMP for Endpoints connector installed

(Coverage map: Endpoint, Content, Network, Web)

Page 49: Cisco Customer Education · 2020. 4. 27. · sandboxes powered by Cisco ® AMP Threat Grid . 1 . Two files are determined to be malware, one is confirmed as clean . 2 . Intelligence

Protection Across Web and Email

Cisco® AMP for Web and Email protects against malware threats in web and email traffic by blocking known malware and issuing retrospective alerts when previously unknown files are later convicted.

[Figure: AMP coverage points Endpoint, Content, Network, WWW]

Page 50

Network as Enforcer

Page 51


You Can’t Protect What You Can’t See
The Network Gives Deep and Broad Visibility

Page 52


NetFlow – The Heart of Network as a Sensor
Example: NetFlow Alerts With Lancope StealthWatch

Denial of Service: SYN half open; ICMP/UDP/port flood
Worm Propagation: worm-infected host scans and connects to the same port across multiple subnets; other hosts then imitate the same behavior
Fragmentation Attack: host sending an abnormal number of malformed fragments
Botnet Detection: inside host talks to an outside C&C server for an extended period of time
Host Reputation Change: inside host potentially compromised, or received abnormal scans or other malicious attacks
Network Scanning: TCP, UDP, port scanning across multiple hosts
Data Exfiltration: large outbound file transfer vs. baseline
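To make the alert categories above concrete, here is an added example (not Cisco or Lancope code) of how three of them reduce to simple checks over flow records: scanning as one source touching the same port on many hosts, data exfiltration as outbound volume far above a per-host baseline, and botnet-style communication as an inside host holding a long-lived session with an outside host. The 10.0.0.0/8 "inside" range, the thresholds, the per-host baselines and every flow record are constructed for the example; a real collector would derive baselines from days of history and tune thresholds per segment.

```python
# Added example (not Cisco or Lancope code): toy NetFlow-style anomaly checks
# modelled on three of the StealthWatch alert categories on the slide.
# The "inside" range, thresholds, baselines and flow records are all constructed.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")   # assumed enterprise address space
DEFAULT_BASELINE = 1_000_000        # assumed outbound bytes when a host has no history


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as a NetFlow exporter would report it."""
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int    # bytes sent from src to dst
    duration_s: int   # how long the flow stayed active


def is_inside(ip: str) -> bool:
    return ip_address(ip) in INSIDE


def detect_scanning(flows, host_threshold=10):
    """Network Scanning: one source connecting to the same port on many distinct hosts."""
    targets = defaultdict(set)
    for f in flows:
        targets[(f.src, f.proto, f.dport)].add(f.dst)
    return sorted({src for (src, _, _), hosts in targets.items()
                   if len(hosts) >= host_threshold})


def detect_exfiltration(flows, baseline, factor=5):
    """Data Exfiltration: outbound bytes from an inside host well above its baseline."""
    outbound = defaultdict(int)
    for f in flows:
        if is_inside(f.src) and not is_inside(f.dst):
            outbound[f.src] += f.bytes_out
    return sorted(src for src, total in outbound.items()
                  if total > factor * baseline.get(src, DEFAULT_BASELINE))


def detect_long_outside_sessions(flows, min_duration_s=3600):
    """Botnet Detection: inside host talking to an outside host for an extended period."""
    return sorted({(f.src, f.dst) for f in flows
                   if is_inside(f.src) and not is_inside(f.dst)
                   and f.duration_s >= min_duration_s})


# Constructed sample flows: a scanner, a normal user, a bulk uploader and a beacon.
SAMPLE_FLOWS = (
    [Flow("10.0.1.50", f"10.0.2.{n}", "tcp", 445, 120, 1) for n in range(1, 13)]
    + [Flow("10.0.1.10", "203.0.113.5", "tcp", 443, 2_000_000, 30)]
    + [Flow("10.0.1.20", "198.51.100.9", "tcp", 443, 10_000_000, 300) for _ in range(3)]
    + [Flow("10.0.1.30", "192.0.2.77", "tcp", 8080, 4096, 7200)]
)

# Constructed per-host baselines (normally learned from historical flow data).
BASELINE = {"10.0.1.10": 5_000_000, "10.0.1.20": 1_000_000}


def run_all(flows=SAMPLE_FLOWS, baseline=BASELINE):
    """Run every check and return the alerts keyed by category."""
    return {
        "scanning": detect_scanning(flows),
        "exfiltration": detect_exfiltration(flows, baseline),
        "long_outside_sessions": detect_long_outside_sessions(flows),
    }


if __name__ == "__main__":
    for alert, hits in run_all().items():
        print(f"{alert}: {hits}")
```

Run as a script it reports the scanner (10.0.1.50), the host whose outbound volume is 30x its baseline (10.0.1.20) and the two-hour outside session (10.0.1.30 to 192.0.2.77), while the normal user's 2 MB upload stays under its 5 MB baseline. The point the slide makes is that none of this needs packet payloads: source, destination, port, byte counts and duration from flow records are enough to surface each behaviour.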

Page 53

What is the StealthWatch System?

§ The StealthWatch System collects and analyzes NetFlow data and brings it together with user information, application awareness, and other security context to provide pervasive visibility and security intelligence across the network.

§ StealthWatch helps organizations:
§ Accelerate incident identification and response.
§ Improve forensic investigations.
§ Reduce overall enterprise risk.

53 11/16/2015

Page 54


Use Case – Defense against Data Breaches
Anatomy of a Data Breach (Network as Enforcer)

[Figure: enterprise network with Attacker, Perimeter (Inbound), Perimeter (Outbound), C2 Server and Admin Node]

1. Infiltration and Backdoor establishment
2. Reconnaissance and Network Traversal
3. Exploitation and Privilege Elevation
4. Staging and Persistence (Repeat 2, 3, 4)
5. Data Exfiltration

Page 55


What Can the Network Do for You? Network as Sensor

Detect Anomalous Traffic Flows, Malware e.g. Communication with Malicious Hosts, Internal Malware Propagation, Data Exfiltration

Detect App Usage, User Access Policy Violations e.g. Maintenance Contractor Accessing Financial Data

Detect Rogue Devices, APs and More e.g. Maintenance Contractor Connecting an Unauthorized AP in Bank Branch to Breach

Page 56


What Can the Network Do for You? Network as Enforcer

Segment the Network to Contain the Attack TrustSec - Secure Group Tagging, VRF, ISE and More

Encrypt the Traffic to Protect the Data in Motion MACsec for Wired, DTLS for Wireless, IPSec/SSL for WAN and More

Secure the Branch and Remote Users for Direct Internet Access AnyConnect, IWAN, Cloud Web Security and More

Page 57

Conclusion

Page 58

Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum

Attack Continuum
Before: Discover, Enforce, Harden
During: Detect, Block, Defend
After: Scope, Contain, Remediate

Coverage: Network, Endpoint, Mobile, Virtual, Cloud, Email & Web
Point in Time and Continuous

Page 59

Only Cisco Security Can Deliver… Visibility and Control Across the Full Attack Continuum

Attack Continuum
Before: Discover, Enforce, Harden
During: Detect, Block, Defend
After: Scope, Contain, Remediate

Cisco products placed on the continuum: FireSIGHT and pxGrid; ASA; VPN; NGFW; Meraki; Advanced Malware Protection; Network as Enforcer; NGIPS; ESA/WSA; CWS; Secure Access + Identity Services; ThreatGRID

Page 60

Thank You and Next Steps

Brian Avery [email protected]

Contact Your Cisco Partner https://tools.cisco.com/WWChannels/LOCATR/performBasicSearch.do


Learn more about Cisco Security: www.cisco.com/go/security/

Page 61

• CCE sessions are held weekly on a variety of topics

• CCE sessions can help you understand the capabilities and business benefits of Cisco technologies

• Watch replays of past events and register for upcoming events!

Visit http://cs.co/cisco101 for details

Join us again for a future Cisco Customer Education Event

Page 62