Cisco - Global Home Page - Content Security Update · Security Platform w/ 80M+ malicious requests...

György Ács, Security Consulting Systems Engineer, 3rd November 2015: Content Security Update


Page 1: Cisco - Global Home Page - Content Security Update · Security Platform w/ 80M+ malicious requests blocked/day = GLOBAL NETWORK • 80B+ DNS requests/day • 65M+ biz & home users

György Ács

Security Consulting Systems Engineer

3rd November 2015

Content Security Update

Page 2:

Agenda

• Email Security
  • Appliance, Cloud, Hybrid
• Web Security
  • Web Security Appliance
  • Cloud Web Security
  • Cognitive Threat Analytics
• OpenDNS
• Cloud Access Security (CAS)
  • Elastica

Page 3:

3C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

Figure: Cisco content security architecture. Visibility and Control across Web, Endpoints, Devices, Networks and Email, delivered by Cisco AnyConnect®, Cisco IPS, Cisco CWS, Cisco WSA, Cisco ASA and Cisco ESA, all fed with information updates from Cisco® TALOS.

Cisco TALOS: outstanding cloud-based global threat intelligence

• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 35% of worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 40+ languages
• 600+ engineers, technicians, and researchers
• 80+ PH.D., CCIE, CISSP, and MSCE users
• More than US$100 million spent on dynamic research and development
• 3- to 5-minute updates
• 5,500+ IPS signatures produced
• 8 million+ rules per day
• 200+ parameters tracked
• 70+ publications produced

Page 4:

Email Security (http://beta.senderbase.org/ebc_spam/)

Page 5:


Global Spam Volume - last 18 months (chart: Average Daily Email and Spam Volume, Billions)

• Spam: 85.97%
• Legitimate: 14.02%
• Malware: 0.0089%

http://www.senderbase.org/static/spam/#tab=1

Page 6:


Contacts

• Cisco IronPort Anti-Spam
  • Report undetected spam to: [email protected]
  • Report false-positives to: [email protected]
• Brightmail Anti-Spam
  • Report undetected spam to: [email protected]
  • Report false-positives to: [email protected]
• Marketing Spam
  • Report marketing spam false positives to: [email protected]
  • Report marketing spam false negatives to: [email protected]

Page 7:


Cisco Email Security Threat Defense: Complete Inbound Protection

Figure: inbound pipeline fed by Cisco® TALOS. A message passes, in order, through SenderBase Reputation Filtering, Anti-Spam, Anti-Virus, Outbreak Filters, Real-time URL Analysis and Advanced Malware Protection (AMP) before it is delivered. The dispositions shown per stage are Drop, Drop/Quarantine, and Quarantine/Re-write URLs (the re-write path is shown alongside CWS); an AMP verdict results in Drop/Quarantine.

Page 8:


DMARC: Standardizing Email Authentication

• Reduces the exposure of your users to phishing
• Ties DKIM and SPF together and addresses their shortcomings
• Identifies the actions to take if message authentication fails for the sender's domain
• Allows aggregate reports to be sent back to the sending domain to inform it of message disposition

Figure: Trusted_Partner.com publishes DMARC p=reject on its DNS server. Its signed mail is verified by the Cisco ESA and delivered; mail from an Imposter claiming to be Trusted_Partner.com fails authentication and is dropped or quarantined, and a report goes back to the domain owner.
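The receiver-side check the slide describes, as an added example that is not Cisco ESA code: given the published DMARC record and the SPF and DKIM results already computed for a message, decide whether either identifier is aligned with the RFC5322.From domain and which disposition the domain owner asked for. The domain names, the records and the authentication results are constructed (trusted-partner.example stands in for the slide's Trusted_Partner.com), and the organizational-domain split is a simplification that ignores the Public Suffix List.

```python
"""DMARC evaluation for one inbound message (RFC 7489 logic in miniature).

Constructed example, not Cisco ESA code. Shows why an SPF "pass" for an
attacker's own bounce domain does not rescue a message whose From: claims
the partner's domain: DMARC requires the passing identifier to be aligned.
"""
from dataclasses import dataclass
import random


def parse_dmarc(txt):
    """Parse a 'v=DMARC1; p=...; ...' TXT record into a dict with RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment unless 's'
    tags.setdefault("aspf", "r")       # relaxed SPF alignment unless 's'
    tags.setdefault("pct", "100")      # share of failing mail the policy applies to
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Organizational domain. Simplification: last two labels (real code needs the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed mode accepts the same organizational domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    spf_result: str    # "pass", "fail", "none", ... for the SMTP MAIL FROM identity
    spf_domain: str    # MAIL FROM domain the SPF check was run against
    dkim_result: str   # "pass", "fail", "none" for the best signature
    dkim_domain: str   # d= tag of that signature ("" if unsigned)


def evaluate(record, from_header_domain, auth, sample=None):
    """Return (dmarc_result, disposition); disposition is none/quarantine/reject."""
    rec = parse_dmarc(record)
    spf_aligned = auth.spf_result == "pass" and aligned(from_header_domain, auth.spf_domain, rec["aspf"])
    dkim_aligned = auth.dkim_result == "pass" and aligned(from_header_domain, auth.dkim_domain, rec["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    from_domain = from_header_domain.lower().rstrip(".")
    policy = rec["sp"] if org_domain(from_domain) != from_domain else rec["p"]
    # pct=N: apply the requested action to N% of failing mail, the next weaker one to the rest.
    roll = random.randrange(100) if sample is None else sample
    if roll >= int(rec["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@trusted-partner.example"
    legit = AuthResults("pass", "bounce.trusted-partner.example", "pass", "trusted-partner.example")
    imposter = AuthResults("pass", "attacker.example", "none", "")
    print("partner :", evaluate(record, "trusted-partner.example", legit))
    print("imposter:", evaluate(record, "trusted-partner.example", imposter))
```

The imposter case is the one that matters: SPF passes for attacker.example, but that identifier is not aligned with the From: domain, so the message fails DMARC and the p=reject policy applies. With adkim=s a signature from mail.trusted-partner.example no longer aligns with trusted-partner.example, which is the usual reason strict mode breaks legitimate mail.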

Page 9:


URL Defense: Integrated email and web security

Figure: an email contains a URL; the URL is categorized by Cisco TALOS and one of four actions is applied: Rewrite, Defang, Replace with "This URL is blocked by policy", or Send to Cloud. Examples shown: www.playboy.com BLOCKED, www.proxy.org BLOCKED.

Page 10:


Cisco Zero-Hour Malware Protection

• Advanced Malware Protection (AMP): cloud-powered zero-hour malware detection
  • File Reputation: known-file reputation lookup
  • File Sandboxing: unknown files are uploaded for sandboxing, and the verdict feeds a reputation update
  • SourceFire AMP integration
• Outbreak Filters: telemetry-based zero-hour virus and malware detection

Page 11:


Outbreak filters defend against blended attacks: Integrated email and web security

Figure: when a link in an email is clicked, the target is inspected dynamically in real time over HTTP, backed by Cisco TALOS. If the website is clean the user gets through; if it is blocked the user sees the Cisco Security block page:

The requested web page has been blocked
http://www.threatlink.com
Cisco Email and Web Security protects your organization's network from malicious software. Malware is designed to look like a legitimate email or website which accesses your computer, hides itself in your system, and damages files.

Page 12:


Outbreak Filters in Action: User Experience

Before (as sent):

Subject: Request for Review
From: Friend <[email protected]>

Paul,
I forward my thesis to you for review. Please open it and provide comments.
www.Personal Site.com/Thesis_Draft.pdf (the link text hides the real target, http://www.threatlink.com/)
Hope all's well since Verizon.
Best regards,
Friend

After (as delivered to Paul):

Subject: [SUSPICIOUS MESSAGE] Request for Review
WARNING: This appears to be a malicious email
The link now points to http://secure-web.Cisco.com/auth=X&URL=www.threatlink.com

Page 13:


Cisco TALOS - Cloud Security Enforcement (Cisco Cloud Web Security)

• Identified: Targeted Attack
• Content: Malware Payload
• Vector: Email
• Action: Blocked

Figure: the same "Request for Review" message from Friend <[email protected]>, as Paul sees it, with the banner "WARNING: This appears to be a malicious email" above the body and the link to www.Personal Site.com/Thesis_Draft.pdf.

Page 14:


Cisco Outbreak Filters Defends against Targeted Attacks

Figure: the click on http://secure-web.Cisco.com… is inspected, the malware payload is blocked, and the user sees the Cisco Security block page for http://www.threatlink.com: "The requested web page has been blocked. Cisco Email and Web Security protects your organization's network from malicious software. Malware is designed to look like a legitimate email or website which accesses your computer, hides itself in your system, and damages files."
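The rewrite step behind the Before/After screens above, as an added example that is not Cisco ESA or CWS code. It follows the flow of the URL Defense slide: every URL in the body is categorized, blocked categories are replaced by the policy text, suspicious ones are rewritten through a click-time redirector whose auth= parameter is an HMAC over the target (so the redirector can refuse a forged rewrite), unknown ones are defanged, and the rest are left alone. The redirector host, signing key, category table and sample message are all constructed, and the anchor-text check is a general phishing heuristic added here, not a feature the slide claims.

```python
"""Click-time URL rewriting, defanging and blocking for an email body.

Constructed example, not Cisco ESA/CWS code; secure-web.example.invalid
stands in for the slide's secure-web.Cisco.com redirector.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

REDIRECTOR = "https://secure-web.example.invalid/click"   # assumed redirector
SIGNING_KEY = b"per-tenant-signing-key"                   # assumed; load from a secret store in practice

# Constructed stand-in for the Talos URL categorization lookup.
CATEGORIES = {
    "www.playboy.com": "adult",
    "www.proxy.org": "proxies",
    "www.threatlink.com": "suspicious",
    "www.cisco.com": "business",
}
# Per-category action, in the slide's terms; anything else is allowed unchanged.
ACTIONS = {"adult": "replace", "proxies": "replace", "suspicious": "rewrite", "unknown": "defang"}
BLOCK_TEXT = "This URL is blocked by policy"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="(https?://[^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def categorize(url):
    host = (urlsplit(url).hostname or "").lower()
    return CATEGORIES.get(host, "unknown")


def rewrite_url(url):
    """Wrap a URL so the click goes through the redirector; auth= binds the target."""
    tag = hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{REDIRECTOR}?auth={tag}&URL={quote(url, safe='')}"


def verify_rewritten(rewritten):
    """Redirector side: return the original URL only if the HMAC matches, else None."""
    params = parse_qs(urlsplit(rewritten).query)
    url = params.get("URL", [""])[0]
    expected = hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()[:32]
    return url if url and hmac.compare_digest(expected, params.get("auth", [""])[0]) else None


def defang(url):
    """Make a URL unclickable but still readable: http -> hxxp, dots bracketed."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")


def apply_policy(url):
    """Return (replacement_text, action_taken) for one URL."""
    action = ACTIONS.get(categorize(url), "allow")
    if action == "replace":
        return BLOCK_TEXT, "blocked"
    if action == "rewrite":
        return rewrite_url(url), "rewritten"
    if action == "defang":
        return defang(url), "defanged"
    return url, "allowed"


def rewrite_body(body):
    """Apply the policy to every URL in the body; returns (new_body, [(url, category, action)])."""
    actions = []

    def replace(match):
        url = match.group(0)
        new_text, action = apply_policy(url)
        actions.append((url, categorize(url), action))
        return new_text

    return URL_RE.sub(replace, body), actions


def anchor_mismatches(body):
    """Links whose visible text names a different host than the real href target."""
    found = []
    for href, text in ANCHOR_RE.findall(body):
        shown = re.sub(r"^https?://", "", text.strip(), flags=re.IGNORECASE).split("/")[0].lower()
        real = (urlsplit(href).hostname or "").lower()
        if shown and shown != real:
            found.append((shown, real))
    return found


# Constructed message modeled on the slide's "Request for Review" example.
SAMPLE_BODY = """\
<p>Paul, I forward my thesis to you for review. Please open it and provide comments.</p>
<p><a href="http://www.threatlink.com/Thesis_Draft.pdf">www.Personal Site.com/Thesis_Draft.pdf</a></p>
<p>Also see http://www.playboy.com/ and http://www.cisco.com/go/esa
and a site nobody has scored yet: http://new-host.example/report</p>
"""

if __name__ == "__main__":
    new_body, log = rewrite_body(SAMPLE_BODY)
    print(new_body, *log, sep="\n")
    print("display/target mismatches:", anchor_mismatches(SAMPLE_BODY))
```

Signing the rewritten URL is what keeps the redirector from becoming an open redirect: the redirector recomputes the tag before it fetches and scans the target, so a phisher cannot hand-craft a secure-web link to lend legitimacy to their own site. The anchor mismatch (display text names one host, href names another) is exactly the trick in the slide's sample message.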

Page 15:


IPv6 Support: Defense for email systems against emerging IPv6 threats

• Supports: IPv4/IPv6 addressing, single or dual stack, with Anti-Spam, Anti-Virus, Content Filters, DLP, Encryption, and more
• Translates: IPv6 in and IPv4 out… or vice versa
• Full reporting and Message Tracking support

IPv6 Addressing: Is your Email Security filtering content with IPv6 addressing appropriately?

Page 16:


ESA v9.0 – Feature-rich release

• Enhanced file-type support for sandboxing: PDFs, MS Objects, and inspection within archives and encoded formats
• Anti-Snowshoe (spam spread thinly across many sending IPs and domains so that no single source builds a bad reputation)
• S/MIME signing and encryption
• Larger disk support
• Flexible disk capacity allocation
• Virtual SMA support
• AsyncOS API

Page 17:


Cisco ESA 9.5

• Graymail Detection and Safe Unsubscribing
• Web Interaction Tracking
• System health monitoring enhancements
• Support for On-Premises File Analysis (figure: the ESA on the local LAN submits files to a local AMP ThreatGrid appliance for continuous analysis)
• Support for TLS v1.2

Page 18:

Web Security (http://beta.senderbase.org/ebc_malware/)

Page 19:

Customers Are Challenged with Today’s Evolving Threat Landscape

Data Loss

Acceptable Use Violations

Malware Infections

Page 20:

Figure: Cisco Web Security Appliance (WSA), as a physical Appliance or Virtual, fed by Talos.

• Inspection functions, mapped to Before / During / After the attack: Web Filtering, Web Reputation, Application Visibility and Control, Parallel AV Scanning, Data-Loss Prevention, File Reputation, File Sandboxing, File Retrospection, Cloud Access Security, Cognitive Threat Analytics*
• Verdicts: Allow, Warn, Block, Partial Block
• Traffic redirection from Campus Office, Branch Office and HQ: WCCP, Explicit/PAC, Load Balancer, PBR; roaming users via the AnyConnect® client
• Client authentication technique, with Cisco® ISE supplying identity
• Admin: Reporting, Log Extraction, Management

* Roadmap feature: Projected release 2H CY15

Page 21:

Cisco Web Usage Controls: URL Filtering and Dynamic Content Analysis

If known: the request is matched against the URL Database and the policy for its category (Finance, Adult and Health in the figure) is enforced: Allow, Warn, Partial Block, or Block.

If unknown, the page is analyzed:
1. Scans text
2. Scores relevancy
3. Calculates model document proximity
4. Returns closest category match
5. Enforces policy (Allow, Warn, Block)

Attack continuum footer: BEFORE (Discover, Enforce, Harden), DURING (Detect, Block, Defend), AFTER (Scope, Contain, Remediate)
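The five-step analysis above in runnable form, as an added example that is not Cisco Web Usage Controls code. A known host is answered from the URL database; an unknown page is scanned for text (1), its terms are scored by tf-idf relevancy (2), compared by cosine proximity against one model document per category (3), assigned the closest category (4), and the category's policy is enforced (5). The URL database, the model documents, the policy table, the proximity threshold and the page texts are constructed toy data; a production categorizer has far larger models and many more categories, but the mechanics are the same.

```python
"""Dynamic content analysis in the five steps of the slide.

Constructed example, not Cisco code: URL database first, text
classification by cosine proximity to model documents for unknown pages.
"""
import math
import re
from collections import Counter

URL_DB = {"www.bank.example": "finance", "www.playboy.com": "adult"}   # known URLs (constructed)
POLICY = {"finance": "allow", "health": "warn", "adult": "block"}      # per-category policy (constructed)
MODEL_DOCS = {                                                         # one model document per category
    "finance": "bank account loan interest rate mortgage credit investment savings payment",
    "adult": "adult explicit nude xxx escort mature webcam dating",
    "health": "doctor symptom clinic patient treatment medicine hospital diagnosis appointment",
}
STOPWORDS = {"the", "a", "an", "and", "of", "to", "in", "for", "is", "with", "or", "at", "your", "our"}
MIN_PROXIMITY = 0.05   # assumed: below this the page is reported as unknown, not forced into a category


def scan_text(text):
    """Step 1: tokenize visible text into lower-case words, dropping stopwords."""
    return [t for t in re.findall(r"[a-z]+", text.lower()) if t not in STOPWORDS]


def build_idf(token_lists):
    """Smoothed inverse document frequency over the model documents."""
    df = Counter()
    for tokens in token_lists:
        df.update(set(tokens))
    n = len(token_lists)
    return {t: math.log((1 + n) / (1 + d)) + 1.0 for t, d in df.items()}


def score_relevancy(tokens, idf):
    """Step 2: tf-idf weight per term; terms unseen in any model document get idf 1."""
    tf = Counter(tokens)
    total = max(len(tokens), 1)
    return {t: (c / total) * idf.get(t, 1.0) for t, c in tf.items()}


def proximity(v1, v2):
    """Step 3: cosine similarity between two sparse term vectors."""
    dot = sum(w * v2.get(t, 0.0) for t, w in v1.items())
    n1 = math.sqrt(sum(w * w for w in v1.values()))
    n2 = math.sqrt(sum(w * w for w in v2.values()))
    return dot / (n1 * n2) if n1 and n2 else 0.0


MODEL_TOKENS = {cat: scan_text(doc) for cat, doc in MODEL_DOCS.items()}
IDF = build_idf(list(MODEL_TOKENS.values()))
MODEL_VECTORS = {cat: score_relevancy(toks, IDF) for cat, toks in MODEL_TOKENS.items()}


def classify_page(text):
    """Step 4: closest category, plus the proximity to every model document."""
    vec = score_relevancy(scan_text(text), IDF)
    sims = {cat: proximity(vec, mvec) for cat, mvec in MODEL_VECTORS.items()}
    best = max(sims, key=sims.get)
    return (best if sims[best] >= MIN_PROXIMITY else "unknown"), sims


def enforce(host, page_text=None):
    """Step 5: URL database first; dynamic analysis only for hosts it does not know."""
    if host in URL_DB:
        category, source = URL_DB[host], "url-db"
    else:
        category, _ = classify_page(page_text or "")
        source = "dynamic"
    return {"host": host, "category": category, "action": POLICY.get(category, "allow"), "source": source}


if __name__ == "__main__":
    clinic = "Our clinic offers same-day appointment with a doctor; bring your symptom diary and medicine list for diagnosis."
    print(enforce("www.playboy.com"))
    print(enforce("www.clinic.example", clinic))
```

The threshold matters in practice: without it, a page that matches nothing is still assigned whichever category happens to sort first, and a Block policy on that category turns into an unexplained false positive.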

Page 22:

Figure: CWS PREMIUM shown as three layers built from AMP and CTA. AMP: File Reputation, Dynamic Malware Analysis, File Retrospection. CTA: anomaly detection, trust modeling, event classification, entity modeling, relationship modeling.

AMP Delivers Point-in-Time, Continuous, and Retrospective Security

Figure: 1. File Reputation at the time of entry (Policy, AV, AMP File Reputation); 2. AMP Dynamic Malware Analysis for files that are still unknown; 3. Retrospection, where the AMP Cloud raises Retrospective Incidents when a file's verdict changes later, so you can:
• Know where it all started
• Understand how it entered the system
• See everywhere it has been
• Determine what it has done
• Learn how to stop it

Page 23:

Combining the Power of ISE with WSA: WSA with ISE Process Flow

Cisco® ISE acquires important context and identity from the network. It monitors and provides visibility into unauthorized access.

Cisco ISE provides differentiated access to the network; Cisco TrustSec® Security provides segmentation throughout the network; and Cisco Web Security Appliance provides web security and policy enforcement.

Figure: Consistent Secure Access Policy. Cisco® Identity Services Engine feeds the WSA with three access contexts (Who: Doctor, What: Laptop, Where: Office / Who: Doctor, What: iPad, Where: Office / Who: Guest, What: iPad, Where: Office), which are matched against three resource classes: Confidential Patient Records, Internal Employee Intranet, and the Internet.

Page 24:

WSA News

• WSA / AsyncOS 8.8: ICAP (for DLP vendors) and AMP ThreatGrid integration
• Recommendation: min. WSA 9.0
• Cisco Web Security Advanced Reporting App 4.5: WSA and CWS logs
• Referer header support (e.g. allow a YouTube channel if the request carries a good Referer)

Figure: WSA logs and Cloud Web Security (CWS) logs feed the reporting app; the WSA can use cloud-based AMP ThreatGrid or a local AMP ThreatGrid; ICAP hands content to the DLP vendor.

Page 25:

Cognitive Threat Analytics, CTA (for CWS, WSA, and others)

Page 26:

Cognitive Threat Analytics

• As users go through a web proxy, access logs are generated
• Cisco Cognitive Threat Analytics (CTA) works on the HTTP/HTTPS headers (metadata) recorded in those logs:

Time | IP          | URL            | User Agent | …
2:45 | 54.62.37.10 | www.google.com | Mozilla (…
2:45 | 68.62.37.10 | www.yahoo.com  | Mozilla (…
2:45 | 22.62.37.10 | www.cnn.com    | Chrome (…
2:45 | 59.62.37.10 | www.seznam.com | Mozilla (…
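Two of the anomalies such metadata exposes, as an added example that is not Cisco CTA code: a client whose requests to one host recur at a near-constant interval (beaconing), and a User-Agent that only one client in the population uses. The code consumes lines in the slide's "Time | IP | URL | User Agent" shape; the sample log is constructed (with full timestamps instead of the slide's H:MM, and private client addresses), and the thresholds are assumptions.

```python
"""Beaconing and rare-user-agent detection over proxy access logs.

Constructed example, not Cisco CTA code. Only headers are used: time,
client IP, URL (reduced to its host) and User-Agent.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample: 10.1.2.12 calls update-check.example.net every ~5 minutes with a
# User-Agent nobody else uses; the other clients browse normally.
SAMPLE_LOG = """\
2015-11-03T02:45:00 | 10.1.2.10 | http://www.google.com/ | Mozilla/5.0 (Windows NT 6.1) Firefox/41.0
2015-11-03T02:45:00 | 10.1.2.12 | http://update-check.example.net/ping | curl/7.1
2015-11-03T02:45:09 | 10.1.2.10 | http://www.google.com/search?q=talos | Mozilla/5.0 (Windows NT 6.1) Firefox/41.0
2015-11-03T02:45:30 | 10.1.2.11 | http://www.yahoo.com/ | Mozilla/5.0 (Windows NT 6.1) Firefox/41.0
2015-11-03T02:46:12 | 10.1.2.13 | http://www.cnn.com/ | Mozilla/5.0 (Windows NT 6.1) Firefox/41.0
2015-11-03T02:47:30 | 10.1.2.10 | http://www.google.com/ | Mozilla/5.0 (Windows NT 6.1) Firefox/41.0
2015-11-03T02:50:01 | 10.1.2.12 | http://update-check.example.net/ping | curl/7.1
2015-11-03T02:54:59 | 10.1.2.12 | http://update-check.example.net/ping | curl/7.1
2015-11-03T02:58:40 | 10.1.2.11 | http://www.seznam.com/ | Mozilla/5.0 (Windows NT 6.1) Firefox/41.0
2015-11-03T02:59:12 | 10.1.2.10 | http://www.google.com/ | Mozilla/5.0 (Windows NT 6.1) Firefox/41.0
2015-11-03T03:00:00 | 10.1.2.12 | http://update-check.example.net/ping | curl/7.1
2015-11-03T03:05:02 | 10.1.2.12 | http://update-check.example.net/ping | curl/7.1
2015-11-03T03:09:58 | 10.1.2.12 | http://update-check.example.net/ping | curl/7.1
"""


def parse_log(text):
    """Split 'Time | IP | URL | User Agent' lines into dicts; the URL is reduced to its host."""
    rows = []
    for line in text.strip().splitlines():
        ts, ip, url, ua = [field.strip() for field in line.split(" | ", 3)]
        rows.append({"time": datetime.fromisoformat(ts), "client": ip,
                     "host": urlsplit(url).hostname, "ua": ua})
    return rows


def find_beacons(rows, min_requests=4, max_cv=0.1, min_interval=30):
    """(client, host) pairs whose inter-request gaps are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is close to zero for a
    timer-driven implant and large for a human clicking around.
    """
    times_by_pair = defaultdict(list)
    for row in rows:
        times_by_pair[(row["client"], row["host"])].append(row["time"])
    beacons = []
    for (client, host), times in sorted(times_by_pair.items()):
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg < min_interval:          # too fast to be a beacon; just a busy page load
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"client": client, "host": host, "period_s": round(avg), "cv": round(cv, 3)})
    return beacons


def find_rare_user_agents(rows, min_clients=3):
    """User-Agents used by exactly one client, once the population is big enough to judge."""
    clients_by_ua = defaultdict(set)
    for row in rows:
        clients_by_ua[row["ua"]].add(row["client"])
    if len({row["client"] for row in rows}) < min_clients:
        return {}
    return {ua: next(iter(clients)) for ua, clients in clients_by_ua.items() if len(clients) == 1}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("beacons:", find_beacons(rows))
    print("rare user agents:", find_rare_user_agents(rows))
```

Neither signal needs the payload or a signature for the destination, which is the point of working on headers: update-check.example.net is flagged because of how the client talks to it, not because anyone has classified the host yet.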

Page 27:

Cognitive Threat Analytics: Key features

Unique threat detection approach: Anomaly Detection & Big Data Machine Learning
• Understand context
• Continuously analyze data
• Make decisions
• Prevent testing in advance
• Always evolve
• Find threats faster

Page 28:

Demo Time!

Page 29:

Elastica, Cisco Cloud Access Security

Page 30:

How does Elastica Work?

Data sources feeding Elastica CloudSOC™:
• Gateway: 1. PAC files, 2. Chaining with Cisco, 3. Lite Agent (roadmap)
• Securlets
• Log Files: 1. Direct Upload, 2. Direct Stream, 3. On Premise VM

Comprehensive Cloud App Security Stack:
• AUDIT Shadow IT and Data Risk
• DETECT exploitations of cloud app accounts (StreamIQ™, ThreatScore™)
• PROTECT against intrusions in cloud app accounts
• INVESTIGATE incidents and respond

Page 31:

Elastica CloudSOC: Main Goals

• SaaS Visibility: identify Shadow IT and monitor cloud app usage in real time
• Granular Control: gain control of Shadow Data in a cloud-first, mobile-first world
• Intelligent Protection: combat evolving threats using data science

SHADOW IT RISK ASSESSMENT
• Analytics on your cloud app risks and compliance issues
• App usage anomalies across your organization
• What apps you should sanction and what apps you should block

SHADOW DATA RISK ASSESSMENT
• External and public content exposures, including compliance risks
• Inbound risky content shared with employees (e.g. malware, IP, etc.)
• Risky users and user activities

Page 32:

Cisco CWS Integration

• As simple as enabling a feature from the CWS back-office portal
• Automated customer provisioning at Elastica
• Automated log transfer without any customer setup/deployment effort

Page 33:

OpenDNS

Page 34:

Recap: Differentiators (Note: This is usually our first slide in intro decks)

World's Largest Security Platform with 80M+ malicious requests blocked/day = GLOBAL NETWORK + UNIQUE ANALYTICS

GLOBAL NETWORK
• 80B+ DNS requests/day
• 65M+ biz & home users
• 100% uptime
• Any port, protocol, app

UNIQUE ANALYTICS
• security research team
• automated classification
• BGP peer relationships
• 3D visualization engine

Page 35:

PRODUCTS & TECHNOLOGIES

• UMBRELLA (Enforcement): network security service that protects any device, anywhere
• INVESTIGATE (Intelligence): discover and predict attacks before they happen

Page 36:

UMBRELLA: A New Layer of Breach Protection

• Threat Prevention: not just threat detection
• Turnkey & Custom API Integrations: does not require professional services to set up
• Protects On & Off Network: not limited to devices forwarding traffic through on-prem appliances
• Always Up to Date: no need for the device to VPN back to an on-prem server for updates
• Blocks by Domain for All Ports: not just IP addresses, or domains only over ports 80/443

Page 37:

INVESTIGATE: A Single, Correlated Source of Information

• WHOIS record data
• ASN attribution
• IP geolocation
• IP reputation scores
• Domain reputation scores
• Domain co-occurrences
• Anomaly detection (DGAs, FFNs)
• DNS request patterns/geo. distribution
• Passive DNS database

(The slide's comparison column marks three of these as "Not available" from competing vendors.)

Page 38:

Evolution of Command & Control Callbacks

• HARD-CODED IP: the implant calls back to a fixed address
• "FAST FLUX": one domain (bad.com?) resolves, in turn, to many different addresses
• DOMAIN GENERATION ALGORITHM: the implant cycles through generated names (bad.com?, baa.ru?, bid.cn), each mapping to yet another address

Illustrative addresses in the figure: @23.4.24.1, @34.4.2.110, @23.4.34.55, @44.6.11.8, @129.3.6.3, @8.2.130.3, @12.3.2.1, @67.44.21.1

Page 39:

How Our Security Classification Works

1. Ingest millions of data points per second (figure: a.ru, b.cn, 7.7.1.3, e.net, 5.9.0.1, p.com/jpg)
2. Apply statistical models and human intelligence
3. Identify probable malicious sites
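What the statistical side of that classification looks like for the three callback styles on the previous slide, as an added example that is not OpenDNS Investigate code. It runs over a constructed list of callback observations (the destination as the client named it, the answered IP, the TTL in seconds): a destination that is a bare IP literal is a hard-coded callback, a domain answered with many distinct IPs at short TTLs looks like fast flux, and a registrable label with high entropy and few vowels looks algorithmically generated. The thresholds are assumptions tuned to this toy data, the organizational-domain split ignores the Public Suffix List, and the answered addresses for the fast-flux domain reuse the slide's placeholder IPs.

```python
"""Flagging hard-coded-IP, fast-flux and DGA callbacks in a resolver log.

Constructed example, not OpenDNS code. Each heuristic is weak on its own;
the DGA check therefore needs three of four signals to agree.
"""
from collections import defaultdict
from ipaddress import ip_address
import math
from statistics import median


def shannon_entropy(s):
    """Bits per character; a 12-character label of distinct characters scores log2(12) = 3.58."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_ip_literal(dest):
    try:
        ip_address(dest)
        return True
    except ValueError:
        return False


def registrable_label(domain):
    """Second-level label. Simplification: no Public Suffix List, so 'x.co.uk' is mishandled."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_features(domain):
    label = registrable_label(domain)
    n = max(len(label), 1)
    return {
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(label.count(v) for v in "aeiou") / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "length": len(label),
    }


def looks_dga(domain):
    """Three of four weak signals must agree; each alone misfires on real names (thresholds assumed)."""
    f = dga_features(domain)
    votes = sum([f["entropy"] > 3.3, f["vowel_ratio"] < 0.25, f["length"] >= 12, f["digit_ratio"] > 0.15])
    return votes >= 3


def classify(observations, flux_min_ips=5, flux_max_ttl=300):
    """Map each destination to hard-coded-ip / fast-flux / dga-like / benign-looking."""
    answers = defaultdict(set)
    ttls = defaultdict(list)
    verdict = {}
    for dest, answer, ttl in observations:
        if is_ip_literal(dest):
            verdict[dest] = "hard-coded-ip"     # no DNS lookup happened at all
            continue
        answers[dest].add(answer)
        ttls[dest].append(ttl)
    for dest in answers:
        if len(answers[dest]) >= flux_min_ips and median(ttls[dest]) <= flux_max_ttl:
            verdict[dest] = "fast-flux"
        elif looks_dga(dest):
            verdict[dest] = "dga-like"
        else:
            verdict[dest] = "benign-looking"
    return verdict


# Constructed observations: (destination, answered IP, TTL). Benign hosts use TEST-NET addresses.
SAMPLE = [
    ("23.4.24.1", "23.4.24.1", 0),
    ("bad.com", "34.4.2.110", 60), ("bad.com", "23.4.34.55", 60), ("bad.com", "44.6.11.8", 60),
    ("bad.com", "129.3.6.3", 60), ("bad.com", "8.2.130.3", 60), ("bad.com", "12.3.2.1", 60),
    ("xk3jq9wlpzmt.info", "203.0.113.7", 3600),
    ("qwzrtkxvbnmlp.net", "203.0.113.8", 3600),
    ("www.google.com", "192.0.2.10", 300), ("www.google.com", "192.0.2.11", 300),
    ("www.seznam.com", "198.51.100.5", 3600),
]

if __name__ == "__main__":
    for dest, label in classify(SAMPLE).items():
        print(f"{dest:22} {label:15} {dga_features(dest) if not is_ip_literal(dest) else ''}")
```

A content delivery network also answers one name with many addresses, so the fast-flux rule needs the short-TTL condition and, in real deployments, the ASN spread that Investigate exposes: legitimate CDN addresses cluster in a few networks, flux nodes are scattered across compromised hosts.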

Page 40:

Demo Time!
