Give yourself time in the - Cisco€¦ · Story Tweedie-Yates Head of Cisco Security Product...
Transcript of Give yourself time in the - Cisco€¦ · Story Tweedie-Yates Head of Cisco Security Product...
Story Tweedie-Yates
Head of Cisco Security Product Marketing in EMEAR
December 2016
With an integrated threat defense
Give yourself time in the fight against cyberattacks
Most interesting thing about Ukraine?
Debunk “kill chain” misconception
Your basic defense and attackers’ speed
How Cisco lowers Total Time to Detection
Source: Verizon 2016 Data Breach Investigations Report and Ponemon Cost of Data Breach Study 2016
0
50
100
150
200
250
Compromise Exfiltrate Identify Contain
Seconds Minutes Hours Days
Attackers are winning the battle for time
Attacker Victim
Total Time to Detection (TTD)
Compromise Detection
Measure and improve your TTDGaining an edge on the continuous “arms race.”
bayrob
drydex
ngrbot
nemucod xtrat
Median TTD
Detected earlier
(<Median)
Detected later
(>Median)
0 13 50 100TTD (Hours)
teslactypt
Is early protection the best way to lower TTD?
RECON
STAGE
CALLBACK
PERSIST
LAUNCH
EXPLOIT
INSTALL
Learning about target
Building infrastructure and acquiring tools
Initial connection made with users
Utilizing vulnerabilities to run code
Installing malware
Communicating ‘home’
Spread until goal is accomplished
Typical ransomware kill chain
Exploitation Ransomware
Payload
User Clicks a
Malicious Link,
Malvertising
Decryption
key
assymetric
exchange
Call to
malicious
Infrastructure
Email w/ Ransomware Payload
Files
inaccessible
!
Launch Exploit Install Callback
Multi-layer defense that can improve TTD
Exploitation Ransomware
Payload
User Clicks a
Malicious Link,
Malvertising
Decryption
key
assymetric
exchange
Call to
malicious
Infrastructure
Email w/ Ransomware Payload
Files
inaccessible
!
Email Security
Endpoint Security
DNS Layer
Intrusion Prevention
Protection after an attack is crucial to lowering TTD
Network Endpoint Mobile Virtual Cloud
Point in Time ContinuousThreat Intelligence
X
DURING
Detect
Block
Defend
AFTER
Scope
Contain
Remediate
BEFORE
Discover
Enforce
Harden
A multi-layer defense lowers TTD for other threats – like Black Energy
Email w/ weaponized MS Office
attachments
Black
Energy 3
installed
C&C
through
Explorer
Remote
connections
using stolen
credentials
AttackC&C and
plug-in
installation
x2
Endpoint
SecurityWeb
Security
SegmentationEmail
Security
NGFW/IPS
Protecting multiple attack vectors and ‘after’ an attack is more effective at lowering TTD than protecting early on in the kill chain
Why are attackers so fast?
Time to Patch: Vulnerable Endpoints Are Ripe Targets
Browsers
Chrome
Applications
Java
Enterprise Software
Office
Vers
ion
up
da
te
15.0.4420
14.0.4762
10 weeks
15.0.4454
15.0.4569
42.0.2311 43.0.2357
10 weeks
41.0.2272
7.0.550
10 weeks
7.0.600
7.0.650
7.0.670
7.0.710
7.0.7207.0.790
HTTPS Malware Traffic
Increase
% Increase % Avg.
HTTPS
Advertisements +9.27% 34.06%
Search Engines and
Portals+8.58% 64.27%
Chat and Instant
Messaging+8.23% 96.83%
Don’t ignore encryptionAdversaries hide their tracks in the encrypted traffic to evade detection.
Technical considerations alone are not enough
Combining people, processes and technology
*Adapted from Cisco’s Program Assessment Service
18
NGIPS
Patch Mgmt
Threat Correlation
Strategy
Metrics
Strategy (People) Operations (Process) Tactical (Technology)
Malware Defense
Ukraine National Center for Cybersecurity will support people, processes
National Cyber Security Strategy
National Coordination Center for
Cybersecurity
How Cisco lowers Total Time to Detection
VS.
More Effective Against Sophisticated AttacksMuch faster than most organizations discover breaches
*Source Cisco Midyear Security Report, 2016
Industry Days
100Cisco Hours
~13
Integrated threat defense: sharing information to lower TTD
Event
Policy
Threat intel
Unrivaled global threat research and intelligence
00I00 I00I0I II0I0I 0II0I I0I00I0I0 0II0I0II 0I00I0I I0 00
II0III0I 0II0II0I II00I0I0 0I00I0I00 I0I0 I0I0 I00I0I00
III00II 0II00II I0I0II0II0 I0 I0 I00 00I0 I000 0II0 00
III00II I000I0I I000I0I I000I0I II 0I00 I0I000 0II0 00
00I I0I0I0 I0I0III000 I0I00I0I 0II0I0 I00I0I0I0I 000
II0II0I0I0I I0I0I0I 0I0I0I0I 0I0I00I0 I0I0I0I 0II0I0I0I
0II00 I00I0I0 0I00I0I I00I0I0 I0I0I0I 0I0I0I 0I0I0I0
00I0I0 0I0I0I0 I0I0I00I 0I0I 0I0I 0I0I I0I0I 0I00I0I
III00II 0II00II I0I000 0II0 00I0I00 I0 I000I0I 0II 0I0I0I
III00II 0II00II 0I0I0I0I 0I I0 I00 000II0 I0I0 0II0 00
24 7 365
Operations
100 TB Data
Received
1.5 MILLION
Malware Samples
600 BILLION
Email Messages
16 BILLION
Web Requests
MILLIONS of Telemetry
Agents
4 Global Data Centers
Over 100 Threat
Intelligence Partners
250+ Full Time Threat
Intel Researchers
Threat Sharing Demo
Product intercommunication across many attack vectors lowers TTD
Network
ISR/ASR
Advanced
Malware
Cisco Umbrella
WebW W W
ISE
NGFW/
NGIPS
Threat Grid
Stealthwatch
Event
Threat Intel
Policy
The minimum for lowering TTD
26
Educate users
about threats
and best
practices
Basic
hardening to
resist
malware and
attacks
Measure TTD
What/how
many/where are
the devices on
the network
Monitor network
actively for
evidence of
compromise
Develop an
incident
response plan
People Process Technology
“Carol of the Bells”
Rakhiv, Ukraine is the center of Europe
World’s first constitution
4th most educated country in the world