This session was recorded via Cisco WebEx! You can watch ... · Welcome from Cisco Introducing...

Page 1:

Cisco Customer Education You've Already Been Hacked. Now What? Cisco Next-Gen Security Can Help

This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:

https://acecloud.webex.com/acecloud/lsr.php?RCID=2a9e13dcb37a4721b5c9fc97052488bb

Thanks for your interest and participation!

Page 2:

Presentation Agenda

► Welcome from Cisco

► Introducing Cisco Security

► Cloud Web Security and OpenDNS

► Talos and Advanced Malware Protection

► Next Generation Threat Protection

► Conclusion

About Your Host: Brian Avery, Territory Business Manager, Cisco Systems, Inc.

Page 3:

Who Is Cisco?

Page 4:

Cisco Confidential 4 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Computer scientists, Len Bosack and Sandy Lerner found Cisco Systems

Bosack and Lerner run network cables between two different buildings on the Stanford University campus

A technology has to be invented to deal with disparate local area protocols; the multi-protocol router is born

1984

Page 5:

The Landscape is Constantly Changing

Leading for Nearly 30 Years

1990 – 1995, 1996 – 2000, 2001 – 2007, 2008 – Today

WellFleet, SynOptics, 3Com, ACC, DEC, Proteon, IBM, Bay Networks, Newbridge, Cabletron, Ascend, Fore, Xylan, 3Com, Nortel, Ericsson, Alcatel, Juniper, Lucent, Siemens, NEC, Foundry, Redback, Riverstone, Extreme, Arista, HP, Avaya, Juniper, Huawei, Aruba, Brocade, Checkpoint, Fortinet, ShoreTel, Polycom, Microsoft, F5, Riverbed, Dell

Internet of Everything

2016

Page 6:

Who Is Cisco?

Chuck Robbins, CEO, Cisco

• Dow Jones Industrial Average Fortune 100 Company (AAPL, CSCO, INTC, MSFT)

• $117B Market Capitalization

• $49.6B in Revenue

• $10B in Annual Net Profits

• $34B More Cash than Debt

• $6.3B in Research and Development

http://finance.yahoo.com/q/ks?s=CSCO+Key+Statistics

Page 7:

Market Leadership Matters

• Voice: No. 1, 41%

• TelePresence: No. 1, 50%

• Web Conferencing: No. 1, 43%

• Wireless LAN: No. 1, 50%

• x86 Blade Servers: No. 2, 29%

• Routing Edge/Core/Access: No. 1, 47%

• Security: No. 1, 31%

• Switching Modular/Fixed: No. 1, 65%

• Storage Area Networks: No. 1, 47%

Page 8:

Cisco Confidential 8 C97-731719-02 © 2014 Cisco and/or its affiliates. All rights reserved.

Security in the 21st Century

Page 9:

The Good Old Days Are Over

Page 10:

Organizations Are Under Attack

Industrial Hackers Are Making Big Money with Innovative Tactics

Timeline, 1990 to 2020:

• Viruses 1990–2000

• Worms 2000–2005

• Spyware and Rootkits 2005–Today

• APTs Cyberware Today +

Phishing, Low Sophistication; Hacking Becomes an Industry; Sophisticated Attacks, Complex Landscape

95% of large companies targeted by malicious traffic

100% of organizations interacted with websites hosting malware

1. Cybercrime is lucrative, barrier to entry is low

2. Hackers are smarter and have the resources to compromise your organization

3. Malware is more sophisticated

4. Organizations face tens of thousands of new malware samples per hour

Source: 2014 Cisco Annual Security Report

Global Cybercrime Market $450B‒$1T

Page 11:

High Profile Breaches

As of 12/31/2014 http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf

1,000,000

70,000,000

56,000,000 2,600,000

1,100,000

And Yet… Organizations of every size are targets

60% of UK small businesses were compromised in 2014 (2014 Information Security Breaches Survey)

100% of corporate networks examined had malicious traffic (Cisco 2014 Annual Security Report)

41% of targeted attacks are against organizations with fewer than 500 employees (July 2014, The National Cyber Security Alliance (NCSA))

Page 12:

If you knew you were going to be compromised, would you do security differently?

It’s no longer a question of “if” you’ll be breached, it’s a question of “when”

Page 13:

Cisco Security Overview

Page 14:

Cybersecurity today requires a “Defense-in-Depth” Approach

► Defense-in-depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise

► Firewalls are the first step, not an overall strategy

► Firewalls offer only a single layer of defense

Page 15:

Too Many Disparate Security Products Mean Gaps in Protection

Fragmented offerings across multiple vendors vs streamlined advanced security solution

• Cost: higher total cost to build and run vs lower opex and easier to manage

• Overall performance: less communication between components vs better communication and integration

• Time to detection: more lag in finding threats vs faster time to detection

Page 16:

Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum

Before: Discover, Enforce, Harden

During: Detect, Block, Defend

After: Scope, Contain, Remediate

FireSIGHT and pxGrid

ASA VPN

OpenDNS Meraki

Advanced Malware Protection

Network as Enforcer

NGIPS

ESA/WSA

CWS Secure Access + Identity Services ThreatGRID

Attack Continuum

Page 17:

Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum

Attack Continuum

Before: Discover, Enforce, Harden

During: Detect, Block, Defend

After: Scope, Contain, Remediate

FireSIGHT and pxGrid

ASA VPN

OpenDNS Meraki

Advanced Malware Protection

Network as Enforcer

NGIPS

ESA/WSA

CWS Secure Access + Identity Services ThreatGRID

Advanced Malware Protection ASA

OpenDNS

NGIPS

ESA/WSA

CWS

Page 18:

Combined with the Best Threat Intelligence Capabilities World-Class Threat Research

221B Total Threats

991M

Web + Malware Threats

19.7B Threats Per Day

1.4M

2.6M 9.9B

1.1M

1.8B

1B

8.2B

Incoming Malware Samples Per Day

Sender Base Reputation Queries

Per Day

Web Filtering Blocks Per Month

AV Blocks Per Day

Spyware Blocks Per Month

Blocks Per Sec Total Blocks Per Month

3.5 BILLION SEARCHES

TODAY

19.7 BILLION THREATS BLOCKED

TODAY

Page 19:

More Effective Against Sophisticated Attacks

Much Faster Than Most Organizations Discover Breaches

Industry: 100 days vs. Cisco: less than 1 day

Source: Cisco Annual Security Report, 2016

Page 20:

Advanced Malware Protection

Page 21:

Page 22:

Malware WILL Get Into Your Environment

95% of large companies targeted by malicious traffic

60% of data stolen in hours

65% of organizations say attacks evaded existing preventative security tools

41% of attacks against companies under 500 employees

Page 23:

Once Inside, Organizations Struggle to Deal With It

33% of organizations take 2+ years to discover breach

55% of organizations unable to determine cause of a breach

45 days: average time to resolve a cyber-attack

54% of breaches remain undiscovered for months

Page 24:

When Malware Strikes, You Have Questions

Where did it come from?

Who else is infected?

What is it doing? How do I stop it?

Page 25:

Unique to Cisco® AMP

Cisco AMP Delivers a Better Approach

Point-in-Time Protection

File Reputation, Sandboxing, and Behavioral Detection

Retrospective Security

Continuous Analysis

Page 26:

Comprehensive Security Requires

Breach Prevention Rapid Breach Detection, Response, Remediation Threat Intelligence

Page 27:

Cisco AMP Defends With Reputation Filtering And Behavioral Detection

Point-in-Time Detection Retrospective Security

Cisco Collective Security Intelligence

Continuous Protection Reputation Filtering Behavioral Detection

Dynamic Analysis

Machine Learning

Fuzzy Finger-printing

Advanced Analytics

One-to-One Signature

Indications of Compromise

Device Flow Correlation

Page 28:

Reputation Filtering: Example

1. Unknown file is encountered, signature is analyzed, sent to cloud

2. File is not known to be malicious and is admitted

3. Unknown file is encountered, signature is analyzed, sent to cloud

4. File signature is known to be malicious and is prevented from entering the system

Collective Security Intelligence Cloud

Page 29:

Reputation Filtering: Example

Collective Security Intelligence Cloud

1. Fingerprint of file is analyzed and determined to be malicious

2. Malicious file is not allowed entry

3. Polymorphic form of the same file tries to enter the system

4. The fingerprints of the two files are compared and found to be similar to one another

5. Polymorphic malware is denied entry based on its similarity to known malware
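The two reputation-filtering walk-throughs above (exact signature lookup, then similarity matching against a polymorphic variant), as an added Python sketch; it is not Cisco's code. The shingle-and-Jaccard fingerprint, the 0.6 threshold and the `ReputationCloud` class are assumptions standing in for whatever fingerprinting AMP actually uses, and the sample byte strings are constructed.

```python
import hashlib

SHINGLE = 4      # bytes per shingle (assumed value)
THRESHOLD = 0.6  # Jaccard score treated as "similar to known malware" (assumed)


def exact_signature(data: bytes) -> str:
    """One-to-one signature: a single changed byte yields a different value."""
    return hashlib.sha256(data).hexdigest()


def fuzzy_fingerprint(data: bytes) -> frozenset:
    """Set of overlapping byte shingles; a small edit changes only a few of them."""
    return frozenset(data[i:i + SHINGLE] for i in range(len(data) - SHINGLE + 1))


def similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity of two fingerprints, 0.0 (disjoint) to 1.0 (identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class ReputationCloud:
    """Hypothetical stand-in for the cloud that holds known-bad dispositions."""

    def __init__(self):
        self.bad_hashes = set()
        self.bad_fingerprints = []

    def convict(self, data: bytes) -> None:
        self.bad_hashes.add(exact_signature(data))
        self.bad_fingerprints.append(fuzzy_fingerprint(data))

    def check(self, data: bytes) -> str:
        # Exact match first: cheap, and precise for files seen before.
        if exact_signature(data) in self.bad_hashes:
            return "block-exact"
        # The hash missed; compare the fingerprint against known-bad ones.
        fp = fuzzy_fingerprint(data)
        if any(similarity(fp, known) >= THRESHOLD for known in self.bad_fingerprints):
            return "block-similar"
        return "admit"


def _constructed_bytes(seed: bytes, n: int) -> bytes:
    """Deterministic filler bytes used as constructed sample 'files'."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


KNOWN_BAD = _constructed_bytes(b"sample-a", 512)  # constructed, not real malware
BENIGN = _constructed_bytes(b"sample-b", 512)     # constructed, unrelated content


def make_variant(data: bytes) -> bytes:
    """Mimic a polymorphic repack: flip three bytes and append padding."""
    v = bytearray(data)
    for pos in (50, 200, 400):
        v[pos] ^= 0xFF
    return bytes(v) + b"\x00" * 16


def run_demo() -> list:
    cloud = ReputationCloud()
    before = cloud.check(KNOWN_BAD)   # not yet known to be malicious
    cloud.convict(KNOWN_BAD)          # disposition changes in the cloud
    return [
        before,
        cloud.check(KNOWN_BAD),                # same file seen again
        cloud.check(make_variant(KNOWN_BAD)),  # hash differs, fingerprint is close
        cloud.check(BENIGN),
    ]


if __name__ == "__main__":
    print(run_demo())
```

The variant's SHA-256 no longer matches, so an exact-signature lookup alone would admit it; only the similarity comparison catches it.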

Page 30:

Behavioral Detection: Example

Collective Security Intelligence Cloud

1. File of unknown disposition is encountered

2. File replicates itself and this information is communicated to the cloud

3. File communicates with malicious IP addresses or starts downloading files with known malware disposition

4. Combination of activities indicates a compromise and the behavior is reported to the cloud and AMP client

5. These indications are prioritized and reported to security team as possible compromise

Page 31:

Behavioral Detection: Example

Collective Security Intelligence Cloud

IP: 64.233.160.0

1. Device Flow Correlation monitors communications of a host on the network

2. Two unknown files are seen communicating with a particular IP address

3. One is sending information to the IP address, the other is receiving commands from the IP address

4. Collective Security Intelligence Cloud recognizes the external IP as a confirmed, malicious site

5. Unknown files are identified as malware because of the association

Page 32:

Cisco AMP Delivers A Better Approach

Unique to Cisco® AMP

Point-in-Time Protection

File Reputation, Sandboxing, and Behavioral Detection

Retrospective Security

Continuous Analysis

Page 33:

Cisco AMP Defends With Retrospective Security

Point-in-Time Detection Retrospective Security

Cisco Collective Security Intelligence

To be effective, you have to be everywhere

Continuously

Page 34:

Why Continuous Protection Is Necessary


Web


Endpoints Network Email Devices

Gateways

File Fingerprint and Metadata

Process Information

Continuous feed

Continuous analysis

File and Network I/O

Breadth and Control points:

Telemetry Stream

Point-in-Time Detection Retrospective Security

Cisco Collective Security Intelligence

Talos + Threat Grid Intelligence

Page 35:

Cisco AMP Defends With Retrospective Security

Point-in-Time Detection Retrospective Security

Cisco Collective Security Intelligence

Trajectory Behavioral Indications

of Compromise

Elastic Search

Continuous Analysis

Attack Chain Weaving

Page 36:

Continuous Analysis: Example

1. Performs analysis the first time a file is seen

2. Persistently analyzes the file over time to see if the disposition is changed

3. Giving unmatched visibility into the path, actions, or communications that are associated with a particular piece of software
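Continuous analysis as outlined above, applied to the Device Flow Correlation case from the earlier Behavioral Detection slide, as an added Python sketch (not Cisco's code). The `TelemetryStore` class, the event fields, the file identifiers and the documentation-range IP addresses are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowEvent:
    ts: int          # seconds since the start of the constructed capture
    host: str        # endpoint that reported the flow
    file_id: str     # stand-in for the file's SHA-256
    remote_ip: str
    direction: str   # "out" = file sent data, "in" = file received data


class TelemetryStore:
    """Keeps every event so a later intel change can be applied to history."""

    def __init__(self):
        self.events = []
        self.disposition = {}   # file_id -> "unknown" | "malicious"
        self.bad_ips = set()

    def record(self, ev: FlowEvent) -> str:
        """Point-in-time verdict: uses only what is known when the event arrives."""
        self.events.append(ev)
        if ev.remote_ip in self.bad_ips:
            self.disposition[ev.file_id] = "malicious"
        return self.disposition.setdefault(ev.file_id, "unknown")

    def intel_update(self, ip: str) -> dict:
        """Retrospective pass: an IP is now confirmed malicious.

        Convicts unknown files that talked to it, then returns every host
        where those files were ever seen (the scope to contain).
        """
        self.bad_ips.add(ip)
        newly_convicted = {
            ev.file_id for ev in self.events
            if ev.remote_ip == ip and self.disposition[ev.file_id] == "unknown"
        }
        for file_id in newly_convicted:
            self.disposition[file_id] = "malicious"
        scope = defaultdict(set)
        for ev in self.events:
            if ev.file_id in newly_convicted:
                scope[ev.file_id].add(ev.host)
        return {file_id: sorted(hosts) for file_id, hosts in scope.items()}


# Constructed telemetry: two unknown files talk to the same external address,
# one sending data and one receiving, as in the Device Flow Correlation steps.
SAMPLE_EVENTS = [
    FlowEvent(10, "ws-01", "file-A", "203.0.113.7", "out"),
    FlowEvent(20, "ws-01", "file-B", "203.0.113.7", "in"),
    FlowEvent(30, "ws-02", "file-A", "198.51.100.5", "out"),
    FlowEvent(40, "ws-03", "file-C", "198.51.100.5", "out"),
]


def run_demo():
    store = TelemetryStore()
    first_seen = [store.record(ev) for ev in SAMPLE_EVENTS]
    # Later, threat intelligence confirms 203.0.113.7 as malicious.
    scope = store.intel_update("203.0.113.7")
    # A convicted file is blocked on sight afterwards, whatever it talks to.
    later = store.record(FlowEvent(50, "ws-04", "file-A", "198.51.100.9", "out"))
    return first_seen, scope, later, store.disposition["file-C"]


if __name__ == "__main__":
    print(run_demo())
```

All four events are admitted as unknown when first seen; the conviction, and the discovery that file-A also reached ws-02, happen only because the history was retained and re-evaluated.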

Page 37:

Attack Chain Weaving: Example

Uses retrospective capabilities in three ways:

1. File Trajectory: records the trajectory of the software from device to device

2. Process Monitoring: monitors the I/O activity of all devices on the system

3. Communications Monitoring: monitors which applications are performing actions

Attack Chain Weaving analyzes the data collected by File Trajectory, Process, and Communication Monitoring to provide a new level of threat intelligence

Page 38:

Behavioral Indications of Compromise: Example

Behavioral Indications of Compromise uses continuous analysis and retrospection to monitor systems for suspicious and unexplained activity… not just signatures!

Using the power of Attack Chain Weaving, Cisco® AMP is able to recognize patterns and activities of a given file, and identify an action to look for across your environment rather than a file fingerprint or signature

1. An unknown file is admitted into the network

2. The unknown file copies itself to multiple machines

3. Duplicates content from the hard drive

4. Sends duplicate content to an unknown IP address

Page 39:

Cisco AMP Defends With Reputation Filtering And Behavioral Detection

Point-in-Time Detection Retrospective Security

Cisco Collective Security Intelligence

Continuous Protection Reputation Filtering Behavioral Detection

Dynamic Analysis

Machine Learning

Fuzzy Finger-printing

Advanced Analytics

One-to-One Signature

Indications of Compromise

Device Flow Correlation

Page 40:

Advanced Malware Protection AMP Everywhere: See Once, Protect Everywhere

Networks Web Endpoint

AMP Intelligence Sharing

Email


Visibility

Page 41:

Cisco AMP Provides Contextual Awareness and Visibility That Allows You to Take Control of an Attack Before It Causes Damage

• What: These applications are affected

• Where: The breach affected these areas

• When: This is the scope of exposure over time

• How: Here is the origin and progression of the threat

• Who: Focus on these users first

Page 42:

The Leader in Security Effectiveness Cisco AMP offers superior security effectiveness, excellent performance, and provides security across more attack vectors than any other vendor

• 99.2% Security Effectiveness rating in BDS testing, the highest of all vendors tested.

• Only vendor to block 100% of evasion techniques during testing.

• Excellent performance with minimal impact on network, endpoint, or application latency.

Page 43:

…and with Cisco AMP Everywhere Strategy Means Protection Across the Extended Network

AMP Advanced Malware

Protection

AMP for Networks

AMP on Web & Email Security Appliances

AMP on Cisco® ASA Firewall with FirePOWER Services

AMP for Endpoints

AMP for Cloud Web Security & Hosted Email

AMP Private Cloud Virtual Appliance

MAC

PC Mobile

Virtual

CWS

AMP Threat Grid Dynamic Malware Analysis + Threat

Intelligence Engine

AMP for Meraki Cloud Networking

Meraki

Page 44:

Next-Generation Firewall

Page 45:

Typical NGFWs are focused too narrowly on apps and are too hard to manage

NGFW

DDoS Sandbox URL IPS

Focused on apps, not threats Another silo to manage

Threat

Threat

Threat

Page 46:

Introducing

Industry’s First Threat-Focused NGFW

• Integrating defense layers helps organizations get the best visibility

• Enable dynamic controls to automatically adapt

• Protect against advanced threats across the entire attack continuum

Proven Cisco ASA firewalling

Industry leading NGIPS and AMP

Cisco ASA with FirePOWER Services Next-Generation

Firewall (NGFW)

Cisco ASA with FirePOWER Services

Page 47:

Superior Integrated & Multilayered Protection

Cisco ASA

URL Filtering (Subscription)

FireSIGHT Analytics & Automation

Advanced Malware

Protection (Subscription)

Application Visibility & Control Network Firewall

Routing | Switching

Clustering & High Availability

Cisco Collective Security Intelligence Enabled

Built-in Network Profiling

Intrusion Prevention

(Subscription)

World’s most widely deployed, enterprise-class ASA stateful firewall

Granular Cisco® Application Visibility and Control (AVC)

Industry-leading FirePOWER next-generation IPS (NGIPS)

Reputation- and category-based URL filtering

Advanced malware protection

Identity-Policy Control & VPN

Page 48:

Cisco Meraki Cloud Security

Page 49:

Meraki MS Ethernet Switches

Meraki SME Enterprise Mobility

Management

Meraki MR Wireless LAN

Meraki MX Security

Appliances

Page 50:

Wired, wireless &

EMM

Client fingerprints

Security & bandwidth

policy

Instant search

Location analytics

Real-time control Integrated

MDM

Application visibility

Page 51:

On-Prem Managed Cloud Managed

Cisco Architecture

Cisco Traditional

ISR / ASA

Catalyst

Aironet

Meraki Systems Manager EMM

Cisco Meraki

MX

MS

MR

Systems Manager EMM Cisco ISE

Policy & Control

Cisco Prime Management & Analytics

Page 52:

Application Control: Traffic Shaping, Content Filtering, Web Caching

Security: NG Firewall, Client VPN, Site to Site VPN, IDS/IPS

Networking: NAT/DHCP, 3G/4G Cellular, Static Routing, Link Balancing

Page 53:

Intuitive centralized management

• No training, no command line

• Templates to configure at-scale

• Packet capture, built-in tools and diagnostics

Industry-leading visibility

• Fingerprints users, applications, and devices

• Network-wide monitoring and alerts

• Full stack: APs, switches, Security, MDM

Designed for distributed enterprises

• Single pane of glass visibility

• Zero-touch provisioning

• Seamless updates from the cloud

• Site-to-site IPSec VPN in 3 clicks

Page 54:

• Best IPS: Sourcefire IDS / IPS, updated every day

• Anti-Malware: Advanced Malware Protection powered by Cisco Sourcefire and Talos

• Content Filtering: 4+ billion URLs, updated in real time

• Geo-based security: Block attackers from rogue countries

• AV / anti-phishing: Kaspersky AV, updated every hour

• PCI compliance: PCI L1 certified cloud-based management

Page 55:

Enterprise License

• Stateful firewall

• Site to site VPN

• Branch routing

• Internet load-balancing (over dual WAN)

• Application control

• Web caching

• Intelligent WAN (IWAN)

• Client VPN

Advanced Security License

All enterprise features, plus:

• Content filtering (with Google SafeSearch)

• Kaspersky Anti-Virus and Anti-Phishing

• SourceFire IPS / IDS

• Geo-based firewall rules

• Advanced Malware Protection (AMP)

Page 56:

Cisco Web Security

Page 57:

Today’s cyber-threat reality

Hackers will likely command and control your environment via web

You’ll most likely be infected via email

Your environment will get breached

Page 58:

Exposure – web blocks

82,000 Virus Blocks

181 Million Spyware Blocks

818 Million Web Blocks

Daily Web Breakdown

Daily

Yearly

19.7 Billion

7.2 Trillion

Total Threats Blocked

Page 59:

Exposure- email blocks

Page 60:

Large Attack Surface

Page 61:

Attack surface – web browsers

More than 85% of the companies studied were affected each month by malicious browser extensions

Page 62:

Attack surface – user error on web

Users becoming complicit enablers of attacks

• Untrustworthy sources

• Clickfraud and Adware

• Outdated browsers: 10% of IE requests running latest version vs 64% of Chrome requests running latest version

Page 63:

Attack surface – web applications

Attackers: Shifts in the attack vectors

• Java drop 34%

• Silverlight rise 228%

• PDF and Flash steady

[Chart: log volume for Java, Silverlight, PDF and Flash]

2015 Cisco Annual Security Report

Page 64:

Attack surface – web protocol

Encrypted traffic is increasing. It represents over 50% of bytes transferred.

• Individual Privacy

• Government Compliance

• Organizational Security

The growing trend of web encryption creates a false sense of security and blind spots for defenders

Page 65:

Compromising without clicking

Attackers: Malvertising is on the rise; low-limit exfiltration makes infection hard to detect

In October 2014, there was a spike of 250%

Page 66:

Attack surface – email

Attackers: A growing appetite to leverage targeted phishing campaigns

Example: Snowshoe SPAM attack

SPAM up 250%

Page 67:

Exploit Kits, e.g. Cryptowall version 4

• Notorious ransomware

• Version 1 first seen in 2014

• Distributed via exploit kits and phishing emails

• Fast evolution

CRYPTOWALL 4.0

Page 68:

Threats from a user’s perspective

Page 69:

Sample attack: Joe, CFO – Waiting for his plane

Meet Joe. He is heading home for a well-deserved vacation.

He’s catching up on email using the airport Wi-Fi while he waits for his flight.

Page 70:

Sample attack: Joe, CFO – Checks his email

Joe just got an email from his vacation resort.

Your Tropical Getaway

Joe,

Thank you for choosing us. We look forward to seeing you.

Before your arrival, please verify your information here: www.vacationresort.com

Best, Resort Team

Page 71:

Sample attack: Joe, CFO – Instinctively, he clicks on the link

No problem, right? Everything looks normal.

The site may even be a trusted site, or maybe a site that is newly minted.

Page 72:

Sample attack: Joe, CFO – Joe is now infected

Joe opens the link and the resort video plays.

Although he doesn’t know it, Joe’s machine has been compromised by a Silverlight-based video exploit.

The malware now starts to harvest Joe’s confidential information:

• Passwords

• Credentials

• Company access authorizations

Page 73:

It Starts with Usage Controls and an Active Defense

Comprehensive Defense

Web Usage Control

• Web Filtering: Block over 50 million known malicious sites

• Web Reputation: Restrict access to sites based on assigned reputation score

• Dynamic Content Analysis: Categorize webpage content and block sites automatically

• Web Usage Reporting: Gain greater visibility into how web resources are used

• Roaming Laptop-User Protection: Extend security beyond the network to include mobile users

• Application Visibility and Control: Regulate access to individual website components and apps

• Outbreak Intelligence: Identify unknown malware and zero-hour outbreaks in real time

• Centralized Cloud Management: Enforce policies from a single, centralized location

Page 74:

[Diagram: Talos and Cisco® Cloud Web Security (CWS). Sites: HQ, Campus Office, Branch Office, Roaming User, Admin. Traffic Redirections: ASA, Standalone, WSA, ISR G2, AnyConnect®. Phases: Before, During, After. Controls applied to a request for www.website.com: Web Filtering, Web Reputation, Application Visibility and Control, Webpage, Anti-Malware, Outbreak Intelligence, File Reputation, File Sandboxing, File Retrospection, Cognitive Threat Analytics. Outcomes: Allow, Warn, Block, Partial Block. Admin functions: Management, Reporting, Log Extraction.]

Page 75:

Cisco Security and OpenDNS

Page 76:

What is DNS? Domain Name System

• A system for relating names and numbers

• Domain = IP Address

• Amazon.com = 205.251.242.103

• Like a library of phone books

Page 77:

Why DNS?

DNS is Everywhere

OpenDNS adds a Layer of Security

Everything uses DNS

• Simple to Set Up

• Easy Win

• Blocks Access to Unsafe Places

Page 78:

DNS: Doth Protest Too Much

91.3% of malware uses DNS

68% of organizations don’t monitor it

A blind spot for attackers to gain command and control, exfiltrate data, and redirect traffic

Page 79:

Our Perspective: Diverse Set of Data

• Requests Per Day: 80B

• Countries: 160+

• Daily Active Users: 65M

• Enterprise Customers: 10K

Page 80:

Our View of the Internet: providing visibility into global Internet activity (e.g. BGP, AS, Whois, DNS)

Page 81:

We see where attacks are staged

Page 82:

Where Do You Enforce Security?

[Diagram: threats from the Internet (malware, botnets/C2, phishing) reaching HQ, branch and mobile users. Candidate enforcement points, each marked "HERE?": sandbox, proxy, NGFW, NetFlow, router/UTM, and AV on endpoints.]

CHALLENGES

• Too Many Alerts via Appliances & AV

• Wait Until Payloads Reach Target

• Every Payload Scan Slows Things Down

• Too Much Time to Deploy Everywhere

BENEFITS

• Alerts Reduced 2x; Improves Your SIEM

• Traffic & Payloads Never Reach Target

• Internet Access Is Faster; Not Slower

• Provision Globally in UNDER 30 MINUTES

Page 83:

How Our Security Classification Works

• Apply statistical models and human intelligence

• Identify probable malicious sites

• Ingest millions of data points per second

[Graphic: example domains and IP addresses a.ru, b.cn, 7.7.1.3, e.net, 5.9.0.1, p.com/jpg]

Page 84:

Where Does Umbrella Fit?

[Diagram: email traffic, web traffic and all other traffic flowing to the Internet, shown on network and off network]

ON NETWORK

• ASA blocks inline by IP, URL or packet

• ESA/CES blocks by sender or content

• WSA/CWS blocks by URL or content via proxy

• Umbrella blocks by domain as well as IP or URL

OFF NETWORK

• ESA/CES blocks by sender or content

• CWS blocks by URL or content via proxy

• Umbrella blocks by domain as well as IP or URL

Page 85:

A New Layer of Breach Protection

UMBRELLA Enforcement

• Threat Prevention: Not just threat detection

• Protects On & Off Network: Not limited to devices forwarding traffic through on-prem appliances

• Partner & Custom Integrations: Does not require professional services to set up

• Block by Domains for All Ports: Not just IP addresses or domains only over ports 80/443

• Always Up to Date: No need for device to VPN back to an on-prem server for updates

Page 86:

Conclusion

Page 87:

Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum

Attack Continuum

• Before: Discover, Enforce, Harden

• During: Detect, Block, Defend

• After: Scope, Contain, Remediate

[Diagram labels: FireSIGHT and pxGrid, ASA, VPN, OpenDNS, Meraki, Advanced Malware Protection, Network as Enforcer, NGIPS, ESA/WSA, CWS, Secure Access + Identity Services, ThreatGRID]

Page 88:

Thank You and Next Steps

Brian Avery [email protected]

Learn more about Cisco Security: www.cisco.com/go/security/

Contact Your Cisco Partner https://tools.cisco.com/WWChannels/LOCATR/performBasicSearch.do

Page 89:

• CCE sessions are held weekly on a variety of topics

• CCE sessions can help you understand the capabilities and business benefits of Cisco technologies

• Watch replays of past events and register for upcoming events!

Visit http://cs.co/cisco101 for details

Join us again for a future Cisco Customer Education Event

Page 90: