Transcript of Threat-Centric Security James Weathersby Sr Mgr, Cyber Security Engineers and Architects.
Threat-Centric Security
James Weathersby
Sr Mgr, Cyber Security Engineers and Architects
Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public
The Security Problem
Changing Business Models
Dynamic Threat Landscape
Complexity and Fragmentation
The Industrialization of Hacking
Timeline: 1990, 1995, 2000, 2005, 2010, 2015, 2020
Viruses: 1990–2000 (Phishing, Low Sophistication)
Worms: 2000–2005
Spyware and Rootkits: 2005–Today (Hacking Becomes an Industry)
APTs, Cyberware: Today+ (Sophisticated Attacks, Complex Landscape)
“Would you do security differently if you knew you were going to be compromised?”
The New Security Model
Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Network, Endpoint, Mobile, Virtual, Cloud
Point in Time vs. Continuous
Visibility and Context
Firewall
App Control
VPN
Patch Mgmt
Vuln Mgmt
IAM/NAC
IPS
Antivirus
Email/Web
IDS
FPC
Forensics
AMD
Log Mgmt
SIEM
The New Security Model (technologies mapped onto the Attack Continuum)
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Lessons of the Attack Continuum
Security Technologies have a Scope of Application
Due to Scope, there can be no Silver Bullet technologies
An advanced, modern approach to security will share information and capabilities across all phases of the Attack Continuum
Strategic Imperatives
Visibility-Driven: Network-Integrated, Broad Sensor Base, Context and Automation
Threat-Focused: Continuous Advanced Threat Protection, Cloud-Based Security Intelligence
Platform-Based: Agile and Open Platforms, Built for Scale, Consistent Control, Management
Network, Endpoint, Mobile, Virtual, Cloud
Need Both Breadth and Depth
BREADTH: Network, Endpoint, Mobile, Virtual, Cloud
DEPTH: Who, What, Where, When, How
You Can’t Protect What You Can’t See
Network Servers
Operating Systems
Routers and Switches
Mobile Devices
Printers
VoIP Phones
Virtual Machines
Client Applications
Files
Users
Web Applications
Application Protocols
Services
Malware
Command and Control Servers
Vulnerabilities
NetFlow
Network Behavior
Processes
Threat-Focused
Detect, Understand, and Stop Threats
Collective Security Intelligence
Threat Identified
Event History: Recorded
Context (How, What, Who, Where, When): ISE + Network, Appliances (NGFW/NGIPS)
Enforcement: AMP, CWS, Appliances
Continuous Advanced Threat Protection
Context (How, What, Who, Where, When): ISE + Network, Appliances (NGFW/NGIPS)
Collective Security Intelligence
Enforcement: AMP, CWS, Appliances
Event History
Continuous Analysis: AMP, Threat Defense
Today’s Security Appliances
Context-Aware Functions
IPS Functions
Malware Functions
VPN Functions
Traditional Firewall Functions
Reduce Complexity and Increase Capability
Collective Security Intelligence
Centralized Management
Network Control Platform (Appliances, Virtual)
Device Control Platform (Host, Mobile, Virtual)
Cloud Services Control Platform (Hosted)
Platform-Based Security Architecture
Management: Common Security Policy and Management; Orchestration; Security Management APIs
Security Services and Applications: Cisco Security Applications; Third Party Security Applications; Cisco ONE APIs
Security Services Platform: Access Control; Context Awareness; Content Inspection; Application Visibility; Threat Prevention; Physical Appliance, Virtual, Cloud; Platform APIs; Cloud Intelligence APIs
Infrastructure Element Layer: Device API – OnePK, OpenFlow, CLI; Cisco Networking Operating Systems (Enterprise, Data Center, Service Provider); Route – Switch – Compute; ASIC Data Plane; Software Data Plane
Enforcement delivered from the Cloud
Distributed Enforcement
Cloud Connected Network
Collective Security Intelligence: Telemetry Data, Threat Research, Advanced Analytics
Mobile, Router, Firewall
3M+ Cloud web security users
6GB Web traffic examined, protected every hour
75M Unique hits every hour
10M Blocks enforced every hour
CLOUD-BASED THREAT INTEL & DEFENSE: ATTACKS, APPLICATION REPUTATION, SITE REPUTATION, MALWARE
COMMON POLICY, MANAGEMENT & CONTEXT: COMMON MANAGEMENT, SHARED POLICY, ROLES BASED CONTROLS
NETWORK ENFORCED POLICY: ACCESS, FW, IPS, VPN, WEB, EMAIL
APPLIANCES, ROUTERS, SWITCHES, WIRELESS, VIRTUAL
CONTROL / VISIBILITY
Open Source to the Community: OpenAppID
What is Snort?
Snort® is an open source network intrusion prevention and detection system (IDS/IPS).
– Snort engine
– Snort rules language
Created in 1998 by Martin Roesch, developed by Sourcefire.
– Sourcefire was acquired by Cisco Systems on October 7th, 2013
Snort combines the benefits of signature, protocol, and anomaly-based inspection.
Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.
See more at http://www.snort.org.
Never designed to be application aware
The Application Problem
Closed: With a closed approach, it’s hard for a network security team to extend detection to bespoke apps that only exist within that customer’s network or geography.
Volume: There are more ‘apps’ today than ever before; it’s an impossible task for any one vendor to develop all detections and keep pace with app innovation.
Isolation: Without an open approach collaboration is impossible. Therefore the sharing and validation of detection content is stymied.
Little User Benefit From A Closed Approach
Open Source Security Philosophy
Community: Build with the community to solve complex security problems.
Collaboration: Engage with users and developers to strengthen their solutions.
Trust: Demonstrate technical excellence, trustworthiness and thought leadership.
Complex Security Problems Solved Through Open Source
OpenAppID Overview
What is OpenAppID?
An open source application-focused detection language that enables users to create, share and implement custom application detection.
Key Advantages
New simple language to detect apps
Reduces dependency on vendor release cycles
Build custom detections for new or specific (ex. Geo-based) app-based threats
Easily engage and strengthen detector solutions
Application-specific detail with security events
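The slide's point is that an application is recognised by what its traffic looks like, not by the port it uses, and that a site can add a detector for a bespoke internal app that no vendor would ever ship. The following is an added illustration in Python; it is not OpenAppID (whose detectors are written in Lua) and not Cisco or Sourcefire code. The detector table, the "acme-inventory" application, its custom header and the flows are all constructed for the example.

```python
"""Port-independent application detection, in the spirit of OpenAppID.

Added example: illustrative Python, not OpenAppID's Lua detector API and
not Cisco or Sourcefire code. An application is recognised by patterns in
the payload rather than by port number, and a site can register its own
detector for a bespoke internal app.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Detector:
    app: str
    pattern: re.Pattern             # byte pattern looked for in the first payload
    ports: frozenset = frozenset()  # empty set means "any port"


# Constructed detector set, most specific first. The first entry stands in
# for a hypothetical in-house application ("acme-inventory") that speaks
# HTTP on 8443 and tags itself with a custom header.
DETECTORS = (
    Detector("acme-inventory",
             re.compile(rb"\r\nX-Acme-Client: inventory/\d+\.\d+\r\n"),
             frozenset({8443})),
    Detector("http", re.compile(rb"\A(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")),
    Detector("ssh", re.compile(rb"\ASSH-2\.0-")),
)


def classify(payload: bytes, dst_port: int) -> str:
    """Return the first detector whose port constraint and pattern both match."""
    for d in DETECTORS:
        if d.ports and dst_port not in d.ports:
            continue
        if d.pattern.search(payload):
            return d.app
    return "unknown"


def enrich_event(event: dict, payload: bytes) -> dict:
    """Attach the application name to a security event (constructed event shape)."""
    return {**event, "app": classify(payload, event["dst_port"])}


if __name__ == "__main__":
    # Constructed flows: HTTP on a non-standard port, SSH on 2222, the
    # bespoke app on its own port, and the same bespoke payload on 443.
    bespoke = (b"POST /api HTTP/1.1\r\nHost: inv.internal\r\n"
               b"X-Acme-Client: inventory/2.1\r\n\r\n")
    flows = [
        (b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n", 8080),
        (b"SSH-2.0-OpenSSH_9.6\r\n", 2222),
        (bespoke, 8443),
        (bespoke, 443),
    ]
    for payload, port in flows:
        print(port, classify(payload, port))
```

The last two flows carry identical payloads; only the one on the port the bespoke detector was written for is reported as "acme-inventory", the other falls through to the generic "http" detector. That is the trade-off a detector author makes when adding a port constraint: tighter matching, at the cost of missing the app when it moves.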
Demo
Advanced Malware Protection
Advanced Malware Protection Deployment
Dedicated Advanced Malware Protection (AMP) appliance
Advanced Malware Protection for FirePOWER (NGIPS, NGFW)
FireAMP for hosts, virtual and mobile devices
Complete solution suite to protect the extended network
Advanced Malware Detection
One-to-One: Signature-based, 1st line of defense
Fuzzy Fingerprinting: Algorithms identify polymorphic malware
Machine Learning: Analyzes 400+ attributes for unknown malware
Advanced Analytics: Combines data from lattice with global trends
Detection lattice considers content from each engine for real time file disposition
Cloud-based delivery results in better protection plus lower storage & compute burden on endpoint
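To make the "detection lattice" concrete, here is an added example (not Cisco or AMP code) that runs three deliberately simple engines over a file and combines them into one disposition. The exact-hash lookup is the one-to-one engine; a chunk-hash similarity score stands in for a real fuzzy fingerprint such as ssdeep; and a three-attribute score stands in for a machine-learning model over hundreds of attributes. The "known bad" sample, its polymorphic variant and the thresholds are all constructed.

```python
"""A small detection lattice: several engines, one disposition.

Added example, not Cisco/AMP code. Each engine is a stand-in for the one
the slide names; the lattice orders them and returns the first confident
verdict together with every engine's result.
"""
import hashlib
import math
from collections import Counter

# Constructed "known bad" sample and a polymorphic variant that differs
# only in the trailing command-and-control hostname (c2 -> c3).
KNOWN_BAD = (b"MZ" + b"\x00" * 14 + b"XORSTUB:" + bytes(range(256))
             + b"http://c2.invalid/beacon")
VARIANT = KNOWN_BAD[:-24] + b"http://c3.invalid/beacon"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def chunk_fingerprint(data: bytes, size: int = 16) -> frozenset:
    """Set of short hashes of fixed-size chunks (stand-in for CTPH/ssdeep)."""
    return frozenset(sha256(data[i:i + size])[:8] for i in range(0, len(data), size))


def similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity of two chunk sets: shared chunks over all chunks."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


# Intelligence the lattice consults: exact hashes and fuzzy fingerprints.
BAD_HASHES = {sha256(KNOWN_BAD)}
BAD_FINGERPRINTS = {sha256(KNOWN_BAD): chunk_fingerprint(KNOWN_BAD)}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def attribute_score(data: bytes) -> float:
    """Toy 'ML' score from three attributes; a real model would use hundreds."""
    score = 0.5 * entropy(data) / 8.0                       # packed/encrypted content
    score += 0.3 if data.startswith(b"MZ") else 0.0          # PE executable header
    score += 0.2 if b"http://" in data or b"https://" in data else 0.0  # embedded URL
    return round(score, 3)


def disposition(data: bytes, fuzzy_threshold: float = 0.7,
                score_threshold: float = 0.6) -> dict:
    """Run the lattice: one-to-one first, then fuzzy, then attributes."""
    h = sha256(data)
    fp = chunk_fingerprint(data)
    best_fuzzy = max((similarity(fp, f) for f in BAD_FINGERPRINTS.values()), default=0.0)
    score = attribute_score(data)
    result = {"sha256": h, "fuzzy": round(best_fuzzy, 3), "score": score}
    if h in BAD_HASHES:
        result.update(verdict="malicious", engine="one-to-one")
    elif best_fuzzy >= fuzzy_threshold:
        result.update(verdict="malicious", engine="fuzzy")
    elif score >= score_threshold:
        result.update(verdict="suspicious", engine="attributes")
    else:
        result.update(verdict="unknown", engine=None)
    return result


if __name__ == "__main__":
    for name, sample in [("known bad", KNOWN_BAD), ("variant", VARIANT),
                         ("unknown PE-like blob", b"MZ" + bytes(range(256)) * 2),
                         ("plain text", b"Hello, world. This is a plain text note.\n")]:
        print(name, disposition(sample))
```

The variant never matches the exact hash, which is precisely why the one-to-one engine is only a first line of defence; it is caught because 18 of its 20 distinct chunks are shared with the known sample. The high-entropy blob matches nothing known and is flagged only by its attributes, which is the role the slide assigns to the machine-learning engine.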
Retrospective Security
Continuous Analysis - Retrospective detection of malware beyond the event horizon
Trajectory – Determine scope by tracking malware in motion and activity
File Trajectory – Visibility across organization, centering on a given file
Device Trajectory – Deep visibility into file activity on a single system
Always Watching… Never Forgets… Turns Back Time
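The mechanism behind "turns back time" is simply that every file observation is recorded when it happens, so a verdict that arrives later can be applied to the past. The following added example (not Cisco or AMP code; the observations, hosts, paths and timestamps are constructed) keeps such an event history, raises retrospective alerts when a hash flips to malicious, and answers the two trajectory questions the slide names: where has this file been (file trajectory, oldest first, so the first entry is patient zero) and what has this device seen (device trajectory, with each file's current verdict).

```python
"""Retrospective detection with file and device trajectory.

Added example, not Cisco/AMP code. Observations are stored as they arrive;
when intelligence later marks a hash malicious, the store returns every
earlier observation of that hash so it can be alerted on retrospectively.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ts: int        # constructed timestamp (seconds)
    device: str
    sha256: str
    path: str
    parent: str    # process that created or executed the file


class RetrospectiveStore:
    def __init__(self):
        self.events: list[Observation] = []
        self.dispositions: dict[str, str] = {}   # sha256 -> current verdict

    def record(self, obs: Observation) -> str:
        """Store the observation and return the verdict known right now."""
        self.events.append(obs)
        return self.dispositions.get(obs.sha256, "unknown")

    def update_disposition(self, sha256: str, verdict: str) -> list[Observation]:
        """Apply new intelligence; return past observations that now need an alert."""
        previous = self.dispositions.get(sha256, "unknown")
        self.dispositions[sha256] = verdict
        if verdict == "malicious" and previous != "malicious":
            return self.file_trajectory(sha256)   # alert once per flip, not on repeats
        return []

    def file_trajectory(self, sha256: str) -> list[Observation]:
        """Where one file has been, oldest first: the first entry is patient zero."""
        return sorted((e for e in self.events if e.sha256 == sha256), key=lambda e: e.ts)

    def device_trajectory(self, device: str) -> list[tuple]:
        """What one host has seen, each file with its *current* verdict."""
        seen = sorted((e for e in self.events if e.device == device), key=lambda e: e.ts)
        return [(e.ts, e.path, e.parent, self.dispositions.get(e.sha256, "unknown"))
                for e in seen]


def demo() -> dict:
    """Constructed scenario: a file reaches three hosts before intel catches up."""
    h = hashlib.sha256(b"constructed-sample").hexdigest()
    store = RetrospectiveStore()
    verdicts_at_the_time = [store.record(o) for o in (
        Observation(1000, "ws-01", h, r"C:\Users\a\Downloads\invoice.exe", "outlook.exe"),
        Observation(1300, "ws-02", h, r"C:\Users\b\AppData\Local\Temp\inv.exe", "explorer.exe"),
        Observation(1900, "srv-01", h, r"C:\Windows\Temp\svc.exe", "services.exe"),
    )]
    alerts = store.update_disposition(h, "malicious")   # intel arrives after the fact
    return {
        "verdicts_at_the_time": verdicts_at_the_time,
        "retro_alerts": len(alerts),
        "patient_zero": alerts[0].device if alerts else None,
        "spread": [a.device for a in alerts],
        "ws01_trajectory": store.device_trajectory("ws-01"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Every observation was "unknown" at the time it was made, so a point-in-time product would have had nothing to say; the value of the stored history is that the single disposition change produces three alerts and an ordered spread path without any of the hosts having to be re-scanned.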
Outbreak Control: Multiple ways to stop threats and eliminate root causes
Simple and specific controls, or context-rich signatures for broader control
Cloud & Client Based:
Simple Custom Detections: Fast & Specific
Advanced Custom Signatures: Families of Malware
Application Blocking Lists: Group Policy Control
Custom White Lists: Trusted Apps & Images
Device Flow Correlation / IP Blacklists: Stop Connections to Bad Sites
File Analysis: Fast and Safe File Forensics
VRT powered insight into Advanced Malware behavior
Original file, network capture and screen shots of malware execution
Understand root cause and remediation
Advanced malware analysis without advanced investment
FireAMP & Clients → Sourcefire VRT → Sandbox Analysis
4E7E9331D22190FD41CACFE2FC843F
Indicators of Compromise: Big data spotlight on systems at high risk for an active breach
Automated compromise analysis & determination
Prioritized list of compromised devices
Quick links for quick root cause analysis and remediation
Demo
Only Cisco Delivers
Continuous Capability
Complexity Reduction
Point-in-Time and Continuous Protection Across the Network and Data Center
Fits and Adapts to Changing Business Models wherever the Threat Manifests
Global Intelligence With Context
Detects and Stops Advanced Threats
Advanced Threat Protection
Unmatched Visibility