Intelligent Cyber Security for Real World

Transcription

1 Intelligent Cyber Security for Real World Simone Posti Security Account Manager Cisco GSSO June 2016

2 The Security Challenges Without integrated security, our data is at risk 60% of data is stolen in HOURS 85% of data center intrusions aren t discovered for WEEKS 54% of data center breaches remain undiscovered for MONTHS 51% increase in companies reporting a $10M loss or more in the last YEAR

3 The Security Challenges Without integrated security, our data is at risk 60% of data is stolen in HOURS 85% of data center intrusions aren t discovered for WEEKS 54% of data center breaches remain undiscovered for MONTHS 51% increase in companies reporting a $10M loss or more in the last YEAR START HOURS WEEKS MONTHS YEARS Source: Verizon 2015 Data Breach Investigations Report (DBIR)

4 Malware Will Get Into Your Environment.. 95% of large companies targeted by malicious traffic $5.9M Average cost of a breach in the United States 60% of data stolen in hours 65% of organizations say attacks evaded existing preventative security tools

5 ..Once Inside, Organizations Struggle to Deal With It 33% of organizations take 2+ years to discover breach 54% of breaches remain undiscovered for months 55% of organizations unable to determine cause of a breach 45 days Average time to resolve a cyber-attack

6 The Security Challenges Information wants to be free Code wants to be wrong Services want to be on Users want to click Fake antivirus software The efficacy of a security control deteriorate with time: once put in place, security controls tend to remain static, while the environment in which they operate is dymanic. Tendency to set and forget Malcolm Harkins, Intel CISO Source: Verizon 2014 Data Breach Investigations Report (DBIR)

7 The Security Challenges Security Skill Shortage ICT Teams Shrinked of data is stolen in HOURS ICT

8 The Security Challenges Analysts perspective of data is stolen in HOURS

9 The Security Challenges Analysts perspective Peter Sondergaard Senior VP and Global Head of Research 65% of CEOs say their risk management approach is falling behind. In a new reality where security breaches come at a daily rate, we must move away from trying to of data is stolen in achieve HOURS the impossible perfect protection and instead invest in detection and response. Organizations should move their investments from 90 percent prevention and 10 percent detection and response to a 60/40 split.

10 Journey of Building a Complete Security Offering NGIPS / Anti-Malware NAC addition Cloud Security UTM Security Analytics Sandbox Messaging and Web Security Appliance

11 Title slides should be airy Security Everywhere Endpoint Branch Edge Campus Data Center Cloud Operational Technology Services

12 The Security MODEL Attack Continuum BEFORE Discover Enforce Harden of data is stolen in HOURS DURING Detect Block Defend AFTER Scope Contain Remediate Network Endpoint Mobile Virtual Cloud Point in Time Continuous

13 Cisco Security MODEL ATTACK CONTINUUM BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate ASA / NGFW VPN NGIPS Advanced Malware Protection Meraki / Cloud OpenDNS ESA/WSA Lancope Secure Access + Identity Services CWS / OpenDNS ThreatGRID FirePOWER Threat Defense and pxgrid Market Best in Class

14 Cisco credibility: INTELLIGENCE IDENTIFY & REMEDIATE MarketLeadership

15 Cisco credibility: INTELLIGENCE 7399 CVE Entries in 2013, 10% increase YoY incoming sample malware per day, sustained uptrend 19,6 Billion threaats blocked per day (Google does 3,5B searches/day), 4,2 Billion web filtering blocks per day, 1 Billion Sender Base Reputation queries per day 10 Million APT per month within advanced sandbox 35% of all WW traffic 3 RD Biggest DNS Service WW (80 Billion/Day requests) TALOS the biggest threat intelligence network MarketReputation

16 Cisco New Solutions File Trajectory Device Trajectory Continuous Passive Discovery MarketInnovation

17 Cisco New Solutions Propagation Dynamics Behavior Analysis Patient Zero Root Cause Analysis MarketInnovation

18 Cisco Advanced Malware Protection Built on Superior Collective Security Intelligence Cisco Collectiv e Security Intelligen ce 1.6 million global sensors 100 TB of data received per day 150 million+ deployed endpoints 600 engineers, technicians, and researchers 35% worldwide traffic Endpoints WWW Web 13 billion web requests 24-hour daily operations Networks 4.3 billion web blocks per day 40+ languages 1.1 million incoming malware samples per day AMP community Private/public threat feeds IPS Devices Talos security intelligence AMP threat grid intelligence AMP Threat Grid dynamic analysis 10 million files/monthly Advanced Microsoft and industry disclosures Snort and ClamAV open source communities Cisco Collective Security Intelligence Cloud Automatic Updates Every 3 5 Minutes AEGIS program MarketInnovation

19 Cisco credibility: NSS Security Value Map Security Value Map for Intrusion Prevention System (IPS) Next-Generation Firewall (NGFW) Security Value Map Security Value Map for Breach Detection MarketLeadership

20 Cisco credibility: Commitment on Security Gartner November 2015 NG IPS 10 years continuous leadership MarketLeadership

21 Gain more insight with increased visibility You can t protect what you can t see Client applications Operating systems Threats Users Application protocols File transfers Web applications Typical IPS Typical NGFW Cisco Firepower NGFW Command and control servers Malware Routers and switches Network servers Mobile devices VoIP phones Printers

22 Detect infections earlier and act faster Industry TTD rate:* 100 days JAN FEB MAR APR Cisco: 17.5 hours JAN MONDAY 1 Automated attack correlation Indications of compromise Local or cloud sandboxing Malware infection tracking Two-click containment Malware analysis Source: Cisco 2016 Annual Security Report *Median time to detection (TTD)

23 Reduce complexity with simplified, consistent management Unified Network-to-endpoint visibility Manages firewall, applications, threats, and files Track, contain, and recover remediation tools Scalable Central, role-based management Multitenancy Policy inheritance Automated Impact assessment Rule recommendations Remediation APIs Cisco Firepower Management Center

24 AMP Everywhere Architecture for Integrated Threat Defense AMP on Firepower NGIPS Appliance (AMP for Networks) AMP Threat Intelligence Cloud Threat Grid Malware Analysis + Threat Intelligence Engine Systemic Response: Pervasive as Advanced Threats AMP Private Cloud Virtual Appliance remote endpoints AMP for Endpoints AMP on Cisco ASA Firewall with Firepower Services AMP for Endpoints AMP on Web & Security Appliances CWES/CTA AMP on ISR with Firepower Services AMP on Cloud Web Security & Hosted Windows OS Android Mobile Virtual MAC OS CentOS, Red Hat Linux for datacenters AMP for Endpoints can be launched from AnyConnect

25 OpenDNS OpenDNS Umbrella Complements Cisco CWS

26

27 What is OpenDNS? OpenDNS Investigate (intelligence) Insight into the Internet infrastructure attackers use for attacks and uncovers current and future malicious places Umbrella (enforcement) Enforce security at the DNS & IP layers

28 A New Layer of Breach Protection Threat Prevention Not just threat detection Protects On & Off Network Not limited to devices forwarding traffic through on-prem appliances Always Up to Date No need for device to VPN back to an on-prem server for updates Block by Domains, IPs & URLs for All Ports Not just ports 80/443 or only IPs UMBRELLA Enforcement Turn-Key & Custom API-Based Integrations Does not require professional services to setup

29 Why Add Security at the DNS Layer? most command & control (C2) is initiated via DNS lookups with some non-web callbacks 15% of C2 bypasses Web ports 80 & 443 NON-WEB C2 EXAMPLES Stor Regi BifroseStarsypound (APT1) Pushdo/Cutwai m n DarkCome Gameover Gh0s l Lethi Hesperbot t Longrun Zeus Seasalt t njrat c Tinb Citadel(APT1) Kelihos (APT1) Glooxmail Zbot PoisonIvy a Biscuit (APT1) ZeroAccess Bouncer (APT1) (APT1) Tinb a 91% of C2 can be blocked at the DNS layer IP DNS IP Lancope Research (now part of Cisco) 1 NON-WEB WEB Cisco AMP Threat Grid Research 2 millions of unique malware samples from small office LANs over 2 years millions of unique malware samples submitted to sandbox over 6 months NOTE1: Visual Investigations of Botnet Command and Control Behavior (link) malware reached out to 150,000 C2 servers over 100,000 TCP/UDP ports malware often used 866 (TCP) & 1018 (UDP) well known ports, whereas legitimate traffic used 166 (TCP) & 19 (UDP) ports NOTE2: Forthcoming 2016 Cisco Annual Security Report 9% had IP connections only and/or legitimate DNS requests 91% had IP connections, which were preceded by malicious DNS lookups very few had no IP connections

30

31 Reduce complexity with simplified, consistent management

32 FY16 Vision & Strategy for SECURITY Cisco Your 1 st Security Partner MarketCommitment

33 SECURITY is everywhere Simone Posti Security Account Manager Cisco GSSO April 2016