Cisco Advanced Malware Protection

Transcription

1 Cisco Advanced Malware Protection Security Webinar Nikos Mourtzinos, CCIE#9763 Cisco Security Product Sales Specialist October 2016

2 Agenda AMP Malware - Today s Reality Cisco AMP Solution Components & Architecture Demo Cisco's Advanced Malware Protection (AMP) is the only solution available today that combines the power of big data analytics, point-in-time detection, and retrospective security tools powered by continuous analysis to protect organizations from advanced threats. Free Threat Scan and Assessment

3 The Reality: Organizations Are under Attack of large companies 95% Network Threats Are Getting Smarter targeted by malicious traffic Hackers are smarter and have the resources to compromise your organization Malware is more sophisticated Organizations face tens of thousands of new malware samples per hour Custom malware remains dormant for months Phishing, Low Sophistication Hacking Becomes an Industry Sophisticated Attacks, Complex Landscape Viruses Worms Spyware and Rootkits 2005-Today APTs Cyberware Today +

4 Ransomware Most profitable malware in history At that rate, ransomware is on pace to be a $1 billion a year crime this year.

5 The Evolution of Ransomware Variants PC Cyborg The confluence of easy and effective encryption, the popularity of exploit kits and phishing, and a willingness for victims to pay have caused an explosion of ransomware variants. Fake Antivirus CRYZIP Redplus First commercial Android phone Cryptolocker Cryptowall Virlock Lockdroid Reveton TeslaCrypt SamSam Locky 73V3N Keranger Petya Teslacrypt 3.0 Teslacrypt 4.0 Teslacrypt GPCoder QiaoZhaz Bitcoin network launched Reveton Ransomlock Dirty Decrypt Cryptorbit Cryptographic Locker Urausy CryptoDefense Koler Kovter Simplelock Cokri CBT-Locker TorrentLocker Virlock CoinVault Svpeng Tox Cryptvault DMALock Chimera Hidden Tear Lockscreen Teslacrypt 2.0 Cerber Radamant Hydracrypt Rokku Jigsaw Powerware

6 How Ransomware Works COMPROMISED SITES AND MALVERTISING PHISHING SPAM Web redirect Web link EXPLOIT KIT DOMAINS Angler Nuclear Rig C2 Malicious Infrastructure File drop Encryption Key Infrastructure C2 RANSOMWARE PAYLOAD attachment

7 C Ransomware The Kidnapping Metaphor 44% of UK companies hit by ransomware in the past 24 months 33% hit more than once 65% of companies locked out of their critical data do end up paying because they were worried about being fined if data was lost, because the encrypted data was highly confidential Only around 45% of those who paid got their data back the average ransom in the UK was % of companies polled reported ransoms of more than 1,000.

8 Point-in-Time Detection Tools Alone Are Insufficient and Provide No Visibility Into Threats Once They Get in Event Horizon Antivirus Analysis Stops Not 100% Sleep Techniques Unknown Protocols Encryption Polymorphism Blind to scope of compromise Legacy IPS Initial Disposition = Clean Actual Disposition = Bad Too Late!!

9 IPS Tuning Protection varied widely between 31% and 99,5%. Tuning is required, and is most important for remote attacks against servers and their applications. Organizations that do not tune could be missing numerous catchable attacks.

10 Protection Across Networks Network Endpoint WWW Content The Network platform uses indications of compromise, file analysis, and in this example file trajectory to show you exactly how malicious files have moved across the environment

11 NGIPS Tuning Automated Tuning Adjust IPS policies automatically based on network changes Automated Recommended Rules based on Visibility & Customer s Infrastructure Automated IPS Policies based on Changes, Scheduling Simplifies Operations & Reduces Costs Impact Assessment 99.5% Security Effectiveness

12 Advanced Malware Protection Advanced Malware Protection Analyses files to block malware Analyses files to detect and block malware File Reputation Big data analytics Continuous analysis Dynamic Analysis with Sandboxing (outside-looking-in) 100% Detection Rate

13 Advanced Malware Protection Network Traffic 1) File Capture Cisco and/or its affiliates. All rights reserved. 13

14 Advanced Malware Protection TALOS Cisco Collective Security Intelligence Network Traffic 1) File Capture 2) Send File Fingerprint SHA Cisco and/or its affiliates. All rights reserved. 14

15 Advanced Malware Protection 3) File look-up returns "malware File dropped immediately TALOS Cisco Collective Security Intelligence Network Traffic Malware Alert! 1) File Capture 2) Send File Fingerprint SHA Cisco and/or its affiliates. All rights reserved. 15

16 Advanced Malware Protection 5 AMP Dynamic Malware Analysis Network Traffic 4 AMP File Reputation = Unknown Cisco and/or its affiliates. All rights reserved. 16

17 Sandboxing

18 Advanced Malware Protection 5 AMP Cloud Network Traffic AMP Dynamic Malware Analysis Retrospective Incidents 6 AMP Retrospection 4 AMP File Reputation = Unknown Know where it all started Understand how it entered the system See everywhere that it has been Determine what it has done Learn how to stop it Cisco and/or its affiliates. All rights reserved. 18

19 Protection Across Endpoints Network Endpoint WWW Content The Endpoint platform inspect processes and files, integrates with Network and TALOS Identifies Known and unknown threats Quarantine Threats on the Endpoint (Remediation)

20 AMP Protection Across the Extended Network AMP Threat Intelligence Cloud Remote Endpoints AMP for Endpoints AMP for Endpoints Windows OS Android Mobile Virtual MAC OS AMP for Endpoints can be launched from Cisco AnyConnect CentOS, Red Hat Linux for servers and datacenters

21 What do you get with AMP for Endpoints over AMP for Networks? The AMP Endpoint : inspect processes and files,

22 See Where It Entered the System Where did the malware come from? Track threat s origin and progression: How did it get into the system What is the point of origin What was the attack vector Track malware s spread and communications

23 See Everywhere That It Has Been Where has the malware been? Track infected areas in the system: Where is the attack now What other endpoints have seen it Where should I focus my response Where is still safe Track malware s spread and communications

24 Determine What the Malware Is Doing What happened? Where did the malware come from? Where has the malware been? What is it doing? Understand the details of how the malware works: What is it trying to do, in plain English How does the malware behave Get detailed information vital for incident response How do we stop it?

25 Stop It with a Few Clicks What happened? Where did the malware come from? Where has the malware been? What is it doing? How do we stop it? Knowing the details above, surgically remediate: Stop it at the source and all infected areas Simply right click, add to a blocklist, and remediate the malware from the entire system Automatically Quarantine Threats on the Endpoint

26 Cisco Security Architecture NGFW Cloud TALOS Threat GRID ESA TALOS NGIPS Analyses and Correlates Threat Intelligence AMP WSA 26 Indications of Compromise Warning indicator to more rapidly remediate threats ASA Firepower Inspects all traffic (hosts, servers, OS, users, Apps, Vulns) Visibility Automated IPS Policy Automated Impact Assessment Sends unknown to TALOS Remediation AMP Endpoint Inspect processes and files Integrates with Firepower and TALOS Identifies Known and unknown threats Remediation

27 Protection Across Web and Network Endpoint WWW Content Cisco AMP for Web and protects against malware threats in web and traffic by blocking known malware and issuing retrospective alerts when unknown files are convicted

28 is still the #1 threat vector

29 Phishing leaves businesses on the line Phishing $500M Spoofing Ransomware 30% 94% malicious attachments 1 are opened 1 of phish mail has of phishing messages Loss incurred due to phishing attacks in a year by US companies Cisco Annual Security Report Verizon Data Breach Report, Kerbs on Security Messages contain attachments and URL s Socially engendered messages are well crafted and specific Credential hooks give criminals access to your systems

30 Spoofing rates are on the rise Phishing Spoofing 270 % increase 1 $2.3B Ransomware In losses from spoofing FBI Warns of Dramatic Increase in Business scams, 2016 Forged addresses fool recipients Threat actors extensively research targets Money and sensitive information are targeted

31 Ransomware attacks are holding companies hostage Phishing Spoofing Ransomware 9,515 users are paying ransoms per month 2 Ransomware represents the biggest jump in occurrences of crimeware 1 $60M Cost to consumers and companies of a single campaign Verizon Data Breach Report, Kerbs on Security Cisco Annual Security Report Malware encrypts critical files Locking you out of your own system Extortion demands are made

32 Cisco Security (Overview) Talos Cisco Incoming Threat Before During Cloud After Appliance Virtual Inbound Reputation Mail Flow Policies Acceptance Controls Anti-Spam Anti-Virus File Reputation ThreatGrid Graymail Management Safe Unsubscribe Content Controls URL Rep & Cat Outbreak Filters Anti-Phish File Sandboxing & Retrospection Tracking User click Activity (Anti-Phish) X X X X X X X X Outbound Outbound Liability HIPAA Before X Mail Flow Policies X Anti-Spam and Anti-Virus During X Data Loss Protection X Encryption HQ Allow Admin Warn Management Reporting Message Track Block Partial Block

33 With Cisco security, you can Reduce exposure Enhanced Security Visibility to Sender/Recipients/ Malicious URLs Quarantine while Sandboxing is pending

34 Cisco Threat-Centric Model BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate ASA & AnyConnect FirePOWER NGIPS Security/ Web Security Advanced Malware Protection (AMP) Threat Intelligence

35 A Leader in Security Effectiveness Only Cisco with its architectural approach to security can provide an integrated solution that can see a threat once and block it everywhere. Figure 1. NSS Breach Detection Test Results for Cisco - August 2016 A leader for 3 rd year in a row in BDS test detecting 100% of malware, exploits & evasions. Faster time to detection than any other vendor Cisco delivers breach detection across more platforms and attack vectors than any other solution - blocking more threats, faster Cisco and/or its affiliates. All rights reserved. 35

36 Fastest Time to Detection Faster time to detection means less time and space for attackers to operate closing the protection gap and providing more effective security. Figure 2. NSS Time to Detection Test Results We block attacks fastest - blocking 91.8% of attacks in < 3 minutes Products with faster detection rates get to green numbers faster moving from top to bottom. Products may have the same Overall Detection Score at the bottom, but those with the faster time to detection are more effective giving attackers less time and space to operate Cisco and/or its affiliates. All rights reserved. 36

37 Cisco NGIPS and BDS superiority in protection Cisco NGIPS-99.5%, 2016 BDS- 100% Fortinet NGIPS-99.2%, 2016 BDS-99.0% Palo Alto NGIPS-98.8%, 2016 BDS-98.9% CheckPoint NGIPS 96,4%, 2016 BDS- 99,4% Daily Attack Exposure = 0 Daily Attack Exposure = 124 avg. Daily Attack Exposure = 205 avg. Daily Attack Exposure = 335 avg Cisco and/or its affiliates. All rights reserved. 37

38 Based on our (Breach Detection Systems) reports, Advanced Malware Protection from Cisco should be on everyone s short list Vendor Rating for Security: Positive So do any network security vendors understand data center and what s needed to accommodate network security? Cisco certainly does. Market Recognition AMP will be one of the most beneficial aspects of the [Sourcefire ] acquisition. Cisco is disrupting the advanced threat defense industry. The AMP products will provide deeper capability to Cisco's role in providing secure services for the Internet of Everything (IoE).

39 Compare Industry Next-Generation Firewalls (NGFWs)

40

41

42 Put Your Security to the Test Get better visibility into your network. Start by exploring your options now Scan your network... for free! See what s on your network with a 2-week trial at no cost to you. 1. Tell us that you're interested. 2. You ll get an appointment to set up a live threat scan in your network 3. Let the scan run for 7 to 10 days. 4. We will review the results with you.

43