Cisco Customer Education

Transcription

1 This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL: Cisco Customer Education =2a9e13dcb37a4721b5c9fc bb Thanks for your interest and participation! You've Already Been Hacked. Now What? Cisco Next-Gen Security Can Help

2 Presentation Agenda Welcome from Cisco Introducing Cisco Security Talos and Advanced Malware Protection Next Generation Threat Protection Cloud Web Security and OpenDNS Conclusion About Your Host Brian Avery Territory Business Manager, Cisco Systems, Inc.

3 Who Is Cisco?

4 1984 Computer scientists, Len Bosack and Sandy Lerner found Cisco Systems Bosack and Lerner run network cables between two different buildings on the Stanford University campus A technology has to be invented to deal with disparate local area protocols; the multi-protocol router is born Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4

5 Leading for Nearly 30 Years Internet of Everything WellFleet Proteon 3Com SynOptics IBM ACC DEC Bay Netw orks Ascend 3Com Newbridge Fore Cabletron Xylan Siemens Alcatel Extreme Ericsson Nortel Foundry Riverstone NEC Lucent Juniper Redback Juniper HP Microsoft Checkpoint Arista Aruba Riverbed Avaya ShoreTel Dell F5 Huawei Fortinet Brocade Polycom The Landscape is Constantly Changing Today 2016

6 Who Is Cisco? Dow Jones Industrial Average Fortune 100 Company (AAPL, CSCO, INTC, MSFT) $117B Market Capitalization $49.6B in Revenue $10B in Annual Net Profits $34B More Cash than Debt Chuck Robbins, CEO, Cisco $6.3B in Research and Development Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6

7 Market Leadership Matters No. 1 Routing Edge/Core/ Access 47% No. 1 TelePresence 50% No. 1 Wireless LAN 50% No. 1 Switching Modular/Fixed 65% No. 1 Voice 41% No. 1 Web Conferencing 43% No. 2 x86 Blade Servers 29% No. 1 Storage Area Networks 47% No. 1 Security 31%

8 Security in the 21 st Century C Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8

9 The Good Old Days Are Over Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9

10 Organizations Are Under Attack Industrial Hackers Are Making Big Money with Innovative Tactics 95% of large companies targeted by malicious traffic 100% of organizations interacted with websites hosting malware 1. Cybercrime is lucrative, barrier to entry is low 2. Hackers are smarter and have the resources to compromise your organization 3. Malware is more sophisticated 4. Organizations face tens of thousands of new malware samples per hour Source: 2014 Cisco Annual Security Report Phishing, Low Sophistication Hacking Becomes an Industry Sophisticated Attacks, Complex Landscape Global Cybercrime Market $450B $1T Viruses Worms Spyware and Rootkits 2005 Today APTs Cyberware Today +

11 High Profile Breaches 1,000,000 56,000,000 1,100,000 70,000,000 2,600,000 And Yet Organizations of every size are targets 41% of targeted attacks are against organizations with fewer than 500 employees (July 2014 The National Cyber Security Alliance (NCSA) 60% of UK small businesses were compromised in 2014 (2014 Inf ormation Security Breaches Survey) 100% of corporate networks examined had malicious traffic (Cisco 2014 Annual Security Report) As of 12/31/ Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11

12 It s no longer a question of if you ll be breached, it s a question of when If you knew you were going to be compromised, would you do security differently?

13 Cisco Security Overview

14 Cybersecurity today requires a Defense-in-Depth Approach Defense-in-depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise Firewalls are are the first step, not an overall strategy Firewalls offer only a single layer of defense

15 Too Many Disparate Security Products Mean Gaps in Protection Overall performance Time to detection Cost Fragmented offerings across multiple vendors Less communication betw een components More lag in finding threats Higher total cost to build and run vs Streamlined advanced security solution Better communication and integration Faster time to detection Lower opex and easier to manage

16 Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum Attack Continuum Before Discover Enforce Harden During Detect Block Defend After Scope Contain Remediate ASA VPN NGIPS Advanced Malware Protection OpenDNS Meraki ESA/WSA Network as Enforcer Secure Access + Identity Services CWS ThreatGRID FireSIGHT and pxgrid

17 Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum Attack Continuum Before Discover Enforce Harden During Detect Block Defend After Scope Contain Remediate ASA VPN NGIPS Advanced Malware Protection OpenDNS Meraki ESA/WSA Network as Enforcer Secure Access + Identity Services CWS ThreatGRID FireSIGHT and pxgrid

18 Combined with the Best Threat Intelligence Capabilities World-Class Threat Research 19.7B Threats Per Day 991M Web + Malware Threats 221B Total Threats 1.1M Incoming Malware Samples Per Day B BILLION 1.4M THREATS Web Filtering AV Blocks Blocks Per BLOCKED Month Per Day TODAY 1B Sender Base Reputation Queries Per Day 1.8B Spyware Blocks Per Month 2.6M 9.9B 3.5 BILLION SEARCHES Total Blocks Per Month T ODAY Blocks Per Sec

19 More Effective Against Sophisticated Attacks Much Faster Than Most Organizations Discover Breaches Industry 100 VS. DAYS Cisco Less than 1 Day Source: Cisco Annual Security Report, 2016

20 Advanced Malware Protection

21

22 Malware WILL Get Into Your Environment 95% of large companies targeted by malicious traffic 60% of data stolen in hours 41% of attacks against companies under 500 employes 65% of organizations say attacks evaded existing preventative security tools

23 Once Inside, Organizations Struggle to Deal With It 54% of breaches remain undiscovered for months 55% of organizations unable to determine cause of a breach 33% of organizations take 2+ years to discover breach 45 days Average time to resolve a cyber-attack

24 When Malware Strikes, You Have Questions Where did it come from? Who else is infected? What is it doing? How do I stop it?

25 Cisco AMP Delivers a Better Approach Point-in-Time Protection Retrospective Security File Reputation, Sandboxing, and Behavioral Detection Continuous Analysis Unique to Cisco AMP

26 Comprehensive Security Requires Breach Prevention Rapid Breach Detection, Response, Remediation Threat Intelligence

27 Cisco AMP Defends With Reputation Filtering And Behavioral Detection Reputation Filtering Point-in-Time Detection Behavioral Detection Retrospective Security Cisco Collective Security Intelligence Continuous Protection One-to-One Signature Fuzzy Finger-printing Machine Learning Indications of Compromise Dynamic Analysis Advanced Analytics Device Flow Correlation

28 Reputation Filtering: Example Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence Reputation Filtering 1 Unknown file is encountered, signature is analyzed, sent to cloud Behavioral Detection 2 File is not known to be malicious and is admitted Collective Security Intelligence Cloud 3 Unknown file is encountered, signature is analyzed, sent to cloud One-to-One Signature Fuzzy Finger-printing 4 Machine Indications Learning of Compromise File signature is known to be malicious and is prevented from entering the system Dynamic Analysis Advanced Analytics Device Flow Correlation

29 Reputation Filtering: Example Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence 1 Fingerprint of file is analyzed and determined to be malicious 2 Malicious file is not allowed entry Collective Security Intelligence Cloud 3 Polymorphic form of the same file tries to enter the system One-to-One Signature 4 Fuzzy Finger-printing The fingerprints of the two files are compared and found to be similar to one Machine another Learning Indications of Compromise Dynamic Analysis Advanced Analytics Device Flow Correlation 5 Polymorphic malware is denied entry based on its similarity to known malware

30 Behavioral Detection: Example Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence 1 File of unknown disposition is encountered 2 File replicates itself and this information is communicated to the cloud 3 File communicates with malicious IP addresses or starts downloading files with known malware disposition uzzy er-printing Machine Learning 4 Indications of Compromise 5 Combination of activities indicates a compromise and the behavior is reported to the cloud and AMP client Dynamic Advanced Analysis Analytics These indications are prioritized and reported to security team as possible compromise Device Flow Correlation Collective Security Intelligence Cloud

31 Behavioral Detection: Example Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence 1 Device Flow Correlation monitors communications of a host on the network IP: Two unknown files are seen communicating with a particular IP address Collective Security Intelligence Cloud 3 One is sending information to the IP address, the other is receiving commands from the IP address amic lysis Advanced Analytics Device Flow Correlation 4 Collective Security Intelligence Cloud recognizes the external IP as a confirmed, malicious site 5 Unknown files are identified as malware because of the association

32 Cisco AMP Delivers A Better Approach Point-in-Time Protection Retrospective Security File Reputation, Sandboxing, and Behavioral Detection Continuous Analysis Unique to Cisco AMP

33 Cisco AMP Defends With Retrospective Security Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence To be effective, you have to be everywhere Continuously

34 Why Continuous Protection Is Necessary Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence Breadth and Control points: WWW Endpoints Web Network Gateways Devices Telemetry Stream File Fingerprint and Metadata Continuous feed File and Network I/O Process Information Continuous analysis Talos + Threat Grid Intelligence

35 Cisco AMP Defends With Retrospective Security Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence Continuous Analysis Attack Chain Weaving Behavioral Indications of Compromise Trajectory Elastic Search

36 Continuous Analysis: Example Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence Continuous Analysis Persistently Performs analysis analyzes the file 1 Attack the Chain first time a file is Behavioral 2 over time to Trajectory see if Weaving seen Indications the disposition is of Compromise changed 3 Giving unmatched visibility into the path, actions, or communications Breach that are associated Hunting with a particular piece of software

37 Attack Chain Weaving: Example Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence Uses retrospective capabilities in three ways: 1 File Trajectory 2 Process Monitoring 3 Communications Monitoring Continuous Analysis Attack Chain Weaving Attack Chain Weaving analyzes the data collected Behavioral by File Trajectory, Process, Indications and Communication of Compromise Monitoring to provide a new level of threat intelligence File Trajectory Communications Process Monitoring Monitoring Trajectory records the trajectory Breach of the software from device to monitors which the I/O applications activity of all are devices performing on the actions system device Hunting

38 Behavioral Indications of Compromise: Example Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence Behavioral Indications of Compromise uses continuous analysis and retrospection to monitor systems for suspicious and unexplained activity not just signatures! uous sis Attack Chain Weaving Behavioral Indications of Compromise 1 An unknown Trajectory file is admitted into the network 2 The unknown Breach file copies Hunting itself to multiple machines 3 Duplicates content from the hard drive 4 Sends duplicate content to an unknown IP address Using the power of Attack Chain Weaving, Cisco AMP is able to recognize patterns and activities of a given file, and identify an action to look for across your environment rather than a file fingerprint or signature

39 Cisco AMP Defends With Reputation Filtering And Behavioral Detection Reputation Filtering Point-in-Time Detection Behavioral Detection Retrospective Security Cisco Collective Security Intelligence Continuous Protection One-to-One Signature Fuzzy Finger-printing Machine Learning Indications of Compromise Dynamic Analysis Advanced Analytics Device Flow Correlation

40 Advanced Malware Protection AMP Everywhere: See Once, Protect Everywhere Visibility AMP Intelligence Sharing WWW Endpoint Networks Web

41 Cisco AMP Provides Contextual Awareness and Visibility That Allows You to Take Control of an Attack Before It Causes Damage Who Focus on these users first What These applications are affected Where The breach affected these areas When How This is the scope of exposure over time Here is the origin and progression of the threat

42 The Leader in Security Effectiveness Cisco AMP offers superior security effectiveness, excellent performance, and provides security across more attack vectors than any other vendor 99.2% Security Effectiveness rating in BDS testing, the highest of all vendors tested. Only vendor to block 100% of evasion techniques during testing. Excellent performance with minimal impact on network, endpoint, or application latency.

43 and with Cisco AMP Everywhere Strategy Means Protection Across the Extended Network Virtual PC Mobile AMP for Networks MAC AMP for Endpoints AMP on Cisco ASA Firewall with FirePOWER Services AMP Advanced Malware Protection AMP Private Cloud Virtual Appliance AMP Threat Grid Dynamic Malware Analysis + Threat Intelligence Engine Meraki CWS AMP on Web & Security Appliances AMP for Meraki Cloud Networking AMP for Cloud Web Security & Hosted

44 Next-Generation Firewall

45 Typical NGFWs are focused too narrowly on apps and are too hard to manage NGFW Threat IPS URL DDoS Sandbox Threat Threat Focused on apps, not threats Another silo to manage

46 Introducing Industry s First Threat-Focused NGFW Proven Cisco ASA firewalling Industry leading NGIPS and AMP Cisco ASA with FirePOWER Services Cisco ASA with FirePOWER Services Next-Generation Firewall (NGFW) Integrating defense layers helps organizations get the best visibility Enable dynamic controls to automatically adapt Protect against advanced threats across the entire attack continuum Cisco and/or its affiliates. All rights reserved. Cisco Confidential 46

47 Superior Integrated & Multilayered Protection Cisco Collective Security Intelligence Enabled World s most widely deployed, enterpriseclass ASA stateful firewall Clustering & High Availability Network Firewall Routing Switching Intrusion Prevention (Subscription) Application Visibility & Control FireSIGHT Analytics & Automation Cisco ASA Advanced Malware Protection (Subscription) Built-in Network Profiling WWW URL Filtering (Subscription) Identity-Policy Control & VPN Granular Cisco Application Visibility and Control (AVC) Industry-leading FirePOWER next-generation IPS (NGIPS) Reputation- and category-based URL filtering Advanced malware protection Cisco and/or its affiliates. All rights reserved. Cisco Confidential 47

48 Cisco Meraki Cloud Security

49 Meraki MR Wireless LAN Meraki MS Ethernet Switches Meraki MX Security Appliances Meraki SME Enterprise Mobility Management

50 Wired, wireless & EMM Client fingerprints Instant search Location analytics Security & bandwidth policy Application visibility Integrated MDM Real-time control

51 Cisco Architecture Cisco Traditional Meraki Systems Manager EMM ISR / ASA Catalyst Aironet Cisco ISE Policy & Control Cisco Prime Management & Analytics Cisco Meraki Systems Manager EMM MX MS MR On-Prem Managed Cloud Managed

52 Security NG Firewall, Client VPN, Site to Site VPN, IDS/IPS Networking NAT/DHCP, 3G/4G Cellular, Static Routing, Link Balancing Application Control Traffic Shaping, Content Filtering, Web Caching 52

53 Intuitive centralized management No training, no command line Templates to configure at-scale Packet capture, built-in tools and diagnostics Designed for distributed enterprises Single pane of glass visibility Zero-touch provisioning Seamless updates from the cloud Site-to-site IPSec VPN in 3 clicks Industry-leading visibility Fingerprints users, applications, and devices Network-wide monitoring and alerts Full stack: APs, switches, Security, MDM

54 Best IPS SOURCEfire IDS / IPS, updated every day Anti-Malware Advanced Malware Protection powered by Cisco Sourcefire and Talos Content Filtering 4+ billions URLS, updated in realtime Geo-based security Block attackers from rogue countries AV / anti-phishing Kaspersky AV, updated every hour PCI compliance PCI L1 certified cloud-based management

55 Enterprise License Advanced Security License Stateful firewall Site to site VPN Branch routing Internet load-balancing (over dual WAN) Application control Web caching All enterprise features, plus Content filtering (with Google SafeSearch) Kaspersky Anti-Virus and Anti-Phishing SourceFire IPS / IDS Geo-based firewall rules ` Advanced Malware Protection (AMP) Intelligent WAN (IWAN) Client VPN

56 Cisco Web Security

57 Today s cyber-threat reality Your environment will get breached You ll most likely be infected via Hackers will likely command and control your environment via web

58 Exposure web blocks 19.7 Billion Total Threats Blocked Daily 82,000 Virus Blocks 181 Million Spyware Blocks 818 Million Web Blocks 7.2 Trillion Daily Web Breakdown Yearly

59 Exposure- blocks

60 Large Attack Surface

61 Attack surface web browsers More than 85% of the companies studied were affected each month by malicious browser extensions

62 Attack surface user error on web Users becoming complicit enablers of attacks Untrustworthy sources Clickfraud and Adware 10% 64% vs Outdated browsers IE requests running latest version Chrome requests running latest version

63 Attack surface web applications Attackers: Shifts in the attack vectors Java PDF Flash Log Volume PDF and Flash steady Java drop 34% Silverlight rise 228% Silverlight 2015 Cisco Annual Security Report

64 Attack surface web protocol The growing trend of web encryption creates a false sense of security and blind spots for defenders Organizational Security Individual Privacy Government Compliance Encrypted traffic is increasing. It represents over 50% of bytes transferred.

65 Compromising without clicking Attackers: Malvertising is on the rise: low-limit exfiltration makes infection hard to detect In October 2014, there is a spike of 250%

66 Attack surface - Attackers: A growing appetite to leverage targeted phishing campaigns SPAM up 250% Example: Snowshoe SPAM attack

67 Exploit Kits, e.g. Cryptowall version 4 CRYPTOWALL 4.0 Notorious ransomware Version 1 first seen in 2014 Distributed via Exploitkits and Phishing s Fast Evolution

68 Threats from a user s perspective

69 Sample attacking: Joe CFO Waiting for his plane Meet Joe. He is heading home for a well deserved vacation. He s catching up on using the airport Wi- Fi while he waits for his flight.

70 Sample attacking: Joe CFO Checks his Joe just got an from his vacation resort. Your Tropical Getaway Joe, Thank you for choosing us. We look forward to seeing you. Before your arrival, please verify your information here: Best, Resort Team

71 Sample attacking: Joe CFO Instinctively, he clicks on the link No problem, right? Everything looks normal. The site may even be a trusted site, or maybe a site that is newly minted. Your Tropical Getaway Joe, Thank you for choosing us. We look forward to seeing you. Before your arrival, please verify your information here: Best, Resort Team

72 Sample attacking: Joe CFO Joe is now infected Joe opens the link and the resort video plays. Although he doesn t know it, Joe s machine has been compromised by a Silverlight based video exploit. The malware now starts to harvest Joe s confidential information: Passwords Credentials Company access authorizations

73 It Starts with Usage Controls and an Active Defense Comprehensive Defense Web Usage Control Web Filtering Web Reputation Dynamic Content Analysis Web Usage Reporting Block over 50 million known malicious sites Application Visibility and Control Restrict access to sites based on assigned reputation score Outbreak Intelligence Web Usage Control Categorize webpage content and block sites automatically Centralized Cloud Management Gain greater visibility into how web resources are used Roaming Laptop-User Protection Regulate access to individual website components and apps Identify unknown malware and zero-hour outbreaks in real time Enforce policies from a single, centralized location Extend security beyond the network to include mobile users

74 Talos Cisco Cloud Web Security (CWS) Before During After www Web Filtering Web Reputation Application Visibility and Control Webpage b s i te.c om Anti- Malware File Reputation Outbreak Intelligence File Sandboxing File Retrospection Cognitive Threat Analytics X X X X X X Traf f ic Redirections ASA WSA Standalone ISR G2 Any Connect Admin www www www HQ Management Reporting Log Extraction Campus Office Branch Office Roaming User Allow Warn Block Partial Block

75 Cisco Security and OpenDNS

76 What is DNS? Domain Name System A system for relating names and numbers Domain = IP Address Amazon.com = Like a library of phone books

77 Why DNS? Everything uses DNS DNS is Everywhere OpenDNS adds a Layer of Security Blocks Access to Unsafe Places Simple to Set Up Easy Win

78 DNS: Doth Protest Too Much A blind spot for attackers to gain command and control, exfiltrate data, and redirect traffic 91.3% of malware uses DNS 68% of organizations don t monitor it

79 Our Perspective Diverse Set of Data 80B Requests Per Day 65M Daily Active Users 160+ Countries 10K Enterprise Customers

80 Our View of the Internet providing visibility into global Internet activity (e.g. BGP, AS, Whois, DNS)

81 We see where attacks are staged

82 Where Do You Enforce Security? INTERNET MALWARE BOTNETS/C2 PHISHING HQ NGFW NETFLOW PROXY SANDBOX AV AV AV Branch AV HERE? AV Mobile & HERE? & HERE? & HERE? Branch AV Mobile & HERE? OR HERE? CHALLENGES BENEFITS Too Alerts Many Reduced Alerts 2x; via Appliances Improves Your & AV SIEM Wait Traffic Until & Payloads Reaches Never Reach Target Target Every Internet Payload Access Scan Is Slows Faster; Things Not Slower Down Too Provision Much Globally Time to in Deploy UNDER Everywhere 30 MINUTES ROUTER/UTM ROUTER/UTM AV AV AV AV 82 CONFIDENTIAL

83 How Our Security Classification Works Ingest millions of data points per second Apply statistical models and human intelligence Identify probable malicious sites a.ru b.cn e.net p.com/jpg

84 Where Does Umbrella Fit? INTERNET INTERNET WSA/CWS blocks by URL or content via proxy ASA blocks inline by IP, URL or packet WEB TRAFFIC ALL OTHER TRAFFIC TRAFFIC ESA/CES blocks by sender or content WEB TRAFFIC CWS blocks by URL or content via proxy ALL OTHER TRAFFIC TRAFFIC ESA/CES blocks by sender or content Umbrella blocks by domain as w ell as IP or URL Umbrella blocks by domain as w ell as IP or URL ON NETWORK OFF NETWORK

85 A New Layer of Breach Protection Threat Prevention Not just threat detection UMBRELLA Enforcement Protects On & Off Network Not limited to devices forwarding traffic through on-prem appliances Always Up to Date No need for device to VPN back to an on-prem server for updates Block by Domains for All Ports Not just IP addresses or domains only over ports 80/443 Partner & Custom Integrations Does not require professional services to setup

86 Conclusion

87 Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum Attack Continuum Before Discover Enforce Harden During Detect Block Defend After Scope Contain Remediate ASA VPN NGIPS Advanced Malware Protection OpenDNS Meraki ESA/WSA Network as Enforcer Secure Access + Identity Services CWS ThreatGRID FireSIGHT and pxgrid

88 Thank You and Next Steps www. Contact Your Cisco Partner CATR/performBasicSearch.do Brian Avery Learn more about Cisco Security:

89 Join us again for a future Cisco Customer Education Event CCE sessions are held weekly on a variety of topics CCE sessions can help you understand the capabilities and business benefits of Cisco technologies Watch replays of past events and register for upcoming events! Visit for details

90