Cisco Email and Web Security News

1 Cisco Email and Web Security News. Threat-centric email and web security. Dragan Novakovic, Security Consulting Systems Engineer

2 Email is still the #1 threat vector

3 Phishing leaves businesses on the line. $500M: loss incurred due to phishing attacks in a year by US companies. 30% of phishing messages are opened. 94% of phish mail has malicious attachments. Sources: Cisco Annual Security Report; Verizon Data Breach Report; Krebs on Security. Messages contain attachments and URLs. Socially engineered messages are well crafted and specific. Credential hooks give criminals access to your systems.

4 Spoofing rates are on the rise. 270% increase. $2.3B in losses from spoofing. Source: FBI Warns of Dramatic Increase in Business E-Mail Scams, 2016. Forged addresses fool recipients. Threat actors extensively research targets. Money and sensitive information are targeted.

5 Ransomware attacks are holding companies hostage. 9,515 users are paying ransoms per month. Ransomware represents the biggest jump in occurrences of crimeware. $60M: cost to consumers and companies of a single campaign. Sources: Verizon Data Breach Report; Krebs on Security; Cisco Annual Security Report. Malware encrypts critical files, locking you out of your own system. Extortion demands are being paid.

6 Cisco secures your email, cloud or on-premises. Reduce threats. Support growth. Achieve agility.

7 Reduce threats

8 Cisco Security is backed by unrivaled global threat intelligence. 100 TB of data received daily; 1.5 million daily malware samples; 600 billion daily messages with SenderBase; 250+ full-time threat intel researchers; millions of telemetry agents; 4 global data centers; 16 billion daily web requests; Operations; over 100 threat intelligence partners. Deploy the world's largest traffic monitoring network. Leverage industry-leading threat analytics.

9 It's built with industry-leading spam protection. Anti-spam processing: Context Adaptive Scanning Engine (CASE). Who sent the message? What is the content? How was the message constructed? Where does the call to action take you? [Diagram labels: Cisco Anti-Spam; Cisco Security; Block; Forward; O365; Mail Server; Quarantine.] Review sender reputation, URL reputation, and message content. Block spam with 99% accuracy with fewer than 1:1M false positives. Quarantine suspicious messages for additional review.

10 And reduces your exposure to the three main components of an attack: attachments, URLs, content

11 Cisco protects against threats hidden within attachments: Anti-spam; Anti-virus; Virus Outbreak Filters; Advanced Malware Protection (AMP)

12 Block known and zero-day viruses. Anti-virus processing and Outbreak Filters. Multiple detection methods: pattern matching, emulation technology, advanced heuristic techniques. Zero-Hour Virus and Malware Detection (.DOC, .EXE, .LNK, .pdf). Updates every 12 hours. Real time security updates that prevent new malware. Also receive AV signature updates regularly. Actions: Block; Forward; Quarantine (determine what actions to take on viral messages; determine whether anomalies are zero-day threats). Scan attachments for known viruses. Forward clean emails to additional security checks. Defend against zero-day malware.

13 Detect and contain advanced threats quickly. Advanced Malware Protection (AMP) architecture. [Diagram labels: AMP Threat Intelligence Cloud; Remote Endpoints; Private Network Edge; Meraki MX; ISR w/ FirePOWER Services; Cisco ASA w/ FirePOWER Services; FirePOWER NGIPS Appliance; Threat Grid Malware Analysis; Endpoints; Private Cloud Virtual Appliance; Cloud Security and Security Appliance; CWS and Web Security Appliance; Data Center; Virtual; Windows OS; Android Mobile; MAC OS; CentOS, Red Hat and Linux; AnyConnect.] Leverage threat intelligence and dynamic malware analysis. Deploy easily with multiple platform options.

14 Keep tabs on all emails admitted into the environment after analysis. Advanced Malware Protection (AMP): File Reputation, File Sandboxing, File Retrospection. [Diagram labels: Known Signatures; Fuzzy Fingerprinting; Indications of compromise; Advanced Analytics; Dynamic analysis; 560+ indicators; file types .sys, .doc, .exe, .lnk, .pdf, .scr; verdicts Unknown, Clean, Malicious.] Block known malware. Investigate files safely. Auto-remediate threats in O365. Gain visibility into messages trying to enter the network.

15 Investigate unrecognized attachments safely. AMP Threat Grid for Sandboxing. [Diagram labels: Threat Grid; Cisco Security; HTML, SWF, JPG, PDF; Threat Score; sent to O365 for administered action; Office 365; delivered; Admin.] Upload unknown files to Threat Grid. Examine files with context-driven analysis. Receive threat report and score to guide decision making. Automatically remediate malware for O365 users.

16 Cisco protects against disguised hyperlinks: Anti-spam; Content Filters; Outbreak Filters

17 Control which emails cross the network. Content Filters: URL reputation and categorization. Three actions: Rewrite URL (Cisco Cloud Web Proxy); Defang / Block (BLOCKEDwww.proxy.org BLOCKED); Replace with Text ("This URL is blocked by policy"). Customize filters in three different ways for additional security. Easily enforce business and compliance policies.

18 Detect targeted or blended attacks automatically. Outbreak Filters. [Diagram labels: rewritten message with From: Bank.com, To: Bob Smith, Subject: Suspicious mail, banner "Warning! This email contains suspicious content", body "Hello John, Access your account here."; Prepend subject line; Add threat warning; Rewrite URLs; Cisco Cloud Web Proxy; Site validated; Site blocked; Forward; Block; Dynamic quarantine.] Block all known threats with Talos. Quarantine emails with suspicious URLs. Modify emails to protect end-user. Redirect traffic to protect from malicious links.

19 Cisco defends against human error: Anti-spam; DMARC, DKIM and SPF; Forged Email Detection

20 Block fraudulent senders: DMARC, DKIM and SPF. SPF: checks if mail from a domain is being sent from an authorized host. DKIM: matches public key to sender domain's private key records. DMARC: ties SPF and DKIM results to 'From' header. [Diagram labels: Cisco Security; DNS; TrustedPartner.com, Signed, Verified, Send; TrustedPartner.com, Fraudulent, Delete; Quarantine.] Determine whether a sender is reputable. Inspect sender details on inbound messages. Block invalid senders and identify next steps.

21 Protect against spoofing attacks: Forged Email Detection. Pre-processing inspects the SMTP envelope address:

    $ telnet mail-smtp-in.l.mail.com 25
    Trying
    Connected to mail-smtp-in.l.mail.com.
    Escape character is '^]'.
    220 mx.mail.com ESMTP i11si wmh.67 - gsmtp
    HELO mail.outside.com
    250 mx.mail.com at your service
    MAIL FROM:<adam@outside.com>
    OK i11si wmh.67 - gsmtp
    RCPT TO:<alan@mail.com>
    OK i11si wmh.67 gsmtp
    Data

Labels on the SMTP envelope: HELO mail.outside.com is the sending domain, MAIL FROM:<adam@outside.com> is the actual sender, RCPT TO:<alan@mail.com> gives the recipient domain. Message as sent: From: Chuck <chuck.robbins@mail.com>, Subject: [URGENT] Need help transferring funds. Compare against company directory: Allison Johnson, Barry Smith, Chuck Robbins, Dave Tucker. Post-processing, message as delivered: From: adam@outside.com, Subject: {Possibly Forged} [URGENT] Need help transferring funds. Inspect SMTP envelope for sender address. Match sender address against company directory. Send appended mail to warn users of potential forgery. Record a log of attempts and actions taken.
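The check described on slide 21, as an added example (not code from the deck and not Cisco's implementation): it compares the From header against the company directory, and when a directory name arrives from an external envelope sender it rewrites From to the envelope address, prepends the warning tag, and logs the action. The function names, the `COMPANY_DOMAIN` constant, the fuzzy-match threshold and the message body are assumptions made for the example.

```python
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "mail.com"   # recipient organisation's domain (from the slide)
DIRECTORY = ["Allison Johnson", "Barry Smith", "Chuck Robbins", "Dave Tucker"]
TAG = "{Possibly Forged}"
THRESHOLD = 0.9               # assumed similarity cut-off, tune per deployment

# Constructed sample: headers follow the slide, the body is invented.
SAMPLE_MESSAGE = (
    "From: Chuck <chuck.robbins@mail.com>\n"
    "To: alan@mail.com\n"
    "Subject: [URGENT] Need help transferring funds\n"
    "\n"
    "Please wire the funds today.\n"
)


def normalize(text):
    """Lower-case and reduce every non-letter run to a single space."""
    return re.sub(r"[^a-z]+", " ", text.lower()).strip()


def directory_score(header_from):
    """Best similarity between the From header and any directory name.

    Both the display name and the address local part are tried, because the
    slide's message shows only "Chuck" as display name while the local part
    "chuck.robbins" carries the full name.
    """
    display, addr = parseaddr(header_from)
    local_part = addr.split("@", 1)[0]
    candidates = {normalize(display), normalize(local_part)} - {""}
    best_score, best_name = 0.0, None
    for cand in candidates:
        for name in DIRECTORY:
            score = SequenceMatcher(None, cand, normalize(name)).ratio()
            if score > best_score:
                best_score, best_name = score, name
    return best_score, best_name


def check_forged(envelope_from, raw_message, log):
    """Return (forged, message); the message is rewritten when forged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    header_from = str(msg["From"] or "")
    subject = str(msg["Subject"] or "")
    envelope_domain = envelope_from.rsplit("@", 1)[-1].lower()
    score, name = directory_score(header_from)

    # Mail whose envelope sender is inside the company is left to SPF, DKIM
    # and DMARC; this check only covers directory names used from outside.
    forged = envelope_domain != COMPANY_DOMAIN and score >= THRESHOLD
    if forged:
        del msg["From"]
        msg["From"] = envelope_from            # expose the actual sender
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}"    # warn the recipient
        log.append({
            "envelope_from": envelope_from,
            "header_from": header_from,
            "matched_name": name,
            "score": round(score, 2),
            "action": "tagged",
        })
    return forged, msg


if __name__ == "__main__":
    actions = []
    forged, rewritten = check_forged("adam@outside.com", SAMPLE_MESSAGE, actions)
    print(forged, rewritten["From"], rewritten["Subject"], actions, sep="\n")
```
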

22 Cisco catches critical data before it leaves the network: Data loss prevention; Cisco Registered Envelope Service and ZixGateway with Cisco Technology

23 Protect personal information and IP. Data Loss Prevention (DLP). Manage policies such as: specific users, groups, locations, federal compliance, state regulations; with multi-language support. Scanned against 100+ predefined DLP policies. Critical violation: info redirected and not sent. Minor violation: content sent with encryption. No violation: content sent with optional encryption. Control what leaves the network and customize policies. Scan content for sensitive information. Prevent data exfiltration automatically.

24 Extend security to external communications. Cisco Registered Envelope Service (CRES). [Diagram labels: CRES; Sender controls; Cisco Security; Push; Open attachment & confirm identity.] Scan messages for keywords, policies, and sender. Apply authentication mechanisms to access encryption keys. Maintain control over your sent messages.

25 Send highly secure emails on-premises. ZixGateway with Cisco Technology (ZCT). [Diagram labels: Zix Directory; ZCT; Secure Hosted Portal; Transparent secure delivery; Other Zix Users; Senders; employees; Mail Server; Cisco Security; TLS Users; External DB (PXE keys); PXE web server & key server; PXE Push.] Use transparent secure delivery for e-discovery and archiving. Make delivery transparent for senders and receivers. Select the best method of secure delivery automatically.

26 Achieve agility

27 Investigate users without running new reports. Message tracking. Search by: 1. Recipient 2. Envelope sender 3. Subject line 4. File names 5. URLs. Track messages in near-real-time. Search for a single email based on specific parameters. Search for common threats across emails.

28 Understand the health of your system. Unified business reporting. See details around: Threats; Malicious Attachments; Volume; Spam Counters; Policy Violations; Virus Reports; Outgoing Data; Reputation Service; System Health View. Access data from the cloud to create consolidated reports. Reduce investigations and response times. Identify trends with scheduled and ad-hoc reporting.

29 Separate what matters from what doesn't. Graymail detection and safe unsubscribe. [Diagram labels: Graymail Detection; categories Bulk, Social Network, Marketing; Mark Up Messages (modify subject, add x-header, add Safe Unsubscribe Link); Safe unsubscribe ("unsubscribe here"); Unsubscribe engine; Quarantine / Block; graymail warning added to banner of email.] Identify messages that aren't spam. Categorize incoming bulk, marketing, and social networking emails. Provide users a method to safely unsubscribe.

30 Simplify backup and recovery of archived messages. Cisco Security supports archiving through Commvault partnership. [Diagram labels: Cisco Security; Local storage with IntelliSnap technology; End user.] Automate data management to optimize storage. Store critical messages and attachments. Retrieve emails easily with O365 integration.

31 Support growth

32 Transition to the cloud with confidence. Cisco Security. Integrate easily with O365. Deliver % availability. Prevent shared fate with compute instances. Increase dedicated instances up to 50% at no cost. Migrate to new deployment options easily.

33 Easily integrate with your current client. Cloud Security with Office 365. [Comparison diagram, O365 versus Cisco Security w/ O365, inbound and outbound via O365 Exchange Online, customer domain and external domain. Labels: Anti-spam filters; Anti-virus protection (*anti-virus provided by O365); Policy enforcement; Disaster recovery; Directory services; Advanced threat protection; Graymail detection; Message tracking; Outbreak Filters; encryption; AMP; Detailed reporting; Zero-day incident mgmt; Data loss prevention.] Point Mail Exchange (MX) records to the Cisco Cloud Security. Configure Smart Host settings in O365 to deliver outbound mail.

34 Deploy the configuration that works best for you: Cloud, Hybrid, On Premises

35 Cisco delivers superior protection and visibility to specialized threats. Reduce threats with advanced protection. Support growth with availability and assurance. Achieve agility through operational efficiency.

36 Cisco Web Security Industry-Leading Protection across the Attack Continuum

37 The Way We Use the Web Is Changing Making It More Difficult to Protect Your Network Mobile Coffee Shop Corporate Home Airport

38 Why do we need Content Filtering? Network Security. Web 2.0 brings more content to the user. More attack vectors. Advertisements, from third parties, are a popular vehicle for malware. Gone are the days of simple one domain pages: different requests, different domains, MB for front page; different requests, different domains, MB for front page; different requests, different domains, MB for front page; different requests, different domains, KB for front page.

39 Customers Are Challenged with Today s Evolving Threat Landscape Malware Infections Acceptable Use Violations Data Loss

40 Talos Cisco Web Security Before During Appliance After Virtual Web Reputation Web Filtering Application Visibility and Control Cloud Access Security Parallel AV Scanning File Reputation Data-Loss Prevention File Sandboxing Cognitive Threat Analytics* www Client Authentication Technique File Retrospection Cisco ISE X X X X X X X Traffic Redirections WCCP Load Balancer Explicit/PAC PBR AnyConnect Client www www www HQ Admin Management Reporting Log Extraction Campus Office Branch Office Roaming User Allow Warn Block Partial Block * Roadmap feature: Projected release 2H CY15

41 Cloud to Core Coverage 18.5 BILLION AMP queries a day END POINT: Software ClamAV, Razorback, Moflow 16 BILLION web requests a day WEB: Reputation, URL Filtering, AVC CLOUD: FireAMP & ClamAV detection content 300 BILLION messages a day Reputation, AntiSpam, Outbreak Filters

42 Reputation Analysis: The Power of Real-Time Context. BEFORE: Discover, Enforce, Harden. DURING: Detect, Block, Defend. AFTER: Scope, Contain, Remediate. [Diagram residue: IP Reputation Score built from Who, Where, How and When; labels include example.com, Example.org, San Jose, London, Beijing, Kiev, Suspicious Domain Owner, Server in High Risk Location, Dynamic IP Address, HTTPS, SSL, Web Server, and how long the domain has been registered.]

43 Loss of Productivity Is a Threat. How Much Bandwidth and Time Is Being Wasted? Facebook, YouTube, Pandora. Facebook time: 2,110,516 minutes or 35,175 hours, 1465 days, 4.1 years. Bytes on YouTube video playback: 11,344,463,363,245 or 10 TB. Pandora: 713,884,303,727 or 0.6 TB. Total browsing time per day: 2,270,690,423 or 4,320 years. No. of Facebook likes: 3,925,407 at 1 second per like. That's almost 1100 hours per day, or 45 days just liking things. Total bytes per day: 70,702,617,989,737 or 64 TB; over 15% from YouTube. Source: Cloud Web Security Report

44 Acceptable Use Controls Beyond URL Filtering. URL Filtering: constantly updated URL database covering over 50 million sites worldwide; real-time dynamic categorization for unknown URLs. Application Visibility and Control (AVC): hundreds of apps, 150,000+ micro-apps, application behavior. Control over mobile, collaborative, and Web 2.0 applications. Assured policy control over which apps can be used by which users and devices. Granular enforcement of behaviors within applications. Intelligent controls of bandwidth usage.

45 Acceptable Use Controls Beyond URL Filtering. URL Filtering: constantly updated URL database covering over 50 million sites worldwide; real-time dynamic categorization for unknown URLs. Application Visibility and Control (AVC): hundreds of apps (LinkedIn, YouTube, Facebook, iTunes, Google+), 150,000+ micro-apps (FarmVille), application behavior. Control over mobile, collaborative, and Web 2.0 applications. Assured policy control over which apps can be used by which users and devices. Granular enforcement of behaviors within applications. Intelligent controls of bandwidth usage.

46 Real-Time Malware Scanning: Dynamic Vectoring and Streaming. Signature and Heuristic Analysis. Heuristics detection: identify unusual behaviors. Signature inspection: identify known behaviors. Antimalware scanning: optimizes efficiency and catch rate with intelligent multiscanning; enhances coverage with multiple signature scanning engines. Multiple anti-malware scanning engines. Parallel scans, stream scanning: identifies encrypted malicious traffic by decrypting and scanning SSL traffic; improves user experience with parallel scanning for fastest analysis; provides the latest coverage with automated updates.

47 Delivers the First Line of Detection All detection is less than 100% effective One-to-One Signature Fuzzy Fingerprinting Machine Learning Advanced Analytics Dynamic Analysis Reputation Filtering and File Sandboxing

48 And Continues to Analyze What Happens Along the Attack Continuum Breadth and Control Points: WWW Endpoints Web Network IPS Devices Telemetry Stream Retrospective Detection Behavioral Indications of Compromise Trajectory Threat Hunting File Fingerprint and Metadata Continuous feed File and Network I/O Process Information Continuous analysis Talos + Threat Grid Intelligence

49 AMP Provides Contextual Awareness and Visibility That Allows You to Take Control of an Attack Before It Causes Damage Who Focus on these users first What These applications are affected When How This is the scope of exposure over time Here is the origin and progression of the threat

50 AMP Threat Grid Feeds Dynamic Malware Analysis and Threat Intelligence to the Cisco AMP Solution. Low Prevalence Files. Analyst or system (API) submits suspicious sample to Threat Grid. An automated engine observes, deconstructs, and analyzes using multiple techniques: proprietary techniques for static and dynamic analysis; "outside looking in" approach; 350 Behavioral Indicators. AMP Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts (Big Data Correlation; Sample and Artifact Intelligence Database). Actionable threat content and intelligence is generated that can be used by AMP, or packaged and integrated into a variety of existing systems or used independently (Threat Score/Behavioral Indicators; Threat Feeds; Actionable Intelligence).

51 On-Premises Layer 4 Traffic Monitor: Infected Endpoint Detection. Packet and header inspection; network-layer analysis. [Diagram labels: Internet; Cisco S-Series; Users.] Preventing phone-home traffic: scans all traffic, all ports, all protocols; detects malware bypassing port 80; prevents botnet traffic. Powerful antimalware data: automatically updated rules; real-time rule generation using dynamic discovery. Also available on Cisco Adaptive Security Appliance as Botnet Traffic Filter.

52 Identify Possible Breach with Cognitive Threat Analytics Reduced time to discovery Active, continuous monitoring to stop the spread of an attack Normal or not? Spots symptoms of infection using behavioral anomaly detection algorithms and trust modeling Security that learns Uses machine learning and Big Data Analytics to learn from what it sees and adapts over time Behavior Analysis Machine Learning Anomaly Detection No more rule sets Discovers threats on its own just turn it on.

53 Web Security Advanced Threat Protection Differentiators AMP File Reputation AMP Dynamic Malware Analysis CTA Layer 1 Anomaly detection Trust modeling CWS Premium CTA Layer 2 Event classification Entity modeling CTA Layer 3 Relationship modeling File Retrospection

54 CTA presents results in two categories Confirmed Threats Confirmed Threats - Threat Campaigns Threats spanning across multiple users 100% confirmed breaches For automated processing leading to fast reimage / remediation Contextualized with additional Cisco Collective Security Intelligence

55 CTA presents results in two categories Detected Threats Detected Threats One-off Threats Unique threats detected for individuals Suspected threat confidence and risk levels provided For semi-automated processing Very little or no additional security context exists

56 Cisco AnyConnect Secure Mobility Client: Redirect Roaming Users to Premises and/or Cloud. [Diagram columns: Web Users; Cisco AnyConnect Client; Web Traffic Redirection; Web Security Location; Delivers Verdict (Allow, Warn, Block).] Roaming laptop users: client installed on machine; ACWS routes traffic through SSL tunnel directly to closest Cisco cloud proxy; CWS applies web security features. Roaming laptop, mobile, or tablet user: VPN backhauls traffic through VPN tunnel to HQ; router or firewall re-routes traffic to WSA or CWS; WSA applies web security features.

57 Extend User Identity and Context Who: Doctor What: Laptop Where: Office Identity Services Engine Integration Acquires important context and identity from the network Who: Doctor What: ipad Where: Office Who: Guest What: ipad Where: Office Cisco Identity Services Engine Consistent Secure Access Policy WSA Confidential Patient Records Internal Employee Intranet Monitors and provides visibility into unauthorized access Provides differentiated access to the network Cisco TrustSec provides segmentation throughout the network Cisco Web Security Appliance provides web security and policy enforcement Internet Available only on WSA

58 Referer Header Exception. Referer is an HTTP header field that identifies the webpage that requested the current webpage. WSA uses the Referer field to find the URL from which a website was browsed and uses it to define access policies. Example: block the video category, but allow embedded YouTube video in a specific website.

59 Periodic Fetch: External Feed for policies. Periodically get inputs from external sources to block IP address, domain or URLs. Dynamically update access policies (w/o proxy restart) to implement new inputs. Out-of-box integration with O365 xml feed published by Microsoft. [Diagram labels: Web Security Appliance; ACL Engine; ACL Rules; Web Proxy; O365 Feed daemon; HTTP Feed daemon; O365 Cloud; Periodic Fetch; HTTP(S) Server; External system; Admin.] Used to integrate with ticketing system, government feeds or external security agencies.

60 Time and Volume Quotas: Intelligent Controls of Bandwidth Usage. Control web usage to meet administrative policies, such as: total bandwidth used during work hours; total bandwidth per day used for social media categories. Configure policies to restrict access based on the amount of data (in bytes) and time. Quotas are applicable to HTTP, HTTPS, and FTP traffic. Configured under access policies and decryption policies. Create custom end-user notifications of warnings when a quota is close, as well as when exceeded.

61 Actionable Reporting: Analyze, Troubleshoot, and Refine Security Policies. Centralized management: centralized appliance- and application-based reporting; centralized policy management; delegated administration. In-depth threat visibility; extensive forensic capabilities. Insight: across threats, data, and applications. Control: consistent policy across offices and for remote users. Visibility: continuous visibility across different devices, services, and network layers.

62 Cisco Web Security At a Glance WWW Cisco Talos Monitors threats worldwide, filters on reputation and automatically updates every 3-5 minutes Threat Monitoring and Analytics Spots symptoms of infection based on behavioral anomalies and CNC traffic Protection Advanced Malware Protection Blocks unknown files through reputation and sandboxing Continues to monitor threat levels after an attack URL Filtering Contains 50 million known sites Categorizes unknown URLs in real time Centralized Management and Reporting Control Application Visibility and Control (AVC) Controls mobile, collaborative, and Web 2.0 applications Enforces behaviors within Web 2.0 applications Offers actionable insight across threats, data, and applications Data-Loss Prevention (DLP) Blocks sensitive information Integrates easily by ICAP with third-party vendors WWW Allow WWW Limited Access WWW Block

63 In Today s Exposed, Highly Connected and Increasingly Mobile World, Cisco Web Security Delivers Strong Protection Complete Control Investment Value Safeguards Every Device, Everywhere, All the Time Offers Control of All Web Traffic on All Devices Delivers More for Your Investment


More information

What can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco

What can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco What can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco Increasing Digital Traffic Creates a Greater Attack Surface Global IP Traffic

More information

Cisco Security Enterprise License Agreement

Cisco Security Enterprise License Agreement Cisco Security Enterprise License Agreement Deploy Software and Technology more easily The Cisco Security Enterprise Licensing Agreement (ELA) gives you a simpler way to manage your licenses. And it saves

More information

Office 365 Buyers Guide: Best Practices for Securing Office 365

Office 365 Buyers Guide: Best Practices for Securing Office 365 Office 365 Buyers Guide: Best Practices for Securing Office 365 Microsoft Office 365 has become the standard productivity platform for the majority of organizations, large and small, around the world.

More information

Aby se z toho bezpečnostní správci nezbláznili Cisco security integrace. Milan Habrcetl Cisco CyberSecurity Specialist Mikulov, 5. 9.

Aby se z toho bezpečnostní správci nezbláznili Cisco security integrace. Milan Habrcetl Cisco CyberSecurity Specialist Mikulov, 5. 9. Aby se z toho bezpečnostní správci nezbláznili aneb Cisco security integrace Aby se z toho bezpečnostní správci nezbláznili Cisco security integrace Milan Habrcetl Cisco CyberSecurity Specialist Mikulov,

More information

Proteggere Office365 e Cloud file sharing in meno di un minuto Tiberio Molino Sr.Sales Engineer Trend Micro

Proteggere Office365 e Cloud file sharing in meno di un minuto Tiberio Molino Sr.Sales Engineer Trend Micro Proteggere Office365 e Cloud file sharing in meno di un minuto Tiberio Molino Sr.Sales Engineer Trend Micro 2 Customer Challenges 3 Most Attacks Include Phishing Emails 5 Advanced Malware Difficult to

More information

Cloud Security & Advance Threat Protection. Cloud Security & Advance Threat Protection

Cloud  Security & Advance Threat Protection. Cloud  Security & Advance Threat Protection Cloud Email Security & Advance Threat Protection Cloud Email Security & Advance Threat Protection Overview Over the years Cyber criminals have become more inventive in their attack methods to infiltrate

More information

Cisco AMP Solution. Rene Straube CSE, Cisco Germany January 2017

Cisco AMP Solution. Rene Straube CSE, Cisco Germany January 2017 Cisco AMP Solution Rene Straube CSE, Cisco Germany January 2017 The AMP Everywhere Architecture AMP Protection Across the Extended Network for an Integrated Threat Defense AMP Threat Intelligence Cloud

More information

How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity

How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity Why is the NIST framework important? GOH Seow Hiong Executive Director, Global Policy & Government Affairs, Asia Pacific

More information

On the Surface. Security Datasheet. Security Datasheet

On the Surface.  Security Datasheet.  Security Datasheet Email Security Datasheet Email Security Datasheet On the Surface No additional hardware or software required to achieve 99.9%+ spam and malware filtering effectiveness Initiate service by changing MX Record

More information

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data SEE everything in your environment LEARN by applying security intelligence to data ADAPT defenses automatically ACT in real-time Sourcefire Solutions Overview Security for the Real World Change is constant.

More information

Intelligent Cyber Security for Real World

Intelligent Cyber Security for Real World Intelligent Cyber Security for Real World Simone Posti Security Account Manager Cisco GSSO June 2016 The Security Challenges Without integrated security, our data is at risk 60% of data is stolen in HOURS

More information

Un SOC avanzato per una efficace risposta al cybercrime

Un SOC avanzato per una efficace risposta al cybercrime Un SOC avanzato per una efficace risposta al cybercrime Identificazione e conferma di un incidente @RSAEMEA #RSAEMEASummit @masiste75 Mauro Costantini - Presales Consultant Agenda A look into the threat

More information

Agenda: Insurance Academy Event

Agenda: Insurance Academy Event Agenda: Insurance Academy Event Drs Ing René Pluis MBA MBI Cyber Security Lead, Country Digitization Acceleration program the Netherlands The Hague, Thursday 16 November Introduction Integrated Security

More information

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments Trusted protection for endpoints and messaging environments Overview creates a protected endpoint and messaging environment that is secure against today s complex data loss, malware, and spam threats controlling

More information

Avanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved.

Avanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved. Avanan for G Suite Technical Overview Contents Intro 1 How Avanan Works 2 Email Security for Gmail 3 Data Security for Google Drive 4 Policy Automation 5 Workflows and Notifications 6 Authentication 7

More information

Cisco AnyConnect Secure Mobility Solution. György Ács Regional Security Consultant

Cisco AnyConnect Secure Mobility Solution. György Ács Regional Security Consultant Cisco AnyConnect Secure Mobility Solution György Ács Regional Security Consultant Mobile User Challenges Mobile and Security Services Web Security Deployment Methods Live Q&A 2011 Cisco and/or its affiliates.

More information

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER Bret Hartman Cisco / Security & Government Group Session ID: SPO1-W25 Session Classification: General Interest 1 Mobility Cloud Threat Customer centric

More information

Compare Security Analytics Solutions

Compare Security Analytics Solutions Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch

More information

Simplify Technology Deployments

Simplify Technology Deployments Cisco Security Enterprise License Agreement: Simplify Technology Deployments The need for Pervasive Security Coverage Security measures can t be limited to certain areas of your business. Mobility has

More information

Implementing Cisco Edge Network Security Solutions ( )

Implementing Cisco Edge Network Security Solutions ( ) Implementing Cisco Edge Network Security Solutions (300-206) Exam Description: The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to

More information

2018 Edition. Security and Compliance for Office 365

2018 Edition. Security and Compliance for Office 365 2018 Edition Security and Compliance for Office 365 [Proofpoint has] given us our time back to focus on the really evil stuff. CISO, Global 500 Manufacturer Like millions of businesses around the world,

More information

Threat Centric Network Security

Threat Centric Network Security BRKSEC-2056 Threat Centric Network Security Ted Bedwell, Principal Engineer Network Threat Defence Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this

More information

Security and Compliance for Office 365

Security and Compliance for Office 365 Security and Compliance for Office 365 [Proofpoint has] given us our time back to focus on the really evil stuff. CISO, Global 500 Manufacturer Like millions of businesses around the world, you may be

More information

Advanced Malware Protection: A Buyer s Guide

Advanced Malware Protection: A Buyer s Guide Advanced Malware Protection: A Buyer s Guide What You Will Learn This document will identify the essential capabilities you need in an advanced malware protection solution, the key questions you should

More information

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT? WHAT IS FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT? While firewalls started life simply protecting networks from outside hacks and attacks, the role of the firewall has greatly evolved to take

More information

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches

More information

Cisco ASA with FirePOWER Services

Cisco ASA with FirePOWER Services Cisco ASA with FirePOWER Services TDM Thomas Jankowsky Consulting Systems Engineer May 2015 Introduction Industry s First Threat-Focused Next-Generation Firewall (NGFW) Proven Cisco ASA firewalling Industry-leading

More information

Encrypted Traffic Analytics

Encrypted Traffic Analytics Encrypted Traffic Analytics Introduction The rapid rise in encrypted traffic is changing the threat landscape. As more businesses become digital, a significant number of services and applications are using

More information

Cisco Advanced Malware Protection for Networks

Cisco Advanced Malware Protection for Networks Data Sheet Cisco Advanced Malware Protection for Networks Product Overview Fighting malware effectively today requires new approaches, strategies, and technologies. Cisco Advanced Malware Protection (AMP)

More information

Intelligent Cybersecurity for the Real World Scott Lovett Vice President, Global Security Sales

Intelligent Cybersecurity for the Real World Scott Lovett Vice President, Global Security Sales Intelligent Cybersecurity for the Real World Scott Lovett Vice President, Global Security Sales The Industrialization of Hacking Sophisticated Attacks, Complex Landscape Hacking Becomes an Industry Phishing,

More information

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Fireware-Essentials.  Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7. Fireware-Essentials Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.0 http://www.gratisexam.com/ Fireware Essentials Fireware Essentials Exam Exam A QUESTION 1 Which

More information

THE CLOUD SECURITY CHALLENGE:

THE CLOUD  SECURITY CHALLENGE: THE CLOUD EMAIL SECURITY CHALLENGE: CLOSING THE CYBERSECURITY SKILLS GAP THROUGH AUTOMATION THE EMAIL SECURITY CHALLENGE Email remains at the heart of the business communications landscape. While nobody

More information

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS 10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS WHITE PAPER INTRODUCTION BANKS ARE A COMMON TARGET FOR CYBER CRIMINALS AND OVER THE LAST YEAR, FIREEYE HAS BEEN HELPING CUSTOMERS RESPOND

More information

Seceon s Open Threat Management software

Seceon s Open Threat Management software Seceon s Open Threat Management software Seceon s Open Threat Management software (OTM), is a cyber-security advanced threat management platform that visualizes, detects, and eliminates threats in real

More information

PineApp Mail Secure SOLUTION OVERVIEW. David Feldman, CEO

PineApp Mail Secure SOLUTION OVERVIEW. David Feldman, CEO PineApp Mail Secure SOLUTION OVERVIEW David Feldman, CEO PineApp Mail Secure INTRODUCTION ABOUT CYBONET CORE EXPERIENCE PRODUCT LINES FACTS & FIGURES Leader Product Company Servicing Multiple Vertical

More information

Office 365 Integration Guide Software Version 6.7

Office 365 Integration Guide Software Version 6.7 rat Office 365 Integration Guide Software Version 6.7 Guide Version 6.7.061418 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction...3 1.1 Email Flow Explanation...3

More information

Seqrite Endpoint Security

Seqrite Endpoint Security Enterprise Security Solutions by Quick Heal Integrated enterprise security and unified endpoint management console Enterprise Suite Edition Product Highlights Innovative endpoint security that prevents

More information

Anti-Spam. Overview of Anti-Spam Scanning

Anti-Spam. Overview of Anti-Spam Scanning This chapter contains the following sections: Overview of Scanning, on page 1 How to Configure the Appliance to Scan Messages for Spam, on page 2 IronPort Filtering, on page 3 Cisco Intelligent Multi-Scan

More information

Symantec & Blue Coat Technical Update Webinar 29. Juni 2017

Symantec & Blue Coat Technical Update Webinar 29. Juni 2017 Avantec Blue Coat/Symantec Webinar Jean Marc Edder Senior Systems Engineer The Global Leader in Cyber Network + + Cloud Global market leader in Endpoint, Email, Data Loss Prevention and Website, User Authentication

More information

Cisco Advanced Malware Protection for Endpoints

Cisco Advanced Malware Protection for Endpoints Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview Organizations today are under the constant threat of cyber attack, and security breaches happen every day. Cisco Advanced Malware

More information

Cisco Advanced Malware Protection for Networks

Cisco Advanced Malware Protection for Networks Data Sheet Cisco Advanced Malware Protection for Networks Product Overview Fighting malware effectively today requires new approaches, strategies, and technologies. Cisco Advanced Malware Protection (AMP)

More information

Firewall nové generace na platformě SF, přístupové politiky, analýza souborů, FireAMP a trajektorie útoků

Firewall nové generace na platformě SF, přístupové politiky, analýza souborů, FireAMP a trajektorie útoků Firewall nové generace na platformě SF, přístupové politiky, analýza souborů, FireAMP a trajektorie útoků Jiří Tesař, CSE Security, jitesar@cisco.com CCIE #14558, SFCE #124266 Mapping Technologies to the

More information

Cisco ASA 5500-X NGFW

Cisco ASA 5500-X NGFW Cisco ASA 5500-X NGFW Sieťová ochrana pre malé a stredné podniky pred modernými hrozbami Peter Mesjar CCIE 17428, Systémový Inžinier, Cisco What are we going to talk about Problem is THREATS How today

More information

New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall

New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall Claudiu Onisoru, Senior Network Specialist Cisco Connect - 15 May 2014 1 Agenda Frontal Communication: Who

More information

A New Security Model for the IoE World. Henry Ong SE Manager - ASEAN Cisco Global Security Sales Organization

A New Security Model for the IoE World. Henry Ong SE Manager - ASEAN Cisco Global Security Sales Organization A New Security Model for the IoE World Henry Ong SE Manager - ASEAN Cisco Global Security Sales Organization Internet of Everything The Internet of Everything brings together people, process, data and

More information

SAFE Architecture Guide. Places in the Network: Secure Campus

SAFE Architecture Guide. Places in the Network: Secure Campus SAFE Architecture Guide Places in the Network: Secure Campus January 2018 SAFE Architecture Guide Places in the Network: Secure Campus Contents January 2018 Contents 3 5 8 9 13 15 21 22 25 Overview Business

More information

Managing Graymail. Overview of Graymail. Graymail Management Solution in Security Appliance

Managing Graymail. Overview of Graymail. Graymail Management Solution in  Security Appliance This chapter contains the following sections: Overview of Graymail, on page 1 Graymail Management Solution in Email Security Appliance, on page 1 How Graymail Management Solution Works, on page 2 Configuring

More information

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer Cisco Next Generation Firewall and IPS Dragan Novakovic Security Consulting Systems Engineer Cisco ASA with Firepower services Cisco TALOS - Collective Security Intelligence Enabled Clustering & High Availability

More information

Innovative Cisco Security- Lösungen für den Endpoint Das Alpha und Omega unsere Next Gen Security

Innovative Cisco Security- Lösungen für den Endpoint Das Alpha und Omega unsere Next Gen Security Innovative Cisco Security- Lösungen für den Endpoint Das Alpha und Omega unsere Next Gen Security Sven Kutzer Consulting Systems Engineer GSSO - CYBERSECURITY SALES Mittwoch, 7. März 2018 Challenges 2017

More information

McAfee Total Protection for Data Loss Prevention

McAfee Total Protection for Data Loss Prevention McAfee Total Protection for Data Loss Prevention Protect data leaks. Stay ahead of threats. Manage with ease. Key Advantages As regulations and corporate standards place increasing demands on IT to ensure

More information

Sourcefire and ThreatGrid. A new perspective on network security

Sourcefire and ThreatGrid. A new perspective on network security Sourcefire and ThreatGrid A new perspective on network security Agenda An overview of traditional IPS solutions Next-Generation IPS Requirements Sourcefire Next-Generation IPS Advanced Malware Protection

More information

Cognitive Threat Analytics Tech update

Cognitive Threat Analytics Tech update Cognitive Threat Analytics Tech update Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified Consulting Systems Engineer, Cyber Security, Denmark CTA CTA CTA Cognitive Threat Analytics

More information

to protect the well-being of citizens. Fairfax is also home to some Fortune 500 and large

to protect the well-being of citizens. Fairfax is also home to some Fortune 500 and large Executive Summary As a County Government servicing about 1.5 million citizens, we have the utmost responsibility to protect the well-being of citizens. Fairfax is also home to some Fortune 500 and large

More information

McAfee Advanced Threat Defense

McAfee Advanced Threat Defense Advanced Threat Defense Detect advanced malware Advanced Threat Defense enables organizations to detect advanced, evasive malware and convert threat information into immediate action and protection. Unlike

More information

Consumerization. Copyright 2014 Trend Micro Inc. IT Work Load

Consumerization. Copyright 2014 Trend Micro Inc. IT Work Load Complete User Protection Consumerization IT Work Load 2 Then... File/Folder & Removable Media Email & Messaging Web Access Employees IT Admin 3 Now! File/Folder & Removable Media Email & Messaging Web

More information

Protection - Before, During And After Attack

Protection - Before, During And After Attack Advanced Malware Protection for FirePOWER TM BENEFITS Continuous detection of malware - immediately and retrospectively Inline detection of sophisticated malware that evades traditional network protections

More information

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY OUTLINE Advanced Threat Landscape (genv) Why is endpoint protection essential? Types of attacks and how to prevent them

More information

Cisco Ransomware Defense The Ransomware Threat Is Real

Cisco Ransomware Defense The Ransomware Threat Is Real Cisco Ransomware Defense The Ransomware Threat Is Real Seguridad Integrada Abril 2018 Ransomware B Malicious Software Encrypts Critical Data Demands Payment Permanent Data Loss Business Impacts Ramifications

More information

Fully Integrated, Threat-Focused Next-Generation Firewall

Fully Integrated, Threat-Focused Next-Generation Firewall Cisco Firepower NGFW Fully Integrated, Threat-Focused Next-Generation Firewall Fuat KILIÇ, fkilic@cisco.com, +905339284608 Security Consulting Systems Engineer, CCIE #21150 September 2016 Get ahead of

More information

File Reputation Filtering and File Analysis

File Reputation Filtering and File Analysis This chapter contains the following sections: Overview of, page 1 Configuring File Reputation and Analysis Features, page 5 File Reputation and File Analysis Reporting and Tracking, page 14 Taking Action

More information

Symantec Security.cloud

Symantec  Security.cloud Data Sheet: Messaging Security filters unwanted messages and protects mailboxes from targeted attacks. The service has selflearning capabilities and Symantec intelligence to deliver highly effective and

More information

Global vision. Local knowledge. Cisco Forum Kyiv Country Day Month Year

Global vision. Local knowledge. Cisco Forum Kyiv Country Day Month Year Global vision. Local knowledge. Cisco Forum Kyiv Country Day Month Year Firepower Next Generation Firewall Subtitle goes here William Young Security Solutions Architect, Global Security Architecture Team

More information

Managed Endpoint Defense

Managed Endpoint Defense DATA SHEET Managed Endpoint Defense Powered by CB Defense Next-gen endpoint threat detection and response DEPLOY AND HARDEN. Rapidly deploy and optimize endpoint prevention with dedicated security experts

More information

Advanced Malware Protection. Dan Gavojdea, Security Sales, Account Manager, Cisco South East Europe

Advanced Malware Protection. Dan Gavojdea, Security Sales, Account Manager, Cisco South East Europe Advanced Malware Protection Dan Gavojdea, Security Sales, Account Manager, Cisco South East Europe How would you do security differently if you knew you were going to be hacked? Security Challenges Changing

More information

Easy Activation Effortless web-based administration that can be activated in as little as one business day - no integration or migration necessary.

Easy Activation Effortless web-based administration that can be activated in as little as one business day - no integration or migration necessary. Security Solutions Our security suite protects against email spam, viruses, web-based threats and spyware while delivering disaster recovery, giving you peace of mind so you can focus on what matters most:

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

An Investment Checklist

An Investment Checklist Next-Generation Addressing Advanced Firewalls: Web Threats Next-Generation Firewalls: What You Will Learn When you buy a next-generation firewall (NGFW), you want to determine whether the solution can

More information

Tracking Messages

Tracking  Messages This chapter contains the following sections: Tracking Service Overview, page 1 Setting Up Centralized Message Tracking, page 2 Checking Message Tracking Data Availability, page 4 Searching for Email Messages,

More information

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson Delivering Integrated Cyber Defense for the Generation Darren Thomson Vice President & CTO, EMEA Region Symantec In 2009 there were 2,361,414 new piece of malware created. In 2015 that number was 430,555,582

More information

Cisco ASA Next-Generation Firewall Services

Cisco ASA Next-Generation Firewall Services Q&A Cisco ASA Next-Generation Firewall Services Q. What are Cisco ASA Next-Generation Firewall Services? A. Cisco ASA Next-Generation Firewall Services are a modular security service that extends the Cisco

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

Test-king q

Test-king q Test-king 700-280 64q Number: 700-280 Passing Score: 800 Time Limit: 120 min File Version: 28.5 http://www.gratisexam.com/ 700-280 Email Security for Field Engineers Passed on 2-02-15 with an 890. Dump

More information

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Automated Response in Cyber Security SOC with Actionable Threat Intelligence Automated Response in Cyber Security SOC with Actionable Threat Intelligence while its biggest weakness is lack of visibility: SOCs still can t detect previously unknown threats, which is a consistent

More information