Defend. Discover. Remediate. An Integrated Security Strategy. Gary Osland Business Development Manager Cisco Systems Inc.

Transcription

1 Defend. Discover. Remediate. An Integrated Security Strategy Gary Osland Business Development Manager Cisco Systems Inc. 1

2 Cybersecurity Your View? Allies Hackers Nation States Insider Threat DOD 8570 Education Partners DISA STIG Revenue Loss Intellectual Property Theft Protecting National Security Government Regulations Internal Policies Property Destruction Embarrassment NIST Policy Money Theft PII Theft Malware NERC CIP MS-ISAC Reputation Advanced Persistent Threat Espionage Customer Anonymous 2

3 Current Landscape 3

4 Mobility Cloud Threat Customer centric market dynamics require an end to end security architecture 4

5 UTOMATION AGILITY FLEXIBITY AUTOMATION AGILITY CONSISTENCY VISIBILITY EFFICIENCY CONSISTENCY ELASTIC UTOMATION CONSOLIDATION Physical COST Virtual REDUCTION Cloud ELASTIC CONSOLID AGILITY FLEXIBITY AUTOMATION AGILITY CONSISTENCY VISIBILITY EFFICIENCY CONSISTENCY ELASTIC CONSOLIDATION COST REDUCTION ELASTIC CONSOLID DC CLOUD TRANSITION #! % Extending security posture Unifying the network services Securing multi-tenancy designs 5

6 Social Media Peer-to-Peer Cloud Right people using the right apps in the right way 6

7 IT Megatrends are creating the Any to Any problem Infrastructure hybrid public Apps / Services tenants Workloads private Endpoint Proliferation Blending of Personal & Business Use Access Assets through Multiple Medians Services Reside In Many Clouds 7

8 Today s Security Multiple products, policies, unmanaged devices and cloud access SaaS Comm. / SMB / Branch Cellular Internet Web Security Gateway WWW CSR ASR Branch WWW ANY WWW MultipleEdge Management Paradigms Multiple DC Enterprise Identity Stores Isolated Edge Threat Intelligence SP-1 CSR SP-2 Global Orchestra tion Campus Connect UCS SP Core/ Edge Inconsistent Enforcement SP Cloud ANY 8

9 The Threat Evolution Enterprise Response Anti-virus (Host based) IDS/IPS (Network Perimeter) Reputation (global) & Sandboxing Intelligence & Analytics (Cloud) INCREASED ATTACK SURFACE (MOBILITY & CLOUD) Threats WORMS SPYWARE / ROOTKITS APTs CYBERWARE Tomorrow 9

10 Cyber Threat Detection and Response Malware Detection Methods 49% External Party LE, Fraud Detection Org., Customer etc 1 28% Self Detection Passive Employee, Slow Network etc 1 16% Self Detection Active Security Devices 1 Response *416 Average number of days an Advanced Persistent Threat sits on your network before detection! 7 Compromise Is Not If, But When 59% of organizations believe they have been cyber threat targets 5 46% believe they are still highly vulnerable despite increased prevention investments 5 1 Verizon Data Breach Report; 2 US House Intelligence; 3 NSA; 4 Bloomberg; 5 GAO; 6 ESG 7 Mandiant 10

11 Loss of Revenue Cost of Cyber Breach $1T/year private sector revenue loss from cyber espionage 2 $100B/year Cost of Cybercrime in US 6 $1B/year in Cyber Bank Robberies 4 $43M/year for traditional bank robberies $? State data record breaches + indirect costs 25% of stolen PII records = victims of Identity Fraud Cyber Breach - South Carolina 3.8M tax records stolen $20M for notification and credit checks + $25M for remediation $11.84 per record so far Taxpayer confidence lost added costs due to paper tax filing 1 Verizon Data Breach Report; 2 US House Intelligence; 3 NSA; 4 Bloomberg; 5 GAO; 6 McAfee / CSIS 11

12 Current Breaches 12

13 How Malware Works Progression into the network Gets In Receives Instructions Spreads Hides Initial Infection Vector Command and Control Propagation Mechanism Persistent Mechanism Hacking Web Flash Media Web P-2-P DNS User Interaction Autorun USB Network Browser Plug-ins Registry Kernel rootkits Device drivers 13

14 Top 10 Government Breaches South Carolina Department of Revenue million tax returns phishing attack 2. California Department of Social Services Sensitive payroll information - 700,000 individuals - mail en route between IT contractors and the Department of Social Services 3. Utah Department of Health Health information and PII - 780,000 Utah citizens - Eastern European hackers taking advantage of poor authentication configuration following database migration to a new server. 4. California Department of Child Support Services Sensitive health and financial records- 800,000 records - lost FedEx shipment 5. United States Bureau of Justice Statistics Embarrassed GB of sensitive data leaked, s / data dump 6. City of Springfield, MO City claims 2,100 records Anonymous claims more than 1,000 vehicle descriptions from online police reports and records from more than 280,000 summons filed in city digital data stores. 7. United States Navy & DHS Usernames, passwords, IDs, and security questions and answers for all users on Dep. Websites - Blind SQL injection attacks. 8. Wisconsin Department of Revenue Sensitive seller information - 110,000 people and businesses who sold property in embedded file in a Microsoft Access file 9. NASA PII 10,000 employees - unencrypted agency laptop, stolen from employee s car 10. New Hampshire Department of Corrections Unauthorized Access inmates accessed the main offender management database system. 14

15 Cyber Threats Effectiveness of Phishing More than 95% of all attacks tied to State-Affiliated espionage employed Phishing as a means of establishing a foothold in their intended victims systems. - Verizon Data Breach Report 15

16 Framework 16

17 Trusted Systems Advanced Services User Network Systems Network Security Content Security Governance Policy Regulations Standards Education Cybersecurity Scope Application Presentation Session Transport Network Data Link Physical Secure Network Fabric Vendor Partner Distribution Delivery Supply Chain Anti-Counterfeit Disti-Channels Cybersecurity 17

18 Implications for Security Functions need to work as a system Defend Discover Remediate Policy & Access Control Blocking Quarantine Re-routing Traffic Increased Content Inspection Behavior Anomaly Detection Advanced Threats Inside the Network Assess Environment & Threat Advanced Forensics Contain Fix 18

19 Security Context Throughout the Network Traffic Flow, Identity, Application Visibility Secure Network Fabric NetFlow in Switches and Routers Identity Services Engine Network Based Application Recognition (NBAR) NetFlow Secure Event Logging (NSEL) 19

20 Malware Detection & Defense A multi-layered approach to network protection with threat intelligence information Security Intelligence Operations Web and Security Appliances IPS Untrusted Networks Firewall with Botnet Filters Trusted Enterprise Network Enterprise Resources Connections to untrusted networks must be checked in depth by multiple layers of defense before reaching enterprise resources 20

21 Malware Detection Component How does it work Protects by Security Intelligence Operation Web Security Appliance Security Appliance Global collection of internet traffic to Analyze, Identify and give Reputation Scores. Feeds this information to other Cisco security products Filters all Web traffic based on reputation scores received from SIO Filters all traffic based on reputation of sender, which it receives from SIO. Virus Outbreak Filters quarantine suspect Providing threat detection, correlation, and mitigation information to help protect against the spread of Malware Preventing malicious Web traffic from entering network at perimeter. Blocking malicious traffic before it enters network by recognizing anomalies associated with virus proliferation on a global level. Botnet Traffic Filter Monitors all ports and performs a real-time lookup in its database of known Botnet IP addresses and domain names that are fed into the database from SIO Uses IP address and domain names to determine if a connection attempt is benign and should be allowed, or if it is a risk and should be tagged for mitigation Intrusion Prevention System Calculates risk for every event. Combines attack and attacker details with live SIO knowledge to produce a calibrated risk measurement to drive a unique response according to attacker and target visibly Preventing malicious activity, through the entire attack lifecycle and at all layers of the application stack (deep packet inspection) Cyber Threat Defense Monitors traffic flows and categorizes behavior Detecting network anomalies to give a more comprehensive view of attack 21

22 Secure Identity and Mobility Identity and Context Centric Policy Platform WHERE WHAT WHEN Security Policy Attributes Business-Relevant Policies WHO HOW Identity Centralized Policy Engine (Identity Services Engine) Dynamic Policy User and Devices Monitoring & Reporting Security Policy Enforcement in the Network Application Controls 22

23 Cyber Threat Defense Monitor, collect and analyze network traffic, establish a baseline, and alarm on anomalies and behavior changes Cybersecurity Anomaly Detection Security Enabled Network NetFlow: Switches, Routers, and Firewalls Context: NBAR/AVC Identity Services Engine Cyber Threat Detection - enhances efficiency and effectiveness of analysis and provides key insight into internal activity across the network 23

24 Putting It All Together for Integrated Defense WHERE WHAT WHEN WHO HOW Visibility, Context, and Control Devices Internal Network Context ISE Security Appliance + NSEL Router + NBAR Use NetFlow Data to Extend Visibility to the Access Layer Enrich Flow Data With Identity, Events and Application to Create Context Unify Into a Single Pane of Glass for Detection, Investigation and Reporting 24

25 Virtualized Security Physical virtual consistency vcenter Virtual Network Management Center Collaborative Security Model Zone Based Firewall for intra-tenant secure zones Tenant A VDC Tenant B VDC vapp Virtual Firewall for tenant edge controls Zone Firewall Zone Firewall vapp Zone Firewall Seamless Integration Virtual Switch / Virtual Path Virtual Firewall Virtual Firewall Zone Firewall Scales with Cloud Demand Multi-instance deployment for horizontal scale-out deployment Virtual Path Virtual Switch Hypervisor 25

26 Implications for Security Functions need to work as a system Defend Discover Remediate Policy & Access Control Blocking Quarantine Re-routing Traffic Increased Content Inspection Behavior Anomaly Detection Advanced Threats Inside the Network Assess Environment & Threat Advanced Forensics Contain Fix 26

27 Strategic Direction 27

28 Market Direction Integrated Platform for Defense, Discovery and Remediation Device Threat Aware Malware, APT Data Center Context Aware Identity, Data, Location Content Aware Applications Network Access Control Firewall Firewall Content Gateways Integrated Platform Virtual Cloud 28

29 CLOUD-BASED THREAT INTEL & DEFENSE ATTACKS APPLICATION REPUTATION SITE REPUTATION MALWARE GLOBAL LOCAL PARTNER API Infrastructure COMMON POLICY, MANAGEMENT & CONTEXT COMMON MANAGEMENT SHARED POLICY ANALYTICS COMPLIANCE PARTNER API IDENTITY APPLICATION DEVICE LOCATION TIME hybrid public Apps / Services tenants NETWORK ENFORCED POLICY ACCESS FW IPS VPN WEB APPLIANCES ROUTERS SWITCHES WIRELESS VIRTUAL Workloads private 29

30 AI-based Threat Detection Hardware Assisted NetFlow Increase Telemetry for Analysis Self-Learning and Evasion Resistance www DNS IPS Web Log Data Identity DNS Queries IDS/IPS Events Global Threat Intelligence Cisco Cyber Threat Defense Future 30

31 Next Generation Perimeter Driving Platform Consolidation and Consistency Comm. / SMB / Branch WWW WWW Leverage context awareness in NGFW to make more intelligent decisions Identity and Application Convergence onto a common platform Integrated directly on devices or via Connectors Campus Edge 2 31

32 Current State Future State Cloud-Based Threat Intelligence & Defense SaaS SaaS Comm. / SMB / Branch Cellular Cellular ASR Internet Internet Private CSR Comm. / SMB / Branch WWW Web Cloud CSR Security Security Gateway Gateway SP-1 Hybrid WWW WWW SP Core/ Edge ASR SP-2 Branch Branch SP Cloud Public Network Enforced Policy WWW Campus Campus Connect Connect ANY WWWUCS WWW Global Orchestra tion SP Core/ Edge SP-1 CSR Global Orchestra tion Campus Edge Enterprise DC Edge Edge Common Policy, Management & Context XaaS UCS SP-2 SP Cloud Data Center/V ANY 32

33 Human Firewall IT Management & Workforce Education Promote Formal Education and Training SANS Institute / MS-ISAC / CA University System Certifications User Training Certified Cybersecurity Analyst CCNA CCNP- CCIE CISSP Cyber Threats Compromise Instructions DOD Model Cyber Testing Security Assessment Network Penetration Testing Etc Cyber Exercises 33

34 Cybersecurity Silver Bullet vs. Silver Buckshot The multiple attack vectors that our Cyber adversaries rely on require a multi-faceted approach to security. Cisco s leadership in the research and development of secure products, along with our inherent role in the network, positions us as the natural partner in developing and executing a successful cyber defense strategy 34

35 35