The Importance of Threat-Centric Security

Transcription

1 The Importance of Threat-Centric Security Jay Iyer Distinguished Engineer, Office of the Security CTO Martin Roesch Vice President and Chief Architect, Cisco Security Business Group BRKSEC-2135

2 Agenda Today s Security Challenges A Threat-Centric and Operational Security Model Mapping Technologies to the Model Visibility Architecture Reducing Complexity and Increasing Capability Why choose Cisco Security

3 Session Objective Provide a detailed review of today s dynamic threat landscape and outline a threat-centric and operational security model that spans a range of attack vectors to address the full attack continuum before, during, and after an attack.

4 Security Perspective

5 The Problem is THREATS

6 Today s advanced malware is not just a single entity Missed by Point-in-time 100 percent of companies surveyed Detection by Cisco have connections to domains that are known to host malicious files or services. (2014 CASR) It is a Community that hides in plain sight

7 Top cyber risks for users Untrustworthy sources Clickfraud and Adware Outdated browsers 10% 64% vs IE requests running latest version Chrome requests running latest version 2015 Cisco Annual Security Report

8 The Challenges Come from Every Direction Sophisticated Attackers Complicit Users Dynamic Threats Boardroom Engagement Defenders Complex Geopolitics Misaligned Policies

9 Cisco 2015 Annual Security Report Now available: cisco.com/go/asr2015

10 Impact of a Breach Breach occurs data in breaches is stolen in of breaches remain undiscovered for Information of up to individuals on the black market over last three START HOURS MONTHS YEARS Source: Verizon Data Breach Report 2014

11 Breach/Detection Time Delta is Not Improving Percent of beaches where time to compromise (red)/time to discovery (blue) was days or less 100% Time to compromise 75% 50% 25% Time to discovery Source: Verizon 2014 Data Breach Investigations Report

12 Why?

13 The Configuration Problem Poor awareness of true operational environment Change to environment requiring configuration/posture changes unrecognized Detection content unavailable 0-day No anomaly detection mechanisms in place

14 The Organizational Problem False positive rates too high Operator overload due to mass of equally meaningless events that must be contextualized Frequently technologies are deployed but not properly operationalized Check-box security In 2014, the average cost of an organizational data breach was US$3.5 million Source: The Ponemon Institute

15 Defenders Less than half of security practitioners leverage known effective practices SecOps Identity Administration and Provisioning 43% Patching and configuration as defense 38% Pentesting 39% 2015 Cisco Annual Security Report Quarantine malicious applications % 55%

16 If you knew you were going to be compromised, would you do security differently?

17 Addressing The Configuration Problem Visibility Architecture Collect context about the operational environment Continuously in real-time Visibility data is used to recommend configuration of security infrastructure Real-time notifications of change to drive real-time change in security posture Content Rapid development and dissemination of updated detection is a fundamental Vendor Security operations teams

18 Addressing The Organizational Problem Contextualization Event loads are high due to misconfiguration Even when well tuned, raw events must be contextualized automatically when possible Operationalization That s your job Engagement from corporate boards is crucial in setting security priorities and expectations Boards need to know what the cybersecurity risks to the business are and their potential impact CIOs must ask tough questions about security controls that are meaningful to the board and outline the business implications

19 A Threat-Centric and Operational Security Model Attack Continuum BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall Patch Mgmt IPS IDS AMD App Control Vuln Mgmt Anti-Virus FPC Log Mgmt VPN IAM/NAC /Web Forensics SIEM Visibility and Context

20 A Threat-Centric and Operational Approach Attack Continuum BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Network Endpoint Mobile Virtual Cloud Point in time Continuous

21 Cisco: Covering the Entire Continuum Attack Continuum BEFORE DIscover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate ASA VPN NGIPS Advanced Malware Protection NGFW Meraki ESA/WSA Cognitive Secure Access + Identity Services CWS ThreatGRID FireSIGHT & PXGrid Services

22 APIs Workflow (automation) Engine Visibility is the Foundation Breach Understand scope, contain & remediate Threat Focus on the threat security is about detecting, understanding, and stopping threats Control Set policy to reduce surface area of attack Visibility Broad awareness for context

23 APIs Workflow (automation) Engine Visibility Must Be Pervasive BEFORE DURING AFTER Breach Scope Contain Remediate AMP ThreatGRID CTA Threat Detect Block Defend NGIPS ESA/WSA Reputation Control Control Enforce Harden ASA NGFW VPN Meraki ISE NAC Visibility Discover Monitor Inventory Map Network / Devices (FireSIGHT/PXGrid) Users / Applications (FireSIGHT/PXGrid/ISE) Files / Data (FireSIGHT/AMP)

24 Today s Security Appliances Traditional Firewall Functions VPN Functions Context- Aware Functions IPS Functions WWW Malware Functions

25 We must integrate more effectively to make more effective security solutions

26 Two Kinds of Integration Front-end integration Most security technologies have information about the environment that they are defending but do not share it Build a Visibility Architecture to collect information about the composition, configuration and change in the environment being defended Back-end integration Collect and centralize information about what s happening to the environment and try to figure out what is happening Traditional integration model

27 Building a Visibility Architecture Why? Automation Contextualization Anomaly Detection Event-driven Security What visibility is important?

28 Types of Visibility Asset/Network Network topology Asset profiles Address Hardware platform/class Operating System Open Ports/Services Vendor/Version of client or server software Attributes Vulnerabilities User Location Access profile Behaviors File/Data/Process Motion Execution Metadata Origination Parent Security Point-in-time events Telemetry Retrospection

29 Platform Exchange Grid pxgrid I have reputation info! I need threat data Talos I have application info! I need location & auth-group I have sec events! I need reputation I have NetFlow! I need entitlement I have threat data! I need reputation I have firewall logs! I need identity pxgrid Context Sharing That Didn t Work So Well! Single Framework Direct, Secured Interfaces I have NBAR info! I need identity I have location! I need identity I have MDM info! I need location I have app inventory info! I need posture I have identity & device-type! I need app inventory & vulnerability

30 Cisco FireSIGHT Context Collection Platform IPS Events Malware Backdoors Exploit Kits Web App Attacks CnC Connections Admin Privilege Escalations SI Events Connections to Known CnC IPs Malware Events Malware Detections Office/PDF/Java Compromises Malware Executions Dropper Infections

31 Cisco FireSIGHT Fuels Automation Impact Assessment and Recommended Rules Automate Routine Tasks

32 Impact Assessment IMPACT FLAG ADMINISTRATOR ACTION WHY Correlates all intrusion events to an impact of the attack against the target Act Immediately, Vulnerable Investigate, Potentially Vulnerable Event corresponds to vulnerability mapped to host Relevant port open or protocol in use, but no vuln mapped Good to Know, Currently Not Vulnerable Relevant port not open or protocol not in use Good to Know, Unknown Target Monitored network, but unknown host Good to Know, Unknown Network Unmonitored network

33 FireSIGHT Brings Visibility CATEGORIES EXAMPLES Cisco FireSIGHT TYPICAL IPS TYPICAL NGFW Threats Attacks, Anomalies Users AD, LDAP, POP3 Web Applications Facebook Chat, Ebay Application Protocols HTTP, SMTP, SSH File Transfers PDF, Office, EXE, JAR Malware Conficker, Flame Command & Control Servers C&C Security Intelligence Client Applications Firefox, IE, BitTorrent Network Servers Apache 2.3.1, IIS4 Operating Systems Windows, Linux Routers & Switches Cisco, Nortel, Wireless Mobile Devices iphone, Android, Jail Printers HP, Xerox, Canon VoIP Phones Cisco, Avaya, Polycom Virtual Machines VMware, Xen, RHEV

34 OpenAppID First OSS Application and Control OpenAppID Language Documentation o Accelerate the identification and protection for new cloud-delivered applications Special Snort engine with OpenAppID preprocessor o o o o o Detect apps on network Report usage stats Block apps by policy Snort rule language extensions to enable app specification Append App Name to IPS events Library of Open App ID Detectors o o Over 1000 new detectors to use with Snort preprocessor Extendable sample detectors Available now at Snort.org

35 The Event Horizon Problem Point-in-time Events generated as they re discovered Discovery (detection) failure = false negative Brittle. Continuous (Telemetry) Specific event types are continuously recorded and analyzed Structural (signatures) Behavioral (activities)

36 The Event Horizon Firewall IDS/IPS AMD Antivirus X X X X Event Horizon Device

37 Beyond the Event Horizon Continuous Capability is needed for the world in which you will be compromised Streaming telemetry Continuous analysis Real-time and retrospective security with the full spectrum of controls available at any time

38 APIs Workflow (automation) Engine The Threat-Centric Model Breach Understand scope, contain & remediate Threat Focus on the threat security is about detecting, understanding, and stopping threats Control Set policy to reduce surface area of attack Visibility Broad awareness for context

39 Visibility Layer Concept RNA & RUA RUA AD Connector 3rd Party Context Src ISE AnyConnect PXGrid API Network Map Host Input API Auto-Config (R 3 ) Impact Assessment Policy & Response Engine APIC Control Layer FireSIGHT Remediation API 3rd Party Apps Security Platforms

40 Control Control is about defining & managing the interactions between users, applications, devices, and data Access control & segmentation Policy enforcement Asset hardening & management User management

41 Control Layer Concept Mobile Device + VPN Endpoint + AnyConnect Endpoint Endpoint Endpoint User Environment Endpoint ISE Route/S witch APIC FireSIGHT ASA/VP N Server Hypervisor Hypervisor Hypervisor Policy Enforcement Directives Network Traffic Data Center Environment

42 Threat & Breach Detection & Response are critical functions today Being able to detect in a relevant timeframe Timeframe of response The Golden Hour

43 Integrated Threat Defense Architecture Concept CSI Cognitive Endpoint + AnyConnect Mobile device & AnyConnect Threat Environment CWS Control Layer NGIPS ESA WSA Endpoint Endpoint Endpoint Server User Environment Hyperviso r Hyperviso r Data Center Environment Raw/Uninspected Traffic Telemetry/Eventing/Mgmt APIC / ISE FireSIGHT Visibility Layer Streaming Telemetry Inspected Traffic

44 Integrated Threat Defense Architecture Concept CSI Cognitive Endpoint + AMP & AnyConnect Mobile device + AMP & AnyConnect Threat Environment CWS + AMP Control Layer NGIPS + AMP ESA + AMP WSA + AMP Endpoint + AMP Server + AMP Endpoint + AMP User Environment Hyperviso r + AMP Endpoint + AMP Hyperviso r + AMP Data Center Environment Raw/Uninspected Traffic Telemetry/Eventing/Mgmt APIC / ISE FireSIGHT Visibility Layer Streaming Telemetry Inspected Traffic

45 Challenges None of this works if everything has to be there for any of it to work Each product must stand alone as the best in its class When Cisco products are brought together they gain capability through leveraging each other s visibility and control mechanisms Our fundamental job is to reduce complexity and increase capability

46 Reduce Complexity and Increase Capability Collective Security Intelligence Centralized Management Appliances, Virtual, Cloud Network Control Platform Device Control Platform Cloud Services Control Platform Appliances, Virtual Host, Mobile, Virtual Hosted BROAD VISIBILITY and CONTROL

47 Collective Security Intelligence Malware Protection Reputation Feeds IPS Rules Cisco Talos (Talos Security Intelligence and Research Group) Vulnerability Database Updates Sandboxing Machine Learning Big Data Infrastructure Private and Public Threat Feeds Sandnets File Samples (>1.1 Million per Day) FireAMP Community Honeypots Sourcefire AEGIS Program Advanced Microsoft and Industry Disclosures SPARK Program Snort and ClamAV Open Source Communities

48 Only Cisco Delivers Unmatched Visibility Consistent Control Advanced Threat Protection Complexity Reduction Global Intelligence With the Right Context Consistent Policies Across the Network and Data Center Detects and Stops Advanced Threats Fits and Adapts to Changing Business Models

49 Thank You! E: E:

50 Participate in the My Favorite Speaker Contest Promote Your Favorite Speaker and You Could Be a Winner Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress) Send a tweet and include Your favorite speaker s Twitter Two hashtags: #CLUS #MyFavoriteSpeaker You can submit an entry for more than one of your favorite speakers Don t forget to View the official rules at

51 Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. Complete your session surveys though the Cisco Live mobile app or your computer on Cisco Live Connect. Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

52 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Table Topics Meet the Engineer 1:1 meetings Related sessions

53 Thank you

54

55 Session Abstract BRKSEC-2135: The Importance of Threat-Centric Security Jay Iyer, Distinguished Engineer, Security Business Group Martin Roesch, Vice President and Chief Architect, Security Business Group Today s sophisticated attacks have grown in frequency, severity and complexity. Evolving trends such as mobility, cloud computing and collaboration are paving the way for new attack techniques we couldn t have anticipated a few years ago. To truly protect against all possible attack vectors, IT professionals must accept the nature of modern networked environments and devices and start thinking like an attacker. Crucial to accomplishing this is first understanding the modern threat landscape and how a threat-centric approach to security can increase the effectiveness of threat prevention. This session will offer a detailed review of today s dynamic threats and an overview of how open source technologies such as Snort and ClamAV play a role in enabling effective, coordinated protection for enterprise environments. Enterprise security administrators and architects, CISOs and even CIOs will learn about threat-centric security approaches that protect their environments across the attack continuum - before, during and after an attack.