We re ready. Are you?

Transcription

1 We re ready. Are you?

2 Defense against Multi-Vector Threats with Cisco and Web Security Usman Din Consulting Systems Engineer

3 Agenda Threat Landscape and Web Solutions: Reputation Filtering Content Scanning Engines Advanced Malware Scanning Reporting and Analytics

4 Threat Landscape

5 Threat Landscape The number of CVE Entries in 2015 so far is 8147

6 Threat Landscape

7 Threat Landscape

8 Threat Landscape

9 Blended Threats Watering hole Spear phishing Dropper Approach Infect or inject a trusted site Target users through compromised links Deliver malware with stealth and self-deleting programs Tactic Conduct reconnaissance on a target Leverage social engineering Gain access via DLL injection, control firewalls, antivirus, etc Impact Deliver an exploit that will attack Deliver an exploit that will attack Compromises system control, personal data and authorization Threat vector

10 THREATS DON T GO AWAY, HOW DO WE ADDRESS IT?

11 Multi-Tiered Defense Cloud to Core Coverage Web: Reputation, URL Filtering, AVC End Point: Software ClamAV, Razorback, Moflow Cloud: FireAMP & ClamAV detection content Reputation, AntiSpam, Outbreak Filters Network: Snort Subscription Rule Set, VDB FireSIGHT Updates & Content, SEU/SRU Product Detection & Prevention Content Global Threat Intelligence Updates

12 Talos: Before, During and After Threat Intelligence I00I III0I III00II 0II00II I0I I000 0II0 00 0III000 II Cisco III000III0 I00I II0I III Talos Research Response III0 I00I II0I III00II 0II00II II0 00 0III000 III0I00II II II0000I II0 100I II0I III00II 0II00II I0I000 0II0 00 Endpoints Web Networks IPS Devices 1.6 million global sensors WWW 100 TB of data received per day 150 million+ deployed endpoints 600+ engineers, technicians, and researchers 35% worldwide traffic 13 billion web requests 24x7x365 operations 40+ languages ESA/WSA/CWS 1.1 million file samples per day AMP community Advanced Microsoft and industry disclosures Snort and ClamAV open source communities AMP TG Intelligence AEGIS program Private and public threat feeds 10 million files per month - AMP TG Dynamic analysis

13 Defending across the full attack continuum: Attack Continuum Before Discover Enforce Harden During Detect Block Defend After Scope Contain Remediate Reputation Filtering Acceptance Controls Signature, AV, Spam scanning URL Scanning File Reputation Continuous Retrospection Message Tracking File Sandboxing

14 Defending across the full attack continuum: Web Attack Continuum Before Discover Enforce Harden During Detect Block Defend After Scope Contain Remediate Web Reputation Filtering Acceptable Usage Controls Application Controls Malware scanning File Reputation File Sandboxing Continuous Retrospection Threat Analytics Reporting & Tracking

15 Deep Dive: Reputation Filtering

16 Deep Dive: and Web Reputation Spam Traps Complaint Reports IP Blacklists and Whitelists Geo-Location data Message Composition Data Global Volume Data Compromised Host Lists Domain Blacklist and Safelists Website Composition Data Other Data Host Data DNS Data Real-time insight into this data that allows us to see threats before anyone else in the industry to protect our customers IP Reputation Score

17 Using Reputation on the ESA Default Settings: Moderate Blocking Custom Settings: Aggressive Throttling Reputation Score determined when connection initiated Sender Groups and actions are defined by the administrator Reputation can block 80-90% connections on the ESA

18 Controlling Senders with Connection Throttling Throttling allows for mail to be delivered but not in excessive amounts Additional verification steps surrounding envelope sender and DNS can be enforced in throttle policies Reputation Score is used through out the workqueue process

19 Limiting Hosts and Senders Host and Envelope sender limits are extremely useful for protecting against mail storm attacks Sliding time windows allows for customized rate limiting Use exception tables for known / accepted bulk mail senders

20 Check those senders! DMARC, SPF and DKIM Use SPF to verify Identity Use DKIM to Authenticate Use DMARC to correlate the information from SPF and DKIM into an actionable policy

21 Using Reputation on Web

22 Web Reputation Analysis IP Reputation Score Who Where How When Suspicious Server in High example.com Example.org San London Beijing Kiev Jose Domain Owner Risk Location Dynamic IP HTTPS SSL Address Domain Web Server Registered < 1 Month > < 21 Month Year Min

23 Adaptive Scanning Dynamic Scanner Selection Cisco Talos HTML WSA HTML Sophos Adaptive Scanning McAfee HTML Webroot Reputation + Content Type + Scanner Selection = Adaptive Scanning

24 Adaptive Scanning Detail, Step 1: Analyze every object on a page & assign a risk score Object One - PDF Object Two - JPG +0.0 (low risk) +5.6 (safe) Object Three - JavaScript -5.3 (high risk) Scores below -6 automatically blocked Object Four - Flash -7.8 (very high risk - blocked)

25 Adaptive Scanning Detail, Step 2: Scans prioritized in order of risk Object One - PDF +0.0 (low risk) Chooses McAfee best for Flash Object Two - JPG +5.6 (safe) If CPU at low load, scans with all available scanners Object Three - JavaScript -5.3 (high risk) Looks at all licensed scanners, chooses Sophos best for Javascript Scores below -6 automatically blocked Object Four - Flash -7.8 (very high risk - blocked)

26 Reputation in action: Blocking Angler Nodes IP Infrastructure Only Unique IP s hosting Angler Daily Hosting Information Found 60%+ Angler activity for month at two providers Referrers Found Thousands of Different Referrers Malvertising Lots of top websites seen directing to Angler News Sites, Real Estate, Sports, Popular Culture Response: Published Community Rules for Front-End & Back-End Communication Blacklisted all servers Blacklisted all domains Working with Providers resulted in huge returns Exposed Largest Angler Actor Active on Internet Today

27 Deep Dive: Content Scanning

28 ESA: Anti-Spam Defense in Depth What Incoming mail good, bad, and unknown Cisco Talos Suspicious mail is rate limited and spam filtered Who Where Cisco Anti-Spam When How > 99% catch rate < 1 in 1 million false positives Known bad mail is blocked before it enters the network Choice of scanning engines to suit every customer s risk posture

29 Best in class Anti-Spam Efficacy Intelligence is key to best in class Efficacy Cisco ESA remembers and uses information from Reputation to enhance efficacy No vendor can block 100% Source: Opus1 2015

30 Evaluating URLs inside an Contains URL Web Rep and/or Web Cat Send to Cloud Rewrite URL Analysis Cisco Talos Defang BLOCKEDwww.playboy.comBLOCKED BLOCKEDwww.proxy.orgBLOCKED Replace This URL is blocked by policy

31 1 st Layer of Defense against malicious URLs WBRS directly integrated on the ESA in a Content Filter Can be defined as Condition or Action Combine WBRS and SBRS to provide a better way to use onbox intelligence

32 2 nd Layer of Defense against malicious URLs Link is clicked Website is clean Cisco Security Dynamic, real-time inspection via HTTP Cisco Talos Website is blocked The requested web page has been blocked Cisco and Web Security protects your organization s network from malicious software. Malware is designed to look like a legitimate or website which accesses your computer, hides itself in your system, and damages files.

33 And for files too Outbreak Filters Advantage Average lead time*: Over 13 hours Outbreaks blocked*: 291 outbreaks Total incremental protection*: Over 157 days Cisco Talos Dynamic Quarantine Virus Filter Advanced Malware Protection Outbreak Filters in Action Cloud Powered Zero-Hour Malware Detection Zero-Hour Virus and Malware Detection

34 WSA Real-Time Malware Scanning Dynamic Vectoring and Streaming Signature and Heuristic Analysis Heuristics Detection Identify Unusual Behaviors Antimalware Scanning Optimizes efficiency and catch rate with intelligent multiscanning Enhances coverage with multiple signature scanning engines Multiple Antimalware Scanning Engines Signature Inspection Identify Known Behaviors Parallel Scans, Stream Scanning Identifies encrypted malicious traffic by decrypting and scanning SSL traffic Improves user experience with parallel scanning for the fastest analysis Provides the latest coverage with automated updates

35 Real-Time Sandbox Analysis for Zero-Day Defense Real-Time Emulation

36 Layer 4 Traffic Monitor Packet and Header Inspection Network - Layer Analysis Internet Users Cisco S-Series Preventing Phone-Home Traffic Scans all traffic, all ports, all protocols Detects malware bypassing port 80 Prevents botnet traffic Powerful Antimalware Data Automatically updated rules Real-time rule generation using dynamic discovery

37 Content Scanning in action: Windows 10 Upgrade

38 Deep Dive: Advanced Malware

39 Cisco AMP Delivers a Better Approach Point-in-Time Protection Retrospective Security File Reputation, Sandboxing, and Behavioral Detection Continuous Analysis

40 Point-in-Time, Continuous, and Retrospective Security AMP enables you to know: where the threat started understand how it entered the system see everywhere it s been determine what it s done learn how to stop it. Policy AV 1 AMP File Reputation File Unknown 2 AMP Dynamic Malware Analysis OI Retrospective Incidents 3 AMP Cloud AMP Retrospection Know Where It All Started Understand How It Entered the System See Everywhere It Has Been Determine What It Has Done Learn How to Stop It

41 Accurate Threat Identification with File Reputation File Reputation One-to-One Identifies specific instances of malware with a signature-based approach Fuzzy Fingerprinting Automatically detects polymorphic variants of known malware Machine Learning Identifies new malware using statistical modeling and analytics engines Machine Learning Decision Tree Possible Malware Confirmed Malware Confirmed Clean File Collective User Base Collective User Base Possible clean file Confirmed Clean File Confirmed Clean File

42 Zero-Day Detection with Dynamic Malware Analysis Dynamic Malware Analysis Dynamic Analysis Analyzes unknown malware and assigns a threat score within minutes Advanced Analytics Works in tandem with One-to-One, fuzzy fingerprinting, and machine learning to identify malware that remains undetected Collective User Base AMP Dynamic Malware Analysis AMP Dynamic Malware Analysis Collective User Base

43 Incoming Traffic AMP Threat Grid Public Cloud Cisco AMP Client AMP Cloud Advanced malware analysis combined with deep threat analytics content in a single solution ESA or WSA AMP Connector Threat Grid API File Reputation update In-depth malware analysis and data pivoting capabilities Local AV Scanners Optional Threat Grid Appliance Threat Grid Cloud Robust API to integrate and automate sample submissions Automated threat intelligence feeds

44 AMP Threat Grid Low Prevalence Files Actionable AMP Threat threat Grid content platform and intelligence correlates is generated the sample that can be packaged result 00 with and integrated millions in to 00 a variety of other of existing samples systems and or Analyst or system (API) submits suspicious used billions independently. of artifacts Threat Score / Behavioral Indicators sample to Threat Grid Big Data Correlation Threat Feeds Actionable Intelligence AMP Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts Proprietary techniques for static and dynamic analysis Outside looking in approach 350 Behavioral Indicators An automated engine observes, deconstructs, and analyzes using multiple techniques Sample and Artifact Intelligence Database Actionable threat content and intelligence is generated that can be utilized by AMP, or packaged and integrated into a variety of existing systems or used independently.

45 Get Insight on What and Where with Retrospection File Retrospection Analyze Monitor Identify 1 Performs analysis the first time a file is seen 2 Analyzes the file persistently over time to see if the disposition is changed 3 Gives unmatched visibility into the path, actions, or communications associated with a particular software

46 AMP Everywhere *AMP for Endpoints can be launched from AnyConnect Virtual AMP for Networks Windows OS Android Mobile MAC OS AMP for Endpoints AMP on Cisco ASA Firewall with FirePOWER Services AMP Advanced Malware Protection AMP Private Cloud Virtual Appliance AMP Threat Grid Malware Analysis + Threat Intelligence Engine Appliance or Cloud CWS AMP on Web and Security Appliances AMP for Cloud Web Security and Hosted

47 AMP in action: My Resume sent with an attached zip file that contains a resume (html) Through redirection, Cryptowall 3.0 is delivered after execution Protection provided via , Web and AMP

48 Deep Dive: Reporting & Analytics

49 Finding the needle in the haystack Message tracking is key tool to finding messages inbound and outbound on the appliances Messages can be filtered to look for specific criteria Use an Security Management Appliance (SMA) to consolidate tracking and reporting from multiple appliances

50 ESA Reporting API Introduced in version 9.0 Full REST based API for reporting data Results returned in JSON format Resource request (Health Status) Agent Auth Type Data returned in JSON

51 Web Interaction Tracking Enabling tracking of URLs rewritten by policy Filtering User A Rewritten URL: 2asyncfs.com Click Time: 09:23:25 12 Jan 2015 Re-write reason: Outbreak Action taken: Blocked User B Rewritten URL: 5asynxsf.com Click Time: 11:01:13 09 Mar 2015 Re-write reason: Policy Action taken: Allowed App 1 App 2 App 3 App 5 App 4 G App 6 App 7 Potentially Malicious URLs Rewritten URLs User C Rewritten URL: 8esynttp.com Click Time: 16:17:44 15 Jun 2015 Re-write reason: Outbreak Action taken: Blocked Monitor users from a single pane of glass

52 Drill Down Reporting Web Integration Tracking

53 AMP Reporting: Tracking Malware Block based on hash value Something changed with a file Files sent to the Sandbox AMP Blocks file based on changed disposition Ben s PC needs to be checked

54 Cisco Cloud Access Security In collaboration with??? Cloud Apps???????? Shadow IT Risk Assessment Report WSA Security Operations Center Audit Analyze & Control Detect Securlet IO IOI IO IOI 17 IO IOI IO IOI Gateway 54 Data Account User Audit Score Business Readiness Rating Shadow Data Risk Assessment StreamIQ ThreatScore Before During Protect Cloud SOC Policy IO IOI IO IOI IO IOI IO IOI ContentIQ Elastica CloudSOC Investigate IO IOI Reports & Analysis After

55 Cognitive Threat Analytics (CTA) Integration Reduced time to discovery Active, continuous monitoring to stop the spread of an attack Normal or not? Spots symptoms of infection using behavioral anomaly detection algorithms and trust modeling Security that learns Uses machine learning and big data analytics to learn from what it sees and adapt over time Behavior Analysis Machine Learning Anomaly Detection No more rule sets Discovers threats on its own just turn it on

56 Proxy Cognitive Threat Analytics As users go through a web proxy, access logs are generated Time IP URL User Agent 2: Mozilla ( 2: Mozilla ( 2: Chrome ( 2: Mozilla ( HTTP/HTTPS Cisco Cognitive Threat Analytics (CTA) HTTP/HTTPS Headers (meta data)

57 CTA Layered Processing Anomaly Detection Trust Modeling Classification Entity Modeling Relationship Modeling Cluster 1 Classifier X Classifier A Cluster 1 Threat Campaigns Cluster 3 Cluster 2 Classifier H Classifier Z Classifier K Classifier M Cluster 2 Cluster 3 10B requests per day +/- 1% is anomalous 10M events per day 1K-50K incidents per day Near real-time processing

58 C&C URLS

59 AMP ThreatGRID enriches CTA reports Key benefits C&C channels linked with threat artifacts Endpoint-level data Help define custom IoC

60 CTA Exports STIX / TAXII API Transform Poll Service CTA Incident STIX formatted CTA threat intelligence Adapter TAXII Log Adapter:

61 In Closing

62 Today s cyber-threat reality Your environment will get breached You ll most likely be infected via Hackers will likely command and control your environment via web

63 Cisco provides some of the best protection available No one can provide 100% protection 2015 NSS Breach Detection Report

64 The Reality We need to do better. It s not an option. It s a requirement. Now is the time. We re ready. Are you?

65 Thank you

66

67