Security Experts Webinar: Content Security, Email and Web
Fabio Panada, Consulting Systems Engineer, Security
Mauro Pellicioli, Systems Engineer
May 2016
Content Security - Agenda
- Threat Landscape
- Cisco Approach to Modern Threats
- Web Security
- Email Security
- Q&A
Threat Landscape
Attack Surface - Email
- Attackers have a growing appetite to leverage targeted phishing campaigns
- SPAM up 250%
- Example: snowshoe SPAM attack
- Email morphing
Attack Surface - Web Browsers
- More than 85% of the companies studied were affected each month by malicious browser extensions
Attack Surface - User Error on the Web
- Users are becoming complicit enablers of attacks: untrustworthy sources, clickfraud and adware, outdated browsers
- 10% of IE requests vs 64% of Chrome requests are running the latest browser version
Exploit Kits, e.g. Cryptowall 4.0
- Notorious ransomware
- Version 1 first seen in 2014
- Distributed via exploit kits and phishing emails
- Fast evolution
Web and Email Are Portable: mobile, coffee shop, corporate, home, airport
Sample Attack: Joe, CFO
Joe opens the link and the resort video plays. Although he doesn't know it, Joe's machine has been compromised by a Silverlight-based video exploit. Joe is now infected. The malware now starts to harvest Joe's confidential information:
- Passwords
- Credentials
- Company access authorizations
The Attack Continuum
- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Defend
- AFTER: Scope, Contain, Remediate
Applies across Network, Endpoint, Mobile, Virtual and Cloud
Threat Intelligence: point in time vs continuous
Cloud to Core Coverage
- ENDPOINT: 18.5 BILLION AMP queries a day; software: ClamAV, Razorback, Moflow
- WEB: 16 BILLION web requests a day; reputation, URL filtering, AVC
- CLOUD: FireAMP and ClamAV detection content
- EMAIL: 300 BILLION email messages a day; reputation, antispam, outbreak filters
Cisco Email Security Integration with Threat Intelligence - Built on Outstanding Collective Security Analytics
Cisco SIO (email, endpoints, web, networks, IPS, devices): 1.6 million global sensors; 100 TB of data received per day; 150 million+ deployed endpoints; 600+ engineers, technicians, and researchers; 35% of worldwide email traffic; 13 billion web requests; 24x7x365 operations; 40+ languages
Cisco Sourcefire VRT (Vulnerability Research Team): 180,000+ file samples per day; Cisco AMP community; advanced Microsoft and industry disclosures; Snort and ClamAV open source communities; honeypots; Sourcefire AEGIS program; private and public threat feeds; dynamic analysis
Talos feeds the Cisco ESA and AMP (Advanced Malware Protection)
Email Security
Cisco Email Security Threat Defense - Complete Inbound Protection
Cisco Talos feeds each layer; each layer's action on a match:
- SenderBase Reputation Filtering: drop
- Antispam: drop/quarantine
- Antivirus: drop/quarantine
- Advanced Malware Protection (AMP): drop/quarantine
- Graymail Detection: rewrite
- Outbreak Filters: quarantine/rewrite
- Real-Time URL Analysis: deliver, quarantine, rewrite URLs, or drop
Cisco Email Reputation Database
Threat intelligence inputs:
- Over 1.6 million global devices
- Historical library of 40,000 threats
- Spam traps, complaint reports, IP blacklists and whitelists
- 35% of global email traffic seen per day
- 13 billion+ worldwide web requests seen per day
- 200+ parameters tracked: message composition data, compromised host lists, website composition data, global volume data, domain blacklists and safelists, other data
Benefits (multivector visibility):
- 360-degree dynamic threat visibility
- Understanding of vulnerabilities and exploit technologies
- Visibility into the highest threat vehicles
- Latest attack trends and techniques
Output: IP Reputation Score from -10 to +10
Antispam Processing - Defense in Depth
Incoming mail (good, bad, and unknown email) is scored by SBRS (powered by Cisco SIO) and mail policies then apply:
- Known bad email is blocked before entering the network
- Suspicious emails are rate limited and spam filtered
- Normal mail is spam filtered
- Whitelisted mail is spam filtered
Intelligent Multiscan (IMS) combines the Cisco Antispam Engine with further antispam engines (Antispam Engine B, future engines), scoring on what, who, where, when and how; URL reputation and context are used in scoring.
Results: > 99% catch rate; < 1 in 1 million false positives
Antispam Architecture - Marketing Message Detection
Example of a marketing message: "Privacy Policy. At Buy.com, your privacy is a top priority. Please read our privacy policy details. All information collected from you will be shared with Buy.com and its affiliate companies."
URL Defense - Integrated Email and Web Security
When an email contains a URL, Cisco Talos URL reputation and categorization decides the action:
- Rewrite: the click is sent to the cloud for analysis
- Defang: e.g. BLOCKEDwww.playboy.comblocked, BLOCKEDwww.proxy.orgblocked
- Replace: "This URL is blocked by policy"
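The rewrite/defang/replace decision above, as an added Python example (not the webinar's or Cisco's product code). The verdict table, the cloud-scanning proxy URL and the host names are constructed stand-ins for the Talos reputation lookup, so a practitioner can see how a body is rewritten link by link and which decision was taken for each.

```python
import re
from urllib.parse import quote

# Constructed stand-in for the URL reputation/categorization service:
# host -> (category, action). Real verdicts come from threat intelligence.
URL_VERDICTS = {
    "www.bad-example.test": ("malware", "block"),
    "www.adult-example.test": ("adult", "defang"),
    "www.news-example.test": ("news", "allow"),
}

# Assumed (constructed) cloud click-time analysis endpoint.
CLOUD_PROXY = "https://cloud-scan.example.test/redirect?u="

# Matches http(s) URLs; trailing punctuation and quotes are left outside.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)([^\s<>\"',]*)")


def lookup(host):
    """Return (category, action); hosts with no verdict are sent to the cloud."""
    return URL_VERDICTS.get(host.lower(), ("unknown", "rewrite"))


def rewrite_body(body):
    """Rewrite every URL in an email body according to its verdict.

    Returns the new body and a list of (host, category, action) decisions
    in the order the URLs appeared, for logging or message tracking.
    """
    decisions = []

    def replace(match):
        original, host, path = match.group(0), match.group(1), match.group(2)
        category, action = lookup(host)
        decisions.append((host, category, action))
        if action == "block":          # replace the link with a policy notice
            return "This URL is blocked by policy"
        if action == "defang":         # keep it visible but unclickable
            return f"BLOCKED{host}{path}blocked"
        if action == "rewrite":        # route the click through cloud analysis
            return CLOUD_PROXY + quote(original, safe="")
        return original                # allow: leave untouched

    return URL_RE.sub(replace, body), decisions


if __name__ == "__main__":
    sample = ("Read http://www.news-example.test/story, then "
              "http://www.bad-example.test/p.exe or https://www.other.test/page")
    new_body, log = rewrite_body(sample)
    print(new_body)
    for entry in log:
        print(entry)
```

The decision log is what you would feed into message tracking so that a later retrospective query ("who received a link to this host?") has something to search.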
Antivirus - Defense in Depth
After the antispam engines (Cisco Anti-Spam), a choice of antivirus engines: Sophos, McAfee, or both Sophos and McAfee
Cisco Zero-Hour Malware Protection - Advanced Malware Protection
Cisco AMP integration:
- File Reputation: known file reputation, kept current by reputation updates
- File Sandboxing: unknown files are uploaded for sandboxing (archives, Windows PE, PDF, MS Office)
- Outbreak Filters
Cisco Zero-Hour Malware Protection - Cisco AMP Retrospective Alerts
Retrospective alerts and reports:
- Give updates on files that have passed through the system
- Alert administrators to files that have changed disposition
- Inform you of files that had delayed payloads or other techniques designed to bypass sandboxing
Collective Security Intelligence + Event History + Retrospection = Continuous Advanced Threat Protection
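How a retrospective alert arises from event history plus a later verdict change, as an added Python example (not Cisco's or the webinar's code). The gateway records every file it let through together with the verdict at that moment; when a reputation update changes the verdict, the log names the recipients who were exposed. The SHA-256 values and addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed placeholders standing in for real SHA-256 file hashes.
SAMPLE_A = "a" * 64
SAMPLE_B = "b" * 64


class RetrospectionLog:
    """Event history of files that already passed the gateway, re-evaluated
    whenever the reputation service updates a verdict."""

    def __init__(self):
        self.history = defaultdict(list)   # sha256 -> [(recipient, verdict at delivery)]
        self.current = {}                  # sha256 -> latest known verdict
        self.alerts = []

    def record_delivery(self, sha256, recipient, disposition):
        """Log a file that was delivered (or held) with its verdict at that time."""
        self.history[sha256].append((recipient, disposition))
        self.current[sha256] = disposition

    def reputation_update(self, sha256, new_disposition):
        """Apply an updated verdict from the reputation cloud.

        Returns an alert dict when the disposition of a file that already
        passed through changes, otherwise None. The alert scopes the exposure:
        every recipient who received the file while it was not yet blocked.
        """
        old = self.current.get(sha256)
        self.current[sha256] = new_disposition
        if old is None or old == new_disposition:
            return None
        exposed = sorted({r for r, d in self.history[sha256] if d != "malicious"})
        alert = {
            "sha256": sha256,
            "previous": old,
            "now": new_disposition,
            "recipients": exposed,
            "action": "remediate" if new_disposition == "malicious" else "inform",
        }
        self.alerts.append(alert)
        return alert


def demo():
    """Constructed scenario: a sandboxed file with a delayed payload turns malicious."""
    log = RetrospectionLog()
    log.record_delivery(SAMPLE_A, "cfo@example.test", "unknown")   # no verdict yet at delivery
    log.record_delivery(SAMPLE_A, "hr@example.test", "unknown")
    log.record_delivery(SAMPLE_B, "it@example.test", "clean")
    unchanged = log.reputation_update(SAMPLE_B, "clean")         # same verdict: no alert
    changed = log.reputation_update(SAMPLE_A, "malicious")       # delayed payload detected
    return unchanged, changed


if __name__ == "__main__":
    print(demo())
```

The "recipients" list is the scoping step of the AFTER phase: it tells the responder which mailboxes to pull the message from before the verdict is acted on at the endpoint.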
DLP and Compliance - Standalone or Part of a Comprehensive DLP Solution
- Accurate, easy, and extensible on-box RSA DLP engine (data-loss prevention): email uptime, threat prevention, email scanning, policy enforcement
- Integrated with RSA Enterprise DLP: risk-policy definition, incidents, policies, advanced incident workflow, fingerprinting
Rate Limiting - Outbound Rate Limit per Mail From
- Users can send up to 100 mails per hour (typical user: 1-100 emails)
- The administrator can set the rate limit for individual senders; it can be set higher for senders such as marketing or the customer help desk (known high-volume sender: 101-1000 emails)
- Receive alerts identifying high-volume, possibly infected senders (malicious sender); the admin is alerted when the limit is hit
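The outbound per-sender limit described above, as an added Python example (not Cisco's or the webinar's code): a sliding one-hour window per Mail From address, a default of 100 messages per hour, per-sender overrides for known high-volume senders, and an administrator alert raised once when a sender hits its limit. Sender addresses and the limit values in the demo are constructed.

```python
from collections import defaultdict, deque


class OutboundRateLimiter:
    """Per-sender (Mail From) hourly limit with administrator overrides.

    Messages beyond the limit are deferred ("rate-limit") and the
    administrator is alerted once per burst for the sender that hit it.
    """
    WINDOW_SECONDS = 3600

    def __init__(self, default_limit=100, overrides=None):
        self.default_limit = default_limit
        self.overrides = dict(overrides or {})   # sender -> individual limit
        self.sent = defaultdict(deque)            # sender -> send times inside the window
        self.alerted = set()                      # senders currently over their limit
        self.alerts = []                          # admin alert log

    def limit_for(self, sender):
        return self.overrides.get(sender, self.default_limit)

    def check(self, sender, now):
        """Return "accept" or "rate-limit" for a message from sender at time now (seconds)."""
        window = self.sent[sender]
        while window and now - window[0] >= self.WINDOW_SECONDS:
            window.popleft()                      # forget sends older than one hour
        limit = self.limit_for(sender)
        if len(window) < limit:
            window.append(now)
            self.alerted.discard(sender)          # back under the limit: re-arm the alert
            return "accept"
        if sender not in self.alerted:            # alert the admin once when the limit is hit
            self.alerted.add(sender)
            self.alerts.append(f"{sender} hit {limit} messages/hour at t={now}; possibly infected")
        return "rate-limit"


def demo():
    """Constructed scenario: a typical user bursting past 100/hour and a
    marketing sender with a 1000/hour override."""
    limiter = OutboundRateLimiter(default_limit=100,
                                  overrides={"marketing@example.test": 1000})
    user = "typical.user@example.test"
    for t in range(100):
        limiter.check(user, t)                    # first 100 in the hour are accepted
    return {
        "user_101st": limiter.check(user, 100),
        "user_102nd": limiter.check(user, 101),
        "user_after_window": limiter.check(user, 3601),
        "marketing_500_in_a_burst": all(
            limiter.check("marketing@example.test", 0) == "accept" for _ in range(500)),
        "alerts": list(limiter.alerts),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A sudden burst from an account that normally sends a handful of mails a day is the signal the slide calls a "possibly infected sender"; the alert, not the deferral, is what gets the account looked at.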
Cisco Envelope Encryption - Easy for the Sender
The Cisco Email Security Appliance issues the message key and the sender controls the recipient's access.
- Automated key management
- No desktop software requirements
- Send transparently to any email address
- Encryption triggered by keywords, policies, senders, recipients, etc.
And Easy for the Recipient
Cisco Registered Envelope Service (corporate credentials optional):
1. Open attachment
2. Confirm identity
3. View message
Flexible Deployment Options - Industry-Leading, Best-in-Class Email Protection at the Gateway
- On premises: appliance, virtual
- Cloud: cloud, managed
- Hybrid
- Multidevice support: desktop, laptop, mobile, tablet
Web Security
Web Pages Contain Hidden Threats
Potential threats: Flash, Java, JPG, PDF, script.exe, etc.
Loss of Productivity Is Also a Threat - How Much Bandwidth and Time Is Being Wasted on Web 2.0 Every Day?
- Facebook time: 2,110,516 minutes, or 35,175 hours, 1465 days, 4.1 years
- Number of Facebook likes: 3,925,407; at 1 second a like, that's almost 1100 hours per day, or 45 days, just liking things
- Bytes on YouTube video playback: 11,344,463,363,245, or 10 TB
- Pandora: 713,884,303,727 bytes, or 0.6 TB
- Total browse time for the day: 2,270,690,423, or 4320 years
- Total bytes for the day: 70,702,617,989,737, or 64 TB (15% from YouTube)
Source: Cloud Web Security Report
Cisco Web Security Appliance (WSA) - appliance or virtual, fed by Talos
- Before: Web Reputation, Web Filtering, Application Visibility and Control, Cloud Access Security
- During: Parallel AV Scanning, File Reputation, Data-Loss Prevention, File Sandboxing, Cognitive Threat Analytics*
- After: File Retrospection
Client authentication technique: Cisco ISE
Traffic redirection: WCCP, load balancer, explicit/PAC, PBR, AnyConnect client
Deployed for HQ, campus office, branch office and roaming users; admin management, reporting, log extraction
Verdicts: allow, warn, partial
* Roadmap feature: projected release 2H CY15
Reputation Analysis - The Power of Real-Time Context
IP Reputation Score from -10 to +10, built from context on who, where, how and when:
- Who: domain owner (e.g. example.com, example.org)
- Where: server location (e.g. San Jose, London, Beijing, Kiev) and IP address (e.g. 192.1.0.68, 17.0.2.12)
- How: dynamic IP address, HTTPS/SSL
- When: web domain/server registered less than 1 month ago vs more than 1 year ago
Example risk signal: suspicious server in a high-risk location
Cisco Web Usage Controls - URL Filtering and Dynamic Content Analysis
If the URL is known in the URL database, policy is enforced directly (allow, warn, partial). If it is unknown, the page is analyzed:
1. Scans text
2. Scores relevancy
3. Calculates model document proximity
4. Returns the closest category match (e.g. Finance, Adult, Health)
5. Enforces policy (allow, warn, partial)
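The five steps above carried through as an added Python example (not Cisco's categorization algorithm or code): term frequencies for relevancy, cosine proximity to one model document per category, closest-category match with an Unknown fallback, and a policy lookup, with the known-URL shortcut in front of it. The model documents, URL database and policy table are constructed assumptions; the real engine uses far larger corpora and more categories.

```python
import re
from collections import Counter
from math import sqrt

# Constructed model documents, one per category (assumption; the real URL
# database is built from far larger corpora and many more categories).
MODEL_DOCUMENTS = {
    "Finance": "stock market shares dividend investment portfolio bank loan interest rate mortgage trading",
    "Health": "doctor symptoms treatment clinic patient medicine diet exercise hospital diagnosis vaccine",
    "Adult": "adults only explicit mature nudity escort dating",
}

# Constructed acceptable-use policy per category.
POLICY = {"Finance": "Allow", "Health": "Allow", "Adult": "Block", "Unknown": "Warn"}

WORD_RE = re.compile(r"[a-z]+")


def term_weights(text):
    """Steps 1-2: scan the text and weight each term by its frequency."""
    return Counter(WORD_RE.findall(text.lower()))


MODEL_VECTORS = {cat: term_weights(doc) for cat, doc in MODEL_DOCUMENTS.items()}


def proximity(page, model):
    """Step 3: cosine similarity between the page vector and a model document."""
    dot = sum(weight * model.get(term, 0) for term, weight in page.items())
    norm_page = sqrt(sum(w * w for w in page.values()))
    norm_model = sqrt(sum(w * w for w in model.values()))
    return dot / (norm_page * norm_model) if norm_page and norm_model else 0.0


def categorize(text, threshold=0.1):
    """Step 4: return (closest category, score); Unknown when nothing is close enough."""
    page = term_weights(text)
    scores = {cat: proximity(page, vec) for cat, vec in MODEL_VECTORS.items()}
    best = max(scores, key=scores.get)
    if scores[best] < threshold:
        return "Unknown", scores[best]
    return best, scores[best]


def decide(url, page_text, url_database):
    """Step 5: known URLs use the database category; unknown pages are analyzed first."""
    category = url_database.get(url)
    if category is None:
        category, _ = categorize(page_text)
    return category, POLICY.get(category, "Warn")


if __name__ == "__main__":
    known = {"http://known.example.test/": "Adult"}          # constructed URL database
    print(decide("http://known.example.test/", "", known))
    print(decide("http://new.example.test/",
                 "Shares fell as the bank raised its mortgage interest rate", known))
    print(decide("http://other.example.test/",
                 "Tonight the football team plays its final match", known))
```

The threshold is the important knob: below it the page is reported as Unknown and gets the Warn action rather than being forced into the nearest category on a weak match.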
Acceptable Use Controls for Today's Web - Reduce Disruptions from Distracted Users
URL Filtering:
- URL database covers over 50 million sites worldwide
- Real-time dynamic categorization for unknown URLs
Application Visibility and Control (AVC): 1000+ apps, 150,000+ micro-apps
- Control over collaborative and Web 2.0 applications
- Policy control over which apps can be used by which users and devices
- Granular enforcement of behaviors within applications (application behavior)
- Visibility of activity across the network
Time and Volume Quotas - Intelligent Controls of Bandwidth Usage
- Time and volume quotas allow WSA administrators to configure policies to restrict access based on amount of data (in bytes) and time
- Quotas are applicable to HTTP, HTTPS, and FTP traffic
- Can be configured under access policies and decryption policies
- Can be configured with time ranges to apply them for specific periods of time
- Quotas are reset daily; the reset time is configurable
- When more than one quota is applicable, the most restrictive quota applies
- Quotas are applied per user; when user identity is not available, they are applied per IP address
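The quota rules above implemented as an added Python example (not the WSA's code): byte and time quotas, optional time ranges, a daily reset at a configurable time, per-user accounting that falls back to the client IP when there is no user identity, and "most restrictive wins" when several quotas apply. Quota names, users, addresses and the timestamp in the demo are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Optional


@dataclass
class Quota:
    name: str
    max_bytes: Optional[int] = None              # volume quota per day
    max_seconds: Optional[int] = None            # time quota per day
    applies_to: set = field(default_factory=set) # users or IPs; empty = everyone
    time_range: Optional[tuple] = None           # (start_hour, end_hour), local time


@dataclass
class Usage:
    bytes: int = 0
    seconds: int = 0


class QuotaEngine:
    """Tracks usage per identity against a set of quotas.

    Identity is the user when known, otherwise the client IP; usage resets
    once a day at a configurable time; when several quotas apply, any quota
    that would be exceeded blocks the request (the most restrictive wins).
    """

    def __init__(self, quotas, reset_time=time(0, 0)):
        self.quotas = list(quotas)
        self.reset_time = reset_time
        self.usage = {}          # (quota name, identity) -> Usage
        self.last_reset = None

    @staticmethod
    def identity(user, ip):
        return user if user else ip

    def _maybe_reset(self, now):
        boundary = datetime.combine(now.date(), self.reset_time)
        if boundary > now:                       # today's reset hasn't happened yet
            boundary -= timedelta(days=1)
        if self.last_reset is None or self.last_reset < boundary:
            self.usage.clear()
            self.last_reset = boundary

    def _applicable(self, identity, now):
        for q in self.quotas:
            if q.applies_to and identity not in q.applies_to:
                continue
            if q.time_range and not (q.time_range[0] <= now.hour < q.time_range[1]):
                continue
            yield q

    def check(self, user, ip, now, request_bytes=0, request_seconds=0):
        """Return "allow" (charging the usage) or "block" for one request."""
        self._maybe_reset(now)
        who = self.identity(user, ip)
        applicable = list(self._applicable(who, now))
        for q in applicable:                     # any exhausted quota blocks
            used = self.usage.setdefault((q.name, who), Usage())
            if q.max_bytes is not None and used.bytes + request_bytes > q.max_bytes:
                return "block"
            if q.max_seconds is not None and used.seconds + request_seconds > q.max_seconds:
                return "block"
        for q in applicable:                     # charge every applicable quota
            used = self.usage[(q.name, who)]
            used.bytes += request_bytes
            used.seconds += request_seconds
        return "allow"


MB = 1_000_000


def demo():
    """Constructed scenario: three quotas, two users and one unauthenticated IP."""
    engine = QuotaEngine([
        Quota("daily-volume", max_bytes=1000 * MB),
        Quota("office-hours-time", max_seconds=30 * 60, time_range=(9, 17)),
        Quota("contractor-volume", max_bytes=100 * MB, applies_to={"bob"}),
    ])
    t = datetime(2016, 5, 10, 10, 0)            # constructed timestamp
    return [
        engine.check("alice", "10.0.0.1", t, 50 * MB, 600),                  # allow
        engine.check("alice", "10.0.0.1", t.replace(minute=30), 0, 1500),   # block: 35 min > 30 min
        engine.check("alice", "10.0.0.1", t.replace(hour=18), 0, 1500),     # allow: time quota only 9-17
        engine.check("bob", "10.0.0.2", t, 60 * MB, 0),                      # allow
        engine.check("bob", "10.0.0.2", t, 50 * MB, 0),                      # block: contractor quota stricter
        engine.check(None, "10.0.0.5", t, 10 * MB, 0),                       # allow, accounted per IP
        engine.check("alice", "10.0.0.1", t + timedelta(days=1), 0, 1500),  # allow: daily reset
    ]


if __name__ == "__main__":
    print(demo())
```

Bob's second request shows the "most restrictive" rule: the global daily quota still has room, but the contractor quota scoped to him does not, so the request is blocked.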
Cisco AMP Delivers a Better Approach
- Point-in-time protection: file reputation, sandboxing, and behavioral detection
- Retrospective security: continuous analysis, unique to Cisco AMP
Improve the Accuracy of Threat Identification with File Reputation
File Reputation:
- One-to-one: identifies specific instances of malware with a signature-based approach
- Fuzzy fingerprinting: automatically detects polymorphic variants of known malware
- Machine learning: identifies new malware using statistical modeling and analytics engines
Pipeline: AMP collective user base -> File Reputation -> AMP Dynamic Malware Analysis -> CTA layers -> File Retrospection
- CTA Layer 1: anomaly detection, trust modeling
- CTA Layer 2 (CWS Premium): event classification, entity modeling; a machine-learning decision tree turns "possible malware" and "possible clean file" into "confirmed malware" or "confirmed clean file"
- CTA Layer 3: relations
Get Insight on What a File Has Done and Where It Has Been with File Retrospection
File Retrospection (analyze, monitor, identify):
1. Performs analysis the first time a file is seen
2. Analyzes the file persistently over time to see if the disposition has changed
3. Gives unmatched visibility into the path, actions, or communications associated with a particular piece of software
Pipeline: AMP File Reputation -> AMP Dynamic Malware Analysis -> CTA Layer 1 (anomaly detection, trust modeling) -> CTA Layer 2, CWS Premium (event classification, entity modeling) -> CTA Layer 3 (relations) -> File Retrospection
AMP Threat Grid Feeds Dynamic Malware Analysis and Threat Intelligence to the Cisco AMP Solution
Incoming traffic passes the web proxy (public Cloud Web Security, or a WSA with the AMP connector and optional local AV scanners); samples go through the Threat Grid API to the Threat Grid Cloud or an optional Threat Grid Appliance, and file reputation updates flow back to the AMP Cloud and AMP clients.
- Advanced malware analysis combined with deep threat analytics content in a single solution
- In-depth malware analysis and data pivoting capabilities
- Robust API to integrate and automate sample submissions
- Automated threat intelligence feeds
Easily Identify and Prioritize Threats
- Easy-to-understand threat scores guide decision making
- 450+ behavioral indicators (and growing): malware families, malicious behaviors, and more
- Detailed description and actionable information
- Prioritize threats with confidence
- Enhance SOC analyst and IR knowledge and effectiveness (and security product)
How CTA Analyzes a Threat
Attacker techniques: Domain Generation Algorithm (DGA), data tunneling via URL (C&C)
Example sequence as seen through the WSA proxy (web reputation, AV): DGA domain, age 3 hours; DGA domain, age 1 day; DGA domain, age 2 weeks; C&C domain, age 2 weeks, with active channels
Data Loss Prevention - Reduce Risk of Sensitive Information Leaks
- Basic DLP: CWS cloud, WSA on-premises
- Advanced DLP: enterprise DLP integration through the ICAP protocol (WSA + DLP vendor box)
Redirect Roaming Users to Premises and Cloud - Cisco AnyConnect Secure Mobility Client
The client is installed on the machine and web traffic redirection depends on location:
- Roaming laptop, mobile, or tablet user with VPN: backhauls traffic through the VPN tunnel to HQ; the router or firewall reroutes traffic to WSA or CWS; WSA applies the web security features
- Roaming laptop user with ACWS: routes traffic through an SSL tunnel directly to the closest Cisco cloud proxy; CWS applies the web security features
Web security delivers the verdict: allow or warn
Extend User Identity and Context - Identity Services Engine Integration (available only on WSA)
Cisco Identity Services Engine acquires important context and identity from the network (who: doctor or guest; what: laptop or iPad; where: office) and applies a consistent secure access policy:
- Provides differentiated access to the network (e.g. confidential patient records, internal employee intranet, Internet)
- Monitors and provides visibility into unauthorized access
- Cisco TrustSec provides segmentation throughout the network
- Cisco Web Security Appliance provides web security and policy enforcement
Centralized Management and Reporting - Complete Solution for On-Premises or Cloud Deployment
Centralized management: centralized policy management, delegated administration
Centralized reporting: in-depth threat visibility, extensive forensic capabilities
- Insight: across threats, data, and applications
- Control: consistent policy across offices and for remote users; analyze, troubleshoot, and refine security policies
- Visibility: across different devices, services, and network layers
With Unified Reporting and Policy Management
Unified reporting and unified policies for roaming users and HQ across WSA and Cloud Web Security, through the Web Security Reporting Application and its graphical user interface
Flexible Deployment Options - On- and Off-Premises
- On-premises: appliance, virtual, next-generation firewall
- Cloud: connectors and redirects via router, firewall, appliance, or roaming client
- Client options: implicit or explicit
Call to Action
- Trial version: WSA/CWS/CTA, ESA/CES
- 45 days try and buy
- Ask your Cisco Sales Rep