Cisco Security Exposed Through the Cyber Kill Chain


Cisco Research & Teaching Forum for Mecklenburg-Vorpommern
Cisco Security Exposed Through the Cyber Kill Chain
Rene Straube, CSE, Cisco Advanced Threat Solutions
January 2017

The Cisco Security Model
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Applied across Network, Endpoint, Mobile, Virtual and Cloud, backed by Threat Intelligence
Point in Time vs. Continuous protection

Based on Lockheed Martin's Cyber Kill Chain
Preparation
1. Reconnaissance: Harvest information to create attack strategy and toolset
2. Weaponization: Coupling exploit with backdoor into deliverable payload
Intrusion
3. Delivery: Delivering weaponized bundle to the victim via email, web, USB, etc.
4. Exploitation: Exploiting a vulnerability to execute code on victim's system
Active Breach
5. Installation: Installing malware on the asset
6. Command & Control: Command channel for remote manipulation of victim's system
7. Actions on Objectives: With Hands on Keyboard access, intruders accomplish

1. Reconnaissance: Harvest information to create attack strategy and toolset
Information harvested: OS, AV, Applications, Ports, Personal Information

Reduce your threat exposure
Network Firewalling: Block unauthorized access and activity by controlling traffic flow
Application Visibility and Control (AVC): Tailor application behavior to reduce attack surface and risk of data loss
URL Filtering: Restrict access to specific sites and sub-sites, as well as categories of sites
VPN Capabilities: Protect both site-to-site connections and remote users with granular control
Next Generation Intrusion Prevention System (NGIPS): Detect and prevent threats from entering your network

Get more with advanced intelligence and integrated defense
Shared intelligence: Talos
Shared contextual awareness (Visibility): Radware DDoS, URL, Network analysis, Email, Threats, Identity & NAC, DNS, Firewall
Consistent policy enforcement: Firepower 4100 Series, Firepower Management Center, Firepower 9300 Platform

SECURITY SOLUTION STARTS WITH CISCO ASA
Virtual ASA (ASAv): Full ASA Feature Set, Hypervisor Independent, Virtual Switch Agnostic, Dynamic Scalability; ASAv available on VMware, KVM, Hyper-V and AWS today
Physical ASA (ASA 5585-X): 16-Way Clustering with State Synchronization, Scalable to 640 Gbps

Cisco NGFW Platforms
New Appliances: Firepower 4100 Series and Firepower 9300
Firepower Services on ASA 5500-X
Firepower Services on ASA 5585-X
All* Managed by Firepower Management Center
*5585-X management available 2H 16 (pre-commit date)

Introducing Cisco Identity Services Engine
A centralized security solution that automates context-aware access to network resources and shares contextual data (Physical or VM)
Identity, Profiling and Posture -> Role-Based Policy -> Access to Network Resources
Context: Who, What, When, Where, How
Traditional network vs. Cisco TrustSec network
Guest Access, BYOD Access, Role-Based Access, Compliant Secure Access
ISE pxGrid Controller

Control It All from a Single Location
Network, Data, and Application
Secure access from any location, regardless of connection type (Wired, Wireless, VPN)
Apply access and usage policies across the entire network (Admin, Headquarters, Branch, Remote User)
Monitor access, activity, and compliance of noncorporate assets; take containment actions when needed (Guest, Enterprise Mobility, Contractor, Partner)

Enhance Control with Location-Based Authorization
With the Integration of Cisco Mobility Services Engine (MSE)
What's New for Cisco ISE 2.0? The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized.
Benefits
Granular Control of network access with location-based authorization for individual users
Enhanced Policy Enforcement with automated location check and reauthorization
Simplified Management by configuring authorization with Cisco ISE management tools
Location-Based Authorization: Admin defines location hierarchy and grants users specific access rights based on their location
Patient Data Access example (Doctor role), by location:
  Lobby: No access to patient data
  Patient Room: Access to patient data
  Lab: No access to patient data
  ER: Access to patient data
Capabilities
Enables configuration of location hierarchy across all location entities
Applies Cisco MSE location attributes to access request to be used in authorization policy
Checks Cisco MSE periodically for location changes
Reauthorizes access based on new location
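The slide describes the mechanism only at the level of capabilities. The following is an added illustration, not Cisco or ISE code, of how such a policy evaluates: a hypothetical location hierarchy (child to parent), a role policy that can be granted at a parent location and inherited by its children, and a session that is re-authorized on every reported location change. The hierarchy, the nurse role and the MSE update sequence are constructed for the example.

```python
# Hypothetical location-based authorization, modelled on the ISE/MSE slide.
# Not Cisco code: the hierarchy, policy table and session object are stand-ins.
from dataclasses import dataclass

# Constructed location hierarchy: child -> parent ("Hospital" is the root).
LOCATION_PARENT = {
    "Lobby": "Hospital",
    "Patient Room": "Ward",
    "Ward": "Hospital",
    "Lab": "Hospital",
    "ER": "Hospital",
}

def ancestors(location):
    """Yield the location itself, then each parent up to the root."""
    while location is not None:
        yield location
        location = LOCATION_PARENT.get(location)

# Role -> locations where patient data may be accessed. A grant at a parent
# (Ward) is inherited by its children (Patient Room). The Doctor row mirrors
# the slide's example; the Nurse row is constructed.
PATIENT_DATA_POLICY = {
    "Doctor": {"Patient Room", "ER"},
    "Nurse": {"Ward"},
}

def authorize(role, location):
    """True if the role may access patient data at this location."""
    allowed = PATIENT_DATA_POLICY.get(role, set())
    return any(loc in allowed for loc in ancestors(location))

@dataclass
class Session:
    """An authorized session; re-evaluated whenever the location source
    (MSE on the slide) reports a move, so access is revoked on a bad move."""
    user: str
    role: str
    location: str
    patient_data: bool = False

    def reauthorize(self, new_location):
        self.location = new_location
        self.patient_data = authorize(self.role, new_location)
        return self.patient_data

def simulate(role, locations):
    """Walk a user through constructed location updates; return the
    per-location access decisions the periodic check would produce."""
    session = Session("alice", role, locations[0])
    return [(loc, session.reauthorize(loc)) for loc in locations]
```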

2. Weaponization: Coupling exploit with backdoor into deliverable payload
Techniques: Exploit Kits, AV Evasion, Obfuscation, Rootkit

Reputation Filtering and Behavioral Detection
Reputation Filtering: One-to-One Signature, Fuzzy Finger-printing, Machine Learning
Behavioral Detection: Indications of Compromise, Dynamic Analysis, Advanced Analytics, Device Flow Correlation
Continuous Protection across both

AMP ThreatGrid

3. Delivery: Delivering weaponized bundle to the victim via email, web, USB, etc.
Vectors: Phishing, Watering Hole, Malvertising

Most dangerous threats (threat vector)
Watering hole
  Approach: Infect or inject a trusted site
  Tactic: Conduct reconnaissance on a target
  Impact: Deliver an exploit that will attack
Spear phishing
  Approach: Target users through compromised links
  Tactic: Leverage social engineering
  Impact: Deliver an exploit that will attack
Dropper
  Approach: Deliver malware with stealth and self-deleting programs
  Tactic: Gain access through DLL injection and control firewalls, antivirus, etc.
  Impact: Compromises system control, personal data and authorizations

Cisco Email Security (Overview)
Deployment: Appliance, Virtual, Cisco Cloud; intelligence from Talos
Inbound Email (Incoming Threat)
  Before: Email Reputation, Mail Flow Policies, Acceptance Controls
  During: Anti-Spam, Anti-Virus, File Reputation (ThreatGrid), Graymail Management, Safe Unsubscribe, Content Controls, URL Rep & Cat, Outbreak Filters, Anti-Phish
  After: File Sandboxing & Retrospection, Tracking User Click Activity (Anti-Phish)
Outbound Email (Outbound Liability, HIPAA)
  Before: Mail Flow Policies
  During: Anti-Spam and Anti-Virus, Data Loss Protection, Encryption
Management (HQ Admin): Reporting, Message Track
Actions: Allow, Warn, Block, Partial Block

Cisco Email Security Integration with Threat Intelligence
Built on Unmatched Collective Security Analytics: Cisco Talos (Threat Intelligence, Research, Response)
Telemetry sources: Email, Endpoints, Web, Networks, IPS, Devices
1.6 million global sensors
100 TB of data received per day
150 million+ deployed endpoints
600+ engineers, technicians, and researchers
35% of worldwide email traffic
13 billion web requests
24x7x365 operations
40+ languages
180,000+ file samples per day
FireAMP community
Advanced Microsoft and industry disclosures
Snort and ClamAV open source communities
Honeypots
Sourcefire AEGIS program
Private and public threat feeds
Dynamic analysis

Cisco Web Security Appliance (WSA), with Talos intelligence
Deployment: Appliance, Virtual
Before: Client Authentication Technique, Web Reputation, Web Filtering, Application Visibility and Control, Cloud Access Security
During: Parallel AV Scanning, File Reputation, Data-Loss Prevention, File Sandboxing, Cognitive Threat Analytics*
After: File Retrospection
Integration: Cisco ISE
Traffic Redirections: WCCP, Load Balancer, Explicit/PAC, PBR, AnyConnect Client
Locations: HQ, Campus Office, Branch Office, Roaming User
Management (HQ Admin): Reporting, Log Extraction
Actions: Allow, Warn, Block, Partial Block

Who Resolves Your DNS Requests? Leveraging a Single Global Recursive DNS Service
CHALLENGES
  Multiple Internet Service Providers
  Direct-to-Internet Branch Offices
  Users Forget to Always Turn VPN On
  Different DNS Log Formats
BENEFITS
  Global Internet Activity Visibility
  Network Security w/o Adding Latency
  Consistent Policy Enforcement
  Internet-Wide Cloud App Visibility
Today's picture: Home Users, Mobile Devices, Roaming Laptops and Remote Sites resolve via whichever ISP or mobile carrier they are on; Enterprise Location A (Internal InfoBlox Appliance), Location B (Internal Windows DNS Server) and Location C (Internal BIND Server) act as authoritative DNS for intranet domains and forward recursive DNS for Internet domains to ISP 1, ISP 2 and ISP 3 respectively.

4. Exploitation: Exploiting a vulnerability to execute code on victim's system
Enablers: Day-0 (zero-day), Unpatched systems, Social Engineering

Rest Assured That Cisco ISE Is Keeping Track
Identifies Device, Checks Posture, Helps Ensure Policy Compliance, Quarantines Non-Compliant Devices
Enterprise Mobility Management (EMM) Integrations
Posture checks: AV installed? Registered? Custom Criteria? Vulnerable? OS Patches?

Vulnerable Endpoints

5. Installation: Installing malware on the asset
Techniques: Rootkit, AV evasion

Protection Across Networks (Network, Endpoint, WWW, Content)
The Network platform uses indications of compromise, file analysis, and in this example file trajectory to show you exactly how malicious files have moved across the environment.

Protection Across Endpoints (Network, Endpoint, WWW, Content)
The Endpoint platform has device trajectory, elastic search, and outbreak control, which in this example is shown quarantining recently detected malware on a device that has the AMP for Endpoints connector installed.

Protection Across Web and Email (Network, Endpoint, WWW, Content)
Cisco AMP for Web and Email protects against malware threats in web and email traffic by blocking known malware and issuing retrospective alerts when unknown files are convicted.

6. Command & Control: Command channel for remote manipulation of victim's system
Techniques: Encryption, Use of Known Legitimate Apps (Twitter, SSH)

Turn-Key and API-Based Integrations: Works with what you already have
Sources: Threat Detection (+ others), Threat Analysis & Intel Feeds, Threat Intel Platforms (+ others), Custom Indicators of Compromise
Umbrella (Enforcement & Visibility): Logs or blocks domains sent from partner or custom systems

7. Actions on Objectives: With Hands on Keyboard access, intruders accomplish
Techniques: Multiple hops to cover tracks, Compromised 3rd party machines, Ecosystem

Cyber Threat Defense Dashboard: Active Alarms, Alarms, Top Applications, Flow collection trend

Dynamic Flow Analysis: Results
Actions; conversational or tabular view; Faceted filtering of results; Enhanced Quick View