Innovative Cisco security solutions for the endpoint: the alpha and omega of our next-gen security. Sven Kutzer, Consulting Systems Engineer, GSSO - Cybersecurity Sales. Wednesday, 7 March 2018
Challenges
2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
The way we work has changed. Critical infrastructure (Amazon, Rackspace, Windows Azure, etc.) and business apps (Salesforce, Office 365, G Suite, etc.) are now reached over the internet, from workplace desktops, roaming laptops and branch offices alike.
The threats have also changed. Prevention tools alone can't catch everything and provide limited visibility into threats once they are inside. Analysis stops at the initial inspection (AV, IPS); sleep techniques, unknown protocols, encryption and polymorphism leave the defender blind to the scope of compromise. Initial disposition = clean, actual disposition = bad: too late!! AV efficacy rate <45%.
Cisco Umbrella
Where do Umbrella and AMP fit? Umbrella addresses malware, C2 callbacks and phishing across network and endpoint: it all starts with DNS, which precedes file execution and the IP connection. AMP sits on the NGFW, NetFlow, proxy, sandbox, router/UTM and endpoint to detect and respond with deep visibility, context, and control, covering HQ, branch and roaming users.
Built into the foundation of the internet. Internet traffic, on and off-network, is resolved through Umbrella: safe requests go to their original destinations, blocked requests go to a modified destination (the block page). Security controls: DNS and IP enforcement, and inspection of risky domains through the intelligent proxy for deeper inspection, with SSL decryption available.
Intelligence to see attacks before they are launched. Data: the Cisco Talos feed of malicious domains, Cisco Threat Grid file-based intelligence (1.5M+ daily samples), and Umbrella DNS data (120B requests per day). Models: industry-renowned security researchers build models that automatically classify and score domains and IPs; dozens of models continuously analyze millions of live events per second and automatically uncover malware, ransomware, and other threats.
Co-occurrence model: domains guilty by inference. Diagram: a timeline from time - to time + showing a.com, b.com, c.com, x.com, d.com, e.com and f.com, with the known malicious domain in the centre and the domains requested around it marked as possible malicious domains. Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.
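As an added illustration of the co-occurrence idea (this is not Cisco's model or code; the query log, the 5-second window and the threshold of 3 identities are assumptions), the functions below walk each identity's DNS requests in time order and flag domains requested directly before or after a known malicious domain by at least that many distinct identities:

```python
from collections import defaultdict
from datetime import datetime

# Constructed DNS query log (identity, ISO timestamp, domain); not real Umbrella data.
# x.com plays the known malicious domain from the slide; a.com precedes it for three
# identities, b.com for one, and c.com sits ten minutes away from it.
LOG = [
    ("id1", "2018-03-07T10:00:00", "a.com"),
    ("id1", "2018-03-07T10:00:02", "x.com"),
    ("id1", "2018-03-07T10:00:04", "d.com"),
    ("id2", "2018-03-07T10:05:00", "a.com"),
    ("id2", "2018-03-07T10:05:01", "x.com"),
    ("id3", "2018-03-07T10:09:03", "x.com"),   # arrives out of order; sorted below
    ("id3", "2018-03-07T10:09:00", "a.com"),
    ("id4", "2018-03-07T10:12:00", "b.com"),
    ("id4", "2018-03-07T10:12:01", "x.com"),
    ("id5", "2018-03-07T10:20:00", "c.com"),
    ("id5", "2018-03-07T10:30:00", "x.com"),   # 10 minutes later: not "consecutive"
    ("id5", "2018-03-07T10:30:01", "cdn.example.net"),
]
KNOWN_BAD = {"x.com"}

def cooccurrence(log, known_bad, window_s=5):
    """Map each candidate domain to the set of identities that requested it
    directly before or after a known malicious domain within window_s seconds."""
    by_identity = defaultdict(list)
    for ident, ts, domain in log:
        by_identity[ident].append((datetime.fromisoformat(ts), domain))
    seen_by = defaultdict(set)
    for ident, events in by_identity.items():
        events.sort()  # "consecutive" means adjacent in this identity's own timeline
        for (t_prev, d_prev), (t_next, d_next) in zip(events, events[1:]):
            if (d_prev in known_bad) == (d_next in known_bad):
                continue  # both bad or both unknown: nothing to infer from this pair
            if (t_next - t_prev).total_seconds() <= window_s:
                candidate = d_next if d_prev in known_bad else d_prev
                seen_by[candidate].add(ident)
    return seen_by

def suspect_domains(log, known_bad, window_s=5, min_identities=3):
    """Candidates seen by at least min_identities distinct identities,
    most widely co-occurring first, ties broken alphabetically."""
    seen_by = cooccurrence(log, known_bad, window_s)
    hits = [(d, len(ids)) for d, ids in seen_by.items() if len(ids) >= min_identities]
    return [d for d, _ in sorted(hits, key=lambda h: (-h[1], h[0]))]

if __name__ == "__main__":
    print(suspect_domains(LOG, KNOWN_BAD))  # ['a.com']
```

The single cdn.example.net hit shows why a production model must also discount domains that are popular everywhere: a raw identity-count threshold on its own would eventually flag any widely used domain that happens to sit next to a malicious one.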
Spike rank model: patterns of guilt (DGA, malware, exploit kit, phishing). A massive amount of DNS request volume data is gathered and analyzed. Diagram: DNS requests for y.com plotted over days; the DNS request volume matches a known exploit kit pattern and predicts a future attack, so y.com is blocked before it can launch the full attack.
Anycast IP routing for reliability. Diagram: data centers YVR and DFW both serve 208.67.222.222. All data centers announce the same IP address, and requests are transparently sent to the fastest available one. 100% uptime since 2006, with DDoS protection and global fail-over: if a data center is down for any reason, requests automatically re-route to the next fastest available.
Connecting to Umbrella. Roaming: the Umbrella roaming client or AnyConnect routes traffic and identities via DNS, with no need for connectors or PAC files. On-network: internal DNS or DHCP and network devices forward to Umbrella, with the Umbrella virtual appliance (VA) and AD connector on the customer side. Anycast routing means customers are not tied to a data center.
Prevent, detect, and contain ransomware with Cisco Umbrella, AMP, and Cloud Email Security. Diagram of the ransomware chain: compromised sites and malvertising (web redirect, DNS) and phishing spam (web link, DNS) lead to exploit kit domains (Angler, Nuclear, Neutrino; DNS), then to C2 over DNS against the malicious infrastructure and the encryption key infrastructure, and finally to a file drop of the ransomware payload, or directly to an email attachment (DNS). Legend: blocked by Cisco Umbrella; blocked by Cisco AMP for Endpoints; blocked by Cisco Cloud Email Security.
Cisco AMP for Endpoints
Cisco AMP for Endpoints: powerful host-based protection. Prevent: prevent attacks and block malware in real time. Detect: continuously monitor for threats on your endpoints to decrease time to detection. Respond: accelerate investigations and remediate faster and more effectively.
Plan A: prevention framework. 1-to-1 signatures, antivirus engine, exploit prevention, fuzzy fingerprinting and machine learning, applied in memory and on disk, plotted against time to detection.
Prevention eventually fails.
Plan B: detection framework. Device flow correlation, advanced analytics, command line capture, indicators of compromise and dynamic analysis, plotted against time to detection.
Continuous analysis and retrospective security: monitor, record, and analyze all file activity, regardless of disposition. Recording lets you identify a threat's point of origin, see what it is doing, see where it's been, track its rate of progression and how it spread, and surgically target and remediate.
Find the answers to break the kill chain (recon, stage, launch, exploit, install, callback, persist). Gain full context for each detection: What happened? Where did the malware come from? Where has the malware been? What is it doing? How do we stop it?