cisco tec chris young - security intelligence operations
Posted on 20-Aug-2015
TRANSCRIPT
1 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
Cisco Innovation Security Intelligence Operations (SIO)
Chris Young, SVP, Security & Government
Lee Jones, Principal Engineer, Security Applications
Technical Editors Day May 24, 2012
Timeline, 1990 to 2010 (diagram labels):
• NAC Pioneer
• Reputation Pioneer
• SaaS Leader
• 1st Switch Security Blade
• 1st Dual-Mode VPN Client
• 1st Router Integrated Security
• Launch SecureX Strategy
• Identity Services Engine
Cybercriminals Capitalize on Disaster
Diagram labels: MOBILITY, THE NETWORK, COLLABORATION, SECURITY, THREAT LANDSCAPE, CLOUD
Compliance (GRC)
Ecosystem (Partners & Providers)
Services (TS, AS, Partner)
Network (Enforcement)
• Secure Unified Access
• Enabling Endpoint Transformation
• Protecting Network Edges
• Threat Defense
• Securing Cloud Transition
• Virtualization & Cloud
• Application Visibility & Control
• Authorizing Content Usage
Threat Intelligence (Visibility)
Contextual Policy Management
Detect Accurately
Protect Holistically
Adapt Continuously
Threat Operations Center SensorBase Dynamic Updates
Threat Operations Center Dynamic Updates
SensorBase:
• 1.6M globally deployed devices
• 75 TB data received per day
• 13B web requests
• 150M globally deployed endpoints
• 35% of worldwide email traffic
Threat Operations Center:
• 24x7x365 operations
• $100M spent in dynamic research and development
• 600 engineers, technicians and researchers
• 40+ languages
• 80+ Ph.D.s, CCIEs, CISSPs, MCSEs
Dynamic Updates:
• 5,500+ IPS signatures produced
• 70 publications produced
• 200 parameters tracked
• 8M rules per day
• 3 to 5 minute updates
• Malware Distributing Site
• Directed Attack
• Spam with Malicious Attachment
SensorBase Threat Operations Center Dynamic Updates
Competitors: Content Only
Cisco SIO: Content + Context
Timeline: 9:25am, 9:45am, 10:30am
Diagram labels: Phishing, SIO, Content Security (WSA/ESA), Network Security (IPS/ASA), Users
Internal & 3rd Party Feeds
• Best of the threat intelligence ecosystem:
  • Visibility into criminal networks
  • Leading AV Scanners
  • ISPs, Hosting Providers, Registrars, etc.
Haiti Spear Phishing: Same infrastructure was used for other attacks
Depth of SensorBase
• Visibility into the widest threat telemetry database in the industry
• Sensors in network security infrastructure and endpoints
• History of domain registration
• Information across web, email and IPS/ASA
Haiti Spear Phishing: Spike in spear phishing volume and malicious web traffic
Reputation
• Determine risk of zero-day threats through a web of connections
• Global data correlation across:
  • Source IP
  • Hosts
  • Registrars and more
Haiti Spear Phishing: Reputation filters tripped early, preventing the mutating threat from gaining traction
Change is constant:
• Signatures
• Domains
• Hosts
• Registrars
• Content
Blended attacks:
• Multiple vectors
• Sophisticated
• Persistent
• Evolving
Block at the connection level with content and context, no matter when an attack comes in or through which avenue.
SensorBase Threat Operations Center Dynamic Updates
File structure (diagram): Header, Body of Objects, Cross-Ref Table, Trailer
AV scanners scan the file. Based on industry-leading signatures, it is a clean file.
After inspection we find:
• Security Feeds
• Geolocation
• Registrant Info
• Registrar
• Traffic Volume and Age
• Sensor Info