Cisco TEC - Chris Young - Security Intelligence Operations

Post on 20-Aug-2015


TRANSCRIPT

1 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

Cisco Innovation Security Intelligence Operations (SIO)

Chris Young, SVP, Security & Government

Lee Jones, Principal Engineer, Security Applications

Technical Editors Day May 24, 2012


Timeline of Cisco security milestones, 1990 to 2010:

• NAC Pioneer
• Reputation Pioneer
• SaaS Leader
• 1st Switch Security Blade
• 1st Dual-Mode VPN Client
• 1st Router Integrated Security
• Launch SecureX Strategy
• Identity Services Engine

Cybercriminals Capitalize on Disaster


Slide diagram: Mobility, The Network, Collaboration, Security, Threat Landscape, Cloud


Architecture diagram layers:

• Compliance (GRC)
• Ecosystem (Partners & Providers)
• Services (TS, AS, Partner)
• Network (Enforcement)
• Secure Unified Access: Enabling Endpoint Transformation
• Threat Defense: Protecting Network Edges
• Virtualization & Cloud: Securing Cloud Transition
• Application Visibility & Control: Authorizing Content Usage
• Threat Intelligence (Visibility)
• Contextual Policy Management


Detect Accurately

Protect Holistically

Adapt Continuously


Threat Operations Center SensorBase Dynamic Updates


Threat Operations Center / Dynamic Updates

SensorBase:

• 1.6M globally deployed devices
• 75 TB data received per day
• 13B web requests
• 150M globally deployed endpoints
• 35% of worldwide email traffic


Threat Operations Center

• 24x7x365 operations
• $100M spent in dynamic research and development
• 600 engineers, technicians and researchers
• 40+ languages
• 80+ Ph.D.s, CCIEs, CISSPs, MCSEs


Dynamic Updates

• 3 to 5 minute updates
• 5,500+ IPS signatures produced
• 70 publications produced
• 200 parameters tracked
• 8M rules per day


Slide diagram of threat sources: Malware Distributing Site; Directed Attack; Spam with Malicious Attachment

SensorBase Threat Operations Center Dynamic Updates


Competitors: Content Only

Cisco SIO: Content + Context

Timeline: 9:25am, 9:45am, 10:30am


Slide diagram: Phishing Email; SIO; Content Security (WSA/ESA); Network Security (IPS/ASA); Users


Internal & 3rd Party Feeds

• Best of the threat intelligence ecosystem:
  • Visibility into criminal networks
  • Leading AV Scanners
  • ISPs, Hosting Providers, Registrars, etc.

Haiti Spear Phishing: the same infrastructure was used for other attacks


Depth of SensorBase

• Visibility into the widest threat telemetry database in the industry
• Sensors in network security infrastructure and endpoints
• History of domain registration
• Information across web, email and IPS/ASA

Haiti Spear Phishing: spike in spear phishing volume and malicious web traffic


Reputation

• Determine risk of zero-day threats through a web of connections
• Global data correlation across:
  • Source IP
  • Hosts
  • Registrars and more

Haiti Spear Phishing: reputation filters tripped early, preventing the mutating threat from gaining traction


Change is constant: signatures, domains, hosts, registrars, content

Blended attacks: multiple vectors, sophisticated, persistent, evolving

Block at the connection level with content and context, no matter when an attack comes in, through any avenue.


File sections: Header, Body of Objects, Cross-Ref Table, Trailer

AV scanners scan the file. Based on industry-leading signatures, it is a clean file.


After inspection we find:

• Security Feeds
• Geolocation
• Registrant Info
• Registrar
• Traffic Volume and Age
• Sensor Info