TRANSCRIPT
Hackers, Botnets and Malware - Oh My! Battle 21st Century Threats with Cisco Next-Gen Security
Cisco Customer Education
Brian Avery Territory Business Manager, Cisco
This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:
https://acecloud.webex.com/acecloud/lsr.php?RCID=5a9980687b274a64b7b92995fade11c2
Thanks for your interest and participation!
Connect using the audio conference box or you can call into the meeting:
1. Toll-Free: (866) 432-9903
2. Enter Meeting ID: 200 567 410 and your attendee ID number.
3. Press “1” to join the conference.
Presentation Agenda
► Welcome from Cisco
► There’s Big Money in Hacking
► Cisco Security Solutions Portfolio
► Introducing Cisco Security
► Advanced Malware Protection
► Conclusion
About Your Host: Brian Avery, Territory Business Manager, Cisco Systems, Inc. ([email protected])
Who Is Cisco?
Cisco Confidential 5 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
1984: Computer scientists Len Bosack and Sandy Lerner found Cisco Systems. Bosack and Lerner run network cables between two different buildings on the Stanford University campus. A technology has to be invented to deal with disparate local area protocols; the multi-protocol router is born.
Who Is Cisco?
Chuck Robbins, CEO, Cisco
• Dow Jones Industrial Average Fortune 100 Company (AAPL, CSCO, INTC, MSFT)
• $117B Market Capitalization
• $49.6B in Revenue
• $10B in Annual Net Profits
• $34B More Cash than Debt
• $5.9B in Research and Development
http://finance.yahoo.com/q/ks?s=CSCO+Key+Statistics
Market Leadership Matters (market share, Q1CY14)
No. 1 Voice: 39%
No. 1 TelePresence: 43%
No. 1 Web Conferencing: 41%
No. 1 Wireless LAN: 50%
No. 2 x86 Blade Servers: 27%
No. 1 Routing (Edge/Core/Access): 45%
No. 1 Security: 33%
No. 1 Switching (Modular/Fixed): 64%
No. 1 Storage Area Networks: 47%
What Is the Cisco Customer Education Series?
§ CCE is an educational session for current and prospective Cisco customers
§ Designed to help you understand the capabilities and business benefits of Cisco technologies
§ Allows you to interact directly with Cisco subject matter experts and ask questions
§ Offers assistance if you need/want more information, demonstrations, etc.
There’s Big Money in Hacking
Organizations Are Under Attack: Industrial Hackers Are Making Big Money with Innovative Tactics
Threat timeline, 1990 to 2020:
Viruses, 1990–2000
Worms, 2000–2005
Spyware and Rootkits, 2005–Today
APTs and Cyberware, Today and beyond
Trend captions along the timeline: Phishing, Low Sophistication; Hacking Becomes an Industry; Sophisticated Attacks, Complex Landscape
95% of large companies targeted by malicious traffic
100% of organizations interacted with websites hosting malware
1. Cybercrime is lucrative, barrier to entry is low
2. Hackers are smarter and have the resources to compromise your organization
3. Malware is more sophisticated
4. Organizations face tens of thousands of new malware samples per hour
Source: 2014 Cisco Annual Security Report
Global Cybercrime Market: $450B‒$1T
High Profile Breaches
As of 12/31/2014 http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf
Figure: breach sizes shown, in records: 1,000,000; 70,000,000; 56,000,000; 2,600,000; 1,100,000
And Yet… Organizations of every size are targets
60% of UK small businesses were compromised in 2014 (2014 Information Security Breaches Survey)
100% of corporate networks examined had malicious traffic (Cisco 2014 Annual Security Report)
41% of targeted attacks are against organizations with fewer than 500 employees (July 2014, The National Cyber Security Alliance (NCSA))
If you knew you were going to be compromised, would you do security differently?
It’s no longer a question of “if” you’ll be breached, it’s a question of “when”
Cisco Security Overview
Too Many Disparate Security Products Mean Gaps in Protection
Fragmented offerings across multiple vendors vs. a streamlined advanced security solution:
Cost: higher total cost to build and run vs. lower opex and easier to manage
Overall performance: less communication between components vs. better communication and integration
Time to detection: more lag in finding threats vs. faster time to detection
Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
Attack Continuum:
Before: Discover, Enforce, Harden
During: Detect, Block, Defend
After: Scope, Contain, Remediate
Control points: Branch, Cloud, Data Center, Endpoint, Campus, Edge, Operational Technology
The same attack continuum (Before: Discover, Enforce, Harden; During: Detect, Block, Defend; After: Scope, Contain, Remediate) mapped to the Cisco portfolio: FireSIGHT and pxGrid; ASA; VPN; NGFW; Meraki; Advanced Malware Protection; Network as Enforcer; NGIPS; ESA/WSA; CWS; Secure Access + Identity Services; ThreatGRID
Comprehensive Security Requires: Breach Prevention; Rapid Breach Detection, Response, Remediation; Threat Intelligence
Combined with the Best Threat Intelligence Capabilities: World-Class Threat Research
Figure: Cisco threat intelligence volumes. 221B Total Threats; 19.7B Threats Per Day; 991M Web + Malware Threats. Further counters shown (1.4M, 2.6M, 9.9B, 1.1M, 1.8B, 1B, 8.2B) for: Incoming Malware Samples Per Day, SenderBase Reputation Queries Per Day, Web Filtering Blocks Per Month, AV Blocks Per Day, Spyware Blocks Per Month, Blocks Per Sec, Total Blocks Per Month.
3.5 billion searches today vs. 19.7 billion threats blocked today
More Effective Against Sophisticated Attacks
Time to detection: Cisco less than 1 day vs. industry 100 days (Source: Cisco Annual Security Report, 2016), much faster than most organizations discover breaches
Advanced Malware Protection
Malware WILL Get Into Your Environment
• 95% of large companies targeted by malicious traffic
• 60% of data stolen in hours
• 65% of organizations say attacks evaded existing preventative security tools
• $5.9M average cost of a breach in the United States
Once Inside, Organizations Struggle to Deal With It
• 33% of organizations take 2+ years to discover breach
• 55% of organizations unable to determine cause of a breach
• 45 days average time to resolve a cyber-attack
• 54% of breaches remain undiscovered for months
When Malware Strikes, You Have Questions
Where did it come from?
Who else is infected?
What is it doing?
How do I stop it?
Cisco AMP Delivers A Better Approach
Point-in-Time Protection: File Reputation, Sandboxing, and Behavioral Detection
Unique to Cisco® AMP: Retrospective Security through Continuous Analysis
Cisco AMP Defends With Reputation Filtering And Behavioral Detection
Point-in-Time Detection (fed by Cisco Collective Security Intelligence) combines Reputation Filtering and Behavioral Detection for Continuous Protection: Dynamic Analysis, Machine Learning, Fuzzy Finger-printing, Advanced Analytics, One-to-One Signature, Indications of Compromise, Device Flow Correlation
Cisco AMP Defends With Retrospective Security
Retrospective Security (fed by Cisco Collective Security Intelligence): Trajectory, Behavioral Indications of Compromise, Elastic Search, Continuous Analysis, Attack Chain Weaving
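The retrospective-security idea on this slide (continuous analysis, trajectory, attack chain weaving) written out as an added Python example; this is not Cisco's or AMP's code. It keeps every file sighting past the point-in-time decision, so that when a hash's verdict later changes to malicious the store can report where the file first appeared, how it arrived, and which other hosts have since seen it. The class and function names, the hosts, the hashes and the timestamps are all constructed for the example.

```python
"""Retrospective verdicts over a file-trajectory store.

Added example; not Cisco AMP code. Models the continuous-analysis idea: every
file sighting (host, hash, time, arrival path) is retained after the point-in-time
decision, so a later verdict change can be applied to what was already seen.
Hosts, hashes and timestamps below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple, Optional


class Sighting(NamedTuple):
    host: str
    sha256: str
    seen_at: datetime
    via: str  # arrival path recorded with the sighting: email, web, smb, usb ...


class TrajectoryStore:
    """Keeps every sighting and the latest verdict per hash."""

    def __init__(self):
        self._sightings = defaultdict(list)  # sha256 -> [Sighting]
        self._verdicts = {}                  # sha256 -> "clean" | "unknown" | "malicious"

    def record(self, s: Sighting) -> str:
        """Point-in-time step: store the sighting and return the current verdict
        (a caller would block on "malicious" and allow otherwise)."""
        self._sightings[s.sha256].append(s)
        return self._verdicts.get(s.sha256, "unknown")

    def update_verdict(self, sha256: str, verdict: str) -> Optional[dict]:
        """Retrospective step: apply a new verdict; when it flips to malicious,
        return an alert built from everything seen before the flip."""
        previous = self._verdicts.get(sha256, "unknown")
        self._verdicts[sha256] = verdict
        if verdict == "malicious" and previous != "malicious":
            return self.trajectory(sha256)
        return None

    def trajectory(self, sha256: str) -> Optional[dict]:
        """Order the sightings in time and summarise origin, spread and exposure."""
        seen = sorted(self._sightings.get(sha256, []), key=lambda s: s.seen_at)
        if not seen:
            return None
        first, last = seen[0], seen[-1]
        return {
            "sha256": sha256,
            "origin_host": first.host,                           # "Where did it come from?"
            "origin_via": first.via,
            "affected_hosts": sorted({s.host for s in seen}),    # "Who else is infected?"
            "exposure_minutes": int((last.seen_at - first.seen_at).total_seconds() // 60),
        }


# Constructed hashes, not real samples.
H_DROPPER = "a" * 64
H_DOCUMENT = "b" * 64


def demo():
    """Walk a constructed timeline and return the retrospective alert it produces."""
    store = TrajectoryStore()
    t = lambda hh, mm: datetime(2015, 6, 1, hh, mm)
    decisions = [
        store.record(Sighting("ws-17", H_DROPPER, t(9, 0), "email")),   # unknown -> allowed
        store.record(Sighting("ws-22", H_DROPPER, t(9, 30), "smb")),    # copied laterally
        store.record(Sighting("ws-05", H_DROPPER, t(10, 15), "smb")),
        store.record(Sighting("fs-01", H_DOCUMENT, t(11, 0), "web")),
    ]
    assert all(d == "unknown" for d in decisions)   # nothing was blocked at point in time
    no_alert = store.update_verdict(H_DOCUMENT, "clean")      # benign file: no alert
    alert = store.update_verdict(H_DROPPER, "malicious")      # later sandbox verdict
    repeat = store.update_verdict(H_DROPPER, "malicious")     # same verdict again: no new flip
    return {"alert": alert, "no_alert": no_alert, "repeat": repeat}


if __name__ == "__main__":
    print(demo()["alert"])
```

The point to notice is that nothing was blocked when the dropper first arrived (its verdict was unknown), yet the alert still names ws-17 and the email path as the origin and ws-22 and ws-05 as later copies, because the sightings were retained rather than discarded with the allow decision.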
Why Continuous Protection Is Necessary
Breadth and control points: Web (WWW), Endpoints, Network, Email, Devices, Gateways
Telemetry stream: File Fingerprint and Metadata, Process Information, File and Network I/O
Continuous feed into continuous analysis: Point-in-Time Detection and Retrospective Security, backed by Cisco Collective Security Intelligence (Talos + Threat Grid Intelligence)
Advanced Malware Protection: AMP Everywhere, See Once, Protect Everywhere
AMP Intelligence Sharing across Networks, Web (WWW), and Endpoint
Visibility
Cisco AMP Provides Contextual Awareness and Visibility That Allows You to Take Control of an Attack Before It Causes Damage
What: These applications are affected
Where: The breach affected these areas
When: This is the scope of exposure over time
How: Here is the origin and progression of the threat
Who: Focus on these users first
The Leader in Security Effectiveness
Cisco AMP offers superior security effectiveness, excellent performance, and provides security across more attack vectors than any other vendor
• 99.2% Security Effectiveness rating in BDS testing, the highest of all vendors tested.
• Only vendor to block 100% of evasion techniques during testing.
• Excellent performance with minimal impact on network, endpoint, or application latency.
Cisco AMP Everywhere Strategy Means Protection Across the Extended Network
AMP (Advanced Malware Protection) deployment options:
AMP for Networks
AMP on Web & Email Security Appliances
AMP on Cisco® ASA Firewall with FirePOWER Services
AMP for Endpoints (Mac, PC, Mobile, Virtual)
AMP for Cloud Web Security (CWS) & Hosted Email
AMP Private Cloud Virtual Appliance
AMP Threat Grid: Dynamic Malware Analysis + Threat Intelligence Engine
Next-Generation Firewall
Typical NGFWs are focused too narrowly on apps and are too hard to manage
NGFW with separate DDoS, Sandbox, URL and IPS functions: focused on apps, not threats; another silo to manage
Threats hidden in plain sight: Visibility Is the Key
Introducing Cisco ASA with FirePOWER Services: the Industry’s First Threat-Focused Next-Generation Firewall (NGFW)
• Integrating defense layers helps organizations get the best visibility
• Enable dynamic controls to automatically adapt
• Protect against advanced threats across the entire attack continuum
Proven Cisco ASA firewalling combined with industry leading NGIPS and AMP
Superior Integrated & Multilayered Protection
Cisco ASA layers: Network Firewall; Routing | Switching; Clustering & High Availability; Identity-Policy Control & VPN; Application Visibility & Control; Built-in Network Profiling; Intrusion Prevention (Subscription); URL Filtering (Subscription); Advanced Malware Protection (Subscription); FireSIGHT Analytics & Automation; Cisco Collective Security Intelligence Enabled
• World’s most widely deployed, enterprise-class ASA stateful firewall
• Granular Cisco® Application Visibility and Control (AVC)
• Industry-leading FirePOWER next-generation IPS (NGIPS)
• Reputation- and category-based URL filtering
• Advanced malware protection
No other NGFW offers this level of visibility • The more infrastructure you see, the better protection you get
Visibility compared across Typical IPS, Typical NGFW, and Cisco ASA with FirePOWER Services: Threats, Users, Web applications, Application protocols, File transfers, Malware, C & C Servers, Client applications, Operating systems, Mobile Devices, VOIP phones, Routers & switches, Printers, Network Servers
Get integrated, local management with Adaptive Security Device Manager (ASDM), on-box:
• Enhanced user interface for quick views on trends and click-downs on details
• Consolidated management of all stateful and Next-Generation Firewall functions for ease of use
• Optimized design for single-instance deployments
Or centralized, multi-device management with FireSIGHT Management Center:
• Unmatched visibility and control of policies across a deployment
• Automatic threat assessment to enhance staff productivity and response time
• Centralized management designed for multi-site and distributed deployments
AnyConnect
Cisco AnyConnect Secure Mobility Client: Extending Control of Context to the Endpoint
Simply and securely work anywhere on any device
§ Delivers reliable and transparent secure remote access for off-premises users
§ All major devices supported (PC, Mac, Android, iOS, more)
Helps ensure endpoint integrity: § Multiple authentication options § Comprehensive posture checks
Provides automatic secure connectivity: § End-to-end encryption § Integrated web security § Per-app VPN for mobile
Cisco Web Security
Web Security Is More Important Than Ever Before
• The web is a popular attack vector for criminals
• Without proper control, your own users can put your business at risk
• Increased cloud adoption creates greater vulnerabilities
Cisco Web Security Delivers…
Superior Flexibility: Deploy, manage, and scale easily to fit your business
Advanced Threat Protection: Protect against advanced threats with adaptive web security
Comprehensive Defense: Defend and control with best-in-class, cloud-delivered web security
It Starts with Usage Controls and an Active Defense (Comprehensive Defense)
Web Usage Control:
• Web Filtering: block over 50 million known malicious sites
• Web Reputation: restrict access to sites based on assigned reputation score
• Dynamic Content Analysis: categorize webpage content and block sites automatically
• Web Usage Reporting: gain greater visibility into how web resources are used
• Roaming Laptop-User Protection: extend security beyond the network to include mobile users
• Application Visibility and Control: regulate access to individual website components and apps
• Outbreak Intelligence: identify unknown malware and zero-hour outbreaks in real time
• Centralized Cloud Management: enforce policies from a single, centralized location
Figure: Cisco Web Security architecture. Protection layers across Before, During and After: Web Filtering, Webpage Reputation, Application Visibility and Control, Anti-Malware, Outbreak Intelligence, File Reputation, Cognitive Threat Analytics, File Retrospection, File Sandboxing. Policy actions: Allow, Warn, Block, Partial Block. Traffic redirections into Cisco® Cloud Web Security (CWS), backed by Talos: ASA, Standalone WSA, ISR G2, AnyConnect®. Locations covered: Branch Office, Campus Office, HQ, Roaming User. Admin: Reporting, Log Extraction, Management.
Cisco Meraki Cloud Security
Meraki MS Ethernet Switches; Meraki SME Enterprise Mobility Management; Meraki MR Wireless LAN; Meraki MX Security Appliances
Application Control: Traffic Shaping, Content Filtering, Web Caching
Security: NG Firewall, Client VPN, Site to Site VPN, IDS/IPS
Networking: NAT/DHCP, 3G/4G Cellular, Static Routing, Link Balancing
Centralized cloud management scales to thousands of sites
Multi-site visibility and control: map-based dashboard; configuration sync; remote diagnostics; automatic monitoring and alerts
Zero-touch provisioning: devices automatically provision from the cloud, no staging required; self-configuring site-to-site VPN
Traffic acceleration: WAN optimization and web caching accelerates and de-duplicates network traffic; application-aware QoS prioritizes productivity apps
Site-to-site IPsec VPN in just two clicks in the Dashboard
Simple: creates L3 site-to-site VPN tunnels with just 2 clicks in the dashboard
Automatic: comparable to Cisco DMVPN, it creates a mesh or hub-and-spoke VPN tunnel between all peers and adjusts to IP changes
Resilient: automatic failover to secondary WAN link or 3G/4G USB modem
Best IPS: Sourcefire IDS / IPS, updated every day
Content Filtering: 4+ billion URLs, updated in real-time
Geo-based security: block attackers from rogue countries
AV / anti-phishing: Kaspersky AV, updated every hour
PCI compliance: PCI L1 certified cloud-based management
MX Security Appliance models (all devices support 3G/4G):
Z1: for teleworkers (1-5 users); FW throughput 50 Mbps; dual-radio wireless
MX64/64W: small branch (~50 users); FW throughput 250 Mbps; 11ac wireless (MX64W)
MX65/65W: small branch (~50 users); FW throughput 250 Mbps; 11ac wireless (MX65W); 10 LAN ports (2 POE ports)
MX84: mid-size branch (~200 users); FW throughput 500 Mbps; SFP ports
MX100: mid-size branch / small campus (~500 users); FW throughput 750 Mbps; SFP ports
MX400: large branch/campus (~2,000 users); FW throughput 1 Gbps; power redundancy; modular interface SFP or SFP+ (with modules)
MX600: campus / VPN concentration (~10,000 users); FW throughput 1 Gbps; power redundancy; modular interface SFP or SFP+ (with modules)
Network as Enforcer
You Can’t Protect What You Can’t See: The Network Gives Deep and Broad Visibility
Lancope StealthWatch System: Network Reconnaissance Using Dynamic NetFlow Analysis
Monitor, Detect, Analyze, Respond
• Understand your network and data center normal
• Gain real-time situational awareness of all traffic
• Leverage Network Behavior Anomaly detection & analytics
• Detect behaviors linked to APTs, insider threats, DDoS, and malware
• Collect & analyze holistic network audit trails
• Achieve faster root cause analysis to conduct thorough forensic investigations
• Accelerate network troubleshooting & threat mitigation
• Respond quickly to threats by taking action to quarantine through Cisco ISE
Use Case: Defense against Data Breaches. Anatomy of a Data Breach (Network as Enforcer)
Figure elements: enterprise network, Attacker, Perimeter (Inbound), Perimeter (Outbound), C2 Server, Admin Node
1. Infiltration and backdoor establishment
2. Reconnaissance and network traversal
3. Exploitation and privilege elevation
4. Staging and persistence (repeat 2, 3, 4)
5. Data exfiltration
NetFlow – The Heart of Network as a Sensor. Example: NetFlow Alerts With Lancope StealthWatch
Denial of Service: SYN half open; ICMP/UDP/port flood
Worm Propagation: worm-infected host scans and connects to the same port across multiple subnets; other hosts imitate the same behavior
Fragmentation Attack: host sending an abnormal number of malformed fragments
Botnet Detection: inside host talks to an outside C&C server for an extended period of time
Host Reputation Change: inside host potentially compromised, or received abnormal scans or other malicious attacks
Network Scanning: TCP, UDP, port scanning across multiple hosts
Data Exfiltration: large outbound file transfer vs. baseline
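As an added example of how alerts like the ones listed above can be derived from flow records (this is not StealthWatch or Cisco code), the Python below applies four of the rules, Denial of Service via SYN half-open, Network Scanning, Botnet Detection and Data Exfiltration vs. baseline, to constructed flow records. It assumes a 10.0.0.0/8 internal address range, a flat 50 MB per-host outbound baseline, and threshold values chosen for the example rather than taken from any product.

```python
"""NetFlow-style anomaly heuristics over constructed flow records.

Added example; not StealthWatch or Cisco code. Four of the slide's alert
classes are implemented as threshold rules over unidirectional flow records.
Every address, flow, baseline and threshold below is constructed for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

INTERNAL = ip_network("10.0.0.0/8")  # assumed enterprise address space


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str
    flags: str    # TCP flags seen: "S" = SYN only (half open), "SA" = completed handshake
    packets: int
    bytes: int
    start: int    # seconds since an arbitrary epoch
    end: int


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


# Constructed flow records: four malicious patterns plus one benign session.
FLOWS = []
# DoS: 200 single-packet SYN-only flows to one web server from many sources.
FLOWS += [Flow(f"203.0.113.{i % 250 + 1}", "10.1.0.80", 80, "tcp", "S", 1, 60, 100 + i, 100 + i)
          for i in range(200)]
# Scan: one inside host probes ports 1-40 on three neighbours (120 host/port pairs).
FLOWS += [Flow("10.2.0.7", f"10.2.0.{h}", p, "tcp", "S", 1, 60, 300, 301)
          for h in (10, 11, 12) for p in range(1, 41)]
# Beaconing: inside host contacts one outside address every 10 minutes for about 12 hours.
FLOWS += [Flow("10.3.0.42", "198.51.100.9", 443, "tcp", "SA", 8, 900, 1000 + 600 * k, 1002 + 600 * k)
          for k in range(72)]
# Exfiltration: inside host pushes 2 GB to one outside address in a single flow.
FLOWS.append(Flow("10.4.0.15", "198.51.100.77", 443, "tcp", "SA", 1_500_000, 2_000_000_000, 5000, 5900))
# Benign: an ordinary HTTPS session.
FLOWS.append(Flow("10.5.0.3", "192.0.2.34", 443, "tcp", "SA", 40, 30_000, 7000, 7005))


def syn_half_open(flows, threshold=100):
    """Denial of Service: many SYN-only, one-or-two-packet flows aimed at one destination."""
    hits = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S" and f.packets <= 2:
            hits[f.dst] += 1
    return {dst: n for dst, n in hits.items() if n >= threshold}


def network_scan(flows, threshold=50):
    """Network Scanning: a single source touching many distinct (host, port) pairs."""
    targets = defaultdict(set)
    for f in flows:
        targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def botnet_beaconing(flows, min_hours=6.0, min_sessions=24):
    """Botnet Detection: inside host talking to one outside host for an extended period."""
    pairs = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            pairs[(f.src, f.dst)].append(f)
    alerts = {}
    for key, fs in pairs.items():
        span_h = (max(x.end for x in fs) - min(x.start for x in fs)) / 3600
        if len(fs) >= min_sessions and span_h >= min_hours:
            alerts[key] = {"sessions": len(fs), "span_hours": round(span_h, 1)}
    return alerts


def data_exfiltration(flows, baseline_bytes, factor=10):
    """Data Exfiltration: outbound volume per inside host far above its baseline."""
    out_bytes = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out_bytes[f.src] += f.bytes
    return {src: b for src, b in out_bytes.items() if b >= factor * baseline_bytes(src)}


def constructed_baseline(host):
    """Constructed per-host daily outbound baseline: 50 MB for every inside host."""
    return 50_000_000


def run_all(flows=FLOWS):
    """Evaluate every rule and return the alerts keyed by slide category."""
    return {
        "dos": syn_half_open(flows),
        "scan": network_scan(flows),
        "botnet": botnet_beaconing(flows),
        "exfil": data_exfiltration(flows, constructed_baseline),
    }


if __name__ == "__main__":
    for category, alerts in run_all().items():
        print(category, alerts)
```

Each rule keys on a different dimension of the same records (flag pattern per destination, fan-out per source, session count and time span per inside/outside pair, bytes per source against a baseline), which is why the beaconing host, with only 64,800 bytes sent, never trips the exfiltration rule and the exfiltrating host, with a single session, never trips the beaconing rule.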
Conclusion
Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
Attack Continuum: Before (Discover, Enforce, Harden); During (Detect, Block, Defend); After (Scope, Contain, Remediate)
Cisco portfolio across the continuum: FireSIGHT and pxGrid; ASA; VPN; NGFW; Meraki; Advanced Malware Protection; Network as Enforcer; NGIPS; ESA/WSA; CWS; Secure Access + Identity Services; ThreatGRID
Thank You and Next Steps
Brian Avery [email protected]
Contact Your Cisco Partner https://tools.cisco.com/WWChannels/LOCATR/performBasicSearch.do
Learn more about Cisco Security: www.cisco.com/go/security/
• CCE sessions are held weekly on a variety of topics
• CCE sessions can help you understand the capabilities and business benefits of Cisco technologies
• Watch replays of past events and register for upcoming events!
Visit http://cs.co/cisco101 for details
Join us again for a future Cisco Customer Education Event