Email and Web Security News - Dragan Novakovic · Threat-centric email and web security (transcript of a Cisco slide deck)

Page 1

Dragan Novakovic
Security Consulting Systems Engineer, Cisco

Threat-centric email and web security

Cisco Email and Web Security News

Page 2

Email is still the #1 threat vector

Page 3

Phishing leaves businesses on the line

(Threat categories covered in this section: Phishing, Spoofing, Ransomware)

Phishing:
• Messages contain attachments and URLs
• Socially engineered messages are well crafted and specific
• Credential "hooks" give criminals access to your systems

By the numbers:
• 94% of phishing mail has malicious attachments [1]
• 30% of phishing messages are opened [1]
• $500M: loss incurred due to phishing attacks in a year by US companies [2]

[1] 2016 Cisco Annual Security Report
[2] 2016 Verizon Data Breach Report; Krebs on Security

Page 4

Spoofing rates are on the rise

Spoofing:
• Forged addresses fool recipients
• Threat actors extensively research targets
• Money and sensitive information are targeted

By the numbers:
• $2.3B in losses from spoofing, 2013 - 2015 [1]
• 270% increase from 2015 to 2016 [1]

[1] FBI Warns of Dramatic Increase in Business E-mail Scams, 2016

Page 5

Ransomware attacks are holding companies hostage

Ransomware:
• Malware encrypts critical files
• Locks you out of your own system
• Extortion demands are being paid

By the numbers:
• $60M: cost to consumers and companies of a single campaign [2]
• 9,515 users are paying ransoms per month [2]
• Ransomware represents the biggest jump in occurrences of crimeware [1]

[1] 2016 Verizon Data Breach Report; Krebs on Security
[2] 2016 Cisco Annual Security Report

Page 6

Reduce threats · Support growth · Achieve agility

Cisco secures your email, cloud or on-premises

Page 7

Reduce threats

Page 8

Cisco Email Security is backed by unrivaled global threat intelligence

• 24x7x365 operations
• 100 TB of data received daily
• 1.5 million daily malware samples
• 600 billion daily email messages
• 16 billion daily web requests
• Millions of telemetry agents
• 4 global data centers
• Over 100 threat intelligence partners
• 250+ full-time threat intel researchers

Deploy the world's largest email traffic monitoring network; leverage industry-leading threat analytics with SenderBase.

Page 9

Anti-spam processing / Context Adaptive Scanning Engine (CASE)

It's built with industry-leading spam protection

• Review sender reputation, URL reputation, and message content
• Quarantine suspicious messages for additional review
• Block spam with 99% accuracy and fewer than 1 in 1,000,000 false positives (vendor-stated figures)

CASE asks four questions of every message:
• Who sent the message?
• What is the content?
• How was the message constructed?
• Where does the call to action take you?

Verdicts: Block / Quarantine / Forward. In the figure, Cisco Anti-Spam in Cisco Email Security sits in front of the O365 mail server.

Page 10

And reduces your exposure to the three main components of an email attack

• Attachments
• URLs
• Email content

Page 11

Cisco protects against threats hidden within attachments

Layers: Anti-spam · Anti-virus · Virus Outbreak Filters · Advanced Malware Protection (AMP)

Page 12

Anti-virus processing

Block known and zero-day viruses

Anti-virus engines:
• Scan attachments (.PDF, .LNK, .EXE, .DOC, ...) for known viruses
• Receive AV signature updates regularly
• Determine what actions to take on viral messages: Block / Quarantine / Forward

Outbreak Filters (Zero-Hour Virus and Malware Detection):
• Defend against zero-day malware with real-time security updates that prevent new malware
• Determine whether anomalies are zero-day threats, using multiple detection methods: pattern matching, emulation technology, advanced heuristic techniques
• Updates every 12 hours
• Actions: Block / Quarantine

Clean emails are forwarded to additional security checks.

Page 13

Advanced Malware Protection (AMP) architecture

Detect and contain advanced threats quickly

The AMP Threat Intelligence Cloud serves every enforcement point in the figure:
• Network edge: Meraki MX, ISR with FirePOWER Services, Cisco ASA with FirePOWER Services, FirePOWER NGIPS appliance
• Threat Grid malware analysis: private cloud or virtual appliance
• Email: Cloud Email Security and Email Security Appliance
• Web: CWS and Web Security Appliance (data center, private CWS)
• Endpoints: AnyConnect; Windows, Mac OS, Android mobile, CentOS/Red Hat/Linux, virtual; remote endpoints

Deploy easily with multiple platform options; leverage threat intelligence and dynamic malware analysis.

Page 14

Advanced Malware Protection (AMP)

Keep tabs on all emails admitted into the environment after analysis

• File reputation (known signatures, fuzzy fingerprinting): block known malware
• File sandboxing (advanced analytics, dynamic analysis, 560+ indicators): investigate files safely
• File retrospection (indications of compromise found after delivery): auto-remediate threats in O365

Verdicts: Malicious / Clean / Unknown. File types in scope include .PDF, .LNK, .EXE, .DOC, .SYS, .SCR. Gain visibility into messages trying to enter the network.

Page 15

AMP Threat Grid for sandboxing

Investigate unrecognized attachments safely

• Upload unknown files (JPG, PDF, SWF, HTML, ...) to Threat Grid
• Examine files with context-driven analysis
• Receive a threat report and score to guide decision making
• Automatically remediate malware for O365 users: the email is delivered, and when the threat score comes back it is sent to O365 for administered action

Page 16

Cisco protects against disguised hyperlinks

Layers: Anti-spam · Content Filters · Outbreak Filters

Page 17

Content Filters

Control which emails cross the network

• Easily enforce business and compliance policies
• Customize filters in three different ways for additional security, driven by URL reputation and categorization:
  1. Rewrite URL: the link is redirected through the Cisco Cloud Web Proxy
  2. Defang / Block: the link is made unclickable or blocked outright (the figure shows BLOCKED www.proxy.org)
  3. Replace with text: "This URL is blocked by policy"
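The three URL actions above, as an added example that is not Cisco's content-filter code: a small Python filter classifies every URL in a message body against a verdict table and applies rewrite-through-proxy, defang, or replace-with-text. The proxy address, the verdict table, and the sample body are assumptions constructed for the example; a real gateway would query a live reputation and categorization service instead.

```python
"""Added example (not Cisco code): apply content-filter URL actions."""
import re
from urllib.parse import quote

URL_RE = re.compile(r"\bhttps?://[^\s<>\"')\]]+", re.IGNORECASE)

# Hypothetical click-time proxy that re-evaluates the URL when it is clicked.
PROXY = "https://proxy.example/redirect?url="

# Constructed verdict table standing in for URL reputation/categorization.
VERDICTS = {
    "www.proxy.org": "block",      # the deck's blocked-category example
    "evil.example": "block",
    "unknown.example": "rewrite",  # unknown reputation: evaluate at click time
    "bank.example": "allow",
}

BLOCK_TEXT = "[This URL is blocked by policy]"


def host_of(url):
    """Extract the host name (no scheme, userinfo, port or path)."""
    rest = url.split("//", 1)[1]
    host = rest.split("/", 1)[0].split("@")[-1].split(":")[0]
    return host.lower()


def defang(url):
    """Make a URL unclickable but readable: hxxp://evil[.]example"""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")


def filter_body(body, block_action="replace"):
    """Rewrite URLs in a message body.

    block_action selects the treatment of 'block' verdicts: "replace" swaps
    the URL for BLOCK_TEXT, "defang" keeps it visible but unclickable.
    'rewrite' verdicts (and hosts missing from the table) are sent through
    the proxy; 'allow' verdicts pass unchanged.
    Returns (filtered_body, [(url, verdict), ...]).
    """
    hits = []

    def replace(match):
        url = match.group(0)
        verdict = VERDICTS.get(host_of(url), "rewrite")
        hits.append((url, verdict))
        if verdict == "allow":
            return url
        if verdict == "block":
            return defang(url) if block_action == "defang" else BLOCK_TEXT
        return PROXY + quote(url, safe="")

    return URL_RE.sub(replace, body), hits


# Constructed sample body.
SAMPLE_BODY = ("Login: https://evil.example/login and docs at "
               "http://unknown.example/a?b=1 or https://bank.example/")

if __name__ == "__main__":
    filtered, hits = filter_body(SAMPLE_BODY)
    print(filtered)
    for url, verdict in hits:
        print(f"{verdict:8} {url}")
```

Unknown hosts deliberately go through the proxy rather than being allowed, because reputation at delivery time says nothing about what the page will serve when the user clicks hours later; the `hits` list is what a gateway would write to its message-tracking log.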

Page 18

Outbreak Filters

Detect targeted or blended attacks automatically

• Block all known threats with Talos (Block / Forward)
• Dynamic quarantine: quarantine emails with suspicious URLs
• Rewritten message: modify emails to protect the end user by rewriting URLs (traffic is redirected through the Cisco Cloud Web Proxy to protect from malicious links; the site is then blocked or validated), adding a threat warning, and prepending the subject line

Example of a rewritten message from the figure:

From: Bank.com
To: Bob Smith
Subject: Suspicious mail

Warning! This email contains suspicious content

Hello John,
Access your account here.

Page 19

Cisco defends against human error

Layers: Anti-spam · DMARC, DKIM and SPF · Forged Email Detection

Page 20

DMARC, DKIM and SPF

Block fraudulent senders

• Inspect sender details on inbound messages
• Determine whether a sender is reputable
• Block invalid senders and identify next steps: verified or signed mail is sent on, fraudulent mail is deleted or quarantined

SPF: checks whether the host delivering mail for the envelope sender's (MAIL FROM) domain is authorized by the SPF record that domain publishes in DNS
DKIM: verifies the message signature against the public key the signing domain publishes in DNS; a valid signature proves the domain's private key was used and that the signed headers and body have not been altered in transit
DMARC: ties the SPF and DKIM results to the visible 'From' header (alignment) and lets the domain owner publish the policy receivers should apply on failure (none, quarantine or reject), plus where to send reports

In the figure, Cisco Email Security queries DNS for TrustedPartner.com's records before deciding whether the message is verified or fraudulent.
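The receiver-side decision the slide describes, as an added example that is not Cisco's code: given the SPF and DKIM results a gateway has already computed (taken here from an Authentication-Results style header), the code applies DMARC alignment and the published policy. The DMARC records, the tiny public-suffix list, and the sample headers are constructed assumptions; a real implementation resolves `_dmarc.<domain>` over DNS, tries the exact From: domain before its organizational domain, honors `sp=` and `pct=`, and uses the full Public Suffix List.

```python
"""Added example (not Cisco code): a receiver-side DMARC evaluation."""
import re

# Constructed stand-ins for DNS: _dmarc.<domain> TXT records.
DMARC_RECORDS = {
    "trustedpartner.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@trustedpartner.com",
    "bank.com": "v=DMARC1; p=quarantine",
}

# Toy public-suffix list; production code uses the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

# Pulls "spf=pass ... smtp.mailfrom=X" and "dkim=pass ... header.d=X" out of
# an Authentication-Results header written by the gateway's own SPF/DKIM checks.
AR_RE = re.compile(r"\b(spf|dkim)=(\w+)[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+)")


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict with the RFC defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain: the label just above the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    found = {}
    for method, result, ident in AR_RE.findall(header):
        # smtp.mailfrom may be a full address; keep only its domain
        found[method] = (result.lower(), ident.rsplit("@", 1)[-1].lower())
    return found


def evaluate(from_addr, auth_results):
    """Return (dmarc_result, disposition) for the visible From: address."""
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    # Simplification: look up the org domain's record directly.
    policy = parse_dmarc(DMARC_RECORDS[org_domain(from_domain)])
    results = parse_auth_results(auth_results)
    spf_result, spf_domain = results.get("spf", ("none", ""))
    dkim_result, dkim_domain = results.get("dkim", ("none", ""))
    spf_ok = spf_result == "pass" and bool(spf_domain) and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]


if __name__ == "__main__":
    # Constructed headers; in practice the receiving MTA adds them.
    print(evaluate("alice@trustedpartner.com",
                   "mx.example.net; spf=pass (sender IP is 203.0.113.5) "
                   "smtp.mailfrom=bounce@mail.trustedpartner.com; dkim=fail header.d=trustedpartner.com"))
    print(evaluate("ceo@bank.com",
                   "mx.example.net; spf=pass smtp.mailfrom=attacker@outside.example"))
```

The second call is the spoofing case the deck warns about: SPF passes for the attacker's own envelope domain, but that domain does not align with the `bank.com` in the visible From:, so DMARC fails and `bank.com`'s `p=quarantine` applies. Note also that with `adkim=s` a signature from `mail.trustedpartner.com` no longer counts for a `trustedpartner.com` From:.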

Page 21

Forged Email Detection

Protect against spoofing attacks

• Match the sender address and display name against the company directory
• Inspect the SMTP envelope for the actual sender address
• Send appended mail to warn users of potential forgery
• Record a log of attempts and actions taken

Pre-processing: the message as it arrives

From: Chuck <[email protected]>
Subject: [URGENT] Need help transferring funds

Compared against the company directory:
• Allison Johnson
• Barry Smith
• Chuck Robbins
• Dave Tucker

The SMTP envelope is inspected separately from the message headers. In the session from the figure, HELO carries the sending domain, MAIL FROM the actual sender, and RCPT TO the recipient domain:

$ telnet mail-smtp-in.l.mail.com 25
Trying 74.125.206.26...
Connected to mail-smtp-in.l.mail.com.
Escape character is '^]'.
220 mx.mail.com ESMTP i11si22058766wmh.67 - gsmtp
HELO mail.outside.com
250 mx.mail.com at your service
MAIL FROM:<[email protected]>
250 2.1.0 OK i11si22058766wmh.67 - gsmtp
RCPT TO:<[email protected]>
250 2.1.5 OK i11si22058766wmh.67 - gsmtp
DATA

Everything after DATA, including the From: header the recipient sees, is under the sender's full control, which is why the display name is checked against the directory and the envelope sender against the header.

Post-processing: the message as delivered

From: [email protected]
Subject: {Possibly Forged} [URGENT] Need help transferring funds
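The directory check and subject tagging from the figure, as an added example that is not Cisco's Forged Email Detection implementation: the code parses the header From:, matches its display name against a directory of executives, compares the envelope sender with the header address, and prepends the {Possibly Forged} tag when a directory name appears on an address outside the company domain. The company domain, the directory, and the sample message are constructed assumptions.

```python
"""Added example (not Cisco's Forged Email Detection): flag display-name
impersonation of people in the company directory."""
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumption for this example
DIRECTORY = {                           # constructed sample directory
    "Allison Johnson": "ajohnson@example.com",
    "Barry Smith": "bsmith@example.com",
    "Chuck Robbins": "crobbins@example.com",
    "Dave Tucker": "dtucker@example.com",
}
TAG = "{Possibly Forged} "


def _norm(name):
    return " ".join(name.replace(",", " ").replace(".", " ").lower().split())


def name_matches(display_name):
    """Return the directory entry a display name impersonates, if any.

    Matches the full name in any order ("Robbins, Chuck") or a single
    first or last name ("Chuck"), which is how BEC lures usually appear.
    """
    parts = _norm(display_name).split()
    if not parts:
        return None
    for full_name in DIRECTORY:
        target = _norm(full_name).split()
        if set(parts) == set(target) or (len(parts) == 1 and parts[0] in target):
            return full_name
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def inspect(envelope_from, raw_message):
    """Compare the SMTP envelope sender and the header From: against the directory."""
    msg = email.message_from_string(raw_message)
    display, header_addr = parseaddr(msg.get("From", ""))
    matched = name_matches(display)
    notes = []
    # Pre-processing view: a directory name on an address outside the company.
    forged = bool(matched) and domain_of(header_addr) != COMPANY_DOMAIN
    if forged:
        notes.append(f"display name '{display}' matches '{matched}' but address is {header_addr}")
    # Envelope/header mismatch alone is common (lists, forwarders): log it, do not tag.
    if domain_of(envelope_from) != domain_of(header_addr):
        notes.append(f"envelope sender {envelope_from} differs from header From {header_addr}")
    subject = msg.get("Subject", "")
    if forged:
        subject = TAG + subject     # post-processing view: warn the recipient
    return {"forged": forged, "subject": subject, "notes": notes}


# Constructed sample modeled on the deck's figure (addresses are placeholders).
SAMPLE = (
    "From: Chuck <chuck.robbins.ceo@outside.example>\r\n"
    "To: dtucker@example.com\r\n"
    "Subject: [URGENT] Need help transferring funds\r\n"
    "\r\n"
    "Dave, please wire the funds today.\r\n"
)

if __name__ == "__main__":
    result = inspect("attacker@outside.example", SAMPLE)
    print(result["subject"])
    for note in result["notes"]:
        print("  -", note)
```

The single-name match ("Chuck") is what makes this useful against real lures, but it is also the main false-positive source: a contractor who happens to share a first name with an executive will be tagged, so production rules usually apply it only to a short list of high-value names.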

Page 22

Cisco catches critical data before it leaves the network

Layers: Data loss prevention · Cisco Registered Envelope Service and ZixGateway with Cisco Technology

Page 23

Data Loss Prevention (DLP)

Protect personal information and IP

• Control what leaves the network and customize policies
• Scan email content for sensitive information, against 100+ predefined DLP policies
• Prevent data exfiltration automatically

Outcomes in the figure:
• Critical violation: information redirected to the admin and not sent
• Minor violation: content sent with encryption
• No violation: content sent with optional encryption

Manage policies by specific users, groups, locations, federal compliance and state regulations, with multi-language support.
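The three outcomes above, as an added example that is not a Cisco DLP policy: a Python classifier scans outbound text for payment card numbers (validated with the Luhn checksum so that order numbers and phone numbers do not trip it), US Social Security numbers, and confidentiality keywords, and maps the result to redirect / encrypt / send. The patterns, severities, and sample messages are constructed assumptions standing in for a predefined policy.

```python
"""Added example (not a Cisco DLP policy): classify outbound mail text and
map the result to the deck's three outcomes."""
import re

# 13 to 16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# US SSN with the invalid area/group/serial ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
KEYWORDS = ("confidential", "internal only")


def luhn_ok(digits):
    """Luhn checksum; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    cards = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards.append(digits)
    return cards


def classify(text):
    """Return (severity, action, findings)."""
    findings = {
        "card": find_cards(text),
        "ssn": SSN_RE.findall(text),
        "keyword": [k for k in KEYWORDS if k in text.lower()],
    }
    if findings["card"] or findings["ssn"]:
        return "critical", "redirect to admin; do not send", findings
    if findings["keyword"]:
        return "minor", "send with encryption", findings
    return "none", "send (encryption optional)", findings


# Constructed sample messages.
SAMPLES = [
    "Card 4111 1111 1111 1111 exp 12/28, please charge the deposit.",
    "Order 1234567890123 shipped; tracking attached.",
    "Attached is the CONFIDENTIAL Q3 roadmap.",
    "Lunch Friday?",
]

if __name__ == "__main__":
    for text in SAMPLES:
        severity, action, _ = classify(text)
        print(f"{severity:9} {action:32} {text}")
```

The order number in the second sample has the right length for a card number but fails Luhn, so it is not a finding; without that check the regex alone would block a large share of ordinary business mail. Attachments would go through the same classifier after text extraction.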

Page 24

Cisco Registered Envelope Service (CRES)

Extend security to external communications

• Scan messages for keywords, policies, and sender
• Apply authentication mechanisms to access encryption keys
• Maintain control over your sent messages (sender controls)

Flow in the figure: Cisco Email Security pushes the encrypted envelope to the recipient; the recipient opens the attachment and confirms identity with CRES to retrieve the key.

Page 25

ZixGateway with Cisco Technology (ZCT)

Send highly secure emails on-premises

• Use transparent secure delivery for e-discovery and archiving
• Make delivery transparent for senders and receivers
• Select the best method of secure delivery automatically

Components in the figure: the mail server and sending employees; Cisco Email Security with ZCT (PXE web server and key server); the Zix Directory; an external DB of PXE keys; the ZCT Secure Hosted Portal. Delivery paths: transparent secure delivery to other Zix users, TLS to TLS-capable recipients, PXE push to everyone else.

Page 26

Achieve agility

Page 27

Message tracking

Investigate users without running new reports

• Track messages in near-real-time
• Search for a single email based on specific parameters
• Search for common threats across emails

Search parameters available to the admin:
1. Recipient
2. Envelope sender
3. Subject line
4. File names
5. URLs

Page 28

Unified business reporting

Understand the health of your system

• Access data from the cloud to create consolidated reports
• Reduce investigations and response times
• Identify trends with scheduled and ad-hoc reporting

See details around:
• Email Threats
• Malicious Attachments
• Email Volume
• Spam Counters
• Policy Violations
• Virus Reports
• Outgoing Email Data
• Reputation Service
• System Health View

Page 29

Graymail detection and safe unsubscribe

Separate what matters from what doesn't

• Identify messages that aren't spam
• Categorize incoming bulk, marketing, and social networking emails
• Provide users a method to safely unsubscribe

Graymail detection classifies mail as Bulk, Social Network or Marketing, then either quarantines/blocks it or marks it up: modify the subject, add an x-header, add a graymail warning to the email banner, and add a Safe Unsubscribe link. When the user clicks "unsubscribe here", the unsubscribe engine performs the request on the user's behalf instead of sending the user to the sender's site.

Page 30

Cisco Email Security supports archiving through Commvault partnership

Simplify backup and recovery of archived messages

• Automate data management to optimize storage
• Store critical messages and attachments (local storage, with IntelliSnap technology)
• Retrieve emails easily with O365 integration: the end user searches the archive directly

Page 31

Support growth

Page 32

Transition to the cloud with confidence

Cisco Email Security:
• Increase dedicated instances up to 50% at no cost
• Prevent shared fate with dedicated compute instances
• Integrate easily with O365
• Deliver 99.999% availability
• Migrate to new deployment options easily

Page 33

Cloud Email Security with Office 365

Easily integrate with your current email client

• Point Mail Exchange (MX) records to Cisco Cloud Email Security
• Configure Smart Host settings in O365 to deliver outbound mail

Feature comparison:

O365 Exchange Online          | Cisco Email Security with O365
------------------------------|-------------------------------
Anti-spam filters             | Anti-spam filters
Anti-virus protection         | Anti-virus protection*
Policy enforcement            | Policy enforcement
Disaster recovery             | Disaster recovery
Directory services            | Directory services
Advanced threat protection    | Graymail detection
Message tracking              | Outbreak Filters
                              | Message tracking
                              | Email encryption
                              | AMP
                              | Detailed reporting
                              | Zero-day incident management
                              | Data loss prevention

* Anti-virus provided by O365

Mail flow in the figure: inbound mail from the external domain passes through Cisco Email Security to the customer email domain; outbound mail leaves the customer domain through Cisco Email Security to the external domain.

Page 34

Deploy the configuration that works best for you

Cloud · Hybrid · On Premises

Page 35

Cisco delivers superior protection and visibility to specialized threats

• Reduce threats with advanced protection
• Support growth through operational efficiency
• Achieve agility with availability and assurance

Page 36

Cisco Web Security

Industry-leading protection across the attack continuum

Page 37

The way we use the web is changing, making it more difficult to protect your network

Users connect from: Mobile · Coffee Shop · Corporate · Home · Airport

Page 38

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Why do we need content filtering?

• Web 2.0 brings more content to the user, and more attack vectors
• Advertisements from third parties are a popular vehicle for malware
• Gone are the days of simple one-domain pages

Front-page composition of four popular sites (the slide gives two measurements per site without dating them):

Site               | Requests  | Distinct domains | Front-page size
-------------------|-----------|------------------|----------------
www.lifehacker.com | 183 / 161 | 52 / 30+         | 2.8+ / 2.1+ MB
www.cnn.com        | 329 / 425 | 95 / 61          | 3.6 / 6.4+ MB
www.cisco.com      | 163 / 112 | 123 / 21         | 6.0 / 1.3 MB
www.reddit.com     | 66 / 47   | 134 / 11         | 775 / 500 KB

Page 39

Customers are challenged with today's evolving threat landscape

• Data loss
• Acceptable use violations
• Malware infections

Page 40

Cisco Web Security architecture (figure)

Capabilities across Before / During / After: Web Filtering, Cloud Access Security, Web Reputation, Application Visibility and Control, Parallel AV Scanning, Data-Loss Prevention, File Reputation, File Sandboxing, File Retrospection, Cognitive Threat Analytics*

Traffic redirection options: WCCP, explicit proxy / PAC, load balancer, PBR, AnyConnect client

Client authentication techniques, with Cisco ISE integration; Talos threat intelligence behind the verdicts

Deployment: appliance or virtual; campus office, branch office, HQ and roaming users; verdicts Allow / Warn / Block / Partial Block

Management: reporting, log extraction, admin

* Roadmap feature: projected release 2H CY15

Page 41

Cloud to core coverage

• 16 billion web requests a day
• 300 billion email messages a day
• 18.5 billion AMP queries a day

WEB: reputation, URL filtering, AVC
CLOUD: FireAMP and ClamAV detection content
EMAIL: reputation, anti-spam, Outbreak Filters
ENDPOINT: software: ClamAV, Razorback, Moflow

Page 42

Reputation analysis: the power of real-time context

Signals combined into a reputation score (the figure shows sample hosts such as 192.1.0.68, example.com, Example.org and 17.0.2.12, locations such as Beijing, London, San Jose and Kiev, and the protocols HTTP, SSL and HTTPS):

• Who: suspicious domain owner
• Where: server in a high-risk location; dynamic IP address
• When: domain registered < 1 minute, < 1 month or > 2 years ago; web server up < 1 month
• How: protocol and connection characteristics

The resulting IP reputation score ranges from -10 to +10.

Attack continuum: BEFORE: Discover, Enforce, Harden · DURING: Detect, Block, Defend · AFTER: Scope, Contain, Remediate

Page 43

Loss of productivity is a threat: how much bandwidth and time is being wasted?

Source: Cloud Web Security Report (Facebook, YouTube, Pandora)

• Facebook time: 2,110,516 minutes, or 35,175 hours, 1,465 days, 4.1 years
• Facebook likes: 3,925,407 at 1 second per like, almost 1,100 hours per day, or 45 days just liking things
• Bytes on YouTube video playback: 11,344,463,363,245, or 10 TB
• Pandora: 713,884,303,727 bytes, or 0.6 TB
• Total browsing time per day: 2,270,690,423 minutes, or 4,320 years
• Total bytes per day: 70,702,617,989,737, or 64 TB; over 15% from YouTube

Page 44

Acceptable use controls: beyond URL filtering

URL Filtering:
• Constantly updated URL database covering over 50 million sites worldwide
• Real-time dynamic categorization for unknown URLs

Application Visibility and Control (AVC), covering hundreds of apps and 150,000+ micro-apps:
• Control over mobile, collaborative, and Web 2.0 applications
• Assured policy control over which apps can be used by which users and devices
• Granular enforcement of behaviors within applications
• Intelligent controls of bandwidth usage

Page 45

Application Visibility and Control (AVC)

(Build of the previous slide, adding examples.)

Hundreds of apps: Facebook, LinkedIn, iTunes, YouTube, Google+
150,000+ micro-apps: for example FarmVille
Application behavior: granular enforcement of what users may do inside those applications, as on the previous slide

Page 46

Real-time malware scanning: dynamic vectoring and streaming

Antimalware scanning with multiple anti-malware scanning engines: parallel scans, stream scanning
• Signature inspection identifies known behaviors
• Heuristics detection identifies unusual behaviors

• Optimizes efficiency and catch rate with intelligent multiscanning
• Enhances coverage with multiple signature scanning engines
• Improves user experience with parallel scanning for fastest analysis
• Provides the latest coverage with automated updates
• Identifies encrypted malicious traffic by decrypting and scanning SSL traffic (this requires the proxy's CA certificate to be trusted on every client, and sites or apps that pin certificates will break unless exempted)

Page 47

Reputation filtering and file sandboxing deliver the first line of detection

Techniques: one-to-one signature · fuzzy fingerprinting · machine learning · advanced analytics · dynamic analysis

All detection is less than 100% effective

Page 48

And continues to analyze what happens along the attack continuum

Breadth and control points: Web, Endpoints, Email, Network, Devices, IPS
Telemetry stream (continuous feed, continuous analysis): file fingerprint and metadata, process information, file and network I/O
Intelligence: Talos + Threat Grid
Outputs: trajectory, behavioral indications of compromise, threat hunting, retrospective detection

Page 49

AMP provides contextual awareness and visibility that allows you to take control of an attack before it causes damage

• What: these applications are affected
• When: this is the scope of exposure over time
• How: here is the origin and progression of the threat
• Who: focus on these users first

Page 50

AMP Threat Grid feeds dynamic malware analysis and threat intelligence to the Cisco AMP solution

1. An analyst or system (via API) submits a suspicious sample, typically a low-prevalence file, to Threat Grid
2. An automated engine observes, deconstructs, and analyzes it using multiple techniques: proprietary static and dynamic analysis with an "outside looking in" approach and 350 behavioral indicators
3. The AMP Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts (sample and artifact intelligence database, big data correlation, threat feeds)
4. Actionable threat content and intelligence (threat score, behavioral indicators) is generated that can be used by AMP, packaged and integrated into a variety of existing systems, or used independently

Page 51

On-premises Layer 4 Traffic Monitor: infected endpoint detection

The Cisco S-Series appliance performs network-layer analysis (packet and header inspection) on traffic between users and the Internet, backed by antimalware data, to prevent "phone-home" traffic:
• Scans all traffic, all ports, all protocols
• Detects malware bypassing port 80
• Prevents botnet traffic
• Automatically updated rules
• Real-time rule generation using "dynamic discovery"

Also available on Cisco Adaptive Security Appliance as Botnet Traffic Filter
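The two detections this slide relies on, as an added example that is not Cisco L4TM code: over a connection log the script flags (a) any connection to a listed command-and-control host on any port or protocol, and (b) source/destination pairs that check in at regular intervals, which is how malware that sleeps a fixed time between beacons looks on the wire whatever port it uses. The log format, the bad-host list, and the sample lines are constructed assumptions; the same logic runs over NetFlow or firewall logs after parsing.

```python
"""Added example (not Cisco L4TM code): detect phone-home traffic in a
connection log regardless of destination port."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: epoch seconds, src, dst, dst port, protocol.
LOG = """\
1700000000 10.1.1.5 203.0.113.9 8443 tcp
1700000060 10.1.1.5 203.0.113.9 8443 tcp
1700000120 10.1.1.5 203.0.113.9 8443 tcp
1700000180 10.1.1.5 203.0.113.9 8443 tcp
1700000240 10.1.1.5 203.0.113.9 8443 tcp
1700000010 10.1.1.7 198.51.100.4 6667 tcp
1700000033 10.1.1.9 192.0.2.10 443 tcp
1700000140 10.1.1.9 192.0.2.10 443 tcp
1700000901 10.1.1.9 192.0.2.10 443 tcp
1700000050 10.1.1.9 203.0.113.9 53 udp
"""

# Constructed stand-in for the automatically updated rule feed.
BAD_HOSTS = {"198.51.100.4"}


def parse(log):
    rows = []
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, port, proto = line.split()
            rows.append((int(ts), src, dst, int(port), proto))
    return rows


def known_bad(rows):
    """Connections to listed C2 hosts, on any port or protocol."""
    return sorted({(src, dst, port) for _, src, dst, port, _ in rows if dst in BAD_HOSTS})


def beacons(rows, min_conns=4, max_jitter=0.2):
    """(src, dst, port) pairs that connect at regular intervals.

    Returns [((src, dst, port), mean_interval_seconds), ...]. The jitter
    bound is the coefficient of variation of the gaps between connections;
    malware sleeping a fixed time between check-ins sits near zero,
    interactive browsing does not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in rows:
        by_pair[(src, dst, port)].append(ts)
    found = []
    for pair, times in sorted(by_pair.items()):
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((pair, round(avg)))
    return found


if __name__ == "__main__":
    rows = parse(LOG)
    for hit in known_bad(rows):
        print("known C2:", hit)
    for pair, interval in beacons(rows):
        print(f"beacon every ~{interval}s:", pair)
```

Neither check looks at port 80 or 443 specially: the IRC-port connection is caught by the list, and the 60-second beacon on 8443 by its regularity. Real implants add random jitter to their sleep, so production detectors widen `max_jitter`, look at longer windows, and combine the interval test with destination reputation and byte-count patterns.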

Page 52: Email and Web Security news-Dragan Novakovic - …€¦ · Threat-centric email and web security Cisco Email and Web Security News. ... Protect against spoofing attacks Match sender

Identify Possible Breach with Cognitive Threat Analytics

Anomaly Detection, Behavior Analysis, Machine Learning

• Reduced time to discovery: active, continuous monitoring to stop the spread of an attack
• Normal... or not? Spots symptoms of infection using behavioral anomaly detection algorithms and trust modeling
• Security that learns: uses machine learning and Big Data analytics to learn from what it sees and adapts over time
• No more rule sets: discovers threats on its own; just turn it on
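The two preceding slides describe detection at two levels: the Layer 4 Traffic Monitor matching known phone-home destinations on any port, and CTA flagging behavioral anomalies without a signature. The following is an added illustration, not Cisco code and not how either product is implemented internally: it runs both ideas over a handful of constructed flow records. The blocklist addresses, the hosts and the thresholds (five flows minimum, coefficient of variation at most 0.05) are assumptions chosen for the example.

```python
"""
Added example (not Cisco/WSA code): two detections over constructed flow
records, in the spirit of the Layer 4 Traffic Monitor (known bad destination
on any port, any protocol) and of CTA-style behavioural anomaly detection
(periodic "beaconing" with machine-like regularity). Every input here is
constructed: the blocklist, the flow records, and the thresholds.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "known bad" destinations (documentation-range addresses).
C2_BLOCKLIST = {"203.0.113.7", "198.51.100.42"}

# Constructed flow records: (epoch seconds, src, dst, dst_port, bytes_out)
FLOWS = [
    # Host A talks to a blocklisted IP on a non-web port: L4TM-style hit.
    (1000, "10.1.1.5", "203.0.113.7", 4444, 300),
    # Host B beacons to an unknown IP roughly every 60 s: anomaly-style hit.
    (1000, "10.1.1.9", "192.0.2.33", 443, 512),
    (1061, "10.1.1.9", "192.0.2.33", 443, 498),
    (1120, "10.1.1.9", "192.0.2.33", 443, 505),
    (1180, "10.1.1.9", "192.0.2.33", 443, 511),
    (1241, "10.1.1.9", "192.0.2.33", 443, 500),
    # Host C browses normally (irregular intervals): benign.
    (1000, "10.1.1.12", "192.0.2.80", 443, 9000),
    (1007, "10.1.1.12", "192.0.2.80", 443, 12000),
    (1190, "10.1.1.12", "192.0.2.80", 443, 3100),
    (1195, "10.1.1.12", "192.0.2.80", 443, 800),
    (1600, "10.1.1.12", "192.0.2.80", 443, 21000),
]


def l4_blocklist_hits(flows, blocklist=C2_BLOCKLIST):
    """Flag any flow to a blocklisted destination, regardless of port.

    This is the "all ports, all protocols" point: a check keyed only on
    port 80/443 would miss the 4444/tcp phone-home above.
    """
    return [(src, dst, port) for _, src, dst, port, _ in flows if dst in blocklist]


def beaconing_hosts(flows, min_flows=5, max_cv=0.05):
    """Flag (src, dst) pairs whose inter-flow intervals are nearly constant.

    cv = population stdev / mean of the gaps between consecutive flows.
    Human browsing has bursty, irregular gaps (high cv); implant check-ins
    are timer-driven (low cv). No signature or destination list is needed.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:        # too few samples to judge periodicity
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = {"period_s": round(avg, 1), "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    print("blocklist hits:", l4_blocklist_hits(FLOWS))
    print("beaconing:", beaconing_hosts(FLOWS))
```

In production the blocklist would come from a continuously updated feed and the beaconing check would run over far more flows per pair; the thresholds here are deliberately loose so the constructed data triggers them.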

Page 53

Web Security Advanced Threat Protection Differentiators (CWS Premium)

Layer 1 (AMP): File Reputation, Dynamic Malware Analysis, File Retrospection
Layer 2 (CTA): Anomaly detection, Trust modeling, Event classification
Layer 3 (CTA): Entity modeling, Relationship modeling

Page 54

CTA presents results in two categories: Confirmed Threats

Confirmed Threats - Threat Campaigns
• Threats spanning across multiple users
• 100% confirmed breaches
• For automated processing leading to fast reimage / remediation
• Contextualized with additional Cisco Collective Security Intelligence

Page 55

CTA presents results in two categories: Detected Threats

Detected Threats - One-off Threats
• Unique threats detected for individuals
• Suspected threat confidence and risk levels provided
• For semi-automated processing
• Very little or no additional security context exists

Page 56

Cisco AnyConnect Secure Mobility Client: Redirect Roaming Users to Premises and/or Cloud

Roaming laptop, mobile, or tablet users have the Cisco AnyConnect client installed on the machine. Three web traffic redirection paths are shown:

• Web users at a web security location: the router or firewall reroutes traffic to WSA or CWS
• Roaming users via VPN: AnyConnect backhauls traffic through the VPN tunnel to HQ, where the router or firewall reroutes it to WSA or CWS
• Roaming users via ACWS (AnyConnect with Cloud Web Security): AnyConnect routes traffic through an SSL tunnel directly to the closest Cisco cloud proxy

In each case WSA or CWS applies the web security features and delivers a verdict on the request: Block, Warn, or Allow.

Page 57

Identity Services Engine Integration: Extend User Identity and Context

• Acquires important context and identity from the network
• Monitors and provides visibility into unauthorized access
• Provides differentiated access to the network
• Cisco TrustSec provides segmentation throughout the network
• Cisco Web Security Appliance provides web security and policy enforcement
• Available only on WSA

Example (healthcare): Cisco Identity Services Engine supplies Who (Guest or Doctor), What (iPad or Laptop), and Where (Office) to the WSA, which enforces a consistent secure access policy across resources such as Confidential Patient Records, the Internal Employee Intranet, and the Internet.

Page 58

Referer Header Exception

• Referer is an HTTP request header that identifies the webpage from which the current request was made.
• WSA uses the Referer field to find out the URL of the page the user browsed from and uses it to define access policies.
• Example: block the video category, but allow embedded YouTube videos on a specific website.

Note that the Referer header is set by the client and may be absent, stripped by privacy settings, or forged, so a Referer exception is a usability control for legitimate users rather than a hard security boundary.

Page 59

External Feed for Policies

• Periodically get inputs from external sources to block IP addresses, domains, or URLs
• Dynamically update access policies (without a proxy restart) to implement the new inputs
• Out-of-the-box integration with the O365 XML feed published by Microsoft
• Used to integrate with ticketing systems, government feeds, or external security agencies

Diagram: on the Web Security Appliance, an HTTP feed daemon performs a periodic fetch from an external HTTP(S) server (the external system) and an O365 feed daemon performs a periodic fetch from the O365 cloud; both produce ACL rules that the ACL engine inside the web proxy enforces. The admin configures the feeds.
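The Referer exception slide and the external feed slide are both policy-evaluation mechanisms: one consults a request header, the other consults a block list that is refreshed without restarting the proxy. The following added example, which is not Cisco or WSA code and does not reproduce the appliance's actual rule format, shows a miniature access-policy evaluator doing both over constructed inputs. The feed text, the hostnames, the category map and the O365-style handling are all assumptions made for the example; the real O365 endpoint feed has its own schema and is not parsed here.

```python
"""
Added example (not Cisco/WSA code): a miniature access-policy evaluator
demonstrating two mechanisms from the slides with constructed inputs:
  * an external feed of IPs / CIDRs / domains / URLs that is re-parsed and
    swapped in without restarting the proxy (hot reload of block rules), and
  * a category block with a Referer exception (block the "video" category
    unless the request was made from a specific allowed site).
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed external feed, one entry per line, as a ticketing system or a
# security agency might publish it. Comments and blank lines are ignored.
FEED_TEXT = """\
# blocklist feed v1 (constructed for the example)
203.0.113.0/24
198.51.100.7
bad.example
http://mostly-fine.example/malicious/path
"""

# Constructed URL categorisation (a real WSA uses its URL filtering database).
CATEGORY_BY_HOST = {
    "www.youtube.com": "video",
    "video.example": "video",
    "intranet.example": "business",
}


class FeedRules:
    """Block rules parsed from one fetch of a feed: networks, domains, exact URLs."""

    def __init__(self, text):
        self.nets, self.domains, self.urls = [], set(), set()
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if "://" in line:                       # full URL: exact match only
                self.urls.add(line)
                continue
            try:                                    # IP or CIDR
                self.nets.append(ipaddress.ip_network(line, strict=False))
            except ValueError:                      # otherwise a domain (with subdomains)
                self.domains.add(line.lower())

    def matches(self, url):
        if url in self.urls:
            return True
        host = (urlsplit(url).hostname or "").lower()
        try:
            ip = ipaddress.ip_address(host)
            return any(ip in net for net in self.nets)
        except ValueError:
            pass
        return any(host == d or host.endswith("." + d) for d in self.domains)


class AccessPolicy:
    def __init__(self, blocked_categories, referer_exceptions):
        self.blocked = set(blocked_categories)
        self.referer_exceptions = referer_exceptions   # category -> allowed referring hosts
        self.feed = FeedRules("")                      # empty until the first fetch

    def reload_feed(self, text):
        """Build the new rule set completely, then swap the reference.

        In-flight requests keep the old object; no proxy restart is needed.
        """
        self.feed = FeedRules(text)

    def decide(self, url, referer=None):
        if self.feed.matches(url):
            return "BLOCK:feed"
        host = (urlsplit(url).hostname or "").lower()
        category = CATEGORY_BY_HOST.get(host, "uncategorized")
        if category in self.blocked:
            ref_host = (urlsplit(referer).hostname or "").lower() if referer else ""
            if ref_host and ref_host in self.referer_exceptions.get(category, set()):
                return "ALLOW:referer-exception"
            return "BLOCK:category:" + category
        return "ALLOW"


if __name__ == "__main__":
    policy = AccessPolicy(["video"], {"video": {"intranet.example"}})
    policy.reload_feed(FEED_TEXT)
    print(policy.decide("https://www.youtube.com/embed/abc"))
    print(policy.decide("https://www.youtube.com/embed/abc", referer="https://intranet.example/page"))
    print(policy.decide("http://203.0.113.5/x"))
```

The feed is parsed into a fresh `FeedRules` object and only then assigned, which is the property that makes "update without restart" safe: the proxy never evaluates a half-loaded rule set. Because the Referer value comes from the client, the exception is checked only after the feed block list, so a forged Referer cannot unblock a feed-listed destination.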

Page 60

Time and Volume Quotas: Intelligent Controls of Bandwidth Usage

Control web usage to meet administrative policies, such as:
• Total bandwidth used during work hours
• Total bandwidth per day used for social media categories

• Configure policies to restrict access based on the amount of data (in bytes) and time
• Quotas are applicable to HTTP, HTTPS, and FTP traffic
• Configured under access policies and decryption policies
• Create custom end-user notifications of warnings when a quota is close, as well as when it is exceeded
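To make the quota behaviour concrete, here is an added example (not Cisco or WSA code, and not the appliance's actual accounting logic) of a per-user, per-category quota tracker with a byte limit and a time limit that reset daily, a warning when usage nears either limit, and a block once a limit is exceeded. How browsing "time" is charged is an assumption of this example: the gap since the previous request in the same category counts if it is under an idle timeout, otherwise a one-minute minimum is charged. The user, categories, limits and request sequence are constructed.

```python
"""
Added example (not Cisco/WSA code): a per-(user, category) quota tracker in
the style of the time and volume quotas described on the slide. Returns one of
"ALLOW", "ALLOW:warn" (quota is close, notify the user) or
"BLOCK:quota-exceeded". All inputs are constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumptions for how time is charged (a real WSA has its own session logic):
IDLE_TIMEOUT = timedelta(minutes=5)  # gaps longer than this are not browsing time
MIN_CHARGE = timedelta(minutes=1)    # a visit after idle time costs at least one minute


@dataclass
class Quota:
    max_bytes: int
    max_minutes: float
    warn_ratio: float = 0.8          # warn the user at 80 % of either limit


@dataclass
class Usage:
    bytes_used: int = 0
    minutes_used: float = 0.0
    last_seen: Optional[datetime] = None
    day: Optional[date] = None


class QuotaEnforcer:
    def __init__(self, quotas: Dict[Tuple[str, str], Quota]):
        self.quotas = quotas
        self.usage: Dict[Tuple[str, str], Usage] = {}

    def check(self, user: str, category: str, when: datetime, nbytes: int) -> str:
        key = (user, category)
        quota = self.quotas.get(key)
        if quota is None:
            return "ALLOW"                          # no quota configured for this pair
        u = self.usage.setdefault(key, Usage())
        if u.day != when.date():                    # quotas reset daily
            self.usage[key] = u = Usage(day=when.date())
        if u.bytes_used >= quota.max_bytes or u.minutes_used >= quota.max_minutes:
            return "BLOCK:quota-exceeded"           # already over: deny before serving
        # Charge this request: bytes as reported, time as the gap since the
        # previous request in this category, bounded by the idle timeout.
        gap = when - u.last_seen if u.last_seen is not None else None
        charge = gap if gap is not None and timedelta(0) < gap <= IDLE_TIMEOUT else MIN_CHARGE
        u.bytes_used += nbytes
        u.minutes_used += charge.total_seconds() / 60
        u.last_seen = when
        near_bytes = u.bytes_used >= quota.warn_ratio * quota.max_bytes
        near_time = u.minutes_used >= quota.warn_ratio * quota.max_minutes
        return "ALLOW:warn" if near_bytes or near_time else "ALLOW"

    def usage_of(self, user: str, category: str) -> Tuple[int, float]:
        u = self.usage.get((user, category), Usage())
        return u.bytes_used, u.minutes_used


def demo() -> List[str]:
    """Constructed sequence: one user against a 10 MB / 30 min daily social media quota."""
    mb = 1_000_000
    q = QuotaEnforcer({("alice", "social_media"): Quota(max_bytes=10 * mb, max_minutes=30)})
    t0 = datetime(2016, 5, 10, 9, 0)
    requests = [
        ("social_media", t0, 2 * mb),                          # 2 MB used
        ("social_media", t0 + timedelta(minutes=2), 3 * mb),   # 5 MB
        ("social_media", t0 + timedelta(minutes=3), 3_500_000),  # 8.5 MB, crosses 80 %
        ("social_media", t0 + timedelta(minutes=4), 2 * mb),   # 10.5 MB, served, now over
        ("social_media", t0 + timedelta(minutes=5), 1 * mb),   # denied
        ("news", t0 + timedelta(minutes=6), 1 * mb),           # no quota on news
        ("social_media", t0 + timedelta(days=1), 1 * mb),      # next day: reset
    ]
    return [q.check("alice", cat, when, n) for cat, when, n in requests]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The request that pushes usage over the limit is still served, because the byte count is only known once the response has been transferred; the block takes effect from the next request, which is also where an end-user notification page would be returned.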

Page 61

Actionable Reporting: Analyze, Troubleshoot, and Refine Security Policies

Centralized appliance- and application-based reporting: centralized management, delegated administration, centralized policy management, in-depth threat visibility, extensive forensic capabilities.

• Insight: across threats, data, and applications
• Control: consistent policy across offices and for remote users
• Visibility: continuous visibility across different devices, services, and network layers


Page 62

Cisco Web Security At a Glance (grouped on the slide under Protection and Control)

• Cisco Talos: monitors threats worldwide, filters on reputation, and automatically updates every 3-5 minutes
• URL Filtering: contains 50 million known sites; categorizes unknown URLs in real time
• Application Visibility and Control (AVC): controls mobile, collaborative, and Web 2.0 applications; enforces behaviors within Web 2.0 applications
• Data-Loss Prevention (DLP): blocks sensitive information; integrates easily by ICAP with third-party vendors
• Threat Monitoring and Analytics: spots symptoms of infection based on behavioral anomalies and CnC traffic
• Advanced Malware Protection: blocks unknown files through reputation and sandboxing; continues to monitor threat levels after an attack
• Centralized Management and Reporting: offers actionable insight across threats, data, and applications

Verdicts on web requests: Allow, Limited Access, Block

Page 63

In Today's Exposed, Highly Connected and Increasingly Mobile World, Cisco Web Security Delivers

• Strong Protection: safeguards every device, everywhere, all the time
• Complete Control: offers control of all web traffic on all devices
• Investment Value: delivers more for your investment

Page 64