
Malware Mega Threats. 2700 W. Cypress Creek Rd. Suite C110, Fort Lauderdale, FL 33309. 954-832-3601, Fax: 954-659-1610


Upload: claud-wood

Post on 19-Dec-2015




TRANSCRIPT

  • Slide 1
  • Malware Mega Threats 2700 W. Cypress Creek Rd. Suite C110, Fort Lauderdale, FL 33309 954-832-3601 Fax: 954-659-1610 www.greysontech.com
  • Slide 2
  • Who is Greyson Technologies?
  • Slide 3
  • What We Do! Greyson delivers measurable business outcomes by architecting and implementing Unified Communications, Security, Enterprise Networking, Virtualization and Storage solutions in secure, hybrid cloud environments.
  • Slide 4
  • Why Greyson? Named South Florida's Fastest Growing IT Company (Florida's 13th fastest). Simply the Best Engineers: An Expert Team of A+ Players. Local, Certified, Experienced w/ Real World Expertise, Professional.
  • Slide 5
  • Why We Are Here: CIO Roundtable. Security Presents a Major Concern! Survey Data: 57% of respondents expect to experience a security breach within the next year. Attack vectors changing: Silverlight attacks up 228% in Sept. 2014; Phishing and SPAM up 250%. Persistent state of infection: Malware infections 250% in Oct 2014. Only 20% of respondents regularly communicate with management about threats. 1 month: the amount of time survey respondents say it took to investigate, restore service and verify resolution of incidents.
  • Slide 6
  • 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. Intelligent Cybersecurity for the Real World. Chris Robb, Advanced Malware Specialist, Cisco Security, [email protected]
  • Slide 7
  • The World Has Changed: Any Device to Any Cloud. Private Cloud, Public Cloud, Hybrid Cloud.
  • Slide 8
  • The World Has Changed: The Industrialization of Hacking. Threats over time: Viruses (2000), Worms (2005), Spyware & Rootkits (2010), APTs / Cyberware (Today). Defenses over time: Anti-virus (Host), IDS/IPS (Network), Anti-malware (Host+Network), Intelligence and Analytics (Host+Network+Cloud), Enterprise Response.
  • Slide 9
  • In the news: what do these all have in common? Home Depot; 25,000 Records of Homeland Security Employees Stolen; Over 50 UPS Franchises hit by data breach; 4.5M Records stolen from US Health Giant; Goodwill; Russian Hackers steal 4.5B records; MeetMe Social Network Users' Passwords Stolen; Insider breach at Las Vegas Brain and Spine Surgery Center; Florida bank notifies roughly 72,000 customers of breach; Los Angeles based health system breached; 60k Tennessee workers impacted by subcontractor breach; Payment cards used on Wireless Emporium website compromised; Albertsons stores CC data hacked; $100,000 bitcoin loss due to hack; Microsoft's Twitter Account Hacked; Sony's Twitter Account Hacked; Russian PM's Twitter hacked ("I resign"); NRC Computers hacked 3 times; Ferguson police office's computers hacked; Norwegian oil industry under attack; Saudi TV website hacked by Libyan; Teenager hacked into Metropolitan Police's computer; Sony suffers DoS attack; Dairy Queen hacked; JP Morgan.
  • Slide 10
  • Customer Success Story: Large Financial Services Firm. 12/04/2014: What has happened at Sony Pictures Entertainment over the past week reads like a blockbuster screenplay or a chief executive's nightmare: Hackers target a major company, disabling its internal systems and leaking documents revealing long-held secrets, from coming products to executive pay. 12/05/2014: The Sony data breach continues to get worse. First, it was exposed budgets, layoffs and 3,800 SSNs, then it was passwords. Now, it's way more social security numbers, including Sly Stallone's. The Wall Street Journal reports that analysis of the documents leaked so far included the Social Security numbers of 47,000 current and former Sony Pictures workers. That included Sylvester Stallone, Rebel Wilson, and Anchorman director Judd Apatow. The Journal reports that the SSNs are found alongside salary information, home addresses, and contract details. "Version of malware that took out Sony Pictures seen in wild in July": While the malware that took down computers at Sony Pictures last week was compiled just days before it was triggered, an earlier version of the code used to unleash the destructive attack may have been in use much earlier within Sony's network. Malware with the same cryptographic signature and filename as the Destover malware was spotted by the security firm Packet Ninjas in July. That malware communicated with one of the same IP addresses and domain names as the final Destover malware: a server at Thammasat University in Bangkok, Thailand. The malware, which was found in a Cisco Partner ThreatGrid repository, also communicated with a network address assigned to a New York business customer of TimeWarner Cable. Taken from article, http://arstechnica.com/security/2014/12/version-of-malware-that-took-out-sony-pictures-seen-in-wild-in-july/
  • Slide 11
  • The Silver Bullet Does Not Exist. Captive portal; "It matches the pattern"; "No false positives, no false negatives"; Application Control; FW/VPN; IDS/IPS; UTM; NAC; AV; PKI; "Block or Allow"; "Fix the Firewall"; "No key, no access"; Sandboxing; "Detect the Unknown"; Threat Analytics; "Outside looking in". The Best Point in Time Protection protects you 90+% of the time.
  • Slide 12
  • Point-in-Time Detection (Antivirus, Sandboxing): Initial Disposition = Clean; Actual Disposition = Bad; Too Late!! Not 100%; Analysis Stops (Event Horizon); Sleep Techniques; Unknown Protocols; Encryption; Polymorphism; Blind to scope of compromise.
  • Slide 13
  • AMP goes beyond point-in-time detection. Attack Continuum: BEFORE (Discover, Enforce, Harden); DURING (Detect, Block, Defend); AFTER (Scope, Contain, Remediate). Coverage: Network, Mobile, Virtual, Email & Web, Cloud. Continuous vs. Point-in-time.
  • Slide 14
  • Continuous Protection when advanced malware evades point-in-time detection. Point-in-time Detection (Antivirus, Sandboxing): Initial Disposition = Clean; Actual Disposition = Bad = Too Late!! Not 100%; Analysis Stops; Sleep Techniques; Unknown Protocols; Encryption; Polymorphism. AMP: Initial Disposition = Clean; Actual Disposition = Bad = Blocked. Retrospective Detection, Analysis Continues.
  • Slide 15
  • Sample of Traditional Point in Time Protection
  • Slide 16
  • AMP for Endpoint: Device Trajectory / Incident Analysis
  • Slide 17
  • Retrospective detection and protection: the ability to learn and proactively reduce your attack surface. Reduce Attack Surface.
  • Slide 18
  • Cisco Advanced Malware Protection: Built on unmatched collective security intelligence. 1.6 million global sensors; 100 TB of data received per day; 150 million+ deployed endpoints; 600+ engineers, technicians, and researchers; 35% worldwide email traffic; 13 billion web requests; 24x7x365 operations; 40+ languages; 180,000+ File Samples per Day. Sources: AMP Community; AMP Threat Grid Intelligence; AMP Threat Grid Dynamic Analysis (10 million files/month); Advanced Microsoft and Industry Disclosures; Snort and ClamAV Open Source Communities; AEGIS Program; Private/Public Threat Feeds. Cisco Collective Security Intelligence (Email, Endpoints, Web, Networks, IPS, Devices, WWW) feeds the Cisco Collective Security Intelligence Cloud, with Automatic Updates every 3-5 minutes.
  • Slide 19
  • Cisco AMP Solution Options (columns: Customer Need, Feature, available on WSA/ESA/CWS, Network, Endpoint). I want to be able to define policies for malware: File Reputation. I want to be able to isolate suspected malware for threat analysis: Sandboxing. I want to be able to backtrack if malware makes it into my system: Retrospective Security. I need to identify compromised devices on my network: Indications of Compromise. I want to track how a file has been behaving: File Analysis. I want to track how threats traverse the network: File Trajectory. I want to see system activities, relationships and events: Device Trajectory. I want to search large sets of data for compromises: Elastic Search. I want to be able to stop the spread of malware with custom tools: Outbreak Control.
  • Slide 20
  • The First Unified Malware Analysis & Threat Intelligence Solution. ThreatGRID is revolutionizing how organizations use accurate and context-rich malware analysis and threat intelligence to defend against advanced cyber attacks. Be Proactive. Recover Faster. Defeat Advanced Threats. Maximize Existing Investments.
  • Slide 21
  • Some Cool Things We Do!!! Allow you to interact with malware; "Outside Looking In" approach; Prioritize threats; Context-driven Malware Analytics.
  • Slide 22
  • Sample report from AMP integration
  • Slide 23
  • ThreatGRID Unique Value: Context-Driven Malware Analytics; 2-way API Integration; Multiple Deployment options; Community Power & Scale; Adaptive Analysis; Simple & Custom Feeds; Easy to use ThreatGRID Portal. For SOC Investigation & Response, Threat Intelligence, and Security Infrastructure Engineering: Defeat Advanced Attacks, Recover Faster, Be Proactive, Maximize Existing Investment.
  • Slide 24
  • C97-732872-00. Cisco AMP Delivers Three Advantages: 1. A better approach; 2. More comprehensive protection; 3. Address the full attack continuum. Cisco Collective Security Intelligence; Point-in-Time Detection; Retrospective Security; BEFORE / DURING / AFTER; Network; Content.
  • Slide 25
  • Cisco Advanced Malware Protection (AMP), Before / During / After: Web Filtering and Reputation; Security Intelligence; File Type Blocking; Application Visibility & Control; Indicators of Compromise; Traffic Intelligence; File Reputation; Cognitive Threat Analytics; File Retrospection; File Sandboxing (Threat Grid); Roaming User; Reporting; Log Extraction; Management. Actions: Allow, Warn, Block, Partial Block. Components: Branch Office, Main Office, HQ, ASA/NSIPS, AMP Appliance, WSA, ESA, AnyConnect, Admin, Traffic Redirections, TALOS, Threats, AMP for Endpoint (example destination www.website.com).
  • Slide 26
  • Evolution of AMP Everywhere: AMP (2012: Retrospective, Trajectory, Outbreak Control, Security); AMP Endpoint PC (2012); AMP Endpoint Mobile (2013); AMP Endpoint Virtual (2013); AMP Network (2013); AMP Network Appliance (2014); AMP Endpoint Mac (2014); Device Trajectory, Flow Correlation (2014); AMP Private Cloud (2014); AMP for Content (2014); AMP for ASA (2014); ThreatGRID (2014).
  • Slide 27
  • AMP for Endpoints Customer Testimonial: https://www.youtube.com/watch?v=RjPB__9BIww
  • Slide 28
  • Let's Play Enterprise Feud
  • Slide 29
  • Top 3 Answers on the Board
  • Slide 30
  • Phishing Attack Example
  • Slide 31
  • Phishing Attack Results
  • Slide 32
  • Greyson Consulting Services
  • Slide 33
  • How Greyson Works with Our Clients: Local, personal relationships built on trust. Long term partnerships with consistency of engineering talent. Analysis, Architecture, Delivery and Management. Enterprise solutions: Security infrastructure best practices assessment; Next generation firewalls and IPS; Advanced Malware Protection; Email and Web Content Security; Netflow based network behavior anomaly detection; Policy based security enforcement.
  • Slide 34
  • Questions?
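Slides 12, 14 and 19 describe the idea behind retrospective security and file trajectory: a file that looked clean at point of entry keeps being tracked, and when its disposition later flips to malicious (for example once a sandbox run outlasts a sleep loop), every earlier sighting is surfaced so the affected hosts can be scoped and contained. The following Python is an added illustration of that idea; it is not Cisco's, ThreatGRID's or Greyson's code, and the class names, host names, hashes and timestamps are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Added example, not vendor code. Hashes, hosts and times are constructed placeholders.


@dataclass(frozen=True)
class FileEvent:
    ts: datetime      # when the endpoint saw the file
    host: str         # endpoint name (constructed)
    sha256: str       # file hash (placeholder string, not a real IoC)
    parent: str       # process that created or executed the file


class RetrospectiveTracker:
    """Keeps every file sighting regardless of the verdict at the time, so a
    later verdict change can be applied backwards (retrospective detection)."""

    def __init__(self) -> None:
        self.events: List[FileEvent] = []
        self.disposition: Dict[str, str] = {}               # sha256 -> "clean" | "malicious"
        self.alerts: List[Tuple[datetime, str, str]] = []   # (alert time, host, reason)

    def record(self, ev: FileEvent) -> str:
        """Point-in-time check: return the verdict known right now, but keep the
        sighting either way so it can be revisited later."""
        self.events.append(ev)
        verdict = self.disposition.get(ev.sha256, "unknown")
        if verdict == "malicious":
            self.alerts.append((ev.ts, ev.host, "blocked at point of entry"))
        return verdict

    def update_disposition(self, sha256: str, verdict: str, now: datetime) -> List[FileEvent]:
        """Apply a new verdict (e.g. from analysis that finished after the file was
        let in). A flip to 'malicious' re-examines history and returns the earlier
        sightings that now need scoping and containment."""
        previous = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return []   # no change in scope to report
        missed = [e for e in self.events if e.sha256 == sha256]
        for e in missed:
            self.alerts.append((now, e.host, f"retrospective: seen {e.ts.isoformat()} via {e.parent}"))
        return missed

    def file_trajectory(self, sha256: str) -> List[Tuple[datetime, str, str]]:
        """Where and when one file travelled, oldest sighting first."""
        return sorted((e.ts, e.host, e.parent) for e in self.events if e.sha256 == sha256)

    def compromised_hosts(self) -> Set[str]:
        """Every host that has any alert, whether blocked live or found retrospectively."""
        return {host for _, host, _ in self.alerts}


def build_sample() -> RetrospectiveTracker:
    """Constructed scenario: an unknown file is allowed in, spreads to a second
    host and runs again, all before any verdict exists for it."""
    t0 = datetime(2014, 12, 1, 9, 0, 0)
    bad = "sha256-placeholder-aaaa"     # constructed placeholder hash
    good = "sha256-placeholder-bbbb"    # constructed placeholder hash
    tr = RetrospectiveTracker()
    tr.disposition[good] = "clean"      # a known-good file for contrast
    tr.record(FileEvent(t0, "ws-01", bad, "outlook.exe"))                            # unknown -> allowed
    tr.record(FileEvent(t0 + timedelta(minutes=5), "ws-01", good, "explorer.exe"))   # clean
    tr.record(FileEvent(t0 + timedelta(minutes=40), "ws-07", bad, "explorer.exe"))   # copied to 2nd host
    tr.record(FileEvent(t0 + timedelta(hours=2), "ws-01", bad, "cmd.exe"))           # executed again
    return tr


def run_scenario():
    """Returns (tracker, sightings surfaced retrospectively, verdict for a later sighting)."""
    tr = build_sample()
    # Later the analysis finishes and the verdict flips: look backwards.
    missed = tr.update_disposition("sha256-placeholder-aaaa", "malicious",
                                   datetime(2014, 12, 1, 11, 30, 0))
    # From now on the same file is blocked at point of entry.
    later = tr.record(FileEvent(datetime(2014, 12, 1, 12, 0, 0), "ws-12",
                                "sha256-placeholder-aaaa", "outlook.exe"))
    return tr, missed, later


if __name__ == "__main__":
    tracker, missed, later = run_scenario()
    print(f"{len(missed)} earlier sightings to scope; hosts: {sorted(tracker.compromised_hosts())}")
    for ts, host, parent in tracker.file_trajectory("sha256-placeholder-aaaa"):
        print(ts.isoformat(), host, parent)
```

The design point is that `record` never discards a sighting just because the verdict was "unknown" or "clean" at the time; that stored history is what lets `update_disposition` turn a single late verdict into a list of hosts to contain, which a purely point-in-time check (slide 12) has no way to produce.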