
Page 1: NG Content Security - Cisco - Global Home Page · Behavioral analysis of unknown files File Retrospection Retrospective alerting after an ... Your Company ISP Email Authentication:

NG Content Security

Page 2: Agenda

Cisco Connect 2015

• Why is Content Security important?

• AMP on Content Security (sandboxing and file reputation)

• What is new on Email?

• What is new on Web?

Page 3: Why is Content Security important?

Page 4: How to hack a system/company?

Use a vulnerability and try to hack the server/computer.

Solve these attacks by installing a patch and using a firewall, IPS, etc.

Page 5: How to hack a system/company?

Social engineering: "Please, can you give me your password?"

Solve this by installing a patch in the end user's brain.

Page 6: Most frequently used passwords (table comparing 2012, 2013 and 2014; the password lists themselves are not in the transcript)

Page 7: How to hack a system/company?

There are different ways to contact the end user:

1. Email

2. Web

3. Phone

Page 8: Patch the Brain

Training is the word.

Page 9: In the end, we need technology

Page 10: Advanced Malware Protection on Content Security

Page 11: Advanced Malware Protection on Content Security

File Reputation: preventative blocking of suspicious files

File Sandboxing: behavioral analysis of unknown files

File Retrospection: retrospective alerting after an attack

Page 12: Advanced Malware Protection positioned between AV and Content Filters

Email pipeline stages and what each one does:

• SBRS & Mail Flow Policies: known bad email is blocked before entering the network; low-reputation email is throttled; blacklisted email is dropped

• Message Filters: scripted pre-processing rules used for specific email handling

• Anti-Spam Engines: >99% spam catch rate with <1:1M false positives; URL aware

• Advanced Malware Protection (positioned after the anti-virus scanners): infected email attachments are remediated; malicious attachments are dealt with

• Content Filters: filter according to organizational rules (content, URLs, and more)

• Outbreak Filters: 0-day viral threat and blended threat protection with URL rewrites

Page 13: Advanced Malware Protection (AMP) Overview

• File Reputation

  • SHA256 lookup (Clean, Malicious or Unknown)

  • SPERO fingerprint

• File Analysis

  • Behavioral analysis (if Unknown)

  • Feeds intelligence back to the AMP cloud

• File Retrospection

  • Retrospective alerting when a file is determined to be malicious after initially passing

Diagram: the AMP Client (with a Local Cache) sends a File Reputation Query (SHA256 checksum, plus SPERO fingerprint for WinPE files) to the AMP Cloud, which answers with a verdict; a 15-minute heartbeat carries file reputation updates back to the client. Unknown files are uploaded through the Sandbox Connector for dynamic analysis in VRT Sandboxing (Dynamic Vectoring and Streaming).

Page 14: Advanced Malware Protection: Connector Decision Flow (For Your Reference)

Flowchart: the AMP Client sends the file's SHA256 hash to the AMP Cloud Service and receives a disposition. A recognized file carries a verdict score from 1 to 100: 1 to 59 is Clean, 60 to 100 is Malicious. An unknown file carries no score. If File Analysis is enabled for an unknown file, the verdict is Clean plus Dynamic Analysis (the file is submitted to the sandbox); if File Analysis is not enabled, the verdict is Clean.
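The connector flow on pages 11, 13 and 14 can be followed end to end in code. The Python below is an added example written for this transcript, not Cisco's AMP client or cloud API: the cloud service stub, its score table, the sample files and their verdict scores are all constructed stand-ins. Only the score bands (1 to 59 clean, 60 to 100 malicious, no score for an unknown file), the SHA256 lookup, the local cache, the file-analysis branch for unknown files and the heartbeat-driven retrospective alert come from the slides.

```python
import hashlib

# Constructed sample files (not from the slides); the stub cloud knows two of them.
SAMPLE_FILES = {
    "known_good.txt": b"hello from a harmless text file\n",
    "known_bad.exe": b"MZ\x90\x00 constructed malicious sample, not real malware",
    "never_seen.bin": b"\x00\x01\x02 brand-new bytes the cloud has never scored",
}


def sha256_hex(data: bytes) -> str:
    """The file reputation query key: the SHA256 checksum of the file contents."""
    return hashlib.sha256(data).hexdigest()


def score_to_verdict(score):
    """Map the cloud's verdict score to a disposition using the bands on the slide:
    no score = Unknown, 1-59 = Clean, 60-100 = Malicious."""
    if score is None:
        return "Unknown"
    if not 1 <= score <= 100:
        raise ValueError("verdict score must be between 1 and 100")
    return "Clean" if score <= 59 else "Malicious"


class AmpCloudStub:
    """Constructed stand-in for the AMP Cloud Service (an assumption, not Cisco's API)."""

    def __init__(self):
        self.scores = {
            sha256_hex(SAMPLE_FILES["known_good.txt"]): 12,   # clean band
            sha256_hex(SAMPLE_FILES["known_bad.exe"]): 87,    # malicious band
        }

    def lookup(self, digest):
        return self.scores.get(digest)  # None means the cloud has no verdict yet

    def publish_update(self, digest, score):
        """Simulates intelligence fed back after sandboxing (a file reputation update)."""
        self.scores[digest] = score


class AmpConnector:
    """Models the AMP client on the ESA/WSA: local cache, cloud lookup,
    file-analysis branch for unknown files, and retrospection on heartbeat."""

    def __init__(self, cloud, file_analysis_enabled=True):
        self.cloud = cloud
        self.file_analysis_enabled = file_analysis_enabled
        self.cache = {}          # digest -> disposition (the slide's local cache)
        self.submitted = []      # digests uploaded for dynamic analysis
        self.retro_alerts = []   # (digest, old disposition, new disposition)

    def disposition(self, data: bytes) -> str:
        digest = sha256_hex(data)
        if digest in self.cache:
            return self.cache[digest]
        verdict = score_to_verdict(self.cloud.lookup(digest))
        if verdict == "Unknown":
            # Page 14: unknown file -> File Analysis? yes -> Clean + Dynamic Analysis,
            # no -> Clean. Either way the file is let through at this point.
            if self.file_analysis_enabled:
                self.submitted.append(digest)
                verdict = "Clean + Dynamic Analysis"
            else:
                verdict = "Clean"
        self.cache[digest] = verdict
        return verdict

    def heartbeat(self):
        """The 15-minute heartbeat: re-check every cached hash against the cloud and
        raise a retrospective alert for any file that passed earlier but is now malicious."""
        for digest, old in list(self.cache.items()):
            new = score_to_verdict(self.cloud.lookup(digest))
            if new == "Malicious" and old != "Malicious":
                self.retro_alerts.append((digest, old, new))
                self.cache[digest] = new
        return self.retro_alerts


if __name__ == "__main__":
    cloud = AmpCloudStub()
    connector = AmpConnector(cloud)
    for name, data in SAMPLE_FILES.items():
        print(f"{name}: {connector.disposition(data)}")
    # The sandbox later scores the unknown file as malicious; the heartbeat picks it up.
    cloud.publish_update(sha256_hex(SAMPLE_FILES["never_seen.bin"]), 95)
    for digest, old, new in connector.heartbeat():
        print(f"retrospective alert: {digest[:12]}... {old} -> {new}")
```

The point worth noticing is the retrospection step: the unknown file was delivered with a "Clean + Dynamic Analysis" verdict, and only the later heartbeat turns that into an alert, which is exactly why the slides pair sandboxing with retrospective alerting rather than treating the first verdict as final.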

Page 15: Do sandboxing in line or at the application level?

Criterion              In-Line      WSA            ESA
Policy based on user   YES and NO   YES            YES
IP Source              YES          YES            YES
IP Dest                YES          YES            YES
Email address          NO           N/A            YES
URL Category           YES          YES            YES
Web Reputation         NO           YES            YES
HTTP user agent        NO           YES            N/A
Encrypted              Bad idea     YES (easy)     YES
Content of the data    NO           YES (limited)  YES
Delay the object       NO           NO             YES

Page 16: TLS & HTTPS

Diagram pairing TLS with ESMTP (the email path) and SSL with HTTPS (the web path).

Page 17: AMP on Content: granular policies (screenshot of the AMP policy settings)

Page 18: AMP on Content: reputation and/or file analysis for files (screenshot of the file settings)

Page 19: AMP File Analysis Quarantine

• Quarantine to store potential malware under investigation in the sandbox

• System quarantine with standard functions: 'Release', 'Delete', 'Send Copy' and 'Delay scheduled exit'

• Auto release and rescan the message when file analysis is complete

Page 20: What is new on Email?

Page 21: Email Authentication: Outbound DMARC

• Protect your identity from phishing

• Improve sender reputation and deliverability

• Visibility and control of sent email and who is sending on your behalf

Diagram: mail sent as From: Your_Company.com passes through the Cisco ESA, which signs it; the receiving ISP verifies the signature using the record published on Your Company's public DNS server and sends a report back to Your Company.

Page 22: Email Authentication: Inbound DMARC

• Reduce the exposure of your users to phishing

• Tie DKIM and SPF together and address their shortcomings

• Identifies actions to take if message authentication fails for the sender's domain

• Allows aggregate reports to be sent back to the sending domain to inform it of message disposition

Diagram: signed mail from Trusted_Partner.com is verified by the Cisco ESA against the record on the partner's public DNS server and delivered; mail from an imposter claiming to be Trusted_Partner.com fails verification and, because the partner publishes DMARC p=reject, is dropped or quarantined, and a report is sent back.
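What "tie DKIM and SPF together" means in practice is the receiver-side evaluation below. It is an added example, not the ESA's own implementation: the DMARC record for Trusted_Partner.com (including its placeholder rua address), the source IPs and the SPF/DKIM results are constructed; the organizational-domain shortcut is a simplification that real verifiers replace with the Public Suffix List. The logic itself is standard DMARC: pass if either SPF or DKIM passed with an aligned identifier, otherwise apply the published p= policy (the slide's p=reject becomes a drop).

```python
# Constructed DMARC record for the slide's Trusted_Partner.com; the rua address is a
# made-up placeholder, not a real mailbox.
PARTNER_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@trusted_partner.example"

ACTIONS = {"none": "deliver (report only)", "quarantine": "quarantine", "reject": "drop"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict and apply the relaxed-alignment
    defaults for adkim/aspf when those tags are absent."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ACTIONS:
        raise ValueError("missing or unknown policy tag p=")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. Real verifiers
    consult the Public Suffix List; this shortcut is an assumption of the example."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed an org-domain match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Tie SPF and DKIM together: DMARC passes if at least one of them passed AND
    the identifier it authenticated aligns with the From: domain. Otherwise the
    action is whatever the sending domain published in its p= tag."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", ACTIONS[tags["p"]]


def aggregate_report(rows):
    """Tally results per (From: domain, source IP): the data a receiver folds into the
    aggregate report it sends back to the sending domain. rows: (from, ip, result, action)."""
    summary = {}
    for from_domain, source_ip, result, action in rows:
        key = (from_domain.lower(), source_ip)
        entry = summary.setdefault(key, {"pass": 0, "fail": 0, "actions": set()})
        entry[result] += 1
        entry["actions"].add(action)
    return summary


if __name__ == "__main__":
    # Constructed inbound traffic: the real partner's signed mail and an imposter.
    cases = [
        ("Trusted_Partner.com", "192.0.2.10", "pass", "mail.trusted_partner.com", "pass", "trusted_partner.com"),
        ("Trusted_Partner.com", "198.51.100.7", "pass", "imposter.example", "none", None),
    ]
    rows = []
    for from_domain, ip, spf_r, spf_d, dkim_r, dkim_d in cases:
        result, action = evaluate_dmarc(from_domain, PARTNER_RECORD, spf_r, spf_d, dkim_r, dkim_d)
        print(f"{ip:>14} From: {from_domain}: DMARC {result} -> {action}")
        rows.append((from_domain, ip, result, action))
    print(aggregate_report(rows))
```

The imposter case shows the shortcoming DMARC fixes: its SPF check passes (the imposter's own domain is correctly authorized), but that identifier does not align with the From: domain, so the message fails and the partner's p=reject policy turns into a drop on the ESA.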

Page 23: URL Defense: integrated email and web security

Diagram: an email contains a URL; the URL is categorized by Cisco SIO and one of three actions is applied:

• Rewrite: send the click to the cloud (the URL is redirected through Cisco Cloud Web Security)

• Defang: the link is made unclickable, e.g. BLOCKEDwww.playboy.comBLOCKED or BLOCKEDwww.proxy.orgBLOCKED

• Replace: the URL is replaced with the text "This URL is blocked by policy"

Page 24: Outbreak Filters in Action: User Experience

Before

Subject: Request for Review
From: Friend <[email protected]>

Paul,
I forward my thesis to you for review.
Please open it and provide comments.
www.Personal Site.com/Thesis_Draft.pdf (underlying URL: http://www.threatlink.com/)
Hope all's well since Verizon.
Best regards,
Friend

After

Subject: [SUSPICIOUS MESSAGE] Request for Review

WARNING: This appears to be a malicious email

The link now points to http://secure-web.Cisco.com/auth=X&URL=www.threatlink.com

Page 25: Cisco SIO: Cloud Security Enforcement

Identified: Targeted Attack
Content: Malware Payload
Vector: Email
Action: Blocked

Diagram: Cisco Cloud Web Security enforcing the verdict on the same "Request for Review" message shown on the previous page, now carrying the banner "WARNING: This appears to be a malicious email".

Page 26: Cisco Outbreak Filters Defends against Targeted Attacks

Malware payload blocked. The rewritten link http://secure-web.Cisco.com… leads to the block page instead of http://www.threatlink.com:

The requested web page has been blocked

Cisco Email and Web Security protects your organization's network from malicious software. Malware is designed to look like a legitimate email or website; it accesses your computer, hides itself in your system, and damages files.

Cisco Security
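Pages 23 to 26 describe three URL actions (rewrite through the cloud, defang, replace with text) plus the subject tag and warning banner that Outbreak Filters add. The Python below is an added example that models that processing on a message body; it is not the ESA's code. The hostnames, the BLOCKED…BLOCKED defang form, the "[SUSPICIOUS MESSAGE]" tag, the banner text and the secure-web.Cisco.com redirect format (with its auth=X placeholder) are taken from the slides; the category lookup standing in for Cisco SIO and the category-to-action policy are constructed for the example.

```python
import re

# Matches the bare or http(s) URLs that appear in message bodies.
URL_RE = re.compile(r"(?:https?://)?www\.[A-Za-z0-9.-]+(?:/[^\s<>\"]*)?", re.IGNORECASE)

# Constructed stand-in for the Cisco SIO URL categorization lookup (hostnames from the slides).
URL_CATEGORY = {
    "www.threatlink.com": "malware",
    "www.proxy.org": "proxy-avoidance",
    "www.playboy.com": "adult",
}

# Constructed policy: which of the three slide actions each category receives.
POLICY = {
    "malware": "rewrite",
    "proxy-avoidance": "defang",
    "adult": "replace",
}
BLOCK_TEXT = "This URL is blocked by policy"
CLOUD_REDIRECT = "http://secure-web.Cisco.com/auth=X&URL="   # format from the slide; X is a placeholder token
SUSPICIOUS_TAG = "[SUSPICIOUS MESSAGE]"
WARNING_BANNER = "WARNING: This appears to be a malicious email"


def host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()


def categorize(url: str) -> str:
    return URL_CATEGORY.get(host_of(url), "uncategorized")


def apply_action(url: str, action: str) -> str:
    """Rewrite: route the click through cloud web security, where the page is
    scanned (or blocked) at click time. Defang: keep the text but break the link.
    Replace: remove the URL entirely in favor of a policy notice."""
    if action == "rewrite":
        return CLOUD_REDIRECT + re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    if action == "defang":
        return "BLOCKED" + url + "BLOCKED"
    if action == "replace":
        return BLOCK_TEXT
    return url


def process_message(subject: str, body: str):
    """Apply URL defense to one message. Returns (subject, body, actions), where
    actions lists each (url, action) taken, in order of appearance."""
    actions = []

    def substitute(match):
        url = match.group(0)
        action = POLICY.get(categorize(url), "allow")
        actions.append((url, action))
        return apply_action(url, action)

    new_body = URL_RE.sub(substitute, body)
    # Outbreak Filters' user-facing signal when a malware URL was found (page 24).
    if any(categorize(url) == "malware" for url, _ in actions):
        subject = f"{SUSPICIOUS_TAG} {subject}"
        new_body = WARNING_BANNER + "\n\n" + new_body
    return subject, new_body, actions


if __name__ == "__main__":
    # Constructed message modeled on the slide's "Request for Review" example.
    original_body = (
        "Paul,\nI forward my thesis to you for review.\n"
        "http://www.threatlink.com/\nHope all's well.\n"
    )
    subject, body, actions = process_message("Request for Review", original_body)
    print(subject)
    print(body)
    print(actions)
```

Rewriting rather than dropping is what makes the "time of click" defense on page 26 possible: the verdict for www.threatlink.com can change after delivery, and the cloud redirect is evaluated when the user clicks, not when the message was scanned.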

Page 27: ESA v9.0 – Feature rich release

• Enhanced file-type support for sandboxing

• Malware quarantine

• Anti-Snowshoe

• S/MIME signing and encryption

• Larger disk support

• Flexible disk capacity allocation

• AsyncOS API

• Virtual SMA support

• Support for complex policy configuration

• Flexible spam digest configuration

• Block page white labeling

• Virtual gateways enhanced

• SMTP-Auth

Page 28: Anti-Snowshoe

"Maintain leadership in anti-spam efficacy through an ever-changing threat landscape to protect our customers and keep ahead of the competition"

Increase automation and auto-classification of emails for faster response

Enhanced awareness for anti-spam through "Contextual Analysis"

Strong defense against snowshoe campaigns and phishing attacks

Page 29: S/MIME Signing & Encryption

"Provide the ability to exchange emails securely using S/MIME support on the ESA"

Gateway-to-gateway encryption support using S/MIME on box

Both encryption and signing supported

Detailed reports are provided showing messages encrypted/decrypted using S/MIME

Page 30: Platform Enhancements

"These enhancements are intended to provide our customers with flexibility in utilizing their appliances efficiently"

Flexible disk allocation on ESA

Support for larger disks

Support for virtualized SMA (VMware)

Page 31: AsyncOS API

"Programmable interface to support easy management and automation"

REST API support on ESA

Phased approach, with support for Reporting in the first phase

Invocation of APIs through authenticated access over HTTPS

Page 32: IPv6 Addressing

IPv6 support: defense for email systems against emerging IPv6 threats

• Supports: IPv4/IPv6 addressing, single or dual stack, with Anti-Spam, Anti-Virus, Content Filters, DLP, Encryption, and more

• Translates: IPv6 in and IPv4 out… or vice versa

• Full reporting and Message Tracking support

Is your Email Security filtering content with IPv6 addressing appropriately?

Page 33: Reporting/Tracking for IPv6

ESA and SMA Reporting/Tracking will show IPv6 addresses along with IPv4.

Page 34: What is new on Web?

Page 35: HTTP Transaction Policy Flow: Access Policy Pipeline, High Level (For Your Reference)

Diagram: the client request passes through the proxy to the web server and the response comes back through the proxy. The checks the diagram places at time of request include:

• Determine Identity

• Authentication (if required by the Identity)

• Determine Access Policy

• URL Category Checks (custom categories top-down, then pre-defined)

• Web Reputation Check

• Suspect User Agent Check

• Quota Check

• CONNECT Port Check

• Application Visibility and Control Checks

The checks placed at time of response (the DVS engine) include:

• Response Body Size Check

• MIME Type Checks

• Webroot DVS check

• Anti-Malware Protection (McAfee, Sophos and Webroot)

• Advanced Malware Protection (File Reputation & Analysis)

• Deliver Content

Page 36: Cisco Identity Services Engine (ISE): Single Source of Identity and Context Data to Complement the Cisco WSA

Diagram: Cisco ISE gathers context from the network and from partner context data (Who, What, Where, When, How) into a consistent secure access policy. Cisco® ISE is the market leader.

Page 37: The Power of Cisco ISE with Cisco WSA: WSA with ISE Process Flow

Diagram: three users in the office reach different resources (Confidential Patient Records, Internal Employee Intranet, Internet) depending on who and what they are: Who: Guest, What: iPad, Where: Office; Who: Doctor, What: Laptop, Where: Office; Who: Doctor, What: iPad, Where: Office. ISE, TrustSec® and the WSA sit between the users and the resources.

► Acquires important context and identity from the network

► Monitors and provides visibility into unauthorized access

► Cisco® ISE provides differentiated access to the network; TrustSec® provides segmentation throughout the network; WSA provides web security and policy enforcement

Page 38: Adaptive Scanning: Dynamic Scanner Selection

Reputation + Content Type + Scanner Selection = Adaptive Scanning

Diagram: the WSA receives web reputation scores from Cisco® Talos for the sites being fetched, e.g. www.anysite1.com +1.1, www.anysite2.com -3.5, www.anysite3.com -5.5, and applies them to the HTML objects it scans.

Page 39: Adaptive Scanning Detail (For Your Reference)

• Step 1: Analyze every object on a page and assign a risk score

Object One - PDF: +0.0 (low risk)
Object Two - JPG: +5.6 (safe)
Object Three - JavaScript: -5.3 (high risk)
Object Four - Flash: -7.8 (very high risk - blocked)

Scores below -6 are automatically blocked.

Page 40: Adaptive Scanning Detail (For Your Reference)

• Step 2: Scans are prioritized in order of risk, and each object is assigned to the scanner with the highest efficacy for the given content type

Object One - PDF: +0.0 (low risk)
Object Two - JPG: +5.6 (safe)
Object Three - JavaScript: -5.3 (high risk)

Looks at all licensed scanners (Sophos, McAfee & Webroot). Chooses Sophos (best for JavaScript); chooses McAfee (best for JPG). If the CPU is at low load, scans with all available scanners. Safe objects are scanned (to confirm the verdict) only if the box is at low load.
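The two steps on pages 39 and 40 amount to a small scheduling rule: block anything below -6, scan the rest riskiest first, pick the scanner by content type, and spend spare CPU on confirming safe objects with every engine. The Python below is an added example of that rule, not the WSA's own implementation. The four objects, their scores and the -6 block threshold come from the slides, as do the two pairings it states (Sophos for JavaScript, McAfee for JPG); the full per-type scanner ranking and the 5.0 "safe" cut-off are assumptions made for the example.

```python
BLOCK_THRESHOLD = -6.0   # slide: scores below -6 are automatically blocked
SAFE_THRESHOLD = 5.0     # assumption: at or above this an object counts as "safe"

# Constructed efficacy ranking (an assumption, not Cisco's real table): for each
# content type, the licensed scanners in best-first order. The two pairings the
# slide states (Sophos for JavaScript, McAfee for JPG) are reproduced here.
SCANNER_RANKING = {
    "javascript": ["Sophos", "McAfee", "Webroot"],
    "jpg": ["McAfee", "Webroot", "Sophos"],
    "pdf": ["Sophos", "Webroot", "McAfee"],
    "flash": ["Webroot", "Sophos", "McAfee"],
}


def risk_label(score):
    """Human-readable bands. Only the block threshold comes from the slide; the
    other cut-offs are assumptions chosen to match its four example objects."""
    if score < BLOCK_THRESHOLD:
        return "very high risk - blocked"
    if score < 0:
        return "high risk"
    if score < SAFE_THRESHOLD:
        return "low risk"
    return "safe"


def plan_scans(objects, licensed, cpu_low_load):
    """Steps 1 and 2 of adaptive scanning.
    objects: list of (name, content_type, risk_score); licensed: scanner names.
    Returns (blocked_names, plan) where plan is [(name, [scanners...])] ordered
    riskiest first."""
    blocked = [name for name, _, score in objects if score < BLOCK_THRESHOLD]
    to_scan = sorted(
        (o for o in objects if o[2] >= BLOCK_THRESHOLD),
        key=lambda o: o[2],            # most negative (riskiest) first
    )
    plan = []
    for name, ctype, score in to_scan:
        if score >= SAFE_THRESHOLD and not cpu_low_load:
            continue                   # safe objects are only confirmed when the box is idle
        ranked = [s for s in SCANNER_RANKING.get(ctype.lower(), []) if s in licensed]
        ranked += [s for s in licensed if s not in ranked]   # unranked types: any licensed scanner
        scanners = ranked if cpu_low_load else ranked[:1]    # low load: use every scanner
        plan.append((name, scanners))
    return blocked, plan


# The four objects from the slide's example page.
PAGE_OBJECTS = [
    ("Object One - PDF", "pdf", 0.0),
    ("Object Two - JPG", "jpg", 5.6),
    ("Object Three - JavaScript", "javascript", -5.3),
    ("Object Four - Flash", "flash", -7.8),
]
LICENSED = ["Sophos", "McAfee", "Webroot"]

if __name__ == "__main__":
    for name, _, score in PAGE_OBJECTS:
        print(f"{name}: {score:+.1f} ({risk_label(score)})")
    for load in (False, True):
        blocked, plan = plan_scans(PAGE_OBJECTS, LICENSED, cpu_low_load=load)
        print(f"cpu_low_load={load}: blocked={blocked}")
        for name, scanners in plan:
            print(f"  {name} -> {scanners}")
```

Under load the JavaScript object goes to Sophos alone and the "safe" JPG is not scanned at all; with the CPU idle every object is checked by every licensed engine, best-ranked first. The Flash object never reaches a scanner because the -6 threshold removes it in step 1.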

Page 41: Streaming Media & Facebook Bandwidth Control

► AVC engine detects streaming media (audio and video) and Facebook using HTTP for transport

► Per-user limits

− Each end client/IP allowed N Kbit/sec of streaming media

− Limit local network congestion, and enforce acceptable use/user productivity

► Aggregate limits

− Streaming media may use no more than N Kbit/sec of upstream bandwidth

− Helps to ensure availability of upstream bandwidth

► Can be combined with identities, URL categories

"The March Madness or World Cup Problem"

Page 42: Time and Volume Quotas: Intelligent Controls of Bandwidth Usage

► Time and volume quotas allow WSA administrators to configure policies that restrict access based on the amount of data (in bytes) and time

► Quotas are applicable to HTTP, HTTPS, and FTP traffic

► Can be configured under access policies and decryption policies

► Can be configured with time ranges to apply them for specific periods of time

► Quotas are reset daily; the reset time is configurable

► When more than one quota is applicable, the most restrictive quota applies

► Quotas are applied per user; when user identity is not available they are applied per IP address
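The quota rules above interact in ways that are easy to get wrong (which subject a request is charged to, what "most restrictive" means, when counters reset), so the following Python models them as an added example; it is not the WSA's code, and the quota names, sizes, user and client IP in the demo are constructed. It charges each transaction to every applicable quota, blocks as soon as any applicable quota is exhausted, keys usage by user and falls back to the client IP when identity is unknown, and clears all counters at a configurable daily reset hour.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class Quota:
    name: str
    max_bytes: Optional[int] = None                     # volume quota (bytes)
    max_seconds: Optional[int] = None                   # time quota (seconds)
    protocols: Tuple[str, ...] = ("HTTP", "HTTPS", "FTP")  # slide: quotas cover these three


@dataclass
class Usage:
    bytes_used: int = 0
    seconds_used: int = 0


def at(year, month, day, hour, minute=0):
    """Small helper so callers can build timestamps without importing datetime."""
    return datetime(year, month, day, hour, minute)


class QuotaEnforcer:
    """Tracks per-subject usage and decides allow/block for each transaction."""

    def __init__(self, reset_hour=0):
        self.reset_hour = reset_hour   # the configurable daily reset time (hour of day)
        self.usage = {}                # (subject, quota name) -> Usage
        self.last_reset = None

    @staticmethod
    def subject_for(user, client_ip):
        """Quotas are applied per user; when identity is unknown, per IP address."""
        return ("user", user) if user else ("ip", client_ip)

    def maybe_reset(self, now):
        """Clear every counter once the most recent daily reset boundary is crossed."""
        boundary = now.replace(hour=self.reset_hour, minute=0, second=0, microsecond=0)
        if boundary > now:
            boundary -= timedelta(days=1)
        if self.last_reset is None or self.last_reset < boundary:
            self.usage.clear()
            self.last_reset = boundary

    def check(self, now, user, client_ip, protocol, quotas, nbytes, seconds):
        """Return 'allow' or 'block'. When several quotas apply, the most restrictive
        one wins: any applicable quota that is already exhausted blocks the request."""
        self.maybe_reset(now)
        subject = self.subject_for(user, client_ip)
        applicable = [q for q in quotas if protocol.upper() in q.protocols]
        for q in applicable:
            u = self.usage.setdefault((subject, q.name), Usage())
            if q.max_bytes is not None and u.bytes_used >= q.max_bytes:
                return "block"
            if q.max_seconds is not None and u.seconds_used >= q.max_seconds:
                return "block"
        for q in applicable:                     # charge the transaction to every quota
            u = self.usage[(subject, q.name)]
            u.bytes_used += nbytes
            u.seconds_used += seconds
        return "allow"


if __name__ == "__main__":
    # Constructed policy: a broad department volume quota, a tighter HTTP-only
    # streaming quota, and a daily browsing-time quota; reset at 04:00.
    rules = [
        Quota("department", max_bytes=1000),
        Quota("streaming", max_bytes=300, protocols=("HTTP",)),
        Quota("browsing-time", max_seconds=60),
    ]
    enforcer = QuotaEnforcer(reset_hour=4)
    for when, user, ip, proto, nbytes, secs in [
        (at(2015, 6, 1, 10), "alice", "10.0.0.5", "HTTP", 250, 10),
        (at(2015, 6, 1, 10, 5), "alice", "10.0.0.5", "HTTP", 100, 10),
        (at(2015, 6, 1, 10, 6), "alice", "10.0.0.5", "HTTP", 10, 1),   # streaming exhausted
        (at(2015, 6, 1, 10, 7), "alice", "10.0.0.5", "FTP", 10, 1),    # streaming not applicable
        (at(2015, 6, 1, 10, 8), None, "10.0.0.5", "HTTP", 10, 1),      # unknown user -> per IP
        (at(2015, 6, 2, 4, 30), "alice", "10.0.0.5", "HTTP", 10, 1),   # after the daily reset
    ]:
        print(when, user or ip, proto, enforcer.check(when, user, ip, proto, rules, nbytes, secs))
```

Two of the cases are the ones that matter operationally: the third request is blocked even though the larger department quota has plenty left, because the streaming quota is the most restrictive applicable one, and the unauthenticated request from the same IP is allowed because it is charged to a different subject than alice's.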

Page 43: Integrate High Availability in Cisco WSA Designs: VRRP/CARP Redundant Architecture

► Simple network layer redundancy

► High-availability Cisco® WSA deployment

Diagram: clients use the proxy address 192.168.10.4, which is the virtual address of a failover group; the group's master is 192.168.10.5 with backups 192.168.10.6 and 192.168.10.7.

Page 44: SOCKS & HTTP CONNECT Proxy Support Provides a Single Point of Exit for Traffic Leaving an Intranet

► Cisco® WSA acts as a proxy between a SOCKS client communicating with a SOCKS server

− Ex: Bloomberg terminals

► SOCKS & HTTP CONNECT are widely used for dedicated communications between business partners or in the financial industry

Page 45: From Generic to Specific Reporting: Different Engineering Challenges

"Overview" reports: Top 'N' summary

"Detailed" reports

Targeted search: needle in a haystack

Page 46: Flexible Deployment Options, On- and Off-Premises

Table: deployment options are Cloud, Virtual, Next-Generation Firewall and Appliance (cloud versus on-premises); client options (connectors/redirects) are implicit or explicit, delivered through a firewall, a router, a roaming client or the appliance itself.

Page 47: Key takeaways

Page 48: Cisco ESA Pipeline

Cisco Connect 2015 C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Diagram of the inbound email pipeline and what leaves it at each stage:

• Sender checks: SBRS Reputation, Recipient Validation, DMARC / SPF / DKIM (SBRS servers reached by DNS query); bad senders blocked

• File Reputation: Known File Reputation and Retrospection data; dropped: emails with known-bad file reputation attachments

• Signature-Based Malware Scanners (fed by signature updates for the malware scanner); signature-based malware dropped

• Anti-Spam (URL data); spam dropped

• Content Filters: URL Category and URL WBRS Reputation; drop or quarantine, etc.; URL actions are Defang URL, Redirect to CWS, or Replace URL with text

• Outbreak Filters: URL data, on-board phishing DB, Outbreak Rules data from SIO and contextual data on email from CASE (fed by Outbreak Filters rules updates); URL rendered safe and delivered

• Clean emails delivered

Unknown files are uploaded to VRT Analysis sandboxing for behavioral analysis; retrospection data is downloaded and becomes a File Reputation update. File reputation is shared with Sourcefire FireAMP, FirePOWER and AMP Endpoint; Cisco SIO supplies the SBRS servers, the outbreak filter rule updates and the malware scanner signature updates.
