NG Content Security
Cisco Connect 2015
Agenda
• Why is Content Security important?
• AMP on Content Security (Sandboxing and file reputation)
• What is new on Email?
• What is new on Web?
Why is Content Security important?
How to hack a system/company?
Use a vulnerability and try to hack the server/computer
Solve these attacks by installing a patch and using a FW, IPS, etc.
How to hack a system/company?
Social Engineering: Please, can you give me your password?
Solve this by installing a patch in the end user’s brain.
Most frequently used passwords.
(chart: the most frequently used passwords in 2012, 2013 and 2014)
How to hack a system/company?
There are different ways to contact the end user.
1.- Email
2.- Web
3.- Phone
Patch the Brain
Training is the word.
In the end, we need technology.
Advanced Malware Protection on Content Security
Advanced Malware Protection on Content Security
File Reputation: Preventative blocking of suspicious files
File Sandboxing: Behavioral analysis of unknown files
File Retrospection: Retrospective alerting after an attack
Advanced Malware Protection Positioned between AV and Content Filters
(diagram: inbound ESA pipeline stages)
SBRS & Mail Flow Policies: Known bad email is blocked before entering the network; Low Reputation email is throttled
Message Filters: Blacklisted email is dropped; Scripted pre-processing rules used for specific email handling
Anti-Spam Engines: >99% Spam Catch Rate with <1:1M False Positives; URL Aware
Anti-Virus (AV): Infected email attachments are remediated
Advanced Malware Protection: Malicious attachments are dealt with
Content Filters: Filter according to organizational rules – content, URLs, and more
Outbreak Filters: 0-Day Viral Threat and Blended Threat Protection w/URL Rewrites
Advanced Malware Protection (AMP)
• File Reputation
  • SHA256 Lookup (Clean, Malicious or Unknown)
  • SPERO Fingerprint
• File Analysis
  • Behavioral analysis (If Unknown)
  • Feeds intelligence back to AMP cloud
• File Retrospection
  • Retrospective alerting when file is determined to be malicious after initially passing
Overview (diagram): the AMP Client, with a Local Cache, sends a File Reputation Query (SHA256 checksum + SPERO fingerprint for WinPE files) to the AMP Cloud and receives a Verdict / 15 Min Heartbeat plus File Reputation updates; an Unknown File is uploaded for Dynamic Analysis through the Sandbox Connector to VRT Sandboxing (Dynamic Vectoring and Streaming).
Advanced Malware Protection
• Connector Decision Flow (diagram, For Your Reference)
The AMP Client sends the File SHA256 Hash to the AMP Cloud Service, which returns a Disposition:
Recognized File: Verdict Score 1->100; 1->59 : clean, 60->100: malicious. The AMP Client applies Verdict Clean or Verdict Malicious directly.
File Unknown (No score): File Analysis? Yes -> Verdict Clean + Dynamic Analysis (the file is uploaded to the sandbox); No -> Verdict Clean.
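The connector decision flow above, as an added example that is not Cisco's code: the cloud lookup is a constructed dictionary keyed by SHA256, the score bands are the slide's (1-59 clean, 60-100 malicious, no score means unknown), and the heartbeat function simulates how a retrospective alert is raised for a file the connector already passed as clean.

```python
import hashlib

# Constructed stand-in for the AMP Cloud reputation service: SHA256 hex digest ->
# verdict score (1..100). The files and scores are invented for this demo.
CLOUD_SCORES = {
    hashlib.sha256(b"quarterly-report.xlsx bytes").hexdigest(): 12,  # recognized, clean
    hashlib.sha256(b"invoice.exe bytes").hexdigest(): 87,            # recognized, malicious
}
LOCAL_CACHE = {}   # connector-side cache of cloud verdicts
DELIVERED = {}     # digest -> verdict the connector acted on (needed for retrospection)

def file_digest(data):
    """SHA256 checksum sent in the File Reputation Query."""
    return hashlib.sha256(data).hexdigest()

def score_to_verdict(score):
    """Decision flow mapping: no score -> unknown, 1->59 clean, 60->100 malicious."""
    if score is None:
        return "unknown"
    if 1 <= score <= 59:
        return "clean"
    if 60 <= score <= 100:
        return "malicious"
    raise ValueError(f"verdict score out of range: {score}")

def reputation_query(digest):
    """Local cache first, then the (simulated) AMP Cloud lookup by SHA256."""
    if digest not in LOCAL_CACHE and digest in CLOUD_SCORES:
        LOCAL_CACHE[digest] = CLOUD_SCORES[digest]
    return LOCAL_CACHE.get(digest)

def connector_decision(data, file_analysis_enabled):
    """Return (disposition, upload_for_dynamic_analysis) for one file's bytes."""
    digest = file_digest(data)
    verdict = score_to_verdict(reputation_query(digest))
    if verdict == "unknown":
        # Unknown file: passed as clean now; uploaded to the sandbox only if File Analysis is on.
        DELIVERED.setdefault(digest, "clean")
        return "clean", file_analysis_enabled
    DELIVERED[digest] = verdict
    return verdict, False

def heartbeat(updated_scores):
    """Simulated 15-minute heartbeat: apply new cloud verdicts and return retrospective
    alerts for digests the connector already passed as clean that are now malicious."""
    alerts = []
    for digest, score in updated_scores.items():
        CLOUD_SCORES[digest] = score
        LOCAL_CACHE[digest] = score
        if DELIVERED.get(digest) == "clean" and score_to_verdict(score) == "malicious":
            alerts.append(digest)
            DELIVERED[digest] = "malicious"
    return alerts
```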
Do Sandboxing in line or at the application level?
Criterion            In-Line      WSA            ESA
Policy base user     YES and NO   YES            YES
IP Source            YES          YES            YES
IP Dest              YES          YES            YES
Email address        NO           N/A            YES
URL Category         YES          YES            YES
Web Reputation       NO           YES            YES
HTTP user agent      NO           YES            N/A
Encrypted            Bad idea     YES (easy)     YES
Content of the data  NO           YES (limited)  YES
Delay the object     NO           NO             YES
TLS & HTTPS: TLS for ESMTP, SSL for HTTPS
AMP on Content: granular AMP policies
AMP on Content: Reputation and/or File Analysis for files
AMP File Analysis Quarantine
• Quarantine to store potential malware under investigation in sandbox.
• System Quarantine with standard functions 'Release', 'Delete', 'Send Copy' and 'Delay scheduled exit'
• Auto release and rescan the message when file analysis is complete
What is new on Email?
Email Authentication: Outbound DMARC
• Protect your identity from phishing
• Improve sender reputation and deliverability
• Visibility and control of sent email and who is sending on your behalf
(diagram: Your Company's Cisco ESA sends mail From: Your_Company.com, SIGNED; the ISP verifies the signature against the Public DNS Server record and returns a Report)
Email Authentication: Inbound DMARC
• Reduce the exposure of your users to phishing
• Tie DKIM and SPF together and address their shortcomings
• Identifies actions to take if message authentication fails for the sender’s domains
• Allows for sending of aggregate reports back to the sending domain to inform of message disposition
(diagram: Trusted_Partner.com publishes DMARC p=reject in its DNS Server; a SIGNED message from Trusted_Partner.com is Verified by the Cisco ESA, while an Imposter message claiming Trusted_Partner.com fails and is dropped or quarantined (Drop/Quarantine); a Report goes back to Trusted_Partner.com)
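The inbound DMARC evaluation described above, as an added example that is not Cisco's code: it ties SPF and DKIM results to the From: domain through identifier alignment and turns the sender's published p= policy into the gateway action. The `_dmarc` TXT records are a constructed in-memory table, the organizational domain is simplified to the last two labels, and the SPF/DKIM pass results are taken as inputs rather than computed.

```python
# Constructed answers for _dmarc.<domain> TXT lookups; real records live in public DNS.
DMARC_TXT = {
    "trusted_partner.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@trusted_partner.com",
    "newsletter.example": "v=DMARC1; p=none",
}

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (a real gateway uses the
    public suffix list, so co.uk-style suffixes are not handled here)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_dmarc(txt):
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}

def lookup_dmarc(from_domain):
    """Exact domain first, then the organizational domain, as DMARC policy discovery does."""
    return DMARC_TXT.get(from_domain.lower()) or DMARC_TXT.get(org_domain(from_domain))

def dmarc_verdict(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (dmarc_result, gateway_action). spf_domain is the MAIL FROM domain SPF checked,
    dkim_domain the d= of a verified signature; the action follows the sender's p= policy."""
    txt = lookup_dmarc(from_domain)
    if txt is None or not txt.startswith("v=DMARC1"):
        return "none", "deliver"          # no policy published: DMARC does not apply
    rec = parse_dmarc(txt)
    spf_ok = bool(spf_pass) and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = bool(dkim_pass) and aligned(dkim_domain, from_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # p=reject -> drop, p=quarantine -> quarantine, p=none -> deliver (monitor only)
    action = {"reject": "drop", "quarantine": "quarantine"}.get(rec["p"], "deliver")
    return "fail", action
```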
URL Defense: Integrated email and web security
(diagram) Email Contains URL -> URL Categorization (Cisco SIO) -> one of:
Rewrite: Send to Cloud
Defang: BLOCKEDwww.playboy.comBLOCKED, BLOCKEDwww.proxy.orgBLOCKED
Replace: “This URL is blocked by policy”
Outbreak Filters in Action: User Experience
Before
Subject: Request for Review
Paul,
I forward my thesis to you for review.
Please open it and provide comments.
www.Personal Site.com/Thesis_Draft.pdf (underlying link: http://www.threatlink.com/)
Hope all’s well since Verizon.
Best regards,
Friend
After
Subject: [SUSPICIOUS MESSAGE] Request for Review
WARNING: This appears to be a malicious email
(same message body; the underlying link is rewritten to http://secure-web.Cisco.com/auth=X&URL=www.threatlink.com)
Identified: Targeted Attack
Content: Malware Payload
Vector: Email
Action: Blocked
Cisco SIO - Cloud Security Enforcement (Cisco Cloud Web Security)
(the tagged message from the previous slide: Subject: Request for Review, WARNING: This appears to be a malicious email, followed by the same body from Friend to Paul)
Cisco Outbreak Filters Defends against Targeted Attacks
Malware Payload Blocked
http://secure-web.Cisco.com… -> http://www.threatlink.com
The requested web page has been blocked
Cisco Email and Web Security protects your organization’s network from malicious software. Malware is designed to look like a legitimate email or website which accesses your computer, hides itself in your system, and damages files.
Cisco Security
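The URL Defense actions (rewrite to the cloud, defang, replace) and the Outbreak Filters tagging shown on the three slides above, as one added example that is not Cisco's code. The category table stands in for Cisco SIO categorization, the `auth=` token in the rewrite prefix is a placeholder, and the policy mapping and the gambling host are constructed for the demo.

```python
import re
from urllib.parse import quote

# Constructed stand-in for Cisco SIO URL categorization; hosts from the slides plus an
# invented gambling host so that all three actions are exercised.
CATEGORIES = {"www.threatlink.com": "malware", "www.playboy.com": "adult",
              "www.proxy.org": "proxy-avoidance", "www.casino.test": "gambling",
              "www.example.com": "business"}
# Per-category action from the URL Defense slide: rewrite (send to cloud), defang, replace.
POLICY = {"malware": "rewrite", "unknown": "rewrite", "adult": "defang",
          "proxy-avoidance": "defang", "gambling": "replace"}
# Cloud rewrite prefix in the slide's shape; the auth token is a placeholder, not a real value.
REWRITE_BASE = "http://secure-web.cisco.com/auth=PLACEHOLDER_TOKEN&URL="
URL_RE = re.compile(r"(?:https?://)?(www\.[\w-]+(?:\.[\w-]+)+)(/[^\s<>\"]*)?")

def categorize(host):
    return CATEGORIES.get(host.lower(), "unknown")

def apply_url_defense(url, host, path):
    """Return the URL as it should appear in the delivered message."""
    action = POLICY.get(categorize(host))
    if action == "rewrite":
        return REWRITE_BASE + quote(host + (path or ""), safe="")
    if action == "defang":
        return f"BLOCKED{host}BLOCKED"
    if action == "replace":
        return "\u201cThis URL is blocked by policy\u201d"
    return url   # categories without a policy entry pass through untouched

def filter_message(subject, body):
    """Outbreak Filters view: defend every URL in the body and, when a known-malicious
    host is present, tag the subject and prepend the warning banner from the slide."""
    flagged = False

    def defend(match):
        nonlocal flagged
        host, path = match.group(1), match.group(2)
        if categorize(host) == "malware":
            flagged = True
        return apply_url_defense(match.group(0), host, path)

    new_body = URL_RE.sub(defend, body)
    if flagged:
        subject = "[SUSPICIOUS MESSAGE] " + subject
        new_body = "WARNING: This appears to be a malicious email\n" + new_body
    return subject, new_body, flagged
```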
ESA v9.0 – Feature rich release
• Enhanced File-types support for sandboxing
• Malware quarantine
• Anti Snowshoe
• S/MIME signing and encryption
• Larger disk support
• Flexible disk capacity allocation
• AsyncOS API
• Virtual SMA support
• Support for complex policy configuration
• Flexible Spam digest configuration
• Block page white labeling
• Virtual gateways enhanced.
• SMTP-Auth
Anti-Snowshoe “Maintain leadership in anti-spam efficacy through ever-changing threat landscape to protect our customers and keep ahead of the competition”
Increase automation and auto-classification of emails for faster response
Enhanced awareness for anti-spam through “Contextual Analysis”
Strong defense against Snowshoe campaigns and Phishing attacks
S/MIME Signing & Encryption “Provide ability to exchange Emails securely using S/MIME support on ESA”
Gateway-to-Gateway Encryption support using S/MIME on box
Both Encryption and Signing supported
Detailed reports are provided showing messages encrypted/decrypted using S/MIME
Platform Enhancements “These enhancements are intended to provide our customers with flexibility in utilizing their appliances efficiently”
Flexible disk allocation on ESA
Support for larger disks
Support for virtualized SMA (VMware)
AsyncOS API “Programmable Interface to support easy Management and Automation”
REST API support on ESA
Phased approach, with support for Reporting in the first phase
Invocation of APIs through authenticated access over HTTPS
IPv6 Addressing
IPv6 Support: Defense for email systems against emerging IPv6 threats
• Supports: IPv4/IPv6 addressing – single or dual stack – with Anti-Spam, Anti-Virus, Content Filters, DLP, Encryption, and more
• Translates: IPv6 in and IPv4 out… or vice versa
• Full reporting and Message Tracking support
Is your Email Security filtering content with IPv6 addressing appropriately?
Reporting/Tracking for IPv6: ESA and SMA Reporting/Tracking will show IPv6 addresses along with IPv4.
What is new on Web?
HTTP Transaction Policy Flow
• Access Policy Pipeline High Level (diagram, For Your Reference)
Time of Request (client -> Proxy):
Determine Identity
Authentication (If required by Identity)
Determine Access Policy
CONNECT Port Check
URL Category Checks (Custom Top Down Then pre-defined)
Web Reputation Check
Quota Check
Suspect User agent Check
Time of Response (Web Server -> Proxy):
Response Body Size Check
MIME Type Checks
Application Visibility and Control Checks
Webroot DVS check
Anti-Malware Protection (McAfee, Sophos and Webroot)
Advanced Malware Protection (File Reputation & Analysis)
Deliver Content
Cisco Identity Services Engine (ISE): Single Source of Identity and Context Data to Complement the Cisco WSA
(diagram: Cisco ISE collects Who, What, Where, When and How from the Network and from Partner Context Data, and delivers a Consistent Secure Access Policy; Cisco® ISE Is the Market Leader)
The Power of Cisco ISE with Cisco WSA: WSA with ISE Process Flow
(diagram: ISE, TrustSec® and WSA govern access from Who: Guest / What: iPad / Where: Office, Who: Doctor / What: Laptop / Where: Office and Who: Doctor / What: iPad / Where: Office to the Internet, the Internal Employee Intranet and Confidential Patient Records)
► Acquires important context and identity from the network
► Monitors and provides visibility into unauthorized access
► Cisco® ISE provides differentiated access to the network; TrustSec® provides segmentation throughout the network; WSA provides web security and policy enforcement
Adaptive Scanning: Dynamic Scanner Selection
Reputation + Content Type + Scanner Selection = Adaptive Scanning
(diagram: the WSA fetches HTML from sites rated by Cisco® Talos, e.g. www.anysite1.com +1.1, www.anysite2.com -3.5, www.anysite3.com -5.5)
Adaptive Scanning Detail (For Your Reference)
• Step 1: Analyze every object on a page & assign a risk score
Object One - PDF: +0.0 (low risk)
Object Two - JPG: +5.6 (safe)
Object Three - JavaScript: -5.3 (high risk)
Object Four - Flash: -7.8 (very high risk - blocked)
Scores below -6 automatically blocked
Adaptive Scanning Detail (For Your Reference)
• Step 2: Scans prioritized in order of risk and assigns each object to the scanner with the highest efficacy for the given content type
Object Three - JavaScript: -5.3 (high risk) – looks at all licensed scanners (Sophos, McAfee & Webroot); chooses Sophos – best for JavaScript
Object One - PDF: +0.0 (low risk)
Object Two - JPG: +5.6 (safe) – chooses McAfee – best for JPG
If CPU at low load, scans with all available scanners
Safe objects scanned (to confirm verdict) only if box is at low load
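The two adaptive-scanning steps above as one added example, not Cisco's code: objects are ordered by risk, anything below -6 is blocked outright, each remaining object goes to the best scanner for its content type (the JavaScript/Sophos and JPG/McAfee pairings are the slide's; the Webroot fallback and the band edges other than -6 are assumptions), and a low-load box scans with every licensed engine and re-scans safe objects.

```python
BLOCK_THRESHOLD = -6.0   # Step 1: scores below -6 are blocked without scanning
LICENSED_SCANNERS = ("Sophos", "McAfee", "Webroot")
# Scanner with the highest efficacy per content type. The JavaScript->Sophos and
# JPG->McAfee pairings are from the slide; the fallback choice is an assumption.
BEST_SCANNER = {"javascript": "Sophos", "jpg": "McAfee"}
FALLBACK_SCANNER = "Webroot"

def risk_band(score):
    """Risk bands; only the block threshold is from the slide, the other edges are assumed."""
    if score < BLOCK_THRESHOLD:
        return "blocked"
    if score < 0.0:
        return "high"
    if score < 3.0:
        return "low"
    return "safe"

def plan_scans(objects, cpu_low):
    """objects: list of (name, content_type, risk_score). Returns the scan plan in
    priority order (riskiest first) as (name, decision, scanners) tuples."""
    plan = []
    for name, ctype, score in sorted(objects, key=lambda o: o[2]):
        band = risk_band(score)
        if band == "blocked":
            plan.append((name, "blocked", ()))
            continue
        if band == "safe" and not cpu_low:
            # Safe objects are only re-scanned to confirm the verdict when load is low
            plan.append((name, "deliver", ()))
            continue
        best = BEST_SCANNER.get(ctype.lower(), FALLBACK_SCANNER)
        # Low load: use every licensed scanner, best-fit engine first; otherwise only the best fit
        scanners = (best,) + tuple(s for s in LICENSED_SCANNERS if s != best) if cpu_low else (best,)
        plan.append((name, "scan", scanners))
    return plan

PAGE_OBJECTS = [   # the four objects and scores from the slide
    ("Object One - PDF", "pdf", 0.0),
    ("Object Two - JPG", "jpg", 5.6),
    ("Object Three - JavaScript", "javascript", -5.3),
    ("Object Four - Flash", "flash", -7.8),
]
```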
Streaming Media & Facebook Bandwidth Control
► AVC engine detects streaming media (audio and video) and Facebook using HTTP for transport
► Per-user limits
− Each end client/IP allowed N Kbit/sec of streaming media
− Limit local network congestion, and enforce acceptable use/user productivity
► Aggregate limits
− Streaming media may use no more than N Kbit/sec of upstream bandwidth
− Helps to ensure availability of upstream bandwidth
► Can be combined with identities, URL categories
“The March Madness or World Cup Problem”
Time and Volume Quotas Intelligent Controls of Bandwidth Usage
► Time and volume quotas allow WSA administrators to configure policies to restrict access based on amount of data (in bytes) and time
► Quotas are applicable to HTTP, HTTPS, and FTP traffic
► Can be configured under access policies and decryption policies
► Can be configured with time ranges to apply them for specific periods of time
► Quotas are reset daily; the reset time is configurable
► When more than one quota is applicable the most restrictive quota applies
► Quotas are applied per user; when user identity is not available they are applied per IP address
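The quota rules listed above (byte and time limits, optional time ranges, daily reset at a configurable time, most restrictive quota wins, per user with a per-IP fallback), as an added example that is not Cisco's code; the quota names and limits are constructed.

```python
from datetime import datetime, time, timedelta

# Constructed quota definitions: the concept is the slide's, names and limits are invented.
# A None limit means that dimension is unlimited; start/end restrict when the quota applies.
QUOTAS = [
    {"name": "daily-volume", "max_bytes": 500_000_000, "max_seconds": None, "start": None, "end": None},
    {"name": "office-hours-time", "max_bytes": None, "max_seconds": 3600, "start": time(9), "end": time(18)},
]
RESET_AT = time(0, 0)   # quotas reset daily; the reset time is configurable

class QuotaTracker:
    def __init__(self, quotas=QUOTAS, reset_at=RESET_AT):
        self.quotas, self.reset_at = quotas, reset_at
        self.usage = {}   # (subject, quota name) -> {"bytes", "seconds", "period"}

    @staticmethod
    def subject(user, ip):
        """Quotas are per user; without an authenticated identity they fall back to the client IP."""
        return ("user", user) if user else ("ip", ip)

    def period(self, now):
        # The quota day rolls over at reset_at, not necessarily at midnight
        return (now - timedelta(days=1)).date() if now.time() < self.reset_at else now.date()

    @staticmethod
    def applicable(quota, now):
        if quota["start"] is None:
            return True
        return quota["start"] <= now.time() < quota["end"]

    def _bucket(self, subj, quota, now):
        key = (subj, quota["name"])
        bucket = self.usage.get(key)
        if bucket is None or bucket["period"] != self.period(now):
            bucket = self.usage[key] = {"bytes": 0, "seconds": 0, "period": self.period(now)}
        return bucket

    def allow(self, user, ip, when, add_bytes, add_seconds):
        """Decide one request. `when` is an ISO timestamp. The most restrictive applicable quota
        wins: deny (naming the quota) if any would be exceeded, else charge usage to all of them."""
        now = datetime.fromisoformat(when)
        subj = self.subject(user, ip)
        buckets = [(q, self._bucket(subj, q, now)) for q in self.quotas if self.applicable(q, now)]
        for q, b in buckets:
            if q["max_bytes"] is not None and b["bytes"] + add_bytes > q["max_bytes"]:
                return False, q["name"]
            if q["max_seconds"] is not None and b["seconds"] + add_seconds > q["max_seconds"]:
                return False, q["name"]
        for _, b in buckets:
            b["bytes"] += add_bytes
            b["seconds"] += add_seconds
        return True, None
```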
Integrate High Availability in Cisco WSA Designs: VRRP/CARP Redundant Architecture
► Simple network layer redundancy
► High-availability Cisco® WSA deployment
(diagram: clients use Proxy Address 192.168.10.4, a Failover Group address shared by Master 192.168.10.5, Backup 192.168.10.6 and Backup 192.168.10.7)
SOCKS & HTTP CONNECT Proxy Support Provides a Single Point of Exit for Traffic Leaving an Intranet
► Cisco® WSA acts as a proxy between a SOCKS client communicating with a SOCKS server
− Ex: Bloomberg terminals
► SOCKS & HTTP CONNECT is widely used for dedicated communications between business partners or the financial industry
From Generic to Specific Reporting: Different Engineering Challenges
“Overview” Reports (Top ‘N’ Summary) -> “Detailed” Reports -> Targeted Search (Needle in Haystack)
Flexible Deployment Options: On- and Off-Premises
(diagram) On-Premises: Appliance, Virtual, Next-Generation Firewall; Cloud: Cloud
Deployment Options: Implicit or Explicit for each
Client Options: Connectors/Redirects via Firewall, Router, Roaming, Appliance
Key takeaways
Cisco Connect 2015 C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco ESA Pipeline (diagram)
Sender checks: SBRS Reputation, Recipient Validation, DMARC / SPF / DKIM (DNS Query to SBRS Servers and Cisco SIO) -> bad senders blocked
Anti-Spam (URL Data) -> spam dropped
Signature-Based Malware Scanners (Signature Updates for Malware Scanner from Cisco SIO) -> signature-based malware dropped
File Reputation (Known File Reputation, Retrospection data) -> Dropped: Emails with known bad file reputation attachments; Unknown files are uploaded to VRT sandboxing (VRT Analysis Sandboxing: Behavioral Analysis Uploaded, Retrospection data downloaded, File Reputation Update); File Reputation is shared with SourceFire FireAMP, FirePOWER and AMP Endpoint
Content Filters (URL Category, URL WBRS Reputation) -> Drop or Quarantine, etc; Defang URL, Redirect CWS, Replace URL with Text -> URL Rendered Safe and Delivered
Outbreak Filters (URL Data, On-Board Phishing DB, Outbreak Rules Data from SIO and Contextual Data on Email from CASE; Outbreak Filters Rules Updates from Cisco SIO)
Clean emails delivered