Post on 21-Jun-2020
Network Visibility and Advanced Malware Protection
James Weathersby, Director Technical Marketing
Gyorgy Acs, Consulting Security Engineer
Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public
Security Challenges: Changing Business Models; Dynamic Threat Landscape; Complexity and Fragmentation
Security Challenges: Changing Business Models
BYOD: 90% of organizations not "fully aware" of all network devices
CLOUD: 5–10 times more cloud services are being used than known by IT
APP STORES: 92% of top 500 Android apps carry security/privacy risks
SOCIAL MEDIA: 14% of organizations had malware enter the corporate network through social media/web apps
Security Challenges: Dynamic Threat Landscape
A community that hides in plain sight avoids detection and attacks swiftly
60% of data is stolen in HOURS
85% of point-of-sale intrusions aren't discovered for WEEKS
54% of breaches remain undiscovered for MONTHS
51% increase of companies reporting a $10M loss or more in the last YEAR
Security Challenges: Complexity and Fragmentation
373 security vendors at RSA
12x demand for security talent
45 security vendors for some customers
Themes: Complexity, Talent, Fragmentation
The Reality: Organizations Are Under Attack
Source: 2014 Cisco Annual Security Report
95% of large companies targeted by malicious traffic
100% of organizations interacted with websites hosting malware
Threat timeline: Viruses 1990–2000; Worms 2000–2005; Spyware and Rootkits 2005–Today; APTs, Cyberware Today+
Timeline annotations: Phishing, Low Sophistication; Hacking Becomes an Industry; Sophisticated Attacks, Complex Landscape
Cybercrime is lucrative, barrier to entry is low
Hackers are smarter and have the resources to compromise your organization
Malware is more sophisticated
Organizations face tens of thousands of new malware samples per hour
Comprehensive Security Requires: Breach Prevention; Rapid Breach Detection, Response, Remediation; Threat Intelligence
Source: http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html
The Full Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Coverage: Network, Endpoint, Mobile, Virtual, Email & Web, Cloud
Point-in-time and Continuous
Visibility and Context: Mapping Technologies to the Model
Technologies: Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM/NAC, IPS, Antivirus, Email/Web, IDS, FPC, Forensics, AMP, Log Mgmt, SIEM
Attack Continuum: BEFORE (Discover, Enforce, Harden); DURING (Detect, Block, Defend); AFTER (Scope, Contain, Remediate)
Secure DC, Enterprise Licensing Agreement, Enterprise Mobility
FireSIGHT Sees "Everything"
Categories | Examples | Sourcefire NGIPS & NGFW | Typical IPS | Typical NGFW
Threats | Attacks, Anomalies | ✔ | ✔ | ✔
Users | AD, LDAP, POP3 | ✔ | ✗ | ✔
Web Applications | Facebook Chat, Ebay | ✔ | ✗ | ✔
Application Protocols | HTTP, SMTP, SSH | ✔ | ✗ | ✔
File Transfers | PDF, Office, EXE, JAR | ✔ | ✗ | ✔
Malware | Conficker, Flame | ✔ | ✗ | ✗
Command & Control Servers | C&C Security Intelligence | ✔ | ✗ | ✗
Client Applications | Firefox, IE6, BitTorrent | ✔ | ✗ | ✗
Network Servers | Apache 2.3.1, IIS4 | ✔ | ✗ | ✗
Operating Systems | Windows, Linux | ✔ | ✗ | ✗
Routers & Switches | Cisco, Nortel, Wireless | ✔ | ✗ | ✗
Mobile Devices | iPhone, Android, Jail | ✔ | ✗ | ✗
Printers | HP, Xerox, Canon | ✔ | ✗ | ✗
VoIP Phones | Avaya, Polycom | ✔ | ✗ | ✗
Virtual Machines | VMware, Xen, RHEV | ✔ | ✗ | ✗
Contextual Awareness, Information Superiority
FireSIGHT Enables Automation
IT Insight: Spot rogue hosts, anomalies, policy violations, and more
Impact Assessment: Threat correlation reduces actionable events by up to 99%
Automated Tuning: Adjust IPS policies automatically based on network change
User Identification: Associate users with security and compliance events
FireSIGHT Demo
Cisco Advanced Malware Protection: Built on unmatched collective security intelligence
1.6 million global sensors
100 TB of data received per day
150 million+ deployed endpoints
600 engineers, technicians, and researchers
35% worldwide email traffic
13 billion web requests
24x7x365 operations
4.3 billion web blocks per day
40+ languages
1.1 million incoming malware samples per day
Intelligence sources: AMP Community; Private/Public Threat Feeds; Talos Security Intelligence; AMP Threat Grid Intelligence; AMP Threat Grid Dynamic Analysis (10 million files/month); Advanced Microsoft and Industry Disclosures; Snort and ClamAV Open Source Communities; AEGIS™ Program
The Cisco® Collective Security Intelligence Cloud feeds Email, Endpoints, Web, Networks, IPS and Devices with automatic updates in real time
Cisco AMP Delivers A Better Approach
Point-in-Time Protection: File Reputation, Sandboxing and Behavioral Detection
Retrospective Security: Continuous Analysis (Unique to Cisco AMP)
Both are fed by Cisco Collective Security Intelligence
Cisco AMP Defends With Reputation Filtering And Behavioral Detection
Reputation Filtering: One-to-One Signature; Fuzzy Finger-printing; Machine Learning
Behavioral Detection: Indications of Compromise; Device Flow Correlation; Dynamic Analysis; Advanced Analytics
Reputation Filtering Is Built On Three Features: One-to-One Signature (with the Collective Security Intelligence Cloud)
1. Unknown file is encountered, signature is analyzed, sent to cloud
2. File is not known to be malicious and is admitted
3. Unknown file is encountered, signature is analyzed, sent to cloud
4. File's signature is known to be malicious and is prevented from entering the system
Reputation Filtering Is Built On Three Features: Fuzzy Finger-printing (with the Collective Security Intelligence Cloud)
1. Fingerprint of file is analyzed and determined to be malicious
2. Malicious file is not allowed entry
3. Polymorphic form of the same file tries to enter the system
4. The fingerprints of the two files are compared and found to be similar to one another
5. Polymorphic malware is denied entry based on its similarity to known malware
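The two reputation-filtering walkthroughs above (one-to-one signature lookup, then fuzzy fingerprinting against a polymorphic variant) as one runnable illustration. This is an added example, not Cisco AMP code; the fingerprint scheme (hashed byte 4-grams compared by Jaccard similarity), the 0.6 threshold and the constructed sample files are assumptions made for the example.

```python
import hashlib
import random


def one_to_one_signature(data: bytes) -> str:
    """Exact signature: SHA-256 of the whole file. One changed byte gives a new value."""
    return hashlib.sha256(data).hexdigest()


def fuzzy_fingerprint(data: bytes, n: int = 4) -> frozenset:
    """Fuzzy fingerprint: the set of hashed overlapping byte n-grams.
    An edit or insertion disturbs only the n-grams it touches, so a
    polymorphic variant keeps most of the original's fingerprint."""
    grams = (data[i:i + n] for i in range(max(len(data) - n + 1, 1)))
    return frozenset(hashlib.blake2b(g, digest_size=4).digest() for g in grams)


def similarity(fp_a: frozenset, fp_b: frozenset) -> float:
    """Jaccard similarity of two fingerprints: 0.0 (disjoint) to 1.0 (identical)."""
    if not fp_a and not fp_b:
        return 1.0
    return len(fp_a & fp_b) / len(fp_a | fp_b)


def reputation_verdict(data: bytes, bad_hashes: set, bad_fingerprints: list,
                       threshold: float = 0.6) -> str:
    """Step 1: one-to-one signature lookup. Step 2: fuzzy comparison against the
    fingerprints of known malware. Returns 'blocked:exact', 'blocked:similar'
    or 'admitted' (file not known to be malicious)."""
    if one_to_one_signature(data) in bad_hashes:
        return "blocked:exact"
    fp = fuzzy_fingerprint(data)
    best = max((similarity(fp, bad) for bad in bad_fingerprints), default=0.0)
    return "blocked:similar" if best >= threshold else "admitted"


def _blob(seed: int, size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for file contents."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed sample files (not real malware): a known-bad file, a polymorphic
# variant of it (16 bytes of padding inserted mid-body, different decoy string)
# and an unrelated clean document.
BODY = _blob(1, 600)
KNOWN_BAD = b"MZ\x90\x00" + BODY + b"c2=update.invalid"
VARIANT = b"MZ\x90\x00" + BODY[:300] + b"\x90" * 16 + BODY[300:] + b"c2=mirror.invalid"
CLEAN = b"%PDF-1.7\n" + _blob(2, 600)

# The "cloud" side: exact hashes and fuzzy fingerprints of known malware.
BAD_HASHES = {one_to_one_signature(KNOWN_BAD)}
BAD_FINGERPRINTS = [fuzzy_fingerprint(KNOWN_BAD)]

if __name__ == "__main__":
    for name, blob in (("known bad", KNOWN_BAD), ("variant", VARIANT), ("clean", CLEAN)):
        print(f"{name:9s} -> {reputation_verdict(blob, BAD_HASHES, BAD_FINGERPRINTS)}")
```

The variant defeats the exact lookup (its SHA-256 differs) but not the fuzzy comparison, which is the point of the second walkthrough.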
Reputation Filtering Is Built On Three Features: Machine Learning (with the Collective Security Intelligence Cloud)
1. Unknown file's metadata is sent to the cloud to be analyzed
2. Metadata is recognized as possible malware
3. File is compared to known malware and is confirmed as malware
4. A second unknown file's metadata is sent to cloud to be analyzed
5. Metadata is similar to known clean file, possibly clean
6. File is confirmed as a clean file after being compared to a similarly clean file
Machine Learning Decision Tree: possible malware leads to either confirmed malware or confirmed clean file; possible clean file leads to either confirmed clean file or confirmed malware
Behavioral Detection Is Built On Four Features: Indications of Compromise (with the Collective Security Intelligence Cloud)
1. File of unknown disposition is encountered
2. File replicates itself and this information is communicated to the cloud
3. File communicates with malicious IP addresses or starts downloading files with known malware disposition
4. Combination of activities indicates a compromise and the behavior is reported to the cloud and AMP client
5. These indications are prioritized and reported to security team as possible compromise
Behavioral Detection Is Built On Four Features: Dynamic Analysis
1. Dynamic Analysis Engine executes unknown files in on-premise or cloud sandboxes powered by AMP Threat Grid
2. Two files are determined to be malware, one is confirmed as clean
3. Intelligence Cloud is updated with analysis results and retrospective alerts are broadcast to users
Components: Collective Security Intelligence Cloud, Collective User Base, AMP Threat Grid Sandbox
Behavioral Detection Is Built On Four Features: Advanced Analytics
1. Receives information regarding software unidentified by Reputation Filtering appliances
2. Receives context regarding unknown software from Collective User Base
3. Analyzes file in light of the information and context provided
4. Identifies the advanced malware and communicates the new signature to the user base
Components: Collective Security Intelligence Cloud, Collective User Base, AMP Threat Grid Analysis
Behavioral Detection Is Built On Four Features: Device Flow Correlation (with the Collective Security Intelligence Cloud)
1. Device Flow Correlation monitors communications of a host on the network
2. Two unknown files are seen communicating with a particular IP address (the slide shows IP: 64.233.160.0)
3. One is sending information to the IP address, the other is receiving commands from the IP address
4. Collective Security Intelligence Cloud recognizes the external IP as a confirmed, malicious site
5. Unknown files are identified as malware because of the association
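The Indications of Compromise and Device Flow Correlation walkthroughs above, replayed over constructed endpoint telemetry. This is an added example, not Cisco AMP code; the event schema, the indicator weights and reporting threshold, and the documentation-range IP and placeholder hash standing in for threat intelligence are assumptions.

```python
from collections import defaultdict

# Constructed threat intelligence (TEST-NET address and placeholder hash, not real indicators).
MALICIOUS_IPS = {"203.0.113.10"}
KNOWN_MALWARE_HASHES = {"sha256-placeholder-known-dropper"}

# Constructed endpoint telemetry: (time, host, file_id, event, detail).
# f1 is a file of unknown disposition that misbehaves; f2 is an unknown file that does not.
EVENTS = [
    ("09:01", "10.4.10.183", "f1", "execute", ""),
    ("09:02", "10.4.10.183", "f1", "file_write", r"\\10.5.11.8\share\f1"),
    ("09:02", "10.4.10.183", "f1", "file_write", r"\\10.3.4.51\share\f1"),
    ("09:05", "10.4.10.183", "f1", "connect", "203.0.113.10"),
    ("09:06", "10.4.10.183", "f1", "download", "sha256-placeholder-known-dropper"),
    ("09:10", "10.5.60.66", "f2", "execute", ""),
    ("09:11", "10.5.60.66", "f2", "connect", "198.51.100.7"),
]

# Indicator weights are an assumption of this example, not AMP's scoring.
WEIGHTS = {"replication": 3, "malicious_ip": 4, "known_malware_download": 4}


def evaluate_iocs(events, malicious_ips, malware_hashes, min_score=6):
    """Group telemetry per file and test each file's behaviour against the
    indicators the deck lists. A file is reported only when the combination
    of activities reaches min_score; a single weak indicator is not enough.
    Returns {file_id: (score, [indicator names])}."""
    per_file = defaultdict(list)
    for ev in events:
        per_file[ev[2]].append(ev)
    findings = {}
    for file_id, evs in per_file.items():
        hits = []
        # Self-replication: copies of itself written to two or more other hosts.
        copies = {d for _, _, _, kind, d in evs
                  if kind == "file_write" and d.endswith("\\" + file_id)}
        if len(copies) >= 2:
            hits.append("replication")
        # Device Flow Correlation: the file's own flows checked against intelligence.
        for _, _, _, kind, d in evs:
            if kind == "connect" and d in malicious_ips:
                hits.append("malicious_ip")
            elif kind == "download" and d in malware_hashes:
                hits.append("known_malware_download")
        score = sum(WEIGHTS[h] for h in hits)
        if score >= min_score:
            findings[file_id] = (score, hits)
    return findings


def prioritize(findings):
    """Highest score first: the order in which the security team is alerted."""
    return sorted(findings.items(), key=lambda kv: kv[1][0], reverse=True)


if __name__ == "__main__":
    findings = evaluate_iocs(EVENTS, MALICIOUS_IPS, KNOWN_MALWARE_HASHES)
    for file_id, (score, hits) in prioritize(findings):
        print(f"{file_id}: score {score}, indicators {hits}")
```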
Cisco AMP Defends With Retrospective Security
To be effective, you have to be everywhere, continuously
Cisco AMP Provides Retrospective Security: Trajectory; Behavioral Indications of Compromise; Elastic Search (Breach Hunting); Continuous Analysis; Attack Chain Weaving
Retrospective Security Is Built On… Continuous Analysis
1. Performs analysis the first time a file is seen
2. Persistently analyzes the file over time to see if the disposition is changed
3. Giving unmatched visibility into the path, actions or communications that are associated with a particular piece of software
Retrospective Security Is Built On… Attack Chain Weaving
Leverages retrospective capabilities in three ways:
1. File Trajectory records the trajectory of the software from device to device
2. Process Monitoring monitors the I/O activity of all devices on the system
3. Communications Monitoring monitors which applications are performing actions
Attack Chain Weaving analyzes the data collected by File Trajectory, Process and Communication Monitoring to provide a new level of threat intelligence
Retrospective Security Is Built On… Behavioral Indications of Compromise
Behavioral Indications of Compromise uses continuous analysis and retrospection to monitor systems for suspicious and unexplained activity… not just signatures!
1. An unknown file is admitted into the network
2. The unknown file copies itself to multiple machines
3. Duplicates content from the hard drive
4. Sends duplicate content to an unknown IP address
Leveraging the power of Attack Chain Weaving, AMP is able to recognize patterns and activities of a given file, and identify an action to look for across your environment rather than a file fingerprint or signature
Retrospective Security Is Built On… File Trajectory
File trajectory automatically records propagation of the file across the network (computers, virtual machines and mobile devices, reporting to the Collective Security Intelligence Cloud)
1. Unknown file is downloaded to device
2. Fingerprint is recorded and sent to cloud for analysis
3. The unknown file travels across the network to different devices
4. Sandbox analytics determines the file is malicious and notifies all devices
5. If file is deemed malicious, file trajectory can provide insight into which hosts are infected and it provides greater visibility into the extent of an infection
Retrospective Security Is Built On… Device Trajectory
1. Unknown file is downloaded to a particular device
2. The file executes
3. Device trajectory records this, the parent processes, lineage, and all actions performed by the file
4. File is convicted as malicious and the user is alerted to the root cause and extent of the compromise
Retrospective Security Is Built On… Elastic Search
1. Elastic Search is the ability to leverage the indicators generated by Behavioral IoCs to monitor and search for threats across an environment
2. Once a threat has been identified, it can be used to search for and identify if that threat exists anywhere else
3. This functionality enables quick searches to aid in the detection of files that remain unknown but are malicious
AMP Provides Contextual Awareness and Visibility
Who: Focus on these users first
What: These applications are affected
Where: The breach impacted these areas
When: This is the scope of exposure over time
How: Here is the origin and progression of the threat
Deployment Options
There are several ways you can deploy AMP:
Email and Web; AMP on ASA; CWS
  Ideal for: New or existing Cisco CWS, Email/Web Security, ASA customers
  Method: License with ESA, WSA, CWS, or ASA customers
  Details:
  • ESA/WSA: Prime visibility into email/web
  • CWS: web and advanced malware protection in a cloud-delivered service
  • AMP capabilities on ASA with FirePOWER Services
AMP for Networks (AMP on FirePOWER Network Appliance)
  Ideal for: IPS/NGFW customers
  Method: Snap into your network
  Details:
  • Wide visibility inside network
  • Broad selection of features before, during and after an attack
AMP for Endpoints (Windows, Mac, Android, VMs; PC/Mac, virtual, mobile)
  Method: Install lightweight connector on endpoints
  Details:
  • Comprehensive threat protection and response
  • Granular visibility and control
  • Widest selection of AMP features
AMP Private Cloud Virtual Appliance
  Ideal for: High Privacy Environments
  Method: On-premise Virtual Appliance
  Details:
  • Private Cloud option for those with high privacy requirements
  • For endpoints and networks
AMP Demo
Block Threats Before They Breach: A US Bank Case Study (BEFORE)
Challenge: An experienced security team of 7 supporting over 120 locations needed greater intelligence to quickly identify and stop threats. Current defenses alerted personnel and logged details but did nothing to aid investigation of the issue.
Solution: Augmented intrusion prevention systems with AMP for Endpoints.
Result: After installation of AMP, a targeted attack was identified and remediated in half a day. 7 days after the initial attack, new business processes and intelligence implemented by AMP resulted in the immediate mitigation of a second targeted attack.
Identify Scope And Remediate Impact After Breach: Power Utility Case Study (AFTER)
Challenge: The company is a frequent victim of spear phishing campaigns with indications of infection emanating from multiple sources.
Solution: Added AMP for Endpoints to a system already using FirePOWER to enable them to track and investigate suspicious file activity.
Result: The company gained complete visibility into their malware infections, determined the attack vector, assessed the impact to the network and made intelligent surgical decisions for remediation in a fraction of the time it would take to respond manually.
How Cisco AMP Works: Network File Trajectory Use Case
1. An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox.
2. At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
3. Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application.
4. The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
5. The Cisco Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
6. At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
7. 8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
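The file trajectory walkthrough above, together with the File Trajectory slide in the retrospective security section, as an added illustration (not Cisco AMP code). It assumes a ledger data model, a placeholder file hash, a first download time of 10:50, a generic "network" transfer for the 10:57 hop, and that each SMB hop came from the previous device; none of these are stated by the deck.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Sighting:
    time: str    # HH:MM as in the walkthrough; same-day ordering by string works
    host: str    # device that received the file
    source: str  # where the copy came from ("web" or a device IP)
    via: str     # application or protocol that carried it


@dataclass
class TrajectoryLedger:
    """Records every sighting of every file while its disposition is still
    unknown, so that a later conviction can be applied retrospectively."""
    dispositions: dict = field(default_factory=dict)  # sha256 -> unknown|clean|malicious
    sightings: dict = field(default_factory=dict)     # sha256 -> [Sighting]

    def observe(self, sha256: str, s: Sighting) -> str:
        """Point-in-time decision at the moment a file appears on a device."""
        if self.dispositions.get(sha256) == "malicious":
            return "blocked"              # known bad: stopped at the point of entry
        self.dispositions.setdefault(sha256, "unknown")
        self.sightings.setdefault(sha256, []).append(s)
        return "admitted"                 # not known bad: admitted, but recorded

    def convict(self, sha256: str) -> list:
        """Retrospective event: the cloud changes the disposition, and every
        device that ever saw the file is alerted in the order it received it."""
        self.dispositions[sha256] = "malicious"
        path = sorted(self.sightings.get(sha256, []), key=lambda s: s.time)
        return [(s.time, s.host) for s in path]

    def trajectory(self, sha256: str) -> list:
        """The file's path across devices, for scoping the extent of an infection."""
        path = sorted(self.sightings.get(sha256, []), key=lambda s: s.time)
        return [(s.source, s.host, s.via) for s in path]


FILE = "sha256-placeholder"  # the deck does not give the file's hash


def replay_use_case():
    """Replays the walkthrough; returns the retrospective alerts and the
    verdict on the attempted re-entry. Times other than 10:57 are assumed."""
    ledger = TrajectoryLedger()
    ledger.observe(FILE, Sighting("10:50", "10.4.10.183", "web", "Firefox"))
    ledger.observe(FILE, Sighting("10:57", "10.5.11.8", "10.4.10.183", "network"))
    ledger.observe(FILE, Sighting("17:57", "10.3.4.51", "10.5.11.8", "SMB"))     # seven hours later
    ledger.observe(FILE, Sighting("18:27", "10.5.60.66", "10.3.4.51", "SMB"))    # a half hour later
    alerts = ledger.convict(FILE)   # the cloud learns the file is malicious
    # 8 hours after the first attack: re-entry through the original point of entry
    reentry = ledger.observe(FILE, Sighting("18:50", "10.4.10.183", "web", "Firefox"))
    return alerts, reentry


if __name__ == "__main__":
    alerts, reentry = replay_use_case()
    for t, host in alerts:
        print(f"retrospective event at {t} for {host}")
    print("re-entry attempt:", reentry)
```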
Protection Across Networks
The Network platform uses indications of compromise, file analysis, and in this example file trajectory to show you exactly how malicious files have moved across the environment.
Protection Across Endpoints
The Endpoint platform has device trajectory, elastic search and outbreak control, which in this example is shown quarantining recently detected malware on a device that has the FireAMP connector installed.
Protection Across Web and Email
AMP for Web and Email protects against malware threats in web and email traffic by blocking known malware and issuing retrospective alerts when unknown files are convicted.