cisco security everywhere · cisco security investment & innovation (2013-2015) sourcefire...
TRANSCRIPT
Cisco Security Everywhere
Cluj-Napoca
Dan Gavojdea – Security Specialist – Cisco Systems
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
50 billionnew networkeddevices by 2020
3/4of employees uses
MULTIPLE DEVICES for work
56%of information workers
spend time workingOUTSIDE THE OFFICE
100%of IT staff
STRUGGLEto keep up withmobile needs
Demand for Mobility
There are two types of
customers…
How would you do
security differently if you
knew you were going to
be hacked?
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9
Cisco Security Architecture
ADMIN
NGFW
Filter
URL
Leading Threat Intelligence
Research Group
I0I00I00I0I 0II0 I00I0 00I0II0 00I0I00I 0I0II00I0 I00I 0I00 I0I00 II0I 0 II0 I I0I00I0II0I I0II 00I 0I0
00II0I0II0I0I0II 0I00II
II0I 00I0
0 I00000I0
0
00I00I0I00I00I0I00I0II00II00I0 I00I 000 I0I 0I0II000I0 0I00 I0II00 I0I000I00I0
0I 0
00I0
0I0
I00I
Roaming User
00II0
I 0I0
0II0
0I0
0I 0
00I0
0I0
II0I0I00I00I 000I00I00 I0I00I0II0 0II00I0 I00I 0I00 I0I00 00I00I0I00I00I0I00I0II00II00I0 I00I 0I00 I0I00 II0I0II0II 00II0III0I 0II0I00I 0II0II0I0I 0I0II0I 00I00I000II0I II0I0II0
000I0II0II0I 00I0I0
00II0
I00
I
0I0
0I0
0 III0I 00I00I 000I00I0II0I I0I0 00 I0I I00I0II 00I00I0I 00I0I00I0 00II0I0I 00II0II0I
00I0II0I0 0II
AMP for Endpoints
00I00I0I00I00I0I00I0II00II00I0 I00I 0I00 I00I 0I0 I000I I0 0I00II 00I0 I0I 00I I0I 00 I0I0I 00I I0I 00 I0I0 0I I0I0I 0 0I0II0 I00 I0I0I0I00 I0I0 I0I0 0I0 I0I00 I00 I0I I00 0I0II 00II00I 0 I00I0 0I0I0 00I0I0 I00I I0I 0I0I 0I I0 0 I00I I0I0 I00I 0I0I 0I0 0I0I0 I0 0 I0 0 I 0I0 0 I 0 I0I0 0I0I I0I0 I0 0 I00 I0 0I0 0 I0 I00 I 00 I0 0 I 0I0 0I0 0 I0 0 I 0 0I 0I
0I0 I00 I0I0I 00I I0I 00 I0I0 0I I0I0I 0 0I0II0 I00 I0I0I0I00 I0I0 I00 I0I0I 00I I0I 00 I0I0 0I I0I0I 0 0I0II0 I00II0 0I0I0I00 I0I0 I0I0I0I 00I I0I 00 I0I0 0I I0I0I 0 0I0II0 I00 I0I0I0I00 I0I0 I00 I0I0I 00I I0I 00 I0I0 0I I0I0I 0 0I0II0 I00 I0I0I0I00 I0I0 I00 I0I0I 00I I0I 00 I0I0 0I I0I0I 0 0 I0I0I 00I I0I 00 I0I0 0I I0I0I 0 0I0II0 I00 0II0I000II0I0I 0I0II0
I00 I0I0I0I00 I0I0 I00 I0I0I 00I I0I 00 I0I0 0I 0I0II0 I00 I0I0I0I00 I0I0 I00 I0I0I 00I I0I 00 I0I0 0I 0I0II0 I00 I0I0I0I00 I0I0 I00 I0I0I 00I I0I 00 0I0I 0I00 00II0I 00I00I I00I0 00I 0000I00I00II0I 00I00I 00I00II0I I00I I0I0 I00I 0I0I 0I0 0I0I0 I0 0 I0 0 I 0I0 0 I 0 I0I0 0I0I I0I0 I0 0 I00 0
I00I0II00I0I00II0I0
0II0II0I000I0I000II
0I00I00I0I00I00I0
00II0 II0I 00I0
0I 0I0
0I
00I0
I0I0
I00I0
00II0I 00II0I0II0 0II0II0I 00I0I)I00II0I0 00I0I00 00II0II0I 0I0I 00II0II000I00I
000I00I00 I0I00
CTA
II00I0
I00I 0
I00 I0
I00 II0
I 0 II0
I I0I0
0I0
II0I I0
00I0
0I
0I0
I0II0
0I0
I0III0
0I0
I0I0
I0I0
I0I0
0II0
I0II
000II0
II00I0
0I0
I II0 II0II 0II II00I0 I00I 0I00 I0I00 II0I 0 II0 I I0I00I0II0I I0I00I 0II0I 0II0 0II0I I00I0I 000II0I 00II00I I0II00I
00II0I0III000I 0I0I II00I0 I00I 0I00 I0I00 II0I 0 II0 I I0I00I0II0I I0I00I 0I0I 00II 0II0I 0II0I0II00I00 00II0I0II0I0I
00I000I0I00I 0000I
II0I0
II 00II0
I00 0
0I0
0I0
0I
I0I0I0 I0I00III0 0I
0II II0I00 0I00II0
AMP for
Endpoints
Endpoint User
I00I0II00I0I00II0I0
0II0II0I000I0I000II
0I00I00I0I00I00I0
00II0
VPN
DATACENTER
I00I
00I0
II0
II000II
0 0
0II
0II
0I0
000I0
0I 00I0
I II
0000I0
I0I0
00I0
I000I0
I0I
0II
II0
I0 II0
0I0
I0000 0
000 II0
II0 0
0II
0I 000000II
I
0II
II0
I0 II0
0I0
I0000 0
000 II0
II0 0
0II
0I 000000II
I
I0I II0II0
0I
000II0
00I0
I
000II0
00I0
I
0I 0I0I0 II00I0
I0II00I0 II00I0
NGFW
AMP for Network
00I0 0000I 00 00I 0I I0II I00I I0I00I
I0II0I
I0I0I0 I0I00II0 I0I0I0 0I0I00 I0II0 0I0I
00I0II II0I00 0I0I 000II0I 00I00 I0I00 000
I00
Block
Warn
Allow
Cloud Option
Network Traffic
Flow
Analysis
Vector TRAFFIC
AMP for Content
I00I0II00I0I00II0I0
0II0II0I000I0I000II
0I00I00I0I00I00I0
00II0
Web & Email Security
Dynamic Malware
Analysis
NGIPS
NGIPS
0I0II0I00II0
I
Cloud Access Security
CLOUD APPS
Intelligent cybersecurity to protect against advanced threats
Identity
Services
Trustsec
PEOPLE & DEVICES
Vector
CLOUD APPS
Vector
ASAv
Vector
CES ESA
Lancope
Stealthwatch
ASA
AnyConnect VPN
Cloud Access Security
AMP Threat Grid
CWS WSA
ASA
ISE
0I0I0 II0I0
PEOPLE & DEVICES
WEB & EMAIL CLOUD APPSWEB & EMAIL
AMP for Endpoints
AMP for Content
AMP for Network
AMP for
Endpoints
NGIPSv
NGIPS
NGIPS
The Security Problem
New Business Models
Dynamic Threat Landscape
Complexity of security solutions
The Industrialization of Hacking
20001990 1995 2005 2010 2015 2020
Viruses1990–2000
Worms2000–2005
Spyware and Rootkits2005–Today
APTs CyberwareToday +
Hacking Becomesan Industry
Sophisticated Attacks, Complex Landscape
Phishing, Low Sophistication
Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public
Security Challenges
Changing
Business Models
Dynamic
Threat Landscape
Complexity
and Fragmentation
A community that hides in plain sight avoids detection and attacks swiftly
50%Of attacks last year
were basic attacks
54%of breaches remain
undiscovered for
MONTHS
YEARSMONTHSWEEKSHOURSSTART
85%intrusions
aren’t discovered for
WEEKS
51%increase of companies
reporting a $10M loss
or more in the last
YEAR
Dangerous Times
Nation State
Political
Insider
Criminal
Confidential
Data
A Security Executives’ business challengesWho, What, Where, When…
Game the
Stock Price
Steal Customer
Data
Damage
the Brand
Fraud
Industrial Espionage
Pivot Through Us To
Attack Customers
Exploit the
Network
Steal IP
HOW
What are the acceptable
risks?
Where do you think your
greatest vulnerabilities lie?
Are you compliant?
19
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco
Confidential
Who is responsible ?
Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public
Point-in-Time Malware Detection Alone is not 100% Effective
It will catch But only takes
99% 1%of threats to cause a breach
Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public
AMP provides contextual awareness and visibility that allows you to take control of an attack before it causes damage
Who
What
Where
When
How
Focus on these
users first
These applications
are affected
The breach impacted
these areas
This is the scope of
exposure over time
Here is the origin and
progression
of the threat
Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public
Cisco’s AMP Everywhere Strategy Means Protection Across the Extended Network
MAC
AMP for
Networks
PC
AMP for
Cloud Web Security
& Hosted Email
CWS
Virtual
AMP on Web & Email
Security Appliances
Mobile
AMP on ASA Firewall
with FirePOWER
Services
AMP for Endpoints
AMP Private Cloud
Virtual ApplianceAMP Threat Grid
Dynamic Malware Analysis +
Threat Intelligence Engine
Mapping to the Holistic Threat Continuum
ControlEnforceHarden
DetectBlock
Defend
ScopeContain
Remediate
Infrastructure
and Protocols
Network
Firewall
Next-Generation
Firewall (NGFW)Next-Generation
IPS (NGIPS)
Web Security
Content Filtering
Mobile Users
Remote Access
VPN
Email Security
SSL Decryption
and Inspection
Network ForensicsAdvanced Malware
Protection (AMP)
Incident Response
Open Source
Custom Tools
Context-Awareness Attribution
CLUS:
AMP
Data Center
Cisco Security Investment & Innovation(2013-2015)
Sourcefire
Acquisition closed
Security
for ACI
RSAC:
AMP Everywhere
OpenAppID
Managed Threat
Defense
Black Hat:
2014 MSR & Talos
2014 ASR
Global Security
Sales Organization
Neohapsis
Acquired
AMP Everywhere
Incident Response
Service
Cisco ASA with
FirePOWER Services
for Mid-Size, Branch
Offices and Industrial
environments
ThreatGRID
acquired
Cisco ASA with
FirePOWER Services
Security & Trust
Organization
InterOp NY:
ISE 1.3 / AC 4.0 / CTD 2.0
EN integrations
Intent
OpenDNS
Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public
NSS Labs ReportComparative Testing on Breach Detection Systems
Who is NSS Labs?NSS Labs, one of the best and most thorough independent
testing bodies in the industry, performed comparative
testing on Breach Detection Systems.
What was measured?
Security Effectiveness of Breach Detection Systems
• HTTP/Email Malware, Exploits, Evasions, and False
Positive Rate
Total Cost of Ownership per protected Mbps
What Cisco-Sourcefire
products were tested?
AMP Everywhere
• AMP for Networks and AMP for Endpoints (TCO
calculations include this set of FireAMP connectors)
• FirePOWER 8120 (with AMP subscription)*
What competitor
products were
evaluated?
FireEye, AhnLab, Fortinet, TrendMicro, Fidelis
BDS Methodology v1.5
[The methodology] utilizes real threats
and attack methods that exist in the
wild and are actually being used by
cyber-criminals and other threat
actors. This is the real thing, not
facsimile; systems under test (SUT)
are real stacks connected to a live
internet feed.
--NSS Labs
*Dedicated AMP Appliances (AMP8150/AP7150) were not shipping at the time of the test, otherwise one would have been used
Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public
Se
cu
rity
Eff
ec
tive
ne
ss
TCO per Protected-Mbps
The ResultsCisco AMP is a Leader in Security Effectiveness and TCO and offers Best Protection Value
Cisco Advanced Malware
Protection
Best Protection Value
99.0% Breach Detection
Rating
Lowest TCO per Protected-
Mbps
Other Products Do Not Provide
Retrospective Security After a
Breach
NSS Labs Security Value Map (SVM) for Breach Detection Systems
Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public
AMP Case Studies
Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public
Block Threats Before They Breach
Challenge
Experienced security team of 7 supporting over
120 locations needed greater intelligence to
quickly identify and stop threats. Current
defenses alerted personnel and logged details
but did nothing to aid investigation of the issue.
SolutionAugmented intrusion prevention systems with
FireAMP for Endpoint.
Result
After installation of FireAMP, a targeted attack
was identified and remediated in half a day. 7
days after the initial attack, new business
processes and intelligences implemented by
FireAMP resulted in the immediate mitigation of a
second targeted attack.
BEFORE
Bank Case Study
2106 Security Report
• Blocked threats: 19,692,200,000 threats per day
• Blocked threats w/ spam: 2,557,767 blocks/sec
Talos Detection Content
Talos
NGFW
ESA
Threat
GRID
AMP
Cloud
WSA
NGIPS
Security Bundles
Securitatea informatica pentru dezvoltatorii de aplicații si soluții
Bogdan Voiculescu
Net Brinel - Presales Consultant
2 Martie 2016
About sandboxing technology
Sandbox definition
A sandbox has the objective of detecting malware by executing the suspicious code in a protected environment and to analyze its behavior.
It’s used for zero-day and stealthy attacks.
Stalling code
Execution of code is delayed so that the sandbox times out. Malware doesn’t just sleep, it gives the appearance of activity – useless operation, everything is normal –Malware Analysis System Blind SPOT.
Blind spot in a Sandbox
“Hooks” are inserted into a program to get notifications (callbacks) – whenever certain functions or library are called. This forces program modifications that is identified by malware. Also, sandbox is not able to see any instruction that malware execute between calls.
Where is the Human ?
User behavioral monitoring allows Malware to detect user interaction before execution. Activities done by a human have random character that are very hard to replicate – page scrolling, mouse movement, mouse clicks etc. – suspicious unnatural behavior DETECTED.
Diagnosing the Sandbox
Malware is able to scan for• VM registry keys• running processes• disk size• remote communication and other specific VM characteristics
About Antivirus Solution
https://media.blackhat.com/bh-us-12/Briefings/Flynn/bh-us-12-Flynn-intrusion-along-the-kill-chain-WP.pdf
Don’t believe us…
Let’s test it !
Cisco PxGrid – Platform Exchange
Thank you !
