Cisco cybersecurity solutions
DESCRIPTION
In 2014 cyber attacks are increasingly sophisticated, with dedicated organisations developing next-generation malware. Whether private companies or state institutions, everyone must protect themselves and be able to analyse and counter these new threats. Cisco has brought innovative anti-malware protection solutions to market. These solutions are now implemented in most Cisco security equipment: in the web and mail proxies, but also in the IPS sensors, in dedicated appliances and on workstations. Cisco makes its security expertise available to its customers, with real-time analysis of these attacks in the cloud and a retrospective analysis of the events that preceded the attack. We invite you to discover the whole of these technologies in this presentation.
TRANSCRIPT
C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cybersecurity techniques
Frédéric HER, Christophe SARRAZIN
Security Consultant, Southern Europe
Security Consultant, Southern Europe
The current problem
New usages; constant evolution of threats; complexity & fragmentation
"A problem cannot be solved with the modes of thinking that created it."
The new security model
Attack Continuum (diagram): BEFORE: Discover, Enforce, Harden | DURING: Detect, Block, Defend | AFTER: Scope, Contain, Remediate. Applied across Network, Endpoint, Mobile, Virtual and Cloud; Point in Time versus Continuous.
The evolution of threats
Threats, in order of appearance: viruses and worms; spyware / rootkits; APTs / cyberware; an enlarged attack surface (mobility & cloud).
Responses, by date: 2000, endpoint security (AV); 2005, network perimeter (IDS/IPS); 2010, reputation & sandboxing; today, intelligence & analysis.
Advanced Cyber Threats (diagram): compromised site & exploit server; infiltrate; control (CNC); lateral movement; extend attack surface; data exfiltration; users & applications; WWW.
Defending with intelligence: Cisco SIO
Questions answered by Cisco Security Intelligence Operations (diagram): Is the SMTP connection legitimate? Is the content malicious or unwanted? Are zombies reaching out to CNC servers? Hostile actions or deviant users? Malicious content on the workstation?
Inputs: reputation, signatures, threat research, domain registration, content inspection, spam traps, honeypots, crawlers, blocklists & reputation, partnerships, platform-specific rules & logic.
The extended coverage of Cisco SIO
100 TB of security intelligence; 1.6M deployed devices; 13B web requests; 150,000 micro-applications; 1,000 applications; 93B messages; 35% of enterprise email; 5,500 IPS signatures; 150M deployed endpoints; updates every 3-5 min; 5B email connections; 4.5B emails blocked.
…and web exploits can be difficult to detect: just a blog amongst plenty…
• URLs in browser: 1
• HTTP GETs: 162
• Images: 66 from 18 domains, including 5 separate 1x1 pixel invisible tracking images
• Scripts: 87 from 7 domains
• Cookies: 118 from 15 domains
• 8 Flash objects from 4 domains
Internet Explorer (IE) Zero-Day Vulnerability: Multiple Attack Vectors, Multiple Layers of Defense
Traditional response: Day 0, zero-day malware in the wild; Day 14, Cisco IPS signature, C&C server blocked; Day 16, 1st anti-virus signature deployed; Day 17, 2nd anti-virus signature deployed; Day 18, 3rd anti-virus signatures deployed; security advisory issued; IE patched.
Cisco SIO proactive defense: Day 0, zero-day malware blocked by Cisco.
• SIO cross-platform intelligence
• Blocked zero-day threat
• Blocked 40+ "parked" domains
• Blocked exploit server & CNC
• 18 day lead time
Reputation in action: the New York Times, victim of an attack through an advertisement
• An apparently legitimate advertisement that in reality generates 3 redirections to web links
• Final destination: protection-check07.com
Fake anti-virus: a pop-up appears that simulates AV software and asks the user to buy software to clean the machine.
Web reputation score: -9.3. Default action: BLOCK. The NYT site itself is allowed, but the redirection to the malicious link is blocked.
Consolidation of the attackers' servers: it is very important to know the reputation of these servers
http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html
Outbreak Intelligence: heuristic engines that complement signatures and reputation
PDF structure (diagram): Header, Body of Objects, Cross-Ref Table, Trailer.
The anti-virus scans the file. We think we know the structure of a PDF file and what it should look like. According to the signatures, it is a clean file.
%PDF-1.4 (version)
%Comments
1 0 obj << /Type /Page >> endobj 2 0 obj << /Type /Action /S /JS >> endobj
xref
trailer
We know the things that can be exploited, so the scanlets break the file down and analyse it, and the algorithms look for potential malicious exploitation.
After inspection we find:
• No English words
• Incorrect headers
• A high proportion of JavaScript content
• Specific JavaScript
• "Exploitable" functions
• Other indicators
OI decides that this file is potentially dangerous.
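The structural checks listed above, as an added Python example that is not Cisco's Outbreak Intelligence code: it decomposes a PDF into its objects and scores the same indicators the slide names (malformed header, share of JavaScript-bearing objects, automatic actions, "exploitable" function names, absence of English words). The two sample documents, the word list, the indicator list, the weights and the threshold are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample documents (not files from the presentation): a plain page and a
# JavaScript-heavy document with a malformed header, modelled on the slide's object list.
BENIGN_PDF = b"""%PDF-1.4
%comment
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 52 >> stream
BT /F1 12 Tf (Quarterly report for the finance team) Tj ET
endstream endobj
xref
trailer << /Root 1 0 R >>
%%EOF"""

SUSPICIOUS_PDF = b"""%PDF-7.3
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /Type /Action /S /JavaScript /JS 3 0 R >> endobj
3 0 obj << /Length 96 >> stream
var x = this.getField("f").value; app.eval(x); util.printf("%s", x); app.eval(unescape(x));
endstream endobj
xref
trailer << /Root 1 0 R >>
%%EOF"""

# Tiny word list standing in for the "English words" check; a real engine uses a dictionary.
ENGLISH_WORDS = {"the", "for", "and", "report", "team", "invoice", "page", "total", "please"}
# Function names that PDF exploit heuristics commonly flag (assumed indicator list).
RISKY_CALLS = ("app.eval", "util.printf", "unescape")
# Tokens that mark an object as carrying JavaScript (assumed markers).
JS_MARKERS = (b"/JS", b"/JavaScript", b"app.", b"util.", b"var ")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)


def inspect_pdf(data: bytes) -> dict:
    """Decompose a PDF into objects and collect structural indicators, as the scanlets
    on the slide do; returns the findings plus a weighted score and verdict."""
    findings = {}
    head = data.split(b"\n", 1)[0]
    # 1. the header must read %PDF-1.x; anything else is an "incorrect header"
    findings["bad_header"] = re.match(rb"^%PDF-1\.[0-7]\s*$", head) is None
    objects = OBJ_RE.findall(data)
    findings["object_count"] = len(objects)
    # 2. share of the file taken up by JavaScript-bearing objects
    js_bytes = sum(len(body) for _n, _g, body in objects if any(m in body for m in JS_MARKERS))
    findings["js_ratio"] = round(js_bytes / max(len(data), 1), 2)
    # 3. actions that run without the reader clicking anything
    findings["auto_action"] = b"/OpenAction" in data or b"/AA" in data
    # 4. "exploitable" functions referenced anywhere in the file
    findings["risky_calls"] = [c for c in RISKY_CALLS if c.encode() in data]
    # 5. readable English inside PDF string objects "(...)"
    words = Counter(w.lower() for s in re.findall(rb"\(([^)]*)\)", data)
                    for w in re.findall(rb"[A-Za-z]+", s))
    findings["english_words"] = sum(n for w, n in words.items() if w.decode() in ENGLISH_WORDS)
    # weights and threshold are assumptions of this example
    score = (3 * findings["bad_header"] + 2 * findings["auto_action"]
             + 2 * len(findings["risky_calls"]) + (2 if findings["js_ratio"] > 0.3 else 0)
             + (1 if findings["english_words"] == 0 else 0))
    findings["score"] = score
    findings["potentially_dangerous"] = score >= 5
    return findings
```

No single indicator decides: the benign file scores zero on every check, while the second file is flagged by the combination of a bad header, an automatic action, a JavaScript share above 30% and several risky calls, which is the point of heuristics working beside signatures rather than replacing them.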
Outbreak Intelligence versus Signature Detection
• This graph shows the daily share of threats blocked by OI and by traditional AV signatures
• In 2013, 22% of malware coming from the Internet was blocked by Cisco Outbreak Intelligence before signatures became available
[Chart: daily blocks, 2013 (source: Cisco Cloud Web Security); y-axis 0-100%; x-axis 1 January 2013 to 1 December 2013, monthly; series: Signature, Outbreak Intelligence™]
Cisco AMP
Cisco SIO + Sourcefire VRT: collective security intelligence for the broadest visibility on the Internet
Cisco® SIO: 1.6 million global sensors; 100 TB of data received per day; 150 million+ deployed endpoints; 600+ engineers, technicians, and researchers; 35% of worldwide email traffic; 13 billion web requests; 24x7x365 operations; 40+ languages.
Sourcefire VRT® (Vulnerability Research Team): 180,000+ file samples per day; FireAMP™ community; advanced Microsoft and industry disclosures; Snort and ClamAV open source communities; honeypots; Sourcefire AEGIS™ program; private and public threat feeds; dynamic analysis.
Together they form Cisco Collective Security Intelligence, feeding email, endpoints, web, networks, IPS and devices.
AMP: Reputation Filtering and Behavioral Detection
Detection stages labelled on the slide: (SHA-256); (sandboxing); (hash + details); (structural information, referred DLLs, PE header); (VRT correlation); (AV); (network monitoring).
Point-in-time detection (antivirus, sandboxing): initial disposition = clean; analysis stops; the actual disposition turns out to be bad, but too late. Evasions: sleep techniques, unknown protocols, encryption, polymorphism. Not 100%, and blind to the scope of compromise.
Retrospective detection (Cisco-Sourcefire): initial disposition = clean, but analysis continues beyond the event horizon; actual disposition = bad = blocked. Turns back time; visibility and control are key.
Retrospective Security: Always Watching… Never Forgets… Turns Back Time
• Continuous Analysis - retrospective detection of malware beyond the event horizon
• Trajectory - determine scope by tracking malware in motion and activity
• File Trajectory - visibility across the organization, centering on a given file
• Device Trajectory - deep visibility into file activity on a single system
File Trajectory (Network + Endpoint)
Looks ACROSS the organization and answers:
• What systems were infected?
• Who was infected first ("patient 0") and when did it happen?
• What was the entry point?
• When did it happen?
• What else did it bring in?
Quickly understand the scope of the malware problem.
Scenario: an unknown file is present on IP 10.4.10.183, having been downloaded from Firefox. At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8. Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application. The file is copied to yet a fourth device (10.5.60.66) through the same SMB application a half hour later. The Cisco Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately. At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware. 8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
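The scenario above, replayed as an added Python example that is not FireAMP code: a tracker records every sighting of a file hash per device, and when the cloud disposition of that hash flips to malicious it raises a retrospective event for every device that ever received it, quarantines it there, and blocks the re-entry attempt at point-in-time. The device addresses are the slide's; the hash, the download time (10:50) and the later timestamps derived from "seven hours", "a half hour" and "8 hours" are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Sighting:
    """One observation of a file on a device (constructed telemetry, not product data)."""
    time: str      # HH:MM on the same day
    sha256: str
    device: str    # IP of the device that now holds the file
    source: str    # where it came from: an application or a peer device
    via: str       # transport: http download, smb copy, ...


class RetrospectiveTracker:
    """Records every file sighting and re-evaluates past sightings when the cloud
    disposition of a hash changes (the "turns back time" behaviour)."""

    def __init__(self):
        self.sightings = []
        self.disposition = {}             # sha256 -> "unknown" | "clean" | "malicious"
        self.retro_events = []            # (sha256, device) raised after a verdict flip
        self.blocked = defaultdict(set)   # device -> hashes quarantined by the connector

    def observe(self, s: Sighting) -> str:
        """Point-in-time check: block only if the hash is already known bad."""
        verdict = self.disposition.get(s.sha256, "unknown")
        if verdict == "malicious":
            self.blocked[s.device].add(s.sha256)
            return "blocked"
        self.sightings.append(s)
        return verdict

    def update_disposition(self, sha256: str, verdict: str) -> list:
        """The cloud learns something new; if the verdict becomes malicious, raise a
        retrospective event for every device that ever received the file."""
        self.disposition[sha256] = verdict
        if verdict != "malicious":
            return []
        devices = []
        for s in self.sightings:
            if s.sha256 == sha256 and s.device not in devices:
                devices.append(s.device)
        for d in devices:
            self.retro_events.append((sha256, d))
            self.blocked[d].add(sha256)   # the endpoint connector quarantines on the event
        return devices

    def file_trajectory(self, sha256: str) -> list:
        """Across the organisation: the ordered hops of one file ("patient 0" first)."""
        return [(s.time, s.source, s.device, s.via) for s in self.sightings if s.sha256 == sha256]

    def device_trajectory(self, device: str) -> list:
        """Deep view on one device: everything that arrived there, in order."""
        return [(s.time, s.sha256, s.via) for s in self.sightings if s.device == device]


H = "sha256-placeholder-not-from-the-slide"   # placeholder hash


def run_scenario():
    """Replays the four hops, the verdict flip and the blocked re-entry from the slide."""
    t = RetrospectiveTracker()
    steps = [
        Sighting("10:50", H, "10.4.10.183", "firefox", "http download"),   # assumed time
        Sighting("10:57", H, "10.5.11.8", "10.4.10.183", "copy"),
        Sighting("17:57", H, "10.3.4.51", "10.5.11.8", "smb"),
        Sighting("18:27", H, "10.5.60.66", "10.3.4.51", "smb"),
    ]
    initial = [t.observe(s) for s in steps]           # all "unknown": nothing is blocked yet
    affected = t.update_disposition(H, "malicious")   # retrospective events for all four devices
    reentry = t.observe(Sighting("18:50", H, "10.4.10.183", "firefox", "http download"))
    return initial, affected, reentry, t
```

The tracker keeps sightings of files it does not yet know to be bad; that history is exactly what point-in-time tools discard, and it is what makes the "who was infected first" and "what else did it bring in" questions answerable after the fact.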
Device Trajectory (Endpoint)
Looks DEEP into a device and helps answer:
• How did the threat get onto the system?
• How bad is my infection on a given device?
• What communications were made?
• What don't I know?
• What is the chain of events?
AMP is context-aware: data shows the bad and the good; context helps you decide about the rest.
The Power of Continuous Analysis
Point-in-time security sees a lighter, bullet, cufflink, pen & cigarette case… Wouldn't it be nice to know if you're dealing with something more deadly?
File Analysis: Sandbox Analysis, Fast and Safe File Forensics
• VRT powered insight into Advanced Malware behavior
• Original file, network capture and screen shots of malware execution
• Understand root cause and remediation
Flow (diagram): FireAMP & clients send the infected file (File 4E7E9331D22190FD41CACFE2FC843F, as shown on the slide) to Cisco-Sourcefire VRT.
Advanced malware analysis without advanced investment
File Extraction and Sandbox Execution
1) File capture from network traffic (Malware Alert!)
2) File storage
3) Send to sandbox (Collective Security Intelligence)
4) Execution report, available in FireSIGHT Management
FireAMP for Endpoints (Windows, Mac OS X, Android), with the AMP Cloud
• Managed and deployed from the cloud
• File activity (created/edit/move/execute)
• One-to-One/Spero/Ethos
• Simple and advanced custom detections
• Retrospective alerting and quarantine
• Application control
• Network flow correlation
• Black/white lists
• Dynamic analysis
FirePOWER Services on the ASA
Components (diagram): FireSIGHT Management Console; ASA with Sourcefire sensor; endpoint connectors (Windows, Mac OS X, Android). File disposition is queried against the AMP Cloud (SHA256, Spero); files are submitted for dynamic analysis (AMP Cloud, VRT Dynamic Analysis Cloud).
AMP Everywhere
Cisco has the most comprehensive strategy for Advanced Malware Protection.
Endpoint: FireAMP (cloud connected) and FireAMP Private Cloud (appliance, on-premises). Network: FirePOWER, ASA (NGFW). Gateway: ESA, WSA, CWS. Sandbox: dynamic analysis. Events / correlation: FireSIGHT Management.
NSS Labs breach detection systems security value map (April 2014)
https://www.nsslabs.com/reports/breach-detection-systems-bds-comparative-analysis-report
Cisco Threat Defense
Defense Strategies
Two columns (diagram): signature/reputation-based threat detection and behavioral-based threat detection. Elements placed on the slide: network perimeter (firewalls, IPS/IDS, honeypots), network interior, email content inspection, web content inspection, Cisco's Cyber Threat Defense Solution.
Example Targeted Attack - Kill Chain: Initial Infection by 0-Day
• Malicious USB stick
• Social engineering
• Email with malicious attachment
• Public WLAN MITM
• Malicious Office document
• HW key logger
• Server application vulnerability
• Drive-by-download
• Any other attack vector…
Kill Chain: Post Breach
Command and control channel to the C&C server. Final target reached, security infrastructure bypassed:
• Data leakage
• Damage
• Data manipulation (e.g. source code)
Collect Information by NetFlow: track the attacker (NetFlow record, router output)
Router# show flow monitor CYBER-MONITOR cache
…
IPV4 SOURCE ADDRESS: 192.168.100.100
IPV4 DESTINATION ADDRESS: 192.168.20.6
TRNS SOURCE PORT: 47321
TRNS DESTINATION PORT: 443
INTERFACE INPUT: Gi0/0/0
IP TOS: 0x00
IP PROTOCOL: 6
ipv4 next hop address: 192.168.20.6
tcp flags: 0x1A
interface output: Gi0/1.20
counter bytes: 1482
counter packets: 23
timestamp first: 12:33:53.358
timestamp last: 12:33:53.370
ip dscp: 0x00
ip ttl min: 127
ip ttl max: 127
application name: nbar secure-http
…
How does it work in a network: Baselining and Anomaly Detection based on NetFlow
Stop Security Problems BEFORE They Become Crises (chart: impact to the business ($) over time, company with legacy monitoring tools)
Timeline: attack onset, credit card data compromised, attack identified, vulnerability closed; the interval in between is the crisis region.
"Worm outbreaks can impact revenue by up to $250k per hour." - F500 Media Conglomerate
Stop Security Problems BEFORE They Become Crises (chart: impact to the business ($) over time, company with StealthWatch versus company with legacy monitoring tools)
Legacy monitoring tools: attack onset, credit card data compromised, attack identified, vulnerability closed (crisis region). With StealthWatch: early warning, attack identified, vulnerability closed, attack thwarted; StealthWatch reduces MTTK.
"Worm outbreaks can impact revenue by up to $250k per hour. StealthWatch pays for itself in 30 minutes." - F500 Media Conglomerate
Attack Penetration, Propagation, and Exfiltration (diagram): network reconnaissance; internally propagating malware; botnet command and control; data leakage.
NetFlow v5 and NetFlow v9: Which to Use for Threat Detection?
NetFlow v5 captures essential information regarding traffic patterns (useful for Layer 3 and 4 traffic pattern analysis):
• Source/dest IP and port
• Packet counts
• Byte counts
• Flow duration
• I/O interfaces
NetFlow v9 extends NetFlow v5 by adding (provides insight into malformed packets, protocol manipulation, and direction of traffic):
• Numerous TCP flags/counters
• Flow direction
• Fragmentation flags
• ICMP and IGMP info
• Header stats
• Time-to-live
• DSCP/TOS info
• Destination routing info
NetFlow v5 is useful; however, NetFlow v9 delivers deeper insight.
Introduction to NBAR: Network-Based Application Recognition
Packet layout (diagram): data link layer header, IP header, TCP or UDP header, data. Traditional NetFlow keys on interface, ToS, protocol, source IP address, destination IP address, source port and destination port; Flexible NetFlow with NBAR adds deep packet (payload) inspection.
• Classifies traffic by protocol (Layers 4-7)
• Supports over 600 applications and protocols
• Provides visibility into which application protocols are running on which ports and to where
• Useful in identifying stealthy behaviour (e.g. hiding file transfers over port 80)
Developing Patterns Through Context: Identity and Application Visibility
Users/devices: Cisco Identity Services Engine (ISE); Network Based Application Recognition (NBAR); NetFlow Secure Event Logging (NSEL).
CTD Architecture: Minimum Required Components
The StealthWatch Management Console (unified security monitoring) connects over https to the StealthWatch FlowCollector, which receives flow from the Cisco ASA firewall and from NetFlow/sFlow-enabled Cisco routers and switches.
Cyber Threat Defense Solution (CTD) Overview
Management: StealthWatch Management Console* (SSL to the collector); Cisco ISE.
Collection: StealthWatch FlowCollector*; StealthWatch FlowReplicator (optional - replicates NetFlow and other protocols to other traffic analysis software).
Sources: NetFlow-enabled devices export NetFlow directly; for non-NetFlow-enabled devices, a StealthWatch FlowSensor* OR the Cisco NetFlow Generation Appliance (NGA) (optional - monitors traffic and generates NetFlow).
* Virtual or Physical Edition
Scalability
Flow exporters: routers and switches (physical), FlowSensor VE (virtual), FlowSensor (physical); up to 2,000 exporters and/or 120,000 flows per second per StealthWatch FC for NetFlow.
Flow collectors: up to 25 collectors per StealthWatch System; 3 million flows per second scalability.
Management and reporting: StealthWatch Management Console with full redundancy between primary and secondary (x2); user interface with customizable views for virtualization, network, and security teams.
CSIRT NetFlow Collection at Cisco: collection sites at RTP, San Jose, Amsterdam, Bangalore, Sydney and Tokyo; 15.6 billion flows / day; 90 day retention.
Cisco CTD Solution (dashboard): active alarms, alarms, top applications, flow collection trend.
Cisco CTD Solution: Attack Detection without Signatures
A high Concern Index indicates a significant number of suspicious events that deviate from established baselines. Monitor and baseline activity for a host and within host groups.
Host Groups | Host | CI | CI% | Alarms | Alerts
Desktops | 10.10.101.118 | 338,137,280 | 8656% | High Concern Index | Ping, Ping_Scan, TCP_Scan
The art is putting it in the right context: not everything is what it seems to be…
The art is putting it in the right context: …this use case might be different
Obtain Context through the Cisco ISE: attribute flows and behaviors to a user and device
Policy | Start Active Time | Alarm | Source | Source Host Groups | Source User Name | Device Type | Switch Port
Desktops & Trusted Wireless | Jan 3, 2013 | Suspect Data Loss | 10.10.101.89 | Atlanta, Desktops | John Chambers | Apple-iPad | Cat 7/42
Detecting Command and Control
Periodic "phone home" activity. What to analyze:
• Countries
• Applications
• Uploads/downloads ratio
• Time of day
• Repeated connections
• Beaconing - repeated dead connections
• Long lived flows
• Known C&C servers
StealthWatch methods of detection: Host Lock Violation; Suspect Long Flow; Beaconing Host; Bot Command & Control Server; Bot Infected Host - Attempted C&C; Bot Infected Host - Successful C&C.
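Three of the indicators above (beaconing with dead connections, long-lived flows, contact with a known C&C address), as an added Python example that is not StealthWatch code: it groups flow summaries by (source, destination, port), treats near-constant connection intervals as beaconing, distinguishes attempted from successful C&C by whether any bytes came back, and flags sessions longer than a policy maximum. The flow tuples, the "known C&C" entry, the interval-regularity threshold and the duration limit are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed flow summaries, not data from the presentation:
# (start_seconds, duration_seconds, src, dst, dst_port, bytes_out, bytes_in)
FLOWS = [
    # 10.10.101.5 contacts 198.51.100.7:443 every ~300 s and never gets a reply
    (0, 1, "10.10.101.5", "198.51.100.7", 443, 320, 0),
    (301, 1, "10.10.101.5", "198.51.100.7", 443, 320, 0),
    (599, 1, "10.10.101.5", "198.51.100.7", 443, 320, 0),
    (900, 1, "10.10.101.5", "198.51.100.7", 443, 320, 0),
    (1202, 1, "10.10.101.5", "198.51.100.7", 443, 320, 0),
    # ordinary browsing from 10.10.101.9: irregular timing, replies present
    (12, 3, "10.10.101.9", "203.0.113.20", 443, 2100, 48000),
    (140, 2, "10.10.101.9", "203.0.113.21", 443, 900, 12000),
    (700, 5, "10.10.101.9", "203.0.113.20", 443, 2500, 67000),
    (1450, 4, "10.10.101.9", "203.0.113.22", 80, 800, 9000),
    # one two-hour session from 10.10.101.12 to an outside host on 443
    (50, 7200, "10.10.101.12", "198.51.100.9", 443, 40000, 35000),
]

KNOWN_CC = {"198.51.100.9"}   # constructed entry standing in for a "known C&C servers" list


def detect_beacons(flows, min_hits=4, max_cv=0.1):
    """Beaconing Host: (src, dst, port) tuples whose connection intervals are nearly constant.
    Regularity is measured as the coefficient of variation of the gaps between starts."""
    by_pair = defaultdict(list)
    for start, _dur, src, dst, port, _out_b, in_b in flows:
        by_pair[(src, dst, port)].append((start, in_b))
    beacons = {}
    for key, hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        times = sorted(t for t, _ in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        if cv <= max_cv:
            dead = all(in_b == 0 for _, in_b in hits)   # "dead" = nothing ever came back
            beacons[key] = {
                "period_s": round(statistics.mean(gaps)),
                "interval_cv": round(cv, 3),
                "verdict": "attempted C&C" if dead else "successful C&C",
            }
    return beacons


def detect_long_flows(flows, max_duration=3600):
    """Suspect Long Flow: sessions open longer than the policy allows (limit is an assumption)."""
    return [(src, dst, port, dur) for _s, dur, src, dst, port, _o, _i in flows if dur > max_duration]


def match_known_cc(flows, known=KNOWN_CC):
    """Bot Infected Host: inside hosts that talked to an address on the known C&C list."""
    return sorted({src for _s, _d, src, dst, _p, _o, _i in flows if dst in known})
```

The browsing host is never flagged even though it revisits the same site, because its intervals are irregular and replies are present; that is the context the slide asks for before treating "repeated connections" as a symptom on their own.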
Zeus Credential Capture Example: the user logs into cisco.com with user ID and password.
Zeus Detection Alarm Details (screenshot)
Detecting Suspect Data Loss
Policy | Start Active Time | Alarm | Source | Source Host Group | Source Username | Target | Details
Inside Hosts | 8-Feb-2012 | Suspect Data Loss | 10.34.74.123 | Wired Data | Bob | Multiple Hosts | Observed 4.08G bytes. Policy maximum allows up to 81.92M bytes.
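The two baseline-driven alarms shown above and on the "Attack Detection without Signatures" slide, the high Concern Index for a scanning host and Suspect Data Loss against a policy maximum, as one added Python example that is not StealthWatch code. It derives per-host features (distinct peers, distinct destination ports, flow count, bytes to outside hosts) from flow records shaped like the "show flow monitor" cache earlier in the deck, compares a day against the host's own baseline, and reports a percentage deviation in the spirit of the slide's CI% column; StealthWatch's actual Concern Index formula is not on the page, so the scoring, the 10.0.0.0/8 inside range and the alarm threshold are assumptions, and the flow records are constructed.

```python
from collections import defaultdict

# Constructed flow records, not data from the presentation: (src, dst, dst_port, ip_protocol, bytes)
BASELINE_FLOWS = [
    ("10.10.101.118", "10.10.20.6", 443, 6, 1482),
    ("10.10.101.118", "10.10.20.7", 443, 6, 2210),
    ("10.10.101.118", "10.10.20.6", 80, 6, 900),
    ("10.10.101.118", "10.10.20.8", 53, 17, 120),
    ("10.10.101.89", "10.10.20.6", 443, 6, 1500),
    ("10.10.101.89", "198.51.100.3", 443, 6, 4000),
]
# The same two hosts on the day under review: .118 touches 50 hosts on port 22 and 40 ports
# on one host (Ping_Scan/TCP_Scan-style behaviour); .89 pushes about 4.5 GB to one outside host.
TODAY_FLOWS = (
    [("10.10.101.118", f"10.10.20.{i}", 22, 6, 60) for i in range(1, 51)]
    + [("10.10.101.118", "10.10.20.6", p, 6, 60) for p in range(1, 41)]
    + [("10.10.101.118", "10.10.20.6", 443, 6, 1482)]
    + [("10.10.101.89", "198.51.100.3", 443, 6, 900_000_000) for _ in range(5)]
)


def _features(flows):
    """Per source host: distinct peers, distinct destination ports, flow count and bytes
    sent to hosts outside 10.0.0.0/8 (the inside range is an assumption of this example)."""
    peers, ports = defaultdict(set), defaultdict(set)
    stats = defaultdict(lambda: {"flows": 0, "bytes_out": 0})
    for src, dst, port, _proto, nbytes in flows:
        peers[src].add(dst)
        ports[src].add(port)
        stats[src]["flows"] += 1
        if not dst.startswith("10."):
            stats[src]["bytes_out"] += nbytes
    return {src: {"peers": len(peers[src]), "ports": len(ports[src]), **stats[src]} for src in stats}


def concern_index(baseline_flows, today_flows, alarm_pct=500):
    """Toy Concern Index: for each host, how far today's peer, port and flow counts exceed
    its own baseline, summed as a percentage of the baseline. Hosts with no baseline are
    compared against 1 so that any activity counts as deviation."""
    base, today = _features(baseline_flows), _features(today_flows)
    result = {}
    for src, t in today.items():
        b = base.get(src, {"peers": 0, "ports": 0, "flows": 0})
        pct = 0
        for key in ("peers", "ports", "flows"):
            ref = max(b[key], 1)
            pct += max(t[key] - ref, 0) * 100 // ref
        result[src] = {"ci_pct": pct, "alarm": pct >= alarm_pct}
    return result


def suspect_data_loss(flows, policy_max_bytes=81_920_000):
    """Suspect Data Loss: hosts whose bytes sent outside exceed the policy maximum
    (81.92M bytes in the alarm on the slide)."""
    return {src: v["bytes_out"] for src, v in _features(flows).items()
            if v["bytes_out"] > policy_max_bytes}
```

The scanning host trips the Concern Index while staying well under the data-loss policy, and the exfiltrating host does the reverse: it talks to a single peer it already knew, so only the byte-volume check sees it. Neither detection needs a signature, only a baseline.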
Infection Tracking (diagram): initial infection, then secondary infection, then tertiary infection.
Cisco Email Security
The evolution of email threats
Axis (diagram): past, high volumes / low $ value; today; tomorrow, low volumes / high $$ value; ????
Threats shown along the timeline: spam, attachment-based, Slammer, worms, Code Red, image spam, virus alerts, custom URL, botnets, Conficker, Stuxnet, network evasions, polymorphic code, phishing, blended threats, advanced persistent threats, targeted phishing, covert sponsored targeted attacks, targeted attacks.
There is a lot of volatility: back to more than 85% spam
http://www.senderbase.org/static/spam/#tab=1
Why reputation is fundamental: aggregation and correlation of billions of data points into a single score
Cisco's email security architecture
Management. Threat defense: antivirus & outbreak filters, antispam. Data security: encryption, data loss prevention. Inbound flow protection; outbound flow control.
Two-level anti-spam defense
Incoming mail (good, bad or unknown/suspicious) is scored by Cisco® SIO (what, when, who, how, where):
Good score: the mails are delivered.
Intermediate score: throughput is rate-limited and the messages are sent to the anti-spam engine (Cisco Anti-Spam, IMS).
• Block rate: > 99%
• False positives: < 1 in 1 million
Bad score: the TCP connection is blocked and the messages are not received on the network.
Two-level anti-virus defense
Virus Outbreak Filters advantage (http://www.senderbase.org):
• Average additional protection time: more than 13 hours
• Total attacks blocked: 291
• Total incremental protection: more than 157 days/360
Virus Outbreak Filters (Cisco® SIO): zero-hour detection, dynamic quarantine. Anti-virus engines: choice of engines.
Securing URLs in emails with Outbreak Filters
Sample phishing message (as shown on the slide):
Information Update
Dear Mr. Paulo Roberto Borges,
We are contacting you in order to inform about a mandatory update of your personal data, which is being conducted after Bank A and Bank B merge. To begin the update, please click on the link and download the protection program.
Protection Module 3.0 (2011)
Best regards, Bank A
Before: http://www.threatlink.com
After: http://secure-web.cisco.com/auth=X&URL=www.threatlink.com
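The rewrite shown above and the click-time verdict that follows it, as an added Python example that is not Cisco's Outbreak Filters code: every URL in the message body is replaced by a gateway link of the form http://secure-web.cisco.com/auth=<token>&URL=<original>, and when the link is clicked the gateway validates the token and applies the destination host's current web reputation, so a site that turns bad after delivery is still blocked. The token scheme (a truncated HMAC over the original URL), the key, the sample body, the reputation table and the -6.0 block threshold are assumptions; the slide only shows the rewritten form and, earlier, a -9.3 score that was blocked.

```python
import hashlib
import hmac
import re
from urllib.parse import quote, unquote, urlparse

GATEWAY = "http://secure-web.cisco.com/"   # rewrite target shown on the slide
KEY = b"constructed-demo-key"               # placeholder; a real gateway keeps a per-tenant secret
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _token(url: str) -> str:
    """Short HMAC over the original URL, so a recipient cannot forge gateway links (assumed scheme)."""
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()[:16]


def rewrite_links(body: str) -> str:
    """Replace every URL in the message body with a gateway link carrying the token
    and the percent-encoded original URL."""
    def repl(m):
        original = m.group(0)
        return f"{GATEWAY}auth={_token(original)}&URL={quote(original, safe='')}"
    return URL_RE.sub(repl, body)


def resolve_click(link: str, reputation: dict, block_below: float = -6.0) -> tuple:
    """Click-time check: validate the token, then consult the *current* reputation of the
    destination host. Returns ("blocked"|"allowed", original_url) or ("invalid", None)."""
    if not link.startswith(GATEWAY):
        return ("invalid", None)
    params = dict(kv.split("=", 1) for kv in link[len(GATEWAY):].split("&") if "=" in kv)
    url = unquote(params.get("URL", ""))
    if not url or not hmac.compare_digest(params.get("auth", ""), _token(url)):
        return ("invalid", None)   # tampered or forged gateway link
    score = reputation.get(urlparse(url).hostname, 0.0)
    return ("blocked", url) if score < block_below else ("allowed", url)


# Constructed message and reputation table, not data from the presentation
SAMPLE_BODY = ("To begin the update, please click on the link http://www.threatlink.com/update "
               "and download the protection program. FAQ: http://example.com/faq")
REPUTATION = {"www.threatlink.com": -9.3, "example.com": 4.1}
```

Because the reputation lookup happens at click time rather than at delivery time, the decision uses whatever SIO knows when the user acts, which is the property the "before / after" slide is illustrating.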
Securing URLs in emails with Outbreak Filters (at click time)
Malware blocked at http://secure-web.cisco.com…: "The requested web page has been blocked. http://www.threatlink.com. Cisco Email and Web Security protects your organization's network from malicious software. Malware is designed to look like a legitimate email or website which accesses your computer, hides itself in your system, and damages files." - Cisco Security
Outbreak Filters stop phishing and blended attacks
Advanced Malware Protection on ESA
Pipeline (Cisco® SIO): SenderBase reputation filtering (drop); anti-spam & spoofing prevention (drop/quarantine); AV scanning & Advanced Malware Protection (drop/quarantine); real-time URL analysis (quarantine/re-write URLs); outcome: deliver, quarantine, re-write URLs or drop.
Email Security - Cisco on Cisco: 3.5M emails blocked every day
Emails | Emails / mo | Emails / day | Emails / employee / day | %
Attempted | 124 M | 5.6 M | 73 |
Blocked | 77 M | 3.5 M | 46 | 63%
Delivered | 37 M | 1.7 M | 22 | 30%
Delivered, marked "Marketing" | 9 M | 0.4 M | 5 | 7%
ESA blocked emails (malware, spam) | Emails* / mo | Emails / day | Emails / employee / day | %
By reputation | 73 M | 3.3 M | 43 | 94%
By spam content | 4.3 M | 0.2 M | 3 | 5%
By invalid recipients | 0.4 M | 0.02 M | 0.25 | 1%
Why Cisco Email Security? Gartner Magic Quadrant, Email Security Gateways, 2013
The Magic Quadrant is copyrighted 2013 by Gartner, Inc. and
is reused with permission. The Magic Quadrant is a graphical
representation of a marketplace at and for a specific time
period. It depicts Gartner’s analysis of how certain vendors
measure against criteria for that marketplace, as defined by
Gartner. Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant, and does not advise
technology users to select only those vendors placed in the
"Leaders” quadrant. The Magic Quadrant is intended solely
as a research tool, and is not meant to be a specific guide to
action. Gartner disclaims all warranties, express or implied,
with respect to this research, including any warranties of
merchantability or fitness for a particular purpose.
This Magic Quadrant graphic was published by Gartner, Inc.
as part of a larger research note and should be evaluated in
the context of the entire report. The Gartner report is available
upon request from Cisco.
Cisco Web Security
Cisco's web security architecture (Cisco Security Intelligence Operations (SIO))
Protection: anti-malware defense; Layer 4 traffic monitor (on-premise). Control: URL filtering; Application Visibility and Control (AVC); Data Loss Prevention (DLP)*. Centralised management & reporting. Outcome per request: allow, limited access, or block.
*Third-party DLP integration available on-premises
Layer 4 Traffic Monitor: detecting already infected hosts
Users → Cisco WSA (network layer analysis, packet and header inspection) → Internet. Automatic anti-malware rules block malicious traffic:
• Scans all ports and protocols
• Detects malware that bypasses port 80
• Prevents zombies from communicating with their control server
• Automatic updates
• Real-time lists of malicious servers and IP addresses
Available on the WSA and on the ASA as the "Botnet Traffic Filter"
Three-level anti-malware defense
Requested URLs are scored by Cisco® SIO, with SSL decryption based on category or reputation:
Good score: the site is displayed without being scanned.
Intermediate score: the sites are scanned by one or more anti-malware engines.
Bad score: the site is blocked.
+ FILE REPUTATION (AMP) → BLOCKED
Real-time anti-malware scanning: Dynamic Vectoring & Streaming
Heuristic and signature-based analysis:
• Intelligent multi-scanning
• Multiple signature databases
• Decrypts SSL traffic when necessary
• Streaming-mode scanning to avoid latency problems
• Automatic updates
Multiple anti-malware engines, parallel scans, streaming-mode scanning. Heuristic detection identifies unusual behaviour; signature-based inspection recognises known threats.
Advanced Malware Protection on WSA
Time of request (Cisco® SIO): URL filtering and reputation filter, each able to block, warn, partially block or allow the request.
Time of response: Dynamic Content Analysis (DCA), signature-based anti-malware engines and Advanced Malware Protection, each able to block or allow the response.
Demonstration
Web Security Appliance - Cisco on Cisco: 6.5M malicious sites blocked every day
Malware blocked in one day:
• 441K - Trojan horse
• 61K - Other malware
• 29K - Encrypted files (monitored)
• 16.4K - Adware messages
• 1K - Trojan downloaders
• 55 - Phishing URLs
• 22 - Commercial system monitors
• 5 - Worms
• 3 - Dialers
Cisco web traffic stats:
• 330-360M web visits/day
• 6-7M (2%) blocked
WSA blocked transactions:
• 93.5% - Web reputation
• 4.5% - URL category
• 2% - Anti-malware
Cloud Web Security: A Cloud Based Premium Service
• Real-time scanning of all inbound and outbound HTTP/S web content
• Robust, fast, scalable and reliable global datacenter infrastructure
• Flexible deployment options via Cisco attach model and direct to cloud
• Full support for roaming users
• Centrally managed granular web filtering policies, with web 2.0 visibility and control
• Close to real-time reporting with cloud retention, as part of the standard offering
Global Datacenter Footprint: multiple datacenters; SP managed datacenter; multiple proxies (2X) within each datacenter.
Flexible Deployment Options: On- and Off-premises
Deployment options: on-premises (appliance, virtual appliance, roaming) and cloud (firewall, router, next generation firewall, roaming).
Connection methods: redirectors (WCCP, PAC file, explicit) in both cases.
Cisco Web Security Appliance
• Consistent policy, security, and reporting for all users
• Single-box solution for faster deployments, reduced complexity
• Uses AnyConnect for remote and mobility
• Integrates easily in your existing Cisco infrastructure
Deployment (diagram): employees at headquarters/branches → Cisco WSA (with AAA) → Internet.
AnyConnect Secure Mobility, form factor choice: the AnyConnect client on a mobile user's device redirects web traffic to the premises (WSA behind the ASA) or to Cloud Web Security.
Cisco Cloud Web Security Integration
• Eliminates backhaul
• Speeds deployment
• Extends the value of existing investments
Deployment (diagram): employees at headquarters behind a Cisco ASA and at a branch office behind a Cisco ISR G2 (VPN between sites) reach the Internet through Cloud Web Security.
Advanced Threat Defense: Advanced Malware Protection (AMP) provides file reputation & sandboxing (additional point-in-time protection); AMP file reputation retrospection and Cognitive Threat Analytics (CTA) provide retrospective security & continuous analysis.
Security Across the Whole Attack Continuum: CWS with AMP & CTA
Grid (diagram) with columns BEFORE (Discover, Enforce, Harden), DURING (Detect, Block, Defend) and AFTER (Scope, Contain, Remediate); rows: web reputation, usage controls, malware signature, Outbreak Intelligence, file reputation / sandbox (AMP), file retrospection (AMP), application controls, threat analytics (CTA), active reporting (AMP, CTA).
CTA - Analyzing Network Traffic Behavior
Potential threat → behavioral analysis, anomaly detection, machine learning.
No more rule sets: discovers threats on its own… just turn it on.
Normal… or not? Spots symptoms of infection using behavioral anomaly detection algorithms and trust modeling.
Security that evolves: uses machine learning to learn from what it sees and adapt over time.
Reduced time to discovery: active, continuous monitoring to stop the spread of an attack.
Why Cisco Web Security? Gartner Magic Quadrant, Web Security Gateways, 2013