Cisco 2015 Midyear Security Report Slide Deck


Transcript of Cisco 2015 Midyear Security Report Slide Deck

Page 1: Cisco 2015 Midyear Security Report Slide Deck

2015 Midyear Security Report

Download at http://cs.co/MSR15SL

Page 2: Cisco 2015 Midyear Security Report Slide Deck

2© 2015 Cisco and/or its affiliates. All rights reserved.

Changes in Attack Behavior

Speed Agility Adaptability Destruction

Page 3: Cisco 2015 Midyear Security Report Slide Deck


Patchwork of Security Products Creates Complex Environment for Organizations

Diagram: Large Well-Established Players | Organizations are Caught in Between | Niche Vendors

Only better information sharing in the security industry will enable integration of solutions from niche innovators and long-standing players.

Page 4: Cisco 2015 Midyear Security Report Slide Deck

A View Across Cisco’s Global Telemetry

• Blocked threats: 19,692,200,000 threats per day

• Blocked threats w/ spam: 2,557,767 blocks/sec

• Web requests per day: 16.9 billion requests per day

Page 5: Cisco 2015 Midyear Security Report Slide Deck

Malicious Actors Are More Innovative and Quicker to Adapt

Speed meets new levels of sophistication.

Page 6: Cisco 2015 Midyear Security Report Slide Deck


Adversaries’ Agility is Their Strength

Constant upgrades increased Angler penetration rate to 40%, twice as effective as other exploit kits in 2014.

Angler: continually throwing different ‘hooks’ in the water to increase the chances of compromise

Hooks: Compromised System, Flash Vulnerabilities, Retargeting, Ransomware, Encrypted Malicious Payload, Macros, Social Engineering, IP Changing, Domain Shadowing, More Being Developed Daily

Security Measures (TTD): Web Blocking, IP Blocking, Retrospective Analysis, Antivirus, Endpoint Solutions, Email Scanning

Page 7: Cisco 2015 Midyear Security Report Slide Deck

Patching: A Window of Opportunity

Users who do not move quickly to the latest Flash versions or apply the available patches create an opportunity for Angler and other exploits to target the vulnerability.

Page 8: Cisco 2015 Midyear Security Report Slide Deck

Rombertik

Malware evolves to not only steal data—if detected, it can destroy the targeted system.

Gain Access
• Spam
• Phishing
• Social engineering

Evade Detection
• Write random data to memory 960 million times

Extract User Data
• Deliver user information back to adversaries

Destructive if Modified
• Destroy master boot record
• Render computer inoperable on restart

Stages: Anti-Analysis, Persistence, Malicious Behavior

Page 9: Cisco 2015 Midyear Security Report Slide Deck

The Top Vulnerability Categories Are Persistent

CWE-119 Buffer Errors: 471
CWE-20 Input Validation: 244
CWE-399 Resource Management Errors: 238
CWE-264 Permissions, Privileges & Access Control: 155
CWE-200 Information Leak/Disclosure: 138

Page 10: Cisco 2015 Midyear Security Report Slide Deck

Malvertising Update

Adware MultiPlug abandons its URL-encoding scheme for evading detection and increases its effectiveness at compromising users.

Chart: Numbers of Compromised Users, New URL Scheme vs. Old URL Scheme

The new URL scheme dramatically outpaces the old one.

Page 11: Cisco 2015 Midyear Security Report Slide Deck

Open-Source Patching: Software Supply Chain Management is Critical

The “version”: the number of times that Cisco updated alerts as multiple vendors attempted to identify and correct these vulnerabilities in their products

OpenSSL (FREAK): 9 versions
QEMU Virtual Floppy Disk Controller (VENOM): 1 version
OpenSSL (Heartbleed): 22 versions
GNU Bash (Shellshock): 25 versions
GNU C glibc (Ghost): 15 versions
SSL 3.0 Fallback (POODLE): 32 versions

Patch management processes minimize awareness, coordination and implementation nightmares

Page 12: Cisco 2015 Midyear Security Report Slide Deck

Web-Based Attacks Have Been Holding Steady

Chart: Java, PDF, Flash, Silverlight (December 2014–May 2015)

Page 13: Cisco 2015 Midyear Security Report Slide Deck

The Evolution of Ransomware: Data, Not Systems, Are the Targets

TOR: Ransomware is now completely automated through the anonymous web network.

$300-$500: Adversaries have done their market research. Ransoms are not exorbitant.

Targets: Personal Files, Financial Data, Emails, Photos

Page 14: Cisco 2015 Midyear Security Report Slide Deck

Dridex: Operationalizing Fast Flux

The damage is done and the campaign has moved on before antivirus detection.

Timeline: Campaign Start; Detected by Outbreak Filters; Antivirus Engine Finally Detects Dridex, But Adversaries Have Accomplished Penetration and Have Moved On
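As an added illustration that is not part of the Cisco report, the following scores constructed passive-DNS records for the rotation pattern behind fast flux: one domain answering with many distinct addresses across several networks under short TTLs, which is the DNS-side signal a defender can act on before an antivirus signature exists. Domain names, addresses (reserved documentation ranges) and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed passive-DNS style records (not real telemetry):
# (timestamp_seconds, queried_domain, answer_ip, ttl_seconds)
SAMPLE_DNS_LOG = [
    (0,    "updates-example.test", "203.0.113.10",   300),
    (600,  "updates-example.test", "203.0.113.10",   300),
    (1200, "updates-example.test", "203.0.113.11",   300),
    (0,    "invoice-example.test", "198.51.100.5",    60),
    (120,  "invoice-example.test", "198.51.100.77",   60),
    (240,  "invoice-example.test", "192.0.2.33",      60),
    (360,  "invoice-example.test", "192.0.2.150",     60),
    (480,  "invoice-example.test", "198.51.100.201",  60),
    (600,  "invoice-example.test", "203.0.113.99",    60),
]


def summarize_domains(records):
    """Collect per-domain answer diversity: distinct IPs, distinct /24 prefixes,
    the shortest TTL seen, and the first/last observation timestamps."""
    per = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None,
                               "first": None, "last": None})
    for ts, domain, ip, ttl in records:
        d = per[domain]
        d["ips"].add(ip)
        d["nets"].add(ip.rsplit(".", 1)[0])          # crude /24 bucket
        d["min_ttl"] = ttl if d["min_ttl"] is None else min(d["min_ttl"], ttl)
        d["first"] = ts if d["first"] is None else min(d["first"], ts)
        d["last"] = ts if d["last"] is None else max(d["last"], ts)
    return per


def fast_flux_candidates(records, min_ips=5, min_nets=3, max_ttl=300):
    """Flag domains whose answers rotate across many IPs and networks with
    short TTLs. Thresholds are illustrative assumptions, not report values."""
    result = {}
    for domain, d in summarize_domains(records).items():
        flagged = (len(d["ips"]) >= min_ips and len(d["nets"]) >= min_nets
                   and d["min_ttl"] <= max_ttl)
        result[domain] = {
            "distinct_ips": len(d["ips"]),
            "distinct_nets": len(d["nets"]),
            "min_ttl": d["min_ttl"],
            "window_s": d["last"] - d["first"],
            "flagged": flagged,
        }
    return result
```

Running `fast_flux_candidates(SAMPLE_DNS_LOG)` flags only the constructed invoice domain; a real deployment would feed resolver logs in and tune the thresholds against known CDN behaviour.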

Page 15: Cisco 2015 Midyear Security Report Slide Deck

Risk of Malware Encounters by Vertical Industries

Although the electronics industry has the highest attack-to-traffic ratio, no industry is immune to attack.

It is only a matter of time before attackers see the potential in high-volume, low-block-rate verticals.

Page 16: Cisco 2015 Midyear Security Report Slide Deck

Malware on a Global Scale

Malicious actors do not respect country boundaries.

Countries with higher block ratios have many Web servers and compromised hosts on networks within their borders.

Block ratios by country (legend: Malware Traffic vs. Expected Traffic):
Russia 0.936
Japan 1.134
China 4.126
Hong Kong 6.255
France 4.197
Germany 1.277
Poland 1.421
Canada 0.863
U.S. 0.760
Brazil 1.135

Page 17: Cisco 2015 Midyear Security Report Slide Deck

Time to Detection

The current industry TTD rate of 200 days is not acceptable.

Industry: 200 days vs. Cisco: 46 hours

Page 18: Cisco 2015 Midyear Security Report Slide Deck


Analysis and Observations

Reducing the Window of Exposure

Page 19: Cisco 2015 Midyear Security Report Slide Deck


The Dilemma

Build Buy Be Left Behind

Page 20: Cisco 2015 Midyear Security Report Slide Deck

Global Governance Not Ready to Deal with Cyber Challenges and Geopolitical Interests

Three examples of efforts that, while steps in the right direction, could create difficulties in practice: Big Picture Approach, Shared Access Approach, Tighter Control Approach

Better harmonization in rule making is required to keep pace with the bad actors.

Page 21: Cisco 2015 Midyear Security Report Slide Deck

Customers Must Demand Trustworthy Products from Their Vendors

Vendors need to be held accountable for vetting security products end to end.

Secure Development, Secure Hardware, Secure Deployment, Secure Supply Chain and Lifecycle

Page 22: Cisco 2015 Midyear Security Report Slide Deck


Services Fill the Gap

With the speed and variation of attacks increasing and the security talent pool shrinking, many organizations will rely more on outside vendors for the expertise to manage the risk environment.

Personnel, Assessments, Automation/Analytics, Emerging Business Models, Flexibility, Privacy Policy

Page 23: Cisco 2015 Midyear Security Report Slide Deck

Point Solutions Do Not Keep Pace.

The Need for an Integrated Threat Defense

Page 24: Cisco 2015 Midyear Security Report Slide Deck

Attackers Are Exploiting Point Solutions with Increasing Speed

Point solutions shown: NGIPS, Malware Sandbox, IAM, Antivirus, IDS, Firewall, VPN, Email, NGFW, Data

Page 25: Cisco 2015 Midyear Security Report Slide Deck

Attackers Are Exploiting Point Solutions with Increasing Speed

Point solutions shown: NGIPS, Malware Sandbox, IAM, Antivirus, IDS, Firewall, VPN, Email, NGFW, Data

Time to detection: 200 Days

Page 26: Cisco 2015 Midyear Security Report Slide Deck

Only an Integrated Threat Defense Can Keep Pace

Data: Systemic Response

Time to detection: as little as 46 Hours

Page 27: Cisco 2015 Midyear Security Report Slide Deck

Conclusion

• Adversaries rapidly refine their ability to evade detection

• Point solutions create weak points in security defenses

• An integrated threat defense built on trustworthy products and services is the best defense

Page 28: Cisco 2015 Midyear Security Report Slide Deck


Download your copy >> http://cs.co/MSR15SL

2015 Midyear Security Report