Cisco Cybersecurity Solutions


Description

In 2014, cyber attacks are increasingly sophisticated, with dedicated organisations developing new-generation malware. Whether private companies or state institutions, everyone must protect themselves and be able to analyse and counter these new threats. Cisco has brought innovative anti-malware protection solutions to market. These solutions are now implemented in most Cisco security devices: in the web and mail proxies, but also in the IPS sensors, in dedicated appliances and on workstations. Cisco makes its security expertise available to its customers, with real-time analysis of these attacks in the cloud and retrospective analysis of the events that preceded an attack. These are the technologies we invite you to discover in this presentation.

Transcript of Cisco Cybersecurity Solutions

Page 1: Cisco Cybersecurity Solutions

C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cybersecurity Techniques

Frédéric HER, Security Consultant, Southern Europe, [email protected]

Christophe SARRAZIN, Security Consultant, Southern Europe, [email protected]

Page 2: Cisco Cybersecurity Solutions

The current problem

• New usages
• Constant evolution of threats
• Complexity and fragmentation

Page 3: Cisco Cybersecurity Solutions

"We cannot solve a problem with the same thinking that created it."

Page 4: Cisco Cybersecurity Solutions

The new security model: the Attack Continuum

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Applied across Network, Endpoint, Mobile, Virtual and Cloud, moving from point-in-time to continuous protection.

Page 5: Cisco Cybersecurity Solutions

Threat evolution

Threat | Response | Period
Viruses, worms | Endpoint security (AV) | 2000
Spyware / rootkits | Network perimeter (IDS/IPS) | 2005
APTs / cyberwarfare | Reputation & sandboxing | 2010
Larger attack surface (mobility & cloud) | Intelligence & analysis | Today

Page 6: Cisco Cybersecurity Solutions

Advanced Cyber Threats (diagram): a compromised site and exploit server on the WWW infiltrate users and applications; a CNC server takes control; the attacker moves laterally, extends the attack surface and exfiltrates data.

Page 7: Cisco Cybersecurity Solutions

Defending with intelligence: Cisco SIO (Cisco Security Intelligence Operations)

Questions SIO answers across the infrastructure:

• Is the SMTP connection legitimate?
• Is the content malicious or unwanted?
• Are zombies talking to CNC servers?
• Hostile actions or deviant users?
• Malicious content on the workstation?

Intelligence sources feeding the platform-specific rules and logic: reputation, signatures, threat research, domain registration, content inspection, spam traps, honeypots, crawlers, blocklists and reputation, partnerships.

Page 8: Cisco Cybersecurity Solutions

The extended coverage of Cisco SIO

• 100 TB of security intelligence
• 1.6M deployed devices
• 13B web requests
• 150,000 micro-applications
• 1,000 applications
• 93B email messages
• 35% of enterprise email
• 5,500 IPS signatures
• 150M deployed endpoints
• Updates every 3-5 minutes
• 5B email connections
• 4.5B emails blocked

Page 9: Cisco Cybersecurity Solutions

…and web exploits can be difficult to detect. Just a blog amongst plenty…

• URLs in browser: 1
• HTTP GETs: 162
• Images: 66 from 18 domains, including 5 separate 1x1 pixel invisible tracking images
• Scripts: 87 from 7 domains
• Cookies: 118 from 15 domains
• Flash objects: 8 from 4 domains

Page 10: Cisco Cybersecurity Solutions

…and web exploits can be difficult to detect. Just a blog amongst plenty…

Page 11: Cisco Cybersecurity Solutions

Internet Explorer (IE) Zero-Day Vulnerability: Multiple Attack Vectors, Multiple Layers of Defense

Traditional response timeline:

• Day 0: zero-day malware in the wild
• Day 14: Cisco IPS signature, C&C server blocked
• Day 16: 1st anti-virus signature deployed
• Day 17: 2nd anti-virus signature deployed
• Day 18: 3rd anti-virus signatures deployed
• Security advisory issued; IE patched

Cisco SIO proactive defense:

• Day 0: zero-day malware blocked by Cisco
• SIO cross-platform intelligence
• Blocked zero-day threat
• Blocked 40+ "parked" domains
• Blocked exploit server & CNC
• 18 day lead time

Page 12: Cisco Cybersecurity Solutions

Reputation in action: the New York Times, victim of an attack via an advertisement

• An apparently legitimate advertisement that in reality triggers 3 redirections to web links
• Final destination: protection-check07.com

Fake anti-virus: a pop-up appears that imitates AV software and asks the user to buy a program to clean the machine.

Web reputation score: -9.3. Default action: BLOCK.

The NYT site itself is allowed, but the redirection to the malicious link is blocked.

Page 14: Cisco Cybersecurity Solutions

Outbreak Intelligence: heuristic engines added on top of signatures and reputation

Page 15: Cisco Cybersecurity Solutions

PDF file structure: Header, Body of objects, Cross-reference table, Trailer

The anti-virus scans the file. We think we know the structure of a PDF file and what it should look like. According to the signatures, it is a clean file.

Page 16: Cisco Cybersecurity Solutions

%PDF-1.4 (version)
%Comments
1 0 obj << /Type /Page >> endobj
2 0 obj << /Type /Action /S /JS >> endobj
xref
trailer

We know which things can be exploited, so the scanlets decompose the file and analyse it, and the algorithms look for potential malicious exploitation.

After inspection we find:

• No English words
• Incorrect headers
• High proportion of JavaScript content
• Specific JavaScript
• "Exploitable" functions
• Other indicators

OI concludes that this file is potentially dangerous.
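As an added illustration of the scanlet approach described on this slide (this is example code written for this transcript, not code from the presentation or from Cisco), the following Python decomposes a PDF and scores the indicators the slide lists; the weights, the danger threshold and the two sample files are constructed for the example.

```python
import re

# Indicators taken from the slide: bad header, missing xref/trailer, high share of
# JavaScript, risky/obfuscating JavaScript functions, no readable English words.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_KEYS = (b"/JS", b"/JavaScript")
AUTO_KEYS = (b"/OpenAction", b"/AA", b"/Launch")       # actions that run without a click
RISKY_FUNCS = (b"eval(", b"unescape(", b"String.fromCharCode")
ESCAPED_BLOB = re.compile(rb"(%u[0-9a-fA-F]{4}){8,}|(\\x[0-9a-fA-F]{2}){8,}")
COMMON_WORDS = {"the", "and", "of", "to", "in", "is", "for", "this", "report", "page"}
WEIGHTS = {"bad_header": 2, "missing_xref": 1, "missing_trailer": 1, "high_js_ratio": 2,
           "auto_exec": 2, "risky_funcs": 2, "escaped_blob": 2, "no_english_words": 1}
DANGER_THRESHOLD = 5   # constructed cut-off for this example


def scan_pdf(data: bytes) -> dict:
    """Decompose the PDF (header, objects, xref, trailer) and score the indicators."""
    ind = {}
    ind["bad_header"] = re.match(rb"%PDF-1\.[0-7]\r?\n", data) is None
    ind["missing_xref"] = b"xref" not in data
    ind["missing_trailer"] = b"trailer" not in data or not data.rstrip().endswith(b"%%EOF")
    objects = OBJ_RE.findall(data)
    js_bytes = sum(len(body) for _, _, body in objects if any(k in body for k in JS_KEYS))
    ind["js_ratio"] = round(js_bytes / max(len(data), 1), 2)
    ind["high_js_ratio"] = ind["js_ratio"] > 0.3
    ind["auto_exec"] = any(k in data for k in AUTO_KEYS)
    ind["risky_funcs"] = sorted(f.decode() for f in RISKY_FUNCS if f in data)
    ind["escaped_blob"] = ESCAPED_BLOB.search(data) is not None
    # a document meant to be read carries some ordinary words in its content streams
    text = b" ".join(STREAM_RE.findall(data)).decode("latin-1").lower()
    ind["no_english_words"] = not (set(re.findall(r"[a-z]{2,}", text)) & COMMON_WORDS)
    ind["score"] = sum(w for name, w in WEIGHTS.items() if ind[name])
    ind["verdict"] = "potentially dangerous" if ind["score"] >= DANGER_THRESHOLD else "clean"
    return ind


# Constructed sample 1: an ordinary one-page document with readable text.
BENIGN_PDF = (
    b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 58 >>\nstream\n"
    b"BT /F1 12 Tf (This is the quarterly report for the board) Tj ET\n"
    b"endstream\nendobj\n"
    b"xref\n0 5\ntrailer << /Size 5 /Root 1 0 R >>\nstartxref\n300\n%%EOF\n"
)

# Constructed sample 2: no xref/trailer, an auto-run action whose JavaScript is a
# long escaped blob handed to eval(); the "payload" is harmless filler ("AAAA...").
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Action /S /JavaScript /JS (var s = unescape(\""
    + b"%u0041" * 12 + b"\"); eval(s);) >> endobj\n"
    b"3 0 obj << /Type /Page >> endobj\n"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(name, scan_pdf(doc))
```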

Page 17: Cisco Cybersecurity Solutions

Outbreak Intelligence versus signature detection

• This chart shows the daily share of threats blocked by OI and by traditional AV signatures
• In 2013, 22% of malware coming from the Internet was blocked by Cisco Outbreak Intelligence before signatures were available

Chart: daily blocks, 2013 (Source: Cisco Cloud Web Security); y-axis 0% to 100%; x-axis 1 January 2013 to 1 December 2013, monthly; series: Signature, Outbreak Intelligence™.

Page 18: Cisco Cybersecurity Solutions

Outbreak Intelligence versus signature detection

Page 19: Cisco Cybersecurity Solutions

Cisco AMP

Page 20: Cisco Cybersecurity Solutions

Cisco SIO + Sourcefire VRT: collective security intelligence for the broadest visibility on the Internet

• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600+ engineers, technicians, and researchers
• 35% worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 40+ languages

Inputs to Cisco Collective Security Intelligence (Cisco® SIO and Sourcefire VRT®, the Vulnerability Research Team): 180,000+ file samples per day, FireAMP™ Community, advanced Microsoft and industry disclosures, Snort and ClamAV open source communities, honeypots, Sourcefire AEGIS™ Program, private and public threat feeds, dynamic analysis.

Protected: email, endpoints, web, networks, IPS, devices.

Page 21: Cisco Cybersecurity Solutions

AMP: reputation filtering and behavioral detection

Detection engines shown on the slide: SHA-256 lookup; sandboxing; hash + details; structural information (referred DLLs, PE header); VRT correlation; AV; network monitoring.

Page 22: Cisco Cybersecurity Solutions

Point-in-time detection (antivirus, sandboxing): initial disposition = Clean; analysis stops; blind to the scope of compromise; defeated by sleep techniques, unknown protocols, encryption and polymorphism; not 100%; actual disposition = Bad = too late!!

Retrospective detection (Cisco-Sourcefire): initial disposition = Clean, but analysis continues beyond the event horizon; actual disposition = Bad = blocked; turns back time. Visibility and control are key.

Page 23: Cisco Cybersecurity Solutions

Retrospective Security: Always Watching… Never Forgets… Turns Back Time

• Trajectory – Determine scope by tracking malware in motion and activity
• File Trajectory – Visibility across the organization, centering on a given file
• Device Trajectory – Deep visibility into file activity on a single system
• Continuous Analysis – Retrospective detection of malware beyond the event horizon

Page 24: Cisco Cybersecurity Solutions

File Trajectory (Network + Endpoint)

Looks ACROSS the organization and answers:

• What systems were infected?
• Who was infected first ("patient 0") and when did it happen?
• What was the entry point?
• When did it happen?
• What else did it bring in?

Quickly understand the scope of the malware problem.

Page 25: Cisco Cybersecurity Solutions

File Trajectory example:

1) An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox.
2) At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
3) Seven hours later the file is transferred to a third device (10.3.4.51) using an SMB application.
4) The file is copied to yet a fourth device (10.5.60.66) through the same SMB application a half hour later.
5) The Cisco Collective Security Intelligence Cloud learns that this file is malicious and a retrospective event is raised for all four devices immediately.
6) At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
7) 8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
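The retrospective mechanism behind this scenario, as an added Python example written for this transcript (not Cisco's or Sourcefire's code): every sighting of a hash is kept, a later "malicious" verdict raises one event per host that already holds the file, and the next arrival at the original entry point is blocked. The hash, timestamps, source host and the protocol of the second hop are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sighting:
    when: datetime
    host: str      # device that received the file
    sha256: str
    via: str       # application/protocol that brought it in (Firefox, SMB, ...)
    source: str    # where it came from: remote host or download host


class RetrospectiveTracker:
    """Keeps every sighting of every file so that a later verdict can be applied
    retroactively to all hosts that already hold the file."""

    def __init__(self):
        self.sightings = []        # ordered history of where each hash was seen
        self.disposition = {}      # sha256 -> "unknown" | "clean" | "malicious"

    def record(self, s: Sighting) -> str:
        """Point-in-time decision at the moment the file arrives."""
        self.sightings.append(s)
        if self.disposition.get(s.sha256) == "malicious":
            return "blocked"                     # known bad: stop it at the entry point
        self.disposition.setdefault(s.sha256, "unknown")
        return "allowed"                         # unknown/clean files pass, but stay tracked

    def update_disposition(self, sha256: str, verdict: str) -> list:
        """The cloud changed its mind: emit one retrospective event per affected host."""
        previous = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return []
        hosts = []
        for s in self.sightings:
            if s.sha256 == sha256 and s.host not in hosts:
                hosts.append(s.host)
        return [{"host": h, "sha256": sha256, "action": "quarantine"} for h in hosts]

    def file_trajectory(self, sha256: str) -> dict:
        """The File Trajectory questions: patient zero, entry point, when, which systems."""
        seen = sorted((s for s in self.sightings if s.sha256 == sha256), key=lambda s: s.when)
        if not seen:
            return {}
        first = seen[0]
        return {"patient_zero": first.host, "entry_point": f"{first.via} from {first.source}",
                "first_seen": first.when,
                "hosts": list(dict.fromkeys(s.host for s in seen))}


# Constructed hash and timeline replaying the slide's narrative.
SAMPLE_SHA = "a3f1" * 16
T0 = datetime(2013, 1, 3, 10, 30)


def run_scenario() -> dict:
    tr = RetrospectiveTracker()
    tr.record(Sighting(T0, "10.4.10.183", SAMPLE_SHA, "Firefox", "download.example.net"))
    # protocol of this hop is not given on the slide; SMB assumed like the later hops
    tr.record(Sighting(datetime(2013, 1, 3, 10, 57), "10.5.11.8", SAMPLE_SHA, "SMB", "10.4.10.183"))
    tr.record(Sighting(datetime(2013, 1, 3, 17, 57), "10.3.4.51", SAMPLE_SHA, "SMB", "10.5.11.8"))
    tr.record(Sighting(datetime(2013, 1, 3, 18, 27), "10.5.60.66", SAMPLE_SHA, "SMB", "10.3.4.51"))
    # the cloud now knows the hash is bad: all four devices get a retrospective event
    events = tr.update_disposition(SAMPLE_SHA, "malicious")
    # 8 hours after the first attack the file tries the original entry point again
    reentry = tr.record(Sighting(T0 + timedelta(hours=8), "10.4.10.183", SAMPLE_SHA,
                                 "Firefox", "download.example.net"))
    return {"events": events, "reentry": reentry, "trajectory": tr.file_trajectory(SAMPLE_SHA)}


if __name__ == "__main__":
    print(run_scenario())
```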

Page 26: Cisco Cybersecurity Solutions

Device Trajectory (Endpoint)

Looks DEEP into a device and helps answer:

• How did the threat get onto the system?
• How bad is my infection on a given device?
• What communications were made?
• What don't I know?
• What is the chain of events?

Page 27: Cisco Cybersecurity Solutions

AMP is context-aware

Data shows the bad and the good

Context helps you decide about the rest

Page 28: Cisco Cybersecurity Solutions

The Power of Continuous Analysis

Point-in-time security sees a lighter, bullet, cufflink, pen & cigarette case… Wouldn't it be nice to know if you're dealing with something more deadly?

Page 29: Cisco Cybersecurity Solutions

File Analysis: Fast and Safe File Forensics

• VRT-powered insight into advanced malware behavior
• Original file, network capture and screen shots of malware execution
• Understand root cause and remediation

Workflow: FireAMP & clients submit an infected file (file 4E7E9331D22190FD41CACFE2FC843F, as truncated on the slide) to the Cisco-Sourcefire VRT for sandbox analysis.

Advanced malware analysis without advanced investment

Page 30: Cisco Cybersecurity Solutions

File Extraction and Sandbox Execution

1) File capture
2) File storage
3) Send to sandbox
4) Execution report, available in FireSIGHT Management

Diagram elements: network traffic, sandbox, Collective Security Intelligence, malware alert!

Page 31: Cisco Cybersecurity Solutions

FireAMP for Endpoints (Windows, Mac OS X, Android), backed by the AMP Cloud

• Managed and deployed from the cloud
• File activity (create/edit/move/execute)
• One-to-One / Spero / Ethos
• Simple and advanced custom detections
• Retrospective alerting and quarantine
• Application control
• Network flow correlation
• Black/white lists
• Dynamic analysis

Page 32: Cisco Cybersecurity Solutions

FirePOWER Services on the ASA

• ASA with Sourcefire sensor, managed from the FireSIGHT Management Console
• File disposition queried against the AMP Cloud (SHA256, Spero)
• File submitted for dynamic analysis to the VRT Dynamic Analysis Cloud
• Endpoint connectors: Windows, Mac OS X, Android

Page 33: Cisco Cybersecurity Solutions

AMP Everywhere: Cisco has the most comprehensive strategy for Advanced Malware Protection.

• Endpoint: FireAMP
• Network: FirePOWER, ASA (NGFW)
• Gateway: ESA, WSA, CWS
• Sandbox: Dynamic Analysis (cloud connected) and FireAMP Private Cloud (on-premises appliance)
• Events / correlation in FireSIGHT Management

Page 34: Cisco Cybersecurity Solutions

NSS Labs breach detection systems security value map (April 2014)

https://www.nsslabs.com/reports/breach-detection-systems-bds-comparative-analysis-report

Page 35: Cisco Cybersecurity Solutions

Cisco Threat Defense

Page 36: Cisco Cybersecurity Solutions

Defense Strategies

Signature/reputation-based threat detection at the network perimeter: firewalls, IPS/IDS, honeypots, email content inspection, web content inspection.

Behavioral-based threat detection in the network interior: Cisco's Cyber Threat Defense Solution.

Page 37: Cisco Cybersecurity Solutions

Example Targeted Attack – Kill Chain

Initial infection by 0-day:

• Malicious USB stick
• Social engineering
• Email with malicious attachment
• Public WLAN MITM
• Malicious Office document
• HW key logger
• Server application vulnerability
• Drive-by download
• Any other attack vector…

Page 38: Cisco Cybersecurity Solutions

Kill Chain: Post Breach

Command and control channel to the C&C server. Final target reached, security infrastructure bypassed:

• Data leakage
• Damage
• Data manipulation (e.g. source code)

Page 39: Cisco Cybersecurity Solutions

Collect Information by NetFlow: Track the attacker

NetFlow record:

Router# show flow monitor CYBER-MONITOR cache
IPV4 SOURCE ADDRESS: 192.168.100.100
IPV4 DESTINATION ADDRESS: 192.168.20.6
TRNS SOURCE PORT: 47321
TRNS DESTINATION PORT: 443
INTERFACE INPUT: Gi0/0/0
IP TOS: 0x00
IP PROTOCOL: 6
ipv4 next hop address: 192.168.20.6
tcp flags: 0x1A
interface output: Gi0/1.20
counter bytes: 1482
counter packets: 23
timestamp first: 12:33:53.358
timestamp last: 12:33:53.370
ip dscp: 0x00
ip ttl min: 127
ip ttl max: 127
application name: nbar secure-http

Page 40: Cisco Cybersecurity Solutions

How does it work in a network – Baselining and Anomaly Detection based on NetFlow

Page 41: Cisco Cybersecurity Solutions

Stop Security Problems BEFORE They Become Crises

Chart: impact to the business ($) over time for a company with legacy monitoring tools. Milestones marked: attack onset, credit card data compromised, attack identified, vulnerability closed; security problems grow into the crisis region.

"Worm outbreaks can impact revenue by up to $250k per hour." (F500 Media Conglomerate)

Page 42: Cisco Cybersecurity Solutions

Stop Security Problems BEFORE They Become Crises

Same chart (impact to the business ($) over time) comparing a company with legacy monitoring tools (attack onset, credit card data compromised, attack identified, vulnerability closed, crisis region) with a company with StealthWatch (early warning, attack identified, vulnerability closed, attack thwarted). StealthWatch reduces MTTK.

"Worm outbreaks can impact revenue by up to $250k per hour. StealthWatch pays for itself in 30 minutes." (F500 Media Conglomerate)

Page 43: Cisco Cybersecurity Solutions

Attack Penetration, Propagation, and Exfiltration: network reconnaissance, internally propagating malware, botnet command and control, data leakage.

Page 44: Cisco Cybersecurity Solutions

NetFlow v5 and NetFlow v9: Which to Use for Threat Detection?

NetFlow v5 captures essential information regarding traffic patterns (useful for Layer 3 and 4 traffic pattern analysis):

• Source/destination IP and port
• Packet counts
• Byte counts
• Flow duration
• I/O interfaces

NetFlow v9 extends NetFlow v5 by adding (providing insight into malformed packets, protocol manipulation, and direction of traffic):

• Numerous TCP flags/counters
• Flow direction
• Fragmentation flags
• ICMP and IGMP info
• Header stats
• Time-to-live
• DSCP/TOS info
• Destination routing info

NetFlow v5 is useful; however, NetFlow v9 delivers deeper insight.

Page 45: Cisco Cybersecurity Solutions

Introduction to NBAR: Network-Based Application Recognition

Traditional NetFlow keys on the data link layer header, IP header and TCP or UDP header: interface, ToS, protocol, source IP address, destination IP address, source port, destination port.

Flexible NetFlow with NBAR adds deep packet (payload) inspection of the data:

• Classifies traffic by protocol (Layers 4–7)
• Supports over 600 applications and protocols
• Provides visibility into which application protocols are running on which ports and to where
• Useful in identifying stealthy behaviour (e.g. hiding file transfers over port 80)

Page 46: Cisco Cybersecurity Solutions

Developing Patterns Through Context: Identity and Application Visibility

• Users/devices: Cisco Identity Services Engine (ISE)
• Network Based Application Recognition (NBAR)
• NetFlow Secure Event Logging (NSEL)

Page 47: Cisco Cybersecurity Solutions

CTD Architecture: Minimum Required Components

Cisco ASA firewall and NetFlow/sFlow-enabled Cisco routers and switches export flows to the StealthWatch FlowCollector, which reports over https to the StealthWatch Management Console (unified security monitoring).

Page 48: Cisco Cybersecurity Solutions

Cyber Threat Defense Solution (CTD) Overview

• StealthWatch FlowCollector*
• StealthWatch Management Console* (management, over SSL)
• StealthWatch FlowReplicator (optional – replicates NetFlow and other protocols to other traffic analysis software)
• Cisco ISE
• StealthWatch FlowSensor* OR Cisco NetFlow Generation Appliance (NGA) (optional – monitors traffic and generates NetFlow for non-NetFlow-enabled devices)
• NetFlow-enabled devices export NetFlow directly

* Virtual or Physical Edition

Page 49: Cisco Cybersecurity Solutions

Scalability

• Flow exporters: physical routers and switches, FlowSensor, and the virtual FlowSensor VE; up to 2,000 exporters and/or 120,000 flows per second
• Flow collectors: StealthWatch FC for NetFlow; up to 25 collectors per StealthWatch System; 3 million flows per second scalability
• Management and reporting: StealthWatch Management Console, with full redundancy between primary and secondary (x2); user interface with customizable views for virtualization, network, and security teams

Page 50: Cisco Cybersecurity Solutions

CSIRT NetFlow Collection at Cisco

Collection sites: RTP, San Jose, Amsterdam, Bangalore, Sydney, Tokyo. 15.6 billion flows / day, 90 day retention.

Page 51: Cisco Cybersecurity Solutions

Cisco CTD Solution (dashboard): active alarms, alarms, top applications, flow collection trend.

Page 52: Cisco Cybersecurity Solutions

Cisco CTD Solution: Attack Detection without Signatures

A High Concern Index indicates a significant number of suspicious events that deviate from established baselines. Monitor and baseline activity for a host and within host groups.

Host Groups | Host | CI | CI% | Alarms | Alerts
Desktops | 10.10.101.118 | 338,137,280 | 8656% | High Concern Index | Ping, Ping_Scan, TCP_Scan

Page 53: Cisco Cybersecurity Solutions

The art is putting it in the right context: not everything is what it seems to be…

Page 54: Cisco Cybersecurity Solutions

The art is putting it in the right context: …this use case might be different

Page 55: Cisco Cybersecurity Solutions

Obtain Context through the Cisco ISE: attribute flows and behaviors to a user and device

Policy | Start Active Time | Alarm | Source | Source Host Groups | Source User Name | Device Type | Switch Port
Desktops & Trusted Wireless | Jan 3, 2013 | Suspect Data Loss | 10.10.101.89 | Atlanta, Desktops | John Chambers | Apple-iPad | Cat 7/42

Page 56: Cisco Cybersecurity Solutions

Detecting Command and Control: periodic "phone home" activity

What to analyze:

• Countries
• Applications
• Uploads/downloads ratio
• Time of day
• Repeated connections
• Beaconing – repeated dead connections
• Long-lived flows
• Known C&C servers

StealthWatch method of detection:

• Host Lock Violation
• Suspect Long Flow
• Beaconing Host
• Bot Command & Control Server
• Bot Infected Host – Attempted C&C
• Bot Infected Host – Successful C&C

Page 57: Cisco Cybersecurity Solutions

Zeus Credential Capture Example: the user logs into cisco.com with userid and password.

Page 58: Cisco Cybersecurity Solutions

Zeus Detection Alarm Details

Page 59: Cisco Cybersecurity Solutions

Detecting Suspect Data Loss

Policy | Start Active Time | Alarm | Source | Source Host Group | Source Username | Target | Details
Inside Hosts | 8-Feb-2012 | Suspect Data Loss | 10.34.74.123 | Wired Data | Bob | Multiple Hosts | Observed 4.08G bytes. Policy Maximum allows up to 81.92M bytes.
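Two of the flow-based detections from pages 56 and 59, beaconing and suspect data loss, as an added Python example written for this transcript (not StealthWatch code): the beacon check looks for near-constant connection intervals to one peer, and the data-loss check sums uploads from inside hosts to outside hosts against the slide's 81.92M-byte policy maximum. The flow records, the "inside" network and the timing threshold are constructed.

```python
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network
from statistics import mean, pstdev

INSIDE = IPv4Network("10.0.0.0/8")          # constructed "Inside Hosts" group
POLICY_MAX_BYTES = 81_920_000               # policy maximum from the slide: 81.92M bytes


def detect_beaconing(flows, min_connections=6, max_cv=0.10):
    """Flag (src, dst, port) pairs contacted at a nearly fixed interval: 'phone home'."""
    times = defaultdict(list)
    for f in flows:
        times[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = []
    for (src, dst, dport), ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = mean(gaps)
        # coefficient of variation near zero = metronome-like timing, unlike a human
        if period > 0 and pstdev(gaps) / period <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "period_s": round(period), "connections": len(ts)})
    return hits


def detect_suspect_data_loss(flows, policy_max=POLICY_MAX_BYTES):
    """Sum bytes uploaded by each inside host to outside hosts and compare to policy."""
    uploaded = defaultdict(int)
    targets = defaultdict(set)
    for f in flows:
        if IPv4Address(f["src"]) in INSIDE and IPv4Address(f["dst"]) not in INSIDE:
            uploaded[f["src"]] += f["bytes_out"]
            targets[f["src"]].add(f["dst"])
    return [{"src": src, "observed_bytes": total, "policy_max": policy_max,
             "targets": len(targets[src]),
             "details": f"Observed {total / 1e9:.2f}G bytes. Policy maximum allows up to "
                        f"{policy_max / 1e6:.2f}M bytes."}
            for src, total in uploaded.items() if total > policy_max]


def _flow(ts, src, dst, dport, bytes_out, bytes_in):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport,
            "bytes_out": bytes_out, "bytes_in": bytes_in}


# Constructed flow records (timestamps in seconds). External addresses come from the
# IPv4 documentation ranges; nothing here is a real indicator.
SAMPLE_FLOWS = (
    # an infected desktop calling the same external host every ~300 s
    [_flow(300 * i + (i % 3), "10.10.101.118", "203.0.113.7", 443, 512, 256) for i in range(8)]
    # a normal desktop browsing irregularly
    + [_flow(t, "10.10.101.50", "198.51.100.20", 80, 2_000, 40_000)
       for t in (10, 25, 130, 131, 700, 701, 702, 1500)]
    # "Bob" pushing 4.08G bytes to four different outside hosts
    + [_flow(3600 * i, "10.34.74.123", f"198.51.100.{30 + i}", 22, 1_020_000_000, 10_000)
       for i in range(4)]
    # internal file-server traffic: inside to inside, so not counted as data loss
    + [_flow(50, "10.34.74.123", "10.34.74.5", 445, 500_000_000, 1_000)]
)

if __name__ == "__main__":
    print(detect_beaconing(SAMPLE_FLOWS))
    print(detect_suspect_data_loss(SAMPLE_FLOWS))
```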

Page 60: Cisco Cybersecurity Solutions

Infection Tracking: initial infection, secondary infection, tertiary infection.

Page 61: Cisco Cybersecurity Solutions

Cisco Email Security

Page 62: Cisco Cybersecurity Solutions

The evolution of email-borne threats

Timeline: Past → Today → Tomorrow (????). The trend runs from high volumes with low $ value towards low volumes with high $$ value, i.e. targeted attacks.

Threats on the timeline: spam, phishing, attachment-based, Slammer, worms, Code Red, image spam, virus alerts, custom URL, botnets, Conficker, Stuxnet, network evasions, polymorphic code, targeted phishing, covert sponsored targeted attacks, blended threats, advanced persistent threats.

Page 63: Cisco Cybersecurity Solutions

There is great volatility: back to more than 85% spam

http://www.senderbase.org/static/spam/#tab=1

Page 64: Cisco Cybersecurity Solutions

Why reputation is fundamental: aggregation and correlation of billions of data points into a single score

Page 65: Cisco Cybersecurity Solutions

The Cisco Email Security architecture

• Management
• Threat defense: anti-spam, antivirus & Outbreak Filters
• Data security: encryption, Data Loss Prevention
• Inbound flow protection, outbound flow control

Page 66: Cisco Cybersecurity Solutions

Two-tier anti-spam defense

Incoming mail (good, bad or unknown/suspicious) is first scored by Cisco® SIO (what, when, who, how, where):

• Good score: the mails are delivered
• Intermediate score: the rate is limited and the messages are sent to the anti-spam engine (Cisco Anti-Spam, IMS)
• Bad score: the TCP connection is blocked and the messages are never received on the network

• Block rate: > 99%
• False positives: < 1 in 1 million

Page 67: Cisco Cybersecurity Solutions

Two-tier anti-spam defense


Page 68: Cisco Cybersecurity Solutions

Two-tier anti-virus defense: Virus Outbreak Filters advantage (http://www.senderbase.org)

• Average additional protection time: more than 13 hours
• Total attacks blocked: 291
• Total incremental protection: more than 157 days / 360

Virus Outbreak Filters (zero-hour detection, dynamic quarantine, fed by Cisco® SIO) ahead of the anti-virus engines (choice of engines).

Page 69: Cisco Cybersecurity Solutions

Securing URLs in emails with Outbreak Filters

Sample phishing message:

Information Update

Dear Mr. Paulo Roberto Borges,

We are contacting you in order to inform about a mandatory update of your personal data, which is being conducted after Bank A and Bank B merge. To begin the update, please click on the link and download the protection program.

Protection Module 3.0 (2011)

Best regards, Bank A
[email protected]

Before: http://www.threatlink.com

After: http://secure-web.cisco.com/auth=X&URL=www.threatlink.com

Page 70: Cisco Cybersecurity Solutions

Securing URLs in emails with Outbreak Filters: malware blocked

When the rewritten link (http://secure-web.cisco.com…) is followed, Cisco Security shows a block page: "The requested web page has been blocked. http://www.threatlink.com. Cisco Email and Web Security protects your organization's network from malicious software. Malware is designed to look like a legitimate email or website which accesses your computer, hides itself in your system, and damages files."
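The rewrite-then-check-at-click-time pattern shown on pages 69 and 70, as an added Python example written for this transcript (an illustrative design, not Cisco's implementation): links are replaced at delivery time by a redirector URL carrying the original plus an HMAC tag, and the click is resolved against the reputation score known at that moment. The redirector host, signing key, block threshold and reputation table are assumptions made up for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Assumptions for this example: a placeholder redirector host, a constructed signing key
# and a constructed reputation table standing in for the cloud lookup at click time.
REDIRECTOR = "https://secure-web.example.com/"
SIGNING_KEY = b"constructed-demo-key-rotate-in-practice"
BLOCK_BELOW = -6.0                                     # assumed block threshold
REPUTATION = {"www.threatlink.com": -9.3, "www.example.org": 6.0}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def sign(url: str) -> str:
    """Short HMAC tag binding the token to exactly this URL."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()[:16]


def rewrite_url(url: str) -> str:
    """Replace a link by a redirector URL carrying the original plus an auth tag."""
    return f"{REDIRECTOR}?auth={sign(url)}&URL={quote(url, safe='')}"


def rewrite_body(body: str) -> str:
    """Rewrite every http(s) link in a message body at delivery time."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)


def resolve_click(rewritten: str) -> tuple:
    """Click-time check: verify the tag, then decide on the current reputation score."""
    params = parse_qs(urlparse(rewritten).query)
    try:
        url, tag = params["URL"][0], params["auth"][0]
    except KeyError:
        return ("reject", None)
    if not hmac.compare_digest(tag, sign(url)):
        return ("reject", url)                       # tampered or forged link
    score = REPUTATION.get(urlparse(url).hostname, 0.0)
    return ("block" if score < BLOCK_BELOW else "allow", url)


# Constructed message modelled on the slide's "Information Update" phishing mail.
SAMPLE_BODY = ("To begin the update, please click on the link and download the "
               "protection program: http://www.threatlink.com/update\n"
               "Regards, Bank A (see http://www.example.org/merger for details)")

if __name__ == "__main__":
    rewritten = rewrite_body(SAMPLE_BODY)
    print(rewritten)
    for link in URL_RE.findall(rewritten):
        print(resolve_click(link))
```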

Page 71: Cisco Cybersecurity Solutions

Outbreak Filters stop phishing and blended attacks

Page 72: Cisco Cybersecurity Solutions

Advanced Malware Protection on the ESA

Inbound pipeline, fed by Cisco® SIO, with the action at each stage:

• SenderBase Reputation Filtering → Drop
• Anti-Spam & Spoofing Prevention → Drop/Quarantine
• AV Scanning & Advanced Malware Protection → Drop/Quarantine
• Real-time URL Analysis → Quarantine/Re-write URLs
• Deliver

Page 73: Cisco Cybersecurity Solutions

Email Security – Cisco on Cisco: 3.5M emails blocked every day

Emails delivered | Emails / mo | Emails / day | Emails / employee / day | %
Attempted | 124 M | 5.6 M | 73 |
Blocked | 77 M | 3.5 M | 46 | 63%
Delivered | 37 M | 1.7 M | 22 | 30%
Delivered, marked "Marketing" | 9 M | 0.4 M | 5 | 7%

ESA blocked emails (malware, spam) | Emails* / mo | Emails / day | Emails / employee / day | %
By reputation | 73 M | 3.3 M | 43 | 94%
By spam content | 4.3 M | 0.2 M | 3 | 5%
By invalid recipients | 0.4 M | 0.02 M | 0.25 | 1%

Page 74: Cisco Cybersecurity Solutions

Why Cisco Email Security? Gartner Magic Quadrant, Email Security Gateways, 2013

The Magic Quadrant is copyrighted 2013 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Cisco.

Page 75: Cisco Cybersecurity Solutions

Cisco Web Security

Page 76: Cisco Cybersecurity Solutions

The Cisco Web Security architecture, backed by Cisco Security Intelligence Operations (SIO)

PROTECTION: Layer 4 traffic monitor (on-premise), anti-malware defense

CONTROL: URL filtering, Application Visibility and Control (AVC), Data Loss Prevention (DLP)*

Centralised management & reporting. Outcomes for a web request: allow, limited access, block.

*Third-party DLP integration available on-premises

Page 77: Cisco Cybersecurity Solutions

Layer 4 Traffic Monitor: detecting already-infected hosts

The Cisco WSA sits between users and the Internet, performing network layer analysis (packet and header inspection) with automatic anti-malware rules, and blocks malicious traffic:

• Scans all ports and protocols
• Detects malware that bypasses port 80
• Prevents zombies from communicating with their control server
• Automatic updates
• Real-time lists of malicious servers and IP addresses

Available on the WSA and on the ASA as the "Botnet Traffic Filter"

Page 78: Cisco Cybersecurity Solutions

Three-tier anti-malware defense

Requested URLs are scored by Cisco® SIO, with SSL decryption based on category or reputation:

• Good score: the site is displayed without being scanned
• Intermediate score: the sites are scanned by one or more anti-malware engines
• Bad score: the site is BLOCKED

+ FILE REPUTATION (AMP)

Page 79: Cisco Cybersecurity Solutions

Real-time anti-malware scanning: Dynamic Vectoring & Streaming

HEURISTIC AND SIGNATURE-BASED ANALYSIS

• Intelligent multi-scanning
• Multiple signature databases
• Decrypts SSL traffic when necessary
• Streaming-mode scanning to avoid latency problems
• Automatic updates

Anti-malware scanning with multiple anti-malware engines: parallel scans, streaming-mode scanning. Heuristic detection identifies unusual behaviour; signature-based inspection recognises known threats.

Page 80: Les solutions de Cybersécurité Cisco

Advanced Malware Protection on the WSA

Each web request (WWW) passes through a chain of checks fed by Cisco SIO intelligence, and can be blocked at any stage:

Time of request:
• URL filtering: block, allow, warn, or partial block
• Reputation filter: block

Time of response:
• Dynamic Content Analysis (DCA): block
• Signature-based anti-malware engines: block
• Advanced Malware Protection: block
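The two-stage decision described on the last three slides (score-tiered handling at request time, content and file checks at response time) can be written down as a small policy function. The following is an added example, not Cisco code: the score scale (-10..+10, modelled on WBRS), the thresholds, the categories, the reputation tables and the sample transactions are all constructed for the example and are not Cisco's real thresholds or feeds. The signature stage uses the EICAR test string, a harmless industry-standard anti-virus test pattern.

```python
"""Added example (not Cisco code): WSA-style request-time and response-time
verdicts. Thresholds, categories, reputation tables and sample transactions
are constructed for the example."""
import hashlib

BLOCKED_CATEGORIES = {"malware-sites", "phishing"}   # constructed policy
WARN_CATEGORIES = {"gambling"}                         # constructed policy
# Constructed web reputation scores on an assumed -10..+10 scale.
WEB_REPUTATION = {"news.example": 7.2, "files.example": -2.1, "evil.example": -8.5}
# Assumed thresholds: >= +6 served without scanning, <= -6 blocked, in between scanned.
ALLOW_WITHOUT_SCAN = 6.0
BLOCK_AT_OR_BELOW = -6.0

# EICAR test string: a real, harmless anti-virus test signature.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Constructed file reputation table keyed by SHA-256 of the response body.
FILE_REPUTATION = {
    hashlib.sha256(b"MZ-known-bad-sample").hexdigest(): "malicious",
    hashlib.sha256(b"installer-known-good").hexdigest(): "clean",
}


def request_verdict(host, category):
    """Time-of-request decision from URL category and web reputation score."""
    if category in BLOCKED_CATEGORIES:
        return "BLOCK", "url-category"
    score = WEB_REPUTATION.get(host, 0.0)   # unknown host: neutral score, so it gets scanned
    if score <= BLOCK_AT_OR_BELOW:
        return "BLOCK", "web-reputation"
    if category in WARN_CATEGORIES:
        return "WARN", "url-category"
    if score >= ALLOW_WITHOUT_SCAN:
        return "ALLOW", "web-reputation"    # good score: served without scanning
    return "SCAN", "web-reputation"          # intermediate score: inspect the response


def response_verdict(body):
    """Time-of-response decision: signature engine first, then file reputation."""
    if EICAR in body:
        return "BLOCK", "signature"
    sha = hashlib.sha256(body).hexdigest()
    rep = FILE_REPUTATION.get(sha, "unknown")
    if rep == "malicious":
        return "BLOCK", "file-reputation"
    if rep == "clean":
        return "ALLOW", "file-reputation"
    # Unknown file: allowed, but the hash is kept so a later verdict can be applied retrospectively.
    return "ALLOW", "unknown-file:" + sha


def handle(host, category, body=b""):
    """Full decision for one transaction: (verdict, reason)."""
    verdict, reason = request_verdict(host, category)
    if verdict != "SCAN":
        return verdict, reason
    return response_verdict(body)


# Constructed transactions covering every branch.
SAMPLE = [
    ("news.example", "news", b"<html>hello</html>"),
    ("evil.example", "news", b"<html>"),
    ("casino.example", "gambling", b"<html>"),
    ("files.example", "file-sharing", EICAR),
    ("files.example", "file-sharing", b"MZ-known-bad-sample"),
    ("files.example", "file-sharing", b"installer-known-good"),
    ("unknown.example", "file-sharing", b"some new binary"),
    ("phish.example", "phishing", b"<html>"),
]

if __name__ == "__main__":
    for host, cat, body in SAMPLE:
        print(host, cat, handle(host, cat, body))
```

The ordering matters: a category block or a very bad reputation score stops the transaction before any content is fetched, while the expensive checks only run for the intermediate tier, which is exactly what keeps streaming-mode scanning from adding latency to the bulk of traffic.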

Page 81: Les solutions de Cybersécurité Cisco

Demonstration

Page 82: Les solutions de Cybersécurité Cisco

Web Security Appliance, Cisco on Cisco: 6.5M malicious sites blocked every day

Cisco web traffic stats:
• 330-360M web visits/day
• 6-7M (2%) blocked

WSA blocked transactions, by layer:
• 93.5% - Web Reputation
• 4.5% - URL Category
• 2% - Anti-Malware

Malware blocked in one day:
• 441K - Trojan Horse
• 61K - Other Malware
• 29K - Encrypted Files (monitored)
• 16.4K - Adware Messages
• 1K - Trojan Downloaders
• 55 - Phishing URLs
• 22 - Commercial System Monitors
• 5 - Worms
• 3 - Dialers

Page 83: Les solutions de Cybersécurité Cisco

Cloud Web Security: a cloud-based premium service

• Real-time scanning of all inbound and outbound HTTP/S web content
• Robust, fast, scalable and reliable global datacenter infrastructure
• Flexible deployment options via the Cisco attach model and direct-to-cloud
• Full support for roaming users
• Centrally managed granular web filtering policies, with Web 2.0 visibility and control
• Close to real-time reporting with cloud retention, as part of the standard offering

Page 84: Les solutions de Cybersécurité Cisco

Global datacenter footprint

• Multiple datacenters
• Multiple proxies within each datacenter (shown as 2x on the slide)
• SP-managed datacenter

Page 85: Les solutions de Cybersécurité Cisco

Flexible deployment options, on- and off-premises

Deployment options:
• On-premises: Appliance, Virtual Appliance
• Cloud: Cloud Web Security

Connection methods:
• On-premises: WCCP, PAC file, explicit proxy
• Cloud: redirectors (Firewall, Next Generation Firewall, Router, Roaming client), WCCP, PAC file, explicit proxy

Page 86: Les solutions de Cybersécurité Cisco

Cisco Web Security Appliance

Employees at headquarters and branches reach the Internet through the Cisco WSA, which authenticates users against AAA.

• Consistent policy, security, and reporting for all users
• Single-box solution for faster deployments, reduced complexity
• Uses AnyConnect for remote and mobility
• Integrates easily in your existing Cisco infrastructure

Page 87: Les solutions de Cybersécurité Cisco

AnyConnect Secure Mobility, form factor choice

The AnyConnect client on a mobile user's device is redirected, through the ASA, either to the on-premise WSA or to Cloud Web Security.

Page 88: Les solutions de Cybersécurité Cisco

Cisco Cloud Web Security integration

The Cisco ASA at headquarters and the Cisco ISR G2 at the branch office (connected to headquarters by VPN) send employees' web traffic directly to Cloud Web Security.

• Eliminates backhaul
• Speeds deployment
• Extends value of existing investments

Page 89: Les solutions de Cybersécurité Cisco

Retrospective security & continuous analysis

Advanced Threat Defense combines:
• Point-in-time protection: Advanced Malware Protection (AMP), file reputation and sandboxing
• Continuous analysis: AMP file reputation retrospection and Cognitive Threat Analytics (CTA)
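Retrospection changes what the proxy has to remember: a file that was unknown at download time is allowed through, but its hash and the host that received it are kept, so that when a later sandbox or reputation verdict flips to malicious the affected hosts can be scoped and remediated. The following is an added example, not Cisco code, of that bookkeeping; hosts, file bodies and timestamps are constructed.

```python
"""Added example (not Cisco code): file retrospection. Records which host
downloaded which file hash and when; when a verdict later changes, reports
the hosts that already hold the file. All data is constructed."""
import hashlib
from collections import defaultdict


class RetrospectiveTracker:
    def __init__(self):
        self.downloads = defaultdict(list)   # sha256 -> [(timestamp, host)]
        self.verdict = {}                    # sha256 -> "unknown" | "clean" | "malicious"

    def record_download(self, host, body, ts):
        """Called at time of response for every file that was allowed through."""
        sha = hashlib.sha256(body).hexdigest()
        self.downloads[sha].append((ts, host))
        self.verdict.setdefault(sha, "unknown")
        return sha

    def update_verdict(self, sha, new_verdict):
        """Apply a verdict that arrived after the download (e.g. from sandboxing).
        Returns a retrospective alert when a previously allowed file turns malicious,
        otherwise None."""
        old = self.verdict.get(sha, "unknown")
        self.verdict[sha] = new_verdict
        if new_verdict != "malicious" or old == "malicious":
            return None
        events = self.downloads.get(sha, [])
        return {
            "sha256": sha,
            "previous_verdict": old,
            "affected_hosts": sorted({host for _, host in events}),
            "first_seen": min((ts for ts, _ in events), default=None),
            "downloads": len(events),
        }


def demo():
    """Constructed scenario: three downloads of an unknown file, then the verdict flips."""
    tracker = RetrospectiveTracker()
    sample = b"new installer, unknown at download time"   # constructed body
    sha = tracker.record_download("10.1.1.7", sample, 1700000000)
    tracker.record_download("10.1.1.9", sample, 1700000600)
    tracker.record_download("10.1.1.7", sample, 1700003600)
    tracker.record_download("10.1.1.5", b"something else", 1700000100)
    # One hour later the sandbox verdict for this hash becomes malicious.
    return tracker.update_verdict(sha, "malicious")


if __name__ == "__main__":
    print(demo())
```

In production the download record is the proxy's access log and the verdict update comes from the reputation service; the point of the example is that "first_seen" and "affected_hosts" are the two fields an incident responder needs to scope the exposure window.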

Page 90: Les solutions de Cybersécurité Cisco

Security across the whole attack continuum: CWS with AMP & CTA

BEFORE (Discover, Enforce, Harden): Web Reputation, Usage Controls, Application Controls
DURING (Detect, Block, Defend): Malware Signature, Outbreak Intelligence, File Reputation / Sandbox (AMP)
AFTER (Scope, Contain, Remediate): File Retrospection (AMP), Threat Analytics (CTA), Active Reporting (CTA)

Page 91: Les solutions de Cybersécurité Cisco

CTA: analyzing network traffic behavior

Behavioral analysis, anomaly detection and machine learning turn observed traffic into a potential threat finding.

No more rule sets: discovers threats on its own, just turn it on.

Normal, or not? Spots symptoms of infection using behavioral anomaly detection algorithms and trust modeling.

Security that evolves: uses machine learning to learn from what it sees and adapt over time.

Reduced time to discovery: active, continuous monitoring to stop the spread of an attack.
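The slide does not describe CTA's actual models, so the following is an added example, not Cisco code, of the kind of behavioral check the slide is talking about, written with no signature and no IP list: it reads access-log lines in a constructed, simplified "epoch client destination" format (not the real WSA or CWS log format), then flags client/destination pairs whose request timing is almost perfectly periodic (beaconing) and whose destination few other clients ever contact. Thresholds and the sample log are constructed for the example.

```python
"""Added example (not Cisco code): beaconing detection from request timing
plus a population rarity check, in the spirit of behavioral anomaly
detection. Log format, thresholds and sample data are constructed."""
import statistics
from collections import defaultdict


def parse_lines(lines):
    """Group request timestamps by (client, destination); skip malformed lines."""
    flows = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, dest = float(parts[0]), parts[1], parts[2]
        flows[(client, dest)].append(ts)
    return flows


def interval_stats(timestamps):
    """Mean inter-request interval and its coefficient of variation
    (0 = perfectly periodic). None if there are too few requests."""
    ts = sorted(timestamps)
    if len(ts) < 4:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(lines, max_cv=0.1, min_requests=6, max_clients=2):
    """Flag (client, destination) pairs that are both periodic and rare in the population."""
    flows = parse_lines(lines)
    clients_per_dest = defaultdict(set)
    for client, dest in flows:
        clients_per_dest[dest].add(client)
    findings = []
    for (client, dest), ts in flows.items():
        if len(ts) < min_requests:
            continue
        stats = interval_stats(ts)
        if stats is None:
            continue
        mean, cv = stats
        # Periodic AND rare: a popular destination hit by a scheduled task on many clients is not flagged.
        if cv <= max_cv and len(clients_per_dest[dest]) <= max_clients:
            findings.append({"client": client, "destination": dest, "requests": len(ts),
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


def constructed_log():
    """Constructed sample log: one beaconing host, normal browsing, and a popular periodic host."""
    base = 1700000000
    lines = []
    jitter = [0, 1, -1, 2, 0, -2, 1, 0, -1, 1]
    for i, j in enumerate(jitter):           # 10.0.0.5 beacons every ~300 s to a rare destination
        lines.append(f"{base + 300 * i + j} 10.0.0.5 upd.rare-cdn.example")
    for t in (3, 80, 81, 82, 600, 2000):     # the same host browses a normal site irregularly
        lines.append(f"{base + t} 10.0.0.5 www.example.com")
    for t in (0, 7, 95, 130, 400, 401, 990, 1500):
        lines.append(f"{base + t} 10.0.0.6 www.example.com")
    for c in ("10.0.0.7", "10.0.0.8", "10.0.0.9"):   # periodic but popular: a benign scheduled check
        for i in range(8):
            lines.append(f"{base + 60 * i} {c} time.example")
    return lines


if __name__ == "__main__":
    for finding in find_beacons(constructed_log()):
        print(finding)
```

The two conditions are deliberately combined: timing regularity alone flags every software updater and NTP-style check in the enterprise, and rarity alone flags every niche website; it is the intersection that is a symptom worth an analyst's time, and both thresholds would be learned from the organisation's own baseline rather than fixed as they are here.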

Page 92: Les solutions de Cybersécurité Cisco

Why Cisco Web Security? Gartner Magic Quadrant, Web Security Gateways, 2013

The Magic Quadrant is copyrighted 2013 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Cisco.

Page 93: Les solutions de Cybersécurité Cisco