Page 1: This session was recorded via Cisco WebEx! You can … Customer Education Malware, Malware Everywhere - Battle 21st Century Security Threats with Cisco This session was recorded via

Cisco Customer Education: Malware, Malware Everywhere - Battle 21st Century Security Threats with Cisco

This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:

https://acecloud.webex.com/acecloud/lsr.php?RCID=2a9e13dcb37a4721b5c9fc97052488bb

Thanks for your interest and participation!

This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:

https://acecloud.webex.com/acecloud/lsr.php?RCID=9179b646be6a4f03a3480b1a1db8d72b

Page 2

Cisco Customer Education: Malware, Malware Everywhere - Battle 21st Century Security Threats with Cisco

This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:

https://acecloud.webex.com/acecloud/lsr.php?RCID=2a9e13dcb37a4721b5c9fc97052488bb

Thanks for your interest and participation!

This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:

https://acecloud.webex.com/acecloud/lsr.php?RCID=a95525d3a4d94e6887d6edc67ddd0e24

Connect using the audio conference box or you can call into the meeting:
1. Toll-Free: (866) 432-9903
2. Enter Meeting ID: 201 146 961
3. Press “1” to join the conference.

Page 3

Presentation Agenda

► Welcome from Cisco

► Security in the 21st Century

► Mid-Year Security Report

► Talos and Advanced Malware Protection

► Next Generation Threat Protection

► Conclusion

About Your Host
Brian Avery
Territory Business Manager
Cisco Systems, [email protected]

Priors:
• Cisco Sales and Channels (11 yrs)
• President and CEO (6 yrs) - Cisco Premier Partner
• Director of Sales (2 yrs) - Cisco Silver Partner
• Financial Analyst (7 yrs) - Sprint Corporation

Page 4

Who Is Cisco?

Page 5

Cisco Confidential 5

1984

• Computer scientists Len Bosack and Sandy Lerner found Cisco Systems
• Bosack and Lerner run network cables between two different buildings on the Stanford University campus
• A technology has to be invented to deal with disparate local area protocols; the multi-protocol router is born

Page 6

The Landscape is Constantly Changing: Leading for Nearly 30 Years (2016)

Eras shown: 1990–1995 | 1996–2000 | 2001–2007 | 2008–Today (Internet of Everything)

Competitors shown across those eras: WellFleet, SynOptics, 3Com, ACC, DEC, Proteon, IBM, Bay Networks, Newbridge, Cabletron, Ascend, Fore, Xylan, 3Com, Nortel, Ericsson, Alcatel, Juniper, Lucent, Siemens, NEC, Foundry, Redback, Riverstone, Extreme, Arista, HP, Avaya, Juniper, Huawei, Aruba, Brocade, Checkpoint, Fortinet, ShoreTel, Polycom, Microsoft, F5, Riverbed, Dell

Page 7


Who Is Cisco?

Chuck Robbins, CEO, Cisco

• Dow Jones Industrial Average, Fortune 100 Company (AAPL, CSCO, INTC, MSFT)

• $117B Market Capitalization

• $49.6B in Revenue

• $10B in Annual Net Profits

• $34B More Cash than Debt

• $6.3B in Research and Development

http://finance.yahoo.com/q/ks?s=CSCO+Key+Statistics

Page 8

Market Leadership Matters

• Voice: No. 1, 41%
• TelePresence: No. 1, 50%
• Web Conferencing: No. 1, 43%
• Wireless LAN: No. 1, 50%
• x86 Blade Servers: No. 2, 29%
• Routing (Edge/Core/Access): No. 1, 47%
• Security: No. 1, 31%
• Switching (Modular/Fixed): No. 1, 65%
• Storage Area Networks: No. 1, 47%

Page 9

What Is the Cisco Customer Education Series?

• CCE is an educational session for current and prospective Cisco customers
• Designed to help you understand the capabilities and business benefits of Cisco technologies
• Allows you to interact directly with Cisco subject matter experts and ask questions
• Offers assistance if you need/want more information, demonstrations, etc.

Page 10

Security in the 21st Century

Page 11

Cisco Confidential 11 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Remember This Movie?

http://www.imdb.com/title/tt0086567/

Page 12

It’s All About The Money: Industrial Hackers Are Making Big Money with Innovative Tactics

Global Cybercrime Market $450B‒$1T

Timeline (1990–2020):
• Viruses, 1990–2000
• Worms, 2000–2005
• Spyware and Rootkits, 2005–Today
• APTs, Cyberware, Today+

Trend labels along the timeline: Phishing, Low Sophistication; Hacking Becomes an Industry; Sophisticated Attacks, Complex Landscape

95% of large companies targeted by malicious traffic
100% of organizations interacted with websites hosting malware

1. Cybercrime is lucrative, barrier to entry is low
2. Hackers are smarter and have the resources to compromise your organization
3. Malware is extremely sophisticated and complex
4. Cybercrime is now a formal, for-profit industry

Source: 2014 Cisco Annual Security Report

Page 13


High Profile Breaches

As of 12/31/2014, http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf

Breach sizes shown: 1,000,000; 70,000,000; 56,000,000; 2,600,000; 1,100,000

And Yet… Organizations of every size are targets

• 60% of UK small businesses were compromised in 2014 (2014 Information Security Breaches Survey)
• 100% of corporate networks examined had malicious traffic (Cisco 2014 Annual Security Report)
• 41% of targeted attacks are against organizations with fewer than 500 employees (July 2014, The National Cyber Security Alliance (NCSA))

Page 14

Today’s cyber-threat reality

If you know you are going to be compromised, how should you do security differently?

Why? Because you’ll never be able to prevent 100% of attacks.

Your environment will get breached – it’s not an “IF”, it’s a “WHEN”.

Page 15

The Attack Surface

Page 16

Attack surface – web browsers

More than 85% of the companies studied were affected each month by malicious browser extensions

Page 17

Attack surface – user error on web

Users becoming complicit enablers of attacks:
• Untrustworthy sources
• Clickfraud and Adware
• Outdated browsers

10% of IE requests running latest version vs 64% of Chrome requests running latest version

Page 18

Attack surface – web applications

Attackers: Shifts in the attack vectors (log volume; 2015 Cisco Annual Security Report)

• Java: drop 34%
• Silverlight: rise 228%
• PDF and Flash: steady

Page 19

Attackers: Compromising without clicking

Malvertising is on the rise: low-limit exfiltration makes infection hard to detect

In October 2014, there is a spike of 250%

Page 20

Ransomware and Exploit Kits, e.g. Cryptowall version 4

• Encryption technique allows per-target customization
• Marking systems and files that have already been encrypted
• Using Bitcoin for anonymous payment
• Dual deadlines for: 1. Cost increase, 2. Deleting data

Page 21

Phishing and Social Engineering

Page 22

Attack surface - email

Attackers: A growing appetite to leverage targeted phishing campaigns

Example: Snowshoe SPAM attack, SPAM up 250%

Page 23

Social Engineering: Waiting for his plane

Meet Brian, an employee at Sysco (not Cisco).

He is catching up on life using the public Wi-Fi at Starbucks prior to a meeting.

Brian decides to check on Facebook where his Mom had posted pictures of her vacation.

Page 24

Social Engineering: Checks his email

Brian then gets an email from his mom.

The email says she’s having a great vacation and took a video she wants him to see. In the email is a link to what looks to be a normal video link.

Your Tropical Getaway

Joe,

Thank you for choosing us. We look forward to seeing you.

Before your arrival, please verify your information here: www.vacationresort.com

Best,
Resort Team

No problem, right? Everything looks normal. After all, his mom IS on vacation.

And the video site has an https: prefix, so it looks trustworthy, and he clicks the link.

Page 25

Social Engineering: Joe is now infected

Brian opens the link and a video of the resort plays.

Although he doesn’t know it, Brian’s device has been compromised by a Silverlight based video exploit.

The malware now starts to harvest Brian’s confidential information:

• Passwords

• Credentials

• Company access authorizations

Why did the cybercriminal target Brian?

Page 26

Cisco Security Overview

Page 27

Too Many Disparate Security Products Mean Gaps in Protection

Fragmented offerings across multiple vendors:
• Cost: Higher total cost to build and run
• Overall performance: Less communication between components
• Time to detection: More lag in finding threats

Page 28

Page 29

Too Many Disparate Security Products Mean Gaps in Protection

Fragmented offerings across multiple vendors vs Streamlined advanced security solution:
• Cost: Higher total cost to build and run vs Lower opex and easier to manage
• Overall performance: Less communication between components vs Better communication and integration
• Time to detection: More lag in finding threats vs Faster time to detection

Page 30

Point-in-Time Detection Tools Alone Are Insufficient and Provide Limited or No Visibility Into Threats Once They Get in

Antivirus and Legacy IPS: Initial Disposition = Clean, Actual Disposition = Bad. Too Late!! Analysis stops at the event horizon.

Evasion techniques that slip past point-in-time tools: Sleep Techniques, Unknown Protocols, Encryption, Polymorphism

Blind to scope of compromise. Not 100%.

Page 31

I'm going for fearsome here, but I just don't feel it!

I think I'm just coming off as annoying.

Competitors

Page 32

What’s Needed to Protect Against Advanced Threats That Manage to Slip by Your Front-Line Defenses?

Deep Visibility + Control

Page 33

Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum

Attack Continuum:
• Before: Discover, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate

Control points: Data Center/Servers, Endpoints, Email and Web, Network, Mobile

Threat intelligence and analytics | Point-in-Time detection | Retrospective security and continuous analysis

Page 34

Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum

Attack Continuum:
• Before: Discover, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate

Cisco products placed along the continuum: FireSIGHT and pxGrid, ASA VPN, OpenDNS, Meraki, Advanced Malware Protection, Network as Enforcer, NGIPS, ESA/WSA, CWS, Secure Access + Identity Services, ThreatGRID

Page 35

Cisco Advanced Malware Protection

AMP

Page 36

Cisco Advanced Malware Protection

Software-as-a-Service, Cloud Managed, Subscription Based

Page 37

Page 38

THREAT LANDSCAPE

1.5 Million

Page 39

THREAT LANDSCAPE

Page 40

Page 41

THREAT LANDSCAPE

Page 42

Cisco Security Decreases Time to Detection

Current Industry Average (TTD): 100 days (Source: 2016 Cisco Annual Security Report)

Page 43

Cisco Security Decreases Time to Detection

100 days to 13.8 hours (Source: 2016 Cisco Annual Security Report)

Page 44

Point in Time Protection

Page 45

Point-in-Time Detection: AMP Delivers the First Line of Defense, Blocking Known and Emerging Threats with Point-in-Time Defenses

One-to-one signature

Fuzzy finger-printing

Machine learning

Advanced analytics

Static and dynamic analysis (sandboxing)

Offer better accuracy and dispositioning

Block known and emerging threats

Protect your business with no lag

Automatically stop as many threats as possible, known and unknown

Page 46

Behavioral Detection: Example (Point-in-Time Detection | Retrospective Security)

Cisco Collective Security Intelligence / Collective Security Intelligence Cloud

Detection engines shown: Dynamic Analysis, Machine Learning, Fuzzy Fingerprinting, Advanced Analytics, Indications of Compromise, Device Flow Correlation

1. File of unknown disposition is encountered
2. File replicates itself and this information is communicated to the cloud
3. File communicates with malicious IP addresses or starts downloading files with known malware disposition
4. Combination of activities indicates a compromise and the behavior is reported to the cloud and AMP client
5. These indications are prioritized and reported to the security team as a possible compromise

Page 47

Behavioral Detection: Example (Point-in-Time Detection | Retrospective Security)

Cisco Collective Security Intelligence / Collective Security Intelligence Cloud

Detection engines shown: Dynamic Analysis, Advanced Analytics, Device Flow Correlation

IP shown in the example: 64.233.160.0

1. Device Flow Correlation monitors communications of a host on the network
2. Two unknown files are seen communicating with a particular IP address
3. One is sending information to the IP address, the other is receiving commands from the IP address
4. Collective Security Intelligence Cloud recognizes the external IP as a confirmed, malicious site
5. Unknown files are identified as malware because of the association

Page 48

Behavioral Indications of Compromise: Example (Point-in-Time Detection | Retrospective Security)

Cisco Collective Security Intelligence

Retrospective capabilities shown: Trajectory, Behavioral Indications of Compromise, Breach Hunting, Continuous Analysis, Attack Chain Weaving

Behavioral Indications of Compromise uses continuous analysis and retrospection to monitor systems for suspicious and unexplained activity… not just signatures!

Using the power of Attack Chain Weaving, Cisco® AMP is able to recognize patterns and activities of a given file, and identify an action to look for across your environment rather than a file fingerprint or signature

1. An unknown file is admitted into the network
2. The unknown file copies itself to multiple machines
3. Duplicates content from the hard drive
4. Sends duplicate content to an unknown IP address
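The two correlations described on Page 47 (Device Flow Correlation) and Page 48 (Attack Chain Weaving), modelled as an added example that is not Cisco's or AMP's code. It assumes a constructed Event record, RFC 5737 documentation addresses standing in for the intelligence cloud's IP reputation, and a fixed three-step chain; AMP's real chain definitions are not on the page.

```python
"""Two of the AMP correlations on Pages 47 and 48, modelled over constructed telemetry."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One record from the endpoint telemetry stream (constructed for this example)."""
    seq: int          # position in the stream; gives the ordering the chain depends on
    host: str         # endpoint that reported the event
    file_id: str      # file fingerprint (a SHA-256 in a real stream; short labels here)
    disposition: str  # "clean", "malicious" or "unknown" at observation time
    action: str       # "net_send", "net_recv", "copy_to_host" or "bulk_read"
    target: str = ""  # remote IP for net_*; destination host for copy_to_host


# Stand-in for the Collective Security Intelligence Cloud's IP reputation.
# Both sets and all addresses are constructed (RFC 5737 documentation ranges).
KNOWN_MALICIOUS_IPS = {"203.0.113.10"}
KNOWN_GOOD_IPS = {"192.0.2.50"}  # e.g. a vendor update server


def device_flow_correlation(events, malicious_ips=KNOWN_MALICIOUS_IPS):
    """Page 47: files of unknown disposition that talk to a confirmed-malicious
    IP are convicted by association. Returns {file_id: {malicious IPs it used}}."""
    flows = defaultdict(set)  # remote IP -> unknown-disposition files seen on that flow
    for e in events:
        if e.action in ("net_send", "net_recv") and e.disposition == "unknown":
            flows[e.target].add(e.file_id)
    convicted = defaultdict(set)
    for ip, file_ids in flows.items():
        if ip in malicious_ips:  # the reputation lookup the slide attributes to the cloud
            for file_id in file_ids:
                convicted[file_id].add(ip)
    return dict(convicted)


# The chain from Page 48, in the order it must occur for one file.
CHAIN = ("copy_to_host", "bulk_read", "net_send")


def attack_chain_weaving(events, good_ips=KNOWN_GOOD_IPS, min_hosts=2):
    """Page 48: flag a file whose own behaviour, in order, is
    copy itself to >= min_hosts machines -> bulk read of local content ->
    send data to an IP that is not known-good. No signature is involved.
    Returns {file_id: [description of each matched step]}."""
    per_file = defaultdict(list)
    for e in sorted(events, key=lambda e: e.seq):
        per_file[e.file_id].append(e)
    hits = {}
    for file_id, evs in per_file.items():
        stage, copied_to, matched = 0, set(), []
        for e in evs:
            if stage == len(CHAIN):
                break  # chain already complete for this file
            want = CHAIN[stage]
            if want == "copy_to_host" and e.action == "copy_to_host":
                copied_to.add(e.target)
                if len(copied_to) >= min_hosts:  # a single copy is not "spreading"
                    matched.append("copied to %d hosts" % len(copied_to))
                    stage += 1
            elif want == "bulk_read" and e.action == "bulk_read":
                matched.append("bulk read of local content")
                stage += 1
            elif want == "net_send" and e.action == "net_send" and e.target not in good_ips:
                matched.append("sent data to unknown IP %s" % e.target)
                stage += 1
        if stage == len(CHAIN):
            hits[file_id] = matched
    return hits


# Constructed telemetry covering both slides plus two negatives.
SAMPLE_EVENTS = [
    # Page 47: two unknown files on one flow, one sending, one receiving commands
    Event(1, "host-a", "file-x", "unknown", "net_send", "203.0.113.10"),
    Event(2, "host-a", "file-y", "unknown", "net_recv", "203.0.113.10"),
    # Page 48: an unknown file spreads, reads the disk, then sends to an unknown IP
    Event(3, "host-b", "file-z", "unknown", "copy_to_host", "host-c"),
    Event(4, "host-b", "file-z", "unknown", "copy_to_host", "host-d"),
    Event(5, "host-b", "file-z", "unknown", "bulk_read"),
    Event(6, "host-b", "file-z", "unknown", "net_send", "198.51.100.7"),
    # negative: unknown updater that only talks to a known-good IP
    Event(7, "host-e", "updater", "unknown", "net_send", "192.0.2.50"),
    # negative: same three actions as file-z but in the wrong order (send first)
    Event(8, "host-f", "file-w", "unknown", "net_send", "198.51.100.9"),
    Event(9, "host-f", "file-w", "unknown", "copy_to_host", "host-g"),
    Event(10, "host-f", "file-w", "unknown", "copy_to_host", "host-h"),
    Event(11, "host-f", "file-w", "unknown", "bulk_read"),
]


if __name__ == "__main__":
    print("convicted by association:", device_flow_correlation(SAMPLE_EVENTS))
    print("behavioral IoC:", attack_chain_weaving(SAMPLE_EVENTS))
```

Note that file-z is not convicted by the flow correlation (its destination is unknown, not confirmed malicious) but is caught by the chain, which is the point the slide makes about behaviour over reputation.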

Page 49

How Malware Gets Into Your Network

Breach Prevention | Rapid Breach Detection, Response, Remediation | Threat Intelligence

Page 50

But Point-in-Time Detection Alone Will Never Be 100% Effective

Page 51

Continuous Analysis and Retrospective Security: Only AMP Continuously Monitors and Analyzes All File Activity, Regardless of Disposition

Across all control points: Web (WWW), Endpoints, Email, Network, Mobile

To answer the questions that matter, take advantage of key capabilities:
• Identify a threat’s point of origin
• See where it's been
• Track its rate of progression and how it spread
• See what it is doing
• Surgically target and remediate

Page 52

Continuous Analysis and Retrospective Security

Breadth and control points: Web (WWW), Endpoints, Network, Email, Devices, IPS

Telemetry stream (continuous feed): File Fingerprint and Metadata, Process Information, File and Network I/O

Continuous analysis with Talos + Threat Grid Intelligence: Trajectory, Behavioral Indications of Compromise, Threat Hunting, Retrospective Detection

Page 53

If Something Gets in, Retrospective Security Helps You Find Answers to the Most Pressing Security Questions

• What happened?
• Where did the malware come from?
• Where has the malware been?
• What is it doing?
• How do we stop it?

See AMP in Action!

Page 54

See Where It Entered the System (Where did the malware come from?)

Track threat’s origin and progression:
• How did it get into the system
• What is the point of origin
• What was the attack vector

See AMP in Action!

Page 55

See Everywhere That It Has Been (Where has the malware been?)

Track infected areas in the system:
• Where is the attack now
• What other endpoints have seen it
• Where should I focus my response
• Where is still safe

See AMP in Action!

Page 56

Determine What the Malware Is Doing (What is it doing?)

Understand the details of how the malware works:
• What is it trying to do, in plain English
• How does the malware behave
• Get detailed information vital for incident response

See AMP in Action!

Page 57

Stop It with a Few Clicks (How do we stop it?)

Knowing the details above, surgically remediate:
• Stop it at the source and all infected areas
• Simply right click, add to a blocklist, and remediate the malware from the entire system

See AMP in Action!

Page 58

The Leader in Security Effectiveness

• 99.2% Security Effectiveness rating in BDS testing, the highest of all vendors tested.
• Only vendor to block 100% of evasion techniques during testing.
• Excellent performance with minimal impact on network, endpoint, or application latency.

Download the flysheet and full report here.

Cisco AMP offers superior security effectiveness, excellent performance, and provides security across more attack vectors than any other vendor

Page 59

Next-Generation Security

Page 60

The AMP Everywhere Architecture: AMP Protection Across the Extended Network for an Integrated Threat Defense

• AMP Threat Intelligence Cloud
• Threat Grid: Malware Analysis + Threat Intelligence Engine
• AMP for Endpoints (platforms shown: Windows OS, Android Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for servers and datacenters)
• AMP for Endpoints on Remote Endpoints: AMP for Endpoints can be launched from AnyConnect
• AMP on Web and Email Security Appliances
• AMP on Cloud Web Security and Hosted Email (CWS/CTA)
• AMP on Cisco® ASA Firewall with Firepower Services
• AMP on Firepower NGIPS Appliance (AMP for Networks)
• AMP on ISR with Firepower Services
• AMP on Meraki MX Appliances
• AMP Private Cloud Virtual Appliance

Page 61


Introducing Cisco Adaptive Security Appliances: Cisco ASA with FirePOWER Services Next-Generation Firewall (NGFW)

Industry’s First Threat-Focused NGFW

• Integrating defense layers helps organizations get the best visibility
• Enable dynamic controls to automatically adapt
• Protect against advanced threats across the entire attack continuum

Proven Cisco ASA firewalling + Industry leading NGIPS and AMP = Cisco ASA with FirePOWER Services

Page 62


Superior Integrated & Multilayered Protection: Cisco ASA with FirePOWER Services

Components shown: Cisco ASA Network Firewall (Routing | Switching; Clustering & High Availability); Application Visibility & Control; Intrusion Prevention (Subscription); URL Filtering (Subscription); Advanced Malware Protection (Subscription); FireSIGHT Analytics & Automation; Built-in Network Profiling; Identity-Policy Control & VPN; Cisco Collective Security Intelligence Enabled

• World’s most widely deployed, enterprise-class ASA stateful firewall
• Granular Cisco® Application Visibility and Control (AVC)
• Industry-leading FirePOWER next-generation IPS (NGIPS)
• Reputation- and category-based URL filtering
• Advanced malware protection

Page 63


Visibility comparison: Typical IPS vs Typical NGFW vs Cisco ASA with FirePOWER Services

Categories compared: Threats, Users, Web applications, Application protocols, File transfers, Malware, C & C Servers, Client applications, Operating systems, Mobile Devices, VOIP phones, Routers & switches, Printers, Network Servers

No other NGFW offers this level of visibility
• The more infrastructure you see, the better protection you get

Page 64


Cisco Meraki - Cloud Managed Networking

• Meraki MR Wireless LAN
• Meraki MX Security Appliances
• Meraki MS Ethernet Switches
• Meraki SM Enterprise Mobility Management
• Meraki MC Communications

Page 65

Application ControlTraffic Shaping, Content Filtering, Web Caching

SecurityNG Firewall, Client VPN, Site to Site VPN, IDS/IPS

NetworkingNAT/DHCP, 3G/4G Cellular, Static Routing, Link Balancing

Page 66

• Best IPS: Sourcefire IDS / IPS, updated every day
• Anti-Malware: Advanced Malware Protection powered by Cisco Sourcefire and Talos
• Content Filtering: 4+ billion URLs, updated in real time
• Geo-based security: Block attackers from rogue countries
• AV / anti-phishing: Kaspersky AV, updated every hour
• PCI compliance: PCI L1 certified cloud-based management

Page 67

Enterprise License:
• Stateful firewall
• Site to site VPN
• Branch routing
• Internet load-balancing (over dual WAN)
• Application control
• Web caching
• Intelligent WAN (IWAN)
• Client VPN

Advanced Security License: all enterprise features, plus
• Content filtering (with Google SafeSearch)
• Kaspersky Anti-Virus and Anti-Phishing
• Sourcefire IPS / IDS
• Geo-based firewall rules
• Advanced Malware Protection (AMP)

Page 68: Cisco Email Security

Page 69: Cisco SensorBase: Email Reputation Database

Data sources feeding the IP Reputation Score (scale from -10 through 0 to +10):
• Complaint Reports
• IP Blacklists and Whitelists
• Domain Blacklist and Safelists
• Compromised Host Lists
• Website Composition Data
• Global Volume Data
• Message Composition Data
• Spam Traps
• Other Data

Breadth and quality of data make the difference.

Page 71: Cisco Email Security (architecture figure)

Deployment options: Cisco Appliance, Virtual, Cloud; threat intelligence from Talos. Message verdicts: Allow, Warn, Block, Partial Block.

Inbound email controls, applied Before / During / After:
• Email Reputation
• Acceptance Controls
• File Reputation
• Anti-Spam
• Anti-Virus
• Outbreak Filters
• Mail Flow Policies
• Graymail Management / Safe Unsubscribe
• Anti-Phish, ThreatGrid, URL Reputation & Categorization
• Content Controls
• Tracking user click activity (Anti-Phish)
• File Sandboxing & Retrospection

Outbound email controls (outbound liability):
• Mail Flow Policies
• Data Loss Protection
• Encryption

Management (Admin / HQ): Reporting, Message Tracking.

Page 72: Cisco Security and OpenDNS

Page 73: What is DNS? Domain Name System

A system for relating names and numbers: a domain maps to an IP address, e.g. Amazon.com = 205.251.242.103. Like a library of phone books.

Page 74: Types of DNS

• Authoritative DNS: owns and publishes the "phone books"
• Domain Registrar: maps and records names to numbers in the "phone books"
• Recursive DNS: looks up and remembers the numbers for each name

Page 75: DNS and Malware

Malware validated as "known bad" (91% of all malware) uses the Domain Name System in one of these three ways:

• To gain command and control
• To exfiltrate data
• To redirect traffic

Few companies are monitoring DNS for security purposes (or monitoring DNS at all).
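The three uses of DNS listed above leave traces in the query logs a recursive resolver or passive DNS sensor already produces. As an added example, not from the presentation and not code from any Cisco product, the following Python script scores a constructed query log for two of them: exfiltration or tunnelling (many distinct, high-entropy labels under a single domain) and command-and-control check-ins (one name queried by one client at a fixed cadence). The log format, the thresholds, the client addresses and the .invalid domains are assumptions made for the example; the registrable-domain helper is a two-label approximation, not a Public Suffix List lookup.

```python
"""Toy DNS query-log analysis illustrating the monitoring the slide says few
companies do. Log format, thresholds, hosts and domains are assumptions."""
import hashlib
import math
import statistics
from collections import defaultdict

# --- Constructed sample log (not from the slides). One record per line:
# "<epoch seconds> <client ip> <qtype> <qname>". The .invalid TLD is reserved
# and never resolves on the public Internet.
_benign = [
    "1469000000 10.0.0.5 A www.example.com",
    "1469000003 10.0.0.5 A mail.example.com",
    "1469000010 10.0.0.7 A cdn.example.net",
    "1469000045 10.0.0.5 A www.example.com",
    "1469000200 10.0.0.5 AAAA www.example.com",
]
# Suspected tunnelling: many TXT queries whose leftmost label is an encoded
# chunk (here a constructed hex string) under one rarely seen domain.
_tunnel = [
    f"{1469000020 + 7 * i} 10.0.0.8 TXT "
    f"{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:32]}.tunnel-test.invalid"
    for i in range(12)
]
# Suspected beaconing: the same name queried every 60 seconds.
_beacon = [f"{1469000000 + 60 * i} 10.0.0.9 A update.beacon-test.invalid" for i in range(10)]
SAMPLE_LOG = "\n".join(_benign + _tunnel + _beacon)


def parse_log(text):
    """Parse log lines into (timestamp, client, qtype, qname) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        ts, client, qtype, qname = parts
        records.append((int(ts), client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Approximate the registrable domain as the last two labels (assumption;
    production code should consult the Public Suffix List)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_exfil_candidates(records, min_queries=10, min_unique=8, min_entropy=3.0):
    """Flag domains receiving many queries with many distinct, high-entropy
    leftmost labels: the shape that DNS tunnelling and exfiltration produce."""
    by_domain = defaultdict(list)
    for _ts, _client, _qtype, qname in records:
        by_domain[registrable_domain(qname)].append(qname)
    flagged = set()
    for domain, qnames in by_domain.items():
        if len(qnames) < min_queries:
            continue
        first_labels = {q.split(".")[0] for q in qnames if q != domain}
        if len(first_labels) < min_unique:
            continue
        mean_entropy = statistics.fmean(label_entropy(lab) for lab in first_labels)
        if mean_entropy >= min_entropy:
            flagged.add(domain)
    return flagged


def find_beacons(records, min_queries=6, max_cv=0.1):
    """Flag (client, domain) pairs whose queries for one name arrive at a
    near-constant interval, as command-and-control check-ins tend to."""
    by_pair = defaultdict(list)
    for ts, client, _qtype, qname in records:
        by_pair[(client, qname)].append(ts)
    flagged = set()
    for (client, qname), stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap  # coefficient of variation of the gaps
        if cv <= max_cv:
            flagged.add((client, registrable_domain(qname)))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("exfil candidates:", sorted(find_exfil_candidates(recs)))
    print("beacon candidates:", sorted(find_beacons(recs)))
```

The two rules are deliberately independent: tunnelling varies the name on every query, so it never looks like a beacon, while a beacon repeats one name, so it never accumulates distinct labels. On a real resolver log the thresholds need tuning against a baseline of the organisation's own query volume, and a Public Suffix List lookup replaces the two-label approximation so that names under multi-label suffixes are grouped correctly.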

Page 76: Where Do You Enforce Security?

(Figure: HQ, branch and mobile users reaching the Internet, where malware, botnets/C2 and phishing originate; candidate enforcement points shown as sandbox, proxy, NGFW, NetFlow, router/UTM and per-host AV, each labelled "here?", "& here?" or "or here?".)

Challenges:
• Too many alerts via appliances & AV
• Wait until payloads reach the target
• Every payload scan slows things down
• Too much time to deploy everywhere

Benefits:
• Alerts reduced 2x; improves your SIEM
• Traffic & payloads never reach the target
• Internet access is faster, not slower
• Provision globally in under 30 minutes

Page 77: OpenDNS Works With Everything You Use

Future-proof extensibility:
• Any network: Routers, Wi-Fi, SDN
• Any endpoint: VPN, IoE
• Any technology: Firewalls, Gateways

Secure APIs open to everyone:
• Security providers: FireEye, Cisco, Check Point
• Network providers: Meraki, Aruba, Aerohive
• Customers: In-house security systems

Page 78: Where Does Umbrella Fit?

Traffic to the Internet is split into web traffic, email traffic and all other traffic, both on and off the corporate network.

On network:
• ASA blocks inline by IP, URL or packet
• ESA/CES blocks by sender or content
• WSA/CWS blocks by URL or content via proxy
• Umbrella blocks by domain as well as IP or URL

Off network:
• ESA/CES blocks by sender or content
• CWS blocks by URL or content via proxy
• Umbrella blocks by domain as well as IP or URL

Page 79: Network As A Sensor / Network As An Enforcer

Page 80: Insider Threats

With lateral movement of advanced persistent threats, even external attacks eventually become internal threats.

• 95% of all cybercrime is user-triggered by disguised malicious links
• One out of four breaches is caused by malicious insiders
• Two out of three breaches exploit weak or stolen passwords

Page 81: Cisco Stealthwatch: Ubiquitous visibility via flow telemetry

... your infrastructure is the source: (Figure: flow records exported from every tier of the network, including the Internet border, DMZ, perimeter, WAN and WAN hub, datacenter and virtual hosts, access layer and IDF, and the sites labelled Amador, Delta and Solano.)

Page 82: Anatomy of a Data Breach

(Figure: an attacker and a C2 server outside the enterprise network, the inbound and outbound perimeter, and an admin node inside.)

1. Infiltration and backdoor establishment
2. Reconnaissance and network traversal
3. Exploitation and privilege elevation
4. Staging and persistence (repeat 2, 3, 4)
5. Data exfiltration
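The Stealthwatch premise on page 81 is that flow records the routers and switches already export are enough to see several of the breach stages above. As an added example, not part of the presentation and not code from any Cisco product, this Python script applies two simple rules to constructed NetFlow-style records: an internal host that touches many internal neighbours without receiving any bytes back (stage 2, reconnaissance) and an internal host pushing a large, one-sided volume to a single external address (stage 5, exfiltration). The record layout, the thresholds and every address are assumptions; the external addresses come from the documentation ranges.

```python
"""Toy NetFlow-style analysis for the "network as a sensor" idea. The record
layout, thresholds, hosts and addresses are assumptions made for this example."""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges count as "inside" for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (not real telemetry):
# (start_epoch, src_ip, dst_ip, dst_port, bytes_out, bytes_in)
FLOWS = [
    # ordinary traffic: workstations using an internal web service and an external site
    (1469000000, "10.1.1.10", "10.1.2.20", 443, 1_500, 20_000),
    (1469000030, "10.1.1.10", "198.51.100.5", 443, 20_000, 2_000_000),
    (1469000090, "10.1.1.11", "10.1.2.20", 443, 2_200, 31_000),
    # exfiltration: one host pushing about 120 MB to one external address in three flows
    (1469001000, "10.1.1.50", "203.0.113.10", 443, 40_000_000, 5_000),
    (1469001300, "10.1.1.50", "203.0.113.10", 443, 40_000_000, 5_000),
    (1469001600, "10.1.1.50", "203.0.113.10", 443, 40_000_000, 5_000),
]
# reconnaissance: the same host probing port 445 on 40 neighbours, none of which answer
FLOWS += [(1469000500 + i, "10.1.1.50", f"10.1.2.{i}", 445, 60, 0) for i in range(1, 41)]


def is_internal(ip):
    """True when the address falls in one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_scanners(flows, min_targets=20):
    """Internal sources that touched many distinct internal hosts without getting
    any bytes back: the footprint of a network sweep (breach stage 2)."""
    unanswered = defaultdict(set)
    for _ts, src, dst, _port, _out, bytes_in in flows:
        if is_internal(src) and is_internal(dst) and bytes_in == 0:
            unanswered[src].add(dst)
    return {src for src, dsts in unanswered.items() if len(dsts) >= min_targets}


def find_exfil(flows, min_bytes_out=100_000_000, min_ratio=10.0):
    """(source, external destination) pairs whose outbound volume is large and
    dwarfs the inbound volume: the footprint of data leaving (breach stage 5).
    The ratio check keeps ordinary large downloads from being flagged."""
    totals = defaultdict(lambda: [0, 0])
    for _ts, src, dst, _port, bytes_out, bytes_in in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)][0] += bytes_out
            totals[(src, dst)][1] += bytes_in
    flagged = set()
    for pair, (out_total, in_total) in totals.items():
        if out_total >= min_bytes_out and out_total >= min_ratio * max(in_total, 1):
            flagged.add(pair)
    return flagged


if __name__ == "__main__":
    print("hosts sweeping the network:", sorted(find_scanners(FLOWS)))
    print("likely exfiltration:", sorted(find_exfil(FLOWS)))
```

Both rules are only as good as the flow coverage behind them: a sweep of a subnet whose switch does not export flows is invisible, which is the point the page-81 figure makes by placing flow exporters at every tier. The same host appears in both results here because the constructed data follows the breach sequence on this slide, where the foothold that does the reconnaissance is later used to stage and exfiltrate data.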

Page 83: Cisco 2016 Midyear Cybersecurity Report Highlights (July 2016)

Page 84: Asymmetric battles are greater than our ability to respond

• Persistent Attacks
• Overwhelmed Defenders
• Innovative Methods
• Fragile Infrastructure
• Shifting Tactics
• Rising Vulnerabilities
• Encryption Dilemma
• Global Operations

Page 85

Page 86

Security practitioners need to identify and constrain the operational space of the adversaries.

Page 87: Current Threat Landscape

• Evolution of Ransomware
• Advances in Malicious Tradecraft
• Questionable Network Hygiene

Page 88: Ransomware

• Encryption technique allows per-target customization
• Marking systems and files that have already been encrypted
• Using Bitcoin for anonymous payment
• Dual deadlines for: 1. cost increase, 2. deleting data

Page 89: Ransomware 2.0

Self-propagating:
• Utilization of a vulnerability in a widely deployed product
• Replication to all available drives
• File infections
• Limited brute-force activity
• Resilient command and control
• Use of other backdoors

Modular:
• Autorun.inf / USB mass storage propagation
• Authentication infrastructure exploits
• Command and control / reporting infections
• Rate limiter
• RFC 1918 target address limiter

Page 90: Attack Vectors: Servers on the Horizon

Adversaries expand focus from client-side attacks to server-side attacks.

In April, Cisco estimated that 10% of all JBoss servers worldwide were compromised.

Adobe Flash vulnerabilities continue to be leveraged by exploit kits.

Page 91: Attack Methods: A Spectrum of Opportunity

Lower volume malware for dropping payloads: Worm, Trojan, Trojan-Flash, Trojan-Ransomware, Trojan-Dropper, Android-Trojan

Higher volume malware for gaining access: Windows Binaries, Facebook Scams, Redirectors, Packed Binaries, Android Adware, Trojans

Page 92: Exploit Kit Activity: Adobe Flash and Malvertising

Adobe Flash and Microsoft Silverlight vulnerabilities are leveraged by most exploit kits.

Exploit kits: Nuclear, Magnitude, Angler, Neutrino, RIG

Vulnerabilities:
• Flash: CVE-2015-7645, CVE-2015-8446, CVE-2015-8651, CVE-2016-1019, CVE-2016-1001, CVE-2016-4117
• Silverlight: CVE-2016-0034

Page 93: Malware Use of HTTPS

HTTPS use increased 300% for ad-injectors in the last 4 months. Ad injection is the biggest contributor. Adversaries are using HTTPS traffic to expand their time to operate.

Page 94: 2016 Midyear Cybersecurity Report

www.cisco.com/go/mcr2016

Page 95: Conclusion

Page 96: Cisco Provides Threat Intelligence, Point-in-Time Detection, and Continuous Analysis of Files to Defeat Advanced Threats

Attack Continuum (across Data Center/Servers, Endpoints, Email and Web, Network, Mobile):
• Before: Discover, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate

• Threat intelligence and analytics
• Point-in-Time detection
• Retrospective security and continuous analysis

Page 97: Thank You and Next Steps

Brian [email protected]

www.

Learn more about Cisco Security: www.cisco.com/go/security/

Contact Your Cisco Partner: https://tools.cisco.com/WWChannels/LOCATR/performBasicSearch.do

Page 98: Join us again for a future Cisco Customer Education Event

• CCE sessions are held weekly on a variety of topics
• CCE sessions can help you understand the capabilities and business benefits of Cisco technologies
• Watch replays of past events and register for upcoming events!

Visit http://cs.co/cisco101 for details

Page 99: Thank you.