Transcript of Threat-Centric Security Solutions. The Problem is Threats
C97-734778-00 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
http://www.networkworld.com/article/2989827/security/cisco-disrupts-60m-ransomware-biz.html
About Angler Exploit Kit
Adversaries’ Agility is Their Strength
Constant upgrades increased Angler's penetration rate to 40%, twice as effective as other exploit kits in 2014.
[Slide figure: Angler is continually throwing different 'hooks' in the water to increase the chances of compromise: Flash vulnerabilities, encrypted malicious payload, macros, social engineering, IP changing, domain shadowing, retargeting, ransomware, with more being developed daily, all leading to a compromised system. Security measures on the defender's side: web blocking, IP blocking, retrospective analysis, antivirus, endpoint solutions, email scanning; the gap between attack and response is the time to detection (TTD).]
Patching: A Window of Opportunity
Users who do not move quickly to the latest Flash version, or who never apply the patches, create an opportunity for Angler and other exploit kits to target the vulnerability.
[Slide figure: timeline from 1 Feb to 1 Jun 2015 of Flash Player updates published (15.0.0.246, 16.0.0.235, 16.0.0.257, 16.0.0.287, 16.0.0.296, 16.0.0.305, 17.0.0.134, 17.0.0.169, 17.0.0.188), the vulnerabilities Angler exploited in the same period (CVE-2015-0310, CVE-2015-0313, CVE-2015-0336, CVE-2015-0359, CVE-2015-0390) and the lagging user update activity in between.]
Evolution: Threats and Response
Threats: Worms; Spyware / Rootkits; APTs / Cyberware; Increased Attack Surface (Mobility & Cloud)
Response: Host-based (anti-virus), 2000; Network perimeter (IDS/IPS), 2005; Global reputation & sandboxing, 2010; Intelligence & analytics, today
A Threat-Centric and Operational Security Model: Visibility and Context, Security Services
Attack Continuum
BEFORE (Discover, Enforce, Harden): Firewall, NG FW, VPN, UTM, Secure Access + Identity Management
DURING (Detect, Block, Defend): NG IPS, Web
AFTER (Scope, Contain, Remediate): Advanced Malware Protection, Network Behavior Analysis, Sandboxing
TALOS: Collective Security Intelligence
Cisco Talos (Talos Security Intelligence and Research Group)
Inputs: Sourcefire AEGIS™ Program; private and public threat feeds; Sandnets; FireAMP™ community; honeypots; advanced Microsoft and industry disclosures; SPARK Program; Snort and ClamAV open source communities; file samples (>1.1 million per day)
Processing: sandboxing, machine learning, big data infrastructure
Outputs: IPS rules, malware protection, reputation feeds, vulnerability database updates
Building a Visibility Architecture
Why?
• Automation
• Contextualization
• Anomaly Detection
• Event-driven Security
Central Management, Intelligence and Context
• FireSIGHT Management Centre: central management, policy definition, event analysis, correlation, network map (users, devices, apps, etc.)
• FirePOWER appliances and Firepower Services on ASA: real-time traffic analysis, access control, passive acquisition
The sensors generate events (IPS, intelligence, file, malware, access control, flow, discovery) and the FireSIGHT Management Centre processes them.
FireSIGHT Management Centre: SecOps Workflows
• NGFW/NGIPS management
• Forensics / log management
• Network AMP / trajectory
• Vulnerability management
• Incident control system
• Adaptive security policy
• Retrospective analysis
• Correlated SIEM eventing
• Network-wide / client visibility
Visibility categories: threats, users, web applications, application protocols, file transfers, malware, command & control servers, client applications, network servers, operating systems, routers & switches, mobile devices, printers, VoIP phones, virtual machines
FireSIGHT Brings Visibility
(The slide compares the coverage of Cisco FireSIGHT against a typical IPS and a typical NGFW for each category.)
Category                    Examples
Threats                     Attacks, Anomalies
Users                       AD, LDAP, POP3
Web Applications            Facebook Chat, Ebay
Application Protocols       HTTP, SMTP, SSH
File Transfers              PDF, Office, EXE, JAR
Malware                     Conficker, Flame
Command & Control Servers   C&C Security Intelligence
Client Applications         Firefox, IE, BitTorrent
Network Servers             Apache 2.3.1, IIS4
Operating Systems           Windows, Linux
Routers & Switches          Cisco, Nortel, Wireless
Mobile Devices              iPhone, Android, Jailbroken
Printers                    HP, Xerox, Canon
VoIP Phones                 Cisco, Avaya, Polycom
Virtual Machines            VMware, Xen, RHEV
FireSIGHT Fuels Automation
• IT Insight: spot rogue hosts, anomalies, policy violations, and more
• Impact Assessment: threat correlation reduces actionable events by up to 99%
• Automated Tuning: adjust IPS policies automatically based on network change
• User Identification: associate users with security and compliance events
Impact Assessment
Correlates every intrusion event with what is known about the target host to rate the impact of the attack against that target.
Impact flag   Administrator action                       Why
1             Act Immediately, Vulnerable                Event corresponds to a vulnerability mapped to the host
2             Investigate, Potentially Vulnerable        Relevant port open or protocol in use, but no vulnerability mapped
3             Good to Know, Currently Not Vulnerable     Relevant port not open or protocol not in use
4             Good to Know, Unknown Target               Monitored network, but unknown host
0             Good to Know, Unknown Network              Unmonitored network
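The impact-flag table above is a decision procedure: walk it top-down for each intrusion event against the host profile that passive discovery built. The following is an added example of that correlation, not FireSIGHT/FMC code; the monitored range, the host profiles, the mapping of CVE-2015-0310 to a host and the vulnerability label VULN-EXAMPLE-2 are all constructed for illustration.

```python
"""Impact-flag assignment for intrusion events, following the table above.

Added example, not FireSIGHT/FMC code. The monitored network, the host
profiles, the vulnerability-to-host mapping and the events are constructed.
"""
from dataclasses import dataclass
import ipaddress

# Flag -> administrator action, as listed on the slide.
IMPACT_ACTION = {
    1: "Act Immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to Know, Currently Not Vulnerable",
    4: "Good to Know, Unknown Target",
    0: "Good to Know, Unknown Network",
}


@dataclass(frozen=True)
class HostProfile:
    """What passive discovery learned about one host."""
    ip: str
    open_services: frozenset   # {(proto, port), ...} seen in use on the host
    vulns: frozenset           # vulnerability IDs mapped to the host's OS/apps


@dataclass(frozen=True)
class IntrusionEvent:
    dst_ip: str
    proto: str
    dst_port: int
    vulns: frozenset           # vulnerability IDs the firing IPS rule is associated with


# Constructed: the range the sensor is asked to discover, and two known hosts.
MONITORED_NETWORKS = [ipaddress.ip_network("10.4.0.0/16")]
HOSTS = {
    "10.4.60.10": HostProfile("10.4.60.10",
                              frozenset({("tcp", 80), ("tcp", 445)}),
                              frozenset({"CVE-2015-0310"})),   # constructed mapping
    "10.4.60.11": HostProfile("10.4.60.11",
                              frozenset({("tcp", 22)}),
                              frozenset()),
}


def impact_flag(ev, hosts=HOSTS, monitored=MONITORED_NETWORKS):
    """Return the impact flag (0-4) for one event, walking the table top-down."""
    ip = ipaddress.ip_address(ev.dst_ip)
    if not any(ip in net for net in monitored):
        return 0                                   # unmonitored network
    host = hosts.get(ev.dst_ip)
    if host is None:
        return 4                                   # monitored network, unknown host
    if ev.vulns & host.vulns:
        return 1                                   # the rule's vulnerability is mapped to the host
    if (ev.proto, ev.dst_port) in host.open_services:
        return 2                                   # service in use, but no vulnerability mapped
    return 3                                       # target is not listening on that port


def triage(events):
    """Rate every event; flags 1 and 2 are actionable, 3, 4 and 0 are informational."""
    rated = [(impact_flag(ev), ev) for ev in events]
    actionable = [(flag, ev) for flag, ev in rated if flag in (1, 2)]
    return rated, actionable


if __name__ == "__main__":
    events = [
        IntrusionEvent("10.4.60.10", "tcp", 80, frozenset({"CVE-2015-0310"})),
        IntrusionEvent("10.4.60.10", "tcp", 445, frozenset({"VULN-EXAMPLE-2"})),
        IntrusionEvent("10.4.60.11", "tcp", 80, frozenset({"CVE-2015-0310"})),
        IntrusionEvent("10.4.60.99", "tcp", 80, frozenset({"CVE-2015-0310"})),
        IntrusionEvent("192.0.2.7", "tcp", 80, frozenset({"CVE-2015-0310"})),
    ]
    rated, actionable = triage(events)
    for flag, ev in rated:
        print(flag, IMPACT_ACTION[flag], ev.dst_ip, ev.dst_port)
    print(f"{len(actionable)} of {len(rated)} events need an analyst")
```

The reduction the slide advertises comes entirely from the quality of the host profiles: a stale discovery map turns flag-1 events into flag-4 noise, so the correlation is only as good as the passive acquisition feeding it.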
Cisco FireSIGHT Context Collection Platform
• IPS events: malware backdoors, exploit kits, web app attacks, CnC connections, admin privilege escalations
• SI (security intelligence) events: connections to known CnC IPs
• Malware events: malware detections, Office/PDF/Java compromises, malware executions, dropper infections
FireSIGHT: Detecting Anomalies
Reduced Risk and Cost
• Detects if a new application appears or the traffic profile of a host changes
• Identifies hacked hosts
• Useful in static environments: SCADA, DMZ, MEDTEC, ...
Example alert: "Host has suddenly started to use an SSH client and its outgoing traffic volume has increased 3x."
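The alert quoted above needs two things a sensor can build from flow and discovery data: a per-host baseline of client applications and outbound volume, and a comparison of the current day against it. The following is an added example of that logic, not FireSIGHT code; the flow summaries, the hosts and the 3x threshold are constructed to reproduce the alert on the slide.

```python
"""Per-host baseline and anomaly detection over daily flow summaries.

Added example, not FireSIGHT code. The flow summaries below are constructed:
(day, host, client_app, bytes_out). Host 10.4.51.5 browses normally for four
days, then starts an SSH session that triples its outbound volume on day 5.
"""
from collections import defaultdict
from statistics import mean

FLOWS = [
    (1, "10.4.51.5", "http", 1_000_000),
    (2, "10.4.51.5", "http", 1_200_000),
    (3, "10.4.51.5", "http", 900_000),
    (4, "10.4.51.5", "http", 1_100_000),
    (5, "10.4.51.5", "http", 1_000_000),
    (5, "10.4.51.5", "ssh", 2_600_000),     # new client application, large upload
    (1, "10.4.51.9", "smb", 300_000),
    (2, "10.4.51.9", "smb", 320_000),
    (3, "10.4.51.9", "smb", 280_000),
    (4, "10.4.51.9", "smb", 300_000),
    (5, "10.4.51.9", "smb", 350_000),       # ordinary day-to-day variation
]


def build_baseline(flows, baseline_days):
    """Per host: the set of client apps seen and the average daily outbound bytes."""
    apps = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, host, app, out_bytes in flows:
        if day in baseline_days:
            apps[host].add(app)
            daily[host][day] += out_bytes
    return {host: {"apps": frozenset(apps[host]),
                   "avg_bytes": mean(daily[host].values())}
            for host in apps}


def detect(flows, baseline, day, ratio=3.0):
    """Alert on a new client application or on outbound volume above ratio x baseline."""
    seen_apps = defaultdict(set)
    totals = defaultdict(int)
    for d, host, app, out_bytes in flows:
        if d == day:
            seen_apps[host].add(app)
            totals[host] += out_bytes
    alerts = []
    for host, apps in seen_apps.items():
        base = baseline.get(host)
        if base is None:
            alerts.append((host, "host not in baseline"))   # new host: profile it first
            continue
        for app in sorted(apps - base["apps"]):
            alerts.append((host, f"new client application: {app}"))
        factor = totals[host] / base["avg_bytes"]
        if factor > ratio:
            alerts.append((host, f"outbound volume {factor:.1f}x baseline"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(FLOWS, baseline_days={1, 2, 3, 4})
    for host, message in detect(FLOWS, baseline, day=5):
        print(f"ALERT {host}: {message}")
```

Two alerts fire for 10.4.51.5 and none for 10.4.51.9; the point of a baseline is that the same absolute volume would be normal on a file server and alarming on a workstation, which is why this works best in the static environments the slide names.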
FireSIGHT: Automated Responses
Reduced Risk and Cost
• Use a pre-defined or custom script to initiate automatic actions
• E.g., quarantine a device through the ISE API
Indications of compromise (an IPS event with impact 1, malware, communication with a botnet) trigger QUARANTINE: ISE changes the endpoint's VLAN or SGT.
OpenAppID: First Open-Source Application Identification and Control
• OpenAppID language documentation: accelerates the identification and protection of new cloud-delivered applications
• Special Snort engine with the OpenAppID preprocessor: detect apps on the network, report usage stats, block apps by policy, Snort rule language extensions to enable app specification, append the application name to IPS events
• Library of OpenAppID detectors: over 1000 detectors to use with the Snort preprocessor, plus extendable sample detectors
FirePOWER Services available on all ASA platforms
Platform          AVC         AVC+IPS     Connections   CPS
SMB / SMB branch locations
ASA 5506-X        250 Mbps    125 Mbps    20K/50K*      5,000
ASA 5506W-X       250 Mbps    125 Mbps    20K/50K*      5,000   (integrated wireless AP)
ASA 5506H-X       250 Mbps    125 Mbps    20K/50K*      5,000   (ruggedized)
ASA 5508-X        450 Mbps    250 Mbps    100K          10,000
ASA 5516-X        850 Mbps    450 Mbps    250K          20,000
Branch locations / small-medium Internet edge
ASA 5512-X        300 Mbps    150 Mbps    100K          10,000
ASA 5515-X        500 Mbps    250 Mbps    250K          15,000
ASA 5525-X        1.1 Gbps    650 Mbps    500K          20,000
ASA 5545-X        1.5 Gbps    1 Gbps      750K          30,000
ASA 5555-X        1.75 Gbps   1.25 Gbps   1M            50,000
Campus / data center, enterprise Internet edge
ASA 5585-SSP10    4.5 Gbps    2 Gbps      500K          40,000
ASA 5585-SSP20    7 Gbps      3.5 Gbps    1M            75,000
ASA 5585-SSP40    10 Gbps     6 Gbps      1.8M          120,000
ASA 5585-SSP60    15 Gbps     10 Gbps     4M            160,000
*Requires Security Plus license
FirePOWER 9300: High-end Platform
Supervisor: application deployment and orchestration; network attachment (10/40/100GE) and traffic distribution; clustering base layer for Cisco® ASA, NGFW, and NGIPS
Security modules: embedded packet and flow classifier and crypto hardware; Cisco (ASA, NGFW, and NGIPS) and third-party (DDoS, load-balancer) applications; standalone or clustered within a chassis (up to 240 Gbps) and across chassis (1 Tbps+)
AMP: Advanced Malware Protection
Host-based AMP (AMP for hosts: Windows, Mac and Linux desktops, Android mobile devices)
• Small agent
• Monitors file access (move/copy/execute)
• Gathers features (fingerprint & attributes)
• Retrieves the file's disposition (clean, malware, unknown) from the detection services and big data analytics behind the private cloud / SaaS manager
Network-based AMP (Sourcefire sensor or ASA FirePOWER Services, managed from the FireSIGHT Management Center)
• No agent needed
• Requires the AMP Malware license
Prevention Framework: Ethos Engine
• ETHOS = fuzzy fingerprinting using static/passive heuristics
• Polymorphic variants of a threat often share the same structural properties
• Not concerned with the binary contents
• Higher multiplicity: one fingerprint captures the original and its variants
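What "not concerned with binary contents" buys you is easiest to see next to a plain content hash. The following is an added example of structural fingerprinting in the spirit of the Ethos description, not Cisco's Ethos implementation (whose feature set the page does not describe); the parsed-PE metadata is written out by hand rather than read from real executables, so the script runs offline, and the feature choice (section layout, size buckets, import set) is this example's own.

```python
"""Structural ('fuzzy') fingerprint versus a 1-to-1 content hash.

Added example, not Cisco's Ethos engine. The metadata dictionaries stand in
for what a PE parser would return; they are constructed for illustration.
"""
import hashlib


def _size_bucket(n):
    """Log2 bucket: padding a section by a few hundred bytes keeps the bucket,
    doubling it changes the bucket."""
    return n.bit_length()


def ethos_fingerprint(meta):
    """Hash only structural properties; the section bytes are never looked at."""
    sections = tuple((s["name"], _size_bucket(s["virtual_size"]), s["characteristics"])
                     for s in meta["sections"])
    # Import tables are normalised so case and ordering differences do not matter.
    imports = tuple(sorted((dll.lower(), tuple(sorted(funcs)))
                           for dll, funcs in meta["imports"].items()))
    structure = (meta["machine"], meta["subsystem"], meta["entry_section"],
                 sections, imports)
    return hashlib.sha256(repr(structure).encode()).hexdigest()


def content_hash(blob):
    """The 1-to-1 signature: any changed byte gives a different value."""
    return hashlib.sha256(blob).hexdigest()


def same_family(a, b):
    return ethos_fingerprint(a) == ethos_fingerprint(b)


# Constructed metadata: an original sample and a repacked variant with padded
# sections, a reordered import table and different embedded strings.
ORIGINAL = {
    "machine": 0x14C, "subsystem": 2, "entry_section": ".text",
    "sections": [
        {"name": ".text",  "virtual_size": 0x4000, "characteristics": 0x60000020},
        {"name": ".rdata", "virtual_size": 0x1200, "characteristics": 0x40000040},
        {"name": ".data",  "virtual_size": 0x0800, "characteristics": 0xC0000040},
    ],
    "imports": {"KERNEL32.dll": ["CreateFileW", "WriteFile", "GetTempPathW"],
                "ADVAPI32.dll": ["RegSetValueExW"]},
}
VARIANT = {
    "machine": 0x14C, "subsystem": 2, "entry_section": ".text",
    "sections": [
        {"name": ".text",  "virtual_size": 0x4120, "characteristics": 0x60000020},
        {"name": ".rdata", "virtual_size": 0x1180, "characteristics": 0x40000040},
        {"name": ".data",  "virtual_size": 0x0810, "characteristics": 0xC0000040},
    ],
    "imports": {"advapi32.dll": ["RegSetValueExW"],
                "kernel32.dll": ["WriteFile", "GetTempPathW", "CreateFileW"]},
}
UNRELATED = {
    "machine": 0x8664, "subsystem": 3, "entry_section": ".text",
    "sections": [
        {"name": ".text", "virtual_size": 0x20000, "characteristics": 0x60000020},
        {"name": ".data", "virtual_size": 0x3000, "characteristics": 0xC0000040},
    ],
    "imports": {"kernel32.dll": ["ReadFile"], "ws2_32.dll": ["connect", "send"]},
}

# Constructed file bytes for the content-hash comparison (not real executables).
ORIGINAL_BYTES = b"MZ" + bytes(range(60)) + b"\x00" * 8
VARIANT_BYTES = b"MZ" + bytes(range(60)) + b"\xff" * 8

if __name__ == "__main__":
    print("content hashes equal:", content_hash(ORIGINAL_BYTES) == content_hash(VARIANT_BYTES))
    print("ethos: original vs variant  ", same_family(ORIGINAL, VARIANT))
    print("ethos: original vs unrelated", same_family(ORIGINAL, UNRELATED))
```

The trade-off is the usual one for fuzzy matching: the coarser the buckets and the fewer the features, the more variants one fingerprint covers and the more benign files it risks sweeping up, which is why the slide lists Ethos as one engine among several rather than the sole verdict.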
Protection technique: Spero Engine
• SPERO = machine learning using active heuristics
[Slide figure: training pipeline. Clean/dirty samples and customer data supply feature vectors (the featureprint of a file: system environment export, keyboard API hook, DLLs loaded, ...) together with the expected label (disposition); a machine learning algorithm (decision trees) produces a hypothesis / predictive model that labels files clean, unknown or malware, with performance monitoring of the labels it assigns.]
Plan A: The Protection Framework
• 1-to-1 signatures
• Ethos
• Spero
• IOCs
• Dynamic analysis
• Advanced analytics
• Device flow correlation
Every prevention solution delivers < 100% protection.
Plan B: Retrospective Security
• When you can't detect 100%, visibility is critical
Point-in-time detection (antivirus, sandboxing): initial disposition = clean, and analysis stops there. When the actual disposition turns out to be bad it is too late, and the defender is blind to the scope of the compromise. Techniques that defeat point-in-time detection: sleep techniques, unknown protocols, encryption, polymorphism.
Cisco AMP retrospective detection: initial disposition = clean, but analysis continues. When the actual disposition becomes bad the file is blocked and AMP "turns back time" to show everywhere the file went. Detection is still not 100%; visibility and control are key.
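The difference between the two columns above is what happens to the file trajectory after the first verdict. The following is an added example, not AMP code: it replays a constructed trajectory with point-in-time decisions, then flips the disposition later and uses the recorded trajectory to answer the question point-in-time detection cannot, which hosts had the file and which executed it. Hosts, timestamps and hashes are constructed (the hashes are sha256 of short strings, not real samples).

```python
"""Point-in-time versus retrospective detection over a file trajectory log.

Added example, not AMP code. The trajectory, hosts and verdict time are
constructed; FILE_A and FILE_B are hashes of short strings, not real samples.
"""
import hashlib
from collections import defaultdict


def sha(text):
    return hashlib.sha256(text.encode()).hexdigest()


FILE_A = sha("constructed sample A")
FILE_B = sha("constructed sample B")

# Constructed trajectory: what each connector reported as the file moved.
TRAJECTORY = [
    {"ts": "2015-06-01T09:00", "host": "pc-17", "sha256": FILE_A, "action": "create", "via": "email"},
    {"ts": "2015-06-01T09:02", "host": "pc-17", "sha256": FILE_A, "action": "execute"},
    {"ts": "2015-06-01T11:30", "host": "pc-22", "sha256": FILE_A, "action": "copy", "via": "smb"},
    {"ts": "2015-06-01T12:10", "host": "pc-22", "sha256": FILE_A, "action": "move"},
    {"ts": "2015-06-01T13:00", "host": "pc-31", "sha256": FILE_B, "action": "create", "via": "web"},
]


class DispositionCache:
    """Current disposition per hash, plus the history of changes."""

    def __init__(self):
        self.current = {}
        self.history = defaultdict(list)

    def lookup(self, file_hash):
        return self.current.get(file_hash, "unknown")

    def update(self, file_hash, disposition, ts):
        old = self.lookup(file_hash)
        self.current[file_hash] = disposition
        self.history[file_hash].append((ts, old, disposition))
        return old, disposition


def point_in_time(cache, event):
    """Plan A: block only if the disposition is malware at the moment of the event."""
    return "block" if cache.lookup(event["sha256"]) == "malware" else "allow"


def retrospective_scope(trajectory, file_hash):
    """Plan B: every host that ever held the file, with first sighting and execution."""
    scope = {}
    for ev in trajectory:
        if ev["sha256"] != file_hash:
            continue
        entry = scope.setdefault(ev["host"], {"first_seen": ev["ts"], "executed": False,
                                              "via": ev.get("via")})
        if ev["action"] == "execute":
            entry["executed"] = True
    return scope


def simulate(trajectory, verdict_ts, file_hash):
    """Replay the trajectory, then receive a late 'malware' verdict for file_hash."""
    cache = DispositionCache()
    decisions = [(ev["host"], point_in_time(cache, ev)) for ev in trajectory]
    old, new = cache.update(file_hash, "malware", verdict_ts)
    alert = None
    if old != "malware" and new == "malware":           # disposition flipped: retrospective event
        scope = retrospective_scope(trajectory, file_hash)
        alert = {"sha256": file_hash,
                 "hosts": scope,
                 "patient_zero": min(scope, key=lambda h: scope[h]["first_seen"]),
                 "to_remediate": sorted(h for h, e in scope.items() if e["executed"])}
    return decisions, alert


if __name__ == "__main__":
    decisions, alert = simulate(TRAJECTORY, "2015-06-01T14:00", FILE_A)
    print("point-in-time decisions:", decisions)     # every one is "allow"
    print("retrospective alert:", alert)
```

Without the stored trajectory the late verdict would only let you block the next copy; with it, the same verdict becomes a scoped incident with a patient zero, an entry vector and a remediation list.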
Trajectory – Network Level
There Are Several Ways You Can Deploy AMP
AMP on Email and Web; Cisco® ASA; CWS
  Method: license with ESA, WSA, CWS, or ASA
  Ideal for: new or existing Cisco CWS, Email/Web Security, ASA customers
  Details: ESA/WSA give prime visibility into email/web; CWS provides web and advanced malware protection in a cloud-delivered service; AMP capabilities on ASA with FirePOWER Services
AMP for Networks (AMP on a FirePOWER network appliance)
  Method: snap into your network
  Ideal for: IPS/NGFW customers
  Details: wide visibility inside the network; broad selection of features before, during, and after an attack
AMP for Endpoints
  Method: install a lightweight connector on endpoints
  Ideal for: Windows, Linux, Windows OS for POS, Mac, Android; can also be deployed from the AnyConnect client
  Details: comprehensive threat protection and response; granular visibility and control; widest selection of AMP features
AMP Private Cloud Virtual Appliance
  Method: on-premises virtual appliance
  Ideal for: high-privacy environments
  Details: private cloud option for those with high-privacy requirements; can be deployed in full air-gapped mode or cloud proxy mode; for endpoints and networks
Network as a Sensor: Lancope StealthWatch
Real-time visibility at all network layers
• Data intelligence throughout the network
• Asset discovery
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response
StealthWatch consumes NetFlow from the network and exchanges context information and mitigation actions with Cisco ISE over pxGrid.
Integrated Threat Defense (Detection & Containment)
[Slide figure: the network fabric connects two employees, a supplier, a shared server, a server, a high-risk segment and the Internet. Lancope StealthWatch raises the event "TCP SYN Scan, Source IP: 10.4.51.5, Role: Supplier, Response: Quarantine"; ISE issues a change of authorization and the supplier endpoint is moved into quarantine.]
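The quarantine shown in the figure, and the ISE-driven quarantine in the earlier "FireSIGHT: Automated Responses" slide, are the same action triggered from two different detectors. The following is an added example of that chain, not StealthWatch or ISE code: it detects a SYN scan from constructed flow records, enriches the source with constructed identity context, and builds (but does not send) the request to the ISE ERS Adaptive Network Control endpoint. The ISE hostname, credentials and the policy name "Quarantine" are assumptions; the ERS path `/ers/config/ancendpoint/apply` is the documented ANC apply operation, but check that your ISE release exposes it and that a VLAN- or SGT-changing ANC policy of that name exists before wiring it to an automated trigger.

```python
"""Flow-based SYN scan detection with an automated ISE quarantine request.

Added example, not StealthWatch or ISE code. Flow records, identity context,
ISE hostname, credentials and ANC policy name are constructed / assumed.
The request object is built but never sent.
"""
import json
import urllib.request
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, tcp_flags, bytes_returned_by_dst)
FLOWS = [
    *[("10.4.51.5", "10.4.60.10", port, "S", 0)
      for port in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080)],
    ("10.4.51.9", "10.4.60.10", 445, "SPA", 48_200),
    ("10.4.51.9", "10.4.60.10", 445, "SPA", 51_000),
    ("10.4.51.12", "10.4.60.11", 22, "SPA", 9_300),
]

# Constructed identity context, the kind of data ISE publishes over pxGrid.
IDENTITY = {
    "10.4.51.5":  {"mac": "00:11:22:33:44:55", "role": "Supplier"},
    "10.4.51.9":  {"mac": "00:11:22:33:44:66", "role": "Employee"},
    "10.4.51.12": {"mac": "00:11:22:33:44:77", "role": "Employee"},
}


def detect_syn_scans(flows, min_ports=10):
    """A source with SYN-only flows to many distinct ports and nothing returned
    is scanning; real sessions carry PSH/ACK and bring bytes back."""
    probes = defaultdict(set)
    for src, dst, port, flags, returned in flows:
        if flags == "S" and returned == 0:
            probes[src].add((dst, port))
    return {src: sorted(p) for src, p in probes.items()
            if len({port for _, port in p}) >= min_ports}


def build_incident(src, probes, identity):
    """Attach role/MAC context; the response policy here (quarantine suppliers
    automatically, only flag employees) is a constructed example policy."""
    ctx = identity.get(src, {})
    role = ctx.get("role", "Unknown")
    return {"event": "TCP SYN Scan", "source_ip": src, "ports_probed": len(probes),
            "role": role, "mac": ctx.get("mac"),
            "response": "Quarantine" if role == "Supplier" else "Investigate"}


def ise_anc_request(ise_host, mac, policy="Quarantine", basic_token="REPLACE_ME"):
    """Build the ERS ANC 'apply' request; the caller decides whether to send it."""
    body = {"OperationAdditionalData": {"additionalData": [
        {"name": "macAddress", "value": mac},
        {"name": "policyName", "value": policy},
    ]}}
    return urllib.request.Request(
        f"https://{ise_host}:9060/ers/config/ancendpoint/apply",
        data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Basic {basic_token}"})


def respond(flows, identity, ise_host):
    """Detection -> context -> containment, returning what would be sent."""
    incidents, requests = [], []
    for src, probes in detect_syn_scans(flows).items():
        incident = build_incident(src, probes, identity)
        incidents.append(incident)
        if incident["response"] == "Quarantine" and incident["mac"]:
            requests.append(ise_anc_request(ise_host, incident["mac"]))
    return incidents, requests


if __name__ == "__main__":
    incidents, requests = respond(FLOWS, IDENTITY, "ise.example.net")
    for inc in incidents:
        print(inc)
    for req in requests:
        print(req.get_method(), req.full_url, req.data.decode())
```

Keeping the decision in `build_incident` separate from the transport in `ise_anc_request` is deliberate: the automated path should only ever reach ISE for the cases the policy explicitly allows, and everything else lands in an analyst queue.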
Quarantine from StealthWatch
How Effective is AMP?
• Cisco Mid-Year Security Report, 2015: Time to Detection (TTD), industry average 200 days vs. Cisco 46 hours
• NSS Labs, Breach Detection Systems report 2014: "AMP was the leader in numerous categories. AMP not only scored a 99 percent overall breach detection rating, but was the leader in lowest cost-of-ownership"
• NSS Labs, Breach Detection Systems report 2015: "99.2% Security Effectiveness rating – the highest of all vendors tested. Only vendor to block 100% of all evasion techniques during testing. Excellent performance with minimal impact on endpoint or application latency"