Cisco Customer Education Hackers, Botnets and Malware - Oh My!
Battle 21st Century Threats with Cisco Next-Gen Security
This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:
https://acecloud.webex.com/acecloud/lsr.php?RCID=9e08229bfa2b47b1a1f14a196b772b9e
Thanks for your interest and participation!
Connect using the audio conference box or you can call into the meeting:
1. Toll-Free: (866) 432-9903
2. Enter Meeting ID: 201 331 482 and your attendee ID number.
3. Press “1” to join the conference.
Presentation Agenda
► Welcome from Cisco
► Security in the 21st Century
► There’s Big Money in Hacking
► Introducing Cisco Security
► Conclusion
About Your Host: Brian Avery, Territory Business Manager, Cisco Systems, Inc.
Cisco Confidential 4 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Who Is Cisco?
1984: Computer scientists Len Bosack and Sandy Lerner found Cisco Systems.
Bosack and Lerner run network cables between two different buildings on the Stanford University campus.
A technology has to be invented to deal with disparate local area protocols; the multi-protocol router is born.
Who Is Cisco?
Chuck Robbins, CEO, Cisco
• Dow Jones Industrial Average, Fortune 100 Company
• $145B Market Capitalization
• $48B in Revenue
• $8B in Annual Profits
• $33B More Cash than Debt
• $5.9B in Research and Development
http://finance.yahoo.com/q/ks?s=CSCO+Key+Statistics
Market Leadership Matters (Q1CY14)
No. 1 Voice: 39%
No. 1 TelePresence: 43%
No. 1 Web Conferencing: 41%
No. 1 Wireless LAN: 50%
No. 2 x86 Blade Servers: 27%
No. 1 Routing (Edge/Core/Access): 45%
No. 1 Security: 33%
No. 1 Switching (Modular/Fixed): 64%
No. 1 Storage Area Networks: 47%
What Is the Cisco Customer Education Series?
§ CCE is an educational session for current and prospective Cisco customers
§ Designed to help you understand the capabilities and business benefits of Cisco technologies
§ Allow you to interact directly with Cisco subject matter experts and ask questions
§ Offer assistance if you need/want more information, demonstrations, etc.
Security in the 21st Century
Remember This Movie?
http://www.imdb.com/title/tt0086567/
Setec Astronomy!
http://www.imdb.com/title/tt0105435/
There’s Big Money in Hacking
The Industrialization of Hacking (timeline, 1990–2020)
Viruses: 1990–2000
Worms: 2000–2005
Spyware and Rootkits: 2005–Today
APTs, Cyberwar: Today and beyond
Trend over the period: from phishing and low sophistication, to hacking becoming an industry, to sophisticated attacks in a complex landscape
http://www.popsci.com/dark-web-revealed
The Problem is “The Easy Button”
Total breaches in 2014: 783; records exposed: 85,611,528 (as of 12/31/2014, http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf)
Attack Vectors
§ Virus
§ Trojan
§ Worm
§ Phishing
§ Social Engineering
§ Malware
§ Spyware
§ Botnets
§ Hacking
§ Malicious Web Sites
§ OS Vulnerabilities
§ So much more…
But… I am just a small fish in a BIG pond.
Yet organizations of every size are targets
Adversaries are attacking you by targeting your organization’s customer data, intellectual property and company secrets, and using you to attack your enterprise customers and partners.
60% of UK small businesses were compromised in 2014 (2014 Information Security Breaches Survey)
100% of corporate networks examined had malicious traffic (Cisco 2014 Annual Security Report)
41% of targeted attacks are against organizations with fewer than 500 employees (July 2014, The National Cyber Security Alliance (NCSA))
Traditionally your security options have been limited:
Multiple Point Solutions: difficult integrations leave security gaps; costly and time-consuming setup and support
Unified Threat Management (UTM): stateful firewall, VPN, malware analysis; limited threat effectiveness
Dynamic Threat Landscape
It is a community that hides in plain sight, avoids detection, and attacks swiftly.
60% of data is stolen in hours
54% of breaches remain undiscovered for months
100% of companies connect to domains that host malicious files or services
If you knew you were going to be compromised, would you do security differently?
The Question Is No Longer if Malware Will Get Into Your Network
Where do I start?
How bad is the situation?
What systems were affected?
What did the threat do?
How do we recover?
How do we keep it from happening again?
Incident response workflow (as laid out on the slide):
1. Confirm Infection: search network traffic, search device logs, scan devices; outcome is Infection Identified, Cannot Identify Infection, or No Infection
2. Analyze Malware: build test bed, static and dynamic analysis, malware profile, define rules (from profile)
3. Malware Proliferation: device analysis, network analysis, proliferation analysis
4. Remediate: notification, quarantine, triage, stop, search for re-infection, update profile, confirm
It’s How Quickly You Can Detect the Infection, Understand Scope, and Remediate the Problem
Introducing Cisco Security
Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
Attack Continuum
Before: Discover, Enforce, Harden
During: Detect, Block, Defend
After: Scope, Contain, Remediate
Across: Network, Endpoint, Mobile, Virtual, Cloud, Email & Web
Point in Time and Continuous
Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
Attack Continuum
Before: Discover, Enforce, Harden
During: Detect, Block, Defend
After: Scope, Contain, Remediate
Portfolio mapped onto the continuum: FireSIGHT and pxGrid, ASA, VPN, NGFW, Meraki, Advanced Malware Protection, Network as Enforcer, NGIPS, ESA/WSA, CWS, Secure Access + Identity Services, ThreatGRID
Stay protected against the latest threats with regular updates pushed automatically
Identify advanced threats quickly with industry-leading threat research
Get industry-specific threat intelligence tailored to your business
Catch advanced threats endpoints miss with Cisco’s reverse engineers and threat analysts
Deploy the smartest threat defense available
Talos: Research, Response, Threat Intelligence
24 x 7 x 365 operations; 600+ researchers
Coverage: Email, Endpoints, Web, Networks, NGIPS, Devices
• Monitors 35% of the world’s email traffic
• Receives 1.1 million incoming malware samples daily
• Performs 4.9 billion AV and web filtering blocks per month
• Processes 100 terabytes of security intelligence daily
Advanced Malware Protection
AMP Delivers Integrated…
Before (point in time): additional point-in-time protection through file reputation and sandboxing
After: retrospective security through continuous analysis
AMP Strengthens the First Line of Detection: Reputation Filtering and File Sandboxing
All detection is less than 100%
Detection techniques layered in AMP: one-to-one signature, fuzzy fingerprinting, machine learning, advanced analytics, dynamic analysis
With Real-Time Malware Scanning: Dynamic Vectoring and Streaming
► Optimizes efficiency and catch rate with intelligent multi-scanning
► Enhances coverage with multiple signature scanning engines
► Identifies encrypted malicious traffic by decrypting and scanning SSL traffic
► Improves user experience with parallel scanning for fastest analysis
► Provides the latest coverage with automated updates
Signature Inspection: identify known behaviors
Heuristics Detection: identify unusual behaviors
Anti-Malware Scanning: multiple anti-malware scanning engines; parallel scans and stream scanning; signature and heuristic analysis
What: these applications are affected
Where: the breach affected these areas
When: this is the scope of exposure over time
How: here is the origin and progression of the threat
Who: focus on these users first
AMP Provides Contextual Awareness and Visibility That Allows You to Take Control of an Attack Before It Causes Damage
And Continues to Analyze What Happens Along the Attack Continuum
Breadth and control points: Endpoints, Network, Email, Web, Devices, IPS
Telemetry stream: file fingerprint and metadata, process information, file and network I/O, continuous feed
Talos + Threat Grid intelligence
Continuous analysis: trajectory, behavioral indications of compromise, threat hunting, retrospective detection
And the Power to Surgically Contain and Remediate
There Are Several Ways You Can Deploy AMP
Advanced Malware Protection Deployment Options
1. Email and Web; AMP on Cisco® ASA, CWS
   Method: license with ESA, WSA, CWS, or ASA
   Ideal for: new or existing Cisco CWS, Email/Web Security, ASA customers
   Details: ESA/WSA: prime visibility into email/web; CWS: web and advanced malware protection in a cloud-delivered service; AMP capabilities on ASA with FirePOWER Services
2. AMP for Networks (AMP on FirePOWER Network Appliance)
   Method: snap into your network
   Ideal for: IPS/NGFW customers
   Details: wide visibility inside network; broad selection of features before, during, and after an attack
3. AMP for Endpoints (PC/Mac, mobile, virtual)
   Method: install lightweight connector on endpoints
   Ideal for: Windows, Mac, Android, virtual machines
   Details: comprehensive threat protection and response; granular visibility and control; widest selection of AMP features
4. AMP Private Cloud Virtual Appliance
   Method: on-premises virtual appliance
   Ideal for: high-privacy environments
   Details: private cloud option for those with high-privacy requirements; for endpoints and networks
Cisco Web Security
Web Security Is More Important Than Ever Before
The web is a popular attack vector for criminals
Without proper control, your own users can put your business at risk
Increased cloud adoption creates greater vulnerabilities
Compromise of the business
Breach of trust
Breach of security
Money, Jobs, and Company Reputations Are on the Line
Heartbleed, String of Pearls, Shellshock, Zeus
Cisco Web Security Delivers…
Comprehensive Defense: defend and control with best-in-class, cloud-delivered web security
Advanced Threat Protection: protect against advanced threats with adaptive web security
Superior Flexibility: deploy, manage, and scale easily to fit your business
It Starts with Usage Controls and an Active Defense
Comprehensive Defense: Web Usage Control
Web Filtering: block over 50 million known malicious sites
Web Reputation: restrict access to sites based on assigned reputation score
Dynamic Content Analysis: categorize webpage content and block sites automatically
Web Usage Reporting: gain greater visibility into how web resources are used
Roaming Laptop-User Protection: extend security beyond the network to include mobile users
Application Visibility and Control: regulate access to individual website components and apps
Outbreak Intelligence: identify unknown malware and zero-hour outbreaks in real time
Centralized Cloud Management: enforce policies from a single, centralized location
And Combats Evolving Threats and Advanced Malware
Advanced Threat Protection: Cisco® Advanced Malware Protection (AMP)
File Reputation: increase the accuracy of threat detection by examining every aspect of a file
File Sandboxing: determine the malicious intent of a file before it enters the network
File Retrospection: identify a breach faster by tracking a file’s disposition over time
The Solution Works with Your Evolving Business Model
Superior Flexibility
Multiple Traffic Redirection Methods: connect Cisco® CWS to your current infrastructure through ASA / ASAv, standalone WSA / WSAv, ISR G2, or AnyConnect®
True Security as a Service: manage CapEx and OpEx as your business grows
Cisco Web Security with AMP Built on Talos: Superior Security Intelligence
1.6 million global sensors
100 TB of data received per day
150 million+ deployed endpoints
600+ engineers, technicians, and researchers
35% worldwide email traffic
13 billion web requests
24-hour daily operations
40+ languages
180,000+ file samples per day
FireAMP™ community
Advanced Microsoft and industry disclosures
Snort and ClamAV open source communities
Honeypots
Sourcefire AEGIS™ program
Private and public threat feeds
Dynamic analysis
These sources feed Cisco® SIO and the Sourcefire® Vulnerability Research Team (VRT), which together form Cisco Talos.
Talos intelligence covers Email, Endpoints, Web, Networks, IPS and Devices, and is delivered to WSA or CWS.
Reputation Analysis: The Power of Real-Time Context
Context considered (who, how, where, when): suspicious domain owner; server in a high-risk location; dynamic IP address; domain registered less than 1 minute, less than 1 month, or more than 2 years ago; web server less than 1 month old
Result: an IP reputation score on a scale from -10 to +10
Loss of Productivity Is a Threat: How Much Bandwidth and Time Is Being Wasted?
Facebook time: 2,110,516 minutes, or 35,175 hours, 1,465 days, 4.1 years
Number of Facebook likes: 3,925,407; at 1 second per like, that’s almost 1,100 hours per day, or 45 days just liking things
Bytes on YouTube video playback: 11,344,463,363,245, or 10 TB
Pandora: 713,884,303,727 bytes, or 0.6 TB
Total browsing time per day: 2,270,690,423 minutes, or 4,320 years
Total bytes per day: 70,702,617,989,737, or 64 TB; over 15% from YouTube
Source: Cloud Web Security Report
Time and Volume Quotas: Intelligent Controls of Bandwidth Usage
► Control web usage to meet administrative policies, such as total bandwidth used during work hours, or total bandwidth per day used for social media categories
► Configure policies to restrict access based on the amount of data (in bytes) and time
► Quotas are applicable to HTTP, HTTPS, and FTP traffic
► Configured under access policies and decryption policies
► Create custom end-user notifications of warnings when a quota is close, as well as when exceeded
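The quota semantics the bullets describe (byte and time limits per category, a warning near the limit, a block once a request would exceed it, applied only to HTTP/HTTPS/FTP), as an added example; this is hypothetical code written for this page, not the WSA/CWS implementation, and the category names, limits and user are constructed.

```python
"""Per-user, per-category time and volume quotas as the slide describes:
limits in bytes and seconds, a warning when usage nears the quota, and a
block when a request would exceed it. Hypothetical example code, not the
WSA/CWS implementation."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

QUOTA_PROTOCOLS = {"http", "https", "ftp"}   # quotas apply to these (per the slide)


@dataclass
class Quota:
    max_bytes: Optional[int] = None       # None = no volume limit
    max_seconds: Optional[int] = None     # None = no time limit
    warn_at: float = 0.8                  # warn once usage reaches 80% of a limit


@dataclass
class Usage:
    nbytes: int = 0
    seconds: int = 0


class QuotaTracker:
    """Decides allow / warn / block for each transaction and accounts usage."""

    def __init__(self, quotas: Dict[str, Quota]):
        self.quotas = quotas                                # category -> Quota
        self.usage: Dict[Tuple[str, str], Usage] = {}       # (user, category) -> Usage

    @staticmethod
    def _fraction(used: int, limit: Optional[int]) -> float:
        return 0.0 if limit is None else used / limit

    def decide(self, user: str, category: str, proto: str,
               nbytes: int = 0, seconds: int = 0) -> str:
        """Return 'allow', 'warn' or 'block' for one transaction.
        A blocked request is not accounted, because it never transfers."""
        q = self.quotas.get(category)
        if q is None or proto.lower() not in QUOTA_PROTOCOLS:
            return "allow"
        u = self.usage.setdefault((user, category), Usage())
        projected_bytes = u.nbytes + nbytes
        projected_seconds = u.seconds + seconds
        if (q.max_bytes is not None and projected_bytes > q.max_bytes) or \
           (q.max_seconds is not None and projected_seconds > q.max_seconds):
            return "block"
        u.nbytes, u.seconds = projected_bytes, projected_seconds
        worst = max(self._fraction(u.nbytes, q.max_bytes),
                    self._fraction(u.seconds, q.max_seconds))
        return "warn" if worst >= q.warn_at else "allow"


def demo():
    """Constructed sequence for one user against a social-media quota of
    1 MB and 1 hour per day."""
    tracker = QuotaTracker({"social": Quota(max_bytes=1_000_000, max_seconds=3600)})
    steps = [
        ("social", "https", 500_000, 1000),   # 50% bytes, 28% time -> allow
        ("social", "https", 350_000, 1000),   # 85% bytes -> warn
        ("social", "http", 200_000, 100),     # would reach 1,050,000 bytes -> block
        ("social", "https", 100_000, 100),    # 950,000 bytes -> warn
        ("news", "https", 900_000, 100),      # no quota on this category -> allow
        ("social", "https", 0, 1700),         # would reach 3,800 s -> block
    ]
    return [tracker.decide("alice", cat, proto, b, s) for cat, proto, b, s in steps]


if __name__ == "__main__":
    print(demo())   # ['allow', 'warn', 'block', 'warn', 'allow', 'block']
```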
Acceptable Use Controls: Beyond URL Filtering
URL Filtering
► Constantly updated URL database covering over 50 million sites worldwide
► Real-time dynamic categorization for unknown URLs
Application Visibility and Control (AVC): hundreds of apps, application behavior, 150,000+ micro-apps
► Control over mobile, collaborative, and web 2.0 applications
► Assured policy control over which apps can be used by which users and devices
► Granular enforcement of behaviors within applications
► Visibility of activity across the network
Next-Generation Firewall
Focus on the Apps… but Miss the Threat
The Problem with Legacy Next-Generation Firewalls
Legacy NGFWs can reduce attack surface area, but advanced malware often evades security controls.
Only Cisco delivers a threat-focused NGFW
Superior Protection: threat-centric defense across the attack continuum
Simplified Management: extensive control through a simpler user experience
Exceptional Value: low TCO with enterprise-grade protection
Cisco ASA with FirePOWER Services: Next-Generation Firewall (NGFW)
Components: URL Filtering, Advanced Malware Protection (AMP), Application Visibility and Control (AVC), Next-Gen Intrusion Prevention System (NGIPS)
Reduce your threat exposure
Network Firewalling: block unauthorized access and activity by controlling traffic flow
Application Visibility and Control (AVC): tailor application behavior to reduce attack surface and risk of data loss
URL Filtering: restrict access to specific sites and sub-sites, as well as categories of sites
VPN Capabilities: protect both site-to-site connections and remote users with granular control
Next Generation Intrusion Prevention System (NGIPS): Detect and prevent threats from entering your network
Visibility into: threats, malware, client applications, operating systems, mobile devices, VoIP phones, routers and switches, printers, C&C servers, network servers, users, file transfers, web applications, application protocols
No other NGFW offers this level of visibility: the more infrastructure you see, the better protection you get (the slide compares Cisco ASA with FirePOWER Services against a typical IPS and a typical NGFW on these items)
Cisco ASA with FirePOWER Services
Security Subscription Services
• IPS, URL, Advanced Malware Protection (AMP) Subscription Services
• One- and Three-Year Term Options
Support
• SmartNET
• Software Application Support plus Upgrades
Management
• FireSIGHT Management Center (HW Appliance or Virtual)
• Cisco Security Manager (CSM) or ASDM
Base Hardware
• New ASA 5585-X Bundle SKUs with FirePOWER Services Module
• New ASA 5500-X SKUs running FirePOWER Services Software
• FirePOWER Services Spare Module/Blade for ASA 5585-X Series
• FirePOWER Services Software
• Hardware includes Application Visibility and Control (AVC)
AnyConnect
Simply and securely work anywhere on any device
Cisco AnyConnect Secure Mobility Client: Extending Control of Context to the Endpoint
§ Delivers reliable and transparent secure remote access for off-premises users
§ All major devices supported (PC, Mac, Android, iOS, more)
Helps ensure endpoint integrity
§ Multiple authentication options
§ Comprehensive posture checks
Provides automatic secure connectivity
§ End-to-end encryption
§ Integrated web security
§ Per-app VPN for mobile
Differentiate Mobile Access: Connect Only Approved Applications over VPN
Provides a fast, convenient and flexible approach to turn on Advanced Malware Protection (AMP)
Reduce the potential for nonapproved applications to compromise enterprise data
Support a range of remote users and endpoints (employees, partners, contractors), streamlining IT operations
Selectively tunnels traffic through VPN: approved apps such as Microsoft Office, SharePoint, SAP and Verint go over the VPN, general web traffic does not
Streamline Endpoint Compliance: Posture Check and Secure VPN Access with Unified Agent and Cisco ISE 1.3
Supports device posture and authorization across multiple access methods
Simplifies management with only one agent to manage
Prevents noncompliant devices from accessing the network
Simplified Connectivity: Always-on User Experience
Automatically negotiates a hotspot, with no user intervention required
Selects optimal gateway to deliver high-performance access
Enforces enterprise connection by authorizing the right user and device
Advanced Secure Endpoint Access (off premises): Protect More for Today’s Threat-Centric Environment
Checks posture and remediates to help ensure compliance
Filters for web threats (appliance or cloud) to enhance security
Encrypts data in motion, offering additional protection
Network as Enforcer
You Can’t Protect What You Can’t See: The Network Gives Deep and Broad Visibility
What Can the Network Do for You? Network as Sensor
Detect anomalous traffic flows and malware, e.g. communication with malicious hosts, internal malware propagation, data exfiltration
Detect app usage and user access policy violations, e.g. a maintenance contractor accessing financial data
Detect rogue devices, APs and more, e.g. a maintenance contractor connecting an unauthorized AP in a bank branch to breach it
NetFlow – The Heart of Network as a Sensor: Path to Self-Learning Networks
Network flows are attack signatures
A powerful information source for every network conversation: each and every network conversation over an extended period of time; source and destination IP address, IP ports, time, data transferred, and more; stored for future analysis
A critical tool to identify a security breach: identify anomalous activity; reconstruct the sequence of events; forensic evidence and regulatory compliance
NetFlow for full details, NetFlow-Lite for 1/n samples
NetFlow – The Heart of Network as a Sensor. Example: NetFlow Alerts With Lancope StealthWatch
Denial of Service: SYN half open; ICMP/UDP/port flood
Worm Propagation: worm-infected host scans and connects to the same port across multiple subnets; other hosts imitate the same behavior
Fragmentation Attack: host sending an abnormal number of malformed fragments
Botnet Detection: inside host talks to an outside C&C server for an extended period of time
Host Reputation Change: inside host potentially compromised, or received abnormal scans or other malicious attacks
Network Scanning: TCP, UDP, port scanning across multiple hosts
Data Exfiltration: large outbound file transfer vs. baseline
NetFlow – The Heart of Network as a Sensor. NetFlow in Action: As an Attack Progresses
Breach stages and what NetFlow can detect at each:
1. Vulnerability Exploration: attacker scans IP addresses and ports to explore vulnerabilities (OS, user, app.)
   § NetFlow can detect scans across IP address ranges
   § NetFlow can detect scans down IP ports on every IP address
2. Install Malware on 1st Host: attacker installs software to gain access
   § NetFlow can detect inbound admin traffic from an unexpected location
3. Connection to “Command and Control”: malware creates an outbound connection with the C&C system for further instructions
   § NetFlow can detect outbound connections to known C&C IP addresses
4. Spreading Malware to Other Hosts: attack other systems on the intranet through vulnerability exploitation
   § NetFlow can detect scans across IP address ranges by internal hosts
   § NetFlow can detect scans down IP ports on every IP address by internal hosts
5. Data Exfiltration: export data to a 3rd-party server
   § NetFlow can detect extended flows (HTTP, FTP, GETMAIL, MAPIGET and more) and data transfer to new external hosts
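The flow-based detections the two NetFlow slides describe (port scanning, worm spread to the same port across subnets, an inside host in a long-lived conversation with an outside host, outbound volume far above baseline), as an added example run over constructed NetFlow-style records; this is hypothetical code written for this page, not StealthWatch or any Cisco logic, and the addresses, thresholds, baseline figures and the 10.0.0.0/8 "inside" definition are assumptions.

```python
"""Flow-based detections matching the alert types on the slides (network
scanning, worm propagation across subnets, long-lived inside-to-outside C&C
conversation, data exfiltration vs. baseline), run over constructed
NetFlow-style records. Hypothetical example code, not StealthWatch logic."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumption: this range is "inside"


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds (constructed values)
    src: str
    dst: str
    dport: int
    nbytes: int    # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def detect_port_scans(flows, min_ports=20):
    """Sources touching many distinct ports on one destination
    ('scans down IP ports on every IP address')."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
    return sorted({src for (src, _), p in ports.items() if len(p) >= min_ports})


def detect_worm_spread(flows, min_subnets=3):
    """Inside host connecting to the same port on hosts in several /24 subnets."""
    subnets = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            subnets[(f.src, f.dport)].add(ip_network(f"{f.dst}/24", strict=False))
    return sorted(f"{src}:{port}" for (src, port), s in subnets.items()
                  if len(s) >= min_subnets)


def detect_long_lived_external(flows, min_seconds=6 * 3600):
    """Inside host talking to the same outside host over an extended period,
    the slide's botnet / C&C indicator."""
    first, last = {}, {}
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            key = (f.src, f.dst)
            first[key] = min(first.get(key, f.ts), f.ts)
            last[key] = max(last.get(key, f.ts), f.ts)
    return sorted(k for k in first if last[k] - first[k] >= min_seconds)


def detect_exfiltration(flows, baseline_bytes, factor=10):
    """Outbound volume per inside host exceeding `factor` x its baseline.
    A host with no baseline counts as 0, so any outbound volume alerts."""
    outbound = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            outbound[f.src] += f.nbytes
    return sorted(h for h, b in outbound.items()
                  if b > factor * baseline_bytes.get(h, 0))


def sample_flows():
    """Constructed records: an external port scan, SMB spread to three subnets,
    an hourly beacon over 8 hours, a large FTP upload and benign browsing."""
    flows = [Flow(0, "203.0.113.5", "10.0.1.10", p, 60) for p in range(1, 26)]
    flows += [Flow(10, "10.0.1.20", f"10.0.{n}.5", 445, 400) for n in (2, 3, 4)]
    flows += [Flow(h * 3600, "10.0.1.30", "198.51.100.7", 443, 300) for h in range(8)]
    flows.append(Flow(500, "10.0.1.40", "198.51.100.9", 21, 5_000_000))
    flows += [Flow(100, "10.0.1.50", "93.184.216.34", 443, 5000),
              Flow(200, "10.0.1.50", "93.184.216.34", 443, 5000)]
    return flows


BASELINE = {"10.0.1.30": 5_000, "10.0.1.40": 100_000, "10.0.1.50": 50_000}


def run_all(flows=None):
    flows = sample_flows() if flows is None else flows
    return {
        "port_scan": detect_port_scans(flows),
        "worm_spread": detect_worm_spread(flows),
        "long_lived": detect_long_lived_external(flows),
        "exfiltration": detect_exfiltration(flows, BASELINE),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```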
What Can the Network Do for You? Network as Enforcer
Segment the network to contain the attack: TrustSec Secure Group Tagging, VRF, ISE and more
Encrypt the traffic to protect the data in motion: MACsec for wired, DTLS for wireless, IPsec/SSL for WAN and more
Secure the branch and remote users for direct Internet access: AnyConnect, IWAN, Cloud Web Security and more
Identity Services
Cisco Identity Services Engine (ISE)
Network / user context: who, what, where, when, how
Access policy examples: compromised device; CXO-level secure access; BYOD employee user; guest visitor
Integrated partner ecosystem
✓ Minimize network unknowns
✓ Reduce your attack surface
✓ Enforce the right level of access control
✓ Contain malicious network threats
Role-Based Secure Access with ISE
Resources: confidential patient records; internal employee intranet; Internet
✓ Acquires important context and identity from the network
✓ Implements context-aware classification and policy
✓ Provides differentiated access to the network
Context examples from the slide: Who: Guest, What: iPad, Where: Office; Who: Doctor, What: Laptop, Where: Office; Who: Doctor, What: iPad, Where: Office
Supports 1M registered endpoints and 250K active, concurrent endpoints
Streamlining BYOD and Enterprise Mobility Reducing the Complexity of Managing BYOD and Device Onboarding
Integrated Native Certificate Authority for Devices
Customizable Branded Experiences
Easy User Onboarding with Self-Service Device Portals
Improved Device Recognition Desktop & Mobile Ready!
Comprehensive Device Security with Posture and EMM
Dynamic Control with Rich Contextual Profiling: Simple Identity Simply Isn’t Helpful Enough Anymore
POOR context awareness → “Simple Identity”: Who are you? → IP address 192.168.1.51
RESULT: any user, any device, anywhere gets on the network
EXTENSIVE context awareness → “RICHER Identity”: Who? → Bob; Where? → Building 200, 1st floor; What? → Tablet; When? → 11:00 AM EST on April 10th
RESULT: the right user, on the right device, from the right place is granted the RIGHT ACCESS
Enterprise Mobility Management Integrations: Enforce True Device Compliance for All Mobile Devices
EMM secures the actual device; Cisco ISE secures network access. The solution is ISE + EMM together:
Sees unregistered devices on the network? ISE sees ALL devices on the network
Forces EMM policy compliance? ISE requires devices to comply with EMM policy
Keeps noncompliant devices off the network? ISE provides guest access to non-EMM devices
Conclusion
Only Cisco Security Can Deliver… Visibility and Control Across the Full Attack Continuum
Attack Continuum
Before: Discover, Enforce, Harden
During: Detect, Block, Defend
After: Scope, Contain, Remediate
Portfolio mapped onto the continuum: FireSIGHT and pxGrid, ASA, VPN, NGFW, Meraki, Advanced Malware Protection, Cognitive, NGIPS, ESA/WSA, CWS, Secure Access + Identity Services, ThreatGRID
Thank You and Next Steps
Brian Avery, bravery@cisco.com
Contact Your Cisco Partner: https://tools.cisco.com/WWChannels/LOCATR/performBasicSearch.do
Learn more about Cisco Security: www.cisco.com/go/security/
§ CCE sessions are held weekly on a variety of topics
§ CCE sessions can help you understand the capabilities and business benefits of Cisco technologies
§ Watch replays of past events and register for upcoming events!
Visit http://cs.co/cisco101 for details
Join us again for a future Cisco Customer Education Event
Thank you.