Secure Digital Business by Gaining Full Visibility and ...· Cisco 2017 Annual Cybersecurity Report


  • Cisco Confidential 2016 Cisco and/or its affiliates. All rights reserved. 1

    Secure Digital Business by Gaining Full Visibility and Security across Your Network

    Presented by: Henry Ong, Technical Manager GSSO, Cisco ASEAN

    March 2017

  • If you knew you were going to be compromised, would you do security differently?

    It's no longer a question of if you'll be breached, it's a question of when.

  • 65% of CEOs say their risk management approach is falling behind. In a new reality where security breaches come at a daily rate, we must move away from trying to achieve the impossible perfect protection and instead invest in detection and response. Organizations should move their investments from 90 percent prevention and 10 percent detection and response to a 60/40 split.

    Peter Sondergaard, Senior VP and Global Head of Research, Gartner

  • Time To Evolve (TTE) vs Time To Detection (TTD): Reducing TTD Forces Adversaries to Speed Up Their Effort Just to Keep Up

    Chart: median TTD in hours plotted against the percentage of total unique hashes for Locky ransomware, with data points at Nov 2015, Jan 2016, Apr 2016, July 2016 and Nov 2016.

    Source: Cisco 2017 Annual Cybersecurity Report

  • Protection Across the Extended Network: See It Once, Protect Everywhere

    Diagram of AMP deployment points, all sharing the AMP Threat Intelligence Cloud and the Threat Grid malware analysis and threat intelligence engine:

    Network edge and branch: Meraki MX; ISR with FirePOWER Services; ASA Firewall with FirePOWER Services; FirePOWER NGIPS Appliance (AMP for Networks); AMP Private Cloud Virtual Appliance; Web and Email Security Appliances

    Endpoints: AMP for Endpoints on Windows, Mac OS, Android mobile and virtual machines; CentOS and Red Hat Linux for servers and data centers

    Cloud: Cloud Web Security and Hosted Email Security (CWS/CES)

    Data Center

  • Continuous Visibility of Malware Propagation: Reduce the Time to Scope a Malware Breach

    "We detected the latest Java 0-day 2 days before it was announced and were clean 40 minutes after it was first seen." A Cisco Power Utility Customer

    Continuous Visibility of Activities on Devices: Understand Root Causes After a Compromise and Reduce TTR

  • Adding DNS as the 1st Layer of Security

    91.3% of malware uses DNS

    68% of organizations don't monitor it

    A blind spot for attackers to gain command and control, exfiltrate data and redirect traffic

    Source : Cisco 2016 Cybersecurity Report

  • First line, mid layer, last line

    Diagram comparing where Internet malware, C2 callbacks and phishing are stopped: the first line of defense (the DNS layer introduced above), the perimeter as the mid layer (proxy, NetFlow, NGFW, sandbox, router/UTM) and the endpoint as the last line (AV, AMP).

    Challenges: too many alerts via appliances and AV; wait until payloads reach the target; too much time to deploy everywhere

    Benefits: malicious traffic and payloads never reach the target; alerts reduced 2-10x, improves your SIEM; provision globally in under 30 minutes

  • Enforcement Built Into the Foundation of the Internet

    Diagram: any device on the network, roaming laptops and branch offices send their requests through Cisco Umbrella, which separates safe requests from malicious ones.

    Cisco Umbrella provides: connection for safe requests; prevention for malicious requests; proxy inspection for risky requests

    Intelligence sources: Cisco Talos feeds, Cisco WBRS, partner feeds, custom URL block list

    Requests for risky domains go to the intelligent proxy for URL inspection and file inspection (AV engines, Cisco AMP, AMP retrospective updates)

  • Prevent & Contain Malware with Cisco Umbrella & AMP for Endpoints

    Diagram of a ransomware infection chain: compromised sites and malvertising, phishing and spam (web link, web redirect, email attachment); exploit kit domains (Angler, Nuclear, Rig); C2; file drop; ransomware payload; malicious infrastructure including the encryption key infrastructure.

    Blocking points shown in the diagram: Cisco Umbrella (malicious domains, C2 and malicious infrastructure), Email Security (email attachments), Cisco AMP for Endpoints (the dropped ransomware payload).

  • Demo: Prevent & Contain Ransomware with Cisco Umbrella & AMP for Endpoints

    Scenario 1: Ransomware Protection by Cisco Umbrella

    Scenario 2: Ransomware Protection by Cisco AMP for Endpoints

    Scenario 3: System infected with Ransomware Executable

  • Cisco Cloudlock Cloud Access Security Broker (CASB)

    Diagram: Cloudlock covers users, data and apps across SaaS, PaaS and IaaS.

  • Cisco Cloudlock addresses customers' most critical cloud security use cases

    Capabilities: Discover and Control; User and Entity Behavior Analytics; Cloud Data Loss Prevention (DLP); Apps Firewall; Cloud Malware

    Use cases: Shadow IT/OAuth Discovery and Control; Data Exposures and Leakages; Privacy and Compliance Violations; Compromised Accounts; Insider Threats

  • "Network security architects should accept the reality that, in 2016, it is unreasonable to expect that they can build perimeter defenses that will block every attack and prevent every security breach. Instead, they need to adopt new products and/or services that will enable the network to be an integral part of a strategy that focuses on detecting and responding to security incidents."

    Lawrence Orans, Gartner, Network and Gateway Security Primer for 2016, January 22, 2016


  • Dissecting a Data Breach

    Reconnaissance

    Target acquisition

    Infiltration point

    Footprint expansion

    Staging

    Data Exfiltration: Information monetized after breach

    Exploration

  • Network as the Platform for Security

    Before: Discover, Enforce, Harden

    During: Detect, Block, Defend

    After: Scope, Contain, Remediate

    Network as a Sensor; Network as an Enforcer

    Network as the platform to deliver intelligence, visibility and control to defend critical assets.

  • Cisco Network as a Sensor (NaaS)

    Detect Anomalous Traffic Flows, Malware

    Identify User Access Policy Violations

    Obtain Broad Visibility into All Network Traffic

  • NetFlow for Dynamic Network Awareness: Understand Network Behavior and Establish a Network's Normal

    Network Flows Highlight Attack Signatures

    A Powerful Information Source for Every Network Conversation

    Each and Every Network Conversation over an Extended Period of Time

    Source and Destination IP Address, IP Ports, Time, Data Transferred, and More

    Stored for Future Analysis

    A Critical Tool to Identify a Security Breach

    Identify Anomalous Activity

    Reconstruct the Sequence of Events

    Forensic Evidence and Regulatory Compliance

    NetFlow for Full Details, NetFlow-Lite for 1/n Samples

  • Behavioral and Anomaly Detection: Behavioral Algorithms Are Applied to Build Security Events

    Collect and analyze flows

    Security events (94+): Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, ..., ICMP Flood, ..., Max Flows Initiated, Max Flows Served, ..., Suspect Long Flow, Suspect UDP Activity, SYN Flood, ...

    Alarm categories: Concern, Exfiltration, C&C, Recon, Data Hoarding, Exploitation, DDoS Target

    Responses: Alarm Table, Host Snapshot, Email, Syslog / SIEM, Mitigation
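    The slides above describe NetFlow records (source and destination address, port, time, bytes, duration) being turned into security events such as Addr_Scan, Beaconing Host and Suspect Long Flow, each mapped to an alarm category. The following Python is an added example, not Cisco Stealthwatch code, that shows the shape of such behavioral logic over a handful of constructed flow records. The thresholds (SCAN_MIN_TARGETS, BEACON_MAX_JITTER, LONG_FLOW_SECONDS) and the Flow fields are assumptions chosen for the demonstration; a real deployment tunes them against each host's observed baseline.

```python
"""Toy flow-based behavioral detection in the spirit of the NetFlow security
events listed on the slide (Addr_Scan, Beaconing Host, Suspect Long Flow).
Added example; not Cisco Stealthwatch code. Thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    start: int       # seconds since epoch (constructed values)
    src: str
    dst: str
    dport: int
    bytes_out: int
    duration: int    # seconds


# Assumed thresholds (hypothetical; a real tool derives them per host baseline).
SCAN_MIN_TARGETS = 20      # distinct destinations within SCAN_WINDOW seconds
SCAN_WINDOW = 60
BEACON_MIN_FLOWS = 6       # repeated contacts to the same dst:port
BEACON_MAX_JITTER = 0.1    # stdev/mean of inter-arrival gaps
LONG_FLOW_SECONDS = 3600


def detect_addr_scan(flows):
    """Addr_Scan: one source touches many distinct destinations in a window (Recon)."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    alarms = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.start)
        i = 0
        for j in range(len(fl)):
            while fl[j].start - fl[i].start > SCAN_WINDOW:   # slide the window
                i += 1
            if len({f.dst for f in fl[i:j + 1]}) >= SCAN_MIN_TARGETS:
                alarms.append(("Addr_Scan/tcp", src, "Recon"))
                break
    return alarms


def detect_beaconing(flows):
    """Beaconing Host: regular-interval contacts to the same dst:port (C&C)."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f.start)
    alarms = []
    for (src, dst, port), starts in by_pair.items():
        if len(starts) < BEACON_MIN_FLOWS:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= BEACON_MAX_JITTER:   # near-constant period
            alarms.append(("Beaconing Host", src, "C&C"))
    return alarms


def detect_long_flows(flows):
    """Suspect Long Flow: a single session far longer than normal (Exfiltration)."""
    return [("Suspect Long Flow", f.src, "Exfiltration")
            for f in flows if f.duration >= LONG_FLOW_SECONDS]


def detect(flows):
    """Run all detectors; returns (event, host, alarm category) tuples."""
    return detect_addr_scan(flows) + detect_beaconing(flows) + detect_long_flows(flows)


def constructed_flows():
    """Constructed sample records: a scanner, a beacon, a long upload and benign browsing."""
    flows = []
    for n in range(25):   # 10.0.0.5 probes 25 hosts on 445 within 25 s
        flows.append(Flow(1000 + n, "10.0.0.5", f"10.0.1.{n + 1}", 445, 200, 1))
    for n in range(8):    # 10.0.0.9 contacts 203.0.113.7:443 every 300 s exactly
        flows.append(Flow(2000 + 300 * n, "10.0.0.9", "203.0.113.7", 443, 512, 2))
    flows.append(Flow(3000, "10.0.0.12", "198.51.100.4", 443, 5_000_000_000, 7200))
    for t in [4000, 4130, 4175, 4900, 5020, 5400]:   # irregular, benign
        flows.append(Flow(t, "10.0.0.20", "198.51.100.9", 443, 3000, 4))
    return flows


if __name__ == "__main__":
    for event, host, category in detect(constructed_flows()):
        print(f"{category:13s} {event:18s} {host}")
```

    The benign host makes the same number of contacts to one destination as the beacon does, but its gaps are irregular, which is the property the jitter check keys on; the scan is caught by counting distinct destinations in a sliding window rather than raw flow volume, so a busy but legitimate server is not flagged.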

  • Cisco Identity Services Engine (ISE): Adding Visibility and Context to NetFlow

    Network / user context (who, what, where, when, how) plus integrated partner context

    Send contextual data collected from users, devices and networks to Stealthwatch for advanced insights and NetFlow analytics

  • Cisco Network as an Enforcer (NaaE)

    Implement Access Controls to Secure Resources

    Contain the Scope of an Attack on the Network

    Quarantine Threats, Reduce Time-to-Remediation

  • Network as an Enforcer: Identity-Based Access Control

    Diagram: Identity Services Engine draws on identity and application sources (AD, Oracle, SAP) and answers, for each session:

    Who are you?      What are you?   Where are you connecting?   When are you connecting?   How are you connecting?
    Mitsue (sales)    Tablet          Japan                       19:30                      VPN
    Shree (HR)        Laptop          India                       16:00                      WiFi
    Santoso (IT)      Desktop         India                       16:00                      Wired
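    To show how the five context questions on the slide combine into an enforcement decision, here is an added Python example; it is not ISE code and the policy rules, the "limited" and "quarantine" verdicts and the business-hours window are assumptions made for the illustration. The three sessions from the diagram are reproduced as constructed inputs, together with one deliberately anomalous session for the same user.

```python
"""Toy context-aware access decision built from who/what/where/when/how.
Added example; not Cisco ISE code. The rules below are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    role: str       # who: "sales", "HR", "IT"
    device: str     # what: "Tablet", "Laptop", "Desktop"
    country: str    # where
    hour: int       # when: local hour 0-23
    method: str     # how: "VPN", "WiFi", "Wired"


MANAGED_DEVICES = {"Laptop", "Desktop"}   # assumed to carry a managed agent
BUSINESS_HOURS = range(7, 20)             # 07:00-19:59, assumed


def decide(s):
    """Return (verdict, reason); verdicts are allow, limited or quarantine."""
    # Privileged (IT) access after hours over anything but the wired LAN is
    # treated as a compromised-account indicator and isolated for review.
    if s.role == "IT" and s.hour not in BUSINESS_HOURS and s.method != "Wired":
        return ("quarantine", f"privileged access at {s.hour:02d}:00 over {s.method}")
    # Roles with access to sensitive data need a managed device; otherwise a
    # reduced role is assigned instead of outright denial.
    if s.role in {"HR", "IT"} and s.device not in MANAGED_DEVICES:
        return ("limited", f"{s.role} role requires a managed device, got {s.device}")
    # Remote users outside business hours are confined to internet-only access.
    if s.method == "VPN" and s.hour not in BUSINESS_HOURS:
        return ("limited", "VPN outside business hours: internet-only")
    return ("allow", f"context matches policy for role {s.role}")


def constructed_sessions():
    """The three sessions from the slide plus one anomalous session (constructed)."""
    return [
        Session("Mitsue", "sales", "Tablet", "Japan", 19, "VPN"),
        Session("Shree", "HR", "Laptop", "India", 16, "WiFi"),
        Session("Santoso", "IT", "Desktop", "India", 16, "Wired"),
        Session("Santoso", "IT", "Tablet", "India", 3, "WiFi"),   # off-hours, unmanaged
    ]


if __name__ == "__main__":
    for s in constructed_sessions():
        verdict, reason = decide(s)
        print(f"{s.user:8s} {s.device:8s} {s.country:6s} {s.hour:02d}:00 {s.method:5s} -> {verdict}: {reason}")
```

    The point of the ordering is that the same user (Santoso) is allowed from a managed desktop on the wired LAN during the day and isolated when the device, time and medium all change at once; identity alone would have admitted both sessions.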

  • Identity Serv