Lewis Tan CISSP, OPST Regional Sales Specialist, ATS Asia Simple and Effective Security

Page 1:

Lewis Tan CISSP, OPST

Regional Sales Specialist, ATS Asia

Simple and Effective Security

Page 2:

Branch office, HQ, Airport

Page 3:

Productivity

Page 4:

Productivity, File share

Page 5:

Productivity, File share, CRM

Page 6:

Productivity, File share, CRM, Connected Apps

Deny / Allow access

Allow access

Page 8:

Risks Faced Using Cloud

• Users not protected by traditional security stack
• Gaps in visibility and coverage
• Expose sensitive info (inadvertently or maliciously)
• Users can install and use risky apps on their own

Page 9:

The way we work has changed, security must too

• 49% of the workforce are mobile
• 82% admit to not using the VPN
• 70% increase in SaaS usage
• 70% of branch offices have DIA
• 25% of corporate data bypass perimeter security

Page 10:

Cloud shared responsibility – SaaS/PaaS/IaaS

Service models compared: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), SaaS

Layers shown for each model: People, Data, Applications, Runtime, Middleware, Operating system, Virtual network, Hypervisor, Servers, Storage, Physical network

Legend: CSR responsibility, Customer responsibility

Page 11:

Security Weaknesses of Native Cloud Service Providers

• Single Platform Only
• Solves Fewer Problems
• Lack of Security Expertise & Focus
• Upcharge
• No Incident Management
• Weak Remediation Capabilities

Page 12:

Key questions for Cloud Usage

Users/Accounts
• Who is doing what in my cloud applications?
• How do I detect account compromises?
• Are malicious insiders extracting information?

Data
• Do I have toxic and regulated data in the cloud?
• Do I have data that is being shared inappropriately?
• How do I detect policy violations?

Applications
• How can I monitor app usage and risk?
• Do I have any 3rd party connected apps?
• How do I revoke risky apps?

Page 13:

Keys to the kingdom: third-party apps

Let’s start with an example

Page 14:

Personalizing the attack

[email protected]

******

Page 15:

OAuth-connected apps have extensive access to corporate environments

Page 16:

May 3rd 2017, Google OAuth Attack Aftermath

The attackers gained a persistent connection to the victim’s identity

Cloudlock CyberLab estimates:

• Approximately 300,000 corporations have been infected
• On average 0.65% of employees got infected per organization within the first 2 hrs.

Page 17:

Do you know all the apps that are accessing your cloud data?

Yes or No?

Page 18:

Your security challenges

• Malware and ransomware
• Gaps in visibility and talent shortage
• Budget Competition
• Difficult to manage security

Page 19:

To be effective, cloud security must be: Simple, Open, Automated

Page 20:

Leveraging the Attack Continuum to shift the conversations to business outcomes!

Before, During, After

Branch, Operational Technology, Cloud, Data Center, Endpoint, Campus, Edge

Services

SECURITY EVERYWHERE

Page 21:

Why Cisco - Efficacy

• 250+ Full Time Threat Intel Researchers
• MILLIONS Of Telemetry Agents
• 4 Global Data Centers
• 1100+ Threat Traps
• 100+ Threat Intelligence Partners

THREAT INTEL Per Day

• 1.5 MILLION Daily Malware Samples
• 600 BILLION Daily Email Messages, 86% SPAM
• 16 BILLION Daily Web Requests
• 20 BILLION Threats Blocked

Sources: Honeypots, Open Source Communities, Vulnerability Discovery (Internal), Product Telemetry, Internet-Wide Scanning

INTEL SHARING

• Customer Data Sharing Programs
• Service Provider Coordination Program
• Open Source Intel Sharing
• 3rd Party Programs (MAPP)
• Industry Sharing Partnerships (ISACs)
• 500+ Participants

*Google : 3.5B searches/day

Page 22:

Simple & Effective Cloud Security

• CloudLock / Stealthwatch Cloud: Secure Usage of Cloud Services
• Umbrella / Amp for Endpoints: Secure Access to Internet

Branch office, HQ, Roaming

Page 23:

Cisco Cloudlock addresses customers’ most critical cloud security use cases

Discover and Control

• User and Entity Behavior Analytics
• Cloud Data Loss Prevention (DLP)
• Apps Firewall
• Cloud Malware
• Shadow IT/OAuth Discovery and Control
• Data Exposures and Leakages
• Privacy and Compliance Violations
• Compromised Accounts
• Insider Threats

Page 24:

Stealthwatch Cloud

Multi-Cloud, Hybrid-Cloud

SWC SaaS Portal

Page 25:

How Cisco Security helps

Attack stages shown:

• Victim redirected to attacker’s domain
• Attacker gains access to OAuth token
• Attacker has persistent access to the victims’ account
• Victim opens email and clicks link
• Victim grants access to their account

Controls shown:

• Cloudlock revokes OAuth token
• Umbrella blocks user redirect to malicious domain. Attacker never receives OAuth token if blocked here.
• Umbrella Investigate used to research attacker’s infrastructure
• Email Security blocks malicious emails

Consent prompt shown: "Google Docs would like to: Read, send, delete, manage your email; Manage your contacts" (Allow / Deny)

Page 26:

Stopping Attacks Before They Happen

Page 27:

Best Defenses

Wouldn’t it be great if you could...

• Stop Ransomware from running on endpoints
• Stop Ransomware from arriving by email
• Stop Ransomware from using DNS or arriving by the web

DNS

Page 28:

Introducing Umbrella – Simple & Effective DNS Security

Overview

• Authoritative DNS: Owns and publishes the “phone books”
• Domain registrar: Maps and records names to #s in “phone books”
• Recursive DNS: Looks up and remembers the #s for each name

Page 29:

Our view of the internet

• 140B requests per day
• 15K enterprise customers
• 100M daily active users
• 160+ countries worldwide

INTELLIGENCE

Page 30:

Our efficacy

• Discover: 3M+ daily new domain names
• Identify: 60K+ daily malicious destinations
• Enforce: 7M+ malicious destinations while resolving DNS

INTELLIGENCE

Page 31:

Intelligence to see attacks before they are launched

Data
• Cisco Talos feed of malicious domains
• Cisco Threat Grid file-based intelligence (1.5M+ daily samples)
• Umbrella DNS data: 125B requests per day

Security researchers
• Industry renowned researchers
• Build models that can automatically classify and score domains and IPs

Models
• Dozens of models continuously analyze millions of live events per second
• Automatically uncover malware, ransomware, and other threats

Page 32:

What is Umbrella?

a) DNS Security
b) Ransomware Protection for all devices
c) Protecting you when you are on network only
d) All of the above
e) A + B

Page 33:

Top Use Cases Using Umbrella

WHY?

• OFF-NETWORK SECURITY: 50% of PCs are already mobile (1)
• DIRECT-TO-NET OFFICES / GUEST WIFI: 70% of offices already go direct (2)
• PROACTIVE AND PREDICTIVE SECURITY: 70-90% of malware is unique to each org (3)
• IMPROVED INCIDENT RESPONSE: Only 4% of alerts are investigated per week
• SIMPLIFIED SECURITY & VISIBILITY: Mean time-to-contain threats 26-39 hours (4)

Sources: (1) Gartner, (2) Forrester, (3) Verizon,

Page 34:

Enterprise-wide deployment in minutes

DEPLOYMENT

Existing DNS/DHCP servers, Wi-Fi APs
• Simple config change to redirect DNS

Out-of-the-box integration

Network footprint: ISR4K (today), WLC (today), Meraki MR, vEdge (future)
• Provisioning and policies per VLAN/SSID; tags for granular filtering and reporting
• (Umbrella virtual appliance also available)

Endpoint footprint: AnyConnect roaming module, Cisco Security Connector
• Granular filtering and reporting on- & off-network
• (Umbrella roaming client also available)

Page 35:

Protecting Your Endpoints

Page 36:

• Typically updates 2 times a day
• Typically once a week; older machines once a month or never
• Can take hrs / days to complete a full scan


Page 38:

Should Ransomware happen, would you pay the ransom?

a) Yes
b) No
c) Depends on value of data

Page 39:

Permanent Innovation makes Prevention a Non Ending Game

BRKSEC-2139 39

1. Cyber Criminal Organizations are like IT companies

2. Security companies innovate Every Day to Protect you Better

3. Cyber Criminals innovate Every Day to Breach you Better

Page 40:

Where Do You Enforce Security?

[Diagram labels: INTERNET; MALWARE, C2/BOTNETS, PHISHING; FIRST LAYER, MID LAYER, LAST LAYER; Perimeter, Endpoint; ROUTER/UTM, SANDBOX, PROXY, NGFW, NETFLOW, AV, AMP; Data At Rest, Intra Cloud Traffic, Public / Private Cloud]

CHALLENGES

• Too Many Alerts via Appliances & AV
• Wait Until Payloads Reach Target
• Too Much Time to Deploy Everywhere

BENEFITS

• Alerts Reduced 2-10x; Improves Your SIEM
• Traffic & Payloads Never Reach Target
• Contain Malware if already inside
• Internet is faster not slower

Page 41:

How are we helping customers today with Umbrella?


Page 43:

Next Steps

Page 44:

Easiest security trial you’ll ever deploy

Umbrella: Start blocking in minutes

1 Signup

2 Point your DNS

3 Done