The Case for Pervasive Security in a Multicloud World · The Case for Pervasive Security in a Multicloud World Released April 2017 ... InfoSec threat intelligence discovers abuse

Marisa Chancellor

Sr. Director, Information SecurityMarch, 27, 2018

The Case for Pervasive Security in a Multicloud World

Released April 2017

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

The new Multicloud world

Public and hybrid clouds drive flexibility

Anytime cloud access keeps us productive

SaaS applications speeds up the business


53%manage over half of their infrastructure in the cloud

Ease of use (46%)

Scalability (48%)

Lack of internal workforce (41%)

Better security (57%)

Appeal:

The cloudOrganizations increase reliance on the cloud


Threat landscape


Network-based ransomware

Network-BasedRansomware

Worm

WannaCry and Nyetya: rapid-moving, self-propagating network-based attacks

With active, unpatched machines, these automated worms will attack again. Have you secured your network?


Exposed development systems

To reduce risk of exposure to DevOps ransomware attacks

• Develop solid standards for secure deployment

• Maintain active awareness of the company’s public infrastructure

• Keep DevOps technologies up to date and patched

• Conduct vulnerability scans

80%Memcache

100%MongoDB

75%CouchDB

20%Docker

75%Elasticsearch

Source: Rapid7

Percentage of DevOps servers left WIDE OPEN is creating a huge ransomware risk

Option_01


Malicious binaries and encryption

Increase

November 2016

19%

12% Increase

268%70%

50%

38%

Global encrypted web traffic Malicious sandbox binaries with encryption

October 2017

Attackers embrace encryption to conceal their command-and-control activity


High severity vulnerabilities and patch management

MS17-010 DetectionsPatches double as organizations realize potential threat

Exploited vulnerability makes headlines

Microsoft warnsof vulnerability

Num

ber

of D

ete

ctions

Month Source: Qualys

High severity is driven by headlines

We need a better way to improve patch management processes


Security at Cisco


Trust across the security landscapeSix foundational pillars

Transparency and validation

Data protection/privacy

Trusted enterprise

Value chain security

Trustworthy systems

Trusted cloud

Security and Trust

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

122K workforce

170 countries

~3M IP addresses

215K infra devices

275K total hosts

2500+ IT applications

26K connected Cisco virtual offices

Defending Cisco What we must protect

• 300 partner extranet connections

• 600+ Cloud ASPs

• 16 major Internet connections

• ~47 TB bandwidth used daily

• 50+ and growing portfolio of Cloud offers: WebEx, Meraki, Umbrella

• 1350 labs

• 180+ acquisitions

Option 2

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

47TB traffic inspected

710 security devices

4TB security data collected

1.2T security events

7.6B DNS records

14.7M intrusions alerts (iDS/IPS w/AMP)

350M web transactions

28B NetFlows

22 incidents managed

Defending Cisco A day in security

• 6,385,333 internet threats blocked (WSA w/AMP)

• 2,509,724 email threats blocked(ESA w/AMP)

• 282,767 host/antivirus threats blocked

• 17,000 files analyzed

• (AMP/threat grid)

Option 2


Approach


Digital security architecture framework – circa 2007

Network services

Cisco network DLPIDSFW VPN ….

Email Encryption

PGPData security

Network and system management

Logging Logging

Logging Logging

Monitoring

AlertingAD LDAP

Device security CSAAltiris CredentAV

Application and service security

Platform security

XML GWAudit XML GWAudit


Digital security architecture framework – circa 2017

Identity and access management

Data protection program

Integrated threat defense

Monitoring everything and maturing responses

Network Identity Devices Data ApplicationMonitoring and

response

Policy and standards

Security architecture

Threat landscapeLaws and regulations

TechnologyCustomer and

business requirementsRisk appetite


Use cases


Previous Sandbox solution was not integrated with IT Infra. This led to increased support cost, complexity and limited capabilities

Deploy AMP natively on existing IT security Infra and leverage an on-prem Threat Grid private cloud

Our malware detection capability end to end saw a 3x improvement in detection capabilities, while reducing our engineering investment by 50%.

Challenge

Solution

Result

Web and email security

appliances

Threat Grid AMP

FireSIGHT Management Center

AMP for Networks

AMP for Endpoints

Cloud enabled AMP

Advanced malware protection


The inability to examine encrypted traffic reduces visibility of threats active on the network.

Encrypted Traffic Analytics allows enhanced telemetry to be sent to Stealthwatch. Select events are sent to Cognitive Threat Analytics for additional analysis of potential malware.

This allowed us to use our existing infrastructure to gain insights into malicious activity that was previously unseen. We had over 99% success in true positive identification of malware within encrypted sessions using this technology.

Challenge

Solution

ResultETA Stealthwatch CTA

ETA, Stealthwatch and CognitiveSeeing the unseen at machine speed


WannaCry – By the numbers

59

Machines infected

450K

Windows 7

Days patch available>150 Countries

Economic impactPaidRansom

NSA

$30098% 0.07% >$1B


WannaCry response timeline

Day 0 Day 1-2 Day 3 Day 4 Day 5Day -50 Day 6

MS PatchMS Patch deployed as part of standard desktop security practice - March 23rd

All managed desktop systems patched

EVMP InfoSec threat intelligence discovers abuse of exploit and enacts Emergency Vulnerablity Management Plan

DAT Updates and Patches Auditing and correction of permissive Network ACL’s

AV Dat updates pushed

USM ReportingOngoing patch compliance now included as part of USM

Access ProtectionCSIRT enables Sourcefire signature

Access ProtectionDev/Stage IT systems Patched fo

Sourcefire IPS signatures turned into active plays

OpenDNS “killswitch” sinkhole deployed

IT Systems Patched All reamining Managed IT systems patched (accelerated)

SMBv1 DisablementAdditonal step to mitigate risk of spread. Patch reporting improved

Day 0 Day 1-2 Day 4 Day 5Day -50 Day 6

Monitoring and ReportingFixing systems not updating as expected.

Additional CSIRT monitoring


Process vs. technology


Strategic, Operational, and Tactical Issues

26%can be

addressed by products alone

74% might also require people and/or processes to address

People

Products Policies

An overemphasis on product solutions can leave openings for attackers


Pervasive security


Pervasive security framework

Trusted Resources (Private/Third Party/Hybrid Cloud)

Validated Identity

People

Governance & Operational Excellence

Adaptive Defense (Detect, Respond, Mitigate)


Governance and Operational Excellence

Comprehensive Telemetry, Integrated Intelligence, Pervasive Detection, Playbooks

Trusted Resources (Private/Third Party/Hybrid Cloud )

Validated Identity

People


Adaptive & Integrated Defense (Detect, Respond, Mitigate)

• Standards & Policies • Risk Assessments

• Vulnerability Management• Analytics, Metrics & Reporting

• Privacy Engineering• Architecture Reviews

• COBC • Targeted Awareness

• Security Primes & Advocates• Partner Security Architects

• Security Training (Ninja, SKE, EMS) • Business Partnerships

Identity• Federated (Inbound/outbound)• Strong Multi-Factor

• Posture AssessmentContextual Access ControlLocation, Time, Role• Separation

(User<->Admin)

Endpoint• Profiling• Registration

Users

Network• ESA/WSA• AnyConnect

• Pervasive Protection• Adaptive Access

& Control

Service• Application• Endpoint

• NGFW/IPS• AMP

Data• Ownership • Accountability• Visibility

• Host• XaaS

• ISE• ACI

Accountability


Unified security metrics

0

20

40

60

80

100

Q1FY12 Q1FY16 Q1FY17 Q1FY18

SLA on-time closure % Vulnerability open %

* = Pre USM Reporting

*

Imple

menta

tion

Sustained Performance


People


Validated Identity

People• COBC • Targeted Awareness





(User<->Admin)


Users



& Control


• NGFW/IPS• AMP


• Host• XaaS

• ISE• ACI





Accountability




Security education campaign – Phishing

• Phishing is #1 source of endpoint compromise

• Different levels of sophistication and difficulty each quarter

• Remember it only takes one Phish to compromise YOU

Q1New Doctor

Q2Background Check

Q3Account Closing

Q4Plan Recruitment


Partner Security Architect

InfoSec Team

• Security SMEs

• Security architecture reviews

• Trusted advisors

• Establishes security technology baselines

• Formal approval for exceptions

• Establishes corporate security policies andguidelines

Expanding accountability

Service Executive

1 or more primes

Service Owner

1 or more primes

Service Security Prime

• CSO of the Service

• Single point of accountability

• Increase communication and awareness around security


Validated identity

People


Validated IdentityIdentity• Federated (Inbound/outbound)• Strong Multi-Factor


(User<->Admin)




& Control


• NGFW/IPS• AMP


• Host• XaaS

• ISE• ACI








Users Accountability




Trusted device and differentiated access

28% Increase in worker satisfaction

500KEliminated per year in device upgrade spend

56%Case load lowered per device

$

Trusted device

More controls needed to scale access and services

Remote Wipe (Cisco Data)

Anti-Malware

Encryption (Cisco Data)

Minimum OS

Software Patching

Rooted Device Detection (Mobile Devices Only)

Device Registration

Password/Screen-lock Enforcement

Hardware/Software Inventory


Trusted device and differentiated access

ISE Enabled Policy

Differentiated access

Trusted device

More controls needed to scale access and services

Remote Wipe (Cisco Data)

Anti-Malware

Encryption (Cisco Data)

Minimum OS

Software Patching

Rooted Device Detection (Mobile Devices Only)

Device Registration

Password/Screen-lock Enforcement

Hardware/Software Inventory

IdentityApplication and data

Network

Content

WorkforceData

ID Management

Cisco ISE

Devices

InstantMessaging

Conferencing

Tagging

SDN

Cisco pxGrid

Policy Management


Trusted resources

Validated Identity

People

Trusted Resources (Private/Third Party/Hybrid Cloud )Integrated Defense• ESA/WSA• AnyConnect


& Control

CASPR• Application• Endpoint

• NGFW/IPS• AMP

Data Protection• Ownership • Accountability• Visibility

• Host• XaaS

• ISE• ACI








Users



(User<->Admin)


Accountability




FireSIGHTManagement Center

100%**

Cloud enabled AMP

Integrated threat defense

1% of all WSA transactions blocked

NG-IPS 83xx and VM series deployed

Passive and Inline capabilities

25K+ quarterly alerts

80 WSAs/30 ESA Deployed

3K+ email files blocked by AMP monthly

14 TG appliancesDeployed

On-Prem Sandboxing

10K+ files analyzed every 24hrs.

Analytics Engine

Machine Learning Engine

10K+ agents deployed

13 iPOPs Globally

Eight Global Appliances Deployed

**Deployment Progress Completion

AMP for Endpoints10%**

AMP for Networks50%**

Threat Grid/AMP100%**

AMP’d Web and Email100%**




Adaptive defense

People

Trusted Resources (Private/Third Party/Hybrid Cloud )Network• ESA/WSA• AnyConnect


& Control


• NGFW/IPS• AMP


• Host• XaaS

• ISE• ACI








Users Accountability

Validated IdentityIdentity• Federated (Inbound/outbound)• Strong Multi-Factor


(User<->Admin)


Adaptive Defense (Detect, Respond, Mitigate)Comprehensive Telemetry, Integrated Intelligence, Pervasive Detection, Playbooks


Adaptive defenseEnabling active response to threats

Information Sharing

Network Services

Detection Tools

Playbook

Collect/analyze

1.2T events throughout network

47TB traffic inspected

15B NetFlows analyzed/day

4.8B DNS records

4TB data collected and analyzed

~200 Plays

Mitigate Remediate


Adaptive defenseEnabling active response to threats

Cisco.com

What are we trying to protect?

Active Directory Servers

End User Laptop

DoS attackSQL InjectionDirectory Traversal

What are the threats?

Lateral Movement Account Compromise Malware

MalwarePhishing AttacksDriveby Download

NetFlow monitoringIPS/IDS detectionSystem Logs

How do we detect them?

NetFlow alertsUser Activity HIPS logs

HIPS/AV logsESA logsWSA logs

Engage ISPInvestigate

How do we respond?

P1 incidentInvestigate

ReimageInvestigate


Key Takeaways

A time of anytime cloud access, SaaS applications and moreIt’s a new Multicloud world

Ransomware and exposed development systems are sign of the times

Threat landscape continues to expand

Digital security architecture must address entire threat landscape

Approach to security must keep pace

Implement architectural approach to security, automate processes to reduce time to react and contain attacks

Adopt integrated defense approach

Option_01


Q&A


Thank You

Documents

The Case for Pervasive Security in a Multicloud World · The Case for Pervasive Security in a Multicloud World Released April 2017 ... InfoSec threat intelligence discovers abuse