Marisa Chancellor
Sr. Director, Information Security
March 27, 2018
The Case for Pervasive Security in a Multicloud World
Released April 2017
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
The new Multicloud world
Public and hybrid clouds drive flexibility
Anytime cloud access keeps us productive
SaaS applications speed up the business
The cloud: Organizations increase reliance on the cloud
53% manage over half of their infrastructure in the cloud
Appeal:
• Ease of use (46%)
• Scalability (48%)
• Lack of internal workforce (41%)
• Better security (57%)
Threat landscape
Network-based ransomware
WannaCry and Nyetya: rapid-moving, self-propagating network-based worm attacks
With active, unpatched machines, these automated worms will attack again. Have you secured your network?
Exposed development systems
Percentage of DevOps servers left wide open, creating a huge ransomware risk (source: Rapid7):
• Memcache: 80%
• MongoDB: 100%
• CouchDB: 75%
• Docker: 20%
• Elasticsearch: 75%
To reduce risk of exposure to DevOps ransomware attacks:
• Develop solid standards for secure deployment
• Maintain active awareness of the company's public infrastructure
• Keep DevOps technologies up to date and patched
• Conduct vulnerability scans
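A defender-side check for the exposure pattern above, as an added example that is not from the deck: it parses a constructed `ss -lnt`-style socket listing from one of your own hosts and flags the slide's DevOps services when they listen on a non-loopback address. The port map uses each service's well-known default port; the sample listing and the `SAMPLE_SS_OUTPUT` name are constructed.

```python
"""Added example (not from the Cisco deck): flag DevOps services that are
reachable from the network, the exposure pattern the Rapid7 figures describe.
Input is a constructed `ss -lnt`-style listing of a host's listening sockets."""
import re

# Well-known default ports of the services named on the slide.
DEVOPS_PORTS = {
    11211: "Memcache",
    27017: "MongoDB",
    5984: "CouchDB",
    2375: "Docker",          # unencrypted daemon API port
    9200: "Elasticsearch",
}

# Constructed sample in the shape of `ss -lnt` output (Local Address:Port column).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    127.0.0.1:27017     0.0.0.0:*
LISTEN  0      128    0.0.0.0:11211       0.0.0.0:*
LISTEN  0      128    [::]:9200           [::]:*
LISTEN  0      128    10.1.2.3:5984       0.0.0.0:*
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
"""

# Captures the local address and port of each LISTEN line.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN line."""
    out = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2))))
    return out


def is_loopback(addr):
    return addr == "[::1]" or addr.startswith("127.")


def exposed_devops_services(ss_output):
    """List DevOps services listening on a non-loopback address.
    Wildcard binds (0.0.0.0 / [::]) are the 'wide open' case; a specific
    routable address is reported too, since it is reachable from the network."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in DEVOPS_PORTS and not is_loopback(addr):
            wildcard = addr in ("0.0.0.0", "[::]", "*")
            findings.append({"service": DEVOPS_PORTS[port], "port": port,
                             "bind": addr, "all_interfaces": wildcard})
    return findings
```

Run it against real `ss -lnt` output from a build or staging host; anything it reports is either a service to bind to loopback, put behind authentication, or firewall off.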
Malicious binaries and encryption
[Chart] Global encrypted web traffic: 38% (November 2016) to 50% (October 2017), a 12% increase. Malicious sandbox binaries with encryption: 19% (November 2016) to 70% (October 2017), a 268% increase.
Attackers embrace encryption to conceal their command-and-control activity
High severity vulnerabilities and patch management
[Chart: MS17-010 detections (number of detections by month; source: Qualys). Annotations: "Microsoft warns of vulnerability"; "Exploited vulnerability makes headlines"; patches double as organizations realize potential threat.]
High severity is driven by headlines
We need a better way to improve patch management processes
Security at Cisco
Trust across the security landscape: Six foundational pillars
• Transparency and validation
• Data protection/privacy
• Trusted enterprise
• Value chain security
• Trustworthy systems
• Trusted cloud
Defending Cisco: What we must protect
• 122K workforce
• 170 countries
• ~3M IP addresses
• 215K infra devices
• 275K total hosts
• 2500+ IT applications
• 26K connected Cisco virtual offices
• 300 partner extranet connections
• 600+ Cloud ASPs
• 16 major Internet connections
• ~47 TB bandwidth used daily
• 50+ and growing portfolio of Cloud offers: WebEx, Meraki, Umbrella
• 1350 labs
• 180+ acquisitions
Defending Cisco: A day in security
• 47TB traffic inspected
• 710 security devices
• 4TB security data collected
• 1.2T security events
• 7.6B DNS records
• 14.7M intrusion alerts (IDS/IPS w/AMP)
• 350M web transactions
• 28B NetFlows
• 22 incidents managed
• 6,385,333 internet threats blocked (WSA w/AMP)
• 2,509,724 email threats blocked (ESA w/AMP)
• 282,767 host/antivirus threats blocked
• 17,000 files analyzed (AMP/Threat Grid)
Approach
Digital security architecture framework – circa 2007
[Diagram of siloed controls]
• Network services: Cisco network, DLP, IDS, FW, VPN, …
• Data security: Email Encryption, PGP
• Network and system management: Logging, Monitoring, Alerting, AD, LDAP
• Device security: CSA, Altiris, Credant, AV
• Application and service security: XML GW, Audit
• Platform security: XML GW, Audit
Digital security architecture framework – circa 2017
• Programs: Identity and access management; Data protection program; Integrated threat defense; Monitoring everything and maturing responses
• Domains: Network, Identity, Devices, Data, Application, Monitoring and response
• Foundation: Policy and standards; Security architecture
• Inputs: Threat landscape; Laws and regulations; Technology; Customer and business requirements; Risk appetite
Use cases
Advanced malware protection
Challenge: Previous sandbox solution was not integrated with IT infrastructure. This led to increased support cost, complexity and limited capabilities.
Solution: Deploy AMP natively on existing IT security infrastructure and leverage an on-prem Threat Grid private cloud.
Result: Our end-to-end malware detection capability saw a 3x improvement in detection capabilities, while reducing our engineering investment by 50%.
Components: Web and email security appliances, Threat Grid, AMP, FireSIGHT Management Center, AMP for Networks, AMP for Endpoints, cloud-enabled AMP
ETA, Stealthwatch and Cognitive: Seeing the unseen at machine speed
Challenge: The inability to examine encrypted traffic reduces visibility of threats active on the network.
Solution: Encrypted Traffic Analytics (ETA) allows enhanced telemetry to be sent to Stealthwatch. Select events are sent to Cognitive Threat Analytics (CTA) for additional analysis of potential malware.
Result: This allowed us to use our existing infrastructure to gain insights into malicious activity that was previously unseen. We had over 99% success in true positive identification of malware within encrypted sessions using this technology.
Components: ETA, Stealthwatch, CTA
WannaCry – By the numbers
• Machines infected: 450K
• Countries affected: >150
• Days patch available: 59
• Windows 7: 98%
• Ransom: $300
• Paid ransom: 0.07%
• Economic impact: >$1B
• Exploit origin: NSA
WannaCry response timeline
Timeline markers: Day -50, Day 0, Day 1-2, Day 3, Day 4, Day 5, Day 6
• MS Patch: MS patch deployed as part of standard desktop security practice (March 23rd); all managed desktop systems patched
• EVMP: InfoSec threat intelligence discovers abuse of exploit and enacts Emergency Vulnerability Management Plan
• DAT Updates and Patches: AV DAT updates pushed; auditing and correction of permissive network ACLs
• Access Protection: CSIRT enables Sourcefire signature; Dev/Stage IT systems patched fo
• Sourcefire IPS signatures turned into active plays; OpenDNS "killswitch" sinkhole deployed
• IT Systems Patched: all remaining managed IT systems patched (accelerated)
• SMBv1 Disablement: additional step to mitigate risk of spread; patch reporting improved
• Monitoring and Reporting: fixing systems not updating as expected; additional CSIRT monitoring
• USM Reporting: ongoing patch compliance now included as part of USM
Process vs. technology
Strategic, Operational, and Tactical Issues
• 26% can be addressed by products alone
• 74% might also require people and/or processes to address
(People, Products, Policies)
An overemphasis on product solutions can leave openings for attackers
Pervasive security
Pervasive security framework
• Trusted Resources (Private/Third Party/Hybrid Cloud)
• Validated Identity
• People
• Governance & Operational Excellence
• Adaptive Defense (Detect, Respond, Mitigate)
Governance and Operational Excellence
Pervasive security framework components:
• Governance & Operational Excellence: Standards & Policies; Risk Assessments; Vulnerability Management; Analytics, Metrics & Reporting; Privacy Engineering; Architecture Reviews
• People: COBC; Targeted Awareness; Security Primes & Advocates; Partner Security Architects; Security Training (Ninja, SKE, EMS); Business Partnerships
• Validated Identity: Identity (Federated (Inbound/outbound); Strong Multi-Factor; Posture Assessment; Contextual Access Control (Location, Time, Role); Separation (User<->Admin)); Endpoint (Profiling; Registration)
• Trusted Resources (Private/Third Party/Hybrid Cloud): Network (ESA/WSA; AnyConnect; Pervasive Protection; Adaptive Access & Control); Service (Application; Endpoint; NGFW/IPS; AMP); Data (Ownership; Accountability; Visibility); also listed: Host; XaaS; ISE; ACI
• Adaptive & Integrated Defense (Detect, Respond, Mitigate): Comprehensive Telemetry, Integrated Intelligence, Pervasive Detection, Playbooks
(Diagram labels: Users, Accountability)
Unified security metrics
[Chart: SLA on-time closure % and Vulnerability open %, 0-100 scale, Q1FY12 through Q1FY18; * = Pre USM Reporting. Phases marked "Implementation" and "Sustained Performance".]
People
[Pervasive security framework diagram, as on the Governance and Operational Excellence slide, with the People pillar highlighted: COBC; Targeted Awareness; Security Primes & Advocates; Partner Security Architects; Security Training (Ninja, SKE, EMS); Business Partnerships]
Security education campaign – Phishing
• Phishing is the #1 source of endpoint compromise
• Different levels of sophistication and difficulty each quarter
• Remember it only takes one phish to compromise YOU
Quarterly campaign themes: Q1 New Doctor; Q2 Background Check; Q3 Account Closing; Q4 Plan Recruitment
Expanding accountability
InfoSec Team (Partner Security Architect):
• Security SMEs
• Security architecture reviews
• Trusted advisors
• Establishes security technology baselines
• Formal approval for exceptions
• Establishes corporate security policies and guidelines
Service Executive → 1 or more primes → Service Owner → 1 or more primes → Service Security Prime:
• CSO of the Service
• Single point of accountability
• Increase communication and awareness around security
Validated identity
[Pervasive security framework diagram, as on the Governance and Operational Excellence slide, with the Validated Identity pillar highlighted: Identity (Federated (Inbound/outbound); Strong Multi-Factor; Posture Assessment; Contextual Access Control (Location, Time, Role); Separation (User<->Admin)); Endpoint (Profiling; Registration)]
Trusted device and differentiated access
• 28% increase in worker satisfaction
• $500K eliminated per year in device upgrade spend
• 56% case load lowered per device
Trusted device: more controls needed to scale access and services
• Remote Wipe (Cisco Data)
• Anti-Malware
• Encryption (Cisco Data)
• Minimum OS
• Software Patching
• Rooted Device Detection (Mobile Devices Only)
• Device Registration
• Password/Screen-lock Enforcement
• Hardware/Software Inventory
Trusted device and differentiated access
ISE Enabled Policy: Differentiated access
Trusted device: more controls needed to scale access and services
• Remote Wipe (Cisco Data)
• Anti-Malware
• Encryption (Cisco Data)
• Minimum OS
• Software Patching
• Rooted Device Detection (Mobile Devices Only)
• Device Registration
• Password/Screen-lock Enforcement
• Hardware/Software Inventory
[Diagram labels: Identity; Application and data; Network; Content; Workforce; Data; ID Management; Cisco ISE; Devices; Instant Messaging; Conferencing; Tagging; SDN; Cisco pxGrid; Policy Management]
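As an added example (not Cisco's ISE policy), a posture evaluation that turns the trusted-device controls listed above into a differentiated access decision. The per-control checks, the 30-day patch window, the set of hard-fail controls and the three access levels are assumptions; a real deployment would take the posture facts from the MDM/posture agent and feed the level into the access policy.

```python
"""Added example (not Cisco's ISE policy): map a device's posture against the
slide's trusted-device controls to an access level. Thresholds, the hard-fail
set and the level names are assumptions."""
from dataclasses import dataclass


@dataclass
class DevicePosture:
    registered: bool
    min_os_met: bool
    patched_within_days: int   # days since the last successful patch cycle
    encrypted: bool
    anti_malware: bool
    screen_lock: bool
    remote_wipe: bool
    inventoried: bool
    mobile: bool = False
    rooted: bool = False


# One check per control named on the slide; True means the control is satisfied.
CONTROLS = {
    "Device Registration": lambda d: d.registered,
    "Minimum OS": lambda d: d.min_os_met,
    "Software Patching": lambda d: d.patched_within_days <= 30,   # assumed window
    "Encryption (Cisco Data)": lambda d: d.encrypted,
    "Anti-Malware": lambda d: d.anti_malware,
    "Password/Screen-lock Enforcement": lambda d: d.screen_lock,
    "Remote Wipe (Cisco Data)": lambda d: d.remote_wipe,
    "Hardware/Software Inventory": lambda d: d.inventoried,
    # Only meaningful for mobile devices; non-mobile devices pass by definition.
    "Rooted Device Detection (Mobile Devices Only)": lambda d: not (d.mobile and d.rooted),
}

# Failing any of these means the device cannot be trusted at all (assumed).
HARD_FAIL = {
    "Device Registration",
    "Encryption (Cisco Data)",
    "Rooted Device Detection (Mobile Devices Only)",
}


def evaluate(device):
    """Return (access_level, failed_controls).
    Levels (assumed): 'full' = trusted device; 'limited' = registered but
    non-compliant, e.g. web and email only; 'quarantine' = fails a hard control."""
    failed = [name for name, check in CONTROLS.items() if not check(device)]
    if any(name in HARD_FAIL for name in failed):
        return "quarantine", failed
    if failed:
        return "limited", failed
    return "full", failed
```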
Trusted resources
[Pervasive security framework diagram, as on the Governance and Operational Excellence slide, with the Trusted Resources (Private/Third Party/Hybrid Cloud) pillar highlighted: Integrated Defense (ESA/WSA; AnyConnect; Pervasive Protection; Adaptive Access & Control); CASPR (Application; Endpoint; NGFW/IPS; AMP); Data Protection (Ownership; Accountability; Visibility; Host; XaaS; ISE; ACI)]
Integrated threat defense
• FireSIGHT Management Center
• Cloud enabled AMP (100%**)
• 1% of all WSA transactions blocked
• NG-IPS 83xx and VM series deployed; passive and inline capabilities
• 25K+ quarterly alerts
• 80 WSAs / 30 ESAs deployed
• 3K+ email files blocked by AMP monthly
• 14 TG appliances deployed; on-prem sandboxing; 10K+ files analyzed every 24 hrs
• Analytics engine; machine learning engine
• 10K+ agents deployed
• 13 iPOPs globally
• Eight global appliances deployed
** Deployment progress completion: AMP for Endpoints 10%; AMP for Networks 50%; Threat Grid/AMP 100%; AMP'd Web and Email 100%
Adaptive defense
[Pervasive security framework diagram, as on the Governance and Operational Excellence slide, with the Adaptive Defense (Detect, Respond, Mitigate) pillar highlighted: Comprehensive Telemetry, Integrated Intelligence, Pervasive Detection, Playbooks]
Adaptive defense: Enabling active response to threats
Playbook inputs: Information Sharing; Network Services; Detection Tools
Playbook flow: Collect/analyze → Mitigate → Remediate
• 1.2T events throughout network
• 47TB traffic inspected
• 15B NetFlows analyzed/day
• 4.8B DNS records
• 4TB data collected and analyzed
• ~200 Plays
Adaptive defense: Enabling active response to threats
What are we trying to protect? | What are the threats? | How do we detect them? | How do we respond?
Cisco.com | DoS attack; SQL injection; directory traversal | NetFlow monitoring; IPS/IDS detection; system logs | Engage ISP; investigate
Active Directory servers | Lateral movement; account compromise; malware | NetFlow alerts; user activity; HIPS logs | P1 incident; investigate
End user laptop | Malware; phishing attacks; drive-by download | HIPS/AV logs; ESA logs; WSA logs | Reimage; investigate
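The three rows above are plays in miniature. As an added example (not one of Cisco's ~200 plays), here is that table encoded as a small playbook with the two operations a SOC wants from it: routing a constructed alert to its response steps, and listing assets whose play has no enabled telemetry source, which is the detection gap an "active response" program has to close first. The threat and source keys are assumed short names.

```python
"""Added example (not one of Cisco's plays): the slide's asset/threat/detection/
response table as a playbook, with alert routing and a detection-gap check.
Threat and source keys are assumed short names."""

PLAYBOOK = [
    {"asset": "Cisco.com",
     "threats": {"dos", "sql_injection", "directory_traversal"},
     "sources": {"netflow", "ips", "syslog"},
     "response": ["engage ISP", "investigate"]},
    {"asset": "Active Directory servers",
     "threats": {"lateral_movement", "account_compromise", "malware"},
     "sources": {"netflow", "user_activity", "hips"},
     "response": ["declare P1 incident", "investigate"]},
    {"asset": "End user laptop",
     "threats": {"malware", "phishing", "driveby_download"},
     "sources": {"hips", "av", "esa", "wsa"},
     "response": ["reimage", "investigate"]},
]


def route_alert(alert, playbook=PLAYBOOK):
    """Find the play for an alert of the form {'asset', 'threat', 'source'}.
    Returns (response_steps, note). The note flags an alert that arrived from
    a source the play does not list, which usually means the play's telemetry
    mapping is incomplete and should be reviewed."""
    for play in playbook:
        if alert["asset"] == play["asset"] and alert["threat"] in play["threats"]:
            if alert["source"] in play["sources"]:
                note = ""
            else:
                note = "source %s not listed in play for %s" % (alert["source"], play["asset"])
            return list(play["response"]), note
    # No play covers this asset/threat pair: hand it to an analyst.
    return ["triage manually"], "no play matches"


def detection_gaps(enabled_sources, playbook=PLAYBOOK):
    """Assets whose play relies only on telemetry that is not currently enabled."""
    enabled = set(enabled_sources)
    return [p["asset"] for p in playbook if not (p["sources"] & enabled)]
```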
Key Takeaways
• It's a new Multicloud world: a time of anytime cloud access, SaaS applications and more
• Threat landscape continues to expand: ransomware and exposed development systems are signs of the times
• Approach to security must keep pace: digital security architecture must address the entire threat landscape
• Adopt an integrated defense approach: implement an architectural approach to security, and automate processes to reduce time to react and contain attacks
Q&A
Thank You