Post on 03-Oct-2021


Cisco Security Everywhere

Cluj-Napoca

Dan Gavojdea – Security Specialist – Cisco Systems

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Demand for Mobility

• 50 billion new networked devices by 2020

• 3/4 of employees use multiple devices for work

• 56% of information workers spend time working outside the office

• 100% of IT staff struggle to keep up with mobile needs

There are two types of customers…

How would you do security differently if you knew you were going to be hacked?


Cisco Security Architecture

[Architecture diagram; the binary-pattern background did not survive extraction. Recovered labels:]

Zones: PEOPLE & DEVICES, WEB & EMAIL, CLOUD APPS, DATACENTER; users shown: Roaming User, Endpoint User, ADMIN

Network and perimeter: NGFW, NGIPS / NGIPSv, ASA / ASAv, AnyConnect VPN, URL Filter, Network Traffic Flow Analysis (Lancope Stealthwatch)

Content and cloud: Web & Email Security (CWS, WSA, CES, ESA), Cloud Access Security, Cloud Option

Malware protection: AMP for Endpoints, AMP for Network, AMP for Content, AMP Threat Grid (Dynamic Malware Analysis), CTA

Identity: Identity Services (ISE), TrustSec

Threat intelligence: Leading Threat Intelligence Research Group

Policy actions shown on traffic: Block, Warn, Allow

Caption: Intelligent cybersecurity to protect against advanced threats

The Security Problem

• New Business Models

• Dynamic Threat Landscape

• Complexity of security solutions

The Industrialization of Hacking

[Timeline figure, 1990 to 2020; recovered labels:]

• Viruses: 1990–2000

• Worms: 2000–2005

• Spyware and Rootkits: 2005–Today

• APTs, Cyberware: Today +

Hacking Becomes an Industry: the vertical axis runs from "Phishing, Low Sophistication" to "Sophisticated Attacks, Complex Landscape".


Security Challenges

• Changing Business Models

• Dynamic Threat Landscape

• Complexity and Fragmentation

A community that hides in plain sight avoids detection and attacks swiftly

• 50% of attacks last year were basic attacks

• 54% of breaches remain undiscovered for months

• 85% of intrusions aren’t discovered for weeks

• 51% increase in companies reporting a loss of $10M or more in the last year

[Timeline axis in the figure: START, HOURS, WEEKS, MONTHS, YEARS]

Dangerous Times

A Security Executive’s business challenges: Who, What, Where, When…

Who: Nation State, Political, Insider, Criminal

What is at stake: Confidential Data

Attacker goals: Game the Stock Price, Steal Customer Data, Damage the Brand, Fraud, Industrial Espionage, Pivot Through Us to Attack Customers, Exploit the Network, Steal IP

How: What are the acceptable risks? Where do you think your greatest vulnerabilities lie? Are you compliant?

Who is responsible?

Point-in-Time Malware Detection Alone is not 100% Effective

It will catch 99% of threats, but it only takes 1% to cause a breach


AMP provides contextual awareness and visibility that allows you to take control of an attack before it causes damage

Who: Focus on these users first

What: These applications are affected

Where: The breach impacted these areas

When: This is the scope of exposure over time

How: Here is the origin and progression of the threat


Cisco’s AMP Everywhere Strategy Means Protection Across the Extended Network

Endpoint types covered: Mac, PC, Virtual, Mobile

• AMP for Networks

• AMP for Cloud Web Security & Hosted Email (CWS)

• AMP on Web & Email Security Appliances

• AMP on ASA Firewall with FirePOWER Services

• AMP for Endpoints

• AMP Private Cloud Virtual Appliance

• AMP Threat Grid: Dynamic Malware Analysis + Threat Intelligence Engine

Mapping to the Holistic Threat Continuum

Stages: Control, Enforce, Harden → Detect, Block, Defend → Scope, Contain, Remediate

Capabilities placed on the continuum (the exact stage mapping is not recoverable from the extracted figure): Infrastructure and Protocols; Network Firewall; Next-Generation Firewall (NGFW); Next-Generation IPS (NGIPS); Web Security; Content Filtering; Mobile Users; Remote Access VPN; Email Security; SSL Decryption and Inspection; Network Forensics; Advanced Malware Protection (AMP); Incident Response; Open Source; Custom Tools; Context-Awareness; Attribution

Cisco Security Investment & Innovation (2013–2015)

[Timeline figure; recovered entries in the order extracted:]

• CLUS: AMP, Data Center

• Sourcefire acquisition closed

• Security for ACI

• RSAC: AMP Everywhere

• OpenAppID

• Managed Threat Defense

• Black Hat: 2014 MSR & Talos

• 2014 ASR

• Global Security Sales Organization

• Neohapsis acquired

• AMP Everywhere

• Incident Response Service

• Cisco ASA with FirePOWER Services for Mid-Size, Branch Offices and Industrial environments

• ThreatGRID acquired

• Cisco ASA with FirePOWER Services

• Security & Trust Organization

• InterOp NY: ISE 1.3 / AC 4.0 / CTD 2.0

• EN integrations

• Intent

• OpenDNS


NSS Labs Report: Comparative Testing on Breach Detection Systems

Who is NSS Labs? NSS Labs, one of the best and most thorough independent testing bodies in the industry, performed comparative testing on Breach Detection Systems.

What was measured?

Security Effectiveness of Breach Detection Systems

• HTTP/Email Malware, Exploits, Evasions, and False Positive Rate

Total Cost of Ownership per protected Mbps

What Cisco-Sourcefire products were tested?

AMP Everywhere

• AMP for Networks and AMP for Endpoints (TCO calculations include this set of FireAMP connectors)

• FirePOWER 8120 (with AMP subscription)*

What competitor products were evaluated?

FireEye, AhnLab, Fortinet, TrendMicro, Fidelis

BDS Methodology v1.5

"[The methodology] utilizes real threats and attack methods that exist in the wild and are actually being used by cyber-criminals and other threat actors. This is the real thing, not facsimile; systems under test (SUT) are real stacks connected to a live internet feed." -- NSS Labs

*Dedicated AMP Appliances (AMP8150/AP7150) were not shipping at the time of the test, otherwise one would have been used


The Results: Cisco AMP is a Leader in Security Effectiveness and TCO and offers Best Protection Value

[NSS Labs Security Value Map (SVM) for Breach Detection Systems; axes: Security Effectiveness versus TCO per Protected-Mbps]

Cisco Advanced Malware Protection:

• Best Protection Value

• 99.0% Breach Detection Rating

• Lowest TCO per Protected-Mbps

• Other Products Do Not Provide Retrospective Security After a Breach


AMP Case Studies


Block Threats Before They Breach

Challenge

An experienced security team of 7 supporting over 120 locations needed greater intelligence to quickly identify and stop threats. Current defenses alerted personnel and logged details but did nothing to aid investigation of the issue.

Solution

Augmented intrusion prevention systems with FireAMP for Endpoint.

Result

After installation of FireAMP, a targeted attack was identified and remediated in half a day. Seven days after the initial attack, new business processes and intelligence implemented with FireAMP resulted in the immediate mitigation of a second targeted attack.

Bank Case Study

2016 Security Report

• Blocked threats: 19,692,200,000 threats per day

• Blocked threats w/ spam: 2,557,767 blocks/sec

Talos Detection Content

[Diagram: Talos detection content feeds NGFW, ESA, Threat Grid, AMP Cloud, WSA and NGIPS]

Ask for a DEMO!

dgavojde@cisco.com

Dan Gavojdea

IT security for application and solution developers

Bogdan Voiculescu

Net Brinel - Presales Consultant

2 March 2016

About sandboxing technology

Sandbox definition

A sandbox aims to detect malware by executing suspicious code in a protected environment and analyzing its behavior. It is used against zero-day and stealthy attacks.

Stalling code

Execution of the malicious payload is delayed until the sandbox's analysis window times out. The malware does not simply sleep (a plain sleep is easy to spot, and many sandboxes fast-forward it); instead it gives the appearance of activity with useless operations, so everything looks normal. This is a malware analysis system blind spot.

Blind spot in a sandbox

"Hooks" are inserted into the program so that the sandbox gets notifications (callbacks) whenever certain functions or libraries are called. This requires modifying the program, and the modification can be identified by the malware. Also, the sandbox cannot see any instruction the malware executes between the hooked calls.

Where is the human?

User behavior monitoring lets malware check for user interaction before executing. Activities performed by a human have a random character that is very hard to replicate (page scrolling, mouse movement, mouse clicks, etc.); if interaction is absent or looks unnatural, the malware concludes it is being analyzed: suspicious unnatural behavior DETECTED.

Diagnosing the sandbox

Malware is able to scan for:

• VM registry keys

• running processes

• disk size

• remote communication and other VM-specific characteristics
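The evasion checks just listed, as an added example that is not code from the talk or from Cisco: a small Python model of the three tells (VM artifacts in registry keys, processes and disk size; a hooked Sleep() that returns too early; cursor input that is absent or scripted), run against a constructed environment snapshot so that it works offline. The registry keys, process names and the 60 GiB disk threshold are illustrative assumptions, not a catalogue of what real malware looks for.

```python
# Added example (not Cisco's code): sandbox-evasion checks of the kinds the
# slides describe, evaluated against a constructed environment snapshot
# rather than a live host. Artefact lists and thresholds are assumptions.
import math
import time
from collections import Counter

VM_REGISTRY_KEYS = {
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
}
VM_PROCESSES = {"vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe"}
# Analysis VMs are usually given small disks; 60 GiB is an assumed threshold.
MIN_PLAUSIBLE_DISK_BYTES = 60 * 1024 ** 3


def vm_artifacts(env):
    """'Diagnosing the sandbox': list the VM indicators present in a snapshot
    of registry keys, running processes and disk size."""
    hits = []
    for key in env.get("registry_keys", []):
        if key in VM_REGISTRY_KEYS:
            hits.append("registry:" + key)
    for proc in env.get("processes", []):
        if proc.lower() in VM_PROCESSES:
            hits.append("process:" + proc.lower())
    if env.get("disk_bytes", MIN_PLAUSIBLE_DISK_BYTES) < MIN_PLAUSIBLE_DISK_BYTES:
        hits.append("disk:small")
    return hits


def sleep_is_accelerated(sleep_fn, seconds=0.2, tolerance=0.5):
    """'Stalling code' counter-check: request a delay and time it. A sandbox
    whose Sleep() hook skips the delay returns far earlier than requested,
    which is the hook-based modification the slides say malware notices."""
    start = time.perf_counter()
    sleep_fn(seconds)
    elapsed = time.perf_counter() - start
    return elapsed < seconds * tolerance


def mouse_looks_human(positions, min_distinct=5):
    """'Where is the human?': real cursor traces have many distinct positions
    and irregular step lengths; a scripted mover (or no input at all) does not."""
    if len(set(positions)) < min_distinct:
        return False
    steps = [math.dist(a, b) for a, b in zip(positions, positions[1:])]
    return len(Counter(round(s, 1) for s in steps)) > 1


def sandbox_suspected(env, sleep_fn, mouse_positions):
    """Combine the checks the way evasive malware does: a single hit is enough
    to stay dormant and starve the analysis run of behaviour."""
    return (bool(vm_artifacts(env))
            or sleep_is_accelerated(sleep_fn)
            or not mouse_looks_human(mouse_positions))


# --- constructed sample inputs (not captured from any real host) -------------
SANDBOX_SNAPSHOT = {
    "registry_keys": [r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
                      r"HKLM\SOFTWARE\Microsoft\Windows"],
    "processes": ["explorer.exe", "VMToolsd.exe"],
    "disk_bytes": 40 * 1024 ** 3,
}
BARE_METAL_SNAPSHOT = {
    "registry_keys": [r"HKLM\SOFTWARE\Microsoft\Windows"],
    "processes": ["explorer.exe", "outlook.exe"],
    "disk_bytes": 512 * 1024 ** 3,
}


def hooked_sleep(seconds):
    """Stand-in for a sandbox whose Sleep() hook skips the delay entirely."""
    return None


def honest_sleep(seconds):
    """Control: a real delay, as on bare metal."""
    time.sleep(seconds)


SCRIPTED_MOUSE = [(0, 0), (10, 0), (20, 0), (30, 0), (40, 0), (50, 0)]
HUMAN_MOUSE = [(120, 340), (123, 338), (131, 329), (150, 301), (151, 300), (149, 312)]

if __name__ == "__main__":
    print("sandbox   :", sandbox_suspected(SANDBOX_SNAPSHOT, hooked_sleep, SCRIPTED_MOUSE))
    print("bare metal:", sandbox_suspected(BARE_METAL_SNAPSHOT, honest_sleep, HUMAN_MOUSE))
```

The defender's reading of the same code: an analysis environment survives these checks only if it hides the artifacts (no guest-tools process or vendor registry keys visible, a realistically sized disk), lets sleeps run at true speed while extending the analysis window instead of patching Sleep(), and replays irregular, human-like input rather than a fixed-step cursor script.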

About Antivirus Solution

https://media.blackhat.com/bh-us-12/Briefings/Flynn/bh-us-12-Flynn-intrusion-along-the-kill-chain-WP.pdf

Don’t believe us…

Let’s test it !

Cisco pxGrid – Platform Exchange Grid

Thank you!
