cybersecurity: game planning for success lunch and learn event, april 10th
TRANSCRIPT
www.utgsolutions.com@utgsolutions 205.413.4274
Business • Driven • Technology
Agenda
• Intro
• Game Planning for Success – UTG – Derrick Helms, CISSP
• Cisco AMP – Cisco – Chris Robb
• Q&A
• Drawing for ASA 5506-X and 2 $100 Visa Cards!
CyberSecurity – Game Planning for Success
Derrick Helms, CISSP
Headlines
There is a multi-billion dollar global industry targeting your prized assets: $450 billion to $1 trillion (slide infographic, underground price list):
• Social Security number: $1
• Mobile malware: $150
• Bank account info: >$1000 depending on account type and balance
• Facebook accounts: $1 for an account with 15 friends
• Credit card data: $0.25–$60
• Malware development: $2500 (commercial malware)
• DDoS as a service: ~$7/hour
• Spam: $50 per 500K emails
• Medical records: >$50
• Exploits: $1000–$300K
Industrialization of Hacking
Cisco Advanced Malware Protection
Chris Robb - Cisco
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9
Threat evolution (slide timeline):
• 2000: Viruses
• 2005: Worms
• 2010: Spyware & Rootkits
• Today+: APTs, Cyberware
Defense evolution:
• Anti-virus (Host)
• IDS/IPS (Network)
• Anti-malware (Host+Network)
• Intelligence and Analytics (Host+Network+Cloud)
• Enterprise Response
The World Has Changed: The Industrialization of Hacking
In the news… what do these all have in common?
• Home Depot
• Over 50 UPS Franchises hit by data breach
• 4.5M Records stolen from US Health Giant
• Goodwill
• Russian Hackers steal 4.5B records
• Meet Me Social Network User’s Passwords Stolen
• Insider breach at Las Vegas Brain and Spine Surgery Center
• Florida bank notifies roughly 72,000 customers of breach
• Los Angeles based health system breached
• Payment cards used on Wireless Emporium website compromised
• Albertson’s stores CC data hacked
• $100,000 bitcoin loss due to hack
• Microsoft’s Twitter Account Hacked
• Sony’s Twitter Account Hacked
• Russian PM’s Twitter hacked – “I resign”
• NRC Computers hacked 3 times
• Ferguson police offices computers hacked
• Norwegian oil industry under attack
• Saudi TV website hacked by Libyan
• Sony suffers DOS attack
• Dairy Queen hacked
• JP Morgan
What Can We Learn From Sony
12/04/2014: What has happened at Sony Pictures Entertainment over the past week reads like a blockbuster screenplay—or a chief executive’s nightmare: Hackers target a major company, disabling its internal systems and leaking documents revealing long-held secrets, from coming products to executive pay.
12/05/2014: The Sony data breach continues to get worse. First, it was exposed budgets, layoffs and 3,800 SSNs, then it was passwords. Now, it's way more social security numbers—including Sly Stallone's.
The Wall Street Journal reports that analysis of the documents leaked so far included the Social Security numbers of 47,000 current and former Sony Pictures workers. That included Sylvester Stallone, Rebel Wilson, and Anchorman director, Judd Apatow. The Journal reports that the SSNs are found alongside salary information, home addresses, and contract details.
What Can We Learn From Traditional Point in Time Solutions
We Tested all of These Solutions: Application Control, FW/VPN, IDS/IPS, UTM, NAC, AV, PKI, Sandboxing (“Detect the Unknown”), Threat Analytics (“Outside looking in”)
Vendor claims on the slide: “Captive portal”, “It matches the pattern”, “No false positives, no false negatives”, “Block or Allow”, “Fix the Firewall”, “No key, no access”
The Best Point in Time Protection Protects you 90+% of the time
Even Sandboxing Has Holes
• Antivirus and Sandboxing: Initial Disposition = Clean; Actual Disposition = Bad. Too Late!!
• Not 100%
• Analysis stops at the event horizon
• Evasions: Sleep Techniques, Unknown Protocols, Encryption, Polymorphism
• Blind to scope of compromise
Recap of Issues that need to be fixed by security providers
• Targeted attacks / advanced persistent threats are hard to detect.
• Malware has an ecosystem of components, and it’s important to understand what that ecosystem is and which part of any solution addresses those ecosystem components.
• Malware’s intentions are nefarious in nature, but the components are built just like standard software, so it can easily hide in your environment.
• Don’t get caught up in the catch rate game, because no security solution protects you 100%. What about the files they missed? The industry average time to find a file that got by your defenses is 200 days.
• Do traditional point-in-time solutions like Email, Content, Next Gen Firewall, IPS, AV and Sandbox solutions give you the visibility you need? Be honest with yourself: do they allow you to proactively reduce your attack surface?
• Regardless of your security solutions, always back up your data, because no one is 100%!
AMP goes beyond point-in-time detection
Attack Continuum:
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Coverage: Network, Endpoint, Mobile, Virtual, Email & Web, Cloud
Point-in-time and Continuous
Continuous Protection when advanced malware evades point-in-time detection
• Point-in-time Detection (Antivirus, Sandboxing): Initial Disposition = Clean → Actual Disposition = Bad = Too Late!! Not 100%; Analysis Stops. Evaded by Sleep Techniques, Unknown Protocols, Encryption, Polymorphism.
• AMP: Initial Disposition = Clean → Retrospective Detection, Analysis Continues.
AMP Everywhere Strategy
AMP: Continuously record activity regardless of disposition
Data we are sending to AMP Cloud: AMP Cloud (recording) / Private Cloud
AMP for Endpoint: Device Trajectory / Incident Analysis
AMP for Endpoint: Vulnerability Detection
Low Prevalence
Speed Matters: Time to Detection (TTD)
The current industry TTD rate of 100 to 200 days is not acceptable.
Industry: 200 days vs. Cisco: 17.5 hours
Cisco 2015 Midyear Security Report:
• Speed of Innovation > ~40% Efficacy
• Point products >> weak defenses
• Integrated Threat Defense is needed
Cisco Minimizes the Time to Detect Breaches
Cisco Advanced Malware Protection Built on Unmatched Collective Security Intelligence
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600 engineers, technicians, and researchers
• 35% of worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 4.3 billion web blocks per day
• 40+ languages
• 1.1 million incoming malware samples per day
AMP Community
Private/Public Threat Feeds
Talos Security Intelligence
AMP Threat Grid Intelligence
AMP Threat Grid Dynamic Analysis: 10 million files/month
Advanced Microsoft and Industry Disclosures
Snort and ClamAV Open Source Communities
AEGIS Program
Email Endpoints Web Networks IPS Devices
WWW
Automatic updates in real time
Cisco® Collective Security Intelligence Cloud
AMP (Advanced Malware Protection)
3.5 billion searches today
19.6 billion threats blocked today
AMP Offers Point-in-Time and Retrospective Protection
Point-in-Time Protection
File Reputation & Sandboxing
Dynamic Analysis
Machine Learning
Fuzzy Fingerprinting
Advanced Analytics
One-to-One Signature
How Cisco Made a Better Sandbox
• Allows you to interact with malware with Glove Box
• Outside Looking In approach, no hooks
• Prioritize threats
• Context-driven Malware Analytics
SAMPLE Glove Box ThreatGrid Video
Sample ThreatGrid Report
THREAT INTELLIGENCE
Visibility, Analytics, People.
Cisco’s Threat Defense Strategy (network diagram): Internet and Private WAN connecting Data Centers, Offices/Plants and Endpoints, with FW, VPN, Secure Web, Secure Email, IPS, ISE and AMP placed at each tier.
Attack vectors: 77% email phishing; 19% malicious web download; 4% direct install; 0.3% network attack.
99.2% Block Rate (#1); 17 Hour Detection Time (#1)
Sample AMP for Endpoints Reports
Introducing Threat Grid Everywhere
Suspicious file → analysis report, from the Edge and Endpoints (Firewalls & UTM, Email Security, Web Security, Endpoint Security, Network Security, Security Analytics, 3rd Party Integration).
AMP Threat Grid: Dynamic Analysis, Static Analysis, Threat Intelligence
Consumers: Security monitoring platforms, Deep Packet Inspection, Gov/Risk/Compliance, SIEM
Cisco Security Solutions / Network Security Solutions
Automated analysis, from edge to endpoint
Submission: an analyst or system (API) submits a suspicious sample to Threat Grid. Suspicious files are submitted automatically from:
• Edge: ASA w/FPS, ESA, Next Gen IPS, WSA
• Endpoints: AMP for Endpoints, AMP for Networks
Premium content feeds → Security Teams
Easily integrate with partner solutions (Security Analytics: Nessus, XPS, EnCase, Enterprise 360) via the API. Our robust REST API streamlines partner integration.
AMP Threat Grid: Key Differentiators
Data Fidelity & Performance
• Proprietary analysis delivers unparalleled insight into malicious activity
• High-speed, automated analysis and adjustable runtimes
• Does not expose any tags or indicators that malware can use to detect that it is being observed
Scalability & Flexibility
• 100,000s of samples analyzed daily (6–10 million per month)
• SaaS delivery (no hardware) or Appliance (as needed)
Context & Data Enrichment
• Search and correlate all data elements of a single sample against billions of sample artifacts collected and analyzed over years (global and historic context)
• Enable the analyst to better understand the relevancy of the sample in question to one’s environment
Usability
• Clearly presented information for all levels of the IT Security team: Tier 1–3 SOC Analysts, Incident Responders & Forensic Investigators, and Threat Intel Analysts
• Web portal, Glovebox (user interaction), Video Replay, Threat Score, Behavioral Indicators and more
Integration & Architecture
• Architected from the ground up with an API to integrate with existing IT security solutions (automatically receive submissions from other solutions and pull the results into your environment)
• Create custom threat intelligence feeds with context or leverage automated batch feeds
AMP for Networks: AMP Appliance
Next-Gen Firewall, IPS, URL filtering & AMP
The AMP appliance was designed to run all Firepower features: Next-Gen Firewall, IPS, URL filtering and Advanced Malware Protection (AMP).
The AMP Appliance was built on the Firepower (FP) platform and has had its CPU and memory optimized to run all the security features while maintaining the throughput numbers given in the AMP for Networks datasheet.
The AMP Appliance also includes a hardware storage pack (SSD drive) to store files for later analysis; this is required for the AMP capabilities.
Firepower Appliance: Next-Gen Firewall, IPS & URL filtering
The Firepower appliance was designed to run the Firepower features Next-Gen Firewall, IPS and URL filtering.
If you want to turn on Advanced Malware Protection (AMP) capabilities at a later date you can, but you will need to buy and install the hardware storage pack (SSD drive) and the AMP software.
Keep in mind that when you turn on the AMP features you will see a performance hit, so make sure the FP appliance is sized correctly for the customer’s environment.
If a customer wants AMP, always try to go with the AMP appliance for new purchases.
ASA X-series with SSD / SW blade
Firewall with VPN, Next-Gen Firewall, IPS, URL filtering & AMP
The ASA X-series with SSD / SW blade was designed to run all Firepower features (Next-Gen Firewall, IPS, URL filtering and Advanced Malware Protection (AMP)); you can also run traditional firewall and VPN capabilities on it.
Keep in mind that when you turn on the more advanced Firepower features you will see a performance hit, so size this appliance correctly for the customer’s environment.
Retrospection in Action
Correlation with AMP for Endpoints would show the file was cleaned / quarantined.
How Cisco AMP Works: Network File Trajectory Use Case
• An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox.
• At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
• Seven hours later the file is transferred to a third device (10.3.4.51) using an SMB application.
• The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
• The Cisco® Collective Security Intelligence Cloud has learned this file is malicious, and a retrospective event is raised for all four devices immediately.
• At the same time, a device with the AMP for Endpoints connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
• Eight hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
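The trajectory walk-through above as an added example (this is illustrative Python, not Cisco’s code or AMP’s actual logic): each hop is recorded regardless of the disposition at the time, the cloud verdict flipping to malicious raises a retrospective event for every device that ever received the file, and the later re-entry through the original point of entry is blocked. The first-download time, the source host of each later hop and the hash value are constructed assumptions; the IPs and intervals follow the slide.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

SAMPLE_HASH = "sha256-placeholder"  # constructed stand-in for the real file hash

@dataclass(frozen=True)
class FileEvent:
    time: datetime
    src: Optional[str]  # None = downloaded from the Internet
    dst: str            # device that received the file
    app: str            # application that moved it
    sha256: str

@dataclass
class Trajectory:
    """Records every file movement regardless of the disposition at that time."""
    events: list = field(default_factory=list)
    disposition: dict = field(default_factory=dict)  # sha256 -> verdict

    def record(self, ev: FileEvent, verdict: str) -> bool:
        # Point-in-time detection acts on 'verdict' alone; AMP keeps the event
        # even when the verdict is clean/unknown. Returns True if allowed.
        if self.disposition.get(ev.sha256) == "malicious":
            return False  # already known bad: blocked at the point of entry
        self.events.append(ev)
        self.disposition.setdefault(ev.sha256, verdict)
        return True

    def devices_with_file(self, sha256: str) -> list:
        # Every device that ever received the file, in order of first receipt.
        seen = []
        for ev in sorted(self.events, key=lambda e: e.time):
            if ev.sha256 == sha256 and ev.dst not in seen:
                seen.append(ev.dst)
        return seen

    def retrospective_event(self, sha256: str) -> list:
        # Cloud disposition flips to malicious: flag every device in the
        # trajectory, not only the one that triggered the new verdict.
        self.disposition[sha256] = "malicious"
        return self.devices_with_file(sha256)

def run_use_case() -> dict:
    t0 = datetime(2014, 12, 4, 10, 50)  # constructed time of the first download
    tj, h = Trajectory(), SAMPLE_HASH
    def hop(dt: timedelta, src: Optional[str], dst: str, app: str) -> bool:
        return tj.record(FileEvent(t0 + dt, src, dst, app, h), "unknown")
    hop(timedelta(0), None, "10.4.10.183", "Firefox")
    hop(timedelta(minutes=7), "10.4.10.183", "10.5.11.8", "unspecified")  # 10:57
    hop(timedelta(hours=7, minutes=7), "10.5.11.8", "10.3.4.51", "SMB")   # +7 h
    hop(timedelta(hours=7, minutes=37), "10.3.4.51", "10.5.60.66", "SMB")  # +30 min
    flagged = tj.retrospective_event(h)  # cloud now knows the file is malicious
    reentry_ok = hop(timedelta(hours=8), None, "10.4.10.183", "Firefox")  # blocked
    return {"flagged": flagged, "reentry_allowed": reentry_ok}
```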
The AMP Everywhere Architecture: AMP Protection across the Extended Network for an Integrated Threat Defense
• AMP Threat Intelligence Cloud
• AMP for Endpoints: Windows OS, Android Mobile, Virtual, MAC OS, CentOS / Red Hat Linux for datacenters; remote endpoints (AMP for Endpoints can be launched from AnyConnect)
• AMP on Web & Email Security Appliances
• AMP on Cisco® ASA Firewall with Firepower Services
• AMP Private Cloud Virtual Appliance
• AMP on Firepower NGIPS Appliance (AMP for Networks)
• AMP on Cloud Web Security & Hosted Email (CWS/CTA)
• Threat Grid: Malware Analysis + Threat Intelligence Engine
• AMP on ISR with Firepower Services
Identify Solution Options
Customer Need Feature WSA, ESA, CWS Network Endpoint
I want to be able to define policies for malware… File Reputation ✔ ✔ ✔
I want to be able to isolate suspected malware for threat analysis… Sandboxing ✔ ✔ ✔
I want to be able to backtrack if malware makes it into my system… Retrospective Security ✔ ✔ ✔
I need to identify compromised devices on my network… Indications of Compromise ✔ ✔
I want to track how a file has been behaving… File Analysis ✔ ✔
I want to track how threats traverse the network… File Trajectory ✔ ✔
I want to see system activities, relationships and events … Device Trajectory ✔
I want to search large sets of data for compromises… Elastic Search ✔
I want to be able to stop the spread of malware with custom tools… Outbreak Control ✔
Understanding The Different Platforms
AMP for Content
• Detect and block malware attempting to enter through email or web gateways
• Receive extensive reporting, URL/Message tracking and remediation prioritization
• Add-on to an existing appliance or in the cloud
AMP for Networks
• Detect and block malware attempting to enter the network
• Detect breaches using multi-source indications of compromise
• Contain malware and its communications
AMP for Endpoints
• Detect breaches by analyzing indications of compromise
• Uncover an infection, trace its path, analyze its behavior
• Remediate the threat quickly and eliminate the risk of reinfection
Cisco AMP is the Leader in Security Effectiveness
Cisco AMP offers superior security effectiveness, excellent performance, and provides security across more attack vectors than any other vendor.
• 99.2% Security Effectiveness rating in BDS testing, the highest of all vendors tested.
• Only vendor to block 100% of evasion techniques during testing.
• Excellent performance with minimal impact on network, endpoint, or application latency.
Market Recognition
“So do any network security vendors understand data center and what’s needed to accommodate network security? Cisco certainly does.”
“Cisco is disrupting the advanced threat defense industry.”
“… AMP will be one of the most beneficial aspects of the [Sourcefire] acquisition.”
“Based on our (Breach Detection Systems) reports, Advanced Malware Protection from Cisco should be on everyone’s short list.”
2014 Vendor Rating for Security: Positive
“The AMP products will provide deeper capability to Cisco's role in providing secure services for the Internet of Everything (IoE).”
Cisco AMP for Network Options: Helping you choose the correct appliance for your environment
For more info Click the following Link
Cisco AMP for Networks Dedicated Appliances
The AMP appliance was purpose built to run the following software on one appliance: Nextgen Firewall, Sourcefire IPS and AMP (Advanced Malware Protection).
AMP Appliance + AMP Subscription Bundles
For more info click the following link:
http://www.cisco.com/c/en/us/products/collateral/security/amp-appliances/datasheet-c78-733182.html
Cisco FP / Firepower Dedicated Appliances
The FP Appliance was purpose built to run the following software on one appliance: Nextgen Firewall and Sourcefire IPS.
*** If you want to run AMP (Advanced Malware Protection) on a new purchase you should always position the AMP Appliance ***
AMP Appliance + AMP Subscription Bundles
For more info click the following link:
http://www.cisco.com/c/en/us/products/collateral/security/firepower-8000-series-appliances/datasheet-c78-732955.pdf
Cisco ASA Appliances
Cisco has added the capability to run Nextgen Firewall, Sourcefire IPS and AMP (Advanced Malware Protection) on the ASA. Make sure you have the bandwidth conversation with your customers about what they can expect with full functionality turned on.
ASA + AMP Subscription Bundles
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html