Cloud Cyber Security Service: Enabling Seamless Distributed Architectures

Markus Frey, Consulting System Engineer

8 May 2014, Swiss Networking Day 2014

© 2014 Cisco and/or its affiliates. All rights reserved.

Cisco Security Architecture

(Architecture diagram.) Locations: SMB / Branch, Campus, Data Center, Internet, Remote Devices Access. Components: ASA, ISR, IPS, Email, Web, ISE, AD, Wireless, Switch, Router, Content Policy, ISR-G2 Integrated Services, CSM, ASAv instances on a Hypervisor (Virtual Data Center), Physical Data Center, SIO, Cloud Security Gateway, ASAv in the Fabric (ACI).

Agenda

• Threat Landscape
• Cisco Security Intelligence in the Cloud
• Seamless Distributed Architectures
• Future ?

Agenda: Threat Landscape

Our Web Security Problems Aren't Getting Any Easier

Data Loss, Acceptable Use Violations, Malware Infections: customers are challenged with today's evolving threat landscape.

Today's Reality…

All are smart, all had security, all were seriously compromised.

The Security Problem

• Changing Business Models
• Dynamic Threat Landscape
• Complexity and Fragmentation

The Industrialization of Hacking

(Timeline, 1990 to 2020.)
• 1990–2000: Viruses
• 2000–2005: Worms
• 2005–Today: Spyware and Rootkits
• Today +: APTs, Cyberware

Progression: Phishing, Low Sophistication → Hacking Becomes an Industry → Sophisticated Attacks, Complex Landscape.

Agenda: Cisco Security Intelligence in the Cloud

To defend against advanced threats requires greater visibility and control

Attack Continuum:
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Across Network, Endpoint, Mobile, Virtual, Email & Web, and Cloud; point-in-time and continuous.

Cisco Security Intelligence in the Cloud

• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600+ engineers, technicians, and researchers
• 35% worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 40+ languages

Intelligence sources: 180,000+ file samples per day, FireAMP™ Community, Advanced Microsoft and Industry Disclosures, Snort and ClamAV Open Source Communities, Honeypots, Sourcefire AEGIS™ Program, Private and Public Threat Feeds, Dynamic Analysis.

Cisco® SIO and Sourcefire VRT® (Vulnerability Research Team): Cisco Collective Security Intelligence. Cisco Security Devices: Email, Endpoints, Web, Networks, IPS Devices, WWW.

Cisco Web Security with AMP (Advanced Malware Protection) defends across the full attack continuum

Attack Continuum: BEFORE (Discover, Enforce, Harden), DURING (Detect, Block, Defend), AFTER (Scope, Contain, Remediate).

Capabilities: Web Reputation, Usage Controls, Malware Signature, File Reputation, File Sandboxing, File Retrospection, Application Controls, Threat Analytics, Actionable Reporting.

Reputation Analysis: The power of real-time context

Context signals (Who, How, Where, When):
• Suspicious Domain Owner
• Server in High Risk Location
• Dynamic IP Address
• Domain Registered < 1 Min
• Domain Registered > 2 Year
• Domain Registered < 1 Month
• Web server < 1 Month

Example attributes shown: 192.1.0.68, example.com, Example.org, 17.0.2.12; Beijing, London, San Jose, Kiev; HTTP, SSL, HTTPS.

IP Reputation Score: scale from -10 to +10.

AMP strengthens the first line of detection

Reputation Filtering and File Sandboxing: One-to-One Signature, Fuzzy Finger-printing, Machine Learning, Advanced Analytics, Dynamic Analysis.

All detection is less than 100%.

But most importantly AMP provides continuous retrospective security

Breadth and Control points:
• File Fingerprint and Metadata
• File and Network I/O
• Process Information

Telemetry stream (continuous feed, continuous analysis) from Web, WWW, Endpoints, Network, Email, Devices, IPS.

That continues to analyze what happens along the attack continuum

Retrospection: detects malicious files that initially pass through perimeter defenses.

Supported Actions (Cisco Security Devices):
• Proactive Blocking
• URL Tracking
• Extensive Reporting
• Remediation Prioritization

Agenda: Seamless Distributed Architectures

Flexible Deployment Options On- and Off-premises

(Table residue.) Deployment options: On-premises and Cloud. Connection methods: Firewall / IPS, Router, Roaming, Virtual NGFW, Appliance; redirectors: WCCP, PAC File, Explicit. Advanced Malware Protection: integrated on box, licensed (on-premises); plug-in integrated, licensed (cloud).

Securing the Campus and Edge

(Diagram: Internet via ISP A and ISP B; components ISE, ESA, WSA/CWS, IPS, ASA, CES, CWS, AnyConnect.)

Layer 2 Security: Layer 2 protection provided by Catalyst Integrated Security Features, including port security, Dynamic ARP inspection, IP source guard, DHCP snooping, private VLANs, QoS, NetFlow, ERSPAN, SPAN, MACsec hop-by-hop encryption. Identity-aware user and device access with TrustSec.

Email and Web Security: Email scanning, threat protection, data loss prevention, and spam filtering.

Context-based Edge Security: User/app/device/policy. SIO and cloud-based policy/anti-malware protection. Hybrid-Hosted Email Security and encryption.

Firewall and IPS: NGFW protection with context, app inspection, and policy. NGIPS traffic inspection, including signature matching, event correlation, advanced malware protection, and reputation filtering.

Context-Aware Policy Management: Device profiling and policy enforcement via Cisco ISE.

Remote Access: Authenticated and encrypted granular user/group-based access control. AnyConnect VPN.

Network Foundation Protection: Device hardening, data, control and management plane protection. 802.1X-based access control with Cisco ISE and TrustSec.

Secure WAN and DMZ: Data confidentiality and integrity with IPSec VPN and PKI.

Agenda: Future ?

IoT and Mobile – Massively increasing Attack Surface

Thank You