swiss networking day 2014 cloud cyber security service...
TRANSCRIPT
© 2014 Cisco and/or its affiliates. All rights reserved.
Cloud Cyber Security Service: Enabling Seamless Distributed Architectures
Markus Frey
Consulting System Engineer
8 May 2014
Swiss Networking Day 2014
Cisco Security Architecture (diagram): SMB / Branch, Campus, Data Center and Internet, with ASA, ISR, IPS, Web, ISE, AD, Wireless, Switch and Router; Content Policy on ISR-G2 Integrated Services; CSM; ASA and ASAv on a Hypervisor in the Virtual Data Center, ASA in the Physical Data Center; SIO; Remote Devices Access via Cloud Security Gateway; ASAv in the Fabric (ACI).
Agenda
Threat Landscape
Cisco Security Intelligence in the Cloud
Seamless Distributed Architectures
Future?
Threat Landscape
Our Web Security Problems Aren’t Getting Any Easier
Data Loss, Acceptable Use Violations, Malware Infections
Customers are challenged with today’s evolving threat landscape
Today’s Reality…
All are smart, all had security, all were seriously compromised.
The Security Problem: Changing Business Models; Dynamic Threat Landscape; Complexity and Fragmentation
The Industrialization of Hacking (timeline 1990–2020)
Viruses: 1990–2000
Worms: 2000–2005
Spyware and Rootkits: 2005–Today
APTs, Cyberware: Today +
Phishing, low sophistication → Hacking becomes an industry → Sophisticated attacks, complex landscape
Cisco Security Intelligence in the Cloud
To defend against advanced threats requires greater visibility and control
Attack Continuum: BEFORE (Discover, Enforce, Harden); DURING (Detect, Block, Defend); AFTER (Scope, Contain, Remediate)
Across Network, Endpoint, Mobile, Virtual, Email & Web, Cloud; point-in-time and continuous
Cisco Security Intelligence in the Cloud
1.6 million global sensors
100 TB of data received per day
150 million+ deployed endpoints
600+ engineers, technicians, and researchers
35% worldwide email traffic
13 billion web requests
24x7x365 operations
40+ languages
Intelligence sources: 180,000+ file samples per day, FireAMP™ Community, advanced Microsoft and industry disclosures, Snort and ClamAV open source communities, honeypots, Sourcefire AEGIS™ Program, private and public threat feeds, dynamic analysis
Cisco® SIO, Sourcefire VRT® (Vulnerability Research Team), Cisco Collective Security Intelligence
Cisco Security Devices: Email, Endpoints, Web, Networks, IPS Devices (WWW)
Cisco Web Security with AMP (Advanced Malware Protection) defends across the full attack continuum
Attack Continuum: BEFORE (Discover, Enforce, Harden); DURING (Detect, Block, Defend); AFTER (Scope, Contain, Remediate)
Capabilities: Web Reputation, Usage Controls, Malware Signature, File Reputation, File Sandboxing, File Retrospection, Application Controls, Threat Analytics, Actionable Reporting
Reputation Analysis: The power of real-time context
Context signals (who, how, where, when): suspicious domain owner; server in high-risk location; dynamic IP address; domain registered < 1 min, < 1 month or > 2 years; web server < 1 month; HTTP, SSL, HTTPS
Diagram examples: 192.1.0.68, example.com, Example.org, 17.0.2.12; Beijing, London, San Jose, Kiev
IP Reputation Score: scale from -10 to 10
AMP strengthens the first line of detection
Reputation Filtering and File Sandboxing: Dynamic Analysis, Machine Learning, Fuzzy Finger-printing, Advanced Analytics, One-to-One Signature
All detection is less than 100%
But most importantly AMP provides continuous retrospective security
Breadth and control points: File Fingerprint and Metadata; File and Network I/O; Process Information
Telemetry stream: continuous feed from Web (WWW), Endpoints, Network, Email, Devices, IPS; continuous analysis
That continues to analyze what happens along the attack continuum
Retrospection: detects malicious files that initially pass through perimeter defenses
Supported actions: Proactive Blocking; URL Tracking; Extensive Reporting; Remediation Prioritization
Cisco Security Devices
Seamless Distributed Architectures
Flexible Deployment Options On- and Off-premises
Deployment options: On-premises; Cloud
Connection methods: Firewall / IPS, Router, Roaming, Virtual NGFW, Appliance, Redirectors
Redirectors (on-premises and cloud): WCCP, PAC File, Explicit
Advanced Malware Protection: Integrated on box – Licensed; Plug-in; Integrated – License
Securing the Campus and Edge
(Diagram: Internet, ISP A, ISP B)
Layer 2 Security: Layer 2 protection provided by Catalyst Integrated Security Features, including port security, Dynamic ARP inspection, IP source guard, DHCP snooping, private VLANs, QoS, NetFlow, ERSPAN, SPAN, MACsec hop-by-hop encryption. Identity-aware user and device access with TrustSec.
Email and Web Security: Email scanning, threat protection, data loss prevention, and spam filtering.
Context-based Edge Security: User/app/device/policy. SIO and cloud-based policy/anti-malware protection. Hybrid-Hosted Email Security and encryption.
Firewall and IPS: NGFW protection with context, app inspection, and policy. NGIPS traffic inspection, including signature matching, event correlation, advanced malware protection, and reputation filtering.
Context-Aware Policy Management: Device profiling and policy enforcement via Cisco ISE.
Remote Access: Authenticated and encrypted granular user/group-based access control. AnyConnect VPN.
Network Foundation Protection: Device hardening, data, control and management plane protection. 802.1X-based access control with Cisco ISE and TrustSec.
Secure WAN and DMZ: Data confidentiality and integrity with IPSec VPN and PKI.
Devices shown: ISE, ESA, WSA/CWS, IPS, ASA, CES, CWS, AnyConnect.
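As an added illustration (not from the slides and not Cisco's own material), the following Cisco IOS-style configuration combines several of the Catalyst Layer 2 features the slide names: DHCP snooping, Dynamic ARP Inspection, IP Source Guard and port security on an access VLAN, with the uplink marked trusted. VLAN 10 and the interface names are assumptions.

```cisco
! Added example, not from the slides. VLAN 10 and interface names are assumed.
!
! DHCP snooping builds the IP/MAC/port binding table that DAI and
! IP Source Guard consult; untrusted ports may not send DHCP server replies.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! Dynamic ARP Inspection drops ARP packets whose sender IP/MAC pair
! is not in the snooping binding table (mitigates ARP spoofing on VLAN 10).
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! User-facing access port: cap learned MACs, verify source IP+MAC against
! the binding table, and rate-limit DHCP to blunt starvation attempts.
interface GigabitEthernet1/0/1
 description user access port (assumed)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip verify source port-security
 ip dhcp snooping limit rate 15
!
! Uplink toward the distribution layer and the DHCP server: trusted for
! snooping and DAI so legitimate server replies and ARP are not dropped.
interface GigabitEthernet1/0/24
 description uplink to distribution (assumed)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
```

Check the result with `show ip dhcp snooping binding`, `show ip arp inspection vlan 10` and `show port-security interface GigabitEthernet1/0/1`; hosts with static addresses need a static binding (or the port excluded) or DAI and IP Source Guard will drop their traffic.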
Future?
IoT and Mobile – Massively increasing Attack Surface