Threat-Centric Security Solutions

György Ács, Security Consulting Systems Engineer, Cisco

3rd November 2015

Page 1

Page 2

The Problem is Threats

Page 3

C97-734778-00 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public

http://www.networkworld.com/article/2989827/security/cisco-disrupts-60m-ransomware-biz.html

About Angler Exploit Kit

Page 4

Adversaries’ Agility is Their Strength

Constant upgrades increased Angler's penetration rate to 40%, twice as effective as other exploit kits in 2014.

Angler continually throws different 'hooks' in the water to increase the chances of compromise:
•  Flash vulnerabilities
•  Encrypted malicious payload
•  Macros
•  Social engineering
•  Retargeting
•  IP changing
•  Domain shadowing
•  Ransomware
•  More being developed daily
Result: compromised system

Security measures, measured against time to detection (TTD): web blocking, IP blocking, retrospective analysis, antivirus, endpoint solutions, email scanning

Page 5

Patching: A Window of Opportunity

Users not moving quickly to the latest Flash versions or updating the patches creates an opportunity for Angler and other exploits to target the vulnerability.

Chart (1 Feb to 1 Jun): Flash update releases (versions 15.0.0.246, 16.0.0.235, 16.0.0.257, 16.0.0.287, 16.0.0.296, 16.0.0.305, 17.0.0.134, 17.0.0.169, 17.0.0.188) plotted against user update activity, with the vulnerabilities Angler exploited in that period: CVE-2015-0310, CVE-2015-0313, CVE-2015-0336, CVE-2015-0359, CVE-2015-0390.

Page 6

Evolution of Threats and Response

Threats: Worms; Spyware / Rootkits; APTs / Cyberware; Increased Attack Surface (Mobility & Cloud)

Response: Host-based (Anti-Virus), 2000; Network Perimeter (IDS/IPS), 2005; Global Reputation & Sandboxing, 2010; Intelligence & Analytics, Today

Page 7

Visibility and Context, Security Services

A Threat-Centric and Operational Security Model

Attack Continuum
•  BEFORE: Discover, Enforce, Harden (Firewall, NG FW, VPN, UTM)
•  DURING: Detect, Block, Defend (NG IPS, Email, Web)
•  AFTER: Scope, Contain, Remediate (Advanced Malware Protection, Network Behavior Analysis, Sandboxing)

Across the whole continuum: Secure Access + Identity Management

Page 8

TALOS: Collective Security Intelligence
Cisco Talos (Talos Security Intelligence and Research Group)

Inputs:
•  Sourcefire AEGIS™ Program
•  Private and public threat feeds
•  Sandnets
•  FireAMP™ community
•  Honeypots
•  Advanced Microsoft and industry disclosures
•  SPARK Program
•  Snort and ClamAV open source communities
•  File samples (>1.1 million per day)

Processing: sandboxing, machine learning, big data infrastructure

Outputs: IPS rules, malware protection, reputation feeds, vulnerability database updates

Page 9

http://talosintel.com/vulnerability-reports/

Page 10

Building a Visibility Architecture

Why?
•  Automation
•  Contextualization
•  Anomaly Detection
•  Event-driven Security

Page 11

Central Management, Intelligence and Context

•  FireSIGHT Management Centre
   •  Central management
   •  Policy definition
   •  Event analysis
   •  Correlation
   •  Network map (users, devices, apps, etc.)
•  FirePOWER appliances and Firepower Services on ASA
   •  Real-time traffic analysis
   •  Access control
   •  Passive acquisition

The sensors generate events (IPS, intelligence, file, malware, access control, flow, discovery); the FireSIGHT Management Centre processes them.

Page 12

FireSIGHT Management Center: SecOps Workflows

•  NGFW/NGIPS management
•  Forensics / log management
•  Network AMP / trajectory
•  Vulnerability management
•  Incident control system
•  Adaptive security policy
•  Retrospective analysis
•  Correlated SIEM eventing
•  Network-wide / client visibility

Visibility categories: threats, users, web applications, application protocols, file transfers, malware, command & control servers, client applications, network servers, operating systems, routers & switches, mobile devices, printers, VoIP phones, virtual machines

Page 13

FireSIGHT Brings Visibility

Compared columns: Cisco FireSIGHT, Typical IPS, Typical NGFW

Categories and examples:
Threats: Attacks, Anomalies
Users: AD, LDAP, POP3
Web Applications: Facebook Chat, Ebay
Application Protocols: HTTP, SMTP, SSH
File Transfers: PDF, Office, EXE, JAR
Malware: Conficker, Flame
Command & Control Servers: C&C Security Intelligence
Client Applications: Firefox, IE, BitTorrent
Network Servers: Apache 2.3.1, IIS4
Operating Systems: Windows, Linux
Routers & Switches: Cisco, Nortel, Wireless
Mobile Devices: iPhone, Android, Jail
Printers: HP, Xerox, Canon
VoIP Phones: Cisco, Avaya, Polycom
Virtual Machines: VMware, Xen, RHEV

Page 14

FireSIGHT Fuels Automation

•  IT Insight: spot rogue hosts, anomalies, policy violations, and more
•  Impact Assessment: threat correlation reduces actionable events by up to 99%
•  Automated Tuning: adjust IPS policies automatically based on network change
•  User Identification: associate users with security and compliance events

Page 15

Impact Assessment

Correlates all intrusion events to the impact of the attack against the target.

Impact flag / Administrator action / Why
1: Act Immediately, Vulnerable / Event corresponds to a vulnerability mapped to the host
2: Investigate, Potentially Vulnerable / Relevant port open or protocol in use, but no vulnerability mapped
3: Good to Know, Currently Not Vulnerable / Relevant port not open or protocol not in use
4: Good to Know, Unknown Target / Monitored network, but unknown host
0: Good to Know, Unknown Network / Unmonitored network
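The correlation in the table above, written out as an added Python example (not FireSIGHT code). The HostProfile and IntrusionEvent shapes, the sample host database, the monitored range and the events are constructed for illustration; the CVE ids are reused from the Flash slide and stand in for whatever an IPS rule references. The flag values follow the table: 1 = act immediately, 2 = investigate, 3 = not vulnerable, 4 = unknown target, 0 = unknown network.

```python
"""Impact-flag correlation of IPS events against passively discovered host profiles.

Added example, not Cisco/FireSIGHT code. All hosts, networks and events below
are constructed test data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

IMPACT_VULNERABLE = 1              # act immediately
IMPACT_POTENTIALLY_VULNERABLE = 2  # investigate
IMPACT_NOT_VULNERABLE = 3          # good to know
IMPACT_UNKNOWN_TARGET = 4          # monitored network, host never profiled
IMPACT_UNKNOWN_NETWORK = 0         # target outside the monitored networks

# Triage order: flag 1 is most urgent, flag 0 (unknown network) least.
URGENCY = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


@dataclass
class HostProfile:
    """What passive discovery learned about one host (constructed data)."""
    ip: str
    open_ports: set   # {(proto, port), ...} observed in traffic
    vulns: set        # CVE ids mapped from the host's OS / application versions


@dataclass
class IntrusionEvent:
    """One IPS alert: where it was aimed and which CVEs the rule covers."""
    dst_ip: str
    proto: str
    dst_port: int
    rule: str
    cves: set = field(default_factory=set)


def impact_flag(event, hosts, monitored_networks):
    """Walk the impact table top to bottom and return the flag for one event."""
    target = ip_address(event.dst_ip)
    if not any(target in ip_network(net) for net in monitored_networks):
        return IMPACT_UNKNOWN_NETWORK            # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return IMPACT_UNKNOWN_TARGET             # monitored, but never profiled
    if event.cves & host.vulns:
        return IMPACT_VULNERABLE                 # rule's CVE is mapped to this host
    if (event.proto, event.dst_port) in host.open_ports:
        return IMPACT_POTENTIALLY_VULNERABLE     # service is listening, no vuln mapped
    return IMPACT_NOT_VULNERABLE                 # nothing listening on that port


def triage(events, hosts, monitored_networks):
    """Flag every event and return (flag, event) pairs, most urgent first."""
    flagged = [(impact_flag(e, hosts, monitored_networks), e) for e in events]
    flagged.sort(key=lambda pair: URGENCY[pair[0]])
    return flagged


# Constructed host database, monitored range and IPS events (illustrative only).
HOSTS = {
    "10.4.60.10": HostProfile("10.4.60.10", {("tcp", 80), ("tcp", 443)}, {"CVE-2015-0310"}),
    "10.4.60.11": HostProfile("10.4.60.11", {("tcp", 22)}, set()),
}
MONITORED = ["10.4.0.0/16"]
EVENTS = [
    IntrusionEvent("10.4.60.10", "tcp", 443, "Flash exploit attempt", {"CVE-2015-0310"}),
    IntrusionEvent("10.4.60.11", "tcp", 22, "SSH brute force"),
    IntrusionEvent("10.4.60.11", "tcp", 80, "Flash exploit attempt", {"CVE-2015-0313"}),
    IntrusionEvent("10.4.60.99", "tcp", 80, "HTTP directory traversal"),
    IntrusionEvent("192.0.2.7", "tcp", 80, "HTTP directory traversal"),
]

if __name__ == "__main__":
    for flag, ev in triage(EVENTS, HOSTS, MONITORED):
        print(flag, ev.dst_ip, ev.dst_port, ev.rule)
```

Only the first event ends up as impact 1, which is the mechanism behind the "reduces actionable events by up to 99%" claim: the same IPS alert is urgent or noise depending on what the host map says about the target.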

Page 16

Cisco FireSIGHT Context Collection Platform

•  IPS events: malware backdoors, exploit kits, web app attacks, CnC connections, admin privilege escalations
•  SI (Security Intelligence) events: connections to known CnC IPs
•  Malware events: malware detections, Office/PDF/Java compromises, malware executions, dropper infections

Page 17

FireSIGHT: Detecting Anomalies

Reduced Risk and Cost
•  Detects if a new application appears or the traffic profile changes
•  Identify hacked hosts
•  Useful in static environments: SCADA, DMZ, MEDTEC...

Example ALERT: Host has suddenly started to use SSH client and outgoing traffic volume has increased by 3
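A minimal version of the anomaly check this slide describes, added here as an example (not FireSIGHT code). The per-host baseline and the day's flow records are constructed, and the 3x volume threshold is an assumption chosen to match the alert text; the detector fires when a host starts using a client application it never used during the baseline period, or when its outbound volume reaches the threshold.

```python
"""Host-profile anomaly detection: new application or traffic-profile change.

Added example, not FireSIGHT code. BASELINE and TODAY_FLOWS are constructed
illustrative data; the baseline would normally be learned over a quiet period
from discovery and connection events.
"""
from collections import defaultdict

VOLUME_FACTOR = 3.0   # assumption: alert when outbound bytes reach 3x the baseline

# Per-host baseline: client applications seen and outbound bytes per day (constructed).
BASELINE = {
    "10.4.51.20": {"apps": {"HTTP", "DNS"}, "out_bytes": 200_000_000},
    "10.4.51.21": {"apps": {"Modbus"}, "out_bytes": 5_000_000},
}

# Constructed records for the current day: (host, client application, outbound bytes)
TODAY_FLOWS = [
    ("10.4.51.20", "HTTP", 150_000_000),
    ("10.4.51.20", "DNS", 2_000_000),
    ("10.4.51.20", "SSH", 550_000_000),   # never seen before, large upload
    ("10.4.51.21", "Modbus", 5_200_000),  # normal SCADA polling
]


def summarise(flows):
    """Collapse flow records into a per-host {apps, out_bytes} profile."""
    per_host = defaultdict(lambda: {"apps": set(), "out_bytes": 0})
    for host, app, out_bytes in flows:
        per_host[host]["apps"].add(app)
        per_host[host]["out_bytes"] += out_bytes
    return per_host


def detect_anomalies(baseline, flows, volume_factor=VOLUME_FACTOR):
    """Compare today's profile of every host with its baseline; return alerts."""
    alerts = []
    for host, seen in sorted(summarise(flows).items()):
        base = baseline.get(host)
        if base is None:
            # A host with no baseline at all is itself worth a look in a static network.
            alerts.append({"host": host, "type": "new_host",
                           "new_apps": sorted(seen["apps"]), "volume_ratio": None,
                           "message": f"Host {host} appeared without a baseline"})
            continue
        new_apps = seen["apps"] - base["apps"]
        if base["out_bytes"] > 0:
            ratio = round(seen["out_bytes"] / base["out_bytes"], 2)
        else:
            ratio = float("inf") if seen["out_bytes"] else 1.0
        reasons = []
        if new_apps:
            reasons.append("started to use " + ", ".join(sorted(new_apps)))
        if ratio >= volume_factor:
            reasons.append(f"outgoing traffic volume increased by {ratio}x")
        if reasons:
            alerts.append({"host": host, "type": "profile_change",
                           "new_apps": sorted(new_apps), "volume_ratio": ratio,
                           "message": f"Host {host} has suddenly " + " and ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(BASELINE, TODAY_FLOWS):
        print("ALERT:", alert["message"])
```

The check is deliberately coarse: in a SCADA or DMZ segment the set of applications per host barely changes, so "new application on a known host" is a strong signal there, while on a user LAN the same rule would need a longer baseline and a higher threshold.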

Page 18

FireSIGHT: Automated Responses

Reduced Risk and Cost
•  Use a pre-defined or custom script to initiate automatic actions
•  E.g. quarantine a device with the ISE API

Indications of Compromise (IPS event impact 1; malware; communication with BOTNET) trigger QUARANTINE through ISE, which changes the VLAN or SGT

Page 19

OpenAppID – First Open Source Application Identification and Control

•  OpenAppID language documentation
   o  Accelerate the identification and protection for new cloud-delivered applications
•  Special Snort engine with OpenAppID preprocessor
   o  Detect apps on the network
   o  Report usage stats
   o  Block apps by policy
   o  Snort rule language extensions to enable app specification
   o  Append 'App Name' to IPS events
•  Library of OpenAppID detectors
   o  Over 1000 new detectors to use with the Snort preprocessor
   o  Extendable sample detectors

Page 20

Demo Time !

Page 21

Next Generation Firewall Platforms

Page 22

FirePOWER Services available on all ASA platforms

SMB: ASA 5506-X, ASA 5506W-X (integrated wireless AP), ASA 5506H-X (ruggedized)
  250 Mbps AVC, 125 Mbps AVC+IPS, 20K/50K* connections, 5,000 CPS

SMB / Branch Locations: ASA 5508-X
  450 Mbps AVC, 250 Mbps AVC+IPS, 100K connections, 10,000 CPS

SMB / Branch Locations: ASA 5516-X
  850 Mbps AVC, 450 Mbps AVC+IPS, 250K connections, 20,000 CPS

*Requires Security Plus license

Page 23

FirePOWER Services available on all ASA platforms (continued)

Branch Locations: ASA 5512-X
  300 Mbps AVC, 150 Mbps AVC+IPS, 100K connections, 10,000 CPS

Branch Locations: ASA 5515-X
  500 Mbps AVC, 250 Mbps AVC+IPS, 250K connections, 15,000 CPS

Branch Locations / Small-Medium Internet Edge: ASA 5525-X
  1.1 Gbps AVC, 650 Mbps AVC+IPS, 500K connections, 20,000 CPS

Small-Medium Internet Edge: ASA 5545-X
  1.5 Gbps AVC, 1 Gbps AVC+IPS, 750K connections, 30,000 CPS

Small-Medium Internet Edge: ASA 5555-X
  1.75 Gbps AVC, 1.25 Gbps AVC+IPS, 1M connections, 50,000 CPS

Page 24

FirePOWER Services available on all ASA platforms (continued)

Campus / Data Center: ASA 5585-SSP10
  4.5 Gbps AVC, 2 Gbps AVC+IPS, 500K connections, 40,000 CPS

Campus / Data Center: ASA 5585-SSP20
  7 Gbps AVC, 3.5 Gbps AVC+IPS, 1M connections, 75,000 CPS

Enterprise Internet Edge: ASA 5585-SSP40
  10 Gbps AVC, 6 Gbps AVC+IPS, 1.8M connections, 120,000 CPS

Enterprise Internet Edge: ASA 5585-SSP60
  15 Gbps AVC, 10 Gbps AVC+IPS, 4M connections, 160,000 CPS

Page 25

FirePOWER 9300 – High-end Platform

Supervisor
•  Application deployment and orchestration
•  Network attachment (10/40/100GE) and traffic distribution
•  Clustering base layer for Cisco® ASA, NGFW, and NGIPS

Security Modules
•  Embedded packet and flow classifier and crypto hardware
•  Cisco (ASA, NGFW, and NGIPS) and third-party (DDoS, load-balancer) applications
•  Standalone or clustered within (up to 240 Gbps) and across (1 Tbps+) chassis

Page 26

Page 27

Against Modern Targeted Attacks: Advanced Malware Protection

Page 28

AMP: Advanced Malware Protection

Host-based AMP (AMP for hosts: desktop (Windows, Mac, Linux) and mobile devices (Android))
•  Small agent
•  Monitors file access (move/copy/execute)
•  Gathers features (fingerprint & attributes)
•  Retrieves the file's disposition (clean, malware, unknown)

Network-based AMP
•  Sourcefire sensor or ASA FirePOWER Services, managed by the FireSIGHT Management Center
•  No agent needed
•  AMP Malware license

Cloud (private cloud / SaaS manager): detection services & big data analytics

Page 29

Prevention Framework: Ethos Engine

•  ETHOS = fuzzy fingerprinting using static/passive heuristics
•  Polymorphic variants of a threat often have the same structural properties
•  Not concerned with binary contents
•  Higher multiplicity
•  Captures the original and its variants

Page 30

Protection technique: Spero Engine

SPERO = machine learning using active heuristics

Training: clean/dirty samples are turned into feature vectors; a machine learning algorithm (decision trees) produces a predictive model.
Featureprint of a file: system environment export, keyboard API hook, DLL loaded, ...
Operation: the predictive model (hypothesis) is applied to customer data and yields the expected label [disposition]: clean, unknown or malware. Labels are fed back for performance monitoring.

Page 31

Plan A: The Protection Framework

•  1-to-1 signatures
•  Ethos
•  Spero
•  IOCs
•  Dynamic analysis
•  Advanced analytics
•  Device flow correlation

All prevention solutions offer < 100% protection

Page 32

Plan B: Retrospective Security
•  When you can't detect 100%, visibility is critical

Point-in-time detection (antivirus, sandboxing): initial disposition = clean, and analysis stops. Sleep techniques, unknown protocols, encryption and polymorphism defeat the initial verdict; by the time the actual disposition = bad is known it is too late, and the defender is blind to the scope of compromise. Not 100%.

Retrospective detection (Cisco AMP): initial disposition = clean, but analysis continues. When the actual disposition becomes bad the file is blocked and the earlier verdict is corrected ("turns back time"). Visibility and control are key.
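The Plan A / Plan B contrast above, and the trajectory views on the next two slides, in code: an added example (not Cisco AMP code) that records every file sighting, returns the point-in-time verdict at the moment of the sighting, and, when a later verdict flips to malware, replays the stored trajectory to scope which hosts hold the file and which actually executed it. The SHA-256 value, the hosts and the timeline are constructed; a real deployment would receive the disposition change from the cloud rather than call update_disposition() by hand.

```python
"""Retrospective detection with file trajectory.

Added example, not Cisco AMP code. Hash, hosts and timestamps are constructed.
"""
from dataclasses import dataclass
from typing import Optional

CLEAN, UNKNOWN, MALWARE = "clean", "unknown", "malware"


@dataclass(frozen=True)
class FileEvent:
    ts: int                        # seconds since an arbitrary epoch (constructed)
    host: str
    sha256: str
    action: str                    # "download", "copy" or "execute"
    source: Optional[str] = None   # where a copy came from, if known


class RetrospectiveStore:
    """Keeps every file event so a later verdict can be replayed over history."""

    def __init__(self):
        self.events = []
        self.disposition = {}      # sha256 -> verdict currently believed

    def observe(self, event, verdict):
        """Point-in-time decision: block only if the file is already known bad."""
        self.events.append(event)
        self.disposition[event.sha256] = verdict
        return verdict == MALWARE  # True means it was blocked at the time

    def update_disposition(self, sha256, verdict):
        """A verdict changed. If it turned bad, return the retrospective alert."""
        previous = self.disposition.get(sha256, UNKNOWN)
        self.disposition[sha256] = verdict
        if verdict == MALWARE and previous != MALWARE:
            return self.scope(sha256)
        return None

    def trajectory(self, sha256):
        """Every sighting of the file, oldest first."""
        return sorted((e for e in self.events if e.sha256 == sha256), key=lambda e: e.ts)

    def scope(self, sha256):
        """Which hosts hold the file and which ran it: the scope of compromise."""
        path = self.trajectory(sha256)
        present = sorted({e.host for e in path})
        executed = sorted({e.host for e in path if e.action == "execute"})
        return {"sha256": sha256, "hosts_with_file": present,
                "hosts_executed": executed,
                "first_seen": path[0].ts if path else None}


SAMPLE_HASH = "5f3c" * 16   # constructed 64-hex placeholder, not a real sample


def run_scenario():
    """Constructed timeline: unknown file spreads, verdict flips an hour later."""
    store = RetrospectiveStore()
    blocked_at_download = store.observe(
        FileEvent(0, "10.4.51.20", SAMPLE_HASH, "download"), UNKNOWN)
    store.observe(FileEvent(60, "10.4.51.30", SAMPLE_HASH, "copy", source="10.4.51.20"), UNKNOWN)
    store.observe(FileEvent(120, "10.4.51.30", SAMPLE_HASH, "execute"), UNKNOWN)
    alert = store.update_disposition(SAMPLE_HASH, MALWARE)   # sandbox/analytics verdict arrives
    return blocked_at_download, alert


if __name__ == "__main__":
    blocked, alert = run_scenario()
    print("blocked at download:", blocked)
    print("retrospective alert:", alert)
```

The point-in-time engine and the retrospective engine see the same file; the difference is that the second one still has the sighting history when the verdict changes, so remediation can be aimed at the one host that executed the file rather than at every host that merely received it.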

Page 33

Trajectory - Application and Host Level

Page 34

Trajectory – Network Level

Page 35

There Are Several Ways You Can Deploy AMP

AMP on Email and Web; Cisco® ASA; CWS
•  Method: license with ESA, WSA, CWS, or ASA
•  Ideal for: new or existing Cisco CWS, Email/Web Security, ASA customers
•  Details: ESA/WSA give prime visibility into email/web; CWS adds web and advanced malware protection in a cloud-delivered service; AMP capabilities on ASA with FirePOWER Services

AMP for Networks (AMP on FirePOWER network appliance)
•  Method: snap into your network
•  Ideal for: IPS/NGFW customers
•  Details: wide visibility inside the network; broad selection of features before, during, and after an attack

AMP for Endpoints (Windows/Mac, mobile)
•  Method: install a lightweight connector on endpoints
•  Ideal for: Windows, Linux, Windows OS for POS, Mac, Android; can also deploy from the AnyConnect client
•  Details: comprehensive threat protection and response; granular visibility and control; widest selection of AMP features

AMP Private Cloud Virtual Appliance
•  Method: on-premises virtual appliance
•  Ideal for: high-privacy environments
•  Details: private cloud option for those with high-privacy requirements; can deploy in full air-gapped mode or cloud proxy mode; for endpoints and networks

Page 36

Network as a Sensor and Enforcer

Page 37

Network as a Sensor: Lancope StealthWatch

Real-time visibility at all network layers
•  Data intelligence throughout the network
•  Asset discovery
•  Network profile
•  Security policy monitoring
•  Anomaly detection
•  Accelerated incident response

Data flow: NetFlow from the network into StealthWatch; context information exchanged with Cisco ISE over pxGrid; mitigation actions carried out through ISE

Page 38

Integrated Threat Defense (Detection & Containment)

Network fabric segments: Employee, Supplier, Shared Server, Server, High Risk Segment, Quarantine, Internet

Lancope StealthWatch detects from flow telemetry:
  Event: TCP SYN Scan
  Source IP: 10.4.51.5
  Role: Supplier
  Response: Quarantine

ISE Change of Authorization moves the host into the Quarantine segment
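One block serves both the "Automated Responses" slide (indications of compromise quarantined through the ISE API) and this one (a SYN scan seen in flow data, enriched with the source's role, answered with a quarantine). It is an added example, not StealthWatch, FireSIGHT or ISE code: the flow records, the identity table and the IOC list are constructed, and ise_coa_request() only builds an illustrative, hypothetical payload (not the real ISE API) so the decision logic can run and be tested offline.

```python
"""Network as a sensor and enforcer: flows -> scan detection -> role context -> quarantine.

Added example, not Lancope/Cisco code. FLOWS, IDENTITY and IOCS are constructed;
ise_coa_request() returns an assumed payload shape, not a real ISE API call.
"""
from collections import defaultdict

SYN_ONLY = "S"         # TCP flag string for a SYN that never completed a handshake
MIN_PROBED_PORTS = 8   # assumption: distinct (dst, port) pairs before calling it a scan

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, tcp_flags, packets)
FLOWS = [("10.4.51.5", "10.4.60.10", port, SYN_ONLY, 1)
         for port in (21, 22, 23, 25, 80, 135, 139, 443, 445, 3389)]
FLOWS += [
    ("10.4.51.7", "10.4.60.10", 443, "SA", 38),    # ordinary HTTPS session
    ("10.4.51.7", "10.4.60.11", 443, "SA", 52),
    ("10.4.51.7", "10.4.60.12", 22, SYN_ONLY, 1),  # one failed SSH attempt, not a scan
]

# Constructed identity context of the kind ISE shares over pxGrid.
IDENTITY = {"10.4.51.5": "Supplier", "10.4.51.7": "Employee", "10.4.51.9": "Employee"}

# Constructed indications of compromise from other sensors (see the Automated Responses slide).
IOC_LABELS = {"ips_impact_1": "IPS event impact 1", "malware": "Malware",
              "botnet": "Communication with BOTNET"}
IOCS = [{"ip": "10.4.51.9", "type": "botnet"}]


def detect_syn_scans(flows, min_ports=MIN_PROBED_PORTS):
    """Sources that sent SYN-only, one- or two-packet flows to many (dst, port) pairs."""
    probes = defaultdict(set)
    for src, dst, dport, flags, packets in flows:
        if flags == SYN_ONLY and packets <= 2:
            probes[src].add((dst, dport))
    return {src: len(p) for src, p in probes.items() if len(p) >= min_ports}


def decide_responses(flows, iocs, identity):
    """Turn detections into response records shaped like the slide's event box."""
    responses = []
    for src, count in sorted(detect_syn_scans(flows).items()):
        responses.append({"event": "TCP SYN Scan", "source_ip": src,
                          "role": identity.get(src, "Unknown"),
                          "detail": f"{count} SYN-only probes", "response": "Quarantine"})
    for ioc in iocs:
        responses.append({"event": IOC_LABELS[ioc["type"]], "source_ip": ioc["ip"],
                          "role": identity.get(ioc["ip"], "Unknown"),
                          "detail": "indication of compromise", "response": "Quarantine"})
    return responses


def ise_coa_request(response, quarantine_sgt="Quarantine"):
    """Hypothetical change-of-authorization payload (shape assumed, not ISE's API)."""
    return {"action": "CoA-Reauth", "endpoint_ip": response["source_ip"],
            "assign_sgt": quarantine_sgt, "reason": response["event"]}


if __name__ == "__main__":
    for r in decide_responses(FLOWS, IOCS, IDENTITY):
        print(r, "->", ise_coa_request(r))
```

The single failed SSH attempt from the employee host stays below the probe threshold on purpose: an automated quarantine that fires on one stray SYN will take users off the network faster than any attacker would, so the detection side has to be at least as careful as the enforcement side is powerful.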

Page 39

Quarantine from StealthWatch

Page 40

Summary

Page 41

How Effective is AMP?

Cisco Mid-Year Security Report, 2015
•  Time to Detection (TTD): industry average 200 days vs. Cisco 46 hours

NSS Labs, Breach Detection Systems report 2014
•  "AMP was the leader in numerous categories. AMP not only scored a 99 percent overall breach detection rating, but was the leader in lowest cost-of-ownership"

NSS Labs, Breach Detection Systems report 2015
•  "99.2% Security Effectiveness rating – the highest of all vendors tested
•  Only vendor to block 100% of all evasion techniques during testing
•  Excellent performance with minimal impact on endpoint or application latency"

Page 42