threat defense on enterprise mobility
The Internet of Everything is changing Everything
Intelligent Threat Defense for Enterprise Mobility
Nikos Mourtzinos, CCIE #9763
Global Security Sales Organization
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Any Device to Any Cloud: private cloud, public cloud, hybrid cloud
Changing Business Models
Internet of Things…and Everything
Every company becomes a technology company,
Every company becomes a security company
The Industrialization of Hacking
Timeline (1990–2020):
• Viruses: 1990–2000
• Worms: 2000–2005
• Spyware and Rootkits: 2005–Today
• APTs, Cyberwar: Today and beyond
Hacking becomes an industry: from low-sophistication phishing to sophisticated attacks in a complex landscape.
How Industrial Hackers Monetize the Opportunity
Welcome to the Hackers’ Economy (Source: RSA/CNBC)
• Social Security: $1
• Medical record: >$50
• DDoS as a Service: ~$7/hour
• Credit card data: $0.25–$60
• Bank account info: >$1000, depending on account type and balance
• Exploits: $1000–$300K
• Account: $1 for an account with 15 friends
• Spam: $50 per 500K emails
• Malware development: $2500 (commercial malware)
• Mobile malware: $150
Global cybercrime market: $450B
What do these companies have in common?
Cyber attacks are one of the unfortunate realities of doing business today.
All were smart, all had security. All were seriously compromised.
Today’s Reality…
“Five Things Boards Should do about Cybersecurity NOW”
Many organizations have cybersecurity tucked away in IT departments. It’s time to bring it up and dust it off.
1. Understand the problem
2. Know the scope of risk to the organization
3. Decide what your crown jewels are
4. Know the regulations
5. Know where to spend
The Security Problem
• Changing business models
• Dynamic threat landscape
• Complexity and fragmentation
Cisco Threat-Centric Security Model: Collective Security Intelligence across the Attack Continuum
• BEFORE (Discover, Enforce, Harden): NGFW, Secure Access + Policy Control, VPN
• DURING (Detect, Block, Defend): NGIPS, Web Security, Email Security
• AFTER (Scope, Contain, Remediate): Advanced Malware Protection, Network Behavior Analysis
Enhanced Security & Cost Savings
• Superior Network Visibility: rogue hosts, vulnerabilities, applications, OS, servers, mobiles
• Impact Assessment & Correlation
• Industry Leading Threat Detection: threat correlation reduces actionable events by up to 99%
• Automated Tuning: adjust IPS policies automatically based on network changes
• Continuous Analysis, Trajectory, Remediation
Cisco Sees More Than the Competition
Superior Network Visibility (rogue hosts, vulnerabilities, applications, OS, servers, mobiles) covers: network servers, operating systems, routers and switches, mobile devices, printers, VoIP phones, virtual machines, client applications, files, users, web applications, application protocols, services, malware, command-and-control servers, vulnerabilities, NetFlow, network behavior, processes.
Superior Network Visibility: Geolocation
Automated Tuning: adjust IPS policies automatically based on network changes
• Automated recommended rules, customized and based on the customer’s infrastructure
• Automated IPS policies based on network changes
• Simplifies operations and reduces costs
Impact Assessment & Correlation: determine the relevance and impact of the attack
With automated impact assessment, intrusion events requiring manual investigation are typically reduced by more than 90%.
Impact flag and administrator action:
• 1: Act Immediately; Vulnerable
• 2: Investigate; Potentially Vulnerable
• 3: Good to Know; Currently Not Vulnerable
• 4: Good to Know; Unknown Target
• 0: Good to Know; Unknown Network
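The impact-flag scheme above, as an added example that is not Cisco’s code: a Python triage routine correlates constructed intrusion events against a constructed host inventory and assigns the five flags. The decision criteria (target in a monitored network, host profile present, attacked vulnerability in the profile, attacked port listening) are my reading of the table, not taken from the slide, and the CVE ids are placeholders.

```python
import ipaddress
from collections import Counter

# Constructed inventory: one monitored network and three profiled hosts.
# The CVE ids are placeholders, not real vulnerability identifiers.
MONITORED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
HOSTS = {
    "10.1.1.10": {"open_ports": {445, 3389}, "vulns": {"CVE-0000-0001"}},
    "10.1.1.20": {"open_ports": {22, 80}, "vulns": set()},
    "10.1.1.30": {"open_ports": set(), "vulns": set()},
}
# Flag -> administrator action, as listed on the slide.
ACTIONS = {
    1: "Act Immediately; Vulnerable",
    2: "Investigate; Potentially Vulnerable",
    3: "Good to Know; Currently Not Vulnerable",
    4: "Good to Know; Unknown Target",
    0: "Good to Know; Unknown Network",
}
# Constructed intrusion events of the kind an IPS would emit.
EVENTS = [
    {"sig": "SMB RCE attempt", "cve": "CVE-0000-0001", "dst_ip": "10.1.1.10", "dst_port": 445},
    {"sig": "SSH brute force", "cve": None, "dst_ip": "10.1.1.20", "dst_port": 22},
    {"sig": "HTTP overflow", "cve": "CVE-0000-0002", "dst_ip": "10.1.1.20", "dst_port": 80},
    {"sig": "RDP scan", "cve": None, "dst_ip": "10.1.1.30", "dst_port": 3389},
    {"sig": "SMB probe", "cve": None, "dst_ip": "10.1.1.99", "dst_port": 445},
    {"sig": "SMB probe", "cve": None, "dst_ip": "192.168.5.5", "dst_port": 445},
]

def impact_flag(event, hosts=HOSTS, networks=MONITORED_NETWORKS):
    """Assumed criteria: network monitored? host profiled? vuln matches? service listening?"""
    dst = ipaddress.ip_address(event["dst_ip"])
    if not any(dst in net for net in networks):
        return 0            # target is outside every monitored network
    host = hosts.get(str(dst))
    if host is None:
        return 4            # in scope, but no profile exists for this host
    if event["cve"] and event["cve"] in host["vulns"]:
        return 1            # the host is known to carry the attacked vulnerability
    if event["dst_port"] in host["open_ports"]:
        return 2            # the attacked service exists; vulnerability unconfirmed
    return 3                # nothing listens on that port: currently not vulnerable

def triage(events, hosts=HOSTS, networks=MONITORED_NETWORKS):
    """Return per-flag counts and only the events an analyst must look at (flags 1 and 2)."""
    flagged = [(impact_flag(e, hosts, networks), e) for e in events]
    counts = Counter(flag for flag, _ in flagged)
    actionable = [dict(e, action=ACTIONS[flag]) for flag, e in flagged if flag in (1, 2)]
    return counts, actionable
```

With the constructed data, six raw events shrink to three that need an analyst, and only one of those is “Act Immediately”.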
Point-in-Time Detection vs. Retrospective Detection
Point-in-time detection (NGFW, NGIPS): initial disposition = unknown; analysis stops; actual disposition = bad = too late!! Blind to the scope of compromise; not 100%.
Techniques that defeat point-in-time analysis: sleep techniques, unknown protocols, encryption, polymorphism.
Retrospective detection: initial disposition = unknown; analysis continues (continuous); actual disposition = bad = blocked. Turns back time. Visibility and control are key: continuous analysis, trajectory, remediation.
Visibility and Control across web, endpoints, devices and networks: Cisco AnyConnect®, Cisco IPS, Cisco CWS, Cisco WSA, Cisco ASA, Cisco ESA.
Cisco Security Intelligence: outstanding cloud-based global threat intelligence
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 35% of worldwide email traffic
• 16 billion web requests
• 24x7x365 operations
• 40+ languages
• 600+ engineers, technicians, and researchers
• 80+ PhD, CCIE, CISSP and MCSE holders
• More than US$100 million spent on dynamic research and development
• 3- to 5-minute updates
• 5,500+ IPS signatures produced
• 8 million+ rules per day
• 200+ parameters tracked
• 70+ publications produced
Information updates feed Industry Leading Threat Detection: big analytics, sandbox, advanced malware; SIO, Sourcefire VRT, ThreatGrid, Cognitive Security.
Threats by the Numbers (Industry Leading Threat Detection)
• 7,399 CVE entries in 2013, a 10% increase from 2012
• 1,100,000 incoming malware samples per day, increasing daily; 400K AV blocks
• 4.2 billion web filtering blocks per day, with a peak of 6.4 billion daily blocks
• 1 billion reputation queries per day
The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures.
Industry Leading Threat Detection: Cisco, Best Protection Value, 99.2% Security Effectiveness
The NGFW Security Value Map shows the placement of Cisco ASA with FirePOWER Services as compared to other vendors. Cisco achieved 99.2 percent in security effectiveness, so all can be confident that they will receive the best protection possible.
Source: NSS Labs 2014
NSS Labs Next-Generation Firewall Reports: Cisco ASA with FirePOWER Services Excels
http://www.cisco.com/web/offers/NSSLabsReportNGFW.html?keycode=000551632
Perimeter Security (firewall, IPS, web security, email security): a customized threat bypasses the security gateways.
Security inside the perimeter: AMP.
The User to Device Ratio Has Changed
What is all this stuff on my network?!
COMMON POLICY, MANAGEMENT & CONTEXT
Who/what is currently connected to the network? How do I control who and what accesses the network and its resources? How do I quarantine a user?
Cisco Identity Services Engine: Who, What, Where, When, How
Virtual machine client, IP device, guest, employee, and remote user; wired, wireless, VPN. Business-relevant policies.
All-in-One Enterprise Policy Control:
• Identity context and policy management increase operational efficiency
• Onboarding and remediation increase productivity and improve user experience
• Device profiling and posture provide comprehensive secure access
• Mobile device management
• Network enforcement decreases operational costs
Cisco Identity Services Engine
• Who? Employee, guest
• What? Personal device, company asset
• How? Wired, wireless, VPN
• Where? Coffee shop, headquarters
• When? Weekends (8:00am – 5:00pm)
Authentication methods: 802.1X, MAC Authentication Bypass (MAB), Web Authentication
Non-User Device
Guest Management
ISE 1.3.1 Mobile Enablement with AnyConnect 4.0
Configuration:
• Email & calendar
• Network access (Wi-Fi / VPN)
• Exchange ActiveSync
• Restrictions (camera usage)
• App distribution / public stores
Compliance enforcement:
• Set the PIN lock
• Enable passcode / screen lock
• Enable disk encryption
• Restrict jailbroken devices
Security:
• Locate lost/stolen device
• Lock / unlock device
• Remote wipe device
• Remove / unenroll device from network
• Restore factory default
Putting It All Together
Event History: How, What, Who, Where, When
• BEFORE (Discover, Enforce, Harden): NGFW, Secure Access / Policy Control (Identity Services), VPN
• DURING (Detect, Block, Defend): NGIPS, Web Security, Email Security
• AFTER (Scope, Contain, Remediate): Advanced Malware Protection, Network Behavior Analysis
Patient Zero: how the malware spread; stop the malware from spreading; remediate.
Intelligent Cybersecurity with Integrated Threat Defense in action
1. Identity & Control: wired, wireless, VPN. Contextual and consistent policies across the entire campus network & data center (user/device/access method, network location), BYOD, device profiling.
2. Security Gateways: NGFW, NGIPS, web security gateways, email security gateways, AMP services for gateways.
3. AMP for Endpoints: integrated or standalone; PC, mobile & virtual; malware detection; automated IoC detection; trajectory; file analysis; outbreak control.
4. AMP for Networks, Sandbox: malware detection/blocking; file detection/blocking; CNC detection/blocking; file dynamic analysis; threat analytics.
Continuous File Analytics: sandbox, reputation determination. Visibility, context and control:
• Determine scope
• File trajectory: systems impacted, point of entry, file type, protocol, direction, etc.
• Correlated contextual events: users, apps, threats, etc.
• Retrospective detection
• IoC determination
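Retrospective detection and file trajectory, as described in the point-in-time vs. continuous analysis slide and in the Continuous File Analytics bullets above, as an added example that is not Cisco’s code: a Python tracker records every file transfer while the verdict is still “unknown”, then replays that history when a sandbox verdict arrives to recover patient zero, the point of entry and every host that received the file. Hashes, addresses and timestamps are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FileEvent:
    ts: int         # seconds since start of the scenario (constructed)
    sha256: str     # file hash; placeholders below, not real indicators
    src: str
    dst: str
    protocol: str

@dataclass
class RetrospectiveTracker:
    """Point-in-time check at transfer time, plus replay of history when a verdict changes."""
    dispositions: dict = field(default_factory=dict)
    history: list = field(default_factory=list)

    def observe(self, ev):
        """Record the transfer and return the verdict known right now ('unknown' if none)."""
        self.history.append(ev)
        return self.dispositions.get(ev.sha256, "unknown")

    def update_disposition(self, sha256, verdict):
        """A later verdict (e.g. from a sandbox) is applied to every past transfer of the file."""
        self.dispositions[sha256] = verdict
        return self.trajectory(sha256) if verdict == "malicious" else None

    def trajectory(self, sha256):
        """Patient zero, point of entry and every host that received the file, in time order."""
        hits = sorted((e for e in self.history if e.sha256 == sha256), key=lambda e: e.ts)
        return {
            "patient_zero": hits[0].dst if hits else None,
            "entry": (hits[0].src, hits[0].protocol) if hits else None,
            "infected": sorted({e.dst for e in hits}),
            "path": [(e.ts, e.src, e.dst, e.protocol) for e in hits],
        }

SAMPLE = "sha256:constructed-0001"   # placeholder, not a real hash
EVENTS = [
    FileEvent(0, SAMPLE, "203.0.113.7", "10.1.1.20", "http"),  # download from outside
    FileEvent(60, SAMPLE, "10.1.1.20", "10.1.1.10", "smb"),    # lateral copy
    FileEvent(120, SAMPLE, "10.1.1.10", "10.1.1.30", "smb"),   # lateral copy
    FileEvent(130, "sha256:constructed-0002", "10.1.1.20", "10.1.1.40", "smb"),  # unrelated
]

def run_scenario():
    """Every transfer passes as 'unknown'; the later verdict still yields the full spread."""
    tracker = RetrospectiveTracker()
    verdicts_at_transfer = [tracker.observe(e) for e in EVENTS]
    report = tracker.update_disposition(SAMPLE, "malicious")
    return verdicts_at_transfer, report
```

Once the verdict is stored, any further observation of the same hash returns “malicious” at transfer time, which is the blocked outcome the slide contrasts with “too late”.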
Ecosystem and Integration: Combined API Framework
• BEFORE: Policy and Control
• DURING: Detection and Blocking
• AFTER: Analysis and Remediation
Infrastructure & Mobility: NAC, vulnerability management, custom detection, full packet capture, incident response, SIEM, visualization, network access, taps.
Market Recognition
“So do any network security vendors understand data center and what’s needed to accommodate network security? Cisco certainly does.”
“Cisco is disrupting the advanced threat defense industry.”
“… AMP will be one of the most beneficial aspects of the [Sourcefire] acquisition.”
“Based on our (Breach Detection Systems) reports, Advanced Malware Protection from Cisco should be on everyone’s short list.”
“The AMP products will provide deeper capability to Cisco's role in providing secure services for the Internet of Everything (IoE).”
2014 Vendor Rating for Security: Positive
Your First Step to Threat-Focused Security: FirePOWER Services for ASA
Start today!
• Bring the world’s most secure firewall platform capabilities to the top cyber-security platform
• Let us show you what you are missing
• Put Cisco behind your existing NGFW to show you what threats you aren’t seeing