Cybersecurity Before - During - After An Integrated Security Strategy

Transcription

1 Cybersecurity Before - During - After An Integrated Security Strategy Peter Romness Business Development Manager Public SectorCybersecurity Cisco Systems Inc. 1

2 Mobility Cloud Threat IOT Consumercentric market dynamics require an end to end security architecture 2

3 Threat Evolution Enterprise Enterprise Anti-virus IDS/IPS Reputation (global) Intelligence & Analytics Response Response (Host based) (Network Perimeter) & Sandboxing (Cloud) INCREASED ATTACK SURFACE(MOBILITY+Cloud +IoT) APTs CYBERWARE SPYWARE / ROOTKITS Threats Threats WORMS Today 3

4 Examples of CyberThreats in the News Stuxnet/ Flame Zeus (Zitmo) Threat Characteristics: Night Dragon Crypto Locker Bypass the perimeter (Initial Infection Vector) Shamoon Citadel Spread laterally on internal network where detection abilities were limited Kaptoxa SpyEye(Spitmo) (Propagation Mechanism) (Target) Evade traditional detection techniques Red October Shady Rat (Persistence Mechanism) DUNIHI Sykipot 4

5 Cyber Threats Initial Infection Vector Effectivenessof Phishing More than95%of all attacks tied to State-Affiliated espionage employed Phishing as a means of establishing a foothold in their intended victims systems. - Verizon Data Breach Report -ThreatSim 5

6 IT Megatrends are creating the Any to Any problem Infrastructure Infrastructure public Apps Apps // Services Services Any Device, Any Cloud hybrid tenants Workloads Workloads private Endpoint Endpoint Proliferation Proliferation Blending Blending of of Personal Personal Access Access Assets Assets through through Services Services Reside Reside & & Business Business Use Use MultipleMethods MultipleMethods In In Many Many Clouds Clouds 6

7 Threat Landscape Cyber Activities 104% increase in reported incidents by US Government Agencies from %increase in attacks againstus Critical Infrastructure % increase in incidents involving PII from More sophisticated every day Minute Zero Cyber Crime Money Embarrassment Espionage Assets Targeted 1 75% Point of Sale systems 20% E-Commerce Systems 5% Other (espionage etc ) Verizon Data Breach Report; US House Intelligence; NSA; Bloomberg; GAO; 2012 Norton Cybercrime Report 7

8 Cyber Threats, Detection, and Response Malicious Traffic & Vulnerabilities 100% - Corporate Networks found to have visible malicious traffic 95% - Corporate organizations that admit to having been breached 14% - year of year growth of reported vulnerabilities and threats Breach Discovery Methods 82%External Party Fraud Detection Org., LE, Customer 13% Internal Detection Users, Audits, Equipment 5% Unkown Response *416 Average number of days an Advanced Persistent Threat sits on your network before detection! 7 - Now down to approximately 300 days / 10 months Verizon Data BreachReport 2013; US House Intelligence; SANS; Bloomberg; Cisco Annual Security Report 2013; ESG Mandiant 8

9 Loss of Revenue Cost of Cyber Breach $1T/year private sector revenue loss from cyberespionage $100B/year Cost of Cybercrime inus % of Americans have been victims of anidentitybreach $194 per record US average $233 per record US Healthcare average Initial PII Breach Costs State / Local Government 1 $11 - $13 perrecord based on known breaches $5 - $6 fornotification and credit checks $6 - $7 forremediation Constituent / customer confidencelost= added costs USHouse Intelligence; McAfee/CSIS, Ponemon/Symantec Bloomberg; NCSA; SANS/NORSE 9

10 Cybersecurity Concerns Internal Government Damage Policies Regulations Malware State Regulations Revenue Customer NIST Policy Loss Reputation DOD 8570 Anonymous PII Theft Intellectual Hackers Property Theft Embarrassment Advanced Education Persistent NERC SAM 8500 CIP Threat Partners Protecting National Insider Threat DISA STIG Money Theft MS-ISAC Security Espionage 10

11 New Cybersecurity Model 11

12 Policy Regulations Standards Presentation Session Content Security Education Application Transport Network Data Link Attack Supply Chain Anti-Counterfeit Disti-Channels Advanced Services Partner Trusted Systems Distribution Delivery Physical Vendor Security User Network Systems Attack Continuum Network Governance Cybersecurity Scope 12

13 The New Security Model Attack Continuum Network BEFORE DURING AFTER Control Detect Scope Enforce Block Contain Harden Defend Remediate Endpoint Mobile Point in time Virtual Cloud Continuous 13

14 Mapping Integrated Solutions Attack Continuum BEFORE DURING AFTER Control Detect Scope Enforce Block Contain Harden Defend Remediate Secure Identity & Mobility Solution Malware Detection and Defense Solution Cyber Continuous Monitoring Solution Cloud - Virtual and Physical Consistency 14

15 Secure Identity & Mobility 15

16 Secure Identity and Mobility Identity and Context Centric Policy Platform WHERE WHEN WHAT Business-Relevant Policies Security Policy Attributes WHO HOW Centralized Identity Policy Engine (Identity Services Engine) DynamicPolicy Monitoring User and Devices & Reporting Security PolicyEnforcement in the Network Application Controls 16

17 Secure Identity/Mobility in Everyday Life Access to the right resources basedonwho, What, When,Where and How User DevicesAccess set by policy Confidential Resources Laptop at Home Office General Resources iphone at Starbucks Internet Personal ipad 17

18 Malware Defense Defense and and Detection Detection Solution Solution 18

19 Cisco smalware Detection &Defense Solution A multi-layered approach tonetwork protection with threat intelligence information provided by CiscoSIO Cisco/SourceFireSecurity Intelligence Operations SIO/VRT Web and AMP Security Appliances ASA Firewall with AMP + IPS/NGIPS Botnet Filters Untrusted Networks Trusted Enterprise Network Enterprise Resources Connectionsto untrusted networks must be checkedin depth by multiplelayersof defense beforereaching enterprise resources 19

20 CiscoThreatIntelligence Security Intelligence Operation / Vulnerability Research Team SIO VRT Telemetryfrom1.6Mdevices worldwide 30B+ queries daily, 30% ofall Web traffic 500+securityspecialists / 24/7/365 / 40 languages URL reputation scores for Web, >7,500IPS signatures and >8 million rulesdaily 2.1M Telemetry Points Open Source Input 6,000 Threat Reports / day NSS Labs 100% Detection rate SIO/VRTEnables Importance of Reputation & WebTrafficAnalysis, feeds Reputation Information to IPS etc Viewintoboth & Web traffic dramatically improvesdetection 80% of spam contains URLs is a key distribution vector for Web-basedmalware SenderBase Malware is a keydistribution vectorforspamzombie infections WEB Security Appliances Security Appliances 20

21 Cyber Threat Defense Secure Secure Internal Internal Monitoring Monitoring 21

22 Internal Monitoring: The Need Customized Threat Bypasses Security Gateways Customized Threat Enters from Inside Firewall Threat Spreads Inside Perimeter IPS N-AV Threat Spreads to Devices Web Sec Sec Perimeter security stops many threats but Sophisticated Cyber Threats Evade Existing Security Constructs Fingerprints of Threat are Found Only in Network Fabric 22

23 Cyber Threat Defense Monitor, collect and analyze network trafficto detect anomalies Cybersecurity Anomaly Detection (Stealthwatch) NetFlow: Switches,Routers, and Firewalls Security Enabled Network Identity Services Context:NBAR/AVC Engine Cyber Threat Detection -enhances efficiencyand effectiveness of analysis andprovideskey insight into internal activity across the network 23

24 Beyond the Event Horizon Analysis Stops Addresses limitations of point-in-time detection Point-in-time Detection Not 100% Antivirus Sleep Sleep Techniques Techniques Blind to scope of compromise Unknown Unknown Protocols Protocols Encryption Encryption Polymorphism Polymorphism Sandboxing Actual Disposition = Bad = Too Late!! Initial Disposition = Clean Retrospective Detection, Analysis Continues Turns back time Continuous Visibility and Control are Key Initial Disposition = Clean Actual Disposition = Bad = Blocked 24

25 Secure Virtualization in in the the DataCenter DataCenter 25

26 SecuringVirtualized Computing Resources Nexus1000v/CSR1000v Ensures policy-based network and security services to allvm s Network visibility at the hypervisorlevel VMRouting andnetflowsource Virtual Security Gateway Provides trusted access to secure virtual data center. Trust zones access is controlled and monitored through established security policies Network Visibility ASA v Built onasafirewall code base proven firewall Tenant-edge tovmspecific policies Automated policy based provisioning SAN NetflowGeneration Appliance ProvidesNetFlowfrom non-netflowdevices High capacity for large flow areas LAN Cisco extends the secure network fabric into the Hypervisor 26

27 Comprehensive Security Portfolio Firewall & NGFW IPS & NGIPS AdvancedMalware Protection Cisco Sourcefire Web Security Cisco ASA 5500-X Series Cisco IPS 4300Series LancopeStealthwatch Cisco Web Security Appliance (WSA) Cisco ASA 5500-X Series integrated IPS Cisco ASA 5500-X w/ NGFW license FireAMP Cisco Virtual Web Security Appliance (vwsa) FirePOWERNGIPS Cisco ASA 5585-X w/ NGFW blade FireAMPMobile Cisco Cloud Web Security FirePOWER NGIPS w/ Application Control FirePOWER NGFW FireAMP Virtual FirePOWER Virtual NGIPS AMP for FirePOWERlicense Dedicated AMP FirePOWER appliance Security VPN NAC + Identity Services Cisco Security Appliance (ESA) Cisco Virtual Security Appliance (vesa) Cisco Identity Services Engine (ISE) Cisco Cloud Security Cisco Access Control Server (ACS) CiscoAnyConnectVPN UTM Meraki MX Advanced Malware ProtectionIntegratedwith Cisco ContentSecurity AMP Now Available on and Web Security Devices and Cisco Cloud Web Security Add on Licensing 27

28 Cisco Managed Threat Defense Service NEW Cisco Managed Threat Defense is a fully managed, security analyst delivered service that defends against zero-day attacks, and advanced persistent threats with monitoring, inspection and correlation from our security operations center, 24 hours a day, 7 days a week. BusinessValue Out of Band deployment ensures minimal impact / disruption to infrastructure availability Reduce security costs by migrating processes to a third party Improve security posture through accurate detection of advanced threats SecurityValue Provides high-fidelity detection to reduce unnecessary investigation Lets you make true network behavior anomaly detection an operational reality Uses full-packet capture to reduce and eliminate false positives Uses global threat intelligence to defend against known threats and anomalies Service Service availability availability inus, inus, CanadaandAPJC CanadaandAPJC fromcisco fromcisco and and our our Partners Partners 28

29 Other SecurityServices fromcisco and our Partners Plan / Design / Implement Technology Solutions Security policy Security plan, build SOC plan, build Security architecture roadmap Audits / Assessments TrustSec ISE 802.1x ASAinc.migration and web security VPN NAC Optimization Online security readiness assessment SDA and SDA for ICS Security posture assessment Network device security assessment Security optimization Firewall conversion Identity management DDoSmitigation readiness assessment Operate Customer Enablement Remote management services Change management and configuration SecurityIntelliShieldalert manager IR&R planning and implementation Online security consulting Online security education Online security training range SOC build, operate, transfer 29

30 CyberThreat Defense Future Application Centric Infrastructure AI-based Threat Detection www Increase Telemetry for Reputation Identity Analysis FW NextGenFirewall IPS NexGenIPS AMP Self-Learning and Evasion Resistance Global ThreatIntelligence Improve ThreatDetection: ArtificialIntelligence Based Anomaly Software Defined Networks: Application Centric / Security = Killer App 30

31 Human Firewall IT Management & Workforce Education Promote Formal Education and Training SANS Institute / MS-ISAC / University System Certifications Certified Cybersecurity Analyst CCNA CCNP-CCIE Security Tracks CISSP User Training Cyber Threats Compromise Instructions Monthly Updates Cyber Testing Security Assessment Network Penetration Testing Etc Cyber Exercises 31

32 Cybersecurity What to do next Leverage Cisco Core Network Maximize investment in Cisco Core Netflow,TrustSec, NBAR, AVC Strategically add Cisco Security products and services SIO/VRT Real time intelligence ISE, ASA, WSA,ESA, NGIPS, AMP Partner with industry leaders Lancope, Arbor,Splunk, Services 32

33 33

34 Cyber Policy ISO/IEC 27001:2005(replaced ) coversall types of organizations Specifiesthe requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall businessrisks 34

35 Cyber Policy NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. Conductworld-classresearch. Closecollaboration with industry, that advances the nation's technologyinfrastructure 35

36 Cyber Policy All50 statesrepresented Principalmembers are generally Chief Cyber Security Officers (or equivalents) from their state. StateHomeland SecurityOffices Lawenforcement and others in the physical security field. 36