Protection Against Advanced Persistent Threats

Transcription

1 Protection Against Advanced Persistent Threats Peter Mesjar Systems Engineer, CCIE October 2014

2 Agenda Modern Threats Advanced Malware Protection Solution Why Cisco? Cisco Public 2

3 The Problem are Threats Cisco Public 3

4 So, What is Malware like these days? Malware APTs as a VIRUSES MACRO VIRUSES WORMS HACKERS SPYWARE / ROOTKITS MALWARE Service Mobile Malware SDKS Cisco Public 4

5 APT / Advanced Malware Is now a tool for financial gain Uses formal Development Techniques Standard Sandbox aware Quality Assurance to evade detection 24/7 Tech support available Has become a math problem End Point AV Signatures ~20 Million Total KNOWN Malware Samples ~100 M AV Efficacy Rate ~50% Cisco Public 5

6 An Example Out of the 45 different pieces of malware planted on the Times systems over the course of three months, just one of those programs was spotted by the Symantec antivirus software the Times used... The other 44 were only found in post-breach investigation months later Cisco Public 6

7 Introducing Virtest: Virus Total s evil twin Russian Malware Service - For malware authors (bad guys) Paid for services (inc bitcoins) 1) Upload your malware 2) Choose AV engine(s) 3) Wait Cisco Public 7

8 The Reality: Organizations Are Under Attack 95% of large companies are targeted by malicious traffic, and 100% of organizations have interacted with websites that host malware Cisco Annual Security Report Neiman Marcus breach 350,000 credit cards stolen Target Breach, December million credit cards stolen 70 million personal records stolen and many more Cisco Public 8

9 Little Focus on Response Prevention Historic investment here Based on a forensic analysis going back months, it appears hackers broke into The Times computers on Sept. 13. NY Times, Jan 30, 2013 According to US Cert, the average time from breach to discover is 486 days and normally the person breached finds out from a 3 rd party US CERT Incident Response Need more focus and investment here. Cisco Public 9

10 If you knew you were going to be compromised, would you do security differently? Cisco Public 10

11 The New Security Model Attack Continuum BEFORE Control Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall/NGFW VPN NGIPS Advanced Malware Protection UTM Vulnerability mgmt Web Security Network Behavior Analysis NAC + Identity Services Security Retrospective Security Visibility and Context Cisco Public 11

12 Advanced Malware Protection, Solution AFTER Cisco Public 12

13 We Provide Continuous Analysis Point-in-time Detection Antivirus Sandboxing Analysis Stops Not 100% Sleep Techniques Unknown Protocols Encryption Polymorphism Blind to scope of compromise Initial Disposition = Clean Actual Disposition = Bad = Too Late!! Retrospective Detection, Analysis Continues Continuous Turns back time Visibility and Control are Key Initial Disposition = Clean Actual Disposition = Bad = Blocked Addresses limitations of point-in-time detection Cisco Public 13

14 Point in Time Detection Point-in-time security sees a lighter, bullet, cufflink, pen & cigarette case Wouldn t it be nice to know if you re dealing with something more deadly? vs Continuous Analysis Cisco Public 14

15 Our Approach for Advanced Malware Protection Network AMP Retrospective Security Continuous File Analytics Reputation Determination Firesight management AMP Malware license Sourcefire Sensor # No Need for Client # Client based AMP Small code (like a printer driver) Desktop and mobile devices Checking of file copying / execution /moving Traps fingerprint & attributes Queries cloud for file disposition Cisco Public 16

16 When You Have Been Breached Questions that Need Answers The Complexity of the Problem that AMP Solves Confirm Infection Where do I start? How did the threat get onto the system? What systems were impacted? What did the threat do? How do we recover? How do we keep it from happening again? Notification Quarantine Triage Analyze Malware Build Test Bed Malware Proliferation Remediate Static Analysis Search Network Traffic Search for Re-infection Device Analysis Search Device Logs Cannot Identify Infection Network Analysis Update Profile Scan Devices Confirm Stop No Infection Proliferation Analysis Malware Profile Define Rules (from profile) Infection Identified Cisco Public 17

17 AMP Console Cisco Public 18

18 19

19 One Step Remediation Cisco Public 20

20 Cisco Public 21

21 Cisco Public 22

22 File Trajectory Cisco Public 23

23 The Results Major US utility company Responsible for protecting a variety of assets, including nuclear power plants FireAMP detected a system compromised via a remote Java exploit 2 days before the Java exploit was announced Took incident response time from several hours to 15 minutes per compromised machine Able to rapidly determine if a user who claimed to be spearphished actually were spearphished Remediated what appeared to be an internal network DoS by discovering a misconfigured system Cisco Public 24

24 Private Cloud Local Decision (VM) Capability Private Cloud Public Cloud File/Device Trajectory Threat Root Cause IOC and alerting Simple and Custom detection Cloud Lookups/Retrospective Alerting File Analysis * (ThreatGrid integration) Cisco Public 25

25 Android : new target Cisco Annual Security Report Mobile devices as targets (99% Android) Most visible mobile malwares Cisco Cloud Web Security reports Cisco Public 27

26 Android Risks Many ways to monetize attacks Device often tied directly to billing system <iframe style Can be more susceptible than PC Easier to to locate personal data than PC Users often use default apps such as "Contacts" and "Gallery and often will store full personal data Personal information on devices often difficult to change Gmail address tied to Google Play Device identifier (phone number, mac address, IMEI, IMSI) Lots of free apps readily available from Google Play Easy to install and try Cisco Public 28

27

28

29 Why Cisco? Cisco Public 33

30 Sourcefire Advanced Malware Protection Complete solution suite to protect the extended network FireAMP for hosts, virtual and mobile devices Dedicated Advanced Malware Protection (AMP) appliance Advanced Malware Protection for FirePOWER (NGIPS, NGFW) Cisco and Web Security Appliances Cisco Public 34

31 NSS Labs Report Comparative Testing on Breach Detection Systems Who is NSS Labs? What was measured? What Cisco-Sourcefire products were tested? What competitor products were evaluated? NSS Labs, one of the best and most thorough independent testing bodies in the industry, performed comparative testing on Breach Detection Systems. Security Effectiveness of Breach Detection Systems HTTP/ Malware, Exploits, Evasions, and False Positive Rate Total Cost of Ownership per protected Mbps AMP Everywhere AMP for Networks and AMP for Endpoints (TCO calculations include this set of FireAMP connectors) FirePOWER 8120 (with AMP subscription)* FireEye, AhnLab, Fortinet, TrendMicro, Fidelis BDS Methodology v1.5 [The methodology] utilizes real threats and attack methods that exist in the wild and are actually being used by cyber-criminals and other threat actors. This is the real thing, not facsimile; systems under test (SUT) are real stacks connected to a live internet feed. --NSS Labs *Dedicated AMP Appliances (AMP8150/AP7150) were not shipping at the time of the test, otherwise one would have been used Cisco Public 35

32 Security Effectiveness The result (1/2) Cisco AMP is a Leader in Security Effectiveness and TCO and offers Best Protection Value NSS Labs Security Value Map (SVM) for Breach Detection Systems Cisco Advanced Malware Protection Best Protection Value 99.0% Breach Detection Rating Lowest TCO per Protected-Mbps TCO per Protected-Mbps Cisco Public 36

33 The result (2/2) Cisco AMP is a Leader in Security Effectiveness and TCO and offers Best Protection Value Cisco-Sourcefire AMP Results For Detection Capability Only Cisco Advanced Malware Protection Best Protection Value 99.0% Breach Detection Rating Lowest TCO per Protected-Mbps Cisco Public 37

34 Conclusion A Revolutionary Approach Attackers are determined and resourceful Malware still getting on devices, detection not 100% Point-in-time detection is not sufficient Integrated response required to be effective Cisco FireAMP solves business problems Where do I start? What is the scope and how bad is the situation? What was the point and method of entry? Can I control and remediate across the network and endpoints? Provides an Architecture - AMP everywhere Our database of common threats gives you upfront defense Our real-time behavioral tracking, background information on the prevalence of software, and malware sandboxing allows you to quickly separate out the innocuous software, understand what the attacker did, how far he or she moved, what kind of tools they are using Our threat defense tools allow you to rapidly remove previously unrecognized threats without waiting on big AV firms to respond Cisco Public 38

35 Thank you.