Cybersecurity Module 2: Trends in Malware - Joshua McCloud Malware issues (00:24)

Transcription

1 Cybersecurity Module 2: Trends in Malware - Joshua McCloud Malware issues (00:24) Historical malware examples (00:24) So I think a lot of you are here, undoubtedly, because you've been hearing about everything that's been going on with malware. We, every week practically, hear something in the news about somebody who was attacked, somebody who's lost money, somebody whose reputation has been compromised, and some very sophisticated piece of malware is behind it. I'd like to review some of the most recent high-level events that we've seen in these terms. So if we go back a couple of years, not even that far back, you probably remember one of the most significant attacks involving malware in probably recent history. This is incredibly sophisticated. This happened in Iran to their Natanz Nuclear Processing Facility where they take, you know, low-grade uranium fuel, enrich it into high-grade, and they were attacked by a virus, which came to be known as Stuxnet. This was something that was developed by the U.S. government and Israel, as it was later attributed, but they've never formally admitted to it, but all the evidence seems to point in that direction. And this was extremely sophisticated, because this malware was customized for that specific environment in the nuclear processing facility in Iran, and how they got it into that environment certainly required more than just computer hacking. It required a lot of human intelligence, perhaps compromising people, espionage agents, and malware was just one part of it that was ultimately used to destroy some of the centrifuges there. If we fast-forward a little bit, look at more of a corporate example, the offices of RSA, a security company, were compromised not too long ago. A lot of you may know RSA. They're a company that develops various security products, one of them being these one-time secure password tokens. So if you use it-- if you have a bank where you have to enter a one-time PIN before you log in, that all comes from RSA, and one of the things that happened to RSA is, one of their employees received an with an Excel document attached to it, and that Excel document had a piece of malware attached to it. The malware infected the computer, spread into the network, and eventually compromised the proprietary algorithm that RSA uses for these one-time PIN generations. Now, the consequences of this attack are pretty far-reaching, and we don't know everything that may have come out of it. One thing that is thought is that the compromise of these PINs allowed people to get into Lockheed Martin's infrastructure and steal blueprints for some military projects. So the consequences here can be incredibly serious Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 1 of 15

2 Even more recently, the Saudi Arabian oil industry was compromised. You may have heard of this attack known as Shamoon, and this is a virus that infected around 30,000 workstations inside Aramco and did a range of things, from stealing information, providing remote backdoor access to the computers. It was a pretty comprehensive penetration, and we're not exactly sure, though there is speculation, what the ultimate goal of this attack was. Was it simply to disrupt their operations, or is there something larger at stake? And that feeds into one of the most recent high-profile attacks that we've seen within the past couple of weeks. A company known as Telvent, based in Canada, was attacked by an unknown virus, an unknown piece of malware. They believe that some Chinese hackers were behind it, a group known as the Comment Group, but all of this is fairly vague. What they do know is that the malware was able to steal some blueprints to software that they use for controlling systems, industrial control systems known as SCADA, and what the ultimate aim of this attack is is unknown. It could be that the information will be used in a subsequent attack. And all of this is a growing problem, not just in its severity but in our ability to deal with it. Scope of malware issue (03:57) If we look at some of the statistics, we're only capturing about 50%-- 53% of the malware out there, so of all the downloads that we're doing, only about 53% of it is being caught by our antivirus, our firewall, our intrusion protection systems. 47%, roughly, is going unnoticed. On average, every day, we're seeing two new pieces of malware appear. That means something that has never been seen before. Now, there are a number of statistics on this that you sometimes see out there. You will hear very often the antivirus industry saying, "We're seeing thousands and thousands, like, 12,000 new pieces of malware a day." That's--that's a slightly misleading statistic, because, in fact, what they're mostly seeing is modifications to existing malware, maybe something that is changed slightly in the code or some functionality that's been augmented, but if we look at actual brand-new pieces of malware, we're getting about two per day, but that's still a lot. That's over 700 per year. And these are doing things that haven't been done before, and it's dangerous, because when we look at the breaches, security breaches out there, so, like, 49% of those security breaches involve some form of malware, so they're-- they're crucial to the attacks. And it's just growing exponentially. A statistic I recently saw: over the past year, the number of domains issuing malware has grown by over 200%. So we're not catching it. It's a significant threat. We're not catching as much as we need to be, and it's a problem that's very much growing. So we haven't really properly defined malware yet. There are a lot of definitions out there Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 2 of 15

3 What is malware? (05:39) Definition (05:39) I pulled this one up from Wikipedia, and I think it does a pretty good job of capturing what this is about. Malware is short for malicious software. It's an agglutination of those two words there, and critically, what it's used to do is disrupt computer operations, gather sensitive information, or gain access to some private infrastructure. Now, when we think about malware, there are a number of key characteristics that can define its behavior. Key characteristics (06:04) It's software that is designed to infect a system. That means to find some vulnerabilities inside that system, get inside, and establish a foothold that allows it to do something, usually nefarious. Malware's designed to conceal itself. The longer it can stay on the system and hide itself from detection, the more effectively it can do its job. It obviously proliferates, and in more modern circumstances, we're seeing it proliferate in a lot more effective ways. That means it gets inside a machine, it infects it, it hides itself, and then it copies itself to another machine, spreading and looking for information and other things that it can compromise. And compromising is ultimately what the malware is all about. It's trying to get in there and understand what secrets you might have, what information it can exfiltrate, and get that out. And who knows, again, what the end goal is for this malware? Some people use it to steal passwords. Some people use it to steal blueprints. Other people use it as a way of stealing money. There are many angles, and those angles are growing because of the nature of malware. As I say, you know, malware is designed to do a number of different things, but there are actually various subcategories of malware. Subcategories (07:20) Malware is a general, broad term, but if we look more specifically, there are terms within that describe particular behavior of malware. Here you have a list of general types of malware. So viruses, viruses are malware that attach themselves to other things. So it may attach itself to a spreadsheet or to an application and uses that as a vehicle to infect a system. A worm is a type of malware that is capable of doing the infection and the spreading all on its own, so it is a self-sustaining program that's written to get into a system and propagate itself. Trojan horse is a type of malware that usually masquerades as something else. So somebody may try to convince you that your system has a virus on it, and in order to inoculate yourself, you need to download a software package, when it turns out that, in fact, that software that you downloaded to get rid of the virus actually contains malware. And this is something we see a lot about out there, 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 3 of 15

4 people using what we describe as social engineering techniques, compromising people's naiveté or uncertainty about the information they receive in an and getting them to click a link that takes them to a bad location, and they ultimately download something malicious. Rootkit is a type of malware that very specifically focuses on opening up access to a machine so that somebody remotely can control it or take information off there, and spyware is a little bit of a variant of that where it's a type of malware designed to spy on the system, to monitor it, to see what type of activities are going on. And adware is not necessarily the most nefarious thing out there. It's usually a piece of malware that gets onto a system and displays advertisements, whether you want them or not. All of these are types of malware. They perform specific functions, but oftentimes, they're used in conjunction with each other. In fact, one piece of malware can incorporate a number of these different functions. One of the challenges in malware is understanding, as I've talked before, what is the purpose? Players/purpose/goal (09:25) What is the goal behind this malware? And that very much depends on who's using it. In the past, I think we would largely think of malware in terms of some hacker or super intelligent person who's written this software to go out there and crack into super secret sites. Certainly that still goes on out there, but malware, in many ways, is increasingly a means to an end. When we talk about the Stuxnet example that was very sophisticated, advanced malware pre-created by a wellfunded government, the United States and the Israeli government. What was their purpose? Was their purpose just to hack in to the Iran facilities and see what was going on? Or did they have a more strategic aim, to prevent, perhaps, Iran from getting nuclear weapons? So malware, in that case, was a means to an end, and governments see this as a form of warfare. In fact, they describe it as the fifth dimension of warfare. You have land, sea, air, space, and now cyberspace, the cyber dimension. Organized crime is getting very big behind malware. When it comes to organized crime, you know, generally, they don't care how they make money. They just care that they do make money. So organized crime will get into drugs, human trafficking, prostitution, arms distribution, all of these things. Well, if there's money to be made someplace, they will go into that as well, and increasingly, organized crime is involved in malware activities. And they've got a range of very sophisticated businesses around this. One, for example, is that if you have a piece of malware that you've written, but you, perhaps, don't have the wherewithal to get it distributed-- you want somebody else who has a network or who has ideas on how to distribute it to do it for you-- you can approach certain companies which will take your malware, and for a fee, for every, you know, X number of workstations it gets installed on, 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 4 of 15

5 you pay them. And you can pay them more if they get it installed on workstations, let's say, in high-security areas or in countries like the U.S. versus China versus Russia, et cetera. Terrorists are also leveraging malware. It may not just be for direct attacks. They oftentimes will use malware to gain funds in order to conduct their operations, and not too long ago, this was revealed with an Indonesian terrorist organization known as, I believe, Islamic-- Jemaah Islamiyah, where it was revealed that they were using malware and hacking techniques to get money by compromising AT&T's network, which was then funneled into terrorist activities. And we certainly see a lot of activists who develop and use malware. In fact, many activists are really doing it to draw attention to a cause. And then, of course, there's a catchall category we might call opportunists, people who are unscrupulous, who just want to find a way to make a quick buck, who want to test out their skills. But these-- this broader landscape of actors has complicated the creation of malware and what it's ultimately being used for. What are the end goals? And the work that each of these different communities is doing on malware feeds into other people. So if an activist creates a piece of malware for one purpose, there's nothing to stop an organized crime organization for using that malware for their purposes or even the government using the networks built by organized crime for their purpose. There's an example that I think is really interesting that stands out in this case. In 2007, the Estonian government decided to relocate a Russian war memorial, and that was followed by several days of riots and protests. And then after that, they came under a large and sustained Denial of Service attack, which is an attack where a lot of computers which are under the control of somebody-- this is known as a botnet-- was used to send traffic to the various government websites, then caused that website to come down. It is thought that this network of botnets was developed by an organized crime organization, and then the Russian government borrowed it temporarily in order to use it for this particular type of attack. So you can see, there's a very complex interrelationship growing between the people behind the malware and how they're developing that malware out there. But malware is not necessarily something new. It's something that's been around for a while. It's-- from the earliest days, I think one of the earliest pieces of malware, at least that's widely known, is the Morris worm. That came out in 1998, and it was very sophisticated for its time. It was a piece of software as a worm that was designed to probe a computer system for vulnerabilities-- a port that's open-- using some things known as Remote Procedure Calls and then get itself onto that system. And then after it infects that system, it would start to overwrite the memory of the system, getting the system essentially to run the code that the worm has contained in itself. And from that, that system would then become infected and further propagate the worm Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 5 of 15

6 Flash forward to 2001, a pretty popular virus known as Nimda started to use a more sophisticated technique for infecting machines. It would use scams, things known as phishing, where you try to convince somebody that what they've got is a legitimate sent to them by a legitimate person, and attached to that is something they want you to click on. And so Nimda would use those vectors, and it would download itself onto a PC, overwrite system files, and open up the system for administrative control to somebody outside the network. Going forward, in 2005, we saw an interesting case of malware, and this is one that I don't think started out initially as malware, but it really turned into a type of malware. In 2005, Sony, trying to deal with copy protection for their CDs, put some software on their music CDs such that when a person installed that CD in a computer, this software would be copied onto the computer, and the purpose of the software was to keep people from copying the music, but what it did is, it opened up certain vulnerabilities on the system. And as hackers out there found out about this software and what it did, it gave them the ability to hack into the system and take a degree of control of it. So this was not necessarily designed to be malware, but because of the vulnerabilities it created, it ended up, in a sense, becoming a type of malware. And these are just a few of the examples. Literally, you could spend days and days talking about high-profile attacks, different types of malware. What's clear, as you can see from the graph, is that over time, the complexity and the consequences of malware have gotten more significant. So when we look at today, modern malware, it's off the charts how complex and how focused it is. Modern malware (16:24) Let's just take a look inside modern malware, and we can see some really interesting, sophisticated characteristics. One thing about modern malware is that it's become extremely targeted. If we think back to Stuxnet, that piece of malware, that was very specifically targeted to a particular environment. If that malware was able to get inside a particular type of network and knew what it was looking for, something called a programmable logic control built by Siemens-- so a specific device by a specific manufacturer in a specific configuration-- and if it found that, it would go into attack mode, but if it didn't, it wouldn't. So it obviously takes a lot for somebody to write that, but increasingly, instead of just writing a general piece of malware and throwing it out there, people are spending the time to figure out what it is they want to go after and then write the malware to specifically go after that. Another thing we see in malware today, which is pretty baffling-- it's something known as-- they've become polymorphic. Now, this is just a fancy name, because, you know, in the industry, we sometimes like to have fancy names to make it seem like what we're doing is complicated or difficult. "Polymorphic" really just means "better." Something changes itself-- that it changed itself on the outside or the inside, that over time, this is something that has the ability to selfchange. And that's one of the things we're seeing with modern malware, that 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 6 of 15

7 every time malware gets installed and propagates, it changes. It does this sometimes by changing how it's encrypted. A lot of modern malware will encrypt itself so that people can't figure out what's going on with it. Oh, was there a note there? Okay, sorry to keep-- sorry. Somebody just passed me a note, and I'm trying to juggle a couple things. So, you know, as it gets into a system, it will oftentimes encrypt itself so that people can't-- reverse engineering it-- reverse engineer it and figure out what's going on. And then when it gets copied to another machine, it will re-encrypt itself in a different way so that each time the essential functionality of the malware remains the same, but to outside appearances, it looks the same. I'm sorry. It looks different. It looks like a completely new piece of malware. So ultimately, we have to really be concerned about that, because that is doing a good job of evading what, you know, we're trying to do in terms of defending it. Modern malware is also very persistent. It has a way of not only copying itself to a lot of different systems but also getting itself on there-- Looks like my camera angle has just been changed here, so I'm going to try to deal with this. It's different here, so I apologize for that. So one of the things is that modern malware has a good way of obscuring its presence on infrastructure. It will oftentimes obscure the fact that it's running by fooling the system into thinking that it's actually not running. If you look at the processes on the system, you won't see that there's this extra piece of software there. It will cloak itself by using standard file naming conventions, hiding itself, and then take what's called a low and slow approach to propagation, which means that it won't send out a burst of network activity. It will send little bits of traffic out, trying to find weaknesses in the environment, and copy itself in a way that won't, hopefully, you know, on its case, raise itself to the level of detection. And the other thing is that modern malware is increasingly part of what's known as a botnet, meaning it's under some type of remote control. And this means that somebody has installed malware on a number of different machines out there. Those machines have become bots or slaves, and they report back to and communicate with a centralized command and control server. And this is incredibly powerful. It gives people the ability to direct the activities of a whole fleet of systems out there. It gives them the ability to update the malware itself. So, you know, if somebody's written a signature to discover it out there, they can say, "Uh-oh, I need to make changes to this malware here, so let me push out an update." So with all of these changes in malware, the other thing that we have to think about is that malware is not just necessarily used alone for a particular purpose. Increasingly, we are seeing malware used with other activities to form a wider integrated attack. We can very often characterize an attack by a series of steps, and in each of these steps, malware may or may not be used Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 7 of 15

8 First step, very often, is that somebody will scout a particular environment. They also call this fingerprinting. This is trying to find out what systems are inside that environment. What's going on? What are the potential avenues of attack or vulnerability? Malware may or may not be used in this, but this can just be one part of attack, not the attack itself. And then the next step is often some type of infiltration. So once the malware has figured out the environment out there, it tries to find a way in. And there are some really clever ways that people have found to get around traditional security systems. Why sit there and try to hack through a firewall or some type of other security system when you can get inside their network in a completely different way? One way that we've heard about is at conferences. We all sometimes go to IT conferences, and we visit vendors' booths, and a lot of times, those vendors will have giveaways, like USB sticks. Well, some people have gone up to those vendors' booths and left behind some USB sticks. So somebody comes along. They pick it up. They connect it to their laptop, and unbeknownst to them, a malicious piece of software got copied to their hard drive. And the next time they go into the office, that malware has an open door into the infrastructure. No complicated hacking going on. Of course, then once it gets into the environment, the malware needs to spread. It needs to spread both from a resilience perspective but also because it needs to be able to find vulnerabilities. Depending on what the end goal of the malware is, it's looking for high-value targets, maybe internal servers with proprietary information, financial details. And then ultimately, somewhere out of that is the attack. And as I say, ultimately, it's hard to know what the actual attack is. It could be to disrupt a nuclear power plant or a control facility. It could be to exfiltrate information. But the important thing is, we don't just need to focus on the attack itself. Increasingly, we need to look at the pattern that constitutes the integrated attack, because all along this chain, malware may or may not be used, and it's not necessarily the attack that we're seeing out there. Defense against malware (23:14) So this may seem pretty grim, you know, when we talk about the sophistication of malware and this kind of cat-and-mouse game, each trying to stay ahead of each other, the security researchers trying to get ahead of malware, and the virus and malware writers finding a new way around it. It can be quite a difficult task for how to deal with this, but what's important is not just the technology that we have in place. Certainly, we do need things like antivirus software, firewalls, intrusion protection devices, and new generation devices that do some pretty nifty things. What's important is to have a more modern approach to how we deal with the malware problem, recognizing that it's not simply a technology issue. One of the first key fundamental things to approaching how we can secure ourselves in our-- in this environment is to take what we describe as an architectural perspective Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 8 of 15

9 Now, I'm not gonna go into much detail, but I will give you an understanding of what this is. But, you know, from a quick sense, architecture is about taking a broader view of the challenge that you're faced with, not simply looking at things in terms of a technology problem that requires a technology solution but thinking from the business as well. What are you trying to achieve, and what are the different ways, including technology, you can about achieving it? Another key thing is to begin to look differently at how we approach the threat. I'm gonna talk about this in just a bit, but increasingly, intelligence is becoming a key asset for addressing the malware problem and also having greater context on the information about the threats out there. And then finally, we need to be able to protect the infrastructure as it serves the purposes of the business, because the infrastructure is out there for businesses to conduct their activities. People need to access information and access their , and we need to be able to keep that secure, and increasingly, that security requires automation and needs to be policy-based. So let's look at each of these approaches in turn. And one thing I want to emphasize here: I'm not gonna talk about any specific technology or product. That's not the purpose of the session. The purposes of this is really to help you understand what malware is, the challenge it poses, and then how we can address it through approaches. There are products and solutions out there, and we will certainly go over those in subsequent sessions, but I want you to understand the bigger picture. Part of that bigger picture is taking the architectural view. Architectural perspective (25:34) An architecture really defines an approach. It's about how you look at a problem from a broader perspective and a higher-level view. When we think about security, protecting ourselves from malware, what is the purpose of what we're doing out there? I think some people may have looked at this and said, "Well, the goal of our security is to eliminate vulnerability inside of our network." Now, that sounds like a good goal, but does that goal necessarily guarantee security? Because you may find out that you've eliminated all the vulnerabilities in your network, but yet somebody's found a backdoor way to do it. So are you secure? Have you achieved your goal? With an architectural approach, one of the most important starting places is by defining, what is your goal? What are you trying to do? Are you just trying to eliminate vulnerabilities, or are you trying to keep sensitive information from being compromised? Are you trying to protect valuable assets? Are you trying to prevent the disruption of a nuclear power facility? You really have to start with thinking of security in terms of your end goals before you start to go down the road of, "What products, what solutions, and what processes do I need to undertake?" From goals, then we need to look at how we can realize and implement those goals in a particular environment. Hold on a second. Sorry. My laptop just froze for a second. And this is the area of policy 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 9 of 15

10 and governance. This is, again, more at the business level, but this is how we translate our goals into something that functions within the business. So policy is really the rules of the business. What are you allowed to do, and what are you not allowed to do? And governance is about how you put those into place and make sure that they're being implemented effectively. So if we try to achieve our security goals, we certainly have to have policies, things that define how people are allowed to use the infrastructure, what they're allowed to do when they're inside of the network, and then ways to check that that behavior is being honored and respected. And, of course, we need operations, because technology alone does not make us secure. People, processes, technology, and other things together need to be combined in an operational way that allows people to implement the policy and the governance rule that ultimately achieve our goal. And at the end of it, then ultimately, we will have some sort of underlying infrastructure, and that infrastructure that we really need has to be a platform. And when we talk about a platform, what we mean is an end-to-end capability, not a collection of individual devices but something that is connected, that has the ability to share information, that provides a feel of trust, meaning that this device does what it's supposed to do, and you have a high degree of confidence in that, that it's resilient, because it's not just a question of blocking attacks. We get attacked, and we will get attacked in the future. The question is, can we withstand the attack? And how does the platform play a role in ensuring that level of resiliency? And then increasingly, having visibility throughout our infrastructure-- we need to be able to see what's going on in all locations and all times in order to really understand if our network is being used for the purpose-- network and infrastructure-- is being used for the purpose it intended and if we're achieving our security goals. Now, I recognize this is a little bit high-level, and some of you may not be familiar with architecture or the concept and the various ways of going about doing it, but conceptually, it's really just about taking a broader view of the picture and not thinking solely in terms of technology and product as the way to solve this challenge. Intelligence-led and contextual (29:16) Now, the next issue has to do with one of the innovative ways we can approach this challenge. So we've got architecture, which helps to guide what we do, but we also need some advanced tools and capabilities, given the complexity and sophistication of modern malware. One of the things that, you know, has historically been the approach to dealing with security threats, whether it's malware, viruses, all sorts of things, is to look 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 10 of 15

11 for what we know about, right? If you know about a virus, you write a signature that will then look for that virus in your environment. That works great if you know what you're looking for, but as we mentioned, modern malware is very sneaky. It changes itself. It hides itself. So we can't necessarily rely solely on these signature-based methods. What we need is a way of trying to get ahead of the problem, because once we find something in our environment, in many ways, it may be too late. We've already been attacked. How do we prevent this from happening? How do we, you know, close the barn doors, essentially, before the horse gets out, if you're familiar with that inspection-- the expression. And this is where the role of intelligence comes in. What I'd like to show you here is a graph that a colleague of mine came up with, and I think it's a great way of illustrating the value of intelligence and what it means to dealing with modern malware. Here we see two lines in this graph. The vertical line is capacity, which describes our capacity to deal with certain situations. And the normality line, the horizontal line, describes, you know, how normal things are on a day-to-day basis. So we wake up. We have our breakfast. We go to the office. We have lunch. We come home, dinner, go to bed. All of those things are normal activities. But when an event happens, suddenly we're thrown out of this normal environment. And let's say that this event is some type of catastrophic attack on a power facility. Somebody's used malware to attack the power facility, brought it down, and the consequence is-- is that, let's say, at the hottest time of year, there's no electricity or cooling for residents in a city. That will take us away from the normality line, and it will also impact our capacity in two ways. In one way, it will require us to increase the amount of resources we use to address the situation. So suddenly, we're going to involve law enforcement. We're going to involve emergency responders. We're gonna be throwing a lot of resources at the problem as this event occurs. And then, of course, as the problem is addressed and things start to return to normality, then we'll see a reduction in the amount of resources we deploy. But conversely, at the same time that we're hit by this event, our capacity to respond and deal with emergency situations is reduced, because if our resources are deployed in one place, then we can't address another situation. Everything that we talk about on this side of the line of the normality curve describes essentially how we approach security today. It's about responding to it, finding that virus, and recovering from it, cleaning it and disinfecting it, and this is obviously not enough. What we need to try to do is get ahead of this curve, and everything ahead of this curve is what we generally describe as intelligence. And that's about anticipating the attack or tackling it far upstream before we get hit. And all of these activities are why intelligence agencies exist Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 11 of 15

12 And what they do is, they plan. They try to think about, "What are the consequences if somebody took a power facility off-line?" They analyze situations. Who could be behind this? What could they possibly be trying to do? And what can we do to perhaps prevent that from happening? And they monitor. They look for things that are telltale signs that an attack may be coming. Everything on this side of the normality line can be described as the stages of preventing and preparing for an attack. And I would say we now increasingly need to balance between the two sides. In our security approach, we focus largely on impact reduction, trying to keep something from happening. When it happens, we deal with it, and then we clean up afterwards, but more and more, we need to focus on the left side, risk reduction where we leverage intelligence, which is collecting information about the outside environment, about what other people are seeing, analyzing it, and it's using it in a way that gives us some indication of what might be coming so we can tackle it far upstream, which means that we don't have to deal with the cost and the degradation of capacity when this event happens. Now, context plays into this as well. As you notice, I mention two things, intelligence and context. Now, this is in a way that I like to talk about context. You see before you a split screen, and on either side of the screen, you see two figures. Some of you may look at these two figures and say, "Well, what I'm seeing on both sides is a letter." Some of you may look at it and say, "What I'm seeing on both sides is a number." Well, you may be right. You may not. There's really no way to be certain just by looking at these two things, but when we bring in context, suddenly, we've shed some light on what's going on. We can now make a better determination of what we're seeing, so that it turns out what's on the left side of the screen is actually a letter, the letter B, and what's on the right side of the screen is actually a number, the number 13. And this is where context comes in into the role of intelligence in a modern approach. Just looking at the signatures or the core piece of malware out there is no longer enough, because malware hides itself. We need to look at the context of it, and that means looking at, what workstation is this malware getting installed on potentially? Who is using this workstation? What do they have access to? And what is the broader behavior surrounding this malware? Since the malware is increasingly operating across the network, we can see certain behaviors that we might describe as anomaly, and increasingly, by finding these anomalous behaviors, these things that are outside of the normal scope of things, we can develop a level of context that tells us if we're really finding malware. So this is one of the key approaches. We need to be able to bring together intelligence, which is information outside of the traditional scope of what we're trying to protect so that we can get ahead of the problem, and then context, which is all sorts of information in our-- in our infrastructure that can maybe give 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 12 of 15

13 us a clue as to what we're seeing and whether or not that is something that's anomalous. When you bring these things together, we develop a new level of insight that is beyond simply looking for what we already know. It's about looking for things before they happen to us and finding things that are unknown but perhaps are anomalous and out of context in our environment. And this brings us to the third core. Automated and policy-based (36:04) We've talked about a high-level approach based on architecture, looking at the broader goals and the operations around how you secure yourself, looking at the role of intelligence and context and how that can help us prevent and uncover malware, but ultimately, the business still needs to function. It--the infrastructure is out there for a purpose, for people to conduct their day-to-day activity. Now, when we think about traditional security, it's been very much about building static perimeters. People put things in place, security controlled, and then they fit people into little boxes or devices into little boxes. So, for example, we determine that only certain users are allowed access to the infrastructure. We say that they can only use certain devices on that infrastructure. There are only certain ways that they can connect to that infrastructure, maybe only through the office headquarters. And then the resources that they're allowed to access are limited as well. This maybe has served us well for a period of time, but the problem is, this doesn't reflect the reality of modern business. The reality is that all of these things have left the perimeter. They're, in many ways, outside the static perimeter that we built. So users are no longer just the users who work at the company. Sometimes they are partners. Sometimes they are contractors. Sometimes they are guests visiting your network, and they want to get access to the network. Devices are no longer just the thing that IT issues you. If you've heard of bring-- the Bring Your Own Device movement or Bring Your Own Application, now everybody, in many cases, is using whatever kind of device they want to use, an Apple laptop, an Intel PC, an iphone, an ipad, et cetera. IT doesn't necessarily have control over what you use. And they have less control over how you access the infrastructure. It's not just about connecting from the headquarters location. You may be on the road. You may be at a Starbucks. You may be someplace that IT wouldn't normally expect you to connect from, but you still need to get access to that information. And information itself, the resources you want to access, that's also moved outside of the static perimeter. With the advent of virtualization and cloud computing, we now see our information being pushed into new locations running on public clouds or community clouds. So in all of these cases, the idea of having a static perimeter not only doesn't work in protecting us. It doesn't serve the business. So what we need to do is, in many ways, refix the perimeter, and this is where automation and a policy-based approach come in Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 13 of 15

14 In many ways, we could say the modern perimeter is not a static perimeter. It's not just firewalled computers and devices. In modern circumstances, the modern perimeter is identity and policy. And what that means is the ability to know what's on your network, what, who is connecting to your network, and how it's being used across all of the different devices in your infrastructure and at all the different layers, the application layer, the network layer, the device layer. Identity and policy is about being able to know, first of all, who is connecting to your infrastructure? Being able to literally identify that to a person and know, is this person somebody who belongs on our network? And what resources and rights do they have? What permissions and access do they have on the infrastructure? What kind of device is being used? How are they accessing the infrastructures? We need to know if it's an Android-based device, an ios-based device, a PC, a Macintosh, what have you, and what type of hardware is it running on. And again, policy gives us a level of control over permitting or denying that use. Also, where are people connecting from, and when are they connecting? Are they connecting from the office or from a remote location, during business hours or outside of business hours? And then ultimately, what are they trying to get access to? The information about being able to identify each of these, know what they are, and associate them with a policy is what is the modern perimeter, because this is what allows us to draw dynamic boundaries over interactions so that you can say, "This person is allowed to access the infrastructure "using this device in this location to get access to that resource." Monitor it, and control it. So we very much now rely on identity and policy as the modern boundary or the perimeter rather than simply locking everything down and ensuring that our security controls are very static. So we've covered a lot of territory here, and, of course, there's a lot more that we can go into, but the key thing I want to impress upon you is that though malware is a growing problem-- it's growing in sophistication; it's becoming more complicated, more targeted; the actors behind it are becoming broader in their goals, perhaps more undeterminable-- even though it's a growing problem out there, we don't need to lose hope. What we need to do is adjust our approach to how we deal with this situation, and as I've mentioned, it's not just about technology. In fact, technology, in many ways, is the final thing we bring in after we have done a lot of other things, and that means taking an architectural approach where we start with, what are the goals? What are we trying to achieve? How are we gonna put those goals, if there's a goal, in an achievable way into practice in the business? How are we gonna run the operations to make sure we're doing secure things? And then ultimately, of course, use the correct infrastructure to secure ourselves. One thing I want to make clear: I'm in no way saying that we're getting rid of old security infrastructure, antivirus, firewall, intrusion protection. These all serve a 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 14 of 15

15 very important, crucial piece in the overall security puzzle. What we need to do is augment it by adding certain capability such as leveraging intelligence and context so that we start looking for information that helps us get ahead of the problem, that gives us a risk mitigation approach rather than simply a vulnerability capture or elimination, that allows us to look at the problem not solely as one individual thing but how that thing appears in context in a way that will tell us whether or not we actually have a problem. And then, of course, drawing perimeters that support the business, that allow the business to be secure, but support the way people work in the modern world, and identity and policy are the bases. So with all of this said, you know, what I really want to emphasize is that it's not just about modern technology and modern network infrastructure, modern design. It's about a modern approach and using all of these capabilities and this new perspective to really deal with the challenge we see in malware. With that, I'd like to thank you very much, and I will turn it back over to my colleague Emma for wrap-up Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 15 of 15