The Art of Modern Threat Defense. Paul Davis Director, Advanced Threats Security Solution Architects

Transcription

1 The Art of Modern Threat Defense Paul Davis Director, Advanced Threats Security Solution Architects January 2016

2 Goal of Presentation Who Am I A New World of Pain How we are treating the symptoms Silver Bullets Doing the same thing every time, and expecting a different outcome The solution is within our grasp But change start with you The future architecture Call to action Cisco 3

3 Goal of Presentation Show The New Art of Advanced Threat Defense A New Way to Approach Building Security Infrastructure Give us a chance to defeat new attacks Where ever they hit us Create a dialog on how to improve Cisco 4

4 Who Am I IT - 25 years IT Security - 15 years Incident Coordination - 10 years Roles VP of Delivery ThreatGRID EDS General Motors CISO EDS Dow Chemical CSO VP, Unisys global MSSP business Incident Leader Business roles Systems Engineer Technical Architect DBA Recovering Developer Systems Integration Threat Intelligence SOCs Incident Response MSSPs Dir of Sec Ops Cisco 5

5 A New World of Pain More Publicity Wider scope of impact Incident Response teams getting bigger Forensics Attribution Transactional APT Regulatory BIA Business people are taking notice Governments are taking notice Security budgets are growing (slowly) Ratio of CAPEX to OPEX is shifting to the right (still) Cisco 6

6 A Future Approach 1. Great for known attacks 2. Not great for agile response 3. No cross data sharing DNS SIM Not good for 0days Web Consoles IPS Network NetFlow Endpoint Firewall Cisco 7

7 Analysis CWS Cloud Access Control AMP Threat Grid Identity Management SIEM Threat Intelligence AMP Cloud Log Management Tools: - Isolated Threat Visualizatoin Intel - Defenseless Console - Limited integration trustsec There is the SIEM but tends to be Overloaded, and reactive to IT events Router Switch Firewall IPS/IDS Web Proxy Proxy Network Forensics NetFlow VPN Endpoint pxgrid Time is money, my friend (and increased risk) Cisco 8

8 Today s Reaction to Advanced Threats The Problem Isolated solutions Constrained to signatures, no proactive defense Not possible to have multiple layers of defense responding Assumes all traffic goes through as many layers as possible Event driven No Silver Bullets Cisco 9

9 A New Model is Required Retain the layers of defense idea Tools integrated Solution collaboration So we can build our Silver Gun Cross vendor integration More vectors of security awareness in our tools And it needs a. Cisco 10

10 Think about The Expanding Vectors of Security Knowledge Identity External Intelligence IT Events Device 7 Dimensions Of Security Transaction The Threat Intelligence Lifecycle Management Engine 1. Collective Trust Location 2. Enrich 3. Evaluate 4.Communicate 5. Monitor Cisco 11

11 A New Architecture Model Systems will be able to broadcast threat intelligence Systems will be able to act on threat intelligence Next generation of security control solution needed Automatic triage Automated intelligence driven response Aided business risk evaluation Multiple response methods Predictions Better enterprise security consoles SIEM as we know it will fade away Threat Intelligence will become more actionable Cisco 12

12 A Future Approach Big Data HumInt DNS Automated Analysis Machine Learning SIM Web A Broker of Intelligence Consoles IPS Network NetFlow Endpoint Firewall Cisco 13

13 A Future Approach HumInt Automated Analysis Machine Learning DNS Web Big Data A Broker of Intelligence SIM Consoles IPS Network NetFlow Endpoint Firewall Cisco 14

14 The Cisco Security Portfolio Talos / AS Threat Grid CTA/CWS OpenDNS WSA WSA ISE AMP Clou d SIM Consoles SourceFire AMP for Networks Lancope AMP for Endpoint ASA with FirePower Cisco 15

15 So What Are We Talking About Leveraging the power of each security tool As part of a cohesive automated response system Distributing intelligence As opposed to point solution security response Re-enabling our layers of defense Enabling a new level of response to kill chains Supporting the new world of: Porous networks More mobility More cyber crime More advanced attacks Cisco 16

16 The Give me feedback Start talking to your management about the need for greater intelligence and automation Look at pxgrid and TrustSec Push for solutions that give you the ability to build a silver gun Cisco 17

17 Cisco 18