Sikkerhed i infrastrukturen. Christian Heinel Country Lead, Security Cisco Denmark

Transcription

1

2 Sikkerhed i infrastrukturen Christian Heinel Country Lead, Security Cisco Denmark

3 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3

4 The Pervasiveness of Malicious Traffic High-Threat Malware Government and Military Hijacked Infrastructure Sites without Content Suspect FTP Suspect VPN Education via Threat(s) Pornography Connections to domains that are known malware threat sites or threat vectors. Suspicious and excessive traffic going to places not typically contacted by the public. Connections to known hijacked infrastructure or compromised sites. Connections to blank sites that may have code on them to inject malware into systems. Unexpected connections to irregular FTP sites. Connections from within an organization to suspicious VPN sites. Connections to universities in suspicious places, potentially serving as pivot points for other kinds of malware. Very high volume of attempts to connect to known pornography sites. 100% 100% 96% 92% 88% 79% 71% 50% 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4

5 How well do you detect a breach? 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5

6 Our Security Perspective 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6

7 The Problem is Threats 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7

8 If you knew that you would be compromised in 2014 would you do security differently? 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8

9 The New Security Model Attack Continuum BEFORE Control Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Network Endpoint Mobile Virtual Cloud Point in time Continuous 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9

10 Mapping Technologies to the Model Attack Continuum BEFORE Control Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall Patch Mgmt IPS IDS AMD App Control Vuln Mgmt Anti-Virus FPC Log Mgmt VPN IAM/NAC /Web Forensics SIEM Visibility and Context 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10

11 Any Device to Any Cloud PUBLIC CLOUD HYBRID CLOUD PRIVATE CLOUD 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11

12 The Internet of Everything 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12

13 Threats are evolving Industry Response Antivirus (Host-Based) IDS/IPS Reputation (Global) (Network Perimeter) and Sandboxing AI and Analytics (Cloud) Worms Spyware and Rootkits APTs Cyberware Increased Attack Surface Tomorrow 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13

14 Addressing the Entire Attack Continuum

15 Addressing the Entire Continuum Attack Continuum BEFORE Control Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall VPN NGIPS Advanced Malware Protection NGFW UTM Web Security Network Behavior Analysis NAC + Identity Services Security Visibility and Context 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15

16

17 Cisco Identity Services Engine (ISE) Delivering the Visibility and Control for Secure Network Access Network Who Partner Context Data What Where When Cisco ISE Consistent Secure Access Policy How

18 ISE Integration ASA integration: CoA, TrustSec, Posture, AnyConnect CyberThreat Defense Integration MDM integration SIEM integration

19 Mobile Device Management Security Information and Event Management (SIEM) and Threat Defense ISE 1.2 BDM 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19

20 30B WEB REQUESTS 100 TB DATA RECEIVED PER DAY 150M DEPLOYED ENDPOINTS 1.6M DEPLOYED DEVICES 35% WORLDWIDE TRAFFIC

21

22 Addressing the Entire Continuum Attack Continuum BEFORE Control Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall VPN NGIPS Advanced Malware Protection NGFW UTM Web Security Network Behavior Analysis NAC + Identity Services Security Visibility and Context 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22

23 Better Together PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 Leveraging A Powerful Community PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 Leadership The Path Up and Right Sourcefire has been a leader in the Gartner Magic Quadrant for IPS since As of December 2013 Source: Gartner (December 2013) 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25

26 Sourcefire s Security Solutions NEXT- GENERATION FIREWALL Management Center APPLIANCES VIRTUAL NEXT- GENERATION INTRUSION PREVENTION CONTEXTUAL AWARENESS ADVANCED MALWARE PROTECTION HOSTS VIRTUAL MOBILE COLLECTIVE SECURITY INTELLIGENCE APPLIANCES VIRTUAL 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26

27 FireSIGHT Full Stack Visibility CATEGORIES EXAMPLES SOURCEFIRE FireSIGHT TYPICAL IPS Threats Attacks, Anomalies Users AD, LDAP, POP3 Web Applications Facebook Chat, Ebay Application Protocols HTTP, SMTP, SSH File Transfers PDF, Office, EXE, JAR Malware Conficker, Flame Command & Control Servers C&C Security Intelligence Client Applications Firefox, IE6, BitTorrent Network Servers Apache 2.3.1, IIS4 Operating Systems Windows, Linux Routers & Switches Cisco, Nortel, Wireless Mobile Devices iphone, Android, Jail Printers HP, Xerox, Canon VoIP Phones Avaya, Polycom Virtual Machines VMware, Xen, RHEV Information Superiority Contextual Awareness TYPICAL NGFW 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27

28 AMP Everywhere! Advanced Malware Protection

29 Addressing the Entire Continuum Attack Continuum BEFORE Control Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall VPN NGIPS Advanced Malware Protection NGFW UTM Web Security Network Behavior Analysis NAC + Identity Services Security Visibility and Context 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29

30 NSS report from a few weeks ago 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30

31 Cisco Advanced Malware Protection Built on unmatched collective security intelligence Cisco Sourcefire SIO VRT Cisco Collective (Vulnerability Research Team) Security Intelligence WWW Endpoints Web Networks IPS Devices 180,000+ File Samples per Day FireAMP Community 1.6 million global sensors 100 TB of data received per day 150 million+ deployed endpoints 600+ engineers, technicians, and researchers 35% worldwide traffic 13 billion web requests 24x7x365 operations 40+ languages Advanced Microsoft and Industry Disclosures Snort and ClamAV Open Source Communities Honeypots Sourcefire AEGIS Program Private and Public Threat Feeds Dynamic Analysis 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31

32 Beyond the Event Horizon Analysis Stops Addresses limitations of point-in-time detection Point- in-?me Detec?on An?virus Sandboxing Ini?al Disposi?on = Clean Not 100% Sleep Techniques Unknown Protocols Encryption Polymorphism Actual Disposi?on = Bad = Too Late!! Blind to scope of compromise Retrospec?ve Detec?on, Analysis Con?nues Con?nuous Turns back 5me Visibility and Control are Key Ini?al Disposi?on = Clean Actual Disposi?on = Bad = Blocked 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32

33 Cisco Advanced Malware Protection delivers Point in Time Protection Retrospective Security File Reputation & Sandboxing Continuous Analysis 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33

34 Delivers the first line of detection All detection is less than 100% One-to-One Signature Fuzzy Finger-printing Machine Learning Advanced Analytics Dynamic Analysis Reputation Filtering and File Sandboxing 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34

35 That continues to analyze what happens along the attack continuum Breadth and Control points: WWW Endpoints Web Network IPS Devices Advanced levels of detection, tracking and response Telemetry Stream File Fingerprint and Metadata File and Network I/O Retrospection Process Information Continuous feed Retrospective Detection Behavioral Indications of Compromise Trajectory Threat Hunting Continuous analysis 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35

36 Giving you the assurance and visibility to know exactly where to start Who What Where When How Focus on these users first These applications are affected The breach impacted these areas This is the scope of exposure over time Here is the origin and progression of the threat 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36

37 There are several ways you can deploy AMP Cisco Advanced Malware Protection Deployment Options and Web Network Appliance Endpoint Method License with ESA or WSA Snap into your network Install on endpoints Ideal for New or existing Cisco or Web Security customers IPS/NGFW customers Windows, Mac, Android, VMs 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37

38 Addressing the Entire Continuum Attack Continuum BEFORE Control Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall VPN NGIPS Advanced Malware Protection NGFW UTM Web Security Network Behavior Analysis NAC + Identity Services Security Visibility and Context 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38

39 Cognitive Threat Analytics

40 Cisco Cloud Web Security Security Across all of the Attach Continuum BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Web Reputation Malware Signature File Retrospection AMP Usage Controls Outbreak Intel. Threat Analytics CTA Application Controls File Rep / Sandbox AMP Active Reporting CTA 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40

41 CWS Premium Threats Tab CWS C Cisco and/or its affiliates. All rights reserved. Cisco Confidential 41

42 Flexible Deployment Options On and Off Premise On-premises Cloud Deployment Options Cloud Connectors/ Redirects Router Firewall Appliance Roaming Client Options Implicit Explicit C Cisco and/or its affiliates. All rights reserved. Cisco Confidential 42

43 Cisco Cloud Web Security Advanced Threat Defense Additional Point-in-time Protection Retrospective Security & Continuous Analysis Advanced Malware Protection (AMP) File Reputation & Sandboxing AMP File Rep. Retrospection Cognitive Threat Analytics (CTA) 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 43

44 Cognitive Threat Analytics Analyzing Network Traffic Behaviors Behavioral Analysis Reduced time to discovery Active, continuous monitoring to stop the spread of an attack Normal or not? Spots symptoms of infection using behavioral anomaly detection algorithms and trust modeling THREAT Security that evolves Uses machine learning to learn from what it sees and adapt over time Anomaly Detection Machine Learning No more rule sets Discovers threats on its own just turn it on CTA is a cloud-based solution that reduces time to discover threats operating inside the network 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 44

45 Cognitive Threat Analytics Example Detection Categories Generated Domains Files with Multiple Extensions Data Transfer via URL MALWARE BEHAVIOR Data Transfer via URL params WPAD misuse Nonbrowser Traffic 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 45

46 Cognitive Threat Analytics Layered Detection Engine Detection Filtering Classification / Layer 1 Classification / Layer 2 Data Agent 1 Agent 2 Agent 3. Agent N Trust Modeling Layer WPAD Generated Domain. Data Exfiltration Malware 1 Malware 2. Malware N Incidents Individual Detectors Correlation & Memory Unsupervised Learning Supervised Learning Anomalous Malicious Malware 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 46

47 CTA / Active Threats Report Unique detections Discovering new threats & Customized C&C channels Using AI, ML, big data, we are discovering New Frontiers of Security Intelligence 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 47

48 CALL TO ACTION visit the booths and demos 1. Cyber Threat Defense 2. SourceFire 3. Next Gen Firewall 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 48

49 CWS Premium Threats Tab Incident Overview CWS Incidents in time List of incidents with details C Cisco and/or its affiliates. All rights reserved. Priority Probability Incident type Identity IP reputation Malware activity Time Stamp Feedback Cisco Confidential 49

50 CWS Premium Threats Tab Attacker s behavior CWS Incident information summary Attackers behavior representation C Cisco and/or its affiliates. All rights reserved. Cisco Confidential 50

51 CWS Premium Threats Tab Attacker s technique CWS Details of the malicious requests of Data Transfer Through URL To Raw IP activity C Cisco and/or its affiliates. All rights reserved. Cisco Confidential 51

52 CWS Premium Threats Tab File Retrospective Incident generated by File Retrospective CWS Incident generated Feb 10th - 2 Days File Retrospection File downloaded by the user on Feb 8th C Cisco and/or its affiliates. All rights reserved. Cisco Confidential 52

53