Cybersecurity Before - During - After: An Integrated Security Strategy
Peter Romness, Business Development Manager, Public Sector Cybersecurity, Cisco Systems Inc.
Mobility, cloud, threat, IoT: consumer-centric market dynamics require an end-to-end security architecture.
Threat Evolution
Threats:
- 2000: worms
- 2005: spyware / rootkits
- 2010: APTs, cyberwarfare
- Today: increased attack surface (mobility + cloud + IoT)
Enterprise response, in the same order:
- Anti-virus (host based)
- IDS/IPS (network perimeter)
- Reputation (global) and sandboxing
- Intelligence and analytics (cloud)
Examples of Cyber Threats in the News
Stuxnet / Flame, Zeus (Zitmo), Night Dragon, CryptoLocker, Shamoon, Citadel, Kaptoxa, SpyEye (Spitmo), Red October, Shady RAT, DUNIHI, Sykipot
Threat characteristics (initial infection vector, propagation mechanism, persistence mechanism, target):
- Bypass the perimeter (initial infection vector)
- Spread laterally on the internal network, where detection abilities were limited (propagation mechanism)
- Evade traditional detection techniques (persistence mechanism)
Cyber Threats: Initial Infection Vector
Effectiveness of phishing: "More than 95% of all attacks tied to state-affiliated espionage employed phishing as a means of establishing a foothold in their intended victims' systems." (Verizon Data Breach Report; ThreatSim)
IT Megatrends Are Creating the Any-to-Any Problem
Any device, any cloud:
- Endpoints: endpoint proliferation; blending of personal and business use
- Apps / services: accessed through multiple methods
- Infrastructure / workloads: reside in many clouds (public, private, hybrid, multi-tenant)
Threat Landscape
Cyber activities:
- 104% increase in reported incidents by US government agencies from 2009 to 2013
- 52% increase in attacks against US critical infrastructure from 2011 to 2012
- 144% increase in incidents involving PII from 2009 to 2013
- More sophisticated every day ("minute zero")
Cyber crime motives: money, embarrassment, espionage
Assets targeted: 75% point-of-sale systems; 20% e-commerce systems; 5% other (espionage etc.)
Sources: Verizon Data Breach Report; US House Intelligence; NSA; Bloomberg; GAO; 2012 Norton Cybercrime Report
Cyber Threats, Detection, and Response
Malicious traffic and vulnerabilities:
- 100% of corporate networks examined were found to have visible malicious traffic
- 95% of corporate organizations admit to having been breached
- 14% year-over-year growth in reported vulnerabilities and threats
Breach discovery methods:
- 82% external party (fraud detection organization, law enforcement, customer)
- 13% internal detection (users, audits, equipment)
- 5% unknown
Response:
- 416 days: average time an advanced persistent threat sits on your network before detection (now down to approximately 300 days / 10 months)
Sources: Verizon Data Breach Report 2013; US House Intelligence; SANS; Bloomberg; Cisco Annual Security Report 2013; ESG; Mandiant
Cost of a Cyber Breach
- $1T/year private sector revenue loss from cyber espionage
- $100B/year cost of cybercrime in the US
- 26% of Americans have been victims of an identity breach
- $194 per record: US average breach cost; $233 per record: US healthcare average
Initial PII breach costs, state / local government: $11 - $13 per record based on known breaches ($5 - $6 for notification and credit checks; $6 - $7 for remediation). Constituent / customer confidence lost = added costs.
Sources: US House Intelligence; McAfee/CSIS; Ponemon/Symantec; Bloomberg; NCSA; SANS/NORSE
Cybersecurity Concerns
- Internal: policies, insider threat, partners, education
- Government regulations: state regulations, NIST, DoD 8570, NERC CIP, DISA STIG, SAM 8500, MS-ISAC
- Threats: malware, Anonymous, hackers, advanced persistent threat, espionage
- Damage: revenue loss, customer reputation, PII theft, intellectual property theft, money theft, embarrassment, protecting national security
New Cybersecurity Model
Cybersecurity Scope
- Policy, regulations, standards, education
- Network governance: user, network, systems
- Layers: physical, data link, network, transport, session, presentation, application
- Supply chain: anti-counterfeit, distribution channels, trusted systems, distribution and delivery, vendor security; advanced services partner
- Attack continuum (network)
The New Security Model: Attack Continuum
BEFORE: control, enforce, harden
DURING: detect, block, defend
AFTER: scope, contain, remediate
Applied across network, endpoint, mobile, virtual and cloud; moving from point-in-time to continuous.
Mapping Integrated Solutions to the Attack Continuum
BEFORE (control, enforce, harden): Secure Identity and Mobility Solution
DURING (detect, block, defend): Malware Detection and Defense Solution
AFTER (scope, contain, remediate): Cyber Continuous Monitoring Solution
Cloud: virtual and physical consistency across all three phases
Secure Identity and Mobility
Secure Identity and Mobility: Identity and Context Centric Policy Platform
- Security policy attributes: WHO, WHAT, WHEN, WHERE, HOW
- Business-relevant policies evaluated by a centralized identity policy engine (Identity Services Engine)
- Dynamic policy enforcement in the network for users and devices, with application controls
- Monitoring and reporting
Secure Identity / Mobility in Everyday Life
Access to the right resources based on who, what, when, where and how; user device access is set by policy:
- Laptop at home office: confidential resources
- iPhone at Starbucks: general resources
- Personal iPad: Internet
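The Who / What / When / Where / How decision the slides describe, written out as an added example (not Cisco ISE code, and not from the original deck). The attribute names, the three resource tiers, the rule names and the business-hours window are assumptions chosen to reproduce the slide's three everyday cases; rules are evaluated in order of privilege, and anything no rule matches is denied.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    """The policy attributes from the slide. Field names are assumptions."""
    user: str        # WHO: authenticated identity
    role: str        # WHO: group membership ("employee", "guest", ...)
    device: str      # WHAT: endpoint type, kept for the audit record
    managed: bool    # WHAT: corporate-managed device vs. personal (BYOD)
    location: str    # WHERE: "office", "home", "public", ...
    hour: int        # WHEN: local hour 0-23
    method: str      # HOW: "wired", "wifi", "vpn"

CONFIDENTIAL, GENERAL, INTERNET, DENY = "confidential", "general", "internet", "deny"

def on_trusted_path(c):
    # Office LAN/WLAN, or any location reached over the corporate VPN.
    return (c.location == "office" and c.method in ("wired", "wifi")) or c.method == "vpn"

# Ordered rules, most privileged first: (rule name, granted tier, predicate).
RULES = [
    ("managed-trusted-path", CONFIDENTIAL,
     lambda c: c.role == "employee" and c.managed and on_trusted_path(c) and 6 <= c.hour < 22),
    ("managed-untrusted-path", GENERAL,
     lambda c: c.role == "employee" and c.managed),
    ("known-user-byod", INTERNET,
     lambda c: c.role in ("employee", "guest")),
]

def decide(c):
    """First matching rule wins; no match means default deny.
    Returns (tier, rule name) so every decision can be logged and reported."""
    for name, tier, pred in RULES:
        if pred(c):
            return tier, name
    return DENY, "default-deny"

if __name__ == "__main__":
    cases = [
        Context("jsmith", "employee", "laptop", True, "home", 10, "vpn"),       # slide: laptop at home office
        Context("jsmith", "employee", "iphone", True, "public", 14, "wifi"),    # slide: iPhone at Starbucks
        Context("jsmith", "employee", "ipad", False, "public", 14, "wifi"),     # slide: personal iPad
        Context("jsmith", "employee", "laptop", True, "office", 2, "wired"),    # managed, but at 02:00
        Context("unknown", "unknown", "laptop", False, "office", 10, "wired"),  # unauthenticated on the LAN
    ]
    for c in cases:
        print(c.user, c.device, c.location, c.method, "->", decide(c))
```

The fourth and fifth cases are the ones worth checking in any real policy: a managed laptop on the office LAN outside business hours drops to general access rather than keeping confidential access, and an unauthenticated endpoint on a trusted port gets nothing because no rule grants it anything.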
Malware Defense and Detection Solution
Cisco's Malware Detection and Defense Solution
A multi-layered approach to network protection, with threat intelligence provided by Cisco SIO (Cisco / Sourcefire Security Intelligence Operations, SIO/VRT):
- Web and email security appliances with AMP
- ASA firewall with AMP + IPS/NGIPS and botnet filters
Connections from untrusted networks into the trusted enterprise network must be checked in depth by multiple layers of defense before reaching enterprise resources.
Cisco Threat Intelligence: Security Intelligence Operations / Vulnerability Research Team (SIO / VRT)
- Telemetry from 1.6M devices worldwide; 2.1M telemetry points; open source input
- 30B+ queries daily, 30% of all web traffic
- 500+ security specialists, 24/7/365, 40 languages
- URL reputation scores for web and email (SenderBase)
- >7,500 IPS signatures and >8 million rules daily
- 6,000 threat reports / day
- NSS Labs 100% detection rate
Importance of reputation: SIO/VRT analyzes email and web traffic and feeds reputation information to IPS and to the email and web security appliances. Visibility into both email and web traffic dramatically improves detection: 80% of spam contains URLs; email is a key distribution vector for web-based malware; malware is a key distribution vector for spam zombie infections.
Cyber Threat Defense: Secure Internal Monitoring
Internal Monitoring: The Need
Perimeter security (IPS, network anti-virus, web security, email security) stops many threats, but sophisticated cyber threats evade existing security constructs:
- A customized threat bypasses the security gateways, or enters from inside the firewall
- The threat spreads inside the perimeter and on to devices
- Fingerprints of the threat are found only in the network fabric
Cyber Threat Defense
Monitor, collect and analyze network traffic to detect anomalies:
- NetFlow from switches, routers and firewalls (security-enabled network)
- Context from the Identity Services Engine and NBAR/AVC
- Cybersecurity anomaly detection (StealthWatch)
Cyber threat detection enhances the efficiency and effectiveness of analysis and provides key insight into internal activity across the network.
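What "analyze NetFlow to detect anomalies" looks like in practice, as an added example that is not StealthWatch or Cisco code. The flow records, the 10.0.0.0/8 internal range, the IP-to-user map standing in for ISE context, and the thresholds are all constructed. Two of the internal-fabric behaviours the previous slide describes are detected: one host touching many internal peers on one port with tiny flows (lateral fan-out) and one host pushing far more data outbound than its own baseline (exfiltration by volume); each alert is enriched with the identity context so the analyst sees who, not just which IP.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

# Constructed identity context (what ISE would supply): IP -> (user, device type)
IDENTITY = {
    "10.1.1.20": ("jsmith", "laptop"),
    "10.1.1.30": ("svc-build", "server"),
    "10.1.1.40": ("mlee", "laptop"),
}

def flow(src, dst, dport, packets, nbytes):
    """One NetFlow-style record, reduced to the fields the detections use."""
    return {"src": src, "dst": dst, "dport": dport, "packets": packets, "bytes": nbytes}

# Constructed flows: yesterday's baseline and today's traffic.
BASELINE = [
    flow("10.1.1.20", "10.1.2.5", 445, 200, 1_200_000),
    flow("10.1.1.20", "203.0.113.10", 443, 300, 2_000_000),
    flow("10.1.1.30", "10.1.2.5", 22, 50, 40_000),
    flow("10.1.1.40", "203.0.113.10", 443, 100, 800_000),
]
TODAY = [
    flow("10.1.1.20", "10.1.2.5", 445, 200, 1_100_000),
    flow("10.1.1.20", "203.0.113.10", 443, 280, 1_900_000),
    # jsmith's laptop touching SMB on 20 internal hosts with 2-packet flows: lateral fan-out
    *[flow("10.1.1.20", f"10.1.2.{i}", 445, 2, 120) for i in range(10, 30)],
    # build server pushing 60 MB to an external host it has never talked to before
    flow("10.1.1.30", "198.51.100.77", 443, 45_000, 60_000_000),
    flow("10.1.1.40", "203.0.113.10", 443, 110, 850_000),
]

def outbound_bytes(flows):
    """Bytes sent by each internal source to external destinations."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return totals

def detect(today, baseline, fanout_min=10, exfil_ratio=5.0, exfil_floor=10_000_000):
    """Two flow-based detections, each enriched with identity context."""
    alerts = []
    # 1. Lateral fan-out: one source reaching many distinct internal hosts on one port
    #    with tiny flows (a few packets means connection attempts, not real sessions).
    peers = defaultdict(set)
    for f in today:
        if is_internal(f["src"]) and is_internal(f["dst"]) and f["packets"] <= 3:
            peers[(f["src"], f["dport"])].add(f["dst"])
    for (src, dport), dsts in peers.items():
        if len(dsts) >= fanout_min:
            alerts.append({"type": "lateral_fanout", "src": src, "dport": dport,
                           "hosts": len(dsts), "who": IDENTITY.get(src, ("unknown", "unknown"))})
    # 2. Exfiltration by volume: outbound bytes far above the host's own baseline and
    #    above an absolute floor, so a host with no baseline still has to move real data.
    base = outbound_bytes(baseline)
    for src, total in outbound_bytes(today).items():
        expected = base.get(src, 0)
        if total >= exfil_floor and total > exfil_ratio * max(expected, 1):
            alerts.append({"type": "exfil_volume", "src": src, "bytes": total,
                           "baseline": expected, "who": IDENTITY.get(src, ("unknown", "unknown"))})
    return sorted(alerts, key=lambda a: (a["type"], a["src"]))

if __name__ == "__main__":
    for a in detect(TODAY, BASELINE):
        print(a)
```

Neither detection needs packet payload, which is the point of the slide: both behaviours are invisible to a perimeter gateway that never sees east-west traffic, and both are visible in flow records the switches already export. The per-host baseline matters more than the absolute floor; a backup server legitimately moves far more data than a laptop, so a single global threshold would either miss the laptop or page on the backup server every night.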
Beyond the Event Horizon
Point-in-time detection is not 100%: antivirus and sandboxing are defeated by sleep techniques, unknown protocols, encryption and polymorphism, and are blind to the scope of compromise. With point-in-time detection, analysis stops at the verdict: initial disposition = clean, actual disposition = bad, too late.
Retrospective detection keeps analyzing after the verdict and "turns back time": initial disposition = clean, actual disposition = bad, blocked. Continuous visibility and control are key.
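The mechanism behind "turning back time", as an added example that is not Cisco or Sourcefire AMP code. A recorder keeps every sighting of every file hash on every host together with the decision made at the time; when the verdict for a hash later flips to malicious (a sandbox that waited out a sleep timer, a new signature), it raises one retrospective alert per host that was allowed to receive the file while it looked clean, and blocks the next sighting. The hash, host names, timeline (integer minutes) and actions are constructed.

```python
from collections import defaultdict

class FileTrajectory:
    """Records every sighting of every file hash and re-evaluates past sightings
    when a verdict changes. Timestamps are plain integers (minutes) in this example."""

    def __init__(self):
        self.verdict = {}                     # sha256 -> "clean" | "malicious"
        self.sightings = defaultdict(list)    # sha256 -> [(t, host, action, decision)]
        self.alerts = []

    def observe(self, t, host, sha256, action):
        """Point-in-time decision at the moment a file is seen: block only what is
        already known bad; everything else is allowed but remembered."""
        decision = "blocked" if self.verdict.get(sha256) == "malicious" else "allowed"
        self.sightings[sha256].append((t, host, action, decision))
        return decision

    def update_verdict(self, t, sha256, new_verdict):
        """Intelligence update (sandbox result, new signature, cloud lookup).
        A change to 'malicious' raises one retrospective alert per host that was
        allowed to receive the file before the verdict existed."""
        previous = self.verdict.get(sha256)
        self.verdict[sha256] = new_verdict
        new_alerts = []
        if new_verdict == "malicious" and previous != "malicious":
            for seen_t, host, action, decision in self.sightings[sha256]:
                if decision == "allowed":
                    new_alerts.append({"sha256": sha256, "host": host, "action": action,
                                       "first_seen": seen_t, "dwell": t - seen_t})
        self.alerts.extend(new_alerts)
        return new_alerts

    def exposed_hosts(self, sha256):
        """Scope of compromise: every host that received the file while it looked clean."""
        return sorted({h for _, h, _, d in self.sightings[sha256] if d == "allowed"})

# Constructed timeline: a dropper arrives by email, is copied to a second host,
# is convicted by the sandbox an hour later, then reappears on a third host.
DROPPER = "constructed-sha256-0001"   # placeholder, not a real sample hash

def run_timeline():
    tr = FileTrajectory()
    tr.observe(0, "ws-017", DROPPER, "email-attachment")
    tr.observe(12, "ws-042", DROPPER, "smb-copy")
    alerts = tr.update_verdict(60, DROPPER, "malicious")   # verdict after the sleep timer expired
    later = tr.observe(75, "ws-099", DROPPER, "download")  # now blocked at point in time
    return tr, alerts, later

if __name__ == "__main__":
    tr, alerts, later = run_timeline()
    for a in alerts:
        print("retrospective alert:", a)
    print("exposed hosts:", tr.exposed_hosts(DROPPER), "| ws-099 at t=75:", later)
```

The two retrospective alerts are what a point-in-time product can never produce: it has no record that ws-017 and ws-042 ever saw the file, so once the verdict changes it can only protect ws-099. The dwell field (time from first sighting to conviction) is the number the earlier slide quotes as hundreds of days on average; continuous recording is what turns that into a list of hosts to contain instead of an unknown.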
Secure Virtualization in the Data Center
Securing Virtualized Computing Resources
Cisco extends the secure network fabric into the hypervisor:
- Nexus 1000V / CSR 1000V: policy-based network and security services for all VMs; network visibility at the hypervisor level; VM routing and NetFlow source
- Virtual Security Gateway: trusted access to the secure virtual data center; trust-zone access is controlled and monitored through established security policies
- ASAv: built on the proven ASA firewall code base; tenant-edge to VM-specific policies; automated policy-based provisioning
- NetFlow Generation Appliance: provides NetFlow from non-NetFlow devices (SAN, LAN); high capacity for large flow areas
Comprehensive Security Portfolio
- Firewall and NGFW: Cisco ASA 5500-X Series; Cisco ASA 5500-X with NGFW license; Cisco ASA 5585-X with NGFW blade; FirePOWER NGFW
- IPS and NGIPS: Cisco IPS 4300 Series; Cisco ASA 5500-X Series integrated IPS; FirePOWER NGIPS; FirePOWER NGIPS with Application Control; FirePOWER Virtual NGIPS
- Advanced Malware Protection (Cisco Sourcefire): FireAMP; FireAMP Mobile; FireAMP Virtual; AMP for FirePOWER license; dedicated AMP FirePOWER appliance
- Network behavior monitoring: Lancope StealthWatch
- Web security: Cisco Web Security Appliance (WSA); Cisco Virtual Web Security Appliance (vWSA); Cisco Cloud Web Security
- Email security: Cisco Email Security Appliance (ESA); Cisco Virtual Email Security Appliance (vESA); Cisco Cloud Email Security
- VPN: Cisco AnyConnect VPN
- NAC and identity services: Cisco Identity Services Engine (ISE); Cisco Access Control Server (ACS)
- UTM: Meraki MX
Advanced Malware Protection integrated with Cisco Content Security: AMP is now available on email and web security devices and Cisco Cloud Web Security as add-on licensing.
Cisco Managed Threat Defense Service (new)
Cisco Managed Threat Defense is a fully managed, security-analyst-delivered service that defends against zero-day attacks and advanced persistent threats with monitoring, inspection and correlation from our security operations center, 24 hours a day, 7 days a week.
Business value:
- Out-of-band deployment ensures minimal impact / disruption to infrastructure availability
- Reduce security costs by migrating processes to a third party
- Improve security posture through accurate detection of advanced threats
Security value:
- High-fidelity detection to reduce unnecessary investigation
- Makes true network behavior anomaly detection an operational reality
- Full-packet capture to reduce and eliminate false positives
- Global threat intelligence to defend against known threats and anomalies
Service availability in the US, Canada and APJC from Cisco and our partners.
Other Security Services from Cisco and Our Partners
Plan / design / implement:
- Security policy; security plan and build; SOC plan and build; security architecture roadmap
- Audits / assessments: online security readiness assessment; security posture assessment; network device security assessment; DDoS mitigation readiness assessment
Technology solutions:
- TrustSec, ISE, 802.1X; ASA including migration; email and web security; VPN; NAC optimization; SDA and SDA for ICS; security optimization; firewall conversion; identity management
Operate:
- Remote management services; change management and configuration; Security IntelliShield alert manager; IR&R planning and implementation; SOC build, operate, transfer
Customer enablement:
- Online security consulting; online security education; online security training range
Cyber Threat Defense: Future
- Application Centric Infrastructure / software-defined networks: application centric; security = killer app
- AI-based threat detection: improve threat detection with artificial-intelligence-based anomaly detection; self-learning and evasion resistance
- Increase telemetry for reputation and identity analysis: next-gen firewall, next-gen IPS, AMP, global threat intelligence
Human Firewall: IT Management and Workforce Education
- Promote formal education and training: SANS Institute, MS-ISAC, university system
- Certifications: Certified Cybersecurity Analyst; CCNA, CCNP and CCIE security tracks; CISSP
- User training: cyber threats, compromise instructions, monthly updates
- Cyber testing: security assessment, network penetration testing, etc.
- Cyber exercises
Cybersecurity: What to Do Next
- Leverage the Cisco core network: maximize investment in the Cisco core (NetFlow, TrustSec, NBAR, AVC)
- Strategically add Cisco security products and services: SIO/VRT real-time intelligence; ISE, ASA, WSA, ESA, NGIPS, AMP
- Partner with industry leaders: Lancope, Arbor, Splunk, services
ppromness@cisco.com
Cyber Policy: ISO/IEC 27001:2005
ISO/IEC 27001:2005 (successor to BS 7799-2; its companion code of practice ISO/IEC 17799 was renumbered ISO/IEC 27002) covers all types of organizations. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks.
Cyber Policy: NIST
NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life: conduct world-class research, in close collaboration with industry, that advances the nation's technology infrastructure.
Cyber Policy
All 50 states represented. Principal members are generally chief cyber security officers (or equivalents) from their state, state homeland security offices, law enforcement, and others in the physical security field.