Protection Against Advanced Persistent Threats


Protection Against Advanced Persistent Threats
Peter Mesjar, Systems Engineer, CCIE 17428
October 2014

Agenda
- Modern Threats
- Advanced Malware Protection Solution
- Why Cisco?
Cisco Public 2

The Problem Is Threats

So, What Is Malware Like These Days?
Timeline figure (1985 to 2013): viruses, macro viruses, worms, hackers, spyware / rootkits, malware, APTs, malware as a service, mobile malware, SDKs.

APT / Advanced Malware
- Is now a tool for financial gain
- Uses formal development techniques
- Sandbox-aware as standard; quality assurance to evade detection
- 24/7 tech support available
- Has become a math problem: endpoint AV signatures ~20 million, total KNOWN malware samples ~100 million, AV efficacy rate ~50% (http://www.pcworld.com/article/2150743/antivirus-is-dead-says-maker-of-norton-antivirus.html)

An Example
"Out of the 45 different pieces of malware planted on the Times systems over the course of three months, just one of those programs was spotted by the Symantec antivirus software the Times used... The other 44 were only found in post-breach investigation months later."
http://www.forbes.com/sites/andygreenberg/2013/01/31/symantec-gets-a-black-eye-in-chinese-hack-of-new-york-times/

Introducing Virtest: VirusTotal's evil twin
- Russian malware service, for malware authors (bad guys)
- Paid-for service (including bitcoins)
- 1) Upload your malware, 2) choose AV engine(s), 3) wait

The Reality: Organizations Are Under Attack
"95% of large companies are targeted by malicious traffic, and 100% of organizations have interacted with websites that host malware." - 2014 Cisco Annual Security Report
- Neiman Marcus breach: 350,000 credit cards stolen
- Target breach, December 2013: 40 million credit cards stolen, 70 million personal records stolen
- ...and many more
http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

Little Focus on Response
- Prevention: historic investment here
- Incident response: need more focus and investment here
"Based on a forensic analysis going back months, it appears hackers broke into The Times computers on Sept. 13." NY Times, Jan 30, 2013
According to US-CERT, the average time from breach to discovery is 486 days, and normally the breached party finds out from a 3rd party.

If you knew you were going to be compromised, would you do security differently?

The New Security Model: Attack Continuum
- BEFORE: Control, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Technologies across the continuum: Firewall/NGFW, VPN, UTM, NAC + Identity Services, vulnerability mgmt (before); NGIPS, Web Security, Email Security (during); Advanced Malware Protection, Network Behavior Analysis, Retrospective Security (after). Visibility and Context underpin all three phases.

Advanced Malware Protection: Solution (AFTER)

We Provide Continuous Analysis
Point-in-time detection (antivirus, sandboxing): analysis stops. Not 100%: sleep techniques, unknown protocols, encryption, polymorphism. Blind to the scope of compromise. Initial disposition = Clean, actual disposition = Bad = too late!!
Continuous analysis (retrospective detection): analysis continues and turns back time. Visibility and control are key. Initial disposition = Clean, actual disposition = Bad = Blocked. Addresses the limitations of point-in-time detection.

Point-in-Time Detection vs Continuous Analysis
Point-in-time security sees a lighter, bullet, cufflink, pen & cigarette case. Wouldn't it be nice to know if you're dealing with something more deadly?

Our Approach for Advanced Malware Protection
Network AMP:
- Retrospective security
- Continuous file analytics
- Reputation determination
- FireSIGHT management, AMP malware license, Sourcefire sensor
- No need for a client
Client-based AMP:
- Small code (like a printer driver)
- Desktop and mobile devices
- Checks file copying / execution / moving
- Traps fingerprint & attributes
- Queries cloud for file disposition

When You Have Been Breached: Questions that Need Answers
- Confirm infection: where do I start?
- How did the threat get onto the system?
- What systems were impacted?
- What did the threat do?
- How do we recover?
- How do we keep it from happening again?
The Complexity of the Problem that AMP Solves (flowchart of the manual response process): Notification, Quarantine, Triage, Analyze Malware, Build Test Bed, Static Analysis, Device Analysis, Network Analysis, Malware Profile, Define Rules (from profile), Update Profile, Scan Devices, Search Device Logs, Search Network Traffic, Search for Re-infection, Proliferation Analysis, Malware Proliferation, Remediate. Branches: Infection Identified / Cannot Identify Infection; Confirm No Infection / Stop Proliferation.

AMP Console


One Step Remediation


File Trajectory
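The retrospective-security idea on the preceding slides (a file whose disposition is "clean" or "unknown" when first seen, later re-classified as "malicious", with the file trajectory then showing every host that touched it) is shown below as an added example. It is not Cisco's or Sourcefire's code: the cloud disposition service is modelled by a plain lookup callable, and all hashes, hostnames, paths and timestamps are constructed sample data.

```python
"""Toy model of point-in-time versus retrospective file detection.

Added example, not Cisco's or Sourcefire's code: an in-memory event
store that records each file observation from an endpoint together with
the disposition the cloud returned at that moment, and that re-queries
later so a verdict which changes to "malicious" produces a retrospective
alert and the file's trajectory across hosts. Hashes, hostnames, paths
and timestamps are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed hashes standing in for real SHA-256 file fingerprints.
KNOWN_GOOD = "a" * 64
LATER_BAD = "b" * 64


@dataclass(frozen=True)
class FileEvent:
    ts: int        # observation time, seconds (constructed)
    host: str      # endpoint that trapped the event
    sha256: str    # file fingerprint sent to the cloud
    action: str    # "copy", "execute" or "move": what the client traps
    path: str


class RetrospectiveStore:
    """Event store plus disposition cache; the lookup callable models the cloud."""

    def __init__(self, disposition_lookup):
        self._lookup = disposition_lookup      # sha256 -> "clean" | "unknown" | "malicious"
        self._events = defaultdict(list)       # sha256 -> [FileEvent]
        self.known = {}                        # sha256 -> disposition last returned

    def observe(self, ev):
        """Point-in-time decision: record the event, return today's disposition."""
        disp = self._lookup(ev.sha256)
        self._events[ev.sha256].append(ev)
        self.known[ev.sha256] = disp
        return disp

    def recheck(self):
        """Continuous analysis: re-query every hash seen; alert when a verdict turns bad."""
        alerts = []
        for sha, old in list(self.known.items()):
            new = self._lookup(sha)
            if new == old:
                continue
            self.known[sha] = new
            if new == "malicious":
                entry, hosts = self.scope(sha)
                alerts.append({"sha256": sha, "was": old, "now": new,
                               "entry_host": entry, "hosts": hosts})
        return alerts

    def trajectory(self, sha):
        """File trajectory: every recorded event for the hash, oldest first."""
        return sorted(self._events.get(sha, []), key=lambda e: e.ts)

    def scope(self, sha):
        """Scope of compromise: first host that saw the file, then all hosts in order."""
        hosts = []
        for ev in self.trajectory(sha):
            if ev.host not in hosts:
                hosts.append(ev.host)
        return (hosts[0] if hosts else None), hosts


def demo():
    """Walk through the Clean-then-Bad sequence from the slides; returns both outcomes."""
    cloud = {KNOWN_GOOD: "clean"}              # LATER_BAD is unknown at first
    store = RetrospectiveStore(lambda h: cloud.get(h, "unknown"))
    events = [   # constructed: a download that spreads to two more hosts
        FileEvent(100, "laptop-17", LATER_BAD, "copy", "Downloads/invoice.exe"),
        FileEvent(130, "laptop-17", KNOWN_GOOD, "execute", "Windows/notepad.exe"),
        FileEvent(160, "laptop-17", LATER_BAD, "execute", "Downloads/invoice.exe"),
        FileEvent(400, "fileserver-2", LATER_BAD, "copy", "share/tools/invoice.exe"),
        FileEvent(650, "laptop-03", LATER_BAD, "execute", "share/tools/invoice.exe"),
    ]
    point_in_time = [store.observe(e) for e in events]   # nothing blocked: no "malicious" yet
    cloud[LATER_BAD] = "malicious"          # the sandbox/cloud verdict changes afterwards
    alerts = store.recheck()                # retrospective detection fires here
    return point_in_time, alerts


if __name__ == "__main__":
    pit, retro = demo()
    print("point-in-time dispositions:", pit)
    for a in retro:
        print(f"retrospective alert: {a['sha256'][:8]}... {a['was']} -> {a['now']}, "
              f"entry {a['entry_host']}, hosts {a['hosts']}")
```

Running `demo()` shows the point where a purely point-in-time design stops: every observation of the constructed `invoice.exe` returns "unknown" and is allowed, and only the later `recheck()` turns the changed verdict into an alert that names the probable point of entry (the earliest host) and every host the file reached, which is the information the "When You Have Been Breached" questions ask for.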

The Results
Major US utility company, responsible for protecting a variety of assets, including nuclear power plants:
- FireAMP detected a system compromised via a remote Java exploit 2 days before the Java exploit was announced
- Took incident response time from several hours to 15 minutes per compromised machine
- Able to rapidly determine whether a user who claimed to be spearphished actually was spearphished
- Remediated what appeared to be an internal network DoS by discovering a misconfigured system

Private Cloud: Local Decision (VM)
Capability matrix (Private Cloud / Public Cloud):
- File/Device Trajectory
- Threat Root Cause
- IOC and alerting
- Simple and Custom detection
- Cloud Lookups / Retrospective Alerting
- File Analysis* (ThreatGrid integration)

Android: New Target
- Cisco Annual Security Report: mobile devices as targets (99% Android)
- Most visible mobile malware (Cisco Cloud Web Security reports)

Android Risks
- Many ways to monetize attacks: the device is often tied directly to a billing system
- Can be more susceptible than a PC: easier to locate personal data than on a PC; users often use default apps such as "Contacts" and "Gallery" and often store full personal data in them
- Personal information on devices is often difficult to change: Gmail email address tied to Google Play; device identifiers (phone number, MAC address, IMEI, IMSI)
- Lots of free apps readily available from Google Play: easy to install and try

Why Cisco?

Sourcefire Advanced Malware Protection
Complete solution suite to protect the extended network:
- FireAMP for hosts, virtual and mobile devices
- Dedicated Advanced Malware Protection (AMP) appliance
- Advanced Malware Protection for FirePOWER (NGIPS, NGFW)
- Cisco Email and Web Security Appliances

NSS Labs Report: Comparative Testing on Breach Detection Systems
- Who is NSS Labs? NSS Labs, one of the best and most thorough independent testing bodies in the industry, performed comparative testing on Breach Detection Systems.
- What was measured? Security effectiveness of Breach Detection Systems: HTTP/email malware, exploits, evasions, and false positive rate; total cost of ownership per protected Mbps.
- What Cisco-Sourcefire products were tested? AMP Everywhere: AMP for Networks and AMP for Endpoints (TCO calculations include this set of FireAMP connectors); FirePOWER 8120 (with AMP subscription)*.
- What competitor products were evaluated? FireEye, AhnLab, Fortinet, TrendMicro, Fidelis.
BDS Methodology v1.5: "[The methodology] utilizes real threats and attack methods that exist in the wild and are actually being used by cyber-criminals and other threat actors. This is the real thing, not facsimile; systems under test (SUT) are real stacks connected to a live internet feed." --NSS Labs
*Dedicated AMP Appliances (AMP8150/AP7150) were not shipping at the time of the test, otherwise one would have been used.

Security Effectiveness: The Result (1/2)
Cisco AMP is a Leader in Security Effectiveness and TCO and offers Best Protection Value.
Figure: NSS Labs Security Value Map (SVM) for Breach Detection Systems (security effectiveness vs TCO per Protected-Mbps). Cisco Advanced Malware Protection: Best Protection Value, 99.0% Breach Detection Rating, lowest TCO per Protected-Mbps.

The Result (2/2)
Cisco AMP is a Leader in Security Effectiveness and TCO and offers Best Protection Value.
Figure: Cisco-Sourcefire AMP results for detection capability only. Cisco Advanced Malware Protection: Best Protection Value, 99.0% Breach Detection Rating, lowest TCO per Protected-Mbps.

Conclusion: A Revolutionary Approach
- Attackers are determined and resourceful
- Malware is still getting onto devices; detection is not 100%
- Point-in-time detection is not sufficient
- Integrated response is required to be effective
Cisco FireAMP solves business problems:
- Where do I start?
- What is the scope and how bad is the situation?
- What was the point and method of entry?
- Can I control and remediate across the network and endpoints?
Provides an architecture: AMP everywhere
- Our database of common threats gives you upfront defense
- Our real-time behavioral tracking, background information on the prevalence of software, and malware sandboxing allow you to quickly separate out the innocuous software, understand what the attacker did, how far he or she moved, and what kind of tools they are using
- Our threat defense tools allow you to rapidly remove previously unrecognized threats without waiting on big AV firms to respond

Thank you.