Threat-Centric Security Solutions
György Ács, Security Consulting Systems Engineer
3rd November 2015
The Problem is Threats
About Angler Exploit Kit
http://www.networkworld.com/article/2989827/security/cisco-disrupts-60m-ransomware-biz.html
Adversaries: Agility is Their Strength
Angler is continually throwing different hooks in the water to increase the chances of compromise:
- Flash vulnerabilities
- IP changing
- Compromised systems
- Domain shadowing
- Retargeting
- Ransomware
- Encrypted malicious payload
- Macros
- Social engineering
- More being developed daily
Security measures it has to get past: web blocking, IP blocking, email scanning, retrospective analysis, antivirus, endpoint solutions, TTD (time to detection).
Constant upgrades increased Angler's penetration rate to 40%, twice as effective as other exploit kits in 2014.
2015 Cisco and/or its affiliates. All rights reserved.
Patching: A Window of Opportunity
Users not moving quickly to the latest Flash versions or updating the patches creates an opportunity for Angler and other exploits to target the vulnerability.
[Timeline chart, 1 Feb to 1 Jun 2015, plotting update published, Angler exploit, vulnerability and user activity]
- Flash versions published: 15.0.0.246, 16.0.0.235, 16.0.0.257, 16.0.0.287, 16.0.0.296, 16.0.0.305, 17.0.0.134, 17.0.0.169, 17.0.0.188
- Vulnerabilities: CVE-2015-0310, CVE-2015-0313, CVE-2015-0336, CVE-2015-0359, CVE-2015-0390
Evolution of Threats and Responses
- 2000: Worms. Response: host-based (anti-virus)
- 2005: Spyware / rootkits. Response: network perimeter (IDS/IPS)
- 2010: APTs / cyberware. Response: global reputation & sandboxing
- Today: Increased attack surface (mobility & cloud). Response: intelligence & analytics
A Threat-Centric and Operational Security Model
Attack continuum:
- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Technologies across the continuum: Firewall, VPN, NGIPS, Advanced Malware Protection, NGFW, UTM, Email, Network Behavior Analysis, Secure Access + Identity Management, Web, Sandboxing
Foundation: Visibility and Context, Security Services
TALOS: Collective Security Intelligence
Cisco Talos (Talos Security Intelligence and Research Group) delivers malware protection, reputation feeds, IPS rules and vulnerability database updates.
Analysis: sandboxing, machine learning, big data infrastructure.
Sources: private and public threat feeds, sandnets, file samples (>1.1 million per day), FireAMP community, honeypots, Sourcefire AEGIS program, advanced Microsoft and industry disclosures, SPARK program, Snort and ClamAV open source communities.
http://talosintel.com/vulnerability-reports/
Building a Visibility Architecture
Why?
- Automation
- Contextualization
- Anomaly detection
- Event-driven security
Central Management, Intelligence and Context
FireSIGHT Management Centre (central management) processes events: policy definition, event analysis, correlation, network map (users, devices, apps, etc.).
FirePOWER appliances and Firepower Services on ASA perform real-time traffic analysis, access control and passive acquisition, and generate events:
- IPS
- Intelligence
- File
- Malware
- Access Control
- Flow
- Discovery
FireSIGHT Management Centre: SecOps Workflows
- FireSIGHT NGFW/NGIPS management
- Forensics / log management
- Network AMP / trajectory
- Vulnerability management
- Incident control system
- Adaptive security policy
- Retrospective analysis
- Correlated SIEM eventing
- Network-wide / client visibility
Visibility categories: threats, users, web applications, application protocols, file transfers, malware, command & control servers, client applications, network servers, operating systems, routers & switches, mobile devices, printers, VoIP phones, virtual machines
FireSIGHT Brings Visibility
Visibility categories with examples (the slide also marks which of Cisco FireSIGHT, a typical IPS and a typical NGFW cover each category):
- Threats: attacks, anomalies
- Users: AD, LDAP, POP3
- Web applications: Facebook Chat, eBay
- Application protocols: HTTP, SMTP, SSH
- File transfers: PDF, Office, EXE, JAR
- Malware: Conficker, Flame
- Command & control servers: C&C Security Intelligence
- Client applications: Firefox, IE, BitTorrent
- Network servers: Apache 2.3.1, IIS4
- Operating systems: Windows, Linux
- Routers & switches: Cisco, Nortel, wireless
- Mobile devices: iPhone, Android, Jail
- Printers: HP, Xerox, Canon
- VoIP phones: Cisco, Avaya, Polycom
- Virtual machines: VMware, Xen, RHEV
FireSIGHT Fuels Automation
- IT insight: spot rogue hosts, anomalies, policy violations, and more
- Impact assessment: threat correlation reduces actionable events by up to 99%
- Automated tuning: adjust IPS policies automatically based on network change
- User identification: associate users with security and compliance events
Impact Assessment
Correlates all intrusion events to an impact of the attack against the target.
Impact flag (administrator action) and why:
- Act Immediately, Vulnerable: event corresponds to a vulnerability mapped to the host
- Investigate, Potentially Vulnerable: relevant port open or protocol in use, but no vulnerability mapped
- Good to Know, Currently Not Vulnerable: relevant port not open or protocol not in use
- Good to Know, Unknown Target: monitored network, but unknown host
- Good to Know, Unknown Network: unmonitored network
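The impact-assessment table above is a small decision procedure: an intrusion event is joined against what passive discovery knows about the target (is the network monitored, has the host been seen, which ports and protocols it exposes, which vulnerabilities are mapped to it). The following Python is an added example, not Cisco's or FireSIGHT's code; the network map, vulnerability IDs ("VULN-A", "VULN-B") and events are constructed, and the numeric levels 1 to 4 and 0 are this example's own assumption about how the five flags are numbered (the slides only mention "impact 1").

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Impact flags as the slide names them. The numeric level is this example's
# own assumption; the page lists the flags by name and refers to "impact 1".
VULNERABLE = (1, "Act Immediately, Vulnerable")
POTENTIALLY_VULNERABLE = (2, "Investigate, Potentially Vulnerable")
NOT_VULNERABLE = (3, "Good to Know, Currently Not Vulnerable")
UNKNOWN_TARGET = (4, "Good to Know, Unknown Target")
UNKNOWN_NETWORK = (0, "Good to Know, Unknown Network")


@dataclass
class Host:
    """One entry of the network map, i.e. what passive discovery learned."""
    ip: str
    open_ports: set      # {(transport, port)}, e.g. {("tcp", 80)}
    app_protocols: set   # application protocols seen, e.g. {"http"}
    vulns: set           # vulnerability IDs mapped to this host


@dataclass
class IntrusionEvent:
    """An IPS event together with the vulnerabilities the rule is written for."""
    dst_ip: str
    transport: str
    dst_port: int
    app_protocol: str
    vulns: set


def assess_impact(event, network_map, monitored_networks):
    """Return (level, flag) for one intrusion event, following the slide's table."""
    target = ip_address(event.dst_ip)
    if not any(target in ip_network(n) for n in monitored_networks):
        return UNKNOWN_NETWORK          # unmonitored network
    host = network_map.get(event.dst_ip)
    if host is None:
        return UNKNOWN_TARGET           # monitored network, but host never discovered
    if event.vulns & host.vulns:
        return VULNERABLE               # event matches a vulnerability mapped to the host
    port_open = (event.transport, event.dst_port) in host.open_ports
    proto_in_use = event.app_protocol in host.app_protocols
    if port_open or proto_in_use:
        return POTENTIALLY_VULNERABLE   # service exposed, but no vulnerability mapped
    return NOT_VULNERABLE               # port closed / protocol not in use


# Constructed sample data (not from the page): one monitored range, two
# discovered hosts and five events that exercise every row of the table.
MONITORED = ["10.0.0.0/8"]
NETWORK_MAP = {
    "10.1.1.10": Host("10.1.1.10", {("tcp", 80), ("tcp", 443)}, {"http", "ssl"}, {"VULN-A"}),
    "10.1.1.20": Host("10.1.1.20", {("tcp", 22)}, {"ssh"}, set()),
}
EVENTS = [
    IntrusionEvent("10.1.1.10", "tcp", 80, "http", {"VULN-A"}),   # vulnerability mapped
    IntrusionEvent("10.1.1.20", "tcp", 22, "ssh", {"VULN-B"}),    # port open, no vuln mapped
    IntrusionEvent("10.1.1.20", "tcp", 80, "http", {"VULN-B"}),   # port closed, protocol unused
    IntrusionEvent("10.1.1.99", "tcp", 80, "http", {"VULN-B"}),   # host never discovered
    IntrusionEvent("192.0.2.7", "tcp", 80, "http", {"VULN-B"}),   # outside monitored networks
]


def run_sample():
    """Assess every sample event; returns the list of numeric impact levels."""
    return [assess_impact(e, NETWORK_MAP, MONITORED)[0] for e in EVENTS]


if __name__ == "__main__":
    for e in EVENTS:
        level, flag = assess_impact(e, NETWORK_MAP, MONITORED)
        print(f"{e.dst_ip}:{e.dst_port}/{e.app_protocol} -> impact {level}: {flag}")
```

The order of the checks matters: a mapped vulnerability wins over an open port, and the "unknown" cases are decided before any host attribute is consulted, which is what lets the correlation discard the bulk of events that hit hosts that cannot be affected.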
Cisco FireSIGHT Context Collection Platform
- IPS events: malware backdoors, exploit kits, web app attacks, CnC connections, admin privilege escalations
- SI (Security Intelligence) events: connections to known CnC IPs
- Malware events: malware detections, Office/PDF/Java compromises, malware executions, dropper infections
FireSIGHT: Detecting Anomalies
Detects when a new application appears or the traffic profile of a host changes; used to identify hacked hosts.
Useful in static environments: SCADA, DMZ, MEDTEC...
Reduced risk and cost.
Example alert: "Host has suddenly started to use SSH client and outgoing traffic volume has increased by 3"
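The anomaly on this slide combines two baselines per host: the set of applications it normally uses and its normal outgoing volume. The Python below is an added example (not FireSIGHT's implementation) that learns both from a constructed set of flow summaries and raises the two alert kinds from the slide, a new application and an outgoing volume at least three times the baseline; the hosts, applications, byte counts and window names are all invented for the example.

```python
from collections import defaultdict

# Constructed flow summaries (not from the page): (window, host, application, bytes_out).
# Windows day1..day5 are the learning period; day6 is the window being checked.
BASELINE_WINDOWS = {f"day{d}" for d in range(1, 6)}
FLOWS = [
    *[(f"day{d}", "10.2.0.5", "http", 1000) for d in range(1, 6)],
    ("day6", "10.2.0.5", "http", 1000),
    ("day6", "10.2.0.5", "ssh", 2000),      # new client app and 3x outgoing volume
    *[(f"day{d}", "10.2.0.6", "http", 800) for d in range(1, 6)],
    ("day6", "10.2.0.6", "http", 900),      # within normal profile
    *[(f"day{d}", "10.2.0.7", "http", 500) for d in range(1, 6)],
    ("day6", "10.2.0.7", "dns", 50),        # new app, but volume normal
    ("day6", "10.2.0.7", "http", 450),
]


def learn_profile(flows, baseline_windows):
    """Per-host baseline: applications seen and mean outgoing bytes per window."""
    apps = defaultdict(set)
    per_window = defaultdict(lambda: defaultdict(int))   # host -> window -> bytes
    for window, host, app, out in flows:
        if window in baseline_windows:
            apps[host].add(app)
            per_window[host][window] += out
    profile = {}
    for host, seen_apps in apps.items():
        mean_out = sum(per_window[host].values()) / len(baseline_windows)
        profile[host] = {"apps": seen_apps, "mean_out": mean_out}
    return profile


def detect_anomalies(flows, profile, window, volume_factor=3.0):
    """Alerts for one window: unknown hosts, new applications, and
    outgoing volume >= volume_factor times the host's baseline."""
    alerts = defaultdict(list)
    out_bytes = defaultdict(int)
    for w, host, app, out in flows:
        if w != window:
            continue
        out_bytes[host] += out
        base = profile.get(host)
        if base is None:
            if "unknown_host" not in alerts[host]:
                alerts[host].append("unknown_host")
            continue
        if app not in base["apps"]:
            alerts[host].append(f"new_app:{app}")
    for host, total in out_bytes.items():
        base = profile.get(host)
        if base and base["mean_out"] > 0 and total >= volume_factor * base["mean_out"]:
            alerts[host].append(f"volume:{total / base['mean_out']:.1f}x")
    return dict(alerts)


def run_sample():
    """Learn from day1..day5 and check day6; returns {host: [alerts]}."""
    profile = learn_profile(FLOWS, BASELINE_WINDOWS)
    return detect_anomalies(FLOWS, profile, "day6")


if __name__ == "__main__":
    for host, reasons in run_sample().items():
        print(f"ALERT {host}: {', '.join(reasons)}")
```

The volume check is done on the window total rather than per flow, so a host that spreads an unusual upload over many small connections is still caught; the learning period should cover a full cycle of the environment's normal activity, which is why this kind of profiling works best in the static environments the slide lists.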
FireSIGHT: Automated Responses
Use a pre-defined or custom script to initiate automatic actions, e.g. quarantine a device through the ISE API (change its VLAN or SGT).
Indications of compromise that trigger the quarantine:
- IPS event with impact 1
- Malware
- Communication with a botnet
Reduced risk and cost.
OpenAppID: First OSS Application and Control
OpenAppID language documentation
- Accelerate the identification and protection for new cloud-delivered applications
Special Snort engine with OpenAppID preprocessor
- Detect apps on the network
- Report usage stats
- Block apps by policy
- Snort rule language extensions to enable app specification
- Append app name to IPS events
Library of OpenAppID detectors
- Over 1000 new detectors to use with the Snort preprocessor
- Extendable sample detectors
Demo Time!
Next Generation Firewall Platforms
FirePOWER Services available on all ASA platforms (SMB, branch locations)
- ASA 5506-X, ASA 5506W-X (integrated wireless AP), ASA 5506H-X (ruggedized): 250 Mbps AVC, 125 Mbps AVC+IPS, 20K/50K* connections, 5,000 CPS
- ASA 5508-X: 450 Mbps AVC, 250 Mbps AVC+IPS, 100K connections, 10,000 CPS
- ASA 5516-X: 850 Mbps AVC, 450 Mbps AVC+IPS, 250K connections, 20,000 CPS
*Requires Security Plus licenses
FirePOWER Services available on all ASA platforms (branch locations, small/medium internet edge)
- ASA 5512-X: 300 Mbps AVC, 150 Mbps AVC+IPS, 100K connections, 10,000 CPS
- ASA 5515-X: 500 Mbps AVC, 250 Mbps AVC+IPS, 250K connections, 15,000 CPS
- ASA 5525-X: 1.1 Gbps AVC, 650 Mbps AVC+IPS, 500K connections, 20,000 CPS
- ASA 5545-X: 1.5 Gbps AVC, 1 Gbps AVC+IPS, 750K connections, 30,000 CPS
- ASA 5555-X: 1.75 Gbps AVC, 1.25 Gbps AVC+IPS, 1M connections, 50,000 CPS
FirePOWER Services available on all ASA platforms (campus / data center, enterprise internet edge)
- ASA 5585-SSP10: 4.5 Gbps AVC, 2 Gbps AVC+IPS, 500K connections, 40,000 CPS
- ASA 5585-SSP20: 7 Gbps AVC, 3.5 Gbps AVC+IPS, 1M connections, 75,000 CPS
- ASA 5585-SSP40: 10 Gbps AVC, 6 Gbps AVC+IPS, 1.8M connections, 120,000 CPS
- ASA 5585-SSP60: 15 Gbps AVC, 10 Gbps AVC+IPS, 4M connections, 160,000 CPS
FirePOWER 9300 High-end Platform
Supervisor:
- Application deployment and orchestration
- Network attachment (10/40/100GE) and traffic distribution
- Clustering base layer for Cisco ASA, NGFW, and NGIPS
Security modules:
- Embedded packet and flow classifier and crypto hardware
- Cisco (ASA, NGFW, and NGIPS) and third-party (DDoS, load-balancer) applications
- Standalone or clustered within (up to 240 Gbps) and across (1 Tbps+) chassis
Against Modern Targeted Attacks: Advanced Malware Protection
AMP: Advanced Malware Protection
Management: FireSIGHT Management Center, Private Cloud / SaaS manager.
Network-based AMP (no agent needed):
- AMP detection services & big data analytics
- AMP Malware license on a Sourcefire sensor or ASA FirePOWER Services
Host-based AMP (AMP for hosts: desktop Windows, Mac, Linux and mobile Android devices):
- Small agent
- Monitors file access (move/copy/execute)
- Gathers features (fingerprint & attributes)
- Retrieves the file's disposition (clean, malware, unknown)
Prevention Framework: Ethos Engine
ETHOS = fuzzy fingerprinting using static/passive heuristics
- Targets polymorphic variants of a threat that often have the same structural properties
- Not concerned with binary contents
- Higher multiplicity: captures the original and its variants
Protection technique: Spero Engine
SPERO = machine learning using active heuristics
Training: clean/dirty samples with clean labels and a hypothesis are turned into feature vectors (the file's featureprint: system environment export, keyboard API hook, DLL loaded, performance monitoring); a machine learning algorithm builds a predictive model (decision trees).
Classification: customer data is run through the predictive model to produce the expected label [disposition], flagging unknown malware.
Plan A: The Protection Framework
- 1-to-1 signatures
- Spero
- Device flow correlation
- Dynamic analysis
- Ethos
- IOCs
- Advanced analytics
Every prevention solution provides < 100% protection.
Plan B: Retrospective Security
When you can't detect 100%, visibility is critical.
Point-in-time detection (antivirus, sandboxing) is not 100%: sleep techniques, unknown protocols, encryption and polymorphism get past it, analysis stops, and it is blind to the scope of compromise. Initial disposition = clean; actual disposition = bad = too late!!
Retrospective detection (Cisco AMP): analysis continues, turning back time; visibility and control are key. Initial disposition = clean; actual disposition = bad = blocked.
Trajectory - Application and Host Level
Trajectory - Network Level
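The retrospective-security and trajectory slides above describe one data structure: every sighting of a file (host, time, action, the disposition returned at that moment) is kept, so that when the verdict for a hash changes later, the earlier sightings can be re-evaluated and the scope of compromise listed. The Python below is an added example of that bookkeeping, not AMP's code; the hash value, host names, timestamps and dispositions are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

MALWARE = "malware"

# Constructed placeholder for a file hash (not a real sample).
SAMPLE_SHA = "sha256-of-constructed-sample-1"


@dataclass(frozen=True)
class FileEvent:
    ts: int              # seconds, constructed values
    host: str
    sha256: str
    action: str          # "create", "move" or "execute"
    disposition: str     # what the lookup returned when the event happened


class RetrospectiveMonitor:
    """Keeps every file sighting so a later verdict can be applied backwards."""

    def __init__(self):
        self.events: List[FileEvent] = []
        self.current: Dict[str, str] = {}    # sha256 -> latest known disposition

    def record(self, ev: FileEvent) -> str:
        """Store a sighting and return the point-in-time disposition it was given."""
        self.events.append(ev)
        self.current[ev.sha256] = ev.disposition
        return ev.disposition

    def trajectory(self, sha256: str) -> List[FileEvent]:
        """All sightings of one hash in time order (file trajectory)."""
        return sorted((ev for ev in self.events if ev.sha256 == sha256), key=lambda ev: ev.ts)

    def scope(self, sha256: str) -> List[str]:
        """Hosts that have seen the hash, in order of first sighting."""
        hosts: List[str] = []
        for ev in self.trajectory(sha256):
            if ev.host not in hosts:
                hosts.append(ev.host)
        return hosts

    def update_disposition(self, sha256: str, new_disposition: str):
        """Apply a new verdict. Returns retrospective alerts, one per earlier
        sighting that was let through under a non-malware disposition."""
        old = self.current.get(sha256)
        self.current[sha256] = new_disposition
        if new_disposition != MALWARE or old == MALWARE:
            return []                      # nothing to revisit (or already handled)
        return [(ev.host, ev.ts, ev.action)
                for ev in self.trajectory(sha256) if ev.disposition != MALWARE]


def run_sample():
    """Four sightings judged unknown/clean, then the verdict flips to malware."""
    m = RetrospectiveMonitor()
    m.record(FileEvent(100, "mail-gw", SAMPLE_SHA, "create", "unknown"))
    m.record(FileEvent(160, "ws-0172", SAMPLE_SHA, "execute", "clean"))
    m.record(FileEvent(205, "ws-0419", SAMPLE_SHA, "create", "clean"))
    m.record(FileEvent(300, "ws-0172", SAMPLE_SHA, "move", "clean"))
    alerts = m.update_disposition(SAMPLE_SHA, MALWARE)
    return {
        "alerts": alerts,
        "trajectory": [(ev.ts, ev.host, ev.action) for ev in m.trajectory(SAMPLE_SHA)],
        "scope": m.scope(SAMPLE_SHA),
        "repeat": m.update_disposition(SAMPLE_SHA, MALWARE),   # idempotent second update
        "now": m.current[SAMPLE_SHA],
    }


if __name__ == "__main__":
    result = run_sample()
    for host, ts, action in result["alerts"]:
        print(f"retrospective alert: {host} {action} at t={ts}")
    print("scope of compromise:", result["scope"])
```

The point of keeping the full event list rather than just the latest disposition is that the second update for the same hash returns nothing: each sighting is revisited exactly once, and the scope list is what an analyst needs first when the verdict changes.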
There Are Several Ways You Can Deploy AMP
AMP (Advanced Malware Protection) deployment options:
- AMP on Email and Web; Cisco ASA; CWS
  Method: license with ESA, WSA, CWS, or ASA
  Ideal for: new or existing Cisco CWS, Email/Web Security, ASA customers
  Details: ESA/WSA: prime visibility into email/web; CWS: web and advanced malware protection in a cloud-delivered service; AMP capabilities on ASA with FirePOWER Services
- AMP for Networks (AMP on FirePOWER network appliance)
  Method: snap into your network
  Ideal for: IPS/NGFW customers
  Details: wide visibility inside the network; broad selection of features before, during, and after an attack
- AMP for Endpoints (Windows/Mac, mobile)
  Method: install lightweight connector on endpoints
  Ideal for: Windows, Linux, Windows OS for POS, Mac, Android; can also deploy from the AnyConnect client
  Details: comprehensive threat protection and response; granular visibility and control; widest selection of AMP features
- AMP Private Cloud Virtual Appliance
  Method: on-premises virtual appliance
  Ideal for: high-privacy environments
  Details: Private Cloud option for those with high-privacy requirements; can deploy in full air-gapped mode or cloud proxy mode; for endpoints and networks
Network as a Sensor and Enforcer
Network as a Sensor: Lancope StealthWatch
NetFlow from the network provides the context information; Cisco ISE is connected via pxGrid to carry out mitigation actions.
- Real-time visibility at all network layers
- Data intelligence throughout the network
- Asset discovery
- Network profile
- Security policy monitoring
- Anomaly detection
- Accelerated incident response
Integrated Threat Defense (Detection & Containment)
Lancope StealthWatch event: TCP SYN scan; source IP: 10.4.51.5; role: Supplier; response: Quarantine.
ISE issues a Change of Authorization and the network fabric moves the supplier into the quarantine / high-risk segment, away from the shared server, the employees and the Internet.
Quarantine from StealthWatch
Summary
How Effective is AMP?
- Cisco Mid-Year Security Report, 2015: time to detection (TTD), industry average 200 days vs. Cisco 46 hours
- NSS Labs, Breach Detection Systems report 2014: AMP was the leader in numerous categories. AMP not only scored a 99 percent overall breach detection rating, but was the leader in lowest cost of ownership
- NSS Labs, Breach Detection Systems report 2015: 99.2% Security Effectiveness rating, the highest of all vendors tested; only vendor to block 100% of all evasion techniques during testing; excellent performance with minimal impact on endpoint or application latency