Cisco Web and Email Security Overview


The top two attack vectors for malware are email and web browsers. Watering-hole attacks conceal malware on member-based sites and phishing scams can target individuals with personal details. This PPT describes a different security approach to protect against these threats while achieving business growth, efficiency and lowered expenses. The presentation features Cisco Email, Web and Cloud Web Security and covers basic features, offers, benefits, newest features and product integrations. Watch the webinar: http://cs.co/9004BGqvy

  • We always talk about the top two attack vectors being email and web. What do we mean by that, and why do we say it?

    Web security has three characteristics that make it one of the top attack vectors:

    Large exposure – email and web account for a comparatively huge amount of traffic.
    Large attack surface – browsers, applications, pictures, etc.
    Low entry barrier for attackers – running an existing exploit that is already packaged and ready to go is easy (downloading an exploit kit is easy), and it is easy to create a domain or to send out one million emails from hacked accounts (nobody uses a single account to send a million emails anymore).
  • Starting with exposure, look at the numbers on the right of this slide: 80% of the blocks Talos sees on a daily basis are attributed to web traffic. This is an enormous risk exposure for users.

    Add spam into this and you see 2,557,767 blocks/sec.

    Notes on new numbers:
    19.6 billion threats blocked per day = web blocks + spam with malicious attachments

    2.5 million threats blocked per second = the 19.6 billion blocks + all spam messages, with attachments or not
  • If we just look at email, we see the large exposure that people have to spam through their email.
  • Furthermore, the attack surface for web and email is huge. For example, with snowshoe spam attackers send low volumes of spam from a large set of IP addresses to avoid detection. They have any number of IP addresses at their disposal to keep doing this, and they can also use legitimate, but hacked, accounts.


    Spam still plays a key role in helping online criminals carry out their campaigns, relying on the exploitation of users to plant malware on devices or steal credentials.
    In 2014, spam volume increased 250 percent.
    Snowshoe spam, sending low volumes of spam from a large set of IP addresses to avoid detection, is emerging.
    Malicious actors often steal valid email credentials from users with malicious spam messages and then send spam from compromised, yet reputable, accounts.
    This means spam is now more dangerous: low-volume spam messages enjoy a high (or no) reputation, making this malicious spam, often the first step (phishing email) in a blended attack, very hard to detect.
    Spammers morph messages to evade detection by tweaking successful messages so that their basic structure remains the same but the messages differ enough to evade spam filters – we have seen as many as 95 variations of the same message.

  • Now take the attack surface. The web vector contains applications and other entry points that attackers use to deliver viruses and carry out other malicious activities.
     
    Once installed, malicious browser extensions can steal information, and become a major source of data leakage. Every time a user opens a new webpage with a compromised browser, that extension collects data. The attackers can then exfiltrate detailed information about every internal or external webpage that the user visits. They are also gathering highly sensitive information embedded in the URL, including user credentials, customer data, and details about an organization’s internal APIs and infrastructure.
     
    According to the 2016 Cisco Annual Security Report, or ASR, browser infections are occurring at an alarming rate:

    A full 85 percent of the 45 companies in our sample were affected every month by malicious browser extensions—a finding that underscores the massive scale of these operations. Because infected browsers are often considered a relatively minor threat, they can go undetected or unresolved for days or even longer—giving attackers more time and opportunity to carry out their campaigns.
  • The attack surface even includes whatever browser version you are using.

    Users loading compromised malvertising add-ons from untrustworthy sources.
    Users in highly targeted industries are almost twice as likely to succumb to clickfraud and adware.
    Not updating browsers: 10% of IE requests run the latest version vs. 64% of Chrome requests.
  • The attack surface for web also includes applications.

    Java exploits dropped 34 percent: Java is falling out of favor as its security improves, making it harder to exploit.
    A significant rise in Silverlight attacks, 228 percent, though still low in volume.
    Flash attacks (3 percent decrease) and PDF (7 percent increase) are holding relatively steady.
    There was an 88 percent overall average decline in exploit kit activity from May through November 2014. Even with this decline, we continue to see serious breaches occurring at an alarming rate.
  • As you can see in this slide, encrypted HTTPS traffic has become a vital component of web security.
     
    Research conducted as part of the 2016 ASR revealed that encrypted traffic, particularly HTTPS, has reached a tipping point. While not yet representing the majority of transactions, HTTPS will soon become the dominant form of traffic on the Internet. In fact, our research shows that it already consistently represents over 50 percent of bytes transferred. This is due to overhead and the larger content that is sent via HTTPS, such as transfers to file storage sites.
     
    What’s unfortunate is that many customers equate HTTPS traffic with “safe” traffic. What encryption really means is that you are blind to what is inside the HTTPS request; the fact that the request is encrypted does not make it safe.
  • Barriers to web and email attacks are extremely low for the attackers. In the case of malvertising, they only need customers to visit a site in order to accomplish their mission.

    Malvertising: criminals are using a ‘freemium-type model’, similar to the legitimate tactic of giving software away free but charging for additional features. In their case it is a sophisticated and multipronged technique for distributing malware, making money from many individual users in small increments by persistently infecting their browsers.
    Users are often tricked into downloading malicious toolbars that inject malicious ads into the pages they visit, contributing to a persistent state of infection.
    Looking at 70 companies and 886,646 users and hosts from January through November 2014, we found a maximum infection rate of 1,751 users in a given month.
    Affected users jumped 250% in October 2014.
  • CryptoWall is one ransomware variant that has shown gradual evolution over the past year with CryptoWall 2 and CryptoWall 3. Despite global efforts to detect and disrupt the distribution of CryptoWall, adversaries have continued to innovate and evolve their craft, leading to the release of CryptoWall 4.

    For readers who may not be familiar, ransomware is malicious software designed to hold users' files (such as photos, documents, and music) for ransom by encrypting their contents and demanding that the user pay a fee to decrypt them. Typically, users are exposed to ransomware via email phishing campaigns and exploit kits. The core functionality of CryptoWall 4 remains the same: it continues to encrypt users’ files and then presents a message demanding a ransom. However, Talos observed several new developments in CryptoWall 4 compared with previous versions. For example, several of the encryption algorithms used for holding users’ files for ransom have changed.

    http://blog.talosintel.com/2015/12/cryptowall-4.html
  • Today, people aren’t just sending email from their desktop computers anymore. They’re using mobile devices or laptops to send email from coffee shops, corporate headquarters, home offices, airports, nearly everywhere you can imagine. Fueling this change is the need to be always connected. By 2016, (according to the Pew Internet and American Life Project Report, May 2011), at least 50 percent of enterprise email users will rely primarily on a browser, tablet, or mobile client instead of a desktop client.

    But it isn’t just the tools to send and receive email that are changing. The threats to email are evolving, too.
  • Meet Joe CFO. He’s sitting in the airport waiting to head home. He’s excited to go back for a well-deserved vacation.

    T: He’s using the public airport Wi-Fi to check his email
  • Joe just received an email from what appears to be his vacation resort.

    It is asking him to verify his information – a credit card number, dinner reservations, or any number of things.

    It wants him to verify by clicking on an embedded URL link.

    T: Joe is drawn to the link.
  • Everything seems fine. There is a factor of trust, since Joe is going on vacation and the email is from a vacation resort.

    The email may even be from a trusted site that has been compromised.

    T: Joe clicks on the link.
    A resort video plays. Although he doesn’t know it, Joe has been taken to a website with a Flash-based video exploit, and it has downloaded malware onto his machine.

    The malware begins to harvest his information. Joe’s passwords, credentials, and company access authorizations have all been compromised.

    He has unknowingly given hackers the ability to steal sensitive company and customer information.

    T: Enjoy your vacation Joe.
  • Today’s reality has 3 outcomes for your business:

    Your environment will be breached
    When it is, it will probably happen because of an infected email
    And if hackers use command and control on your system, they will probably get access via web

    T: All of this means, you need a smarter solution.

    <click>
  • The best way to communicate the totality of the challenge is to look at the attack continuum. This is what our customers are dealing with when trying to defend their networks.

    The reason we use this new security model is to accentuate that a silver bullet is not feasible… it’s a bigger problem.

    There are three stages to an attack: before, during, and after.

    Let’s look at before an attack.

    Before an attack:
    Customers need to know what they are defending… you need to know what’s on your network to be able to defend it: devices / OS / services / applications / users.
    They need to implement access controls, enforce policy, and block applications and overall access to assets.
    This is where customers spend most of their time and money… the hope is to reduce the attackable surface of the network.
    Unfortunately, attackers have a relatively easy time penetrating the perimeter of a network even with good access controls.

    During the attack:
    When attacks get through, we need to be able to detect them.
    You must have the best detection of threats that you can get.
    Once we detect attacks, we can block them and defend the environment.

    After the attack:
    Invariably attacks will be successful, and customers need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal.

    We also need to address a broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself: on the network, endpoints, mobile devices, virtual and cloud environments.

    In the new security model your security solutions can’t be effective only at a point in time; they must be always on, listening, looking for change… in other words, continuous in their capability.
  • Cisco Web Security offers a plethora of features to suit your business needs.

    Let’s start with a high level view of what both CWS and WSA offer together:
     
    • Big data analytics and collective global security intelligence
    • Reputation filtering
    • Real-time malware scanning
    • Web usage controls
    • Application visibility and control (AVC)
    • Data loss prevention (DLP)
    • Threat protection and remediation
    • Flexible deployment options
     
    When deciding either/or, the most basic differentiation between the two offerings is this question:  
    Does the customer prefer Cloud or Appliance?

    Cisco Cloud Web Security is the cloud delivered solution that is ideal for a highly distributed organization. CWS data centers around the world act as proxies for web requests, which works well for geographically distributed organizations.
     
    Cisco Web Security Appliance is an ideal solution for an organization with a centralized user population.
     
    Besides the inherent differences between a cloud and on-premises offering, the following is a comprehensive, though not exhaustive, list of some of the detailed differences between CWS and WSA.
     
    Following the visual on the slide, we can start with Outbreak Intelligence. CWS has Outbreak Intelligence, which is context-based malware detection. CWS always uses two signature-based AV engines: Sophos and Kaspersky. All files get scanned by both AV engines as well as by Outbreak Intelligence (heuristics based), and if any of these engines detects the file as malicious it is blocked. WSA does not use Outbreak Intelligence, but its L4 traffic monitoring engine can detect malicious activity without the need for signatures. WSA uses three signature-based engines, and the admin can decide which of the three to use (any combination): Webroot, McAfee, and Sophos.

    Keeping with the visual on the slide, WSA has layer 4 scanning abilities while CWS does not. Because WSA is an on-premises device it can be used to monitor layer 4 network activity, i.e. it is not limited to HTTP and HTTPS traffic. This means that other threats or undesirable traffic coming in and out of the network to/from the Internet can be detected. As only HTTP and HTTPS traffic gets sent to CWS in the cloud, it does not have this or an equivalent capability. However, CTA on CWS also helps with that (see below).

    CWS has CTA for advanced, cloud powered zero day breach detection while WSA doesn’t. CTA is roadmapped for WSA in Q1 FY16.

    What is not on the slide is that WSA has caching, which provides a better customer experience; this is functional with CWS when deploying via the WSA as a redirection method. Furthermore, WSA offers time and bandwidth quotas, which are only available on CWS with standalone deployment. WSA also has IPv6 support, which is roadmapped for CWS.

    Going back to the visual, you can see here that WSA has stronger DLP options than CWS. Only ICAP (Internet Content Adaptation Protocol) is relevant for DLP on the WSA. It is used to send content to something else (a DLP system in this case) for checking before onward transmission. CWS only has OCSP, which is not DLP.

    CWS is the only offering that provides split-tunnel functionality for remote users even when not deployed via VPN. To get this functionality the AnyConnect Secure Mobility client must be downloaded.

    Looking at the AMP area on the infographic, both solutions have PDF, EXE and MSFT Office file support on AMP

    Looking down at the Log Extraction area in the bottom right corner, both WSA and CWS can do log extraction. Because the WSA is a local appliance, log export or “extraction” is extremely straightforward; that is less a WSA feature than a property of any hardware proxy. As an on-premises device, it is much easier to export logs from the WSA directly into another platform such as a SIEM, and the export is a standard feature of the WSA. As the CWS logs are in the cloud, it is necessary to “extract” them back to the customer’s network. Log extraction from both WSA and CWS integrates with SIEM and other tools.

  • Cisco Email Security provides protection across the attack continuum.

    Before an attack, with reputation filtering;
    During an attack, with signature, antivirus and spam scanning; URL scanning; file reputation; and sandboxing;
    And after an attack, with continuous retrospection – the ability to identify malware that crossed the wire undetected.
  • To deliver protection in all phases and continuously monitor effectively, you need constant and dynamic support from the cloud.

    There are multiple inputs that you’ll need to process to get the kind of intelligence and insight you need to deliver security effectively -- for both point-in-time and continuous monitoring capabilities.

    Notice that the data cited in this slide looks similar to what you’ll see from other vendors. But look at the scale of Cisco’s numbers. That kind of volume is how Cisco delivers such a high level of protection.

    Processing 35% of the world’s email traffic, being able to mine that data for insight into vendor relationships, run reputation against it, with millions of sensors that feed us input. That’s the Cisco difference.

    We combine that processing, data mining, and analytics with the intelligence provided by the Research Response every day. That intelligence includes relationships with all the big vendors – Microsoft, Adobe, and Apple. It includes nearly 200,000 unique files that are processed and executed virtually every single day, as we look for artifacts or indications of compromise.

    There’s a global network of honeypots and much more. Cisco’s intelligence operation feeds its data and findings to our research team, which drives the design of capabilities that only we can deliver because they are based on continuous monitoring on a global scale.

    It’s all delivered through our cloud platform, called Collective Security Intelligence, which allows you to take advantage of advanced analytics based on IPS rules, firewall categories, and other information pushed out across the protection continuum.
  • …That is visibility-driven, threat–focused with a platform based approach. Pervasive, continuous and always-on.
     
    At Cisco, our mission states our focus… Intelligent cybersecurity for the real world.
  • There are three components to the Hybrid offering: reporting, policy and Hybrid SKUs.
    So moving from left to right, we have…
    Hybrid reporting, available today, provides a consolidated view of user activity across multiple WSAs and Cloud Web Security. This capability is enabled by the Web Security Reporting Application v4.0, which will be released this week; we will cover more on reporting in a moment.
     
    Next…
     
    Hybrid policy provides a way in which a common malware and web filtering policy can be managed for on-premises users and those using Cloud Web Security. The common policy is achieved by importing a previously exported WSA policy into CWS. This is currently in development and targeted for availability in June.
    Lastly, we have the hybrid SKU bundle, orderable today.
    The Hybrid Bundle includes both WSA and CWS components and allows customers the flexibility to consume Cisco’s Web Security offerings in any way they want. The customer purchases a total number of users and can choose the mix of on-premises to cloud users that suits them. As they transition more users to the cloud they can change the relative mix at any time. We will be covering this in more detail later, but first let’s take a closer look at hybrid reporting, then common policy.
  • Now we move on to protection of mobile users.
    One web security solution for all users and devices.
    How does it work?
    The current offering is a mobile browser that can be used to browse safely and is pushed onto the device through a corporate MDM solution.
    It replaces the native browser.
    Basically, CWS works as a proxy. The model is:
    User makes web request => request is redirected to the CWS proxy => request goes to the Internet or is blocked => if the request is blocked, the user receives the access denied view shown above.
    The CWS Mobile Browser appears as a browser on the mobile device; users can only reach the web by going through that browser.

    The goal of the Cloud Web Security (CWS) Secure Browser is to provide a web browser on iOS and Android mobile devices that forwards the device user’s web traffic to the CWS cloud.

    Why a mobile browser?
    There is no existing CWS solution for iOS or Android roaming devices.
    Our biggest competitors have a similar component in their mobile security solutions.
    Together with the customer’s MDM solution, it enforces the customer AUP on BYOD devices.
  • Another important element of Cisco Web Security is the Cisco Identity Services Engine, or ISE, which can be used to set policy with the WSA. For example, a doctor on a laptop in his office can access confidential patient records online. That same doctor using his iPad in his office cannot – but he does have access to browsing the internal employee intranet.
  • WIRe reporting provides over 10,000 report variations to meet your specific needs.

    Detailed reporting dashboards offer high-level overviews of usage with multiple views for quick insight. They also provide visibility into policy blocks, malware blocks, and website activity from sites like Facebook.

  • Administrators and management want more visibility into threats. Specifically, they want to track messages with malicious links, including who clicked on the link and the results of their actions
    End users who click on these links need education on email borne threats and these reports would help identify those users

    URL Click Tracking allows administrators to track the end users who click on URLs that have been rewritten by the ESA
    Reports show:
    Top users who clicked on malicious URLs
    The top malicious URLs clicked by end users
    Date/time, rewrite reason, and action taken on the URLs
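The rewrite-then-report flow these notes describe, as an added Python example that is not Cisco's code: the redirector host, the tracking-URL layout (`u`, `r`, `s` parameters), the HMAC key and the click-log lines are all constructed for the demonstration and are not the ESA's own format.

```python
"""
Constructed example of URL click tracking: links in a message are rewritten to
point at a checking redirector, and the redirector's click log is turned into
the per-user / per-URL reports described above.  Redirector host, URL format,
key and log lines are all invented here; this is not the ESA's own format.
"""
import base64
import hashlib
import hmac
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

REDIRECTOR = "https://rewrite.example.net/check"  # hypothetical redirector
SECRET = b"constructed-demo-key"                   # keyed so URLs cannot be forged


def encode_target(url):
    """Base64url-encode the original URL so it survives as a query value."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def decode_target(token):
    pad = "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token + pad).decode()


def sign(token):
    """Short HMAC tag binding the token to our key (truncated for brevity)."""
    return hmac.new(SECRET, token.encode(), hashlib.sha256).hexdigest()[:16]


def rewrite_urls(body, reason):
    """Replace every http(s) URL in the body with a redirector URL carrying
    the encoded original (u), the rewrite reason (r) and a signature (s)."""
    def repl(match):
        token = encode_target(match.group(0))
        return f"{REDIRECTOR}?u={token}&r={reason}&s={sign(token)}"
    return re.sub(r"https?://[^\s<>\"']+", repl, body)


def parse_click(line):
    """Parse one click-log line of the form '<ts> <user> <rewritten_url> <action>'.
    Returns None when the tracking URL's signature does not verify."""
    ts, user, url, action = line.split()
    q = parse_qs(urlparse(url).query)
    token = q["u"][0]
    if not hmac.compare_digest(sign(token), q.get("s", [""])[0]):
        return None  # tampered or forged tracking URL: do not report it
    return {"ts": ts, "user": user, "url": decode_target(token),
            "reason": q["r"][0], "action": action}


# Constructed click log.  Tracking URLs are produced by rewrite_urls() so they
# carry valid signatures; the last line has a forged signature and is dropped.
CLICK_LOG = [
    f"2016-02-16T09:01:12Z alice {rewrite_urls('http://bad-invoice.example/i/4471', 'malicious')} blocked",
    f"2016-02-16T09:03:40Z bob {rewrite_urls('http://bad-invoice.example/i/9082', 'malicious')} blocked",
    f"2016-02-16T09:07:05Z alice {rewrite_urls('http://bad-invoice.example/i/4471', 'malicious')} blocked",
    f"2016-02-16T09:09:51Z carol {rewrite_urls('http://news.example/story/7', 'unknown')} allowed",
    f"2016-02-16T09:12:30Z bob {rewrite_urls('http://fake-resort.example/verify', 'malicious')} blocked",
    "2016-02-16T09:15:00Z mallory "
    + rewrite_urls("http://evil.example/x", "malicious").rsplit("&s=", 1)[0]
    + "&s=0000000000000000 blocked",
]


def build_reports(lines):
    """Aggregate verified clicks into the three reports the notes list:
    top users clicking malicious URLs, top malicious URLs, and the details."""
    clicks = [c for c in (parse_click(l) for l in lines) if c]
    malicious = [c for c in clicks if c["action"] == "blocked"]
    return {
        "top_users": Counter(c["user"] for c in malicious).most_common(),
        "top_urls": Counter(c["url"] for c in malicious).most_common(),
        "details": [(c["ts"], c["user"], c["url"], c["reason"], c["action"])
                    for c in malicious],
    }


if __name__ == "__main__":
    for name, rows in build_reports(CLICK_LOG).items():
        print(name)
        for row in rows:
            print("  ", row)
```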

  • Starting with 10 billion requests a day, anomaly detection and trust modeling let you focus on the 1% of requests that actually matter.

    <click>

    Then, using event classification and entity modeling you can find out what type of threat it is, and where it is on your system.

    Finally, using relationship modelling, you can understand if a threat is a one-off attack or part of a larger global campaign.

    From 10 billion requests per day, down to 1-50 thousand incidents, CTA can comb through big data in near real-time.

    This means you not only get the visibility you need, you get it when you need it.

    T: Together, AMP and CTA help you determine the right course of action.

    <click>
  • Graymail has become more of a problem and both users and administrators are leery of clicking unsubscribe links which may harvest addresses or have drive-by download malware on the target web site
    These aggressive marketing messages are not spam, but considered as such by the end users as they didn’t “opt in” to receive them.
    Administrators want to be able to better control this type of mail and allow for safe unsubscribes for their end users
    End users wish to stop the tide of garbage coming in their inbox. The recipient wants a way to stop it, yet not have to worry about malicious threats

    Graymail messages are categorized into Marketing, Social Networking, and Bulk messages
    Using an un-subscribe mechanism, the end user can indicate to the sender that they would like to “opt-out” of receiving such emails in the future.
    Since mimicking an un-subscribe mechanism is a popular phishing technique, end users are wary of clicking on the unsubscribe links
    The Graymail solution will provide:
    Protection against malicious threats masquerading as unsubscribe links
    A uniform interface for all subscription management to end-users
    Better visibility to the email administrators and end-users into such emails

  • When a snowshoe spammer uses a large number of IP addresses and domains, traditional spam filters are not effective. Enhanced contextual awareness can analyze the content of the email, looking at words, patterns, and photos, to identify it as snowshoe spam.

    Once we identify an email as snowshoe spam, we can classify it and group others with similar characteristics using automation and auto-classification WITHOUT having to analyze the full email.

    Talos receives security intelligence from millions of sensors and honey pots around the globe. This intelligence can be used to catch snowshoe spam.
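The two points made here and in the earlier attack-surface notes, that snowshoe spam spread across many IPs defeats per-sender volume filters, and that content-based auto-classification can still group the morphed variants of one message, as an added Python example that is not Cisco's or Talos's code. The messages, addresses, domains and the 0.5 Jaccard threshold are constructed for the demonstration, and the word-bigram clustering is a simple illustrative heuristic, not the product's method.

```python
"""
Constructed example: a per-sender volume threshold sees nothing unusual in a
snowshoe campaign, because each message arrives from a different IP address
and domain; clustering on normalized content recovers the campaign and its
morphed variants.  All messages, addresses and domains below are made up.
"""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample: four morphed copies of one template, each from a distinct
# IP and sending domain, plus two unrelated legitimate messages.
MESSAGES = [
    {"ip": "203.0.113.10", "from": "billing@alpha-offers.example",
     "body": "Your invoice 4471 is ready. View it here: http://alpha-offers.example/i/4471"},
    {"ip": "198.51.100.22", "from": "accounts@beta-deals.example",
     "body": "Your invoice 9082 is now ready! View it here: http://beta-deals.example/i/9082"},
    {"ip": "192.0.2.7", "from": "billing@gamma-promo.example",
     "body": "Your latest invoice 1130 is ready - view it here: http://gamma-promo.example/i/1130"},
    {"ip": "203.0.113.77", "from": "pay@delta-sale.example",
     "body": "Your invoice 5523 is ready. View here: http://delta-sale.example/i/5523"},
    {"ip": "198.51.100.240", "from": "alice@corp.example",
     "body": "Hi team, the Q3 planning meeting moves to Thursday at 10am. Agenda attached."},
    {"ip": "192.0.2.99", "from": "newsletter@vendor.example",
     "body": "Release notes for version 7.2: bug fixes and a new reporting dashboard."},
]


def volume_flags(messages, threshold=3):
    """Traditional check: flag any source IP that sends >= threshold messages."""
    per_ip = defaultdict(int)
    for m in messages:
        per_ip[m["ip"]] += 1
    return {ip for ip, n in per_ip.items() if n >= threshold}


def normalize(body):
    """Collapse the parts spammers mutate between variants: URLs, numbers,
    punctuation and case.  What remains is the template's word skeleton."""
    body = body.lower()
    body = re.sub(r"https?://\S+", " urltoken ", body)
    body = re.sub(r"\d+", " numtoken ", body)
    body = re.sub(r"[^a-z ]", " ", body)
    return body.split()


def shingles(tokens, n=2):
    """Word n-grams of the normalized body, used as the similarity feature."""
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster_by_content(messages, threshold=0.5):
    """Single-linkage clustering: messages whose shingle sets overlap at least
    `threshold` (Jaccard) are joined via union-find.  Returns index groups."""
    feats = [shingles(normalize(m["body"])) for m in messages]
    parent = list(range(len(messages)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(messages)), 2):
        if jaccard(feats[i], feats[j]) >= threshold:
            parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i in range(len(messages)):
        groups[find(i)].append(i)
    return list(groups.values())


def detect_snowshoe(messages, min_size=3, threshold=0.5):
    """Flag content clusters whose members come from many different IPs and
    sending domains: near-identical mail, deliberately spread thin."""
    flagged = []
    for idx in cluster_by_content(messages, threshold):
        if len(idx) < min_size:
            continue
        ips = {messages[i]["ip"] for i in idx}
        domains = {messages[i]["from"].split("@", 1)[1] for i in idx}
        if len(ips) >= min_size and len(domains) >= min_size:
            flagged.append({"messages": sorted(idx),
                            "distinct_ips": len(ips),
                            "distinct_domains": len(domains)})
    return flagged


if __name__ == "__main__":
    print("per-IP volume flags:", volume_flags(MESSAGES) or "none")
    for campaign in detect_snowshoe(MESSAGES):
        print("snowshoe cluster:", campaign)
```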

  • Unified Policy allows you to set policy for the cloud or the appliance from the same place, saving precious administrative time and maintaining the same level of protection for remote users as for users in HQ. This is one-directional from CWS to WSA.

    Web Usage Reporting provides full visibility into how Web resources are used. With over 10,000 customizable reports that can convey over 100 different attributes for each request, you can ensure that business-critical applications are not being affected by non-business-related traffic. You can see traffic by user or by application with customizable reportlets and dashboards for easy visualization. Furthermore, you can see reports for your cloud and application users from the same screen with the Web Security Reporting Application. This is one-directional from the WSA to CWS.
  • ZixGateway with Cisco Technology, ZCT, is an email encryption appliance that delivers simple, secure management of email encryption services. Deployed completely on-premises, ZCT works in conjunction with your Cisco Email Security Appliance (ESA). Automation offers peace of mind for businesses and a simplified experience for employees, who no longer have to worry about making the right decision or taking the right steps to encrypt each email. More than 70 percent of emails using ZCT technology are sent and received transparently. ZCT also provides an optimal mobile experience for both senders and recipients.
  • The platform is built on Cisco’s Unified Computing System (UCS) server platforms. This means you are getting all the web and email security performance you need from the single provider you trust the most: Cisco.
     
     
    There are three main platform sizes for the x90 to fit your needs: the 190 for smaller groups of users, and then the 390 and the 690 for increasing amounts of capacity to serve larger groups of users.
  • The x90 platform involves three specific performance increases. First, the hardware maintains a high level of responsiveness and speed while providing you the best features and functionality; this is possible through an increased number of CPU cores. We are also providing increased memory and raw disk storage capacity. This means that you can store your web and email security data for a longer period of time, giving you better access to your data for reporting.
  • With this hardware launch, the 190 provides large performance benefits. The CPU core count has tripled and there is now 1.2 TB of raw hard disk space available.
     
    Even with the performance increases for the x390, the box itself takes up a smaller amount of space. Now, you have a high-performing solution that fits within your space constraints.
     
    For the larger groups of users, we are introducing an entirely new offering with even more storage and capacity. The 690x provides 4.8TB of storage on the Email Security Appliance, and 9.6TB on the Web Security and Security Management Appliances.
  • Before we end, I encourage you to visit Cisco.com/go/websecurity to learn more about the solution and how it can improve web security at your organization.
     
    While you’re there, you can see how we’re updating and adapting the solution every day to better serve customer security needs.
     
    Last, contact us to set up a free trial created especially for your company needs and challenges.

    [Cisco.com/go/websecurity
    http://www.cisco.com/c/en/us/products/security/web-security-appliance/web-email-security.html
    https://info.sourcefire.com/ContentSecurityOfferPage.html
    use the instant eval form for CWS: https://instanteval.cws.sco.cisco.com/provisioning/index#/]
  • Cisco Web and Email Security Overview

    1. 1. Story Tweedie-Yates Product Marketing Manager – Cisco Web Security February 16, 2016 Protection for the top two attack vectors Cisco Web and Email Security
    2. 2. Top 2 attack vectors Threats from a user’s perspective Before, during and after: a security framework Cisco Web and Email Security tour Demos Get Started Agenda
    3. 3. Top 2 Attack Vectors
    4. 4. Exposure – web blocks 82,000 Virus Blocks 181 Million Spyware Blocks 818 Million Web Blocks Daily Web Breakdown Daily Yearly 19.7 Billion 7.2 Trillion Total Threats Blocked
    5. 5. Exposure- email blocks
    6. 6. Large Attack Surface
    7. 7. Attackers: A growing appetite to leverage targeted phishing campaigns Example: Snowshoe SPAM attack SPAM up 250% Attack surface - email
    8. 8. Attack surface – web browsers More than 85%of the companies studied were affected each month by malicious browser extensions
    9. Attack surface – user error on the web. Users are becoming complicit enablers of attacks: untrustworthy sources, clickfraud and adware, outdated browsers. 10% of IE requests run the latest version vs 64% of Chrome requests.
    10. Attack surface – web applications. Attackers: shifts in the attack vectors (log volume, 2015 Cisco Annual Security Report): Java drops 34%, Silverlight rises 228%, PDF and Flash stay steady.
    11. Attack surface – web protocol. Encrypted traffic is increasing; it represents over 50% of bytes transferred, driven by individual privacy, government compliance and organizational security. The growing trend of web encryption creates a false sense of security and blind spots for defenders.
    12. Low Barriers to Entry
    13. Attackers: malvertising is on the rise. Low-limit exfiltration makes infection hard to detect; in October 2014 there was a spike of 250%. Compromising without clicking.
    14. Exploit kits, e.g. CryptoWall version 4: notorious ransomware; version 1 first seen in 2014; distributed via exploit kits and phishing emails; fast evolution.
    15. Threats from a user's perspective
    16. Web and email are portable: mobile, coffee shop, corporate, home, airport.
    17. Sample attack: Joe, CFO, waiting for his plane. Meet Joe. He is heading home for a well-deserved vacation. He's catching up on email using the airport Wi-Fi while he waits for his flight.
    18. Sample attack: Joe checks his email. Joe just got an email from his vacation resort: "Your Tropical Getaway. Joe, thank you for choosing us. We look forward to seeing you. Before your arrival, please verify your information here: www.vacationresort.com. Best, Resort Team"
    19. Sample attack: instinctively, Joe clicks on the link. No problem, right? Everything looks normal. The site may even be a trusted site, or maybe a site that is newly minted. (The same resort email is shown again.)
    20. Sample attack: Joe is now infected. Joe opens the link and the resort video plays. Although he doesn't know it, Joe's machine has been compromised by a Silverlight-based video exploit. The malware now starts to harvest Joe's confidential information: passwords, credentials, company access authorizations.
    21. Today's cyber-threat reality: hackers will likely command and control your environment via the web; you'll most likely be infected via email; your environment will get breached.
    22. Before, during and after: a security framework
    23. The Attack Continuum, across network, endpoint, mobile, virtual and cloud, with point-in-time and continuous threat intelligence. BEFORE: discover, enforce, harden. DURING: detect, block, defend. AFTER: scope, contain, remediate.
    24. Key: Cisco Web Security (architecture diagram). Deployment options: WSA/WSAv only, CWS only, or hybrid CWS + WSA, covering HQ, campus office, branch office, roaming users and BYOD users. Traffic redirection methods: WCCP, PBR, load balancer, explicit/PAC, AnyConnect, ASA, ISR G2, ISR 4k. Inspection stages (fed by Talos): authentication methods, web filtering, web reputation, application visibility & control, anti-malware, file reputation, file sandboxing, file retrospection, Cognitive Threat Analytics, DLP integration, Outbreak Intelligence (after). Verdicts: allow, warn, block, partial block. Admin functions: reporting, log extraction, management.
    25. Cisco Email Security (architecture diagram; Cisco appliance, virtual or cloud; inbound and outbound email; before, during and after, fed by Talos). Controls shown: email reputation, acceptance controls, mail flow policies, anti-spam, anti-virus, file reputation, outbreak filters, graymail management, safe unsubscribe, anti-phish (URL reputation & categorization, ThreatGrid), content controls, file sandboxing & retrospection, tracking user click activity (anti-phish), data loss protection and encryption (outbound liability). Verdicts: allow, warn, block, partial block. Admin functions: reporting, message tracking, management.
    26. Talos: before, during and after. Cisco® Talos threat intelligence, research and response feeds ESA/WSA/CWS across email, endpoints, web, networks and IPS devices. Inputs: 1.1 million file samples per day; AMP community; advanced Microsoft and industry disclosures; Snort and ClamAV open source communities; AMP Threat Grid intelligence; AEGIS™ program; private and public threat feeds; 10 million files per month of AMP Threat Grid dynamic analysis. Scale: 1.6 million global sensors; 100 TB of data received per day; 150 million+ deployed endpoints; 600+ engineers, technicians and researchers; 35% of worldwide email traffic; 13 billion web requests; 24x7x365 operations; 40+ languages.
    27. Cisco Web and Email Security tour
    28. Feature Tour Map: Complete Solution – Pervasive, Continuous, Always On. © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
    29. Strategic Imperatives, across endpoint, network, mobile, virtual and cloud. Visibility-driven: network-integrated, broad sensor base, context and automation. Threat-focused: continuous advanced threat protection, cloud-based security intelligence. Platform-based: agile and open platforms, built for scale, consistent control, management.
    30. Email and Web Security new feature tour map. Products: Cloud Web Security (CWS), Web Security Appliance (WSA), Email Security Appliance (ESA), Cloud Email Security (CES). New features, grouped as Visibility-Driven, Threat Focused and Platform Based: Cognitive Threat Analytics, Web Interaction Tracking, Anti-snowshoe, Unified Reporting/Policy, Graymail, X90 hardware, ISE Integration, Hybrid Email, GUI, Mobile Browser, ISR 4k Connector, Zix Encryption.
    31. Visibility Driven
    32. CWS Mobile Browser (diagram): MDM solution, ScanCenter policy, CWS, Internet.
    33. Identity Services Engine Integration: extending user identity and context. Cisco® Identity Services Engine acquires important context and identity from the network, monitors and provides visibility into unauthorized access, and provides differentiated access to the network. Cisco TrustSec® provides segmentation throughout the network. Cisco Web Security Appliance provides web security and policy enforcement with a consistent secure access policy. Available only on WSA. The diagram shows three example identities (Who: Guest, What: iPad, Where: Office; Who: Doctor, What: iPad, Where: Office; Who: Doctor, What: Laptop, Where: Office) and three resources (Internet, internal employee intranet, confidential patient records).
    34. Get the intelligence you need (reporting): over 10,000 report variations; customizable dashboards; 70+ pre-defined reports; quick analysis with a high-level overview of customizable widgets, one-click drill down into widgets, and a customized login screen for each admin.
    35. Web Interaction Tracking: enabling tracking of URLs rewritten by policy, so potentially malicious URLs are filtered and users are monitored from a single pane of glass. Example records for users A, B and C: Rewritten URL 2asyncfs.com, click time 09:23:25 12 Jan 2015, re-write reason Outbreak, action taken Blocked; Rewritten URL 5asynxsf.com, click time 11:01:13 09 Mar 2015, re-write reason Policy, action taken Allowed; Rewritten URL 8esynttp.com, click time 16:17:44 15 Jun 2015, re-write reason Outbreak, action taken Blocked.
    36. Threat Focused
    37. Here's an example of how CTA works (pipeline diagram). Near real-time processing of 10B HTTP(S) requests per day; +/- 1% is anomalous, giving 10M events per day, which are reduced to 1K–50K incidents per day. Stages: anomaly detection → trust modeling → classification (Classifiers A, H, K, M, X, Z) → entity modeling → relationship modeling (clusters 1–3). Output: DETECTED threats (unique) and CONFIRMED threats (spanning multiple users).
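As an added illustration, not Cisco's CTA code, here is a toy Python version of the trust modeling, anomaly detection and relationship modeling stages on this slide. The population-share trust threshold, the beacon (periodic request) detector and the proxy records are my own simplifications and constructed data; they stand in for the classifiers the slide does not detail.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample, not real proxy data: (user, domain, request timestamps in seconds).
SAMPLE = [
    ("alice", "intranet.example", [1000, 1130, 1700]),
    ("alice", "evil-cdn.example", [1000, 1300, 1600, 1900, 2200]),
    ("bob", "intranet.example", [1010]), ("bob", "news.example", [1400]),
    ("bob", "evil-cdn.example", [1050, 1350, 1650, 1950]),
    ("carol", "intranet.example", [1020]), ("carol", "news.example", [1250]),
    ("carol", "solo-c2.example", [1000, 1600, 2200, 2800]),
    ("dave", "intranet.example", [1030]), ("dave", "news.example", [1900]),
    ("dave", "blog.example", [1000, 1020, 1500]),   # bursty, not periodic
    ("erin", "intranet.example", [1040]), ("erin", "news.example", [2100]),
]

def trust_model(records, min_share=0.6):
    """Trust modeling: a domain used by most of the population is treated as
    benign infrastructure and skipped by the later stages."""
    users = {u for u, _, _ in records}
    seen_by = defaultdict(set)
    for user, domain, _ in records:
        seen_by[domain].add(user)
    return {d for d, us in seen_by.items() if len(us) / len(users) >= min_share}

def is_beaconing(timestamps, min_hits=3, max_cv=0.1):
    """Anomaly detection: near-constant gaps between requests (low coefficient
    of variation) look like automated check-ins rather than human browsing."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv

def relationship_model(records, trusted):
    """Entity and relationship modeling: anomalous (user, domain) pairs grouped by
    domain; a beacon shared by several users is 'confirmed', a one-off only 'detected'."""
    hits = defaultdict(set)
    for user, domain, ts in records:
        if domain not in trusted and is_beaconing(ts):
            hits[domain].add(user)
    confirmed = {d: us for d, us in hits.items() if len(us) > 1}
    detected = {d: us for d, us in hits.items() if len(us) == 1}
    return confirmed, detected

def run_pipeline(records=SAMPLE):
    trusted = trust_model(records)
    confirmed, detected = relationship_model(records, trusted)
    return {"trusted": trusted, "confirmed": confirmed, "detected": detected}
```

With the constructed data, evil-cdn.example is confirmed because two users beacon to it, solo-c2.example is only detected, and dave's bursty blog visits are untrusted but not anomalous.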
    38. Graymail management. A verdict request flows through the threat defense stages (reputation filter, anti-spam, anti-virus, Advanced Malware Protection), then graymail detection (security) classifies bulk, social network and marketing mail. Actions: block, add safe unsubscribe link, quarantine (whitelist – allow sender; blacklist – block sender; release – safe unsubscribe).
    39. Anti-Snowshoe Enhancements: enhanced contextual awareness for the anti-spam engine, with unique cloud-based Bayesian learning; increased automation and auto-classification of emails for faster response; global expansion of sensor coverage for early visibility. "Building on the multi-layer defense strategy for effective protection against snowshoe spam."
    40. Platform Based
    41. Unified Reporting: with unified reporting and policy management, Cloud Web Security and WSA (roaming users and HQ) share unified policies, one graphical user interface and one web security reporting application.
    42. Hybrid Email
    43. Email Encryption: Zix Gateway with Cisco Technology. Automate encryption for employees; automate delivery to the most secure, most convenient method; exchange encrypted email transparently; provide the optimal mobile experience.
    44. New Web and Email Security hardware platform on Cisco Unified Computing System (Cisco UCS): 190, 390, 690.
    45. New Hardware Platforms. Web Security Appliance: previous models WSA-S170, WSA-S380, WSA-S680; new models WSA-S190, WSA-S390, WSA-S690. Security Management Appliance: previous models SMA-M170, SMA-M380, SMA-M680; new models SMA-M190, SMA-M390, SMA-M690. Increased memory + raw disk storage capacity + central processing units (CPUs) = performance.
    46. Backhauling traffic ($$$): headquarters, branch, Internet, ISR 4k. Save money on bandwidth in your branch with Direct Internet Access using GRE over IPsec.
    47. Cisco Web and Email Security roadmap (Visibility Driven, Threat Focused, Platform Based). Recent releases: Email Web Interaction Tracking; Email Graymail Management; WSA with CTA; ZCT Email Encryption; WSA and CWS Unified Policy; Email and Web Appliance New Hardware; CWS Mobile Browser; Hybrid Email. Current projects: Email DLP; Auto-remediation for O365 (Email); Threat Grid Integration (CWS); Hybrid Web Security. Future: Chromebook Support (CWS); HTTP 2.0 (WSA); Email Shortlinks; Integration with Firepower Management Center (WSA). Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.
    48. Demos: new CWS GUI, CTA, email innovations.
    49. Web security customer requirements: large amounts of HTTPS traffic; detailed web and HR reporting; need for deep inspection and control with AVC. (Diagram: roaming user and corporate network reaching the proxy over HTTPS, with a login dialog for name and password.)
    50. Get Started Today with Cisco: (1) learn more on the website; (2) see and share what's new; (3) ask for your free trial.
