Blocking next-generation attacks with Cisco Web Security solutions
This presentation is devoted to Cisco's Web Security solutions. It covers the following topics:
• Introduction to the new threats
• Proactive security mechanisms against 0-day attacks
• Physical, virtual and SaaS solutions for effective protection
• Retrospective analysis of attacks

Blocking next-generation attacks with Cisco Web Security solutions: presentation transcript

  • 1. C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
    Cybersecurity techniques
    Frédéric HER, Security Consultant, Southern Europe, fher@cisco.com
    Christophe SARRAZIN, Security Consultant, Southern Europe, csarrazi@cisco.com
  • 2. The current problem
    • New usages
    • Constantly evolving threats
    • Complexity and fragmentation
  • 3. "We cannot solve a problem with the same way of thinking that created it"
  • 4. The new security model: the attack continuum
    BEFORE: Discover, Enforce, Harden
    DURING: Detect, Block, Defend
    AFTER: Scope, Contain, Remediate
    Across Network, Endpoint, Mobile, Virtual and Cloud; from point-in-time to continuous.
  • 5. The evolution of threats, and the responses to them
    • 2000: viruses and worms; response: endpoint security (AV)
    • 2005: spyware and rootkits; response: network perimeter (IDS/IPS)
    • 2010: APTs and cyberwarfare; response: reputation and sandboxing
    • Today: larger attack surface (mobility and cloud); response: intelligence and analysis
  • 6. Defending with intelligence: Cisco Security Intelligence Operations (SIO)
    Questions it answers: Is this SMTP connection legitimate? Is the content malicious or unwanted? Are zombies talking to C&C servers? Hostile actions or deviant users? Malicious content on the endpoint?
    Inputs: WWW reputation, signatures, threat research, domain registration, content inspection, spam traps, honeypots, crawlers, blocklists and reputation, partnerships, platform-specific rules and logic.
  • 7. The extended coverage of Cisco SIO
    • 100 TB of security intelligence
    • 1.6M deployed devices
    • 13B web requests
    • 150,000 micro-applications; 1,000 applications
    • 93B email messages; 35% of enterprise email
    • 5,500 IPS signatures
    • 150M deployed endpoints
    • Updates every 3 to 5 minutes
    • 5B email connections; 4.5B emails blocked
  • 8. Reputation in action
    New York Times: victim of an attack delivered through an advertisement
    • An apparently legitimate advertisement that in reality triggers 3 redirections to other web links
    • Final destination: protection-check07.com, a fake anti-virus: a pop-up imitating AV software asks the user to buy a program to clean the machine
    • Web reputation score: -9.3; default action: BLOCK
    • The NYT site itself is allowed, but the redirection to the malicious link is blocked
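The slide's point is that reputation has to be applied per hop, not once on the page the user typed in. The following is an added example (my code, not Cisco's and not from the slides) of a proxy policy that walks a redirect chain and scores every hop. The score range, the two thresholds, the reputation table and the redirect graph are my assumptions; only the -9.3 score of protection-check07.com comes from the slide, and the intermediate ad/tracking hosts are placeholders.

```python
"""Added example (not Cisco code, not from the slides): a web-proxy policy
that scores every hop of an HTTP redirect chain, so that an allowed page
cannot hand the browser to a blocked destination.

Assumptions (mine): the -10..+10 score range, the two thresholds, and
the constructed reputation table and redirect graph below. Only the
-9.3 score of protection-check07.com is taken from the slide."""

from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed reputation table (hostname -> score); the ad and tracking
# hosts are placeholders, not the real intermediaries of the NYT incident.
REPUTATION: Dict[str, float] = {
    "www.nytimes.com": 8.5,
    "ads.example-network.net": 2.0,
    "track.example-clicks.com": -3.5,
    "protection-check07.com": -9.3,
}

# Constructed redirect graph: URL -> the Location header it answers with.
REDIRECTS: Dict[str, str] = {
    "http://www.nytimes.com/": "http://ads.example-network.net/ad?id=1",
    "http://ads.example-network.net/ad?id=1": "http://track.example-clicks.com/r",
    "http://track.example-clicks.com/r": "http://protection-check07.com/scan",
}

BLOCK_BELOW = -6.0  # assumed policy: below this the hop is blocked outright
SCAN_BELOW = 6.0    # assumed policy: below this the content is scanned
MAX_HOPS = 10       # give up on redirect loops


@dataclass
class Verdict:
    action: str            # "ALLOW", "SCAN" or "BLOCK"
    hop: str               # URL on which the verdict was reached
    score: Optional[float]
    chain: List[str]       # every URL visited, in order


def score_for(url: str) -> Optional[float]:
    """Reputation of the URL's host; None when the host is unknown."""
    return REPUTATION.get(urlparse(url).hostname or "")


def action_for(score: Optional[float]) -> str:
    """Map a score to the proxy action; unknown hosts are scanned, never trusted."""
    if score is None or BLOCK_BELOW <= score < SCAN_BELOW:
        return "SCAN"
    return "BLOCK" if score < BLOCK_BELOW else "ALLOW"


def follow(url: str, redirects: Dict[str, str] = REDIRECTS) -> Verdict:
    """Walk the chain; the first BLOCK wins, otherwise the worst action seen."""
    chain: List[str] = []
    worst = Verdict("ALLOW", url, score_for(url), chain)
    current: Optional[str] = url
    while current is not None and len(chain) < MAX_HOPS:
        chain.append(current)
        s = score_for(current)
        act = action_for(s)
        if act == "BLOCK":
            return Verdict("BLOCK", current, s, chain)
        if act == "SCAN" and worst.action == "ALLOW":
            worst = Verdict("SCAN", current, s, chain)
        current = redirects.get(current)
    return worst
```

`follow("http://www.nytimes.com/")` reproduces the slide's outcome: the origin is allowed, the chain is walked, and the verdict is BLOCK on the fourth URL with score -9.3. Unknown hosts deliberately fall into SCAN rather than ALLOW, since a freshly registered redirect target is exactly what has no reputation yet.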
  • 9. Consolidation of attacker servers: it is very important to know the reputation of these servers
    http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html
  • 10. Outbreak Intelligence: heuristic engines added on top of signatures and reputation
  • 11. PDF structure: Header, Body of objects, Cross-reference table, Trailer
    The anti-virus scans the file. We think we know the structure of a PDF file and what it should look like. According to the signatures, this is a clean file.
  • 12. What the scanlets see
    %PDF-1.4 (version)
    %Comments
    1 0 obj << /Type /Page >> endobj
    2 0 obj << /Type /Action /S /JS >> endobj
    xref
    trailer
    We know which things can be exploited, so the scanlets break the file apart, analyse it, and the algorithms look for potential malicious exploitation. After inspection we find:
    • No English words
    • Incorrect headers
    • High proportion of JavaScript content
    • Specific JavaScript
    • "Exploitable" functions
    • Other indicators
    OI decides that this file is potentially dangerous.
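As an added example of the structural inspection described on slides 11 and 12 (my code, not Cisco's Outbreak Intelligence and not from the slides), here is a small heuristic PDF scanner. It decomposes the object skeleton of a file and scores the indicators the slide lists: bad header, JavaScript actions, JavaScript share of the file, obfuscation-style JavaScript helpers, absence of ordinary English words, and a missing cross-reference table or trailer. The weights, the threshold and the three sample documents (one benign, one malicious, one that is the bare skeleton drawn on the slide) are constructed by me.

```python
"""Added example (not Cisco Outbreak Intelligence code, not from the slides):
a small structural/heuristic PDF scanner that scores the indicators the
slide lists: a bad header, JavaScript actions, the JavaScript share of
the file, obfuscation-style JavaScript helpers, the absence of ordinary
English words, and a missing cross-reference table / trailer.

Assumptions (mine): the indicator weights and threshold, and the three
constructed sample documents (one benign, one malicious, one that is the
bare skeleton drawn on the slide)."""

import re
from typing import Dict, List

HEADER_RE = re.compile(rb"^%PDF-1\.[0-7]")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
JS_ACTION_RE = re.compile(rb"/S\s*/(JS|JavaScript)\b")
JS_BODY_RE = re.compile(rb"/JS\s*\((.*?)\)\s*>>", re.S)          # inline JS string
SUSPICIOUS_JS = [b"unescape", b"eval(", b"fromCharCode", b"%u"]  # shellcode/obfuscation idioms
COMMON_WORDS = re.compile(rb"\b(the|and|of|to|with|for|from)\b", re.I)

WEIGHTS = {"bad_header": 2, "js_actions": 3, "open_action": 2, "js_heavy": 3,
           "suspicious_calls": 4, "no_english": 1, "no_xref": 1}
BLOCK_AT = 4            # assumed: total weight at which the file is called dangerous
JS_RATIO_LIMIT = 0.10   # assumed: more than 10% of the bytes being JS is "high"


def parse_objects(data: bytes) -> List[bytes]:
    """Body of every 'N G obj ... endobj' block, in file order."""
    return [m.group(3) for m in OBJ_RE.finditer(data)]


def features(data: bytes) -> Dict[str, object]:
    """Decompose the file and extract the indicators used for scoring."""
    objs = parse_objects(data)
    js_bodies = JS_BODY_RE.findall(data)
    return {
        "bad_header": HEADER_RE.match(data) is None,
        "objects": len(objs),
        "js_actions": sum(1 for o in objs if JS_ACTION_RE.search(o)),
        "open_action": b"/OpenAction" in data or b"/AA" in data,   # runs without a click
        "js_ratio": sum(len(b) for b in js_bodies) / max(len(data), 1),
        "suspicious_calls": sum(1 for b in js_bodies if any(s in b for s in SUSPICIOUS_JS)),
        "english_words": len(COMMON_WORDS.findall(data)),
        "has_xref": b"xref" in data and b"trailer" in data,
    }


def score(data: bytes) -> int:
    """Sum the weights of the indicators that fire."""
    f = features(data)
    hits = [
        ("bad_header", f["bad_header"]),
        ("js_actions", f["js_actions"] > 0),
        ("open_action", f["open_action"]),
        ("js_heavy", f["js_ratio"] > JS_RATIO_LIMIT),
        ("suspicious_calls", f["suspicious_calls"] > 0),
        ("no_english", f["english_words"] == 0),
        ("no_xref", not f["has_xref"]),
    ]
    return sum(WEIGHTS[name] for name, hit in hits if hit)


def verdict(data: bytes) -> str:
    return "POTENTIALLY DANGEROUS" if score(data) >= BLOCK_AT else "CLEAN"


# Constructed samples (not real malware). The skeleton is the one on the slide.
BENIGN_PDF = b"""%PDF-1.4
%Comments
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf (The quarterly report for the board) Tj ET
endstream endobj
xref
trailer << /Root 1 0 R /Size 5 >>
%%EOF
"""

MALICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /JS /JS (var s=unescape("%u4141%u4141"); while(s.length<0x10000) s+=s; eval(s);) >> endobj
trailer << /Root 1 0 R >>
"""

SLIDE_SKELETON = b"""%PDF-1.4
%Comments
1 0 obj << /Type /Page >> endobj
2 0 obj << /Type /Action /S /JS >> endobj
xref
trailer
"""
```

The benign file scores 0; the malicious one fires nearly every indicator (JavaScript action that runs on open, JavaScript making up over a quarter of the file, `unescape`/`eval` idioms, no English, no xref). The skeleton from the slide scores exactly at the threshold on the JavaScript action plus the missing English words, which is the slide's own conclusion: nothing a signature would match, yet "potentially dangerous". A real product parses compressed streams and object references too; this is the decision logic, not a full PDF parser.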
  • 13. Outbreak Intelligence versus signature detection
    • This chart shows the daily share of threats blocked by OI and by traditional AV signatures
    • In 2013, 22% of the malware coming from the Internet was blocked by Cisco Outbreak Intelligence before signatures were available
    [Chart: daily blocks, 2013 (source: Cisco Cloud Web Security); share per day, January to December 2013; series: Signature, Outbreak Intelligence]
  • 14. Cisco AMP
  • 15. Cisco Collective Security Intelligence: Cisco SIO + Sourcefire VRT (Vulnerability Research Team), collective security intelligence for the broadest visibility on the Internet
    • 1.6 million global sensors
    • 100 TB of data received per day
    • 150 million+ deployed endpoints
    • 600+ engineers, technicians and researchers
    • 35% of worldwide email traffic
    • 13 billion web requests
    • 24x7x365 operations
    • 40+ languages
    • 180,000+ file samples per day
    Inputs: FireAMP Community, advanced Microsoft and industry disclosures, Snort and ClamAV open source communities, honeypots, Sourcefire AEGIS program, private and public threat feeds, dynamic analysis.
    Coverage: email, endpoints, web, networks, IPS devices.
  • 16. AMP: reputation filtering and behavioural detection
    Techniques listed on the slide: SHA-256 hash lookup; sandboxing; hash + details; structural information (referenced DLLs, PE header); VRT correlation; AV; network monitoring.
  • 17. Point-in-time detection versus retrospective detection
    Antivirus and sandboxing (point-in-time): initial disposition = Clean; analysis stops; actual disposition = Bad = too late! Blind to the scope of compromise. Evasions that defeat a single look: sleep techniques, unknown protocols, encryption, polymorphism. Not 100%.
    Cisco-Sourcefire (retrospective): initial disposition = Clean; analysis continues; actual disposition = Bad = Blocked. Turns back time; sees beyond the event horizon. Visibility and control are key.
  • 18. Retrospective security: always watching, never forgets, turns back time
    • Continuous analysis: retrospective detection of malware beyond the event horizon
    • Trajectory: determine scope by tracking malware in motion and its activity
    • File Trajectory: visibility across the organization, centred on a given file
    • Device Trajectory: deep visibility into file activity on a single system
  • 19. File Trajectory (network + endpoint) looks ACROSS the organization and answers:
    • What systems were infected?
    • Who was infected first ("patient 0") and when did it happen?
    • What was the entry point?
    • When did it happen?
    • What else did it bring in?
    Quickly understand the scope of the malware problem.
  • 20. File Trajectory scenario
    • An unknown file is present on IP 10.4.10.183, having been downloaded with Firefox
    • At 10:57, the unknown file is transferred from 10.4.10.183 to 10.5.11.8
    • Seven hours later the file is transferred to a third device (10.3.4.51) using an SMB application
    • Half an hour later the file is copied to a fourth device (10.5.60.66) through the same SMB application
    • The Cisco Collective Security Intelligence Cloud learns that this file is malicious and a retrospective event is raised for all four devices immediately
    • At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware
    • 8 hours after the first attack, the malware tries to re-enter the network through the original point of entry but is recognised and blocked
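What makes the scenario on slides 19 and 20 work is a ledger that never discards a sighting: every file observed on the network or an endpoint is recorded by hash, so that a later verdict can be applied to the past. The following added example (my code, not Cisco AMP or FireAMP) implements that ledger and replays the slide's four-device scenario. The hash, the timestamps, the download URL and the choice of which device carries an endpoint connector are my assumptions; the slide only says that "a device with the FireAMP endpoint connector" quarantines the file.

```python
"""Added example (not Cisco AMP/FireAMP code, not from the slides): a file
trajectory ledger keyed on SHA-256. Every sighting (device, time, source,
channel) is kept. When the cloud verdict for the hash changes from
unknown/clean to malicious, one retrospective event is raised per device
that ever held the file, and the ledger can answer "patient zero",
"entry point" and "path through the organisation".

Assumptions (mine): the hash value, the timestamps and download URL, and
which device has an endpoint connector. The device IPs and the sequence
of transfers follow the slide."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Sighting:
    sha256: str
    device: str      # IP of the device where the file was seen
    when: datetime
    source: str      # where it came from: a URL, or the sending device
    channel: str     # "Firefox", "SMB", ...


@dataclass
class RetroEvent:
    sha256: str
    device: str
    action: str      # "QUARANTINE" where a connector runs, else "ALERT"


class TrajectoryLedger:
    def __init__(self) -> None:
        self.sightings: Dict[str, List[Sighting]] = {}
        self.disposition: Dict[str, str] = {}     # sha256 -> UNKNOWN/CLEAN/MALICIOUS
        self.connectors: Set[str] = set()         # devices with an endpoint connector

    def register_connector(self, device: str) -> None:
        self.connectors.add(device)

    def observe(self, s: Sighting) -> str:
        """Record a sighting and return the point-in-time action for it."""
        self.sightings.setdefault(s.sha256, []).append(s)
        return "BLOCK" if self.disposition.get(s.sha256) == "MALICIOUS" else "ALLOW"

    def update_disposition(self, sha256: str, new: str) -> List[RetroEvent]:
        """Apply a new cloud verdict; emit retrospective events if it turned bad."""
        old = self.disposition.get(sha256, "UNKNOWN")
        self.disposition[sha256] = new
        if new != "MALICIOUS" or old == "MALICIOUS":
            return []
        devices: List[str] = []
        for s in self.sightings.get(sha256, []):      # insertion order = first seen
            if s.device not in devices:
                devices.append(s.device)
        return [RetroEvent(sha256, d, "QUARANTINE" if d in self.connectors else "ALERT")
                for d in devices]

    def patient_zero(self, sha256: str) -> Optional[Sighting]:
        seen = self.sightings.get(sha256, [])
        return min(seen, key=lambda s: s.when) if seen else None

    def trajectory(self, sha256: str) -> List[str]:
        """Ordered list of devices the file moved through."""
        path: List[str] = []
        for s in sorted(self.sightings.get(sha256, []), key=lambda s: s.when):
            if s.device not in path:
                path.append(s.device)
        return path


FILE_HASH = "c0ffee" * 10 + "0000"               # constructed 64-hex placeholder
T0 = datetime(2014, 4, 1, 10, 57)                  # the 10:57 transfer on the slide
ENTRY_URL = "http://dl.example.invalid/setup.exe"  # constructed entry point


def replay() -> dict:
    """Replay the slide's scenario and return what the ledger can answer."""
    ledger = TrajectoryLedger()
    ledger.register_connector("10.5.60.66")       # assumption: the 4th device has FireAMP
    ledger.observe(Sighting(FILE_HASH, "10.4.10.183", T0 - timedelta(minutes=7), ENTRY_URL, "Firefox"))
    ledger.observe(Sighting(FILE_HASH, "10.5.11.8", T0, "10.4.10.183", "SMB"))
    ledger.observe(Sighting(FILE_HASH, "10.3.4.51", T0 + timedelta(hours=7), "10.5.11.8", "SMB"))
    ledger.observe(Sighting(FILE_HASH, "10.5.60.66", T0 + timedelta(hours=7, minutes=30), "10.3.4.51", "SMB"))
    events = ledger.update_disposition(FILE_HASH, "MALICIOUS")   # cloud learns the truth
    reentry = ledger.observe(Sighting(FILE_HASH, "10.4.10.183", T0 + timedelta(hours=8), ENTRY_URL, "Firefox"))
    return {"events": events, "patient_zero": ledger.patient_zero(FILE_HASH),
            "path": ledger.trajectory(FILE_HASH), "reentry": reentry, "ledger": ledger}
```

The retrospective events come out for all four devices at once, the connector-equipped one with QUARANTINE and the others as alerts for the operator; the eighth-hour re-entry through the same URL is blocked at the point-in-time check because the disposition is now known. Calling `update_disposition` again with the same verdict is idempotent, which matters in practice so a repeated cloud push does not re-page the team.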
  • 21. Device Trajectory (endpoint) looks DEEP into a device and helps answer:
    • How did the threat get onto the system?
    • How bad is the infection on a given device?
    • What communications were made?
    • What don't I know?
    • What is the chain of events?
  • 22. AMP is context-aware: the data shows the bad and the good; context helps you decide about the rest.
  • 23. The power of continuous analysis: point-in-time security sees a lighter, a bullet, a cufflink, a pen and a cigarette case. Wouldn't it be nice to know whether you are dealing with something more deadly?
  • 24. File analysis: fast and safe file forensics
    • VRT-powered insight into advanced malware behaviour
    • Original file, network capture and screenshots of the malware execution
    • Understand root cause and remediation
    Flow: FireAMP and clients send the infected file (hash shown truncated on the slide: 4E7E9331D22190F D41CACFE2FC843 F) to the Cisco-Sourcefire VRT sandbox for analysis. Advanced malware analysis without advanced investment.
  • 25. File extraction and sandbox execution
    1) File capture from network traffic
    2) File storage
    3) Send to sandbox (Collective Security Intelligence)
    4) Execution report available in FireSIGHT Management; malware alert!
  • 26. FireAMP for Endpoints (Windows, Mac OS X, Android) with the AMP Cloud
    • Managed and deployed from the cloud
    • File activity (create / edit / move / execute)
    • One-to-One / Spero / Ethos
    • Simple and advanced custom detections
    • Retrospective alerting and quarantine
    • Application control
    • Network flow correlation
    • Black / white lists
    • Dynamic analysis
  • 27. FirePOWER Services on the ASA
    FireSIGHT Management Console; ASA with Sourcefire sensor; file disposition queried against the AMP Cloud (SHA-256, Spero); file submitted for dynamic analysis to the VRT Dynamic Analysis Cloud; endpoint connectors for Windows, Mac OS X and Android.
  • 28. AMP Everywhere
    Cloud-connected: FireSIGHT Management, FireAMP, FirePOWER, ASA (NGFW), ESA, WSA, CWS, dynamic analysis. On-premises: FireAMP Private Cloud (appliance), dynamic analysis. Events and correlation across endpoint, network, gateway and sandbox.
    Cisco has the most comprehensive strategy for Advanced Malware Protection.
  • 29. NSS Labs breach detection systems security value map (April 2014)
    https://www.nsslabs.com/reports/breach-detection-systems-bds-comparative-analysis-report
  • 30. Cisco Email Security
  • 31. The evolution of email threats
    Past: high volumes, low $$ value. Today: low volumes, high $$ value. Tomorrow: ????
    From past to present: spam, attachment-based attacks, Slammer, worms, network evasions, polymorphic code, Code Red, image spam, virus alerts, custom URLs, botnets, Conficker, phishing, Stuxnet, blended threats, advanced persistent threats, targeted phishing, covert sponsored targeted attacks, targeted attacks.
  • 32. There is high volatility: back to more than 85% spam
    http://www.senderbase.org/static/spam/#tab=1
  • 33. Why reputation is fundamental: aggregation and correlation of billions of data points into a single score
  • 34. The Cisco Email Security architecture
    Management; threat defence (antispam, antivirus and Outbreak Filters); data security (encryption, data loss prevention); protection of inbound flows; control of outbound flows.
  • 35. Two-level anti-spam defence
    Incoming mail: good, bad or unknown/suspicious. Cisco SIO scores the sender (who, what, when, where, how).
    • Good score: the mail is delivered
    • Intermediate score: the sender is rate-limited and the messages are sent to the anti-spam engine (Cisco Anti-Spam, IMS)
    • Bad score: the TCP connection is blocked and the messages are never received on the network
    • Block rate: > 99%; false positives: < 1 in 1 million
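The two-level defence on slide 35 is a connection-time decision, not a content one: a sender with a bad score is refused before any message body enters the network, and an intermediate sender is throttled and only then content-scanned. The following added example (my code, not Cisco ESA/IronPort code) expresses that gate as a small policy with a per-source-IP token bucket. The score scale, the thresholds, the bucket size and refill rate, and the connection log are my assumptions.

```python
"""Added example (not Cisco ESA/IronPort code, not from the slides): the
two-level anti-spam gate as a connection-time policy. Each inbound SMTP
connection is scored by sender-IP reputation: a bad score is refused at
connect time so the message never enters the network; an intermediate
score is rate-limited per source IP (token bucket) and the message goes
to the content anti-spam engine; a good score is delivered.

Assumptions (mine): the score scale and thresholds, the bucket size and
refill rate, the reputation table and the constructed connection log."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

REJECT_BELOW = -3.0    # assumed: below this, refuse the TCP connection
TRUST_ABOVE = 3.0      # assumed: above this, deliver without content scan
BUCKET_SIZE = 2        # assumed: a throttled sender may burst 2 messages
REFILL_PER_SEC = 0.01  # assumed: then one more message every 100 s


@dataclass
class Bucket:
    tokens: float
    last: float


class SmtpGate:
    def __init__(self, reputation: Dict[str, float]) -> None:
        self.reputation = reputation
        self.buckets: Dict[str, Bucket] = {}

    def _take_token(self, ip: str, now: float) -> bool:
        """Classic token bucket: refill by elapsed time, then try to spend one."""
        b = self.buckets.get(ip)
        if b is None:
            b = self.buckets[ip] = Bucket(BUCKET_SIZE, now)
        b.tokens = min(BUCKET_SIZE, b.tokens + (now - b.last) * REFILL_PER_SEC)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        return False

    def decide(self, ip: str, now: float) -> str:
        """SMTP-level action for a connection attempt from ip at time now (seconds)."""
        score = self.reputation.get(ip, 0.0)   # unknown senders count as intermediate
        if score < REJECT_BELOW:
            return "REJECT_CONNECTION"          # close before DATA; nothing stored
        if score > TRUST_ABOVE:
            return "DELIVER"                    # reputation alone is enough
        if self._take_token(ip, now):
            return "SCAN_ANTISPAM"              # accept, but run the content engine
        return "TEMPFAIL_THROTTLED"             # 4xx: a real MTA retries, spam cannon moves on


# Constructed reputation table and connection log: (seconds, source IP).
REPUTATION: Dict[str, float] = {"198.51.100.10": 7.5, "203.0.113.7": -8.0, "192.0.2.33": 0.5}
CONNECTIONS: List[Tuple[float, str]] = [
    (0.0, "198.51.100.10"),   # trusted relay
    (1.0, "203.0.113.7"),     # known spam source
    (2.0, "192.0.2.33"),      # grey sender, hammers us
    (3.0, "192.0.2.33"),
    (4.0, "192.0.2.33"),
    (5.0, "192.0.2.33"),
    (6.0, "192.0.2.200"),     # never seen before
    (204.0, "192.0.2.33"),    # comes back later, bucket has refilled
]


def replay() -> List[str]:
    gate = SmtpGate(REPUTATION)
    return [gate.decide(ip, t) for t, ip in CONNECTIONS]
```

The replay shows the three tiers side by side: the trusted relay is delivered, the known-bad source never gets past the connection, and the grey sender gets two messages scanned, is temp-failed on the third and fourth, and is accepted again once its bucket has refilled. Temp-failing rather than dropping the throttled tier is deliberate: legitimate MTAs retry, most spam tooling does not.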
  • 37. Two-level anti-virus defence
    Virus Outbreak Filters (Cisco SIO, zero-hour detection, dynamic quarantine) followed by anti-virus engines (choice of engines).
    Virus Outbreak Filters advantage (http://www.senderbase.org):
    • Average additional protection time: over 13 h
    • Total attacks blocked: 291
    • Total incremental protection: over 157 days / 360
  • 38. Securing URLs in emails with Outbreak Filters
    Sample message (from "Bank A", to pborges@email.com): Information Update. Dear Mr. Paulo Roberto Borges, We are contacting you in order to inform about a mandatory update of your personal data, which is being conducted after Bank A and Bank B merge. To begin the update, please click on the link and download the protection program. Protection Module 3.0 (2011). Best regards, Bank A
    Link before rewriting: http://www.threatlink.com
    Link after rewriting: http://secure-web.cisco.com/auth=X&URL=www.threatlink.com
  • 39. Malware blocked: the click on http://secure-web.cisco.com… lands on a Cisco Security page: "The requested web page has been blocked (http://www.threatlink.com). Cisco Email and Web Security protects your organization's network from malicious software. Malware is designed to look like a legitimate email or website which accesses your computer, hides itself in your system, and damages files."
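Slides 38 and 39 show the two halves of click-time URL protection: links are rewritten at delivery so that every click passes through a checking host, and the check happens when the user clicks, against the reputation known at that moment rather than at delivery. The following added example (my code, not Cisco's Outbreak Filters implementation) does both. The `auth=...&URL=...` layout follows the slide; the use of an HMAC over the original URL as the `auth` value, the key, the blocklist and the sample mail are my assumptions, and the slide's secure-web.cisco.com host is used purely as the illustration's proxy name.

```python
"""Added example (not Cisco's Outbreak Filters code, not from the slides):
rewrite every link in a message to a checking proxy and verify the link
at click time. The auth token is an HMAC over the original URL, so a
phisher cannot mint a proxy link for an arbitrary destination, and the
click-time handler consults the *current* blocklist, so a link that was
unknown at delivery can still be blocked later.

Assumptions (mine): HMAC-SHA256 as the token, the demo key, the
blocklist, and the constructed sample mail. The query layout
auth=...&URL=... follows the slide; the proxy hostname is the slide's,
used only as an illustration."""

import hashlib
import hmac
import re
from typing import List, Set
from urllib.parse import parse_qs, quote, urlparse

PROXY = "http://secure-web.cisco.com/"
KEY = b"constructed-demo-key-do-not-use"   # per-deployment secret in real life
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def token(url: str) -> str:
    """Truncated HMAC-SHA256 over the destination; binds auth= to URL=."""
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()[:32]


def rewrite_url(url: str) -> str:
    """Original URL -> proxy URL carrying the token and the encoded destination."""
    return f"{PROXY}auth={token(url)}&URL={quote(url, safe='')}"


def rewrite_message(body: str) -> str:
    """Rewrite every http(s) link in a message body (delivery time)."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)


def links_in(text: str) -> List[str]:
    return URL_RE.findall(text)


def click(proxy_url: str, blocklist: Set[str]) -> str:
    """Click-time handler: verify the token, then check the destination now."""
    p = urlparse(proxy_url)
    if p.netloc != urlparse(PROXY).netloc:
        return "NOT_A_PROXY_LINK"
    q = parse_qs(p.path.lstrip("/"))          # slide layout has no '?', so parse the path
    auth = q.get("auth", [""])[0]
    url = q.get("URL", [""])[0]               # parse_qs already percent-decodes
    if not hmac.compare_digest(auth, token(url)):
        return "FORGED"                       # a proxy link we never issued
    host = urlparse(url).hostname or ""
    if host in blocklist:
        return "BLOCKED"                      # serve the "requested web page has been blocked" page
    return "REDIRECT:" + url


def forged_link(url: str) -> str:
    """What an attacker who knows the layout but not the key could build."""
    return f"{PROXY}auth={'0' * 32}&URL={quote(url, safe='')}"


# Constructed phishing mail in the style of the slide (not the real message).
SAMPLE_MAIL = (
    "To begin the update, please click on the link and download the protection program.\n"
    '<a href="http://www.threatlink.com/update">Protection Module 3.0 (2011)</a>\n'
    "Best regards, Bank A, http://www.bank-a.example/"
)
```

Two properties are worth noting. The HMAC makes the proxy a closed redirector: without the key nobody can produce a valid `auth` for a new destination, so the checking host cannot be abused as an open redirect in the next phishing wave. And because the destination is re-evaluated on every click, a blocklist update made after delivery still protects users who open the mail later, which is the "after" part of the attack continuum on slide 4.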
  • 40. Outbreak Filters stops phishing and blended attacks
  • 41. Advanced Malware Protection on the ESA: the inbound pipeline (fed by Cisco SIO)
    • SenderBase reputation filtering: drop
    • Anti-spam and spoofing prevention: drop or quarantine
    • AV scanning and Advanced Malware Protection: drop or quarantine
    • Real-time URL analysis: quarantine or rewrite URLs
    • Otherwise: deliver
  • 42. 3.5M emails blocked every day (Email Security, Cisco on Cisco; malware and spam)
    Emails delivered               Emails / mo   Emails / day   Emails / employee / day   %
    Attempted                      124 M         5.6 M          73
    Blocked                        77 M          3.5 M          46                        63%
    Delivered                      37 M          1.7 M          22                        30%
    Delivered, marked "Marketing"  9 M           0.4 M          5                         7%

    ESA blocked emails             Emails* / mo  Emails / day   Emails / employee / day   %
    By reputation                  73 M          3.3 M          43                        94%
    By spam content                4.3 M         0.2 M          3                         5%
    By invalid recipients          0.4 M         0.02 M         0.25                      1%
  • 43. Why Cisco Email Security? Gartner Magic Quadrant, Email Security Gateways, 2013
    The Magic Quadrant is copyrighted 2013 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Cisco.
  • 44. Cisco Web Security
  • 45. The Cisco Web Security architecture (fed by Cisco Security Intelligence Operations)
    Protection: Layer 4 Traffic Monitor (on-premises), anti-malware defence. Control: URL filtering, Application Visibility and Control (AVC), Data Loss Prevention (DLP)*. Centralised management and reporting. Outcome per request: allow, limited access, or block.
    *Third-party DLP integration available on-premises
  • 46. Layer 4 Traffic Monitor: detecting hosts that are already infected
    Network-layer analysis (packet and header inspection) of all traffic between users and the Internet, with automatic anti-malware rules; blocks malicious traffic.
    • Scans all ports and protocols
    • Detects malware that bypasses port 80
    • Prevents zombies from communicating with their control server
    • Automatic updates
    • Real-time lists of malicious servers and IP addresses
    Available on the WSA, and on the ASA as the "Botnet Traffic Filter"
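The value of a Layer 4 monitor is that it looks at flows the web proxy never sees. The following added example (my code, not the WSA L4TM) applies two checks to a set of flow records: any connection to a listed C&C address, whatever the port, and regular "beaconing" to the same non-web destination, which is what a bot polling its controller looks like even before that controller is on any list. The blocklist contents, the beacon thresholds and the flow records are constructed by me.

```python
"""Added example (not Cisco WSA L4TM code, not from the slides): a
flow-level monitor that inspects every outbound connection regardless
of port or protocol and flags hosts that are already infected:
  1. any flow to a known C&C address or domain, on any port;
  2. periodic beaconing to one non-web destination, which a bot does
     even when its controller is not yet on a list.

Assumptions (mine): the blocklist contents, the beacon thresholds, and
the constructed flow records (timestamp, src, dst, dport, proto)."""

from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: float      # seconds since start of capture
    src: str
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"


# Constructed real-time list of known C&C servers (IPs and domains).
CNC_IPS: Set[str] = {"203.0.113.44"}
CNC_DOMAINS: Set[str] = {"cnc.example-bad.net"}

MIN_BEACONS = 4     # assumed: need at least this many connections to judge
MAX_JITTER = 0.15   # assumed: stdev/mean of the gaps below this = periodic


def known_bad(flows: List[Flow]) -> List[Tuple[str, str, int]]:
    """(src, dst, dport) for every flow to a listed C&C, on any port."""
    return [(f.src, f.dst, f.dport) for f in flows
            if f.dst in CNC_IPS or f.dst in CNC_DOMAINS]


def beacons(flows: List[Flow]) -> List[Tuple[str, str, int, float]]:
    """(src, dst, dport, period_seconds) for periodic non-web connections."""
    by_pair: Dict[Tuple[str, str, int], List[float]] = defaultdict(list)
    for f in flows:
        if f.dport in (80, 443):
            continue                      # the web proxy already inspects these
        by_pair[(f.src, f.dst, f.dport)].append(f.ts)
    found = []
    for (src, dst, dport), times in by_pair.items():
        if len(times) < MIN_BEACONS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = float(mean(gaps))
        if m > 0 and pstdev(gaps) / m <= MAX_JITTER:
            found.append((src, dst, dport, round(m, 1)))
    return found


def infected_hosts(flows: List[Flow]) -> Set[str]:
    """Union of both detections: the internal hosts to isolate."""
    return {h[0] for h in known_bad(flows)} | {b[0] for b in beacons(flows)}


# Constructed flow records for one capture window.
FLOWS: List[Flow] = [
    Flow(0, "10.1.1.20", "198.51.100.5", 443, "tcp"),    # ordinary HTTPS
    Flow(5, "10.1.1.20", "198.51.100.5", 443, "tcp"),
    Flow(12, "10.1.1.31", "203.0.113.44", 6667, "tcp"),  # listed C&C, not on port 80
    Flow(60, "10.1.1.42", "192.0.2.99", 8443, "tcp"),    # unlisted host, ~60 s beacon
    Flow(121, "10.1.1.42", "192.0.2.99", 8443, "tcp"),
    Flow(180, "10.1.1.42", "192.0.2.99", 8443, "tcp"),
    Flow(241, "10.1.1.42", "192.0.2.99", 8443, "tcp"),
    Flow(300, "10.1.1.42", "192.0.2.99", 8443, "tcp"),
    Flow(7, "10.1.1.50", "192.0.2.10", 53, "udp"),       # DNS, irregular: not a beacon
    Flow(9, "10.1.1.50", "192.0.2.10", 53, "udp"),
    Flow(40, "10.1.1.50", "192.0.2.10", 53, "udp"),
    Flow(41, "10.1.1.50", "192.0.2.10", 53, "udp"),
    Flow(95, "10.1.1.50", "192.0.2.10", 53, "udp"),
]
```

On the sample, 10.1.1.31 is caught by the list on an IRC-style port, and 10.1.1.42 is caught purely by the regularity of its 8443 connections to a host on no list; the DNS chatter from 10.1.1.50 has the same destination count but no periodicity and is left alone. Both detections are independent of port 80, which is the slide's point. In production the jitter threshold needs tuning, since some legitimate agents (update checks, monitoring) also beacon.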
  • 47. Three-level anti-malware defence
    Requested URLs are scored by Cisco SIO:
    • Good score: the site is displayed without being scanned
    • Intermediate score: the site is scanned by one or more anti-malware engines, plus file reputation (AMP)
    • Bad score: the site is blocked
    SSL decryption is applied based on category or reputation.
  • 48. Real-time anti-malware scanning: Dynamic Vectoring and Streaming
    Heuristic and signature-based analysis with multiple anti-malware engines:
    • Intelligent multi-scanning; parallel scans
    • Multiple signature databases
    • Decrypts SSL traffic when needed
    • Streaming-mode scanning to avoid latency problems
    • Automatic updates
    Heuristic detection identifies unusual behaviour; signature-based inspection recognises known threats.
  • 49. Advanced Malware Protection on the WSA (fed by Cisco SIO)
    At request time: URL filtering (block / allow / warn / partial block); reputation filter (block).
    At response time: Dynamic Content Analysis (DCA), signature-based anti-malware engines, Advanced Malware Protection (each can block).
  • 50. C97-728331-00 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
    6.5M malicious sites blocked every day: Web Security Appliance, Cisco on Cisco
    Cisco web traffic stats: 330-360M web visits/day; 6-7M (2%) blocked
    WSA blocked transactions: 93.5% by web reputation; 4.5% by URL category; 2% by anti-malware
    Malware blocked in one day:
    • 441K Trojan horses
    • 61K other malware
    • 29K encrypted files (monitored)
    • 16.4K adware messages
    • 1K Trojan downloaders
    • 55 phishing URLs
    • 22 commercial system monitors
    • 5 worms
    • 3 dialers
  • 51. Why Cisco Web Security? Gartner Magic Quadrant, Web Security Gateways, 2013
    The Magic Quadrant is copyrighted 2013 by Gartner, Inc. and is reused with permission, under the same Gartner disclaimer as on slide 43.