Cisco Cybersecurity Solutions

In 2014, cyber attacks are increasingly sophisticated, with dedicated organisations developing new-generation malware. Whether private companies or state institutions, everyone must protect themselves and be able to analyse and counter these new threats.

Cisco has brought innovative anti-malware protection solutions to market. These solutions are now implemented in most Cisco security equipment: in the Web and Mail proxies, but also in the IPS sensors, in dedicated appliances and on workstations.

Cisco makes its security expertise available to its customers, with real-time cloud analysis of these attacks and a retrospective analysis of the events that preceded the attack.

It is this set of technologies that we invite you to discover in this presentation.

Transcript

  • 1. C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. Cybersecurity techniques. Frédéric HER, Security Consultant, Southern Europe, fher@cisco.com. Christophe SARRAZIN, Security Consultant, Southern Europe, csarrazi@cisco.com.
  • 2. The problem today: new usages; constantly evolving threats; complexity and fragmentation.
  • 3. "You cannot solve a problem with the same ways of thinking that created it."
  • 4. The new security model: the attack continuum. BEFORE: discover, enforce, harden. DURING: detect, block, defend. AFTER: scope, contain, remediate. It applies across network, endpoint, mobile, virtual and cloud, and contrasts point-in-time controls with continuous analysis.
  • 5. The evolution of threats and responses. Threats: viruses and worms; spyware and rootkits; APTs and cyberwarfare; an enlarged attack surface (mobility and cloud). Responses: 2000, endpoint security (AV); 2005, network perimeter (IDS/IPS); 2010, reputation and sandboxing; today, intelligence and analysis.
  • 6. Advanced cyber threats: infiltrate (compromised site and exploit server, reaching users and applications), control (CNC), extend the attack surface through lateral movement, then data exfiltration.
  • 7. Defending with intelligence: Cisco SIO (Security Intelligence Operations). Questions it answers: Is the SMTP connection legitimate? Is the content malicious or unwanted? Are zombies talking to CNC servers? Hostile actions or deviant users? Malicious content on the workstation? Inputs: web reputation, signatures, threat research, domain registration, content inspection, spam traps, honeypots and crawlers, blocklists and reputation, partnerships, platform-specific rules and logic.
  • 8. The extended coverage of Cisco SIO: 100 TB of security intelligence; 1.6M deployed devices; 13B web requests; 150,000 micro-applications; 1,000 applications; 93B email messages; 35% of enterprise email; 5,500 IPS signatures; 150M deployed endpoints; updates every 3-5 minutes; 5B email connections; 4.5B emails blocked.
  • 9. ...and web exploits can be difficult to detect. Just a blog amongst plenty: URLs in browser: 1; HTTP GETs: 162; images: 66 from 18 domains, including 5 separate 1x1-pixel invisible tracking images; scripts: 87 from 7 domains; cookies: 118 from 15 domains; 8 Flash objects from 4 domains.
  • 10. ...and web exploits can be difficult to detect. Just a blog amongst plenty... (screenshot only).
  • 11. Internet Explorer (IE) zero-day vulnerability: multiple attack vectors, multiple layers of defense. Cisco SIO proactive defense: Day 0, zero-day malware blocked by Cisco. Traditional response: Day 0, zero-day malware in the wild; Day 14, Cisco IPS signature, C&C server blocked; Day 16, 1st anti-virus signature deployed; Day 17, 2nd anti-virus signature deployed, security advisory issued, IE patched; Day 18, 3rd anti-virus signatures deployed. Outcome: SIO cross-platform intelligence; blocked zero-day threat; blocked 40+ "parked" domains; blocked exploit server and CNC; 18-day lead time.
  • 12. Reputation in action. New York Times: victim of an attack through an advertisement. An apparently legitimate ad actually generates 3 redirects to web links; final destination: protection-check07.com. Fake anti-virus: a pop-up simulating AV software asks the user to buy software to clean the machine. Web reputation score: -9.3; default action: BLOCK. The NYT site itself is allowed, but the redirect to the malicious link is blocked.
  • 13. Consolidation of the attackers' servers. Knowing the reputation of these servers is very important. http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html
  • 14. Outbreak Intelligence: heuristic engines added on top of signatures and reputation.
  • 15. The anti-virus scans the file. A PDF consists of a header, a body of objects, a cross-reference table and a trailer. We think we know the structure of a PDF file and what it should look like. According to the signatures, this is a clean file.
  • 16. The same file, seen structurally:
        %PDF-1.4 (version)
        %Comments
        1 0 obj << /Type /Page >> endobj
        2 0 obj << /Type /Action /S /JS >> endobj
        xref
        trailer
    We know which things can be exploited, so the scanlets decompose the file and analyse it, and the algorithms look for potential malicious exploitation. After inspection we find: no English words; incorrect headers; a high proportion of JavaScript content; specific JavaScript; "exploitable" functions; other indicators. OI decides that this file is potentially dangerous.
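The kind of structural triage slide 16 describes, written out as an added example (not Cisco's scanlets): the file is split into its objects, each indicator from the slide is tested separately, and the file is only flagged when several indicators agree. The thresholds, the list of risky functions and the two sample PDFs are constructed for illustration.

```python
"""Structural triage of a PDF, following the approach described for slide 16:
split the file into objects, count indicators (bad header, share of JavaScript,
auto-execute actions, risky functions, absence of plain English) and flag the
file when several indicators coincide, independently of any signature.
Added example; thresholds and the two sample files are constructed."""
import re
from dataclasses import dataclass, field

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
# JavaScript functions commonly seen in exploit-bearing PDFs (illustrative list)
RISKY_FUNCS = (b"eval", b"unescape", b"String.fromCharCode", b"util.printf")
# A handful of frequent English words; uncompressed benign text usually has some
COMMON_WORDS = {b"the", b"and", b"of", b"to", b"in", b"is", b"for", b"with"}


@dataclass
class PdfVerdict:
    indicators: list = field(default_factory=list)
    js_ratio: float = 0.0

    @property
    def suspicious(self) -> bool:
        # Any single indicator is weak on its own; require several to agree
        return len(self.indicators) >= 3


def analyse_pdf(data: bytes) -> PdfVerdict:
    v = PdfVerdict()
    # Header check: a well-formed file starts with %PDF-1.0 .. %PDF-1.7
    if not re.match(rb"%PDF-1\.[0-7]\s", data):
        v.indicators.append("incorrect header")
    if b"xref" not in data or b"trailer" not in data:
        v.indicators.append("missing xref/trailer")
    objects = OBJ_RE.findall(data)
    if not objects:
        v.indicators.append("no objects found")
        return v
    # Proportion of object bytes that belong to JavaScript-carrying objects
    total = sum(len(body) for _, _, body in objects)
    js_bytes = sum(len(body) for _, _, body in objects
                   if b"/JS" in body or b"/JavaScript" in body)
    v.js_ratio = js_bytes / total
    if v.js_ratio > 0.5:
        v.indicators.append("high JavaScript proportion")
    # Actions that run without user interaction
    if b"/OpenAction" in data or b"/AA" in data:
        v.indicators.append("auto-execute action")
    found = [f.decode() for f in RISKY_FUNCS if f in data]
    if found:
        v.indicators.append("risky functions: " + ", ".join(found))
    words = {w.lower() for w in re.findall(rb"[A-Za-z]{2,}", data)}
    if not words & COMMON_WORDS:
        v.indicators.append("no plain English words")
    return v


# Constructed sample: a minimal benign one-page document with readable text
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf (This is the annual report for the team) Tj ET
endstream endobj
xref
trailer << /Root 1 0 R >>
%%EOF"""

# Constructed sample mirroring slide 16: odd header, a page whose additional-action
# dictionary fires a JavaScript action built from unescape/eval/fromCharCode
SUSPICIOUS_PDF = b"""%PDF-1.9
%Comments
1 0 obj << /Type /Page /AA << /O 2 0 R >> >> endobj
2 0 obj << /Type /Action /S /JS /JS (var s=unescape('%u9090');eval(String.fromCharCode(0x41));) >> endobj
xref
trailer"""

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        verdict = analyse_pdf(blob)
        print(name, verdict.suspicious, f"js={verdict.js_ratio:.2f}", verdict.indicators)
```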
  • 17. Outbreak Intelligence versus signature detection. This chart shows the daily share of threats blocked by OI and by traditional AV signatures. In 2013, 22% of malware coming from the Internet was blocked by Cisco Outbreak Intelligence before signatures were available. (Chart: daily blocks, 2013, source Cisco Cloud Web Security; Signature versus Outbreak Intelligence, January to December 2013, 0-100%.)
  • 18. Outbreak Intelligence versus signature detection (continued, chart only).
  • 19. Cisco AMP.
  • 20. Cisco Collective Security Intelligence: Cisco SIO plus Sourcefire VRT (Vulnerability Research Team), the broadest visibility on the Internet. 1.6 million global sensors; 100 TB of data received per day; 150 million+ deployed endpoints; 600+ engineers, technicians and researchers; 35% of worldwide email traffic; 13 billion web requests; 24x7x365 operations; 40+ languages; 180,000+ file samples per day. Sources: FireAMP community, advanced Microsoft and industry disclosures, Snort and ClamAV open source communities, honeypots, Sourcefire AEGIS program, private and public threat feeds, dynamic analysis. Consumers: email, endpoints, web, networks, IPS devices.
  • 21. AMP: reputation filtering and behavioral detection. Reputation side: SHA-256 lookup (hash plus details), structural information (referenced DLLs, PE header), VRT correlation. Behavioral side: sandboxing, AV, network monitoring.
  • 22. Point-in-time detection (antivirus, sandboxing) versus retrospective detection (Cisco-Sourcefire). Point in time: initial disposition = clean, then analysis stops; when the actual disposition turns out to be bad it is too late, and the defender is blind to the scope of the compromise; evaded by sleep techniques, unknown protocols, encryption and polymorphism; never 100%. Retrospective: initial disposition = clean, but analysis continues beyond the event horizon; when the actual disposition becomes bad the file is blocked, "turning back time". Visibility and control are key.
  • 23. Retrospective security: always watching, never forgets, turns back time. Trajectory: determine scope by tracking malware in motion and activity. File trajectory: visibility across the organization, centering on a given file. Device trajectory: deep visibility into file activity on a single system. Continuous analysis: retrospective detection of malware beyond the event horizon.
  • 24. File trajectory (network plus endpoint). Looks ACROSS the organization and answers: What systems were infected? Who was infected first ("patient 0") and when did it happen? What was the entry point? When did it happen? What else did it bring in? Quickly understand the scope of a malware problem.
  • 25. File trajectory example. An unknown file is present on IP 10.4.10.183, having been downloaded with Firefox. At 10:57 the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8. Seven hours later the file is transferred to a third device (10.3.4.51) using an SMB application. A half hour later the file is copied to yet a fourth device (10.5.60.66) through the same SMB application. The Cisco Collective Security Intelligence Cloud then learns that this file is malicious, and a retrospective event is raised for all four devices immediately. At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware. 8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
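The timeline on slide 25, replayed through a small trajectory tracker as an added example (not AMP's own API): every sighting of a file is recorded while its disposition is unknown, so that when the cloud verdict flips to malicious the retrospective event can be raised on every device that ever held it, and the next attempt at the original entry point is blocked. The download time, the date and the set of hosts with an endpoint connector are assumptions the slide does not state.

```python
"""File trajectory with retrospective detection, replaying the timeline of slide 25.
Added example: the event model, the clock values not given on the slide and the set of
devices with an endpoint connector are constructed; this is not AMP's own API."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    when: datetime
    sha256: str
    device: str    # device that now holds the file
    source: str    # "firefox" for a download, otherwise the previous device
    channel: str   # "http" or "smb"


class TrajectoryTracker:
    """Remembers every sighting of every file so a late verdict can be applied backwards."""

    def __init__(self, connectors: set):
        self.connectors = connectors              # devices running an endpoint connector
        self.events: list = []
        self.dispositions: dict = {}              # sha256 -> unknown/clean/malicious
        self.alerts: list = []
        self.quarantined: set = set()

    def observe(self, ev: FileEvent) -> str:
        """Point-in-time decision when a file lands on a device."""
        if self.dispositions.get(ev.sha256) == "malicious":
            self.alerts.append(f"{ev.when:%H:%M} blocked {ev.sha256[:8]} -> {ev.device} via {ev.channel}")
            return "blocked"
        self.events.append(ev)       # unknown or clean: allow, but keep the record
        return "allowed"

    def update_disposition(self, sha256: str, disposition: str, when: datetime) -> list:
        """The cloud learns a new verdict; on 'malicious', alert every device that saw the file."""
        previous = self.dispositions.get(sha256, "unknown")
        self.dispositions[sha256] = disposition
        if disposition != "malicious" or previous == "malicious":
            return []
        affected = sorted({e.device for e in self.events if e.sha256 == sha256})
        for dev in affected:
            self.alerts.append(f"{when:%H:%M} retrospective event: {sha256[:8]} on {dev}")
            if dev in self.connectors:            # only connector-equipped hosts can act
                self.quarantined.add(dev)
        return affected

    def trajectory(self, sha256: str) -> list:
        """Ordered (source, device, channel) hops: the 'file trajectory' view."""
        hops = sorted((e for e in self.events if e.sha256 == sha256), key=lambda e: e.when)
        return [(e.source, e.device, e.channel) for e in hops]

    def patient_zero(self, sha256: str) -> Optional[str]:
        hops = self.trajectory(sha256)
        return hops[0][1] if hops else None


# Constructed SHA-256 placeholder for the unknown file
SHA = "0" * 63 + "1"


def replay_slide_25():
    """Return (tracker, devices hit by the retrospective event, verdict on the re-entry attempt)."""
    t = TrajectoryTracker(connectors={"10.5.11.8"})     # assumed: only this host runs FireAMP
    day = datetime(2014, 1, 1)                           # constructed date
    at = lambda h, m: day.replace(hour=h, minute=m)
    t.observe(FileEvent(at(10, 30), SHA, "10.4.10.183", "firefox", "http"))   # download (time assumed)
    t.observe(FileEvent(at(10, 57), SHA, "10.5.11.8", "10.4.10.183", "http"))
    t.observe(FileEvent(at(17, 57), SHA, "10.3.4.51", "10.5.11.8", "smb"))    # seven hours later
    t.observe(FileEvent(at(18, 27), SHA, "10.5.60.66", "10.3.4.51", "smb"))   # half an hour later
    affected = t.update_disposition(SHA, "malicious", at(18, 28))             # cloud verdict flips
    # 8 hours after the first sighting the file tries the original entry point again
    verdict = t.observe(FileEvent(at(18, 30), SHA, "10.4.10.183", "firefox", "http"))
    return t, affected, verdict


if __name__ == "__main__":
    tracker, hit, verdict = replay_slide_25()
    print("patient zero:", tracker.patient_zero(SHA))
    print("trajectory:", tracker.trajectory(SHA))
    print("retrospective on:", hit, "| quarantined:", tracker.quarantined, "| re-entry:", verdict)
```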
  • 26. Device trajectory (endpoint). Looks DEEP into a device and helps answer: How did the threat get onto the system? How bad is my infection on a given device? What communications were made? What don't I know? What is the chain of events?
  • 27. AMP is context-aware: data shows the bad and the good; context helps you decide about the rest.
  • 28. The power of continuous analysis. Point-in-time security sees a lighter, bullet, cufflink, pen and cigarette case... Wouldn't it be nice to know if you're dealing with something more deadly?
  • 29. File analysis: fast and safe file forensics. FireAMP and clients submit the infected file to Cisco-Sourcefire VRT sandbox analysis. VRT-powered insight into advanced malware behavior; original file, network capture and screenshots of the malware execution; understand root cause and remediation. Advanced malware analysis without advanced investment.
  • 30. File extraction and sandbox execution: 1) file capture from network traffic; 2) file storage; 3) send to the sandbox (Collective Security Intelligence); 4) execution report available in FireSIGHT Management. Malware alert!
  • 31. FireAMP for Endpoints (Windows, Mac OS X, Android), managed and deployed from the AMP Cloud: file activity (create/edit/move/execute); one-to-one, Spero and Ethos detections; simple and advanced custom detections; retrospective alerting and quarantine; application control; network flow correlation; blacklists and whitelists; dynamic analysis.
  • 32. Architecture: FireSIGHT Management Console; ASA with Sourcefire sensor (FirePOWER Services on the ASA); endpoint connectors (Windows, Mac OS X, Android). File disposition is queried against the AMP Cloud (SHA-256, Spero); files are submitted to the VRT Dynamic Analysis Cloud.
  • 33. AMP Everywhere: Cisco has the most comprehensive strategy for Advanced Malware Protection. Endpoint: FireAMP. Network: FirePOWER, ASA (NGFW). Gateway: ESA, WSA, CWS. Sandbox: dynamic analysis. Cloud-connected or on-premises (FireAMP Private Cloud appliance), with events and correlation in FireSIGHT Management.
  • 34. NSS Labs breach detection systems security value map (April 2014). https://www.nsslabs.com/reports/breach-detection-systems-bds-comparative-analysis-report
  • 35. Cisco Threat Defense.
  • 36. Defense strategies, on two axes: signature/reputation-based versus behavioral-based threat detection, and network perimeter versus network interior. Components placed on the map: firewalls, IPS/IDS, honeypots, email content inspection, web content inspection, and Cisco's Cyber Threat Defense Solution.
  • 37. Example targeted attack: kill chain. Initial infection by a 0-day through: malicious USB stick; social engineering; email with malicious attachment; public WLAN MITM; malicious Office document; hardware key logger; server application vulnerability; drive-by download; any other attack vector...
  • 38. Kill chain: post breach. A command and control channel is established to the C&C server. Final target reached, security infrastructure bypassed: data leakage; damage; data manipulation (e.g. source code).
  • 39. Collect information with NetFlow: track the attacker. NetFlow record from "Router# show flow monitor CYBER-MONITOR cache":
        IPV4 SOURCE ADDRESS: 192.168.100.100
        IPV4 DESTINATION ADDRESS: 192.168.20.6
        TRNS SOURCE PORT: 47321
        TRNS DESTINATION PORT: 443
        INTERFACE INPUT: Gi0/0/0
        IP TOS: 0x00
        IP PROTOCOL: 6
        ipv4 next hop address: 192.168.20.6
        tcp flags: 0x1A
        interface output: Gi0/1.20
        counter bytes: 1482
        counter packets: 23
        timestamp first: 12:33:53.358
        timestamp last: 12:33:53.370
        ip dscp: 0x00
        ip ttl min: 127
        ip ttl max: 127
        application name: nbar secure-http
  • 40. How does it work in a network: baselining and anomaly detection based on NetFlow.
  • 41. Stop security problems BEFORE they become crises (chart: impact to the business in $ over time). Company with legacy monitoring tools: attack onset, credit card data compromised, attack identified, vulnerability closed, with the whole interval spent in the crisis region. "Worm outbreaks can impact revenue by up to $250k per hour." (F500 media conglomerate)
  • 42. The same chart with StealthWatch: early warning, attack identified, attack thwarted, vulnerability closed, all before the crisis region; StealthWatch reduces MTTK. "Worm outbreaks can impact revenue by up to $250k per hour. StealthWatch pays for itself in 30 minutes." (F500 media conglomerate)
  • 43. Attack penetration, propagation and exfiltration: network reconnaissance; internally propagating malware; botnet command and control; data leakage.
  • 44. NetFlow v5 and NetFlow v9: which to use for threat detection? NetFlow v5 captures essential information regarding traffic patterns: source/destination IP and port; packet counts; byte counts; flow duration; I/O interfaces. It is useful for Layer 3 and 4 traffic pattern analysis. NetFlow v9 extends v5 by adding: numerous TCP flags/counters; flow direction; fragmentation flags; ICMP and IGMP info; header stats; time-to-live; DSCP/TOS info; destination routing info. It provides insight into malformed packets, protocol manipulation and direction of traffic. NetFlow v5 is useful; however, NetFlow v9 delivers deeper insight.
  • 45. Introduction to NBAR (Network-Based Application Recognition). Traditional NetFlow keys on the data link, IP and TCP/UDP headers: interface, ToS, protocol, source and destination IP address, source and destination port. Flexible NetFlow with NBAR adds deep packet (payload) inspection: classifies traffic by protocol (Layers 4-7); supports over 600 applications and protocols; provides visibility into which application protocols are running on which ports and to where; useful in identifying stealthy behaviour (e.g. hiding file transfers over port 80).
  • 46. Developing patterns through context: identity and application visibility. Users/devices: Cisco Identity Services Engine (ISE). Applications: Network-Based Application Recognition (NBAR). NetFlow Secure Event Logging (NSEL).
  • 47. CTD architecture, minimum required components: the Cisco ASA firewall and NetFlow/sFlow-enabled Cisco routers and switches export flows to the StealthWatch FlowCollector, which reports over HTTPS to the StealthWatch Management Console (unified security monitoring).
  • 48. Cyber Threat Defense Solution (CTD) overview. StealthWatch FlowCollector* and StealthWatch Management Console* (management); StealthWatch FlowReplicator (optional, replicates NetFlow and other protocols to other traffic analysis software); Cisco ISE (over SSL); StealthWatch FlowSensor* or Cisco NetFlow Generation Appliance (NGA) (optional, monitors traffic and generates NetFlow for non-NetFlow-enabled devices); NetFlow-enabled devices export directly. * Virtual or physical edition.
  • 49. Scalability. Flow exporters: physical and virtual routers and switches, FlowSensor and FlowSensor VE; up to 2,000 exporters and/or 120,000 flows per second. Flow collectors: StealthWatch FC for NetFlow, up to 25 collectors per StealthWatch system, scaling to 3 million flows per second. Management and reporting: StealthWatch Management Console, 2 for full redundancy between primary and secondary. User interface: customizable views for virtualization, network and security teams.
  • 50. CSIRT NetFlow collection at Cisco: RTP, San Jose, Amsterdam, Bangalore, Sydney, Tokyo; 15.6 billion flows per day; 90-day retention.
  • 51. Cisco CTD solution dashboard: active alarms, alarms, top applications, flow collection trend.
  • 52. Cisco CTD solution: attack detection without signatures. Monitor and baseline activity for a host and within host groups. A high Concern Index indicates a significant number of suspicious events that deviate from established baselines. Example row: host group Desktops; host 10.10.101.118; CI 338,137,280; CI% 8656%; alarm: High Concern Index; alerts: Ping, Ping_Scan, TCP_Scan.
  • 53. The art is putting it in the right context: not everything is what it seems to be...
  • 54. The art is putting it in the right context: ...this use case might be different.
  • 55. Obtain context through Cisco ISE: attribute flows and behaviors to a user and device. Example row: policy: Desktops & Trusted Wireless; start active time: Jan 3, 2013; alarm: Suspect Data Loss; source: 10.10.101.89; source host groups: Atlanta, Desktops; source user name: John Chambers; device type: Apple-iPad; switch port: Cat 7/42.
  • 56. Detecting command and control: periodic "phone home" activity from a bot-infected host to the bot command and control server (attempted and successful C&C). What to analyze: countries; applications; upload/download ratio; time of day; repeated connections; beaconing (repeated dead connections); long-lived flows; known C&C servers. StealthWatch methods of detection: Host Lock Violation; Suspect Long Flow; Beaconing Host.
  • 57. Zeus credential capture example: a user logs into cisco.com with user ID and password.
  • 58. Zeus detection alarm details.
  • 59. Detecting suspect data loss. Example row: policy: Inside Hosts; start active time: 8-Feb-2012; alarm: Suspect Data Loss; source: 10.34.74.123; source host group: Wired Data; source username: Bob; target: Multiple Hosts; details: Observed 4.08G bytes. Policy Maximum allows up to 81.92M bytes.
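Slides 39, 52, 56 and 59 together describe flow records and two of the signature-less detections built on them; the added example below (not StealthWatch code) parses records in the key/value layout of the slide 39 cache output, then looks for beaconing (regularly spaced connections to one peer) and suspect data loss (outbound bytes above the 81.92M policy maximum quoted on slide 59). The sample traffic, the TEST-NET peer addresses and the beaconing thresholds are constructed.

```python
"""Flow-record analytics in the spirit of slides 39, 52, 56 and 59: parse records in
the 'show flow monitor ... cache' key/value layout, then look for beaconing
(repeated, regularly spaced connections to one peer) and suspect data loss
(outbound volume above a policy maximum). Added example; the record layout follows
the slide, thresholds and sample traffic are constructed."""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int
    first: float   # seconds since midnight
    last: float


def _secs(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_cache(text: str) -> list:
    """One record per blank-line-separated block; keys are matched case-insensitively,
    so both the upper-case and lower-case field names of the slide are accepted."""
    flows = []
    for block in text.strip().split("\n\n"):
        kv = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")     # split on the first colon only
            kv[key.strip().lower()] = value.strip()
        flows.append(Flow(kv["ipv4 source address"], kv["ipv4 destination address"],
                          int(kv["trns destination port"]), int(kv["counter bytes"]),
                          _secs(kv["timestamp first"]), _secs(kv["timestamp last"])))
    return flows


def detect_beaconing(flows: list, min_flows: int = 6, max_cv: float = 0.1) -> list:
    """Group by (src, dst, dport); near-constant spacing of flow starts is a beacon."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f.first)
    hits = []
    for key, starts in groups.items():
        if len(starts) < min_flows:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:      # low coefficient of variation
            hits.append((*key, round(mean, 1)))
    return hits


POLICY_MAX_BYTES = 81_920_000   # "Policy Maximum allows up to 81.92M bytes" (slide 59)


def detect_data_loss(flows: list, inside_prefix: str = "10.",
                     policy_max: int = POLICY_MAX_BYTES) -> dict:
    """Total bytes each inside host sent to outside targets, kept when above the policy."""
    out = defaultdict(int)
    for f in flows:
        if f.src.startswith(inside_prefix) and not f.dst.startswith(inside_prefix):
            out[f.src] += f.nbytes
    return {host: total for host, total in out.items() if total > policy_max}


def _record(src, dst, dport, nbytes, first, last) -> str:
    return (f"IPV4 SOURCE ADDRESS: {src}\nIPV4 DESTINATION ADDRESS: {dst}\n"
            f"TRNS DESTINATION PORT: {dport}\nIP PROTOCOL: 6\ncounter bytes: {nbytes}\n"
            f"timestamp first: {first}\ntimestamp last: {last}\n")


def _ts(sec: float) -> str:
    return f"{int(sec // 3600):02d}:{int(sec % 3600 // 60):02d}:{sec % 60:06.3f}"


def sample_cache() -> str:
    """Constructed cache output: one beaconing bot, one normal browser, one bulk upload."""
    recs = []
    for i in range(8):          # bot phoning home to 203.0.113.7:443 every 300 s
        t = 12 * 3600 + i * 300
        recs.append(_record("10.10.101.118", "203.0.113.7", 443, 1482, _ts(t), _ts(t + 0.4)))
    for t in (43200, 43410, 44980, 45010, 47400, 48000):   # irregular browsing
        recs.append(_record("10.10.101.50", "198.51.100.20", 443, 52000, _ts(t), _ts(t + 3)))
    # 4.08 GB pushed to an outside host by 10.34.74.123 (figures from slide 59)
    recs.append(_record("10.34.74.123", "198.51.100.99", 22, 4_080_000_000, _ts(50000), _ts(52000)))
    return "\n".join(recs)


if __name__ == "__main__":
    flows = parse_cache(sample_cache())
    print("beaconing:", detect_beaconing(flows))
    print("suspect data loss:", detect_data_loss(flows))
```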
  • 60. Infection tracking: initial infection, secondary infection, tertiary infection.
  • 61. Cisco Email Security.
  • 62. The evolution of email-borne threats, from the past (high volumes, low $ value) to today (low volumes, high $$ value) and tomorrow (????). Threats along the way: spam, worms (Slammer, Code Red), image spam, virus alerts, attachment-based attacks, custom URLs, botnets, Conficker, network evasions, polymorphic code, phishing, blended threats, targeted phishing, targeted attacks, covert sponsored targeted attacks, advanced persistent threats, Stuxnet.
  • 63. There is great volatility: back above 85% spam. http://www.senderbase.org/static/spam/#tab=1
  • 64. Why reputation is fundamental: aggregation and correlation of billions of data points into a single score.
  • 65. The Cisco email security architecture. Inbound flow protection (threat defense): antispam, antivirus and Outbreak Filters. Outbound flow control (data security): encryption, data loss prevention. Management.
  • 66. Two-tier anti-spam defense (Cisco Anti-Spam, IMS, fed by Cisco SIO: what, who, when, where, how). Incoming mails are good, bad or unknown/suspicious. Good score: the mails are delivered. Intermediate score: the rate is limited and the messages are sent to the anti-spam engine. Bad score: the TCP connection is blocked and the messages are never received on the network. Block rate: > 99%; false positives: < 1 in 1 million.
  • 67. Two-tier anti-spam defense (repeat of slide 66).
  • 68. Two-tier anti-virus defense: Virus Outbreak Filters (zero-hour detection, dynamic quarantine, fed by Cisco SIO) plus a choice of anti-virus engines. Virus Outbreak Filters advantage (http://www.senderbase.org): average additional protection time: more than 13 hours; total attacks blocked: 291; total incremental protection: more than 157 days out of 360.
  • 69. Securing URLs in emails with Outbreak Filters. Sample phishing message from "Bank A" to pborges@email.com: "Information Update. Dear Mr. Paulo Roberto Borges, We are contacting you in order to inform about a mandatory update of your personal data, which is being conducted after Bank A and Bank B merge. To begin the update, please click on the link and download the protection program. Protection Module 3.0 (2011). Best regards, Bank A". Link before: http://www.threatlink.com. Link after rewriting: http://secure-web.cisco.com/auth=X&URL=www.threatlink.com
  • 70. Malware blocked. When the user clicks the rewritten link (http://secure-web.cisco.com...), Cisco Security displays: "The requested web page has been blocked. http://www.threatlink.com. Cisco Email and Web Security protects your organization's network from malicious software. Malware is designed to look like a legitimate email or website which accesses your computer, hides itself in your system, and damages files." Securing URLs in emails with Outbreak Filters.
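The rewrite-then-check flow of slides 69 and 70, combined with the good/intermediate/bad scoring bands of slides 66 and 78, as an added example (not Cisco's rewrite format or data): URLs in a message are replaced by gateway links that carry an authentication token, and at click time the gateway verifies the token, looks up the destination's reputation and allows, scans or blocks. The gateway host name, the HMAC token scheme and the reputation scores are constructed assumptions.

```python
"""Click-time URL protection as on slides 69-70, combined with the three-band
reputation policy of slides 66 and 78. Added example: the gateway host, the HMAC
token scheme and the reputation scores are constructed stand-ins for illustration,
not Cisco's rewrite format or data."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

GATEWAY = "https://secure-web.example.invalid/redirect"   # hypothetical rewrite host
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _token(key: bytes, url: str) -> str:
    """Short HMAC over the original URL so the gateway can reject tampered links."""
    return hmac.new(key, url.encode(), hashlib.sha256).hexdigest()[:16]


def rewrite_urls(body: str, key: bytes) -> str:
    """Replace every URL in an email body with a gateway link carrying an auth token."""
    def repl(m):
        url = m.group(0)
        return f"{GATEWAY}?auth={_token(key, url)}&URL={quote(url, safe='')}"
    return URL_RE.sub(repl, body)


def gateway_links(text: str) -> list:
    """The rewritten links found in a message, in order of appearance."""
    return [u for u in URL_RE.findall(text) if u.startswith(GATEWAY)]


def decide(score: float, good: float = 6.0, bad: float = -6.0) -> str:
    """Three-band policy: a good score allows, a bad score blocks, anything between is scanned."""
    if score >= good:
        return "allow"
    if score <= bad:
        return "block"
    return "scan"


def click(gateway_url: str, key: bytes, reputation: dict) -> tuple:
    """At click time: verify the token, look up the destination host, apply the policy."""
    q = parse_qs(urlsplit(gateway_url).query)
    url, auth = q["URL"][0], q["auth"][0]
    if not hmac.compare_digest(auth, _token(key, url)):
        return "block", "invalid token"          # forged or modified link
    host = urlsplit(url).hostname or ""
    score = reputation.get(host, 0.0)            # unknown hosts land in the scan band
    return decide(score), url


if __name__ == "__main__":
    key = b"constructed-demo-key"
    # Constructed reputation table; www.threatlink.com is the lure host of slide 69
    rep = {"www.threatlink.com": -8.5, "www.example.com": 8.0}
    body = "Please click http://www.threatlink.com/update or http://www.example.com/help"
    rewritten = rewrite_urls(body, key)
    print(rewritten)
    for link in gateway_links(rewritten):
        print(click(link, key, rep))
```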
  • 71. Outbreak Filters stop phishing and blended attacks.
  • 72. Advanced Malware Protection on ESA. Pipeline, fed by Cisco SIO: SenderBase reputation filtering (drop); anti-spam and spoofing prevention (drop); AV scanning and Advanced Malware Protection (drop/quarantine); real-time URL analysis (quarantine/rewrite URLs). Outcomes: deliver, quarantine, or rewrite URLs.
  • 73. Email Security, Cisco on Cisco: 3.5M emails (malware and spam) blocked every day. Emails, per month / per day / per employee per day / share: attempted: 124 M / 5.6 M / 73; blocked: 77 M / 3.5 M / 46 / 63%; delivered: 37 M / 1.7 M / 22 / 30%; delivered, marked "Marketing": 9 M / 0.4 M / 5 / 7%. ESA blocked emails, per month / per day / per employee per day / share: by reputation: 73 M / 3.3 M / 43 / 94%; by spam content: 4.3 M / 0.2 M / 3 / 5%; by invalid recipients: 0.4 M / 0.02 M / 0.25 / 1%.
  • 74. Why Cisco Email Security? Gartner Magic Quadrant, Email Security Gateways, 2013. The Magic Quadrant is copyrighted 2013 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Cisco.
  • 75. Cisco Web Security.
  • 76. The Cisco web security architecture, driven by Cisco Security Intelligence Operations (SIO). Protection: Layer 4 traffic monitor (on-premises), anti-malware defense. Control: URL filtering, Application Visibility and Control (AVC), Data Loss Prevention (DLP)*. Centralized management and reporting. Outcome per request: allow, limited access, or block. *Third-party DLP integration available on-premises.
  • 77. Layer 4 traffic monitor: detection of already infected workstations. Network layer analysis with packet and header inspection on the Cisco WSA between the users and the Internet; automatic anti-malware rules block malicious traffic. Scans all ports and protocols; detects malware that bypasses port 80; prevents zombies from communicating with their control server; automatic updates; real-time lists of malicious servers and IP addresses. Available on the WSA and on the ASA as the "Botnet Traffic Filter".
  • 78. Three-tier anti-malware defense. Requested URLs are scored by Cisco SIO. Good score: the site is displayed without being scanned. Intermediate score: the sites are scanned by one or more anti-malware engines, plus file reputation (AMP). Bad score: the site is blocked. SSL decryption based on category or reputation.
  • 79. Real-time anti-malware scanning: Dynamic Vectoring and Streaming. Heuristic and signature-based analysis: intelligent multi-scanning; multiple signature bases; decrypts SSL traffic when necessary; streaming-mode scanning to avoid latency problems; automatic updates. Heuristic detection identifies unusual behaviour; signature-based inspection recognizes known threats; multiple anti-malware engines run parallel scans in streaming mode.
  • 80. Advanced Malware Protection on WSA. At time of request, Cisco SIO feeds URL filtering (block, allow or warn) and the reputation filter (block or partial block). At time of response: Dynamic Content Analysis (DCA), signature-based anti-malware engines and Advanced Malware Protection (block).
  • 81. Demonstration.
  • 82. © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. 6.5M malicious sites blocked every day: Web Security Appliance, Cisco on Cisco. Cisco web traffic stats: 330-360M web visits/day; 6-7M (2%) blocked. WSA blocked transactions: 93.5% web reputation; 4.5% URL category; 2% anti-malware. Malware blocked in one day: 441K Trojan horses; 61K other malware; 29K encrypted files (monitored); 16.4K adware messages; 1K Trojan downloaders; 55 phishing URLs; 22 commercial system monitors; 5 worms; 3 dialers.
  • 83. Cloud Web Security: a cloud-based premium service. Real-time scanning of all inbound and outbound HTTP/S web content; robust, fast, scalable and reliable global datacenter infrastructure; flexible deployment options via the Cisco attach model and direct to cloud; full support for roaming users; centrally managed granular web filtering policies, with web 2.0 visibility and control; close to real-time reporting with cloud retention, as part of the standard offering.
  • 84. Global datacenter footprint: multiple datacenters, each with multiple (2x) proxies; SP-managed datacenter.
  • 85. Flexible deployment options. On-premises: appliance, virtual appliance, next-generation firewall, router, roaming. Cloud: cloud firewall, roaming. Connection methods and redirectors: WCCP, PAC file, explicit.
  • 86. Cisco Web Security Appliance: employees at headquarters and branches reach the Internet through the Cisco WSA. Consistent policy, security and reporting for all users; single-box solution for faster deployments and reduced complexity; uses AnyConnect for remote and mobile users; integrates easily into your existing Cisco infrastructure or AAA.
  • 87. AnyConnect Secure Mobility, form factor choice: the AnyConnect client redirects the mobile user either on-premises (WSA, ASA) or to Cloud Web Security.
  • 88. Cisco Cloud Web Security integration: employees at headquarters (Cisco ASA) and branch offices (Cisco ISR G2, over VPN) are redirected to Cloud Web Security. Eliminates backhaul; speeds deployment; extends the value of existing investments.
  • 89. Advanced threat defense: Advanced Malware Protection (AMP) adds file reputation and sandboxing as additional point-in-time protection; AMP file retrospection and Cognitive Threat Analytics (CTA) provide retrospective security and continuous analysis.
  • 90. Security across the whole attack continuum: CWS with AMP and CTA. BEFORE (discover, enforce, harden), DURING (detect, block, defend), AFTER (scope, contain, remediate). Controls mapped onto the continuum: web reputation, usage controls, application controls, malware signatures, Outbreak Intelligence, file reputation/sandbox (AMP), file retrospection (AMP), threat analytics and active reporting (CTA).
  • 91. CTA: analyzing network traffic behavior. Behavioral analysis, anomaly detection and machine learning identify potential threats. No more rule sets: it discovers threats on its own, just turn it on. Normal... or not? It spots symptoms of infection using behavioral anomaly detection algorithms and trust modeling. Security that evolves: uses machine learning to learn from what it sees and adapt over time. Reduced time to discovery: active, continuous monitoring to stop the spread of an attack.
  • 92. Why Cisco Web Security? Gartner Magic Quadrant, Web Security Gateways, 2013 (same Gartner notice as on slide 74).
  • 93. (Closing slide.)