Slides 70 to 93 (preview fragments: only the opening text of each slide was captured; truncations are marked with …)
  70. Malware blocked. The rewritten link http://secure-web.cisco.com… returns “The requested web page has been blocked” for http://www.threatlink.com. Cisco Ema…
  71. Outbreak Filters stop phishing and blended attacks.
  72. Advanced Malware Protection on the ESA: Cisco® SIO; SenderBase reputation filtering; anti-spam and spoofing prevention; AV scann…
  73. 3.5M emails blocked every day…
  74. Why Cisco Email Security …
  75. Cisco Web Security
  76. Cisco Security Intelligence Operations (SIO). The Cisco Web Security architecture: URL filtering; application visibility a…
  77. Layer 4 traffic monitor: detection of hosts that are already infected. Users; Cisco WSA; network-layer analysis; rules…
  78. Three-level anti-malware defense. Good score: the site is displayed without being scanned. Intermediate score: the sites are…
  79. Real-time anti-malware scanning: Dynamic Vectoring and Streaming; heuristic and signature-based analysis; multi-scann…
  80. Advanced Malware Protection on the WSA: WWW; time of request; time of response; Cisco® SIO; URL filtering; reputation filter; Dyn…
  81. Demonstration
  82. (© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential) 6.5M malicious sites blocked…
  83. Cloud Web Security: a cloud-bas…
  84. Multiple proxies within each d…
  85. Flexible deployment options, on- and off-premises. Deployment options: on-premises, cloud. Connection methods: cloud, firewall…
  86. Cisco Web Security Appliance: consistent policy, security and reporting for all users; single-box solution…
  87. AnyConnect Secure Mobility, form-factor choice: the AnyConnect client redirects to on-premises (WSA, ASA) or to the cloud; mobile…
  88. Cisco Cloud Web Security integration: eliminates backhaul; speeds deployment; extends the value of exi…
  89. Retrospective security and conti…
  90. Security across the whole atta…
  91. CTA: analyzing network traffi…
  92. Why Cisco Web Security? Gartner Magic Quadrant, Web Security Gateways, 2013. The Magic Quadrant is copyrighted 2013…
Cisco cybersecurity solutions

In 2014, cyber attacks are increasingly sophisticated, with real organisations dedicated to developing next-generation malware. Whether private companies or state institutions, everyone must protect themselves and be able to analyse and counter these new threats.

Cisco has brought innovative anti-malware protection solutions to the market. These solutions are now implemented in most Cisco security devices: in the web and mail proxies, but also in the IPS sensors, in dedicated appliances and on workstations.

Cisco makes its security expertise available to its customers, with real-time analysis of these attacks in the cloud and retrospective analysis of the events that preceded the attack.

It is all of these technologies that we invite you to discover in this presentation.

Transcript of “Cisco cybersecurity solutions”

  1. C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. Cybersecurity techniques. Frédéric HER, Security Consultant, Southern Europe, fher@cisco.com; Christophe SARRAZIN, Security Consultant, Southern Europe, csarrazi@cisco.com
  2. The problem today: new usages; constantly evolving threats; complexity and fragmentation.
  3. “We cannot solve a problem with the modes of thinking that created it.”
  4. The new security model: the attack continuum. BEFORE: discover, enforce, harden. DURING: detect, block, defend. AFTER: scope, contain, remediate. Applied across network, endpoint, mobile, virtual and cloud, moving from point-in-time to continuous protection.
  5. The evolution of threats and of the response. Viruses and worms: endpoint security (AV), 2000. Spyware and rootkits: network perimeter (IDS/IPS), 2005. APTs and cyber warfare: reputation and sandboxing, 2010. Increased attack surface (mobility and cloud): intelligence and analytics, today.
  6. Advanced cyber threats: users and applications; compromised site and exploit server (WWW); infiltrate; extend the attack surface; lateral movement; control (CNC); data exfiltration.
  7. Defending with intelligence: Cisco SIO. Questions at each control point: Is the SMTP connection legitimate? Is the content malicious or unwanted? Are zombies talking to CNC servers? Hostile actions or deviant users? Malicious content on the workstation? Inputs to Cisco Security Intelligence Operations: reputation, signatures, threat research, domain registration, content inspection, spam traps, honeypots, crawlers, blocklists and reputation, partnerships, platform-specific rules and logic.
  8. The extended coverage of Cisco SIO: 100 TB of security intelligence; 1.6M devices deployed; 13B web requests; 150,000 micro-applications; 1,000 applications; 93B email messages; 35% of enterprise email; 5,500 IPS signatures; 150M endpoints deployed; updates every 3-5 min; 5B email connections; 4.5B emails blocked.
  9. …and web exploits can be difficult to detect. Just a blog amongst plenty… One URL in the browser turns into: 162 HTTP GETs; 66 images from 18 domains, including 5 separate 1x1-pixel invisible tracking images; 87 scripts from 7 domains; 118 cookies from 15 domains; 8 Flash objects from 4 domains.
  10. …and web exploits can be difficult to detect. Just a blog amongst plenty… (illustration)
  11. Internet Explorer (IE) zero-day vulnerability: multiple attack vectors, multiple layers of defense. Timeline of the traditional response: Day 0, zero-day malware in the wild; Day 14, Cisco IPS signature, C&C server blocked; Day 16, first anti-virus signature deployed; Day 17, second anti-virus signature deployed, security advisory issued, IE patched; Day 18, third anti-virus signature deployed. Cisco SIO proactive defense: the zero-day malware is blocked by Cisco on Day 0. SIO cross-platform intelligence blocked the zero-day threat, blocked 40+ “parked” domains and blocked the exploit server and CNC: an 18-day lead time.
  12. Reputation in action. New York Times: victim of an attack via an advertisement. An apparently legitimate ad in reality generates 3 redirections through web links; final destination: protection-check07.com, a fake anti-virus. A pop-up imitating AV software asks the user to buy a program to clean the machine. Web reputation score: -9.3; default action: BLOCK. The NYT site itself is allowed, but the redirection to the malicious link is blocked.
  13. Consolidation of the attackers' servers. Knowing the reputation of these servers is very important. http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html
  14. Outbreak Intelligence: heuristic engines added on top of signatures and reputation.
  15. A PDF file is made of a header, a body of objects, a cross-reference table and a trailer. The anti-virus scans the file: we think we know the structure of a PDF file and what it should look like, and according to the signatures it is a clean file.
  16. The skeleton of such a file: %PDF-1.4 (version), %comments, 1 0 obj << /Type /Page >> endobj, 2 0 obj << /Type /Action /S /JS >> endobj, xref, trailer. We know which things can be exploited, so the scanlets decompose the file and analyse it, and the algorithms look for potential malicious exploitation. After inspection we find: no English words; incorrect headers; a high proportion of JavaScript content; specific JavaScript; “exploitable” functions; other indicators. OI decides that this file is potentially dangerous.
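The object-level reasoning on this slide is easy to reproduce outside a product. The following Python is an added example, not Cisco's Outbreak Intelligence scanlets: it splits an uncompressed PDF into its `N G obj … endobj` spans and scores the indicators the slide lists (a header that is not at byte 0, JavaScript and OpenAction entries, the share of the file taken up by script objects, exploit-style calls such as unescape/eval, and the absence of readable words). The indicator weights, the threshold and both sample documents are constructed for the example; a real scanner would also inflate FlateDecode streams, which this one does not.

```python
"""Heuristic PDF triage on structure rather than byte signatures.

Added example, not Cisco's Outbreak Intelligence scanlets. The parser is a
minimal regex pass over an uncompressed PDF; indicator weights, the threshold
and the two sample documents are constructed for this example.
"""
import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)

# Dictionary keys that let a document run code or programs when it is opened
# (standard PDF features; the weights are this example's assumption).
ACTIVE_KEYS = {
    b"/OpenAction": 2,   # action executed when the document opens
    b"/AA": 2,           # additional (automatic) actions
    b"/JavaScript": 3,   # JavaScript action or name tree
    b"/JS": 3,           # inline script or script stream
    b"/Launch": 4,       # launches an external program
}
# Calls typical of heap-spray style PDF exploits (the slide's "exploitable functions").
SUSPICIOUS_JS = [b"unescape(", b"eval(", b"String.fromCharCode(", b"util.printf("]
THRESHOLD = 5


def parse_objects(pdf: bytes) -> list:
    """Return (object number, body) for every 'N G obj ... endobj' span."""
    return [(int(m.group(1)), m.group(3)) for m in OBJ_RE.finditer(pdf)]


def analyse_pdf(pdf: bytes) -> dict:
    """Score one PDF on structural indicators; return score, findings and verdict."""
    findings, score, js_bytes = [], 0, 0

    # 1. Header check: readers tolerate junk before %PDF-1.x, byte signatures
    #    anchored at offset 0 often do not.
    if not re.match(rb"%PDF-[12]\.\d", pdf):
        findings.append("incorrect header")
        score += 2

    objects = parse_objects(pdf)
    for num, body in objects:
        # 2. Active-content keys in the object dictionary.
        for key, weight in ACTIVE_KEYS.items():
            if key in body:
                findings.append(f"obj {num}: {key.decode()}")
                score += weight
        if b"/S /JavaScript" in body or b"/S /JS" in body:
            js_bytes += len(body)
            # 3. Specific JavaScript calls seen in exploits.
            for call in SUSPICIOUS_JS:
                if call in body:
                    findings.append(f"obj {num}: {call.decode()[:-1]}")
                    score += 2

    # 4. Share of the file taken up by script-bearing objects.
    js_ratio = js_bytes / max(len(pdf), 1)
    if js_ratio > 0.25:
        findings.append(f"high JavaScript proportion ({js_ratio:.0%})")
        score += 3

    # 5. A "document" that draws no readable words at all is unusual.
    shown = re.findall(rb"\(([^()]*)\)\s*Tj", pdf)
    if not any(re.search(rb"[A-Za-z]{3,}", s) for s in shown):
        findings.append("no readable words")
        score += 1

    verdict = "potentially dangerous" if score >= THRESHOLD else "clean"
    return {"score": score, "findings": findings, "verdict": verdict}


# Constructed samples: a one-page report and a minimal JavaScript dropper.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 44 >> stream\n"
    b"BT /F1 12 Tf (Quarterly report attached) Tj ET\nendstream endobj\n"
    b"xref\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
MALICIOUS_PDF = (
    b"    %PDF-1.4\n"   # header pushed off offset 0
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Action /S /JavaScript /JS (var s=unescape('%u9090%u9090"
    b"%u4141%u4141'); while(s.length<0x40000) s+=s; eval(s);) >> endobj\n"
    b"3 0 obj << /Type /Page >> endobj\n"
    b"xref\ntrailer\n"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        print(name, analyse_pdf(doc))
```

The point of the scoring is that no single indicator is decisive: a report with one OpenAction that opens at page 2 is normal, but a document whose header is misplaced, whose only content is an action object full of unescape/eval, and which draws no text, accumulates enough weight to be quarantined before any signature for that specific payload exists.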
  17. Outbreak Intelligence versus signature detection. This chart shows the daily share of threats blocked by OI and by traditional AV signatures. In 2013, 22% of the malware coming from the Internet was blocked by Cisco Outbreak Intelligence before signatures were available. (Chart: daily blocks, 2013, source Cisco Cloud Web Security; series Signature and Outbreak Intelligence™; y-axis 0% to 100%, x-axis 1 January 2013 to 1 December 2013.)
  18. Outbreak Intelligence versus signature detection (continued).
  19. Cisco AMP
  20. Cisco Collective Security Intelligence: Cisco SIO plus the Sourcefire VRT® (Vulnerability Research Team), collective security intelligence for the broadest visibility on the Internet. 1.6 million global sensors; 100 TB of data received per day; 150 million+ deployed endpoints; 600+ engineers, technicians and researchers; 35% of worldwide email traffic; 13 billion web requests; 24x7x365 operations; 40+ languages; 180,000+ file samples per day; the FireAMP™ community; advanced Microsoft and industry disclosures; the Snort and ClamAV open-source communities; honeypots; the Sourcefire AEGIS™ program; private and public threat feeds; dynamic analysis. The intelligence feeds protection for email, endpoints, web, networks and IPS devices.
  21. AMP: reputation filtering and behavioral detection. Techniques shown: SHA-256 lookup; hash plus details; structural information (referenced DLLs, PE header); VRT correlation; AV; sandboxing; network monitoring.
  22. Point-in-time detection versus retrospective detection. Antivirus and sandboxing: initial disposition = clean, analysis stops, actual disposition = bad = too late! They are blind to the scope of compromise (sleep techniques, unknown protocols, encryption, polymorphism) and are not 100%. Cisco-Sourcefire: initial disposition = clean, but analysis continues beyond the event horizon; actual disposition = bad = blocked; it turns back time. Visibility and control are key.
  23. Retrospective security: always watching, never forgets, turns back time. Trajectory: determine scope by tracking malware in motion and activity. File Trajectory: visibility across the organization, centering on a given file. Device Trajectory: deep visibility into file activity on a single system. Continuous analysis: retrospective detection of malware beyond the event horizon.
  24. File Trajectory (network and endpoint) looks ACROSS the organization and answers: What systems were infected? Who was infected first (“patient 0”) and when did it happen? What was the entry point? When did it happen? What else did it bring in? Quickly understand the scope of the malware problem.
  25. An unknown file is present on IP 10.4.10.183, having been downloaded with Firefox. At 10:57 the unknown file is transferred from 10.4.10.183 to 10.5.11.8. Seven hours later the file is transferred to a third device (10.3.4.51) using an SMB application. Half an hour later the file is copied to a fourth device (10.5.60.66) through the same SMB application. The Cisco Collective Security Intelligence Cloud then learns that this file is malicious, and a retrospective event is raised for all four devices immediately. At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware. 8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
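The chain of events on this slide is what a trajectory index has to support: every sighting of a hash is recorded while the disposition is still unknown, and a later verdict is applied backwards to every host that held the file. The following Python is an added example, not FireAMP code; it replays the slide with constructed timestamps (the download time, the application used for the first copy and the source host of each later copy are not stated on the slide and are assumed here).

```python
"""File Trajectory with a retrospective disposition change.

Added example, not FireAMP code. It replays the four-host spread on this
slide: timestamps are minutes since midnight, and the download time, the
application used for the first copy and the source host of each later copy
are assumptions, since the slide does not state them.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Sighting:
    ts: int                    # minutes since midnight (constructed)
    host: str
    via: str                   # application that brought or moved the file
    source: str | None = None  # host the copy came from; None = entry from outside


@dataclass
class FileRecord:
    disposition: str = "unknown"
    sightings: list[Sighting] = field(default_factory=list)


class TrajectoryTracker:
    """Indexes every sighting of a SHA-256 so a later verdict can be applied backwards."""

    def __init__(self) -> None:
        self.files: dict[str, FileRecord] = {}

    def observe(self, sha256: str, ts: int, host: str, via: str,
                source: str | None = None) -> str:
        """Record a sighting. Known-bad hashes are blocked at the point of entry;
        unknown ones are allowed but remembered for later."""
        rec = self.files.setdefault(sha256, FileRecord())
        if rec.disposition == "malicious":
            return "blocked"
        rec.sightings.append(Sighting(ts, host, via, source))
        return "allowed"

    def update_disposition(self, sha256: str, disposition: str) -> list[str]:
        """Apply a cloud verdict. A change to 'malicious' raises a retrospective
        event for every host that ever held the file, so each can quarantine it."""
        rec = self.files.setdefault(sha256, FileRecord())
        rec.disposition = disposition
        return self.scope(sha256) if disposition == "malicious" else []

    def scope(self, sha256: str) -> list[str]:
        return sorted({s.host for s in self.files[sha256].sightings})

    def patient_zero(self, sha256: str) -> tuple[str, str]:
        first = min(self.files[sha256].sightings, key=lambda s: s.ts)
        return first.host, first.via

    def spread_path(self, sha256: str) -> list[str]:
        """Time-ordered edges 'source -> host (application)'."""
        return [f"{s.source or 'internet'} -> {s.host} ({s.via})"
                for s in sorted(self.files[sha256].sightings, key=lambda s: s.ts)]


SHA = "a" * 64   # placeholder hash for the unknown file (constructed)


def replay_slide_scenario() -> dict:
    """Replay slide 25: spread to four hosts, cloud verdict, blocked re-entry."""
    t = TrajectoryTracker()
    t.observe(SHA, 650, "10.4.10.183", "firefox")                    # download (time assumed)
    t.observe(SHA, 657, "10.5.11.8", "smb", source="10.4.10.183")    # 10:57
    t.observe(SHA, 1077, "10.3.4.51", "smb", source="10.5.11.8")     # seven hours later
    t.observe(SHA, 1107, "10.5.60.66", "smb", source="10.3.4.51")    # half an hour later
    retro = t.update_disposition(SHA, "malicious")                   # cloud learns it is bad
    reentry = t.observe(SHA, 1130, "10.4.10.183", "firefox")         # 8 h after first attack
    return {"retro_events": retro, "patient_zero": t.patient_zero(SHA),
            "path": t.spread_path(SHA), "reentry": reentry}


if __name__ == "__main__":
    for k, v in replay_slide_scenario().items():
        print(k, v)
```

The retrospective event list is exactly the scope question of slide 24 answered after the fact, and patient zero and the spread path come from the same index; a point-in-time scanner that discarded the clean verdicts would have none of this to work with.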
  26. Device Trajectory (endpoint) looks DEEP into a device and helps answer: How did the threat get onto the system? How bad is my infection on a given device? What communications were made? What don't I know? What is the chain of events?
  27. AMP is context-aware: data shows the bad and the good; context helps you decide about the rest.
  28. The power of continuous analysis. Point-in-time security sees a lighter, a bullet, a cufflink, a pen and a cigarette case… Wouldn't it be nice to know if you're dealing with something more deadly?
  29. File analysis: fast and safe file forensics. FireAMP and clients submit the infected file (hash shown on the slide: 4E7E9331D22190FD41CACFE2FC843F…, truncated) to the Cisco-Sourcefire VRT sandbox. VRT-powered insight into advanced malware behavior; the original file, a network capture and screenshots of the malware execution; understand root cause and remediation. Advanced malware analysis without advanced investment.
  30. File extraction and sandbox execution: 1) file capture from network traffic; 2) file storage; 3) send to the sandbox (Collective Security Intelligence); 4) execution report available in FireSIGHT Management; malware alert.
  31. FireAMP for Endpoints (Windows, Mac OS X, Android) with the AMP Cloud: managed and deployed from the cloud; file activity (create/edit/move/execute); one-to-one, Spero and Ethos detection; simple and advanced custom detections; retrospective alerting and quarantine; application control; network flow correlation; black/white lists; dynamic analysis.
  32. FireSIGHT Management Console with an ASA running the Sourcefire sensor (FirePOWER Services on the ASA): the file disposition is queried against the AMP Cloud (SHA-256, Spero), and the file is submitted for dynamic analysis to the VRT Dynamic Analysis Cloud. Endpoint connectors: Windows, Mac OS X, Android.
  33. AMP Everywhere: FireSIGHT Management (events and correlation); FireAMP on the endpoint; FirePOWER and ASA (NGFW) on the network; ESA, WSA and CWS at the gateway; Dynamic Analysis as the sandbox; cloud-connected or on-premises with the FireAMP Private Cloud (appliance). Cisco has the most comprehensive strategy for Advanced Malware Protection.
  34. NSS Labs breach detection systems security value map (April 2014): https://www.nsslabs.com/reports/breach-detection-systems-bds-comparative-analysis-report
  35. Cisco Threat Defense
  36. Defense strategies. Signature/reputation-based threat detection at the network perimeter: firewalls, IPS/IDS, honeypots, email content inspection, web content inspection. Behavioral-based threat detection in the network interior: Cisco's Cyber Threat Defense Solution.
  37. Example targeted attack (kill chain): initial infection by a 0-day through a malicious USB stick, social engineering, an email with a malicious attachment, a public WLAN man-in-the-middle, a malicious Office document, a hardware key logger, a server application vulnerability, a drive-by download, or any other attack vector…
  38. Kill chain, post-breach: the final target is reached and the security infrastructure bypassed. A command and control channel to the C&C server enables data leakage, damage and data manipulation (e.g. of source code).
  39. Collect information by NetFlow: track the attacker. A Flexible NetFlow record as shown by the router (upper-case fields are the key fields of the flow, lower-case fields are the collected non-key fields):
Router# show flow monitor CYBER-MONITOR cache
…
IPV4 SOURCE ADDRESS: 192.168.100.100
IPV4 DESTINATION ADDRESS: 192.168.20.6
TRNS SOURCE PORT: 47321
TRNS DESTINATION PORT: 443
INTERFACE INPUT: Gi0/0/0
IP TOS: 0x00
IP PROTOCOL: 6
ipv4 next hop address: 192.168.20.6
tcp flags: 0x1A
interface output: Gi0/1.20
counter bytes: 1482
counter packets: 23
timestamp first: 12:33:53.358
timestamp last: 12:33:53.370
ip dscp: 0x00
ip ttl min: 127
ip ttl max: 127
application name: nbar secure-http
…
  40. How does it work in a network? Baselining and anomaly detection based on NetFlow.
  41. Stop security problems BEFORE they become crises. (Chart: impact to the business in $ over time.) Company with legacy monitoring tools: attack onset, then credit card data compromised, attack identified, vulnerability closed, well inside the crisis region. “Worm outbreaks can impact revenue by up to $250k per hour.” (F500 media conglomerate)
  42. The same chart for a company with StealthWatch: early warning, attack identified, attack thwarted, vulnerability closed, before the crisis region. StealthWatch reduces MTTK. “Worm outbreaks can impact revenue by up to $250k per hour. StealthWatch pays for itself in 30 minutes.” (F500 media conglomerate)
  43. Attack penetration, propagation and exfiltration: network reconnaissance; internally propagating malware; botnet command and control; data leakage.
  44. NetFlow v5 and NetFlow v9: which to use for threat detection? NetFlow v5 captures essential information regarding traffic patterns: source/destination IP and port; packet counts; byte counts; flow duration; input/output interfaces. It is useful for Layer 3 and 4 traffic-pattern analysis. NetFlow v9 extends v5 by adding: numerous TCP flags/counters; flow direction; fragmentation flags; ICMP and IGMP info; header stats; time-to-live; DSCP/ToS info; destination routing info. It provides insight into malformed packets, protocol manipulation and direction of traffic. NetFlow v5 is useful; however, NetFlow v9 delivers deeper insight.
  45. Introduction to NBAR (Network-Based Application Recognition). Traditional NetFlow keys on the data-link, IP and TCP/UDP headers: interface, ToS, protocol, source IP address, destination IP address, source port, destination port. Flexible NetFlow with NBAR adds deep packet (payload) inspection of the data: it classifies traffic by protocol (Layers 4 to 7), supports over 600 applications and protocols, provides visibility into which application protocols are running on which ports and to where, and is useful in identifying stealthy behaviour (e.g. hiding file transfers over port 80).
  46. Developing patterns through context: identity and application visibility. Users and devices: Cisco Identity Services Engine (ISE). Applications: Network-Based Application Recognition (NBAR). Firewall flows: NetFlow Secure Event Logging (NSEL).
  47. CTD architecture, minimum required components: the StealthWatch Management Console (reached over HTTPS), the StealthWatch FlowCollector (receives the flows), and the flow exporters: the Cisco ASA firewall and NetFlow/sFlow-enabled Cisco routers and switches. Unified security monitoring.
  48. Cyber Threat Defense Solution (CTD) overview. StealthWatch FlowCollector*; StealthWatch Management Console* (management over SSL); StealthWatch FlowReplicator (optional, replicates NetFlow and other protocols to other traffic analysis software); Cisco ISE; StealthWatch FlowSensor* or Cisco NetFlow Generation Appliance (NGA) (optional, monitors traffic and generates NetFlow for devices that cannot export it); NetFlow-enabled devices export directly. * Virtual or physical edition.
  49. Scalability. Flow exporters: physical and virtual routers and switches, FlowSensor and FlowSensor VE. Flow collectors: StealthWatch FC for NetFlow, up to 2,000 exporters and/or 120,000 flows per second per collector, up to 25 collectors per StealthWatch system, 3 million flows per second overall. Management and reporting: StealthWatch Management Console, x2 for full redundancy between primary and secondary; a user interface with customizable views for the virtualization, network and security teams.
  50. CSIRT NetFlow collection at Cisco: RTP, San Jose, Amsterdam, Bangalore, Sydney, Tokyo; 15.6 billion flows per day; 90-day retention.
  51. Cisco CTD Solution dashboard: active alarms, alarms, top applications, flow collection trend.
  52. Cisco CTD Solution: attack detection without signatures. A high Concern Index indicates a significant number of suspicious events that deviate from established baselines. Example row: host group Desktops; host 10.10.101.118; CI 338,137,280; CI% 8656%; alarm High Concern Index; alerts Ping, Ping_Scan, TCP_Scan. Monitor and baseline activity for a host and within host groups.
  53. The art is putting it in the right context: not everything is what it seems to be…
  54. The art is putting it in the right context: …this use case might be different.
  55. Obtain context through Cisco ISE: attribute flows and behaviors to a user and a device. Example alarm: policy Desktops & Trusted Wireless; start active time Jan 3, 2013; alarm Suspect Data Loss; source 10.10.101.89; source host groups Atlanta, Desktops; source user name John Chambers; device type Apple-iPad; switch port Cat 7/42.
  56. Detecting command and control. What to analyze: countries; applications; upload/download ratio; time of day; repeated connections; beaconing (repeated dead connections); long-lived flows; known C&C servers; periodic “phone home” activity. StealthWatch methods of detection: Host Lock Violation, Suspect Long Flow, Beaconing Host. Scenario: a bot-infected host with attempted C&C, a bot-infected host with successful C&C, and the bot command and control server.
  57. Zeus credential capture example: the user logs into cisco.com with userid and password.
  58. Zeus detection: alarm details.
  59. Detecting suspect data loss. Example alarm: policy Inside Hosts; start active time 8-Feb-2012; alarm Suspect Data Loss; source 10.34.74.123; source host group Wired Data; source username Bob; target Multiple Hosts; details: observed 4.08 GB, while the policy maximum allows up to 81.92 MB.
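The methods on slides 52, 56 and 59, and the port-versus-application check of slide 45, all reduce to arithmetic over flow records, which is why they need no signatures. The Python below is an added example, not StealthWatch code: it runs a baseline-relative Concern Index, Beaconing Host, Suspect Long Flow, Suspect Data Loss and an NBAR port/application mismatch over one constructed set of flows. The inside addresses are borrowed from the slides' examples, the outside addresses are documentation ranges, and the thresholds, the inside address prefix and the per-host baseline are assumptions.

```python
"""Behavioral detection on NetFlow records, without signatures.

Added example, not StealthWatch code. One constructed flow set exercises a
baseline-relative Concern Index (slide 52), Beaconing Host and Suspect Long
Flow (slide 56), Suspect Data Loss (slide 59) and the NBAR port-versus-
application check (slide 45). Thresholds and the inside prefix are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes from src to dst (records already paired per connection)
    first: int       # epoch seconds
    last: int
    app: str         # NBAR application name


def is_inside(ip: str) -> bool:
    return ip.startswith("10.")          # constructed inside address space


def outbound(flows):
    return [f for f in flows if is_inside(f.src) and not is_inside(f.dst)]


def concern_index(flows, baseline_targets):
    """CI%: distinct (dst, port) targets per inside host relative to its baseline."""
    targets = defaultdict(set)
    for f in flows:
        if is_inside(f.src):
            targets[f.src].add((f.dst, f.dport))
    return {h: round(100 * len(t) / baseline_targets.get(h, 1)) for h, t in targets.items()}


def beaconing_hosts(flows, min_conns=6, max_jitter=0.1):
    """Beaconing Host: repeated outside connections at near-constant intervals."""
    starts = defaultdict(list)
    for f in outbound(flows):
        starts[(f.src, f.dst, f.dport)].append(f.first)
    alarms = []
    for (src, dst, dport), ts in starts.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]   # relative std-dev of gaps = jitter
        if len(ts) >= min_conns and pstdev(gaps) / mean(gaps) <= max_jitter:
            alarms.append({"src": src, "dst": dst, "dport": dport, "period_s": round(mean(gaps))})
    return alarms


def suspect_long_flows(flows, max_seconds=6 * 3600):
    """Suspect Long Flow: a connection held open far longer than normal sessions."""
    return [f for f in outbound(flows) if f.last - f.first > max_seconds]


def suspect_data_loss(flows, policy_max_bytes):
    """Suspect Data Loss: bytes pushed outside by one host exceed the policy maximum."""
    totals = defaultdict(int)
    for f in outbound(flows):
        totals[f.src] += f.bytes_out
    return {h: n for h, n in totals.items() if n > policy_max_bytes}


def port_app_mismatch(flows, expected=None):
    """NBAR: the recognised application does not match the well-known port."""
    expected = expected or {80: "http", 443: "secure-http"}
    return [f for f in flows if f.dport in expected and f.app != expected[f.dport]]


# Constructed sample: a beaconing and scanning desktop, a normal desktop, and a
# host exfiltrating over port 80 (slide 59 volume) while also using a file share.
T0 = 1_700_000_000
BROWSE = [0, 47, 410, 1220, 1300, 2900]      # irregular, human-driven timing
SAMPLE_FLOWS = (
    [Flow("10.10.101.118", "203.0.113.7", 443, 420, T0 + 300 * i, T0 + 300 * i + 1, "secure-http")
     for i in range(8)]                                              # phone home every 300 s
    + [Flow("10.10.101.118", f"10.20.0.{i}", 22, 60, T0 + i, T0 + i, "ssh")
       for i in range(1, 41)]                                        # TCP scan of 40 hosts
    + [Flow("10.10.101.89", "198.51.100.20", 443, 3_000 + 700 * i, T0 + t, T0 + t + 9, "secure-http")
       for i, t in enumerate(BROWSE)]                                # ordinary browsing
    + [Flow("10.34.74.123", "192.0.2.55", 80, 4_080_000_000, T0, T0 + 7 * 3600, "ftp-data")]
    + [Flow("10.34.74.123", "10.1.1.5", 445, 500_000_000, T0, T0 + 60, "cifs")]
)
BASELINE_TARGETS = {"10.10.101.118": 1, "10.10.101.89": 1, "10.34.74.123": 2}  # learned norm


def run_all(flows, policy_max_bytes=81_920_000):
    return {
        "concern_index_pct": concern_index(flows, BASELINE_TARGETS),
        "beaconing": beaconing_hosts(flows),
        "long_flows": [f.src for f in suspect_long_flows(flows)],
        "data_loss": suspect_data_loss(flows, policy_max_bytes),
        "port_app_mismatch": [(f.src, f.dport, f.app) for f in port_app_mismatch(flows)],
    }
```

Calling `run_all(SAMPLE_FLOWS)` yields a Concern Index of 4100% for the scanning desktop against 100% for the others, one beaconing alarm with a 300 s period, and the port-80 "ftp-data" connection appearing in all three of long flow, data loss and port/application mismatch. The internal file-share copy of the same size never alarms because the data-loss and long-flow checks are restricted to outbound flows, which is the kind of context slide 53 warns about: the same byte count means different things depending on where it goes.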
  60. 60. 60 Infection Tracking Tertiary Infection Secondary Infection Initial Infection 6
  61. 61. 6161 Cisco Email Security
  62. 62. 62C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential L’évolution des menaces provenant de l’Email Menaces ???? Demain BAS VOLUMES HAUTE VALEUR $$ Aujourd’hui VOLUMES ELEVES VALEUR $$ BASSE Passé Attaques ciblées Targeted Phishing Covert, Sponsored Targeted Attacks Blended Threats Advanced Persistent Threats Phishing Spam Attachment-based Slammer Worms Network Evasions Polymorphic Code Code Red Image Spam Alertes Virales Custom URL Botnets Conficker Stuxnet
  63. 63. 63C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Il y a une grande volatilité Retour à plus de 85% de spams http://www.senderbase.org/static/spam/#tab=1
  64. 64. 64 Pourquoi la réputation est fondamentale Aggrégation et Corrélation de milliards de données dans un seul score
  65. 65. 65C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Management L’architecture de Sécurité Email Cisco Antivirus & Outbreak Filters Défense face aux menaces Antispam Sécurité des Données Chiffrement Data Loss Prevention Protection Flux Entrants Contrôle des Flux Sortants
  66. Two-tier anti-spam defense
      Incoming mail: good, bad, or unknown/suspicious
      Good score: the mail is delivered
      Intermediate score: throughput is rate-limited and the messages are passed to the anti-spam engine
      • Block rate: > 99%
      • False positives: < 1 in 1 million
      Bad score: the TCP connection is blocked and the messages never enter the network
      (Diagram labels: What (Cisco Anti-Spam, IMS), When, Who, How, Where; Cisco SIO)
  68. Two-tier anti-virus defense
      Virus Outbreak Filters advantage (http://www.senderbase.org):
      • Average additional protection time: more than 13 h
      • Total attacks blocked: 291
      • Total incremental protection: more than 157 days out of 360
      (Diagram labels: Virus Filter; Dynamic Quarantine; Cisco SIO; Virus Outbreak Filters; anti-virus engines; zero-hour detection; choice of engines)
  69. Securing URLs in email with Outbreak Filters
      Sample message: "Information Update. Dear Mr. Paulo Roberto Borges, We are contacting you in order to inform about a mandatory update of your personal data, which is being conducted after Bank A and Bank B merge. To begin the update, please click on the link and download the protection program. Protection Module 3.0 (2011). Best regards, Bank A" (from Bank A, pborges@email.com)
      Before: http://www.threatlink.com
      After: http://secure-web.cisco.com/auth=X&URL=www.threatlink.com
  70. Securing URLs in email with Outbreak Filters: malware blocked
      http://secure-web.cisco.com… "The requested web page has been blocked: http://www.threatlink.com. Cisco Email and Web Security protects your organization's network from malicious software. Malware is designed to look like a legitimate email or website which accesses your computer, hides itself in your system, and damages files." (Cisco Security)
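Slides 69 and 70 show the mechanism: every link in a message is rewritten to point at a scanning proxy, and the verdict is made when the user clicks, against the reputation the destination has at that moment. The block below is an added example, not Cisco Outbreak Filters code. The proxy host, the HMAC token scheme (the slide only shows `auth=X&URL=...`), and the message text are assumptions; the message reuses the lure text from the slide.

```python
"""Click-time URL protection for email: rewrite links so they resolve through a
scanning proxy when clicked, not when the mail arrived.  Added example, not
Cisco code; proxy host, token scheme and sample message are constructed."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

PROXY = "https://proxy.example.net/click"   # hypothetical click-time scanning proxy
SECRET = b"constructed-shared-secret"       # shared by the rewriter and the proxy

# A URL ends at whitespace or a quote/bracket; trailing sentence punctuation is not part of it.
URL_RE = re.compile(r"https?://[^\s<>\"']*[^\s<>\"'.,;:!?)]")


def sign(url: str) -> str:
    """Token binding a proxy link to one destination, so the proxy refuses links it did not mint."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:32]


def rewrite_url(url: str) -> str:
    return PROXY + "?" + urlencode({"auth": sign(url), "URL": url})


def rewrite_body(body: str) -> str:
    """Rewrite every link in a plain-text body; links already pointing at the proxy are left alone."""
    def repl(m):
        url = m.group(0)
        return url if url.startswith(PROXY) else rewrite_url(url)
    return URL_RE.sub(repl, body)


def resolve_click(proxy_url: str, is_malicious) -> tuple:
    """Proxy side: verify the token, then consult reputation *now*, since a link that was
    clean at delivery time may have turned malicious since.  `is_malicious(url)` stands in
    for the reputation lookup so the example runs offline."""
    q = parse_qs(urlparse(proxy_url).query)
    url = q.get("URL", [None])[0]
    auth = q.get("auth", [None])[0]
    if url is None or auth is None or not hmac.compare_digest(auth, sign(url)):
        return ("reject", None)          # missing or forged token
    if is_malicious(url):
        return ("block", url)            # show the blocked-page notice from slide 70
    return ("redirect", url)


# Constructed sample message built from the lure text on the slide.
SAMPLE_MAIL = (
    "Dear Mr. Paulo Roberto Borges,\n"
    "To begin the update, please click on the link and download the protection program.\n"
    "http://www.threatlink.com.\n"
    "Best regards, Bank A\n"
)

if __name__ == "__main__":
    protected = rewrite_body(SAMPLE_MAIL)
    print(protected)
    link = URL_RE.search(protected).group(0)
    print(resolve_click(link, lambda u: "threatlink" in u))
```

The token matters for two reasons: without it the proxy becomes an open redirector that anyone can point at any destination, and with it a rescanned message (the rewriter is idempotent on already-rewritten links) keeps exactly one hop through the proxy.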
  71. Outbreak Filters stop phishing and blended attacks
  72. Advanced Malware Protection on the ESA
      Pipeline stages: Cisco SIO; SenderBase Reputation Filtering; Anti-Spam & Spoofing Prevention; AV Scanning & Advanced Malware Protection; Real-time URL Analysis
      Actions shown per stage: Drop; Drop; Drop/Quarantine; Drop/Quarantine; Quarantine/Re-write
      Final outcomes: Deliver, Quarantine, Re-write URLs
  73. 3.5M emails blocked each day (Email Security: Cisco on Cisco)
      Emails delivered | Emails / mo | Emails / day | Emails / employee / day | %
      Attempted | 124 M | 5.6 M | 73 | -
      Blocked | 77 M | 3.5 M | 46 | 63%
      Delivered | 37 M | 1.7 M | 22 | 30%
      Delivered, marked "Marketing" | 9 M | 0.4 M | 5 | 7%
      ESA blocked emails | Emails* / mo | Emails / day | Emails / employee / day | %
      By reputation | 73 M | 3.3 M | 43 | 94%
      By spam content | 4.3 M | 0.2 M | 3 | 5%
      By invalid recipients | 0.4 M | 0.02 M | 0.25 | 1%
      (Chart labels: Malware, Spam)
  74. Why Cisco Email Security? Gartner Magic Quadrant, Email Security Gateways, 2013
      The Magic Quadrant is copyrighted 2013 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Cisco.
  75. Cisco Web Security
  76. The Cisco Web Security architecture
      Cisco Security Intelligence Operations (SIO)
      Protection: URL filtering; Application Visibility and Control (AVC); Data Loss Prevention (DLP)*; Layer 4 Traffic Monitor (on-premises); anti-malware defense
      Control; centralized management & reporting
      Outcomes per request: Allow WWW; Limited access WWW; Block WWW
      *Third-party DLP integration available on-premises
  77. Layer 4 Traffic Monitor: detecting hosts that are already infected
      Users -> Cisco WSA -> Internet. Network-layer analysis; automatic anti-malware rules; blocks malicious traffic
      • Scans all ports and protocols
      • Detects malware that bypasses port 80
      • Prevents zombies from communicating with their control server
      • Automatic updates
      • Real-time lists of malicious servers and IP addresses
      Packet and header inspection. Available on the WSA and on the ASA as the "Botnet Traffic Filter"
  78. Three-tier anti-malware defense
      Requested URLs are scored by Cisco SIO:
      Good score: the site is served without being scanned
      Intermediate score: the site is scanned by one or more anti-malware engines
      Bad score: the site is blocked
      SSL decryption based on category or reputation; + File Reputation (AMP); BLOCKED
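Slides 66 and 78 describe the same pattern for SMTP and HTTP: a reputation score decides up front whether to trust, refuse, or inspect, and only the middle tier pays for content scanning (and, on the mail side, is rate-limited). The block below is an added example of that tiering, not Cisco ESA/WSA code; the score range (-10 worst to +10 best, SenderBase style), the two thresholds and the token-bucket throttle are assumptions.

```python
"""Reputation-tiered admission for inbound SMTP (slide 66) and web requests (slide 78).
Added example, not Cisco code.  Score range, thresholds and the throttle are assumptions."""

GOOD_SCORE = 2.0    # at or above: trusted, deliver / serve without the expensive scan
BAD_SCORE = -5.0    # at or below: known bad, refuse before any content is accepted


def tier(score: float) -> str:
    """Bucket a reputation score into 'good', 'suspect' or 'bad'."""
    if score <= BAD_SCORE:
        return "bad"
    if score >= GOOD_SCORE:
        return "good"
    return "suspect"


class TokenBucket:
    """Per-key rate limiter with an explicit clock, so decisions are reproducible."""

    def __init__(self, rate_per_s: float, burst: int):
        self.rate = rate_per_s
        self.burst = burst
        self._state = {}  # key -> (tokens, time of last refill)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._state.get(key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self._state[key] = (tokens - 1.0 if ok else tokens, now)
        return ok


def smtp_decision(score: float, sender_ip: str, limiter: TokenBucket, now: float) -> str:
    """Good senders are delivered, bad senders never get a session, and the middle
    tier is throttled and passed through the anti-spam engine."""
    t = tier(score)
    if t == "bad":
        return "refuse-connection"      # TCP-level block: no message bytes enter the network
    if t == "good":
        return "accept"
    if limiter.allow(sender_ip, now):
        return "accept-then-antispam"   # content inspection only for this tier
    return "tempfail"                   # 4xx: the sender must retry later


def web_decision(score: float, url: str, scan) -> str:
    """Good sites are served unscanned, bad sites are blocked, suspect sites go to the
    anti-malware engines.  `scan(url)` returns True when an engine finds malware."""
    t = tier(score)
    if t == "bad":
        return "block"
    if t == "good":
        return "serve"
    return "block" if scan(url) else "serve-after-scan"


if __name__ == "__main__":
    limiter = TokenBucket(rate_per_s=1.0, burst=2)
    for i in range(4):
        print("smtp, suspect sender, try", i, "->", smtp_decision(0.0, "198.51.100.7", limiter, 100.0))
    print("web, suspect site ->", web_decision(0.0, "http://example.com/", lambda u: False))
```

The point of the design is cost: refusing at the TCP handshake or serving a trusted site unscanned is nearly free, so the expensive engines only ever see the unknown middle, and a burst from one suspect sender is smoothed out by the bucket before it reaches the anti-spam engine.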
  79. Real-time anti-malware scanning: Dynamic Vectoring & Streaming
      Heuristic and signature-based analysis
      • Intelligent multi-scanning
      • Multiple signature databases
      • Decrypts SSL traffic when needed
      • Streaming-mode scanning to avoid latency problems
      • Automatic updates
      Heuristic detection identifies unusual behaviour; signature-based inspection recognizes known threats
      Anti-malware scanning: parallel scans, streaming mode, multiple anti-malware engines
  80. Advanced Malware Protection on the WSA
      Time of request: Cisco SIO; URL Filtering; Reputation Filter
      Time of response: Dynamic Content Analysis (DCA); signature-based anti-malware engines; Advanced Malware Protection
      Outcomes shown per stage: Block, Allow, Warn, Partial Block
  81. Demonstration
  82. 6.5M malicious sites blocked each day (Web Security Appliance: Cisco on Cisco)
      Malware blocked in one day:
      • 441K – Trojan horses
      • 61K – other malware
      • 29K – encrypted files (monitored)
      • 16.4K – adware messages
      • 1K – Trojan downloaders
      • 55 – phishing URLs
      • 22 – commercial system monitors
      • 5 – worms
      • 3 – dialers
      Cisco web traffic stats:
      • 330-360M web visits/day
      • 6-7M (2%) blocked
      WSA blocked transactions:
      • 93.5% – web reputation
      • 4.5% – URL category
      • 2% – anti-malware
      C97-728331-00 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
  83. Cloud Web Security: a cloud-based premium service
      • Real-time scanning of all inbound and outbound HTTP/S web content
      • Robust, fast, scalable and reliable global datacenter infrastructure
      • Flexible deployment options via the Cisco attach model and direct to cloud
      • Full support for roaming users
      • Centrally managed granular web filtering policies, with web 2.0 visibility and control
      • Close to real-time reporting with cloud retention, as part of the standard offering
  84. Global Datacenter Footprint
      Multiple proxies within each datacenter (2X)
      • Multiple datacenters
      • SP-managed datacenter
  85. Flexible Deployment Options
      On- and off-premises deployment options: on-premises or cloud
      Form factors and connection points: Firewall, Router, Roaming, Virtual, Next Generation Firewall, Appliance, Redirectors
      Connection methods (for both on-premises and cloud): WCCP, PAC file, Explicit
  86. Cisco Web Security Appliance
      • Consistent policy, security, and reporting for all users
      • Single-box solution for faster deployments, reduced complexity
      • Uses AnyConnect for remote and mobility
      • Integrates easily in your existing Cisco infrastructure or AAA
      (Diagram labels: Employees; Cisco WSA; Headquarters/Branches; Internet)
  87. AnyConnect Secure Mobility, form factor choice
      (Diagram labels: WSA / ASA on-premise; AnyConnect client redirects to premise or cloud; mobile user; Cloud Web Security)
  88. Cisco Cloud Web Security Integration
      • Eliminates backhaul
      • Speeds deployment
      • Extends value of existing investments
      (Diagram labels: Employees; Cisco ASA at headquarters; Cisco ISR G2 at the branch office; VPN; Cloud Web Security; Internet)
  89. Advanced Threat Defense: Retrospective Security & Continuous Analysis
      Additional point-in-time protection: Advanced Malware Protection (AMP) file reputation & sandboxing
      Retrospection: AMP file reputation; Cognitive Threat Analytics (CTA)
  90. Security Across the Whole Attack Continuum: CWS with AMP & CTA
      BEFORE: Discover, Enforce, Harden
      DURING: Detect, Block, Defend
      AFTER: Scope, Contain, Remediate
      Capabilities: Web Reputation; Usage Controls; Malware Signature; Outbreak Intelligence; File Reputation / Sandbox; File Retrospection; Application Controls; Threat Analytics; Active Reporting (component labels: AMP, CTA)
  91. CTA: Analyzing Network Traffic Behavior
      Potential threat -> behavioral analysis, anomaly detection, machine learning -> normal… or not?
      • No more rule sets: discovers threats on its own… just turn it on
      • Spots symptoms of infection using behavioral anomaly detection algorithms and trust modeling
      • Security that evolves: uses machine learning to learn from what it sees and adapt over time
      • Reduced time to discovery: active, continuous monitoring to stop the spread of an attack
  92. Why Cisco Web Security? Gartner Magic Quadrant, Web Security Gateways, 2013
      The Magic Quadrant is copyrighted 2013 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Cisco.