Before. During. After.
Intelligent Cybersecurity for Australia
Ken Boal
Vice President, Cisco ANZ
July 31, 2014
Cisco Australia and New Zealand hosted a Cybersecurity day in Sydney recently.

Published in: Technology

Transcript of "Before. During. After. Intelligent Cybersecurity for Australia"

  1. Before. During. After. Intelligent Cybersecurity for Australia
     Ken Boal, Vice President, Cisco ANZ
     July 31, 2014
  2. © 2013-2014 Cisco and/or its affiliates. All rights reserved.
     Cisco Security Innovation
     Anthony Stitt, General Manager of Security, Cisco ANZ
  3. The Security Problem
     • Changing Business Models
     • Dynamic Threat Landscape
     • Complexity and Fragmentation
  4. Cisco 2014 Mid-Year Security Report (under embargo until Wed. Aug. 6)
     • Compromised Secure Encrypted Connections: currently, OpenSSL is complex and difficult to implement correctly and to test for vulnerabilities.
     • Decline in total quantity, increase in variety of Exploit Kits: despite heightened competition, the number of exploit kits has dropped by 87% since Paunch was arrested last year.
     • Malvertising: Internet ad spend now outpaces all other forms of media, and malvertising is more prevalent as adversaries are able to launch highly targeted campaigns.
     • POS Exploitation: data on the magnetic strips of credit cards can be used to create fake credit cards, which are then used for fraudulent in-store purchases.
  5. To defend against these advanced threats requires greater visibility and control across the full attack continuum.
     Attack Continuum:
     • BEFORE: Discover, Enforce, Harden
     • DURING: Detect, Block, Defend
     • AFTER: Scope, Contain, Remediate
     Coverage: Network, Endpoint, Mobile, Virtual, Cloud, Email & Web; Point-in-time and Continuous
  6. Strategic Imperatives
     • Visibility-Driven: Network-Integrated, Broad Sensor Base, Context and Automation
     • Threat-Focused: Continuous Advanced Threat Protection, Cloud-Based Security Intelligence
     • Platform-Based: Agile and Open Platforms, Built for Scale, Consistent Control, Management
     Across Network, Endpoint, Mobile, Virtual and Cloud
  7. Visibility Driven: Contextual Awareness, Information Superiority
     CATEGORIES                 | EXAMPLES                    | CISCO | TYPICAL IPS | TYPICAL NGFW
     Threats                    | Attacks, Anomalies          | ✔     | ✔           | ✔
     Users                      | AD, LDAP, POP3              | ✔     | ✗           | ✔
     Web Applications           | Facebook Chat, Ebay         | ✔     | ✗           | ✔
     Application Protocols      | HTTP, SMTP, SSH             | ✔     | ✗           | ✔
     File Transfers             | PDF, Office, EXE, JAR       | ✔     | ✗           | ✔
     Malware                    | Conficker, Flame            | ✔     | ✗           | ✗
     Command & Control Servers  | C&C Security Intelligence   | ✔     | ✗           | ✗
     Client Applications        | Firefox, IE6, BitTorrent    | ✔     | ✗           | ✗
     Network Servers            | Apache 2.3.1, IIS4          | ✔     | ✗           | ✗
     Operating Systems          | Windows, Linux              | ✔     | ✗           | ✗
     Routers & Switches         | Cisco, Nortel, Wireless     | ✔     | ✗           | ✗
     Mobile Devices             | iPhone, Android, Jail       | ✔     | ✗           | ✗
     Printers                   | HP, Xerox, Canon            | ✔     | ✗           | ✗
     VoIP Phones                | Avaya, Polycom              | ✔     | ✗           | ✗
     Virtual Machines           | VMware, Xen, RHEV           | ✔     | ✗           | ✗
  8. Threat Focused: Cisco Collective Security Intelligence (Sourcefire VRT® Vulnerability Research Team, Cisco® SIO)
     Intelligence sources:
     • 180,000+ File Samples per Day
     • FireAMP™ Community, 3+ million
     • Advanced Microsoft and Industry Disclosures
     • Snort and ClamAV Open Source Communities
     • Honeypots
     • Sourcefire AEGIS™ & SPARK Programs
     • Private and Public Threat Feeds
     • Dynamic Analysis
     Scale:
     • Automatic Updates every 3-5 minutes
     • 1.6 million global sensors
     • 100 TB of data received per day
     • 150 million+ deployed endpoints
     • 600+ engineers, technicians, and researchers
     • 35% of worldwide email traffic
     • 13 billion web requests
     • 24x7x365 operations
     • 40+ languages
     Telemetry from: Email, Endpoints, Web, Networks, IPS, Devices
  9. Threat Focused: NSS Labs results
     • IPS effectiveness leader for many years in NSS Labs testing
     • Cisco Advanced Malware Protection was ranked among the top solutions in NSS Labs’ latest Security Value Map (SVM) for Breach Detection Systems (BDS), earning a “Recommended” rating.
     • NSS Labs measured AMP’s effectiveness and TCO per protected Mbps, finding that the solution delivered top protection faster than all other vendors, far outpacing competitive solutions.
     • The results of NSS Labs’ rigorous testing further validate Cisco’s continuous approach to defending customers against advanced threats from the cloud to the network to the endpoint and across the attack continuum: before, during and after an attack.
  10. Platform Based: Delivering on roadmap (NEW)
     AMP      | Protection Method                                              | Ideal for
     Content  | License with ESA or WSA                                        | New or existing Cisco Email or Web Security customers
     Network  | Stand Alone Solution -or- Enable AMP on FirePOWER Appliance    | IPS/NGFW customers
     Endpoint | Install on endpoints                                           | Windows, Mac, Android, VMs
     Cisco Threat Intelligence (Sourcefire VRT® Vulnerability Research Team, Cisco® SIO, Cisco Collective Security Intelligence); threat vectors: Email and Web, Networks, Devices
  11. Platform-Based Security Architecture
     • Management: Common Security Policy and Management, Orchestration, Security Mgt APIs
     • Security Services and Applications: Cisco Security Applications, Third-Party Security Applications; Cisco ONE APIs
     • Security Services Platform: Access Control, Context Awareness, Content Inspection, Application Visibility, Threat Prevention (Appliance, Virtual, Cloud); Platform APIs, Cloud Intelligence APIs
     • Infrastructure / Element Layer: Device API (OnePK™, OpenFlow, CLI); Cisco Networking Operating Systems (Enterprise, Data Center, Service Provider); Route–Switch–Compute; ASIC Data Plane, Software Data Plane, Data Plane APIs
  12. Open Source Security Philosophy
     • Complex Security Problems Solved Through Open Source: build with the community to solve complex security problems
     • Community Collaboration: engage with users and developers to strengthen everyone’s solutions
     • Trust: demonstrate technical excellence, trustworthiness and thought leadership
  13. Industry Panel and Q&A
     Gary Hale, Director, Cisco Threat Response, Intelligence and Development (TRIAD)
  14. Panelists
     • Dr. Jason Smith, Technical Director, Australian Government Computer Emergency Response Team (CERT Australia), Attorney-General's Department
     • Gary Blair, Adjunct Professor of the Edith Cowan University Security Research Institute, ECU, and International Fellow of the International Cyber Policy Centre, Australian International Policy Institute
     • Alastair MacGibbon, General Manager of Security, Dimension Data Australia
     • Steve Martino, Global VP of Information Security, Cisco
  15. Demonstration Overview, July 31 2014
     • Matt Carling, Cisco Threat Response, Intelligence and Development (TRIAD)
     • Gary Spiteri, Security Sales, Sourcefire FireAMP
     • Steve Lawford, Cisco Cyber Range
     • Vijay Sharma, Cisco Services, Managed Threat Defence
     • Terry MacDonald, Cisco Services, Managed Threat Defence
  16. Visibility and Context: The New Security Model
     Attack Continuum:
     • BEFORE: Discover, Enforce, Harden
     • DURING: Detect, Block, Defend
     • AFTER: Scope, Contain, Remediate
     Controls mapped along the continuum: Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM/NAC, IPS, Anti-Virus, Email/Web, IDS, FPC, Forensics, AMD, Log Mgmt, SIEM
  17. Building a Visibility Architecture
     • Why?
       • Automation
       • Contextualization
       • Anomaly Detection
       • Event-driven Security
     • What visibility is important?
  18. Types of Visibility
     • Asset/Network: Network topology; Asset profiles (Address, Hardware platform/class, Operating System, Open Ports/Services, Vendor/Version of client or server software, Attributes); Vulnerabilities
     • User: Location; Access profile; Behaviours
     • File/Data/Process: Motion; Execution; Metadata; Origination; Parent
     • Security: Point-in-time events; Telemetry; Retrospection
  19. Scenario
     [Diagram: Employee at Home and Employee in the Enterprise, connected through the Internet]
  20. Network Telemetry – Cisco IOS NetFlow in a Nutshell
  21. Putting It All Together: Visibility, Context, and Control
     • Use Cisco NetFlow Data to Extend Visibility to the Access Layer
     • Enrich Flow Data With Identity, Events and Application to Create Context (WHO, WHAT, WHERE, WHEN, HOW)
     • Unify Into a Single Pane of Glass for Detection, Investigation and Reporting
     Sources: Hardware-enabled Cisco NetFlow Switch, Cisco ISE, Cisco ISR G2 + NBAR, Cisco ASA + NSEL (Devices, Internal Network, Context)
  22. Network as a Sensor – Suspect Worm / Lateral Propagation
     Components: NetFlow-capable infrastructure, Internal Hosts, External Network, Internal Network, Management (Lancope’s StealthWatch FlowCollector, Lancope’s StealthWatch Management Console, Cisco Identity Services Engine (ISE))
     1. Compromised internal host opens connections to other hosts
     2. Infrastructure generates a record of the event using NetFlow
     3. Collection and analysis of NetFlow data
     4. Contextual information added to NetFlow analysis
     5. Suspect Worm Propagation Alarm triggered
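The five-step flow on slide 22 can be reduced to a small piece of detection logic: group flow records by source host and destination port, count how many distinct internal hosts each source reaches inside a short window, enrich the result with identity context, and raise an alarm once the fan-out crosses a threshold. The block below is an added example, not Cisco, Lancope or StealthWatch code; the flow records and the identity table are constructed stand-ins for NetFlow export and ISE context, and the internal range, window and threshold are assumptions.

```python
"""Suspect-worm / lateral-propagation alarm over NetFlow-style records.

Added example (not Cisco, Lancope or StealthWatch code). The flow records and
the identity table below are constructed; INTERNAL, WINDOW_SECONDS and
FANOUT_THRESHOLD are assumed tuning values.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the enterprise address range
FANOUT_THRESHOLD = 5                   # distinct internal peers on one port
WINDOW_SECONDS = 60                    # sliding window for the fan-out count


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: who talked to whom, on which port, when."""
    start: int        # flow start, seconds since epoch
    src: str
    dst: str
    dport: int
    proto: str


# Step 2: constructed records standing in for what switches and routers export.
FLOWS = [Flow(100, "10.0.1.20", "10.0.2.5", 443, "tcp"),   # ordinary web traffic
         Flow(110, "10.0.1.20", "8.8.8.8", 53, "udp")]      # DNS to an external host
# One host reaching eight neighbours on the same port within a few seconds.
FLOWS += [Flow(200 + i, "10.0.1.77", f"10.0.1.{100 + i}", 445, "tcp") for i in range(8)]

# Step 4: constructed identity context (the kind of data ISE contributes).
IDENTITY = {"10.0.1.77": {"user": "jdoe", "device": "LAPTOP-77", "group": "Finance"},
            "10.0.1.20": {"user": "asmith", "device": "LAPTOP-20", "group": "Sales"}}


def suspect_propagation(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Step 3: per (source, port, proto), count distinct internal destinations
    inside a sliding window. Step 5: emit an alarm when the count reaches the
    threshold, carrying the step-4 identity context for the source."""
    by_key = defaultdict(list)
    for flow in sorted(flows, key=lambda f: f.start):
        # Only internal-to-internal traffic counts as lateral movement.
        if ip_address(flow.src) in INTERNAL and ip_address(flow.dst) in INTERNAL:
            by_key[(flow.src, flow.dport, flow.proto)].append(flow)

    alarms = []
    for (src, dport, proto), recs in by_key.items():
        for i, first in enumerate(recs):
            targets = {r.dst for r in recs[i:] if r.start - first.start <= window}
            if len(targets) >= threshold:
                alarms.append({
                    "alarm": "Suspect Worm Propagation",
                    "source": src, "port": dport, "proto": proto,
                    "distinct_targets": len(targets),
                    "window_start": first.start,
                    "context": IDENTITY.get(src, {}),
                })
                break   # one alarm per source/port is enough for the console
    return alarms


if __name__ == "__main__":
    for alarm in suspect_propagation(FLOWS):
        print(alarm)
```

The threshold is the part that needs tuning per environment: a backup server or a vulnerability scanner legitimately fans out on one port, so a production deployment would baseline each host's normal peer count and alert on deviation rather than on a fixed number.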
  23. Cisco Cyber Threat Defence
     • Built-in Rules
     • Quickly find unusual data exfiltration details
     • Propagation Map
  24. Network File Trajectory
     Components: NetFlow-capable infrastructure, Cisco Next Generation Intrusion Prevention System (NGIPS) w/FireAMP, Cisco FireSIGHT Management Center, SIO/VRT/Cloud Sandbox, Internal Hosts, Internal Network, External Network
     1. Unknown file is received; a SHA-256 hash is computed for the file.
     2. Collected file data is sent for Malware Cloud Lookup/sandboxing.
     3. File disposition is unknown; organisational policy is not to block.
     4. File disposition changes to Malware; the file can now be blocked, tracked and removed.
  25. Network File Trajectory – Tracking
     • Tracking Senders / Receivers over the Attack Continuum
     • File Disposition change to MALWARE
     • History of the File as it spreads
     • Host Details
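Slides 24 and 25 describe a retrospective workflow: a file is hashed and allowed through while its disposition is unknown, and when the cloud verdict later flips to malware, the trajectory of that hash shows every sender and receiver it passed through in the meantime. The block below is an added example, not Cisco, Sourcefire or FireSIGHT code; the file content, host addresses and verdict are constructed, and the "do not block unknown files" policy is the one the slide states.

```python
"""Network file trajectory with a retrospective disposition change.

Added example (not Cisco, Sourcefire or FireSIGHT code). SHA-256 hashes
identify files; dispositions start at "unknown"; the constructed policy is to
allow unknown files and block only "malware", as on the slide. When the
verdict changes later, the tracker reports the file's history as it spread.
"""
import hashlib
from collections import defaultdict

BLOCK_DISPOSITIONS = {"malware"}   # org policy on the slide: unknown files are not blocked


class FileTrajectory:
    def __init__(self):
        self.disposition = {}                # sha256 -> "unknown" | "clean" | "malware"
        self.transfers = defaultdict(list)   # sha256 -> [(time, sender, receiver), ...]

    def observe(self, t, sender, receiver, content: bytes):
        """Steps 1-3: hash the file, record who sent it to whom, apply policy."""
        sha = hashlib.sha256(content).hexdigest()
        disp = self.disposition.setdefault(sha, "unknown")   # step 2: verdict pending
        if disp in BLOCK_DISPOSITIONS:
            return sha, "blocked"
        self.transfers[sha].append((t, sender, receiver))
        return sha, "allowed"

    def update_disposition(self, sha, new_disp):
        """Step 4: the cloud/sandbox verdict arrives. For a blocking verdict,
        return the hosts already touched so they can be tracked and cleaned."""
        self.disposition[sha] = new_disp
        return self.trajectory(sha) if new_disp in BLOCK_DISPOSITIONS else []

    def trajectory(self, sha):
        """Senders and receivers in time order: the file's history as it spread."""
        return sorted(self.transfers[sha])

    def hosts_holding(self, sha):
        """Every host that received the file while it was still allowed through."""
        return sorted({receiver for _, _, receiver in self.transfers[sha]})


def demo():
    """Constructed scenario: one file hops across three hosts before the verdict."""
    ft = FileTrajectory()
    payload = b"constructed sample file content"
    sha, d1 = ft.observe(1, "external-mail", "10.0.1.20", payload)   # unknown -> allowed
    _, d2 = ft.observe(2, "10.0.1.20", "10.0.1.21", payload)         # still unknown
    _, d3 = ft.observe(3, "10.0.1.21", "10.0.1.22", payload)
    affected = ft.update_disposition(sha, "malware")                 # retrospective verdict
    _, d4 = ft.observe(4, "10.0.1.22", "10.0.1.23", payload)         # now blocked
    return sha, [d1, d2, d3, d4], affected, ft.hosts_holding(sha)


if __name__ == "__main__":
    sha, decisions, affected, holders = demo()
    print(sha, decisions)
    for hop in affected:
        print("hop:", hop)
    print("hosts to remediate:", holders)
```

The point the slide makes, and the code shows, is that a point-in-time verdict alone would have left hosts .21 and .22 unnoticed; keeping the transfer history per hash is what turns the later verdict into a remediation list.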
  26. Example Cisco Solution Lifecycle
     Cisco Cyber Threat Defence (CTD) + Advanced Malware Protection (AMP) + Cisco Identity Service Engine (ISE) + Cisco TrustSec working together
     Components: Cisco NGIPS w/ FireAMP, Cisco Defence Center with FireSIGHT, Lancope StealthWatch Management Console, Cisco ISE
     1. Recording of all flows
     2. AMP: Neutral File Disposition
     3. Unusual Flows Analyzed
     4. AMP: Malware Disposition
     5. Cisco Next Generation Intrusion Prevention System (NGIPS) blocking Command and Control
     6. Cisco ISE providing Policy & Context
     7. Use Lancope StealthWatch & Cisco FireSIGHT Management Center to remediate and track malware
     8. Cisco Security Group Tag (SGT) provides dynamic segmentation/quarantine
  27. How Cisco Managed Threat Defence (MTD) Delivers Cutting-edge Capabilities for Customers
     Cisco® Managed Threat Defence:
     • Employs intelligent analytics and up-to-date security intelligence to identify both known and unknown threats
     • Operationalises your security incident lifecycle
     • Manages threats while you continue to manage your network
     • Is an out-of-band solution that keeps all collected telemetry on your premises for privacy
     Security incident lifecycle: Detection, Confirmation, Mitigation, Remediation
  28. About Cisco Managed Threat Defence
     • Announced in April 2014, Cisco Managed Threat Defence is our next-generation analytics and mitigation platform
     • Extends the Cisco OpenSOC software platform with additional capabilities and service to deliver deep analysis of your network traffic with high fidelity and consistency for containment and remediation
     Built on OpenSOC: Cloud analytics, Enhanced analytics algorithms, Security intelligence feeds, 24x7 remote monitoring and support
  29. Managed Threat Defence: Combining Expert Knowledge and Machine Learning
     Managed Security Services (e.g. CMS) or In-House SOC
     • Typically best deployed enterprise-wide (internal plus perimeter)
     • Monitor and manage security events: firewall permit/deny, IPS trigger, syslog event, sandbox trap, etc.
     • 99% effective
     Managed Threat Defence, Knowledge-Based
     • Focused on key (high-value) assets, e.g. data center, choke points
     • Finds things that we do know we’re looking for
     • Uses intelligence feeds – third party and Cisco® SIO
     • Low latency / near real time using Flume streaming ingest
     Managed Threat Defence, Machine-Learning
     • Focused on key (high-value) assets, e.g. data center, choke points
     • Finds things that we don’t know we’re looking for – anomalies based on machine learning
     • Latency dependent on traffic volumes
     • ‘Big data’ MapReduce technology
  30. Invitation to View the Demonstrations
  31. Thank you.