Joe CFO for CiscoLive Berlin 2016 Email and Web Security Presentation
1. Bruce Johnson
Senior Product Marketing Manager
February 10, 2016
Cisco Web and Email Security
New Ways to Protect from
the Top Threat Vectors
2. Email: Leading Threat Vector
Data Loss
Acceptable Use
Violations
Malware Infections
IPv6 Spam
Blended Threats
Targeted
Attacks
APTs
Advanced Malware
Rootkits
Worms Trojan Horse
205.6 Billion
Emails per Day in 2015
and Growing - Radicati
6. Joe CFO
Waiting for his plane
Meet Joe. He is heading
home for a well-deserved
vacation.
He’s catching up on email
using the airport Wi-Fi while
he waits for his flight.
BEFORE
7. Joe CFO
Checks his email
Joe just got an email from
his vacation resort with a
confirmation link.
www.beautiful-hawaii.com
BEFORE
Your Tropical Getaway
Joe,
Thank you for choosing us. We look forward to seeing you.
Before your arrival, please verify your information here:
www.vacationresort.com
Best,
Resort Team
8. Joe CFO
Instinctively, he clicks on the link
No problem, right?
Everything looks normal.
The site may even be a
trusted site,
or maybe a site that is
newly minted.
BEFORE
9. DURING
Joe CFO
Joe is now infected
Joe opens the link and the resort video
plays.
Although he doesn’t know it, Joe’s
machine has been compromised by a
flash-based video exploit.
The malware now starts to harvest
Joe’s confidential information:
•Passwords
•Credentials
•Company access authorizations
11. Meet Joe. He is heading
home for a well-deserved
vacation.
Instant Replay with Cisco Security
BEFORE
Waiting for his plane
How Cisco Protects You
12. Joe just got an email from
his vacation resort.
Instant Replay with Cisco Email Security
DURING
Checks his email
How Cisco Protects You
13. No problem, right?
Everything looks normal.
Instant Replay with Cisco Web Security
DURING
Instinctively, he clicks on the link
How Cisco Protects You
Deploys malware protection
Traces phone home traffic
Conducts 200 pt. website “credit check”
Controls social media micro-app policy
Activates embedded protection
14. Joe opens the link and the
resort video plays.
Instant Replay with Cisco AMP for Email & Web Security
DURING
Joe is protected
How Cisco Protects You
Isolates unknown files through sandboxing
Evaluates file reputation
Registers files
15. After a relaxing vacation,
Joe returns home protected
and unaware that the threat
even existed. (and he still
has a job!)
Joe CFO arrives home
AFTER
Joe is protected
16. After a few days, a file
begins to behave
maliciously.
Joe CFO arrives home
AFTER
Joe is protected
How Cisco Protects You
Identifies polymorphic attacks
Discovers patient zero and zero +1
Analyzes threats retrospectively
17. Layered Email and Web Security
Best Defense for Complex Threats
Come by the Email
and Web Security
Booth and Learn
More
T: There are new challenges during every stage of an attack.
Cisco Web security provides protection across the attack continuum.
We start with Web Reputation, Usage and application controls.
During an attack you're protected with:
Malware Signature
File reputation
And file sandboxing for dynamic analysis
And after an attack with continuous retrospection – the ability to identify malware that crossed the wire undetected – using file retrospection, threat analytics and actionable reporting capabilities.
If it were your house that was going to be broken into, certainly. The same should be true for your system; after all, both represent your personal information, property and safety.
Allow me to present a use case. Let’s consider an email based spear phishing attack and how it would unfold across the attack continuum.
The target will be Joe. He’s a CFO on his way home to enjoy some vacation time.
Joe’s going to receive an email from what looks like a trusted site. In reality, the email is a targeted attack and contains a compromised link.
We’ll look at two versions of this case: one in which Joe is unprotected, and one in which Joe is protected by Cisco security products.
T: First, let’s look at a scenario where Joe is not protected.
Meet Joe CFO. He’s sitting in the airport waiting to head home. He’s excited to go back for a well-deserved vacation.
T: He’s using the public airport Wi-Fi to check his email
Joe just received an email from what appears to be his vacation resort.
It is asking him to verify his information – a credit card number, dinner reservations, or any number of things.
It wants him to verify by clicking on an embedded URL link.
T: Joe is drawn to the link.
Everything seems fine. There is a factor of trust, since Joe is going on vacation and the email is from a vacation resort.
The email may even be from a trusted site that has been compromised.
T: Joe clicks on the link.
A resort video plays. Although he doesn’t know it, Joe has been taken to a website with a flash-based video exploit and it has downloaded malware onto his machine.
The malware begins to harvest his information. Joe’s passwords, credentials, and company access authorizations have all been compromised.
He has unknowingly given hackers the ability to steal sensitive company and customer information.
T: Enjoy your vacation Joe.
As a company CFO, Joe is an attractive target. In order to secure his and his company’s information, Joe needs the best possible protection.
In a moment we’ll explore the second version of the case. This time, Joe will have Cisco’s Talos and layered defense products to protect him, his company’s information, and his job.
T: Before that, allow me to briefly expand on Cisco’s Talos.
Meet Joe again. He’s using the public airport Wi-Fi to check his email.
He is accessing his corporate network via an encrypted VPN from Cisco.
His mobile devices are being managed through Cisco’s Identity Services Engine.
Cloud security and split tunneling are implemented for further protection, and Talos inoculates his device against malware.
Lastly, our indexing allows us to track patterns of behavior and analyze them for harmful patterns, so that we can identify complex attacks even if they are made up of seemingly benign actions.
T: Before an attack even happens, Joe is actively being defended.
He receives an email from what appears to be his vacation resort.
As Joe opens the email, Cisco’s email security appliance and Talos spring into action. They provide an email credit check, conduct a 200 point inspection, rewrite or redirect URLs and enforce corporate security policy.
It seems that the resort staff are asking Joe to verify his information by clicking on a hyperlinked web address.
T: Joe is drawn to the link while Cisco continues to protect him.
Everything seems fine. The email address is legitimate and the site it links to appears to be legitimate as well.
Joe clicks on the link while his defenses take action.
Cisco’s security products activate embedded protection and conduct a 200 point website “credit check.” They deploy malware protection, control social media micro-app policy and trace phone home traffic.
T: Joe’s browser opens the web page.
A resort video plays. Though he doesn’t know it, Joe has been taken to a malicious website that begins to download files onto his machine. But this time, Joe is protected.
Cisco security products register the downloaded files and evaluate their reputations. They isolate unknown and suspicious files through sandboxing and update the Talos database in order to inoculate against further attacks.
T: Joe can now enjoy his vacation without the worry of a security threat.
T: Joe returns home with his devices and data secure.
Now let’s say that a file appears to be legitimate. It passes through Joe’s defenses and is loaded onto his device. Three days later a timer goes off, and the file begins to behave maliciously. Joe is now the target of a polymorphic attack.
Thankfully for Joe, Cisco security products analyze threats retrospectively. They identify the polymorphic attack, discover patient zero and trace the file’s trajectory to discover if anyone else has been attacked.
All discoveries are cataloged and added to the Talos database to inoculate even further.
T: With Cisco security, the damages can be traced, scoped and remediated.
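The retrospective analysis described above (a file that passed as unknown, later turns malicious, and must be traced back to patient zero, zero+1 and every other host it touched) can be illustrated with a small file-trajectory model. This is an added example written for this page, not Cisco or Talos code; the event records, host names and hashes are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of file-trajectory events (not real product logs).
# Each record: when a file with a given SHA-256 was seen, on which host,
# via what action, and the reputation verdict held at that moment.
@dataclass(frozen=True)
class FileEvent:
    seen: datetime
    host: str
    sha256: str   # shortened placeholder hash, constructed for the example
    action: str   # "download", "copy" or "execute"
    verdict: str  # "unknown", "clean" or "malicious" at the time of the event

SAMPLE_EVENTS = [
    FileEvent(datetime(2016, 2, 1, 9, 5),  "joe-laptop",  "aa11", "download", "unknown"),
    FileEvent(datetime(2016, 2, 1, 9, 6),  "joe-laptop",  "aa11", "execute",  "unknown"),
    FileEvent(datetime(2016, 2, 2, 14, 0), "fin-share",   "aa11", "copy",     "unknown"),
    FileEvent(datetime(2016, 2, 3, 8, 30), "ctrl-laptop", "aa11", "download", "unknown"),
    FileEvent(datetime(2016, 2, 3, 10, 0), "hr-laptop",   "bb22", "download", "clean"),
]

def retrospective_scope(events, sha256, verdict_changed_iso):
    """Re-evaluate recorded history once a file's verdict flips to malicious.

    verdict_changed_iso is the ISO-8601 time the new verdict arrived. Returns
    the ordered trail, patient zero, zero+1, every host touched, hosts where the
    file actually ran, and how long it sat undetected; None if never seen.
    """
    verdict_changed = datetime.fromisoformat(verdict_changed_iso)
    trail = sorted((e for e in events if e.sha256 == sha256), key=lambda e: e.seen)
    if not trail:
        return None
    hosts_in_order = []          # first-seen order gives patient zero, zero+1, ...
    for e in trail:
        if e.host not in hosts_in_order:
            hosts_in_order.append(e.host)
    return {
        "patient_zero": hosts_in_order[0],
        "zero_plus_one": hosts_in_order[1] if len(hosts_in_order) > 1 else None,
        "affected_hosts": hosts_in_order,
        "executed_on": sorted({e.host for e in trail if e.action == "execute"}),
        "dwell": verdict_changed - trail[0].seen,   # undetected time before the verdict
        "events": trail,
    }

if __name__ == "__main__":
    scope = retrospective_scope(SAMPLE_EVENTS, "aa11", "2016-02-04T09:30")
    for key in ("patient_zero", "zero_plus_one", "affected_hosts", "executed_on", "dwell"):
        print(f"{key}: {scope[key]}")
```

The output is the scoping list an incident responder would act on: which host to image first, which hosts merely hold a copy, and how long the window of exposure was.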