© 2016 Cisco and/or its affiliates. All rights reserved. 1
Anatomy of an Attack
Chris Parker-James
Consulting Systems Engineer
January 30th, 2018
Cisco Connect
Agenda
Anatomy of an Attack
What’s Changed? Cisco’s Solution
Cisco Umbrella
Cisco Cloudlock
Why Cisco?
Anatomy of a cyber attack
Reconnaissance and infrastructure setup
Domain registration, IP, ASN Intel
Monitor adaption based on results
Target expansion
Wide-scale expansion
Defense signatures built
Patient zero hit
Locky/Wannacry Ransomware
Mapping attacker infrastructure
LOCKY: *.7asel7[.]top
Umbrella AUG 17
SEP 12
-26 DAYS
§ Domain → IP Association
§ IP → Sample Association
§ IP → Network Association
§ IP → Domain Association
§ WHOIS Association
§ Network → IP Association
91.223.89.201
185.101.218.206
600+
Threat Grid files
SHA256:0c9c328eb66672e
f1b84475258b4999d6df008
*.7asel7[.]top LOCKY
Domain → IP
Association
AS 197569
IP → Network
Association
1,000+
DGA domains
ccerberhhyed5frqa[.]8211fr[.]top
IP → Domain
Association
IP → Sample
Association
CERBER
Mapping attacker infrastructure
-26 DAYS AUG 21
Umbrella
JUL 18
JUL 21
Umbrella
JUL 14 -7 DAYS
jbrktqnxklmuf[.]info
mhrbuvcvhjakbisd[.]xyz
LOCKY
LOCKY
DGA
Network → Domain
Association
DGA
Threat detected same day domain was registered.
Threat detected before domain was registered.
DOMAIN REGISTERED
JUL 22
-4 DAYS
Mapping attacker infrastructure
Google OAuth attack
Sequence of events (1 of 2)
1. Attacker sets up infrastructure and fake app; sends phishing email
2. Victim opens email and clicks link
Victim is sent to Google’s OAuth page for authentication and to grant permissions. Then the user will be redirected to an attacker-controlled website.
Phishing email shown: “Joe has invited you to view a document” [Open in Docs]
Sequence of events (2 of 2)
3. Victim prompted to allow/deny access
4. On the backend… If allowed, Google provisions an OAuth token, appends it to redirect_uri, and instructs victim’s browser to redirect to attacker’s domain
5. Attacker gains access to OAuth token once the user is redirected to one of the attacker-controlled domains
Note: users were redirected to these domains whether they clicked Deny or Allow
Attacker-controlled domain shown: g-cloud[.]win
6. Attacker uses the granted privileges (email contacts, delete emails, etc.). Uses access to send emails from victim’s account and propagate the worm
Consent prompt shown: “Google Docs would like to: Read, send, delete, manage your email; Manage your contacts” [Allow] [Deny]
How Cisco Security can help
Attack flow:
1. Victim opens email and clicks link
2. Victim grants access to their account
3. Victim redirected to attacker’s domain
4. Attacker gains access to OAuth token
5. Attacker has persistent access to the victim’s account
Where Cisco products act:
§ Email Security blocks malicious emails
§ Umbrella blocks user redirect to malicious domain. Attacker never receives OAuth token if blocked here.
§ If attack is successful, Cloudlock revokes OAuth token
§ Umbrella Investigate used to research attacker’s infrastructure
Phishing email shown: “Joe has invited you to view a document” [Open in Docs]
Consent prompt shown: “Google Docs would like to: Read, send, delete, manage your email; Manage your contacts” [Allow] [Deny]
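An added example, not Cisco's or Cloudlock's code: a sketch of the grant audit that would have to precede the token revocation step above. It flags grants where an unvetted client uses a protected product name, asks for the mail and contacts scopes shown in the consent prompt, or is authorised by several users in a short burst. The grant records, client IDs, name list and thresholds are constructed assumptions.

```python
import unicodedata
from collections import defaultdict

# Scopes matching the consent prompt on the slide (both are real Google OAuth scopes).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "read, send, delete, manage email",
    "https://www.googleapis.com/auth/contacts": "manage contacts",
}
# Assumptions for this sketch: product names worth protecting and the client IDs
# the organisation has vetted. The client ID is a placeholder.
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}
VETTED_CLIENT_IDS = {"vetted-client-id.example"}

# Constructed grant records: user, client_id, app_name, scopes, granted_at (epoch s).
MAIL = "https://mail.google.com/"
CONTACTS = "https://www.googleapis.com/auth/contacts"
SAMPLE_GRANTS = [
    {"user": "alice", "client_id": "fake-docs-client.example", "app_name": "Google Docs",
     "scopes": [MAIL, CONTACTS], "granted_at": 0},
    {"user": "bob", "client_id": "fake-docs-client.example", "app_name": "Google  DOCS",
     "scopes": [MAIL, CONTACTS], "granted_at": 600},
    {"user": "carol", "client_id": "fake-docs-client.example", "app_name": "Google Docs",
     "scopes": [MAIL, CONTACTS], "granted_at": 1200},
    {"user": "dave", "client_id": "vetted-client-id.example", "app_name": "Google Docs",
     "scopes": [MAIL], "granted_at": 300},
    {"user": "frank", "client_id": "mail-merge.example", "app_name": "Mail Merge",
     "scopes": [MAIL], "granted_at": 900},
]


def normalize_name(name):
    """Fold case, width and spacing so name variants compare equal.
    NFKC does not catch cross-script homoglyphs; that needs a confusables table."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def assess_grant(grant):
    """Return the reasons a single grant looks risky (empty list if none)."""
    if grant["client_id"] in VETTED_CLIENT_IDS:
        return []
    reasons = []
    risky = sorted(s for s in grant["scopes"] if s in HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + "; ".join(HIGH_RISK_SCOPES[s] for s in risky))
    if normalize_name(grant["app_name"]) in PROTECTED_NAMES:
        reasons.append("unvetted client uses a protected product name")
    return reasons


def bursting_clients(grants, burst_users=3, burst_window=3600):
    """Unvetted clients authorised by >= burst_users distinct users within burst_window."""
    by_client = defaultdict(list)
    for g in grants:
        if g["client_id"] not in VETTED_CLIENT_IDS:
            by_client[g["client_id"]].append(g)
    bursting = set()
    for client_id, rows in by_client.items():
        rows.sort(key=lambda g: g["granted_at"])
        for i, first in enumerate(rows):
            users = {g["user"] for g in rows[i:]
                     if g["granted_at"] - first["granted_at"] <= burst_window}
            if len(users) >= burst_users:
                bursting.add(client_id)
                break
    return bursting


def grants_to_revoke(grants):
    """Revocation candidates: grants with at least two independent risk signals.
    A single signal (for example a mail scope alone) is left for manual review."""
    bursting = bursting_clients(grants)
    findings = []
    for g in grants:
        reasons = assess_grant(g)
        if g["client_id"] in bursting:
            reasons.append("burst of new grants across users")
        if len(reasons) >= 2:
            findings.append((g["user"], g["client_id"], reasons))
    return findings
```
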
The way we work has changed.
What’s changed
§ Apps, data, and identities move to the cloud
§ Business drives use of cloud apps and collaboration is easier
§ No longer need VPN to get work done
§ Branch offices have direct internet access
[Diagram: HQ, Branch office, Roaming]
How risk is different today
§ Users not protected by traditional security stack
§ Gaps in visibility and coverage
§ Expose sensitive info (inadvertently or maliciously)
§ Users can install and use risky apps on their own
[Diagram: HQ, Branch office, Roaming]
Our solution
§ Umbrella: Secure access to the internet
§ Cloudlock: Secure usage of cloud apps
[Diagram: HQ, Branch office, Roaming]
Cisco cloud security
Shared focus, complementary use cases
Visibility and control
§ Cloudlock: For Shadow IT and connected cloud apps (OAuth)
§ Umbrella: For all internet activity
Threat protection
§ Cloudlock: Protect cloud accounts from compromise and malicious insiders
§ Umbrella: Stop connections to malicious internet destinations
Forensics
§ Cloudlock: Analyze audit cloud logs
§ Umbrella: Investigate attacks with internet-wide visibility
Data protection
§ Cloudlock: Assess cloud data risk and ensure compliance
§ Umbrella: Block C2 callbacks and prevent data exfiltration
Malware / ransomware
§ Cloudlock: Prevent cloud-native (OAuth) attacks
§ Umbrella: Prevent initial infection and C2 callbacks
Cisco Umbrella
Secure access to the internet
First line of defense against internet threats
Umbrella
§ See: Visibility to protect access everywhere
§ Learn: Intelligence to see attacks before they launch
§ Block: Stop threats before connections are made
Umbrella
Start blocking in minutes
Easiest security product you’ll ever deploy
1 Signup
2 Point your DNS
3 Done
How fast do we resolve DNS requests?
Measured in milliseconds
Provider    Overall  North America  Europe/EMEA  Asia/APC  Latin America  Africa
SafeDNS     157      75             135          197       184            322
FreeDNS     130      132            41           275       225            195
DNS.WATCH   119      106            34           268       218            169
Comodo      92       39             44           198       119            164
Level3      78       17             32           167       110            171
OpenNIC     75       38             52           119       108            81
Verisign    74       43             43           112       140            176
Dyn         50       12             31           80        73             165
Umbrella    45       17             31           59        99             23
Google      33       25             29           39        42             38
Source: MSFT Office 365 Researcher, ThousandEyes Blog Post, May 2017
Enterprise-wide deployment in minutes
DEPLOYMENT
Cisco endpoint (AnyConnect)
§ No additional agents to deploy with AnyConnect
§ Or Umbrella roaming client works alongside other VPNs for DNS and IP redirection
Cisco networking (WLAN controller, ISR 4K)
§ Out-of-the-box integration
§ Use of tags for granular filtering and reporting
§ Policies per VLAN/SSID
Other network devices (DNS/DHCP servers, Wireless APs)
§ Simple configuration change to redirect DNS
§ Policies for corporate and guests
Where does Umbrella fit?
Malware, C2 Callbacks, Phishing
HQ: Sandbox, NGFW, Proxy, Netflow, AV
BRANCH: Router/UTM, AV
ROAMING: AV
First line
It all starts with DNS
§ Precedes file execution and IP connection
§ Used by all devices
§ Port agnostic
Built into foundation of the internet
Umbrella provides:
§ Connection for safe requests
§ Prevention for user and malware-initiated connections
§ Proxy inspection for risky URLs
[Diagram: Safe request, Blocked request]
Requests for “risky” domains
Intelligent proxy
URL inspection
§ Cisco Talos feeds
§ Cisco WBRS
§ Partner feeds
§ Custom URL block list
File inspection
§ AV Engines
§ Cisco AMP
ENFORCEMENT
Prevents connections before and during the attack
Command and control callback
§ Malicious payload drop
§ Encryption keys
§ Updated instructions
Web and email-based infection
§ Malvertising / exploit kit
§ Phishing / web link
§ Watering hole compromise
Stop data exfiltration and ransomware encryption
ENFORCEMENT
Our view of the internet
100B requests per day
12K enterprise customers
85M daily active users
160+ countries worldwide
INTELLIGENCE
Intelligence to see attacks before launched
Data
§ Cisco Talos feed of malicious domains, IPs, and URLs
§ Umbrella DNS data: 100B requests per day
Security researchers
§ Industry-renowned researchers
§ Build models that can automatically classify and score domains and IPs
Models
§ Dozens of models continuously analyze millions of live events per second
§ Automatically uncover malware, ransomware, and other threats
INTELLIGENCE
Statistical models
Guilt by inference
§ Co-occurrence model
§ Geolocation Model
§ Secure rank model
Guilt by association
§ Predictive IP Space Modeling
§ Passive DNS and WHOIS Correlation
Patterns of guilt
§ Spike rank model
§ Natural Language Processing rank model
§ Live DGA prediction
INTELLIGENCE
2M+ live events per second
11B+ historical events
Co-occurrence model
Domains guilty by inference
a.com b.com c.com x.com d.com e.com f.com
time - time +
Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.
Possible malicious domain Possible malicious domain
Known malicious domain
INTELLIGENCE
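An added sketch of the co-occurrence idea above, not Umbrella's model or code: for each domain, it measures what share of the identities that requested it did so within a short window of a known-malicious domain, and requires a minimum number of such identities before scoring. The log records, the 30-second window, the support minimum and the 0.8 threshold are constructed assumptions; a fixed window stands in for "consecutively".

```python
from collections import defaultdict


def build_sample_log():
    """Constructed DNS log of (epoch_seconds, identity, domain); not real telemetry."""
    log = []
    # Four identities hit the same chain around the known-malicious domain.
    for i, ident in enumerate(["u1", "u2", "u3", "u4"]):
        t = 1000 + 600 * i
        log += [
            (t, ident, "cdn.example"),
            (t + 2, ident, "c.example"),
            (t + 3, ident, "bad.example"),
            (t + 5, ident, "d.example"),
        ]
    # One identity also touches a domain nobody else requests.
    log.append((1004, "u1", "rare.example"))
    # Six unaffected identities use the popular CDN domain only.
    for i, ident in enumerate(["u5", "u6", "u7", "u8", "u9", "u10"]):
        log.append((5000 + i, ident, "cdn.example"))
    return log


def cooccurrence_scores(log, known_bad, window=30, min_identities=3):
    """Score each domain by the share of its requesters who queried it within
    `window` seconds of a known-bad domain.

    Domains with fewer than `min_identities` co-occurring requesters are not
    scored: one identity is an anecdote, not a pattern.
    """
    by_identity = defaultdict(list)
    for ts, identity, domain in log:
        by_identity[identity].append((ts, domain))

    requesters = defaultdict(set)  # domain -> every identity that queried it
    near_bad = defaultdict(set)    # domain -> identities that queried it near a bad domain
    for identity, events in by_identity.items():
        events.sort()
        bad_times = [ts for ts, d in events if d in known_bad]
        for ts, domain in events:
            if domain in known_bad:
                continue
            requesters[domain].add(identity)
            if any(abs(ts - bt) <= window for bt in bad_times):
                near_bad[domain].add(identity)

    scores = {}
    for domain, ids in near_bad.items():
        if len(ids) >= min_identities:
            # Dividing by all requesters keeps popular domains (CDNs, search
            # engines) from being flagged just because everyone queries them.
            scores[domain] = len(ids) / len(requesters[domain])
    return scores


def suspects(log, known_bad, threshold=0.8, **kwargs):
    """Domains whose co-occurrence share meets the threshold, sorted by name."""
    scores = cooccurrence_scores(log, known_bad, **kwargs)
    return sorted(d for d, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    print(suspects(build_sample_log(), {"bad.example"}))
```
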
Spike rank model
Patterns of guilt
[Chart: DNS REQUESTS over DAYS for y.com]
Massive amount of DNS request volume data is gathered and analyzed
DNS request volume matches known exploit kit pattern and predicts future attack
DGA, MALWARE, EXPLOIT KIT, PHISHING
y.com is blocked before it can launch full attack
INTELLIGENCE
Predictive IP Space Monitoring
Guilt by association
§ Pinpoint suspicious domains and observe their IP’s fingerprint
§ Identify other IPs – hosted on the same server – that share the same fingerprint
§ Block those suspicious IPs and any related domains
[Diagram: DOMAIN; 209.67.132.476, 209.67.132.477, 209.67.132.478, 209.67.132.479]
INTELLIGENCE
‘Sender Rank’ model: predict domains related to spammers
Identify queries to spam reputation services
§ Our 85M+ users leverage email reputation services to check for spam; we see requests made to check domains found in emails
§ [Diagram: MAIL SERVERS, REPUTATION SERVICES]
§ a.spam.ru. checkspam.com
§ b.spam.ru. checkspam.com
§ Labels: Domain of service, Domain of sender
Model aggregates hourly graphs per domain
§ Short bursts of 1000s of
§ “Hailstorm” spam uses many FQDNs, e.g. subdomains, to hide from reputation services
§ a.spam.ru, b.spam.ru, … z.spam.ru
§ spam.ru: suspect domain identified
Model identifies owners of “Hailstorm” domains
§ After confirmation, query WHOIS records to get registrant of sender domain
Confirm “Hailstorm” domain
§ Check behavior patterns: Type of domain, Domain popularity, Historical activity
Block 10,000s of domains before new attacks happen
§ Attackers often register more domains to embed links in phishing or C2 callbacks in malware
Model automatically places registrants on a watch list
§ badguy
§ New domains registered at a future time
Model automatically verifies new domains
§ New malicious domain blocked by Umbrella
INTELLIGENCE
‘Newly Seen Domains’ category reduces risk of the unknown
1. Any user (free or paid) requests the domain [1].
2. Every minute, we sample from our streaming DNS logs.
3. Check if domain was seen before & if whitelisted [2].
4. If not, add to category, and within minutes, DNS resolvers are updated globally.
EVENTS
§ Domains used in an attack.
§ Umbrella’s Auto-WHOIS model may predict as malicious.
§ Attackers register domains.
§ Before expiration [3], if any user requests this domain, it’s logged or blocked as newly seen.
§ Later, Umbrella statistical models or reputation systems identify as malicious.
[1] May have predictively blocked it already, and likely the first requestor was a free user.
[2] E.g. domain generated for CDN service.
[3] Usually 24 hours, but modified for best results, as needed.
[Timeline figure: Cisco Umbrella and reputation systems; states: not yet a threat, potentially unprotected, unprotected, protected; time scale: MINUTES, 24 HOURS, DAYS TO WEEKS]
INTELLIGENCE
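An added sketch of the four steps above, not Umbrella's implementation: each sampled batch is checked against previously seen domains and an allowlist, first sightings enter a newly-seen category, and entries expire after the 24 hours the footnote gives as the usual lifetime. The class name, the suffix-based allowlist and the sample domains are constructed assumptions.

```python
NEWLY_SEEN_TTL = 24 * 3600  # "usually 24 hours" per the slide's footnote


class NewlySeenDomains:
    """Tracks first sightings of domains from periodic DNS log samples."""

    def __init__(self, seen_before=(), allowlist_suffixes=(), ttl=NEWLY_SEEN_TTL):
        self.seen = {self._norm(d) for d in seen_before}
        self.allow = tuple(self._norm(s) for s in allowlist_suffixes)
        self.ttl = ttl
        self.category = {}  # domain -> epoch seconds of first sighting

    @staticmethod
    def _norm(domain):
        # DNS names are case-insensitive and may carry a trailing root dot.
        return domain.rstrip(".").lower()

    def _allowlisted(self, domain):
        # Suffix match covers machine-generated names under a trusted zone,
        # such as per-customer CDN hostnames.
        return any(domain == s or domain.endswith("." + s) for s in self.allow)

    def ingest_sample(self, now, domains):
        """Steps 2-4: process one sampled batch; return domains newly categorised."""
        added = []
        for raw in domains:
            d = self._norm(raw)
            if d in self.seen or self._allowlisted(d):
                continue
            self.seen.add(d)
            self.category[d] = now
            added.append(d)
        return added

    def is_newly_seen(self, domain, now):
        """Resolver-side check: should this request be logged or blocked as newly seen?"""
        d = self._norm(domain)
        first = self.category.get(d)
        if first is None:
            return False
        if now - first >= self.ttl:
            # Expired: from here on only other models or reputation data apply.
            del self.category[d]
            return False
        return True


def demo():
    """Runs the constructed scenario and returns what each step produced."""
    nsd = NewlySeenDomains(
        seen_before={"intranet.example"},
        allowlist_suffixes=["cdn-provider.example"],
    )
    batch = [
        "Intranet.example.",            # seen before
        "a1b2.cdn-provider.example",    # allowlisted generated name
        "new-domain.example",           # first sighting
        "new-domain.example",           # duplicate inside the same sample
    ]
    added = nsd.ingest_sample(0, batch)
    return {
        "added": added,
        "after_1_min": nsd.is_newly_seen("NEW-DOMAIN.example", 60),
        "after_24_h": nsd.is_newly_seen("new-domain.example", NEWLY_SEEN_TTL),
        "cdn": nsd.is_newly_seen("a1b2.cdn-provider.example", 60),
    }


if __name__ == "__main__":
    print(demo())
```
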
Our efficacy
§ Discover: 3M+ daily new domain names
§ Identify: 60K+ daily malicious destinations
§ Enforce: 7M+ malicious destinations while resolving DNS
INTELLIGENCE
What sets Umbrella apart from competitors
§ Easiest connect-to-cloud deployment
§ Fastest and most reliable cloud infrastructure
§ Broadest coverage of malicious destinations and files
§ Most open platform for integration
§ Most predictive intelligence to stop threats earlier
Cisco Cloudlock
Secure usage of cloud apps
User
Cloudlock can provide visibility and control over global cloud activities
Key questions organizations have
Users/Accounts
§ Who is doing what in my cloud applications?
§ How do I detect account compromises?
§ Are malicious insiders extracting information?
Data
§ Do I have toxic and regulated data in the cloud?
§ Do I have data that is being shared inappropriately?
§ How do I detect policy violations?
Applications
§ How can I monitor app usage and risk?
§ Do I have any 3rd party connected apps?
§ How do I revoke risky apps?
Cisco Cloudlock addresses customers’ most critical cloud security use cases
Discover and Control
User and Entity Behavior Analytics
Cloud Data Loss Prevention (DLP)
Apps Firewall
Cloud Malware
Shadow IT/OAuth Discovery and Control
Data Exposures and Leakages
Privacy and Compliance Violations
Compromised Accounts
Insider Threats
Here’s an example of why you need cloud user security
North America, 9:00 AM ET: Login
Africa, 10:00 AM ET: Data export
§ Distance from the US to the Central African Republic: 7362 miles
§ At a speed of 800 mph, it would take 9.2 hours to travel between them
In one hour
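An added example of the check this slide illustrates, not Cloudlock's code: compare consecutive events per user and flag any pair whose great-circle distance could not be covered at 800 mph in the time between them. The event records and coordinates are constructed, so the computed distance differs from the 7362 miles quoted above; the 50-mile floor for geo-IP jitter is an assumption.

```python
import math
from datetime import datetime

EARTH_RADIUS_MILES = 3958.8
MAX_SPEED_MPH = 800.0      # travel speed used on the slide
MIN_DISTANCE_MILES = 50.0  # assumption: ignore geo-IP jitter within one metro area

# Constructed audit events. Times are ISO 8601 with UTC offsets, so the
# 16:00+01:00 export below is the same instant as 10:00 AM ET.
SAMPLE_EVENTS = [
    {"user": "alice", "action": "login", "time": "2018-01-30T09:00:00-05:00",
     "lat": 40.71, "lon": -74.01},   # New York
    {"user": "alice", "action": "data_export", "time": "2018-01-30T16:00:00+01:00",
     "lat": 4.39, "lon": 18.56},     # Bangui
    {"user": "bob", "action": "login", "time": "2018-01-30T09:00:00-05:00",
     "lat": 40.71, "lon": -74.01},   # New York
    {"user": "bob", "action": "download", "time": "2018-01-30T12:00:00-05:00",
     "lat": 42.36, "lon": -71.06},   # Boston
]


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def impossible_travel(events):
    """Return one finding per consecutive event pair a user could not have travelled."""
    findings = []
    last_seen = {}
    # Parse to aware datetimes before sorting; string order is wrong across offsets.
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    for ev in ordered:
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue
        miles = haversine_miles(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        if miles < MIN_DISTANCE_MILES:
            continue
        elapsed = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
        elapsed_hours = elapsed.total_seconds() / 3600
        needed_hours = miles / MAX_SPEED_MPH
        # Comparing hours instead of dividing by elapsed time also handles
        # two events that share the same timestamp.
        if elapsed_hours < needed_hours:
            findings.append({
                "user": ev["user"],
                "from_action": prev["action"],
                "to_action": ev["action"],
                "miles": round(miles),
                "elapsed_hours": elapsed_hours,
                "needed_hours": round(needed_hours, 1),
            })
    return findings


if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_EVENTS):
        print(finding)
```
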
Have you ever been to 68 countries in one week?
More than 24,000 files per organization publicly accessible
Data exposure per organization
[Chart: Accessible by external collaborators, Accessible publicly, Accessible organization-wide; values shown: 2%, 10%, 12%]
24,000 files publicly accessible per organization
70% of external sharing done with non-corporate email addresses
Source: Cloudlock CyberLab
Consider “connected” cloud apps: Pokémon Go
Daily time spent in Pokémon Go by average iOS user
Pokémon Go breaks another record: Higher daily average user time than Facebook, Snapchat, and Instagram
[Chart, daily minutes: Pokémon Go 33 mins, Facebook 22 mins, Snapchat 18 mins, Twitter 17 mins, Instagram 15 mins, Slither 10 mins]
Source: SensorTower
Time to reach 100 million users worldwide
An Unusual Start: Pokémon Go breaking all mobile gaming records globally.
[Chart: YEAR OF LAUNCH 1878, 1879, 1900, 2004, 2016; times shown: 75 yrs, 16 yrs, 7 yrs, 4.5 yrs, 1 month (estimated)]
Identities Data Apps
Cisco Cloudlock
Cloud Access Security Broker (CASB)
CASB – API Access (cloud to cloud)
Public APIs
Cisco NGFW / Umbrella
Managed Users, Managed Devices, Managed Network
Unmanaged Users, Unmanaged Devices, Unmanaged Network
Cloudlock has over 70 pre-defined policies
PII
§ SSN/ID numbers
§ Driver license numbers
§ Passport numbers
Education
§ Inappropriate content
§ Student loan application information
§ FERPA compliance
General
§ Email address
§ IP address
§ Passwords/login information
PHI
§ HIPAA
§ Health identification numbers (global)
§ Medical prescriptions
PCI
§ Credit card numbers
§ Bank account numbers
§ SWIFT codes
Cloudlock provides automated response actions
Detect
Alert (Admin/Users)
Security Workflows
Response Actions
API Integrations
Differentiators: Cisco Cloudlock
§ Smartest Intelligence: CyberLab, crowd-sourced community trust ratings
§ Proven Track Record: Deployed at over 700 organizations and supporting deployments over 750,000 users
§ FedRAMP In Process: The only FedRAMP In Process CASB working towards an Authority to Operate via Agency Authorization
§ Cisco Ecosystem: Integrated, architectural approach to security, vendor viability
§ Cloud-Native: Full value instantly, no disruption
Why Cisco Cloud Security?
Why customers love Cisco cloud security
Cisco cloud security
§ Most effective protection
§ Simplest to deploy and manage
§ Most open platform
§ Most reliable
Real customer results
Umbrella
§ “Deployed to 30,000 employees in less than 60 minutes”
§ “Reduced infections by 98%...saved 1.7 months of user downtime per year”
§ “Cut incident response time by 25-30%”
Cloudlock
§ “Reduced public exposure by 62% in one day”
§ “Intelligently reduced OAuth-connected apps by 34% in one week”
§ “Deployed to 125,000 employees in less than 5 minutes”
Thank you.

 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla nsCisco Canada
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco Canada
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Canada
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco Canada
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Cisco Canada
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v finalCisco Canada
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco Canada
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco Canada
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...Cisco Canada
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Canada
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...Cisco Canada
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet OverviewCisco Canada
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assuranceCisco Canada
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicingCisco Canada
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco merakiCisco Canada
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zeroCisco Canada
 

More from Cisco Canada (20)

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devops
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018   iot demo kinetic frCisco connect montreal 2018   iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic fr
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018    secure dcCisco connect montreal 2018    secure dc
Cisco connect montreal 2018 secure dc
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse locale
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybrides
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v final
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet Overview
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assurance
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicing
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zero
 

Recently uploaded

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 

Anatomy Of An Attack

  • 1. Anatomy of an Attack. Chris Parker-James, Consulting Systems Engineer. January 30th, 2018. Cisco Connect.
  • 2. Agenda: Anatomy of an Attack; What’s Changed? Cisco’s Solution; Cisco Umbrella; Cisco Cloudlock; Why Cisco?
  • 3. Anatomy of a cyber attack: Reconnaissance and infrastructure setup; Domain registration, IP, ASN Intel; Monitor adaption based on results; Target expansion; Wide-scale expansion; Defense signatures built; Patient zero hit
  • 4. Locky/Wannacry Ransomware
  • 5. Mapping attacker infrastructure: SEP 12 -26 DAYS; Umbrella; AUG 17; LOCKY; *.7asel7[.]top; ? Domain → IP Association; ? IP → Sample Association; ? IP → Network Association; ? IP → Domain Association; ? WHOIS Association; ? Network → IP Association
  • 6. Mapping attacker infrastructure: 91.223.89.201; 185.101.218.206; 600+ Threat Grid files; SHA256:0c9c328eb66672ef1b84475258b4999d6df008; *.7asel7[.]top LOCKY; Domain → IP Association; AS 197569; IP → Network Association; 1,000+ DGA domains; ccerberhhyed5frqa[.]8211fr[.]top; IP → Domain Association; IP → Sample Association; CERBER
  • 7. Mapping attacker infrastructure: -26 DAYS AUG 21; Umbrella; JUL 18; JUL 21; Umbrella; JUL 14 -7 DAYS; jbrktqnxklmuf[.]info; mhrbuvcvhjakbisd[.]xyz; LOCKY; LOCKY; DGA; Network → Domain Association; DGA; Threat detected same day domain was registered. Threat detected before domain was registered. DOMAIN REGISTERED; JUL 22 -4 DAYS
  • 8. Google OAuth attack
  • 9. Sequence of events (1 of 2): (1) Attacker sets up infrastructure and fake app; sends phishing email. (2) Victim opens email and clicks link. Victim is sent to Google’s OAuth page for authentication and to grant permissions. Then the user will be redirected to an attacker-controlled website. Email text shown: “Joe has invited you to view a document”, “Open in Docs”.
  • 10. Sequence of events (2 of 2): (3) Victim prompted to allow/deny access. Prompt shown: “Google Docs would like to: Read, send, delete, manage your email; Manage your contacts”, with Allow / Deny. On the backend… (4) If allowed, Google provisions an OAuth token, appends it to redirect_uri, and instructs victim’s browser to redirect to attacker’s domain. (5) Attacker gains access to OAuth token once the user is redirected to one of the attacker-controlled domains (g-cloud[.]win). Note: users were redirected to these domains whether they clicked Deny or Allow. (6) Attacker uses the granted privileges (email contacts, delete emails, etc.). Uses access to send emails from victim’s account and propagate the worm.
  • 11. How Cisco Security can help: Victim redirected to attacker’s domain; Attacker gains access to OAuth token; Attacker has persistent access to the victims’ account; Victim opens email and clicks link; Victim grants access to their account. If attack is successful, Cloudlock revokes OAuth token. Umbrella blocks user redirect to malicious domain. Attacker never receives OAuth token if blocked here. Umbrella Investigate used to research attacker’s infrastructure. Email Security blocks malicious emails. Email text shown: “Joe has invited you to view a document”, “Open in Docs”. Prompt shown: “Google Docs would like to: Read, send, delete, manage your email; Manage your contacts”, with Allow / Deny.
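The Cloudlock step on slide 11 (revoking the OAuth token after a successful grant) presupposes a triage of third-party grants. The sketch below is an added example, not Cisco's or Google's code: the grant record layout, brand list, allowlist and threshold are assumptions, and the sample grants are constructed around the g-cloud[.]win redirect shown on slide 10.

```python
"""Triage third-party OAuth grants for the consent-phishing pattern on slides 9-11.

Added example: record layout, lists and thresholds are assumptions, not a
vendor schema. Sample data is constructed.
"""
from dataclasses import dataclass

# Scopes matching the prompt on the slide ("Read, send, delete, manage your
# email" / "Manage your contacts"). Both are real Google OAuth scopes.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full mailbox access",
    "https://www.googleapis.com/auth/contacts": "manage contacts",
}
PROTECTED_BRANDS = ("google docs", "google drive", "gmail")   # assumed list
APPROVED_REDIRECT_SUFFIXES = ("google.com", "corp.example")   # assumed allowlist


@dataclass(frozen=True)
class Grant:
    user: str
    app_name: str
    client_id: str
    redirect_host: str   # may be stored defanged, e.g. g-cloud[.]win
    scopes: tuple


def refang(host: str) -> str:
    """Turn a defanged indicator back into a comparable hostname."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")


def host_is_approved(host: str) -> bool:
    """Exact or dot-boundary suffix match, so evilgoogle.com does not pass."""
    host = refang(host)
    return any(host == s or host.endswith("." + s) for s in APPROVED_REDIRECT_SUFFIXES)


def assess(grant: Grant) -> list:
    """Return the reasons this grant looks like consent phishing."""
    reasons = []
    risky = sorted(HIGH_RISK_SCOPES[s] for s in grant.scopes if s in HIGH_RISK_SCOPES)
    approved = host_is_approved(grant.redirect_host)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if not approved:
        reasons.append("redirect host not approved: " + grant.redirect_host)
    if not approved and any(b in grant.app_name.lower() for b in PROTECTED_BRANDS):
        reasons.append("app name imitates a trusted brand")
    return reasons


def revocation_queue(grants, min_reasons=2):
    """Return (grants to revoke with reasons, client_ids spreading across users)."""
    flagged = [(g, assess(g)) for g in grants]
    flagged = [(g, r) for g, r in flagged if len(r) >= min_reasons]
    users_per_client = {}
    for g, _ in flagged:
        users_per_client.setdefault(g.client_id, set()).add(g.user)
    # One client_id granted by several users is the worm-like spread of step 6.
    spreading = sorted(c for c, users in users_per_client.items() if len(users) >= 2)
    return flagged, spreading


_MAIL_AND_CONTACTS = ("https://mail.google.com/",
                      "https://www.googleapis.com/auth/contacts")

# Constructed sample grants.
SAMPLE_GRANTS = [
    Grant("alice@corp.example", "Google Docs", "client-0001", "g-cloud[.]win",
          _MAIL_AND_CONTACTS),
    Grant("bob@corp.example", "Google Docs", "client-0001", "g-cloud[.]win",
          _MAIL_AND_CONTACTS),
    Grant("carol@corp.example", "Expense Tool", "client-0002", "sso.corp.example",
          ("https://www.googleapis.com/auth/userinfo.email",)),
    Grant("dave@corp.example", "Mail Merge Helper", "client-0003",
          "addons.corp.example", ("https://mail.google.com/",)),
]

if __name__ == "__main__":
    queue, spreading = revocation_queue(SAMPLE_GRANTS)
    for grant, reasons in queue:
        print("REVOKE", grant.user, grant.client_id, "|", "; ".join(reasons))
    print("BLOCK TENANT-WIDE", spreading)
```

A grant list only shows users who clicked Allow. Because slide 10 notes that users were redirected whether they clicked Deny or Allow, DNS logs for the redirect domain show everyone who reached the prompt.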
  • 12. The way we work has changed.
  • 13. What’s changed: Apps, data, and identities move to the cloud; Business drives use of cloud apps and collaboration is easier; No longer need VPN to get work done; Branch offices have direct internet access. Diagram labels: HQ, Branch office, Roaming.
  • 14. How risk is different today: Users not protected by traditional security stack; Gaps in visibility and coverage; Expose sensitive info (inadvertently or maliciously); Users can install and use risky apps on their own. Diagram labels: HQ, Branch office, Roaming.
  • 15. Our solution. Umbrella: Secure access to the internet. Cloudlock: Secure usage of cloud apps. Diagram labels: HQ, Branch office, Roaming.
  • 16. Cisco cloud security. Shared focus, complementary use cases.
      Visibility and control. Cloudlock: For Shadow IT and connected cloud apps (OAuth). Umbrella: For all internet activity.
      Threat protection. Cloudlock: Protect cloud accounts from compromise and malicious insiders. Umbrella: Stop connections to malicious internet destinations.
      Forensics. Cloudlock: Analyze audit cloud logs. Umbrella: Investigate attacks with internet-wide visibility.
      Data protection. Cloudlock: Assess cloud data risk and ensure compliance. Umbrella: Block C2 callbacks and prevent data exfiltration.
      Malware / ransomware. Cloudlock: Prevent cloud-native (OAuth) attacks. Umbrella: Prevent initial infection and C2 callbacks.
  • 17. Cisco Umbrella: Secure access to the internet
  • 18. Umbrella: First line of defense against internet threats. See: Visibility to protect access everywhere. Learn: Intelligence to see attacks before they launch. Block: Stop threats before connections are made.
  • 19. Umbrella: Start blocking in minutes. Easiest security product you’ll ever deploy. (1) Signup; (2) Point your DNS; (3) Done.
  • 20. How fast do we resolve DNS requests? Measured in milliseconds. Source: MSFT Office 365 Researcher, ThousandEyes Blog Post, May 2017.
      Providers (values in each row follow this order): SafeDNS, FreeDNS, DNS.WATCH, Comodo, Level3, OpenNIC, Verisign, Dyn, Umbrella, Google
      Overall: 157, 130, 119, 92, 78, 75, 74, 50, 45, 33
      North America: 75, 132, 106, 39, 17, 38, 43, 12, 17, 25
      Europe/EMEA: 135, 41, 34, 44, 32, 52, 43, 31, 31, 29
      Asia/APC: 197, 275, 268, 198, 167, 119, 112, 80, 59, 39
      Latin America: 184, 225, 218, 119, 110, 108, 140, 73, 99, 42
      Africa: 322, 195, 169, 164, 171, 81, 176, 165, 23, 38
  • 21. [DEPLOYMENT] Enterprise-wide deployment in minutes. Cisco endpoint (AnyConnect): No additional agents to deploy with AnyConnect; Or Umbrella roaming client works alongside other VPNs for DNS and IP redirection. Cisco networking (WLAN controller, ISR 4K): Out-of-the-box integration; Use of tags for granular filtering and reporting; Policies per VLAN/SSID. Other network devices (DNS/DHCP servers, Wireless APs): Simple configuration change to redirect DNS; Policies for corporate and guests.
  • 22. Where does Umbrella fit? Malware; C2 Callbacks; Phishing. HQ: Sandbox, NGFW, Proxy, Netflow, AV, AV. BRANCH: Router/UTM, AV, AV. ROAMING: AV. First line: It all starts with DNS; Precedes file execution and IP connection; Used by all devices; Port agnostic.
  • 23. Built into foundation of the internet. Umbrella provides: Connection for safe requests; Prevention for user and malware-initiated connections; Proxy inspection for risky URLs. Legend: Safe request, Blocked request.
  • 24. [ENFORCEMENT] Cisco Talos feeds; Cisco WBRS; Partner feeds; Custom URL block list; Requests for “risky” domains; Intelligent proxy; URL inspection; File inspection; AV Engines; Cisco AMP
  • 25. [ENFORCEMENT] Prevents connections before and during the attack. Command and control callback: Malicious payload drop; Encryption keys; Updated instructions. Web and email-based infection: Malvertising / exploit kit; Phishing / web link; Watering hole compromise. Stop data exfiltration and ransomware encryption.
  • 26. [INTELLIGENCE] Our view of the internet: 100B requests per day; 12K enterprise customers; 85M daily active users; 160+ countries worldwide
  • 27. [INTELLIGENCE] Intelligence to see attacks before launched. Data: Cisco Talos feed of malicious domains, IPs, and URLs; Umbrella DNS data (100B requests per day). Security researchers: Industry-renowned researchers; Build models that can automatically classify and score domains and IPs. Models: Dozens of models continuously analyze millions of live events per second; Automatically uncover malware, ransomware, and other threats.
  • 28. [INTELLIGENCE] Statistical models. 2M+ live events per second; 11B+ historical events. Guilt by inference: Co-occurrence model; Geolocation Model; Secure rank model. Guilt by association: Predictive IP Space Modeling; Passive DNS and WHOIS Correlation. Patterns of guilt: Spike rank model; Natural Language Processing rank model; Live DGA prediction.
  • 29. [INTELLIGENCE] Co-occurrence model: Domains guilty by inference. Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe. Diagram: a.com, b.com, c.com, x.com, d.com, e.com, f.com along a timeline (time - to time +); labels: Possible malicious domain; Possible malicious domain; Known malicious domain.
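One way to turn the co-occurrence definition on slide 29 into code, as an added example that is not Umbrella's model. The log layout, the .example domains (standing in for the slide's a.com to x.com) and the window, support and share thresholds are assumptions, with a share-of-requesters cutoff standing in for the significance test.

```python
"""Co-occurrence scoring over DNS logs (slide 29), as a simplified sketch.

Added example: thresholds, log layout and domains are assumptions. Sample
events are constructed.
"""
from collections import defaultdict

WINDOW_SECONDS = 30   # "short timeframe" (assumed)
MIN_IDENTITIES = 3    # identities that must co-occur before a domain is scored (assumed)
MIN_SHARE = 0.6       # share of a domain's requesters that must co-occur (assumed)


def cooccurring_domains(events, known_bad, window=WINDOW_SECONDS,
                        min_identities=MIN_IDENTITIES, min_share=MIN_SHARE):
    """events: iterable of (identity, unix_time, domain).

    Returns {domain: (co_occurring_identities, all_requesters, share)} for
    domains requested next to a known-bad domain by enough identities.
    """
    by_identity = defaultdict(list)
    requesters = defaultdict(set)     # domain -> every identity that asked for it
    for identity, ts, domain in events:
        by_identity[identity].append((ts, domain))
        requesters[domain].add(identity)

    near_bad = defaultdict(set)       # domain -> identities that asked near a bad lookup
    for identity, queries in by_identity.items():
        bad_times = [ts for ts, d in queries if d in known_bad]
        if not bad_times:
            continue
        for ts, domain in queries:
            if domain in known_bad:
                continue
            # "time -" and "time +" on the slide: look on both sides of the bad lookup.
            if any(abs(ts - b) <= window for b in bad_times):
                near_bad[domain].add(identity)

    flagged = {}
    for domain, idents in near_bad.items():
        total = len(requesters[domain])
        share = len(idents) / total
        # The share test keeps popular domains (CDNs, search) out of the result:
        # infected hosts request them too, but so does everyone else.
        if len(idents) >= min_identities and share >= min_share:
            flagged[domain] = (len(idents), total, round(share, 2))
    return flagged


def build_sample():
    """Constructed log: h1-h4 look up known-bad x.example, h5-h10 never do."""
    events = []
    for i, host in enumerate(["h1", "h2", "h3", "h4"]):
        t0 = 1000 + i * 500
        events += [(host, t0, "c.example"), (host, t0 + 2, "x.example"),
                   (host, t0 + 4, "cdn.example")]
        if host != "h4":
            events += [(host, t0 + 5, "d.example"),
                       (host, t0 + 600, "late.example")]   # outside the window
    events.append(("h1", 1010, "e.example"))                # only one identity
    for host in ["h5", "h6", "h7", "h8", "h9", "h10"]:
        events.append((host, 5000, "cdn.example"))          # popular everywhere
    events.append(("h5", 5001, "d.example"))
    return events


if __name__ == "__main__":
    for domain, stats in sorted(cooccurring_domains(build_sample(), {"x.example"}).items()):
        print(domain, stats)
```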
  • 30. © 2016 Cisco and/or its affiliates. All rights reserved. 30 Spike rank model Patterns of guilt y.com DAYS DNSREQUESTS Massive amount of DNS request volume data is gathered and analyzed DNS request volume matches known exploit kit pattern and predicts future attack DGA MALWARE EXPLOIT KIT PHISHING y.com is blocked before it can launch full attack INTELLIGENCE
  • 31. © 2016 Cisco and/or its affiliates. All rights reserved. 31 Predictive IP Space Monitoring Guilt by association Pinpoint suspicious domains and observe their IP’s fingerprint Identify other IPs – hosted on the same server – that share the same fingerprint Block those suspicious IPs and any related domains DOMAIN 209.67.132.476 209.67.132.477 209.67.132.478 209.67.132.479 INTELLIGENCE
  • 32. © 2016 Cisco and/or its affiliates. All rights reserved. 32 ‘Sender Rank’ model: predict domains related to spammers Identify queries to spam reputation services Our 85M+ users leverage email reputation services check for spam; we see requests made to check domains found in emails MAIL SERVERS REPUTATION SERVICES a.spam.ru. checkspam.com b.spam.ru. checkspam.com Domain of service Domain of sender Model aggregates hourly graphs per domain Short bursts of 1000s of “Hailstorm” spam uses many FQDNs, e.g. subdomains, to hide from reputation services a.spam.ru … b.spam.ru z.spam.ru spam.ru suspect domain identified Model identifies owners of “Hailstorm” domains After confirmation, query WHOIS records to get registrant of sender domain ? ? ? Type of domain Domain popularity Historical activity Confirm “Hailstorm” domain check behavior patterns Block 10,000s of domains before new attacks happen Attackers often register more domains to embed links in phishing or C2 callbacks in malware badguy Model automatically places registrants on a watch list New domains registered at a future time Model automatically verifies new domains New malicious domain blocked by Umbrella INTELLIGENCE
  • 33. © 2016 Cisco and/or its affiliates. All rights reserved. 33 1. Any user (free or paid) requests the domain1 2. Every minute, we sample from our streaming DNS logs. 3. Check if domain was seen before & if whitelisted2. 4. If not, add to category, and within minutes, DNS resolvers are updated globally. Domains used in an attack. Umbrella’s Auto- WHOIS model may predict as malicious. Attackers register domains. Before expiration3, if any user requests this domain, it’s logged or blocked as newly seen. Later, Umbrella statistical models or reputation systems identify as malicious. ‘Newly Seen Domains’ category reduces risk of the unknown EVENTS 1. May have predictively blocked it already, and likely the first requestor was a free user. 2. E.g. domain generated for CDN service. 3. Usually 24 hours, but modified for best results, as needed. Reputation systems protected Cisco Umbrella 24 HOURS protected DAYS TO WEEKS not yet a threat not yet a threat unprotected potentially unprotected MINUTES INTELLIGENCE
  • 34. [INTELLIGENCE] Our efficacy: Discover 3M+ daily new domain names; Identify 60K+ daily malicious destinations; Enforce 7M+ malicious destinations while resolving DNS.
  • 35. What sets Umbrella apart from competitors: Easiest connect-to-cloud deployment; Fastest and most reliable cloud infrastructure; Broadest coverage of malicious destinations and files; Most open platform for integration; Most predictive intelligence to stop threats earlier.
  • 36. Cisco Cloudlock: Secure usage of cloud apps
  • 37. Cloudlock can provide visibility and control over global cloud activities
  • 38. Key questions organizations have
      - Users/Accounts: Who is doing what in my cloud applications? How do I detect account compromises? Are malicious insiders extracting information?
      - Data: Do I have toxic and regulated data in the cloud? Do I have data that is being shared inappropriately? How do I detect policy violations?
      - Applications: How can I monitor app usage and risk? Do I have any 3rd party connected apps? How do I revoke risky apps?
  • 39. Cisco Cloudlock addresses customers’ most critical cloud security use cases: Discover and Control; User and Entity Behavior Analytics; Cloud Data Loss Prevention (DLP); Apps Firewall; Cloud Malware; Shadow IT/OAuth Discovery and Control; Data Exposures and Leakages; Privacy and Compliance Violations; Compromised Accounts; Insider Threats.
  • 40. Here’s an example of why you need cloud user security: North America, 9:00 AM ET: Login. Africa, 10:00 AM ET: Data export. In one hour.
      - Distance from the US to the Central African Republic: 7362 miles
      - At a speed of 800 mph, it would take 9.2 hours to travel between them
  • 41. Have you ever been to 68 countries in one week?
  • 42. More than 24,000 files per organization publicly accessible
      - Data exposure per organization (chart categories: Accessible by external collaborators, Accessible publicly, Accessible organization-wide; values shown: 2%, 10%, 12%)
      - 24,000 files publicly accessible per organization
      - 70% of external sharing done with non-corporate email addresses
      Source: Cloudlock CyberLab
  • 43. Consider “connected” cloud apps: Pokémon Go
      - Daily time spent in Pokémon Go by average iOS user. Pokémon Go breaks another record: Higher daily average user time than Facebook, Snapchat, and Instagram. Chart values: Pokémon Go 33 mins, Facebook 22 mins, Snapchat 18 mins, Twitter 17 mins, Instagram 15 mins, Slither 10 mins. Source: SensorTower
      - Time to reach 100 million users worldwide. An Unusual Start: Pokémon Go breaking all mobile gaming records globally. [Chart by year of launch (1878, 1879, 1900, 2004, 2016); values shown: 1 month (estimated), 4.5 yrs, 7 yrs, 16 yrs, 75 yrs]
  • 44. Cisco Cloudlock Cloud Access Security Broker (CASB): Identities, Data, Apps
  • 45. CASB – API Access (cloud to cloud). Diagram labels: Public APIs; Cisco NGFW / Umbrella; Managed Users, Managed Devices, Managed Network; Unmanaged Users, Unmanaged Devices, Unmanaged Network.
  • 46. Cloudlock has over 70 pre-defined policies
      - PII: SSN/ID numbers; Driver license numbers; Passport numbers
      - Education: Inappropriate content; Student loan application information; FERPA compliance
      - General: Email address; IP address; Passwords/login information
      - PHI: HIPAA; Health identification numbers (global); Medical prescriptions
      - PCI: Credit card numbers; Bank account numbers; SWIFT codes
  • 47. Cloudlock provides automated response actions: Detect; Alert (Admin/Users); Security Workflows; Response Actions; API Integrations.
  • 48. Cisco Cloudlock Differentiators
      - Smartest Intelligence: CyberLab, crowd-sourced community trust ratings
      - Proven Track Record: Deployed at over 700 organizations and supporting deployments over 750,000 users
      - FedRAMP In Process: The only FedRAMP In Process CASB working towards an Authority to Operate via Agency Authorization
      - Cisco Ecosystem: Integrated, architectural approach to security, vendor viability
      - Cloud-Native: Full value instantly, no disruption
  • 49. Why Cisco Cloud Security?
  • 50. Why customers love Cisco cloud security: Most effective protection; Simplest to deploy and manage; Most open platform; Most reliable.
  • 51. Real customer results
      - Umbrella: “Deployed to 30,000 employees in less than 60 minutes”; “Reduced infections by 98%...saved 1.7 months of user downtime per year”; “Cut incident response time by 25-30%”
      - Cloudlock: “Reduced public exposure by 62% in one day”; “Intelligently reduced OAuth-connected apps by 34% in one week”; “Deployed to 125,000 employees in less than 5 minutes”
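The hourly per-domain aggregation described on slide 32 (‘Sender Rank’), sketched as an added example; this is not Cisco's code. The log format, the `min_fqdns` threshold and the two-label registered-domain shortcut are assumptions, and `checkspam.com` / `spam.ru` are the slide's own placeholder names.

```python
from collections import defaultdict
from datetime import datetime

# Assumption: zones of the reputation services whose lookups we recognise.
REPUTATION_ZONES = ("checkspam.com",)

def split_query(qname):
    """Split 'a.spam.ru.checkspam.com' into (sender FQDN, service zone), else None."""
    qname = qname.rstrip(".").lower()
    for zone in REPUTATION_ZONES:
        if qname.endswith("." + zone):
            return qname[: -len(zone) - 1], zone
    return None

def registered_domain(fqdn):
    # Simplification: keep the last two labels. Production code needs the
    # Public Suffix List to handle suffixes such as co.uk.
    return ".".join(fqdn.split(".")[-2:])

def hourly_fqdn_sets(log):
    """Map (hour, sender domain) -> set of distinct sender FQDNs looked up."""
    buckets = defaultdict(set)
    for ts, qname in log:
        parsed = split_query(qname)
        if parsed is None:
            continue  # ordinary DNS query, not a reputation lookup
        sender, _zone = parsed
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        buckets[(hour, registered_domain(sender))].add(sender)
    return buckets

def hailstorm_suspects(log, min_fqdns=20):
    """Sender domains that showed a burst of distinct FQDNs within one hour."""
    return sorted({domain for (_hour, domain), fqdns in hourly_fqdn_sets(log).items()
                   if len(fqdns) >= min_fqdns})

# Constructed sample log: 30 throwaway subdomains of spam.ru inside one hour,
# one steady legitimate sender, and one unrelated query.
SAMPLE_LOG = (
    [(f"2018-01-30T09:{m:02d}:00", f"h{m}.spam.ru.checkspam.com") for m in range(30)]
    + [("2018-01-30T09:05:00", "mail.example.org.checkspam.com"),
       ("2018-01-30T10:05:00", "mail.example.org.checkspam.com"),
       ("2018-01-30T09:07:00", "www.example.net")]
)

if __name__ == "__main__":
    print(hailstorm_suspects(SAMPLE_LOG))
```

A suspect returned here corresponds to the slide's "suspect domain identified" step; the confirmation and WHOIS registrant lookup that follow on the slide are outside this sketch.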
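The login-then-export scenario on slide 40, written as an "impossible travel" check over account events; this is an added example, not Cloudlock's implementation. The event fields, city coordinates and the 50-mile jitter floor are assumptions; the 800 mph ceiling is the slide's figure.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8
MAX_MPH = 800     # travel speed used on the slide
MIN_MILES = 50    # assumption: ignore geo-IP jitter within one metro area

def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))

def impossible_travel(events, max_mph=MAX_MPH, min_miles=MIN_MILES):
    """Return (user, earlier action, later action, implied mph) per violation."""
    last_seen, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue  # first event for this account
        miles = haversine_miles(prev["geo"], ev["geo"])
        if miles < min_miles:
            continue
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        mph = float("inf") if hours == 0 else miles / hours
        if mph > max_mph:
            findings.append((ev["user"], prev["action"], ev["action"], mph))
    return findings

# Constructed sample events; all timestamps share one time zone (ET on the slide).
NEW_YORK, BOSTON, BANGUI = (40.71, -74.01), (42.36, -71.06), (4.39, 18.56)
EVENTS = [
    {"user": "alice", "time": datetime(2018, 1, 30, 9, 0), "geo": NEW_YORK, "action": "login"},
    {"user": "alice", "time": datetime(2018, 1, 30, 10, 0), "geo": BANGUI, "action": "data export"},
    {"user": "bob", "time": datetime(2018, 1, 30, 9, 0), "geo": BOSTON, "action": "login"},
    {"user": "bob", "time": datetime(2018, 1, 30, 13, 0), "geo": NEW_YORK, "action": "login"},
]

if __name__ == "__main__":
    for user, first, second, mph in impossible_travel(EVENTS):
        print(f"{user}: {first} -> {second} implies {mph:,.0f} mph")
```

Geo-IP locations shift with VPNs and mobile carriers, so a hit is a lead for review alongside other account signals, not proof of compromise.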