© 2017 Cisco and/or its affiliates. All rights reserved. 1
Anatomy of an Attack
Chris Parker-James
Consulting Systems Engineer
May 29th 2018
Cisco
Connect
Agenda
Anatomy of an Attack
What’s Changed?
Cisco’s Solution
Cisco Umbrella
Cisco Cloudlock
Why Cisco?
Anatomy of a cyber attack
Reconnaissance and infrastructure setup
Domain registration, IP, ASN intel
Patient zero hit
Target expansion
Monitor adaptation based on results
Wide-scale expansion
Defense signatures built
Locky/Wannacry
Ransomware
Mapping attacker infrastructure
Umbrella flagged the infrastructure on AUG 17; the LOCKY campaign using *.7asel7[.]top was seen on SEP 12 (-26 days).
Pivots from the known domain to unknown (?) infrastructure:
Domain → IP association
IP → Sample association
IP → Network association
IP → Domain association
WHOIS association
Network → IP association
Mapping attacker infrastructure
*.7asel7[.]top (LOCKY)
Domain → IP association: 91.223.89.201, 185.101.218.206
IP → Network association: AS 197569
IP → Sample association: 600+ Threat Grid files, e.g. SHA256: 0c9c328eb66672ef1b84475258b4999d6df008
IP → Domain association: 1,000+ DGA domains, e.g. ccerberhhyed5frqa[.]8211fr[.]top (CERBER)
Mapping attacker infrastructure
Network → Domain association (DGA)
jbrktqnxklmuf[.]info (LOCKY)
mhrbuvcvhjakbisd[.]xyz (LOCKY)
Timeline markers on the slide: Umbrella JUL 14 (-7 days); Umbrella JUL 18; JUL 21; JUL 22 (-4 days); AUG 21 (-26 days); DOMAIN REGISTERED
Threat detected same day domain was registered.
Threat detected before domain was registered.
Google OAuth attack
Sequence of events (1 of 2)
1. Attacker sets up infrastructure and fake app; sends phishing email (“Joe has invited you to view a document: Open in Docs”).
2. Victim opens email and clicks link.
! Victim is sent to Google’s OAuth page for authentication and to grant permissions. Then the user will be redirected to an attacker-controlled website.
Sequence of events (2 of 2)
3. Victim prompted to allow/deny access (“Google Docs would like to: Read, send, delete, manage your email; Manage your contacts”, with Allow and Deny buttons).
4. On the backend: if allowed, Google provisions an OAuth token, appends it to redirect_uri, and instructs the victim’s browser to redirect to the attacker’s domain.
5. Attacker gains access to the OAuth token once the user is redirected to one of the attacker-controlled domains (e.g. g-cloud[.]win). Note: users were redirected to these domains whether they clicked Deny or Allow.
6. Attacker uses the granted privileges (email contacts, delete emails, etc.) to send emails from the victim’s account and propagate the worm.
How Cisco Security can help
Victim opens email and clicks link (“Joe has invited you to view a document: Open in Docs”): Email Security blocks malicious emails.
Victim grants access to their account (“Google Docs would like to: Read, send, delete, manage your email; Manage your contacts”, Allow/Deny).
Victim redirected to attacker’s domain: Umbrella blocks user redirect to malicious domain. Attacker never receives OAuth token if blocked here.
Attacker gains access to OAuth token: Umbrella Investigate used to research attacker’s infrastructure.
Attacker has persistent access to the victims’ account: if attack is successful, Cloudlock revokes OAuth token.
The way we work
has changed.
What’s changed
Apps, data, and identities move to the cloud
Business drives use of cloud apps and collaboration is easier
No longer need VPN to get work done
Branch offices have direct internet access
(Diagram: HQ, Branch office, Roaming)
How risk is different today
Users not protected by traditional security stack
Gaps in visibility and coverage
Expose sensitive info (inadvertently or maliciously)
Users can install and use risky apps on their own
(Diagram: HQ, Branch office, Roaming)
Our solution
Umbrella: secure access to the internet
Cloudlock: secure usage of cloud apps
(Diagram: HQ, Branch office, Roaming)
Cisco cloud security
Shared focus, complementary use cases: visibility and control
                     | Cloudlock (for Shadow IT and connected cloud apps (OAuth)) | Umbrella (for all internet activity)
Threat protection    | Protect cloud accounts from compromise and malicious insiders | Stop connections to malicious internet destinations
Forensics            | Analyze cloud audit logs                                     | Investigate attacks with internet-wide visibility
Data protection      | Assess cloud data risk and ensure compliance                 | Block C2 callbacks and prevent data exfiltration
Malware / ransomware | Prevent cloud-native (OAuth) attacks                         | Prevent initial infection and C2 callbacks
Cisco Umbrella
Secure access to the internet
First line of defense against internet threats
Umbrella
See: visibility to protect access everywhere
Learn: intelligence to see attacks before they launch
Block: stop threats before connections are made
Umbrella
Start blocking in minutes
Easiest security product
you’ll ever deploy
1 Sign up
2 Point your DNS
3 Done
Visibility and protection for all activity, anywhere
ON-NETWORK: HQ, Branch, IoT (all office locations; any device on your network)
OFF-NETWORK: Mobile, Roaming (roaming laptops)
ALL PORTS AND PROTOCOLS (every port and protocol)
Umbrella
ENFORCEMENT
Where does Umbrella fit?
Threats: Malware, C2 callbacks, Phishing
HQ: Sandbox, NGFW, Proxy, Netflow, AV
BRANCH: Router/UTM, AV
ROAMING: AV
First line: it all starts with DNS
Precedes file execution and IP connection
Used by all devices
Port agnostic
Enterprise-wide deployment in minutes
DEPLOYMENT
Network footprint
Existing DNS/DHCP servers, Wi-Fi APs: simple config change to redirect DNS
ISR4K (today), WLC (today), Meraki MR (future), vEdge (future)
§ Provisioning and policies per VLAN/SSID; tags for granular filtering and reporting
§ Out-of-the-box integration (Umbrella virtual appliance also available)
Endpoint footprint
AnyConnect roaming module, Cisco Security Connector
Granular filtering and reporting on- & off-network (Umbrella roaming client also available)
Intelligent proxy
Deeper inspection, built into the foundation of the internet
Internet traffic (on and off-network) → Security controls → Destinations (original destination or block page)
Security controls
§ DNS and IP enforcement
§ Risky domain inspection through proxy
§ SSL decryption available
Safe: original destinations
Blocked: modified destination
ENFORCEMENT
Intelligent proxy: requests for “risky” domains
URL inspection: Cisco Talos feeds, Cisco WBRS, partner feeds, custom URL block list
File inspection: AV engines, Cisco AMP
ENFORCEMENT
Prevents connections before and during the attack
Web and email-based infection: malvertising / exploit kit; phishing / web link; watering hole compromise
Command and control callback: malicious payload drop; encryption keys; updated instructions
Stop data exfiltration and ransomware encryption
ENFORCEMENT
Our view of the internet
125B requests per day
15K enterprise customers
90M daily active users
160+ countries worldwide
INTELLIGENCE
Intelligence to see attacks before launched
Data
§ Cisco Talos feed of malicious domains, IPs, and URLs
§ Umbrella DNS data: 100B requests per day
Security researchers
§ Industry-renowned researchers
§ Build models that can automatically classify and score domains and IPs
Models
§ Dozens of models continuously analyze millions of live events per second
§ Automatically uncover malware, ransomware, and other threats
INTELLIGENCE
Statistical models
Guilt by inference
§ Co-occurrence model
§ Geolocation Model
§ Secure rank model
Guilt by association
§ Predictive IP Space Modeling
§ Passive DNS and WHOIS Correlation
Patterns of guilt
§ Spike rank model
§ Natural Language Processing rank model
§ Live DGA prediction
INTELLIGENCE
2M+ live events per second
11B+ historical events
Co-occurrence model
Domains guilty by inference
Request sequence over time (time - … time +): a.com b.com c.com x.com d.com e.com f.com
Known malicious domain: x.com. Possible malicious domains: the domains requested immediately before and after it (c.com and d.com).
Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.
INTELLIGENCE
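The co-occurrence idea above can be reduced to a small piece of defender-side analytics. The following is an added example written for this page, not Cisco's or Umbrella's code; it works over a constructed DNS query log of (timestamp, identity, domain) tuples, uses a single known-bad domain (x.com, as on the slide), and replaces the slide's "statistically significant" test with a plain minimum-identity count, which is an assumption for illustration.

```python
from collections import defaultdict

# Constructed DNS query log, not data from the slides: (timestamp_seconds, identity, domain).
# Identities u1..u4 each request c.com right before, and d.com right after, the known-bad x.com.
SAMPLE_LOG = [
    (100, "u1", "a.com"), (102, "u1", "c.com"), (103, "u1", "x.com"), (105, "u1", "d.com"), (160, "u1", "f.com"),
    (200, "u2", "b.com"), (201, "u2", "c.com"), (203, "u2", "x.com"), (204, "u2", "d.com"),
    (300, "u3", "c.com"), (302, "u3", "x.com"), (303, "u3", "d.com"), (320, "u3", "e.com"),
    (400, "u4", "c.com"), (401, "u4", "x.com"), (402, "u4", "d.com"),
    (500, "u5", "c.com"), (600, "u5", "x.com"),   # consecutive, but 100 s apart: not a "short timeframe"
    (700, "u6", "a.com"), (701, "u6", "f.com"),   # never requests a known-bad domain
]
KNOWN_BAD = {"x.com"}


def cooccurring_domains(log, known_bad, window_seconds=5, min_identities=3):
    """Map each candidate domain to the set of identities that requested it
    immediately before or after a known-bad domain, within window_seconds.
    Only candidates seen from at least min_identities distinct identities are
    returned (a fixed count stands in for the slide's significance test)."""
    by_identity = defaultdict(list)
    for ts, identity, domain in log:
        by_identity[identity].append((ts, domain))

    hits = defaultdict(set)
    for identity, queries in by_identity.items():
        queries.sort()  # order each identity's requests by time
        for i, (ts, domain) in enumerate(queries):
            if domain not in known_bad:
                continue
            # Consecutive requests only: the query right before and right after the bad one.
            for j in (i - 1, i + 1):
                if 0 <= j < len(queries):
                    ts2, neighbour = queries[j]
                    if neighbour not in known_bad and abs(ts2 - ts) <= window_seconds:
                        hits[neighbour].add(identity)
    return {d: ids for d, ids in hits.items() if len(ids) >= min_identities}


def ranked_candidates(log, known_bad, **kwargs):
    """Candidate domains ordered by the number of identities that co-requested them."""
    found = cooccurring_domains(log, known_bad, **kwargs)
    return sorted(found, key=lambda d: (-len(found[d]), d))


if __name__ == "__main__":
    for domain, identities in cooccurring_domains(SAMPLE_LOG, KNOWN_BAD).items():
        print(f"{domain}: possible malicious, co-requested by {len(identities)} identities")
```

Widening `window_seconds` pulls in identity u5, which shows why the timeframe matters: without it, any domain that happens to be looked up near a bad one by a few busy clients would be flagged.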
Spike rank model
Patterns of guilt
A massive amount of DNS request volume data is gathered and analyzed (DNS requests for y.com over days).
DNS request volume matches a known exploit kit pattern and predicts a future attack (pattern library: DGA, malware, exploit kit, phishing).
y.com is blocked before it can launch the full attack.
INTELLIGENCE
Predictive IP Space Monitoring
Guilt by association
Pinpoint suspicious domains and observe their IP’s fingerprint.
Identify other IPs, hosted on the same server, that share the same fingerprint.
Block those suspicious IPs and any related domains.
DOMAIN → 209.67.132.476, 209.67.132.477, 209.67.132.478, 209.67.132.479
INTELLIGENCE
IP geo-location analysis
Host infrastructure: location of the server; IP addresses mapped to the domain; hosted across 28+ countries.
DNS requesters: location of the network and off-network device; IP addresses requesting the domain; only US-based customers requesting a .RU TLD.
‘Live DGA Prediction’
Automate reverse engineering: combine C2 domain pairs (a.com, b.com) and known DGA to identify unknown configs.
Predict 100,000s of future domains: combine newly-identified configs with the DGA to identify C2 domains continuously (b.com, c.com, d.com, …).
Live DNS log stream: identify millions of domains, many used by DGAs and unregistered (a1.com, a2.com, b1.com, c2.com).
Automate blocking of the pool of C2 domains used by thousands of malicious samples now and in the future, e.g.:
fgpxmvlsxpsp.me[.]uk
beuvgwyhityq[.]info
gboondmihxgc.com
pwbbjkwnkstp[.]com
bggwbijqjckk[.]me
yehjvoowwtdh.com
ctwnyxmbreev[.]com
upybsnuuvcye[.]net
quymxcbsjbhh.info
vgqoosgpmmur.it
Automated at an unparalleled scale.
INTELLIGENCE
‘Sender Rank’ model: predict domains related to spammers
Identify queries to spam reputation services: our 85M+ users leverage email reputation services to check for spam; we see the requests made to check domains found in emails.
Mail servers → reputation services: a.spam.ru.checkspam.com, b.spam.ru.checkspam.com (domain of sender prefixed to domain of service)
Model aggregates hourly graphs per domain: “Hailstorm” spam uses short bursts of 1000s of FQDNs, e.g. subdomains (a.spam.ru, b.spam.ru, …, z.spam.ru), to hide from reputation services; the suspect domain spam.ru is identified.
Confirm “Hailstorm” domain: check behavior patterns (type of domain, domain popularity, historical activity).
Model identifies owners of “Hailstorm” domains: after confirmation, query WHOIS records to get the registrant of the sender domain (badguy).
Block 10,000s of domains before new attacks happen: attackers often register more domains to embed links in phishing or C2 callbacks in malware. The model automatically places registrants on a watch list; when new domains are registered at a future time, the model automatically verifies them and the new malicious domain is blocked by Umbrella.
INTELLIGENCE
‘Newly Seen Domains’ category reduces risk of the unknown
1. Any user (free or paid) requests the domain (1).
2. Every minute, we sample from our streaming DNS logs.
3. Check if domain was seen before & if whitelisted (2).
4. If not, add to category, and within minutes, DNS resolvers are updated globally.
EVENTS
Attackers register domains: not yet a threat (reputation systems and Cisco Umbrella).
Umbrella’s Auto-WHOIS model may predict as malicious.
Before expiration (3), if any user requests this domain, it’s logged or blocked as newly seen: Cisco Umbrella protected within MINUTES and for 24 HOURS; reputation systems unprotected.
Domains used in an attack: reputation systems potentially unprotected for DAYS TO WEEKS.
Later, Umbrella statistical models or reputation systems identify as malicious: protected.
Notes:
1. May have predictively blocked it already, and likely the first requestor was a free user.
2. E.g. domain generated for CDN service.
3. Usually 24 hours, but modified for best results, as needed.
INTELLIGENCE
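The four numbered steps above describe a simple state machine: first sighting, whitelist check, a time-limited "newly seen" category, and expiry. The following is an added example of that procedure written for this page (not Umbrella's implementation); it assumes a constructed batch of (timestamp, identity, qname) requests, a constructed whitelist suffix standing in for the slide's CDN-generated names, and the slide's 24-hour expiry.

```python
from dataclasses import dataclass, field

EXPIRY_SECONDS = 24 * 3600          # slide note 3: usually 24 hours, tuned as needed
# Constructed allow-list of suffixes whose hostnames are machine-generated (slide note 2: e.g. a CDN).
WHITELIST_SUFFIXES = (".cdn-example.net",)


def normalize(qname):
    """Lower-case and strip the trailing dot so 'Fresh-Reg.example.' matches 'fresh-reg.example'."""
    return qname.strip().lower().rstrip(".")


def is_whitelisted(domain, suffixes=WHITELIST_SUFFIXES):
    return any(domain.endswith(s) for s in suffixes)


@dataclass
class NewlySeenTracker:
    expiry_seconds: int = EXPIRY_SECONDS
    first_seen: dict = field(default_factory=dict)   # domain -> timestamp of first observed request

    def observe(self, qname, ts):
        """Categorize one request as 'whitelisted', 'newly_seen' or 'known'."""
        domain = normalize(qname)
        if is_whitelisted(domain):                 # step 3: whitelisted names never enter the category
            return "whitelisted"
        first = self.first_seen.get(domain)
        if first is None:                          # step 3: never seen before
            self.first_seen[domain] = ts           # step 4: add to the category
            return "newly_seen"
        if ts - first < self.expiry_seconds:       # still inside the expiry window
            return "newly_seen"
        return "known"                             # aged out; other models or reputation take over

    def process_batch(self, requests):
        """Steps 1-2: one sampled batch of (ts, identity, qname). Returns the requests
        that policy would log or block as newly seen, in time order."""
        flagged = []
        for ts, identity, qname in sorted(requests):
            if self.observe(qname, ts) == "newly_seen":
                flagged.append((ts, identity, normalize(qname)))
        return flagged


# Constructed sample batch (epoch seconds), not log data from the slides.
SAMPLE_BATCH = [
    (0, "client-a", "fresh-reg.example"),           # first request ever -> newly seen
    (7200, "client-b", "Fresh-Reg.example."),       # same domain 2 h later -> still newly seen
    (5, "client-c", "a1b2c3.cdn-example.net"),      # machine-generated CDN host -> whitelisted
    (30, "client-a", "long-established.example"),   # pre-seeded as first seen 3 days ago -> known
]


def run_sample():
    tracker = NewlySeenTracker()
    tracker.first_seen["long-established.example"] = -3 * 24 * 3600   # constructed history
    return tracker.process_batch(SAMPLE_BATCH)


if __name__ == "__main__":
    for ts, identity, domain in run_sample():
        print(f"t={ts:>5}s {identity}: {domain} newly seen")
```

Whether a newly seen request is logged or blocked is a policy decision layered on top of the category, which is why `observe` returns a label rather than taking an action.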
New analysis and categories to combat DNS tunneling
INTELLIGENCE
Analysis of 100B+ DNS requests daily (initially Undetermined):
Machine learning detects domains with an excessive number of subdomains or characters, invalid characters, or encoded data. Plus, it detects clients requesting an excessive number of subdomains over a time period.
Manually identify commercial services (e.g. YourFreedom) or benign uses every hour.
Streaming signature-based jobs.
Automatically identify malicious or potential data exfiltration or open-source tools (e.g. DNS2TCP).
Batch behavior-based jobs plus researcher inspection.
Resulting categories: Malware (e.g. PisLoader); Hidden whitelist (e.g. AV updates); DNS Tunneling VPN*; Potentially Harmful Domains*
*NEW CATEGORIES: These are allowed by default, but can be blocked. And domains in these categories may have already been categorized as Malware or Botnet (a.k.a. C2 callbacks) by many other Umbrella statistical models.
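The two detection ideas on this slide, per-name features (label count and length, invalid characters, encoded-looking text) and per-client rate of distinct subdomains, can be checked against query logs with a few lines of code. This is an added example written for this page, not Umbrella's detection logic; the thresholds, the constructed log lines and the two-label approximation of the registered domain (a real pipeline would use a public-suffix list) are all assumptions for illustration.

```python
import math
import re
from collections import defaultdict

# LDH labels only; a leading underscore is tolerated for service labels such as _sip._tcp.
LABEL_RE = re.compile(r"^_?[A-Za-z0-9-]+$")


def shannon_entropy(text):
    """Bits per character; encoded payloads score high, dictionary words low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def qname_features(qname):
    labels = qname.rstrip(".").split(".")
    # Assumption: the last two labels are the registered domain (no public-suffix lookup here).
    sub_text = "".join(labels[:-2])
    return {
        "labels": len(labels),
        "longest_label": max(len(l) for l in labels),
        "invalid": any(not LABEL_RE.match(l) for l in labels),
        "sub_len": len(sub_text),
        "entropy": shannon_entropy(sub_text),
    }


def looks_like_tunnel(qname, max_label=30, max_labels=6, min_entropy=3.5):
    """Per-name heuristic: too many or too long labels, invalid characters, or
    high-entropy (encoded-looking) subdomain text. Thresholds are illustrative."""
    f = qname_features(qname)
    return (f["invalid"] or f["longest_label"] > max_label or f["labels"] > max_labels
            or (f["sub_len"] >= 16 and f["entropy"] >= min_entropy))


def excessive_subdomain_clients(log, window_seconds=60, max_subdomains=20):
    """Per-client heuristic over (ts, client, qname): count the distinct subdomains a
    client requests under one registered domain inside each time bucket and return
    {client: highest count} for clients that exceed max_subdomains."""
    seen = defaultdict(set)   # (client, registered domain, bucket) -> distinct subdomain strings
    for ts, client, qname in log:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        base = ".".join(labels[-2:])
        seen[(client, base, ts // window_seconds)].add(".".join(labels[:-2]))
    worst = {}
    for (client, _base, _bucket), subs in seen.items():
        if len(subs) > max_subdomains:
            worst[client] = max(worst.get(client, 0), len(subs))
    return worst


# Constructed log, not from the slides: one client streams 25 distinct labels under
# tunnel.example within a minute; another client makes ordinary lookups.
SAMPLE_LOG = [(2000 + i, "10.0.0.5", f"chunk{i:02d}xyz.tunnel.example") for i in range(25)]
SAMPLE_LOG += [(2000, "10.0.0.9", "www.example.com"),
               (2001, "10.0.0.9", "mail.example.com"),
               (2002, "10.0.0.9", "_sip._tcp.example.com")]


if __name__ == "__main__":
    for _ts, client, qname in SAMPLE_LOG[:3] + SAMPLE_LOG[-3:]:
        print(f"{client:10} {qname:40} name-level: {looks_like_tunnel(qname)}")
    print("clients with excessive subdomains:", excessive_subdomain_clients(SAMPLE_LOG))
```

The client-level check matters because each individual tunnel label can be kept short enough to pass the per-name test; the slide's "hidden whitelist" category (AV update checks, which also generate many unique subdomains) is the reason such output is reviewed before it is blocked.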
Umbrella statistical models are 5X more relevant than external intelligence
RELEVANCY measures the extent that each threat source provides intelligence that is blocking active threats recently seen across our customer base.
Higher relevancy = better coverage against active threats.
Umbrella statistical models have high relevancy because the models quickly adapt to the evolving threat landscape.
Relevancy: Umbrella statistical models 58%; 3rd party feeds 11% (5X).
Our efficacy
Discover: 3M+ daily new domain names
Identify: 60K+ daily malicious destinations
Enforce: 7M+ malicious destinations while resolving DNS
INTELLIGENCE
What sets Umbrella
apart from competitors
Easiest connect-to-cloud deployment
Fastest and most reliable cloud infrastructure
Broadest coverage of malicious destinations and files
Most open platform for integration
Most predictive intelligence to stop threats earlier
Cisco Cloudlock
Secure usage of cloud apps
Cloudlock can provide visibility and control over global cloud activities (diagram: User).
Key questions organizations have
Users/Accounts
§ Who is doing what in my cloud applications?
§ How do I detect account compromises?
§ Are malicious insiders extracting information?
Data
§ Do I have toxic and regulated data in the cloud?
§ Do I have data that is being shared inappropriately?
§ How do I detect policy violations?
Applications
§ How can I monitor app usage and risk?
§ Do I have any 3rd party connected apps?
§ How do I revoke risky apps?
Cisco Cloudlock addresses customers’ most critical
cloud security use cases
Capabilities: Discover and Control; User and Entity Behavior Analytics; Cloud Data Loss Prevention (DLP); Apps Firewall; Cloud Malware
Use cases: Shadow IT/OAuth Discovery and Control; Data Exposures and Leakages; Privacy and Compliance Violations; Compromised Accounts; Insider Threats
Here’s an example of why you need cloud user security
In one hour: login from North America at 9:00 AM ET, then data export from Africa at 10:00 AM ET.
§ Distance from the US to the Central African Republic: 7362 miles
§ At a speed of 800 mph, it would take 9.2 hours to travel between them
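The arithmetic on this slide is the core of an "impossible travel" detection: compute the great-circle distance between two authenticated events, divide by the elapsed time, and alert when the implied speed exceeds what a traveller could manage. The following is an added example written for this page, not Cloudlock's UEBA logic; the event coordinates (New York and Bangui), the timestamps and the 800 mph ceiling taken from the slide are assumptions for illustration.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_MILES = 3958.8
MAX_PLAUSIBLE_MPH = 800.0   # the slide's assumed airliner speed


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def min_travel_hours(distance_miles, speed_mph=MAX_PLAUSIBLE_MPH):
    """Hours needed to cover the distance at the given speed (the slide's 7362 mi / 800 mph)."""
    return distance_miles / speed_mph


def impossible_travel(event_a, event_b, max_mph=MAX_PLAUSIBLE_MPH):
    """event = (utc datetime, latitude, longitude, label), in any order.
    Returns (flagged, distance_miles, hours_elapsed, required_mph)."""
    (ta, lat_a, lon_a, _), (tb, lat_b, lon_b, _) = sorted([event_a, event_b], key=lambda e: e[0])
    distance = haversine_miles(lat_a, lon_a, lat_b, lon_b)
    hours = (tb - ta).total_seconds() / 3600
    if hours <= 0:   # simultaneous events: any real separation is impossible, zero separation is fine
        required = math.inf if distance > 0 else 0.0
    else:
        required = distance / hours
    return required > max_mph, distance, hours, required


# Constructed events, not slide data: 9:00 AM ET is 13:00 UTC during daylight time.
LOGIN = (datetime(2018, 5, 29, 13, 0, tzinfo=timezone.utc), 40.7128, -74.0060, "login, New York")
EXPORT = (datetime(2018, 5, 29, 14, 0, tzinfo=timezone.utc), 4.3947, 18.5582, "data export, Bangui")


def check_sample():
    return impossible_travel(LOGIN, EXPORT)


if __name__ == "__main__":
    flagged, distance, hours, required = check_sample()
    print(f"{distance:.0f} miles in {hours:.1f} h needs {required:.0f} mph "
          f"(max {MAX_PLAUSIBLE_MPH:.0f}): {'ALERT' if flagged else 'ok'}")
```

The geolocation of a source IP is itself uncertain (VPN egress points and mobile carriers move users hundreds of miles on paper), so production rules usually add a minimum distance and a per-identity allow-list before this check raises an alert rather than a low-priority signal.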
Have you ever been to 68 countries in one week?
More than 24,000 files per organization publicly accessible
Data exposure per organization, share of files accessible by external collaborators, accessible publicly, and accessible organization-wide: 2%, 10%, 12%
24,000 files publicly accessible per organization
70% of external sharing done with non-corporate email addresses
Source: Cloudlock CyberLab
Consider “connected” cloud apps: Pokémon Go
Daily time spent in Pokémon Go by average iOS user (minutes per day): Pokémon Go 33 mins, Facebook 22 mins, Snapchat 18 mins, Twitter 17 mins, Instagram 15 mins, Slither 10 mins
Pokémon Go breaks another record: higher daily average user time than Facebook, Snapchat, and Instagram (source: SensorTower)
Time to reach 100 million users worldwide, by year of launch: 1878: 75 yrs; 1879: 16 yrs; 1900: 7 yrs; 2004: 4.5 yrs; 2016 (Pokémon Go): 1 month (estimated)
An unusual start: Pokémon Go breaking all mobile gaming records globally.
Consider Pokémon Go
44% of all organizations have employees who granted access to Pokémon Go using their corporate credentials
5.8% of an organization’s employees have installed Pokémon Go on average
OAuth is not restricted to a few, isolated apps
Number of OAuth-connected apps by year: 2014: 5,500; 2015: 77,650; 2016: 156,796; 2017: 278,131
More than 25% of those apps are of high risk
219,000 third-party apps; percent of installs by risk: 27% high risk, 58% medium risk, 15% low risk
Source: Cloudlock CyberLab
Cisco Cloudlock
Cloud Access Security Broker (CASB)
(Diagram: Users, Data, Apps across SaaS)
CASB: API access (cloud to cloud) through the SaaS platforms’ public APIs
Cisco NGFW / Umbrella
Managed users, managed devices, managed network
Unmanaged users, unmanaged devices, unmanaged network
Cloudlock has over 70 pre-defined policies
PII
§ SSN/ID numbers
§ Driver license numbers
§ Passport numbers
Education
§ Inappropriate content
§ Student loan application information
§ FERPA compliance
General
§ Email address
§ IP address
§ Passwords/login information
PHI
§ HIPAA
§ Health identification numbers (global)
§ Medical prescriptions
PCI
§ Credit card numbers
§ Bank account numbers
§ SWIFT codes
Cloudlock provides automated response actions
Detect → Alert (Admin/Users) → Security workflows → Response actions → API integrations
Cisco Cloudlock differentiators
Smartest intelligence: CyberLab, crowd-sourced community trust ratings
Proven track record: deployed at over 700 organizations and supporting deployments of over 750,000 users
FedRAMP In Process: the only FedRAMP In Process CASB working towards an Authority to Operate via Agency Authorization
Cisco ecosystem: integrated, architectural approach to security; vendor viability
Cloud-native: full value instantly, no disruption
Why Cisco Cloud Security?
Why customers love Cisco cloud security
Cisco cloud security: most effective protection; simplest to deploy and manage; most open platform; most reliable
Real customer results
Umbrella
“Deployed to 30,000 employees in less than 60 minutes”
“Reduced infections by 98%... saved 1.7 months of user downtime per year”
“Cut incident response time by 25-30%”
Cloudlock
“Reduced public exposure by 62% in one day”
“Intelligently reduced OAuth-connected apps by 34% in one week”
“Deployed to 125,000 employees in less than 5 minutes”
Thank you.

Cisco Connect Toronto 2017 - Anatomy-of-attack
 
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of AttackCisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of Attack
 
Cisco Connect Halifax 2018 Anatomy of attack
Cisco Connect Halifax 2018   Anatomy of attackCisco Connect Halifax 2018   Anatomy of attack
Cisco Connect Halifax 2018 Anatomy of attack
 
Two for Attack: Web and Email Content Protection
Two for Attack: Web and Email Content ProtectionTwo for Attack: Web and Email Content Protection
Two for Attack: Web and Email Content Protection
 
Cloudflare_Everywhere_Security_Solution_Brief (1).pdf
Cloudflare_Everywhere_Security_Solution_Brief (1).pdfCloudflare_Everywhere_Security_Solution_Brief (1).pdf
Cloudflare_Everywhere_Security_Solution_Brief (1).pdf
 
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
 
The Next Generation Security
The Next Generation SecurityThe Next Generation Security
The Next Generation Security
 
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
 
Next Generation Security
Next Generation SecurityNext Generation Security
Next Generation Security
 
The Network as a Sensor, Cisco and Lancope
The Network as a Sensor, Cisco and LancopeThe Network as a Sensor, Cisco and Lancope
The Network as a Sensor, Cisco and Lancope
 
Network Security
Network SecurityNetwork Security
Network Security
 
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security
 
Seminar on Phishing Protection
Seminar on Phishing ProtectionSeminar on Phishing Protection
Seminar on Phishing Protection
 
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
 
CONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromCONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin Nystrom
 
IntroCyberv2.1_Chp2_Instructor_Supplemental_Material.pptx
IntroCyberv2.1_Chp2_Instructor_Supplemental_Material.pptxIntroCyberv2.1_Chp2_Instructor_Supplemental_Material.pptx
IntroCyberv2.1_Chp2_Instructor_Supplemental_Material.pptx
 
Network security
Network securityNetwork security
Network security
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 

More from Cisco Canada

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devops
Cisco Canada
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018   iot demo kinetic frCisco connect montreal 2018   iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic fr
Cisco Canada
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco Canada
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018    secure dcCisco connect montreal 2018    secure dc
Cisco connect montreal 2018 secure dc
Cisco Canada
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco Canada
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco Canada
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Canada
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco Canada
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018
Cisco Canada
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v final
Cisco Canada
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco Canada
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco Canada
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Canada
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Canada
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Canada
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet Overview
Cisco Canada
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assurance
Cisco Canada
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicing
Cisco Canada
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Canada
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zero
Cisco Canada
 

More from Cisco Canada (20)

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devops
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018   iot demo kinetic frCisco connect montreal 2018   iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic fr
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018    secure dcCisco connect montreal 2018    secure dc
Cisco connect montreal 2018 secure dc
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse locale
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybrides
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v final
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet Overview
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assurance
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicing
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zero
 

Recently uploaded

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
UiPathCommunity
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
ViralQR
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 

Recently uploaded (20)

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 

Cisco connect winnipeg 2018 anatomy of an attack

  • 9. Sequence of events (1 of 2)
    1. Attacker sets up infrastructure and fake app; sends phishing email.
    2. Victim opens email and clicks link (lure text: “Joe has invited you to view a document” / “Open in Docs”).
    Victim is sent to Google’s OAuth page for authentication and to grant permissions. Then the user will be redirected to an attacker-controlled website.
  • 10. Sequence of events (2 of 2)
    3. Victim prompted to allow/deny access (consent screen: “Google Docs would like to: Read, send, delete, manage your email; Manage your contacts”, with Allow and Deny buttons).
    On the backend…
    4. If allowed, Google provisions an OAuth token, appends it to redirect_uri, and instructs victim’s browser to redirect to attacker’s domain.
    5. Attacker gains access to OAuth token once the user is redirected to one of the attacker-controlled domains (e.g. g-cloud[.]win). Note: users were redirected to these domains whether they clicked Deny or Allow.
    6. Attacker uses the granted privileges (email contacts, delete emails, etc.) and uses the access to send emails from victim’s account and propagate the worm.
  • 11. How Cisco Security can help
    Victim opens email and clicks link: Email Security blocks malicious emails.
    Victim grants access to their account.
    Victim redirected to attacker’s domain: Umbrella blocks user redirect to malicious domain. Attacker never receives OAuth token if blocked here.
    Attacker gains access to OAuth token.
    Attacker has persistent access to the victims’ account: if attack is successful, Cloudlock revokes OAuth token.
    Umbrella Investigate used to research attacker’s infrastructure.
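The detection side of slides 9-11, as an added example that is not code from the deck, Cloudlock or Umbrella: a triage routine over third-party OAuth consent grants that scores the indicators the slides describe (a first-party app name with a non-Google redirect_uri, the send-mail plus contacts scope set the worm needed, a callback domain registered just before the grant) and decides on token revocation and a DNS-layer block of the redirect host. The Google scope identifiers are real; the consent events, WHOIS dates and block list are constructed sample data.

```python
"""Triage of third-party OAuth consent grants for the fake 'Google Docs' pattern (constructed example)."""
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# Real Google OAuth scope identifiers referenced by the rules below.
FULL_MAIL = "https://mail.google.com/"  # read, send, delete, manage mail
SEND_MAIL = "https://www.googleapis.com/auth/gmail.send"
CONTACTS = {"https://www.googleapis.com/auth/contacts",
            "https://www.googleapis.com/auth/contacts.readonly"}

# App display names an attacker would borrow, and host suffixes Google actually owns.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail"}
GOOGLE_SUFFIXES = ("google.com", "googleapis.com", "googleusercontent.com")

# Constructed stand-ins for a WHOIS lookup and a DNS-layer block list (not real data).
WHOIS_CREATED = {"g-cloud.win": date(2017, 5, 2), "docs-sync-example.com": date(2015, 1, 9)}
DNS_BLOCKLIST = {"g-cloud.win"}
NEW_DOMAIN_DAYS = 30
REVOKE_THRESHOLD = 50


@dataclass(frozen=True)
class ConsentEvent:
    """One 'Allow' click as an identity audit log would record it (constructed)."""
    user: str
    app_name: str
    scopes: frozenset
    redirect_uri: str
    granted_on: date


@dataclass
class Verdict:
    host: str
    score: int
    reasons: list
    revoke_token: bool    # identity-layer response (after step 6 of the deck)
    block_redirect: bool  # DNS-layer response (at steps 4-5 of the deck)


def redirect_host(uri: str) -> str:
    """Host of the redirect_uri the token gets appended to; accepts defanged 'a[.]b'."""
    return (urlsplit(uri.replace("[.]", ".")).hostname or "").lower()


def is_google_owned(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)


def triage(ev: ConsentEvent) -> Verdict:
    """Score one consent grant and decide on token revocation and DNS blocking."""
    host = redirect_host(ev.redirect_uri)
    score, reasons = 0, []

    # 1. A first-party name on an app whose callback is not a Google-owned host.
    if ev.app_name.strip().lower() in FIRST_PARTY_NAMES and not is_google_owned(host):
        score += 40
        reasons.append(f"app named {ev.app_name!r} redirects to non-Google host {host}")

    # 2. Send-mail plus contacts is exactly what the worm needed to spread itself.
    can_send = FULL_MAIL in ev.scopes or SEND_MAIL in ev.scopes
    if can_send and CONTACTS & ev.scopes:
        score += 30
        reasons.append("worm-capable scope set: send mail + read contacts")
    elif can_send:
        score += 15
        reasons.append("app can send mail as the user")

    # 3. Callback domain registered shortly before the grant (infrastructure setup phase).
    created = WHOIS_CREATED.get(host)
    if created is not None and (ev.granted_on - created).days <= NEW_DOMAIN_DAYS:
        score += 20
        reasons.append(f"{host} registered {(ev.granted_on - created).days} day(s) before grant")

    # A DNS block on the callback host stops the redirect that carries the token,
    # whether the user clicked Allow or Deny; revocation is still applied as defence in depth.
    return Verdict(host, score, reasons, score >= REVOKE_THRESHOLD, host in DNS_BLOCKLIST)


# Constructed sample grants: one mimicking the deck's attack, two benign-looking ones.
SAMPLE_EVENTS = [
    ConsentEvent("alice@example.org", "Google Docs",
                 frozenset({FULL_MAIL, "https://www.googleapis.com/auth/contacts"}),
                 "https://g-cloud[.]win/oauth/callback", date(2017, 5, 3)),
    ConsentEvent("bob@example.org", "DocsSync", frozenset({SEND_MAIL}),
                 "https://docs-sync-example.com/cb", date(2017, 5, 3)),
    ConsentEvent("carol@example.org", "Google Docs", frozenset({FULL_MAIL}),
                 "https://docs.google.com/oauth2callback", date(2017, 5, 3)),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        v = triage(ev)
        print(f"{ev.user:18} score={v.score:3} revoke={v.revoke_token} block={v.block_redirect}")
        for r in v.reasons:
            print("   -", r)
```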
  • 12. © 2016 Cisco and/or its affiliates. All rights reserved. 12© 2016 Cisco and/or its affiliates. All rights reserved. 12 The way we work has changed.
  • 13. © 2016 Cisco and/or its affiliates. All rights reserved. 13 Branch office What’s changed Apps, data, and identities move to the cloud Business drives use of cloud apps and collaboration is easier No longer need VPN to get work done Branch offices have direct internet access HQ Roaming
  • 14. © 2016 Cisco and/or its affiliates. All rights reserved. 14 Branch office How risk is different today Users not protected by traditional security stack Gaps in visibility and coverage Expose sensitive info (inadvertently or maliciously) Users can install and use risky apps on their own HQ Roaming
  • 15. © 2016 Cisco and/or its affiliates. All rights reserved. 15 Branch office Our solution Umbrella Secure access to the internet Cloudlock Secure usage of cloud apps HQ Roaming
  • 16. © 2016 Cisco and/or its affiliates. All rights reserved. 16 Cisco cloud security Shared focus, complementary use cases Visibility and control Threat protection Forensics Data protection Malware / ransomware Cloudlock For Shadow IT and connected cloud apps (OAuth) Protect cloud accounts from compromise and malicious insiders Analyze audit cloud logs Assess cloud data risk and ensure compliance Prevent cloud-native (OAuth) attacks Umbrella For all internet activity Stop connections to malicious internet destinations Investigate attacks with internet-wide visibility Block C2 callbacks and prevent data exfiltration Prevent initial infection and C2 callbacks
  • 17. Cisco Umbrella: Secure access to the internet
  • 18. First line of defense against internet threats
    § See: visibility to protect access everywhere
    § Learn: intelligence to see attacks before they launch
    § Block: stop threats before connections are made
  • 19. Umbrella: start blocking in minutes. Easiest security product you’ll ever deploy.
    1. Sign up
    2. Point your DNS
    3. Done
  • 20. Visibility and protection for all activity, anywhere (ENFORCEMENT)
    § All office locations
    § Any device on your network
    § Roaming laptops
    § Every port and protocol
    (Diagram: HQ, Mobile, Branch, Roaming, IoT; all ports and protocols, on-network and off-network)
  • 21. Where does Umbrella fit? First line: it all starts with DNS
    § Precedes file execution and IP connection
    § Used by all devices
    § Port agnostic
    (Diagram: Malware, C2 callbacks and Phishing against the existing stack: HQ with Sandbox, NGFW, Proxy, Netflow and AV; Branch with Router/UTM and AV; Roaming with AV only)
  • 22. Enterprise-wide deployment in minutes (DEPLOYMENT)
    Network footprint:
    § Existing DNS/DHCP servers, Wi-Fi APs: simple config change to redirect DNS
    § ISR4K (today), WLC (today), Meraki MR (future), vEdge (future): provisioning and policies per VLAN/SSID; tags for granular filtering and reporting; out-of-the-box integration (Umbrella virtual appliance also available)
    Endpoint footprint:
    § AnyConnect roaming module, Cisco Security Connector: granular filtering and reporting on- & off-network (Umbrella roaming client also available)
  • 23. Intelligent proxy: deeper inspection, built into foundation of the internet (ENFORCEMENT)
    Security controls:
    § DNS and IP enforcement
    § Risky domain inspection through proxy
    § SSL decryption available
    Flow: internet traffic (on and off-network) is resolved either to the original destinations (safe) or to a modified destination (blocked or risky), from which the proxy returns the original destination or a block page
  • 24. Intelligent proxy inspection (ENFORCEMENT)
    Requests for “risky” domains are sent to the intelligent proxy for:
    § URL inspection: Cisco Talos feeds, Cisco WBRS, partner feeds, custom URL block list
    § File inspection: AV engines, Cisco AMP
  • 25. Prevents connections before and during the attack (ENFORCEMENT)
    Web and email-based infection:
    § Malvertising / exploit kit
    § Phishing / web link
    § Watering hole compromise
    Command and control callback:
    § Malicious payload drop
    § Encryption keys
    § Updated instructions
    Stop data exfiltration and ransomware encryption
  • 26. Our view of the internet (INTELLIGENCE)
    § 125B requests per day
    § 15K enterprise customers
    § 90M daily active users
    § 160+ countries worldwide
  • 27. Intelligence to see attacks before launched (INTELLIGENCE)
    Data:
    § Cisco Talos feed of malicious domains, IPs, and URLs
    § Umbrella DNS data: 100B requests per day
    Security researchers:
    § Industry-renowned researchers
    § Build models that can automatically classify and score domains and IPs
    Models:
    § Dozens of models continuously analyze millions of live events per second
    § Automatically uncover malware, ransomware, and other threats
  • 28. Statistical models (INTELLIGENCE): 2M+ live events per second, 11B+ historical events
    Guilt by inference:
    § Co-occurrence model
    § Geolocation model
    § Secure rank model
    Guilt by association:
    § Predictive IP space modeling
    § Passive DNS and WHOIS correlation
    Patterns of guilt:
    § Spike rank model
    § Natural language processing rank model
    § Live DGA prediction
  • 29. Co-occurrence model: domains guilty by inference (INTELLIGENCE)
    Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.
    (Diagram: timeline from time − to time + around known malicious domain x.com; a.com, b.com and c.com requested shortly before it and d.com, e.com and f.com shortly after it are marked as possible malicious domains)
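A simplified version of the co-occurrence idea on this slide, added here as an example and not Cisco's code: over constructed DNS query lines, find the domains that a minimum number of distinct identities requested within a few seconds of a known malicious domain. The window, the identity threshold and the log entries are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS log: (identity, ISO timestamp, requested domain).
# x.com plays the "known malicious domain" from the slide.
LOG = [
    ("id1", "2018-05-29T09:00:00", "a.com"),
    ("id1", "2018-05-29T09:00:05", "x.com"),
    ("id1", "2018-05-29T09:00:08", "b.com"),
    ("id2", "2018-05-29T10:15:00", "x.com"),
    ("id2", "2018-05-29T10:15:03", "b.com"),
    ("id3", "2018-05-29T11:00:00", "b.com"),
    ("id3", "2018-05-29T11:00:02", "x.com"),
    ("id3", "2018-05-29T11:30:00", "c.com"),   # far outside the window
    ("id4", "2018-05-29T12:00:00", "x.com"),
    ("id4", "2018-05-29T12:00:01", "a.com"),
]


def cooccurring_domains(log, known_bad, window=timedelta(seconds=10),
                        min_identities=3):
    """Return {domain: identity count} for domains requested within
    `window` before or after `known_bad` by at least `min_identities`
    distinct identities.  Both thresholds are assumed values; the real
    model applies a statistical significance test over far more data."""
    by_identity = defaultdict(list)
    for ident, ts, dom in log:
        by_identity[ident].append((datetime.fromisoformat(ts), dom))

    identities_per_domain = defaultdict(set)
    for ident, events in by_identity.items():
        events.sort()
        bad_times = [t for t, d in events if d == known_bad]
        if not bad_times:
            continue  # this identity never touched the known-bad domain
        for t, d in events:
            if d != known_bad and any(abs(t - bt) <= window for bt in bad_times):
                identities_per_domain[d].add(ident)

    return {d: len(ids) for d, ids in identities_per_domain.items()
            if len(ids) >= min_identities}


if __name__ == "__main__":
    # b.com sits next to x.com for id1, id2 and id3; a.com only for two.
    print(cooccurring_domains(LOG, "x.com"))
```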
  • 30. Spike rank model: patterns of guilt (INTELLIGENCE)
    § Massive amount of DNS request volume data is gathered and analyzed
    § DNS request volume matches known exploit kit pattern and predicts future attack
    § y.com is blocked before it can launch full attack
    (Chart: DNS requests per day for y.com, compared against known request-volume patterns for DGA, malware, exploit kit and phishing)
  • 31. Predictive IP space monitoring: guilt by association (INTELLIGENCE)
    § Pinpoint suspicious domains and observe their IP’s fingerprint
    § Identify other IPs, hosted on the same server, that share the same fingerprint
    § Block those suspicious IPs and any related domains
    (Diagram: domain → 209.67.132.476, 209.67.132.477, 209.67.132.478, 209.67.132.479, as illustrated on the slide)
  • 32. IP geo-location analysis
    § Host infrastructure: location of the server IP addresses mapped to domain, e.g. hosted across 28+ countries
    § DNS requesters: location of the network and off-network device IP addresses requesting the domain, e.g. only US-based customers requesting a .RU TLD
  • 33. ‘Live DGA prediction’ (INTELLIGENCE): automated at an unparalleled scale
    § Automate reverse engineering: combine C2 domain pairs (a.com, b.com) and known DGA to identify unknown configs
    § Predict 100,000s of future domains: combine newly-identified configs with DGA to identify C2 domains continuously (b.com → c.com, d.com, …)
    § Live DNS log stream: identify millions of domains, many used by DGAs and unregistered (a1.com, a2.com, b1.com, c2.com)
    § Automate blocking pool of C2 domains used by thousands of malicious samples now and in the future, e.g. fgpxmvlsxpsp.me[.]uk, beuvgwyhityq[.]info, gboondmihxgc.com, pwbbjkwnkstp[.]com, bggwbijqjckk[.]me, yehjvoowwtdh.com, ctwnyxmbreev[.]com, upybsnuuvcye[.]net, quymxcbsjbhh.info, vgqoosgpmmur.it
  • 34. ‘Sender rank’ model: predict domains related to spammers (INTELLIGENCE)
    § Identify queries to spam reputation services: our 85M+ users leverage email reputation services to check for spam; we see requests made to check domains found in emails (mail servers → reputation services, e.g. a.spam.ru.checkspam.com, b.spam.ru.checkspam.com: domain of sender prepended to domain of service)
    § Model aggregates hourly graphs per domain: “Hailstorm” spam uses short bursts of 1000s of FQDNs, e.g. subdomains, to hide from reputation services (a.spam.ru … b.spam.ru, z.spam.ru → suspect domain spam.ru identified)
    § Confirm “Hailstorm” domain: check behavior patterns (type of domain, domain popularity, historical activity)
    § Model identifies owners of “Hailstorm” domains: after confirmation, query WHOIS records to get registrant of sender domain (badguy)
    § Block 10,000s of domains before new attacks happen: attackers often register more domains to embed links in phishing or C2 callbacks in malware; model automatically places registrants on a watch list; when new domains are registered at a future time, model automatically verifies them and the new malicious domain is blocked by Umbrella
  • 35. ‘Newly Seen Domains’ category reduces risk of the unknown (INTELLIGENCE)
    Events:
    1. Any user (free or paid) requests the domain¹
    2. Every minute, we sample from our streaming DNS logs.
    3. Check if domain was seen before & if whitelisted².
    4. If not, add to category, and within minutes, DNS resolvers are updated globally.
    Timeline: attackers register domains (not yet a threat); Umbrella’s Auto-WHOIS model may predict as malicious. Before expiration³, if any user requests this domain, it’s logged or blocked as newly seen: Cisco Umbrella protects within minutes and for 24 hours. Domains used in an attack: reputation systems leave customers unprotected or potentially unprotected for days to weeks; later, Umbrella statistical models or reputation systems identify as malicious.
    ¹ May have predictively blocked it already, and likely the first requestor was a free user.
    ² E.g. domain generated for CDN service.
    ³ Usually 24 hours, but modified for best results, as needed.
  • 36. New analysis and categories to combat DNS tunneling (INTELLIGENCE)
    Pipeline over 100B+ DNS requests daily:
    § Machine learning detects domains with excessive # of subdomains or characters and invalid characters or encoded data. Plus, detects clients requesting excessive # of subdomains over a time period.
    § Streaming signature-based jobs: manually identify commercial services (e.g. YourFreedom) or benign uses every hour
    § Batch behavior-based jobs plus researcher inspection: automatically identify malicious or potential data exfiltration or open-source tools (e.g. DNS2TCP)
    Resulting categories: Malware (e.g. PisLoader); Hidden whitelist (e.g. AV updates); DNS Tunneling VPN*; Potentially Harmful Domains*; Undetermined
    *NEW CATEGORIES: These are allowed by default, but can be blocked. And domains in these categories may have already been categorized as Malware or Botnet (a.k.a. C2 callbacks) by many other Umbrella statistical models.
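The per-domain and per-client heuristics this slide names, written out as an added example (not Umbrella's code) and run over a constructed query log: excessive label count or name length, characters that are not valid in a hostname, high-entropy labels that look like encoded data, and one client walking through many distinct subdomains of one zone. The thresholds, the naive zone extraction and the sample log are assumptions.

```python
import math
import re
from collections import defaultdict

# Assumed thresholds; production models tune these from far larger data.
MAX_LABELS = 6                  # label count above which a name is suspicious
MAX_NAME_LEN = 100              # total name length above which it is suspicious
MIN_LABEL_LEN = 20              # only long labels are tested for encoded data
MIN_ENTROPY = 3.5               # bits/char; hex or base32 payloads score high
MAX_SUBDOMAINS_PER_CLIENT = 20  # distinct names under one zone per client

# Hostname labels: letters, digits and interior hyphens (RFC 1123 style).
HOSTNAME_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def shannon_entropy(s):
    """Bits per character of a string (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_zone(name):
    """Naive zone extraction: last two labels.  Real systems use the public
    suffix list, so co.uk-style zones are mis-grouped by this assumption."""
    return ".".join(name.split(".")[-2:])


def name_findings(qname):
    """Per-query checks from the slide: excessive subdomains or characters,
    invalid characters, and encoded-looking data in a label."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    findings = []
    if len(labels) > MAX_LABELS:
        findings.append("too_many_labels")
    if len(name) > MAX_NAME_LEN:
        findings.append("name_too_long")
    if any(not HOSTNAME_LABEL.match(label) for label in labels):
        findings.append("invalid_chars")
    longest = max(labels, key=len)
    if len(longest) >= MIN_LABEL_LEN and shannon_entropy(longest) >= MIN_ENTROPY:
        findings.append("encoded_label")
    return findings


def client_findings(log, limit=MAX_SUBDOMAINS_PER_CLIENT):
    """Per-client check: clients requesting an excessive number of distinct
    subdomains of one zone.  `log` is an iterable of (client_ip, qname)."""
    seen = defaultdict(set)
    for client, qname in log:
        name = qname.rstrip(".").lower()
        seen[(client, registered_zone(name))].add(name)
    return {key: len(names) for key, names in seen.items() if len(names) > limit}


# Constructed sample log: two ordinary lookups, then one client walking
# through 25 short unique subdomains of a single zone (a tunnel-like pattern).
SAMPLE_LOG = [("10.0.0.7", "www.example.com"), ("10.0.0.7", "mail.example.com")]
SAMPLE_LOG += [("10.0.0.5", f"{i:04x}.tun.example.net") for i in range(25)]
```

Underscore-prefixed names such as SRV or DKIM records are legitimate and will trip the hostname check, which is why the slide pairs the model with a manually curated whitelist.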
  • 37. Umbrella statistical models are 5X more relevant than external intelligence
    RELEVANCY measures the extent that each threat source provides intelligence that is blocking active threats recently seen across our customer base. Higher relevancy = better coverage against active threats.
    Umbrella statistical models have high relevancy because models quickly adapt to evolving threat landscape.
    (Chart: Umbrella statistical models 58% vs. 3rd party feeds 11%, i.e. 5X)
  • 38. Our efficacy (INTELLIGENCE)
    § Discover: 3M+ daily new domain names
    § Identify: 60K+ daily malicious destinations
    § Enforce: 7M+ malicious destinations while resolving DNS
  • 39. What sets Umbrella apart from competitors
    § Easiest connect-to-cloud deployment
    § Fastest and most reliable cloud infrastructure
    § Broadest coverage of malicious destinations and files
    § Most open platform for integration
    § Most predictive intelligence to stop threats earlier
  • 40. Cisco Cloudlock: Secure usage of cloud apps
  • 41. Cloudlock can provide visibility and control over global cloud activities (diagram centered on the user)
  • 42. Key questions organizations have
    Users/Accounts:
    § Who is doing what in my cloud applications?
    § How do I detect account compromises?
    § Are malicious insiders extracting information?
    Data:
    § Do I have toxic and regulated data in the cloud?
    § Do I have data that is being shared inappropriately?
    § How do I detect policy violations?
    Applications:
    § How can I monitor app usage and risk?
    § Do I have any 3rd party connected apps?
    § How do I revoke risky apps?
  • 43. Cisco Cloudlock addresses customers’ most critical cloud security use cases
    Capabilities: Discover and Control; User and Entity Behavior Analytics; Cloud Data Loss Prevention (DLP); Apps Firewall; Cloud Malware
    Use cases: Shadow IT/OAuth Discovery and Control; Data Exposures and Leakages; Privacy and Compliance Violations; Compromised Accounts; Insider Threats
  • 44. Here’s an example of why you need cloud user security
    In one hour: login from North America at 9:00 AM ET, then data export from Africa at 10:00 AM ET.
    § Distance from the US to the Central African Republic: 7362 miles
    § At a speed of 800 mph, it would take 9.2 hours to travel between them
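The arithmetic behind this slide turned into a detection check, added here as an example and not Cloudlock's code: compute the great-circle distance between two cloud events and flag the pair when the implied speed exceeds the 800 mph the slide assumes. The coordinates (Washington, DC and Bangui) and the event records are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3959.0
MAX_PLAUSIBLE_MPH = 800.0   # the airliner speed the slide assumes


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def implied_speed_mph(event_a, event_b):
    """Speed needed to be present at both events; event = (ISO timestamp,
    lat, lon).  Timestamps must already be in one zone, as on the slide
    (both ET).  Zero elapsed time with a non-zero distance is infinite."""
    (ts_a, lat_a, lon_a), (ts_b, lat_b, lon_b) = event_a, event_b
    miles = haversine_miles(lat_a, lon_a, lat_b, lon_b)
    delta = datetime.fromisoformat(ts_b) - datetime.fromisoformat(ts_a)
    hours = abs(delta.total_seconds()) / 3600
    if hours == 0:
        return float("inf") if miles > 0 else 0.0
    return miles / hours


def is_impossible_travel(event_a, event_b, max_mph=MAX_PLAUSIBLE_MPH):
    """True when no plausible journey links the two events."""
    return implied_speed_mph(event_a, event_b) > max_mph


# Constructed events (assumed coordinates: Washington, DC and Bangui, CAR).
LOGIN = ("2018-05-29T09:00:00", 38.9, -77.0)
EXPORT = ("2018-05-29T10:00:00", 4.36, 18.56)

if __name__ == "__main__":
    print(round(haversine_miles(*LOGIN[1:], *EXPORT[1:])), "miles")
    print(is_impossible_travel(LOGIN, EXPORT))
```

The slide's 7362-mile figure depends on which US and CAR points are chosen; with these coordinates the distance is roughly 6300 miles, still far beyond what one hour allows at any plausible speed.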
  • 45. Have you ever been to 68 countries in one week?
  • 47. More than 24,000 files per organization publicly accessible
    Data exposure per organization (shares of files): accessible by external collaborators, accessible publicly, accessible organization-wide; chart values 2%, 10% and 12%
    § 24,000 files publicly accessible per organization
    § 70% of external sharing done with non-corporate email addresses
    Source: Cloudlock CyberLab
  • 49. Consider “connected” cloud apps: Pokémon Go
    Pokémon Go breaks another record: higher daily average user time than Facebook, Snapchat, and Instagram. Daily time spent by average iOS user: Pokémon Go 33 mins, Facebook 22 mins, Snapchat 18 mins, Twitter 17 mins, Instagram 15 mins, Slither 10 mins (Source: SensorTower)
    An unusual start: Pokémon Go breaking all mobile gaming records globally. Time to reach 100 million users worldwide: 1 month (estimated) for Pokémon Go, versus 4.5 yrs, 7 yrs, 16 yrs and 75 yrs for the other entries charted (years of launch 1878, 1879, 1900, 2004, 2016)
  • 50. Consider Pokémon Go
    § 44% of all organizations have employees who granted access to Pokémon Go using their corporate credentials
    § 5.8% of an organization’s employees have installed Pokémon Go on average
  • 51. OAuth is not restricted to a few, isolated apps
    Connected apps by year: 2014: 5,500; 2015: 77,650; 2016: 156,796; 2017: 278,131
  • 52. More than 25% of those apps are of high risk
    219,000 third-party apps; percent of installs by risk: 27% high risk, 58% medium risk, 15% low risk
    Source: Cloudlock CyberLab
  • 53. Cisco Cloudlock: Cloud Access Security Broker (CASB) covering users, data and apps across SaaS
  • 54. CASB – API access (cloud to cloud)
    Public APIs; Cisco NGFW / Umbrella; managed users, managed devices, managed network; unmanaged users, unmanaged devices, unmanaged network
  • 55. Cloudlock has over 70 pre-defined policies
    PII:
    § SSN/ID numbers
    § Driver license numbers
    § Passport numbers
    PHI:
    § HIPAA
    § Health identification numbers (global)
    § Medical prescriptions
    PCI:
    § Credit card numbers
    § Bank account numbers
    § SWIFT codes
    Education:
    § Inappropriate content
    § Student loan application information
    § FERPA compliance
    General:
    § Email address
    § IP address
    § Passwords/login information
  • 56. Cloudlock provides automated response actions: Detect → Alert (admin/users) → Security workflows → Response actions → API integrations
  • 57. Differentiators: Cisco Cloudlock
    § Smartest intelligence: CyberLab, crowd-sourced community trust ratings
    § Proven track record: deployed at over 700 organizations and supporting deployments over 750,000 users
    § FedRAMP In Process: the only FedRAMP In Process CASB working towards an Authority to Operate via Agency Authorization
    § Cisco ecosystem: integrated, architectural approach to security, vendor viability
    § Cloud-native: full value instantly, no disruption
  • 58. Why Cisco Cloud Security?
  • 59. Why customers love Cisco cloud security
    § Most effective protection
    § Simplest to deploy and manage
    § Most open platform
    § Most reliable
  • 60. Real customer results
    Umbrella:
    § “Deployed to 30,000 employees in less than 60 minutes”
    § “Reduced infections by 98%...saved 1.7 months of user downtime per year”
    § “Cut incident response time by 25-30%”
    Cloudlock:
    § “Reduced public exposure by 62% in one day”
    § “Intelligently reduced OAuth-connected apps by 34% in one week”
    § “Deployed to 125,000 employees in less than 5 minutes”