Introducing the New Cisco PowerPoint Templates

Protection Against Advanced Persistent Threats
Peter Mesjar
Systems Engineer, CCIE 17428
October 2014
Agenda

• Modern Threats
• Advanced Malware Protection Solution
• Why Cisco?

© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Public

The Problem Is Threats
So, What Is Malware Like These Days?

Timeline of malware (slide graphic; labels listed in order of appearance):
• Viruses (1985)
• Macro viruses (1995)
• Across the 2000, 2005, 2010 and 2013 markers: worms, hackers, spyware/rootkits, APTs, malware as a service, mobile malware, SDKs
APT / Advanced Malware

Is now a tool for financial gain
• Uses formal development techniques
• Standard sandbox-aware
• Quality assurance to evade detection
• 24/7 tech support available

Has become a math problem
• Endpoint AV signatures: ~20 million
• Total KNOWN malware samples: ~100 million
• AV efficacy rate: ~50%
http://www.pcworld.com/article/2150743/antivirus-is-dead-says-maker-of-norton-antivirus.html
An Example

"Out of the 45 different pieces of malware planted on the Times' systems over the course of three months, just one of those programs was spotted by the Symantec antivirus software the Times used... The other 44 were only found in... post-breach investigation months later."
http://www.forbes.com/sites/andygreenberg/2013/01/31/symantec-gets-a-black-eye-in-chinese-hack-of-new-york-times/
Introducing Virtest: VirusTotal's Evil Twin
• Russian malware service, for malware authors (bad guys)
• Paid-for services (including bitcoins)
• 1) Upload your malware
• 2) Choose AV engine(s)
• 3) Wait...
The Reality: Organizations Are Under Attack

"95% of large companies are targeted by malicious traffic, and 100% of organizations have interacted with websites that host malware." - 2014 Cisco Annual Security Report

Neiman Marcus breach
• 350,000 credit cards stolen

Target breach, December 2013
• 40 million credit cards stolen
• 70 million personal records stolen
...and many more
http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
Little Focus on Response...

Prevention: historic investment here.
Incident Response: need more focus and investment here.

"...According to US CERT, the average time from breach to discovery is 486 days and normally the person breached finds out from a 3rd party." - US CERT

"Based on a forensic analysis going back months, it appears hackers broke into The Times computers on Sept. 13." - NY Times, Jan 30, 2013

If you knew you were going to be compromised, would you do security differently?
The New Security Model: Attack Continuum

BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Products placed along the continuum (slide graphic; column placement not recoverable): Firewall/NGFW, VPN, NGIPS, Advanced Malware Protection, UTM, Vulnerability management, Web Security, Network Behavior Analysis, Email Security, Retrospective Security, NAC + Identity Services, Visibility and Context

Advanced Malware Protection Solution (AFTER)
We Provide Continuous Analysis

Point-in-time detection (antivirus, sandboxing):
• Analysis stops after the initial verdict
• Not 100%: misses sleep techniques, unknown protocols, encryption, polymorphism
• Blind to scope of compromise
• Initial disposition = Clean; actual disposition = Bad = too late!!

Continuous analysis (retrospective detection):
• Analysis continues after the initial verdict; "turns back time"
• Continuous visibility and control are key
• Initial disposition = Clean; actual disposition = Bad = Blocked
• Addresses the limitations of point-in-time detection
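The "initial disposition = clean, actual disposition = bad" case above, and the file trajectory view shown later in the deck, come down to one defender-side mechanism: keep a record of every file sighting even when the verdict at the time was clean, so that a later verdict can be applied backwards. The Python below is an added example, not code from the deck or from Cisco's products; the event fields, the host names and the hash value are constructed for illustration.

```python
"""Retrospective disposition tracking over constructed file-sighting events.

Added example (not Cisco code). Every sighting is recorded regardless of the
point-in-time verdict; when a hash is later re-classified as malicious, the
tracker reports every host that already saw it (retrospective alert) and the
ordered sequence of sightings (file trajectory, including the first host).
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Sighting:
    ts: int          # seconds since epoch (constructed values)
    host: str
    sha256: str
    action: str      # "create", "execute", "copy"
    path: str


@dataclass
class RetrospectiveTracker:
    dispositions: dict = field(default_factory=dict)                     # hash -> verdict
    sightings: dict = field(default_factory=lambda: defaultdict(list))   # hash -> [Sighting]

    def observe(self, s: Sighting) -> str:
        """Point-in-time decision: record the sighting and act on the current verdict."""
        self.sightings[s.sha256].append(s)
        verdict = self.dispositions.get(s.sha256, "unknown")
        return "block" if verdict == "malicious" else "allow"

    def update_disposition(self, sha256: str, new: str) -> list:
        """Continuous analysis: a later verdict can flip a hash to malicious.
        Returns one retrospective alert per host that has already seen the file."""
        old = self.dispositions.get(sha256, "unknown")
        self.dispositions[sha256] = new
        if new != "malicious" or old == "malicious":
            return []                      # nothing new to act on retrospectively
        alerts = []
        for host in sorted({s.host for s in self.sightings[sha256]}):
            first = min(s.ts for s in self.sightings[sha256] if s.host == host)
            alerts.append({"host": host, "sha256": sha256,
                           "first_seen": first, "previous_disposition": old})
        return alerts

    def trajectory(self, sha256: str) -> list:
        """Ordered (ts, host, action, path) tuples: where the file entered and where it went."""
        return sorted((s.ts, s.host, s.action, s.path) for s in self.sightings[sha256])

    def patient_zero(self, sha256: str):
        """Host with the earliest sighting of the hash, or None if never seen."""
        traj = self.trajectory(sha256)
        return traj[0][1] if traj else None


# Constructed sample: a download lands on one workstation, runs, then spreads to two more hosts.
SAMPLE_HASH = "d0c5" * 16   # constructed placeholder, not a real sample hash
SAMPLE_EVENTS = [
    Sighting(1000, "wks-17",  SAMPLE_HASH, "create",  r"C:\Users\ann\Downloads\invoice.exe"),
    Sighting(1060, "wks-17",  SAMPLE_HASH, "execute", r"C:\Users\ann\Downloads\invoice.exe"),
    Sighting(1400, "wks-22",  SAMPLE_HASH, "copy",    r"\\share\tools\svchost.exe"),
    Sighting(1900, "srv-db1", SAMPLE_HASH, "execute", r"C:\Windows\Temp\svchost.exe"),
]


def run_scenario() -> dict:
    """Replay the sample: every sighting is allowed at the time, then the verdict changes."""
    t = RetrospectiveTracker()
    point_in_time = [t.observe(e) for e in SAMPLE_EVENTS]     # all "allow": verdict unknown then
    alerts = t.update_disposition(SAMPLE_HASH, "malicious")   # verdict arrives later
    return {"point_in_time": point_in_time, "alerts": alerts,
            "trajectory": t.trajectory(SAMPLE_HASH),
            "patient_zero": t.patient_zero(SAMPLE_HASH), "tracker": t}


if __name__ == "__main__":
    r = run_scenario()
    print("point-in-time verdicts:", r["point_in_time"])
    for a in r["alerts"]:
        print("retrospective alert:", a)
    print("patient zero:", r["patient_zero"])
    for step in r["trajectory"]:
        print("trajectory:", step)
```

The key design point is that `observe` never discards a sighting just because the verdict was clean: the sighting record is what makes the later `update_disposition` call useful, turning a single new verdict into a scoped list of affected hosts and an entry point, rather than an alert about a file nobody can place.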
Point-in-Time Detection... vs Continuous Analysis

Point-in-time security sees a lighter, bullet, cufflink, pen & cigarette case... Wouldn't it be nice to know if you're dealing with something more deadly?
Our Approach for Advanced Malware Protection

Retrospective Security
• Continuous file analytics
• Reputation determination

Network AMP: FireSIGHT management, Sourcefire sensor, AMP malware license
Client-based AMP

No Need for Client
• Small code (like a printer driver)
• Desktop and mobile devices
• Checking of file copying / execution / moving
• Traps fingerprint & attributes
• Queries cloud for file disposition
When You Have Been Breached: Questions That Need Answers
The Complexity of the Problem that AMP Solves

Where do I start?
• How did the threat get onto the system?
• What systems were impacted?
• What did the threat do?
• How do we recover?
• How do we keep it from happening again?

Incident response workflow (slide flowchart; nodes listed, connections not recoverable):
• Notification, Quarantine, Triage, Confirm, Stop
• Confirm infection / Cannot identify infection / No infection / Infection identified
• Analyze malware: build test bed; static analysis, device analysis, network analysis
• Malware profile, Update profile, Define rules (from profile)
• Malware proliferation / Proliferation analysis: search network traffic, search device logs, scan devices
• Remediate, Search for re-infection
AMP Console (slide images, not transcribed)

One Step Remediation (slide images, not transcribed)

File Trajectory (slide image, not transcribed)
The Results

Major US utility company
• Responsible for protecting a variety of assets, including nuclear power plants
• FireAMP detected a system compromised via a remote Java exploit 2 days before the Java exploit was announced
• Took incident response time from several hours to 15 minutes per compromised machine
• Able to rapidly determine if a user who claimed to be spearphished actually was spearphished
• Remediated what appeared to be an internal network DoS by discovering a misconfigured system
Private Cloud – Local Decision (VM)

Capability                              Private Cloud                Public Cloud
File/Device Trajectory                  ✔                            ✔
Threat Root Cause                       ✔                            ✔
IOC and alerting                        ✔                            ✔
Simple and Custom detection             ✔                            ✔
Cloud Lookups/Retrospective Alerting    ✔                            ✔
File Analysis                           * (ThreatGrid integration)   ✔
Android: New Target – Cisco Annual Security Report
• Mobile devices as targets (99% Android)
• Most visible mobile malware
(Cisco Cloud Web Security reports)
Android Risks
Can be more susceptible than a PC
• Many ways to monetize attacks
• Device often tied directly to billing system
• Easier to locate personal data than on a PC
• Users often use default apps such as "Contacts" and "Gallery" and often will store full personal data
• Personal information on devices often difficult to change
• Gmail email address tied to Google Play
• Device identifiers (phone number, MAC address, IMEI, IMSI)
• Lots of free apps readily available from Google Play
• Easy to install and try
Why Cisco?

Sourcefire Advanced Malware Protection

Complete solution suite to protect the extended network
• FireAMP for hosts, virtual and mobile devices
• Dedicated Advanced Malware Protection (AMP) appliance
• Advanced Malware Protection for FirePOWER (NGIPS, NGFW)
• Cisco Email and Web Security Appliances
NSS Labs Report: Comparative Testing on Breach Detection Systems

Who is NSS Labs?
NSS Labs, one of the best and most thorough independent testing bodies in the industry, performed comparative testing on Breach Detection Systems.

What was measured?
• Security effectiveness of Breach Detection Systems: HTTP/email malware, exploits, evasions, and false positive rate
• Total cost of ownership per protected Mbps

What Cisco-Sourcefire products were tested?
AMP Everywhere
• AMP for Networks and AMP for Endpoints (TCO calculations include this set of FireAMP connectors)
• FirePOWER 8120 (with AMP subscription)*

What competitor products were evaluated?
FireEye, AhnLab, Fortinet, TrendMicro, Fidelis

BDS Methodology v1.5
"[The methodology] utilizes real threats and attack methods that exist in the wild and are actually being used by cyber-criminals and other threat actors. This is the real thing, not facsimile; systems under test (SUT) are real stacks connected to a live internet feed." -- NSS Labs

* Dedicated AMP appliances (AMP8150/AP7150) were not shipping at the time of the test, otherwise one would have been used
The Result (1/2)
Cisco AMP is a leader in Security Effectiveness and TCO and offers Best Protection Value

NSS Labs Security Value Map (SVM) for Breach Detection Systems (chart: Security Effectiveness vs. TCO per Protected-Mbps)
Cisco Advanced Malware Protection: Best Protection Value, 99.0% Breach Detection Rating, Lowest TCO per Protected-Mbps

The Result (2/2)
Cisco AMP is a leader in Security Effectiveness and TCO and offers Best Protection Value

Cisco-Sourcefire AMP Results – For Detection Capability Only (chart)
Cisco Advanced Malware Protection: Best Protection Value, 99.0% Breach Detection Rating, Lowest TCO per Protected-Mbps
Conclusion

A Revolutionary Approach...
• Attackers are determined and resourceful
• Malware still getting on devices; detection not 100%
• Point-in-time detection is not sufficient
• Integrated response required to be effective
• Provides an architecture - AMP everywhere
• Our database of common threats gives you upfront defense
• Our real-time behavioral tracking, background information on the prevalence of software, and malware sandboxing allow you to quickly separate out the innocuous software, understand what the attacker did, how far he or she moved, and what kind of tools they are using
• Our threat defense tools allow you to rapidly remove previously unrecognized threats without waiting on big AV firms to respond
• Cisco FireAMP solves business problems:
  • Where do I start?
  • What is the scope and how bad is the situation?
  • What was the point and method of entry?
  • Can I control and remediate across the network and endpoints?

Thank you.