Cisco Malware Defense Solutions

Is Your Network a Target for Malware?

The primary goal for most malware is financial gain. Criminal networks and the underground market have made reselling personal information, intellectual property, and government secrets profitable for thousands of people. To keep pace with demand for illegally obtained information, the amount of unique malware doubled in 2010 alone. Most organizations’ networks contain information that is valuable to such criminal networks:
• Personal information about employees or citizens
• Credit or debit card information
• Intellectual property or government secrets

The average cost of a security breach is $3.4 million and can be as high as $31 million*.

How Do You Defend Against Malware?

You need to defend against malware on three fronts:
• People: Specifically, their behavior while online
• Process: For all employees and especially I.T. professionals
• Technology: Your complete security architecture

This document focuses on the technologies Cisco offers to defend against malware. Complementing this technology with proper training of employees on responsible online behavior and rigorous security procedures will dramatically reduce your organization’s risk of falling victim to malware.

What Are the Most Common Attacks?

Malware takes on many different forms. These are the most frequently used:
• Attachments to email or instant messages
• URL- and browser-based exploits, such as Java
• Phishing for user information by email, instant message, or social networking sites

Web, email, and intrusion prevention appliances can greatly reduce the threat of common attacks using signature technology. Defending against the rapidly growing array of less common threats requires technologies that can identify suspicious behavior on the network without signatures. For example, devices that can use global threat information in real time can continually adapt to the changing security landscape.

© 2011 Cisco and/or its affiliates. All Rights Reserved
* 2009 Annual Study: Cost of Data Breach, Ponemon Institute

Cisco’s Malware Defense Solution

Cisco’s Security Intelligence Operations is the heartbeat of the malware defense solution. It collects global information from over 700,000 devices and distributes threat information in real time to all the devices listed below.

Signature-based solutions include:
• Cisco IronPort Email Security Appliance
• Cisco IronPort Web Security Appliance

Products that add behavior-based protection include:
• Adaptive Security Appliance (ASA) Botnet Filter
• Cisco Intrusion Prevention System
• Cisco Services Control Engine

Cisco Security Intelligence Operations

Cisco’s Security Intelligence Operations (SIO) is a cloud-based service that connects global threat information, reputation-based services, and sophisticated analysis to Cisco network security devices. Cisco SIO uses three components to enhance the filters already available in Cisco devices:
• Cisco SensorBase: The world’s largest threat-monitoring network captures global threat telemetry data from more than 700,000 devices and from 600 third-party threat intelligence sources.
• Cisco Threat Operations Center: A global team of security analysts and automated systems that extract actionable intelligence.
• Dynamic updates: Real-time information is automatically delivered to devices with best-practice recommendations for improving your overall security posture.

Cisco IronPort Email Security Appliance

E-mail is a common distribution technique used to deliver malware. To holistically address this issue, an organization must manage the amount of spam targeting its users and look to advanced detection techniques to identify potential malware. The IronPort C-Series and X-Series e-mail security appliances provide a multi-layered approach to this challenge. These devices provide protection against spam, phishing attacks, and other blended attacks through Cisco IronPort’s Virus Outbreak Filters and traditional anti-virus.
Cisco IronPort Web Security Appliance

Internet-connected enterprises must protect themselves from the array of malware circulating the World Wide Web, waiting for unsuspecting victims. Organizations must have a system that can help enforce organizational web use policy and prevent malware from leveraging the web to penetrate the enterprise perimeter, yet enable the many productive applications that exist.

Cisco IronPort web security appliances combine a high-performance security platform with Cisco IronPort Web Reputation technology and the breakthrough Cisco IronPort Dynamic Vectoring and Streaming (DVS) engine. This revolutionary scanning solution enables multi-vendor, signature-based spyware and malware filtering.

Cisco Adaptive Security Appliances (ASA)

Cisco ASA 5500 Series Adaptive Security Appliances provide reputation-based control for an IP address or domain name. This has been very successful in combating rogue email or web servers using dynamic or changing IP addresses. The Cisco ASA Botnet Traffic Filter is integrated into all Cisco ASA appliances and inspects traffic traversing the appliance. The Botnet Traffic Filter monitors all ports and performs a real-time lookup in its database of known botnet IP addresses and domain names. Based on this investigation, the Botnet Traffic Filter determines whether a connection attempt is benign and should be allowed, or whether it is a risk and should be tagged for mitigation.

Cisco Intrusion Prevention System (IPS)

The Cisco IPS plays an important role in the overall security posture of an organization and is a critical component of a malware defense solution. Cisco’s IPS offers many different form factors and allows an organization to deploy the right form factor based on location and throughput requirements. Cisco’s network-based intrusion prevention identifies, classifies, and stops known and unknown threats.
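Before the IPS details, here is the reputation lookup that the Botnet Traffic Filter section above describes, as an added example that is not Cisco’s code: a constructed connection log is checked against a constructed list of known botnet networks and domains, and each connection is either allowed or tagged for mitigation (a listed domain also matches its subdomains).

```python
# Added illustration of reputation-based connection classification.
# Not Cisco's code; the reputation list and the connection log are constructed.
import ipaddress

# Constructed reputation database: known-bad networks and domain names.
BAD_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]
BAD_DOMAINS = {"botnet-c2.example", "update-host.invalid"}

# Constructed connection log: "<timestamp> <src_ip> -> <dst_ip> <dst_domain or ->"
CONN_LOG = """\
2011-03-01T10:00:01 10.1.1.5 -> 93.184.216.34 www.example.com
2011-03-01T10:00:02 10.1.1.5 -> 198.51.100.42 -
2011-03-01T10:00:03 10.1.1.9 -> 192.0.2.10 cdn.botnet-c2.example
2011-03-01T10:00:04 10.1.1.9 -> 203.0.113.7 -
2011-03-01T10:00:05 10.1.1.7 -> 192.0.2.20 mail.example.net
"""


def domain_is_bad(domain):
    """True if the domain itself or any parent domain is on the reputation list."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels)))


def ip_is_bad(ip):
    """True if the address falls inside any listed botnet network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BAD_NETWORKS)


def classify(line):
    """Return (src, dst, verdict, reason); verdict is 'allow' or 'mitigate'."""
    _ts, src, _arrow, dst, domain = line.split()
    if ip_is_bad(dst):
        return (src, dst, "mitigate", f"destination {dst} is a known botnet address")
    if domain != "-" and domain_is_bad(domain):
        return (src, dst, "mitigate", f"domain {domain} is a known botnet domain")
    return (src, dst, "allow", "no reputation match")


def scan(log):
    """Classify every non-empty line of the connection log."""
    return [classify(line) for line in log.splitlines() if line.strip()]


if __name__ == "__main__":
    for src, dst, verdict, reason in scan(CONN_LOG):
        print(f"{verdict:8} {src} -> {dst}  ({reason})")
```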
Cisco’s IPS is one of the most widely deployed intrusion prevention systems in the world and provides the following:
• Protection against more than 30,000 known threats
• Timely signature updates
• Cisco Global Correlation to dynamically recognize, evaluate, and stop emerging Internet threats

Cisco Services Control Engine

The Cisco Services Control Engine (SCE) is a deep packet inspection platform that can scale up to and beyond 30 Gbps. It can be used as a policy enforcement device in data centers and Internet gateways as well as in remote offices. The SCE can intelligently detect and classify over 1,000 different protocols and applications for both overt and covert transmission of information. Once a specific application or protocol is detected, the SCE can apply actions such as drop, mark, rate limit, packet capture, mirror, redirect, report/alert, or log. The SCE also has the ability to correlate the user to each specific session. Additionally, the SCE collects metrics on the network traffic that can be used to discover anomalous activity which could be indicative of a covert channel used for data transfers.

Learn More

For more information, please go to the following website: www.cisco.com/go/cyber