Threat-Centric Security
James Weathersby, Sr. Mgr., Cyber Security Engineers and Architects
Cisco and/or its affiliates. All rights reserved. Cisco Public

The Security Problem
- Changing Business Models
- Dynamic Threat Landscape
- Complexity and Fragmentation

The Industrialization of Hacking (timeline, 1990 to 2020)
- 1990–2000: Viruses. Phishing, low sophistication.
- 2000–2005: Worms. Hacking becomes an industry.
- 2005–Today: Spyware and Rootkits.
- Today+: APTs, Cyberware. Sophisticated attacks, complex landscape.

"Would you do security differently if you knew you were going to be compromised?"

The New Security Model: Attack Continuum
- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Spans Network, Endpoint, Mobile, Virtual and Cloud, with both point-in-time and continuous protection.

The New Security Model: Attack Continuum (technologies by phase)
- BEFORE: Firewall, Patch Mgmt, App Control, Vuln Mgmt, VPN, IAM/NAC
- DURING: IPS, IDS, Antivirus, Email/Web
- AFTER: AMD, FPC, Log Mgmt, Forensics, SIEM
Visibility and Context underpin all three phases.

Lessons of the Attack Continuum
- Security technologies have a scope of application.
- Because of that scope, there can be no silver-bullet technology.
- An advanced, modern approach to security shares information and capabilities across all phases of the Attack Continuum.

Strategic Imperatives
- Visibility-Driven: network-integrated, broad sensor base, context and automation
- Threat-Focused: continuous advanced threat protection, cloud-based security intelligence
- Platform-Based: agile and open platforms, built for scale, consistent control and management
Across Network, Endpoint, Mobile, Virtual and Cloud.
Need Both Breadth and Depth
- BREADTH: Network, Endpoint, Mobile, Virtual, Cloud
- DEPTH: Who, What, Where, When, How

You Can't Protect What You Can't See
Application Protocols, Users, NetFlow, Web Applications, Files, Malware, Command and Control Servers, Services, Vulnerabilities, Operating Systems, Processes, Network Servers, Mobile Devices, Routers and Switches, Client Applications, VoIP Phones, Printers, Virtual Machines, Network Behavior.

Threat-Focused: Detect, Understand, and Stop Threats
- Collective Security Intelligence answers Who, What, Where, When, How
- Event History is recorded; Context comes from ISE plus the network and appliances (NGFW/NGIPS)
- Threat Identified, then Enforcement via AMP, CWS and appliances

Continuous Advanced Threat Protection
Same model, plus Continuous Analysis (AMP, Threat Defense): context and enforcement are re-evaluated as event history and intelligence change, not only at the moment of the event.

Today's Security Appliances
Traditional Firewall Functions, VPN Functions, Context-Aware Functions, IPS Functions, Malware Functions.

Reduce Complexity and Increase Capability
- Collective Security Intelligence and Centralized Management
- Network Control Platform: appliances, virtual
- Device Control Platform: host, mobile, virtual
- Cloud Services Control Platform: hosted

Platform-Based Security Architecture (layers, top to bottom)
- Common Security Policy and Management
- Security Services and Applications: Cisco Security Applications (Access Control, Context Awareness, Content Inspection, Application Visibility, Threat Prevention) and Third Party Security Applications
- Orchestration: Common Security Policy & Management, Security Services Platform, Security Management APIs, Cloud Intelligence APIs
- Cisco ONE APIs: Platform APIs (Physical Appliance, Virtual, Cloud), Infrastructure Element Layer APIs, Device APIs (OnePK, OpenFlow, CLI)
- Cisco Networking Operating Systems (Enterprise, Data Center, Service Provider)
- ASIC Data Plane and Software Data Plane across Route, Switch and Compute

Enforcement Delivered from the Cloud
Collective Security Intelligence: telemetry data, threat research, advanced analytics, distributed enforcement.
- 3M+ cloud web security users
- 6GB of web traffic examined and protected every hour
- 75M unique hits every hour
- 10M blocks enforced every hour
Cloud Connected Network: mobile, router, firewall.

Common Policy, Management & Context
- Network-enforced policy: application reputation, site reputation, roles-based controls
- Common management and shared policy across Access, FW, IPS, VPN, Malware, Web and Email
- Delivered on appliances, routers, switches, wireless and virtual platforms
- Visibility, Attacks, Control; cloud-based threat intelligence and defense

Open Source to the Community: OpenAppID

What is Snort?
Snort® is an open source network intrusion prevention and detection system (IDS/IPS), consisting of the Snort engine and the Snort rules language. Created in 1998 by Martin Roesch and developed by Sourcefire; Sourcefire was acquired by Cisco Systems on October 7th, 2013. Snort combines the benefits of signature, protocol, and anomaly-based inspection.
Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS. See more at http://www.snort.org. It was never designed to be application aware.

The Application Problem
- Volume: there are more "apps" today than ever before; it is an impossible task for any one vendor to develop all detections and keep pace with app innovation.
- Closed: with a closed approach, it is hard for a network security team to extend detection to bespoke apps that only exist within that customer's network or geography.
- Isolation: without an open approach, collaboration is impossible, so the sharing and validation of detection content is stymied.
Little user benefit from a closed approach.

Open Source Security Philosophy
- Community: engage with users and developers to strengthen their solutions
- Collaboration: build with the community to solve complex security problems
- Trust: demonstrate technical excellence, trustworthiness and thought leadership
Complex security problems solved through open source.

OpenAppID Overview
What is OpenAppID? An open source, application-focused detection language that enables users to create, share and implement custom application detection.
Key advantages:
- New, simple language to detect apps
- Reduces dependency on vendor release cycles
- Build custom detections for new or specific (e.g. geo-based) app-based threats
- Easily engage and strengthen detector solutions
- Application-specific detail with security events
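The following is an added worked example, not OpenAppID code or any Cisco/Sourcefire code. Real OpenAppID detectors are Lua scripts loaded by Snort; this stand-alone Python models the mechanism the slides describe: a small, user-extensible table of patterns (Host header, request path, User-Agent) is matched against client traffic, the best match yields an application name, and that name is attached to a security event. The detector names, hostnames and sample packets are constructed for the example; the last detector in the table is the kind of bespoke internal app a customer would add without waiting for a vendor release.

```python
"""Toy application detector in the spirit of OpenAppID (added illustration)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AppDetector:
    name: str                  # application label reported in events
    hosts: tuple = ()          # exact Host values or parent domains
    paths: tuple = ()          # regexes over the request path
    user_agents: tuple = ()    # substrings of the User-Agent header


# Constructed detector table (hypothetical app names and domains).
DETECTORS = (
    AppDetector("example-social", hosts=("social.example",),
                user_agents=("SocialApp/",)),
    AppDetector("example-filesync", hosts=("sync.example",),
                paths=(r"^/api/v\d+/upload",)),
    # A bespoke internal app: detection added locally, no vendor cycle needed.
    AppDetector("corp-hr-portal", hosts=("hr.corp.example",)),
)


def parse_http_request(payload: bytes):
    """Return (method, path, headers) for an HTTP/1.x request, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def identify_app(payload: bytes, detectors=DETECTORS):
    """Return the best-matching application name, or None if nothing matches."""
    req = parse_http_request(payload)
    if req is None:
        return None
    _method, path, headers = req
    host = headers.get("host", "").split(":")[0].lower()
    agent = headers.get("user-agent", "")
    best, best_score = None, 0
    for det in detectors:
        score = 0
        if any(host == h or host.endswith("." + h) for h in det.hosts):
            score += 4      # a host match is the strongest evidence
        if any(re.search(p, path) for p in det.paths):
            score += 2
        if any(u in agent for u in det.user_agents):
            score += 1
        if score > best_score:
            best, best_score = det, score
    return best.name if best else None


def tag_event(payload: bytes, alert_msg: str) -> dict:
    """Attach application context to a security event."""
    return {"msg": alert_msg, "app": identify_app(payload) or "unknown"}


# Constructed sample client payloads.
PKT_SOCIAL = (b"GET /feed HTTP/1.1\r\nHost: www.social.example\r\n"
              b"User-Agent: SocialApp/4.2\r\n\r\n")
PKT_SYNC = b"POST /api/v2/upload HTTP/1.1\r\nHost: cdn.other.example\r\n\r\n"
PKT_HR = b"GET /payslips HTTP/1.1\r\nHost: hr.corp.example:8443\r\n\r\n"
PKT_TLS = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"   # TLS bytes, not HTTP

if __name__ == "__main__":
    for pkt in (PKT_SOCIAL, PKT_SYNC, PKT_HR, PKT_TLS):
        print(tag_event(pkt, "policy: outbound client request"))
```

The scoring is deliberately simple: a Host match outweighs a path match, which outweighs a User-Agent substring, so a detector that only knows a URL pattern (the filesync entry) still fires when the request goes to an unlisted CDN host. Non-HTTP payloads such as the TLS bytes fall straight through to None rather than being force-fitted to some application.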
Demo

Advanced Malware Protection

Advanced Malware Protection Deployment
A complete solution suite to protect the extended network:
- Dedicated Advanced Malware Protection (AMP) appliance
- Advanced Malware Protection for FirePOWER (NGIPS, NGFW)
- FireAMP for hosts, virtual and mobile devices

Advanced Malware Detection
A detection lattice considers content from each engine for real-time file disposition:
- One-to-One: signature-based, first line of defense
- Fuzzy Fingerprinting: algorithms identify polymorphic malware
- Machine Learning: analyzes 400+ attributes for unknown malware
- Advanced Analytics: combines data from the lattice with global trends
Cloud-based delivery results in better protection plus a lower storage and compute burden on the endpoint.

Retrospective Security: Always Watching, Never Forgets, Turns Back Time
- Continuous Analysis: retrospective detection of malware beyond the event horizon
- Trajectory: determine scope by tracking malware in motion and activity
- File Trajectory: visibility across the organization, centering on a given file
- Device Trajectory: deep visibility into file activity on a single system

Outbreak Control
Multiple ways to stop threats and eliminate root causes: simple and specific controls, or context-rich signatures for broader control.
- Simple Custom Detections: cloud and client based, fast and specific
- Advanced Custom Signatures: cloud and client based, cover families of malware
- Application Blocking Lists: group policy control
- Custom White Lists: trusted apps and images
- Device Flow Correlation / IP Blacklists: stop connections to bad sites
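The Advanced Malware Detection slide contrasts a one-to-one (exact signature) engine with fuzzy fingerprinting for polymorphic variants. The block below is an added example, not Cisco or Sourcefire code, and the fuzzy engine is a simplified stand-in (content-defined chunking plus Jaccard similarity) for whatever proprietary algorithm the slide refers to. It shows the practical point: one patched byte defeats the exact hash, while a similarity fingerprint still ties the variant to the known family. The "malware" sample is seeded random bytes, and the "polymorphic variant" is the same bytes with four patched positions and three inserted bytes; both are constructed.

```python
"""One-to-one hash lookup beside a fuzzy fingerprint (added illustration)."""
import hashlib
import random

WINDOW = 8            # bytes covered by each rolling-hash position
BOUNDARY_MASK = 0x3F  # cut when the low 6 bits are all set: ~1 cut per 64 bytes


def content_defined_chunks(data: bytes) -> list:
    """Split data at positions chosen by local content, so an edit only
    disturbs the chunks around it and later chunks re-synchronise."""
    chunks, start = [], 0
    for i in range(WINDOW, len(data) + 1):
        h = 0
        for b in data[i - WINDOW:i]:
            h = (h * 31 + b) & 0xFFFFFFFF
        if (h & BOUNDARY_MASK) == BOUNDARY_MASK:
            chunks.append(data[start:i])
            start = i
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def exact_hash(data: bytes) -> str:
    """The one-to-one engine: a plain SHA-256 lookup key."""
    return hashlib.sha256(data).hexdigest()


def fuzzy_fingerprint(data: bytes) -> frozenset:
    """Set of per-chunk digests; survives small edits to the file."""
    return frozenset(hashlib.sha256(c).hexdigest()[:16]
                     for c in content_defined_chunks(data))


def similarity(fp_a: frozenset, fp_b: frozenset) -> float:
    """Jaccard similarity of two fingerprints, in [0, 1]."""
    union = fp_a | fp_b
    return len(fp_a & fp_b) / len(union) if union else 1.0


def disposition(data: bytes, bad_hashes: set, bad_fingerprints: list,
                threshold: float = 0.5) -> tuple:
    """Combine the engines: exact match first, then nearest fuzzy match.
    Returns (verdict, engine, score)."""
    if exact_hash(data) in bad_hashes:
        return ("malicious", "one-to-one", 1.0)
    fp = fuzzy_fingerprint(data)
    best = max((similarity(fp, f) for f in bad_fingerprints), default=0.0)
    if best >= threshold:
        return ("malicious", "fuzzy", best)
    return ("unknown", None, best)


# Constructed samples: seeded random bytes stand in for a malware binary.
_rng = random.Random(7)
SAMPLE = bytes(_rng.randrange(256) for _ in range(4096))
_variant = bytearray(SAMPLE)
for _pos in (512, 1536, 2560, 3584):       # patch a few bytes
    _variant[_pos] ^= 0xFF
_variant[2048:2048] = b"\x00\x00\x00"      # insert padding, shifting the tail
VARIANT = bytes(_variant)
_rng2 = random.Random(99)
UNRELATED = bytes(_rng2.randrange(256) for _ in range(4096))

if __name__ == "__main__":
    bad, fps = {exact_hash(SAMPLE)}, [fuzzy_fingerprint(SAMPLE)]
    for name, blob in (("sample", SAMPLE), ("variant", VARIANT),
                       ("unrelated", UNRELATED)):
        print(name, disposition(blob, bad, fps))
```

Because chunk boundaries depend only on the surrounding eight bytes, the inserted padding shifts every later offset yet leaves almost every chunk digest unchanged, which is exactly the property a polymorphic-variant detector needs. The 0.5 threshold is an assumption for the example; a production engine would tune it against known false-positive rates.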
File Analysis: Fast and Safe File Forensics
- VRT-powered insight into advanced malware behavior
- Original file, network capture and screenshots of malware execution
- Understand root cause and remediation
[Figure: FireAMP and clients submit infected files (hashes 4E7E9331D2, 2190FD41CA, CFE2FC843F) to Sourcefire VRT Sandbox Analysis]
Advanced malware analysis without advanced investment.

Indicators of Compromise
- Big-data spotlight on systems at high risk for an active breach
- Automated compromise analysis and determination
- Prioritized list of compromised devices
- Quick links for quick root-cause analysis and remediation

Demo

Only Cisco Delivers
- Unmatched Visibility: global intelligence with context, across the network and data center
- Continuous Capability: point-in-time and continuous protection
- Advanced Threat Protection: detects and stops advanced threats
- Complexity Reduction: fits and adapts to changing business models wherever the threat manifests
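The Retrospective Security, Outbreak Control and Indicators of Compromise slides above describe one pipeline: record file and network activity continuously, apply a later verdict change to that stored history, reconstruct where a file went (file trajectory) and what happened on one system (device trajectory), and rank hosts for response. The block below is an added worked example of that pipeline over a constructed event log; it is not Cisco, Sourcefire or FireAMP code and does not model their data formats. Hostnames, hashes, paths and the scoring weights are all made up for the example, and 203.0.113.5 is a documentation (TEST-NET-3) address.

```python
"""Retrospective detection, trajectories and IoC triage (added illustration)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: str                          # ISO-8601 UTC, so string order is time order
    host: str
    action: str                      # "create", "execute" or "connect"
    sha256: Optional[str] = None     # file involved (None for network events)
    path: Optional[str] = None       # file path, or image of the connecting process
    parent: Optional[str] = None     # image of the process that performed the action
    dst: Optional[str] = None        # remote address for "connect"


# Constructed stand-ins for real digests.
BAD, DROPPED, BENIGN = "sha256:f00d01", "sha256:f00d02", "sha256:f00d03"
INVOICE = r"C:\Users\bob\Downloads\invoice.exe"
SVCHOST32 = r"C:\Users\bob\AppData\svchost32.exe"

# Constructed endpoint telemetry: the file was "unknown" when first seen.
EVENTS = [
    Event("2014-03-04T09:00:00Z", "ws-017", "create",  BAD,     INVOICE,   "outlook.exe"),
    Event("2014-03-04T09:01:00Z", "ws-017", "execute", BAD,     INVOICE,   "explorer.exe"),
    Event("2014-03-04T09:02:00Z", "ws-017", "create",  DROPPED, SVCHOST32, INVOICE),
    Event("2014-03-04T09:03:00Z", "ws-017", "connect", None,    SVCHOST32, None, "203.0.113.5"),
    Event("2014-03-04T09:10:00Z", "ws-042", "create",  BAD,     r"C:\Users\ann\invoice.exe", "explorer.exe"),
    Event("2014-03-04T09:11:00Z", "ws-042", "execute", BAD,     r"C:\Users\ann\invoice.exe", "explorer.exe"),
    Event("2014-03-04T09:30:00Z", "srv-db-01", "create", BENIGN, r"D:\reports\q1.pdf", "acrobat.exe"),
]
# A cloud verdict that arrives an hour after the activity it condemns.
VERDICTS = [("2014-03-04T10:00:00Z", BAD, "malicious")]
IP_BLACKLIST = {"203.0.113.5"}     # constructed "known bad site" list


def retrospective_alerts(events, verdicts):
    """For each hash newly judged malicious, every earlier event involving it:
    the detection is made after the fact, against stored history."""
    alerts = {}
    for vts, sha, disp in verdicts:
        if disp != "malicious":
            continue
        past = sorted((e for e in events if e.sha256 == sha and e.ts <= vts),
                      key=lambda e: e.ts)
        if past:
            alerts[sha] = past
    return alerts


def file_trajectory(events, sha):
    """Where one file went across the organisation, in time order."""
    return sorted((e for e in events if e.sha256 == sha), key=lambda e: (e.ts, e.host))


def device_trajectory(events, host):
    """Everything recorded on a single system, in time order."""
    return sorted((e for e in events if e.host == host), key=lambda e: e.ts)


def implicated_files(events, malicious_shas):
    """Files created by a process whose image is a known-malicious file on the
    same host: the dropped payloads a root-cause cleanup must also remove."""
    bad_images = {(e.host, e.path) for e in events
                  if e.sha256 in malicious_shas and e.action == "execute"}
    return {e.sha256 for e in events
            if e.action == "create" and (e.host, e.parent) in bad_images}


WEIGHTS = {"execute": 3, "create": 1, "connect_blacklisted": 2}   # assumed weights


def prioritize_hosts(events, malicious_shas, ip_blacklist=IP_BLACKLIST):
    """Rank hosts by evidence of compromise; hosts with no evidence are omitted."""
    implicated = set(malicious_shas) | implicated_files(events, malicious_shas)
    scores = defaultdict(int)
    for e in events:
        if e.sha256 in implicated and e.action in WEIGHTS:
            scores[e.host] += WEIGHTS[e.action]
        if e.action == "connect" and e.dst in ip_blacklist:
            scores[e.host] += WEIGHTS["connect_blacklisted"]
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for sha, past in retrospective_alerts(EVENTS, VERDICTS).items():
        print(sha, "seen on", sorted({e.host for e in past}), "before the verdict")
    for e in device_trajectory(EVENTS, "ws-017"):
        print(e.ts, e.action, e.path, "<-", e.parent)
    print(prioritize_hosts(EVENTS, {BAD}))
```

Two details carry the security point. First, nothing in `retrospective_alerts` inspects the file again: the verdict is applied to history already stored, which is only possible if that history was kept even while the file looked clean. Second, `implicated_files` follows process lineage on the same host, so the dropped second-stage binary is pulled into the scope of the response even though no verdict for it exists yet, and the host that also reached a blacklisted address ranks first.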