Cisco Presentation Demo - Intelligent Cuber Security for the Real World James Weathersby, Sr Manager, Security Engineers and Architects

Threat-Centric Security
James Weathersby
Sr Mgr, Cyber Security Engineers and Architects
The Security Problem
Changing
Business Models
Presentation_ID
Dynamic
Threat Landscape
Cisco and/or its affiliates. All rights reserved.
Complexity
and Fragmentation
Cisco Public
The Industrialization of Hacking
Sophisticated Attacks,
Complex Landscape
Hacking Becomes
an Industry
Phishing, Low
Sophistication
199
0
Viruses
199
5
1990–2000
Presentation_ID
200
0
Worms
200
5
2000–2005
Cisco and/or its affiliates. All rights reserved.
201
0
201
5
Spyware and
Rootkits
APTs
Cyberware
2005–Today
Today +
Cisco Public
202
0
‟ Would you do security differently if you knew you were
going to be compromised?
The New Security Model
Attack Continuum
BEFORE
DURING
AFTER
Discover
Enforce
Harden
Detect
Block
Defend
Scope
Contain
Remediate
Network
Endpoint
Mobile
Virtual
Cloud
Point in Time Continuous
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
The New Security Model
Attack Continuum
BEFORE
DURING
AFTER
Discover
Enforce
Harden
Detect
Block
Defend
Scope
Contain
Remediate
Firewall
Patch
Mgmt
IPS
IDS
AMD
App Control
Vuln Mgmt
Antivirus
FPC
Log Mgmt
VPN
IAM/NAC
Email/Web
Forensics
SIEM
Visibility and Context
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
Lessons of the Attack Continuum
Security Technologies have a Scope of
Application
Due to Scope, there can be no Silver
Bullet technologies
An advanced, modern approach to
security will share information and
capabilities across all phases of the
Attack Continuum
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
Strategic Imperatives
Visibility-Driven
Threat-Focused
Platform-Based
Network-Integrated,
Broad Sensor Base,
Context and
Automation
Continuous Advanced
Threat Protection,
Cloud-Based Security
Intelligence
Agile and Open
Platforms,
Built for Scale,
Consistent Control,
Management
Network
Presentation_ID
Endpoint
Mobile
Cisco and/or its affiliates. All rights reserved.
Virtual
Cloud
Cisco Public
Need Both Breadth and Depth
BREADTH
Network
Endpoint
Mobile
Virtual
Cloud
Who
What
Where
When
How
DEPTH
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
You Can’t Protect What You Can’t See
Application
Protocols
Users
NetFlow
Web
Applications
Files
Malware
Command
and Control
Servers
Services
Vulnerabilities
Operating
Systems
Processes
Network
Servers
Presentation_ID
Mobile
Devices
Routers and
Switches
Client
Applications
VoIP
Phones
Printers
Cisco and/or its affiliates. All rights reserved.
Virtual
Machines
Cisco Public
Network
Behavior
Threat-Focused
?
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
Detect, Understand, and Stop Threats
Collective Security
Intelligence
Who
Event History
What
?
Where
When
How
Threat
Identified
Context
ISE + Network, Appliances
(NGFW/NGIPS)
Presentation_ID
Recorded
Enforcement
AMP, CWS,
Appliances
Cisco and/or its affiliates. All rights reserved.
Cisco Public
Continuous Advanced Threat Protection
Collective Security
Intelligence
Who
Event History
What
Where
When
How
Context
Enforcement
Continuous Analysis
ISE + Network, Appliances
(NGFW/NGIPS)
AMP, CWS,
Appliances
AMP, Threat Defense
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
Today’s Security Appliances
WWW
Traditional
Firewall
Functions
Presentation_ID
VPN
Functions
ContextAware
Functions
Cisco and/or its affiliates. All rights reserved.
IPS
Functions
Cisco Public
Malware
Functions
Reduce Complexity and Increase Capability
Collective Security Intelligence
Centralized
Management
Appliances, Virtual
Network Control
Platform
Appliances, Virtual
Presentation_ID
Device Control
Platform
Host, Mobile, Virtual
Cisco and/or its affiliates. All rights reserved.
Cloud Services
Control Platform
Hosted
Cisco Public
Platform-Based Security Architecture
Common Security Policy and Management
Management
Security
Services and
Applications
Cisco Security Applications
Access
Context
Control
Awareness
Content
Inspection
Third Party Security Applications
Application
Threat
Visibility
Prevention
Common Security Policy & Management
Orchestration
Security
Services
Platform
Security
Management APIs
Cisco ONE
APIs
Physical Appliance
Platform
APIs
Virtual
Cloud
APIs
Infrastructure
Element
Layer
APIs
Device API – OnePK, OpenFlow, CLI
Cisco Networking Operating Systems (Enterprise, Data Center, Service Provider)
ASIC Data Plane
Presentation_ID
Cloud Intelligence
APIs
Route – Switch – Compute
Cisco and/or its affiliates. All rights reserved.
Software Data Plane
Cisco Public
Enforcement delivered from the Cloud
3M+
Collective
Security
Intelligence
Cloud web
security users
Telemetry Data
Threat Research
Advanced Analytics
6GB
Web traffic
examined,
Distributed
Enforcement
protected every
hour
75M
Unique hits every
hour
Cloud
Connected
Network
10M
Mobile
Presentation_ID
Router
Cisco and/or its affiliates. All rights reserved.
Firewall
Cisco Public
Blocks enforced
every hour
COMMON POLICY,
MANAGEMENT &
CONTEXT
NETWORK
ENFORCED
POLICY
Presentation_ID
APPLICATION
REPUTATION
COMMON
MANAGEMENT
ACCESS
FW
SITE
REPUTATION
SHARED
POLICY
IPS
VPN
MALWARE
ROLES BASED
CONTROLS
WEB
EMAIL
APPLIANCES ROUTERS SWITCHES WIRELESS VIRTUAL
Cisco and/or its affiliates. All rights reserved.
Cisco Public
VISIBILITY
ATTACKS
CONTROL
CLOUD-BASED
THREAT INTEL
& DEFENSE
Open Source to the Community: OpenAppID
What is Snort?
 Snort® is an open source network intrusion
prevention and detection system (IDS/IPS).
– Snort engine
– Snort rules language
 Created in 1998 by Martin Roesch, developed by
Sourcefire.
– Sourcefire was acquired by Cisco Systems on October 7th,
2013
 Snort combines the benefits of signature, protocol,
and anomaly-based inspection.
 Snort is the most widely deployed IDS/IPS
technology worldwide. With millions of downloads
and nearly 400,000 registered users, Snort has
become the de facto standard for IPS.
 See more at http://www.snort.org.
 Never designed to be application aware
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
The Application Problem
Volume
Closed
Isolation
There are more
With a closed
‘apps’ today than
approach, it’s hard
ever before; it’s an
for a network
impossible task for
security team to
any one vendor to
extend detection to
develop all
bespoke apps that
detections and keep
only exist within that
Without an open
approach
collaboration is
impossible.
Therefore the
sharing and
validation of
detection content is
stymied
pace with app
customers network
innovation
or geography
Little User Benefit From A Closed Approach
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
Open Source Security Philosophy
Community
Collaboration
Trust
Engage with users
and developers to
strengthen their
solutions
Build with the
community to solve
complex security
problems
Demonstrate
technical
excellence,
trustworthiness and
thought leadership
Complex Security Problems Solved Through Open Source
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
OpenAppID Overview
What is OpenAppID?
An open source application-focused detection language that enables
users to create, share and implement custom application detection.
Key Advantages
 New simple language to detect apps
 Reduces dependency on vendor release cycles
 Build custom detections for new or specific (ex. Geo-based) app-based threats
 Easily engage and strengthen detector solutions
 Application-specific detail with security events
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
Demo
Advanced Malware Protection
Advanced Malware Protection Deployment
Complete solution suite to protect the extended network
Dedicated Advanced Malware
Protection (AMP) appliance
Advanced Malware Protection
for FirePOWER (NGIPS, NGFW)
FireAMP for hosts, virtual
and mobile devices
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
Advanced Malware Detection
Detection lattice considers content from each engine
for real time file disposition
Fuzzy Fingerprinting
One-to-One
Algorithms identify
polymorphic malware
Signature-based,
1st line of defense
Advanced Analytics
Machine Learning
Analyzes 400+ attributes
for unknown malware
Combines data from
lattice with global trends
Cloud-based delivery results in better protection plus lower storage &
compute burden on endpoint
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
Retrospective Security
Always Watching… Never Forgets… Turns Back Time
 Continuous Analysis - Retrospective detection
of malware beyond the event horizon
 Trajectory – Determine scope by tracking
malware in motion and activity
 File Trajectory – Visibility across organization, centering on
a given file
 Device Trajectory – Deep visibility into file activity on a
single system
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
Outbreak Control
Multiple ways to stop threats and eliminate root causes
 Simple and specific controls, or
 Context rich signatures for broader control
Simple
Custom
Detections
Advanced
Custom
Signatures
Application
Blocking
Lists
Custom
White
Lists
Device Flow
Correlation /
IP Blacklists
Trusted
Apps &
Images
Stop
Connections
to Bad Sites
Cloud & Client Based
Cloud & Client Based
Fast
&
Specific
Presentation_ID
Families
Of
Malware
Group
Policy
Control
Cisco and/or its affiliates. All rights reserved.
Cisco Public
File Analysis
Fast and Safe File Forensics
 VRT powered insight into Advanced Malware behavior
 Original file, network capture and screen shots of malware execution
 Understand root cause and remediation
FireAMP &
Clients
File
Infect
File
Infect
4E7E9331D2
ed
File
2190FD41CA
Infect
4E7E9331D2
CFE2FC843F
ed
2190FD41CA
4E7E9331D2
File
CFE2FC843F
ed
2190FD41CA
File
CFE2FC843F
File
Sourcefire
VRT
Sandbox
Analysis
Advanced malware analysis without advanced investment
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
Indicators of Compromise
Big data spotlight on systems at high risk for an active breach
 Automated compromise analysis
& determination
 Prioritized list of compromised
devices
 Quick links for quick root cause
analysis and remediation
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
Demo
Only Cisco Delivers
Unmatched
Visibility
Continuous
Capability
Global
Intelligence
With Context
Point-in-Time
and Contiuous
Protection
Across the
Network and
Data Center
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Advanced
Threat
Protection
Complexity
Reduction
Detects and
Stops
Advanced
Threats
Cisco Public
Fits and
Adapts
to Changing
Business
Models
whereever the
Threat
Manifests