Mitigating Advance Threats Threat-Centric Security

Presentation on theme: "Mitigating Advance Threats Threat-Centric Security"— Presentation transcript:

1 Mitigating Advance Threats Threat-Centric Security
Cisco Live 2014, 6/17/2018
Don Fisher, Security CSE, CCIE #38758
Intro to Marty,

2 Session Objective
Provide a detailed review of today’s dynamic threat landscape and outline a threat-centric and operational security model that spans a range of attack vectors to address the full attack continuum – before, during, and after an attack.

3 Security Perspective
I don’t want to spend too much time talking about the evolution of the industry, but we need to have a bit of perspective. So when people ask, hey Leon, what are you working on at Cisco, what’s the big area of focus right now, this is it…

4 Evolution of Cyber Conflict
- 1980s, Manual Attacks (War Dialing, Phone Phreaking …) met by Manual Defenses (Unplug)
- 1988, Mechanized Attacks (Viruses, Worms …) met by Mechanized Defenses (Firewall, IDS/IPS)
- 2009, Talented Human / Mechanized Attackers (APT, Multi-Step Attacks …; Google, RSA …) met by Targeted Human / Mechanized Defenders (Reputation, App-aware Firewall)
- 2011, DIY Human / Mechanized Attackers (Cryptocurrency Ransoms, Store-bought Credentials …; Target, Neiman Marcus …) met by Intelligence Driven Human Defenders

5 The Problem is THREATS
Sure, there are others, compliance, but the nastiest, worst and most hurtful challenge the world is dealing

6 The Challenges Come from Every Direction
- Sophisticated Attackers
- Complicit Users
- Defenders
- Boardroom Engagement
- Dynamic Threats
- Complex Geopolitics
- Misaligned Policies

In a world of shifting security requirements and innovative solutions, we’re finding that misaligned security policies and procedures and complicit user behavior are exposing organizations to malicious actors. Security sophistication starts at the top and must align to a formal set of security principles.

7 A Threat-Centric and Operational Security Model
Attack Continuum:
- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Technologies mapped onto the continuum: Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM/NAC, IPS, Anti-Virus /Web, IDS, FPC, Forensics, AMD, Log Mgmt, SIEM. Foundation: Visibility and Context.

Let’s compare how today’s technologies map to the attack continuum. What is interesting is that you find that specific technologies address a specific phase of the continuum. Our goal is to bring innovative technologies, products and solutions to cover the entire attack continuum, across all potential attack vectors, and with technologies that operate not only at a point in time but also have a continuous capability and can automate steps in the process. And all of this needs to be based on a foundation of visibility and context. The more you can see and place into context, the more you can understand and protect. It is our awareness technologies and integration with the network fabric that enable us to see more so we can protect more. We can address the full attack continuum to provide the best security solutions in the market.

8 Cisco: Covering the Entire Continuum
Attack Continuum:
- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Cisco products placed on the continuum: ASA, VPN, NGIPS, Advanced Malware Protection, NGFW, Meraki, ESA/WSA, Cognitive, Secure Access + Identity Services, CWS, ThreatGRID, FireSIGHT & PXGrid, Services.

In closing, Cisco Security now has the industry’s most comprehensive advanced threat protection covering the entire attack continuum, and the industry’s broadest set of enforcement and remediation options at the attack vectors where threats manifest. The Cisco security product portfolio has specific platform-based solutions to solve your current problems, but they also integrate into an overall security system. They work together to provide protection throughout the attack continuum – before, during, and after an attack.

9 Visibility is the Foundation
- Breach: understand scope, contain & remediate
- Threat: focus on the threat – security is about detecting, understanding, and stopping threats
- Control: set policy to reduce surface area of attack
- Visibility: broad awareness for context
Supporting elements: Workflow (automation) Engine, APIs.

10 Visibility Must Be Pervasive
- Breach (AFTER): Scope, Contain, Remediate; products: AMP, ThreatGRID, CTA
- Threat (DURING): Detect, Block, Defend; products: NGIPS, ESA/WSA, Reputation
- Control (BEFORE): Control, Enforce, Harden; products: ASA, Meraki, NGFW, ISE, VPN, NAC
- Visibility: Discover, Monitor, Inventory, Map; sources: Network / Devices (FireSIGHT/PXGrid), Users / Applications (FireSIGHT/PXGrid/ISE), Files / Data (FireSIGHT/AMP)
Supporting elements: Workflow (automation) Engine, APIs.

11 Today’s Security Appliances
Functions converging onto one appliance (WWW): Context-Aware Functions, VPN Functions, IPS Functions, Traditional Firewall Functions, Malware Functions. Being platform-based.

The key question for most customers is where do you start? We believe it starts with what we’re delivering today – firewall, VPN, IPS, etc. – both in Cisco’s portfolio and in the industry – and move towards a converged model. In essence, move more towards integrated platforms and away from multiple and disparate point-product-only solutions. And this convergence is imperative because, as we mentioned earlier, in order to deal with today’s threat landscape and be able to scale, all while ensuring consistent control, you need to look at your security model holistically and gain control across the entire attack continuum, addressing security at every stage: before, during and after attacks. With functions all in silos that is a more challenging process, and one that has become both complex and difficult, if not impossible, to automate, all of which starts to create security gaps.

12 We must integrate more effectively to make more effective security solutions

13 Two Kinds of Integration
- Front-end integration: Most security technologies have information about the environment that they are defending but do not share it. Build a Visibility Architecture to collect information about the composition, configuration and change in the environment being defended.
- Back-end integration (the traditional integration model): Collect and centralize information about what’s happening to the environment and try to figure out what is happening.

14 Building a Visibility Architecture
Why?
- Automation
- Contextualization
- Anomaly Detection
- Event-driven Security
What visibility is important?

15 Types of Visibility
- Asset/Network: Network topology; Asset profiles (Address, Hardware platform/class, Operating System, Open Ports/Services, Vendor/Version of client or server software, Attributes, Vulnerabilities)
- User: Location, Access profile, Behaviors
- File/Data/Process: Motion, Execution, Metadata, Origination, Parent
- Security: Point-in-time events, Telemetry, Retrospection
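The slide lists visibility types without showing what they buy you. The added example below (not FireSIGHT code, and not from the presentation) shows the "contextualization" use of slide 14: the same detection fires against several hosts, and the asset profile (OS, open services, catalogued vulnerabilities) decides which alerts matter. Host addresses, the rule name and the vulnerability tag `VULN-CONSTRUCTED-SMB` are constructed for the demo.

```python
"""Contextualizing a detection event with asset visibility.

Added illustration, not FireSIGHT code. Hosts, events and the vulnerability
tags below are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class AssetProfile:
    """What passive discovery knows about one host (constructed records)."""
    address: str
    os: str
    open_ports: set[int] = field(default_factory=set)
    vulnerabilities: set[str] = field(default_factory=set)  # constructed tags, not real IDs


@dataclass
class DetectionEvent:
    """One IPS-style alert: which host was targeted and what the rule claims."""
    rule: str
    dst: str
    dst_port: int
    target_os: str   # OS family the detected exploit applies to
    exploits: str    # vulnerability tag the rule is written for


# Priority labels and their triage order (most urgent first).
UNKNOWN_HOST, VULNERABLE, EXPOSED, NOT_VULNERABLE = (
    "unknown host", "vulnerable", "exposed", "not vulnerable")
_ORDER = {VULNERABLE: 0, EXPOSED: 1, UNKNOWN_HOST: 2, NOT_VULNERABLE: 3}


def assess(ev: DetectionEvent, inventory: dict[str, AssetProfile]) -> str:
    """Rank an event by what the target's profile says about it.

    VULNERABLE: target runs the service and carries the matching vulnerability.
    EXPOSED: service reachable, but the vulnerability is not catalogued.
    NOT_VULNERABLE: port closed or OS mismatch, so noise for this target.
    UNKNOWN_HOST: no profile at all, which is a discovery gap to close.
    """
    host = inventory.get(ev.dst)
    if host is None:
        return UNKNOWN_HOST
    if ev.dst_port not in host.open_ports or host.os != ev.target_os:
        return NOT_VULNERABLE
    if ev.exploits in host.vulnerabilities:
        return VULNERABLE
    return EXPOSED


def triage(events: list[DetectionEvent],
           inventory: dict[str, AssetProfile]) -> list[tuple[str, str]]:
    """Return (target, priority) pairs, most urgent first."""
    ranked = [(ev.dst, assess(ev, inventory)) for ev in events]
    return sorted(ranked, key=lambda pair: _ORDER[pair[1]])


def demo() -> list[tuple[str, str]]:
    # Constructed inventory: two Windows servers and one Linux web host.
    inventory = {
        "10.0.0.5": AssetProfile("10.0.0.5", "windows", {445, 3389}, {"VULN-CONSTRUCTED-SMB"}),
        "10.0.0.6": AssetProfile("10.0.0.6", "windows", {445}, set()),
        "10.0.0.9": AssetProfile("10.0.0.9", "linux", {80, 443}, set()),
    }
    # Constructed events: one SMB rule fired against four targets, one never inventoried.
    events = [
        DetectionEvent("smb-exploit-attempt", "10.0.0.9", 445, "windows", "VULN-CONSTRUCTED-SMB"),
        DetectionEvent("smb-exploit-attempt", "10.0.0.42", 445, "windows", "VULN-CONSTRUCTED-SMB"),
        DetectionEvent("smb-exploit-attempt", "10.0.0.6", 445, "windows", "VULN-CONSTRUCTED-SMB"),
        DetectionEvent("smb-exploit-attempt", "10.0.0.5", 445, "windows", "VULN-CONSTRUCTED-SMB"),
    ]
    return triage(events, inventory)


if __name__ == "__main__":
    for target, priority in demo():
        print(f"{target:<12} {priority}")
```

Without the asset profile all four alerts look identical; with it, one is urgent, one needs a quick check, one reveals a host the inventory has never seen, and one can be deprioritised. That is the difference between a sensor that sees and a sensor that sees in context.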

16 Platform Exchange Grid – pxGrid
pxGrid: Context Sharing, Single Framework, Direct, Secured Interfaces. Before: “Let’s all share data via proprietary APIs!” … “That didn’t work so well!”
Each platform has something to share and something it needs:
- Talos: I have reputation info! I need threat data…
- I have application info! I need location & auth-group…
- I have sec events! I need reputation…
- I have NBAR info! I need identity…
- I have location! I need identity…
- I have NetFlow! I need entitlement…
- I have MDM info! I need location…
- I have threat data! I need reputation…
- I have app inventory info! I need posture…
- I have firewall logs! I need identity…
- I have identity & device-type! I need app inventory & vulnerability…

On the previous slide we outlined how broadly applicable ISE is as a context/control platform across IT infrastructure. This requires the ability to share and receive context from a lot of systems… simultaneously. So how are we (Cisco) going to execute on that? pxGrid.
Build 1: Illustrates that most every platform in the IT infrastructure has information to share, but also information it needs to do its job better.
Build 2: The way the industry typically has platforms interface is via APIs. But that is typically for sharing specific pieces of info with specific systems.
Builds 3 & 4: So having a bunch of systems integrate via disparate APIs is a non-starter in many-to-many platform integration like we’re talking about here.
Build 5: pxGrid, on the other hand, enables exactly this sort of many-to-many sharing. It is a single context exchange framework that enables platforms to adopt once and share with many. This is what we’ll use to enable the ISE ecosystem, but it can also be used for any pxGrid adopting platform to share with any other pxGrid adopting platform. And, importantly, pxGrid allows the platforms to customize what specific pieces of information they want to share and with which specific systems. Thus it can share XYZ with System 1 and ABC with System 2… simultaneously. (This is the “direct, secured interfaces”.)
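To make the "adopt once, share with many, but only with whom you choose" idea concrete, here is an added example of a context-exchange broker. It is not pxGrid code and says nothing about the real protocol; it only models the property the notes describe: a publisher registers a topic once and names the consumers allowed to read it, every allowed subscriber receives each record, and a consumer that was not granted access is refused and logged. Platform names, topic names and the sample records are constructed.

```python
"""Many-to-many context sharing with per-consumer grants.

Added illustration of the idea behind pxGrid; not pxGrid code. Platform
names, topics and the context records are constructed for the demo.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ContextGrid:
    """Publish-once / share-with-many broker with an explicit grant table."""
    grants: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))        # topic -> readers
    publishers: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))    # topic -> owners
    subscriptions: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set)) # consumer -> topics
    inbox: dict[str, list[dict]] = field(default_factory=lambda: defaultdict(list))      # consumer -> records
    denied: list[tuple[str, str]] = field(default_factory=list)                          # audit trail

    def register_publisher(self, platform: str, topic: str, share_with: set[str]) -> None:
        """The owner of a topic decides, once, which consumers may read it."""
        self.publishers[topic].add(platform)
        self.grants[topic] |= share_with

    def subscribe(self, platform: str, topic: str) -> bool:
        """A consumer may only subscribe to topics it was granted; refusals are logged."""
        if platform not in self.grants.get(topic, set()):
            self.denied.append((platform, topic))
            return False
        self.subscriptions[platform].add(topic)
        return True

    def publish(self, platform: str, topic: str, record: dict) -> list[str]:
        """Deliver one record to every granted subscriber; return who received it."""
        if platform not in self.publishers.get(topic, set()):
            raise PermissionError(f"{platform} is not a registered publisher of {topic}")
        delivered = []
        for consumer, topics in self.subscriptions.items():
            if topic in topics and consumer in self.grants[topic]:
                self.inbox[consumer].append({"topic": topic, "from": platform, **record})
                delivered.append(consumer)
        return sorted(delivered)


def build_demo() -> ContextGrid:
    """Constructed platforms: an identity service, a firewall, a SIEM and an MDM."""
    grid = ContextGrid()
    # Identity is shared with two consumers; firewall events go to the SIEM only.
    grid.register_publisher("identity-svc", "session/identity", {"firewall", "siem"})
    grid.register_publisher("firewall", "security/events", {"siem"})
    grid.subscribe("firewall", "session/identity")
    grid.subscribe("siem", "session/identity")
    grid.subscribe("siem", "security/events")
    grid.subscribe("mdm", "session/identity")   # never granted: refused and recorded
    return grid


def demo() -> dict[str, list[str]]:
    grid = build_demo()
    got_identity = grid.publish("identity-svc", "session/identity",
                                {"user": "alice", "device": "laptop-01", "auth_group": "staff"})
    got_events = grid.publish("firewall", "security/events",
                              {"src": "10.0.0.7", "action": "blocked"})
    return {"identity": got_identity, "events": got_events,
            "denied": [f"{p}:{t}" for p, t in grid.denied]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<9} {value}")
```

The point to take from the grant table is that the publisher, not the broker operator, scopes each topic, which is what lets one platform share XYZ with System 1 and ABC with System 2 without a bespoke API per pair. The `denied` list is worth keeping in any real implementation: a consumer repeatedly asking for context it was never granted is itself a signal.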

17 Cisco AMP

18 Cisco Advanced Malware Protection
Built on unmatched collective security intelligence
Cisco® Collective Security Intelligence Cloud:
- 1.6 million global sensors
- 180,000+ file samples per day
- 100 TB of data received per day
- AMP Community
- 150 million+ deployed endpoints
- 13 billion web requests
- Private/Public Threat Feeds
- 600+ engineers, technicians, and researchers
- 24x7x365 operations
- 40+ languages
- 35% worldwide traffic
- Automatic updates every 3-5 minutes to endpoints, web, networks and IPS devices (WWW)

So first, AMP is built on unmatched collective security intelligence. This intelligence is collected from Cisco’s Security Intelligence Operations and the Sourcefire Vulnerability Research team and then pushed from the cloud to the AMP client so that the user always has the latest threat intelligence. The intelligence available here is pretty impressive: on one hand you have Cisco’s Security Intelligence Operations, which monitors 35% of worldwide traffic and scans 100 terabytes of data per day in order to build a base of security intelligence. On the other hand, you have Sourcefire’s Vulnerability Research team, which evaluates file samples per day and leverages the collective intelligence of the FireAMP, Snort and ClamAV open source communities. This makes for an AMP solution that is truly built on big data.

19 AMP Threat Grid Feeds dynamic malware analysis and threat intelligence to the AMP solution
1. An analyst or system (API) submits a suspicious sample (low prevalence files) to Threat Grid.
2. An automated engine observes, deconstructs, and analyzes using multiple techniques: proprietary techniques for static and dynamic analysis, an “outside looking in” approach, 300+ behavioral indicators.
3. The AMP Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts (Sample and Artifact Intelligence Database; big data correlation).
4. Actionable threat content and intelligence is generated (threat score / behavioral indicators, threat feeds) that can be utilized by AMP, or packaged and integrated into a variety of existing systems or used independently.

AMP Threat Grid feeds dynamic malware analysis and threat intelligence to be utilized by the AMP solution for disposition lookups, sandboxing, and other dynamic analysis features. This slide is fully animated. No builds. Once the slide is on the screen, don’t click. It will run through the entire slide.

20 Cisco Advanced Malware Protection delivers…
- Point-in-Time Protection: File Reputation & Sandboxing
- Retrospective Security: Continuous Analysis

As earlier mentioned, there are two capabilities for delivered security: point-in-time and retrospection. The truth is you need both. Consider point-in-time a plan A. You’re going to spend time up front, targeting the assets of your environment, quantifying your areas of weakness; you’ll use tools like vulnerability assessment and management tools, you’ll use patch management, VPN firewalls, things like that. Even IPS, those are tools that you use for the point-in-time detection piece. When it comes to AMP specifically, you’re going to use file reputation, the ability to look at databases of files, in order to understand whether they are known to be malware, considered to be clean, or considered in the state of unknown for a period of time. And then you use other advanced technologies, but they’re still point-in-time. You’ll execute them in a sandbox, or have virtual execution so you can gain insight into how files behave, and use some of the outputs to determine whether we need to change our mind on a file. That leads to our continuous analysis. Most folks don’t have the ability, time or talent needed to take the output from virtual execution and other point-in-time tools to look at them with fresh intelligence every day. Retrospective security takes all of the input just mentioned, all of the relationships we have with businesses and our vulnerability data, and all of the work we do monitoring our security intelligence for insight, and looks over new events with fresh intelligence every few hours. We get to look at all the data continuously, with new insight, new intelligence, and the proper understanding. Retrospective security should be considered your plan B. It’s what happens when something gets through all of your point-in-time protection, because you’re always going to be dealing with less than 100% detection.

21 Delivers the first line of detection
All detection is less than 100%
Reputation Filtering and File Sandboxing: One-to-One Signature, Fuzzy Fingerprinting, Machine Learning, Advanced Analytics, Dynamic Analysis

A little further on Plan A, so you can understand some of the things you need to be leveraging for this malware issue. You’re going to have things that give you simple one-to-one signature-based matching; you’re going to want to catch the low-hanging fruit quickly, so that you don’t have to go hunting for signs of breach, or indications of breach. You’re going to be able to catch those things and move forward. But then there are other technologies that play into this space: multi-fingerprinting, which looks for families of malware; things like machine learning, which will look at how files execute and their behavior, and detects things like zero-day malware as it slides into your environment. And there are other point-in-time technologies that we could spend time to really dig into, advanced analytics, dynamic analysis, but consider them all point-in-time. They’re going to provide some value at a moment in time, but you need to be looking beyond that moment. All point-in-time detection is less than 100%.
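Slides 20 and 21 describe plan A (a point-in-time file reputation verdict) and plan B (retrospection: re-evaluating every past sighting when intelligence changes). The added example below, which is not AMP code and not from the presentation, implements the mechanism that makes plan B possible: keep the trajectory of every file sighting, including the ones judged clean or unknown, so that when a hash is later convicted you can immediately name every endpoint that saw it and the verdict it was given at the time. Hashes are computed from constructed byte strings, so nothing here is a real malware indicator.

```python
"""Point-in-time file reputation plus retrospective alerting.

Added illustration, not Cisco/AMP code. Hashes below are computed from
constructed byte strings so the sample is self-contained.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

CLEAN, MALICIOUS, UNKNOWN = "clean", "malicious", "unknown"


@dataclass
class FileEvent:
    endpoint: str
    sha256: str
    seen_at: int      # constructed event clock, not wall time
    disposition: str  # verdict at the moment the file was first seen


@dataclass
class RetrospectiveAlert:
    endpoint: str
    sha256: str
    seen_at: int
    old_disposition: str
    new_disposition: str


@dataclass
class FileReputation:
    """Plan A: point-in-time lookup. Plan B: replay history when intelligence changes."""
    known: dict[str, str] = field(default_factory=dict)   # sha256 -> disposition
    history: list[FileEvent] = field(default_factory=list)

    def lookup(self, sha256: str) -> str:
        # One-to-one hash match. Anything never catalogued is UNKNOWN, which is
        # a state to keep watching, not a pass.
        return self.known.get(sha256, UNKNOWN)

    def observe(self, endpoint: str, data: bytes, seen_at: int) -> FileEvent:
        """Record a sighting with the verdict available right now."""
        digest = hashlib.sha256(data).hexdigest()
        ev = FileEvent(endpoint, digest, seen_at, self.lookup(digest))
        self.history.append(ev)   # keep the trajectory even for clean verdicts
        return ev

    def update_intelligence(self, sha256: str, disposition: str) -> list[RetrospectiveAlert]:
        """Apply fresh intelligence and re-evaluate every past sighting.

        Returns one alert per sighting that happened under a weaker verdict, so
        the 'after' phase (scope, contain, remediate) starts from a concrete list.
        """
        previous = self.known.get(sha256, UNKNOWN)
        self.known[sha256] = disposition
        if disposition != MALICIOUS or previous == MALICIOUS:
            return []   # nothing new to say, or already convicted earlier
        return [
            RetrospectiveAlert(ev.endpoint, ev.sha256, ev.seen_at, ev.disposition, disposition)
            for ev in self.history
            if ev.sha256 == sha256 and ev.disposition != MALICIOUS
        ]


def demo() -> tuple[list[str], list[RetrospectiveAlert]]:
    """Constructed scenario: a file is unknown on day 1 and convicted on day 3."""
    rep = FileReputation()
    dropper = b"constructed sample: not real malware"
    installer = b"constructed sample: known-good installer"
    rep.known[hashlib.sha256(installer).hexdigest()] = CLEAN

    verdicts = [
        rep.observe("laptop-01", installer, seen_at=1).disposition,
        rep.observe("laptop-01", dropper, seen_at=1).disposition,
        rep.observe("server-07", dropper, seen_at=2).disposition,
    ]
    # Day 3: sandboxing or community intelligence convicts the file.
    alerts = rep.update_intelligence(hashlib.sha256(dropper).hexdigest(), MALICIOUS)
    return verdicts, alerts


if __name__ == "__main__":
    verdicts, alerts = demo()
    print("point-in-time verdicts:", verdicts)
    for a in alerts:
        print(f"retrospective: {a.endpoint} saw {a.sha256[:12]}… at t={a.seen_at} as {a.old_disposition}")
```

Two design points carry the whole idea. First, `observe` stores every sighting, not just the suspicious ones; retrospection is impossible if clean verdicts are discarded. Second, `update_intelligence` is idempotent for an already-convicted hash, so re-ingesting the same feed does not re-alert on the same endpoints.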

22 Integrated Threat Defense

23 Integrated Threat Defense Architecture Concept
CSI Cognitive Endpoint + AnyConnect Threat Environment User Environment Endpoint Mobile device & AnyConnect VPN NGIPS CWS Control Layer ESA VPN Data Center Environment Server Hypervisor WSA APIC / ISE Raw/Uninspected Traffic FireSIGHT Visibility Layer Telemetry/Eventing/Mgmt Streaming Telemetry Inspected Traffic

24 Integrated Threat Defense Architecture Concept
CSI Cognitive Endpoint + AMP & AnyConnect Threat Environment User Environment Endpoint + AMP Mobile device + AMP & AnyConnect VPN NGIPS + AMP CWS + AMP Control Layer ESA + AMP VPN Data Center Environment Server + AMP Hypervisor + AMP WSA + AMP APIC / ISE Raw/Uninspected Traffic FireSIGHT Visibility Layer Telemetry/Eventing/Mgmt Streaming Telemetry Inspected Traffic

25 Our fundamental job is to reduce complexity and increase capability
Challenges:
- None of this works if everything has to be there for any of it to work
- Each product must stand alone as the best in its class
- When Cisco products are brought together they gain capability through leveraging each other’s visibility and control mechanisms

26 Reduce Complexity and Increase Capability
Collective Security Intelligence; Centralized Management (Appliances, Virtual); Network Control Platform (Appliances, Virtual); Device Control Platform (Host, Mobile, Virtual); Cloud Services Control Platform (Hosted).

Today’s security is complex and fragmented. What we need is a model that reduces complexity, provides consistent controls and provides customers with flexibility and choice. We need a platform-based model that provides controls on the network, on devices, and in the cloud. Each platform should be extensible, allowing for additional security services to be delivered so that every time there is new innovation, you don’t have to implement another point product. Platforms need to be agile, open, and scale. They also need to support different form factors and deployment models to meet your changing infrastructure needs. What makes this work is centralized management that allows you to set unified policies. This simplified model, with centralized management, is a key driver for our current activities.

27 Collective Security Intelligence
Cisco Talos (Talos Security Intelligence and Research Group): Malware Protection, Reputation Feeds, Vulnerability Database Updates, IPS Rules, Sandboxing, Machine Learning, Big Data Infrastructure.
Sources: Private and Public Threat Feeds; Sandnets; File Samples (>1.1 Million per Day); FireAMP™ Community; Honeypots; Sourcefire AEGIS™ Program; Advanced Microsoft and Industry Disclosures; SPARK Program; Snort and ClamAV Open Source Communities.

28 Advanced Threat Protection
Only Cisco delivers:
- Unmatched Visibility: global intelligence with the right context
- Consistent Control: consistent policies across the network and data center
- Advanced Threat Protection: detects and stops advanced threats
- Complexity Reduction: fits and adapts to changing business models

The value Cisco brings customers through the New Security Model and the Strategic Imperatives of being visibility-driven, threat-focused and platform-based across the entire attack continuum is:
Unmatched Visibility. You will have access to the global intelligence you need with the right context to make informed decisions and take immediate action.
- Network as a sensor
- Contextual awareness
- Utilize global intelligence with big data analytics
- Open interfaces to visibility tools
Consistent Control. You can consistently enforce policies across the entire network and have the control you need to accelerate threat detection and response.
- Unified policy orchestration, language and enforcement
- Open interfaces to control platforms
- Extends from data center to cloud to end-point
Advanced Threat Protection. You will be able to detect, understand and protect against advanced malware/advanced persistent threats across the entire security continuum.
- Real-time threat analysis
- Retrospective threat analysis
Reduced Complexity. You can adapt to the changing dynamics of your business environment quickly, at scale and securely.
- Integrated security services platforms
- Unified management
- Automation
- Open ecosystem through APIs
- ACI fabric integration
- Managed Services

29 FireSIGHT Demo

