Behind the Curtain: Exposing Advanced Threats

Today's advanced threats hide in plain sight, patiently waiting to strike, challenging security teams to track their progress across their network and endpoints. Meanwhile, executive and board-level reporting requirements are increasing as leadership demands in-depth answers that are unavailable from today’s block/allow security tools. With 55% of organizations unable to identify the origin of their last security breach, it’s time to stop relying on tools that define security based on what they see ‘out there’ and instead hunt for threats by tracking files, file relationships, and both endpoint and network behavior ‘in here’—inside your environment. In the first part of this interactive session, learn how Cisco’s Advanced Malware Protection (AMP) solutions use big data analytics to compare a real-time, dynamic history of your environment to the global threat landscape, automatically uncovering and blocking advanced threats before they strike. Then watch workflow examples demonstrating how your security team can use this advanced visibility and control to dramatically improve their efficiency and finally deliver the business 100% confidence answers.

  1. Advanced Threat Solutions: EXPOSING ADVANCED THREATS (AMP). Sean Earhard, Advanced Threat Solutions CSE, seearhar@cisco.com / 647-988-4945. Jean-Paul Kerouanton, jkerouan@cisco.com / 647-929-5938.
  2. © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. HOW QUICKLY CAN YOUR TEAM—AND YOUR SECURITY VENDORS—DELIVER THE ANSWERS TO THESE QUESTIONS:
     • Where did it originate?
     • How did it succeed?
     • How many machines/users?
     • What is it doing now?
     • How can it be stopped?
     • With 100% confidence?
  3. 24 HOURS IN ENTERPRISE SECURITY (columns in the order labelled on the slide: 2016, 2015)
     Systems will successfully stop a threat: 72 | 32
     Systems will be found to be breached: 6 | 24
     Breached systems will have been breached for over a week: 1 | 3
     Deployed systems having vulnerable software: 48% | 28%
     More likely to be breached if a vulnerable application exists: 62% | 39%
     More likely to be breached if they have been breached in the past: 35% | 38%
  4. TYPICAL CYBERSECURITY WORKFLOW vs. TIME REQUIRED
     BLOCK: Protection fails. Today, 1.5M unique threats will be discovered – even 99.9% protection will fail 1,500 times. “How are we finding these failures in our environment?”
     RESPOND TO ALERTS: Security tools generate 100’s, even 1,000’s of alerts each day. Any one of those could be a breach in progress. “How do we know we’re responding to the right alerts?”
     INVESTIGATE INCIDENTS: When a cybersecurity incident impacts the business, the business needs answers: Where did it start? How did it succeed? How long have we been compromised? How many machines are impacted? How can it be stopped? “How long does it take us to answer these questions?”
     REIMAGE + RECOVER: Reimaging is not recovering. The average compromised machine remains undiscovered for 200+ days. “How long does it take us to find the rest of the machines compromised by the same attack?”
     IMPROVE DEFENSE: Reducing the attack surface means upgrading security policy – but the average organization manages 34-55 security tools. “How long does it take us to redefine security in all our tools?”
  5. 1. BLOCK
  6. Stay out!
  7. THE ATTACK CONTINUUM
     BEFORE: Discover, Enforce, Harden. DURING: Detect, Block, Defend. AFTER: Scope, Contain, Remediate. Each phase carries its own BUDGET and TIME.
     Tools spread across the continuum: Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM/NAC, IPS, Antivirus, Email/Web, IDS, FPC, Forensics, AMD, Log Mgmt, SIEM.
  8. BEFORE, DURING AND AFTER INACTION: antivirus, network, web and email each perform point-in-time threat inspection. The population of threats that gets past point-in-time inspection is 100% effective, 100% of the time.
  9. LEGACY SECURITY PRODUCTION MODEL (TODAY)
     1. mass sample collection (MALWARE SAMPLE #A4409K)
     2. prioritized sample processing (MALWARE ANALYSIS #A4409K)
     3. prioritized detection creation (SIGNATURE UPDATE #A4409K)
     4. signature payload distribution
  10. ATTACK FLOW EXAMPLE. 37% FALSE NEGATIVES ARE COUNTED AS SECURITY ‘WINS’.
     • Firefox user connects to http://www.downloaders.com and downloads an unknown .zip.
     • Two files are accessed when the .zip is opened: b260653178.exe and a PDF.
     • PDF Reader application is opened to read the PDF; Acrobat launches svchost.exe.
     • svchost.exe connects to http://192.168.1.12.
     • File #3 connects to 4 IP addresses, opens a dialog window and awaits response.
     • The last unknown file launches calc.exe, hollows the process and begins listening for remote connections.
     • Geolocates and then connects to a C&C server.
     • 3 files are downloaded but 2 are blocked by AMP; File #4 is downloaded.
     • AMP Cloud issues a retrospective block.
  11. WHAT IS GARTNER ADVISING ABOUT THIS?
  12. “65% of CEOs say their risk management approach is falling behind. In a new reality where security breaches come at a daily rate, we must move away from trying to achieve the impossible perfect protection and instead invest in detection and response. Organizations should move their investments from 90 percent prevention and 10 percent detection and response to a 60/40 split.” Peter Sondergaard, Senior VP and Global Head of Research, Gartner
  13. WHO IS THE TOP ‘DETECTION AND RESPONSE’ VENDOR?
  14. NSS LABS: BREACH DETECTION SYSTEMS
     • Over 5 billion discrete data elements
     • Hundreds of victim machines
     • Collection and analysis of Terabytes of logs
     • Hundreds of discrete samples used in current campaigns
     • Exploits, malware, and evasion testing was performed using regularly abused compromise mediums such as web and email—leveraging multiple common document types
     • Over 100 unique evasion mechanics were tested
     CISCO AMP RATED 99.2% EFFECTIVE. ONLY VENDOR TO BLOCK 100% OF EVASION TECHNIQUES. TOP VENDOR 2 YEARS IN A ROW.
  15. 2015 Gartner MQ for Intrusion Prevention Systems: “The Advanced Malware Protection (AMP) products provide a quicker path to adding advanced threat capabilities… competing well against stand-alone and established advanced persistent threat (APT) solution vendors.”
  16. THE CISCO RESPONSE
  17. AMP OVERVIEW
  18. Cisco Advanced Malware Protection: Built on Unmatched Collective Security Intelligence
     TALOS, the Cisco security and intelligence research group: 1.6 million global sensors; 100 TB of data received per day; 150 million+ deployed endpoints; 600 engineers, technicians, and researchers; 35% worldwide email traffic; 13 billion web requests; 24x7x365 operations; 4.3 billion web blocks per day; 40+ languages; 1.1 million incoming malware samples per day.
     Sources feeding the Cisco® Collective Security Intelligence Cloud: AMP Community; Private/Public Threat Feeds; Talos Security Intelligence; AMP Threat Grid Intelligence; AMP Threat Grid Dynamic Analysis (10 million files/month); Advanced Microsoft and Industry Disclosures; Snort and ClamAV Open Source Communities; AEGIS Program.
     Enforcement points receiving automatic updates in real time: Email, Endpoints, Web, Networks, IPS Devices, WWW.
     AMP Cloud counters: 3.5 BILLION SEARCHES TODAY (18.5B); 20.1 BILLION THREATS BLOCKED TODAY.
  19. AMP: CONTINUOUSLY RECORD ACTIVITY REGARDLESS OF DISPOSITION
  20. AMP CLOUD, PRIVATE CLOUD, AMP ThreatGrid
  21. AMP CLOUD: CONTINUOUS BACKGROUND ANALYSIS vs. SYSTEMIC RESPONSE; RETROSPECTIVE DETECTION
  22. Deployment map: HQ, STORE (POS), DATA CENTER and ENDPOINT sites each running AMP, with malware events shared between them. Components: AMP for Endpoints; AMP appliance (NGIPS) with FireSIGHT; Cisco Web; Cisco Email; ASA + FPS; AMP Cloud; ThreatGrid dynamic analysis; Talos security and intelligence research.
  23. AMP WORKFLOW IN ACTION
  24. AMP INFRASTRUCTURE. AMP architecture: Talos; AMP for Endpoint; FireSIGHT Management Center; AMP appliance (NGIPS); AMP ThreatGrid dynamic analysis. Shown beside the equivalent competitive architecture.
  25. BLOCK: Protection fails. Today, 1.5M unique threats will be discovered – even 99.9% protection will fail 1,500 times. “How are we finding these failures in our environment?”
  26. CONTINUOUS ANALYSIS AND RETROSPECTIVE SECURITY: AMP blocks threats, but it doesn’t stop there. AMP uses big data analytics to continuously analyze the history of endpoint and network behavior in your environment – uncovering advanced threats and rewinding history to block them.
  27. NETWORK: • Start with blocking: IP, IPS, files • Tracking files: good, unknown, bad • Unknown files = dynamic analysis • Retrospective events. ENDPOINT: • Tracking files • Tracking behavior • Blocking examples: IP, IoC, files • Dynamic analysis • Retrospective events.
  28. ATTACK FLOW vs. AMP (DETECTION by AMP FOR NETWORK and AMP FOR ENDPOINT). The same flow as slide 10, annotated with what fires at each step:
     • Firefox user connects to http://www.downloaders.com and downloads an unknown .zip. DEVICE TRAJECTORY TRIGGERED.
     • Two files are accessed when the .zip is opened: b260653178.exe and a PDF. FILE TRAJECTORY TRIGGERED; LOW PREVALENCE; THREATGRID DYNAMIC ANALYSIS TRIGGERED.
     • PDF Reader application is opened to read the PDF; Acrobat launches svchost.exe.
     • svchost.exe connects to http://192.168.1.12. SNORT RULE ANALYSIS TRIGGERED.
     • File #3 connects to 4 IP addresses, opens a dialog window and awaits response.
     • The last unknown file launches calc.exe, hollows the process and begins listening for remote connections. Low prevalence analysis delivers a retrospective block.
     • Tries to geolocate and then connect to a C&C server.
     • 3 files are downloaded but 2 are blocked by AMP; File #4 is downloaded. THREATGRID DYNAMIC ANALYSIS TRIGGERED.
     • AMP Cloud issues a retrospective block: RETROSPECTIVE BLOCK, SYSTEMIC BLOCK.
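Slides 19 through 28 describe one mechanism in several words: record every file execution regardless of its disposition at the time, send low-prevalence unknown files to dynamic analysis first, and when a verdict later flips to malicious, replay the recorded history to find the first victim, the spread, and the dwell time, then block everywhere. The Python below is an added illustration of that replay; it is not Cisco's or AMP's code. The telemetry, hostnames, hash placeholders and the prevalence threshold of two hosts are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FileEvent:
    """One recorded execution, with the disposition known at that moment."""
    ts: datetime
    host: str
    sha256: str
    parent: str        # process that launched the file
    disposition: str   # "clean" | "unknown" | "malicious" as returned at ts


# Constructed sample trajectory (assumption): hashes are placeholders, not indicators.
EVENTS = [
    FileEvent(datetime(2016, 3, 1, 9, 0),  "pos-01", "sha256:PLACEHOLDER-A", "firefox.exe",  "unknown"),
    FileEvent(datetime(2016, 3, 1, 9, 5),  "pos-01", "sha256:PLACEHOLDER-B", "acrord32.exe", "unknown"),
    FileEvent(datetime(2016, 3, 1, 9, 30), "hq-07",  "sha256:PLACEHOLDER-A", "outlook.exe",  "unknown"),
    FileEvent(datetime(2016, 3, 1, 10, 0), "dc-02",  "sha256:PLACEHOLDER-C", "services.exe", "clean"),
    FileEvent(datetime(2016, 3, 1, 10, 0), "hq-07",  "sha256:PLACEHOLDER-C", "services.exe", "clean"),
    FileEvent(datetime(2016, 3, 1, 10, 0), "pos-01", "sha256:PLACEHOLDER-C", "services.exe", "clean"),
]

# Constructed verdict changes that arrive later from cloud lookup or sandboxing.
VERDICT_UPDATES = [
    (datetime(2016, 3, 1, 11, 0), "sha256:PLACEHOLDER-A", "malicious"),
]


def low_prevalence(events, max_hosts=2):
    """Non-clean hashes seen on at most max_hosts hosts: the candidates that are
    submitted for dynamic analysis first (threshold is an assumption)."""
    hosts_by_hash = defaultdict(set)
    for e in events:
        if e.disposition != "clean":
            hosts_by_hash[e.sha256].add(e.host)
    return {h for h, hosts in hosts_by_hash.items() if len(hosts) <= max_hosts}


def retrospective_alerts(events, updates):
    """For each hash whose verdict flips to malicious, replay the recorded history
    and return the scope: patient zero, every host that ran it before the verdict
    changed, and how long it lived in the environment unnoticed."""
    by_hash = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_hash[e.sha256].append(e)

    alerts = {}
    for verdict_ts, sha, verdict in updates:
        if verdict != "malicious":
            continue
        # Only executions that happened while the file was still considered
        # clean or unknown are "missed" detections worth rewinding.
        prior = [e for e in by_hash.get(sha, [])
                 if e.ts <= verdict_ts and e.disposition != "malicious"]
        if not prior:
            continue
        first = prior[0]
        hosts = []
        for e in prior:
            if e.host not in hosts:
                hosts.append(e.host)      # preserves first-seen order
        alerts[sha] = {
            "verdict_at": verdict_ts,
            "patient_zero": (first.host, first.ts, first.parent),
            "hosts": hosts,
            "dwell_seconds": (verdict_ts - first.ts).total_seconds(),
        }
    return alerts


if __name__ == "__main__":
    print("submit for dynamic analysis:", sorted(low_prevalence(EVENTS)))
    for sha, a in retrospective_alerts(EVENTS, VERDICT_UPDATES).items():
        host, ts, parent = a["patient_zero"]
        print(f"{sha}: first ran on {host} at {ts} via {parent}; "
              f"spread to {a['hosts']}; dwell {a['dwell_seconds'] / 3600:.1f} h")
```

The point the deck makes on slide 19 is what makes the replay possible at all: because execution of PLACEHOLDER-A was recorded while its disposition was still "unknown", the verdict change at 11:00 can be applied backwards to both hosts without re-scanning anything. Without that record, the same verdict would only protect machines that try to run the file after 11:00.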
  29. 2. RESPOND TO ALERTS
  30. Workflow recap (slide 4): BLOCK and RESPOND TO ALERTS, with the questions “How are we finding these failures in our environment?” and “How do we know we’re responding to the right alerts?”
  31. CONTINUOUS ANALYSIS AND RETROSPECTIVE SECURITY (as on slide 26). THE POWER OF CONTEXT: In real time, AMP Appliances passively discover the environment they are protecting – mapping the vulnerabilities of each host. An attack leveraging an actual vulnerability of the target host is a true top alert.
  32. Workflow: Respond to Alerts • Alert overload example • Unfiltered: list of intrusion events • By impact: list of intrusion events • How? Passive discovery overview • Endpoint: vulnerable software
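Slides 31 and 32 contrast the unfiltered list of intrusion events with the same list sorted "by impact", where impact comes from correlating each event against what passive discovery learned about the target host. The Python below is an added example of that correlation, not Cisco's or FireSIGHT's code; the host inventory, rule metadata, SIDs, addresses and vulnerability ids are constructed placeholders, and the four-level scale is an assumption chosen to make the ranking visible.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Host:
    """What passive discovery learned about one host from observed traffic."""
    ip: str
    os_name: str
    services: dict                           # port -> product seen on that port
    vulns: set = field(default_factory=set)  # vulnerability ids inferred from versions


@dataclass
class Rule:
    """Metadata attached to an intrusion rule: what the detected exploit needs."""
    sid: int
    name: str
    target_product: str
    vulns: set


@dataclass
class IntrusionEvent:
    sid: int
    dst_ip: str
    dst_port: int


# Constructed inventory (assumption): addresses and vulnerability ids are placeholders.
HOSTS = {
    "10.0.1.10": Host("10.0.1.10", "Windows", {445: "smb", 80: "iis"}, {"VULN-PLACEHOLDER-1"}),
    "10.0.1.20": Host("10.0.1.20", "Linux", {80: "apache"}),
    "10.0.1.30": Host("10.0.1.30", "Windows", {445: "smb"}),
}

# Constructed rule metadata (assumption): these SIDs are not real Snort rules.
RULES = {
    1001: Rule(1001, "SMB exploit attempt (placeholder)", "smb", {"VULN-PLACEHOLDER-1"}),
    2002: Rule(2002, "IIS exploit attempt (placeholder)", "iis", {"VULN-PLACEHOLDER-2"}),
}

# Constructed, unprioritised event list as a sensor would raise it.
EVENTS = [
    IntrusionEvent(1001, "10.0.1.10", 445),
    IntrusionEvent(1001, "10.0.1.30", 445),
    IntrusionEvent(1001, "10.0.1.20", 445),
    IntrusionEvent(2002, "10.0.1.20", 80),
    IntrusionEvent(2002, "10.0.1.10", 80),
    IntrusionEvent(1001, "10.0.9.9", 445),
]

IMPACT_LABELS = {
    1: "vulnerable: target runs the product and carries the vulnerability",
    2: "potentially vulnerable: target runs the product, vulnerability not confirmed",
    3: "not vulnerable: target does not run the targeted product on that port",
    4: "unknown: target host was never discovered",
}


def impact(event, rules=RULES, hosts=HOSTS):
    """Score one event against the passive-discovery picture of its target."""
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4
    rule = rules[event.sid]
    if host.services.get(event.dst_port) != rule.target_product:
        return 3
    if rule.vulns & host.vulns:
        return 1
    return 2


def triage(events, rules=RULES, hosts=HOSTS):
    """Bucket events by impact so the queue is worked from level 1 downward."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[impact(ev, rules, hosts)].append(ev)
    return dict(buckets)


def impact_counts(events, rules=RULES, hosts=HOSTS):
    """How the unfiltered list collapses once context is applied."""
    return {level: len(evs) for level, evs in triage(events, rules, hosts).items()}


if __name__ == "__main__":
    for level, evs in sorted(triage(EVENTS).items()):
        print(f"impact {level} ({IMPACT_LABELS[level]}):")
        for ev in evs:
            print(f"  sid {ev.sid} -> {ev.dst_ip}:{ev.dst_port}")
```

Six raw events become one impact-1 alert, which is the "true top alert" of slide 31. The two impact-3 events are the cheap wins of this approach: a signature fired, but the exploit it detects cannot succeed against the software actually listening on that port. The impact-4 event is the case a practitioner should not discard, because an undiscovered host usually means a gap in sensor placement rather than a harmless target.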
  33. 3. INVESTIGATE INCIDENTS
  34. Workflow recap (slide 4): BLOCK, RESPOND TO ALERTS and INVESTIGATE INCIDENTS, with the questions “How are we finding these failures in our environment?”, “How do we know we’re responding to the right alerts?” and “How long does it take us to answer these questions?”
  35. CONTINUOUS ANALYSIS AND RETROSPECTIVE SECURITY and THE POWER OF CONTEXT (as on slide 31), plus VISIBILITY + CONTROL: Because AMP records the history of the environment, your team can quickly scroll back time to discover what happened.
     • Identify ‘patient zero’ – the first victim.
     • Determine the attack scope – how malware traversed the organization.
     • Contain the event, understanding all affected systems.
     • Remediate quickly, focusing on high-priority events and systems.
     • Prevent reinfection by identifying the root causes.
  36. Workflow: Investigate Incidents • Network • Endpoint
  37. 4. REIMAGE AND RECOVER
  38. Workflow recap (slide 4): BLOCK, RESPOND TO ALERTS, INVESTIGATE INCIDENTS and REIMAGE + RECOVER, adding the question “How long does it take us to find the rest of the machines compromised by the same attack?”
  39. The panels of slide 35, plus SYSTEMIC RESPONSE: AMP works through the cloud, enforcing security response everywhere it is installed. Before we can react to an alert, AMP is already blocking on the network, on endpoints – even laptops off our network – and on email and web.
  40. Systemic Response • Example. Move beyond blind reimaging: • Identify root cause (review) • Roll back time even after reimaging
  41. 5. IMPROVE DEFENSE
  42. Workflow recap (slide 4): all five stages, BLOCK through IMPROVE DEFENSE, adding the question “How long does it take us to redefine security in all our tools?”
  43. The panels of slide 39, plus customer quotes and SHARED SECURITY INTELLIGENCE.
     “AMP finds what our other tools miss”
     “We used to have to choose from 1,000’s of alerts…now we know the 4-6 critical alerts for our environment”
     “What used to take us 2 weeks or 2 months now takes us 2 minutes”
     “Instead of spending 4 hours each day chasing our tools, we’re blocking everywhere, automatically”
     “It would have taken 2 hours a day to do what’s being done automatically”
     SHARED SECURITY INTELLIGENCE: With AMP ThreatGrid, both Cisco industry partners and non-Cisco solutions can benefit from dynamic analysis executed by AMP, automatically improving your defense.
  44. Integration • How sharing threat intelligence works • Adding integration • Invitation to review your environment?
  45. THREATGRID (TG) shares the results of dynamic analysis (sandboxing) of your files, and threat intelligence feeds, with your existing security: • Firewall • IPS/IDS • Gateway/Proxy • Network Taps • SIEM • Log Management • Endpoint Security • Other tools
  46. NEXT STEPS: 1. “Cisco AMP” 2. Scoping Call 3. Custom Demo 4. POC. Sean Earhard, seearhar@cisco.com / 647-988-4945
