Amplify your Security (Demo)
Cisco Umbrella
We are starting shortly
Agenda
• Threats Landscape
• DNS Security
• Why Cisco Umbrella
• Cisco Umbrella Demo
• Security Integration with Meraki
• Q&A
Avoid being in the newspaper
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
DNS is used by every device on your network.
Where does Umbrella fit?
[Diagram: Malware, C2 Callbacks and Phishing shown against three locations. HQ: Sandbox, NGFW, Proxy, Netflow, AV. BRANCH: Router/UTM, AV. ROAMING: AV. Layer labels: First line; Network and endpoint; Network and endpoint; Endpoint.]
It all starts with DNS
– Port agnostic and used by all devices
– Precedes file execution and IP connection
– Malicious traffic and payloads never reach target
– Reduces alerts by 2-10X and improves SIEM
– Provision globally in under 30 minutes
Prevents connections before and during the attack
ENFORCEMENT
Command and control callback
– Malicious payload drop
– Encryption keys
– Updated instructions
Web- and email-based infection
– Malvertising / exploit kit
– Phishing / web link
– Watering hole compromise
Stop data exfiltration and ransomware encryption
How Cisco Umbrella Works
[Diagram labels: badguys.com, goodguys.com, Umbrella, Blocking Landing Page, Browsing Session]
Ease data sovereignty concerns
– Store data used for Umbrella reports in EU facility
– Use multi-org console for different storage settings for different locations
– EU data warehouse facility available
CLOUD PLATFORM
Global Network Built into the Fabric of the Internet
– ZERO added latency
– peer w/ top 500 ISPs & CDNs
– 2.5% worldwide activity
– globally-shared DNS cache
– 100% uptime since 2006
– 400+ Gbps capacity, protection & global fail-over
Our view of the internet
– 125B requests per day
– 15K enterprise customers
– 90M daily active users
– 160+ countries worldwide
Cisco’s Secure Internet Gateway Vision
Threat intelligence, cross-product analytics, APIs, and integrations
[Diagram labels: DNS-Layer; Proxy; App visibility and control*; Sandbox; 3rd-Party; New product*; CASB controls; File inspection; Inbound inspection*]
Leveraging Cisco’s global footprint
*Future
Ransomware example

Ransomware: mapping attacker infrastructure
[Figure: association graph. Edge labels: Domain IP Association, IP Sample Association, IP Network Association, IP Domain Association, WHOIS Association, Network IP Association]
*.7asel7[.]top (LOCKY)
Timeline labels: -26 DAYS, SEP 12, Umbrella AUG 17

[Figure: association graph. Edge labels: IP Domain Association, IP Sample Association, Domain IP Association, IP Network Association]
91.223.89.201, 185.101.218.206
600+ Threat Grid files
SHA256:0c9c328eb66672ef1b8 4475258b4999d6df008
*.7asel7[.]top (LOCKY)
AS 197569
1,000+ DGA domains
ccerberhhyed5frqa[.]8211fr[.]top (CERBER)

[Figure: association graph. Edge labels: Network Domain Association, DGA]
jbrktqnxklmuf[.]info (LOCKY, DGA)
mhrbuvcvhjakbisd[.]xyz (LOCKY, DGA)
Threat detected same day domain was registered.
Threat detected before domain was registered.
Timeline labels: -7 DAYS, JUL 21, Umbrella JUL 14; -26 DAYS, AUG 21, Umbrella JUL 18, JUL 22, -4 DAYS, DOMAIN REGISTERED
Visualizing attacker infrastructure
Cisco Umbrella & Meraki
Enterprise-wide deployment in minutes
[Diagram labels: ANY DEVICE ON NETWORK; ROAMING LAPTOP; BRANCH OFFICES]
On-network coverage
– With one setting change
– Integrated with Cisco ISR 4K series and Cisco WLAN controllers
Off-network coverage
– With AnyConnect VPN client integration
– Or with any VPN using lightweight Umbrella client
Q&A
Thank you for attending.
Cisco Umbrella Free Trial
What’s Next?


Pxosys Webinar Amplify your Security


Editor's notes

  1. Hello and good morning everyone. My name is Ruben Cocheno and I’m the Founder of PXOSYS a Digital Solutions Provider. I have with me as well Andy Hook from Cisco to answer any of your Questions during this Online Session. For the next 40 minutes, I will help you discover on how Cisco Umbrella can Amplify your Security across your Enterprise network from any device from anywhere and keep it safe.
  2. When it comes to the threat landscape, it’s important to take a look in the rearview mirror once in a while. As with driving, not only do you get a good look at what’s behind you, but you can often spot what’s coming up quick, set to overtake you. We’ve looked out for key stories from the last year or so, not just because they were big events, but because we think these threats, or similar ones, could very well appear in the near future. Take modular threats like Emotet and VPNFilter, for example. These are threats that can deliver an on-demand menu of attacks and threats, depending on which device is infected or the intended goal of the attacker. We saw plenty of such modular threats in recent history, and wouldn’t be surprised if we see more in the future. Email remains the darling delivery method of attackers, with threats from cryptomining to Emotet using it to spread. It’s also highly likely that other threats, such as unauthorized MDM profile, used it too. This highlights how critical it is to keep a close eye on what is coming in through your mailbox. What is the Modus operandi ? Revenue generation continues to be a primary motivation for attackers: malware follows the money. Cryptomining threats, for instance, are laser-focused on this goal. Meanwhile, Emotet has pivoted to a threat distribution network, capitalizing on a variety of options to make money.
  3. The worst nightmare of every customer, is showing up on the news for the wrong reasons. There multiple cases every single day, when the Press is full on recent breaches due Ransomware and other variants. This cause a chaos in stops organization for a few hours or even days, to calculate the full damage on the Business but also Brand that took years to build and maintain.
  4. When you think about why this is useful from a security perspective, DNS is fundamental to how the internet works and it’s used by every device on your network in order to connect to the internet. We’re trying to do something organizations are already doing. They’re already relying on something to handle their recursive DNS traffic, and it’s most likely to be their ISP. So with Umbrella, we’re going to do that plus add security. It turns out that this same mechanism that’s used in all these internet connections is really useful for uncovering where all this malicious activity is on the Internet and then blocking devices from going there. This data can be analyzed and turned into threat intelligence and, more importantly, enforced.
  5. Think about where you enforce security today. You probably have a range of products in your security stack to protect your network and endpoints, whether it’s at your corporate headquarters, branch offices, or on roaming endpoints, including firewalls, IDS, IPS, maybe proxies or sandboxing, AV on endpoints, email security, and the list goes on. When you deploy these solutions they can take time to implement. What we hear from customers is that despite the existing security products deployed, they are still dealing with too many malware infections and phishing attacks. There are many ways that malware can get in, which is why it’s important to have multiple layers of security. We’re 100% cloud security, hosted on the Internet. Security should start at the DNS layer. We’re not a replacement for other solutions but an additional layer that complements what you have already. And of course, you can block malware on your network and endpoints, but why wait until malware reaches the endpoint when you can block threats out on the Internet? If you consider how malware is often downloaded, how phishing attacks work and how malware exfiltrates data, it often happens on the Internet.
  6. Umbrella not only protects against initial infection; it also prevents command and control callbacks (aka C2 callbacks). So even if devices become infected in other ways, Umbrella blocks the communication to an attacker’s server, stopping data exfiltration or the download of ransomware encryption keys. C2 callbacks are blocked using the same DNS enforcement process described a moment ago. And in the event that the malicious payload is designed to bypass DNS and use a direct-to-IP connection, Umbrella goes beyond DNS to provide malicious IP blocking and enforcement.
  7. Do you have concerns about where your Cisco Umbrella logs are stored? With EU data sovereignty laws, storing EU-citizen data in a US-based data center can complicate things for EU companies. Cisco Umbrella now makes it easy for EU companies to store their log data in the EU. You now have the option to select an EU-based data center in Frankfurt, Germany for your Umbrella log data storage. With our multi-org console, you can also support both EU and US log storage: you can configure Umbrella to have child orgs point to either storage location.
  8. Now let’s talk a bit about the secret sauce that’s working behind the scenes for Umbrella. First is the Umbrella Global Network, which is truly built into the fabric of the Internet. Cisco peers with over 600 of the top ISPs and Content Delivery Networks to exchange BGP routes and ensure we’re routing requests efficiently and not adding any latency over regional DNS providers. There are over 30 data centers around the world, advertised through Anycast. We always publish/advertise the same IP addresses, which means we’re extremely robust in terms of performance. Cisco Umbrella has had 100% uptime of our network since it was first established in 2006, and we publish our system status on our website. And even as the Internet population grows, Umbrella has been handling roughly 2% of the world’s activity for the past 5 years, which is actually a huge percentage for a single provider. And it gives Umbrella the visibility into where attacks are being staged on the Internet. It handles DNS requests from about 85 million users every day.
  9. This shows Cisco’s vision and plan for building a secure internet gateway. At the bottom: connecting to the cloud. When you think about cloud solutions, the major challenge is how you get traffic and identity data to the cloud. We do a few things that are different from competitors. First, we use DNS, which makes it super simple to connect to the cloud. DNS is the first connection point to the cloud. Then on the top part, that’s our vision for cloud security. Now that security is moving to the cloud, we need to reimagine how the network security stack looks in the cloud. Cisco is building a security platform in the cloud that will allow customers to add even more security capabilities in the future. The dark blue circles are all things that are in play today: enforce security at the DNS layer to prevent connections to malicious domains and IPs at the earliest point; have a proxy that can do deeper inspection of risky traffic; inspect files from risky domains with file inspection and, in the near future, sandboxing for unknown files; have a bi-directional API that enables integrations with third parties; and, most recently, Cisco has been working on an integration with CloudLock. Today we’re looking at internet destinations and where employees are going. This could also be done for servers and IoT; the cloud is where we can apply the same technology for those types of use cases. Also, today we’re looking at outbound traffic to these destinations, but what if we could look at inbound traffic too? The service will continue to become richer, while at the same time remaining the easiest security product to deploy and manage.
  10. Let’s look now at a real-world example of a ransomware attack, and how Umbrella works to block the threat before it is launched.
  11. Let’s look now at a real-world example of a ransomware attack, and how Umbrella works to block the threat before it is launched. Leveraging our in-depth understanding of Internet infrastructure and statistical models, we are able to map and block attackers’ infrastructure before attackers use it to launch the attack. Details: We start the process with a domain that is already blocked by Umbrella based on our statistical models and is linked with Locky ransomware. Umbrella predictive intelligence blocked this domain 26 days earlier than the first submission by the community appeared on VT. As we have a very broad view of the Internet infrastructure, we can leverage this and see if we can find more IPs, domains, etc. that relate to Locky or other ransomware, leveraging various relationships that naturally exist in the Internet.
  12. The internet itself has many built-in relationships that we can leverage to quickly map attackers’ infrastructure. We start with one domain and get very quickly to 1000. Details: Domain to IP association: based on DNS information we learn that the domain resolves to two IP addresses. Both IPs are blocked. Let’s now see what domains are hosted on 185.101.218.206 via IP to Domain association → more than 1000 DGA-like domains linked with Cerber. It looks like Locky and Cerber share the infrastructure. Umbrella and AMP TG integration gives us IP-to-sample mapping → more than 600 samples clearly marked as Cerber ransomware. Focus on the 2nd IP, 91.223.89.201, and explore a new association: IP to Autonomous System (for simplicity we refer to an AS as a network). Every public IP belongs to a network, typically owned by an ISP or a large enterprise like Facebook or Google. The IP 91.223.89.201 belongs to network 197569, which is owned by Russian service provider ENERGOMONTAZH ltd. Let’s see what other domains within the network AS 197569 have been recently spotted by our algorithms.
  13. Our statistical models were able to identify and block 2 domains that were generated by a DGA algorithm several days before the domain had even been registered, thus eliminating the damage that could be done. This is especially critical for ransomware. Details: What we are doing now is looking at what other malicious domains have been recently spotted within this network range. Not very surprisingly, there are two additional domains which clearly look like they were generated with a DGA algorithm. Compare when Umbrella marked the domains as malicious vs. the first evidence available in VirusTotal. Both domains are related to Locky ransomware. The first domain was registered in July and immediately blocked using our DGA detection algorithm. The first evidence on VT was 7 days later. The 2nd domain highlights our predictive capabilities even more: 26 days earlier. Notice this domain was blocked 4 days before it was registered by the attacker. With predictive intelligence, malicious infrastructures can be blocked in advance to significantly cripple malware operations.
  14. The infrastructure and related findings can be visualized by OpenGraphiti, our 3D visualization tool. The cluster on the right-hand side is linked with IP 185.101.218.206, to which more than 600 samples classified as Cerber ransomware by AMP ThreatGrid connected during sandboxing. The cluster on the left shows hundreds of DGA-based domains related to Cerber ransomware. Domain generation algorithms (DGA) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers.
  15. Umbrella is one of the simplest solutions to deploy and manage. Because Umbrella is delivered from the cloud, there is no hardware to install or software to manually update, and the browser-based interface provides quick setup and ongoing management. Many customers deploy enterprise-wide in less than 30 minutes. On-network coverage: You can protect all devices on your network, even those you don’t own, by changing one setting in your network server, access point or router. All you have to do is point your DNS requests to the IP address for the Umbrella global network. Umbrella has pre-built integrations with many network devices, including the Cisco ISR 4K series and Cisco Wireless LAN controllers. Umbrella is integrated with the Cisco ISR 4K series to provide protection to branch office users, and with Cisco Wireless LAN to provide guest Wi-Fi and employee protection. Customers simply upgrade to the latest network device software and configure the connection via an Umbrella API. Off-network coverage: What about laptops connecting off network? If you use Cisco AnyConnect, simply enable the Umbrella roaming security module for protection anywhere, even when the VPN is off. Not a Cisco AnyConnect user? Our lightweight, standalone agent works with any VPN and has been proven in over a million deployments. Our roaming client is a virtual "bump-in-the-wire" for every internet connection. It is transparent to users and does not cause any latency or performance issues because the footprint is very small.
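The pivot walked through in notes 12 to 14 (seed domain to IPs, IPs to co-hosted domains, IPs to AS, then DGA-looking neighbours inside that AS) can be sketched as follows. This is an added example, not code from the deck or from Umbrella: the passive-DNS records, AS numbers, function names and the entropy/vowel heuristic are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed passive-DNS observations (domain, resolved IP); not real indicators.
PDNS = [
    ("seed-domain.example", "192.0.2.10"),
    ("seed-domain.example", "198.51.100.20"),
    ("xkqjzvwpahtr.example", "192.0.2.10"),
    ("qzpvmwxkyjbd.example", "192.0.2.10"),
    ("intranet-portal.example", "198.51.100.77"),
    ("wjxqkzvbnmpl.example", "198.51.100.99"),
    ("unrelated-shop.example", "203.0.113.5"),
]
# Constructed IP-to-AS mapping using documentation-range AS numbers.
IP_TO_ASN = {
    "192.0.2.10": 64496, "198.51.100.20": 64497, "198.51.100.77": 64497,
    "198.51.100.99": 64497, "203.0.113.5": 64500,
}

def looks_generated(domain, min_entropy=3.4, max_vowels=0.2):
    """Crude DGA-likeness test on the left-most label (assumed thresholds)."""
    label = domain.split(".")[0]
    counts = Counter(label)
    entropy = -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())
    vowels = sum(label.count(v) for v in "aeiou") / len(label)
    return entropy >= min_entropy and vowels <= max_vowels

def pivot(seed):
    """Expand one seed domain through domain->IP, IP->domain and IP->AS links."""
    by_domain, by_ip, by_asn = defaultdict(set), defaultdict(set), defaultdict(set)
    for domain, ip in PDNS:
        by_domain[domain].add(ip)
        by_ip[ip].add(domain)
        by_asn[IP_TO_ASN[ip]].add(domain)
    ips = by_domain[seed]
    cohosted = set().union(*(by_ip[ip] for ip in ips)) - {seed}
    asns = {IP_TO_ASN[ip] for ip in ips}
    neighbours = set().union(*(by_asn[a] for a in asns)) - cohosted - {seed}
    return {
        "ips": sorted(ips),
        "cohosted": sorted(cohosted),
        "asns": sorted(asns),
        "asn_suspects": sorted(d for d in neighbours if looks_generated(d)),
    }
```

Sharing an AS is weak evidence on its own, which is why the last step keeps only neighbours that also pass the DGA-likeness test; in the sample data the ordinary `intranet-portal.example` in the same AS is left out.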