Cisco Advanced Services
1 like3,243 views
The document discusses the state of cybersecurity based on Cisco's 2015 midyear security report. It covers transitions in the cybersecurity industry and within Cisco. It notes that adversaries are adapting quickly by constantly upgrading exploits and malware to evade detection. The document advocates for an integrated threat defense approach to keep pace with evolving attacks.
Cisco Advanced Services
- 1. 1© 2015 Cisco and/or its affiliates. All rights reserved. 16SEP15 Principal & Director, Cisco Security Advisory Cisco 2015 Midyear Security Report & Security Transitions… Cisco Brazil Security Week 2015 Brian J. Tillett, CCSK, CISSP
- 2. 2© 2015 Cisco and/or its affiliates. All rights reserved. • State of Cybersecurity (abridged) -2015 Cisco Midyear Security Report • Transitions across the Cybersecurity Industry • Transitions within Cisco Topics:
- 3. 3© 2015 Cisco and/or its affiliates. All rights reserved. Changes in Attack Behavior Speed Agility Adaptability Destruction
- 4. 4© 2015 Cisco and/or its affiliates. All rights reserved. Adversaries’ Agility is Their Strength Constant upgrades increased Angler penetration rate to 40% Twice as effective than other exploit kits in 2014 Compromised System Flash Vulnerabilities Retargeting Ransomware Angler Continually throwing different ‘hooks’ in the water to increase the chances of compromise EncryptedMalicious Payload Macros Social Engineering IP Changing Domain Shadowing More Being Developed Daily TTD Security Measures Web Blocking IP Blocking Retrospective Analysis Antivirus Endpoint SolutionsEmail Scanning
- 5. 5© 2015 Cisco and/or its affiliates. All rights reserved. Rombertik Malware evolves to not only steal data—if detected, it can destroy the targeted system. Destructive if Modified • Destroy master boot record • Render computer inoperable on restart Gain Access • Spam • Phishing • Social engineering Evade Detection • Write random data to memory 960 million times Extract User Data • Deliver user information back to adversaries Anti-Analysis Persistence Malicious Behavior
- 6. 6© 2015 Cisco and/or its affiliates. All rights reserved. Countries with higher block ratios have many Web servers and compromised hosts on networks within their borders. Russia 0.936 Japan 1.134 China 4.126 Hong Kong 6.255 France 4.197 Germany 1.277 Poland 1.421 Canada 0.863 U.S. 0.760 Brazil 1.135 Malware on a Global Scale Malicious actors do not respect country boundaries. Malware Traffic Expected Traffic
- 7. 7© 2015 Cisco and/or its affiliates. All rights reserved. Reducing Attack Surface & Window of Exposure
- 8. 8© 2015 Cisco and/or its affiliates. All rights reserved. The Dilemma Build Buy Be Left Behind
- 9. 9© 2015 Cisco and/or its affiliates. All rights reserved. Attackers Are Exploiting Point Solutions with Increasing Speed NGIPS Malware Sandbox IAM Antivirus IDS Firewall VPN Email NGFW Data
- 10. 10© 2015 Cisco and/or its affiliates. All rights reserved. Data Attackers Are Exploiting Point Solutions with Increasing Speed NGIPS Malware Sandbox IAM Antivirus IDS Firewall VPN Email NGFW Time to detection: 200 Days Ransomware Now targeting data Domain Shadowing On the rise Dridex 850 unique mutations identified first half 2015 SPAM Rombertik Evolves to evade and destroy Angler Constantly upgrading and innovating Malvertising Mutating to avoid detection
- 11. 11© 2015 Cisco and/or its affiliates. All rights reserved. Only an Integrated Threat Defense Can Keep Pace Data Systemic Response Control Visibility Context Intelligence Reduce time to detection to under 1 Hour
- 12. 2015 Midyear Security Report cisco.com/go/msr2015
- 13. • How does an enterprise measure security? • How to make security a competitive advantage; mission/ business enabler; and not stifle innovation/progress? • How do we get ahead of our adversaries? Ongoing Transitions within Cybersecurity:
- 14. Seatbelts Airbags Antivirus Firewalls Internet Volkswagen Intrusion Detection Antispyware Intrusion Prevention Heuristic Analysis Behavior Analysis System Integrity Access Control Data Loss Prevention Identity Control Sandboxing defense offense Traction Control Stability Control Antilock Braking System Back-up Camera Collision Avoidance Onboard Diagnostics GPS Lane Departure Warning Driving Assistant Connected Highways
- 15. 15© 2015 Cisco and/or its affiliates. All rights reserved. Ongoing Transitions within Cisco:
- 17. Cisco Confidential 17© 2014 Cisco and/or its affiliates. All rights reserved. Internet of Everything Security • IoE Value Chain Assessment • IoE Application Assessment • IoE Device Assessment Application Security • Secure Application Design • Application Assessment • Enterprise SDLC Mobile & Cloud Security • Mobile App & Device Assessment • Cloud Strategy & Architecture • Cloud Application Assessment Strategy, Risk, & Programs • IT Governance • Security Strategy & Policy • IT Risk Assessment • 3rd Party Risk Program • Security Program Development • Identity & Access Management • Incident Readiness & Response Compliance • PCI DSS & PA DSS Assessment • ISO 27001 / 27002 • HIPAA Infrastructure Security • Network Architecture Assessment • Red Team Exercises • Penetration Testing • Social Engineering • SOC Enablement Integration • Cisco Build Services • Security Readiness • Design, Development, Implementation • SOC Build & Integration Assessment • Test Plan Development & Execution • Device Assessment • Validation and Testing • Kick Start Deployment Optimization • Custom Reporting • Cross Integration • Performance Tuning • Optimization Service Remote Managed • Device Health & Welfare • Security Control Management • Security Event Monitoring • Collective Security Intelligence Active Threat Analytics • Advanced Threat Detection & Triage • Anomaly Detection • Customer-Specific Mitigation • Collective Security Intelligence Cisco Security Services Portfolio Optimization Migration Integration Program Strategy Architecture & Design Assessments Product Support Hosted Security Managed Security Managed Services Advisory Integration
- 18. Cisco Confidential 18© 2014 Cisco and/or its affiliates. All rights reserved. Core Security Service Areas Advisory Integration Managed Custom Threat Intelligence Strategy, Assessments, Incident Response Integration Services Security Optimization Services Active Threat Analytics Remote Managed Services & Operations
- 19. Cisco Confidential 19© 2014 Cisco and/or its affiliates. All rights reserved. Core Security Service Areas Advisory Integration Managed Custom Threat Intelligence Strategy, Assessments, Incident Response Integration Services Security Optimization Services Active Threat Analytics Remote Managed Services & Operations
- 20. Cisco Confidential 20© 2014 Cisco and/or its affiliates. All rights reserved. Integration Services Cisco delivers: Plan, Design, Implement Subject Matter Expertise Migration Optimization Services: • Cisco Build Services • Security Readiness • Security Design, Development, Implementation • Security Test Plan and Execution • Security Knowledge Transfer • Security Device Assessment • Security Validation and Testing • Security Kickstart Deployment • Security Custom Reporting • Security Cross Integration Implementation • Security Performance Tuning • Security Optimization Service
- 21. Cisco Confidential 21© 2014 Cisco and/or its affiliates. All rights reserved. Core Security Service Areas Advisory Integration Managed Custom Threat Intelligence Strategy, Assessments, Incident Response Integration Services Security Optimization Services Active Threat Analytics Remote Managed Services & Operations
- 22. Cisco Confidential 22© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Security Program Areas of Analysis
- 23. Cisco Confidential 23© 2014 Cisco and/or its affiliates. All rights reserved. 1 Initial 2 Repeatable 3 Defined 4 Managed 5 Optimized Level 1 – Initial (ad hoc processes) Level 2 – Repeatable (formal processes) Level 3 – Defined (pervasive processes) Level 4 – Managed (effective processes) Level 5 – Optimized (refined processes) • Immature or inconsistent policies and procedures • Various degrees of defined processes • Unpredictable or unstable environment • Inconsistent buy-in across the enterprise • Processes abandoned at time of crisis • Projects frequently exceed budget or are not fully completed • Insufficient measurement of risk • Business objective alignment is not established • Inconsistent use of technology • Undefined enterprise architecture model • Lack of strategic planning • Undefined roles and responsibilities • Minimal senior management involvement in IT risk management • Policies and procedures have been implemented • Project-specific processes are documented, practiced, and enforced • Unique reporting and measurement at project level • Processes followed during crisis • Compliance program being established • Adoption of technology standards • Target enterprise architecture model is defined • Enterprise architecture is being implemented at the component level • Governance approach is being formalized • Procurement based on specific requirements • Varied adherence to architecture standards • Defined roles and responsibilities for IT risk management organization • Senior management is educated on IT risk management • Responsibilities defined enterprise- wide • Enterprise-wide implementation of defined processes • Consistent reporting and defined measurement • Crisis predictable and minimized • Proactive exception management • Compliance program is effective • Enterprise standards leveraged for all projects • Target enterprise architecture model is implemented • Initial alignment with business processes • Acquisitions and purchases governed by enterprise architecture model • Qualitative measurement of performance • Senior management commitment • Measured effectiveness of IT risk organization • Processes are adaptable based on scope/risk • Defined metrics and measurement • Quantitative predictability of performance • Explicit adherence to standards across the enterprise • Pervasive deployment and integration of enterprise architecture model • Benefits of target architecture model are realized • Alignment with business objectives • Risk management used as an enabler to business processes • Planned IT acquisition and investment • Senior management involvement • Accountability for IT risk organization • Processes are continually improved • Measured and increased ROI • Decreased operating expenses • Process feedback incorporated • Business processes reengineered for efficiency and savings • Ability to perform risk modeling • Established business linkage • Risk management enablers provide an increase in top line revenue • No unplanned IT investment • Alignment with corporate strategic plan Cisco Security Capability Maturity Model
- 24. Cisco Confidential 24© 2014 Cisco and/or its affiliates. All rights reserved. Deliverable Graphic Examples: Current State vs. Target State (+full description report on gaps, deficiencies, and paths to overcome) Management Controls Operational Controls Technical Controls Security Governance Policy Management Compliance Management Risk Management Security Strategy Security Architecture Metrics and Measurement Patch Management Vulnerability Management Asset Management Security Monitoring Incident Management Continuity of Operations Identity and Access Management 3rd Party Management Systems Development Lifecycle Information Management Change Management Network Security Wireless Security Host Security Endpoint Security Application Security Data Security Database Security Management Controls Operational Controls Technical Controls Security Governance Policy Management Compliance Management Risk Management Security Strategy Security Architecture Metrics and Measurement Patch Management Vulnerability Management Asset Management Security Monitoring Incident Management Continuity of Operations Identity and Access Management 3rd Party Management Systems Development Lifecycle Information Management Change Management Network Security Wireless Security Host Security Endpoint Security Application Security Data Security Database Security Current State -‐ Example Target State -‐ Example
- 25. Cisco Confidential 25© 2013-2014 Cisco and/or its affiliates. All rights reserved. Joint SPA & NDSA Recommendation Prioritization Prioritization helps the Security Ops management to address the recommendations based on Criticality and Ease of implementation.
- 26. Cisco Confidential 26© 2013-2014 Cisco and/or its affiliates. All rights reserved. Intel Driven Incident Response Intelligence Powered by TalosTM Response Custom Tiers Remediation Post Breach 100 TB Intelligence 1.6M sensors 150 million+ endpoints 35% of email world wide FireAMP™, 3+ million 13B web requests Open Source Communities 180,000+ Files per Day 1B SBRS Queries per Day TALOS Research and Outreach Kill Chain Review Attack Vector Evaluation Threat Actor Landscaping Policy Review & Overhaul Application Penetration Testing Direct Access to Cisco’s Elite CCIEs Future Partnerships for Remediation - Microsoft - Red Hat - More… Rapid Response Incident Coordination & Investigation Breach Containment & Recovery Emergency Established IR Engagement Process Threat & Incident Reviews Rate Relief Readiness Proactive Threat Hunting Intel / IR / SOC Build-outs Custom Training Custom
- 27. Cisco Confidential 27© 2014 Cisco and/or its affiliates. All rights reserved. Custom Threat Intelligence Network Traffic Analysis (CTI) & Traditional Perimeter Protection • Know the “blind spots” • Utilize “zero day” attacks • Test against their copies of the latest detection/prevention technology to ensure not detected • Hardware modifications & firmware injection – visible only to traffic flows • Strive to make their exfiltration look like normal traffic • Use different exfiltration networks for each major target • Make compromises persistent • Implement “self delete” when discovered Need for comprehensive threat visibility 27 INSTRUMENT IDENTIFY REMEDIATE MEASURE
- 28. Cisco Confidential 28© 2014 Cisco and/or its affiliates. All rights reserved. Core Security Service Areas Advisory Integration Managed Custom Threat Intelligence Strategy, Assessments, Incident Response Integration Services Security Optimization Services Active Threat Analytics Remote Managed Services & Operations
- 29. Cisco Confidential 29© 2014 Cisco and/or its affiliates. All rights reserved. DMZUsers Malware Analysis Netflow Collector Identity Mgmt. Data Center Netflow Collector Identity Mgmt. Web Security Email Security Malware Analysis Netflow Collector Identity Mgmt. Talos ATA: A Comprehensive Threat Solution ASA with FIREPOWER Cisco Cloud Security Internet Mobile Endpoints Anywhere / Anytime Cisco Active Threat Analytics ThreatGRIDFirePower Full Packet Cognitive Malware Analysis Application Exhaust
- 30. Cisco Confidential 30© 2014 Cisco and/or its affiliates. All rights reserved. Use Case: Customer Statistics for Two-Week Timeframe Post-investigation incidents/tickets71 269,808 Security Events Unique events113,713 High fidelity events1710 207,99261,816Threat intel sourced Telemetry generated Roughly 20,000 Events/ day to 5 ranked & prioritized Incidents/day
- 31. Cisco Confidential 31© 2014 Cisco and/or its affiliates. All rights reserved. OpenSOC Framework Sources Data Collection Messaging Broker Real-Time Processing Storage Access Analytic Tools Tableau R / Python Power Pivot Web Services Search PCAP Reconstruction Telemetry Sources NetFlow Machine Exhaust HTTP Other Flume Agent B Agent N Agent A Kafka B Topic N Topic PCAP Topic DPI Topic A Topic Storm B Topology N Topology A Topology PCAP Topology DPI Topology Hive Raw Data ORC Elasticsearch Index HBase Packet Table PCAP Passive Tap Traffic Replicator
- 32. Cisco Confidential 32© 2014 Cisco and/or its affiliates. All rights reserved. https://github.com/OpenSOC
- 33. Thank you!