Blocking next-generation attacks with Cisco web security solutions
DESCRIPTION
This presentation is devoted to Cisco's web security solutions. It covers the following topics:
• Introduction to the new threats
• Proactive security mechanisms against 0-day attacks
• Physical, virtual and SaaS solutions for effective protection
• Retrospective analysis of attacks
TRANSCRIPT
C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cybersecurity techniques
Frédéric HER, Christophe SARRAZIN
Security Consultants, Southern Europe
The current problem
• New usages
• Constantly evolving threats
• Complexity & fragmentation
“A problem cannot be solved with the modes of thinking that produced it.”
The new security model: the Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Across Network, Endpoint, Mobile, Virtual and Cloud
Point in Time | Continuous
The evolution of threats
Threat | Response | Period
Viruses, worms | ENDPOINT SECURITY (AV) | 2000
Spyware / Rootkits | NETWORK PERIMETER (IDS/IPS) | 2005
APTs / Cyberwar | REPUTATION & SANDBOXING | 2010
Increased attack surface (Mobility & Cloud) | INTELLIGENCE & ANALYSIS | Today
Defending with intelligence: Cisco SIO
Questions that Cisco Security Intelligence Operations answers:
• Is the SMTP connection legitimate?
• Is the content malicious or unwanted?
• Are zombies talking to C&C servers?
• Hostile actions or deviant users?
• Malicious content on the workstation?
Inputs: Reputation, Signatures, Threat research, Domain registration, Content inspection, Spam traps, Honeypots, Crawlers, Blocklists & Reputation, Partnerships
Platform-specific Rules & Logic
The extended coverage of Cisco SIO
• 100 TB Security Intelligence
• 1.6M devices deployed
• 13B web requests
• 150,000 micro-applications
• 1,000 applications
• 93B messages
• 35% of enterprise email
• 5,500 IPS signatures
• 150M endpoints deployed
• 3-5 min updates
• 5B email connections
• 4.5B emails blocked
Reputation in action. New York Times: victim of an attack via an advertisement
• Apparently legitimate advertisement which in fact generates 3 redirections to web links
• Final destination: protection-check07.com
Fake anti-virus
A pop-up appears that simulates AV software and asks the user to buy software to clean the machine.
Web Reputation Score: -9.3
Default action: BLOCK
The NYT site itself is allowed, but the redirection to the malicious link is blocked.
Consolidation of attackers' servers: it is very important to know the reputation of these servers
http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html
Outbreak Intelligence: heuristic engines that complement signatures and reputation
A PDF file as the anti-virus sees it: Header, Body of Objects, Cross-Ref Table, Trailer
The anti-virus scans the file. We think we know the structure of a PDF file and what it should look like. According to the signatures, it is a clean file.
%PDF-1.4 (version)
%Comments
1 0 obj << /Type /Page >> endobj
2 0 obj << /Type /Action /S /JS >> endobj
xref
trailer
We know which things can be exploited, so the scanlets break the file down and analyse it, and the algorithms look for potential malicious exploitation.
After inspection we find:
• No English words
• Incorrect headers
• High proportion of JavaScript content
• Specific JavaScript
• “Exploitable” functions
• Other indicators
OI decides that this file is potentially dangerous.
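The indicator checks listed above, implemented as an added example (not Cisco's Outbreak Intelligence code): a toy scanlet that checks the header position, looks for English words, measures the share of objects carrying JavaScript and flags suspicious JavaScript function names. The thresholds, the function list and the two sample PDFs are constructed for illustration.

```python
import re

HEADER_RE = re.compile(rb"\A%PDF-1\.[0-7]")   # strict check: header must sit at offset 0
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
# Function names that often appear in malicious PDF JavaScript (illustrative list).
SUSPICIOUS_JS = (b"eval", b"unescape", b"util.printf", b"exportDataObject")
# Tiny stand-in for a real English dictionary.
ENGLISH_WORDS = {b"the", b"and", b"of", b"to", b"report", b"annual", b"company"}
JS_RATIO_THRESHOLD = 0.3   # share of objects carrying JavaScript; constructed value


def inspect_pdf(data: bytes) -> list:
    """Return the indicators found, in the spirit of the slide's scanlets."""
    findings = []
    if not HEADER_RE.match(data):
        findings.append("incorrect header")
    words = {w.lower() for w in re.findall(rb"[A-Za-z]{2,}", data)}
    if not words & ENGLISH_WORDS:
        findings.append("no English words")
    objects = OBJ_RE.findall(data)
    js_objects = [body for _n, _g, body in objects
                  if b"/JS" in body or b"/JavaScript" in body]
    if objects and len(js_objects) / len(objects) > JS_RATIO_THRESHOLD:
        findings.append("high proportion of JavaScript")
    for body in js_objects:
        for fn in SUSPICIOUS_JS:
            if fn in body:
                findings.append("exploitable function: " + fn.decode())
    return findings


def verdict(data: bytes, threshold: int = 2) -> str:
    """OI-style decision: enough independent indicators means potentially dangerous."""
    return "potentially dangerous" if len(inspect_pdf(data)) >= threshold else "clean"


# Constructed samples (not real malware): a normal document and a suspicious one.
CLEAN_PDF = (b"%PDF-1.4\n"
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [3 0 R] >> endobj\n"
             b"3 0 obj << /Type /Page /Contents (The annual report of the company) >> endobj\n"
             b"xref\ntrailer\n")
SUSPICIOUS_PDF = (b"\r\n%PDF-1.4\n"   # header not at offset 0
                  b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                  b"2 0 obj << /Type /Action /S /JavaScript /JS (eval(unescape('x'))) >> endobj\n"
                  b"xref\ntrailer\n")

if __name__ == "__main__":
    for name, pdf in (("clean", CLEAN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(name, verdict(pdf), inspect_pdf(pdf))
```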
Outbreak Intelligence versus Signature Detection
• This chart shows the daily share of threats blocked by OI and by traditional AV signatures
• In 2013, 22% of malware coming from the Internet was blocked by Cisco Outbreak Intelligence before signatures were available
[Chart: daily blocks, 2013, Signature vs Outbreak Intelligence™, January to December 2013, y-axis 0% to 100% (Source: Cisco Cloud Web Security)]
Cisco AMP
Cisco SIO + Sourcefire VRT: Collective security intelligence for the broadest visibility on the Internet
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600+ engineers, technicians, and researchers
• 35% worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 40+ languages
Intelligence sources:
• 180,000+ file samples per day
• FireAMP™ Community
• Advanced Microsoft and industry disclosures
• Snort and ClamAV open source communities
• Honeypots
• Sourcefire AEGIS™ Program
• Private and public threat feeds
• Dynamic analysis
Cisco® SIO + Sourcefire VRT® (Vulnerability Research Team) = Cisco Collective Security Intelligence, covering Email, Endpoints, Web, Networks, IPS and Devices
AMP: Reputation Filtering and Behavioral Detection
Underlying techniques as labelled on the slide: SHA-256; Sandboxing; Hash + details; Structural information (referenced DLLs, PE header); VRT correlation; AV; Network monitoring
Point-in-time Detection (Antivirus, Sandboxing): Initial Disposition = Clean, Actual Disposition = Bad = Too Late!! Analysis stops; blind to scope of compromise; not 100%. Evaded by sleep techniques, unknown protocols, encryption and polymorphism.
Retrospective Detection (Cisco-Sourcefire), analysis continues: Initial Disposition = Clean, Actual Disposition = Bad = Blocked. Turns back time; visibility and control are key; sees beyond the event horizon.
Retrospective Security: Always Watching… Never Forgets… Turns Back Time
• Continuous Analysis – Retrospective detection of malware beyond the event horizon
• Trajectory – Determine scope by tracking malware in motion and activity
• File Trajectory – Visibility across the organization, centering on a given file
• Device Trajectory – Deep visibility into file activity on a single system
File Trajectory (Network + Endpoint)
Looks ACROSS the organization and answers:
• What systems were infected?
• Who was infected first (“patient 0”) and when did it happen?
• What was the entry point?
• When did it happen?
• What else did it bring in?
Quickly understand the scope of the malware problem
An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox.
At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application.
The file is copied yet again to a fourth device (10.5.60.66) through the same SMB application a half hour later.
The Cisco Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
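The timeline above, replayed as an added example that is not Cisco's code: a minimal file-trajectory store keyed by SHA-256 that records each sighting, raises a retrospective event for every device once the verdict flips to malicious, and blocks the re-entry attempt. The timestamps, the sample file bytes and the API names are constructed; only the IP addresses come from the slide.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from hashlib import sha256


class FileTrajectory:
    """Tracks every sighting of a file hash so a later verdict can be applied retroactively."""

    def __init__(self):
        self.sightings = defaultdict(list)   # sha256 -> [(time, device, came_from, channel)]
        self.disposition = {}                # sha256 -> "unknown" | "clean" | "malicious"

    def check(self, digest, time, device, came_from, channel):
        """Point-in-time decision taken when the file is seen; unknown files are allowed."""
        if self.disposition.get(digest) == "malicious":
            return "blocked"
        self.disposition.setdefault(digest, "unknown")
        self.sightings[digest].append((time, device, came_from, channel))
        return "allowed"

    def set_disposition(self, digest, verdict):
        """Cloud intelligence learns a verdict; returns the retrospective events to raise."""
        self.disposition[digest] = verdict
        if verdict != "malicious":
            return []
        return [{"device": d, "first_seen": t, "action": "quarantine"}
                for t, d, _src, _ch in sorted(self.sightings[digest])]

    def patient_zero(self, digest):
        """Earliest sighting: which device, when, and through which entry point."""
        t, device, _src, channel = min(self.sightings[digest])
        return device, t, channel


def run_scenario():
    """Constructed replay of the slide's timeline (the IPs are the ones on the slide)."""
    digest = sha256(b"constructed sample, not a real malware file").hexdigest()
    t0 = datetime(2014, 4, 1, 10, 30)   # constructed time of the first download
    traj = FileTrajectory()
    traj.check(digest, t0, "10.4.10.183", "internet", "firefox download")
    traj.check(digest, datetime(2014, 4, 1, 10, 57), "10.5.11.8", "10.4.10.183", "file transfer")
    traj.check(digest, datetime(2014, 4, 1, 17, 57), "10.3.4.51", "10.5.11.8", "SMB")
    traj.check(digest, datetime(2014, 4, 1, 18, 27), "10.5.60.66", "10.3.4.51", "SMB")
    events = traj.set_disposition(digest, "malicious")   # the cloud now knows it is bad
    reentry = traj.check(digest, t0 + timedelta(hours=8), "10.4.10.183",
                         "internet", "firefox download")
    return {"quarantined": [e["device"] for e in events],
            "patient_zero": traj.patient_zero(digest),
            "reentry": reentry}


if __name__ == "__main__":
    print(run_scenario())
```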
Device Trajectory (Endpoint)
Looks DEEP into a device and helps answer:
• How did the threat get onto the system?
• How bad is my infection on a given device?
• What communications were made?
• What don’t I know?
• What is the chain of events?
AMP is context-aware
Data shows the bad and the good
Context helps you decide about the rest
The Power of Continuous Analysis
Point-in-time security sees a lighter, bullet, cufflink, pen & cigarette case…
Wouldn’t it be nice to know if you’re dealing with something more deadly?
File Analysis: Fast and Safe File Forensics
• VRT-powered insight into advanced malware behavior
• Original file, network capture and screen shots of malware execution
• Understand root cause and remediation
Infected file (File 4E7E9331D22190FD41CACFE2FC843F) sent by FireAMP & clients to the Cisco-Sourcefire VRT for sandbox analysis
Advanced malware analysis without advanced investment
File Extraction and Sandbox Execution
1) File Capture (from network traffic)
2) File Storage
3) Send to Sandbox
4) Execution Report, available in FireSIGHT Management
Labels on the diagram: Malware Alert!, Network Traffic, Collective Security Intelligence, Sandbox
FireAMP for Endpoints (AMP Cloud; Windows, Mac OS X, Android)
• Managed and deployed from the cloud
• File activity (Create/Edit/Move/Execute)
• One-to-One/Spero/Ethos
• Simple and advanced custom detections
• Retrospective alerting and quarantine
• Application control
• Network flow correlation
• Black/White lists
• Dynamic analysis
FirePOWER Services on the ASA
Components: FireSIGHT Management Console; ASA with Sourcefire sensor; endpoint connectors (Windows, Mac OS X, Android)
File disposition queried against the AMP Cloud (SHA-256, Spero); file submitted for dynamic analysis
Clouds: AMP Cloud; VRT Dynamic Analysis Cloud
AMP Everywhere
Endpoint: FireAMP
Network: FirePOWER, ASA (NGFW)
Gateway: ESA, WSA, CWS
Sandbox: Dynamic Analysis
Cloud connected: FireSIGHT Management, events / correlation
On-premises: FireAMP Private Cloud (appliance), Dynamic Analysis
Cisco has the most comprehensive strategy for Advanced Malware Protection.
NSS Labs breach detection systems security value map (April 2014)
https://www.nsslabs.com/reports/breach-detection-systems-bds-comparative-analysis-report
Cisco Email Security
The evolution of email threats
Past: HIGH VOLUMES, LOW $$ VALUE
Today: LOW VOLUMES, HIGH $$ VALUE
Tomorrow: ????
Threats plotted along this timeline: Spam, Worms, Slammer, Code Red, Image Spam, Virus alerts, Attachment-based, Custom URL, Botnets, Conficker, Phishing, Network Evasions, Polymorphic Code, Blended Threats, Advanced Persistent Threats, Stuxnet, Targeted Phishing, Covert, Sponsored Targeted Attacks, Targeted attacks
There is high volatility: back to more than 85% spam
http://www.senderbase.org/static/spam/#tab=1
Why reputation is fundamental: aggregation and correlation of billions of data points into a single score
The Cisco Email Security architecture
Management
Threat defence: Antivirus & Outbreak Filters, Antispam
Data security: Encryption, Data Loss Prevention
Inbound flow protection | Outbound flow control
Two-level anti-spam defence
Incoming mail: good, bad or unknown/suspicious
Good score: the mail is delivered
Intermediate score: throughput is rate-limited and the messages are sent to the anti-spam engine
• Block rate: > 99%
• False positives: < 1 in 1 million
Bad score: the TCP connection is blocked and the messages are never received on the network
Cisco Anti-Spam, IMS: What, When, Who, How, Where
Cisco® SIO
Two-level anti-virus defence
Virus Outbreak Filters advantage (http://www.senderbase.org):
• Average additional protection time: more than 13 h
• Total attacks blocked: 291
• Total incremental protection: more than 157 days/360
Virus Outbreak Filters (Cisco® SIO): virus filter, dynamic quarantine, zero-hour detection
Anti-virus engines: choice of engines
Securing URLs in emails with Outbreak Filters
Sample phishing email:
Information Update
Dear Mr. Paulo Roberto Borges,
We are contacting you in order to inform about a mandatory update of your personal data, which is being conducted after Bank A and Bank B merge. To begin the update, please click on the link and download the protection program.
Protection Module 3.0 (2011)
Best regards, Bank A
Before: http://www.threatlink.com
After: http://secure-web.cisco.com/auth=X&URL=www.threatlink.com
Securing URLs in emails with Outbreak Filters
Malware blocked: http://secure-web.cisco.com…
The requested web page has been blocked
http://www.threatlink.com
Cisco Email and Web Security protects your organization’s network from malicious software. Malware is designed to look like a legitimate email or website which accesses your computer, hides itself in your system, and damages files.
Cisco Security
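The rewrite shown on the two slides above (http://www.threatlink.com becoming a secure-web.cisco.com link that is checked when clicked), as an added example that is not Cisco's implementation: the rewritten link carries an HMAC token so the click-time gateway only honours links it produced itself, and the decision is taken against the reputation score current at click time. The query-string format, the secret, the thresholds and the reputation table are assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import quote, unquote, urlsplit

PROXY = "http://secure-web.cisco.com/"    # rewrite host shown on the slide
SECRET = b"constructed-demo-key"            # assumed gateway secret, not a real one
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _token(url: str) -> str:
    """Short HMAC tag binding the original URL to this gateway (assumed design)."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:16]


def rewrite_url(url: str) -> str:
    """Replace a link by a gateway link carrying the token and the original URL."""
    return "%s?auth=%s&URL=%s" % (PROXY, _token(url), quote(url, safe=""))


def rewrite_body(body: str) -> str:
    """Rewrite every http(s) link in a message body at delivery time."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)


def click_time_check(gateway_url: str, reputation: dict) -> str:
    """At click time: verify the token, then decide on the *current* reputation."""
    params = dict(p.split("=", 1) for p in urlsplit(gateway_url).query.split("&")
                  if "=" in p)
    target = unquote(params.get("URL", ""))
    if not hmac.compare_digest(params.get("auth", ""), _token(target)):
        return "blocked: invalid token"        # link was forged or tampered with
    score = reputation.get(urlsplit(target).hostname, 0.0)
    if score <= -6.0:                          # constructed thresholds on a -10..+10 scale
        return "blocked: malicious site"
    if score < 0.0:
        return "warn"
    return "allowed"


# Constructed data: the slide's phishing text with a link, and a reputation table.
MESSAGE = ("To begin the update, please click on the link and download the "
           "protection program: http://www.threatlink.com/update\nBest regards, Bank A")
REPUTATION = {"www.threatlink.com": -9.3, "www.example.com": 6.1}

if __name__ == "__main__":
    safe = rewrite_body(MESSAGE)
    link = URL_RE.search(safe).group(0)
    print(safe)
    print(click_time_check(link, REPUTATION))
```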
Outbreak Filters stop phishing and blended attacks
Advanced Malware Protection on ESA
Inspection pipeline, fed by Cisco® SIO, with the possible action at each stage:
• SenderBase Reputation Filtering: Drop
• Anti-Spam & Spoofing Prevention: Drop/Quarantine
• AV Scanning & Advanced Malware Protection: Drop/Quarantine
• Real-time URL Analysis: Quarantine/Re-write
Final outcomes: Deliver, Quarantine, Re-write URLs, Drop
3.5M emails blocked every day
Email Security - Cisco on Cisco
Emails delivered | Emails / mo | Emails / day | Emails / employee / day | %
Attempted | 124 M | 5.6 M | 73 |
Blocked | 77 M | 3.5 M | 46 | 63%
Delivered | 37 M | 1.7 M | 22 | 30%
Delivered, marked “Marketing” | 9 M | 0.4 M | 5 | 7%
ESA blocked emails (malware, spam) | Emails* / mo | Emails / day | Emails / employee / day | %
By reputation | 73 M | 3.3 M | 43 | 94%
By spam content | 4.3 M | 0.2 M | 3 | 5%
By invalid recipients | 0.4 M | 0.02 M | 0.25 | 1%
Why Cisco Email Security? Gartner Magic Quadrant, Email Security Gateways, 2013
The Magic Quadrant is copyrighted 2013 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Cisco.
Cisco Web Security
The Cisco Web Security architecture
Cisco Security Intelligence Operations (SIO)
Components: URL filtering; Application Visibility and Control (AVC); Data Loss Prevention (DLP)*; Layer 4 Traffic Monitor (on-premise); Anti-Malware defence
PROTECTION and CONTROL, with centralised management & reporting
Outcomes for a WWW request: Allow, Limited access, Block
*Third-party DLP integration available on-premises
Layer 4 Traffic Monitor: detecting already-infected hosts
Placed between the users and the Internet, the Cisco WSA performs network layer analysis (packet and header inspection).
Automatic anti-malware rules block malicious traffic:
• Scans all ports and protocols
• Detects malware that bypasses port 80
• Prevents zombies from communicating with their command-and-control server
• Automatic updates
• Real-time lists of malicious servers and IP addresses
Available on WSA and on ASA as the “Botnet Traffic Filter”
Three-level anti-malware defence
Requested URLs are scored by Cisco® SIO:
Good score: the site is displayed without being scanned
Intermediate score: the sites are scanned by one or more engines (Cisco anti-malware engine, plus FILE REPUTATION (AMP))
Bad score: the site is BLOCKED
SSL decryption based on category or reputation
Real-time anti-malware scanning: Dynamic Vectoring & Streaming
HEURISTIC AND SIGNATURE-BASED ANALYSIS
• Intelligent multi-scanning
• Multiple signature databases
• Decrypts SSL traffic when necessary
• Streaming-mode scanning to avoid latency problems
• Automatic updates
Anti-malware scanning: parallel scans, streaming-mode scanning, multiple anti-malware engines
Heuristic detection identifies unusual behaviour
Signature-based inspection recognises known threats
Advanced Malware Protection on WSA
At time of request (with Cisco® SIO): URL Filtering, Reputation Filter, Dynamic Content Analysis (DCA); each stage can Block, and the request is otherwise Allowed, Warned or Partially Blocked
At time of response: Signature-based Anti-Malware Engines, Advanced Malware Protection; each stage can Block
6.5M malicious sites blocked every day
Web Security Appliance – Cisco on Cisco
Malware blocked in one day:
• 441K – Trojan Horse
• 61K – Other Malware
• 29K – Encrypted Files (monitored)
• 16.4K – Adware Messages
• 1K – Trojan Downloaders
• 55 – Phishing URLs
• 22 – Commercial System Monitors
• 5 – Worms
• 3 – Dialers
Cisco web traffic stats:
• 330-360M web visits/day
• 6-7M (2%) blocked
WSA blocked transactions:
• 93.5% – Web Reputation
• 4.5% – URL Category
• 2% – Anti-Malware
Why Cisco Web Security? Gartner Magic Quadrant, Web Security Gateways, 2013