cisco advanced services
TRANSCRIPT
1 © 2015 Cisco and/or its affiliates. All rights reserved.
16SEP15 Principal & Director, Cisco Security Advisory
Cisco 2015 Midyear Security Report & Security Transitions… Cisco Brazil Security Week 2015
Brian J. Tillett, CCSK, CISSP
2 © 2015 Cisco and/or its affiliates. All rights reserved.
• State of Cybersecurity (abridged) -2015 Cisco Midyear Security Report
• Transitions across the Cybersecurity Industry
• Transitions within Cisco
Topics:
3 © 2015 Cisco and/or its affiliates. All rights reserved.
Changes in Attack Behavior
Speed Agility Adaptability Destruction
4 © 2015 Cisco and/or its affiliates. All rights reserved.
Adversaries’ Agility is Their Strength
Constant upgrades increased Angler penetration rate to 40% Twice as effective than other exploit kits in 2014
Compromised System
Flash Vulnerabilities
Retargeting
Ransomware
Angler Continually throwing different
‘hooks’ in the water to increase the chances of compromise
Encrypted Malicious Payload Macros Social
Engineering
IP Changing Domain Shadowing
More Being
Developed
Daily
TTD
Security Measures Web Blocking IP Blocking Retrospective Analysis Antivirus Endpoint Solutions Email Scanning
5 © 2015 Cisco and/or its affiliates. All rights reserved.
Rombertik Malware evolves to not only steal data—if detected, it can destroy the targeted system.
Destructive if Modified • Destroy master
boot record • Render computer
inoperable on restart
Gain Access • Spam • Phishing • Social engineering
Evade Detection • Write random data to
memory 960 million times
Extract User Data • Deliver user information
back to adversaries
Anti-Analysis Persistence Malicious Behavior
6 © 2015 Cisco and/or its affiliates. All rights reserved.
Countries with higher block ratios have many Web servers and compromised hosts on networks within their borders.
Russia 0.936
Japan 1.134 China 4.126 Hong Kong 6.255
France 4.197 Germany 1.277
Poland 1.421 Canada 0.863
U.S. 0.760
Brazil 1.135
Malware on a Global Scale Malicious actors do not respect country boundaries. Malware Traffic
Expected Traffic
7 © 2015 Cisco and/or its affiliates. All rights reserved.
Reducing Attack Surface & Window of Exposure
9 © 2015 Cisco and/or its affiliates. All rights reserved.
Attackers Are Exploiting Point Solutions with Increasing Speed
NGIPS
Malware Sandbox
IAM
Antivirus
IDS Firewall
VPN
NGFW
Data
10 © 2015 Cisco and/or its affiliates. All rights reserved.
Data
Attackers Are Exploiting Point Solutions with Increasing Speed
NGIPS
Malware Sandbox
IAM
Antivirus
IDS Firewall
VPN
NGFW
Time to detection:
200 Days
RansomwareNow targeting data
DomainShadowingOn the rise
Dridex850 unique mutations
identified first half 2015
SPAM
RombertikEvolves to evadeand destroy
AnglerConstantly upgradingand innovating
MalvertisingMutating to avoid detection
11 © 2015 Cisco and/or its affiliates. All rights reserved.
Only an Integrated Threat Defense Can Keep Pace
Data
Systemic Response
Con
trol
Visibility Context Intelligence
Reduce time to detection to under
1 Hour
• How does an enterprise measure security?
• How to make security a competitive advantage; mission/business enabler; and not stifle innovation/progress?
• How do we get ahead of our adversaries?
Ongoing Transitions within Cybersecurity:
Seatbelts
Airbags
Antivirus
Firewalls
Internet Volkswagen
Intrusion Detection
Antispyware
Intrusion Prevention
Heuristic Analysis
Behavior Analysis
System Integrity
Access Control
Data Loss Prevention
Identity Control
Sandboxing
defense
offense
Traction Control
Stability Control
Antilock Braking System
Back-up Camera
Collision Avoidance
Onboard Diagnostics
GPS
Lane Departure Warning
Driving Assistant
Connected Highways
Momentum in
Sourcefire Acquisition
Security
Cognitive Acquisition
Cisco Security Advisory
AMP Everywhere & FirePOWER
ThreatGRID Acquisition
Active Threat Analytics
OpenDNS
Cisco Confidential 17 © 2014 Cisco and/or its affiliates. All rights reserved.
Internet of Everything Security • IoE Value Chain Assessment • IoE Application Assessment • IoE Device Assessment Application Security • Secure Application Design • Application Assessment • Enterprise SDLC Mobile & Cloud Security • Mobile App & Device Assessment • Cloud Strategy & Architecture • Cloud Application Assessment Strategy, Risk, & Programs • IT Governance • Security Strategy & Policy • IT Risk Assessment • 3rd Party Risk Program • Security Program Development • Identity & Access Management • Incident Readiness & Response Compliance • PCI DSS & PA DSS Assessment • ISO 27001 / 27002 • HIPAA
Infrastructure Security • Network Architecture Assessment • Red Team Exercises • Penetration Testing • Social Engineering • SOC Enablement
Integration • Cisco Build Services • Security Readiness • Design, Development,
Implementation • SOC Build & Integration Assessment • Test Plan Development &
Execution • Device Assessment • Validation and Testing • Kick Start Deployment Optimization • Custom Reporting • Cross Integration • Performance Tuning • Optimization Service
Remote Managed • Device Health & Welfare • Security Control Management • Security Event Monitoring • Collective Security Intelligence
Active Threat Analytics • Advanced Threat Detection &
Triage • Anomaly Detection • Customer-Specific Mitigation • Collective Security Intelligence
Cisco Security Services Portfolio
Optimization
Migration
Integration
Program Strategy
Architecture & Design
Assessments
Product Support Hosted Security Managed Security
ManagedServices
Advisory Integration
Cisco Confidential 18 © 2014 Cisco and/or its affiliates. All rights reserved.
Core Security Service Areas
Advisory Integration
Managed
Custom Threat Intelligence
Strategy, Assessments, Incident Response
Integration Services
Security Optimization Services
Active Threat Analytics
Remote Managed Services & Operations
Cisco Confidential 19 © 2014 Cisco and/or its affiliates. All rights reserved.
Core Security Service Areas
Advisory Integration
Managed
Custom Threat Intelligence
Strategy, Assessments, Incident Response
Integration Services
Security Optimization Services
Active Threat Analytics
Remote Managed Services & Operations
Cisco Confidential 20 © 2014 Cisco and/or its affiliates. All rights reserved.
Integration Services Cisco delivers:
Plan, Design, Implement
Subject Matter Expertise Migration Optimization
Services:
• Cisco Build Services • Security Readiness • Security Design, Development,
Implementation • Security Test Plan and Execution • Security Knowledge Transfer • Security Device Assessment
• Security Validation and Testing • Security Kickstart Deployment • Security Custom Reporting • Security Cross Integration
Implementation • Security Performance Tuning • Security Optimization Service
Cisco Confidential 21 © 2014 Cisco and/or its affiliates. All rights reserved.
Core Security Service Areas
Advisory Integration
Managed
Custom Threat Intelligence
Strategy, Assessments, Incident Response
Integration Services
Security Optimization Services
Active Threat Analytics
Remote Managed Services & Operations
Cisco Confidential 22 © 2014 Cisco and/or its affiliates. All rights reserved.
Cisco Security Program Areas of Analysis
Cisco Confidential 23 © 2014 Cisco and/or its affiliates. All rights reserved.
1 Initial
2 Repeatable
3 Defined
4 Managed
5 Optimized
Level 1 – Initial (ad hoc processes)
Level 2 – Repeatable (formal processes)
Level 3 – Defined (pervasive processes)
Level 4 – Managed (effective processes)
Level 5 – Optimized (refined processes)
• Immature or inconsistent policies and procedures
• Various degrees of defined processes • Unpredictable or unstable
environment • Inconsistent buy-in across the
enterprise
• Processes abandoned at time of crisis • Projects frequently exceed budget or
are not fully completed • Insufficient measurement of risk • Business objective alignment is not
established • Inconsistent use of technology
• Undefined enterprise architecture model
• Lack of strategic planning
• Undefined roles and responsibilities • Minimal senior management
involvement in IT risk management
• Policies and procedures have been implemented
• Project-specific processes are documented, practiced, and enforced
• Unique reporting and measurement at project level
• Processes followed during crisis
• Compliance program being established • Adoption of technology standards
• Target enterprise architecture model is defined
• Enterprise architecture is being implemented at the component level
• Governance approach is being formalized
• Procurement based on specific requirements
• Varied adherence to architecture standards
• Defined roles and responsibilities for IT risk management organization
• Senior management is educated on IT risk management
• Responsibilities defined enterprise-wide
• Enterprise-wide implementation of defined processes
• Consistent reporting and defined measurement
• Crisis predictable and minimized
• Proactive exception management • Compliance program is effective
• Enterprise standards leveraged for all projects
• Target enterprise architecture model is implemented
• Initial alignment with business processes
• Acquisitions and purchases governed by enterprise architecture model
• Qualitative measurement of performance
• Senior management commitment
• Measured effectiveness of IT risk organization
• Processes are adaptable based on scope/risk
• Defined metrics and measurement • Quantitative predictability of
performance
• Explicit adherence to standards across the enterprise
• Pervasive deployment and integration of enterprise architecture model
• Benefits of target architecture model are realized
• Alignment with business objectives • Risk management used as an
enabler to business processes
• Planned IT acquisition and investment
• Senior management involvement
• Accountability for IT risk organization
• Processes are continually improved
• Measured and increased ROI • Decreased operating expenses • Process feedback incorporated
• Business processes reengineered for efficiency and savings
• Ability to perform risk modeling • Established business linkage • Risk management enablers provide
an increase in top line revenue • No unplanned IT investment
• Alignment with corporate strategic plan
Cisco Security Capability Maturity Model
Cisco Confidential 24 © 2014 Cisco and/or its affiliates. All rights reserved.
Deliverable Graphic Examples: Current State vs. Target State (+full description report on gaps, deficiencies, and paths to overcome)
Management Controls
OperationalControls
Technical Controls
Security Governance
Policy Management
Compliance Management
Risk Management
Security Strategy
Security Architecture
Metrics and Measurement
Patch Management
Vulnerability Management
Asset Management
Security Monitoring
Incident Management
Continuity of Operations
Identity and Access
Management
3rd Party Management
Systems Development
Lifecycle
Information Management
Change Management
Network Security
Wireless Security
Host Security
Endpoint Security
Application Security
Data Security
Database Security
Management Controls
OperationalControls
Technical Controls
Security Governance
Policy Management
Compliance Management
Risk Management
Security Strategy
Security Architecture
Metrics and Measurement
Patch Management
Vulnerability Management
Asset Management
Security Monitoring
Incident Management
Continuity of Operations
Identity and Access
Management
3rd Party Management
Systems Development
Lifecycle
Information Management
Change Management
Network Security
Wireless Security
Host Security
Endpoint Security
Application Security
Data Security
Database Security
Current State -‐ Example
Target State -‐ Example
Cisco Confidential 25 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Joint SPA & NDSA Recommendation Prioritization Prioritization helps the Security Ops management to address the recommendations based on Criticality and Ease of implementation.
Cisco Confidential 26 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Intel Driven Incident Response
Intelligence Powered by TalosTM
Response Custom Tiers
Remediation Post Breach
100 TB Intelligence 1.6M sensors 150 million+ endpoints 35% of email world wide FireAMP™, 3+ million 13B web requests Open Source Communities 180,000+ Files per Day 1B SBRS Queries per Day TALOS Research and Outreach
Kill Chain Review Attack Vector Evaluation Threat Actor Landscaping Policy Review & Overhaul Application Penetration Testing Direct Access to Cisco’s Elite CCIEs Future Partnerships for Remediation - Microsoft - Red Hat - More…
Rapid Response Incident Coordination & Investigation Breach Containment & Recovery
Emergency
Established IR Engagement Process Threat & Incident Reviews Rate Relief
Readiness
Proactive Threat Hunting Intel / IR / SOC Build-outs Custom Training
Custom
Cisco Confidential 27 © 2014 Cisco and/or its affiliates. All rights reserved.
Custom Threat Intelligence
Network Traffic Analysis (CTI) & Traditional Perimeter Protection
• Know the “blind spots”
• Utilize “zero day” attacks
• Test against their copies of the latest detection/prevention technology to ensure not detected
• Hardware modifications & firmware injection – visible only to traffic flows
• Strive to make their exfiltration look like normal traffic
• Use different exfiltration networks for each major target
• Make compromises persistent
• Implement “self delete” when discovered
Need for comprehensive threat
visibility
27
INSTRUMENT IDENTIFY REMEDIATE MEASURE
Cisco Confidential 28 © 2014 Cisco and/or its affiliates. All rights reserved.
Core Security Service Areas
Advisory Integration
Managed
Custom Threat Intelligence
Strategy, Assessments, Incident Response
Integration Services
Security Optimization Services
Active Threat Analytics
Remote Managed Services & Operations
Cisco Confidential 29 © 2014 Cisco and/or its affiliates. All rights reserved.
DMZ Users
Malware Analysis
Netflow Collector
Identity Mgmt.
Data Center
Netflow Collector
Identity Mgmt.
Web Security
Email Security
Malware Analysis
Netflow Collector
Identity Mgmt.
Talos
ATA: A Comprehensive Threat Solution
ASA with FIREPOWER
Cisco Cloud Security Internet
Mobile Endpoints Anywhere / Anytime
Cisco Active Threat Analytics
ThreatGRID FirePower
Full Packet Cognitive
Malware Analysis
Application Exhaust
Cisco Confidential 30 © 2014 Cisco and/or its affiliates. All rights reserved.
Use Case: Customer Statistics for Two-Week Timeframe
Post-investigation incidents/tickets 71
269,808 Security Events
Unique events 113,713
High fidelity events 1710
207,992 61,816 Threat intel sourced Telemetry generated
Roughly 20,000 Events/day to
5 ranked & prioritized Incidents/day
Cisco Confidential 31 © 2014 Cisco and/or its affiliates. All rights reserved.
OpenSOC Framework Sources Data Collection Messaging Broker Real-Time Processing Storage Access
Analytic Tools
Tableau
R / Python
Power Pivot
Web Services
Search
PCAP Reconstruction
Telemetry Sources
NetFlow
Machine Exhaust
HTTP
Other
Flume
Agent B
Agent N
Agent A
Kafka
B Topic
N Topic
PCAP Topic
DPI Topic
A Topic
Storm
B Topology
N Topology
A Topology
PCAP Topology
DPI Topology
Hive
Raw Data
ORC
Elasticsearch
Index
HBase
Packet Table
PCAP Passive
Tap
Traffic Replicator
Cisco Confidential 32 © 2014 Cisco and/or its affiliates. All rights reserved.
https://github.com/OpenSOC