György Ács
Security Consulting Systems Engineer
3rd November 2015
Content Security Update
Agenda
• Email Security
  • Appliance, Cloud, Hybrid
• Web Security
  • Web Security Appliance
  • Cloud Web Security
  • Cognitive Threat Analytics
• OpenDNS
• Cloud Access Security (CAS)
  • Elastica
3C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Diagram: Cisco® TALOS threat intelligence provides visibility across web, endpoints, devices, networks and IPS, and drives control in Cisco AnyConnect®, Cisco IPS, Cisco CWS, Cisco WSA, Cisco ASA and Cisco ESA; information updates flow between TALOS and the enforcement points.
Cisco TALOS: outstanding cloud-based global threat intelligence
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 35% worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 40+ languages
• 600+ engineers, technicians, and researchers
• 80+ PH.D., CCIE, CISSP, and MCSE users
• More than US$100 million spent on dynamic research and development
• 3- to 5-minute updates
• 5,500+ IPS signatures produced
• 8 million+ rules per day
• 200+ parameters tracked
• 70+ publications produced
Email Security http://beta.senderbase.org/ebc_spam/
Global Spam Volume - last 18 months (Average Daily Email and Spam Volume, Billions)
• Spam: 85.97%
• Legitimate: 14.02%
• Malware: 0.0089%
http://www.senderbase.org/static/spam/#tab=1
Contacts
• Cisco IronPort Anti-Spam
  • Report undetected spam to: [email protected]
  • Report false-positives to: [email protected]
• Brightmail Anti-Spam
  • Report undetected spam to: [email protected]
  • Report false-positives to: [email protected]
• Marketing Spam
  • Report marketing spam false positives to: [email protected]
  • Report marketing spam false negatives to: [email protected]
Cisco Email Security Threat Defense: Complete Inbound Protection
Diagram: inbound mail flows through SenderBase Reputation Filtering, Anti-Spam, Anti-Virus, Outbreak Filters, Real-time URL Analysis and Advanced Malware Protection (AMP), all fed by Cisco® TALOS and CWS; the verdicts available along the way are Deliver, Quarantine, Re-write URLs, Drop, Drop/Quarantine and Quarantine/Re-write.
DMARC: Standardizing Email Authentication
• Reduces the exposure of your users to phishing
• Ties DKIM and SPF together and addresses their shortcomings
• Identifies the actions to take if message authentication fails for a sender's domain
• Allows aggregate reports to be sent back to the sending domain to inform it of message disposition
Diagram: a DNS server publishes Trusted_Partner.com's DMARC record (p=reject); a signed message from Trusted_Partner.com is verified and delivered, while an imposter's message claiming Trusted_Partner.com is dropped or quarantined by the Cisco ESA and reported back to the domain owner.
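The decision the ESA makes in that diagram can be shown as code. The following is an added example written for this page, not Cisco code: it parses a DMARC TXT record, checks SPF/DKIM alignment with the From: domain in relaxed or strict mode, and returns the disposition the published policy asks for. The records, domain names and the `evaluate()` function are all constructed for the example; the organizational-domain rule is simplified to the last two labels (a real implementation consults the Public Suffix List), and the `pct`, `sp` and reporting tags are ignored.

```python
"""DMARC evaluation: parse a published record and decide disposition from
SPF/DKIM results and their alignment with the From: domain (RFC 7489 logic,
simplified). Added example; not Cisco ESA code."""

# Constructed sample records keyed by the _dmarc label (not real DNS data).
SAMPLE_RECORDS = {
    "_dmarc.trusted-partner.example":
        "v=DMARC1; p=reject; adkim=r; aspf=r; pct=100; "
        "rua=mailto:dmarc-reports@trusted-partner.example",
    "_dmarc.lenient.example": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    # Defaults per RFC 7489: relaxed alignment for both DKIM and SPF.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption:
    real code must use the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment: same organizational domain; strict ('s'): exact match."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def lookup(from_domain, records=SAMPLE_RECORDS):
    """Find the policy for the From: domain, falling back to its organizational domain."""
    for candidate in (from_domain, org_domain(from_domain)):
        txt = records.get("_dmarc." + candidate.lower())
        if txt:
            parsed = parse_dmarc(txt)
            if parsed:
                return parsed
    return None


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
             records=SAMPLE_RECORDS):
    """Return (disposition, reason); disposition is pass, none, quarantine or reject.

    A message passes DMARC when at least one of SPF or DKIM both passed and is
    aligned with the RFC5322.From domain; otherwise the published p= applies."""
    policy = lookup(from_domain, records)
    if policy is None:
        return ("none", "no DMARC record")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "aligned " + ("DKIM" if dkim_ok else "SPF"))
    return (policy["p"], "no aligned authentication")


if __name__ == "__main__":
    # The imposter case from the slide: SPF passes for the attacker's own domain,
    # which is not aligned, so the partner's p=reject applies.
    print(evaluate("trusted-partner.example", "pass", "imposter.example", "fail", ""))
```

The imposter case is the important one: SPF can legitimately pass for the envelope sender the attacker controls, and only the alignment check against the visible From: domain turns that into a reject.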
URL Defense: Integrated email and web security
Diagram: an email contains a URL; Cisco TALOS categorizes it and the ESA applies one of four actions: Rewrite, Defang, Replace with "This URL is blocked by policy", or Send to Cloud. Examples shown as BLOCKED: www.playboy.com, www.proxy.org.
Cisco Zero-Hour Malware Protection: Advanced Malware Protection
• Advanced Malware Protection: cloud-powered zero-hour malware detection. File reputation answers for known files; unknown files are uploaded for file sandboxing and the reputation is updated with the result (SourceFire AMP integration).
• Outbreak Filters: telemetry-based zero-hour virus and malware detection.
Outbreak filters defend against blended attacks: Integrated email and web security
Diagram: when the link is clicked, the target is inspected dynamically in real time via HTTP with Cisco TALOS intelligence. If the website is clean it is served; if the website is blocked the user sees the Cisco Security block page:
The requested web page has been blocked
http://www.threatlink.com
Cisco Email and Web Security protects your organization's network from malicious software. Malware is designed to look like a legitimate email or website which accesses your computer, hides itself in your system, and damages files.
Outbreak Filters in Action: User Experience
Before:
Subject: Request for Review
Paul,
I forward my thesis to you for review.
Please open it and provide comments.
www.Personal Site.com/Thesis_Draft.pdf (link target: http://www.threatlink.com/)
Hope all's well since Verizon.
Best regards,
Friend
After:
Subject: [SUSPICIOUS MESSAGE] Request for Review
WARNING: This appears to be a malicious email
Link rewritten to: http://secure-web.Cisco.com/auth=X&URL=www.threatlink.com
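The two slides above (URL Defense and the Outbreak Filters user experience) describe the same mechanism from the policy side and from the user's side. As an added example, not Cisco code, the block below applies a category policy to every URL in a message body: allowed URLs pass, blocked categories are replaced with the policy text, proxy-avoidance sites are defanged, and suspicious links are rewritten to a click-time proxy with a subject tag and warning banner. The category table, the policy mapping, the `secure-web.example` proxy prefix and the `protect_message()` function are all constructed for the example; a real deployment would query a reputation service instead of a dictionary.

```python
"""Email URL defense: categorize each URL in a message, then allow, replace,
defang or rewrite it per policy, tagging the subject when a link is rewritten.
Added example; not Cisco ESA code."""
import re
from urllib.parse import urlsplit, quote

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed category lookup (assumption: stands in for a reputation service).
CATEGORY = {
    "www.playboy.com": "adult",
    "www.proxy.org": "proxy-avoidance",
    "www.threatlink.com": "malware",
    "www.example.com": "business",
}

# Constructed policy: category -> action. Anything unknown is sent via the
# click-time proxy so it is re-checked at click time.
POLICY = {"adult": "replace", "proxy-avoidance": "defang",
          "malware": "rewrite", "business": "allow"}

PROXY = "http://secure-web.example/auth=X&URL="   # placeholder click-time proxy
REPLACEMENT = "This URL is blocked by policy"
BANNER = "WARNING: This appears to be a malicious email"
TAG = "[SUSPICIOUS MESSAGE] "


def defang(url):
    """Make the URL non-clickable while keeping it readable for analysts."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def rewrite(url):
    """Wrap the original URL so the proxy re-evaluates it when clicked."""
    return PROXY + quote(url, safe="")


def process_url(url):
    """Return (replacement text, action) for one URL."""
    host = (urlsplit(url).hostname or "").lower()
    action = POLICY.get(CATEGORY.get(host, "unknown"), "rewrite")
    if action == "allow":
        return url, action
    if action == "replace":
        return REPLACEMENT, action
    if action == "defang":
        return defang(url), action
    return rewrite(url), action


def protect_message(subject, body):
    """Apply the URL policy to a message; returns (subject, body, actions taken)."""
    actions = []

    def substitute(match):
        replacement, action = process_url(match.group(0))
        actions.append(action)
        return replacement

    new_body = URL_RE.sub(substitute, body)
    if "rewrite" in actions:
        # A rewritten (suspicious) link: tag the subject and prepend the banner.
        subject = TAG + subject
        new_body = BANNER + "\n\n" + new_body
    return subject, new_body, actions


if __name__ == "__main__":
    s, b, a = protect_message("Request for Review",
                              "Please review http://www.threatlink.com/Thesis_Draft.pdf")
    print(s)
    print(b)
    print(a)
```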
Cisco TALOS - Cloud Security Enforcement
Identified: Targeted Attack
Content: Malware Payload
Vector: Email
Action: Blocked
Diagram: the same "Request for Review" message arrives with the WARNING banner; when the recipient clicks the rewritten link (http://secure-web.Cisco.com…), Cisco Cloud Web Security blocks the page and the malware payload is blocked.
Cisco Outbreak Filters Defends against Targeted Attacks
Block page shown: "The requested web page has been blocked - http://www.threatlink.com", followed by the same Cisco Security explanation text.
IPv6 Support: Defense for email systems against emerging IPv6 threats
• Supports: IPv4/IPv6 addressing – single or dual stack – with Anti-Spam, Anti-Virus, Content Filters, DLP, Encryption, and more
• Translates: IPv6 in and IPv4 out… or vice versa
• Full reporting and Message Tracking support
IPv6 Addressing: Is your Email Security filtering content with IPv6 addressing appropriately?
ESA v9.0 – Feature rich release
• Enhanced file-type support for sandboxing: PDFs, MS Objects, inspection within archives and encoded formats
• Anti-Snowshoe
• S/MIME signing and encryption
• Larger disk support
• Flexible disk capacity allocation
• Virtual SMA support
• AsyncOS API
Cisco ESA 9.5
• Graymail Detection and Safe Unsubscribing
• Web Interaction Tracking
• System health monitoring enhancements
• Support for On-Premises File Analysis (Continuous Analysis: the ESA submits files to a local AMP ThreatGrid appliance on the local LAN)
• Support for TLS v1.2
Web Security http://beta.senderbase.org/ebc_malware/
Customers Are Challenged with Today's Evolving Threat Landscape: Data Loss, Acceptable Use Violations, Malware Infections
Diagram: Cisco Web Security Appliance (WSA) capabilities across the attack continuum (Before / During / After): Web Filtering, Cloud Access Security, Web Reputation, Application Visibility and Control, Parallel AV Scanning, Data-Loss Prevention, File Reputation, File Sandboxing, Cognitive Threat Analytics*, File Retrospection; policy outcomes are Allow, Warn, Block and Partial Block. Deployment: roaming users via the AnyConnect® client, branch office, campus office and HQ, with traffic redirection by WCCP, explicit/PAC, load balancer or PBR; client authentication via Cisco® ISE; admin reporting, log extraction and management; appliance or virtual form factor; all fed by Talos.
* Roadmap feature: Projected release 2H CY15
Cisco Web Usage Controls: URL Filtering and Dynamic Content Analysis
If the URL is known, the URL database returns its category and policy is enforced (Allow, Warn, Block). If unknown, the page is analyzed:
1. Scans text
2. Scores relevancy
3. Calculates model document proximity (e.g. against the Finance, Adult and Health models)
4. Returns closest category match
5. Enforces policy (Allow, Warn, Partial Block, Block)
Diagram: the attack continuum (BEFORE: Discover, Enforce, Harden; DURING: Detect, Block, Defend; AFTER: Scope, Contain, Remediate) mapped to the CWS Premium layers (Layer 1, Layer 2, Layer 3), which combine AMP (file reputation, dynamic malware analysis, file retrospection) with CTA (anomaly detection, trust modeling, event classification, entity modeling, relationship modeling).
AMP Delivers Point-in-Time, Continuous, and Retrospective Security
Diagram: (1) policy, AV and AMP file reputation decide at point in time; (2) an unknown file goes to AMP Dynamic Malware Analysis in the AMP Cloud; (3) file retrospection raises retrospective incidents when a verdict later changes. Retrospection lets you know where it all started, understand how it entered the system, see everywhere it has been, determine what it has done, and learn how to stop it.
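The retrospective part of that slide is the one that differs from classic AV, so here is what it amounts to in code. This is an added example, not Cisco AMP code: every file sighting is recorded with the verdict that was current at the time, and when the cloud later flips a hash to malicious, a retrospective incident is built from the earlier allowed sightings, giving the entry point (where it all started) and the trajectory (everywhere it has been). The `RetrospectiveAMP` class, the host names and the placeholder hash are constructed for the example.

```python
"""File retrospection: remember every sighting, and when a file's reputation
changes to malicious after it was allowed, reconstruct where it entered and
where it went. Added example; not Cisco AMP code."""
from collections import defaultdict


class RetrospectiveAMP:
    def __init__(self):
        self.reputation = {}                 # sha256 -> clean | unknown | malicious
        self.sightings = defaultdict(list)   # sha256 -> [(ts, host, path, verdict_then)]
        self.incidents = []

    def point_in_time(self, sha256, ts, host, path):
        """Point-in-time decision: block known-malicious files, allow the rest,
        and record the sighting together with the verdict that applied."""
        verdict = self.reputation.get(sha256, "unknown")
        self.sightings[sha256].append((ts, host, path, verdict))
        return "block" if verdict == "malicious" else "allow"

    def update_reputation(self, sha256, new_verdict):
        """Continuous analysis result. If a previously allowed file turns
        malicious, return a retrospective incident covering every earlier
        sighting that was let through; otherwise return None."""
        old = self.reputation.get(sha256, "unknown")
        self.reputation[sha256] = new_verdict
        if new_verdict != "malicious" or old == "malicious":
            return None
        allowed = sorted(s for s in self.sightings[sha256] if s[3] != "malicious")
        if not allowed:
            return None
        first_ts, first_host, _, _ = allowed[0]
        incident = {
            "sha256": sha256,
            "entry_point": (first_host, first_ts),          # where it all started
            "trajectory": [(ts, host, path) for ts, host, path, _ in allowed],
            "hosts": sorted({host for _, host, _, _ in allowed}),  # everywhere it has been
        }
        self.incidents.append(incident)
        return incident


def demo():
    """Constructed scenario: a PDF is allowed on two hosts, then flagged."""
    amp = RetrospectiveAMP()
    h = "0" * 64   # placeholder SHA-256, not a real sample hash
    amp.point_in_time(h, 100, "hr-laptop-01", "C:/Users/paul/Thesis_Draft.pdf")
    amp.point_in_time(h, 130, "fileserver-02", "/share/Thesis_Draft.pdf")
    incident = amp.update_reputation(h, "malicious")
    later = amp.point_in_time(h, 200, "hr-laptop-03", "/tmp/Thesis_Draft.pdf")
    return incident, later


if __name__ == "__main__":
    inc, later = demo()
    print("entry point:", inc["entry_point"])
    print("hosts:", inc["hosts"])
    print("later sighting verdict:", later)
```

The verdict stored with each sighting is what makes the incident honest: it only lists hosts where the file was actually allowed, and a second malicious update for the same hash does not raise a duplicate incident.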
Combining the Power of ISE with WSA: WSA with ISE Process Flow
Cisco® ISE acquires important context and identity from the network. It monitors and provides visibility into unauthorized access.
Cisco ISE provides differentiated access to the network; Cisco TrustSec® Security provides segmentation throughout the network; and Cisco Web Security Appliance provides web security and policy enforcement.
Diagram (consistent secure access policy): Cisco® Identity Services Engine passes identity context to the WSA, which applies a different policy per user, device and location (Who: Doctor, What: Laptop, Where: Office; Who: Doctor, What: iPad, Where: Office; Who: Guest, What: iPad, Where: Office) across Confidential Patient Records, the Internal Employee Intranet and the Internet, over the attack continuum (BEFORE: Discover, Enforce, Harden; DURING: Detect, Block, Defend; AFTER: Scope, Contain, Remediate).
WSA News
• WSA / AsyncOS 8.8: ICAPs (for DLP vendors) and AMP ThreatGrid integration
• Recommendation: min. WSA 9.0
• Cisco Web Security Advanced Reporting App 4.5: WSA and CWS logs
• Referral header support (allow a YouTube channel if you have a good referral)
Diagram: WSA logs and Cloud Web Security (CWS) logs feed the reporting app; the WSA integrates with cloud-based AMP ThreatGrid or a local AMP ThreatGrid, and with a DLP vendor via ICAP.
Cognitive Threat Analytics, CTA (for CWS, WSA, and other)
• As users go through a web proxy, access logs are generated
Diagram: clients' HTTP/HTTPS traffic passes through the proxy; the HTTP/HTTPS headers (metadata) are sent to Cisco Cognitive Threat Analytics (CTA) as access-log rows:
Time | IP | URL | User Agent | …
2:45 | 54.62.37.10 | www.google.com | Mozilla (…
2:45 | 68.62.37.10 | www.yahoo.com | Mozilla (…
2:45 | 22.62.37.10 | www.cnn.com | Chrome (…
2:45 | 59.62.37.10 | www.seznam.com | Mozilla (…
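The slide only shows the input; the block below shows, as an added example that is not CTA's code, two of the simplest anomaly checks that can be run over rows in that Time | IP | URL | User Agent layout: beaconing (one client hitting one host at a near-constant period) and user agents that a single client uses. The log lines are constructed, as are the `10.1.1.x` clients, the `c2.example` host and the thresholds; CTA's real models are far richer, but the metadata they start from is exactly this.

```python
"""Proxy access-log anomaly detection over 'Time | IP | URL | User Agent' rows:
flag periodic callbacks to one host and user agents seen from one client only.
Added example; not Cisco CTA code."""
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log (not real traffic). One request per line.
SAMPLE_LOG = """\
02:45:00 | 10.1.1.7 | http://www.google.com/ | Mozilla/5.0 (Windows NT 6.1)
02:45:02 | 10.1.1.7 | http://www.cnn.com/ | Mozilla/5.0 (Windows NT 6.1)
02:45:10 | 10.1.1.9 | http://www.yahoo.com/ | Mozilla/5.0 (Windows NT 6.1)
02:46:00 | 10.1.1.12 | http://c2.example/ping?id=1 | Java/1.7.0_45
02:47:00 | 10.1.1.12 | http://c2.example/ping?id=2 | Java/1.7.0_45
02:48:00 | 10.1.1.12 | http://c2.example/ping?id=3 | Java/1.7.0_45
02:49:00 | 10.1.1.12 | http://c2.example/ping?id=4 | Java/1.7.0_45
02:50:00 | 10.1.1.12 | http://c2.example/ping?id=5 | Java/1.7.0_45
02:51:00 | 10.1.1.9 | http://www.seznam.com/ | Mozilla/5.0 (Windows NT 6.1)
"""


def parse(log):
    """Turn the pipe-separated rows into dicts with time in seconds and the host."""
    rows = []
    for line in log.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue   # skip malformed or header rows
        h, m, s = (int(x) for x in parts[0].split(":"))
        rows.append({"t": h * 3600 + m * 60 + s, "ip": parts[1],
                     "host": urlsplit(parts[2]).hostname or "", "ua": parts[3]})
    return rows


def beacons(rows, min_requests=4, max_cv=0.2):
    """(client, host) pairs whose inter-request gaps are nearly constant, i.e.
    the coefficient of variation of the gaps is at or below max_cv."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["ip"], r["host"])].append(r["t"])
    found = []
    for (ip, host), ts in by_pair.items():
        if len(ts) < min_requests:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            found.append({"ip": ip, "host": host, "period_s": mean, "count": len(ts)})
    return found


def rare_user_agents(rows):
    """User agents used by exactly one client: a non-browser UA on one host is
    worth a look, while a UA shared across the fleet is normal."""
    clients = defaultdict(set)
    for r in rows:
        clients[r["ua"]].add(r["ip"])
    return {ua: next(iter(ips)) for ua, ips in clients.items() if len(ips) == 1}


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(beacons(rows))
    print(rare_user_agents(rows))
```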
Unique threat detection approach
Cognitive Threat Analytics: Key features
• Anomaly Detection & Big Data Machine Learning
• Understand context
• Continuously analyze data
• Make decisions
• Prevent testing in advance
• Always evolve
• Find threats faster
Demo Time !
Elastica, Cisco Cloud Access Security
How does Elastica Work?
Diagram: data reaches Elastica CloudSOC™ through the Gateway (1. PAC files, 2. Chaining with Cisco, 3. Lite Agent (roadmap)), through Securlets, and through Log Files (1. Direct Upload, 2. Direct Stream, 3. On Premise VM). Using StreamIQ™ and ThreatScore™, CloudSOC lets you:
• AUDIT Shadow IT and data risk
• DETECT exploitations of cloud app accounts
• PROTECT against intrusions in cloud app accounts
• INVESTIGATE incidents and respond
Comprehensive Cloud App Security Stack
Elastica CloudSOC Main Goals: SaaS Visibility, Granular Control, Intelligent Protection
SHADOW IT RISK ASSESSMENT
• Analytics on your cloud app risks and compliance issues
• App usage anomalies across your organization
• What apps you should sanction and what apps you should block
SHADOW DATA RISK ASSESSMENT
• External and public content exposures, including compliance risks
• Inbound risky content shared with employees (e.g. malware, IP, etc.)
• Risky users and user activities
• Identify Shadow IT and monitor cloud app usage in real time
• Gain control of Shadow Data in a cloud-first, mobile-first world
• Combat evolving threats using data science
Cisco CWS Integration
• As simple as enabling a feature from the CWS back-office portal
• Automated customer provisioning at Elastica
• Automated log transfer without any customer setup/deployment effort
OpenDNS
Recap Differentiators (Note: This is usually our first slide in intro decks)
Global Network + Unique Analytics = World's Largest Security Platform w/ 80M+ malicious requests blocked/day
GLOBAL NETWORK
• 80B+ DNS requests/day
• 65M+ biz & home users
• 100% uptime
• Any port, protocol, app
UNIQUE ANALYTICS
• security research team
• automated classification
• BGP peer relationships
• 3D visualization engine
PRODUCTS & TECHNOLOGIES
• UMBRELLA (Enforcement): network security service protects any device, anywhere
• INVESTIGATE (Intelligence): discover and predict attacks before they happen
A New Layer of Breach Protection: UMBRELLA
• Threat Prevention: not just threat detection
• Turnkey & Custom API Integrations: does not require professional services to set up
• Protects On & Off Network: not limited to devices forwarding traffic through on-prem appliances
• Always Up to Date: no need for the device to VPN back to an on-prem server for updates
• Block by Domains for All Ports: not just IP addresses, or domains only over ports 80/443
A Single, Correlated Source of Information: INVESTIGATE
• WHOIS record data
• ASN attribution
• IP geolocation
• IP reputation scores
• Domain reputation scores
• Domain co-occurrences
• Anomaly detection (DGAs, FFNs)
• DNS request patterns/geo. distribution
• Passive DNS database
The slide's comparison column marks three of these data sources as "Not available" from competing vendors.
Evolution of Command & Control Callbacks
• HARD-CODED IP: the malware calls back to one fixed address (@23.4.24.1)
• "FAST FLUX": one domain (bad.com?) rotates through many addresses (@34.4.2.110, @23.4.34.55, @44.6.11.8, @129.3.6.3)
• DOMAIN GENERATION ALGORITHM: the malware tries many generated domains (bad.com?, baa.ru?, bid.cn) resolving to changing addresses (@8.2.130.3, @12.3.2.1, @67.44.21.1)
How Our Security Classification Works
• Ingest millions of data points per second (domains and addresses such as a.ru, b.cn, 7.7.1.3, e.net, 5.9.0.1, p.com/jpg)
• Apply statistical models and human intelligence
• Identify probable malicious sites
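The three callback styles on that slide leave different traces in DNS data, and the "Anomaly detection (DGAs, FFNs)" item in the INVESTIGATE list is about telling them apart. The block below is an added example, not OpenDNS code: from constructed passive-DNS-style records it classifies a callback target as a hard-coded IP (no DNS query at all, so domain-level blocking never sees it), a fast-flux domain (many addresses behind one name with short TTLs), or a DGA-style name (long, high-entropy, vowel-poor label). The records, the `bad.example` and `xkq7ztr4pmw9vhd2.example` names, the TEST-NET addresses and the thresholds are all constructed; the slide's `bad.com?` / `baa.ru?` names are schematic and too short for the entropy test, so longer labels are used here.

```python
"""Classify command-and-control callback styles from DNS evidence:
hard-coded IP, fast flux (many short-lived IPs per name) and DGA-style names.
Added example; not OpenDNS code."""
import math
import re
from collections import defaultdict

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed passive-DNS records: (domain, resolved IP, TTL seconds). Not real data.
PASSIVE_DNS = [
    ("bad.example", "34.4.2.110", 60), ("bad.example", "23.4.34.55", 60),
    ("bad.example", "44.6.11.8", 60), ("bad.example", "129.3.6.3", 60),
    ("bad.example", "8.2.130.3", 60), ("bad.example", "12.3.2.1", 60),
    ("www.example.org", "203.0.113.10", 86400),
    ("xkq7ztr4pmw9vhd2.example", "67.44.21.1", 300),
]


def is_hardcoded_ip(target):
    """Literal IP callback: no DNS lookup happens, so DNS-layer enforcement sees nothing."""
    return bool(IPV4.match(target))


def fast_flux(records, min_ips=5, max_ttl=300):
    """Domains that resolve to many distinct addresses with short TTLs."""
    ips, min_ttl = defaultdict(set), {}
    for domain, ip, ttl in records:
        ips[domain].add(ip)
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    return {d: {"ips": len(ips[d]), "min_ttl": min_ttl[d]}
            for d in ips if len(ips[d]) >= min_ips and min_ttl[d] <= max_ttl}


def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain, min_len=10, min_entropy=3.3, max_vowel_ratio=0.3):
    """Heuristic DGA test on the second-level label: long, high entropy, few vowels.
    Thresholds are constructed for the example; tune them on real data."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio


def classify(target, records=PASSIVE_DNS):
    """Name the callback style for one target, checking the cheapest test first."""
    if is_hardcoded_ip(target):
        return "hard-coded IP"
    if target in fast_flux(records):
        return "fast flux"
    if looks_generated(target):
        return "domain generation algorithm"
    return "unclassified"


if __name__ == "__main__":
    for t in ("23.4.24.1", "bad.example", "xkq7ztr4pmw9vhd2.example", "www.example.org"):
        print(t, "->", classify(t))
```

The ordering in `classify()` matters for the defender: a hard-coded IP is the case a domain blocklist cannot catch, which is why the UMBRELLA slide stresses blocking by domain on all ports as an addition to, not a replacement for, IP-based controls.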
Demo Time !