Cisco NGIPS
TRANSCRIPT
Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Threat Landscape Demands More than Application Control
Avoids detection and attacks swiftly; it is a community that hides in plain sight.
60% of data is stolen in hours
100% of companies connect to domains that host malicious files or services
54% of breaches remain undiscovered for months
‘Defense-in-Depth’ Security Alone Is Not Enough
• Manual and Static: slow, manual, inefficient response
• Poor Visibility: undetected multi-vector and advanced threats
• Siloed Approach: increased complexity and reduced effectiveness
Integrated Threat Defense Across the Attack Continuum
Products: Firewall/VPN | NGIPS | Advanced Malware Protection
Attack Continuum:
  BEFORE: Control, Enforce, Harden
  DURING: Detect, Block, Defend
  AFTER:  Scope, Contain, Remediate
Visibility and Automation:
  Security Intelligence | Granular App Control | Retrospective Security
  Web Security          | Modern Threat Control | IoCs/Incident Response
Threats hidden in plain sight
Visibility Is the Key
FirePOWER Brings Unprecedented Network Visibility
(Figure: visibility comparison of a typical NGFW, FirePOWER Services, and a typical IPS.)
Impact Assessment
Correlates every intrusion event with what the system knows about the target host (mapped vulnerabilities, open ports, protocols in use) to rate the impact of the attack against that target.

Impact Flag | Administrator Action                   | Why
1           | Act immediately, vulnerable            | Event corresponds to a vulnerability mapped to the host
2           | Investigate, potentially vulnerable    | Relevant port open or protocol in use, but no vulnerability mapped
3           | Good to know, currently not vulnerable | Relevant port not open or protocol not in use
4           | Good to know, unknown target           | Monitored network, but unknown host
0           | Good to know, unknown network          | Unmonitored network
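The table is really a decision procedure: each event is checked against the host profile of its target, most specific row first (mapped vulnerability, then open port or protocol in use, then whether the host and the network are known at all). The following is an added Python example written for this page; it is not Cisco's code and uses no FirePOWER API. The host-profile and event fields, the vulnerability identifiers (VULN-…), the addresses and the monitored network are all constructed sample data.

```python
"""Impact-flag assignment for intrusion events, modelled on the table above.

Added illustration, not Cisco code. Every identifier, address and host
profile below is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class HostProfile:
    """What the sensor has learned about one host."""
    ip: str
    open_ports: frozenset[tuple[str, int]]  # (transport, port) pairs seen open
    app_protocols: frozenset[str]           # application protocols seen in use
    vulns: frozenset[str]                   # vulnerability IDs mapped to the host


@dataclass(frozen=True)
class IntrusionEvent:
    """One IPS event; 'vulns' are the vulnerability IDs the rule is mapped to."""
    dst_ip: str
    transport: str
    dst_port: int
    app_protocol: str
    vulns: frozenset[str]


IMPACT_LABELS = {
    1: "Act immediately, vulnerable",
    2: "Investigate, potentially vulnerable",
    3: "Good to know, currently not vulnerable",
    4: "Good to know, unknown target",
    0: "Good to know, unknown network",
}


def impact_flag(event: IntrusionEvent, hosts: dict[str, HostProfile],
                monitored: list) -> int:
    """Apply the five rows of the impact table, most specific row first."""
    target = ip_address(event.dst_ip)
    if not any(target in net for net in monitored):
        return 0                          # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                          # monitored network, unknown host
    if event.vulns & host.vulns:
        return 1                          # rule maps to a vuln mapped to the host
    if ((event.transport, event.dst_port) in host.open_ports
            or event.app_protocol in host.app_protocols):
        return 2                          # port open / protocol in use, no vuln
    return 3                              # port closed and protocol not in use


def assess(events, hosts, monitored) -> list[tuple[str, int, str]]:
    """Flag every event as (target, impact flag, administrator action)."""
    out = []
    for e in events:
        f = impact_flag(e, hosts, monitored)
        out.append((e.dst_ip, f, IMPACT_LABELS[f]))
    return out


def triage_order(events, hosts, monitored) -> list[IntrusionEvent]:
    """Analyst queue: flag 1 first, then 2, 3, 4; flag 0 (unknown network) last."""
    def rank(e):
        f = impact_flag(e, hosts, monitored)
        return f if f else 5              # 0 sorts after 4, not before 1
    return sorted(events, key=rank)       # sorted() is stable, ties keep order


# Constructed sample inventory and events (not from the page).
MONITORED = [ip_network("10.1.0.0/16")]
HOSTS = {
    "10.1.1.10": HostProfile("10.1.1.10", frozenset({("tcp", 445), ("tcp", 3389)}),
                             frozenset({"smb", "rdp"}), frozenset({"VULN-1001"})),
    "10.1.1.20": HostProfile("10.1.1.20", frozenset({("tcp", 80)}),
                             frozenset({"http"}), frozenset()),
}
EVENTS = [
    IntrusionEvent("172.16.0.5", "tcp", 445, "smb", frozenset({"VULN-1001"})),  # flag 0
    IntrusionEvent("10.1.1.20", "tcp", 445, "smb", frozenset({"VULN-1001"})),   # flag 3
    IntrusionEvent("10.1.1.10", "tcp", 445, "smb", frozenset({"VULN-1001"})),   # flag 1
    IntrusionEvent("10.1.1.99", "tcp", 22, "ssh", frozenset({"VULN-3003"})),    # flag 4
    IntrusionEvent("10.1.1.20", "tcp", 80, "http", frozenset({"VULN-2002"})),   # flag 2
]

if __name__ == "__main__":
    for e in triage_order(EVENTS, HOSTS, MONITORED):
        f = impact_flag(e, HOSTS, MONITORED)
        print(f"flag {f}  {e.dst_ip}:{e.dst_port}/{e.app_protocol}  {IMPACT_LABELS[f]}")
```

The ordering of the checks matters: a mapped vulnerability outranks an open port, and an open port outranks "not vulnerable", so the same signature firing against two hosts yields different flags purely from the host profile. Note also that flag 0 is sorted last rather than first, since it is the least informative outcome despite being the lowest number.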
Automated, Integrated Threat Defense: Superior Protection for the Entire Attack Continuum
Four pillars: Context and Threat Correlation; Dynamic Security Control; Multi-vector Correlation; Retrospective Security
Context and Threat Correlation
Impact Assessment ranks events as Priority 1, Priority 2 and Priority 3.
Dynamic Security Control
Adapt Policy to Risks (figure: web traffic, with policy adapting to the observed risk).
Multi-vector Correlation
Early Warning for Advanced Threats (figure: events from several vectors, such as a PDF, mail and an admin request, are correlated per host; Hosts A, B and C are shown with IoC counts such as 3 IoCs and 5 IoCs).
Retrospective Security
Shrink Time between Detection and Cure
Indications of Compromise (IoCs)
IPS Events
• Malware Backdoors
• Exploit Kits
• Web App Attacks
• CnC Connections
• Admin Privilege Escalations
SI Events
• Connections to Known CnC IPs
Malware Events
• Malware Detections
• Office/PDF/Java Compromises
• Malware Executions
• Dropper Infections
Integrated Threat Defense at Work
Cisco detects, analyzes and protects against known and emerging threats
Case study: “String of Paerls” malware campaign
Threat intelligence led to identifying and stopping this complex attack. Learn more: http://blogs.cisco.com/security/a-string-of-paerls
How we did it
• Leveraged data sources across Email, Web, and Advanced Malware Protection products
• Used “Big Data” analytics to link disparate events and malware activity
Results
• Multiple Indications of Compromise (IoCs) identified the malware infection
• Threat mitigated