Email to Ransomware kill-chain, w/mitigation points
Welcome
Our Story
4 Key Ingredients: PASSION
▪ Founded in 1997
▪ Started, Managed, and Led by Engineers
▪ Known & Recognized for our Engineering
Core Technologies
5 Verticals: MANAGED SERVICES
▪ Dedicated Teams for Each Vertical
▪ 75% of Our Staff Are Engineers
▪ Home Grown Engineers
Commitment
1 Pledge: PARTNERSHIP
▪ Thrilled for our first engagement
▪ Focused on achieving the next engagements
▪ Quick Response and Delivery Times
▪ Phenomenal Engineering and Support
WE ARE YOUR PARTNER
- DEDICATED TO SUPERIOR SOLUTIONS
- PASSIONATE IN TECHNOLOGY
- EXCITED FOR SUCCESSFUL BUSINESS TRANSFORMATION
- COMMITTED TO OUR CONSULTATIVE PARTNERSHIP
THE CHALLENGE:
• Implementing network security products is difficult
• Today’s mobile workforce needs on-network and off-network protection
• Many companies require web filtering and proxy solutions
WHAT IS UMBRELLA:
• Filter and block DNS requests to bad hosts, before TCP/IP connection is even established
• Removes a large share of incidents that would otherwise have to be analyzed by traditional security controls (firewalls, IDS/IPS, AV, URL filtering, etc.)
• OpenDNS started as a DNS provider (2006)
• Added filtering and blocking features (2007)
• Created business-specific offering (2009)
• Created Umbrella suite (2012) and Investigate feature (2013)
• Cisco acquired OpenDNS (Aug 2015)
WHAT IS DNS?
DNS = Domain Name System
• First step in connection
• Precedes file execution and contact
• Used by all devices, browsers, applications
• Port agnostic
Diagram: a client asks Umbrella to resolve Cisco.com and receives 72.163.4.161.
UMBRELLA GLOBAL NETWORK: VIEW OF THE INTERNET
• 125B requests per day
• 15K enterprise customers
• 90M daily active users
• 160+ countries worldwide
WHERE DOES UMBRELLA FIT?
Diagram: threats (Malware, C2 Callbacks, Phishing) arriving at HQ (Sandbox, NGFW, Proxy, Netflow, AV), BRANCH (Router/UTM, AV) and ROAMING users (AV), with Umbrella as the first line in front of all three.
Benefits
• Block malware before it hits the enterprise
• Contains malware if already inside
• Internet access is faster
• Provision globally in minutes
BREADTH TO COVER ALL PORTS AND DEPTH TO INSPECT RISKY DOMAINS
ALLOW, BLOCK, PROXY; INTERNET-WIDE TELEMETRY; PREDICTIVE UPDATES
DNS and IP layer (allow or block)
▪ Domain request
▪ IP response (DNS-layer) or connection (IP-layer)
▪ Intelligence: Umbrella / Talos and partner feeds; custom domain lists; custom IP lists (future); Umbrella statistical & machine learning models
HTTP/S layer
▪ URL request
▪ File hash
▪ Intelligence: WBRS / Talos + partner feeds; custom URL lists; AV; AMP
INTELLIGENCE TO SEE ATTACKS BEFORE LAUNCHED
Data
▪ Cisco Talos feed of malicious domains
▪ Cisco Threat Grid file-based intelligence (1.5M+ daily samples)
▪ Umbrella DNS data — 125B requests per day
Security researchers
▪ Industry-renowned researchers
▪ Build models that can automatically classify and score domains and IPs
Models
▪ Dozens of models continuously analyze millions of live events per second
▪ Automatically uncover malware, ransomware, and other threats
STATISTICAL MODELS
Guilt by inference
▪ Co-occurrence model
▪ Sender rank model
▪ Secure rank model
Guilt by association
▪ Predictive IP Space Modeling
▪ Passive DNS and WHOIS Correlation
Patterns of guilt
▪ Spike rank model
▪ Natural Language Processing rank model
▪ Live DGA prediction
Scale: 2M+ live events per second; 11B+ historical events
CO-OCCURRENCE MODEL: Domains guilty by inference
Diagram: a request timeline (time −, time +) of a.com, b.com, c.com, x.com, d.com, e.com, f.com, where x.com is the known malicious domain and the domains requested immediately around it are marked as possible malicious domains.
Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.
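An added example, not from the deck or from Cisco/OpenDNS, that runs the co-occurrence idea over a constructed DNS log: for each identity, domains requested within a few seconds of each other are paired, and any domain paired with a known malicious domain by enough distinct identities is scored as a possible malicious domain. The log, the time window and the identity threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample DNS log: (timestamp in seconds, identity, domain).
# Identities that request x.com (known malicious) also tend to request
# c.com and d.com within a few seconds of it, so those should be flagged.
SAMPLE_LOG = [
    (100, "host-1", "a.com"), (101, "host-1", "c.com"), (102, "host-1", "x.com"), (103, "host-1", "d.com"),
    (200, "host-2", "b.com"), (201, "host-2", "c.com"), (202, "host-2", "x.com"), (203, "host-2", "d.com"),
    (300, "host-3", "c.com"), (301, "host-3", "x.com"), (302, "host-3", "d.com"), (900, "host-3", "e.com"),
    (400, "host-4", "a.com"), (401, "host-4", "b.com"), (402, "host-4", "f.com"),
    (500, "host-5", "c.com"), (501, "host-5", "x.com"), (502, "host-5", "d.com"),
    (600, "host-6", "e.com"), (601, "host-6", "f.com"),
]

KNOWN_MALICIOUS = {"x.com"}  # constructed: the deck's "known malicious domain"


def cooccurring_pairs(log, window_s=5):
    """For each identity, pair up domains requested within window_s seconds of each other.
    Returns {(domain_a, domain_b): set_of_identities}; an identity counts once per pair."""
    by_identity = defaultdict(list)
    for ts, ident, domain in log:
        by_identity[ident].append((ts, domain))
    pairs = defaultdict(set)
    for ident, reqs in by_identity.items():
        reqs.sort()  # chronological order so the window scan can stop early
        for i, (t1, d1) in enumerate(reqs):
            for t2, d2 in reqs[i + 1:]:
                if t2 - t1 > window_s:
                    break
                if d1 != d2:
                    pairs[tuple(sorted((d1, d2)))].add(ident)
    return pairs


def infer_suspects(log, known_bad, min_identities=3, window_s=5):
    """Score domains that co-occur with a known malicious domain.
    A domain becomes a "possible malicious domain" only when at least min_identities
    distinct identities requested it alongside a known bad domain: a single user hitting
    a popular site right before a bad one is noise, not evidence."""
    pairs = cooccurring_pairs(log, window_s)
    suspects = {}
    for (d1, d2), idents in pairs.items():
        for bad, other in ((d1, d2), (d2, d1)):
            if bad in known_bad and other not in known_bad and len(idents) >= min_identities:
                suspects[other] = max(suspects.get(other, 0), len(idents))
    return suspects  # {domain: number of identities supporting the inference}


if __name__ == "__main__":
    for domain, support in sorted(infer_suspects(SAMPLE_LOG, KNOWN_MALICIOUS).items()):
        print(f"possible malicious domain: {domain} (seen with x.com by {support} identities)")
```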
SPIKE RANK MODEL: Patterns of guilt
Chart: DNS requests for y.com over days; categories shown: DGA, MALWARE, EXPLOIT KIT, PHISHING.
▪ Massive amount of DNS request volume data is gathered and analyzed
▪ DNS request volume matches known exploit kit pattern and predicts future attack
▪ y.com is blocked before it can launch full attack
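An added example, not the deck's own and not Umbrella's model, of the pattern-matching step described above: daily request counts per domain are scaled by their peak and correlated against a constructed reference curve for an exploit-kit ramp-up, and a domain is flagged only when the shape matches and its volume has also grown sharply, so busy but steady domains are not caught. The counts, the reference curve and the thresholds are assumptions.

```python
import math

# Constructed daily DNS request counts per domain, oldest day first.
# y.com ramps the way a freshly stood-up exploit-kit landing domain might;
# news.example is busy but steady; shop.example has a single-day blip.
DAILY_VOLUME = {
    "y.com":        [0, 1, 3, 9, 30, 95, 310],
    "news.example": [5000, 5100, 4950, 5050, 5000, 5200, 5100],
    "shop.example": [40, 42, 41, 120, 43, 40, 44],
}

# Constructed reference curve for a "known exploit kit pattern" (relative volume per day).
EXPLOIT_KIT_PATTERN = [0, 1, 3, 10, 30, 100, 300]


def normalize(series):
    """Scale a series to [0, 1] by its peak so curve shapes compare regardless of size."""
    peak = max(series)
    return [v / peak for v in series] if peak else [0.0] * len(series)


def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 when either is flat."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


def spike_rank(volumes, pattern, min_corr=0.95, min_growth=10.0):
    """Score every domain's volume curve against the reference pattern.
    flag is True only when the shape correlates at least min_corr with the pattern AND
    volume grew at least min_growth-fold from first to last day; the growth test is what
    keeps a large, stable domain from matching by chance."""
    ref = normalize(pattern)
    results = {}
    for domain, series in volumes.items():
        corr = pearson(normalize(series), ref)
        growth = series[-1] / max(series[0], 1)  # guard against a zero first day
        results[domain] = {
            "corr": round(corr, 3),
            "growth": round(growth, 1),
            "flag": corr >= min_corr and growth >= min_growth,
        }
    return results


def domains_to_block(volumes, pattern):
    """Flagged domains, best match first: the candidates to block before the full attack."""
    scored = spike_rank(volumes, pattern)
    return sorted((d for d, r in scored.items() if r["flag"]), key=lambda d: -scored[d]["corr"])


if __name__ == "__main__":
    for domain, r in spike_rank(DAILY_VOLUME, EXPLOIT_KIT_PATTERN).items():
        print(f"{domain:14} corr={r['corr']:.3f} growth={r['growth']:>6} flag={r['flag']}")
```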
PREDICTIVE IP SPACE MONITORING: Guilt by association
▪ Pinpoint suspicious domains and observe their IP's fingerprint
▪ Identify other IPs (hosted on the same server) that share the same fingerprint
▪ Block those suspicious IPs and any related domains
Diagram: a DOMAIN resolving into a block of neighbouring addresses (209.67.132.476, 209.67.132.477, 209.67.132.478, 209.67.132.479, as printed on the slide).
FEATURE LIST
• Protect on or off network
• Stop connections based on 80+ content categories
• AD group membership integration
• Proxy risky traffic
• IP-layer enforcement
• Reporting
• Log retention via Amazon S3
• 3rd party device integrations (Aruba, Cradlepoint, Aerohive)
• Threat enforcement integrations (Splunk, FireEye, Anomali)
• Multi-organizational console
• Umbrella Investigate for direct access to threat intelligence
PACKAGES/LICENSING
• Wireless LAN
  • For guest wireless access
• Professional
  • For small companies
• Insights
  • For mid-sized companies
  • Proxy and AD integration
• Platform
  • For advanced security teams
  • Threat enforcement integrations & Investigate access
• User License
  • Per user, per WLAN, per ISR4K, per roaming user
  • Subscription – 12, 36, 60 months
DEPLOYMENT TYPES
Network footprint
▪ Existing DNS/DHCP servers, Wi-Fi APs: simple config change to redirect DNS
▪ ISR4K (today), WLC (today), Meraki MR (future), vEdge (future): provisioning and policies per VLAN/SSID; tags for granular filtering and reporting; out-of-the-box integration (Umbrella virtual appliance also available)
Endpoint footprint
▪ AnyConnect roaming module, Cisco Security Connector (in LA): granular filtering and reporting on- & off-network (Umbrella roaming client also available)
PROTECT ON-NETWORK DEVICES VIA DNS SERVER
Diagram (YOUR NETWORK):
▪ Laptop IP: 10.1.1.3
▪ Internal DNS Server: server IP 10.1.1.1; DNS server 10.1.1.1; external DNS resolution via 208.67.222.222
▪ Internet gateway: network egress IP 67.215.87.11
▪ Umbrella resolver: 208.67.222.222
▪ Your policy: enforce all security settings for 67.215.87.11
PROTECT INTERNAL NETWORKS VIA UMBRELLA VIRTUAL APPLIANCE
Diagram (YOUR NETWORK):
▪ Laptop IP: 10.1.1.3
▪ Internal DNS Server: server IP 10.1.1.1; DNS server 10.1.1.1
▪ Umbrella VA: appliance IP 10.1.1.2; DNS server 10.1.1.1; internal domains office.acme.com
▪ Internet gateway: network egress IP 67.215.87.11
▪ Umbrella resolver: 208.67.222.222
▪ The VA inserts 10.1.1.3, GUID and Org ID in the EDNS request, encrypts it and forwards it to 208.67.222.222
▪ Your policy: enforce all security settings for 10.1.1.3
PROTECT AD USERS VIA CONNECTOR AND UMBRELLA VIRTUAL APPLIANCE
Diagram (YOUR NETWORK):
▪ CEO's laptop IP: 10.1.1.3
▪ Internal DNS Server: DNS server 10.1.1.1; DHCP IP 10.1.1.1
▪ AD Server w/AD connector: associates CEO with 10.1.1.3; associates CEO with EXEC group (via HTTPS push)
▪ Umbrella VA: appliance IP 10.1.1.2; DNS server 10.1.1.1; internal domains office.acme.com; inserts 10.1.1.3, GUID and Org ID in the EDNS request, encrypts it and forwards it
▪ Internet gateway: network egress IP 67.215.87.11
▪ Umbrella resolver: 208.67.222.222
▪ Your policy: enforce all security settings for EXEC group (GUID = CEO, a member of EXEC group)
DEPLOYMENT STEPS/ORDER
• Cloud service setup
• Set up internal domains and IP addresses (internal & public)
• Virtual Appliances (VA)
• AD connectors
• AD configuration script
• Set up user/group identities
• Define security policies (URL, block, whitelist)
• Set up SSL cert trust & enable proxy
• Set up mobile users
• Set up Apple iOS users
DEMO
• Cisco dCloud
• Dashboard
• Reporting
• Settings
• Investigate
THE PROBLEM
• Ever increasing use of sanctioned and unsanctioned (shadow IT) cloud services by corporate users
• Exposure to attacks, misuse, and accidental data breaches
• Regulatory and internal security compliance headache
WHAT IS CLOUDLOCK?
• Company founded in 2011
• Acquired by Cisco in 2017
• Cloud-native cloud access security broker (CASB) that works through the cloud apps' native APIs
• It protects cloud users, data, and apps, for example:
  • Users logged in to cloud apps from multiple geographic places
  • Files inadvertently shared publicly
  • Blocking users from granting access via OAuth to malicious cloud apps
FEATURES
• Data Security & Compliance (Data Loss Prevention)
• Threat Protection (User and Entity Behavior Analytics)
• Application Discovery & Control (App Firewall)
• Integration & Orchestration (aggregates feeds to SIEMs)
CLOUD SERVICES
• 8 main services
• 2 main add-ons
FEATURES
• Cloudlock aggregates data feeds across existing IT infrastructure to enrich security intelligence and harmonize data protection across on-premises and cloud environments for unprecedented insight and control.
LICENSING
• Minimum 100 users
• User count is the highest number of users on any one service
• 1- or 3-year subscriptions
• Basic (email) or Gold (24x7) support options
DEPLOYMENT
• Nothing to install; hosted in AWS
• Cloud service setup
  • Pick and enable known cloud services, sharing API keys or OAuth info
• Define security policies
  • User policies
  • Whitelist/Blacklist countries
  • DLP filters
  • Whitelist/Blacklist apps
• Integrate with existing SIEMs
DEMO
• Cisco dCloud
• Dashboard
• Incidents
• Policies
• Reporting
FIN
Thank you for your time!