Glenn Welby, Global Security Sales Organisation, November 2016. Find yourself in the Future Fighting Cyber crime - what problems are we fixing?


Post on 09-Apr-2020


Page 1: Find yourself in the Future Fighting Cyber crime · Global Security Sales Organisation November 2016 Find yourself in the Future ... $19 Trillion Opportunity . Digital Disruption

Glenn Welby

Global Security Sales Organisation

November 2016

Find yourself in the Future Fighting Cyber crime - what problems are we fixing?

Page 2

What is the problem?

Page 3

Rapid Digital Disruption on a Massive Scale

500B in 2030

50B in 2020

15B Devices Today

$19 Trillion Opportunity

Page 4

Digital Disruption Drives the Hacker Economy

Attack Sophistication

Threat Actors

Attack Surface

…Creating an ever-evolving, dynamic threat landscape

Page 5

The Result is Constantly Evolving Challenges

Protect Infrastructure and Critical Data

Secure the Mobile Workforce

Defend Across the Extended Network: Network + Endpoint + Cloud

Enable Business Growth: New Business Value, New Business Models

Page 6

Asymmetric battles are greater than our ability to respond

Persistent Attacks

Overwhelmed Defenders

Innovative Methods

Fragile Infrastructure

Shifting Tactics

Rising Vulnerabilities

Encryption Dilemma

Global Operations

Page 7

Current Threat Landscape

• Evolution of Ransomware

• Advances in Malicious Tradecraft

• Questionable Network Hygiene

• Conflicting Geopolitical Perspective

Page 8

Attacker's Infrastructure Built to be Resilient

Designed to evade and reconstitute

Page 9

Why is there a problem?

Page 10

Direct Attacks Generate Big Profits

More efficient and more lucrative

Page 11

What to do to fix it?

Page 12

Security practitioners need to identify and constrain the operational space of the adversaries

Page 13

Actionable Collaboration is Critical

Actionable collaboration is needed between people, processes, and technology, and on the back-end infrastructure that attackers are using.

Processes

People

Technology

Page 14

DNS: Doth Protest Too Much

91.3% of malware uses DNS

68% of organizations don’t monitor it

A blind spot for attackers to gain command and control, exfiltrate data, and redirect traffic

Page 15

Cyber Defence is sexy!

- everybody’s doing it

Page 16

Security Weighs on the Minds of Executives

48% Of Executives Very Concerned About Security

92% Agreed More Information Will Be Expected

41% Much More Concerned Than 3 Years Ago

Page 17

But is confusing…. who do you choose?

Page 18

Cisco Confidential 18 © 2015 Cisco and/or its affiliates. All rights reserved.

Security Challenges

Security Silos Complicate Protection

Startups Receiving VC funding in last 5 years

1208 $7.3B

Security Vendors for Some Customers

54

Demand for Security Talent

12x

Changing Business Models

Dynamic Threat Landscape

Complexity and Fragmentation

Page 19

BEFORE DURING AFTER

Technology Function

Baseline Systems

Predict Attacks

Proactive Exposure Analysis

Harden and Isolate Systems

Divert Attackers

Prevent incident

Detect Incidents

Confirm and Prioritize Risk

Contain Incidents

IR - Investigate/Forensics

Design/Model Change

Remediate/Make Change

Products

NGIPS

Encryption

Network-based Malware Sandboxes

Endpoint SIEM/Correlation and Analytics

Advanced Threat Defense

App Control/Whitelisting

Threat Intelligence/Intelligence Broker

AV/Next Gen AV

Patch Management

DLP

Honeypot

MDM

Endpoint Mgmt.

Incident Response (incl. Arbitration, Forensics, Automatic Incident Generation, Threat Intelligence and Attack Path Analysis, Journaling, Case Mgmt/Workflow)

Micro Virtualization/Process Isolation

Host based IPS

Web Security

Firewall

NGFW

NAC + Identity

VPN

AVC

Email Security

Advanced Malware Protection

Network Behavior Analysis

Patch / Vuln. Mgmt

AV / MRL Forensics

SIEM

Page 20

How is Cisco addressing the challenge?

Page 21

1. Richer network and security architecture needed

2. Best-in-class technology alone cannot deal with threat landscape

3. Integrated threat defense can converge on encrypted malicious activities

4. Open APIs are crucial

5. Requires less gear and software to install and manage

6. Automation and coordination aspects help to reduce TTD, containment, and remediation

Six Tenets of an Integrated Threat Defense

Page 22

Cisco’s #1 Priority

Threat-Centric Security

Billions Invested

5K People Strong

Cognitive, Sourcefire, ThreatGRID, Neohapsis, OpenDNS, Portcullis, Lancope

Broad/Deep Portfolio

Trusted Advisor

#1 Cybersecurity Company

Expanding Services Capabilities

Pervasive Security

Cisco Is Investing in Security Growth

Page 23

Integrated Architectural Approach

Unified Management

Endpoint

Cloud

Network

Visibility

Threat Intelligence -

Services

Page 24

• 16 billion web requests a day

• 600 billion emails a day

• In aggregate, block almost 20 billion threats per day

• More than 1.5 million unique malware samples daily (17/sec)

• 18.5 billion AMP queries

• 214k AMP queries/sec

A View Across Cisco’s Global Telemetry

Page 25

Market Leader

Committed to Security Innovation

Strongest Portfolio & Architecture

Why Cisco

Page 26

Source: Cisco Midyear Security Report, 2016

Game Changing Innovation

Reduced Time to Detection

Industry: 100 Days vs. Cisco: ~13 Hours

Page 27

Choose Cyber Defence ..its a job for life

Page 28

Page 29

STUDENTS WHO ATTENDED ARE STUDYING Cisco Netacad APJC 2015

THIS SESSION HELPED STUDENTS IDENTIFY THE STEPS THEY NEED TO TAKE IN THEIR CAREER JOURNEY

85%

VERY SATISFIED WITH THE EVENT

84%

93%

70%

THOSE WHO ATTENDED WOULD LIKE TO SPECIALISE IN THESE TECHNOLOGIES AS THEIR CAREER FOCUS

CCNA ROUTING + SWITCHING STUDENTS

68% 11% CCNA SECURITY STUDENTS

9% CCNP STUDENTS

66% 45% 37% 36%

THIS SESSION HELPED STUDENTS IDENTIFY THEIR FUTURE CAREER IN TECHNOLOGY

CYBERSECURITY

R&S

WIRELESS

IoE

CLOUD COMPUTING

Page 30

Page 31

November, 2016

@savgoust

Find Yourself In The Future Fighting Cyber Crime

Page 32

Page 33

1. Reconnaissance: Harvest information to create attack strategy and toolset

2. Weaponization: Coupling exploit with backdoor into deliverable payload

3. Delivery: Delivering weaponized bundle to the victim via email, web, USB, etc.

4. Exploitation: Exploiting a vulnerability to execute code on victim’s system

5. Installation: Installing malware on the asset

6. Command & Control: Command channel for remote manipulation of victim’s system

7. Actions on Objectives: With ’Hands on Keyboard’ access, intruders accomplish

Preparation Intrusion Active Breach

Based on Lockheed Martin’s Cyber Kill Chain

RECON

STAGE

LAUNCH

EXPLOIT

INSTALL

CALLBACK

PERSIST

Page 34

Don’t believe the hype….

(https://en.wikipedia.org/wiki/Don't_Believe_the_Hype)

Page 35

Page 36

Capability Defense against the “Kill Chain”

RECON STAGE

TARGET

CALLBACK PERSIST

BREACH

LAUNCH EXPLOIT INSTALL

COMPROMISE

End–to–End Infrastructure Defense

NGIPS

NGFW

Flow Analytics

Network Anti-Malware

NGIPS

NGFW

Host Anti-Malware

DNS Security

Web Security

Email Security

NGIPS

DNS Security

Web Security

NGIPS

Threat Intelligence

Retrospection

Page 37

Reduce your threat exposure

Network Firewalling

Block unauthorized access and activity by controlling traffic flow

Application Visibility and Control (AVC)

Tailor application behavior to reduce attack surface and risk of data loss

URL Filtering

Restrict access to specific sites and sub-sites, as well as categories of sites

VPN Capabilities

Protect both site-to-site connections and remote users with granular control

Next Generation Intrusion Prevention System (NGIPS)

Detect and prevent threats from entering your network

Page 38

Control It All from a Single Location

Network, Data, and Application

Remote User

Contractor

Guest

Wireless

Wired

Secure access from any location, regardless of connection type

Apply access and usage policies across entire network

Monitor access, activity, and compliance of noncorporate assets, take containment actions when needed

Admin

Enterprise Mobility

Partner

VPN

Branch

Headquarters

Page 39

Most used attack vectors – Web and Email

Approach

Tactic

Impact

Threat vector

Infect or inject a trusted site

Conduct reconnaissance on a target

Deliver an exploit that will attack

Target users through compromised links

Leverage social engineering

Deliver an exploit that will attack

Deliver malware with stealth and self-deleting programs

Gain access through DLL injection and control firewalls, antivirus, etc.

Compromises system control, personal data and authorizations

Dropper

Watering hole

Spear phishing

Page 40

Protection Across Networks

The Network platform uses indications of compromise, file analysis, and in this example file trajectory to show you exactly how malicious files have moved across the environment

Endpoint

Content

Network

WWW

Page 41

Protection Across Endpoints

The Endpoint platform has device trajectory, elastic search, and outbreak control, which in this example is shown quarantining recently detected malware on a device that has the AMP for Endpoints connector installed

Endpoint

Content

Network

WWW

Page 42

Protection Across Web and Email

Cisco® AMP for Web and Email protects against malware threats in web and email traffic by blocking known malware and issuing retrospective alerts when unknown files are convicted

Endpoint

Content

Network

WWW

Page 43

Page 44