Give yourself time in the fight against cyberattacks, with an integrated threat defense
Story Tweedie-Yates, Head of Cisco Security Product Marketing in EMEAR, December 2016

Transcript

Page 1

Story Tweedie-Yates

Head of Cisco Security Product Marketing in EMEAR

December 2016

With an integrated threat defense

Give yourself time in the fight against cyberattacks

Page 2

Most interesting thing about Ukraine?

Page 3

Debunk “kill chain” misconception

Your basic defense and attackers’ speed

How Cisco lowers Total Time to Detection

Page 4

Page 5

Attackers are winning the battle for time

[Chart: time for the attacker to Compromise and Exfiltrate versus time for the victim to Identify and Contain; x-axis 0 to 250 in Seconds, Minutes, Hours, Days; series: Attacker, Victim]

Source: Verizon 2016 Data Breach Investigations Report and Ponemon Cost of Data Breach Study 2016

Page 6

Total Time to Detection (TTD)

[Figure: timeline from Compromise to Detection]

Page 7

Measure and improve your TTD

Gaining an edge on the continuous “arms race.”

[Chart: TTD in hours (axis ticks 0, 13, 50, 100) per malware family, with the median TTD marked; families are plotted as detected earlier (< median) or detected later (> median): bayrob, dridex, ngrbot, nemucod, xtrat, teslacrypt]

Page 8

Is early protection the best way to lower TTD?

RECON: Learning about target
STAGE: Building infrastructure and acquiring tools
LAUNCH: Initial connection made with users
EXPLOIT: Utilizing vulnerabilities to run code
INSTALL: Installing malware
CALLBACK: Communicating ‘home’
PERSIST: Spread until goal is accomplished

Page 9

Typical ransomware kill chain

Launch: User clicks a malicious link, malvertising; email w/ ransomware payload
Exploit: Exploitation
Install: Ransomware payload
Callback: Call to malicious infrastructure; decryption key asymmetric exchange
Outcome: Files inaccessible!

Page 10

Multi-layer defense that can improve TTD

Same ransomware kill chain as the previous page (Launch: user clicks a malicious link, malvertising, or email w/ ransomware payload; Exploit: exploitation; Install: ransomware payload; Callback: call to malicious infrastructure, decryption key asymmetric exchange; outcome: files inaccessible!), with the defense layers shown: Email Security, Endpoint Security, DNS Layer, Intrusion Prevention

Page 11

Protection after an attack is crucial to lowering TTD

Across Network, Endpoint, Mobile, Virtual, Cloud; point in time and continuous; with threat intelligence:

BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Page 12

A multi-layer defense lowers TTD for other threats – like Black Energy

Stages shown: Email w/ weaponized MS Office attachments; Black Energy 3 installed; C&C through Explorer; Remote connections using stolen credentials; C&C and plug-in installation; Attack

Defense layers shown: Endpoint Security, Web Security, Segmentation, Email Security, NGFW/IPS

Page 13

Protecting multiple attack vectors and ‘after’ an attack is more effective at lowering TTD than protecting early on in the kill chain

Page 14

Why are attackers so fast?

Page 15

Time to Patch: Vulnerable Endpoints Are Ripe Targets

[Chart: version update timelines, each group labelled 10 weeks]
Browsers (Chrome): 42.0.2311, 43.0.2357, 41.0.2272
Applications (Java): 7.0.550, 7.0.600, 7.0.650, 7.0.670, 7.0.710, 7.0.720, 7.0.790
Enterprise Software (Office): 15.0.4420, 14.0.4762, 15.0.4454, 15.0.4569

Page 16

HTTPS Malware Traffic Increase

Category                      % Increase   % Avg. HTTPS
Advertisements                +9.27%       34.06%
Search Engines and Portals    +8.58%       64.27%
Chat and Instant Messaging    +8.23%       96.83%

Don’t ignore encryption
Adversaries hide their tracks in the encrypted traffic to evade detection.

Page 17

Technical considerations alone are not enough

Page 18

Combining people, processes and technology

*Adapted from Cisco’s Program Assessment Service

Columns: Strategy (People), Operations (Process), Tactical (Technology)
Items shown: Strategy, Metrics, Threat Correlation, Patch Mgmt, NGIPS, Malware Defense

Page 19

Ukraine National Center for Cybersecurity will support people, processes

National Cyber Security Strategy

National Coordination Center for Cybersecurity

Page 20

How Cisco lowers Total Time to Detection

Page 21

More Effective Against Sophisticated Attacks
Much faster than most organizations discover breaches

Industry: 100 days vs. Cisco: ~13 hours

*Source Cisco Midyear Security Report, 2016

Page 22

Integrated threat defense: sharing information to lower TTD

[Figure: products exchanging Event, Policy and Threat intel]

Page 23

Unrivaled global threat research and intelligence


24/7/365 Operations
100 TB Data Received
1.5 MILLION Malware Samples
600 BILLION Email Messages
16 BILLION Web Requests
MILLIONS of Telemetry Agents
4 Global Data Centers
Over 100 Threat Intelligence Partners
250+ Full Time Threat Intel Researchers

Page 24

Threat Sharing Demo

Page 25

Product intercommunication across many attack vectors lowers TTD

Products shown: Network (ISR/ASR), Advanced Malware, Cisco Umbrella, Web, ISE, Email, NGFW/NGIPS, Threat Grid, Stealthwatch
Shared between them: Event, Threat Intel, Policy

Page 26

The minimum for lowering TTD

Educate users about threats and best practices
Basic hardening to resist malware and attacks
Measure TTD
What/how many/where are the devices on the network
Monitor network actively for evidence of compromise
Develop an incident response plan

(Columns: People, Process, Technology)
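As an added example, not taken from the deck or from Cisco: how to measure TTD the way page 6 defines it (compromise to detection) and produce the median and the earlier/later-than-median split per family shown on the “Measure and improve your TTD” chart. The records are constructed; the family names are reused from that chart and the timestamps are invented.

```python
"""Measure Total Time to Detection (TTD): elapsed time from compromise to detection."""
from datetime import datetime
from statistics import median

# Constructed sample records (not Cisco data): family, compromise time,
# time the detection first fired (retrospective detections count too).
SAMPLES = [
    ("bayrob",     "2016-11-01T08:00:00", "2016-11-01T10:30:00"),
    ("dridex",     "2016-11-01T09:15:00", "2016-11-02T03:15:00"),
    ("ngrbot",     "2016-11-02T12:00:00", "2016-11-02T12:45:00"),
    ("nemucod",    "2016-11-03T07:00:00", "2016-11-05T07:00:00"),
    ("xtrat",      "2016-11-03T22:00:00", "2016-11-04T14:00:00"),
    ("teslacrypt", "2016-11-04T06:00:00", "2016-11-04T07:00:00"),
    ("dridex",     "2016-11-05T10:00:00", "2016-11-05T16:00:00"),
]


def ttd_hours(compromised: str, detected: str) -> float:
    """Hours between compromise and detection (negative means inconsistent data)."""
    start = datetime.fromisoformat(compromised)
    end = datetime.fromisoformat(detected)
    return (end - start).total_seconds() / 3600


def ttd_report(samples=SAMPLES):
    """Return (overall median TTD, {family: (family median, label)}).

    The label is 'earlier' when the family's median TTD is below the overall
    median, 'later' when above, 'at median' otherwise, mirroring the chart's
    '<Median' / '>Median' split.
    """
    per_sample, by_family = [], {}
    for family, compromised, detected in samples:
        hours = ttd_hours(compromised, detected)
        if hours < 0:
            raise ValueError(f"{family}: detection timestamp precedes compromise")
        per_sample.append(hours)
        by_family.setdefault(family, []).append(hours)
    overall = median(per_sample)
    families = {}
    for family, hours_list in by_family.items():
        fam_median = median(hours_list)
        label = ("earlier" if fam_median < overall
                 else "later" if fam_median > overall else "at median")
        families[family] = (fam_median, label)
    return overall, families


if __name__ == "__main__":
    overall, families = ttd_report()
    print(f"median TTD: {overall:.1f} h")
    for family, (fam_median, label) in sorted(families.items()):
        print(f"{family:<12}{fam_median:6.1f} h  detected {label}")
```

Tracking this median over time, per family and per detection layer, is what turns “Measure TTD” into a number that can be compared against the 100-day industry figure quoted on page 21.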

Page 27

“Carol of the Bells”

Rakhiv, Ukraine is the center of Europe

World’s first constitution

4th most educated country in the world

Page 28