TRANSCRIPT
1C97-732214-00 © 2014 Cisco and/or its affiliates. All rights reserved.
• Jan Minche
• Security Lead
• Cisco, Danmark
Cisco 2016 Annual Security Report
Available: cisco.com/go/asr2016

Top findings
1. Ransomware dominated malware
2. Exploit kits targeting Flash: 80% of successful campaigns use Flash
3. JBoss
4. Fivefold increase in HTTPS traffic from malicious activities (Sep. 2015 to March 2016)
5. Small but growing use of TLS (transport layer security) to hide activity
6. Unpatched software and systems
   • 23% go back to 2011
   • 16% go back to 2009
   • Less than 10% of IE requests are from the latest version
TALOS INTEL BREAKDOWN
THREAT INTEL
• 250+ full-time threat intel researchers
• Millions of telemetry agents
• 4 global data centers
• 1100+ threat traps
• 100+ threat intelligence partners
• 1.5 million daily malware samples
• 600 billion daily email messages
• 16 billion daily web requests
• Sources: honeypots, open source communities, vulnerability discovery (internal), product telemetry, Internet-wide scanning
• 20 billion threats blocked
INTEL SHARING
• Customer data sharing programs
• Service provider coordination program
• Open source intel sharing
• 3rd party programs (MAPP)
• Industry sharing partnerships (ISACs)
• 500+ participants
Digital Transformation on a Massive Scale
• Attack sophistication
• Threat actors
• Attack surface
• Global Cybercrime Market: $450B to $1T
• 15B devices today, 500B devices in 2030
• $19T opportunity over the next 10 years
How Hackers Make Money
Global Cybercrime Market: $450B-$1T
• Bank account info: >$1000, depending on account type and balance
• DDoS as a Service: ~$7/hour
• Medical record: >$50
• Mobile malware: $150
• Malware development: $2500 (commercial malware)
• Social Security: $1
• Facebook account: $1 for an account with 15 friends
• Credit card data: $0.25-$60
• Spam: $50/500K emails
• Exploits: $100K-$300K
Malware Will Get Into Your Environment
• 95% of large organizations targeted by malicious traffic
• 60% of data stolen in hours
• 65% of organizations say attacks evaded existing preventative security tools
• $5.9M average cost of a breach in the United States
Sources: 2014 Cisco Annual Security Report, 2014: A Year of Mega Breaches, Ponemon Institute, Cost of a Data Breach, 2013/2014, Ponemon Institute.
Once Inside, Organizations Struggle to Deal with It
• 33% of organizations take 2+ years to discover a breach
• 55% of organizations unable to determine cause of a breach
• 45 days average time to resolve a cyber-attack
• 54% of breaches remain undiscovered for months
Sources: 2014 Cisco Annual Security Report, 2014: A Year of Mega Breaches, Ponemon Institute, Cost of a Data Breach, 2013/2014, Ponemon Institute.
The Challenges Come from Every Direction
• Sophisticated attackers
• Complex geopolitics
• Boardroom engagement
• Misaligned policies
• Dynamic threats
• Defenders
• Complicit and demanding users
Shadow IT
• Any device to any cloud
• Private cloud / public cloud
• Unauthorised devices/APs
Top cyber risks for users
• Untrustworthy sources
• Clickfraud and adware
• Outdated browsers: 10% of IE requests running the latest version vs 64% of Chrome requests running the latest version
Source: 2015 Cisco Annual Security Report
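The browser-currency figures above (share of IE and Chrome requests running the latest version) are the kind of number a defender can reproduce from their own web-proxy logs. The script below is an added example and is not from the Cisco deck or any Cisco tool: it parses User-Agent strings out of constructed proxy log lines, extracts the major version for the IE and Chrome families, and reports per family how many requests are on the version the operator has recorded as current. The `LATEST_MAJOR` table, the log line format and the sample log lines are all assumptions constructed for illustration.

```python
"""Browser version currency check over constructed proxy log lines (added example)."""
import re
from collections import Counter

# Assumed "latest major version" table, constructed for this example; in
# practice it must be maintained from the vendors' release notes.
LATEST_MAJOR = {"IE": 11, "Chrome": 49}

# User-Agent patterns for the two families the slide compares. Chrome reports
# "Chrome/x.y.z"; IE 11 reports "Trident/7.0 ... rv:11.0"; older IE reports
# "MSIE x.y". Chrome is checked first because Edge/Opera UAs also carry a
# Chrome/ token (those are out of scope here and would be counted as Chrome).
_PATTERNS = [
    ("Chrome", re.compile(r"Chrome/(\d+)\.")),
    ("IE", re.compile(r"MSIE (\d+)\.")),
    ("IE", re.compile(r"Trident/.*rv:(\d+)\.")),
]

# Assumed (constructed) proxy log format:
#   <timestamp> <client_ip> <method> "<url>" <status> "<user-agent>"
LOG_LINE = re.compile(r'^\S+ \S+ \S+ "[^"]*" \d{3} "(?P<ua>[^"]*)"$')

# Constructed sample log lines: 4 IE requests (one on IE 11), 3 Chrome
# requests (two on Chrome 49) and one non-browser client that is ignored.
SAMPLE_LOG = [
    '2016-03-01T09:00:01Z 10.1.2.3 GET "http://example.test/" 200 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
    '2016-03-01T09:00:02Z 10.1.2.4 GET "http://example.test/a" 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '2016-03-01T09:00:03Z 10.1.2.5 GET "http://example.test/b" 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '2016-03-01T09:00:04Z 10.1.2.6 GET "http://example.test/c" 304 "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    '2016-03-01T09:00:05Z 10.1.2.7 GET "http://example.test/d" 200 "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"',
    '2016-03-01T09:00:06Z 10.1.2.8 GET "http://example.test/e" 200 "Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36"',
    '2016-03-01T09:00:07Z 10.1.2.9 GET "http://example.test/f" 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"',
    '2016-03-01T09:00:08Z 10.1.2.10 GET "http://example.test/g" 200 "curl/7.47.0"',
]


def browser_version(user_agent):
    """Return (family, major_version) for IE or Chrome UAs, else None."""
    for family, pattern in _PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return family, int(match.group(1))
    return None


def parse_log(lines):
    """Yield the User-Agent field of each log line that matches LOG_LINE."""
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if match:
            yield match.group("ua")


def currency_report(lines):
    """Per family: (total requests, requests on latest major, percent on latest)."""
    totals, on_latest = Counter(), Counter()
    for ua in parse_log(lines):
        parsed = browser_version(ua)
        if parsed is None:
            continue  # not IE or Chrome; skip
        family, major = parsed
        totals[family] += 1
        if major >= LATEST_MAJOR[family]:
            on_latest[family] += 1
    return {
        family: (totals[family], on_latest[family],
                 round(100.0 * on_latest[family] / totals[family], 1))
        for family in totals
    }


if __name__ == "__main__":
    for family, (total, latest, pct) in sorted(currency_report(SAMPLE_LOG).items()):
        print(f"{family}: {latest}/{total} requests on latest major version ({pct}%)")
```

Running it on the constructed sample gives 25.0% for IE and 66.7% for Chrome; against real proxy logs the same report is a cheap, recurring measure of patch exposure on the client side, with the caveat that anything spoofing a UA string (or a Chromium-based browser carrying a Chrome/ token) lands in the wrong bucket.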
Defensive, In-Depth Security Alone Is Not Enough
• Manual and static: slow, manual, and inefficient response
• Poor visibility: undetected multivector and advanced threats
• Siloed approach: increased complexity and reduced effectiveness
The Configuration Problem
• Poor awareness of true operational environment
• Change to environment requiring configuration/posture changes is unrecognized
• Detection content unavailable
• 0-day
• No anomaly detection mechanisms in place
The Organizational Problem
• Silo oriented organizational approach
• Weak to no cross communications and “partnership”
• False positive rates too high
• Operator overload due to mass of equally meaningless events that must be contextualized
• Frequently technologies are deployed but not properly operationalized
• Check-box security
• Unaware/uneducated workforce in relation to good IT behavior and what to be aware of!
Breach/Detection Time Delta is Not Improving
Source: Verizon 2014 Data Breach Investigations Report
How?
If you knew you were going to be compromised, would you do
security differently?
It’s no longer a question of “if” you’ll be breached, it’s a question of “when”
The Problem is Threats, and especially unknown Threats
Integrated Threat Defense Across the Attack Continuum
Attack Continuum
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Components: Firewall/VPN, NGIPS, Security Intelligence, Web Security, Advanced Malware Protection
Visibility and Automation
• Granular app control
• Modern threat control
• Retrospective security
• IoCs/incident response
Security Everywhere
• Branch
• Campus edge
• Operational technology
• Cloud
• Data center
• Endpoint
Get more from your network through integrated defenses
Cisco Firepower™ Management Center: shared intelligence, shared contextual awareness, consistent policy enforcement
Talos
Firepower 4100 Series, Firepower 9300 Platform
Visibility, Radware DDoS, network analysis, email threats, identity and NAC, DNS firewall, URL
“You can’t protect what you can’t see”
Gain more insight with increased visibility
Visibility compared across a typical IPS, a typical NGFW and Cisco Firepower™ NGFW: threats, users, web applications, application protocols, file transfers, malware, command and control servers, client applications, operating systems, mobile devices, VoIP phones, routers and switches, printers, network servers
Detect infections earlier and act faster
Cisco: 17.5 hours vs industry TTD rate:* 100 days
• Automated attack correlation
• Indications of compromise
• Local or cloud sandboxing
• Malware infection tracking
• Two-click containment
• Malware analysis
Source: Cisco® 2016 Annual Security Report
*Median time to detection (TTD)
[Calendar graphic: timeline from January to April]
[Diagram: layered defenses between the Internet (malware, C2/botnets, phishing) and the target. First layer: OpenDNS / Cisco Umbrella. Mid layer (perimeter): router/UTM, sandbox, proxy, NGFW, NetFlow. Last layer (endpoint): AV.]
CHALLENGES
• Too many alerts via appliances & AV
• Wait until payloads reach target
• Too much time to deploy everywhere
BENEFITS
• Alerts reduced 2-10x; improves your SIEM
• Traffic & payloads never reach target
• Provision globally in UNDER 30 MINUTES
Address the Entire Attack Continuum
Network, Endpoint, Mobile, Virtual, Cloud
Network as a Sensor, Network as an Enforcer
• Before: Discover, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate
Only Cisco can enhance threat visibility and minimize time needed to contain threats, with unmatched scalability, flexibility and operational efficiency.