Jan Minche, Security Lead, Cisco, Danmark

Posted on 21-Sep-2020

TRANSCRIPT

Page 1: Jan Minche, Security Lead, Cisco, Danmark

C97-732214-00 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Jan Minche

• Security Lead

• Cisco, Danmark

Page 2:

Cisco 2016 Annual Security Report

Available:

cisco.com/go/asr2016

Top findings

1. Ransomware dominated malware
2. Exploit kits targeting Flash: 80% of successful campaigns use Flash
3. JBoss
4. Fivefold increase in HTTPS traffic from malicious activities (Sep. 2015 to March 2016)
5. Small but growing use of TLS (transport layer security) to hide activity
6. Unpatched software and systems
   • 23% date back to 2011
   • 16% date back to 2009
   • Less than 10% of IE requests come from the latest version
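Finding 5 is about attackers moving command-and-control and exfiltration into TLS. What a network sensor still sees in the clear is the ClientHello, and in particular the SNI hostname, which is why TLS metadata rather than payload inspection is the usual starting point. The following Python is an added example, not code from the deck or from Cisco: it builds a minimal TLS 1.2 ClientHello carrying an SNI extension for a constructed hostname and then parses the SNI back out of the raw record, returning None for non-handshake or malformed input. The hostname, the two cipher suites and the zeroed random field are assumptions chosen for a deterministic sample.

```python
"""Extract the SNI hostname from a TLS ClientHello record (added example)."""
import struct


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello with one server_name extension.

    Constructed sample input: the random field is zeroed for determinism and the
    cipher suite list is two ECDHE-RSA-AES-GCM suites (assumed, for illustration).
    """
    name = hostname.encode("ascii")
    # ServerName entry: name_type 0 (host_name), 2-byte length, name
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = struct.pack("!H", 4) + b"\xc0\x2f\xc0\x30"
    body = (
        b"\x03\x03" + bytes(32)   # client_version TLS 1.2, 32-byte random (zeros)
        + b"\x00"                 # session_id length 0
        + cipher_suites
        + b"\x01\x00"             # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(data: bytes):
    """Return the SNI hostname from a raw TLS record, or None if absent or malformed."""
    try:
        if data[0] != 0x16:  # ContentType handshake
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:  # not a ClientHello
            return None
        pos = 4 + 2 + 32  # handshake header, client_version, random
        sid_len = hs[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2 + cs_len
        comp_len = hs[pos]
        pos += 1 + comp_len
        if pos + 2 > len(hs):
            return None  # no extensions block at all (older clients)
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:  # server_name
                # skip list length (2) and name_type (1); read the 2-byte name length
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    record = build_client_hello("update.example.net")  # constructed hostname
    print("SNI:", extract_sni(record))
    print("non-handshake record:", extract_sni(b"\x17\x03\x03\x00\x05hello"))
```

The parser deliberately treats anything it cannot walk as "no SNI" instead of raising: on a sensor a malformed or truncated ClientHello is itself worth counting, and a crash on attacker-controlled bytes is the worse failure mode. Connections with no SNI, or an SNI that does not match the certificate or the destination IP's reputation, are the ones to look at first.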

Page 3:

TALOS INTEL BREAKDOWN

THREAT INTEL
• 250+ full-time threat intel researchers
• Millions of telemetry agents
• 4 global data centers
• 1100+ threat traps
• 100+ threat intelligence partners
• 1.5 million daily malware samples
• 600 billion daily email messages
• 16 billion daily web requests
• 20 billion threats blocked

Sources: honeypots, open source communities, vulnerability discovery (internal), product telemetry, internet-wide scanning

INTEL SHARING
• Customer data sharing programs
• Service provider coordination program
• Open source intel sharing
• 3rd party programs (MAPP)
• Industry sharing partnerships (ISACs)
• 500+ participants

Page 4:

Digital Transformation on a Massive Scale

Attack sophistication, threat actors, attack surface

Global cybercrime market: $450B to $1T
Devices today: 15B; devices in 2030: 500B
$19T opportunity over the next 10 years

Page 5:

How Hackers Make Money

Global cybercrime market: $450B-$1T

Item                    Price
Bank account info       >$1000 (depending on account type and balance)
DDoS as a service       ~$7/hour
Medical record          >$50
Mobile malware          $150
Malware development     $2500 (commercial malware)
Social Security number  $1
Facebook account        $1 for an account with 15 friends
Credit card data        $0.25-$60
Spam                    $50 per 500K emails
Exploits                $100K-$300K

Page 6:

Page 7:

Malware Will Get Into Your Environment

• 95% of large organizations targeted by malicious traffic
• 60% of data stolen in hours
• 65% of organizations say attacks evaded existing preventative security tools
• $5.9M average cost of a breach in the United States

Sources: 2014 Cisco Annual Security Report; 2014: A Year of Mega Breaches, Ponemon Institute; Cost of a Data Breach, 2013/2014, Ponemon Institute.

Page 8:

Once Inside, Organizations Struggle to Deal with It

• 33% of organizations take 2+ years to discover a breach
• 55% of organizations are unable to determine the cause of a breach
• 45 days average time to resolve a cyber-attack
• 54% of breaches remain undiscovered for months

Sources: 2014 Cisco Annual Security Report; 2014: A Year of Mega Breaches, Ponemon Institute; Cost of a Data Breach, 2013/2014, Ponemon Institute.

Page 9:

The Challenges Come from Every Direction

Defenders face sophisticated attackers, complex geopolitics, boardroom engagement, misaligned policies, dynamic threats, and complicit and demanding users.

Page 10:

Shadow IT

Any device to any cloud: private cloud, public cloud, public cloud; unauthorised devices/APs

Page 11:

Top cyber risks for users

• Untrustworthy sources
• Clickfraud and adware
• Outdated browsers: 10% of IE requests vs 64% of Chrome requests are running the latest version

Source: 2015 Cisco Annual Security Report
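The IE-versus-Chrome figure on this slide (and the "less than 10% of IE requests" finding on page 2) is something any organisation can measure for itself from its own web-proxy logs, because the browser announces its version in the User-Agent header. The Python below is an added example and not code from the deck or from Cisco: it parses constructed proxy log lines, classifies each request as IE or Chrome with its major version, and reports the share of requests on the latest major per browser together with the outdated clients. The "latest" major versions (IE 11, Chrome 49) are an assumption matching early 2016 and must be updated for your environment; the log format is also assumed.

```python
"""Browser-version inventory from web-proxy logs (added example, not from the deck)."""
import re
from collections import defaultdict

# Assumed "latest" major versions at the time of the deck (early 2016); update for your environment.
LATEST_MAJOR = {"IE": 11, "Chrome": 49}

# Constructed proxy log lines: client_ip method url "user-agent". Not real traffic.
SAMPLE_LOG = """\
10.0.1.5 GET http://intranet.example/ "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
10.0.1.6 GET http://intranet.example/ "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.1.7 GET http://news.example/ "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
10.0.1.8 GET http://news.example/ "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
10.0.1.9 GET http://news.example/ "Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
10.0.1.10 GET http://news.example/ "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.108 Safari/537.36"
"""

UA_FIELD = re.compile(r'"([^"]*)"\s*$')
IE_LEGACY = re.compile(r"MSIE (\d+)\.")             # IE <= 10 announce themselves with an MSIE token
IE_TRIDENT = re.compile(r"Trident/.*\brv:(\d+)\.")  # IE 11 dropped MSIE and only carries rv: under Trident
CHROME = re.compile(r"Chrome/(\d+)\.")


def parse_browser(ua: str):
    """Return (family, major_version) or None when the UA is neither IE nor Chrome."""
    if "Edge/" in ua:
        return None  # Edge also carries a Chrome token; counting it as Chrome would skew the figure
    m = CHROME.search(ua)
    if m:
        return ("Chrome", int(m.group(1)))
    m = IE_LEGACY.search(ua) or IE_TRIDENT.search(ua)
    if m:
        return ("IE", int(m.group(1)))
    return None


def version_report(log_text: str):
    """Per family: request count, requests on the latest major, their fraction, outdated clients."""
    totals = defaultdict(int)
    on_latest = defaultdict(int)
    outdated = defaultdict(list)
    for line in log_text.splitlines():
        m = UA_FIELD.search(line)
        if not m:
            continue  # no quoted UA field: skip rather than guess
        parsed = parse_browser(m.group(1))
        if parsed is None:
            continue
        family, major = parsed
        totals[family] += 1
        if major >= LATEST_MAJOR[family]:
            on_latest[family] += 1
        else:
            outdated[family].append((line.split()[0], major))  # (client_ip, major)
    return {
        f: {
            "requests": totals[f],
            "latest": on_latest[f],
            "fraction_latest": on_latest[f] / totals[f],
            "outdated_clients": outdated[f],
        }
        for f in totals
    }


if __name__ == "__main__":
    for family, row in version_report(SAMPLE_LOG).items():
        print(f"{family}: {row['latest']}/{row['requests']} on latest "
              f"({row['fraction_latest']:.0%}); outdated: {row['outdated_clients']}")
```

On the constructed sample this reports 1 of 3 IE requests and 2 of 3 Chrome requests on the latest major. The outdated-client list is the actionable part: it names the hosts to patch, which the percentage alone does not.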

Page 12:

Defensive, In-Depth Security Alone Is Not Enough

• Manual and static: slow, manual, and inefficient response
• Poor visibility: undetected multivector and advanced threats
• Siloed approach: increased complexity and reduced effectiveness

Page 13:

The Configuration Problem

• Poor awareness of true operational environment

• Change to environment requiring configuration/posture changes is unrecognized

• Detection content unavailable

• 0-day

• No anomaly detection mechanisms in place
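The last two bullets belong together: when no detection content exists (a 0-day, a new C2), the only thing left is a baseline of what the environment normally does and an alarm when it deviates. The Python below is an added example and not code from the deck or from Cisco. It takes constructed NetFlow-style records (day, source, destination, destination port, bytes out), builds a per-host baseline of daily egress volume and of destination ports seen, and flags a host whose egress today is far outside its own history or that talks to a port it never used before. The robust z-score (median and MAD instead of mean and standard deviation) is used so that the outlier being hunted does not inflate its own baseline; the threshold of 5 and the flat-baseline guard are assumptions to tune per environment.

```python
"""Egress-volume and new-port anomalies from NetFlow-style records (added example)."""
import statistics
from collections import defaultdict

# Constructed flow records: (day, src_ip, dst_ip, dst_port, bytes_out). Not real telemetry.
BASELINE_FLOWS = [
    ("d1", "10.0.2.10", "93.184.216.34", 443, 100_000), ("d1", "10.0.2.11", "93.184.216.34", 443, 90_000),
    ("d2", "10.0.2.10", "93.184.216.34", 443, 110_000), ("d2", "10.0.2.11", "93.184.216.34", 80, 95_000),
    ("d3", "10.0.2.10", "93.184.216.34", 443, 120_000), ("d3", "10.0.2.11", "93.184.216.34", 443, 88_000),
    ("d4", "10.0.2.10", "93.184.216.34", 443, 130_000), ("d4", "10.0.2.11", "93.184.216.34", 443, 92_000),
    ("d5", "10.0.2.10", "93.184.216.34", 443, 115_000), ("d5", "10.0.2.11", "93.184.216.34", 443, 91_000),
]
TODAY_FLOWS = [
    ("d6", "10.0.2.10", "93.184.216.34", 443, 118_000),
    ("d6", "10.0.2.10", "203.0.113.7", 4444, 5_000_000),  # large upload to a new host on an unseen port
    ("d6", "10.0.2.11", "93.184.216.34", 443, 89_000),
]

MAD_SCALE = 1.4826  # scales the MAD to a standard-deviation equivalent for normal data


def daily_egress(flows):
    """Bytes out per (src_ip, day)."""
    per_day = defaultdict(int)
    for day, src, _dst, _port, nbytes in flows:
        per_day[(src, day)] += nbytes
    return per_day


def ports_seen(flows):
    """Destination ports each source has used in the baseline."""
    seen = defaultdict(set)
    for _day, src, _dst, port, _nbytes in flows:
        seen[src].add(port)
    return seen


def robust_score(value, history):
    """Robust z-score: (value - median) / (scaled MAD). Medians resist the outliers we hunt."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    # A flat baseline has MAD 0; assume 10% of the median as spread rather than dividing by zero.
    spread = MAD_SCALE * mad if mad > 0 else max(0.1 * med, 1.0)
    return (value - med) / spread


def detect(baseline, today, threshold=5.0):
    """Return findings for hosts whose egress volume or destination ports deviate from baseline."""
    history = defaultdict(list)
    for (src, _day), total in sorted(daily_egress(baseline).items()):
        history[src].append(total)
    known_ports = ports_seen(baseline)
    findings = []
    for (src, day), value in daily_egress(today).items():
        if src not in history:
            findings.append({"host": src, "day": day, "type": "no_baseline", "bytes": value})
            continue
        score = robust_score(value, history[src])
        if score > threshold:
            findings.append({"host": src, "day": day, "type": "egress_volume", "bytes": value,
                             "baseline_median": statistics.median(history[src]),
                             "score": round(score, 1)})
    for day, src, dst, port, _nbytes in today:
        if src in known_ports and port not in known_ports[src]:
            findings.append({"host": src, "day": day, "type": "new_dst_port", "dst": dst, "port": port})
    return findings


if __name__ == "__main__":
    for finding in detect(BASELINE_FLOWS, TODAY_FLOWS):
        print(finding)
```

On the constructed data host 10.0.2.10 is flagged twice (egress volume roughly 45x its median, and a first-ever connection to port 4444) while 10.0.2.11 is quiet. Neither rule needed a signature for the payload, which is the point of the slide's last bullet; the price is that the baseline must be long enough to cover normal variation such as backup windows.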


Page 14:

The Organizational Problem

• Silo-oriented organizational approach

• Weak to no cross-communication and “partnership”

• False positive rates too high

• Operator overload due to the mass of equally meaningless events that must be contextualized

• Technologies are frequently deployed but not properly operationalized

• Check-box security

• Workforce unaware of or uneducated in good IT behavior and what to watch out for


Page 15:

Breach/Detection Time Delta is Not Improving

Source: Verizon 2014 Data Breach Investigations Report

Page 16:

How?

Page 17:

If you knew you were going to be compromised, would you do security differently?

It’s no longer a question of “if” you’ll be breached, it’s a question of “when”

Page 18:

The Problem is Threats, and especially unknown Threats

Page 19:

Integrated Threat Defense Across the Attack Continuum

Attack Continuum:
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Products: Firewall/VPN, NGIPS, Security Intelligence, Web Security, Advanced Malware Protection

Capabilities: Visibility and Automation, Granular App Control, Modern Threat Control, Retrospective Security, IoCs/Incident Response

Page 20:

Security Everywhere

Branch, campus edge, operational technology, cloud, data center, endpoint

Page 21:

Get more from your network through integrated defenses

Cisco Firepower™ Management Center: shared intelligence, shared contextual awareness, consistent policy enforcement

Talos; Firepower 4100 Series; Firepower 9300 Platform

Visibility, Radware DDoS, network analysis, email threats, identity and NAC, DNS, firewall, URL

Page 22:

“You can’t protect what you can’t see”

Gain more insight with increased visibility

Visibility compared across a typical IPS, a typical NGFW and Cisco Firepower™ NGFW (figure): threats, users, web applications, application protocols, file transfers, malware, command and control servers, client applications, operating systems, network servers, mobile devices, VoIP phones, routers and switches, printers.

Page 23:

Detect infections earlier and act faster

Median time to detection (TTD): Cisco 17.5 hours vs industry 100 days

• Automated attack correlation
• Indications of compromise
• Local or cloud sandboxing
• Malware infection tracking
• Two-click containment
• Malware analysis

Source: Cisco® 2016 Annual Security Report

Page 24:

OpenDNS / Cisco Umbrella as the first layer (figure): threats from the internet (malware, C2/botnets, phishing) meet a first layer (OpenDNS / Cisco Umbrella), then mid layers at the perimeter (router/UTM, sandbox, proxy, NGFW, NetFlow) and a last layer at the endpoint (AV).

CHALLENGES
• Too many alerts via appliances and AV
• Wait until payloads reach the target
• Too much time to deploy everywhere

BENEFITS
• Alerts reduced 2-10x; improves your SIEM
• Traffic and payloads never reach the target
• Provision globally in under 30 minutes
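The "first layer" in the figure works because almost every malware download, C2 check-in or phishing click starts with a DNS query, so a verdict at the resolver is taken before any payload moves. The Python below is an added example, not code from the deck and not how OpenDNS/Umbrella is implemented: it applies a constructed domain blocklist to a constructed resolver query log with the two properties a DNS-layer policy needs, case and trailing-dot normalisation and matching on label boundaries (so a blocked domain covers all of its subdomains but not look-alike names that merely end in the same string), and then collapses the hits into one alert per client and indicator rather than one per query, which is the "alerts reduced" benefit in a small form. Blocklist entries, log format and client addresses are all assumptions.

```python
"""DNS-layer policy check against a domain blocklist (added example, not from the deck)."""
from collections import Counter

# Constructed blocklist entries (not real indicators). A match covers the name and all subdomains.
BLOCKLIST = {"malware-c2.example", "phish.example.net"}

# Constructed resolver query log: timestamp client qtype qname. Not real traffic.
QUERY_LOG = """\
2016-03-01T10:00:01 10.0.3.4 A www.example.com.
2016-03-01T10:00:02 10.0.3.4 A cdn.malware-c2.example.
2016-03-01T10:00:03 10.0.3.5 A notmalware-c2.example.
2016-03-01T10:00:04 10.0.3.6 TXT PHISH.EXAMPLE.NET
2016-03-01T10:00:05 10.0.3.4 AAAA MALWARE-C2.example.
"""


def normalize(qname: str) -> str:
    """Strip the trailing root dot and lower-case: DNS names are case-insensitive."""
    return qname.rstrip(".").lower()


def blocked_by(qname: str, blocklist=BLOCKLIST):
    """Return the blocklist entry that covers qname, or None.

    Walks the name from the left so that each candidate is a whole-label suffix:
    'cdn.malware-c2.example' matches 'malware-c2.example', but
    'notmalware-c2.example' does not, because the match must start at a label.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def apply_policy(log_text: str, blocklist=BLOCKLIST):
    """One verdict per query: (client, normalized qname, 'BLOCK' or 'ALLOW', matched entry)."""
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qtype, qname = line.split()
        hit = blocked_by(qname, blocklist)
        verdicts.append((client, normalize(qname), "BLOCK" if hit else "ALLOW", hit))
    return verdicts


def alerts_per_client(verdicts):
    """Collapse blocked queries to one alert per (client, indicator); repeat lookups add a count."""
    return Counter((client, hit) for client, _q, verdict, hit in verdicts if verdict == "BLOCK")


if __name__ == "__main__":
    results = apply_policy(QUERY_LOG)
    for row in results:
        print(row)
    print(alerts_per_client(results))
```

On the constructed log three of five queries are blocked, the look-alike notmalware-c2.example is allowed, and the three blocks collapse to two alerts (10.0.3.4 for malware-c2.example, counted twice, and 10.0.3.6 for phish.example.net). In production the same check would be fed from a threat feed such as the Talos data on page 3, and a blocked answer would typically point at a sinkhole so the client's follow-up connection is captured rather than simply failing.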

Page 25:

Address the Entire Attack Continuum

Network, Endpoint, Mobile, Virtual, Cloud

Network as a Sensor; Network as an Enforcer

• Before: Discover, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate

Only Cisco can enhance threat visibility and minimize the time needed to contain threats, with unmatched scalability, flexibility and operational efficiency.

Page 26:

Page 27: