Simple and Effective Security - Cisco

Transcript of Simple and Effective Security - Cisco

Page 1:

Oct 2018

Simple and Effective Security

Minh Trinh Ph.D, CISSP

CyberSecurity Specialist, GSSO

[email protected]

Page 2:

Questions that need answers

• Using cloud services is very cost-effective, but what information security risks does the business take on?

• Phishing is becoming more and more common; besides awareness training, what technical measures help users avoid the traps?

• How do we defend against ransomware?

• If a business does not have enough IT staff, how does it ensure information security?

Page 3:

(diagram) Branch office, HQ, Airport

Page 4:

(diagram) Productivity

Page 5:

(diagram) Productivity, File share

Page 6:

(diagram) Productivity, File share, CRM

Page 7:

(diagram) Productivity, File share, CRM, Connected Apps; access decisions: Deny / Allow access

Page 8:

Page 9:

How Is The Risk Different In The New World

• Users not protected by traditional security stack

• Gaps in visibility and coverage

• Expose sensitive info (inadvertently or maliciously)

• Users can install and use risky apps on their own

Page 10:

The way we work has changed, security must too

49% of the workforce are mobile

82% admit to not using the VPN

70% increase in SaaS usage

70% of branch offices have DIA

25% of corporate data bypass perimeter security

Page 11:

Cloud shared responsibility – SaaS/PaaS/IaaS

Stack layers, shown side by side for Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and SaaS: People, Data, Applications, Runtime, Middleware, Operating system, Virtual network, Hypervisor, Servers, Storage, Physical network

Legend: CSR responsibility / Customer responsibility (the boundary between the two for each service model is shown only graphically on the slide)

Page 12:

Security Weaknesses of Native Cloud Service Providers

Single Platform Only

Solves Fewer Problems

Lack of Security Expertise & Focus

Upcharge

No Incident Management

Weak Remediation Capabilities

Page 13:

Key questions for Cloud Usage

Users/Accounts: Who is doing what in my cloud applications? How do I detect account compromises? Are malicious insiders extracting information?

Data: Do I have toxic and regulated data in the cloud? Do I have data that is being shared inappropriately? How do I detect policy violations?

Applications: How can I monitor app usage and risk? Do I have any 3rd party connected apps? How do I revoke risky apps?

Page 14:

Keys to the kingdom: third-party apps

Let’s start with an example

Page 15:

Personalizing the attack

(mock login form) [email protected] / ******

Page 16:

OAuth-connected apps have extensive access to corporate environments

Page 17:

The attackers gained a persistent connection to the victim’s identity

Cloudlock CyberLab estimates:

Approximately 300,000 corporations have been infected

On average 0.65% of employees got infected per organization within the first 2 hrs.

May 3rd 2017, Google OAuth Attack Aftermath

Page 18:

Simple & Effective Cloud Security

Secure Usage of Cloud Services: CloudLock / Stealthwatch Cloud

Secure Access to Internet: Umbrella / AMP for Endpoints

(diagram) Branch office, HQ, Roaming

Page 19:

Cisco Cloudlock addresses customers’ most critical cloud security use cases

Discover and Control

User and Entity Behavior Analytics

Cloud Data Loss Prevention (DLP)

Apps Firewall

Cloud Malware

Shadow IT/OAuth Discovery and Control

Data Exposures and Leakages

Privacy and Compliance Violations

Compromised Accounts

Insider Threats

Page 20:

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

(diagram) Stealthwatch Cloud: SWC SaaS Portal; Multi-Cloud; Hybrid-Cloud

Page 21:

How Cisco Security helps

Attack chain:

1. Victim opens email and clicks link

2. Victim redirected to attacker’s domain

3. Victim grants access to their account (consent screen: “Google Docs would like to: Read, send, delete, manage your email; Manage your contacts”, with Allow / Deny buttons)

4. Attacker gains access to OAuth token

5. Attacker has persistent access to the victims’ account

Where Cisco products intervene:

Email Security blocks malicious emails

Umbrella blocks user redirect to malicious domain. Attacker never receives OAuth token if blocked here.

Umbrella Investigate used to research attacker’s infrastructure

Cloudlock revokes OAuth token
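The chain above turns on a single consent grant to a third-party app, so the detection and remediation side (Page 13's questions about 3rd-party connected apps and revoking risky ones, and the Cloudlock revoke step here) can be shown in code. The following is an added example, not Cisco's or Cloudlock's code: it audits constructed OAuth grant records, scores each grant by scope sensitivity, publisher verification and whether the display name impersonates a first-party app, and flags apps that spread across many users within two hours. The scope names, the first-party name table and every grant record are assumed, simplified values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed, simplified scope names standing in for the consent screen's
# "read, send, delete, manage your email" and "manage your contacts".
SENSITIVE_SCOPES = {"mail.readwrite": 3, "contacts.manage": 2, "drive.readonly": 1}
# Assumed table: first-party display names and the only publisher allowed to use them.
FIRST_PARTY = {"google docs": "google", "google drive": "google"}

@dataclass(frozen=True)
class Grant:
    user: str
    app_name: str       # display name shown on the consent screen
    publisher: str      # who registered the OAuth client
    verified: bool      # publisher verified by the platform
    scopes: tuple
    granted_at: datetime

def grant_risk(g):
    """Score one grant; returns (score, reasons)."""
    score, reasons = 0, []
    for s in g.scopes:
        if s in SENSITIVE_SCOPES:
            score += SENSITIVE_SCOPES[s]
            reasons.append(f"sensitive scope {s}")
    owner = FIRST_PARTY.get(g.app_name.lower())
    if owner and g.publisher.lower() != owner:
        score += 5  # the "Google Docs" lure: first-party name, third-party publisher
        reasons.append("display name impersonates a first-party app")
    if not g.verified and score:
        score += 2
        reasons.append("unverified publisher with sensitive access")
    return score, reasons

def action_for(score):
    return "revoke" if score >= 5 else "review" if score >= 2 else "ok"

def audit(grants):
    """Per-grant findings as (user, app, score, action)."""
    scored = [(g, grant_risk(g)[0]) for g in grants]
    return [(g.user, g.app_name, s, action_for(s)) for g, s in scored]

def rapid_spread(grants, window=timedelta(hours=2), min_users=3):
    """Apps granted by >= min_users distinct users inside any window (worm-like spread)."""
    by_app = defaultdict(list)
    for g in grants:
        by_app[g.app_name].append(g)
    flagged = {}
    for app, gs in by_app.items():
        gs.sort(key=lambda x: x.granted_at)
        peak = 0
        for i, first in enumerate(gs):
            users = {x.user for x in gs[i:] if x.granted_at - first.granted_at <= window}
            peak = max(peak, len(users))
        if peak >= min_users:
            flagged[app] = peak
    return flagged

# Constructed sample: a lure named "Google Docs" spreading across four users in 40 minutes.
T0 = datetime(2017, 5, 3, 14, 0)
LURE = ("Google Docs", "unknown-dev", False, ("mail.readwrite", "contacts.manage"))
SAMPLE_GRANTS = [
    Grant("alice", *LURE, T0),
    Grant("bob", *LURE, T0 + timedelta(minutes=12)),
    Grant("carol", *LURE, T0 + timedelta(minutes=25)),
    Grant("dave", *LURE, T0 + timedelta(minutes=40)),
    Grant("erin", "Google Drive", "google", True, ("drive.readonly",), T0 - timedelta(days=30)),
    Grant("frank", "Acme CRM Sync", "acme", True, ("contacts.manage",), T0 - timedelta(days=3)),
]
```

Running `audit(SAMPLE_GRANTS)` marks the four "Google Docs" grants for revocation and `rapid_spread(SAMPLE_GRANTS)` reports that app as reaching four users inside the two-hour window.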

Page 22:

Stopping Attacks Before They Happen

Page 23:

Best Defenses: DNS

Page 24:

Introducing Umbrella – Simple & Effective DNS Security

Overview

Authoritative DNS: owns and publishes the “phone books”

Domain registrar: maps and records names to #s in “phone books”

Recursive DNS: looks up and remembers the #s for each name

Page 25:

Our view of the internet

140B requests per day

15K enterprise customers

100M daily active users

160+ countries worldwide

INTELLIGENCE

Page 26:

Our efficacy

Discover: 3M+ daily new domain names

Identify: 60K+ daily malicious destinations

Enforce: 7M+ malicious destinations while resolving DNS

INTELLIGENCE

Page 27:

Ransomware example

Page 28:

Ransomware: mapping attacker infrastructure

(timeline) Umbrella: AUG 17; SEP 12 (-26 DAYS); LOCKY: *.7asel7[.]top

Pivots (each shown as ? on the slide): Domain → IP Association; IP → Sample Association; IP → Network Association; IP → Domain Association; WHOIS Association; Network → IP Association

Page 29:

(pivot graph) *.7asel7[.]top (LOCKY)

Domain → IP Association: 91.223.89.201, 185.101.218.206

IP → Network Association: AS 197569

IP → Sample Association: 600+ Threat Grid files, SHA256: 0c9c328eb66672ef1b84475258b4999d6df008

IP → Domain Association: 1,000+ DGA domains, e.g. ccerberhhyed5frqa[.]8211fr[.]top (CERBER)

Page 30:

(timeline) Umbrella: JUL 14 (-7 DAYS), JUL 18; DOMAIN REGISTERED: JUL 21, JUL 22 (-4 DAYS); AUG 21 (-26 DAYS)

jbrktqnxklmuf[.]info (LOCKY, DGA); mhrbuvcvhjakbisd[.]xyz (LOCKY, DGA)

Network → Domain Association

Threat detected same day domain was registered.

Threat detected before domain was registered.

Page 31:

C97-740389-00 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential

Intelligence: ‘Live DGA Prediction’ automated at an unparalleled scale

Automate reverse engineering: combine C2 domain pairs (a.com, b.com) and known DGA to identify unknown configs (Configs + DGA)

Predict 100,000s of future domains: combine newly-identified configs with DGA to identify C2 domains continuously (b.com → c.com, d.com, …)

Live DNS log stream: identify millions of domains, many used by DGAs and unregistered (a1.com, a2.com, b1.com, c2.com)

Automate blocking pool of C2 domains used by thousands of malicious samples now and in the future (the slide lists ten example DGA-style domains)
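To make the config-recovery and prediction steps on this slide concrete, the following is an added example and not Cisco's code: it uses a toy LCG-based DGA (assumed, not any real family's algorithm) whose config is a seed and a TLD, brute-forces the seed from an observed pair of C2 domains, expands the recovered config into a block pool of future domains, and matches constructed DNS log lines, including NXDOMAIN answers for domains not yet registered, against that pool. The seed space is kept small (12 bits) so the search runs in about a second.

```python
import re

def toy_dga(seed, tld, count, length=12):
    """Toy DGA (assumed, not a real family's): an LCG seeded by the config.
    The config is (seed, tld); each domain is `length` letters from the stream."""
    state, domains = seed, []
    for _ in range(count):
        name = ""
        for _ in range(length):
            state = (state * 1103515245 + 12345) & 0xFFFFFFFF
            name += chr(ord("a") + (state >> 16) % 26)
        domains.append(f"{name}.{tld}")
    return domains

def recover_configs(observed, tld, count=16, seed_bits=12):
    """'C2 domain pairs + known DGA -> unknown config': brute-force the (toy-sized)
    seed space for configs whose first `count` domains contain every observed one."""
    observed = {d.lower() for d in observed}
    return [s for s in range(1 << seed_bits) if observed <= set(toy_dga(s, tld, count))]

def predict_pool(seeds, tld, count=64):
    """'Config + DGA -> future C2 domains': expand each recovered config into a block pool."""
    pool = set()
    for s in seeds:
        pool.update(toy_dga(s, tld, count))
    return pool

LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")

def match_dns_log(lines, pool):
    """'Live DNS log stream': return (client, qname, rcode) for queries hitting the pool.
    NXDOMAIN answers matter too: a DGA domain may be queried before it is registered."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m["qname"].lower().rstrip(".") in pool:
            hits.append((m["client"], m["qname"], m["rcode"]))
    return hits

# Constructed scenario: the true config is unknown to the analyst; only two C2
# domains pulled from a sample (OBSERVED_PAIR) and the DGA algorithm are known.
TRUE_SEED, TLD = 0x5A7, "top"
OBSERVED_PAIR = toy_dga(TRUE_SEED, TLD, 16)[3:5]
SEEDS = recover_configs(OBSERVED_PAIR, TLD)
POOL = predict_pool(SEEDS, TLD)
FUTURE = toy_dga(TRUE_SEED, TLD, 64)[40]   # a domain the sample has not used yet
SAMPLE_LOG = [                              # constructed "client qname rcode" lines
    f"10.1.2.3 {FUTURE} NXDOMAIN",
    "10.1.2.3 www.example.com NOERROR",
    f"10.1.9.9 {OBSERVED_PAIR[0]} NOERROR",
]

if __name__ == "__main__":
    print("recovered seeds:", SEEDS, "pool size:", len(POOL))
    for hit in match_dns_log(SAMPLE_LOG, POOL):
        print("block:", hit)
```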

Page 32:

WHY? Top Use Cases Using Umbrella

OFF-NETWORK SECURITY: 50% of PCs are already mobile (1)

DIRECT-TO-NET OFFICES / GUEST WIFI: 70% of offices already go direct (2)

PROACTIVE AND PREDICTIVE SECURITY: 70-90% of malware is unique to each org (3)

IMPROVED INCIDENT RESPONSE: Only 4% of alerts are investigated per week

SIMPLIFIED SECURITY & VISIBILITY: Mean time-to-contain threats 26-39 hours (4)

Sources: (1) Gartner, (2) Forrester, (3) Verizon,

Page 33:

Enterprise-wide deployment in minutes

DEPLOYMENT

Network footprint: existing DNS/DHCP servers, Wi-Fi APs; simple config change to redirect DNS. Out-of-the-box integration: ISR4K (today), WLC (today), Meraki MR (future), vEdge (future). Provisioning and policies per VLAN/SSID; tags for granular filtering and reporting (Umbrella virtual appliance also available)

Endpoint footprint: AnyConnect roaming module, Cisco Security Connector; granular filtering and reporting on- & off-network (Umbrella roaming client also available)

Page 34:

Protecting Your Endpoints

Page 35:

Continuous protection when advanced malware evades point-in-time detection

(diagram) Typically updates 2 times a day; typically once a week, older machines once a month or never; can take hrs / days to complete a full scan

Page 36:

Continuous protection when advanced malware evades point-in-time detection

Page 37:

In Memory: Exploit Prevention, System Process Protection

On Disk: AMP Cloud, Malicious Activity Protection, Anti Virus, Custom Detections

Post-Infection: Device Flow Correlation, Machine Learning, Server Side IOC, Client Side IOC

Page 38:

Permanent Innovation makes Prevention a Non Ending Game

BRKSEC-2139

1. Cyber Criminal Organizations are like IT companies

2. Security companies innovate Every Day to Protect you Better

3. Cyber Criminals innovate Every Day to Breach you Better

Page 39:

Page 40:

(diagram) File names, Internal Targets, Associated Files, File Paths, Global Intelligence, Local Sightings

Page 41:

Why Cisco?

Page 42:

Intelligence to see attacks before launched

Data: Cisco Talos feed of malicious domains; Cisco Threat Grid file-based intelligence (1.5M+ daily samples); Umbrella DNS data — 125B requests per day

Security researchers: industry renowned researchers build models that can automatically classify and score domains and IPs

Models: dozens of models continuously analyze millions of live events per second; automatically uncover malware, ransomware, and other threats

Page 43:

Why Cisco - Efficacy

250+ Full Time Threat Intel Researchers

MILLIONS Of Telemetry Agents

4 Global Data Centers

1100+ Threat Traps

100+ Threat Intelligence Partners

THREAT INTEL Per Day: 1.5 MILLION Daily Malware Samples; 600 BILLION Daily Email Messages, 86% SPAM; 16 BILLION Daily Web Requests; 20 BILLION Threats Blocked

Honeypots; Open Source Communities; Vulnerability Discovery (Internal); Product Telemetry; Internet-Wide Scanning

INTEL SHARING: Customer Data Sharing Programs; Service Provider Coordination Program; Open Source Intel Sharing; 3rd Party Programs (MAPP); Industry Sharing Partnerships (ISACs); 500+ Participants

*Google : 3.5B searches/day

Page 44:

Unique malware samples daily

Page 45:

URLs processed daily

Page 46:

DNS entries processed daily

Page 47:

Threats blocked daily

Page 48:

Question 1:

1. The risks of using public cloud services are:

a. Not having enough information about end users’ activities in the cloud

b. Not knowing whether the information placed in the cloud is being used properly

c. Not knowing which applications can access the data and whether they have too many permissions

d. All of the above risks

Page 49:

Question 2:

2. When I receive a link via social media or email, what should I do? (choose the best answer)

a. Delete the link and do not use it

b. Click the link and decide whether to continue based on the content that comes back

c. Check the trustworthiness of the sender. If the sender is trustworthy and I have Umbrella installed, use the link.

d. Check the trustworthiness of the sender and, if the sender is trustworthy, use the link

Page 50:

Question 3:

3. What are the main features of Cisco Advanced Malware Protection (AMP)?

a. Replaces anti-virus in detecting and preventing malware from infecting the computer’s memory and hard disk,

b. Can retrospectively trace malware that slipped past the detection system in the past in order to eliminate it today,

c. Provides a connection to Cisco Threat Response so that users and IT staff can investigate suspicious URLs or files,

d. All of the above features.

Page 51:

Summary

Page 52:

Where Do You Enforce Security?

(diagram) Threat sources: INTERNET, MALWARE, C2/BOTNETS, PHISHING. Enforcement layers: FIRST LAYER, MID LAYER, LAST LAYER. Enforcement points: Perimeter (ROUTER/UTM, SANDBOX, PROXY, NGFW, NETFLOW), Endpoint (AV, AMP), Public / Private Cloud (Data At Rest, Intra Cloud Traffic, AMP)

CHALLENGES

Too Many Alerts via Appliances & AV

Wait Until Payloads Reach Target

Too Much Time to Deploy Everywhere

BENEFITS

Alerts Reduced 2-10x; Improves Your SIEM

Traffic & Payloads Never Reach Target

Contain Malware if already inside

Internet is faster not slower

Page 53:

The AMP Everywhere Architecture: AMP Protection Across the Extended Network for an Integrated Threat Defense

AMP Threat Intelligence Cloud

AMP for Endpoints: Windows OS, Android, iOS Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for servers and datacenters; Remote Endpoints; AMP for Endpoints can be launched from Cisco AnyConnect®

AMP on Web and Email Security Appliances

AMP on Cisco® ASA Firewall with FirePOWER™ Services

AMP Private Cloud Virtual Appliance

AMP on FirePOWER NGIPS Appliance (AMP for Networks)

AMP on Cloud Web Security and Hosted Email (CWS/CTA)

Threat Grid: Malware Analysis + Threat Intelligence Engine

AMP on ISR with FirePOWER Services

AMP on Meraki® MX

Page 54: