Transcript of: Simple and Effective Security - Cisco
Oct 2018
Simple and Effective Security
Minh Trinh Ph.D, CISSP
CyberSecurity Specialist, GSSO
Questions that need answers
• Using cloud services is very cost-effective, but what information-security risks does the business take on?
• Phishing is becoming more and more common; besides awareness training, what technical measures help users avoid the trap?
• How can ransomware be stopped?
• If the business does not have enough IT staff, how can it still ensure information security?
[Diagram: users at the branch office, HQ and an airport reaching productivity apps, file shares, CRM and connected apps; each access is either allowed or denied]
How Is The Risk Different In The New World
• Users not protected by the traditional security stack
• Gaps in visibility and coverage
• Sensitive info exposed (inadvertently or maliciously)
• Users can install and use risky apps on their own
The way we work has changed, security must too
• 49% of the workforce are mobile
• 82% admit to not using the VPN
• 70% increase in SaaS usage
• 70% of branch offices have DIA (direct Internet access)
• 25% of corporate data bypass perimeter security
Cloud shared responsibility – SaaS/PaaS/IaaS
The stack, top to bottom: People, Data, Applications, Runtime, Middleware, Operating system, Virtual network, Hypervisor, Servers, Storage, Physical network. The slide shows the same stack for IaaS, PaaS and SaaS, with each layer marked either customer responsibility or CSP (cloud service provider) responsibility. In the standard model shown:
• IaaS: the customer is responsible for the operating system and everything above it (people, data, applications, runtime, middleware, OS and virtual network configuration); the CSP is responsible for the hypervisor, servers, storage and physical network.
• PaaS: the customer is responsible for people, data and applications; the CSP for the runtime and everything below.
• SaaS: the customer remains responsible for people and data (and for how the application is configured and used); the CSP for everything else.
Security Weaknesses of Native Cloud Service Providers
• Single platform only
• Solves fewer problems
• Lack of security expertise & focus
• Upcharge
• No incident management
• Weak remediation capabilities
Key questions for Cloud Usage
Users/Accounts
• Who is doing what in my cloud applications?
• How do I detect account compromises?
• Are malicious insiders extracting information?
Data
• Do I have toxic and regulated data in the cloud?
• Do I have data that is being shared inappropriately?
• How do I detect policy violations?
Applications
• How can I monitor app usage and risk?
• Do I have any 3rd party connected apps?
• How do I revoke risky apps?
Keys to the kingdom: third-party apps
Let's start with an example: May 3rd 2017, Google OAuth Attack Aftermath
OAuth-connected apps have extensive access to corporate environments. In this attack the attackers gained a persistent connection to the victim's identity: the OAuth token they obtained kept working regardless of the user's password.
Cloudlock CyberLab estimates:
• Approximately 300,000 corporations were infected
• On average 0.65% of employees per organization got infected within the first 2 hrs.
Simple & Effective Cloud Security
• Cloudlock / Stealthwatch Cloud: secure usage of cloud services
• Umbrella / AMP for Endpoints: secure access to the Internet (branch office, HQ, roaming users)
Cisco Cloudlock addresses customers' most critical cloud security use cases
Capabilities: Discover and Control; User and Entity Behavior Analytics; Cloud Data Loss Prevention (DLP); Apps Firewall; Cloud Malware
Use cases: Shadow IT / OAuth discovery and control; Data exposures and leakages; Privacy and compliance violations; Compromised accounts; Insider threats
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Stealthwatch Cloud (SWC SaaS portal): visibility for multi-cloud and hybrid-cloud environments
How Cisco Security helps
The attack chain from the May 2017 OAuth attack, with the point where each product intervenes:
1. Victim opens the email and clicks the link. (Email security blocks malicious emails.)
2. Victim is redirected to the attacker's domain. (Umbrella blocks the user's redirect to the malicious domain; the attacker never receives the OAuth token if blocked here.)
3. Victim grants access to their account on a consent screen reading: "Google Docs would like to: Read, send, delete, manage your email; Manage your contacts" [Allow] [Deny].
4. Attacker gains access to the OAuth token.
5. Attacker has persistent access to the victim's account. (Cloudlock revokes the OAuth token.)
Umbrella Investigate is used to research the attacker's infrastructure.
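The consent screen in step 3 is what an admin has to find after the fact: which third-party apps hold which scopes, for how many users. The script below is an added example and is not Cisco Cloudlock code. It triages a constructed export of OAuth grants (a stand-in for what a SaaS admin console returns; the app names and client IDs are made up, the scope strings are Google's published scope URIs) and decides which apps to revoke. The thresholds are assumptions for this sample.

```python
"""Triage of third-party OAuth grants, to spot a consent-phishing worm such
as the May 2017 "Google Docs" app.  Added example, not Cloudlock code; the
grant records are constructed, scope URIs are Google's real ones."""
from collections import defaultdict

# Scopes whose holder can read, send or delete mail, or walk the address
# book to find the next victims: what the 2017 app asked for.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full mailbox access (read, send, delete, manage)",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail",
    "https://www.googleapis.com/auth/contacts": "manage contacts",
}
MEDIUM_RISK_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly": "read mail",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}
# Display names a malicious app chooses so the consent screen looks first-party.
IMPERSONATION_KEYWORDS = ("google docs", "google drive", "gmail", "microsoft", "office 365")


def score_grant(app_name, scopes):
    """Risk score and reasons for a single user's grant to one app."""
    score, reasons = 0, []
    for scope in scopes:
        if scope in HIGH_RISK_SCOPES:
            score += 3
            reasons.append(HIGH_RISK_SCOPES[scope])
        elif scope in MEDIUM_RISK_SCOPES:
            score += 1
            reasons.append(MEDIUM_RISK_SCOPES[scope])
    if any(k in app_name.lower() for k in IMPERSONATION_KEYWORDS):
        score += 3
        reasons.append("display name impersonates a first-party product")
    return score, reasons


def triage(grants, revoke_threshold=5, spread_threshold=3):
    """Aggregate grants per client_id and decide revoke/review, worst first.

    Each grant is a dict with user, app_name, client_id, scopes.  An app that
    several users authorised is weighted up: a burst of identical grants across
    the org is the signature of a consent-phishing worm, not of a normal rollout.
    """
    by_app = defaultdict(lambda: {"name": "", "users": set(), "score": 0, "reasons": set()})
    for g in grants:
        score, reasons = score_grant(g["app_name"], g["scopes"])
        rec = by_app[g["client_id"]]
        rec["name"] = g["app_name"]
        rec["users"].add(g["user"])
        rec["score"] = max(rec["score"], score)
        rec["reasons"].update(reasons)
    verdicts = []
    for client_id, rec in by_app.items():
        total = rec["score"] + (2 if len(rec["users"]) >= spread_threshold else 0)
        verdicts.append({
            "client_id": client_id,
            "app_name": rec["name"],
            "users": sorted(rec["users"]),
            "score": total,
            "reasons": sorted(rec["reasons"]),
            "action": "revoke" if total >= revoke_threshold else "review",
        })
    return sorted(verdicts, key=lambda v: -v["score"])


def revocation_list(verdicts):
    """(user, client_id) pairs whose tokens should be revoked."""
    return [(u, v["client_id"]) for v in verdicts if v["action"] == "revoke" for u in v["users"]]


# Constructed export: three users authorised the same look-alike app within
# minutes; one user has a legitimate read-only integration.
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "app_name": "Google Docs", "client_id": "client-fake-001",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "bob@example.com", "app_name": "Google Docs", "client_id": "client-fake-001",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "carol@example.com", "app_name": "Google Docs", "client_id": "client-fake-001",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "dave@example.com", "app_name": "Acme Calendar Sync", "client_id": "client-fake-002",
     "scopes": ["https://www.googleapis.com/auth/contacts.readonly"]},
]

if __name__ == "__main__":
    for v in triage(SAMPLE_GRANTS):
        print(v["action"].upper(), v["app_name"], v["score"], "; ".join(v["reasons"]))
    print(revocation_list(triage(SAMPLE_GRANTS)))
```

Revoking the token is the only fix that works here: changing the user's password does not invalidate an OAuth grant, which is exactly why step 5 above is "persistent".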
Stopping attacks before they happen
• Best defense: DNS, because the lookup happens before any connection is made
Introducing Umbrella – Simple & Effective DNS Security
Overview
• Authoritative DNS: owns and publishes the "phone books"
• Domain registrar: maps and records names to numbers in the "phone books"
• Recursive DNS: looks up and remembers the numbers for each name
Our view of the internet (INTELLIGENCE)
• 140B requests per day
• 15K enterprise customers
• 100M daily active users
• 160+ countries worldwide
Our efficacy
• Discover: 3M+ daily new domain names
• Identify: 60K+ daily malicious destinations
• Enforce: 7M+ malicious destinations while resolving DNS
Ransomware example
Ransomware: mapping attacker infrastructure
[Figure: pivot graph starting from the LOCKY domain *.7asel7[.]top, seen by Umbrella on Aug 17, 26 days before the Sep 12 label on the figure]
• Domain → IP association: 91.223.89.201, 185.101.218.206
• IP → Sample association: 600+ Threat Grid files, e.g. SHA256 0c9c328eb66672ef1b84475258b4999d6df008... (truncated on the slide)
• IP → Network association: AS 197569
• IP → Domain association: 1,000+ DGA domains, e.g. ccerberhhyed5frqa[.]8211fr[.]top (CERBER)
• Further pivots shown: WHOIS association, Network → IP association, Network → Domain association
• Further LOCKY DGA domains reached the same way: jbrktqnxklmuf[.]info, mhrbuvcvhjakbisd[.]xyz
Timing labels on the figure: Umbrella Aug 21 (-26 days), Jul 18, Jul 21, Jul 14 (-7 days); DOMAIN REGISTERED Jul 22 (-4 days). Two outcomes are called out: threat detected the same day the domain was registered, and threat detected before the domain was registered.
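The walk in the figure is a breadth-first pivot over association types. Below is an added example, not Umbrella Investigate code, that performs that pivot over a constructed association set: it reuses the indicators printed on the slide, but which of the two IPs hosts which domain, the RFC 5737 test addresses and the "shared hosting" IP are made up for the illustration. It also shows the check a practitioner needs: an address with too many domains behind it is shared infrastructure and must not be pivoted through, or every tenant of a CDN ends up on the blocklist.

```python
"""Breadth-first pivot from one known-bad domain over domain/IP/network/sample
associations.  Added example, not Cisco code; the association records are
constructed around the indicators shown on the slide."""
from collections import defaultdict, deque

# (kind, source, target): one pivot step, using the figure's association types.
ASSOCIATIONS = [
    ("domain->ip", "7asel7.top", "91.223.89.201"),
    ("domain->ip", "7asel7.top", "185.101.218.206"),
    ("ip->network", "91.223.89.201", "AS197569"),
    ("ip->network", "185.101.218.206", "AS197569"),
    ("ip->sample", "185.101.218.206", "sha256:0c9c328eb66672ef1b84475258b4999d6df008..."),
    ("ip->domain", "91.223.89.201", "ccerberhhyed5frqa.8211fr.top"),
    ("ip->domain", "91.223.89.201", "jbrktqnxklmuf.info"),
    ("network->ip", "AS197569", "203.0.113.7"),          # constructed, RFC 5737 range
    ("ip->domain", "203.0.113.7", "mhrbuvcvhjakbisd.xyz"),
    ("network->ip", "AS197569", "198.51.100.9"),         # constructed shared-hosting IP
] + [("ip->domain", "198.51.100.9", f"tenant{i}.example") for i in range(6)]


def pivot(seed, associations=ASSOCIATIONS, max_hops=4, max_fanout=5):
    """Expand outward from `seed` for at most `max_hops` steps.

    Returns (related, shared).  `related` maps each reached indicator to
    (hops, edge_kind, path).  `shared` lists IPs whose ip->domain fan-out
    exceeded `max_fanout`; their domain edges are not followed, because a
    shared-hosting or CDN address would drag unrelated tenants into the result.
    """
    out = defaultdict(list)
    for kind, src, dst in associations:
        out[src].append((kind, dst))
    reached = {seed: (0, "seed", [seed])}
    shared = []
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        hops, _, path = reached[node]
        if hops >= max_hops:
            continue
        edges = out.get(node, [])
        if sum(1 for kind, _ in edges if kind == "ip->domain") > max_fanout:
            shared.append(node)
            edges = [e for e in edges if e[0] != "ip->domain"]
        for kind, nxt in edges:
            if nxt not in reached:
                reached[nxt] = (hops + 1, kind, path + [nxt])
                queue.append(nxt)
    related = {k: v for k, v in reached.items() if k != seed}
    return related, shared


def domains_to_block(related):
    """Domains reached by the pivot, defanged for reports."""
    return sorted(name.replace(".", "[.]")
                  for name, (_, kind, _) in related.items() if kind.endswith("->domain"))


if __name__ == "__main__":
    related, shared = pivot("7asel7.top")
    for name, (hops, kind, path) in sorted(related.items(), key=lambda kv: kv[1][0]):
        print(hops, kind, " -> ".join(path))
    print("shared infrastructure, not expanded:", shared)
    print("block:", domains_to_block(related))
```

Hop count is the confidence knob: a domain two pivots from the seed on a dedicated IP is a strong association; one reached through an AS-level pivot is only a lead until the sample or WHOIS association confirms it.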
C97-740389-00 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential
Intelligence: 'Live DGA Prediction' automated at an unparalleled scale
1. Live DNS log stream: identify millions of domains, many used by DGAs and unregistered (a1.com, a2.com, b1.com, c2.com, ...).
2. Automate reverse engineering: combine C2 domain pairs (a.com, b.com) with a known DGA to identify unknown configs.
3. Predict 100,000s of future domains: combine newly-identified configs with the DGA to identify C2 domains continuously (b.com, c.com, d.com, ...).
4. Automate blocking of the pool of C2 domains used by thousands of malicious samples now and in the future.
Example domains from the pool: fgpxmvlsxpsp[.]me[.]uk, beuvgwyhityq[.]info, gboondmihxgc[.]com, pwbbjkwnkstp[.]com, bggwbijqjckk[.]me, yehjvoowwtdh[.]com, ctwnyxmbreev[.]com, upybsnuuvcye[.]net, quymxcbsjbhh[.]info, vgqoosgpmmur[.]it
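The four steps above fit in one script, given as an added example that is not Cisco's code. `toy_dga` is a deliberately simple illustrative algorithm (a linear congruential generator seeded by config XOR date), not any real malware family; brute-forcing its seed stands in for the reverse-engineering step; the DNS log lines are constructed around the domains printed on the slide, and the lexical thresholds are tuned only for that sample.

```python
"""DGA pipeline: flag DGA-looking names in a DNS log, recover the config from
a pair of observed C2 domains, enumerate what that config will generate next,
and block the pool.  Added example; toy_dga is illustrative, not a real family."""
import math
from collections import Counter
from datetime import date, timedelta


def toy_dga(seed, day, count, tlds=("info", "xyz", "top")):
    """Generate `count` domains for `day` from a 32-bit `seed` (the 'config')."""
    state = seed ^ (day.year * 10000 + day.month * 100 + day.day)
    out = []
    for i in range(count):
        label = ""
        for _ in range(12 + i % 5):
            state = (state * 1664525 + 1013904223) & 0xFFFFFFFF  # LCG step
            label += chr(ord("a") + (state >> 24) % 26)
        out.append(f"{label}.{tlds[state % len(tlds)]}")
    return out


def recover_config(observed, day, per_day, seed_space):
    """Seed that reproduces every observed domain for `day`; brute force here
    stands in for reverse engineering the sample's config."""
    for seed in range(seed_space):
        if set(observed) <= set(toy_dga(seed, day, per_day)):
            return seed
    return None


def predict_pool(seed, start, days, per_day):
    """Every domain the config will generate over the next `days` days."""
    pool = set()
    for d in range(days):
        pool.update(toy_dga(seed, start + timedelta(days=d), per_day))
    return sorted(pool)


def lexical_features(domain):
    """(entropy, vowel ratio, longest consonant run, has digit) of the longest label."""
    label = max(domain.replace("[.]", ".").split("."), key=len).lower()
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    vowels = sum(label.count(v) for v in "aeiou") / n
    run = longest = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in "aeiou" else 0
        longest = max(longest, run)
    return entropy, vowels, longest, any(ch.isdigit() for ch in label)


def dga_like(domain):
    """Two or more of: low vowel ratio, high entropy, long consonant run, digits."""
    entropy, vowels, longest, has_digit = lexical_features(domain)
    return sum([vowels < 0.25, entropy > 3.3, longest >= 5, has_digit]) >= 2


def flag_dns_log(log_text):
    """(client, domain, rcode) for DGA-looking lookups.  NXDOMAIN answers for
    such names are the 'unregistered' signal: the bot is walking the list."""
    hits = []
    for line in log_text.strip().splitlines():
        _, client, domain, rcode = line.split()
        if dga_like(domain):
            hits.append((client, domain, rcode))
    return hits


# Constructed log lines: the slide's domains plus one benign name.
DNS_LOG = """\
2018-07-14T10:02:33Z 10.1.4.22 jbrktqnxklmuf.info NXDOMAIN
2018-07-14T10:02:34Z 10.1.4.22 mhrbuvcvhjakbisd.xyz NXDOMAIN
2018-07-14T10:02:35Z 10.1.4.22 salesforce.com NOERROR
2018-07-14T10:03:01Z 10.1.4.22 ccerberhhyed5frqa.8211fr.top NOERROR
2018-07-14T10:03:02Z 10.1.4.22 fgpxmvlsxpsp.me.uk NXDOMAIN
"""
SAMPLE_DAY = date(2018, 7, 14)

if __name__ == "__main__":
    print("flagged:", flag_dns_log(DNS_LOG))
    observed = toy_dga(42, SAMPLE_DAY, 5)[:2]          # two C2 domains seen in the wild
    seed = recover_config(observed, SAMPLE_DAY, 5, 1000)
    print("recovered config:", seed)
    print("pre-block pool:", predict_pool(seed, SAMPLE_DAY, 7, 5))
```

The lexical score is the weak, general detector for families whose algorithm is unknown; once a family's algorithm and config are recovered, enumeration is exact and the pool can be blocked before the domains are registered, which is the "detected before domain was registered" case in the ransomware figure.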
Why? Top use cases for Umbrella
• Off-network security: 50% of PCs are already mobile (1)
• Direct-to-net offices / guest Wi-Fi: 70% of offices already go direct (2)
• Proactive and predictive security: 70-90% of malware is unique to each org (3)
• Improved incident response: only 4% of alerts are investigated per week
• Simplified security & visibility: mean time-to-contain threats 26-39 hours (4)
Sources: (1) Gartner, (2) Forrester, (3) Verizon,
Enterprise-wide deployment in minutes
Network footprint
• Existing DNS/DHCP servers, Wi-Fi APs: simple config change to redirect DNS
• ISR4K (today), WLC (today), Meraki MR (future), vEdge (future): out-of-the-box integration; provisioning and policies per VLAN/SSID; tags for granular filtering and reporting (Umbrella virtual appliance also available)
Endpoint footprint
• AnyConnect roaming module, Cisco Security Connector: granular filtering and reporting on- and off-network (Umbrella roaming client also available)
Protecting Your Endpoints
Continuous protection when advanced malware evades point-in-time detection
Limits of point-in-time detection: signatures typically update 2 times a day; a full scan typically runs once a week, on older machines once a month or never, and can take hours or days to complete.
AMP for Endpoints engines
• In memory: Exploit Prevention, System Process Protection
• On disk: AMP Cloud, Malicious Activity Protection, Anti-Virus, Custom Detections
• Post-infection: Device Flow Correlation, Machine Learning, Server Side IOC, Client Side IOC
Permanent innovation makes prevention a never-ending game (BRKSEC-2139)
1. Cyber criminal organizations are like IT companies
2. Security companies innovate every day to protect you better
3. Cyber criminals innovate every day to breach you better
[Diagram: retrospective analysis correlates file names, file paths, associated files, internal targets, global intelligence and local sightings]
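What the diagram correlates is easier to see in code. The following is an added example, not Cisco AMP code: a file-sighting trajectory in which every execution is recorded with the verdict available at the time, and a later "malicious" verdict re-judges the past, returning the hosts (internal targets), names, paths and dropped files (associated files) for the hash. The hashes are short constructed labels, not real SHA-256 values, and the sightings are made up.

```python
"""Retrospective detection over a file-sighting trajectory.  Added example,
not AMP code; hashes are constructed labels and sightings are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Sighting:
    ts: str                        # ISO-8601 time the file was seen on the host
    host: str                      # internal target
    sha256: str                    # file hash (constructed label here)
    path: str                      # file path on the host
    parent: Optional[str] = None   # hash of the file/process that created it


class Trajectory:
    """Append-only record of sightings plus the current cloud verdicts."""

    def __init__(self):
        self.sightings = []
        self.verdicts = {}  # sha256 -> "clean" | "malicious"

    def record(self, sighting):
        """Point-in-time decision: only a hash already known bad is blocked."""
        self.sightings.append(sighting)
        return self.verdicts.get(sighting.sha256, "unknown")

    def update_verdict(self, sha256, verdict):
        """Cloud verdict change.  A new 'malicious' verdict returns the
        retrospective hit set so every past sighting can be remediated."""
        self.verdicts[sha256] = verdict
        return self.retrospective_hits(sha256) if verdict == "malicious" else None

    def retrospective_hits(self, sha256):
        """Where a now-malicious hash was seen, under what names, and what it dropped."""
        direct = [s for s in self.sightings if s.sha256 == sha256]
        associated = self._descendants(sha256)
        return {
            "first_seen": min(s.ts for s in direct) if direct else None,
            "hosts": sorted({s.host for s in direct}),
            "paths": sorted({s.path for s in direct}),
            "associated_files": sorted(associated),
            "hosts_with_associated": sorted({s.host for s in self.sightings
                                             if s.sha256 in associated}),
        }

    def _descendants(self, sha256):
        """Transitive closure over parent links (dropper -> payload -> ...)."""
        found, frontier = set(), {sha256}
        while frontier:
            children = {s.sha256 for s in self.sightings if s.parent in frontier} - found
            found |= children
            frontier = children
        return found


def demo():
    """Constructed scenario: an unknown downloader runs on two hosts and drops a
    DLL on one; a day later the cloud verdict for the downloader flips."""
    t = Trajectory()
    first = [
        t.record(Sighting("2018-10-01T08:00:00Z", "ws-01", "h_invoice", "C:\\Users\\a\\Downloads\\invoice.exe")),
        t.record(Sighting("2018-10-01T08:00:05Z", "ws-01", "h_payload", "C:\\Users\\a\\AppData\\svc.dll", parent="h_invoice")),
        t.record(Sighting("2018-10-02T09:10:00Z", "ws-07", "h_invoice", "C:\\Temp\\doc.scr")),
    ]
    hits = t.update_verdict("h_invoice", "malicious")
    return first, hits


if __name__ == "__main__":
    first, hits = demo()
    print("verdicts at time of sighting:", first)
    print("retrospective hits:", hits)
```

The point the slide makes is the third line of the demo: at the time the file ran, every verdict was "unknown" and a signature scanner would have let it pass; the value of the trajectory is that the verdict change finds ws-07 and the dropped DLL without a rescan.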
Why Cisco?
Intelligence to see attacks before they are launched
Data
• Cisco Talos feed of malicious domains
• Cisco Threat Grid file-based intelligence (1.5M+ daily samples)
• Umbrella DNS data: 125B requests per day
Security researchers
• Industry-renowned researchers build models that automatically classify and score domains and IPs
Models
• Dozens of models continuously analyze millions of live events per second
• Automatically uncover malware, ransomware and other threats
Talos by the numbers
• 250+ full-time threat intel researchers
• Millions of telemetry agents
• 4 global data centers
• 1100+ threat traps
• 100+ threat intelligence partners
Threat intel per day
• 1.5 million daily malware samples
• 600 billion daily email messages, 86% spam
• 16 billion daily web requests
• 20 billion threats blocked
Sources: honeypots, open source communities, vulnerability discovery (internal), product telemetry, internet-wide scanning
Why Cisco – Efficacy
Intel sharing
• Customer data sharing programs
• Service provider coordination program
• Open source intel sharing
• 3rd party programs (MAPP)
• Industry sharing partnerships (ISACs)
• 500+ participants
*Google : 3.5B searches/day
Question 1:
1. The risks of using a public cloud service are:
a. Not having enough information about end users' activity in the cloud
b. Not knowing whether the information placed in the cloud is being used correctly
c. Not knowing which applications can access the data and whether they have too many permissions
d. All of the above risks
Question 2:
2. When I receive a link via social media or email, what should I do? (choose the best answer)
a. Delete the link and never use it
b. Click the link and decide whether to continue based on the content that comes back
c. Check the sender's trustworthiness. If the sender is trustworthy and I have Umbrella installed, use the link.
d. Check the sender's trustworthiness and, if the sender is trustworthy, use the link
Question 3:
3. What are the main features of Cisco Advanced Malware Protection (AMP)?
a. Replaces antivirus in detecting and preventing malware from infecting the computer's memory and hard disk
b. Can trace back malware that slipped past the detection system in the past and eliminate it today
c. Provides a connection to Cisco Threat Response so users and IT staff can investigate suspicious URLs or files
d. All of the above features
Summary
Where Do You Enforce Security?
[Diagram: threats from the Internet (malware, C2/botnets, phishing) meet a first layer (DNS), a mid layer at the perimeter (router/UTM, proxy, NGFW, sandbox, NetFlow) and a last layer on the endpoint (AV)]
CHALLENGES
• Too many alerts via appliances & AV
• Waiting until payloads reach the target
• Too much time to deploy everywhere
BENEFITS
• Alerts reduced 2-10x; improves your SIEM
• Traffic & payloads never reach the target
• Contain malware if it is already inside
• Internet is faster, not slower
The AMP Everywhere Architecture: AMP protection across the extended network for an integrated threat defense
• AMP Threat Intelligence Cloud, with Threat Grid (malware analysis + threat intelligence engine)
• AMP for Endpoints: Windows OS, Mac OS, Android, iOS mobile, virtual, CentOS and Red Hat Linux for servers and datacenters; remote endpoints can launch AMP for Endpoints from Cisco AnyConnect®
• AMP on Web and Email Security Appliances
• AMP on Cisco® ASA Firewall with FirePOWER™ Services
• AMP on FirePOWER NGIPS Appliance (AMP for Networks)
• AMP on ISR with FirePOWER Services
• AMP on Meraki® MX
• AMP on Cloud Web Security and Hosted (CWS/CTA)
• AMP Private Cloud Virtual Appliance
• Public / private cloud: data at rest and intra-cloud traffic