Malware Mega Threats
- Slide 1
- Malware Mega Threats. 2700 W. Cypress Creek Rd. Suite C110, Fort Lauderdale, FL 33309. Phone 954-832-3601, Fax 954-659-1610. www.greysontech.com
- Slide 2
- www.greysontech.com Who is Greyson Technologies?
- Slide 3
- www.greysontech.com What We Do! Greyson delivers measurable business outcomes by architecting and implementing Unified Communications, Security, Enterprise Networking, Virtualization and Storage solutions in secure, hybrid cloud environments.
- Slide 4
- www.greysontech.com Why Greyson?
  - Named South Florida's Fastest Growing IT Company (Florida's 13th fastest).
  - Simply the Best Engineers: An Expert Team of A+ Players.
  - Local, Certified, Experienced w/ Real World Expertise, Professional.
- Slide 5
- www.greysontech.com Why We Are Here: CIO Roundtable. Security Presents a Major Concern! Survey Data:
  - 57% of respondents expect to experience a security breach within the next year.
  - Attack vectors changing: Silverlight attacks up 228% in Sept. 2014; Phishing and SPAM up 250%.
  - Persistent state of infection: Malware infections 250% in Oct 2014.
  - Only 20% of respondents regularly communicate with management about threats.
  - 1 month: the amount of time survey respondents say it took to investigate, restore service and verify resolution of incidents.
- Slide 6
- 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
- Intelligent Cybersecurity for the Real World. Chris Robb, Advanced Malware Specialist, Cisco Security, chrrobb@cisco.com
- Slide 7
- The World Has Changed: Any Device to Any Cloud (Private Cloud, Public Cloud, Hybrid Cloud).
- Slide 8
- The World Has Changed: The Industrialization of Hacking
  - Viruses (2000): Anti-virus (Host)
  - Worms (2005): IDS/IPS (Network)
  - Spyware & Rootkits (2010): Anti-malware (Host+Network)
  - APTs, Cyberware (Today+): Intelligence and Analytics (Host+Network+Cloud), Enterprise Response
- Slide 9
- In the news: what do these all have in common?
  - Home Depot
  - 25,000 Records of Homeland Security Employees Stolen
  - Over 50 UPS Franchises hit by data breach
  - 4.5M Records stolen from US Health Giant
  - Goodwill
  - Russian Hackers steal 4.5B records
  - MeetMe Social Network Users' Passwords Stolen
  - Insider breach at Las Vegas Brain and Spine Surgery Center
  - Florida bank notifies roughly 72,000 customers of breach
  - Los Angeles based health system breached
  - 60k Tennessee workers impacted by subcontractor breach
  - Payment cards used on Wireless Emporium website compromised
  - Albertsons stores CC data hacked
  - $100,000 bitcoin loss due to hack
  - Microsoft's Twitter Account Hacked
  - Sony's Twitter Account Hacked
  - Russian PM's Twitter hacked: "I resign"
  - NRC Computers hacked 3 times
  - Ferguson police offices' computers hacked
  - Norwegian oil industry under attack
  - Saudi TV website hacked by Libyan
  - Teenager hacked in to Metropolitan Police's computer
  - Sony suffers DOS attack
  - Dairy Queen hacked
  - JP Morgan
- Slide 10
- 2014 Cisco. CONFIDENTIAL. www.ThreatGRID.com
- Customer Success Story: Large Financial Services Firm
  - 12/04/2014: "What has happened at Sony Pictures Entertainment over the past week reads like a blockbuster screenplay, or a chief executive's nightmare: Hackers target a major company, disabling its internal systems and leaking documents revealing long-held secrets, from coming products to executive pay."
  - 12/05/2014: "The Sony data breach continues to get worse. First, it was exposed budgets, layoffs and 3,800 SSNs, then it was passwords. Now, it's way more social security numbers, including Sly Stallone's. The Wall Street Journal reports that analysis of the documents leaked so far included the Social Security numbers of 47,000 current and former Sony Pictures workers. That included Sylvester Stallone, Rebel Wilson, and Anchorman director Judd Apatow. The Journal reports that the SSNs are found alongside salary information, home addresses, and contract details."
  - Version of malware that took out Sony Pictures seen in wild in July: "While the malware that took down computers at Sony Pictures last week was compiled just days before it was triggered, an earlier version of the code used to unleash the destructive attack may have been in use much earlier within Sony's network. Malware with the same cryptographic signature and filename as the Destover malware was spotted by the security firm Packet Ninjas in July. That malware communicated with one of the same IP addresses and domain names as the final Destover malware: a server at Thammasat University in Bangkok, Thailand. The malware, which was found in a Cisco Partner ThreatGrid repository, also communicated with a network address assigned to a New York business customer of TimeWarner Cable." Taken from article, http://arstechnica.com/security/2014/12/version-of-malware-that-took-out-sony-pictures-seen-in-wild-in-july/
- Slide 11
- The Silver Bullet Does Not Exist
  - Technologies shown: Application Control, FW/VPN, IDS/IPS, UTM, NAC, AV, PKI, Sandboxing, Threat Analytics
  - Slogans shown: Captive portal; It matches the pattern; No false positives, no false negatives; Block or Allow; Fix the Firewall; No key, no access; Detect the Unknown; Outside looking in
  - The Best Point in Time Protection protects you 90+% of the time
- Slide 12
- Point-in-Time Detection (Antivirus, Sandboxing)
  - Initial Disposition = Clean; Actual Disposition = Bad; Too Late!! Not 100%
  - Analysis Stops (Event Horizon): Sleep Techniques, Unknown Protocols, Encryption, Polymorphism
  - Blind to scope of compromise
- Slide 13
- AMP goes beyond point-in-time detection (Attack Continuum)
  - BEFORE: Discover, Enforce, Harden
  - DURING: Detect, Block, Defend
  - AFTER: Scope, Contain, Remediate
  - Coverage: Network, Mobile, Virtual, Email & Web, Cloud; Continuous vs Point-in-time
- Slide 14
- Continuous Protection when advanced malware evades point-in-time detection
  - Point-in-time Detection (Antivirus, Sandboxing): Initial Disposition = Clean; Actual Disposition = Bad = Too Late!! Not 100%; Analysis Stops (Sleep Techniques, Unknown Protocols, Encryption, Polymorphism)
  - AMP: Initial Disposition = Clean; Actual Disposition = Bad = Blocked; Retrospective Detection, Analysis Continues
- Slide 15
- Sample of Traditional Point in Time Protection
- Slide 16
- AMP for Endpoint: Device Trajectory / Incident Analysis
- Slide 17
- Retrospective detection and protection: ability to learn and proactively reduce your attack surface (Reduce Attack Surface).
- Slide 18
- Cisco Advanced Malware Protection: Built on unmatched collective security intelligence
  - 1.6 million global sensors; 100 TB of data received per day; 150 million+ deployed endpoints; 600+ engineers, technicians, and researchers; 35% worldwide email traffic; 13 billion web requests; 24x7x365 operations; 40+ languages; 180,000+ File Samples per Day
  - Sources: AMP Community; AMP Threat Grid Intelligence; AMP Threat Grid Dynamic Analysis (10 million files/month); Advanced Microsoft and Industry Disclosures; Snort and ClamAV Open Source Communities; AEGIS Program; Private/Public Threat Feeds
  - Cisco Collective Security Intelligence Cloud (Email, Endpoints, Web, Networks, IPS, Devices, WWW): Automatic Updates every 3-5 minutes
- Slide 19
- Cisco AMP Solution Options (Customer Need / Feature; columns on the slide: WSA, ESA, CWS; Network; Endpoint)
  - I want to be able to define policies for malware: File Reputation
  - I want to be able to isolate suspected malware for threat analysis: Sandboxing
  - I want to be able to backtrack if malware makes it into my system: Retrospective Security
  - I need to identify compromised devices on my network: Indications of Compromise
  - I want to track how a file has been behaving: File Analysis
  - I want to track how threats traverse the network: File Trajectory
  - I want to see system activities, relationships and events: Device Trajectory
  - I want to search large sets of data for compromises: Elastic Search
  - I want to be able to stop the spread of malware with custom tools: Outbreak Control
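The two ideas that slides 14 and 19 lean on, retrospective security ("backtrack if malware makes it into my system") and file trajectory ("track how threats traverse the network"), can be illustrated with a small engine that keeps every file sighting and replays that history when a verdict changes. The following is an added example written for this page, not Cisco's AMP code; the hostnames, hashes, timestamps and the `Sighting`/`RetrospectiveEngine` names are constructed for illustration.

```python
# Added example (not Cisco's or Greyson's code): a minimal retrospective
# detection engine over a file-trajectory log. Hashes, hosts and timestamps
# below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Sighting:
    ts: int                        # epoch seconds when the file was seen (constructed)
    host: str                      # endpoint that saw the file (constructed hostname)
    sha256: str                    # file hash (constructed placeholder, not a real sample)
    action: str                    # "downloaded", "executed" or "copied"
    parent: Optional[str] = None   # host the file arrived from, if known


class RetrospectiveEngine:
    """Stores every file sighting so a later verdict change can be replayed
    against history (the slide's 'retrospective security' and 'file trajectory')."""

    def __init__(self) -> None:
        self.dispositions: Dict[str, str] = {}   # sha256 -> clean | unknown | malicious
        self.sightings: List[Sighting] = []

    def record(self, s: Sighting) -> str:
        """Point-in-time check: log the sighting and return the verdict known right now."""
        self.sightings.append(s)
        return self.dispositions.get(s.sha256, "unknown")

    def trajectory(self, sha256: str) -> List[Sighting]:
        """All sightings of one file in time order (patient zero first)."""
        return sorted((s for s in self.sightings if s.sha256 == sha256), key=lambda s: s.ts)

    def set_disposition(self, sha256: str, verdict: str, now: int) -> Optional[dict]:
        """Update the verdict. When a file flips to malicious, replay history and
        return a retrospective alert describing the scope; otherwise return None."""
        previous = self.dispositions.get(sha256, "unknown")
        self.dispositions[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return None
        traj = self.trajectory(sha256)
        if not traj:
            return None
        hosts: List[str] = []
        for s in traj:                       # first-seen order, no duplicates
            if s.host not in hosts:
                hosts.append(s.host)
        executed_on = [h for h in hosts
                       if any(s.host == h and s.action == "executed" for s in traj)]
        return {
            "sha256": sha256,
            "patient_zero": traj[0].host,
            "hosts": hosts,                       # scope of compromise
            "executed_on": executed_on,           # where containment is most urgent
            "dwell_seconds": now - traj[0].ts,    # how long the point-in-time verdict was wrong
            "path": [(s.parent, s.host) for s in traj if s.parent],  # lateral movement edges
        }


BAD_HASH = "sha256:constructed-sample-0001"    # constructed placeholder
OTHER_HASH = "sha256:constructed-sample-0002"  # constructed placeholder, never flagged

# Constructed trajectory log: the file is downloaded and run on laptop-07, copied to a
# file server, then executed on a second laptop, all while the sandbox verdict is "clean".
SAMPLE_LOG = [
    Sighting(1000, "laptop-07", BAD_HASH, "downloaded"),
    Sighting(1060, "laptop-07", BAD_HASH, "executed"),
    Sighting(1400, "fileserver-01", BAD_HASH, "copied", parent="laptop-07"),
    Sighting(1500, "laptop-03", OTHER_HASH, "downloaded"),
    Sighting(2200, "laptop-12", BAD_HASH, "executed", parent="fileserver-01"),
]


def demo():
    """Run the scenario and return (point-in-time verdicts, retrospective alert)."""
    engine = RetrospectiveEngine()
    engine.set_disposition(BAD_HASH, "clean", now=900)          # initial sandbox verdict
    verdicts = [engine.record(s) for s in SAMPLE_LOG]            # every check passes at the time
    alert = engine.set_disposition(BAD_HASH, "malicious", now=3000)  # later intelligence flips it
    return verdicts, alert


if __name__ == "__main__":
    v, a = demo()
    print("point-in-time verdicts:", v)
    print("retrospective alert:", a)
```

The point-in-time verdicts are all "clean" (or "unknown" for the unrelated file) at the moment each check runs, which is exactly the "Initial Disposition = Clean" row on slide 14; only the later verdict change produces the alert, and because the sightings were kept, the alert names the first host, every host that touched the file, the hosts that actually executed it, and the copy path between them.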
- Slide 20
- The First Unified Malware Analysis & Threat Intelligence Solution. ThreatGRID is revolutionizing how organizations use accurate and context-rich malware analysis and threat intelligence to defend against advanced cyber attacks. Be Proactive. Recover Faster. Defeat Advanced Threats. Maximize Existing Investments.
- Slide 21
- Some Cool Things We Do!!! Allow you to interact with malware; "Outside Looking In" approach; Prioritize threats; Context-driven Malware Analytics.
- Slide 22
- Sample report from AMP integration
- Slide 23
- ThreatGRID Unique Value
  - Context-Driven Malware Analytics; 2-way API Integration; Multiple Deployment options; Community Power & Scale; Adaptive Analysis; Simple & Custom Feeds; Easy to use ThreatGRID Portal
  - Users: SOC Investigation & Response; Threat Intelligence; Security Infrastructure Eng.
  - Outcomes: Defeat Advanced Attacks; Recover Faster; Be Proactive; Maximize Existing Investment
- Slide 24
- Cisco AMP Delivers Three Advantages
  - 1. A better approach
  - 2. More comprehensive protection: Cisco Collective Security Intelligence, Point-in-Time Detection, Retrospective Security
  - 3. Address the full attack continuum: BEFORE, DURING, AFTER; Network, Content
- Slide 25
- Cisco Advanced Malware Protection (AMP) architecture diagram
  - Capabilities: Web Filtering and Reputation; Security Intelligence; File Type Blocking; Application Visibility & Control; Indicators of Compromise; Traffic Intelligence; File Reputation; Cognitive Threat Analytics; File Retrospection; Reporting; Log Extraction; Management
  - Timeline: Before, During (www.website.com, X = blocked), After
  - Verdicts: Allow, Warn, Block, Partial Block
  - Sites and components: Main Office, Branch Office, HQ, Roaming User; ASA/NGIPS, AMP Appliance, WSA, ESA, AnyConnect, Admin Traffic Redirections, TALOS, Threat Grid, File Sandboxing, AMP for Endpoint, Threats
- Slide 26
- Evolution of AMP Everywhere
  - 2012: AMP (Retrospective Security, Trajectory, Outbreak Control); AMP Endpoint PC
  - 2013: AMP Endpoint Mobile; AMP Endpoint Virtual; AMP Network
  - 2014: AMP Network Appliance; AMP Endpoint Mac; Device Trajectory; Flow Correlation; AMP Private Cloud; AMP for Content; AMP for ASA; ThreatGRID
- Slide 27
- AMP for Endpoints Customer Testimonial: https://www.youtube.com/watch?v=RjPB__9BIww
- Slide 28
- www.greysontech.com Let's Play Enterprise Feud
- Slide 29
- www.greysontech.com Top 3 Answers on the Board
- Slide 30
- www.greysontech.com Phishing Attack Example
- Slide 31
- www.greysontech.com Phishing Attack Results
- Slide 32
- www.greysontech.com Greyson Consulting Services
- Slide 33
- www.greysontech.com How Greyson Works with Our Clients
  - Local, personal relationships built on trust.
  - Long term partnerships with consistency of engineering talent.
  - Analysis, Architecture, Delivery and Management.
  - Enterprise solutions: Security infrastructure best practices assessment; Next generation firewalls and IPS; Advanced Malware Protection; Email and Web Content Security; Netflow based network behavior anomaly detection; Policy based security enforcement.
- Slide 34
- www.greysontech.com Questions?