Technology Consultant II Ingram Micro Cisco 2018 Annual Cybersecurity Report Kevin Switzer

Cisco 2018 Annual Cybersecurity Report


Page 1: Cisco 2018 Annual Cybersecurity Report

Technology Consultant II

Ingram Micro

Cisco 2018 Annual Cybersecurity Report

Kevin Switzer

Page 2: Cisco 2018 Annual Cybersecurity Report

Agenda

• Appe-teasers – A few of the more interesting findings
  • Encryption use, malicious file types, sandbox evasion

• Statistical Trends
  • Cloud usage, malicious domains, software patches, alerts investigated, tactical vs operational, time to detection

• Predictions of what is to come in the near future

• Cisco 2018 Security Capabilities Benchmark Study—which offers insights on security practices from more than 3600 respondents across 26 countries

Page 3: Cisco 2018 Annual Cybersecurity Report

Malicious Binaries and Encryption

Attackers embrace encryption to conceal their command-and-control activity

[Chart, November 2016 to October 2017]

• Global Encrypted Web Traffic: from 38% to 50% (12% increase)

• Malicious Sandbox Binaries with Encryption: from 19% to 70% (268% increase)

Page 4: Cisco 2018 Annual Cybersecurity Report

Uncover Hidden Threats at the Edge

SSL decryption engine

• Decrypt interesting traffic

• Inspect deciphered packets

• Track and log all SSL sessions

[Diagram labels: Encrypted Traffic (obfuscated https:// URLs), AVC, SSL decryption engine, NGIPS and AMP, Enforcement decisions, Log; example URL categories: gambling, illicit]

Page 5: Cisco 2018 Annual Cybersecurity Report

Sandbox Evasion Patterns

Attackers are constantly testing sandbox evasion techniques

[Charts: "Document Close" and "Doc Embedded in PDF"; series: Malicious Samples, Total Samples; y-axis: Volume; x-axis: Oct 2016 to Oct 2017]

Page 6: Cisco 2018 Annual Cybersecurity Report

How Malicious Actors Leverage Domains

Organizations need to minimize access to malicious domains

Type of Attack

• 60% Spam

• 20% Malvertising

• 20% Other

RLD Registered Times

• 80% More than 1 week

• 20% Less than 1 week

New or Reused Domains

• 42% New

• 58% Reused

Page 7: Cisco 2018 Annual Cybersecurity Report

Vulnerabilities – ‘Do we need those stinking patches?’

“Apparently, hackers do still party like it is 1999”

CVE = Common Vulnerabilities and Exposures

Page 8: Cisco 2018 Annual Cybersecurity Report


Software patches are fun, if you like to…

Page 9: Cisco 2018 Annual Cybersecurity Report

High Severity Vulnerabilities and Patch Management

We need a better way to improve patch management processes

High severity is driven by headlines

[Chart: MS17-010 Detections; y-axis: Number of Detections; x-axis: Month; annotations: "Microsoft warns of vulnerability", "Exploited vulnerability makes headlines", "Patches double as organizations realize potential threat"]

Source: Qualys

Page 10: Cisco 2018 Annual Cybersecurity Report

Insert A4E screen shot

Page 11: Cisco 2018 Annual Cybersecurity Report
Page 12: Cisco 2018 Annual Cybersecurity Report

Alerts

Uninvestigated alerts still create huge business risk

• 93% Experienced Security Alert

• 7% Experienced NO Security Alert

• 56% of Alerts are Investigated

• 44% of Alerts are NOT Investigated

• 34% of Investigated Alerts are Legitimate

• 51% of Legitimate Alerts are Remediated

• 49% of Legitimate Alerts are NOT Remediated

Page 13: Cisco 2018 Annual Cybersecurity Report

Strategic, Operational, and Tactical Issues

• 26% can be addressed by products alone

• 74% might also require people and/or processes to address

[Diagram labels: People, Products, Policies]

An overemphasis on product solutions can leave openings for attackers

Page 14: Cisco 2018 Annual Cybersecurity Report

Observed Threats and TTD

Cloud-based security technology has been a key factor in helping Cisco maintain a low median despite an increase in threat samples

Cisco Annual Median TTD (Hours)

• 2015: 37.1

• 2016: 14

• 2017: 4.6

Number of Observed Threat Samples

• 10x Increase, 2016 to 2017

Page 15: Cisco 2018 Annual Cybersecurity Report

Market Expectations and Emerging Capabilities

[Diagram labels: Outcomes, Investment, Technology]

Page 16: Cisco 2018 Annual Cybersecurity Report

Market Expectations: Threat Landscape

The threat landscape to remain complex and challenging

• Few predict radically new threats on the horizon, but they see more capable and more diabolical bad actors

• Believe they’ll need ever more sophisticated security arsenals to keep them at bay

Page 17: Cisco 2018 Annual Cybersecurity Report

Market Expectations: Modern Workplace

The modern workplace will continue to create conditions that favor the attackers

• The footprint security executives must secure continues to expand

• Employees increasingly carry their work (and the company’s data) with them wherever they go—a well-documented source of exposure

• Clients, partners and suppliers all need secure access to corporate resources

• With the increasing deployment of IoT sensors, etc., companies’ interfaces to the internet will multiply dramatically

Page 18: Cisco 2018 Annual Cybersecurity Report

Market Expectations: Scrutiny

Additional scrutiny of their ability to secure the organization

• Many expect they’ll be under additional scrutiny—from regulators, executives, stakeholders, partners and clients

• Top scrutiny from Executive Leadership, Clients, and Business Partners (76%, each)

• Several CISOs mention that the need to meet others’ expectations for accessibility puts increasing strains on staff

• Current and potential clients can be particularly demanding of information regarding security processes and protocols

Page 19: Cisco 2018 Annual Cybersecurity Report

Market Expectations: Breaches Drive Budget

Budgets will remain stable, unless a security breach drives unexpected investment

• 51%: Budgets based on previous year’s budget

• 51%: 3rd party risk assessment

• 7%: Breach drove improvements to a great extent

Page 20: Cisco 2018 Annual Cybersecurity Report

Market Expectations: Outsourcing

More reliance on outsourcing services

• 53%: More cost efficient

• 52%: Desire for more unbiased insight

• 51%: More timely response to incidents

Page 21: Cisco 2018 Annual Cybersecurity Report

Download the Cisco 2018 Annual Cybersecurity Report, Verizon Data Breach Report, NSS Labs Breach Detection Test

cisco.com/go/acr2018

www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

http://b2me.cisco.com/NSSLabsBDS