Human Insider Threats in Cybersecurity and the Architecture to Mitigate · 2017-04-20


Page 1

Human Insider Threats in Cybersecurity and the Architecture to Mitigate

April 5, 2017

Mohsen Manialawy, CISSP, M.Sc., MBA.
Solutions Architect, Cisco Security Solutions

Page 2

Points of Discussion

• Human Insider Threats: is it still a problem, and how bad?
• What is the required architecture to mitigate?
• Key Takeaways

Page 3

Human Insider Threats: is it still a problem, and how bad?

Page 4

The Top 4 Sources of Concern Which Security Professionals Found in Defending Against a Cyberattack

Percentage of respondents who find the category very or extremely challenging to defend:

• Mobile Devices: 58%
• Data in Public Cloud: 57%
• Cloud Infrastructure: 57%
• User Behavior (for example, clicking a malicious link in an email or website): 57%

Source: Cisco 2017 Annual Cybersecurity Report

Page 5

Realities of Modern Threats

• One out of four breaches are caused by malicious insiders.
• 95% of all cybercrime is triggered by a user clicking on a malicious link disguised to be legitimate.
• Two out of three breaches exploit weak or stolen passwords.
• With lateral movement of advanced persistent threats, even external attacks eventually become internal threats.

(Diagram: FW, IDS and IPS at the boundary between External and Internal; Highlights)

Source: 2014 Verizon Data Breach Investigations Report and Forrester research.

Page 6

How Data Breaches Happen

• Reconnaissance
• Victim clicks phishing email link
• Malware dropped via backdoor
• Lateral movement to find Admin
• Escalate privilege to become Admin
• Data exfiltration using Admin privilege
• Information monetized after breach

Page 7

Adware and Malvertising Shift Into High Gear (used for redirection to exploit kits)

Adware: 75% of the 130 organizations investigated had adware infections.

Malvertising:
• Using brokers (gates) to increase speed and agility
• Switching quickly between servers without changing redirection

Source: Cisco 2017 Annual Cybersecurity Report

Page 8

Browser Infections: The Pest That Persists

More than 85% of the companies studied were affected each month by malicious extensions.

Source: Cisco 2016 Annual Cybersecurity Report

Page 9

Spam Comes Roaring Back: Email is Back in Vogue

• 65% of email is spam
• 8% of spam is malicious

(Chart: spam volume in Emails / Second, 2010 to 2016)

Source: Cisco 2017 Annual Cybersecurity Report

Page 10

Watching and Waiting: Adversaries Take Time Inspecting and Looking for Opportunities

(Chart of observed threat categories and counts)

• PUA and Suspicious Binaries, browser extensions: 87K
• Trojan Droppers (VBS): 50K
• Phishing (Links): 15K
• Trojan Downloaders (Scripts): 27K
• Browser Redirection-Downloads: 18K
• Browser Redirection (JS): 24K
• Facebook Hijacking: 11K
• Android Trojans (Iop): 14K
• Browser Redirection: 12K
• Facebook Scam Links: 35K

Page 11

Spam Attacks: Snowshoe and Hailstorm

• Snowshoe: uses various IP addresses; hides from detection with low volume.
• Hailstorm: highly concentrated, high speed; uses speed and volume to bypass detection.

Source: Cisco 2017 Annual Cybersecurity Report

Page 12

Percentage of Monthly Vertical Block Rates

(Chart)

Source: Cisco 2017 Annual Cybersecurity Report

Page 13

Security Maturity in Industry Verticals

Page 14

Hard Hit: Security Breaches Paralyze Systems and Impact Key Business Operations

Business Impact
• Operations: 36%
• Finance: 30%
• Brand Reputation: 26%
• Customer Retention: 26%

Operational Impact
• Systems were down for 1-8 hours at 65% of organizations
• Nearly 30% of systems were impacted at 61% of organizations

Source: Cisco 2017 Annual Cybersecurity Report

Page 15

Human Insider Threats: is it still a problem, and how bad?

Absolutely... quite impactful.

Page 16

What Is the Required Architecture to Mitigate?

Page 17

Process of Attacks

• Research, identify and select targets
• Pair remote access malware with exploits
• Deliver cyberweapons by email, website and attachments
• Install payloads to gain persistent access

Page 18

User Browsing Web Site - Security Controls

(Diagram: user accessing the Web via gate or agent, protected by Host Based Security and a Next-Generation Firewall/IPS, with Supporting Cloud Services: AMP, Malware Sandbox, Threat Intelligence, DNS Security)

Page 19

Web Security Functions (Cloud / Appliance, with Threat Intelligence)

(Diagram; verdicts per web request: Allow, Warn, Block, Partial Block)

• Web Filtering
• Web Reputation
• Application Visibility & Control
• Anti-Malware
• File Reputation
• File Sandboxing
• File Retrospection
• Cognitive Threat Analytics
• DLP Integration
• After: Outbreak Intelligence
• Client Authentication Methods
• Traffic Redirection Methods: WCCP, Load Balancer, PBR, AnyConnect, Explicit/PAC
• Management (Admin): Reporting, Log Extraction
• Deployment locations: HQ, Campus Office, Branch Office, Roaming User

Page 20

User Opening an Email - Security Controls

(Diagram: Next-Generation Firewall/IPS and Host Based Security, with Supporting Cloud Services: AMP, Malware Sandbox, Threat Intelligence, DNS Security)

Page 21

Email Security Functions

(Diagram; functions span Before, During and After, with verdicts Allow, Warn, Block and Partial Block; deployment as Cisco Appliance, Virtual or Cloud, backed by Talos)

Inbound Email
• Email Reputation
• Acceptance Controls
• Anti-Spam and Anti-Virus
• Outbreak Filters
• File Reputation
• File Sandboxing & Retrospection
• Anti-Phish: URL Reputation & Categorization, tracking user click activity
• Mail Flow Policies
• Graymail Management, Safe Unsubscribe
• Content Controls

Outbound Email (Outbound Liability)
• Data Loss Protection
• Encryption

Management (Admin, HQ): Reporting, Message Tracking

Page 22

Network Resources Access Policy: Identity/Context Based Segmentation Capable Infrastructure (mitigating malicious insiders)

• Identity Profiling and Posture: Who, What, When, Where, How, Compliant
• Policy decision: Allow / Deny
• Use cases: BYOD Access, Guest Access, Role-based Access, Rapid Threat Containment
• Works across wired, wireless and VPN (the network "door")
• Context Integration Protocols

Page 23

It Takes an Integrated Architecture with Threat Intelligence to Mitigate Insider Threats

• Identity Authorization
• DNS Security
• Firewall
• Anti-Malware
• Access Control
• Posture Assessment
• Flow Analytics
• Application Visibility
• Threat Intelligence

(Diagram: Data Center with Monitoring, Policy and Identity; Cloud Services: AMP, Sandbox, Threat Intelligence, DNS Security, Anti-Virus)

Page 24

Key Takeaways

• Insider threats are real, sophisticated, here to stay and cannot be ignored.
• Build a multilayer, integrated security architecture whose components work together, powered by threat intelligence and unified management and telemetry capability.
• Technology-only mitigation solutions are NOT sufficient; invest in educating and training people on safe Internet and email behavior, and ensure the proper implementation of policies, processes and procedures to quickly identify and contain breaches.
