Network Visibility and Advanced Malware Protection

Page 2

Network Visibility and Advanced Malware Protection

James Weathersby, Director Technical Marketing

Gyorgy Acs, Consulting Security Engineer

Page 3

Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Security Challenges

  • Changing Business Models
  • Dynamic Threat Landscape
  • Complexity and Fragmentation

Page 4

Security Challenges: Changing Business Models

90% of organizations are not “fully aware” of all network devices (BYOD)

5–10 times more cloud services are being used than are known by IT (CLOUD)

14% of the top 500 Android apps carry security/privacy risks (APP STORES)

92% of organizations had malware enter the corporate network through social media/web apps (SOCIAL MEDIA)

Page 5

Security Challenges: Dynamic Threat Landscape

A community that hides in plain sight avoids detection and attacks swiftly

Timeline from START through HOURS, WEEKS, MONTHS and YEARS:

  • 60% of data is stolen in HOURS
  • 85% of point-of-sale intrusions aren’t discovered for WEEKS
  • 54% of breaches remain undiscovered for MONTHS
  • 51% increase of companies reporting a $10M loss or more in the last YEAR

Page 6

Security Challenges: Complexity and Fragmentation

  • 373 security vendors at RSA
  • 12x demand for security talent
  • 45 security vendors for some customers

Complexity · Talent · Fragmentation

Page 7

The Reality: Organizations Are Under Attack

Source: 2014 Cisco Annual Security Report

95% of large companies targeted by malicious traffic

100% of organizations interacted with websites hosting malware

Timeline (1990–2020): Viruses 1990–2000 · Worms 2000–2005 · Spyware and Rootkits 2005–Today · APTs, Cyberware Today+

Phishing, Low Sophistication · Hacking Becomes an Industry · Sophisticated Attacks, Complex Landscape

  • Cybercrime is lucrative, barrier to entry is low
  • Hackers are smarter and have the resources to compromise your organization
  • Malware is more sophisticated
  • Organizations face tens of thousands of new malware samples per hour

Page 8

Comprehensive Security Requires

  • Breach Prevention
  • Rapid Breach Detection, Response, Remediation
  • Threat Intelligence

Source: http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html

Page 9

The Full Attack Continuum

  • BEFORE: Discover, Enforce, Harden
  • DURING: Detect, Block, Defend
  • AFTER: Scope, Contain, Remediate

Platforms: Network, Endpoint, Mobile, Virtual, Email & Web, Cloud

Point-in-time and Continuous protection across the Attack Continuum

Page 10

Visibility and Context: Mapping Technologies to the Model

Attack Continuum: BEFORE (Discover, Enforce, Harden) · DURING (Detect, Block, Defend) · AFTER (Scope, Contain, Remediate)

Technologies mapped onto the model: Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM/NAC, IPS, Antivirus, Email/Web, IDS, FPC, Forensics, AMP, Log Mgmt, SIEM

Secure DC, Enterprise Licensing Agreement, Enterprise Mobility

Page 11

FireSIGHT Sees “Everything”

Categories                  Examples                      Sourcefire NGIPS & NGFW   Typical IPS   Typical NGFW
Threats                     Attacks, Anomalies            ✔                         ✔             ✔
Users                       AD, LDAP, POP3                ✔                         ✗             ✔
Web Applications            Facebook Chat, Ebay           ✔                         ✗             ✔
Application Protocols       HTTP, SMTP, SSH               ✔                         ✗             ✔
File Transfers              PDF, Office, EXE, JAR         ✔                         ✗             ✔
Malware                     Conficker, Flame              ✔                         ✗             ✗
Command & Control Servers   C&C Security Intelligence     ✔                         ✗             ✗
Client Applications         Firefox, IE6, BitTorrent      ✔                         ✗             ✗
Network Servers             Apache 2.3.1, IIS4            ✔                         ✗             ✗
Operating Systems           Windows, Linux                ✔                         ✗             ✗
Routers & Switches          Cisco, Nortel, Wireless       ✔                         ✗             ✗
Mobile Devices              iPhone, Android, Jail         ✔                         ✗             ✗
Printers                    HP, Xerox, Canon              ✔                         ✗             ✗
VoIP Phones                 Avaya, Polycom                ✔                         ✗             ✗
Virtual Machines            VMware, Xen, RHEV             ✔                         ✗             ✗

Contextual Awareness · Information Superiority

Page 12

FireSIGHT Enables Automation

  • IT Insight: spot rogue hosts, anomalies, policy violations, and more
  • Impact Assessment: threat correlation reduces actionable events by up to 99%
  • Automated Tuning: adjust IPS policies automatically based on network change
  • User Identification: associate users with security and compliance events

Page 13

FireSight Demo

Page 14

Cisco Advanced Malware Protection: Built on unmatched collective security intelligence

  • 1.6 million global sensors
  • 100 TB of data received per day
  • 150 million+ deployed endpoints
  • 600 engineers, technicians, and researchers
  • 35% of worldwide email traffic
  • 13 billion web requests
  • 24x7x365 operations
  • 4.3 billion web blocks per day
  • 40+ languages
  • 1.1 million incoming malware samples per day

Intelligence sources: AMP Community · Private/Public Threat Feeds · Talos Security Intelligence · AMP Threat Grid Intelligence · AMP Threat Grid Dynamic Analysis (10 million files/month) · Advanced Microsoft and Industry Disclosures · Snort and ClamAV Open Source Communities · AEGIS™ Program

The Cisco® Collective Security Intelligence Cloud feeds Email, Endpoints, Web, Networks, IPS and Devices with automatic updates in real time

Page 15

Cisco AMP Delivers A Better Approach

Point-in-Time Protection: File Reputation, Sandboxing and Behavioral Detection

Retrospective Security: Continuous Analysis (Unique To Cisco AMP)

Page 16

Cisco AMP Defends With Reputation Filtering And Behavioral Detection

Cisco Collective Security Intelligence

Point-in-Time Protection: File Reputation & Behavioral Detection · Continuous Protection: Retrospective Security (Unique to Cisco AMP)

Reputation Filtering: One-to-One Signature · Fuzzy Finger-printing · Machine Learning

Behavioral Detection: Indications of Compromise · Dynamic Analysis · Advanced Analytics · Device Flow Correlation

Page 17

Reputation Filtering Is Built On Three Features: One-to-One Signature

With the Collective Security Intelligence Cloud:

  1. Unknown file is encountered, signature is analyzed, sent to cloud
  2. File is not known to be malicious and is admitted
  3. Unknown file is encountered, signature is analyzed, sent to cloud
  4. File’s signature is known to be malicious and is prevented from entering the system

Page 18

Reputation Filtering Is Built On Three Features: Fuzzy Finger-printing

With the Collective Security Intelligence Cloud:

  1. Fingerprint of file is analyzed and determined to be malicious
  2. Malicious file is not allowed entry
  3. Polymorphic form of the same file tries to enter the system
  4. The fingerprints of the two files are compared and found to be similar to one another
  5. Polymorphic malware is denied entry based on its similarity to known malware
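The two reputation-filtering steps on pages 17 and 18 (an exact one-to-one signature lookup, then a similarity check against known malware) can be shown side by side in a small gate. This is an added example, not Cisco's code or the AMP algorithm: the "fuzzy fingerprint" is a simplified stand-in (the set of overlapping 4-byte n-grams compared by Jaccard similarity), the 0.8 block threshold is an assumed policy value, and the three sample files are constructed from a seeded random generator so the run is reproducible offline.

```python
import hashlib
import random

NGRAM = 4                   # n-gram length for the stand-in fuzzy fingerprint (assumption)
SIMILARITY_THRESHOLD = 0.8  # assumed policy: this similar to known malware means block


def exact_signature(data: bytes) -> str:
    """One-to-one signature: a SHA-256 digest that only matches a byte-identical file."""
    return hashlib.sha256(data).hexdigest()


def fuzzy_fingerprint(data: bytes) -> frozenset:
    """Simplified fuzzy fingerprint: every overlapping NGRAM-byte window of the file.
    A polymorphic variant that keeps most of the payload keeps most of these windows."""
    return frozenset(data[i:i + NGRAM] for i in range(len(data) - NGRAM + 1))


def similarity(fp_a: frozenset, fp_b: frozenset) -> float:
    """Jaccard similarity of two fingerprints: 0.0 (unrelated) to 1.0 (identical)."""
    if not fp_a and not fp_b:
        return 1.0
    return len(fp_a & fp_b) / len(fp_a | fp_b)


class ReputationFilter:
    """Gate that tries the exact signature first, then the similarity check."""

    def __init__(self, threshold=SIMILARITY_THRESHOLD):
        self.threshold = threshold
        self.known_bad_signatures = set()
        self.known_bad_fingerprints = {}  # sample name -> fingerprint

    def learn_malicious(self, name, data):
        """Record a file the intelligence cloud has confirmed as malicious."""
        self.known_bad_signatures.add(exact_signature(data))
        self.known_bad_fingerprints[name] = fuzzy_fingerprint(data)

    def check(self, data):
        """Return (verdict, reason) for a file trying to enter the system."""
        if exact_signature(data) in self.known_bad_signatures:
            return ("block", "exact signature match")
        fp = fuzzy_fingerprint(data)
        best_name, best_score = None, 0.0
        for name, known_fp in self.known_bad_fingerprints.items():
            score = similarity(fp, known_fp)
            if score > best_score:
                best_name, best_score = name, score
        if best_score >= self.threshold:
            return ("block", f"{best_score:.2f} similar to {best_name}")
        return ("admit", "no known-bad match")


def build_samples():
    """Constructed inputs: a 'malicious' blob, a polymorphic variant of it, and an unrelated clean blob."""
    rng = random.Random(2014)  # fixed seed so the constructed samples are reproducible
    malicious = bytes(rng.getrandbits(8) for _ in range(2000))
    # Variant: same payload with ten scattered bytes flipped and 200 junk bytes appended.
    variant = bytearray(malicious)
    for pos in range(100, 2000, 190):
        variant[pos] ^= 0xFF
    variant += bytes(rng.getrandbits(8) for _ in range(200))
    clean = bytes(rng.getrandbits(8) for _ in range(2000))
    return malicious, bytes(variant), clean


def demo():
    malicious, variant, clean = build_samples()
    rf = ReputationFilter()
    rf.learn_malicious("sample-A", malicious)
    return {
        "original": rf.check(malicious),   # caught by the one-to-one signature
        "variant": rf.check(variant),      # misses the signature, caught by similarity
        "clean": rf.check(clean),          # admitted
        "variant_exact_match": exact_signature(variant) in rf.known_bad_signatures,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the run is the middle row: the variant's SHA-256 is unknown, so a signature-only gate admits it, while its fingerprint still overlaps the known sample far above the threshold. Production similarity digests (ssdeep, TLSH and the like) use more robust constructions than raw n-gram sets, but the decision logic at the gate is the same.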

Page 19

Reputation Filtering Is Built On Three Features: Machine Learning

With the Collective Security Intelligence Cloud:

  1. Unknown file’s metadata is sent to the cloud to be analyzed
  2. Metadata is recognized as possible malware
  3. File is compared to known malware and is confirmed as malware
  4. A second unknown file’s metadata is sent to cloud to be analyzed
  5. Metadata is similar to known clean file, possibly clean
  6. File is confirmed as a clean file after being compared to a similarly clean file

Machine Learning Decision Tree: possible clean file → confirmed clean file; possible malware → confirmed malware

Page 20

Behavioral Detection Is Built On Four Features: Indications of Compromise

With the Collective Security Intelligence Cloud:

  1. File of unknown disposition is encountered
  2. File replicates itself and this information is communicated to the cloud
  3. File communicates with malicious IP addresses or starts downloading files with known malware disposition
  4. Combination of activities indicates a compromise and the behavior is reported to the cloud and AMP client
  5. These indications are prioritized and reported to security team as possible compromise

Page 21

Behavioral Detection Is Built On Four Features: Dynamic Analysis

  1. Dynamic Analysis Engine executes unknown files in on-premise or cloud sandboxes powered by AMP Threat Grid
  2. Two files are determined to be malware, one is confirmed as clean
  3. Intelligence Cloud is updated with analysis results and retrospective alerts are broadcast to users

Collective Security Intelligence Cloud · Collective User Base · AMP Threat Grid Sandbox

Page 22

Behavioral Detection Is Built On Four Features: Advanced Analytics

  1. Receives information regarding software unidentified by Reputation Filtering appliances
  2. Receives context regarding unknown software from Collective User Base
  3. Analyzes file in light of the information and context provided
  4. Identifies the advanced malware and communicates the new signature to the user base

Collective User Base · Collective Security Intelligence Cloud · AMP Threat Grid Analysis

Page 23

Behavioral Detection Is Built On Four Features: Device Flow Correlation

With the Collective Security Intelligence Cloud:

  1. Device Flow Correlation monitors communications of a host on the network
  2. Two unknown files are seen communicating with a particular IP address (IP: 64.233.160.0)
  3. One is sending information to the IP address, the other is receiving commands from the IP address
  4. Collective Security Intelligence Cloud recognizes the external IP as a confirmed, malicious site
  5. Unknown files are identified as malware because of the association
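Pages 20 and 23 describe the same correlation from two angles: individual behaviors (self-replication, contact with a malicious address, downloading known malware) are weighted and combined into a prioritized "possible compromise" report, and files that merely exchanged traffic with a confirmed malicious address are convicted by association. The following is an added example of that logic, not Cisco's code: the event schema, the indicator weights, the alert threshold of 5, the hostnames and file identifiers, and the threat-intel sets (a documentation-range address 203.0.113.45 standing in for the cloud's malicious-IP verdict) are all constructed for this illustration.

```python
from collections import defaultdict

# Constructed threat context standing in for Collective Security Intelligence Cloud lookups.
KNOWN_MALICIOUS_IPS = {"203.0.113.45"}    # documentation-range address, constructed
KNOWN_MALWARE_HASHES = {"h-known-bad"}    # placeholder file identifier, constructed

# Assumed weights for the behaviors the slides name; a file at or above ALERT_THRESHOLD is reported.
IOC_WEIGHTS = {
    "self_replication": 2,
    "contact_with_malicious_ip": 3,
    "download_of_known_malware": 3,
}
ALERT_THRESHOLD = 5


def indicators_for(event):
    """Map one raw connector event to the behavioral indicators it exhibits."""
    kind = event["type"]
    if kind == "file_write" and event["written_hash"] == event["file"]:
        return ["self_replication"]            # the file wrote a copy of itself
    if kind == "net_flow" and event["remote_ip"] in KNOWN_MALICIOUS_IPS:
        return ["contact_with_malicious_ip"]
    if kind == "file_download" and event["downloaded_hash"] in KNOWN_MALWARE_HASHES:
        return ["download_of_known_malware"]
    return []


def device_flow_correlation(events):
    """Device flow correlation: which (host, file) pairs exchanged traffic with a confirmed
    malicious address, and in which direction. Any such file is convicted by association."""
    associated = defaultdict(set)
    for ev in events:
        if ev["type"] == "net_flow" and ev["remote_ip"] in KNOWN_MALICIOUS_IPS:
            associated[(ev["host"], ev["file"])].add(ev["direction"])
    return dict(associated)


def correlate(events):
    """Combine indicators per (host, file), escalate on flow association,
    and return findings prioritized by score for the security team."""
    evidence = defaultdict(list)
    for ev in events:
        evidence[(ev["host"], ev["file"])].extend(indicators_for(ev))
    associated = device_flow_correlation(events)
    findings = []
    for (host, file_id), inds in evidence.items():
        score = sum(IOC_WEIGHTS[i] for i in inds)
        if score >= ALERT_THRESHOLD or (host, file_id) in associated:
            verdict = "possible compromise"
        elif score > 0:
            verdict = "suspicious"
        else:
            verdict = "no indicators"
        findings.append({
            "host": host, "file": file_id, "score": score,
            "indicators": sorted(set(inds)),
            "flow_directions": sorted(associated.get((host, file_id), ())),
            "verdict": verdict,
        })
    findings.sort(key=lambda f: (-f["score"], f["host"]))
    return findings


# Constructed connector telemetry: four hosts, four files of unknown disposition.
SAMPLE_EVENTS = [
    {"host": "ws-01", "file": "h-unknown-1", "type": "file_write", "written_hash": "h-unknown-1"},
    {"host": "ws-01", "file": "h-unknown-1", "type": "net_flow", "direction": "out", "remote_ip": "203.0.113.45"},
    {"host": "ws-02", "file": "h-unknown-2", "type": "net_flow", "direction": "in", "remote_ip": "203.0.113.45"},
    {"host": "ws-03", "file": "h-unknown-3", "type": "file_download", "downloaded_hash": "h-known-bad"},
    {"host": "ws-04", "file": "h-updater", "type": "file_write", "written_hash": "h-config"},
    {"host": "ws-04", "file": "h-updater", "type": "net_flow", "direction": "out", "remote_ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Note how ws-02 is reported: its single indicator scores below the threshold, but the association with the convicted address (it is the file receiving commands in the page's scenario) escalates it anyway, while ws-03's lone download of known malware stays at "suspicious" for an analyst to triage.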

Page 24

Cisco AMP Delivers A Better Approach

Point-in-Time Detection: File Reputation & Behavioral Detection

Continuous Protection: Retrospective Security (Unique to Cisco AMP)

Page 25

Cisco AMP Defends With Retrospective Security

To be effective, you have to be everywhere, continuously

Page 26

Cisco AMP Provides Retrospective Security

Trajectory · Behavioral Indications of Compromise · Elastic Search · Continuous Analysis · Attack Chain Weaving

Page 27

Retrospective Security Is Built On… Continuous Analysis

  1. Performs analysis the first time a file is seen
  2. Persistently analyzes the file over time to see if the disposition is changed
  3. Giving unmatched visibility into the path, actions or communications that are associated with a particular piece of software

Page 28

Retrospective Security Is Built On… Attack Chain Weaving

Leverages retrospective capabilities in three ways:

  1. File Trajectory records the trajectory of the software from device to device
  2. Process Monitoring monitors the I/O activity of all devices on the system
  3. Communications Monitoring monitors which applications are performing actions

Attack Chain Weaving analyzes the data collected by File Trajectory, Process and Communication Monitoring to provide a new level of threat intelligence

Page 29

Retrospective Security Is Built On… Behavioral Indications of Compromise

Behavioral Indications of Compromise uses continuous analysis and retrospection to monitor systems for suspicious and unexplained activity… not just signatures!

  1. An unknown file is admitted into the network
  2. The unknown file copies itself to multiple machines
  3. Duplicates content from the hard drive
  4. Sends duplicate content to an unknown IP address

Leveraging the power of Attack Chain Weaving, AMP is able to recognize patterns and activities of a given file, and identify an action to look for across your environment rather than a file fingerprint or signature

Page 30

Retrospective Security Is Built On… File Trajectory

File trajectory automatically records propagation of the file across the network

  1. Unknown file is downloaded to device
  2. Fingerprint is recorded and sent to cloud for analysis
  3. The unknown file travels across the network to different devices
  4. Sandbox analytics determines the file is malicious and notifies all devices
  5. If file is deemed malicious, file trajectory can provide insight into which hosts are infected and it provides greater visibility into the extent of an infection

(Diagram: Collective Security Intelligence Cloud, Network, Computer, Virtual Machine and Mobile devices)

Page 31

Retrospective Security Is Built On… Device Trajectory

  1. Unknown file is downloaded to a particular device
  2. The file executes
  3. Device trajectory records this, the parent processes, lineage, and all actions performed by the file
  4. File is convicted as malicious and the user is alerted to the root cause and extent of the compromise

(Diagram: Computer with Drive #1, Drive #2, Drive #3)

Page 32

Retrospective Security Is Built On… Elastic Search

  1. Elastic Search is the ability to leverage the indicators generated by Behavioral IoC’s to monitor and search for threats across an environment
  2. Once a threat has been identified, it can be used to search for and identify if that threat exists anywhere else
  3. This functionality enables quick searches to aid in the detection of files that remain unknown but are malicious

Page 33

AMP Provides Contextual Awareness and Visibility

  • Who: focus on these users first
  • What: these applications are affected
  • Where: the breach impacted these areas
  • When: this is the scope of exposure over time
  • How: here is the origin and progression of the threat

Page 34

Deployment Options: there are several ways you can deploy AMP

AMP for Email and Web; AMP on ASA; CWS
  Ideal for: New or existing Cisco CWS, Email/Web Security, ASA customers
  Method: License with ESA, WSA, CWS, or ASA
  Details:
  • ESA/WSA: Prime visibility into email/web
  • CWS: web and advanced malware protection in a cloud-delivered service
  • AMP capabilities on ASA with FirePOWER Services

AMP for Networks (AMP on FirePOWER Network Appliance)
  Ideal for: IPS/NGFW customers
  Method: Snap into your network
  Details:
  • Wide visibility inside network
  • Broad selection of features before, during and after an attack

AMP for Endpoints (PC / Mac, Virtual, Mobile)
  Ideal for: Windows, Mac, Android, VMs
  Method: Install lightweight connector on endpoints
  Details:
  • Comprehensive threat protection and response
  • Granular visibility and control
  • Widest selection of AMP features

AMP Private Cloud Virtual Appliance
  Ideal for: High Privacy Environments
  Method: On-premise Virtual Appliance
  Details:
  • Private Cloud option for those with high privacy requirements
  • For endpoints and networks

Page 35

AMP Demo

Page 36

Block Threats Before They Breach (BEFORE): A US Bank Case Study

Challenge: Experienced security team of 7 supporting over 120 locations needed greater intelligence to quickly identify and stop threats. Current defenses alerted personnel and logged details but did nothing to aid investigation of the issue.

Solution: Augmented intrusion prevention systems with AMP for Endpoint.

Result: After installation of AMP, a targeted attack was identified and remediated in half a day. 7 days after the initial attack, new business processes and intelligence implemented by AMP resulted in the immediate mitigation of a second targeted attack.

Page 37

Identify Scope And Remediate Impact After Breach (AFTER): Power Utility Case Study

Challenge: The company is a frequent victim of spear phishing campaigns with indications of infection emanating from multiple sources.

Solution: Added AMP for Endpoints to a system already using FirePOWER to enable them to track and investigate suspicious file activity.

Result: The company gained complete visibility into their malware infections, determined the attack vector, assessed the impact to the network and made intelligent surgical decisions for remediation in a fraction of the time it would take to respond manually.

Page 38

Page 39

Page 40

How Cisco AMP Works: Network File Trajectory Use Case

Page 41

Page 42

An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox

Page 43

At 10:57, the unknown file moves from IP 10.4.10.183 to IP 10.5.11.8

Page 44

Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application

Page 45

The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later

Page 46

The Cisco Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.

Page 47

At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware

Page 48

8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
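The file trajectory use case on pages 42 through 48, together with the continuous-analysis and file-trajectory descriptions on pages 27 and 30, comes down to one data structure: a log of every transfer of a file keyed by its fingerprint, which a later disposition change turns into the list of affected hosts and a block decision on re-entry. The following is an added example of that mechanism, not Cisco's or FireSIGHT's code. It reuses the four addresses and clock times from the slides; the initial download time (10:50), the conviction time, the placeholder file identifier, and the assumption that each SMB copy was made from the previously infected host are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


class FileTrajectory:
    """Records every sighting of a file in transit and answers 'which hosts handled it?'
    when the intelligence cloud changes the file's disposition later."""

    def __init__(self):
        self.sightings = defaultdict(list)  # file -> [(time, src_host or None, dst_host, channel)]
        self.disposition = {}               # file -> "unknown" | "malicious"
        self.blocked = []                   # transfers denied because the file was already convicted

    def observe(self, when, file_hash, dst, channel, src=None):
        """Network sensor callback for a file arriving on `dst` (src=None means an external download).
        Already-convicted files are blocked; everything else is admitted and recorded."""
        if self.disposition.get(file_hash) == "malicious":
            self.blocked.append((when, file_hash, src, dst, channel))
            return "blocked"
        self.disposition.setdefault(file_hash, "unknown")
        self.sightings[file_hash].append((when, src, dst, channel))
        return "admitted"

    def hosts_seen(self, file_hash):
        """Internal hosts that handled the file, in order of first contact."""
        hosts = []
        for _, src, dst, _ in sorted(self.sightings[file_hash], key=lambda s: s[0]):
            for host in (src, dst):
                if host is not None and host not in hosts:
                    hosts.append(host)
        return hosts

    def convict(self, when, file_hash):
        """Retrospective disposition change: mark the file malicious and emit one
        retrospective event per host, however long ago the transfer happened."""
        self.disposition[file_hash] = "malicious"
        return [(when, host, file_hash) for host in self.hosts_seen(file_hash)]

    def trajectory(self, file_hash):
        """Human-readable propagation path of the file across the network."""
        return [(t.strftime("%H:%M"), src or "external", dst, channel)
                for t, src, dst, channel in sorted(self.sightings[file_hash], key=lambda s: s[0])]


FILE = "sha256:unknown-file"  # placeholder identifier for the unknown file (constructed)


def run_scenario():
    """Replays the slides' use case against the tracker and returns what an analyst would see."""
    day = datetime(2014, 1, 1)                            # constructed date; clock times follow the slides
    t_download = day + timedelta(hours=10, minutes=50)    # assumed: shortly before the 10:57 transfer
    ft = FileTrajectory()
    log = [ft.observe(t_download, FILE, "10.4.10.183", "Firefox download")]
    t1 = day + timedelta(hours=10, minutes=57)            # page 43
    log.append(ft.observe(t1, FILE, "10.5.11.8", "network transfer", src="10.4.10.183"))
    t2 = t1 + timedelta(hours=7)                          # page 44, source host assumed
    log.append(ft.observe(t2, FILE, "10.3.4.51", "SMB", src="10.5.11.8"))
    t3 = t2 + timedelta(minutes=30)                       # page 45, source host assumed
    log.append(ft.observe(t3, FILE, "10.5.60.66", "SMB", src="10.3.4.51"))
    t_convict = t3 + timedelta(minutes=5)                 # assumed: cloud verdict arrives shortly after
    events = ft.convict(t_convict, FILE)                  # page 46: retrospective event for all four devices
    t_reentry = t_download + timedelta(hours=8)           # page 48: re-entry at the original point of entry
    log.append(ft.observe(t_reentry, FILE, "10.4.10.183", "Firefox download"))
    return {
        "admissions": log,
        "retrospective_hosts": [host for _, host, _ in events],
        "trajectory": ft.trajectory(FILE),
        "blocked": len(ft.blocked),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The four admissions before conviction are the point-in-time gap the slides describe: nothing at 10:57 or 17:57 was wrong with the file as far as the gate knew. What retrospection adds is that the sighting log was kept anyway, so the conviction at the end fans out to every host on the path and the fifth attempt is refused at the perimeter.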

Page 49

DEMO TITLE

Page 50

Page 51

Protection Across Networks

The Network platform uses indications of compromise, file analysis, and in this example file trajectory to show you exactly how malicious files have moved across the environment

Network · Endpoint · Content

Page 52

Protection Across Endpoints

The Endpoint platform has device trajectory, elastic search and outbreak control, which in this example is shown quarantining recently detected malware on a device that has the FireAMP connector installed

Network · Endpoint · Content

Page 53

Protection Across Web and Email

AMP for Web and Email protects against malware threats in web and email traffic by blocking known malware and issuing retrospective alerts when unknown files are convicted

Network · Endpoint · Content