Karel Simek, Technical Marketing Engineer, January 2016: Breaches Detection Using Cognitive Threat Analytics (CTA)


  • Karel Simek, Technical Marketing Engineer
    January 2016
    Breaches Detection Using Cognitive Threat Analytics (CTA)

  • There’s a new cyber-threat reality
    Hackers will likely command and control your environment via web.
    You’ll most likely be infected via email.
    Your environment will get breached.

  • Advanced Threat Detection Requires Greater Visibility
    BEFORE: Discover, Enforce, Harden
    DURING: Detect, Block, Defend
    AFTER: Scope, Contain, Remediate
    Coverage: Network, Endpoint, Mobile, Virtual, Email & Web, Cloud
    Continuous and point-in-time
    Strengthen proactive analysis / after phase (continuous monitoring, analytics, machine learning)

  • “65% of CEOs say their risk management approach is falling behind. In a new reality where security breaches come at a daily rate, we must move away from trying to achieve the impossible perfect protection and instead invest in detection and response. Organizations should move their investments from 90 percent prevention and 10 percent detection and response to a 60/40 split.”
    Peter Sondergaard, Senior VP and Global Head of Research, Gartner

  • CTA enhances web security with layers of breach detection and analytics to identify difficult-to-find threats
    With Cognitive Threat Analytics (CTA): anomalous web requests, threat incidents, malicious events
    Analytic layers: anomaly detection, trust modeling, event classification, relationship modeling
    Scale: 10B requests per day, 20K incidents per day

  • CTA: Breach Detection Results
    20k breaches daily on a sample of 10B web requests
    10 breaches @ 1000 seats weekly
    Defence layers: FW/NGFW, NGIPS, Antivirus, Reputation/Rules, Policy/Patches, Web Security, CTA
    60% increased breach detection (based on Cisco internal testing)

  • CTA in Customer Environment

  • CTA as part of Customers’ Security Strategy
    1. CTA turns your proxy into a security sensor
    2. CTA helps you shorten breach reaction time
    3. CTA makes your SIEM intelligent

  • 1. CTA turns your proxy into a security sensor

  • CTA turns your proxy into a security sensor
    Web access log (illustrative rows from the slide):
    Server IP | URL | User | Rule Action | ….
    75.82.2.16 | www.xydsdd.com/ | oskiemk | Blocked |
    78.84.3.16 | www.xproex.com/ | jsmith | Allow |
    75.82.2.16 | www.cnn.com/new | pjames | Allow |
    75.82.2.16 | www.tripcost.com/ | Mozilla | Blocked |
    75.82.2.16 | www.78.87.53.16/ | Mozilla | Blocked |
    75.82.2.16 | www.xydsdd.com/ | Mozilla | Blocked |
    75.82.2.16 | www.xydsdd.com/ | Mozilla | Allowed |
    75.82.2.16 | www.xydsdd.com/ | Mozilla | Blocked |
    75.82.2.16 | www.xydsdd.com/ | Mozilla | Blocked |
    75.82.2.16 | www.xydsdd.com/ | Mozilla | Blocked |
    75.82.2.16 | www.xydsdd.com/ | Mozilla | Blocked |
    75.82.2.16 | www.seznam.com/ | Mozilla | Allow |
    75.82.2.16 | www.google.com/ | Internet Exp. | Allow |
    75.82.2.16 | www.xydsdd.com/ | Mozilla | Blocked |
    CTA adds to the raw log: context, advanced correlation, long-term modeling, and anomaly detection over WHAT & WHEN.

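As an added example (not CTA's code and not from the deck), the script below treats a proxy log in the slide's column layout as sensor data: it groups requests per user and destination host, uses the organisation-wide set of users per host as a crude long-term baseline, and flags clockwork-regular repeat contacts to a host that nobody else visits. The timestamp column, the user and host names, every log row and the thresholds are constructed for illustration.

```python
"""Beaconing heuristic over web-proxy access logs.

Added example, not CTA's code: a minimal 'long-term modeling plus anomaly
detection over WHAT and WHEN' pass in the spirit of the slide. The log format
(the slide's columns with an added timestamp) and every row are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample. Users and hosts echo the slide's illustrative table;
# timestamps are invented. Columns: time | server IP | URL | user | rule action.
SAMPLE_LOG = """\
2016-01-12T08:00:05 | 75.82.2.16 | www.xydsdd.com/ | oskiemk | Blocked
2016-01-12T08:01:10 | 78.84.3.16 | www.xproex.com/ | jsmith | Allow
2016-01-12T08:02:14 | 75.82.2.16 | www.cnn.com/new | pjames | Allow
2016-01-12T08:05:04 | 75.82.2.16 | www.xydsdd.com/ | oskiemk | Blocked
2016-01-12T08:06:30 | 75.82.2.16 | www.seznam.com/ | oskiemk | Allow
2016-01-12T08:10:06 | 75.82.2.16 | www.xydsdd.com/ | oskiemk | Allowed
2016-01-12T08:15:03 | 75.82.2.16 | www.xydsdd.com/ | oskiemk | Blocked
2016-01-12T08:20:07 | 75.82.2.16 | www.xydsdd.com/ | oskiemk | Blocked
2016-01-12T08:21:00 | 75.82.2.16 | www.google.com/ | pjames | Allow
2016-01-12T08:23:45 | 75.82.2.16 | www.google.com/ | pjames | Allow
2016-01-12T08:25:05 | 75.82.2.16 | www.xydsdd.com/ | oskiemk | Blocked
2016-01-12T08:33:41 | 75.82.2.16 | www.google.com/ | jsmith | Allow
2016-01-12T08:51:12 | 75.82.2.16 | www.google.com/ | pjames | Allow
2016-01-12T09:40:03 | 75.82.2.16 | www.google.com/ | pjames | Allow
2016-01-12T09:41:30 | 75.82.2.16 | www.google.com/ | pjames | Allow
"""


def parse_log(text):
    """Parse pipe-separated rows into dicts; 'Blocked' and 'Block' both count as blocked."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, server_ip, url, user, action = (f.strip() for f in line.split("|"))
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "server_ip": server_ip,
            "host": urlsplit("http://" + url).hostname,
            "user": user,
            "blocked": action.lower().startswith("block"),
        })
    return rows


def interval_cv(timestamps):
    """Coefficient of variation of inter-request gaps. Near 0 means clockwork
    timing (typical of an implant polling its C2 host); None if too few gaps."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def beacon_candidates(rows, min_requests=4, max_cv=0.3, max_prevalence=1):
    """Flag (user, host) pairs that look like periodic check-ins to a host
    nobody else in the organisation talks to. The proxy's own verdict is kept
    only as evidence: an endpoint that keeps retrying a Blocked destination is
    the infected machine worth surfacing, even though nothing got through."""
    by_pair = defaultdict(list)
    users_per_host = defaultdict(set)
    for r in rows:
        by_pair[(r["user"], r["host"])].append(r)
        users_per_host[r["host"]].add(r["user"])

    findings = []
    for (user, host), events in by_pair.items():
        if len(events) < min_requests:
            continue
        events.sort(key=lambda r: r["ts"])
        cv = interval_cv([r["ts"] for r in events])
        prevalence = len(users_per_host[host])  # long-term "who else goes there" view
        if cv is None or cv > max_cv or prevalence > max_prevalence:
            continue
        findings.append({
            "user": user,
            "host": host,
            "requests": len(events),
            "blocked": sum(r["blocked"] for r in events),
            "interval_cv": round(cv, 3),
            "prevalence": prevalence,
            "first_seen": events[0]["ts"].isoformat(),
            "last_seen": events[-1]["ts"].isoformat(),
        })
    return findings


if __name__ == "__main__":
    for finding in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run as a script and the only finding is oskiemk contacting www.xydsdd.com every five minutes: six requests, five of them blocked, a host no other user touches. The pjames traffic to www.google.com has enough requests but irregular timing and a second user on the same host, so it stays quiet. In production the per-host prevalence would come from weeks of history rather than one file, which is the long-term modeling the slide refers to.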

  • Cognitive Threat Analytics For CWS, WSA, and External Telemetry
    Input telemetry (web access logs) from web security gateways: Cisco WSA (Web Security Appliance), Cisco CWS (Cloud Web Security), External Telemetry (BlueCoat Sec. Gateway)
    Cloud: Cisco Cognitive Threat Analytics (CTA), providing Breach Detection & Advanced Threat Visibility
    Output: Confirmed Threats, Detected Threats, Threat Alerts
    Consumers at HQ: Incident Response; SIEMs (Splunk, ArcSight, Q1 Radar, ...) via STIX / TAXII API
    Packaging: CTA a-la-carte; ATD bundle = CTA & AMP; WSP bundle = CWS & ATD

  • 2. CTA helps you shorten breach reaction time

  • Malware leads to more malware: Avalanche Effect of a Breach
    If (optimistically) 1% of infections make it through… …then those are leveraged over and over again in an escalating series of malicious operations:
    click fraud, Pony password stealer, data stealer, subsequent targeted mission, ransomware, RAT, malware injection

  • Simplified Integration

  • CTA: Responding To Active Breach
    Components: CTA, IPS, ISE, AMP For Endpoint, SIEM, IT Team
    Phases: Breach Detection, Immediate Reaction, Final Reaction
    Immediate Reaction: swiftness and automation. Goal: disrupt malware channels, avoid immediate risk of data leak.
    Final Reaction: thoroughness and adaptation. Goal: follow breadcrumbs to the root cause, loss estimates, policy updates.

  • Timeline (phases: Breach Detection, Immediate Reaction, Final Reaction)
    10 min, Breach Detection. CTA: C2 Detected, Ongoing Breach
    15 min, Immediate Reaction. ISE: Immediate User Quarantine
    20 min, Immediate Reaction. AMP4E: Immediate C2 Blocking
    20 min, Immediate Reaction. AMP4E: Finding Files Generating C2
    30 min, Immediate Reaction. AMP4E: Unloading Malware (Unknown)
    45 min. Immediate Reaction Done
    • Malware C2 and main modules have been disrupted
    • Infected machines can no longer operate on the network
    • Get some sleep, we still need to do some cleaning…
    1 day, Final Reaction. AMP4E+SIEM Forensics: Root Cause. User mistake? Vulnerable app? New exploit?
    2 days, Final Reaction. Desktop Team: Reimaging Machine
    • Ticket created automatically
    • Infected machine reimaged to prevent reinfection, as malware often has additional modules and hurts machine security in general

  • 3. CTA makes your SIEM intelligent

  • CTA Simplifying SIEM Workflow: CTA is a starting point for investigations
    SIEM Limitation
    • No detection, only forensics
    • Only simple manual correlations, analyst time-intensive
    • Does not generate local security intelligence
    CTA-Enabled SIEM
    • Provides prioritized workflow
    • Detection and visibility of novel and emerging threats
    • Automatic adaptation with continuous detection
    • Localized security intel

  • Building a Security Dashboard With CTA Intel

  • Key Takeaway Messages
    • CTA delivers superior breach detection
    • CTA provides you with web traffic visibility
    • CTA makes your SIEM smarter

  • Q&A

  • Additional Resources

  • External CTA Videos, References, Manuals
    The Business of Malware; CTA Overview by Martin Rehak (co-founder of Cognitive Security)
    • http://slideslive.com/38894173/breaking-the-business-of-malware
    Identify Zero-Day Breaches with CTA on Cisco Web Security by Petr Cernohorsky (Product Mgr)
    • http://www.slideshare.net/CiscoSecurity/identify-zeroday-breaches-with-cognitive-threat-analytics-on-cisco-web-security
    CWS Premium / Cognitive Threat Analytics on Cisco YouTube Channel
    • https://www.youtube.com/watch?v=QFCJgpQOopk
    • https://youtu.be/K-fpDDJLJKs?list=PL6FEA443253B44EC2 (customer reference)
    Manuals on log export from WSA and BlueCoat
    • http://www.cisco.com/c/dam/en/us/td/docs/security/web_security/scancenter/deployment/guide/Configure_WSA_Upload.pdf
    • http://www.cisco.com/c/dam/en/us/td/docs/security/web_security/scancenter/deployment/guide/Configure_Blue_Coat_ProxySG_Upload.pdf


  • CTA Security Blog
    Angler EK detection by Cognitive Threat Analytics (CTA)
    • http://blogs.cisco.com/security/angler-for-beginners
    Fake blogs generating real money
    • http://blogs.cisco.com/security/cognitive-research-fake-blogs-generating-real-money
    Cognitive Research: Learning Detectors of Malicious Network Traffic
    • http://blogs.cisco.com/security/talos/machine-learning-detectors
    Cognitive Threat Analytics: Transparency in Advanced Threat Research
    • http://blogs.cisco.com/security/cognitive-threat-analytics-transparency-in-advanced-threat-research
    Bad Browser Plug-ins Gone Wild: Malvertising, Data Exfiltration, and Malware, Oh my!
    • http://blogs.cisco.com/security/talos/bad-browser-plug-ins
