Cisco 2015 Midyear Security Report & Security Transitions…
Cisco Brazil Security Week 2015

Brian J. Tillett, CCSK, CISSP
Principal & Director, Cisco Security Advisory
Cisco Advanced Services

16SEP15

© 2015 Cisco and/or its affiliates. All rights reserved.

Topics:

•  State of Cybersecurity (abridged) - 2015 Cisco Midyear Security Report

•  Transitions across the Cybersecurity Industry

•  Transitions within Cisco

Changes in Attack Behavior: Speed, Agility, Adaptability, Destruction

Adversaries’ Agility is Their Strength

Constant upgrades increased Angler’s penetration rate to 40%, twice as effective as other exploit kits in 2014. Angler is continually throwing different ‘hooks’ in the water to increase the chances of compromise:

•  Flash vulnerabilities
•  Retargeting
•  Ransomware
•  Encrypted malicious payload
•  Macros
•  Social engineering
•  IP changing
•  Domain shadowing
•  More being developed daily

Result: compromised system.

Security measures: web blocking, IP blocking, retrospective analysis, antivirus, endpoint solutions, email scanning. TTD: time to detection.

Rombertik: malware evolves to not only steal data; if detected, it can destroy the targeted system.

Gain Access
•  Spam
•  Phishing
•  Social engineering

Evade Detection
•  Write random data to memory 960 million times

Extract User Data
•  Deliver user information back to adversaries

Destructive if Modified
•  Destroy master boot record
•  Render computer inoperable on restart

Diagram phase labels: Anti-Analysis, Persistence, Malicious Behavior

Malware on a Global Scale

Malicious actors do not respect country boundaries. Countries with higher block ratios have many Web servers and compromised hosts on networks within their borders.

Block ratio (malware traffic relative to expected traffic) by country:

Hong Kong  6.255
France     4.197
China      4.126
Poland     1.421
Germany    1.277
Brazil     1.135
Japan      1.134
Russia     0.936
Canada     0.863
U.S.       0.760


Reducing Attack Surface & Window of Exposure

The Dilemma: Build, Buy, or Be Left Behind

Attackers Are Exploiting Point Solutions with Increasing Speed

Point solutions deployed around the data: NGIPS, Malware Sandbox, IAM, Antivirus, IDS, Firewall, VPN, Email, NGFW

Time to detection: 200 Days

Threats shown against them:

•  Ransomware: now targeting data
•  Domain Shadowing: on the rise
•  Dridex: 850 unique mutations identified first half 2015
•  Spam
•  Rombertik: evolves to evade and destroy
•  Angler: constantly upgrading and innovating
•  Malvertising: mutating to avoid detection

Only an Integrated Threat Defense Can Keep Pace

Around the data: Visibility, Context, Intelligence, Control, Systemic Response

Reduce time to detection to under 1 Hour

2015 Midyear Security Report: cisco.com/go/msr2015

•  How does an enterprise measure security?

•  How do we make security a competitive advantage and a mission/business enabler, without stifling innovation/progress?

•  How do we get ahead of our adversaries?

Ongoing Transitions within Cybersecurity:

The diagram pairs the evolution of automotive safety features with that of cybersecurity controls (labels as extracted):

Automotive: Seatbelts, Airbags, Traction Control, Stability Control, Antilock Braking System, Back-up Camera, Collision Avoidance, Onboard Diagnostics, GPS, Lane Departure Warning, Driving Assistant, Connected Highways

Cybersecurity: Antivirus, Firewalls, Intrusion Detection, Antispyware, Intrusion Prevention, Heuristic Analysis, Behavior Analysis, System Integrity, Access Control, Data Loss Prevention, Identity Control, Sandboxing

Other diagram labels: Internet, Volkswagen, defense, offense

Ongoing Transitions within Cisco: Momentum in Security

•  Sourcefire Acquisition
•  Cognitive Acquisition
•  Cisco Security Advisory
•  AMP Everywhere & FirePOWER
•  ThreatGRID Acquisition
•  Active Threat Analytics
•  OpenDNS

Cisco Security Services Portfolio

Advisory

Internet of Everything Security
•  IoE Value Chain Assessment
•  IoE Application Assessment
•  IoE Device Assessment

Application Security
•  Secure Application Design
•  Application Assessment
•  Enterprise SDLC

Mobile & Cloud Security
•  Mobile App & Device Assessment
•  Cloud Strategy & Architecture
•  Cloud Application Assessment

Strategy, Risk, & Programs
•  IT Governance
•  Security Strategy & Policy
•  IT Risk Assessment
•  3rd Party Risk Program
•  Security Program Development
•  Identity & Access Management
•  Incident Readiness & Response

Compliance
•  PCI DSS & PA DSS Assessment
•  ISO 27001 / 27002
•  HIPAA

Infrastructure Security
•  Network Architecture Assessment
•  Red Team Exercises
•  Penetration Testing
•  Social Engineering
•  SOC Enablement

Integration
•  Cisco Build Services
•  Security Readiness
•  Design, Development, Implementation
•  SOC Build & Integration Assessment
•  Test Plan Development & Execution
•  Device Assessment
•  Validation and Testing
•  Kick Start Deployment

Optimization
•  Custom Reporting
•  Cross Integration
•  Performance Tuning
•  Optimization Service

Managed Services

Remote Managed
•  Device Health & Welfare
•  Security Control Management
•  Security Event Monitoring
•  Collective Security Intelligence

Active Threat Analytics
•  Advanced Threat Detection & Triage
•  Anomaly Detection
•  Customer-Specific Mitigation
•  Collective Security Intelligence

Service lifecycle labels: Program Strategy, Architecture & Design, Assessments, Integration, Migration, Optimization, Product Support, Hosted Security, Managed Security

Core Security Service Areas

Advisory
•  Custom Threat Intelligence
•  Strategy, Assessments, Incident Response

Integration
•  Integration Services
•  Security Optimization Services

Managed
•  Active Threat Analytics
•  Remote Managed Services & Operations


Integration Services

Cisco delivers: Plan, Design, Implement; Subject Matter Expertise; Migration; Optimization

Services:
•  Cisco Build Services
•  Security Readiness
•  Security Design, Development, Implementation
•  Security Test Plan and Execution
•  Security Knowledge Transfer
•  Security Device Assessment
•  Security Validation and Testing
•  Security Kickstart Deployment
•  Security Custom Reporting
•  Security Cross Integration Implementation
•  Security Performance Tuning
•  Security Optimization Service



Cisco Security Program Areas of Analysis

Cisco Security Capability Maturity Model

Level 1 – Initial (ad hoc processes)
•  Immature or inconsistent policies and procedures
•  Various degrees of defined processes
•  Unpredictable or unstable environment
•  Inconsistent buy-in across the enterprise
•  Processes abandoned at time of crisis
•  Projects frequently exceed budget or are not fully completed
•  Insufficient measurement of risk
•  Business objective alignment is not established
•  Inconsistent use of technology
•  Undefined enterprise architecture model
•  Lack of strategic planning
•  Undefined roles and responsibilities
•  Minimal senior management involvement in IT risk management

Level 2 – Repeatable (formal processes)
•  Policies and procedures have been implemented
•  Project-specific processes are documented, practiced, and enforced
•  Unique reporting and measurement at project level
•  Processes followed during crisis
•  Compliance program being established
•  Adoption of technology standards
•  Target enterprise architecture model is defined
•  Enterprise architecture is being implemented at the component level
•  Governance approach is being formalized
•  Procurement based on specific requirements
•  Varied adherence to architecture standards
•  Defined roles and responsibilities for IT risk management organization
•  Senior management is educated on IT risk management

Level 3 – Defined (pervasive processes)
•  Responsibilities defined enterprise-wide
•  Enterprise-wide implementation of defined processes
•  Consistent reporting and defined measurement
•  Crisis predictable and minimized
•  Proactive exception management
•  Compliance program is effective
•  Enterprise standards leveraged for all projects
•  Target enterprise architecture model is implemented
•  Initial alignment with business processes
•  Acquisitions and purchases governed by enterprise architecture model
•  Qualitative measurement of performance
•  Senior management commitment

Level 4 – Managed (effective processes)
•  Measured effectiveness of IT risk organization
•  Processes are adaptable based on scope/risk
•  Defined metrics and measurement
•  Quantitative predictability of performance
•  Explicit adherence to standards across the enterprise
•  Pervasive deployment and integration of enterprise architecture model
•  Benefits of target architecture model are realized
•  Alignment with business objectives
•  Risk management used as an enabler to business processes
•  Planned IT acquisition and investment
•  Senior management involvement

Level 5 – Optimized (refined processes)
•  Accountability for IT risk organization
•  Processes are continually improved
•  Measured and increased ROI
•  Decreased operating expenses
•  Process feedback incorporated
•  Business processes reengineered for efficiency and savings
•  Ability to perform risk modeling
•  Established business linkage
•  Risk management enablers provide an increase in top line revenue
•  No unplanned IT investment
•  Alignment with corporate strategic plan

Deliverable Graphic Examples: Current State vs. Target State (+ full description report on gaps, deficiencies, and paths to overcome)

Both charts (Current State - Example and Target State - Example) score the same control areas:

Management Controls: Security Governance, Policy Management, Compliance Management, Risk Management, Security Strategy, Security Architecture, Metrics and Measurement

Operational Controls: Patch Management, Vulnerability Management, Asset Management, Security Monitoring, Incident Management, Continuity of Operations, Identity and Access Management, 3rd Party Management, Systems Development Lifecycle, Information Management, Change Management

Technical Controls: Network Security, Wireless Security, Host Security, Endpoint Security, Application Security, Data Security, Database Security

Joint SPA & NDSA Recommendation Prioritization

Prioritization helps Security Ops management address the recommendations based on criticality and ease of implementation.

Intel Driven Incident Response

Intelligence Powered by Talos™: 100 TB intelligence, 1.6M sensors, 150 million+ endpoints, 35% of email worldwide, FireAMP™ 3+ million, 13B web requests, Open Source Communities, 180,000+ files per day, 1B SBRS queries per day, Talos Research and Outreach

Response Custom Tiers

Emergency
•  Rapid Response
•  Incident Coordination & Investigation
•  Breach Containment & Recovery

Readiness
•  Established IR Engagement Process
•  Threat & Incident Reviews
•  Rate Relief

Custom
•  Proactive Threat Hunting
•  Intel / IR / SOC Build-outs
•  Custom Training

Remediation Post Breach
•  Kill Chain Review
•  Attack Vector Evaluation
•  Threat Actor Landscaping
•  Policy Review & Overhaul
•  Application Penetration Testing
•  Direct Access to Cisco’s Elite CCIEs
•  Future Partnerships for Remediation: Microsoft, Red Hat, More…

Custom Threat Intelligence

Network Traffic Analysis (CTI) & Traditional Perimeter Protection

Adversary tactics listed on the slide:

•  Know the “blind spots”
•  Utilize “zero day” attacks
•  Test against their copies of the latest detection/prevention technology to ensure they are not detected
•  Hardware modifications & firmware injection – visible only to traffic flows
•  Strive to make their exfiltration look like normal traffic
•  Use different exfiltration networks for each major target
•  Make compromises persistent
•  Implement “self delete” when discovered

Need for comprehensive threat visibility.

CTI cycle: INSTRUMENT, IDENTIFY, REMEDIATE, MEASURE
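As an added example (not Cisco or OpenSOC code) of the network traffic analysis the slide argues for, the check below looks for exfiltration dressed up as ordinary traffic: per internal host, it flags a never-before-seen external peer that receives a large, upload-heavy transfer relative to the host's own daily baseline, while a known peer such as a backup server is not flagged on volume alone. The flow records, the 10.0.0.0/8 internal range and the thresholds are constructed assumptions.

```python
# Added example (not Cisco or OpenSOC code): NetFlow-style check for exfiltration
# hidden in ordinary traffic. FLOWS, INTERNAL_NET and the thresholds are constructed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed unidirectional flow records: (day, src_ip, dst_ip, bytes).
FLOWS = [
    # days 1-2: 10.1.1.5 browses (download-heavy); 10.1.1.9 pushes a nightly backup
    (1, "10.1.1.5", "203.0.113.10", 50_000), (1, "203.0.113.10", "10.1.1.5", 900_000),
    (1, "10.1.1.9", "203.0.113.20", 30_000_000), (1, "203.0.113.20", "10.1.1.9", 10_000),
    (2, "10.1.1.5", "203.0.113.10", 60_000), (2, "203.0.113.10", "10.1.1.5", 850_000),
    (2, "10.1.1.9", "203.0.113.20", 31_000_000), (2, "203.0.113.20", "10.1.1.9", 12_000),
    # day 3: the usual traffic plus a large upload from 10.1.1.5 to a never-seen peer
    (3, "10.1.1.5", "203.0.113.10", 55_000), (3, "203.0.113.10", "10.1.1.5", 880_000),
    (3, "10.1.1.9", "203.0.113.20", 29_000_000), (3, "203.0.113.20", "10.1.1.9", 11_000),
    (3, "10.1.1.5", "198.51.100.77", 40_000_000), (3, "198.51.100.77", "10.1.1.5", 20_000),
]

def aggregate(flows):
    """Sum bytes per (day, internal host, external peer) as [bytes_out, bytes_in]."""
    agg = defaultdict(lambda: [0, 0])
    for day, src, dst, nbytes in flows:
        src_in, dst_in = ip_address(src) in INTERNAL_NET, ip_address(dst) in INTERNAL_NET
        if src_in and not dst_in:
            agg[(day, src, dst)][0] += nbytes  # outbound
        elif dst_in and not src_in:
            agg[(day, dst, src)][1] += nbytes  # inbound
    return agg

def find_suspect_uploads(flows, today, ratio=10.0, volume=5.0):
    """Flag (host, peer) pairs on `today` where the peer is new for that host, the
    transfer is upload-heavy (out/in > ratio) and larger than `volume` times the
    host's average daily outbound over the earlier days (the baseline)."""
    agg = aggregate(flows)
    seen = defaultdict(set)                            # host -> peers contacted before today
    daily_out = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes out
    for (day, host, peer), (out, _) in agg.items():
        if day < today:
            seen[host].add(peer)
            daily_out[host][day] += out
    findings = []
    for (day, host, peer), (out, inn) in agg.items():
        if day != today or peer in seen[host]:
            continue  # known peer (e.g. the backup server): not flagged on volume alone
        baseline = sum(daily_out[host].values()) / max(1, len(daily_out[host]))
        if out > ratio * max(inn, 1) and out > volume * baseline:
            findings.append({"host": host, "peer": peer, "bytes_out": out, "bytes_in": inn})
    return findings
```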


ATA: A Comprehensive Threat Solution

Architecture diagram labels: network zones DMZ, Users and Data Center, each instrumented with a Netflow Collector and Identity Mgmt.; Malware Analysis; Web Security; Email Security; ASA with FIREPOWER; Cisco Cloud Security; Internet; Mobile Endpoints Anywhere / Anytime; Talos.

Cisco Active Threat Analytics components: ThreatGRID, FirePower, Full Packet, Cognitive, Malware Analysis, Application Exhaust

Use Case: Customer Statistics for Two-Week Timeframe

Security events: 269,808 (207,992 threat intel sourced + 61,816 telemetry generated)
Unique events: 113,713
High fidelity events: 1,710
Post-investigation incidents/tickets: 71

Roughly 20,000 events/day reduced to 5 ranked & prioritized incidents/day
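The event funnel on this slide (security events, unique events, high fidelity events, ranked incidents) as an added example, not Cisco's ATA implementation: it deduplicates raw events, scores fidelity from threat-intel confidence, corroborates with telemetry on the same host, and returns the top-ranked incidents. The events, the indicator list and the scoring weights are constructed assumptions.

```python
# Added example (not Cisco code): a triage funnel from raw security events to
# ranked incidents. THREAT_INTEL, EVENTS and the scoring weights are constructed.
from collections import defaultdict

# Constructed threat-intel indicators: indicator -> confidence (0..1).
THREAT_INTEL = {"198.51.100.7": 0.9, "evil.example": 0.8, "203.0.113.5": 0.4}

# Constructed raw events; the same observation is often reported more than once.
EVENTS = [
    {"host": "ws-17", "sig": "c2-beacon", "ioc": "198.51.100.7", "src": "intel"},
    {"host": "ws-17", "sig": "c2-beacon", "ioc": "198.51.100.7", "src": "intel"},
    {"host": "ws-17", "sig": "new-service-installed", "ioc": None, "src": "telemetry"},
    {"host": "db-02", "sig": "port-scan", "ioc": "203.0.113.5", "src": "intel"},
    {"host": "ws-42", "sig": "dns-lookup", "ioc": "evil.example", "src": "intel"},
    {"host": "ws-42", "sig": "dns-lookup", "ioc": "evil.example", "src": "intel"},
    {"host": "ws-99", "sig": "failed-login", "ioc": None, "src": "telemetry"},
]

def dedupe(events):
    """Collapse repeats of one (host, signature, indicator) into a unique event with a hit count."""
    unique = {}
    for e in events:
        key = (e["host"], e["sig"], e["ioc"])
        unique.setdefault(key, dict(e, count=0))["count"] += 1
    return list(unique.values())

def fidelity(event):
    """0..1 score: intel-backed events inherit indicator confidence, telemetry-only
    events start low; repeated hits of the same event add a little weight."""
    base = THREAT_INTEL.get(event["ioc"], 0.2)
    return min(1.0, base + 0.05 * (event["count"] - 1))

def build_incidents(events, high_fidelity=0.5, top_n=5):
    """Group unique events by host, keep hosts with high-fidelity evidence, rank by score."""
    per_host = defaultdict(list)
    for e in dedupe(events):
        per_host[e["host"]].append(e)
    incidents = []
    for host, evs in per_host.items():
        best = max(fidelity(e) for e in evs)
        if best < high_fidelity:
            continue  # noise: nothing high-fidelity on this host
        # telemetry on the same host corroborates an intel hit: bump the score
        corroborated = len(evs) > 1 and any(e["src"] == "telemetry" for e in evs)
        score = round(best + (0.1 if corroborated else 0.0), 2)
        incidents.append({"host": host, "score": score, "events": len(evs)})
    incidents.sort(key=lambda i: (-i["score"], i["host"]))
    return incidents[:top_n]
```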

OpenSOC Framework (Sources, Data Collection, Messaging Broker, Real-Time Processing, Storage, Access)

Telemetry Sources: NetFlow, Machine Exhaust, HTTP, Other; PCAP via Passive Tap and Traffic Replicator

Data Collection: Flume (Agent A, Agent B, Agent N)

Messaging Broker: Kafka (A Topic, B Topic, N Topic, PCAP Topic, DPI Topic)

Real-Time Processing: Storm (A Topology, B Topology, N Topology, PCAP Topology, DPI Topology)

Storage: Hive (Raw Data, ORC), Elasticsearch (Index), HBase (Packet Table)

Access: Analytic Tools (Tableau, R / Python, Power Pivot), Web Services, Search, PCAP Reconstruction


https://github.com/OpenSOC

Thank you!