Cisco Security: Architecture, Visibility and AI in Defending Against Cyber Threats. Eutimio Fernández, eutferna@cisco.com. Are you concerned about cybersecurity?


1 Cisco Security: Architecture, Visibility and AI in Defending Against Cyber Threats
Eutimio Fernández. Are you concerned about cybersecurity?

2 Digital Disruption, Massive Scale
Changing business models: 50B devices connected by 2020, a $19T opportunity. Dynamic threat landscape: active adversaries, a growing attack surface, more threat actors, greater attack sophistication. Complexity and fragmentation: a rapidly expanding number of security companies whose products are not interoperable and not open. These are the security challenges.

Right now, your priority is your business. You're buying new technology, investing in new infrastructure and most likely trying to adapt to changing business models like cloud. It's all good stuff, but it takes hard work. At the same time, the people who work on the bad side of the malware industry are working just as hard. Why do they do this? Because it's worth the money. The hacker economy works just like ours: everything has a price. A Social Security number or a credit card number is actually only worth about fifty cents to a dollar. But bank account information or medical insurance numbers go for $1000 each. Hackers desperately want access to your customer data, employee data and IP because it's worth a lot. One theft of a million customer cards or billing accounts is serious money. And sometimes, in the case of ransomware, all they have to do is lock it down and force you to pay to get it back. Why do we use fancy terms like "Dynamic Threat Landscape"? Because you aren't facing a group of hacktivists in a basement anymore; the scale of the malware industry is massive. To deal with this landscape, people install new security solutions like it's going out of style. You can see it in the market: new security companies are popping up everywhere, each selling their own twist on security. Unfortunately, most of it is snake oil, injecting complexity and fragmentation. Before you know it, you have 70, 80, even 90 vendors inside your environment, and each one of those vendors gave you a compelling argument for their product. 90 vendors means gaps between security products. Nobody can manage effectively at that scale, but we see companies trying to do just that all the time.

3 Complexity managing events
79% of CISOs (5% more than in 2018) consider it complex or very complex to manage events from multiple security vendors.

Let's start with the main global findings, and then look at the results for Spain. Eight in ten CISOs (79%) find it complicated or very complicated to manage security alerts coming from multiple vendors. This figure has risen since last year (74%). Having solutions from too many vendors hinders the ability to respond to the volume of alerts received. 65% find it difficult to determine the scope of an attack, contain it and remediate it. Many unknown threats can thus go unnoticed.

4 Consolidation of Security Infrastructures
In 2018, 54% had solutions from 10 or fewer vendors - in % of them.

Faced with this challenge, organizations are consolidating their environments, opting for fewer vendors. The reason is that most of the time these multiple solutions are not integrated with each other and do not coordinate their alerts. The study shows that CISOs with fewer point solutions can manage alerts better through an integrated architecture approach.

5 Network threats are getting smarter
Motivated and targeted adversaries: increased attack sophistication, state sponsored, financial/espionage motives, a $1T cybercrime market. Insider threats: compromised credentials, disgruntled employees, admin/privileged accounts. Advanced persistent threats: encrypted malware, zero-day exploits. Industry average detection time for a breach; industry average time to contain a breach; average cost of a data breach.

Our user/admin credentials get compromised, and the attackers can be doing anything. How long does it take us to notice? More than 100 days. To remediate? More than 60 days.

6 Superior Threat Intelligence
Continually updated by our full security architecture: Radware DDoS, URL, network analysis, threats, identity and NAC, DNS, firewall. Visibility: 250+ full-time threat intel researchers; 20 billion threats blocked daily; 1.5 million daily malware samples; millions of telemetry agents; 600 billion daily messages; 4 global data centers; 16 billion daily web requests; 24x7x365 operations; over 100 threat intelligence partners.

7 Network Security
Visibility, "See Everything": complete visibility of users, devices, networks, applications, workloads and processes. Segmentation, "Reduce the Attack Surface": prevent attackers from moving laterally (east-west) with application whitelisting and micro-segmentation. Threat protection, "Stop the Breach": quickly detect, block, and respond to attacks before hackers can steal data or disrupt operations.

8 Cisco Network as a Sensor/Enforcer
NGNAC (Cisco ISE), between the Internet and the workplace desktops: full endpoint visibility, seeing and sharing endpoint context (identity (user/machine), OS, application, risk, location...); full network control through dynamic micro-segmentation; rapid threat containment to stop attacks immediately. Architect your Zero Trust network.

9 Cisco Network as a Sensor/Enforcer
NBA (Cisco Stealthwatch), alongside NGNAC (Cisco ISE): extend network visibility and remove blind spots; speed up incident response; long-term analytics and forensics; Encrypted Traffic Analytics to detect malware without decrypting. Continuously monitor your trusted ecosystem.

10 NetFlow Visibility
Switches and routers export flow information about the packets they forward to and from the Internet. Fields in a flow record: source address, destination address, source port (47321), destination port (443), interface (Gi0/0/0), IP TOS (0x00), IP protocol (6), next hop, TCP flags (0x1A), source SGT (100), application name (NBAR: SECURE-HTTP).

NetFlow provides: a trace of every conversation in your network; the ability to collect records everywhere in your network (switch, router, or firewall); network usage measurements; the ability to find north-south as well as east-west communication.

NetFlow is the main data source used in Stealthwatch, and is essentially the "truth" about what is going on in your network. A flow represents accounting and statistical information about traffic that is traversing a network device. The flow information is stored on the device for a period of time that ends either when the flow closes or on a timeout. The flow information is then exported as a flow record to a collector. A flow record contains information (metadata) about the traffic that traverses a network device, such as source, destination, packet counts, byte counts, TCP flags, etc.

11 What's in a Flow Record?
Who, what, when, where, how. Highly scalable (enterprise-class) collection; high compression means long-term storage, with months of data retention.

The key to gaining visibility into your network is NetFlow. NetFlow is a transactional record of all activity observed on a network device; think of it as a cell phone record of the activity occurring on your network. Stealthwatch takes in all the observed traffic information from NetFlow-capable exporters, stitches together and dedupes all of this data, and creates conversational flow records for the observed activity. NetFlow is an extremely efficient means of monitoring activity on a network. It is metadata, so it compresses extremely well, allowing months of activity to be logged for IR and forensic activities.
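To make the stitching and deduplication described above concrete, here is an added Python example (not Stealthwatch code) that collapses copies of the same unidirectional flow reported by two exporters and merges the two directions into one conversational record; the sample records and the lower-port-is-server heuristic are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional NetFlow record as exported by one device."""
    exporter: str
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # 6 = TCP, as on the slide
    packets: int
    bytes: int
    tcp_flags: int  # e.g. 0x1A = ACK|PSH|SYN

def stitch(records):
    """Dedupe multi-exporter copies of each unidirectional flow, then merge
    both directions into one conversational record keyed client->server."""
    # 1. Dedupe: a switch and a router often both export the same flow.
    #    Keep the largest observation per unidirectional key, never the sum.
    best, exporters = {}, {}
    for r in records:
        key = (r.src, r.dst, r.sport, r.dport, r.proto)
        exporters.setdefault(key, set()).add(r.exporter)
        if key not in best or r.bytes > best[key].bytes:
            best[key] = r
    # 2. Pair directions. Assumption (constructed heuristic): the side on the
    #    higher, ephemeral port is the client; the lower port is the service.
    convs = {}
    for key, r in best.items():
        if r.sport > r.dport:
            ckey, side = (r.src, r.sport, r.dst, r.dport, r.proto), "client"
        else:
            ckey, side = (r.dst, r.dport, r.src, r.sport, r.proto), "server"
        c = convs.setdefault(ckey, {
            "client": ckey[0], "server": ckey[2], "server_port": ckey[3],
            "proto": ckey[4], "client_bytes": 0, "server_bytes": 0,
            "client_packets": 0, "server_packets": 0, "tcp_flags": 0,
            "exporters": set()})
        c[side + "_bytes"] += r.bytes
        c[side + "_packets"] += r.packets
        c["tcp_flags"] |= r.tcp_flags   # union of flags seen in both directions
        c["exporters"] |= exporters[key]
    return list(convs.values())

# Constructed sample: one HTTPS session (47321 -> 443, as on the slide)
# reported by both a switch and a router, in both directions.
SAMPLE = [
    FlowRecord("switch-1", "10.1.1.10", "203.0.113.5", 47321, 443, 6, 12, 1800, 0x1A),
    FlowRecord("router-1", "10.1.1.10", "203.0.113.5", 47321, 443, 6, 12, 1800, 0x1A),
    FlowRecord("switch-1", "203.0.113.5", "10.1.1.10", 443, 47321, 6, 15, 24000, 0x18),
    FlowRecord("router-1", "203.0.113.5", "10.1.1.10", 443, 47321, 6, 15, 24000, 0x18),
]

if __name__ == "__main__":
    for conv in stitch(SAMPLE):
        print(conv)
```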

12 COLLECT AND ANALYZE FLOWS
Behavioral and anomaly detection model: behavioral algorithms are applied to build "security events" (94+), which feed alarm categories and responses. Example security events: Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, ICMP Flood, Max Flows Initiated, Max Flows Served, Suspect Long Flow, Suspect UDP Activity, SYN Flood. Alarm categories: Concern, Recon, C&C, Exploitation, Data hoarding, Exfiltration, DDoS target. Responses: alarm table, host snapshot, syslog / SIEM, mitigation.

Once Stealthwatch has been configured and host groups are defined, it can begin building a database of NetFlow data and forming a baseline of expected network traffic and activity, as well as a historical record of observed traffic. Stealthwatch has an extensive network behaviour and anomaly detection engine. Behaviour detection requires an understanding of known bad behaviour; anomaly detection identifies a change from "normal". The Stealthwatch security model: security events are composed of algorithms that analyze flows and activity looking for certain patterns, over 94 algorithms in all. Events feed into high-level alarm categories, which can generate an alarm; some security events can alarm on their own. An alarm can have an associated response, such as a notification in the alarm table or a syslog message to a SIEM. The NetFlow database can be used for three high-level use cases: asset discovery (what is happening on our network); identifying indicators of compromise (using policy monitoring or network behaviour and anomaly detection methodologies); and incident response (leveraging the historical database for an audit trail of a host's or user's behaviour over time). In addition to the behavioral analytics that can be performed against the observed activity, you can also quickly leverage this visibility to discern whether you have hosts violating policy and communicating across established boundaries. This allows the investigation of mitigation scenarios to properly segment and control traffic. By using NetFlow and analytics, Stealthwatch can provide pervasive network visibility and security for improved threat defense and incident response, providing you with the data that you need to get detailed context into what's happening on the network. This is all well and good for your local networks, but what about the cloud?
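As an added illustration of how security events feed alarm categories (example code, not the Stealthwatch engine), two simplified detectors, Addr_Scan and Beaconing Host, run over constructed conversational flow records; the thresholds and the flow dict layout are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def addr_scan(flows, min_targets=20, max_bytes=200):
    """Recon event: one client touches many distinct servers with tiny flows.
    Returns {client: number_of_distinct_targets} for clients over threshold."""
    targets = defaultdict(set)
    for f in flows:
        if f["client_bytes"] + f["server_bytes"] <= max_bytes:
            targets[f["client"]].add(f["server"])
    return {c: len(t) for c, t in targets.items() if len(t) >= min_targets}

def beaconing(flows, min_hits=6, max_jitter=0.1):
    """C&C event: one client->server pair contacted at near-constant intervals.
    Returns {(client, server): mean_interval_seconds} for regular pairs."""
    starts = defaultdict(list)
    for f in flows:
        starts[(f["client"], f["server"])].append(f["start"])
    hits = {}
    for pair, ts in starts.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):   # low jitter = beacon
            hits[pair] = round(mean(gaps))
    return hits

def alarm_categories(flows):
    """Map the two security events onto the slide's alarm categories."""
    alarms = []
    for client, n in addr_scan(flows).items():
        alarms.append(("Recon", "Addr_Scan/tcp", client, f"{n} targets"))
    for (client, server), gap in beaconing(flows).items():
        alarms.append(("C&C", "Beaconing Host", client, f"{server} every {gap}s"))
    return alarms

def _flow(client, server, start, client_bytes, server_bytes=0):
    return {"client": client, "server": server, "start": start,
            "client_bytes": client_bytes, "server_bytes": server_bytes}

# Constructed conversational flows: a host sweeping 40 addresses, a host
# calling one server every ~300 s (jittered by 3 s), and normal browsing.
SAMPLE = [_flow("10.1.1.99", f"10.1.2.{i}", 1000 + i, 60) for i in range(1, 41)]
SAMPLE += [_flow("10.1.1.10", "198.51.100.7", 2000 + 300 * k + 3 * (k % 2), 400, 1200)
           for k in range(8)]
SAMPLE += [_flow("10.1.1.20", "203.0.113.5", 3000 + t, 1800, 24000) for t in (0, 17, 450, 2300)]

if __name__ == "__main__":
    for alarm in alarm_categories(SAMPLE):
        print(alarm)
```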

13 Malicious Binaries and Encryption
Attackers embrace encryption to conceal command-and-control activity. Global encrypted web traffic: 38% in November 2016, 50% in October 2017 (a 12% increase). Malicious sandbox binaries with encryption: 19% in November 2016, 70% in October 2017 (a 268% increase).

Cisco threat researchers report that 50 percent of global web traffic was encrypted as of October 2017. That is about a 12-point increase in volume from November 2016. One factor driving that increase is the availability of low-cost or free SSL certificates. Another is Google Chrome's stepped-up practice of flagging unencrypted websites that handle sensitive information, like customers' credit card information, as "non-secure." Businesses are motivated to comply with Google's HTTPS encryption requirement unless they want to risk a potentially significant drop in their Google search page rankings. As the volume of encrypted global web traffic grows, adversaries appear to be widening their embrace of encryption as a tool for concealing their C2 activity. Cisco threat researchers observed a more than threefold increase in encrypted network communication used by inspected malware samples over a 12-month period. Our analysis of more than 400,000 malicious binaries found that about 70 percent had used at least some encryption as of October 2017. We see more and more malware using encrypted traffic in its communication, but we are not stating that this is the only traffic, or that at this point encryption is necessary for the malware to be detected. It does not mean that they communicated only over encryption; a still significant part of the communication may be unencrypted. While it seems that before, most malicious binaries used solely unencrypted communication, this is no longer the case. Previously, since all the communication was unencrypted, it was easier to analyze and model the malware communication. Now, to fully understand the malware communication we also need to understand the encrypted portion.

14 Cisco Network as a Sensor/Enforcer
Cisco Stealthwatch (NBA), Encrypted Traffic Analytics: in experiments based on real-world data, Cisco was able to achieve over 99% accuracy with 0.01% false positives (only 1 false positive for every 10,000 TLS connections seen).

15 Cloud Security
Cisco Security Architecture. eutferna@.com. Are you concerned about cybersecurity?

16 Where Do You Enforce Security?
Layers between the Internet (malware, C2/botnets, phishing) and the target: first layer, DNS; mid layer, at the perimeter, sandbox, proxy, NGFW, NetFlow and router/UTM AV; last layer, AV on the endpoint. Benefits: alerts reduced 2-10x, which improves your SIEM; traffic and payloads never reach the target; provision globally in under 30 minutes. Challenges: too many alerts via appliances and AV; waiting until payloads reach the target; too much time to deploy everywhere.

Think about where you enforce security today. You probably have a range of products in your security stack to protect your network and endpoints, whether at your corporate headquarters, branch offices, or on roaming endpoints. And of course you can block malware on your network and endpoints, but why wait until malware reaches the enterprise when you can block threats out on the Internet? There are many ways that malware can get in, which is why it's important to have multiple layers of security. But if you consider how malware is often downloaded, how phishing attacks work and how malware exfiltrates data, it often happens on the Internet. DNS is a foundational component of how the Internet works and is used by every device in the network. Way before a malware file is downloaded, or before an IP connection over any port or any protocol is even established, there's a DNS request. And that's where OpenDNS enforces security. OpenDNS Umbrella can be the first layer of defense against threats by preventing devices from connecting to malicious or likely malicious sites in the first place, which significantly reduces the chance of malware getting to your network or endpoints.

17 Built into the foundation of the internet
Enforcement: internet traffic, on- and off-network, is subject to DNS and IP enforcement, with risky URL inspection through the intelligent proxy (deeper inspection, SSL decryption available). Safe requests go to their original destinations; blocked requests go to a modified destination (the block page).

Umbrella provides enforcement without delay. Umbrella uses DNS to enforce security, but how does this work? When Umbrella receives a DNS request, it first identifies which customer the request came from and which policy to apply. Next, Umbrella determines whether the request is safe or whitelisted, malicious or blacklisted, or risky or unknown. For safe requests, we route the connection as usual; for malicious requests, we route the connection to a block page; for unknown or risky requests, we route the connection to our cloud-based proxy for deeper inspection. Additionally, all requests are logged globally and immediately visible for your security teams to take action. Proxy: it's important to note that traditional web proxies examine all internet requests, which adds latency and complexity for their users. But because Umbrella sends only the potentially malicious or suspicious domains for review, users don't experience the same performance issues.

18 Intelligence: Co-occurrence model
Domains guilty by inference. The slide's timeline (time-, time+) places a.com, b.com and c.com before the known malicious domain x.com and d.com, e.com and f.com after it; the nearest neighbours, c.com and d.com, are marked as possible malicious domains. Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.

Whenever someone makes a DNS request, the co-occurrence rank model identifies what other domains are queried right before and after in a short timeframe. Identifying domains that have high co-occurrence scores can highlight a connection between domains, regardless of what IP or network they're hosted on. For example, if the two domains "c.com" and "d.com" are frequently visited right before or after the malicious domain "x.com", this may mean that "c.com" and "d.com" are possibly malicious domains as well: they are domains guilty by inference. And what does that mean in the larger scope? If customers use our Investigate product, in the event of an attack, security analysts are able to piece together the malicious domains that are all tied to the same attack and get the most complete view of an attacker's internet infrastructure. Co-occurrences even enable analysts to stay ahead of attackers and proactively block additional related (and suspicious) domains before their network is compromised.
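The scoring idea above, as an added Python example that is not the Umbrella model itself: it reads a constructed DNS query log, counts how many distinct identities queried each domain within a short window of a query to the known malicious domain, and flags the ones that cross an identity threshold; the window, the threshold and the log format are assumptions.

```python
from collections import defaultdict

# Constructed DNS query log: "<unix_time> <identity> <domain>", one query per line.
LOG = """\
1000 id-1 a.com
1200 id-1 c.com
1202 id-1 x.com
1203 id-1 d.com
1300 id-2 c.com
1301 id-2 x.com
1304 id-2 d.com
1400 id-3 x.com
1401 id-3 c.com
1402 id-3 d.com
1403 id-3 b.com
1500 id-4 c.com
1501 id-4 d.com
1502 id-4 x.com
1600 id-5 e.com
1650 id-5 x.com
1660 id-5 f.com
"""

def parse(log):
    """Turn the log into (timestamp, identity, domain) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, ident, domain = line.split()
        events.append((int(ts), ident, domain))
    return events

def co_occurrence(events, malicious, window=5):
    """Score each domain by the number of distinct identities that queried it
    within `window` seconds before or after querying `malicious`."""
    by_identity = defaultdict(list)
    for ts, ident, domain in events:
        by_identity[ident].append((ts, domain))
    voters = defaultdict(set)
    for ident, queries in by_identity.items():
        queries.sort()
        hits = [ts for ts, d in queries if d == malicious]
        for ts, d in queries:
            if d != malicious and any(abs(ts - h) <= window for h in hits):
                voters[d].add(ident)          # one vote per identity, not per query
    return {d: len(ids) for d, ids in voters.items()}

def guilty_by_inference(events, malicious, min_identities=3, window=5):
    """Domains whose co-occurrence with `malicious` crosses the identity threshold."""
    scores = co_occurrence(events, malicious, window)
    return sorted(d for d, n in scores.items() if n >= min_identities)

if __name__ == "__main__":
    ev = parse(LOG)
    print(co_occurrence(ev, "x.com"))
    print(guilty_by_inference(ev, "x.com"))
```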

19 Intelligence: Spike rank model
Patterns of guilt: DGA, malware, exploit kit, phishing. Plotting DNS requests to y.com over days: a massive amount of DNS request volume data is gathered and analyzed; the DNS request volume matches a known exploit kit pattern and predicts a future attack, so y.com is blocked before it can launch the full attack.

We've mentioned that Cisco Umbrella resolves close to 80B DNS requests per day. Spike Rank leverages that massive amount of DNS request volume data and detects domains that have spikes in their DNS request patterns using sound wave graphing. This model recognizes when spikes in traffic to a domain match patterns seen with other attacks. For example, if the traffic to one domain matches the request patterns seen with exploit kits, we'll block the domain before the full attack launches.

20 Predictive IP Space Monitoring
Guilt by association: pinpoint suspicious domains and observe their IP's fingerprint; identify other IPs, hosted on the same server, that share the same fingerprint; block those suspicious IPs and any related domains.

Predictive IP Space Monitoring takes a suspicious domain from Spike Rank and observes its IP's open ports, running services and OS versions, otherwise known as the "IP's fingerprint". The model then closely analyzes all of the IPs hosted on the same server, identifying any other IPs that share the same malicious fingerprint. For the IPs that share the same fingerprint, we can flag them with high confidence as malicious, and then quarantine or block the IPs and their malicious domains, even the domains that have yet to be created. This essentially provides predictive security and protection against emergent threats.

21 Cloud-Delivered Firewall
Cisco Umbrella overview (SIG): cloud-delivered firewall, web controls, SaaS usage controls, safe DNS resolution, correlated threat intelligence. The easiest way to protect all of your users and endpoints in minutes.

22 Conclusions
You cannot protect what you cannot see (and understand). Visibility is key to identifying and putting in place security measures correctly. Understanding behavior is key to reducing incident response time. Applying intelligence, analytics and automation to the data will allow us to respond faster and more appropriately, and reduce the time to remediate.

23 Thank you.


