Cisco Advanced Services

ciscodobrasil 3,238 views 33 slides Oct 28, 2015

About This Presentation

Security consulting and integration


Slide Content

1 © 2015 Cisco and/or its affiliates. All rights reserved.
Cisco 2015 Midyear Security Report & Security Transitions…
Cisco Brazil Security Week 2015
Brian J. Tillett, CCSK, CISSP
Principal & Director, Cisco Security Advisory
16SEP15

2 © 2015 Cisco and/or its affiliates. All rights reserved.
Topics:
• State of Cybersecurity (abridged) – 2015 Cisco Midyear Security Report
• Transitions across the Cybersecurity Industry
• Transitions within Cisco

3 © 2015 Cisco and/or its affiliates. All rights reserved.
Changes in Attack Behavior: Speed, Agility, Adaptability, Destruction

4 © 2015 Cisco and/or its affiliates. All rights reserved.
Adversaries’ Agility is Their Strength
Constant upgrades increased Angler’s penetration rate to 40%, twice as effective as other exploit kits in 2014.
Angler keeps throwing different ‘hooks’ in the water to increase the chances of compromise:
• Flash vulnerabilities
• Retargeting
• Ransomware
• Encrypted malicious payload
• Macros
• Social engineering
• IP changing
• Domain shadowing
• More being developed daily
Security measures: web blocking, IP blocking, retrospective analysis, antivirus, endpoint solutions, email scanning
Outcome: compromised system; TTD (time to detection)

5 © 2015 Cisco and/or its affiliates. All rights reserved.
Rombertik
Malware evolves to not only steal data—if detected, it can destroy the targeted system.
Stages (anti-analysis, persistence, malicious behavior):
Gain Access
• Spam
• Phishing
• Social engineering
Evade Detection
• Write random data to memory 960 million times
Extract User Data
• Deliver user information back to adversaries
Destructive if Modified
• Destroy master boot record
• Render computer inoperable on restart

6 © 2015 Cisco and/or its affiliates. All rights reserved.
Malware on a Global Scale
Malicious actors do not respect country boundaries. Countries with higher block ratios have many Web servers and compromised hosts on networks within their borders.
Block ratio (malware traffic relative to expected traffic) by country:
• Russia 0.936
• Japan 1.134
• China 4.126
• Hong Kong 6.255
• France 4.197
• Germany 1.277
• Poland 1.421
• Canada 0.863
• U.S. 0.760
• Brazil 1.135

7 © 2015 Cisco and/or its affiliates. All rights reserved.
Reducing Attack Surface &
Window of Exposure

8 © 2015 Cisco and/or its affiliates. All rights reserved.
The Dilemma
Build Buy Be Left Behind

9 © 2015 Cisco and/or its affiliates. All rights reserved.
Attackers Are Exploiting Point Solutions with Increasing Speed
Point solutions surrounding the data: NGIPS, malware sandbox, IAM, antivirus, IDS, firewall, VPN, email, NGFW

10 © 2015 Cisco and/or its affiliates. All rights reserved.
Attackers Are Exploiting Point Solutions with Increasing Speed
Point solutions surrounding the data: NGIPS, malware sandbox, IAM, antivirus, IDS, firewall, VPN, email, NGFW
Time to detection: 200 days
• Ransomware: now targeting data
• Domain shadowing: on the rise
• Dridex: 850 unique mutations identified first half 2015
• Spam
• Rombertik: evolves to evade and destroy
• Angler: constantly upgrading and innovating
• Malvertising: mutating to avoid detection

11 © 2015 Cisco and/or its affiliates. All rights reserved.
Only an Integrated Threat Defense Can Keep Pace
Data protected by a systemic response built on Control, Visibility, Context and Intelligence
Reduce time to detection to under 1 Hour

2015 Midyear Security Report
cisco.com/go/msr2015

Ongoing Transitions within Cybersecurity:
• How does an enterprise measure security?
• How to make security a competitive advantage; mission/business enabler; and not stifle innovation/progress?
• How do we get ahead of our adversaries?

Timeline of security defenses set against the timeline of automotive safety features (slide axis labels: defense / offense; Internet / Volkswagen):
Security: Antivirus, Firewalls, Intrusion Detection, Antispyware, Intrusion Prevention, Heuristic Analysis, Behavior Analysis, System Integrity, Access Control, Data Loss Prevention, Identity Control, Sandboxing
Automotive: Seatbelts, Airbags, Traction Control, Stability Control, Antilock Braking System, Back-up Camera, Collision Avoidance, Onboard Diagnostics, GPS, Lane Departure Warning, Driving Assistant, Connected Highways

15 © 2015 Cisco and/or its affiliates. All rights reserved.
Ongoing Transitions within Cisco:
Momentum in Security:
• Sourcefire Acquisition
• Cognitive Acquisition
• Cisco Security Advisory
• AMP Everywhere & FirePOWER
• ThreatGRID Acquisition
• Active Threat Analytics
• OpenDNS

Cisco Confidential 17 © 2014 Cisco and/or its affiliates. All rights reserved.
Internet of Everything Security
• IoE Value Chain Assessment
• IoE Application Assessment
• IoE Device Assessment

Application Security
• Secure Application Design
• Application Assessment
• Enterprise SDLC

Mobile & Cloud Security
• Mobile App & Device Assessment
• Cloud Strategy & Architecture
• Cloud Application Assessment

Strategy, Risk, & Programs
• IT Governance
• Security Strategy & Policy
• IT Risk Assessment
• 3rd Party Risk Program
• Security Program Development
• Identity & Access Management
• Incident Readiness & Response

Compliance
• PCI DSS & PA DSS Assessment
• ISO 27001 / 27002
• HIPAA

Infrastructure Security
• Network Architecture Assessment
• Red Team Exercises
• Penetration Testing
• Social Engineering
• SOC Enablement
Integration
• Cisco Build Services
• Security Readiness
• Design, Development,
Implementation
• SOC Build & Integration

Assessment
• Test Plan Development &
Execution
• Device Assessment
• Validation and Testing
• Kick Start Deployment

Optimization
• Custom Reporting
• Cross Integration
• Performance Tuning
• Optimization Service
Remote Managed
• Device Health & Welfare
• Security Control Management
• Security Event Monitoring
• Collective Security Intelligence
Active Threat Analytics
• Advanced Threat Detection &
Triage
• Anomaly Detection
• Customer-Specific Mitigation
• Collective Security Intelligence
Cisco Security Services Portfolio
Advisory: Program Strategy, Architecture & Design, Assessments
Integration: Integration, Migration, Optimization
Managed Services: Product Support, Hosted Security, Managed Security

Cisco Confidential 18 © 2014 Cisco and/or its affiliates. All rights reserved.
Core Security Service Areas
Advisory Integration

Managed
Custom Threat
Intelligence
Strategy, Assessments,
Incident Response
Integration
Services
Security Optimization
Services
Active Threat
Analytics
Remote Managed
Services & Operations


Cisco Confidential 20 © 2014 Cisco and/or its affiliates. All rights reserved.
Integration Services
Cisco delivers:
Plan, Design,
Implement
Subject Matter
Expertise
Migration Optimization
Services:
• Cisco Build Services
• Security Readiness
• Security Design, Development,
Implementation
• Security Test Plan and Execution
• Security Knowledge Transfer
• Security Device Assessment
• Security Validation and Testing
• Security Kickstart Deployment
• Security Custom Reporting
• Security Cross Integration
Implementation
• Security Performance Tuning
• Security Optimization Service


Cisco Confidential 22 © 2014 Cisco and/or its affiliates. All rights reserved.
Cisco Security Program Areas of Analysis

Cisco Confidential 23 © 2014 Cisco and/or its affiliates. All rights reserved.
Cisco Security Capability Maturity Model
Levels: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized

Level 1 – Initial (ad hoc processes)
• Immature or inconsistent policies and procedures
• Various degrees of defined processes
• Unpredictable or unstable environment
• Inconsistent buy-in across the enterprise
• Processes abandoned at time of crisis
• Projects frequently exceed budget or are not fully completed
• Insufficient measurement of risk
• Business objective alignment is not established
• Inconsistent use of technology
• Undefined enterprise architecture model
• Lack of strategic planning
• Undefined roles and responsibilities
• Minimal senior management involvement in IT risk management

Level 2 – Repeatable (formal processes)
• Policies and procedures have been implemented
• Project-specific processes are documented, practiced, and enforced
• Unique reporting and measurement at project level
• Processes followed during crisis
• Compliance program being established
• Adoption of technology standards
• Target enterprise architecture model is defined
• Enterprise architecture is being implemented at the component level
• Governance approach is being formalized
• Procurement based on specific requirements
• Varied adherence to architecture standards
• Defined roles and responsibilities for IT risk management organization
• Senior management is educated on IT risk management

Level 3 – Defined (pervasive processes)
• Responsibilities defined enterprise-wide
• Enterprise-wide implementation of defined processes
• Consistent reporting and defined measurement
• Crisis predictable and minimized
• Proactive exception management
• Compliance program is effective
• Enterprise standards leveraged for all projects
• Target enterprise architecture model is implemented
• Initial alignment with business processes
• Acquisitions and purchases governed by enterprise architecture model
• Qualitative measurement of performance
• Senior management commitment

Level 4 – Managed (effective processes)
• Measured effectiveness of IT risk organization
• Processes are adaptable based on scope/risk
• Defined metrics and measurement
• Quantitative predictability of performance
• Explicit adherence to standards across the enterprise
• Pervasive deployment and integration of enterprise architecture model
• Benefits of target architecture model are realized
• Alignment with business objectives
• Risk management used as an enabler to business processes
• Planned IT acquisition and investment
• Senior management involvement

Level 5 – Optimized (refined processes)
• Accountability for IT risk organization
• Processes are continually improved
• Measured and increased ROI
• Decreased operating expenses
• Process feedback incorporated
• Business processes reengineered for efficiency and savings
• Ability to perform risk modeling
• Established business linkage
• Risk management enablers provide an increase in top line revenue
• No unplanned IT investment
• Alignment with corporate strategic plan

Cisco Confidential 24 © 2014 Cisco and/or its affiliates. All rights reserved.
Deliverable Graphic Examples: Current State vs. Target State
(+full description report on gaps, deficiencies, and paths to overcome)
Two graphics (Current State Example and Target State Example) rate the same control domains, grouped as Management Controls, Operational Controls and Technical Controls: Security Governance, Policy Management, Compliance Management, Risk Management, Security Strategy, Security Architecture, Metrics and Measurement, Patch Management, Vulnerability Management, Asset Management, Security Monitoring, Incident Management, Continuity of Operations, Identity and Access Management, 3rd Party Management, Systems Development Lifecycle, Information Management, Change Management, Network Security, Wireless Security, Host Security, Endpoint Security, Application Security, Data Security, Database Security.

Cisco Confidential 25 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Joint SPA & NDSA Recommendation Prioritization
Prioritization helps the Security Ops management to address the
recommendations based on Criticality and Ease of implementation.

Cisco Confidential 26 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Intel Driven Incident Response

Intelligence – Powered by Talos™ (Talos Research and Outreach):
• 100 TB Intelligence
• 1.6M sensors
• 150 million+ endpoints
• 35% of email world wide
• FireAMP™, 3+ million
• 13B web requests
• Open Source Communities
• 180,000+ Files per Day
• 1B SBRS Queries per Day

Response – Custom Tiers:
Emergency
• Rapid Response
• Incident Coordination & Investigation
• Breach Containment & Recovery
Rate Relief
• Established IR Engagement Process
• Threat & Incident Reviews
Custom
• Readiness
• Proactive Threat Hunting
• Intel / IR / SOC Build-outs
• Custom Training

Remediation – Post Breach:
• Kill Chain Review
• Attack Vector Evaluation
• Threat Actor Landscaping
• Policy Review & Overhaul
• Application Penetration Testing
• Direct Access to Cisco’s Elite CCIEs
• Future Partnerships for Remediation
- Microsoft
- Red Hat
- More…

Cisco Confidential 27 © 2014 Cisco and/or its affiliates. All rights reserved.
Custom Threat Intelligence
Network Traffic Analysis (CTI) & Traditional Perimeter Protection
What adversaries do:
• Know the “blind spots”
• Utilize “zero day” attacks
• Test against their copies of the latest detection/prevention technology to ensure not detected
• Hardware modifications & firmware injection – visible only to traffic flows
• Strive to make their exfiltration look like normal traffic
• Use different exfiltration networks for each major target
• Make compromises persistent
• Implement “self delete” when discovered
Hence the need for comprehensive threat visibility: INSTRUMENT, IDENTIFY, REMEDIATE, MEASURE


Cisco Confidential 29 © 2014 Cisco and/or its affiliates. All rights reserved.
ATA: A Comprehensive Threat Solution
Components shown in the Cisco Active Threat Analytics diagram:
• DMZ Users: Malware Analysis, Netflow Collector, Identity Mgmt.
• Data Center: Netflow Collector, Identity Mgmt.
• Web Security, Email Security, Malware Analysis, Netflow Collector, Identity Mgmt.
• ASA with FIREPOWER
• Cisco Cloud Security / Internet
• Mobile Endpoints: Anywhere / Anytime
• Talos
• Analytics: ThreatGRID, FirePower, Full Packet, Cognitive, Malware Analysis, Application Exhaust

Cisco Confidential 30 © 2014 Cisco and/or its affiliates. All rights reserved.
Use Case: Customer Statistics for Two-Week Timeframe
• 269,808 Security Events (207,992 and 61,816, split between telemetry generated and threat intel sourced)
• Unique events: 113,713
• High fidelity events: 1,710
• Post-investigation incidents/tickets: 71
Roughly 20,000 events/day reduced to 5 ranked & prioritized incidents/day
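The event-reduction funnel the slide reports (all events, unique events, high-fidelity events, ranked incidents), as an added Python example that is not Cisco's or OpenSOC's code; the telemetry records, the threat-intel set and the scoring rule are constructed for illustration:

```python
from collections import Counter

# Constructed sample telemetry as (source, src_ip, dst_ip, signature); not real customer data.
SAMPLE_EVENTS = [
    ("ids", "10.0.0.5", "203.0.113.9", "ET TROJAN CnC Beacon"),
    ("ids", "10.0.0.5", "203.0.113.9", "ET TROJAN CnC Beacon"),  # same alert fired twice
    ("netflow", "10.0.0.5", "203.0.113.9", "long-lived outbound flow"),
    ("proxy", "10.0.0.7", "198.51.100.20", "HTTP POST to uncategorized domain"),
    ("ids", "10.0.0.9", "192.0.2.44", "ET SCAN Nmap"),
    ("ids", "10.0.0.9", "192.0.2.44", "ET SCAN Nmap"),
    ("ids", "10.0.0.9", "192.0.2.44", "ET SCAN Nmap"),
]

# Constructed threat-intel set of known-bad destinations (stand-in for a Talos-style feed).
THREAT_INTEL = {"203.0.113.9", "198.51.100.20"}


def dedupe(events):
    """Collapse repeated identical alerts into unique events with a hit count."""
    return Counter(events)


def fidelity(unique_events, intel):
    """Score a unique event (constructed rule): +2 if its destination is in the intel set,
    +1 for each additional telemetry source that saw the same src/dst pair."""
    seen_by = {}
    for source, src, dst, _sig in unique_events:
        seen_by.setdefault((src, dst), set()).add(source)
    return {key: (2 if key[2] in intel else 0) + len(seen_by[(key[1], key[2])]) - 1
            for key in unique_events}


def triage(events, intel, threshold=2):
    """Run the funnel: all events -> unique -> high fidelity -> ranked incidents (one per internal host)."""
    unique = dedupe(events)
    scored = fidelity(unique, intel)
    high = {key: score for key, score in scored.items() if score >= threshold}
    incidents = {}
    for (_source, src, _dst, _sig), score in high.items():
        incidents[src] = max(incidents.get(src, 0), score)  # rank each host by its strongest signal
    ranked = sorted(incidents.items(), key=lambda kv: (-kv[1], kv[0]))
    return {"events": len(events), "unique": len(unique), "high_fidelity": len(high),
            "incidents": len(ranked), "ranked": ranked}


if __name__ == "__main__":
    for stage, value in triage(SAMPLE_EVENTS, THREAT_INTEL).items():
        print(stage, value)
```

The uncorroborated Nmap alerts stay below the threshold and never become an incident, which is the point of corroborating telemetry against intelligence before a ticket is raised.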

Cisco Confidential 31 © 2014 Cisco and/or its affiliates. All rights reserved.
OpenSOC Framework
Pipeline: Sources → Data Collection → Messaging Broker → Real-Time Processing → Storage → Access
• Sources: Telemetry Sources (NetFlow, Machine Exhaust, HTTP, Other); PCAP via Passive Tap / Traffic Replicator
• Data Collection: Flume (Agent A, Agent B, … Agent N)
• Messaging Broker: Kafka (A Topic, B Topic, … N Topic, PCAP Topic, DPI Topic)
• Real-Time Processing: Storm (A Topology, B Topology, … N Topology, PCAP Topology, DPI Topology)
• Storage: Hive (Raw Data, ORC), Elasticsearch (Index), HBase (Packet Table)
• Access: Analytic Tools (Tableau, R / Python, Power Pivot), Web Services, Search, PCAP Reconstruction

Cisco Confidential 32 © 2014 Cisco and/or its affiliates. All rights reserved.
https://github.com/OpenSOC

Thank you!