Niall Moynihan Security Product Sales Specialist The Cyber Threat Landscape Why you need to think differently…

Mar 19, 2018


Niall Moynihan

Security Product Sales Specialist

The Cyber Threat Landscape Why you need to think differently…


Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Today’s Reality…

All are smart, all had security, all were seriously compromised.


Our Customers’ Biggest Security Challenges

• Reducing complexity and fragmentation of security solutions

• Maintaining security posture with changing business models and attack vectors

• Continuously protecting across a dynamic threat landscape


Security -- Balancing Priorities (CEO, CIO and CISO priorities)

Enable the Business

• Global Expansion

• Increase employee engagement/productivity

• M&A

• New Business models/Partnerships

• Regulatory Compliance

• Business Continuity

Support New Technology adoption

• Cloud Computing

• BYOD

• Collaboration

• Programmable Networks/SDN

• Hyper connectivity IoT / IoE

• Disaster Recovery

Secure the Enterprise

• Policy Enforcement

• Advanced Threat Mitigation

• Risk Management

• Data Protection

• Incident Response

• Forensics / Security Analysis


Modern networks are like candy; a hard crunchy shell around a soft chewy centre.

Bill Cheswick, 1986


Motivated and Targeted Attackers

Organised crime

Hacktivists

Nation States

“25% of attacks targeted at a specific individual or company” Verizon Data Breach report 2013


eBay hacked, requests all users change passwords May 21, 2014

eBay confirms users' passwords were compromised but says there's no evidence any financial information was accessed.


Email Spear Phishing is Prime Attack Vector

Bypassing defences by…

Identifying individuals to target

- www.companywebsite.com/about/

- Switchboard/Receptionist

- Social Media

Using Social Engineering

Phishing…

- Phishing gets the hacker behind the firewall

- In the majority of these incidents, the attacks targeted corporate workstations, NOT devices

- Gives him the access of a user

- Popular with low-level scammers

- This is where the hack starts


Well Planned, Stealthy Attacks

Mandiant APT1 Report, Feb 2013

66% of the breaches in our 2013 report took months or even years to discover (Verizon Data Breach Investigations Report, 2013)

100% of corporate networks surveyed showed signs of malicious traffic (Cisco Annual Security Report, 2014)


IoT and Mobile – Massively increasing Attack Surface


The New Security Model


The New Security Model

Attack Continuum

• BEFORE: Discover, Enforce, Harden

• DURING: Detect, Block, Defend

• AFTER: Scope, Contain, Remediate

Network, Endpoint, Mobile, Virtual, Cloud

Point in Time, Continuous


Comprehensive Security Portfolio

IPS & NGIPS

• Cisco IPS 4300 Series

• Cisco ASA 5500-X Series integrated IPS

• FirePOWER NGIPS

• FirePOWER NGIPS w/ Application Control

• FirePOWER Virtual NGIPS

Web Security

• Cisco Web Security Appliance (WSA)

• Cisco Virtual Web Security Appliance (vWSA)

• Cisco Cloud Web Security

Firewall & NGFW

• Cisco ASA 5500-X Series

• Cisco ASA 5500-X w/ NGFW license

• Cisco ASA 5585-X w/ NGFW blade

• FirePOWER NGFW

Advanced Malware Protection

• FireAMP

• FireAMP Mobile

• FireAMP Virtual

• AMP for FirePOWER license

• Dedicated AMP FirePOWER appliance

• Cyber Threat Defense

NAC + Identity Services

• Cisco Identity Services Engine (ISE)

• Cisco Access Control Server (ACS)

Email Security

• Cisco Email Security Appliance (ESA)

• Cisco Virtual Email Security Appliance (vESA)

• Cisco Cloud Email Security

• Cisco

• Sourcefire

UTM

• Meraki MX

VPN

• Cisco AnyConnect VPN


New Generation of Devices Make Security Part of the Network Fabric

Sensor Network

Discover Everywhere

Controller Ready

Dynamic Remediation

Network Segmentation

Defend at Scale

Security Group Tag

Embedded in ASICs

NetFlow

Wire-rate Performance

Cisco ONE Support

API

Cisco Catalyst 4500E Supervisor 8E

Cisco Catalyst 3850

ISR 4451-AX

Catalyst 6807-XL, 6880-X, 6800ia

ASR1001-AX

• Policy Enforcement


Mobility Is Changing The Future Of Work

ACCESS POLICY IS MORE CRITICAL THAN EVER

• How we work

• Where we work

• When we work

• What tools we use

• Who we work with


Identity Services Engine (ISE)

Replaces AAA & RADIUS, NAC, guest management & device identity servers

Security Policy Attributes / Identity Context: WHO, WHAT, WHERE, WHEN, HOW

Business-Relevant Policies

Wired, Wireless, VPN

VM client, IP device, guest, employee, remote user


Key ISE Use Cases

• GUEST ACCESS: It’s easy to provide guests limited time and resource access

• SECURE ACCESS ON WIRED, WIRELESS & VPN: Control with one policy across wired, wireless & remote infrastructure

• BYOD: Users get safely on the internet fast and easy

• TRUSTSEC NETWORK POLICY: Rules written in business terms control access


BYOD & ISE

Reduce Burden on IT & Help Desk Staff

Reliable automation reduces user problems to near zero so…

Get Users On-Net in Minutes, Not Hours

Simple self-service portal for any user to get quickly on-net without help or hassle

Automated self-service portal

Immediate Secure Access

Rigorous Identity and Access Policy Enforcement


Cyber Threat Defense Solution

Network Components Provide Rich Context

Unites NetFlow data with identity and application ID to provide security context

Context questions for a host (65.32.7.45): Device? User? Events? Posture? Vulnerability, AV, Patch. Application?

NetFlow Enables Security Telemetry

NetFlow-enabled Cisco switches and routers become security telemetry sources

Cisco is the undisputed market leader in Hardware-enabled NetFlow devices

Lancope Partnership Provides Behavior-Based Threat Detection

Single pane of glass that unifies threat detection, visibility, forensics analysis, and reporting

Diagram components: Cisco Network + NetFlow, Cisco ISE, Cisco ASR 1000 or ISR G2 + NBAR, Cisco ASA, Cisco NGA, FlowSensor, FlowCollector, StealthWatch Management Console


Cyber Threat Defense Solution Components

Diagram components:

• Cisco Network (NetFlow, NBAR, NSEL)

• Users/Devices

• Cisco ISE

• StealthWatch FlowSensor

• StealthWatch FlowSensor VE

• StealthWatch FlowReplicator

• StealthWatch FlowCollector

• StealthWatch Management Console

• Other tools/collectors

Connection labels: NetFlow, https


Cisco CTD Solution: Attack Detection without Signatures

High Concern Index indicates a significant number of suspicious events that deviate from established baselines

Example alarm row:

Host Groups: Desktops
Host: 10.10.101.118
CI: 338,137,280
CI%: 112,712%
Alarms: High Concern index
Alerts: Ping, Ping_Scan, TCP_Scan

Monitor and baseline activity for a host and within host groups.


NetFlow Security Use Cases

• Identifying BotNet Command & Control Activity. BotNets are implanted in the enterprise to execute commands from their bot herders: sending spam, launching Denial of Service attacks, or carrying out other malicious acts.

• Revealing Data Loss. Code can be hidden in the enterprise to export sensitive information back to the attacker. This data leakage may occur rapidly or over time.

• Detecting Sophisticated and Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise as a lurking threat, waiting to strike. These may be zero-day threats that do not yet have an antivirus signature, or they may be hard to detect for other reasons.

• Finding Internally Spread Malware. Malware can spread across hosts inside the network for the purpose of gathering security reconnaissance data, exfiltrating data or creating network backdoors.

• Uncovering Network Reconnaissance. Some attacks will probe the network looking for attack vectors to be utilized by custom-crafted cyber threats.
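Two of these use cases, network reconnaissance and data loss, reduce to comparing a host's current flow summary with its own history. The sketch below is an added example, not Cisco or Lancope code and not the StealthWatch Concern Index calculation; the flow tuple layout, the 3-sigma threshold, the 10% floor and all sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def make_flows():
    """Constructed sample: (window, src, dst, dst_port, bytes_sent)."""
    flows = []
    for w in range(5):  # windows 0-4: normal activity for both hosts
        for host in ("10.0.0.5", "10.0.0.9"):
            for i in range(3):
                flows.append((w, host, f"192.0.2.{i + 1}", 443, 20_000 + 1_000 * w))
    for i in range(40):  # window 5: one host touches 40 peers with tiny flows
        flows.append((5, "10.0.0.5", f"10.0.1.{i + 1}", 445, 60))
    # window 5: the other host sends one very large outbound transfer
    flows.append((5, "10.0.0.9", "198.51.100.7", 443, 50_000_000))
    return flows

def summarise(flows):
    """Per (window, src): number of distinct (dst, port) peers and bytes sent."""
    peers, volume = defaultdict(set), defaultdict(int)
    for w, src, dst, port, nbytes in flows:
        peers[(w, src)].add((dst, port))
        volume[(w, src)] += nbytes
    return {k: {"fanout": len(peers[k]), "bytes": volume[k]} for k in peers}

def detect(flows, current, k=3.0, min_history=3):
    """Flag hosts whose current window exceeds their own baseline.

    Threshold = mean + k * spread, where spread is the standard deviation
    floored at 10% of the mean so a perfectly flat baseline still has slack.
    """
    stats = summarise(flows)
    alerts = []
    for host in sorted({src for _, src in stats}):
        now = stats.get((current, host))
        history = [v for (w, s), v in stats.items() if s == host and w < current]
        if now is None or len(history) < min_history:
            continue  # no traffic this window, or too little history to judge
        for metric, label in (("fanout", "reconnaissance"), ("bytes", "data_loss")):
            past = [h[metric] for h in history]
            spread = max(pstdev(past), 0.1 * mean(past))
            if now[metric] > mean(past) + k * spread:
                alerts.append((host, label))
    return alerts

if __name__ == "__main__":
    for host, label in detect(make_flows(), current=5):
        print(f"{host}: {label}")
```

Because each host is judged against its own history, no signature for the scanning tool or the exfiltration channel is needed; the cost is that a host with fewer than `min_history` windows cannot be scored yet.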


Defending the entire Attack Continuum

Attack Continuum

• BEFORE: Control, Enforce, Harden

• DURING: Detect, Block, Defend

• AFTER: Scope, Contain, Remediate

Visibility and Context

• Firewall

• NGFW

• NAC + Identity Services

• VPN

• UTM

• NGIPS

• Web Security

• Email Security

• Advanced Malware Protection

• Network Behavior Analysis


The Power of Continuous Security

Point-in-time security sees a lighter, bullet, cufflink, pen & cigarette case…

Wouldn’t it be nice to know if you’re dealing with something more serious?


Cisco in the news: Latest acquisition… ThreatGRID

• ThreatGRID is a company that provides dynamic malware analysis and threat intelligence technology to analyze file behavior, enabling organizations to accurately identify attacks and better defend against advanced cyber attacks. With both private and public cloud-based technology, ThreatGRID combines dynamic malware analysis with analytics and actionable indicators to enable security teams to proactively defend against and quickly respond to cyber attacks and malware outbreaks.

• The combination of Sourcefire and ThreatGRID will allow our customers to aggregate and correlate data to identify cyber threats.


Summary

• Cisco provides a broad portfolio of integrated solutions that deliver unmatched visibility and continuous advanced threat protection across the entire attack continuum.

• Allowing customers to act smarter and more quickly – before, during, and after an attack.

• Customers have flexibility and choice - Cisco’s broad portfolios give customers the flexibility and choice to purchase and deploy security in a way that best fits and adapts to their changing business environment.


Protection of Personal Information Act 2013 Current Status

• The Act was signed into law on 26 November 2013

• Certain sections of the POPI Act became operative with effect from 11 April 2014

• The sections of the Act which became operational from 11 April 2014 relate to the establishment of the Information Regulator, and the drafting of regulations.

• Only once the Regulator is set up will the remaining provisions become operational (by further presidential proclamation(s) in the Gazette) – August 2014

• Organisations will have 12 months (August 2015) to comply, and this period can be extended to a maximum of three years.

• Non-compliance with the Act could expose the Responsible Party to a penalty of a fine and / or imprisonment of up to 12 months. In certain cases the penalty for non-compliance could be a fine and / or imprisonment of up to 10 years. Section 99


Why should I comply with POPI?

POPI compliance involves capturing the minimum required data, ensuring accuracy, and removing data that is no longer required. These measures are likely to improve the overall reliability of the organisation's databases. Compliance demands identifying Personal Information and taking reasonable measures to protect the data. This will likely reduce the risk of data breaches and the associated public relations and legal ramifications for the organisation.