Cisco Security Intelligence Operations (SIO): Defense in Depth
 

Cisco Security Intelligence Operations (SIO) is a cloud-based big data analytics capability, which correlates over 100 terabytes of daily network intelligence across 1.6 million deployed Web, Email, Firewall and IPS security devices. SIO brings together the industry's greatest breadth and depth of security intelligence across this global community, combining it with third-party feeds and threat research teams to block advanced targeted attacks.

  • The threat landscape is changing. It began with basic threats like worms and viruses in the early 2000s. Attackers were likely to be unsophisticated and unorganized, such as kids in high school competing on how many email accounts they could hack.
    Over time, threats evolved to spyware and rootkits, which became harder to find and detect. They sought to bury themselves deep in a target system and carry out stealthy attacks that evaded detection and maintained privileged access for future compromise. This new class of attacks gave rise to a heightened focus on perimeter security, with IPS/IDS taking center stage.
    Now, advanced persistent threats and cyberwar are the big problem. Entire nation states are involved, meaning it’s not just enterprises being impacted, but entire governments. We are looking at well-funded, organized groups with very specific goals in mind and even more sophisticated tools at their disposal (Stuxnet). They leverage the same exploit patterns as in the past, but have begun combining them across multiple attack vectors in a sustained lifecycle. Organizations added reputation and sandboxing to defend against this new class of threat.
    Looking ahead to the era we are entering today, we are seeing the impact of the “Any to Any” challenge: any user on any device, increasingly going over any type of connection, with any application, and on any cloud. The twin trends of mobility and cloud are fundamentally expanding the attack surface. As the number of connections and the volume of information processed and flowing over the network grow, we are entering a time when global cloud-based intelligence and real-time analytics are critical to your network defense. You need a global threat perspective, as well as insight into what’s happening inside your network.
  • Cyber threats today follow a similar pattern to what we have seen in the past: we start with users and the applications they are running. Where it begins to diverge is the impact of multiple devices per person, which are accessing data across any cloud, many sites and through any network.
    There are two ways users are typically compromised: the “Active” approach versus the “Passive” one.
    First, let’s cover active. In this situation, users go about their daily web browsing routines: perhaps doing research for a new product launch, catching up on the news, investigating a new company or just watching online videos. As shown in our recent 2013 Annual Security Report, the majority of compromises happen on the trusted and legitimate sites users visit each day, with malicious actors using iFrame redirects or malvertising campaigns to silently carry out their attacks. Regardless of where and how these sites or exploit servers are encountered, malicious code is passed to the user’s system.
    In the passive model, malicious content is pushed toward the user rather than requiring them to request it. We typically see this in spearphishing, and in the many other attack vectors that require direct action by users on their local systems.
    Modern advanced cyber threats further complicate this picture, with multiple compromised sites and exploit servers propagating, often in real time and with automated tools to evade detection mechanisms such as reputation and blocklists. The malicious code itself changes and morphs to bypass signature-based methods. Just as in the previous example, attackers will often compromise trusted sites, hiding the threats in plain sight.
    Once the user is compromised, the malicious code will communicate with a Command and Control (CNC) server for further instruction. CNCs typically have multiple objectives, especially in the case of focused and persistent attackers: deliver additional malicious code, or provide a path to exfiltrate data.
    Now, that’s just one example of an advanced threat. What about the typical lifecycle?
      • Infiltrate (gain access).
      • Control a machine or set of machines.
      • Move laterally within the organization to go after specific individuals or content.
      • Then, the goal is either to extend the attack surface by placing hidden backdoors or additional exploits for future attacks, or to carry out a targeted goal such as data exfiltration.
  • This is what the architecture looks like for our integrated security strategy. It’s similar to what you see in a network architecture. In this presentation, we are going to focus on Cisco Security Intelligence Operations, or the top layer of the stack. SIO starts with the network as the platform for security, with SIO being firmly rooted in all of our security appliances, whether they are Firewall, IPS, Web, Email or even VPN on the endpoint. Each of these platforms protects organizations and users, and also feeds into a global network of sensors, pushing this data into the cloud-based capability of SIO to formulate a continuously evolving defense against advanced threats.
    Common policy, management and context form the glue between SIO and the platforms. Our customers have security appliances deployed across their networks, with SIO providing the intelligence and policy that brings the two together with action, such as blocking malicious content, to prevent infiltration of your network.
    We’re going to take a deeper look into the components that make up SIO, but it is important to note that we take two complementary views of the threat landscape. The first, which this presentation will focus on, is the global viewpoint, where we collect data from a global network of sensors (both Cisco appliances and third-party feeds) and aggregate it in the cloud to understand what exploits are out in the wild actively compromising users and what vulnerabilities are being used to accomplish these exploits, pushing this intelligence to our security platforms. This allows us to do a better job of discovering those threats and stopping them before they can attack us.
    We also take the local perspective from what is happening inside an enterprise network. This is our Threat Defense solution, where we turn the global threat lens around to discover anomalous behavior and activity inside a network, helping to determine potential compromises and where they originate.
    In this space, you may have heard about our recent acquisition of Cognitive Security, a firm that focuses on real-time network behavioral analysis from NetFlow, which we are integrating into our solutions.
  • We’ve touched on each of our security platforms from a 30,000 ft perspective. Let’s go into detail about what kind of data each of them is looking for, and what they send back to the SIO cloud to build our store of intelligence.
    What’s key here is that each platform plays a different role in defending your network, and each one is looking for a different slice of specialized intelligence to block advanced threats. For example:
      • The Email appliance cares whether an incoming connection is a valid SMTP connection.
      • Web security focuses on whether the content is bad or unwanted.
      • Firewalls ask about botnets and whether outbound activity is communicating with a CNC server.
      • IPS weeds out suspicious actors and hostile activity by combining signatures with reputation.
      • Our AnyConnect VPN monitors what malicious content gets through to the client, communicating back with both web security and our firewalls.
    So, this is the type of information the platforms need to perform their jobs. What about where all this intelligence within SIO comes from? The value of our solution is the breadth and depth of the inputs feeding back to the cloud. Let’s start from the simplest and move through them:
      • Blocklists and reputation are lists of domains, URLs, IPs, and in some cases files that we know something about. In some cases, we know the content is good, allowing us to let it through quickly; sometimes it is bad and immediately blocked at the infrastructure level; or it is a shade of grey. It is in these “grey” situations that SIO’s defense in depth framework keeps your organization safe.
      • We don’t just rely on lists or reputation, though; we proactively look for content to feed our intelligence. We have spam traps that catch emails that may not pass through our appliances. We run honeypots, where we wait for attackers to try and control systems, and analyze their methods and the infrastructure associated with them.
      • Then, we use crawlers to pull content from across the web, scan it, and see what is out there, making note of where it came from and whether it is malicious.
      • We further augment our data with domain/WHOIS information, building a database of where the malicious actors are and what domains they are registering.
      • We develop signatures ourselves and partner with third parties to defend against known-bad content as it comes through.
      • We do deep content inspection, examining what a file should look like, breaking it down into its component pieces, and seeing if it matches. This means actually looking into the structure of a file to see how it is formed, and going a step further to analyze specific keywords, repeatability of content, and more to determine whether it is legitimate based on our ever-growing list of samples.
    Each of these inputs is augmented by partnerships across the industry and, finally, supported by an in-house threat research team.
    Once the intelligence is aggregated and cross-correlated in the cloud, we need to push it back down to the platforms. Each platform receives the right intelligence, in the right way, just in time to maximize network defenses while minimizing the required on-box resources. We’ve spent some time on reputation and signatures, but it’s important to note that everything isn’t sent to every platform, only what is needed. For example, an email appliance receives sender reputation, whereas web security is sent domain and IP reputation, and an IPS receives signature updates, though all of that data has already been munged together through SIO.
    The last intelligence we push down is platform-specific rules and logic. This is the “brains” of the platforms that allows them to determine what to allow or deny at the time of request.
    In the cloud, SIO is continuously improving. All of these updates are done every 3-5 minutes.
  • So, that’s where our intelligence comes from, but how much do we really see? To discover where threats are hiding you need to pull massive quantities of information across multiple vectors (Firewall, IPS, Web, Email, and VPN, not just one of them). We see across the global threat landscape through a footprint that crosses both geographic and industry borders. On a single day, we gather over:
      • 100 TB of security intelligence
      • across 1.6M deployed security devices
      • covering 13B web requests per day
      • over 150,000 applications and micro-applications
      • collecting 93B email messages
    SIO represents the industry’s largest collection of real-time threat intelligence, with the broadest visibility, the largest footprint and the ability to put it into action across multiple platforms for a true defense in depth framework.
  • We’ve talked about where our intelligence comes from and the level of visibility our global sensors have; let’s get into how we stop threats on the platforms themselves. Context is an essential part of the equation, allowing us to bring together the who, what, where, why and when in real time to block an attack. This is how we take something that may be in that “grey” area and turn it bright red.
    Who: SIO provides intelligence about a variety of bad actors on the Internet. These individuals show themselves in different places across the network. Sometimes it’s a malicious email server sending spam, or a malicious web server hosting malicious content. We are able to distinguish between these two entities so that any blocking action is accurate and focused. For example, we don’t want to block an entire domain just because one URL residing within that domain was hosting malware.
    Where: Each geographic area has a certain level of risk associated with it. By adding geolocation to our context, we get a better picture of where malicious actors tend to aggregate and where we should pay more attention, and add this to the mix to determine the level of maliciousness.
    How: We take information about how content arrived, and through what protocols, asking questions like: is this email behaving as it should? Is the connection encrypted? We key in on levels of risk based on our historical database. In this example, we have generally found dynamic IP addresses used more often to host and deliver malicious content.
    When: Then, we add all this together with time-bound variables. This is constantly evolving as we learn more about the threat landscape, but we can determine information such as when a domain or mail server was registered, marking the content as carrying more risk if it was sent from a domain that was registered under 1 minute ago versus one that has been around for over a year.
    All of this is done in real time, and in this case, once we look across the rich context, we can determine this is indeed a threat and block it before it can cause damage.
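The who/where/how/when scoring described above, written out as an added Python example (not Cisco's code): known-bad entity lists, a regional baseline, delivery characteristics and domain age are combined into a verdict, and the block scope is kept narrow so that one bad URL does not condemn its whole domain. Every list, weight, threshold, country code and address below is a constructed assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class ConnectionContext:
    source_ip: str               # who: server that delivered or hosted the content
    url: Optional[str]           # who: the specific URL involved, if any
    country: str                 # where: geolocation of the source (constructed codes)
    dynamic_ip: bool             # how: source sits in dynamic address space
    encrypted: bool              # how: transport was encrypted
    domain_registered: datetime  # when: WHOIS creation time of the sending domain
    observed_at: datetime        # when: time the connection was seen


@dataclass
class Verdict:
    action: str                  # "allow", "grey" (deeper inspection) or "block"
    scope: str                   # "url", "mail-server" or "connection"
    score: float                 # 0.0 (clean) .. 1.0 (certainly malicious)
    reasons: List[str] = field(default_factory=list)


# Constructed sample intelligence, weights and thresholds; not real feeds.
BAD_MAIL_SERVERS = {"203.0.113.10"}
BAD_URLS = {"http://shop.example/promo/bad.php"}
COUNTRY_RISK = {"AA": 0.1, "BB": 0.6}   # baseline regional risk, 0..1
UNKNOWN_COUNTRY_RISK = 0.3
GREY_AT, BLOCK_AT = 0.4, 0.7
NOW = datetime(2013, 3, 1, 12, 0)        # constructed observation time


def domain_age_risk(registered: datetime, observed: datetime) -> float:
    """A domain registered a minute ago is far riskier than one a year old."""
    age = observed - registered
    if age < timedelta(minutes=1):
        return 0.9
    if age < timedelta(days=30):
        return 0.5
    if age < timedelta(days=365):
        return 0.2
    return 0.0


def evaluate(ctx: ConnectionContext) -> Verdict:
    score, reasons, scope = 0.0, [], "connection"
    # Who: known-bad entities. The scope stays narrow so one bad URL does not
    # condemn its domain, and a spamming mail server does not condemn a web
    # server that merely shares its domain.
    if ctx.url in BAD_URLS:
        score += 0.8
        reasons.append("known-bad URL")
        scope = "url"
    if ctx.source_ip in BAD_MAIL_SERVERS:
        score += 0.8
        reasons.append("known-bad mail server")
        scope = "mail-server"
    # Where: regional baseline risk.
    score += 0.3 * COUNTRY_RISK.get(ctx.country, UNKNOWN_COUNTRY_RISK)
    # How: delivery characteristics historically associated with bad content.
    if ctx.dynamic_ip:
        score += 0.25
        reasons.append("dynamic IP")
    if not ctx.encrypted:
        score += 0.05
        reasons.append("unencrypted transport")
    # When: age of the sending domain.
    age_risk = domain_age_risk(ctx.domain_registered, ctx.observed_at)
    if age_risk:
        score += 0.4 * age_risk
        reasons.append(f"young domain (risk {age_risk})")
    score = min(score, 1.0)
    if score >= BLOCK_AT:
        action = "block"
    elif score >= GREY_AT:
        action = "grey"
    else:
        action = "allow"
    return Verdict(action, scope, round(score, 2), reasons)


def sample_context(country: str, dynamic_ip: bool, encrypted: bool,
                   domain_age_days: float, url: Optional[str] = None,
                   source_ip: str = "198.51.100.7") -> ConnectionContext:
    """Build a constructed context observed at NOW with a domain of the given age."""
    return ConnectionContext(source_ip, url, country, dynamic_ip, encrypted,
                             NOW - timedelta(days=domain_age_days), NOW)


if __name__ == "__main__":
    # Domain registered 30 seconds ago, dynamic IP, risky region: blocked.
    print(evaluate(sample_context("BB", True, False, 30 / 86400)))
```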
  • Let’s take a look at how SIO utilizes this intelligence across our platforms to provide defense in depth. First, we start with an email in a spear phishing campaign, which our email security solutions blocked at the time of request using the reputation of the sender’s infrastructure. But we don’t stop here. Most spearphishing or other targeted attacks contain a URL, which links to malicious code or an attempt to collect sensitive information. Just because the spam was blocked, it doesn’t mean our job is finished; we need to ask ourselves what else we can gather from the scene of the crime.
    We harvest the URL from this message, grabbing as much intelligence as we can, treating it as a feed into SIO, and pushing it down to the rest of our appliances to block future threats. Let’s look specifically at how we treat this intelligence in our web security pipeline.
    On the web side, a customer has been directed to the same URL, hosted on the same infrastructure as we saw in the malicious email. That’s strike one, and it would be blocked at the time of request. What happens when the case isn’t so clear?
    If content gets through our reputation engine, it is correlated with web categorization data. In the cases when a site is blocked or has a positive or negative reputation, the action is easy. But, due to the rapidly evolving nature of the web and threats, the majority of content is either classified or unclassified. Classified means another enterprise user has encountered the site, even if it does not have a reputation score. This allows us to tell if it is a SaaS portal, online shopping, news, etc., and apply variable levels of risk and action to it. But in the case of an unclassified site, we know no one has visited it before and it doesn’t have a reputation score. This raises suspicion, and we send it through every possible test to ensure malicious content is blocked and good content gets through.
    In SIO, we run multiple AV engines in parallel. Not every scanner will capture or identify malware right away, so we increase the chance of capturing it with each engine’s specialization. Based on a site’s category, we determine how many, and which specific, AVs the content should be run through to maximize on-box resources and minimize time to detection. As a side note, you can view our lead times versus major AV vendors on the Threat Operations Center [link].
    If it passes our signature test, we run the content through our original and platform-specific rules. This allows us to do things like run a comparison of the declared content type against what our scanners know it to be.
    Then, our platforms take action through local enforcement of policy. These are the customized rules, automated checks and acceptable use policy that administrators set to allow or deny certain types of content and potential threats.
    It’s not about one box, acting in a silo, defending your network. It’s about an intelligent system with multiple layers of protection letting the content you need to run your business through freely, and preventing costly and damaging attacks.
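The layered web pipeline just described (reputation, categorization, category-selected scanners, the declared-versus-actual content-type rule that the deep content inspection notes earlier also rely on, then local policy), as an added Python example that is not Cisco's code. The reputation and category tables, the two toy scanner engines, the magic-number table and the local policy are all constructed assumptions; the point is how the layers back each other up when an earlier one has nothing to say.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Request:
    url: str
    declared_type: str   # Content-Type the server claimed
    body: bytes


@dataclass
class Decision:
    action: str          # "allow" or "block"
    stage: str           # the layer that made the call
    detail: str = ""


# Constructed sample data; not real feeds.
REPUTATION: Dict[str, int] = {          # -10 (bad) .. +10 (good)
    "http://lure.example/invoice.exe": -9,
    "https://news.example/": 8,
}
CATEGORY: Dict[str, str] = {            # sites some other user has already seen
    "https://news.example/today": "news",
    "https://files.example/get": "file-sharing",
}
BLOCK_REP, ALLOW_REP = -5, 5


# Toy scanner "engines": each returns a detection name or None.
def engine_exe(body: bytes) -> Optional[str]:
    return "win32-executable" if body.startswith(b"MZ") else None


def engine_script(body: bytes) -> Optional[str]:
    low = body.lower()
    return "obfuscated-script" if b"<script" in low and b"unescape(" in low else None


ENGINES: Dict[str, Callable[[bytes], Optional[str]]] = {
    "exe": engine_exe,
    "script": engine_script,
}
# Which engines run per category; unclassified content gets every engine.
ENGINES_BY_CATEGORY = {"news": ["script"], "file-sharing": ["exe", "script"]}

# Leading bytes that identify what the content actually is.
MAGIC = {b"MZ": "application/x-msdownload", b"%PDF": "application/pdf",
         b"\x89PNG": "image/png"}

# Constructed local acceptable-use policy: no downloads from file-sharing sites.
LOCAL_BLOCK_CATEGORIES = {"file-sharing"}


def sniff_type(body: bytes) -> Optional[str]:
    """Judge the real content type by its leading bytes, or None if unknown."""
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return None


def evaluate(req: Request) -> Decision:
    # Layer 1: reputation. Clear-cut verdicts end here.
    rep = REPUTATION.get(req.url)
    if rep is not None and rep <= BLOCK_REP:
        return Decision("block", "reputation", f"score {rep}")
    if rep is not None and rep >= ALLOW_REP:
        return Decision("allow", "reputation", f"score {rep}")
    # Layer 2: categorization decides how much scanning the content gets;
    # a never-seen site is the most suspicious and gets every engine.
    category = CATEGORY.get(req.url)
    names = ENGINES_BY_CATEGORY[category] if category in ENGINES_BY_CATEGORY else list(ENGINES)
    # Layer 3: the selected signature engines, run over the body.
    for name in names:
        hit = ENGINES[name](req.body)
        if hit:
            return Decision("block", "scanner", f"{name}: {hit}")
    # Layer 4: content rule, declared Content-Type versus what the bytes say.
    actual = sniff_type(req.body)
    if actual is not None and actual != req.declared_type:
        return Decision("block", "content-rule", f"declared {req.declared_type}, actual {actual}")
    # Layer 5: local policy set by the administrator.
    if category in LOCAL_BLOCK_CATEGORIES:
        return Decision("block", "local-policy", f"category {category}")
    return Decision("allow", "local-policy", category or "unclassified")


if __name__ == "__main__":
    # A news site serving an executable labelled as HTML: the category-selected
    # scanner misses it, the content rule catches it.
    print(evaluate(Request("https://news.example/today", "text/html", b"MZ\x90\x00\x03")))
```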
  • Now that you’ve seen how SIO works at a general level, let’s take it down to a real threat Cisco defended against using our cross-platform intelligence.
How many of you use IE, or at least have individuals within your organization who do?
Recently, Cisco detected a zero-day vulnerability which gave a remote attacker full control of your system. All a user had to do was stumble upon, or be driven to, one of the exploit sites we mentioned earlier. This could be used to gain a foothold in your network for additional attacks, or simply to exfiltrate data from the infected system. Not only did we detect the threat, our analysis showed a huge spike in volume to the exploit sites, meaning real users were being compromised.
Traditional response began too late for those users, with AV vendors just beginning to issue signature updates at day 16, and many of them waiting nearly 20 days before protection arrived. Not only this, but the actual security advisory and official Microsoft patch also arrived in this same 16-day-plus timeframe.
What happens when you apply SIO to a threat like this? Cisco blocked the exploit site on day zero, a full 16 days before the first signature was issued. We stopped access to the exploit site at the infrastructure level, through web reputation, which was pushed out in real time to all our customers.
Then, we took the known-bad domains from our web security solutions and correlated them with intelligence from our IPS, issuing a signature to block the command and control infrastructure. So, even if a user was compromised before coming onto a network, the threat was still disabled.
This isn’t where our efforts stopped, though: our analysis revealed 40+ parked domains dating back to 2001, registered by the same attacker. We proactively blocked these, preventing future attacks from the same infrastructure.
The exploit servers propagated and the code mutated, coming in from multiple attack vectors. It was only through the cloud-based capability of SIO, which fed intelligence across our platforms, that we blocked the IE exploit 18 days early, blocked the CNC, and disarmed 40+ parked domains. As showcased in our 2013 Annual Security Report, these types of attacks, distributed via Malscript / iFrames, are by far the most common, followed by Exploits, meaning this isn't a new or unique threat but one we are only going to see more of.
  • With the rate of change in the threat landscape, the best defense is one that crosses platform, geographic and industry boundaries. Cisco Security Intelligence Operations offers the industry’s greatest breadth and volume of threat intelligence. SIO pulls in over 100 TB of daily security intelligence, correlating it in the cloud to continuously improve your security posture. No matter whether the content is known-bad, good or somewhere in between, SIO spans the entire Cisco security portfolio to make timely and accurate decisions. In the end, defense in depth is the best defense against modern advanced cyber threats.

Cisco Security Intelligence Operations (SIO): Defense in Depth (Presentation Transcript)

  • Slide 1: Scott Simkin, Cisco® Security Product and Solutions Marketing. Cisco Security Intelligence Operations: Defense in Depth. May 2013. C97-728161-00 © 2013 Cisco and/or its affiliates. All rights reserved.
  • Slide 2: Agenda. Threat Evolution; Cisco Security Framework; Cisco® Security Intelligence Operations (SIO) Portal Overview; Breadth and Context; Cisco SIO Portal Defense; Threat Example.
  • Slide 3: Threat Landscape Evolution. Threats and responses over time: Worms (2000: host-based antivirus); Spyware and rootkits (2005: network perimeter, IDS and IPS); Advanced persistent threats (APTs) and cyberwar (2010: global reputation and sandboxing); Increased attack surface from mobility and cloud (Tomorrow: intelligence and analytics). Background word cloud: Google Chrome, Firefox, Internet Explorer, Java, Flash, USB, Adobe PDF, Facebook, Twitter, Youtube, VMWare, iPad, Microsoft Office, Android, Amazon, Blackberry mobile, Salesforce, Mac, iOS, iCloud, Gmail, Technorati, StumbleUpon, Reddit, Myspace, Flickr, Delicious, RSS, Newsvine, Yahoo, Laptop, Wireless, Chat, Application, Digg, Users, Server, Network, Nokia mobile, Box net, Dropbox, iPhone, Cisco WebEx, Netvibes, MobileMe.
  • Slide 4: Advanced Cyber Threats. Compromise site and exploit server; Users and applications.
  • Slide 5: Advanced Cyber Threats. Compromise site and exploit server (WWW) to users and applications; Extend attack surface; Lateral movement; Control; Infiltrate; Data exfiltration; Cisco® Network Collector.
  • Slide 6: Common policy, management, and context: Common management; Shared policy; Analytics; Compliance; Partner API. Context: Identity, Application, Device, Location, Time. Network-enforced policy: Access, Firewall, IPS, VPN, Web, Email, across Appliances, Routers, Switches, Wireless, Virtual. Cloud-based threat intelligence and defense: Attacks, Third-party feeds, Reputation and rules, Malware analysis, Global and Local. Workloads: Applications and services; Infrastructure; Public, Tenants, Hybrid, Private.
  • Slide 7: Defend with Intelligence. Questions asked of traffic: Valid SMTP connection? Bad or unwanted content? Command and control site? Hostile action? Malicious content on the endpoint? Intelligence sources: Signatures; Threat research; Domain registration; Content inspection; Spam traps, honeypots, and crawlers; Blocklists and reputation; Third-party partnerships. Cisco® Security Intelligence Operations.
  • Slide 8: Defend with Intelligence. WWW traffic passes through Reputation, then Signatures, then Platform-specific rules and logic. Cisco® Security Intelligence Operations.
  • Slide 9: Discovery with Breadth. Daily security intelligence.
  • Slide 10: Discovery with Breadth. 100 TB of security intelligence; deployed security devices.
  • Slide 11: Discovery with Breadth. 100 TB of security intelligence; 1.6 million deployed devices; daily web requests.
  • Slide 12: Discovery with Breadth. 100 TB of security intelligence; 1.6 million deployed devices; 13 billion web requests; applications and micro-applications.
  • Slide 13: Cisco® Security Intelligence Operations: Broad visibility, Global footprint, Defense in depth. 100 TB of security intelligence; 1.6 million deployed devices; 13 billion web requests; 150,000 micro-applications; 1000 applications; 93 billion daily email messages; 35% of enterprise email; 5500 IPS signatures; 150 million deployed endpoints; 3 to 5-minute updates; 5 billion daily email connections; 4.5 billion daily email blocks.
  • Slide 14: Discovery with Context. Who: Suspicious domain owner (domain registered < 1 minute, < 1 month, > 1 year, > 2 years; mail server < 1 month). What: Poorly structured PDF (file types RAR, DOC, ZIP, PDF). How: HTTP, SSL, SMTP. Where: Server in high-risk location (Beijing, London, San Jose, Kiev). When: Dynamic IP address. Example identifiers on the slide: 192.1.0.68, smtp.example.com, Example.org, 17.0.2.12.
  • Slide 15: Discovery with Context. Who: Suspicious domain owner (domain registered < 1 minute). What: Poorly structured PDF. How. Where: Server in high-risk location. When: Dynamic IP address.
  • Slide 16: Cisco SIO Defense Flow. Harvest URLs from spam (sender reputation = -10, spam blocked) into Cisco SIO web intelligence. Web content (WWW) flows through Reputation (score -10 to 10: Blocked, Reputation, Classified, Unclassified), Categories, Antivirus (efficient antivirus use), Signatures. Cisco® Security Intelligence Operations.
  • Slide 17: Cisco SIO Defense Flow. Harvest URLs from spam (sender reputation = -10, spam blocked) into Cisco SIO web intelligence. Web content (WWW) flows through Reputation (-10 to 10), Categories, Antivirus (efficient antivirus use), Signatures, Rules (inspect content types, example: confidence in type; inferred rather than declared), Policy (does local policy allow this action or content?). Cisco® Security Intelligence Operations.
  • Slide 18: Microsoft Internet Explorer Zero-Day Vulnerability, traditional response. Day 0: zero-day malware in the wild. Day 16: first antivirus signature deployed. Day 17: second antivirus signature deployed; security advisory issued; Microsoft IE patched. Day 18: third antivirus signature deployed.
  • Slide 19: Microsoft Internet Explorer Zero-Day Vulnerability, Cisco SIO proactive defense versus traditional response. Day 0: zero-day malware blocked by Cisco. Day 14: Cisco® IPS signature, CNC server blocked. Day 16: 1st anti-virus signature deployed. Day 17: 2nd anti-virus signature deployed; security advisory issued; IE patched. Day 18: 3rd anti-virus signatures deployed. Multiple attack vectors and multiple layers of defense: Cisco SIO cross-platform intelligence; Blocked zero-day threat; Blocked 40+ “parked” domains; Blocked exploit server and CNC; 18-day lead time.
  • Slide 20: Cisco SIO: Defense in Depth. Cisco® Security Intelligence Operations. WWW.
  • Slide 21: http://cs.co/ciscosio1