Cisco Content Security Technology Overview and Update

Cisco Content Security Technology Overview And Update

Hrvoje Dogan Security Solutions Architect, SBG [email protected]

C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 • Email Security Evolution • Inbound Protection Features • Outbound Control Features Agenda • Web Security Trends • Web Security Appliance and Update • Cloud Web Security and Update

C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2 Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.

HIGH VOLUME LOW VOLUME ? LOW $ VALUE HIGH $ VALUE Past Today Tomorrow

???

Targeted Attacks Virus Outbreaks

Blended Phishing Threats Targeted Spam Phishing

Network Evasions

Inbound Threats Inbound Polymorphic Code Botnets Advanced Conficker Persistent Threats Covert, Sponsored Image Targeted Attacks Code Red Spam Slammer Stuxnet Custom URL Attachment-based Worms

LOW VOLUME HIGH VOLUME ? LOW $ IMPACT HIGH $ IMPACT Past Today Tomorrow

Changing legislation Intellectual property

European Union laws Customer asset loss Trade secrets Data breaches State laws Federal laws Outbound Compliance Corporate espionage Province laws Legal documents HIPAA

State regulations Credit card numbers PCI Product-planning documents 4 Brand Social security numbers

Access email only By 2015, access Access email from behind from over 7B

Usage anywhere, anytime corporate firewall mobile devices

Tripled since January

Highest level since 2010

Anti-spam industry problem

Cisco maintains efficacy leadership

Source: http://www.opus1.com/www/whitepapers/antispamresults2013.pdf

Volume UP = Count of Spam UP Source: http://www.spamcop.net/spamgraph.shtml?spamyear Source: http://cbl.abuseat.org/totalflow.html

Offer spam (Micro-category) = Sell goods or services. Categories of Missed Spam (customer submissions since Jan/14) Diplomas Mkt Svcs Casino Majority of Offer spam uses Snowshoe techniques Seminar Link Insurance Malware Dating Porn Luxury Snowshoe spam – technique used by spammers to Drug Loan Stocks Lottery cover their tracks, go under the radar. Its objective is Job to defeat traditional Anti-Spam techniques. Scam short campaigns – morphs fast – constantly changing Phish

Anti-Sender Reputation Anti-Content Analysis • Never use the same IP to send • Never use the same series of more than x amount of spam in words more than y period of time. • Never reuse the same images • Never send the same spam • Never use the same URL

Offer from the same IP.

Not “new” techniques, however, usage has increased

Fine line to balance catch rate and false positive

Cisco’sThis graphic email securitywas published solution by demonstrated Opus One in thetheir highest2014 “COMPARING spam capture INDUSTRY-LEADINGrate and the most accurate rate of detection. The results are remarkable given the tradeoffANTI-SPAM between SERVICES” spam capture and false positive rates.All of theFor anti-spam example, solutions a vendor in Gartner’s can catchJuly 2013 100% “Leaders” of spamand “Challengers” if they block Magic every Quadrant message categories but were then tested. the falseIn total, eight vendors were evaluated over the course of a year. positiveThe only ratevendor would mentioned also by be name 100%, is Cisco which (Cisco’s is obviously Email unacceptable.Security Appliance was previously called “Ironport” but Cisco is Ciscophasing consistently out the IronPort outperformed brand name). The the remaining other vendors, vendor names have been obfuscated. with the highest spam capture rate in eight of the twelveTo ensure months consistency measured. and reliability, When Opus another One operated vendor within had the following parameters during the 12-month long analysis from a Januarybetter 2013anti-spam to December catch 2013. rate than Cisco, it came at the cost of a significantly higher false positive rate: from 16 to 40 times worse. Opus One Joel Snyder, April 2014

Attack Continuum

BEFORE DURING AFTER Control Detect Scope Enforce Block Contain Harden Defend Remediate

Gaps in protection Point-in-time Malware prevention as new attack defenses can be is not 100% vectors emerge evaded

SenderBase Reputation Filtering Drop

Anti-Spam Drop/Quarantine

Cisco® SIO Anti-Virus Drop/Quarantine

Advanced Malware Protection AMP Drop/Quarantine

Outbreak Filters Quarantine/Re-write

Real-time URL Analysis cws

Re-write Deliver Quarantine Drop URLs

C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11 The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the ﬁle again. If the red x still appears, you may have to delete the image and then insert it again. Cisco SenderBase: Email Reputation Database

Threat Intelligence Spam Traps Complaint IP Blacklists • Over 1.6M global devices Reports and Whitelists • Historical library of 40,000 threats • 35% of global email traffic seen per day • 13B+ Worldwide web requests seen per day • 200+ parameters tracked Message Compromised Website • Multi-vector visibility Composition Host Lists Composition Data Data

Benefits

• 360 degree dynamic threat visibility Global Volume Domain Other Data • Understanding of vulnerabilities and Data Blacklist and exploit technologies Safelists • Visibility into highest threat vehicles • Latest attack trends and techniques IP Reputation Score

Your Company Trusted_Partner.com Verified SIGNEDü

Cisco ESA Imposter

Trusted_Partner.com Drop/Quarantine

• Block phishing and spoofing attacks • Apply more liberal policies to AUTHENTICATED external sources

Trusted_Partner.com

Verified SIGNEDü

Report Cisco ESA Imposter

Drop/Quarantine Trusted_Partner.com

• Reduce the exposure of your users to phishing • Tie DKIM and SPF together and address their shortcomings • Identifies actions to take if message authentication fails for sender’s domains • Allows for sending of aggregate reports back to sending domain to inform of message disposition C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14 URL Defense Integrated email and web security

Rewrite

Email Contains URL Send to Cloud

BLOCKEDwww.playboy.comBLOCKED Defang BLOCKEDwww.proxy.orgBLOCKED

Cisco SIO Replace “This URL is blocked by policy”

URL Categorization

Reputation SourceFire AMP update integration File File Reputation Sandboxing

Known File Unknown files are Reputation uploaded for sandboxing

Advanced Malware Protection Outbreak Filters

Cloud Powered Zero-Hour Telemetry Based Zero-Hour Malware Detection Virus and Malware Detection

• Blocks files known to be malicious File Reputation • Reputation verdicts delivered by AMP cloud intelligence network

• Behavioral analysis of unknown files File Sandboxing • Looks for suspicious behavior • Feeds intelligence back to AMP cloud

• Continuous analysis of files that have traversed the gateway File Retrospection • Retrospective alerting after an attack when file is determined to be malicious

Reputation Filtering Block BEFORE Cisco® SIO URL Filtering Block

Signature, AV, Spam scanning Block

DURING File Reputation Block SourceFire AMP Cloud File Behavior Block

AFTER File Retrospection Alert

Rate Limiting Encrypt AS/AV Checks Compliance/ DKIM/SPF Outbound DLP Sensitive Data

Sender Recipient

• Receive alerts identifying high-volume ! possibly infected senders Malicious Sender

• Rate limit can be set higher for senders such as marketing or the customer help desk Known High Volume Sender

• Users can send up to 100 mails per hour

Typical User

Policy !

• Administrator can set rate limit for individual

senders Alert admin when limit is hit

Admin

Alert Rate Limit per Anti-Spam Anti-Virus Admins Mail From (Intelligent Multi-Scan)

Stay off of blacklists • Stop malicious and abusive use of systems • Know which machines/users to remediate • Combine with Outbreak Filters for bi-directional protection

Verified SIGNED SIGNEDü

From: Your_Company.com From: Your_Company.com From: Your_Company.com

Report

Publish DMARC, DKIM, and Cisco ESA SPF Your Company ISP SPF Records Records Query DMARC, DKIM, and DNS Public Server • Protect your identity from phishing • Improve sender reputation and deliverability • Visibility and control of sent email and who is sending on your behalf

IPv6 Addressing Is your Email Security

filtering content with IPv6

addressing appropriately?

• Supports: IPv4/IPv6 addressing – single or dual stack – with Anti-Spam, Anti-Virus, Content Filters, DLP, Encryption, and more • Translates: IPv6 in and IPv4 out… or vice versa • Full reporting and Message Tracking support

On-premises Cloud

Deployment Options Appliance Virtual Hybrid Hybrid Cloud Managed

Multi-device Support Desktop Mobile Laptop Tablet

Emails delivered Emails / mo Emails / day Emails / employee / day %

Attempted 124 M 5.6 M 73

Blocked 77 M 3.5 M 46 63%

Delivered 37 M 1.7 M 22 30%

Delivered, marked “Marketing” 9 M 0.4 M 5 7%

ESA Blocked Emails Emails* / mo Emails / day Emails / employee / day %

By reputation 73 M 3.3 M 43 94%

Malware Spam By spam content 4.3 M 0.2 M 3 5% By invalid receipts 0.4 M 0.02 M 0.25 1%

3.5M Emails blocked each day

Exploitation Theft & Espionage Disruption

Accounting Agriculture and Mining Automotive Aviation Industry Risk and Banking and Finance Charities and NGOs Clubs and Organizations Web Malware Education Electronics Energy, Oil, and Gas Encounters, 2013 Engineering and Construction Entertainment Food and Beverage Government Healthcare Heating, Plumbing, and A/C IT and Telecommunications Industrial Insurance Legal Manufacturing Media and Publishing Pharmaceutical and Chemical Professional Services Real Estate and Land Mgmt. Retail and Wholesome Transportation and Shipping Travel and Leisure Utilities

16%

14%

12% PDF

10% Flash

8% Java

0 Jan. Feb. Mar. Apr. May Jun. Jul. Aug. Sep. Oct. Nov.

Month

7000 2013

2012 6000 2011

5000 2010

4000

3000

2000

1000

0 Jan. Feb. Mar. Apr. May Jun. Jul. Aug. Sep. Oct. Nov. Dec.

Month

1000 320 800 278 293 291 256 600 281 212 211 221 224 517 215 437 400 391 387 386 366 347 333 324 Update Alert 303 286

200 New Threat Alert

0 Jan. Feb. Mar. Apr. May Jun. Jul. Aug. Sep. Oct. Nov.

Connections to domains that are known High-Threat Malware malware threat sites or threat vectors. 100%

Suspicious and excessive trafc going to Government and Military places not typically contacted by the public. 100%

Connections to known hijacked infrastructure Hijacked Infrastructure or compromised sites. 96%

Connections to blank sites that may have code Sites without Content on them to inject malware into systems. 92%

Suspect FTP Unexpected connections to irregular FTP sites. 88%

Connections from within an organization to Suspect VPN suspicious VPN sites. 79%

Connections to universities in suspicious places, potentially Education via Threat(s) serving as pivot points for other kinds of malware. 71%

Very high volume of attempts to connect to Pornography known pornography sites. 50%

Zbot Daily Blocks, 2013 (Source: Cisco Cloud Web Security) (webmail) 100% Solimba 90% AirInstall FirstSerial NBC.com and downloader downloader iBryte Installer 80% related downloader CryptoLocker 70% compromises ransomware 60% Google Doc iphonedevsdk.com50% Watering Hole phishing Watering40% Hole Attacks against Attacks targeting Energy & Oil 30%Tech Industry 20% 10% 0% 1-Jan-13 1-Feb-13 1-Mar-13 1-Apr-13 1-May-13 1-Jun-13 1-Jul-13 1-Aug-13 1-Sep-13 1-Oct-13 1-Nov-13 1-Dec-13

Signature Outbreak Intelligence™

§ This chart shows the day to day rate of OI detected threats vs. 78% standard antivirus signatures. 22% § In 2013, 22% of Web malware was blocked by Cisco Outbreak Intelligence before signature detection became available Signature Outbreak Intelligence™ § Outbreak Intelligence provides early detection of new threats based on heuristic analysis of behavioral characteristics and machine learning C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32 32 Web Pages Contain Hidden Threats

• Flash • Java • JPG • PDF Potential threats • Script • .exe • Etc.

Facebook time: Bytes on YouTube Pandora: Total browse time for 2,110,516 minutes or video playback: 713,884,303,727 the day: 35,175 hours, 1465 11,344,463,363,245 or .6 TB 2,270,690,423 or days, 4.1 years! or 10 TB 4,320 Years. # of Facebook likes: Total bytes for the day: 3,925,407 at 1 second a 70,702,617,989,737 like that’s almost 1100 or 64 TB over 15% from hrs/day or 45 days just YouTube! liking things!

Source: Cloud Web Security Report

Strong Protection Safeguards every device, everywhere, all the time

Complete Control Enables control of all web traffic on all devices

Investment Value Delivers more for your investment

WWW

URL Filtering WWW Block Time of Request

Reputation Filter WWW Block

Cisco® SIO Dynamic Content Analysis (DCA) WWW Block

Time of Signature-based Anti-Malware Engines WWW Block Response

AMP Real-time Sandbox Analysis

Partial WWW Allow WWW Warn WWW WWW Block Block

C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36 Telemetry • Cisco plays a critical role in evaluating threats, given the prevalence of its solutions and the breadth of its security intelligence: • 16 billion web requests are inspected every day through Cisco Cloud Web Security

• 93 billion emails are inspected every day by Cisco’s hosted email solution • 200,000 IP addresses are evaluated daily

• 400,000 malware samples are evaluated daily

• 33 million endpoint files are evaluated every day by FireAMP

• 28 million network connects are evaluated every day by FireAMP

C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37 Results • This activity results in the following threats being detected by Cisco: • 4.5 billion emails are blocked every day

• 80 million web requests are blocked every day • 6450 endpoint file detections occur every day in FireAMP • 3186 endpoint network detections occur every day in FireAMP • 50,000 network intrusions are detected every day

FireAMP WSA Cloud

FireAMP Client

File Reputation Query Web FireCloud Local Client Web/Sender Cache Heartbeat -retrospective Reputation File Reputation Proxy VRT update Client Unknown File, upload for Sandboxing

AV Scanners VRT Sandboxing

FireCloud Client acts like another scanner with Advanced Malware Protection capabilities

• Two Phase Approach: 1st Phase in AsyncOS 8.0 2nd Phase in AsyncOS 8.5 Shared Memory Multi-Threading Proxy Architecture for HTTPs Performance

Reporting Optimized Regular Improvements Expression Engine

Test Configuration Platform RPS on AsyncOS 7.7 RPS on AsyncOS 8.0

Premium bundle S370 316 450 (WBRS, AVC, Auth, (42%) HTTPs 10%, Webroot, Sophos) S380 396 683 (25%) ( 72%) (116%) S670 615 1050 (70%) S680 711 1050 (15%) (48%) (70 %)

Orange -- % Increase by upgrading from x70 to x80, running AsyncOS 7.7 Green -- % Increase by running the same HW, but upgrading from AsyncOS 7.7 to AsyncOS 8.0 Red -- % Increase by upgrading from x70 to x80, and also upgrading from AsyncOS 7.7 to AsyncOS 8.0 All the RPS numbers in the table are sustained RPS

• Supported for AD Server 2003, 2008, 2012

• Support for Multiple Platforms: Windows, Mac OSX, and web browsers

• Deployment scenarios on-par with Multi-forest NTLM features Multiple Kerberos realms Group based policies

• Setup/Configure similar to Multi-forest NTLM feature

Feature IPv6 Support

WBRS (Web Reputation) Ready

SaaS Yes

Authentication Surrogates Yes

AVC, Bandwidth Control Yes

X-Forwarded-For Headers Yes

End User Notification, End User Acknowledgement Yes

Feature Support for IPv6

DNS Yes

Authentication (LDAP, RADIUS, etc.) N/A

Transparent User Authentication Yes

WCCP Ready*

ICAP (External DLP) Yes

PAC File Hosting N/A

• Background: Update to WSA 7.5.7 Release (Limited GA) WSA Cloud Connector 8.0 is the virtualized version of WSA 7.5.7.

• Applications: Provision multiple virtual WSA Cloud Connectors to meet traffic demand

• Advantage: Scale, easy management and deployment.

Current Datacenters Chennai Paris Chicago San Jose Copenhagen Sao Paulo Dallas Singapore Frankfurt Sydney Hong Kong Tokyo Johannesburg Toronto 2X London Vancouver Miami Zurich New York 2X

• 21 data centers • 19 locations

• Each logical Proxy consists of: Active/Passive Firewalls Active/Passive Load Balancers Application Switches Distribution Switches 2 x Chassis of 16 Blades each (32 Total)

Improved capacity management Convergence

Improved content delivery performance

Intelligence

Platform for new services

Automation VM infrastructure on scalable Cisco UCS hardware Future services + Room for product evolution

Use your existing Cisco asset to leverage CWS

Cloud Web Security

AnyConnect ASA ISR G2 WSA WSAv Hosted PAC & Connector Web Security Connector Authentication

Cisco Device No Cisco Device

Attach Based Direct to Cloud

Reduced time to discovery Active, continuous monitoring to stop the spread of an attack

Normal… or not? Spots symptoms of infection using behavioral anomaly detection algorithms and trust modeling

Security that evolves Uses machine learning to learn from what it sees and adapt over time

No more rule sets Discovers threats on its own…just turn it on.

CTA is a cloud-based solution that reduces time to discovery of threats operating inside the network.

Identifies Learns from Adapts new threats what it sees over time

Licensed feature on CWS, part of new CWS Premium package

Talk to your Cisco or partner account teams to set up an evaluation

Evaluations available for: • Cloud • Virtual • On-premise appliances using Demo Loaner Program