
Cisco Web and Email Security
Protection for the top two attack vectors
Story Tweedie-Yates
Product Marketing Manager – Cisco Web Security
February 16, 2016
Agenda
• Top 2 attack vectors
• Threats from a user’s perspective
• Before, during and after: a security framework
• Cisco Web and Email Security tour
• Demos
• Get Started
Top 2 Attack Vectors
Exposure – web blocks
• 19.7 Billion total threats blocked daily (7.2 Trillion yearly)
• Daily web breakdown: 818 Million web blocks, 181 Million spyware blocks, 82,000 virus blocks
Exposure – email blocks
Large attack surface (figure: daily email block volumes)
Attack surface – email
• Attackers have a growing appetite to leverage targeted phishing campaigns
• SPAM up 250%; example: snowshoe SPAM attack
Attack surface – web browsers
• More than 85% of the companies studied were affected each month by malicious browser extensions
Attack surface – user error on web
• Users are becoming complicit enablers of attacks: untrustworthy sources, clickfraud and adware
• Outdated browsers: only 10% of IE requests come from the latest version, vs 64% of Chrome requests
Attack surface – web applications
Attackers shift vectors (exploit log volume, 2015 Cisco Annual Security Report):
• Java down 34%
• Silverlight up 228%
• PDF and Flash steady
Attack surface – web protocol
The growing trend of web encryption creates a false sense of security and blind spots for defenders. Encrypted (https://) traffic is increasing, driven by organizational security, individual privacy and government compliance, and it now represents over 50% of bytes transferred.
Low Barriers to Entry
Compromising without clicking
• Malvertising is on the rise: low-limit exfiltration makes infection hard to detect
• In October 2014 there was a 250% spike in exploit kit activity, e.g. Cryptowall version 4
CRYPTOWALL 4.0
• Notorious ransomware
• Version 1 first seen in 2014
• Distributed via exploit kits and phishing emails
• Fast evolution
Threats from a user’s perspective
Web and email are portable: mobile, coffee shop, corporate, home, airport
Sample attack: Joe CFO
Waiting for his plane
Meet Joe. He is heading home for a well deserved vacation. He’s catching up on email using the airport Wi-Fi while he waits for his flight.
Sample attack: Joe CFO
Checks his email
Joe just got an email from his vacation resort:

Your Tropical Getaway

Joe,

Thank you for choosing us. We look forward to seeing you.

Before your arrival, please verify your information here:

www.vacationresort.com

Best,
Resort Team
Sample attack: Joe CFO
Instinctively, he clicks on the link
No problem, right? Everything looks normal. The site may even be a trusted site, or maybe a site that is newly minted.
Sample attack: Joe CFO
Joe is now infected
Joe opens the link and the resort video plays. Although he doesn’t know it, Joe’s machine has been compromised by a Silverlight-based video exploit. The malware now starts to harvest Joe’s confidential information:
• Passwords
• Credentials
• Company access authorizations
Today’s cyber-threat reality
• Your environment will get breached
• You’ll most likely be infected via email
• Hackers will likely command and control your environment via web
Before, during and after: a security framework
The Attack Continuum
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Applied across Network, Endpoint, Mobile, Virtual and Cloud, backed by threat intelligence: point-in-time checks before and during the attack, continuous analysis after it.
Figure: Cisco Web Security (WSA and CWS), fed by Talos threat intelligence, across the before/during/after continuum. Features: Web Reputation, Web Filtering, Application Visibility & Control, Anti-Malware, File Reputation, File Sandboxing, Webpage Outbreak Intelligence, Cognitive Threat Analytics, File Retrospection, DLP Integration. Actions: Allow, Warn, Block, Partial Block.
Traffic redirection methods: ASA, WSA, Explicit/PAC, ISR G2, ISR 4k and AnyConnect connectors (CWS); WCCP, Load Balancer, Explicit/PAC, PBR and AnyConnect (WSA). Management: admin, reporting, log extraction, client authentication methods.
Deployment scenarios: Campus Office, Branch Office, Roaming User, BYOD User. Key: CWS only / WSA and WSAv only / Hybrid.
Figure: Cisco Email Security (Cloud, Appliance, Virtual), fed by Talos, across the before/during/after continuum.
Inbound email: Reputation Filters, Mail Flow Policies, Acceptance Controls, Anti-Spam, Anti-Virus, File Reputation, Graymail Management, Content Controls, File Sandboxing & Retrospection (ThreatGrid), Outbreak Filters, Safe Unsubscribe, URL Reputation & Categorization, Anti-Phish, Email Tracking, User Click Activity (Anti-Phish).
Outbound email (Outbound Liability Protection): Mail Flow Policies, Anti-Spam and Anti-Virus, Data Loss Prevention, Encryption.
Actions: Allow, Warn, Block, Partial Block. Management: admin, reporting, message tracking.
Talos: before, during and after
Cisco Talos: threat intelligence, research and response, fed by email, endpoints, web, networks, IPS and devices.
• 1.1 million file samples per day
• 1.6 million global sensors
• 35% of worldwide email traffic
• 100 TB of data received per day
• 13 billion web requests per day (ESA/WSA/CWS)
• 150 million+ deployed endpoints
• 24x7x365 operations
• 600+ engineers, technicians and researchers
• 40+ languages
Intelligence sources: AMP community; advanced Microsoft and industry disclosures; Snort and ClamAV open source communities; AMP Threat Grid intelligence; AEGIS™ program; private and public threat feeds; 10 million files per month of AMP Threat Grid dynamic analysis.
Cisco Web and Email Security tour
Feature Tour Map: Pervasive, Continuous, Always On, Complete Solution

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
Strategic Imperatives
• Visibility-Driven: network-integrated, broad sensor base, context and automation
• Threat-Focused: continuous advanced threat protection, cloud-based security intelligence
• Platform-Based: agile and open platforms, built for scale, consistent control and management
Across Network, Endpoint, Mobile, Virtual and Cloud
Email and Web Security new feature tour map
Web: Cloud Web Security (CWS) and Web Security Appliance (WSA)
• Mobile Browser (CWS)
• ISE Integration (WSA)
• New GUI (CWS)
• Cognitive Threat Analytics
• Unified Reporting/Policy
• ISR 4k Connector
• X90 hardware
Email: Email Security Appliance (ESA) and Cloud Email Security (CES)
• Web Interaction Tracking
• Graymail
• Anti-snowshoe
• Zix Encryption
• Hybrid Email
Themes: Visibility-Driven, Threat Focused, Platform Based
Visibility Driven
CWS Mobile Browser (figure): a mobile browser, distributed through an MDM solution, sends its Internet traffic to the CWS Scancenter where policy is applied.
Extending User Identity and Context: Identity Services Engine integration
• Acquires important context and identity from the network
• Monitors and provides visibility into unauthorized access
• Provides differentiated access to the network
• Cisco TrustSec® provides segmentation throughout the network
• Cisco Web Security Appliance provides web security and policy enforcement under a consistent secure access policy
Who/What/Where context (e.g. Doctor on a laptop in the office, Doctor on an iPad in the office, Guest on an iPad in the office) drives differentiated access to confidential patient records, the internal employee intranet and the Internet.
Available only on WSA
Get the Intelligence You Need
Over 10,000 report variations
• High-level overview with customizable widgets
• One-click drill down into widgets
• Customized login screen for each admin
• Customizable dashboards
• 70+ pre-defined reports (admin, traffic redirections, HQ)
• Quick analysis
Web Interaction Tracking
Enabling tracking of URLs rewritten by policy: potentially malicious URLs are rewritten, every click is recorded, and users are monitored from a single pane of glass. Example click records:
• User A: rewritten URL 2asyncfs.com, click time 09:23:25 12 Jan 2015, re-write reason: Outbreak, action taken: Blocked
• User B: rewritten URL 5asynxsf.com, click time 11:01:13 09 Mar 2015, re-write reason: Policy, action taken: Allowed
• User C: rewritten URL 8esynttp.com, click time 16:17:44 15 Jun 2015, re-write reason: Outbreak, action taken: Blocked
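How URL rewriting and click tracking fit together, as an added example that is not Cisco's code and not part of the original deck: the gateway replaces each URL in a message with a link to a tracking host, the click is resolved against the block list that is current at click time (so a URL that was clean at delivery can still be blocked later), and each resolved click becomes a record like the ones above. The tracking host, the HMAC key, the token format, the block list and the sample message are all assumptions. The design point a practitioner should not skip is the signature: an unsigned rewrite token turns the tracking host into an open redirector that phishers can use to borrow its reputation.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Dict, List, Optional, Set

TRACKING_HOST = "https://rewrite.example"     # assumed tracking host, not a Cisco address
GATEWAY_KEY = b"gateway-hmac-key-change-me"   # assumed per-gateway secret
SIG_LEN = 16                                  # truncated HMAC-SHA256 tag

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+")


def _sign(raw: bytes) -> bytes:
    return hmac.new(GATEWAY_KEY, raw, hashlib.sha256).digest()[:SIG_LEN]


def make_token(original_url: str, reason: str) -> str:
    """Encode the original URL plus the rewrite reason and append an HMAC so a
    tracking link cannot be forged into an open redirector."""
    raw = json.dumps({"u": original_url, "r": reason},
                     sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw + _sign(raw)).decode().rstrip("=")


def parse_token(token: str) -> Optional[dict]:
    """Verify and decode a token; None means forged, tampered or malformed."""
    try:
        blob = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    raw, sig = blob[:-SIG_LEN], blob[-SIG_LEN:]
    if len(sig) != SIG_LEN or not hmac.compare_digest(sig, _sign(raw)):
        return None
    try:
        return json.loads(raw)
    except ValueError:
        return None


def rewrite_urls(body: str, reason: str) -> str:
    """Replace every URL in a message body with a tracking link carrying the
    reason the gateway rewrote it (e.g. 'Outbreak' or 'Policy')."""
    return URL_RE.sub(lambda m: f"{TRACKING_HOST}/c/{make_token(m.group(0), reason)}", body)


def resolve_click(clicked: str, blocked_hosts: Set[str], user: str,
                  click_time: str, log: List[Dict[str, str]]) -> str:
    """Click-time verdict against the *current* block list; every verified click
    is appended to the tracking log. A bad signature is never redirected."""
    prefix = f"{TRACKING_HOST}/c/"
    payload = parse_token(clicked[len(prefix):]) if clicked.startswith(prefix) else None
    if payload is None:
        return "Invalid"
    host = re.sub(r"^https?://", "", payload["u"]).split("/")[0].lower()
    action = "Blocked" if host in blocked_hosts else "Allowed"
    log.append({"user": user, "click_time": click_time, "url": payload["u"],
                "reason": payload["r"], "action": action})
    return action


def users_with_blocked_clicks(log: List[Dict[str, str]]) -> List[str]:
    """The single-pane-of-glass view: who clicked something that was blocked."""
    return sorted({entry["user"] for entry in log if entry["action"] == "Blocked"})
```

A blocked click is still an incident lead: the user opened the message and followed the link, so the same user is the first place to look for credentials entered on a page that was not yet on the block list.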
Threat Focused
Here’s an example of how CTA works
Pipeline: Anomaly Detection → Trust Modeling → Classification → Entity Modeling → Relationship Modeling
Figure: HTTP(S) requests are grouped into clusters and run through classifiers; the output separates detected threats (unique to one user) from confirmed threats (spanning multiple users).
Volumes: 10B requests per day; +/- 1% is anomalous; 10M events per day; 1K-50K incidents per day.
Near real-time processing
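A toy version of that pipeline, as an added example that is not Cisco's CTA code and not part of the original deck: it runs the same stages over a constructed proxy log (sample lines invented for the example, not real traffic) and separates a beacon that two users share, the "confirmed" case, from one a single user talks to, the "detected" case. The signal used is beaconing regularity: command-and-control check-ins fire on a timer, so the inter-request gaps to a rarely visited host have almost no variance, which is something human browsing never produces. The thresholds and hostnames are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed proxy log: "HH:MM:SS user destination_host" (invented for this example).
SAMPLE_LOG = """\
09:00:00 alice www.example.com
09:00:03 alice www.example.com
09:00:47 alice www.example.com
09:02:10 alice www.example.com
09:05:00 alice upd-7f3.example.net
09:10:00 alice upd-7f3.example.net
09:15:01 alice upd-7f3.example.net
09:20:00 alice upd-7f3.example.net
09:25:00 alice upd-7f3.example.net
09:30:02 alice upd-7f3.example.net
09:01:00 bob www.example.com
09:01:10 bob www.example.com
09:04:00 bob www.example.com
09:06:00 bob upd-7f3.example.net
09:11:00 bob upd-7f3.example.net
09:16:00 bob upd-7f3.example.net
09:21:01 bob upd-7f3.example.net
09:26:00 bob upd-7f3.example.net
09:31:00 bob upd-7f3.example.net
09:00:30 carol www.example.com
09:03:33 carol www.example.com
09:00:00 carol static-1.example.org
09:10:00 carol static-1.example.org
09:20:00 carol static-1.example.org
09:30:00 carol static-1.example.org
09:40:00 carol static-1.example.org
09:50:00 carol static-1.example.org
09:00:05 dave www.example.com
09:02:00 dave www.example.com
09:00:10 dave files.example.org
09:00:12 dave files.example.org
09:03:40 dave files.example.org
09:04:00 dave files.example.org
09:20:00 dave files.example.org
09:21:30 dave files.example.org
"""


def _secs(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_log(text: str) -> Dict[Tuple[str, str], List[int]]:
    """Entity modeling: group request timestamps per (user, host) pair."""
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, user, host = line.split()
            by_pair[(user, host)].append(_secs(ts))
    return by_pair


def beacon_score(times: List[int]) -> float:
    """Coefficient of variation of the inter-request gaps: near 0 is a metronome."""
    if len(times) < 2:
        return float("inf")
    ordered = sorted(times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else float("inf")


def detect(text: str, min_requests: int = 6, max_cv: float = 0.1,
           max_users_per_host: int = 3) -> Dict[str, Dict[str, List[str]]]:
    by_pair = parse_log(text)
    users_per_host: Dict[str, set] = defaultdict(set)
    for (user, host) in by_pair:
        users_per_host[host].add(user)
    hits: Dict[str, List[str]] = defaultdict(list)
    for (user, host), times in by_pair.items():
        if len(times) < min_requests:                     # anomaly detection: need enough samples
            continue
        if len(users_per_host[host]) > max_users_per_host:  # trust modeling: popular hosts are trusted
            continue
        if beacon_score(times) <= max_cv:                 # classification: periodic == beacon
            hits[host].append(user)
    # relationship modeling: the same beacon seen from several users is confirmed
    confirmed = {h: sorted(u) for h, u in hits.items() if len(u) >= 2}
    detected = {h: sorted(u) for h, u in hits.items() if len(u) == 1}
    return {"confirmed": confirmed, "detected": detected}
```

Real implementations add jitter tolerance, look at request sizes and user agents, and score over days rather than an hour; the point here is that the rare-host and periodicity features alone already separate the four users into two incidents and two non-events.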


Graymail management
Threat defense (reputation filter, anti-spam, anti-virus, Advanced Malware Protection) blocks malicious mail; graymail detection then classifies what remains as marketing, social network or bulk and issues a verdict: quarantine, or deliver with a safe unsubscribe link added.
Quarantine options:
• Whitelist – Allow Sender
• Blacklist – Block Sender
• Release – Safe unsubscribe
Anti-Snowshoe Enhancements
“Building on the multi-layer defense strategy for effective protection against snowshoe spam”
• Enhanced contextual awareness for the anti-spam engine, with unique cloud-based Bayesian learning
• Increased automation and auto-classification of emails for faster response
• Global expansion of sensor coverage for early visibility
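Why snowshoe spam needs the contextual, cross-sensor view the slide describes, as an added example that is not Cisco's code and not part of the original deck: a snowshoe campaign spreads a few messages each across many IP addresses, often a whole netblock, so per-IP volume and per-IP reputation never trip, while a conventional bulk sender hammers from one address and is caught by the per-IP rule alone. The code below contrasts the two over a constructed MTA connection log (invented lines, documentation-range addresses) by aggregating on the /24 and on a digit-normalised subject template. The thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed MTA log: "client_ip envelope_from subject" (invented for this example).
SAMPLE_LOG = """\
198.51.100.11 promo@deal-a1.example Limited offer 4821
198.51.100.11 promo@deal-a1.example Limited offer 4822
198.51.100.12 promo@deal-b7.example Limited offer 9930
198.51.100.13 promo@deal-c3.example Limited offer 1177
198.51.100.13 promo@deal-c3.example Limited offer 1178
198.51.100.14 promo@deal-d9.example Limited offer 5520
198.51.100.15 promo@deal-e4.example Limited offer 6301
198.51.100.16 promo@deal-f8.example Limited offer 2288
198.51.100.16 promo@deal-f8.example Limited offer 2289
198.51.100.17 promo@deal-g2.example Limited offer 7410
198.51.100.18 promo@deal-h6.example Limited offer 3150
198.51.100.19 promo@deal-i5.example Limited offer 8864
198.51.100.20 promo@deal-j1.example Limited offer 4090
198.51.100.20 promo@deal-j1.example Limited offer 4091
198.51.100.50 bob@partner.example Re: invoice 1234
192.0.2.5 alice@corp.example Re: meeting notes
"""
# A single-IP bulk sender, the case per-IP reputation already handles (also constructed).
SAMPLE_LOG += "\n".join(f"203.0.113.7 news@shop.example Your weekly digest {i}" for i in range(12)) + "\n"


def template(subject: str) -> str:
    """Collapse digits so 'Limited offer 4821' and 'Limited offer 9930' match."""
    return re.sub(r"\d+", "#", subject.lower())


def netblock24(ip: str) -> str:
    return ".".join(ip.split(".")[:3]) + ".0/24"


def _records(text: str):
    for line in text.splitlines():
        if line.strip():
            ip, sender, subject = line.split(maxsplit=2)
            yield ip, sender, subject


def noisy_ips(text: str, max_per_ip: int = 10) -> List[str]:
    """The classic per-IP volume rule: catches the bulk sender, misses snowshoe."""
    per_ip = Counter(ip for ip, _, _ in _records(text))
    return sorted(ip for ip, n in per_ip.items() if n > max_per_ip)


def snowshoe_netblocks(text: str, min_ips: int = 8, max_per_ip: int = 3,
                       min_template_share: float = 0.8) -> Dict[str, dict]:
    """Flag a /24 when many distinct IPs each send a little and the subjects
    collapse to one template: low per-IP volume is the evasion, the shared
    template and netblock are the context that exposes it."""
    per_ip = Counter()
    block_ips: Dict[str, set] = defaultdict(set)
    block_templates: Dict[str, Counter] = defaultdict(Counter)
    for ip, _, subject in _records(text):
        per_ip[ip] += 1
        block = netblock24(ip)
        block_ips[block].add(ip)
        block_templates[block][template(subject)] += 1
    flagged = {}
    for block, ips in block_ips.items():
        if len(ips) < min_ips or max(per_ip[ip] for ip in ips) > max_per_ip:
            continue
        total = sum(block_templates[block].values())
        tmpl, count = block_templates[block].most_common(1)[0]
        if count / total >= min_template_share:
            flagged[block] = {"ips": len(ips), "messages": total, "template": tmpl}
    return flagged
```

The one legitimate message from the same /24 (the partner invoice) survives the template share test, which is the precision trade-off: a netblock verdict should feed the spam score, not block the block outright.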
Platform Based
With unified reporting and policy management
• Unified Reporting: WSA and Cloud Web Security logs for HQ and roaming users feed one Web Security Reporting Application
• Unified Policies: one graphical user interface manages WSA and Cloud Web Security policy
Hybrid Email
Email Encryption
Zix Gateway with Cisco Technology
• Automate encryption for employees
• Automate delivery to the most secure, most convenient method
• Exchange encrypted email transparently
• Provide the optimal mobile experience
New Web and Email Security Hardware Platform
190, 390 and 690 models, built on Cisco Unified Computing System (Cisco UCS)
New Hardware Platforms
• Web Security Appliance: WSA-S170 → WSA-S190, WSA-S380 → WSA-S390, WSA-S680 → WSA-S690
• Security Management Appliance: SMA-M170 → SMA-M190, SMA-M380 → SMA-M390, SMA-M680 → SMA-M690
More Central Processing Units (CPUs) + increased memory = performance, plus more raw disk storage capacity
Save money on bandwidth in your branch
Direct Internet Access from the branch ISR 4k with GRE over IPsec to the cloud, instead of backhauling Internet traffic to headquarters ($$$).
Cisco Web and Email Security roadmap
Recent Releases
• Visibility Driven: Web Interaction Tracking (Email), Graymail Management (Email), WSA and CWS Unified Policy
• Threat Focused: WSA with CTA, ZCT Email Encryption
• Platform Based: Email and Web Appliance New Hardware, CWS Mobile Browser, Hybrid Email
Current Projects
• Email DLP
• Threat Grid Integration (CWS)
• Hybrid Web Security
• Auto-remediation for O365 (Email)
Future
• Chromebook Support (CWS)
• Integration with Firepower
• HTTP 2.0 (WSA)
• Email Shortlinks
• Management Center (WSA)

Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.
Demos
• New CWS GUI
• CTA
• Email Innovations
Web security customer requirements
• Detailed web and HR reporting and control
• Need for deep inspection with AVC
• Large amounts of https traffic
Figure: a proxy sits between the corporate network, the roaming user and https destinations, and prompts for authentication (Name / Login_ID / Password).
Get Started Today with Cisco
1 Learn more on the website
2 See and share what’s new
3 Ask for your free trial