The top two attack vectors for malware are email and web browsers. Watering-hole attacks conceal malware on member-based sites, and phishing scams can target individuals with personal details. This presentation describes a different security approach to protect against these threats while achieving business growth, efficiency and lowered expenses. It features Cisco Email, Web and Cloud Web Security and covers basic features, offers, benefits, newest features and product integrations. Watch the webinar: http://cs.co/9004BGqvy
1. Story Tweedie-Yates
Product Marketing Manager – Cisco Web Security
February 16, 2016
Protection for the top two attack vectors: Cisco Web and Email Security
2. Agenda
Top 2 attack vectors
Threats from a user’s perspective
Before, during and after: a security framework
Cisco Web and Email Security tour
Demos
Get Started
4. Exposure – web blocks
Daily Web Breakdown: 82,000 Virus Blocks; 181 Million Spyware Blocks; 818 Million Web Blocks
Total Threats Blocked: 19.7 Billion daily; 7.2 Trillion yearly
7. Attack surface – email
Attackers: a growing appetite to leverage targeted phishing campaigns
Example: Snowshoe SPAM attack – SPAM up 250%
8. Attack surface – web browsers
More than 85% of the companies studied were affected each month by malicious browser extensions
9. Attack surface – user error on web
Users becoming complicit enablers of attacks: untrustworthy sources; clickfraud and adware; outdated browsers
10% of IE requests running the latest version vs. 64% of Chrome requests running the latest version
10. Attack surface – web applications
Attackers: shifts in the attack vectors (log volume, 2015 Cisco Annual Security Report)
Java drop 34%; Silverlight rise 228%; PDF and Flash steady
11. Attack surface – web protocol (https://)
Encrypted traffic is increasing. It represents over 50% of bytes transferred.
Individual Privacy – Government Compliance – Organizational Security
The growing trend of web encryption creates a false sense of security and blind spots for defenders
13. Compromising without clicking
Attackers: malvertising is on the rise; low-limit exfiltration makes infection hard to detect
In October 2014, there is a spike of 250%
14. Exploit Kits, e.g. CryptoWall version 4
• Notorious ransomware
• Version 1 first seen in 2014
• Distributed via exploit kits and phishing emails
• Fast evolution
CRYPTOWALL 4.0
16. Web and email are portable
Mobile – Coffee shop – Corporate – Home – Airport
17. Sample attacking: Joe CFO – Waiting for his plane
Meet Joe. He is heading home for a well-deserved vacation. He’s catching up on email using the airport Wi-Fi while he waits for his flight.
18. Sample attacking: Joe CFO – Checks his email
Joe just got an email from his vacation resort.
Your Tropical Getaway
Joe,
Thank you for choosing us. We look forward to seeing you.
Before your arrival, please verify your information here:
www.vacationresort.com
Best,
Resort Team
19. Sample attacking: Joe CFO – Instinctively, he clicks on the link
No problem, right? Everything looks normal. The site may even be a trusted site, or maybe a site that is newly minted.
Your Tropical Getaway
Joe,
Thank you for choosing us. We look forward to seeing you.
Before your arrival, please verify your information here:
www.vacationresort.com
Best,
Resort Team
20. Sample attacking: Joe CFO – Joe is now infected
Joe opens the link and the resort video plays. Although he doesn’t know it, Joe’s machine has been compromised by a Silverlight-based video exploit. The malware now starts to harvest Joe’s confidential information:
• Passwords
• Credentials
• Company access authorizations
21. Today’s cyber-threat reality
Your environment will get breached
You’ll most likely be infected via email
Hackers will likely command and control your environment via web
23. The Attack Continuum
BEFORE: Discover; Enforce; Harden
DURING: Detect; Block; Defend
AFTER: Scope; Contain; Remediate
Coverage: Network; Endpoint; Mobile; Virtual; Cloud
Point in Time and Continuous Threat Intelligence
24. Cisco Web Security
Key: CWS Only – WSA / WSAv Only – Hybrid
Before/during/after controls: Web Filtering; Web Reputation; Application Visibility & Control; Anti-Malware; File Reputation; File Sandboxing; File Retrospection; Cognitive Threat Analytics; DLP Integration; Outbreak Intelligence
Actions on a webpage (www.website.com): Allow; Warn; Block; Partial Block
Management: Reporting; Log Extraction
Client Authentication Methods
Traffic Redirection Methods: WCCP; ASA; Load Balancer; PBR; ISR G2; ISR 4k; AnyConnect; Explicit/PAC
Users and sites: HQ; Campus Office; Branch Office; Roaming User; BYOD User; Admin
Threat intelligence from Talos
25. Cisco Email Security
Deployment: Cisco Appliance; Virtual; Cloud; threat intelligence from Talos
Inbound Email (before, during, after): Email Reputation; Acceptance Controls; Anti-Spam; Anti-Virus; Outbreak Filters; File Reputation; File Sandboxing & Retrospection; Content Controls; Mail Flow Policies; Graymail Management; Safe Unsubscribe; Anti-Phish; ThreatGrid; URL Rep & Cat; Tracking User Click Activity (Anti-Phish)
Outbound Email (outbound liability, before and during): Anti-Spam and Anti-Virus; Mail Flow Policies; Data Loss Protection; Encryption
Actions: Allow; Warn; Block; Partial Block
Management: Reporting; Message Track
26. Talos: before, during and after
Inputs: 1.1 million file samples per day (AMP community); Advanced Microsoft and industry disclosures; Snort and ClamAV open source communities; AMP TG Intelligence; AEGIS™ program; private and public threat feeds; 10 million files per month (AMP TG dynamic analysis)
Cisco® Talos Threat Intelligence – Research – Response → ESA/WSA/CWS (Email; Endpoints; Web; Networks; IPS; Devices; WWW)
1.6 million global sensors; 100 TB of data received per day; 150 million+ deployed endpoints; 600+ engineers, technicians, and researchers; 35% worldwide email traffic; 13 billion web requests; 24x7x365 operations; 40+ languages
33. Identity Services Engine Integration and Extending User Identity and Context
Acquires important context and identity from the network
Monitors and provides visibility into unauthorized access
Provides differentiated access to the network
Cisco TrustSec® provides segmentation throughout the network
Cisco Web Security Appliance provides web security and policy enforcement
Available only on WSA
Consistent secure access policy (Cisco® Identity Services Engine with WSA), example identities: Who: Guest, What: iPad, Where: Office; Who: Doctor, What: iPad, Where: Office; Who: Doctor, What: Laptop, Where: Office
Resources: Confidential Patient Records; Internal Employee Intranet; Internet
34. Get the Intelligence You Need
Over 10,000 report variations; 70+ pre-defined reports; customize dashboards; quick analysis
High-level overview with customizable widgets
One-click drill down into widgets
Customized login screen for each admin
35. Web Interaction Tracking
Enabling tracking of URLs rewritten by policy
Rewritten URL: 2asyncfs.com – Click Time: 09:23:25 12 Jan 2015 – Re-write reason: Outbreak – Action taken: Blocked
Rewritten URL: 5asynxsf.com – Click Time: 11:01:13 09 Mar 2015 – Re-write reason: Policy – Action taken: Allowed
Rewritten URL: 8esynttp.com – Click Time: 16:17:44 15 Jun 2015 – Re-write reason: Outbreak – Action taken: Blocked
Users tracked: User A; User B; User C
Potentially malicious URLs → Filtering → Rewritten URLs
Monitor users from a single pane of glass
39. Anti-Snowshoe Enhancements
Enhanced contextual awareness for the anti-spam engine, with unique cloud-based Bayesian learning
Increased automation and auto-classification of emails for faster response
Global expansion of sensor coverage for early visibility
“Building on the multi-layer defense strategy for effective protection against snowshoe spam”
41. Unified Reporting and Unified Policies
With unified reporting and policy management across Cloud Web Security and WSA (roaming user and HQ): Cloud Web Security graphical user interface; Web Security Reporting Application
43. Email Encryption – Zix Gateway with Cisco Technology
Automate encryption for employees
Automate delivery to the most secure, most convenient method
Exchange encrypted email transparently
Provide the optimal mobile experience
47. Cisco Web and Email Security roadmap
Visibility Driven – Threat Focused – Platform Based
Recent Releases: Email Web Interaction Tracking; Email Graymail Management; WSA with CTA; ZCT Email Encryption; WSA and CWS Unified Policy; Email and Web Appliance New Hardware; CWS Mobile Browser; Hybrid Email
Current Projects: Email DLP; Auto-remediation for O365 (Email); Threat Grid Integration (CWS); Hybrid Web Security
Future: Chromebook Support (CWS); HTTP 2.0 (WSA); Email Shortlinks; Integration with Firepower Management Center (WSA)
Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.
49. Web security customer requirements
Large amounts of https traffic
Detailed web and HR reporting
Need for deep inspection and control with AVC
Diagram: corporate network, proxy, roaming user, https login (Name / Password)
50. Get Started Today with Cisco
1. Learn more on the website
2. See and share what’s new
3. Ask for your free trial
Editor's Notes
We always talk about the top two attack vectors being email and Web security. What do we mean by that and why do we say that?
Web (and email) has 3 characteristics that make it one of the top attack vectors:
Large exposure – email and web account for a comparatively huge amount of traffic
Large attack surface – browsers, applications, pictures, etc.
Low entry barrier for attackers – running an existing exploit, something that’s already packaged and ready to go; it is easy to create a domain or to send out one million emails from one hacked account. Downloading an exploit kit is easy, and nobody uses one account to send a million emails anymore.
Starting with exposure – look at the numbers on the right of this slide: of all the blocks Talos sees on a daily basis, about 80% are attributed to web traffic. This is an enormous risk exposure for users.
Add spam into this and you see 2,557,767 blocks/sec
Notes on new numbers:
19.6 Billion Threats blocked per day = Web Blocks + Spam w/ Malicious attachment
2.5 Million Threats blocked per second = The 19.6 Billion blocks + all Spam messages with attachments or not
If we just look at email, we see the large exposure that people have to spam through their email
Furthermore, the attack surface for web and email is huge. For example, with snowshoe spam you see attackers sending low volumes of spam from a large set of IP addresses to avoid detection. They have any number of IP addresses at their disposal to continue doing this. They can also use legitimate, but hacked, accounts to do this.
Spam still plays a key role in helping online criminals carry out their campaigns, relying on the exploitation of users to plant malware on devices or steal credentials.
In 2014, spam volume increased 250 percent.
Snowshoe spam, sending low volumes of spam from a large set of IP addresses to avoid detection, is emerging.
Malicious actors often steal valid email credentials from users with malicious spam messages and then send spam from compromised, yet reputable, accounts.
This means spam is now more dangerous: low-volume spam messages enjoy a high or no reputation, making this malicious spam, often the first step (a phishing email) in a blended attack, very hard to detect.
Spammers morph messages to evade detection by tweaking successful messages so that their basic structure remains the same, but the messages are different enough to evade spam filters; as many as 95 variations of the same message have been seen.
Now take the attack surface. The web vector contains applications and other entry points that attackers use to deliver viruses and carry out other malicious activities.
Once installed, malicious browser extensions can steal information, and become a major source of data leakage. Every time a user opens a new webpage with a compromised browser, that extension collects data. The attackers can then exfiltrate detailed information about every internal or external webpage that the user visits. They are also gathering highly sensitive information embedded in the URL, including user credentials, customer data, and details about an organization’s internal APIs and infrastructure.
According to the 2016 Cisco Annual Security Report, or ASR, browser infections are occurring at an alarming rate:
A full 85 percent of the 45 companies in our sample were affected every month by malicious browser extensions—a finding that underscores the massive scale of these operations. Because infected browsers are often considered a relatively minor threat, they can go undetected or unresolved for days or even longer—giving attackers more time and opportunity to carry out their campaigns.
The attack surface even includes whatever browser version you are using
Users loading compromised malvertising add-ons from untrustworthy sources
Users in highly targeted industries almost twice as likely to succumb to Clickfraud and Adware
Not updating browsers: 10% of IE requests running latest version vs. 64% of Chrome requests running latest version
The attack surface for web also includes applications
Java exploits dropped 34 percent, as Java is falling out of favor with attackers; Java security is improving, making it harder to exploit.
A significant rise in Silverlight attacks of 228 percent, though still low in volume of attacks.
Flash attacks (3 percent decrease) and PDF (7 percent increase) holding relatively steady.
There was an 88 percent overall average decline of exploit kit activity from May through November 2014. Even with this decline, we continue to see serious breaches occurring at an alarming rate.
As you can see in this slide, encrypted HTTPS traffic has become a vital component of web security.
Research conducted as part of the 2016 ASR revealed that encrypted traffic, particularly HTTPS, has reached a tipping point. While not yet representing the majority of transactions, HTTPS will soon become the dominant form of traffic on the Internet. In fact, our research shows that it already consistently represents over 50 percent of bytes transferred. This is due to overhead and the larger content that is sent via HTTPS, such as transfers to file storage sites.
What’s unfortunate is that many customers equate HTTPS traffic with “safe” traffic. However, what it really means is that you’re blind to what’s inside the HTTPS request, not that the request itself is encrypted and therefore safe.
Barriers to web and email attacks are extremely low for the attackers. In the case of malvertising, they only need customers to visit a site in order to accomplish their mission.
Malvertising: Criminals are using a ‘freemium-type model’ – similar to the legitimate tactic to give software away free but charge for additional features. In their case it is a sophisticated and multipronged technique for distributing malware, making money from many individual users in small increments by persistently infecting their browsers.
Users are often tricked to download malicious toolbars that inject malicious ads into pages visited by users contributing to a persistent state of infection.
Looking at 70 companies and 886,646 users and hosts from January through November 2014 we found a maximum infection rate of 1751 users in a given month.
Affected users jumped 250% in October 2014
CryptoWall is one ransomware variant that has shown gradual evolution over the past year with CryptoWall 2 and Cryptowall 3. Despite global efforts to detect and disrupt the distribution of CryptoWall, adversaries have continued to innovate and evolve their craft, leading to the release of CryptoWall 4.
For readers who may not be familiar, ransomware is malicious software that is designed to hold users' files (such as photos, documents, and music) for ransom by encrypting their contents and demanding that the user pay a fee to decrypt their files. Typically, users are exposed to ransomware via email phishing campaigns and exploit kits. The core functionality of CryptoWall 4 remains the same, as it continues to encrypt users’ files and then presents a message demanding that the user pay a ransom. However, Talos observed several new developments in CryptoWall 4 compared with previous versions. For example, several encryption algorithms used for holding users’ files for ransom have changed.
http://blog.talosintel.com/2015/12/cryptowall-4.html
Today, people aren’t just sending email from their desktop computers anymore. They’re using mobile devices or laptops to send email from coffee shops, corporate headquarters, home offices, airports, nearly everywhere you can imagine. Fueling this change is the need to be always connected. By 2016, (according to the Pew Internet and American Life Project Report, May 2011), at least 50 percent of enterprise email users will rely primarily on a browser, tablet, or mobile client instead of a desktop client.
But it isn’t just the tools to send and receive email that are changing. The threats to email are evolving, too.
Meet Joe CFO. He’s sitting in the airport waiting to head home. He’s excited to go back for a well-deserved vacation.
T: He’s using the public airport Wi-Fi to check his email
Joe just received an email from what appears to be his vacation resort.
It is asking him to verify his information – a credit card number, dinner reservations, or any number of things.
It wants him to verify by clicking on an embedded URL link.
T: Joe is drawn to the link.
Everything seems fine. There is a factor of trust, since Joe is going on vacation and the email is from a vacation resort.
The email may even be from a trusted site that has been compromised.
T: Joe clicks on the link.
A resort video plays. Although he doesn’t know it, Joe has been taken to a website with a Flash-based video exploit, and it has downloaded malware onto his machine.
The malware begins to harvest his information. Joe’s passwords, credentials, and company access authorizations have all been compromised.
He has unknowingly given hackers the ability to steal sensitive company and customer information.
T: Enjoy your vacation Joe.
Today’s reality has 3 outcomes for your business:
Your environment will be breached
When it is, it will probably happen because of an infected email
And if hackers use command and control on your system, they will probably get access via web
T: All of this means, you need a smarter solution.
<click>
The best way to communicate the totality of the challenge is to look at the attack continuum. This is what our customers are dealing with when trying to defend their networks.
The reason we use this new security model is to accentuate that a silver bullet is not feasible; it’s a bigger problem.
There are three stages to an attack: before, during, and after.
Let’s look at before an attack.
Before an attack:
Customers need to know what they are defending. You need to know what’s on your network to be able to defend it: devices, OS, services, applications, users.
They need to implement access controls, enforce policy, and block applications and overall access to assets.
This is where customers spend most of their time and money. The hope is to reduce the attackable surface of the network.
Unfortunately, attackers have a relatively easy time penetrating the perimeter of a network even with good access controls.
During the attack:
When attacks get through, we need to be able to detect them.
You must have the best detection of threats that you can get.
Once we detect attacks, we can block them and defend the environment.
After the attack:
Invariably attacks will be successful, and customers need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal.
You also need to address a broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself: on the network, endpoints, mobile devices, virtual and cloud environments.
In the new security model your security solutions can’t be effective only at a point in time; they must be always on, listening, looking for change. In other words, continuous in their capability.
Cisco Web Security offers a plethora of features to suit your business needs.
Let’s start with a high level view of what both CWS and WSA offer together:
• Big data analytics and collective global security intelligence
• Reputation filtering
• Real-time malware scanning
• Web usage controls
• Application visibility and control (AVC)
• Data loss prevention (DLP)
• Threat protection and remediation
• Flexible deployment options
When deciding either/or, the most basic differentiation between the two offerings is this question:
Does the customer prefer Cloud or Appliance?
Cisco Cloud Web Security is the cloud delivered solution that is ideal for a highly distributed organization. CWS data centers around the world act as proxies for web requests, which works well for geographically distributed organizations.
Cisco Web Security Appliance is an ideal solution for an organization with a centralized user population.
Besides the inherent differences between a cloud and on-premises offering, the following is a detailed, though not exhaustive, list of the differences between CWS and WSA.
Following the visual on the slide, we can start with Outbreak Intelligence. CWS has Outbreak Intelligence, which is context-based malware detection. CWS always uses 2 signature-based AV engines: Sophos and Kaspersky. All files get scanned by both AV engines as well as by Outbreak Intelligence (heuristics based), and if any of these engines detects the file as malicious it will be blocked. WSA does not use Outbreak Intelligence, but the L4 traffic monitoring engine can detect malicious activity without the need for signatures. WSA uses 3 signature-based engines, and the admin can decide which of the 3 to use (any combination): Webroot, McAfee, and Sophos.
Keeping with the visual on the slide, WSA has layer 4 scanning abilities while CWS does not. Because WSA is an on-premises device it can be used to monitor “level 4” network activity, i.e. it is not limited only to HTTP and HTTPS traffic. This means that other threats or undesirable traffic coming in and out of the network to/from the internet can be detected. As only HTTP and HTTPS traffic gets sent to CWS in the cloud, it does not have this or an equivalent capability. However, CTA on CWS also helps with that (see below).
CWS has CTA for advanced, cloud powered zero day breach detection while WSA doesn’t. CTA is roadmapped for WSA in Q1 FY16.
What is not on the slide is that WSA has caching, which provides a better customer experience; this is functional with CWS when deploying via the WSA as a redirection method. Furthermore, WSA offers time and bandwidth quotas, which are only available on CWS with a standalone deployment. WSA also has IPv6 support, which is roadmapped for CWS.
Going back to the visual, you can see here that WSA has stronger DLP options than CWS. Only ICAP (Internet Content Adaptation Protocol) is relevant for the DLP on the WSA. It is used to send content to something else (a DLP system in this case) for checking before onward transmission. CWS only has OCSP, which is not DLP.
CWS is the only offering that provides split-tunnel functionality for remote users even when not deployed via VPN. To get this functionality the AnyConnect Secure Mobility client must be downloaded.
Looking at the AMP area on the infographic, both solutions have PDF, EXE and MSFT Office file support on AMP
Looking down at the Log Extraction area in the bottom right corner, both WSA and CWS can do log extraction. Considering WSA is an appliance which is local, log export or “extraction” is extremely straightforward. It’s not a WSA thing, but more of a hardware proxy thing. As the WSA is an on-premises device, it is much easier to export the logs from the device directly into another platform such as a SIEM, and the export is a standard feature of the WSA. As the CWS logs are in the cloud it is necessary to “extract” them back to the customer’s network. Log extraction from both WSA and CWS integrates with SIEM and other tools.
Cisco Email security provides protection across the attack continuum.
Before an attack with Reputation Filtering,
During an attack with Signature, Antivirus and spam scanning; URL scanning; File reputation; and sandboxing
And after an attack with continuous retrospection – the ability to identify malware that crossed the wire undetected.
To deliver protection in all phases and continuously monitor effectively, you need constant and dynamic support from the cloud.
There are multiple inputs that you’ll need to process to get the kind of intelligence and insight you need to deliver security effectively -- for both point-in-time and continuous monitoring capabilities.
Notice that the data cited in this slide looks familiar to what you’ll see from other vendors. But look at the scale of Cisco’s numbers. That kind of volume is how Cisco delivers such a high level of protection.
Processing 35% of the world’s email traffic, being able to mine that data for insight into vendor relationships, run reputation against it, with millions of sensors that feed us input. That’s the Cisco difference.
We combine that processing, data mining, and analytics with the intelligence provided by the Research Response every day. That intelligence includes relationships with all the big vendors – Microsoft, Adobe, and Apple. It includes nearly 200,000 unique files that are processed and executed virtually every single day, as we look for artifacts or indications of compromise.
There’s a global network of honeypots and much more. Cisco’s intelligence operation feeds its data and findings to our research team, which promotes the design of capabilities that only we can deliver because its based on continuous monitoring on a global scale.
It’s all delivered through our cloud platform, called Collective Security Intelligence, which allows you to take advantage of advanced analytics based on IPS rule, firewall category, and other information pushed out across the protection continuum.
…That is visibility-driven, threat-focused, with a platform-based approach. Pervasive, continuous and always-on.
At Cisco, our mission states our focus… Intelligent cybersecurity for the real world.
There are three components to the Hybrid offering: reporting, policy and Hybrid SKUs.
So moving from left to right, we have…
Hybrid reporting is available today and provides a consolidated view of user activity across multiple WSAs and Cloud Web Security. This capability is enabled by the Web Security Reporting Application V4.0, which will be released this week; we will cover more on reporting in a moment.
Next…
Hybrid policy provides a way in which a common malware and web filtering policy can be managed for the on-premises users and those utilising cloud web security. The common policy is achieved by importing a previously exported WSA policy into CWS. This is currently in development and targeted for availability in June.
Lastly, we have the hybrid SKU bundle, orderable today.
The Hybrid Bundle includes both WSA and CWS components and allows customers the flexibility to consume Cisco’s Web Security offerings in any way they want. The customer purchases a total number of users and can choose the mix of on-premises to cloud users that’s suitable for them. As they transition more users to the cloud they can also change the relative mix at any time. We will be covering this in more detail later, but first, let’s take a closer look at hybrid reporting, then common policy.
Now we move on to protection of mobile users.
One web security solution for all users and devices
How does it work?
The current offering is a Mobile browser that can be used to browse safely which is pushed onto the device through a corporate MDM solution.
Replaces the native browser
Basically, CWS works as a proxy. The model is:
User makes web request => request is re-directed to CWS proxy => request goes to internet or is blocked => if request is blocked, the user receives the access denied view shown above
The CWS Mobile Browser will be shown as a browser on the mobile device; users will only be able to browse by going through it.
The goal of the Cloud Web Security (CWS) Secure Browser is to provide a web browser on iOS and Android mobile devices that will forward the device user’s web traffic to the CWS cloud.
Why a mobile browser?
No existing CWS solution for iOS or Android roaming devices.
Biggest competitors have a similar component in their mobile security solution.
Together with the customer’s MDM solution, it enforces the customer’s AUP on BYOD devices.
Another important element of Cisco Web Security is the Cisco Identity Services Engine, or ISE, which can be used to set policy with the WSA. For example, a doctor on a laptop in his office can access confidential patient records online. That same doctor using his iPad in his office cannot – but he does have access to browsing the internal employee intranet.
WIRe reporting provides over 10,000 report variations to meet your specific needs.
Detailed reporting dashboards offer high-level overviews of usage with multiple views for quick insight. They also provide visibility into policy blocks, malware blocks, and website activity from sites like Facebook.
Administrators and management want more visibility into threats. Specifically, they want to track messages with malicious links, including who clicked on the link and the results of their actions
End users who click on these links need education on email borne threats and these reports would help identify those users
URL Click Tracking allows administrators to track the end users who click on URLs that have been rewritten by the ESA
Reports show:
Top users who clicked on malicious URLs
The top malicious URLs clicked by end users
Date/time, rewrite reason, and action taken on the URLs
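As an added example (not Cisco's code, and not the ESA's report format), the three reports described above computed over constructed click records that carry the fields shown on slide 35 (user, rewritten URL, click time, rewrite reason, action taken). The pipe-separated record layout is an assumption, as is treating outbreak-rewritten URLs as the malicious ones; the extra rows beyond the three from the slide are made up.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample records in a simple pipe-separated layout (an assumption,
# not a real export format). The fields are the ones shown on slide 35: user,
# rewritten URL, click time, rewrite reason, action taken. The first three rows
# copy the slide's values; the last two are made up for this example.
SAMPLE_CLICKS = """\
User A|2asyncfs.com|09:23:25 12 Jan 2015|Outbreak|Blocked
User B|5asynxsf.com|11:01:13 09 Mar 2015|Policy|Allowed
User C|8esynttp.com|16:17:44 15 Jun 2015|Outbreak|Blocked
User A|8esynttp.com|16:18:02 15 Jun 2015|Outbreak|Blocked
User B|2asyncfs.com|09:30:00 12 Jan 2015|Outbreak|Allowed
"""

# Assumption: a URL rewritten because of an outbreak-filter verdict is treated as
# malicious; a URL rewritten for plain policy reasons is not.
MALICIOUS_REASONS = {"Outbreak"}
TIME_FORMAT = "%H:%M:%S %d %b %Y"  # matches "09:23:25 12 Jan 2015"


@dataclass(frozen=True)
class ClickRecord:
    user: str
    url: str
    clicked_at: datetime
    reason: str
    action: str

    @property
    def malicious(self) -> bool:
        return self.reason in MALICIOUS_REASONS


def parse_click(line: str) -> ClickRecord:
    """Parse one pipe-separated click record; raises ValueError on malformed input."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {line!r}")
    user, url, when, reason, action = parts
    return ClickRecord(user, url, datetime.strptime(when, TIME_FORMAT), reason, action)


def parse_clicks(text: str) -> List[ClickRecord]:
    """Parse a multi-line export, skipping blank lines."""
    return [parse_click(ln) for ln in text.splitlines() if ln.strip()]


def top_users_on_malicious_urls(records, n: int = 10) -> List[Tuple[str, int]]:
    """Report 1: users ranked by how many malicious URLs they clicked (ties by name)."""
    counts = Counter(r.user for r in records if r.malicious)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_malicious_urls(records, n: int = 10) -> List[Tuple[str, int]]:
    """Report 2: malicious URLs ranked by how often end users clicked them."""
    counts = Counter(r.url for r in records if r.malicious)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def url_click_timeline(records) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Report 3: per URL, each click's time, user, rewrite reason and action, oldest first."""
    timeline: Dict[str, List[Tuple[str, str, str, str]]] = {}
    for r in sorted(records, key=lambda r: r.clicked_at):
        timeline.setdefault(r.url, []).append(
            (r.clicked_at.strftime(TIME_FORMAT), r.user, r.reason, r.action)
        )
    return timeline


def users_who_reached_malicious_urls(records) -> List[str]:
    """Users whose click on a malicious URL was allowed through: candidates for awareness training."""
    return sorted({r.user for r in records if r.malicious and r.action == "Allowed"})


if __name__ == "__main__":
    recs = parse_clicks(SAMPLE_CLICKS)
    print("Top users clicking malicious URLs:", top_users_on_malicious_urls(recs))
    print("Top malicious URLs:", top_malicious_urls(recs))
    print("Users who reached a malicious site:", users_who_reached_malicious_urls(recs))
    for url, clicks in url_click_timeline(recs).items():
        print(url)
        for when, user, reason, action in clicks:
            print(f"  {when}  {user:<7} {reason:<9} {action}")
```

The last report is the one the preceding note calls for: a blocked click is a near miss, but an allowed click on an outbreak-rewritten URL is the user who needs follow-up.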
Starting with 10 billion requests a day, anomaly detection and trust modeling let you focus on the 1% of requests that actually matter.
<click>
Then, using event classification and entity modeling you can find out what type of threat it is, and where it is on your system.
Finally, using relationship modelling, you can understand if a threat is a one-off attack or part of a larger global campaign.
From 10 billion requests per day, down to 1-50 thousand incidents, CTA can comb through big data in near real-time.
This means you not only get the visibility you need, you get it when you need it.
T: Together, AMP and CTA help you determine the right course of action.
<click>
Graymail has become more of a problem, and both users and administrators are leery of clicking unsubscribe links, which may harvest addresses or lead to drive-by download malware on the target web site.
These aggressive marketing messages are not spam, but considered as such by the end users as they didn’t “opt in” to receive them.
Administrators want to be able to better control this type of mail and allow for safe unsubscribes for their end users
End users wish to stop the tide of garbage coming in their inbox. The recipient wants a way to stop it, yet not have to worry about malicious threats
Graymail messages are categorized into Marketing, Social Networking, and Bulk messages
Using an un-subscribe mechanism, the end user can indicate to the sender that they would like to “opt-out” of receiving such emails in the future.
Since mimicking an un-subscribe mechanism is a popular phishing technique, end users are wary of clicking on the unsubscribe links
The Graymail solution will provide:
Protection against malicious threats masquerading as unsubscribe links
A uniform interface for all subscription management to end-users
Better visibility to the email administrators and end-users into such emails
When a snowshoe spammer spreads a campaign across a large number of IP addresses and domains, traditional spam filters are not effective: each individual sender stays below the volume and reputation thresholds those filters key on. Enhanced contextual awareness instead analyzes the content of the email, looking at words, patterns, and photos, to identify it as snowshoe spam.
Once we identify an email as snowshoe spam, we can classify it and group others with similar characteristics using automation and auto-classification, WITHOUT having to analyze each full email.
Talos receives security intelligence from millions of sensors and honey pots around the globe. This intelligence can be used to catch snowshoe spam.
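The following is an added example, not Cisco's or Talos's own algorithm, that shows why per-sender thresholds miss a snowshoe campaign and how content similarity groups it anyway. Every message comes from a distinct IP and domain, so per-IP volume never exceeds one; normalizing each body (case, URLs and numbers replaced by placeholders) and comparing word 3-gram shingles clusters the six campaign variants together, and the shingles shared by the whole cluster become a cheap signature for classifying later messages without a full analysis. All messages, IPs and domains are constructed for the example; the threshold values are illustrative choices.

```python
import re
from collections import Counter

# Constructed sample: one campaign template spread over six sender IPs in six
# throwaway domains (one message each), plus two unrelated legitimate mails.
MESSAGES = [
    {"ip": "198.51.100.11", "domain": "deal-a.example",
     "body": "Congratulations! Your account #48213 qualifies for a $500 reward. Claim at http://deal-a.example/x/9f3"},
    {"ip": "203.0.113.40", "domain": "deal-b.example",
     "body": "Congratulations! Your account #77109 qualifies for a $500 reward. Claim at http://deal-b.example/x/a21"},
    {"ip": "198.51.100.212", "domain": "deal-c.example",
     "body": "Congratulations! Your account #30551 qualifies for a $500 reward. Claim it now at http://deal-c.example/x/b7"},
    {"ip": "203.0.113.97", "domain": "deal-d.example",
     "body": "Congratulations! Your account #10990 qualifies for a $500 reward. Claim at http://deal-d.example/x/c0"},
    {"ip": "192.0.2.150", "domain": "deal-e.example",
     "body": "Congratulations! Your account #66412 qualifies for a $500 reward. Claim it now at http://deal-e.example/x/d4"},
    {"ip": "192.0.2.201", "domain": "deal-f.example",
     "body": "Congratulations! Your account #52007 qualifies for a $500 reward. Claim at http://deal-f.example/x/e9"},
    {"ip": "192.0.2.8", "domain": "corp.example",
     "body": "Hi team, the Q1 budget review moved to Thursday 3pm, room 4B."},
    {"ip": "192.0.2.9", "domain": "partner.example",
     "body": "Invoice 1042 attached; payment terms net 30 as agreed."},
]

TOKEN = re.compile(r"[a-z<>]+")


def volume_by(msgs, key):
    """Per-sender volume: the signal a reputation/volume filter thresholds on."""
    return Counter(m[key] for m in msgs)


def shingles(body, k=3):
    """Normalize the text (case, URLs, numbers) and return its word k-grams.
    Per-message variation (account numbers, tracking URLs) collapses away,
    leaving the campaign template."""
    t = re.sub(r"https?://\S+", " <url> ", body.lower())
    t = re.sub(r"\d+", " <n> ", t)
    words = TOKEN.findall(t)
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster_by_content(msgs, threshold=0.5):
    """Greedy single-pass clustering: a message joins the first cluster whose
    representative it resembles, otherwise it starts a new one."""
    clusters = []
    for i, m in enumerate(msgs):
        s = shingles(m["body"])
        for c in clusters:
            if jaccard(s, c["rep"]) >= threshold:
                c["members"].append(i)
                break
        else:
            clusters.append({"rep": s, "members": [i]})
    return [c["members"] for c in clusters]


def campaign_signature(msgs, members):
    """Shingles shared by every member: the invariant part of the template."""
    return set.intersection(*(shingles(msgs[i]["body"]) for i in members))


def signature_match(body, signature, min_fraction=0.8):
    """Cheap classification of a new message against a known campaign,
    without rerunning the full clustering."""
    if not signature:
        return False
    return len(signature & shingles(body)) / len(signature) >= min_fraction
```

The clustering pass is the expensive step; once a campaign signature exists, each new message costs one normalization and a set intersection, which is the "classify without analyzing the full email" point the notes make.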
Unified Policy allows you to set policy for the cloud or the appliance from the same place, saving precious administrative time and maintaining the same level of protection for remote users as for users in HQ. This is one-directional from CWS to WSA.
Web Usage Reporting provides full visibility into how Web resources are used. With over 10,000 customizable reports that can convey over 100 different attributes for each request, you can ensure that business-critical applications are not being affected by non-business-related traffic. You can see traffic by user or by application with customizable reportlets and dashboards for easy visualization. Furthermore, you can see reports for your cloud and application users from the same screen with the Web Security Reporting Application. This is one-directional from the WSA to CWS.
ZixGateway with Cisco Technology (ZCT) is an email encryption appliance that delivers simple, secure management of email encryption services. Deployed completely on-premises, ZCT works in conjunction with your Cisco Email Security Appliance (ESA). Automation offers peace of mind for businesses and a simplified experience for employees, who no longer have to decide whether or how to encrypt each email. More than 70 percent of emails using ZCT technology are sent and received transparently. ZCT also provides an optimal mobile experience for both senders and recipients.
The platform is built on Cisco’s Unified Computing System (UCS) server platforms. This means you are getting all the web and email security performance you need from the single provider you trust the most: Cisco.
There are three main platform sizes for the x90 to fit your needs: the x190 for smaller groups of users, and then the x390 and the x690 for increasing amounts of capacity that serve larger groups of users.
The x90 platform brings three specific performance increases. First, the hardware maintains a high level of responsiveness and speed while providing you the best features and functionality, made possible by an increased CPU (Central Processing Unit) core count. We are also providing increased memory and raw disk storage capacity. This means that you can store your web and email security data for a longer period of time, giving you better access to your data for reporting.
With this hardware launch, the x190 provides large performance benefits: the CPU core count has tripled and there is now 1.2 TB of raw hard disk space available.
Even with the performance increases for the x390, the box itself takes up less space. Now you have a high-performing solution that fits within your space constraints.
For larger groups of users, we are introducing an entirely new offering with even more storage and capacity. The x690 provides 4.8 TB of storage on the Email Security Appliance, and 9.6 TB on the Web Security and Security Management Appliances.
Before we end, I encourage you to visit Cisco.com/go/websecurity to learn more about the solution and how it can improve web security at your organization.
While you’re there, you can see how we’re updating and adapting the solution every day to better serve customer security needs.
Last, contact us to set up a free trial created especially for your company needs and challenges.
Cisco.com/go/websecurity
http://www.cisco.com/c/en/us/products/security/web-security-appliance/web-email-security.html
https://info.sourcefire.com/ContentSecurityOfferPage.html
Use the instant eval form for CWS: https://instanteval.cws.sco.cisco.com/provisioning/index#/