2015 Midyear Security Report
Download at http://cs.co/MSR15SL
Changes in Attack Behavior: Speed, Agility, Adaptability, Destruction
Patchwork of Security Products Creates a Complex Environment for Organizations
Large, well-established players on one side, niche vendors on the other; organizations are caught in between.
Only better information sharing in the security industry will enable integration of solutions from niche innovators and long-standing players.
A View Across Cisco’s Global Telemetry
• Blocked threats: 19,692,200,000 per day
• Blocked threats with spam: 2,557,767 blocks per second
• Web requests: 16.9 billion per day
Malicious Actors Are More Innovative and Quicker to Adapt
Speed meets new levels of sophistication.
Adversaries’ agility is their strength: constant upgrades increased Angler’s penetration rate to 40%, twice as effective as other exploit kits in 2014.
Angler: Continually throwing different ‘hooks’ in the water to increase the chances of compromise.
Hooks: Flash vulnerabilities, macros, social engineering, domain shadowing, retargeting. Any one of them succeeding yields a compromised system.
Security measures, each contributing to time to detection (TTD): web blocking, IP blocking, retrospective analysis, antivirus, endpoint solutions, email scanning.
Patching: A Window of Opportunity
Users who do not move quickly to the latest Flash versions or apply the available patches create an opportunity for Angler and other exploits to target the vulnerability.
Rombertik
Malware evolves to not only steal data—if detected, it can destroy the targeted system.
Phases: anti-analysis, persistence, malicious behavior
Gain Access
• Spam
• Phishing
• Social engineering
Evade Detection
• Write random data to memory 960 million times
Extract User Data
• Deliver user information back to adversaries
Destructive if Modified
• Destroy master boot record
• Render computer inoperable on restart
The Top Vulnerability Categories Are Persistent
• CWE-119 Buffer Errors: 471
• CWE-20 Input Validation: 244
• CWE-399 Resource Management Errors: 238
• CWE-200 Information Leak/Disclosure: 138
• CWE-264 Permissions, Privileges & Access Control: 155
Malvertising Update
The adware MultiPlug abandoned its URL-encoding scheme for evading detection and increased its effectiveness at compromising users.
Numbers of compromised users, new URL scheme vs. old URL scheme: the new URL scheme dramatically outpaces the old one.
Open-Source Patching: Software Supply Chain Management is Critical
Patch management processes minimize awareness, coordination and implementation nightmares.
The “version” is the number of times that Cisco updated alerts as multiple vendors attempted to identify and correct these vulnerabilities in their products.
• OpenSSL (FREAK): 9 versions
• QEMU Virtual Floppy Disk Controller (VENOM): 1 version
• OpenSSL (Heartbleed): 22 versions
• GNU Bash (Shellshock): 25 versions
• GNU C Library glibc (Ghost): 15 versions
• SSL 3.0 Fallback (POODLE): 32 versions
Web-Based Attacks Have Been Holding Steady
Java, PDF, Flash, Silverlight; December 2014–May 2015
The Evolution of Ransomware: Data, Not Systems, Are the Targets
TOR: Ransomware is now completely automated through the anonymous web network.
$300-$500: Adversaries have done their market research. Ransoms are not exorbitant.
Targets: personal files, financial data, emails, photos
Dridex: Operationalizing Fast Flux
The damage is done and the campaign has moved on before antivirus detection.
Timeline: campaign start; detected by Outbreak Filters; antivirus engine finally detects Dridex, but adversaries have already accomplished penetration and moved on.
Risk of Malware Encounters by Vertical Industries
Although the electronics industry has the highest attack-to-traffic ratio, no industry is immune to attack. It is only a matter of time before attackers see the potential in high-volume, low-block-rate verticals.
Malware on a Global Scale
Malicious actors do not respect country boundaries.
Countries with higher block ratios have many Web servers and compromised hosts on networks within their borders. Block ratio: malware traffic relative to expected traffic.
• Russia 0.936
• Japan 1.134
• China 4.126
• Hong Kong 6.255
• France 4.197
• Germany 1.277
• Poland 1.421
• Canada 0.863
• U.S. 0.760
• Brazil 1.135
Time to Detection
The current industry TTD rate of 200 days is not acceptable.
Industry: 200 days vs. Cisco: 46 hours
Analysis and Observations
Reducing the Window of Exposure
The Dilemma: Build, Buy, or Be Left Behind
Global Governance Not Ready to Deal with Cyber Challenges and Geopolitical Interests
Three examples of efforts that, while steps in the right direction, could create difficulties in practice: the big picture approach, the shared access approach, and the tighter control approach.
Better harmonization in rule making is required to keep pace with the bad actors.
Customers Must Demand Trustworthy Products from Their Vendors
Vendors need to be held accountable for vetting security products end to end: secure development, secure hardware, secure deployment, secure supply chain and lifecycle.
Services Fill the Gap
With the speed and variation of attacks increasing and the security talent pool shrinking, many organizations will rely more on outside vendors for the expertise to manage the risk environment.
Service areas: personnel, assessments, automation/analytics, emerging business models, flexibility, privacy policy
Point Solutions Do Not Keep Pace: The Need for an Integrated Threat Defense
Attackers Are Exploiting Point Solutions with Increasing Speed
Data is scattered across point solutions: NGIPS, malware sandbox, IAM, antivirus, IDS, firewall, VPN, email, NGFW. Time to detection: 200 days.
Only an Integrated Threat Defense Can Keep Pace
Shared data and a systemic response. Time to detection: as little as 46 hours.
Conclusion
• Adversaries rapidly refine their ability to evade detection
• Point solutions create weak points in security defenses
• An integrated threat defense built on trustworthy products and services is the best defense
Download your copy >> http://cs.co/MSR15SL
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 

Recently uploaded (20)

Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 

Cisco 2015 Midyear Security Report Slide Deck

  • 1. 2015 Midyear Security Report Download at http://cs.co/MSR15SL
  • 2. Changes in Attack Behavior Speed Agility Adaptability Destruction
  • 3. Patchwork of Security Products Creates Complex Environment for Organizations Large Well-Established Players Only better information sharing in the security industry will enable integration of solutions from niche innovators and long-standing players. Organizations are Caught in Between Niche Vendors
  • 4. • Blocked threats: 19,692,200,000 threats per day • Blocked threats w/ spam: 2,557,767 blocks/sec • Web requests per day: 16.9 billion requests per day A View Across Cisco’s Global Telemetry
  • 5. Speed meets new levels of sophistication. Malicious Actors Are More Innovative and Quicker to Adapt
  • 6. Adversaries’ Agility is Their Strength. Constant upgrades increased Angler’s penetration rate to 40%, twice as effective as other exploit kits in 2014. Angler is continually throwing different ‘hooks’ in the water to increase the chances of compromise: Flash Vulnerabilities, Retargeting, Macros, Social Engineering, Domain Shadowing. Security Measures (TTD): Web Blocking, IP Blocking, Retrospective Analysis, Antivirus, Endpoint Solutions, Email Scanning. Outcome: Compromised System.
  • 7. Patching: A Window of Opportunity Users not moving quickly to the latest Flash versions or updating the patches creates an opportunity for Angler and other exploits to target the vulnerability.
  • 8. Rombertik Malware evolves to not only steal data—if detected, it can destroy the targeted system. Destructive if Modified • Destroy master boot record • Render computer inoperable on restart Gain Access • Spam • Phishing • Social engineering Evade Detection • Write random data to memory 960 million times Extract User Data • Deliver user information back to adversaries Anti-Analysis Persistence Malicious Behavior
  • 9. The Top Vulnerability Categories Are Persistent CWE-119 Buffer Errors 471 CWE-20 Input Validation 244 CWE-399 Resource Management Errors 238 CWE-200 Information Leak/Disclosure 138 CWE-264 Permissions, Privileges & Access Control 155
  • 10. Malvertising Update Adware MultiPlug abandons its URL-encoding scheme for evading detection and increased its effectiveness at compromising users Numbers of Compromised Users: New URL Scheme vs. Old URL Scheme The new URL scheme dramatically outpaces the old one.
  • 11. Open-Source Patching: Software Supply Chain Management is Critical. The “version” is the number of times that Cisco updated alerts as multiple vendors attempted to identify and correct these vulnerabilities in their products. OpenSSL (FREAK): 9 versions; QEMU Virtual Floppy Disk Controller (VENOM): 1 version; OpenSSL (Heartbleed): 22 versions; GNU Bash (Shellshock): 25 versions; GNU C glibc (Ghost): 15 versions; SSL 3.0 Fallback (POODLE): 32 versions. Patch management processes minimize awareness, coordination and implementation nightmares.
  • 12. Web-Based Attacks Have Been Holding Steady: Java, PDF, Flash, Silverlight (December 2014–May 2015)
  • 13. The Evolution of Ransomware: Data, Not Systems, Are the Targets TOR Ransomware is now completely automated through the anonymous web network. $300-$500 Adversaries have done their market research. Ransoms are not exorbitant. Personal Files Financial Data Emails Photo
  • 14. Dridex: Operationalizing Fast Flux The damage is done and the campaign has moved on before antivirus detection. Campaign Start Detected By Outbreak Filters Antivirus Engine Finally Detects Dridex But Adversaries Have Accomplished Penetration and Have Moved on
  • 15. Risk of Malware Encounters by Vertical Industries Although the electronics industry has the highest attack-to-traffic ratio, no industry is immune to attack. It is only a matter of time before attackers see the potential in high-volume, low–block rate verticals.
  • 16. Countries with higher block ratios have many Web servers and compromised hosts on networks within their borders. Russia 0.936 Japan 1.134 China 4.126 Hong Kong 6.255 France 4.197 Germany 1.277 Poland 1.421 Canada 0.863 U.S. 0.760 Brazil 1.135 Malware on a Global Scale Malicious actors do not respect country boundaries. Malware Traffic Expected Traffic
  • 17. Time to Detection. The current industry TTD rate of 200 days is not acceptable. Industry: 200 days vs. Cisco: 46 hours.
  • 18. Analysis and Observations Reducing the Window of Exposure
  • 19. The Dilemma Build Buy Be Left Behind
  • 20. Global Governance Not Ready to Deal with Cyber Challenges and Geopolitical Interests Three examples of efforts that, while steps in the right direction, could create difficulties in practice: Better harmonization in rule making is required to keep pace with the bad actors. Big Picture Approach Shared Access Approach Tighter Control Approach
  • 21. Customers Must Demand Trustworthy Products from Their Vendors Vendors need to be held accountable for vetting security products end to end. Secure Development Secure Hardware Secure Deployment Secure Supply Chain and Lifecycle
  • 22. Services Fill the Gap. With the speed and variation of attacks increasing and the security talent pool shrinking, many organizations will rely more on outside vendors for the expertise to manage the risk environment. Personnel, Assessments, Automation/Analytics, Emerging Business Models, Flexibility, Privacy Policy.
  • 23. Point Solutions Do Not Keep Pace. The Need for an Integrated Threat Defense
  • 24. Attackers Are Exploiting Point Solutions with Increasing Speed NGIPS Malware Sandbox IAM Antivirus IDS Firewall VPN Email NGFW Data
  • 25. Attackers Are Exploiting Point Solutions with Increasing Speed. NGIPS Malware Sandbox IAM Antivirus IDS Firewall VPN Email NGFW Data. Time to detection: 200 Days
  • 26. Only an Integrated Threat Defense Can Keep Pace Data Systemic Response Time to detection: as little as 46 Hours
  • 27. • Adversaries rapidly refine their ability to evade detection • Point solutions create weak points in security defenses • An integrated threat defense built on trustworthy products and services is the best defense Conclusion
  • 28. Download your copy >> http://cs.co/MSR15SL 2015 Midyear Security Report

Editor's Notes

  1. The tactics developed by malware authors and online criminals have shown increasing sophistication over the past several years. Recent Cisco security reports have chronicled such innovation in the shadow economy, along with security professionals’ fight to stay ahead of adversaries. What’s new is the threat actors’ growing ability to innovate rapidly and enhance their capacity to compromise systems and evade detection. In the first half of 2015, the hallmark of online attackers may be their willingness to evolve new tools and strategies—or recycle old ones—to dodge security defenses. Through tactics such as obfuscation, they can not only slip past network defenses but also carry out their exploits long before they are detected—if ever.
  2. Security vendors know they need to stay agile. If they or their networks let down their guard even briefly, attackers will get the upper hand. But the pace of innovation in the industry is not as rapid as it needs to be. Many vendors are offering piecemeal or individual solutions to security problems. And buyers—that is, the organizations that purchase security tools from vendors—are eagerly looking for stopgap products, not in-depth strategic solutions. But because they are not integrating technologies and processes across the entire security footprint, their management of security tools becomes unwieldy. On one side of the security industry are large, well-established players building security suites based on one or more standout products. However, these suites may also contain other solutions that are not as effective as, or do not work with, other leading solutions. Niche vendors, meanwhile, are developing products to help fill specific security gaps. Many organizations are quick to invest in the latest innovation that fills a known gap, instead of stepping back to look at security holistically. The result is a “patchwork quilt” of products that is difficult for security teams to manage. The solutions may have overlapping capabilities, may not meet industry standards, and are likely not interoperable. And niche technologies that cannot be deployed at scale to meet the needs of average users are typically short-lived, no matter how effective they may be. Additionally, many security technologies require organizations to overhaul their security architecture just to adapt to the latest risks. These technologies, whether they’re from one side of the security industry spectrum or the other, are not capable of evolving with the changing threat landscape. This is not a sustainable model.
  3. Cisco pulls from vast global network telemetry that offers visibility, context, intelligence and control to address current and emerging online threats.
  4. As adversaries rapidly refine their ability to develop and deploy malware that can breach network defenses and evade detection, the security industry as a whole struggles to innovate at a similar pace. This dynamic creates a significant problem for organizations investing in security products and services. They often obtain individual solutions to address security gaps, only to create more weak points in their defenses.
  5. Earlier this year, Cisco Security Research singled out the Angler exploit kit as the one to watch among known exploit kits observed in the wild because of its innovative use of Flash, Java, Microsoft Internet Explorer, and Silverlight vulnerabilities. So far in 2015, Angler stands as the leader in exploit kit sophistication and effectiveness. The exploit kit’s authors’ recent concentration on, and quick work to take advantage of, vulnerabilities in Adobe Flash is an example of their commitment to innovation. Cisco Security Research reports that, on average, 40 percent of users who encounter an Angler exploit kit landing page on the web are compromised. This means Angler can identify a known Flash (or other) vulnerability that it can exploit. It then downloads the payload to the user’s machine. By comparison, in previous years, other widely used kits that featured a mix of exploits had an average success rate of just 20 percent. Angler methods include:
     • Angler targets exploits, particularly those of Flash, and takes advantage of the patching gap
     • Angler comprises over 75% of domain shadowing activity since December 2014; Nuclear and RIG are adopting the same practice
     • Angler leverages well-constructed landing pages (including Jane Austen text) that avoid detection
     • Malvertising provides a steady stream of visitors to landing pages
     • Angler operates in very high-volume, short-lived, random campaigns with rapid IP switching
     • Angler drops an encrypted malicious payload to delay time to detection
     • There was a 100% increase in Angler’s penetration rate
  6. We attribute the recent growth in exploits of Flash vulnerabilities to two primary factors: Flash exploits are being integrated regularly into the latest versions of widely used exploit kits such as Angler (see page X). Although Adobe frequently updates its Flash Player, many users are simply not quick enough to apply updates that would protect them from exploits targeting the vulnerability being patched. It appears many users have difficulty staying on top of Adobe Flash updates and perhaps may not even be aware of some upgrades. Angler’s authors are benefiting from this “patching gap”—the time between Adobe’s release of an update and when users actually upgrade. For example, in the February 2015 time frame, many users moved quickly to the latest version of Flash (16.0.0.305), but only after it was integrated into Angler. That update addressed vulnerabilities in CVE-2015-0313, released February 2, 2015. Meanwhile, as users slowly migrated to the new version of Flash, Angler actively exploited the known vulnerability in the previous version.
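The “patching gap” described above can be measured directly from endpoint version telemetry: for each observation day, count the hosts still running a Flash build older than the fixed one. The following is an added example (not Cisco’s code or data); the fixed version 16.0.0.305, CVE-2015-0313 and the February 2, 2015 release date come from the note, while the host observations are constructed.

```python
"""Patching-gap exposure computed from constructed version telemetry.

Added example, not Cisco's code. The fixed Flash version (16.0.0.305), the
CVE it addressed (CVE-2015-0313) and the release date (February 2, 2015) are
taken from the note above; the host observations below are constructed.
"""
from collections import defaultdict
from datetime import date

FIXED_VERSION = (16, 0, 0, 305)     # Flash build that addressed CVE-2015-0313
PATCH_RELEASE = date(2015, 2, 2)    # release date given in the note


def parse_version(text):
    """'16.0.0.296' -> (16, 0, 0, 296) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version_text):
    """A host is inside the patching gap while it runs anything older than the fixed build."""
    return parse_version(version_text) < FIXED_VERSION


# Constructed telemetry rows: (observation day, host id, Flash version reported).
TELEMETRY = [
    ("2015-02-03", "host-1", "16.0.0.296"),
    ("2015-02-03", "host-2", "16.0.0.296"),
    ("2015-02-03", "host-3", "16.0.0.296"),
    ("2015-02-03", "host-4", "16.0.0.305"),
    ("2015-02-10", "host-1", "16.0.0.305"),
    ("2015-02-10", "host-2", "16.0.0.296"),
    ("2015-02-10", "host-3", "16.0.0.296"),
    ("2015-02-10", "host-4", "16.0.0.305"),
    ("2015-02-17", "host-1", "16.0.0.305"),
    ("2015-02-17", "host-2", "16.0.0.305"),
    ("2015-02-17", "host-3", "16.0.0.296"),
    ("2015-02-17", "host-4", "16.0.0.305"),
]


def exposure_by_day(rows):
    """Map each observation day to (vulnerable hosts, hosts seen, vulnerable fraction)."""
    seen = defaultdict(dict)  # day -> {host: last version reported that day}
    for day_text, host, version in rows:
        seen[date.fromisoformat(day_text)][host] = version
    result = {}
    for day in sorted(seen):
        versions = list(seen[day].values())
        vulnerable = sum(1 for v in versions if is_vulnerable(v))
        result[day] = (vulnerable, len(versions), vulnerable / len(versions))
    return result


def days_to_close_gap(rows, threshold=0.5):
    """Days after PATCH_RELEASE until fewer than `threshold` of hosts are still
    vulnerable; None if the fleet never gets there in the data."""
    for day, (_, _, fraction) in exposure_by_day(rows).items():
        if day >= PATCH_RELEASE and fraction < threshold:
            return (day - PATCH_RELEASE).days
    return None


if __name__ == "__main__":
    for day, (vuln, total, frac) in exposure_by_day(TELEMETRY).items():
        print(f"{day}: {vuln}/{total} hosts still exposed ({frac:.0%})")
    print("days until under half the fleet is exposed:", days_to_close_gap(TELEMETRY))
```

The same shape of report works for any product with a known fixed build: the exposure fraction on each day is the population an exploit kit can still reach, and the number of days until it drops below a chosen threshold is the window the note calls the patching gap.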
  7. The authors of sophisticated malware design it to simply stop working in order to avoid being blocked or destroyed when it’s examined by security systems. At the same time, security researchers are constantly on the lookout for new static, dynamic, and automated analysis tools that will make it more difficult for attackers to remain undetected. The goal of Rombertik is to hook into a user’s web browser to extract and deliver sensitive user information to a server controlled by attackers. In this way, Rombertik is similar to the malware known as Dyre. However, Dyre exists to steal banking logins, while Rombertik appears to indiscriminately collect all kinds of user data. Rombertik gains a foothold in users’ systems through spam and phishing messages that use social engineering to entice recipients to download and unzip attachments carrying the malware. When a user unzips the file, it appears to be a PDF; in fact, it’s a screensaver executable file that begins to compromise the system. If Rombertik detects that it is being modified, it attempts to destroy the system’s master boot record and then restart the computer, which will then be inoperable. Breakdown of Rombertik:
     • Uses spam and phishing messages to get users to download and unzip attachments, which turn out to be screensaver executables
     • Excessive garbage code keeps the sandbox busy with 960 million instructions to memory; a form of stalling tactic rather than sleeping
     • If Rombertik senses inspection or modification, it begins to destroy the MBR or the computer’s home directory
     • If successful, it hooks into browsers to extract user information
  8. In examining the most common vulnerabilities for the first half of 2015, we find the same types of errors showing up year after year. For example, buffer errors are once again at the head of the list of Common Weakness Enumeration (CWE) threat categories, as defined by the National Vulnerability Database. Buffer errors, resource management errors, and input validation, the three most frequent CWEs, are perennially among the five most common coding errors being exploited by criminals. Assuming vendors are aware of the CWE list, why do these errors keep occurring with such regularity? The problem lies in insufficient attention being paid to the secure development lifecycle. Security safeguards and vulnerability tests should be built in as a product is being developed. Instead, vendors wait until the product reaches the market and then address its vulnerabilities. Vendors need to increase the importance of security within the development lifecycle, or they will continue to spend time and money on catch-up efforts to detect, fix, and report vulnerabilities. In addition, security vendors must assure customers that they are doing everything possible to make their solutions trustworthy and secure—in this case, by making vulnerability testing a crucial component of product development.
  9. As reported in the Cisco 2015 Annual Security Report, we conducted an in-depth analysis in 2014 of a highly sophisticated, botnet-like, web-based threat that uses malvertising from web browser add-ons as a medium for distributing malware and unwanted applications. This family of malware has a clear signature: Adware MultiPlug. The browser extensions are bundled with other seemingly useful yet unwanted applications, such as PDF tools and video players. Cisco has been monitoring this threat for more than a year. We have observed that the threat is constantly changing in order to remain undetected. The average time period that the threat uses a domain name is three months, and add-on names still change continuously. As reported in the Cisco 2015 Annual Security Report, we have so far discovered more than 4000 different add-on names and over 500 domains associated with this threat. In January 2015, the researchers started to notice that the threat was mutating. Specifically, it abandoned its URL-encoding scheme for evading detection so it could cloak itself in common web traffic instead. This shift in tactics appears to be increasing the threat’s effectiveness at compromising users. Malvertising Breakdown:
     • Botnet-like, web-based browser add-on threat
     • Uses domains for three-month intervals
     • Changes add-on names continuously; in 2014, 4000 add-ons and 500 domains were observed
     • Once successful, external and internal web pages visited are exfiltrated via browser extensions
     • In the first five months of 2015, malicious actors abandoned their original URL-encoding scheme to cloak the threat’s activity in common web traffic and increase its penetration rate
  10. Since the April 2014 release of Heartbleed, the security flaw in the handling of Transport Layer Security (TLS), third-party software vulnerabilities have become an aggravating problem for enterprises seeking to repel attackers. Heartbleed signaled the beginning of closer examinations of third-party software (TPS) vulnerabilities, particularly as open-source solutions became more popular. Here we show six of the most common open-source vulnerabilities that we tracked in the first half of 2015. The Alert Version indicates the number of times that Cisco updated those alerts, as multiple vendors attempted to identify and correct these vulnerabilities in their products. Open-source vulnerabilities pose an inherent challenge: Shutting down a vulnerability requires coordination by many vendors. The community of developers who maintain open-source solutions may quickly provide a fix or a patch, but the fixes then need to be integrated into all versions of the product. The good news: As awareness of open-source vulnerabilities grows, the security community is responding more quickly to them. For example, when the VENOM (Virtualized Environment Neglected Operations Manipulation) vulnerability, which affected open-source code for virtualization systems, first emerged, vendors released patches even before the vulnerability was publicly announced.  
  11. Continuing a trend we monitored and covered in the Cisco 2015 Annual Security Report, exploits involving Java were on the decline in the first half of 2015. Java used to be a favored attack vector for online criminals, but security improvements and stepped-up patching efforts have forced attackers away from it. Here we show the log volume of Java, PDF, Silverlight and Flash exploits for the first half of 2015. PDF exploits vary on a month-to-month basis, but in general, are not as common as Flash exploits. Flash is a favored tool of developers of exploit kits, so its presence in the log volume chart may be directly tied to outbreaks of criminal activity involving exploit kits such as Angler.
  12. In today’s flourishing malware economy, cryptocurrencies like bitcoin and anonymization networks such as Tor are making it even easier for miscreants to enter the malware market and quickly begin generating revenue. To become even more profitable while continuing to avoid detection, operators of crimeware, like ransomware, are hiring and funding their own professional development teams to create new variants and tactics. Ransomware encrypts users’ files—targeting everything from financial files to family photos—and provides the keys for decryption only after users pay a “ransom.” Ransomware targets everyone from large companies to schools to individual users. The malware is typically delivered through a number of vectors including email and exploit kits. The exploit kit Angler, for example, is known to drop the Cryptowall payload. The ransom demanded is not exorbitant. Usually, a payment between $300 and $500 is required. Why such a modest fee? Adversaries who deploy ransomware have done their market research to determine the ideal price point. The idea is that the ransom is not set so high that a user won’t pay it or, worse, that it will motivate the user to contact law enforcement. Instead, the ransom is more of a nuisance fee. And users are paying up. Cisco Security Research reports that nearly all ransomware-related transactions are carried out through the anonymous web network Tor. Adversaries keep the risk of detection low, and profitability high, by using channels like Tor and the Invisible Internet Project (I2P). I2P is a computer network layer that allows applications to send messages to each other pseudonymously and securely. Many ransomware operations also have development teams that monitor updates from antivirus providers so that the authors know when a variant has been detected and it’s time to change techniques. Adversaries rely on the cryptocurrency bitcoin for payments, so transactions are more difficult for law enforcement to trace.
     And to maintain a good reputation in the marketplace—that is, being known to fulfill their promise to give users access to their encrypted files after the payment has been processed—many ransomware operators have established elaborate customer support operations. We have recently observed a number of customized campaigns that were designed to compromise specific groups of users, such as online gamers. Some ransomware authors have also created variants in uncommon languages like Icelandic to make sure that users in areas where those languages are predominantly spoken do not ignore the ransomware message. Users can protect themselves from ransomware by backing up their most valuable files and keeping them isolated, or “air gapped,” from the network. Users should also realize that their system could be at risk even after they pay a ransom and decrypt their files. Almost all ransomware is multivector. The malware may have been dropped by another piece of malware, which means the initial infection vector must still be resolved before the system can be considered clean.
  13. The upswing in the use of Microsoft Office macros to deliver banking Trojans shows the convergence of two trends in the world of online criminals: resurrecting old tools or threat vectors for reuse, and changing the threat so quickly and frequently that they can re-launch attacks over and over again and evade detection. The old tools used by the perpetrators of these Trojans are macros in Microsoft Office products such as Microsoft Word. Popular with adversaries years ago, these macros had fallen out of favor because they were eventually turned off by default. However, using social engineering techniques, bad actors can persuade users to turn on macros, thereby adding a new tactic to their toolboxes. Our researchers noticed that the spam campaigns carrying the Dridex payload tended to be very short-lived—perhaps just a few hours long—and that they also mutated frequently, as an evasion tactic. While antivirus solutions perform useful security functions, they are not well suited to detecting these short-lived spam campaigns. By the time a campaign is detected, attackers have already changed the emails’ content, user agents, attachments, and referrers. They then launch the campaign again, forcing antivirus systems to detect them anew. This approach—combining spam, Microsoft Office macros, and Dridex—appeared to be catching on with cybercriminals during the first half of 2015. We examined 850 unique samples of the emails and attached Microsoft Office files carrying this Trojan, a relatively large number of unique examples for a spam campaign. The creators of these quickly mutating campaigns appear to have a sophisticated understanding of evading security measures. They are aware of the reliance on antivirus detection for these threats, and they work to make sure they avoid detection. Dridex Breakdown:
     • Re-use of old attack vectors
     • Uses email delivery with attachments
     • Uses social engineering to get the user to turn on the macros that are turned off by default
     • Executes campaigns within a matter of hours, before detection notices propagate
     • Once detected, morphs the campaign to evade detection (changes to email content, user agents, attachments, referrers)
     • 850 unique campaign samples observed
  14. In examining the block rates of Cisco customers, we determined that the electronics industry has the most blocked attacks among the 25 industries tracked. Cisco attributes the electronics industry’s high proportion of block rates to an outbreak of Android spyware. As shown, most industries hover at the “normal” level (the 1.0 line) for the ratio of attacks to normal network traffic. However, singling out industries currently above the 1.0 line as being significantly more vulnerable to attacks may be misleading, especially as this analysis only covers the first half of 2015. In addition, no industry should consider itself “safer” than other industries in terms of being a target. Every organization in every industry should assume that it is vulnerable, that attacks will happen, and that it should implement defense-in-depth strategies accordingly.
  15. Cisco Security Research also examined the countries and regions where malware-based block activity originates, as seen in Figure 17. The countries were selected for study based on their volume of Internet traffic. A block ratio of 1.0 indicates that the number of blocks observed is proportional to network size. Countries and regions with block activity that we consider higher than normal likely have many web servers and hosts with unpatched vulnerabilities on their networks. A presence in large, commercially viable networks that handle high Internet volume is another factor for high block activity. This map relates to where servers are hosted. It does not attribute patterns of malicious web activity to the depicted countries or regions. Hong Kong, which ranks number one on the list, is an example of a region where a high percentage of vulnerable web servers are observed.  A small number of networks hosted in France participated in an outbreak midway through the reporting time period, which raised its profile more than expected.
  16. We define “time to detection,” or “TTD,” as the window of time between the first observation of a file and the detection of a threat. We determine this time window using opt-in security telemetry gathered from Cisco security products deployed around the globe. The “retrospectives” category shows the number of files that Cisco initially categorized as “unknown” that were later converted to “known bad.” The number of retrospectives has been increasing since December 2014. It is yet another indicator that malware creators are innovating rapidly to stay one step ahead of security vendors. However, at the same time, the median TTD for threat detection by Cisco has been declining. In December 2014, the median TTD—meaning when analysis revealed an unknown file to be a threat—was about two days (50 hours). The current industry standard for time to detection is 100 to 200 days, an unacceptable level, given how rapidly today’s malware authors are able to innovate. We attribute a recent upward trend in retrospectives to an increase in evasive activity and to successful payload deliveries of new Flash exploits by the Angler and Nuclear exploit kits. From January to March, the median TTD was roughly the same—between 44 and 46 hours, but with a slight trend downwards. In April, it had edged up slightly to 49 hours. However, by the end of May, TTD for Cisco had decreased to about 41 hours. This improvement is due partly to Cisco’s ability to quickly identify commodity malware such as Cryptowall, which is evasive but not novel.
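The TTD and “retrospectives” definitions above, turned into a small metric computation over constructed telemetry. This is an added example, not Cisco’s code or data; the record layout, the placeholder file ids, and the choice to key retrospectives on the month the verdict flipped are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample telemetry (not real data): one record per observed file, with
# the time it was first seen, its verdict at that moment, and the time (if any) at
# which analysis converted an "unknown" verdict to "known bad".
SAMPLE_TELEMETRY = [
    {"file_id": "f01", "first_seen": "2014-12-01T00:00:00", "initial": "unknown", "known_bad_at": "2014-12-03T02:00:00"},
    {"file_id": "f02", "first_seen": "2014-12-05T12:00:00", "initial": "unknown", "known_bad_at": "2014-12-07T16:00:00"},
    {"file_id": "f03", "first_seen": "2014-12-10T00:00:00", "initial": "unknown", "known_bad_at": "2014-12-12T00:00:00"},
    {"file_id": "f04", "first_seen": "2015-05-01T00:00:00", "initial": "unknown", "known_bad_at": "2015-05-02T17:00:00"},
    {"file_id": "f05", "first_seen": "2015-05-03T00:00:00", "initial": "unknown", "known_bad_at": "2015-05-04T12:00:00"},
    {"file_id": "f06", "first_seen": "2015-05-10T00:00:00", "initial": "unknown", "known_bad_at": "2015-05-11T21:00:00"},
    # Blocked at first sight: never "unknown", so it is not a retrospective and has no TTD.
    {"file_id": "f07", "first_seen": "2015-05-12T00:00:00", "initial": "bad", "known_bad_at": "2015-05-12T00:00:00"},
    # Still "unknown" at the reporting cutoff: no TTD yet.
    {"file_id": "f08", "first_seen": "2015-05-20T00:00:00", "initial": "unknown", "known_bad_at": None},
]


def hours_between(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def is_retrospective(rec: dict) -> bool:
    """A retrospective is a file first categorized 'unknown' and later converted to 'known bad'."""
    return rec["initial"] == "unknown" and rec["known_bad_at"] is not None


def time_to_detection_hours(rec: dict):
    """TTD: hours from first observation to the known-bad conversion; None when no conversion happened."""
    if not is_retrospective(rec):
        return None
    return hours_between(rec["first_seen"], rec["known_bad_at"])


def retrospectives_per_month(records) -> dict:
    """Count retrospectives, keyed on the month the verdict flipped to known bad (assumed keying)."""
    counts = defaultdict(int)
    for rec in records:
        if is_retrospective(rec):
            counts[rec["known_bad_at"][:7]] += 1
    return dict(counts)


def median_ttd_per_month(records) -> dict:
    """Median TTD in hours, grouped by the month in which the file was first seen."""
    buckets = defaultdict(list)
    for rec in records:
        ttd = time_to_detection_hours(rec)
        if ttd is not None:
            buckets[rec["first_seen"][:7]].append(ttd)
    return {month: median(vals) for month, vals in buckets.items()}
```

A rising retrospective count with a falling median TTD is the combination the slide describes: more files slip through as “unknown”, but each is reclassified sooner.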
  17. The innovation race between adversaries and security vendors is only accelerating, and organizations are at risk of becoming more vulnerable to attack if they sit back and watch. They need to be proactive about identifying and addressing cybersecurity risks that can affect their business and aligning the right people, processes, and technology to help them meet those challenges.
  18. The pace at which malicious actors are able to innovate, combined with advances in the security vendors’ ability to respond, creates a dilemma for organizations. In order to keep pace, organizations will need to either build more effective security defenses, buy services to fill the gaps, or increase their exposure to current and emerging security threats.
  19. Businesses around the globe are becoming increasingly reliant on the Internet to support business models that make them more competitive and benefit their consumers. But they face adversaries who are deploying tactics that can undermine their success. If left unchecked, cyber risks will have profound consequences on innovation and economic growth for all businesses. Cisco geopolitical experts see a cohesive, multi-stakeholder cyber governance framework as a positive step toward sustaining business innovation and economic growth on the global stage, supporting organizations’ investments in the digital economy. However, the current governance framework does not protect businesses from cyber attacks. These include not just those that lead to data breaches and the theft of intellectual property, but also those capable of disrupting global supply chains, damaging critical infrastructure, or worse. Many companies don’t pursue remedies to cyber attacks because they lack the support of law enforcement from other countries. However, more governments are becoming open to the concept of public attribution of attacks and the imposition of sanctions. The lack of effective global cyber governance can also prevent the collaboration necessary in the security industry to create adaptive technologies that can detect and prevent new threats. Recent changes were proposed to the Wassenaar Arrangement, a voluntary multinational agreement intended to control the export of certain “dual-use” technologies, including intrusion software such as digital surveillance tools. These proposals threaten to constrain this control and prevent security researchers from sharing information with their industry peers without heavy regulatory burdens. This development may have a significant impact on security research capabilities and further exacerbate the talent shortage in the industry.
The question of boundaries—especially with regard to how governments collect data about citizens and businesses and share, or do not share, that information between jurisdictions—is a significant hurdle to the type of cooperation needed to achieve cohesive cyber governance. As the Internet of Things takes shape and the world becomes more interconnected, industry, governments, and society will need to work together more effectively to address growing security and privacy challenges. Currently, cooperation—and trust—between entities on the global stage is limited at best between some players, and nonexistent between others. Even entities with strong alliances have competing philosophies about cyber governance, and they are naturally focused on enacting laws that benefit their sovereign interests and their citizens. Much like discussions about climate change, only a handful of players will come to the table to talk, and consensus is hard to achieve even for small measures. At the regional level, at least, there are some efforts to look beyond national borders. For instance, within the European Union (EU), there is movement to improve the coordination of information sharing through the proposed Network and Information Security (NIS) Directive. This directive “aims to ensure a high common level of cybersecurity in the EU” by, among other things, “improving cooperation between Member States, and between public and private sectors.” The EU and the United States also appear to be close to signing a data protection “umbrella agreement” that will set data protection standards for data shared between law enforcement authorities. This agreement will not answer the bigger questions as to how and what type of data can be accessed. But it may go some way to improve the tense atmosphere between the two powers, which has threatened to put companies in the middle of the jurisdictional conflict.
Legal, technical, and security teams for organizations that operate in the EU and the United States will need to work together on access requirements if the umbrella agreement is signed. There is other legislation in the works in Europe that could end up creating more boundaries, however, especially for businesses. EU institutions are looking to finalize the new General Data Protection Regulation (GDPR) by the end of the year, replacing the existing EU Data Protection Directive. This regulation contains a broad definition of personal data and prescriptive rules on how such data should be managed under the threat of huge fines. It will have a significant impact on how organizations that do business with and in the EU gather, store, and use customer data, and how they report data breaches. Intended to create greater accountability and transparency, the GDPR will, at least, compel many organizations to examine their approach to data privacy and governance and adopt best practices. Technical teams, for example, will need to take into account design considerations around limitations or difficulties associated with moving data across borders. They will need to be aware of different regional sensitivities about whether data is characterized as “personal” or not. Security teams will also need to be mindful of developments that affect data transfer, the definition of personal data, the legal bases for network and information security processing, and data breach reporting requirements. Greater harmonization of rulemaking could serve as a path toward building a cyber governance framework that elevates the advocacy of negotiations between governments regarding data protection regulations and at the same time prevents industry from getting caught in the middle. Until that happens, security practitioners need to play an active role in making sure decision makers in their organizations understand the impact that regulations issued by different countries may have on operations.
Incompatible systems, burdensome or conflicting data requirements, privacy law violations, and data transfer and handling requirements are among the challenges.
  20. As more consolidation and integration in the security industry unfolds over the next five years, organizations that purchase new security products and services will need to make sure those solutions are effective, sustainable, and trusted. They should take time to understand what security and other IT vendors are doing to build security into their products. They must verify that these products remain trustworthy through every point in the supply chain that delivers those products to them. More than that, they should ask vendors to demonstrate that their products can be trusted and contractually back up their claims.
  21. Security vendors have an important role to play in helping end users understand the importance of investing in trustworthy solutions and keeping security technology up to date. Organizations that rely on outdated infrastructure are placing their data, systems, and users—their entire business—at risk. The worsening shortage of security talent means that many organizations have limited skilled resources to monitor developments in both the risk environment and the vendor landscape. Lack of access to in-house security expertise is a key factor behind the piecemeal or “patchwork quilt” approach that many companies take when building their security defenses. Enlisting third-party expertise offers organizations the flexibility to pivot with the shifting threat landscape. Security services providers are well positioned to look at security holistically and to help businesses invest in and get the most from their security investments. In addition to augmenting lean security teams, third-party experts can offer assessments that test the strength of an organization’s security posture. And they can help identify effective strategies for addressing vulnerabilities and other risks. They can also help organizations deploy automation and manage solutions that provide the analytics and real-time threat correlation needed to combat hard-to-detect and rapidly emerging threats. Some organizations look to security services providers for guidance as they embrace mobile, social, cloud, and other emerging business models. Some seek help in navigating data privacy and data sovereignty requirements in markets where they operate. Others, including small and midsize businesses looking to take advantage of security technologies and operations that larger enterprises use, tap third-party experts to help them find managed and hosted models that meet the needs of their business.
  22. In a world where the compromise of users and systems is both assured and assumed, detection of evasive threats is obviously a necessary focus for organizations and security teams. Threat activity, including activity from nation-states, is only increasing. Many organizations are therefore thinking even more seriously about developing business continuity plans that can help them recover critical services following a cyber attack against their business or the infrastructure that helps to support it. However, we also see noticeable demand from both businesses and individual users for the security industry to develop capabilities that can more effectively deflect—and not just detect—cyber attacks. At the very least, they seek solutions that provide faster time to detection and resolution. Security complexity stands in the way of meeting these demands—for now.
  23. Many organizations are quick to invest in the latest innovation that fills a known gap, instead of stepping back to look at security holistically. The result is a “patchwork quilt” of products that is difficult for security teams to manage.
  24. The solutions may have overlapping capabilities, may not meet industry standards, and are likely not interoperable. And niche technologies that cannot be deployed at scale to meet the needs of average users are typically short-lived, no matter how effective they may be. Additionally, many security technologies require organizations to overhaul their security architecture just to adapt to the latest risks. These technologies, whether they’re from one side of the security industry spectrum or the other, are not capable of evolving with the changing threat landscape. This is not a sustainable model. Innovative malicious actors leverage speed, agility, adaptability, and destruction to achieve their objectives.
  25. Our security experts suggest that the need for adaptive solutions will lead to significant change in the security industry within the next five years. We will see industry consolidation and a movement toward an Integrated Threat Defense architecture that provides visibility, control, intelligence, and context across many solutions. This detection-and-response framework will support a faster response to both known and emerging threats. Core to this architecture is a visibility platform that delivers full contextual awareness. It must be continuously updated to assess threats, correlate local and global intelligence, and optimize defenses. Local intelligence will provide context regarding infrastructure while global intelligence correlates all detected events and indicators of compromise for analysis and immediate, shared protection. The intent of the visibility platform is to build a foundation that all vendors can operate on and contribute to. This system would take in and act on the massive volume of security information available from the security community. The visibility it provides would give security teams more control. They will be able to deliver better protection across more threat vectors and thwart more attacks. This is the direction the security industry must take to help all end users defend themselves from the sophisticated tactics of today’s threat actors. However, developing an integrated threat defense, as it is described here, will require better cooperation, dialogue, and coordinated action among all security vendors—niche innovators and long-standing players alike.