Email and Web Security News - Dragan Novakovic · Threat-centric email and web security
Dragan Novakovic
Security Consulting Systems Engineer
Threat-centric email and web security
Cisco Email and Web Security News
Email is still the #1 threat vector
Phishing leaves businesses on the line
Phishing
Spoofing
Ransomware
• Messages contain attachments and URLs
• Socially engineered messages are well crafted and specific
• Credential “hooks” give criminals access to your systems
• 94% of phish mail has malicious attachments [1]
• 30% of phishing messages are opened [1]
• $500M loss incurred due to phishing attacks in a year by US companies [2]
[1] 2016 Cisco Annual Security Report; [2] 2016 Verizon Data Breach Report, Krebs on Security
• Forged addresses fool recipients
• Threat actors extensively research targets
• Money and sensitive information are targeted
• Spoofing rates are on the rise (2015 to 2016)
• $2.3B in losses from spoofing, 2013 - 2015 [1]
• 270% increase [1]
[1] FBI Warns of Dramatic Increase in Business email scams, 2016
Phishing
Spoofing
Ransomware
Ransomware attacks are holding companies hostage
• Malware encrypts critical files, locking you out of your own system
• Extortion demands are being paid
• $60M: cost to consumers and companies of a single campaign [2]
• 9,515 users are paying ransoms per month [2]
• Ransomware represents the biggest jump in occurrences of crimeware [1]
[1] 2016 Verizon Data Breach Report, Krebs on Security; [2] 2016 Cisco Annual Security Report
Phishing
Spoofing
Ransomware
Reduce threats Support growth Achieve agility
Cisco secures your email, cloud or on-premises
Reduce threats
Cisco Email Security is backed by unrivaled global threat intelligence
• 24x7x365 operations
• 100 TB of data received daily
• 1.5 million daily malware samples
• 600 billion daily email messages
• 16 billion daily web requests
• Millions of telemetry agents
• 4 global data centers
• Over 100 threat intelligence partners
• 250+ full-time threat intel researchers
Deploy the world's largest email
traffic monitoring network
Leverage industry-leading
threat analytics
with SenderBase
Anti-spam processing / Context Adaptive Scanning Engine (CASE)
It’s built with industry-leading spam protection
• Review sender reputation, URL reputation, and message content
• Quarantine suspicious messages for additional review
• Block spam with 99% accuracy with fewer than 1:1M false positives
Cisco Anti-Spam verdicts: Quarantine, Forward, Block
Questions CASE asks of each message:
• Who sent the message?
• What is the content?
• How was the message constructed?
• Where does the call to action take you?
Diagram: Cisco Email Security in front of the O365 mail server
And reduces your exposure to the three main components of an email attack
Attachments
URLs (www.url.com)
Email content
Cisco protects against threats hidden within attachments
Layers: Anti-spam, Anti-virus, Virus Outbreak Filters, Advanced Malware Protection (AMP)
• Forward clean emails to additional security checks
• Scan attachments for known viruses
• Defend against zero-day malware
Anti-virus processing
Block known and zero-day viruses
• Determine what actions to take on viral messages: Block, Forward, Quarantine
• Multiple detection methods
• Also receive AV signature updates regularly
Outbreak Filters
Zero-Hour Virus and Malware Detection
• Real-time security updates that prevent new malware
• Attachment types shown: .PDF .LNK .EXE .DOC
• Determine whether anomalies are zero-day threats: Block, Quarantine
• Pattern matching, emulation technology, advanced heuristic techniques
• Updates every 12 hours
Advanced Malware Protection (AMP) architecture
Detect and contain advanced threats quickly
Components shown:
• AMP Threat Intelligence Cloud
• Meraki® MX
• ISR w/ FirePOWER Services
• Cisco® ASA w/ FirePOWER™ Services
• FirePOWER NGIPS Appliance
• Threat Grid Malware Analysis Private Cloud
• Virtual Appliance
• Cloud Email Security and Email Security Appliance
• Endpoints: AnyConnect®, Windows OS, Android Mobile, CentOS, Red Hat and Linux, Virtual, MAC OS
• CWS and Web Security Appliance
• Network Edge, Data Center, Private CWS, Remote Endpoints
Deploy easily with
multiple platform options
Leverage threat intelligence
and dynamic malware analysis
Advanced Malware Protection (AMP)
Keep tabs on all emails admitted into the environment after analysis
File Reputation
File Sandboxing
• Advanced Analytics
• Dynamic analysis
• 560+ indicators
File Retrospection
File types shown: .PDF .LNK .EXE .DOC .SYS .SCR
Techniques shown: Known Signatures, Fuzzy Fingerprinting, Indications of compromise
• Block known malware
• Investigate files safely
• Auto-remediate threats in O365
• Gain visibility into messages trying to enter the network
Verdicts: Malicious / Clean / Unknown
AMP Threat Grid for Sandboxing
Upload unknown files to
Threat Grid
Examine files with
context-driven analysis
Receive threat report
and score to guide
decision making
Automatically remediate
malware for O365 users
Diagram: unknown attachment types (JPG, SWF, HTML) are uploaded to Threat Grid, which returns a Threat Score to Cisco Email Security; the email is then delivered, or sent to O365 for administered action by the Office 365 admin
Investigate unrecognized attachments safely
Cisco protects against disguised hyperlinks
Layers: Anti-spam, Content Filters, Outbreak Filters
Control which emails cross the network
Easily enforce business and
compliance policies
Customize filters in three different ways
for additional security
Content Filters
• Rewrite URL
• Defang / Block (e.g. BLOCKED www.proxy.org)
• Replace with Text (“This URL is blocked by policy”)
URL reputation and categorization
Diagram: Content Filters send rewritten links through the Cisco Cloud Web Proxy; the admin sets policy
Outbreak Filters
• Dynamic quarantine
• Rewritten message: modify emails to protect the end user
• Redirect traffic to protect from malicious links
• Block all known threats with Talos
Verdicts: Forward, Block
Cisco Cloud Web Proxy
• Rewrite URLs
• Quarantine emails with suspicious URLs
• Add threat warning
• Prepend subject line
• Site blocked / Site validated
Example of a rewritten message:
From: Bank.com
To: Bob Smith
Subject: Suspicious mail
Warning! This email contains suspicious content
Hello John,
Access your account here.
Action on the link: Block
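The three content-filter actions above (rewrite through the cloud proxy, defang/block, replace with text) plus the banner and subject prefix, as an added example that is not Cisco's code. The reputation verdicts, the proxy prefix `https://cloud-proxy.example/?url=`, the subject prefix and the mapping of verdicts to actions are all constructed assumptions; a deployment would take the verdict from a URL reputation and categorization service.

```python
import re
from urllib.parse import quote

URL_RE = re.compile(r"https?://[^\s<>\"']+")   # simple matcher; trailing punctuation stays attached
PROXY_PREFIX = "https://cloud-proxy.example/?url="   # assumed rewrite target (constructed)
WARNING_BANNER = "Warning! This email contains suspicious content"
SUBJECT_PREFIX = "Suspicious mail: "

# Constructed reputation/category verdicts standing in for a reputation lookup.
URL_VERDICTS = {
    "http://www.proxy.org/login": "malicious",
    "http://bank.example/account": "suspicious",
}

# Assumed policy: which filter action applies to which verdict.
DEFAULT_POLICY = {"malicious": "replace", "suspicious": "rewrite", "unknown": "defang", "clean": "allow"}


def verdict(url: str) -> str:
    return URL_VERDICTS.get(url, "clean")


def rewrite_url(url: str) -> str:
    """Send the click through the cloud web proxy, which re-checks the site at click time."""
    return PROXY_PREFIX + quote(url, safe="")


def defang_url(url: str) -> str:
    """Keep the URL readable for analysts but not clickable in a mail client."""
    return "BLOCKED " + url.replace("http", "hxxp", 1).replace(".", "[.]")


def replace_url(url: str) -> str:
    return "\u201cThis URL is blocked by policy\u201d"


ACTIONS = {"rewrite": rewrite_url, "defang": defang_url, "replace": replace_url}


def filter_body(body: str, policy=DEFAULT_POLICY):
    """Apply the per-verdict action to every URL in the body.
    Returns (new_body, [(url, action), ...]) so the actions can be logged."""
    taken = []

    def substitute(match):
        url = match.group(0)
        action = policy.get(verdict(url), "allow")
        if action == "allow":
            return url
        taken.append((url, action))
        return ACTIONS[action](url)

    return URL_RE.sub(substitute, body), taken


def mark_up_message(subject: str, body: str, policy=DEFAULT_POLICY):
    """Rewrite the body and, if any link was touched, add the threat warning
    banner and prepend the subject line, as the slide describes."""
    new_body, taken = filter_body(body, policy)
    if taken:
        subject = SUBJECT_PREFIX + subject
        new_body = WARNING_BANNER + "\n\n" + new_body
    return subject, new_body, taken


if __name__ == "__main__":
    # Constructed sample message body.
    sample = "Hello John,\nAccess your account here: http://www.proxy.org/login\n"
    print(mark_up_message("Your account", sample))
```

The rewrite action is the one that keeps protecting after delivery: the proxy evaluates the site again at click time, so a link that was clean at scan time but turned malicious later is still caught.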
Outbreak Filters
Detect targeted or blended attacks automatically
Cisco defends against human error
DMARC, DKIM
and SPF
Forged Email
Detection
Anti-spam
DMARC, DKIM and SPF
Block fraudulent senders
• Inspect sender details on inbound messages
• Determine whether a sender is reputable
• Block invalid senders and identify next steps
Diagram: mail claiming to come from TrustedPartner.com is checked against DNS; verified and signed mail is sent on, fraudulent mail is deleted or quarantined
SPF: Checks if mail from a domain is being sent from an authorized host
DMARC: Ties SPF and DKIM results to the 'From' header
DKIM: Verifies the signature made with the sender domain’s private key against the public key published in that domain’s DNS records
Cisco Email Security
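How the three checks combine into a DMARC verdict, as an added example that is not Cisco's code and not the appliance's implementation. SPF asks whether the connecting host may send for the envelope MAIL FROM domain, DKIM asks whether the `d=` domain's published key verifies the signature, and DMARC requires one of those authenticated domains to align with the `From:` header domain the user sees. DNS lookups and signature verification are replaced by constructed tables (`SPF_AUTHORIZED_HOSTS`, `DKIM_PUBLISHED_SELECTORS`, `DMARC_POLICIES`) so the block runs offline; the IP addresses are documentation ranges and the policy for TrustedPartner.com is invented.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the DNS records a real verifier would fetch.
SPF_AUTHORIZED_HOSTS = {              # MAIL FROM domain -> hosts its SPF record allows
    "trustedpartner.com": {"203.0.113.10"},
}
DKIM_PUBLISHED_SELECTORS = {          # (selector, d= domain) with a key in DNS
    ("s1", "trustedpartner.com"),
}
DMARC_POLICIES = {                    # parsed _dmarc.<domain> TXT: p, aspf, adkim
    "trustedpartner.com": {"p": "quarantine", "aspf": "r", "adkim": "r"},
}


@dataclass
class InboundMessage:
    sending_ip: str                     # connecting MTA
    mail_from_domain: str               # SMTP envelope MAIL FROM domain
    header_from_domain: str             # RFC 5322 From: domain shown to the user
    dkim_selector: Optional[str] = None
    dkim_domain: Optional[str] = None   # d= tag of the DKIM-Signature header
    dkim_signature_valid: bool = False  # outcome of verifying the signature with the key


def org_domain(domain: str) -> str:
    """Organisational domain used by relaxed alignment. Simplified to the last
    two labels; a real implementation consults the Public Suffix List."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def spf_pass(msg: InboundMessage) -> bool:
    """SPF: is the connecting host authorised to send for the MAIL FROM domain?"""
    return msg.sending_ip in SPF_AUTHORIZED_HOSTS.get(msg.mail_from_domain.lower(), set())


def dkim_pass(msg: InboundMessage) -> bool:
    """DKIM: a key is published for (selector, d=) and the signature verified."""
    if not msg.dkim_selector or not msg.dkim_domain:
        return False
    return ((msg.dkim_selector, msg.dkim_domain.lower()) in DKIM_PUBLISHED_SELECTORS
            and msg.dkim_signature_valid)


def dmarc_evaluate(msg: InboundMessage):
    """Return (dmarc_result, disposition) for the message."""
    policy = (DMARC_POLICIES.get(msg.header_from_domain.lower())
              or DMARC_POLICIES.get(org_domain(msg.header_from_domain)))
    if policy is None:
        return "none", "deliver"          # the From: domain publishes no DMARC record
    spf_aligned = spf_pass(msg) and aligned(msg.mail_from_domain, msg.header_from_domain, policy["aspf"])
    dkim_aligned = dkim_pass(msg) and aligned(msg.dkim_domain, msg.header_from_domain, policy["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]


if __name__ == "__main__":
    # Constructed: a forged From: with an unauthorised sending host and no signature.
    print(dmarc_evaluate(InboundMessage("198.51.100.7", "outside.example", "trustedpartner.com")))
```

The point the table of three checks makes is visible in the evaluation: an SPF pass on its own is not enough, because a forwarder or bulk sender can pass SPF for its own MAIL FROM domain while the `From:` header claims someone else; only an aligned pass satisfies DMARC.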
Forged Email Detection
Protect against spoofing attacks
• Match sender address against company directory
• Inspect SMTP envelope for sender address
• Send appended mail to warn users of potential forgery
• Record a log of attempts and actions taken
Compare against company directory:
• Allison Johnson
• Barry Smith
• Chuck Robbins
• Dave Tucker
Incoming message:
From: Chuck
Subject: [URGENT] Need help transferring funds
Inspects the SMTP envelope address:
$ telnet mail-smtp-in.l.mail.com 25
Trying 74.125.206.26...
Connected to mail-smtp-in.l.mail.com.
Escape character is '^]'.
220 mx.mail.com ESMTP i11si22058766wmh.67 - gsmtp
HELO mail.outside.com
250 mx.mail.com at your service
MAIL FROM:<[email protected]>
250 2.1.0 OK i11si22058766wmh.67 - gsmtp
RCPT TO:<[email protected]>
250 2.1.5 OK i11si22058766wmh.67 – gsmtp
Data
Diagram labels: SMTP Envelope, Sending Domain, Recipient Domain, Actual Sender, Pre-processing, Post-processing
Message after processing:
From: [email protected]
Subject: {Possibly Forged} [URGENT] Need help transferring funds
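The four steps above (directory match, envelope inspection, subject tagging, logging) as an added example that is not Cisco's code. The directory names are the ones on the slide; the internal domain `company.example`, the sample messages and the envelope addresses are constructed. The SMTP envelope MAIL FROM is passed in separately because the receiving MTA records it during the session shown in the telnet transcript; it is not a header inside the message.

```python
import logging
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "company.example"     # assumed internal domain (not from the slide)
FORGED_TAG = "{Possibly Forged}"
# Directory from the slide; a deployment would pull this from LDAP/AD.
COMPANY_DIRECTORY = ["Allison Johnson", "Barry Smith", "Chuck Robbins", "Dave Tucker"]

log = logging.getLogger("forged-email-detection")


def names_in_directory(display_name: str) -> bool:
    """True when the From: display name is a directory entry, either the full
    name or just the first name (the slide's message is simply 'From: Chuck')."""
    name = " ".join(display_name.split()).lower()
    if not name:
        return False
    return any(name == entry.lower() or name == entry.split()[0].lower()
               for entry in COMPANY_DIRECTORY)


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def inspect(raw_message: str, envelope_mail_from: str):
    """Pre-processing: compare the display name with the directory and check both
    the header From: domain and the envelope MAIL FROM domain. Post-processing:
    tag the subject and log the attempt. Returns (forged, message)."""
    msg = message_from_string(raw_message)
    display_name, header_address = parseaddr(msg.get("From", ""))
    internal = (domain_of(header_address) == COMPANY_DOMAIN
                and domain_of(envelope_mail_from) == COMPANY_DOMAIN)
    forged = names_in_directory(display_name) and not internal
    if forged:
        log.warning("possible forgery: display=%r header_from=%s envelope_from=%s",
                    display_name, header_address, envelope_mail_from)
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"{FORGED_TAG} {subject}".strip()
    return forged, msg


# Constructed samples: the slide's message with a made-up external address,
# and a legitimate internal message for comparison.
SAMPLE_FORGED = (
    "From: Chuck <chuck.robbins@outside.example>\n"
    "To: Allison Johnson <allison.johnson@company.example>\n"
    "Subject: [URGENT] Need help transferring funds\n"
    "\n"
    "Please wire the funds today.\n"
)
SAMPLE_LEGIT = (
    "From: Chuck Robbins <chuck.robbins@company.example>\n"
    "To: Allison Johnson <allison.johnson@company.example>\n"
    "Subject: Q3 planning\n"
    "\n"
    "See attached.\n"
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    forged, tagged = inspect(SAMPLE_FORGED, "mailer@outside.example")
    print(forged, tagged["Subject"])
```

Checking the envelope as well as the header matters because the two are set independently by the sending MTA: a message whose header `From:` is internal but whose MAIL FROM is an outside domain is flagged even though the display name and address both look right.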
Cisco catches critical data before it leaves the network
Data loss prevention
Cisco Registered Envelope Service and ZixGateway with Cisco Technology
Data Loss Prevention (DLP)
Protect personal information and IP
• Control what leaves the network and customize policies
• Scan email content for sensitive information
• Prevent data exfiltration automatically
Scanned against 100+ predefined DLP policies (Cisco Email Security)
• Critical violation: info redirected and not sent
• Minor violation: content sent with encryption
• No violation: content sent with optional encryption
Admin manages policies such as:
• Specific users
• Groups
• Locations
• Federal compliance
• State regulations
With multi-language support
Cisco Registered Envelope Service (CRES)
Extend security to external communications
• Scan messages for keywords, policies, and sender
• Apply authentication mechanisms to access encryption keys
• Maintain control over your sent messages
Diagram labels: Cisco Email Security, CRES, Sender controls, Push, Open attachment & confirm identity
ZixGateway with Cisco Technology (ZCT)
Send highly secure emails on-premises
• Use transparent secure delivery for e-discovery and archiving
• Make delivery transparent for senders and receivers
• Select the best method of secure delivery automatically
Diagram labels: Cisco Email Security, ZCT, PXE web server & key server, ZCT Secure Hosted Portal, Zix Directory, Mail Server, Senders (employees), Transparent secure delivery, Other Zix Users, External DB (PXE keys), TLS Users, PXE Push
Achieve agility
Message tracking
Investigate users without running new reports
• Track messages in near-real-time
• Search for a single email based on specific parameters
• Search for common threats across emails
Search parameters:
1. Recipient
2. Envelope sender
3. Subject line
4. File names
5. URLs
Unified business reporting
Understand the health of your system
• Access data from the cloud to create consolidated reports
• Reduce investigations and response times
• Identify trends with scheduled and ad-hoc reporting
Cisco Email Security
See details around:
• Email Threats
• Malicious Attachments
• Email Volume
• Spam Counters
• Policy Violations
• Virus Reports
• Outgoing Email Data
• Reputation Service
• System Health View
Graymail detection and safe unsubscribe
Separate what matters from what doesn’t
• Identify messages that aren’t spam
• Categorize incoming bulk, marketing, and social networking emails
• Provide users a method to safely unsubscribe
Graymail Detection categories: Bulk, Social Network, Marketing
Actions: Add Safe Unsubscribe Link; Quarantine / Block; Unsubscribe engine
Graymail warning added to banner of email
Mark Up Messages: modify subject, add x-header, safe unsubscribe
Cisco Email Security supports archiving through Commvault partnership
Simplify backup and recovery of archived messages
• Automate data management to optimize storage
• Store critical messages and attachments
• Retrieve emails easily with O365 integration
Diagram labels: End user, Local storage, Search, Cisco Email Security, with IntelliSnap technology
Support growth
Transition to the cloud with confidence
Cisco Email Security
• Increase dedicated instances up to 50% at no cost
• Prevent shared-fate with compute instances
• Integrate easily with O365
• Deliver 99.999% availability
• Migrate to new deployment options easily
Cloud Email Security with Office 365
Easily integrate with your current email client
• Point Mail Exchange (MX) records to the Cisco Cloud Email Security
• Configure Smart Host settings in O365 to deliver outbound mail
Feature comparison
O365 Exchange Online:
• Anti-spam filters
• Anti-virus protection
• Policy enforcement
• Disaster recovery
• Directory services
• Advanced threat protection
• Message tracking
Cisco Email Security w/ O365:
• Anti-spam filters
• Anti-virus protection*
• Policy enforcement
• Disaster recovery
• Directory services
• Graymail detection
• Outbreak Filters
• Message tracking
• Email encryption
• AMP
• Detailed reporting
• Zero-day incident mgmt
• Data loss prevention
*Anti-virus provided by O365
Diagram labels: Customer email domain, External domain; Cisco Email Security handles Outbound and Inbound mail
Deploy the configuration that works best for you: Hybrid, Cloud, On Premises
Cisco delivers superior protection and visibility to specialized threats
Reduce threats with advanced protection
Support growth through operational efficiency
Achieve agility with availability and assurance
Industry-Leading Protection across the Attack Continuum
Cisco Web Security
The Way We Use the Web Is Changing, Making It More Difficult to Protect Your Network
Users connect from: Mobile, Coffee Shop, Corporate, Home, Airport
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Why do we need Content Filtering?
• Web 2.0 brings more content to the user. More attack vectors.
• Advertisements, from third parties, are a popular vehicle for malware
• Gone are the days of simple one domain pages
Network Security
Front-page measurements (two samples per site, as shown on the slide):
www.lifehacker.com: 183 / 161 different requests; 52 / 30+ different domains; 2.8+ / 2.1+ MB for front page
www.cnn.com: 329 / 425 different requests; 95 / 61 different domains; 3.6 / 6.4+ MB for front page
www.cisco.com: 163 / 112 different requests; 123 / 21 different domains; 6.0 / 1.3 MB for front page
www.reddit.com: 66 / 47 different requests; 134 / 11 different domains; 775 / 500 KB for front page
Customers Are Challenged with Today’s Evolving Threat Landscape
Challenges: Data Loss, Acceptable Use Violations, Malware Infections
Capabilities across the attack continuum (Before, During, After):
• Web Filtering
• Cloud Access Security
• Web Reputation
• Application Visibility and Control
• Parallel AV Scanning
• Data-Loss Prevention
• File Reputation
• Cognitive Threat Analytics*
• File Retrospection
• File Sandboxing
• Client Authentication Technique
• Reporting, Log Extraction, Management
Deployment diagram: Roaming User, Branch Office, Campus Office and HQ traffic reaches Cisco Web Security (Appliance, Virtual or Cloud) through traffic redirections (WCCP, Explicit/PAC, Load Balancer, PBR, AnyConnect® Client); Talos supplies intelligence; Cisco® ISE is shown alongside; verdicts are Allow, Warn, Block, Partial Block; the admin manages policy
* Roadmap feature: Projected release 2H CY15
Cloud to Core Coverage
• 16 billion web requests a day
• 300 billion email messages a day
• 18.5 billion AMP queries a day
WEB: Reputation, URL Filtering, AVC
CLOUD: FireAMP & ClamAV detection content
EMAIL: Reputation, AntiSpam, Outbreak Filters
END POINT: Software - ClamAV, Razorback, Moflow
Reputation Analysis: The Power of Real-Time Context
Context signals (Who, How, Where, When):
• Suspicious domain owner
• Server in high-risk location
• Dynamic IP address
• Domain registered < 1 min
• Domain registered > 2 years
• Domain registered < 1 month
• Web server < 1 month
Diagram labels: 192.1.0.68, example.com, Example.org, 17.0.2.12; Beijing, London, San Jose, Kiev; HTTP, SSL, HTTPS
IP Reputation Score: scale from -10 to +10
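A worked illustration of combining the who/how/where/when signals above into a score on the -10 to +10 scale, as an added example that is not Cisco's or Talos's scoring. The weights in `WEIGHTS`, the decision thresholds and the sample contexts are all constructed assumptions chosen only to show the mechanism; the real engine weighs many more signals and learns the weights rather than fixing them.

```python
from dataclasses import dataclass
from typing import Optional

MINUTE = 1 / 1440.0   # one minute expressed in days


@dataclass
class RequestContext:
    ip: str
    domain: str
    domain_age_days: float                  # when: time since domain registration
    web_server_age_days: Optional[float]    # when: time since the web server first appeared
    dynamic_ip: bool = False                # how: dynamic/residential address space
    high_risk_location: bool = False        # where: server geolocation
    suspicious_domain_owner: bool = False   # who: registrant / WHOIS signals


# Assumed contributions to the score (constructed for this example).
WEIGHTS = {
    "suspicious_domain_owner": -3,
    "high_risk_location": -2,
    "dynamic_ip": -2,
    "domain_registered_under_1_minute": -4,
    "domain_registered_under_1_month": -2,
    "domain_registered_over_2_years": +3,
    "web_server_under_1_month": -1,
}


def reputation_score(ctx: RequestContext):
    """Combine the context signals into a score clamped to the -10..+10 scale.
    Returns (score, reasons) so a log line can explain the decision."""
    score, reasons = 0, []

    def apply(key):
        nonlocal score
        score += WEIGHTS[key]
        reasons.append(key)

    if ctx.suspicious_domain_owner:
        apply("suspicious_domain_owner")
    if ctx.high_risk_location:
        apply("high_risk_location")
    if ctx.dynamic_ip:
        apply("dynamic_ip")
    if ctx.domain_age_days < MINUTE:
        apply("domain_registered_under_1_minute")
    elif ctx.domain_age_days < 30:
        apply("domain_registered_under_1_month")
    elif ctx.domain_age_days > 730:
        apply("domain_registered_over_2_years")
    if ctx.web_server_age_days is not None and ctx.web_server_age_days < 30:
        apply("web_server_under_1_month")
    return max(-10, min(10, score)), reasons


def decision(score: int) -> str:
    """Assumed thresholds: clearly bad scores are blocked outright, middling
    ones are allowed only after content scanning, good ones pass through."""
    if score <= -6:
        return "block"
    if score < 0:
        return "scan"
    return "allow"


if __name__ == "__main__":
    # Constructed contexts using documentation address ranges.
    fresh = RequestContext("192.0.2.68", "fresh.test", 0.0003, 0.0003, True, True, True)
    established = RequestContext("198.51.100.5", "established.test", 1200, 800)
    for ctx in (fresh, established):
        s, why = reputation_score(ctx)
        print(ctx.domain, s, decision(s), why)
```

Returning the reasons alongside the score is the part worth keeping in any real implementation: a bare -7 in a proxy log is hard to act on, while "registered under a minute ago, dynamic IP" tells the analyst what to look at next.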
BEFORE
Discover
Enforce
Harden
DURING
Detect
Block
Defend
AFTER
Scope
Contain
Remediate
Loss of Productivity Is a Threat: How Much Bandwidth and Time Is Being Wasted?
Source: Cloud Web Security Report
Facebook, YouTube, Pandora
• Facebook time: 2,110,516 minutes or 35,175 hours, 1465 days, 4.1 years
• No. of Facebook likes: 3,925,407 at 1 second per like. That’s almost 1100 hours per day, or 45 days just liking things
• Bytes on YouTube video playback: 11,344,463,363,245 or 10 TB
• Pandora: 713,884,303,727 or 0.6 TB
• Total browsing time per day: 2,270,690,423 or 4,320 years
• Total bytes per day: 70,702,617,989,737 or 64 TB; over 15% from YouTube
Acceptable Use Controls: Beyond URL Filtering
URL Filtering
• Constantly updated URL database covering over 50 million sites worldwide
• Real-time dynamic categorization for unknown URLs
Application Visibility and Control (AVC)
• Control over mobile, collaborative, and Web 2.0 applications (hundreds of apps, e.g. Facebook, iTunes, YouTube, Google+)
• Assured policy control over which apps can be used by which users and devices
• Granular enforcement of behaviors within applications (150,000+ micro-apps, e.g. FarmVille; application behavior)
• Intelligent controls of bandwidth usage
Real-Time Malware Scanning: Dynamic Vectoring and Streaming
Signature and Heuristic Analysis
• Heuristics Detection: identify unusual behaviors
• Signature Inspection: identify known behaviors
Antimalware Scanning: parallel scans, stream scanning
Multiple Anti-malware Scanning Engines
• Optimizes efficiency and catch rate with intelligent multiscanning
• Enhances coverage with multiple signature scanning engines
• Improves user experience with parallel scanning for fastest analysis
• Provides the latest coverage with automated updates
• Identifies encrypted malicious traffic by decrypting and scanning SSL traffic
Detection techniques: Dynamic Analysis, Machine Learning, Fuzzy Fingerprinting, Advanced Analytics, One-to-One Signature
Delivers the First Line of Detection
All detection is less than 100% effective
Reputation Filtering and File Sandboxing
And Continues to Analyze What Happens Along the Attack Continuum
Control points: Web (WWW), Endpoints, Network, Email, Devices, IPS
Telemetry stream: file fingerprint and metadata, process information, file and network I/O (continuous feed, continuous analysis)
Breadth and Control Points: Talos + Threat Grid Intelligence
Capabilities: Trajectory, Behavioral Indications of Compromise, Threat Hunting, Retrospective Detection
• What: these applications are affected
• When: this is the scope of exposure over time
• How: here is the origin and progression of the threat
• Who: focus on these users first
AMP Provides Contextual Awareness and Visibility That Allows You to Take Control of an Attack Before It Causes Damage
AMP Threat Grid Feeds Dynamic Malware Analysis and Threat Intelligence to the Cisco AMP Solution
AMP Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts
Actionable threat content and intelligence is generated that can be used by AMP, or packaged and integrated into a variety of existing systems or used independently.
Analyst or system (API) submits suspicious sample to Threat Grid
Low Prevalence Files
An automated engine observes, deconstructs, and analyzes using multiple techniques
Threat Score / Behavioral Indicators
Big Data Correlation, Threat Feeds
Sample and Artifact Intelligence Database
Actionable Intelligence
• Proprietary techniques for static and dynamic analysis
• “Outside looking in” approach
• 350 Behavioral Indicators
On-Premises Layer 4 Traffic Monitor: Infected Endpoint Detection
Diagram labels: Users, Cisco® S-Series, Network-Layer Analysis, Packet and Header Inspection, Internet
Powerful Antimalware Data: Preventing “Phone-Home” Traffic
• Scans all traffic, all ports, all protocols
• Detects malware bypassing port 80
• Prevents botnet traffic
• Automatically updated rules
• Real-time rule generation using “dynamic discovery”
Internet
Also Available on Cisco® Adaptive Security Appliance as Botnet Traffic Filter
Identify Possible Breach with Cognitive Threat Analytics
Anomaly Detection, Behavior Analysis, Machine Learning
• Reduced time to discovery: active, continuous monitoring to stop the spread of an attack
• Normal… or not? Spots symptoms of infection using behavioral anomaly detection algorithms and trust modeling
• Security that learns: uses machine learning and Big Data Analytics to learn from what it sees and adapts over time
• No more rule sets: discovers threats on its own… just turn it on.
Layered model (CWS Premium with AMP and CTA):
• Layer 1: AMP File Reputation; CTA anomaly detection and trust modeling
• Layer 2: AMP Dynamic Malware Analysis; CTA event classification and entity modeling
• Layer 3: AMP File Retrospection; CTA relationship modeling
Web Security Advanced Threat Protection Differentiators
CTA presents results in two categories
Confirmed Threats - Threat Campaigns
• Threats spanning across multiple users
• 100% confirmed breaches
• For automated processing leading to fast reimage / remediation
• Contextualized with additional Cisco Collective Security Intelligence
Detected Threats - One-off Threats
• Unique threats detected for individuals
• Suspected threat confidence and risk levels provided
• For semi-automated processing
• Very little or no additional security context exists
Cisco AnyConnect Secure Mobility Client: Redirect Roaming Users to Premises and/or Cloud
Roaming laptop, mobile, or tablet users with the client installed on the machine; web users in the office
• Router or firewall reroutes traffic to WSA or CWS (web traffic redirection)
• WSA applies web security features (Web Security Location)
• CWS applies web security features
• AnyConnect either backhauls traffic through a VPN tunnel to HQ or routes traffic through an SSL tunnel directly to the closest Cisco® Cloud Proxy
Diagram labels: Cisco AnyConnect® Client, VPN, ACWS, VPN
Verdicts delivered: Block, Warn, Allow
Identity Services
Engine Integration
Extend User Identity and Context
• Acquires important context and identity from the network
• Monitors and provides visibility into unauthorized access
• Provides differentiated access to the network
• Cisco TrustSec® provides segmentation throughout the network
• Cisco Web Security Appliance provides web security and policy enforcement
• Available only on WSA
Diagram (Consistent Secure Access Policy via WSA and Cisco® Identity Services Engine):
• Resources: Confidential Patient Records, Internal Employee Intranet, Internet
• Identities: Who: Guest, What: iPad, Where: Office; Who: Doctor, What: iPad, Where: Office; Who: Doctor, What: Laptop, Where: Office
Referer Header Exception
• Referer is an HTTP header field that identifies the webpage that requested the current webpage.
• WSA will use the Referer field to find out the URL from which the website was browsed and use it to define access policies.
• Example: block the video category, but allow an embedded YouTube video in a specific website
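The example policy above (video category blocked, embedded video allowed from one approved site) as an added example of the decision logic, not the WSA's code. The category table, the approved host `training.example` and the proxy log lines are constructed.

```python
from urllib.parse import urlparse

# Constructed URL categorisation table; the appliance uses Talos categories.
HOST_CATEGORIES = {
    "www.youtube.com": "video",
    "youtube.com": "video",
    "training.example": "business",     # assumed internal training site that embeds videos
}
BLOCKED_CATEGORIES = {"video"}
# Referer exception: category -> hosts on whose pages that category may be embedded.
REFERER_EXCEPTIONS = {"video": {"training.example"}}


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def category_of(url: str) -> str:
    return HOST_CATEGORIES.get(host_of(url), "uncategorized")


def access_decision(request_url: str, referer: str = None) -> str:
    """Block the category unless the request came from an excepted page.
    The Referer host must match exactly; prefix or substring matches would
    let a look-alike host satisfy the exception."""
    cat = category_of(request_url)
    if cat not in BLOCKED_CATEGORIES:
        return "allow"
    if referer and host_of(referer) in REFERER_EXCEPTIONS.get(cat, set()):
        return "allow"        # embedded player on an approved site
    return "block"


# Constructed proxy log lines: client, method, URL, Referer ("-" when absent).
ACCESS_LOG = [
    "10.1.1.5 GET https://www.youtube.com/embed/abc123 https://training.example/course/7",
    "10.1.1.5 GET https://www.youtube.com/watch?v=abc123 -",
    "10.1.1.6 GET https://www.youtube.com/embed/abc123 https://news.example/story",
    "10.1.1.7 GET https://training.example/course/7 -",
]


def evaluate_log(lines):
    """Return [(client, url, decision)] for each log line."""
    results = []
    for line in lines:
        client, _method, url, referer = line.split()
        results.append((client, url, access_decision(url, None if referer == "-" else referer)))
    return results


if __name__ == "__main__":
    for client, url, verdict in evaluate_log(ACCESS_LOG):
        print(client, verdict, url)
```

Two caveats a practitioner would want: the Referer value is set by the client, so this exception is an acceptable-use convenience rather than a security boundary and should stay limited to exact, trusted hosts; and browsers omit or trim the header under a restrictive Referrer-Policy, so an embedded player on the approved page can still be blocked if the header never arrives.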
External Feed for policies
• Periodically get inputs from external sources to block IP addresses, domains or URLs
• Dynamic update of access policies (without proxy restart) to implement new inputs
• Out-of-box integration with the O365 XML feed published by Microsoft
• Used to integrate with ticketing systems, government feeds or external security agencies
Diagram: on the Web Security Appliance, an HTTP feed daemon and an O365 feed daemon periodically fetch from an external HTTP(S) server and the O365 cloud; the fetched entries become ACL rules consumed by the ACL engine and the web proxy; the admin configures the feeds
Time and Volume Quotas: Intelligent Controls of Bandwidth Usage
Control web usage to meet administrative policies, such as:
- Total bandwidth used during work hours
- Total bandwidth per day used for social media categories
Configure policies to restrict access based on the amount of data (in bytes) and time
Quotas are applicable to HTTP, HTTPS, and FTP traffic
Configured under access policies and decryption policies
Create custom end-user notifications of warnings when a quota is close, as well as when exceeded
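The two quota policies named above (total bandwidth during work hours, daily bandwidth for social media categories), with the "quota close" warning and the "exceeded" block, as an added example that is not the WSA's implementation. The work-hours window, the limits, the 80% warning point and the sample transactions are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time as daytime
from typing import FrozenSet, Optional

QUOTA_PROTOCOLS = {"http", "https", "ftp"}               # quotas apply to these only
WORK_START, WORK_END = daytime(9, 0), daytime(17, 0)     # assumed work hours, Mon-Fri


@dataclass
class Quota:
    name: str
    categories: FrozenSet[str] = frozenset()   # empty = applies to every category
    max_bytes: Optional[int] = None
    max_seconds: Optional[int] = None
    work_hours_only: bool = False
    warn_fraction: float = 0.8                 # when to send the "quota close" notice


def in_work_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and WORK_START <= ts.time() < WORK_END


class QuotaEngine:
    """Per-user, per-quota, per-day counters evaluated on every transaction."""

    def __init__(self, quotas):
        self.quotas = list(quotas)
        self.used = defaultdict(lambda: {"bytes": 0, "seconds": 0})   # (user, quota, date)

    def account(self, user, category, protocol, ts, nbytes=0, seconds=0):
        """Record the transaction and return (decision, end-user notice)."""
        if protocol not in QUOTA_PROTOCOLS:
            return "allow", None
        decision, notice = "allow", None
        for q in self.quotas:
            if q.categories and category not in q.categories:
                continue
            if q.work_hours_only and not in_work_hours(ts):
                continue
            counters = self.used[(user, q.name, ts.date())]
            counters["bytes"] += nbytes
            counters["seconds"] += seconds
            for unit, limit in (("bytes", q.max_bytes), ("seconds", q.max_seconds)):
                if limit is None:
                    continue
                used = counters[unit]
                if used > limit:
                    return "block", f"Quota '{q.name}' exceeded: {used} of {limit} {unit} today"
                if used >= q.warn_fraction * limit and decision == "allow":
                    decision = "warn"
                    notice = f"Quota '{q.name}' is nearly used up: {used} of {limit} {unit} today"
        return decision, notice


# Constructed policy: 10 MB/day for social media categories, 50 MB overall during work hours.
POLICY = [
    Quota("social-media-daily", frozenset({"social", "video"}), max_bytes=10_000_000),
    Quota("work-hours-total", max_bytes=50_000_000, work_hours_only=True),
]

if __name__ == "__main__":
    engine = QuotaEngine(POLICY)
    ts = datetime(2016, 6, 15, 10, 0)   # a Wednesday morning (constructed)
    for size in (7_000_000, 2_000_000, 2_000_000):
        print(engine.account("alice", "social", "https", ts, nbytes=size))
```

Counting bytes for every matching quota before deciding, rather than stopping at the first match, is what lets one transaction be both within the social-media quota and the last straw for the work-hours total.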
Actionable Reporting: Analyze, Troubleshoot, and Refine Security Policies
Centralized Appliance- and Application-based Reporting
• Centralized Management
• Delegated Administration
• Centralized Policy Management
• In-Depth Threat Visibility
• Extensive Forensic Capabilities
Insight: across threats, data, and applications
Control: consistent policy across offices and for remote users
Visibility: continuous visibility across different devices, services, and network layers
Cisco Web Security At a Glance
Centralized Management and Reporting
Cisco® Talos: monitors threats worldwide, filters on reputation and automatically updates every 3-5 minutes
URL Filtering: contains 50 million known sites; categorizes unknown URLs in real time
Application Visibility and Control (AVC): controls mobile, collaborative, and Web 2.0 applications; enforces behaviors within Web 2.0 applications
Data-Loss Prevention (DLP): blocks sensitive information; integrates easily by ICAP with third-party vendors
Threat Monitoring and Analytics: spots symptoms of infection based on behavioral anomalies and CNC traffic
Advanced Malware Protection: blocks unknown files through reputation and sandboxing; continues to monitor threat levels after an attack
Reporting: offers actionable insight across threats, data, and applications
Verdicts: Allow, Limited Access, Block
Protection and Control
Strong Protection: safeguards every device, everywhere, all the time
Complete Control: offers control of all web traffic on all devices
Investment Value: delivers more for your investment
In Today’s Exposed, Highly Connected and Increasingly Mobile World, Cisco Web Security Delivers