Dr. Michael von der Horst - The Current Threat Landscape: A 360° View and Effective Remediation Strategies

Let's start with a quick video, which captures some of the things discussed before. Hopefully it works
More devices, more users, more services, more to protect than ever bad news, more threats. And they're not just increasing in number. They're changing, evolving, getting smarter every day. No surprise to keep up. You add more tools, more vendors, more complexity, more cost, more work looks like more. Hasn't fixed anything. It's time for a different approach to security. It's time to think. Big biggie threats for breakfast so you can stop attacks before they happen. Big uses machine learning to detect intrusions hiding in your network. Big is intuitive, constantly learning and evolving to stay ahead of the bad guys. More is still waiting for you to connect the dots. It's going to take security that thinks big to defeat the evolving threats of tomorrow. We're talking 20 billion threats blocked every day. Big it's time for Cisco security. Now the company who built the internet is here to protect you from it. That's right, Cisco.
Okay. So much for the advertisement here and some fun for starting in let's first look a little bit. Why are we there? And what has changed if the classic model you got a headquarter, you got internet access, you're protected with a firewall, use all the classic things. Unfortunately that's over and that's over for the last 10 years. We saw some of this earlier this morning and we are like it because the new challenges which we have, we would like to connect our devices. I team, as we saw earlier today is really on the growth and it's the security camera. It's, you know, the water heater, it's the electricity meter and many, many other things, and more will come with 5g. We we've seen explosion in this. If you're not able to secure this and connect it to the internet in a secure fashion, this will be, you know, the new threat vector of the entrance will come in.
Now, the second on the workload had a lot. Cloud is the key thing and hybrid as we saw before is, you know, the way to move forward. We'll shift workloads forward and backward need to secure that connection in a automated AI driven fashion. The next and that many haven't really seen yet is with direct access to the internet. Now the classic hub spoke structure for enterprise networks is managing more and more each and every branch is directly connected to the internet. You use your laptop, you use your mobile device and it makes it much more difficult for the classic enterprise it department to secure these connections, to secure the interaction, to find a new way, how to interact at that level users like myself, work from everywhere. My office is basically where my laptop is and I would like to use and have the same access, the same methods, the same security here in this conference room at the airport lounge in my home office.
And of course in my Cisco office need to find ways how to make this user-centric device and application centric and go way just from the network focus and let's not face it it's a big business. It security and per threat cap, something like more than 6 million or 6 trillion. It's obviously American European. Thinging here 6 trillion on damage and cost inflicted, you know, by 21, that's our estimate globally. And we see basically there two types of attacks coming in. You know, one what you see the simple and random, the fishing, the infected fire, trying to stop it production, trying to steal CPU time for mining Bitcoins on your devices and others for huge criminal organizations are sending this out to each and everybody. They just hope to find the big entry point, get in the negligent user who opens that. And then, you know, the bad stuff starts afterwards.
Just for example, in my private connections in Munich, where I lived, you know, something like, you know, three to five doctors got infected in their, you know, practitioners and needed to shut down for a few days because somebody opened still a infected PDF or went to website, which was infected. And especially in the SMB space that is happening every week, every day, larger corporation, a bit more protective with that, but it's still happening. And the business does growing. The other one, which we see is, you know, a very much complex tailormade attacks. We mainly nation state attackers across the world are targeting individual organizations, individual people, and being either for very large primary or theft of large money sums and indenture property or foundation secrets and getting into that and trying to steal elements or trying to affect industrial operations, critical infrastructure attacks. Like we heard in Saudi a few weeks ago on this area.
And that's a very different way, how to defect that and how to detect it. And our it security must actually capital with both some of the recent news. This just from the month of September in the ger media, Bitcom had a huge report out on that security data has been stolen. He data has been stolen. Unasur was saying, you would like to stop a country these days. Then you just go to the networks and to the power plants and the technical critical infrastructure. And then it's probably much easier than to use the classic military force. So what to do about that. And that's actually an, our point of view, what the market gives you. And we are part of the problem Cisco included or that, and we hope to be able to solve that it's, you know, more than 500 or by whatever count 600 save on 800 different solutions, pinpoint solutions.
In most cases who are very effective and attacking a single problem and finding a remedy for that hugely effective, but how does it work then in real life? You know, there's more than, you know, 20, 30, 40, 50 potential issues, entry points and things need to protect. And what we see there out in the market is companies are adding one solution after the other, our cybersecurity part and your surveys, how many security vendors usually companies have. And most of them do have much more than five, actually more than 30% of the company surveyed do have more than 50 different vendors in their it operations. And you can imagine how difficult and how complex it is to install these, to operate these, to see the threats coming through, and then do the remediation afterwards. And this, you know, one of the key beliefs we have this needs somehow to end, we need to get the complexity out.
We need to work with the industry to integrate the different solutions and find an architecture, which is talking to each other much more automated and integrated from the point of detection to the point of remediation. We've just taken of that one statistic that, you know, over 54% of legitimate alerts, and we know all the non-GI alerts is not being followed through not being remedied on average, because lack of resources, lack of interconnection offer different tools. That means the attackers are still in the network. And that comes to the other statistics here. On average, it takes a hundred days for the industry to detect a common threat. It's coming down now two or three years ago. It was, you know, 200 days plus, but best practices with some of our players in the field. And Cisco you're down to four to five hours with the usual we have in the network.
And that's actually, we can change the game and turn it upside down. And that's, I think the second mantra I would like to give you, and maybe you can work so on that threat protection is one thing you can race, you know, your walls as much as you want, but always will be. Somebody will get through a hundred percent. Security is a myth. And I never would say that never would underwrite a hundred percent security. It just doesn't happen. But what happens is you can detect it much faster with the help of AI. You can look for anomalies, you can look for bad behaviors in the network, within the applications and the faster you detect that and find the anomalies. Then you can start the remediation in most cases, hopefully automatically, if you figure out the intrusion, if you shut down a network segment, if you shut down a user, if you shut down an application or block, you know, the malicious request, and then for very difficult cases, you can deploy and use your SOC much more efficiently than he would normally.
And we striving within Cisco to get, you know, more than 95% of all the attacks just stopped at that. Come in, detected automatically, try to shut it down. How does it work in Cisco? By the way, is the largest internal user of the architecture. I'm showing you some pieces of that. Now, first we try to have a best of pre portfolio across for different elements, which you need to protect. It starts obviously with your network, that's where we come from, but we are also very strong at the end point, trying to figure out anonymous there, trying to make secure connections back to the headquarters, trying to shut down malicious intrusion directly there. And then as an extension, naturally, the cloud securing doc Kubernetes applications securing the cloud access as such, make it as transparent and also secure as possible. But that's just on the device and resolution point need to bolster that by very strong threat analytics.
We have a team of 250 plus threat researchers who work day in, day out with all the tele telemetry data. They get on finding new threats, finding the sources, finding new identifier for these threat, and then delivering the necessary information to shut these threats down. They operate over 300 AI based systems on helping them to automate that use. If the customers allow that data from all our deployed devices worldwide to analyze anomalies, feed that back into the system and then help to defend the active systems much better in time. So on average, every five to 10 minutes, a automated update on threat information gets being pushed to our products and that's helps it to automate the issue very much, but that wouldn't work. If you would help, you know, the security operation center with very simplified threat management. So for example, if something pops up in a firewall, it's just one entry point and looks kind of suspicious, need to figure out, okay, what machine is it?
What application is it? You need to have a simple link into a system which identifies that user. You can shut it down. If it's really a bad attack, you need to investigate further. Have you seen this before? Can you potentially, in retrospect, shut down that file from your network. And we have a technology on advanced measure protection, where if you see a fire within your network and you figure out, let's say 10 hours later, that that file is kind of malicious. You can figure out how that file has been moving through the network. You can see on which PCs on which servers and database has been stored, and you can shut it down after effect once at your one negative sample, there hit an infection and then he can spread it out across the system. And that's part of the mediation effort they can, if automation help to act much faster, but Cisco alone, obviously even your largest enterprise security vendor, these days is too small to take it.
Or the very strong collaboration with IBM are using their Watson technology. And if you have capabilities to increase our offerings with a very strong collaboration with where we help them to build the security code deep into iOS, deep into OSX at the operating system level, that makes these mobile devices much more secure than they are today. When they're more than 150 other security players who either share threat intelligence with us who are using our limitation, APIs, use sharing of information to shut down the Netflix segments and so on and help us to collaborate. Let's see, in one example how this works together, some malicious file comes in. What can we do first? We can block with the NS level security umbrella is the name for that. The request we can figure out we're one of the largest DNS server worldwide. What are malicious domains who are popping up by the attacker automatically generated?
For example, we use applications score to filter that level so that the user bid in the office network or bid on the road never can access that site and just block it there. Then of course you get the usual firewall blockage. You can stop it. And then you got your classic tools between web security and email security to block for fire. These three different methods work together. So if you figure out something, let's say the DNS layer and make the clear decision, that's a negative, that's a malicious website. We follow that information to a firewall and also to the web security and security together, maybe something gets through usually that malicious code needs to activate itself. Most of the things we see today are multi-stage and they need to call back to some server, download other code, send forward information for the attack operating system, yada, yada, all that again, you can block this at the DNS layer because all of these malicious software pieces need to figure out grocery remote server, fixed IP addresses are being blocked these days, that goes fairly quickly over the DNS layer.
It's still wide open and that's where you can effectively insert and stop the spreading of the bad core throughout the network. But if firewall does, you know, the usual block on the other side, in the end, if something bad happens, we can figure it out. At the end point, without advanced mobile protection solve the malicious behavior. We can use that data to retrospective, shut it down at other end points and feed back to S layer service for example, but we also got two other methods to do that. Telfor and cryptic traffic analytics is our tool for analyzing network traffic for malicious behavior. This massively AI driven, we developed a few years ago, technology to even look at the pattern of encrypted traffic. And some of you might know that something like 80% of the traffic is now encrypted and you can't inspect it. So you can't do the normal inspection of the code, but the pattern itself can be recognized as either Google request malign and some stuff behind that, or pretty good, depending on the content or at downloading component of a mail or at uploading, for example, extracted data.
And we now got a false, we've got a positive rate of 98, 90 9% from data. We have, we improving this with our AI learning tools a month by month. That works in a very nicely, some quick overview. What we do on jump note, your other slides I talked about, I just would like to, at the end focus on two things. Now, one, I mentioned the DNS layer security team. I think that's fairly new. If few other companies are doing this and what does that actually give you the DNS layer? Yes. I talked about that. The next, what it can give as a secure internet gateway is adding additional web access and email access protection. On top of that, it can deliver you a cloud based firewall, which you can configure, which is automated. It can extend into a SaaS control where you can figure out which cloud service are being used within your company.
What is shadow it? What is good? What is malign? And more importantly, also it can connect for different threat in term and keep you updated on that. And that's where we see the evolution, especially for the mobile worker and on the laptop, in this, in a very heterogeneous user environment to sum it up as time zooms running out, what are the six, seven points I would like to leave you how you can improve your own security posture. Now, first of all, if nothing, if it figure out what is really important and prioritize what you choose to defend, because you cannot never, ever defend a hundred percent build the right first line of defense, but also do closer return path. And that's where DNS comes in. And that's actually a huge benefit compared to what's no common standard right now. Second increase the visibility in what's happening on the network, get an understanding for a hundred percent communication.
And then with the right tools assess, is it malign? Is it positive? Is it good and how you can stop it and how you need to shut it out. It's used for time to detect. So you'd be much faster taking out the bad guys, segment the network, but it's not spreading across your complete enterprise network. Keep that segmentation as device center as possible, or even better application center as possible and limited it, the information traffic there, lastly, automate and integrate. And then again, train and exercise for worst case. The few cases I mentioned upfront, I sort, you know, personal friendship circle, none of them had write backups. None of them had a disaster recovery in place, and that made it actually much more difficult in the end to survive it. And you come of the bad situation. So thank you very much for your time. You're out there for further discussion and wish you a good session. Thank you, Mr. Welcome.