
Network Security

Introduction: risks and solutions


Phishing
• Phishing is typically carried out by email or instant messaging and often directs users to enter personal information at a fake website whose look and feel are almost identical to the legitimate one.
• Example of a lookalike domain: http://www.societegeneral.fr instead of http://www.societegenerale.fr
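The lookalike domain above is the kind of thing a mail gateway or a browser extension can flag automatically. What follows is an added example, not part of the original course material: a small Python checker that folds common homoglyph substitutions and measures the edit distance between a URL's host and a list of protected brand domains. The brand list, the homoglyph table and the distance threshold are assumptions made for the example; the URLs are the page's own plus constructed ones.

```python
import unicodedata
from urllib.parse import urlsplit

# Brand domains we want to protect (constructed list for this example).
PROTECTED_DOMAINS = ["societegenerale.fr", "paypal.com"]

# Character substitutions commonly used in lookalike registrations
# (fake form -> what the eye reads). Constructed, not exhaustive.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def host_of(url: str) -> str:
    """Extract the host of a URL, lower-cased, NFKC-normalised, without a leading 'www.'."""
    host = unicodedata.normalize("NFKC", urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def fold_homoglyphs(domain: str) -> str:
    """Map visually confusable substrings to the characters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalike_of(url: str, max_distance: int = 2):
    """Return (brand, distance) if the URL's host is a near miss of a protected brand,
    None if it is the brand itself or is unrelated."""
    host = host_of(url)
    if host in PROTECTED_DOMAINS:
        return None
    best = None
    for brand in PROTECTED_DOMAINS:
        d = levenshtein(fold_homoglyphs(host), fold_homoglyphs(brand))
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best


if __name__ == "__main__":
    for u in ["http://www.societegeneral.fr", "http://www.societegenerale.fr",
              "http://paypa1.com", "http://example.org"]:
        print(u, "->", lookalike_of(u))
```

A distance of 0 after folding means the name is an exact imitation (paypa1.com); a small non-zero distance catches typosquats such as the societegeneral.fr case. Internationalised domain names arrive as punycode (xn--…) and must be decoded before this check, and folding "rn" to "m" also folds legitimate names, so treat a hit as a signal for review rather than as a block.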
Risks - evolution
• 1995: viruses, then worms, of low sophistication. Mass attacks.
A worm spreads from computer to computer but, unlike a virus, can travel without any human action.
• 2005: hacking becomes an industry.
• 2012: sophisticated, targeted attacks: APT (Advanced Persistent Threat).
Viruses, worms and Trojan horses are all malicious programs (malware).
Risks
• A Trojan horse appears to be useful software coming from a legitimate source, but actually does damage once installed or run on the computer.
• The results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop or adding silly active desktop icons); others cause serious damage by deleting files and destroying information on your system.
• Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised.
Ransomware (since around 2006) is a type of malware that restricts access to the computer system it infects and demands a ransom, paid to the creator(s) of the malware, for the restriction to be removed.
Some forms of ransomware encrypt files on the system's hard drive or modify the master boot record and/or partition table (which prevents the operating system from booting normally at all until it is repaired)…
Others impersonate Microsoft or the FBI to demand money (from $20 up to …).
A campaign can bring in several million US dollars before being taken down by the authorities.
Zero-Day Vulnerability
• A zero-day vulnerability is a hole in software that is unknown to the vendor. The hole is exploited by attackers before the vendor becomes aware of it and hurries to fix it.
• Zero-day attacks can be used to plant malware that gives unwanted access to user information. "Zero day" refers to the fact that the hole is unknown to everyone but the attackers, in particular the developers. Once the vulnerability becomes known, a race begins for the developer to release a patch that rectifies it.
• Operating systems, browsers and applications are all vulnerable; users need to update them often, for improved security as well as for features (and new potential issues …).
Java improvement explanation:
Modern versions of Java are quickly patched if necessary, and older, more vulnerable versions of the Java Runtime Environment are blocked by default by browser vendors.
VoIP/ToIP: new threats
A new ToIP architecture has two issues: reliability … and security.
An IP-PBX server must accept incoming calls; calls made by attackers can be used to take control of the IP-PBX …
It is then used to generate outgoing calls to premium-rate numbers. If the amount is not too high it can remain undetected (multiplied by the number of customers … very profitable and so easy to do …).
A large percentage of customers have such undetected problems …
Reliability is so difficult to achieve that security gets little or no priority.
Hacking tools are so easy to use … with very good tutorials.
VoIP RAT
Viproy VoIP Pen-Test Kit provides penetration testing modules for VoIP networks. It is developed for security testing of VoIP and Unified Communications services. Viproy has Skinny and SIP libraries for developing custom security tests.
Its modules can be used to test SIP design and authorisation flaws, Skinny service issues, cloud VoIP design issues and client software vulnerabilities … but they are also used by attackers …
It is also easy to initiate overcharged calls with a modified caller identifier (no complex tools are even needed).
Not only threats for PCs, but for any connected device: mobiles, connected cars … and the private life of individuals.
950 million Android phones could be affected!
The weaknesses reside in Stagefright, the media playback library in Android. They allow attackers to infiltrate devices and exfiltrate private data. Attackers only need the victim's mobile phone number: they can send an exploit packaged in a multimedia message (MMS), which lets them run code on the device and steal data from the parts of the phone reachable with Stagefright's permissions. That allows recording of audio and video, and snooping (spying) on photos stored on SD cards...
The victim might never know they had even received a message. It would "trigger immediately before you even look at your phone… before you even get the notification". It would be possible to delete the message before the user had been alerted too, making attacks completely silent.
Armed with only $15 of simple electronics gear he bought from RadioShack, a 14-year-old boy was able to hack into a car, unlock its doors and remote-start the engine. He also set the wipers going and was able to make the car play music from his mobile phone. Just to press the point, he then flashed the headlights to the beat.
In the same way, he would be able to stop a car going at full speed on a highway …
BMW had to patch its ConnectedDrive system.
Not only BMW … many other examples:
In 2015 security researchers were able to shut down a Jeep driving at 70 mph, and a device was uncovered that could hack GM's OnStar service. More recently, the Nissan Leaf was shown to be hackable due to insecure APIs.
Such hacking requires extended periods of time (months or possibly years) experimenting with a specific vehicle. Financially-motivated hackers won't see payback for their investment, but terrorists are likely to pursue such hacks, and some are bound to succeed.
Ashley Madison Case: hacking not only for money …
 
“Ashley Madison is the most famous name in infidelity and married
dating” the site asserts on its homepage. “Have an Affair today on
Ashley Madison. Thousands of cheating wives and cheating husbands
signup everyday looking for an affair…. With Our affair guarantee
package we guarantee you will find the perfect affair partner”

Hackers who stole sensitive customer information from the AshleyMadison.com site appear to have made good on their threat to post the data online. The data was posted to the dark web (accessible only through the Tor browser). The files appear to include account details and log-ins for some 32 million users.
The data, which amounts to millions of payment transactions, includes names, street addresses, email addresses and amounts paid, but not credit card numbers.
One analysis of email addresses found in the data dump also shows that some 15,000 are .mil or .gov addresses.

Passwords released in the data dump appear to have been hashed using the bcrypt algorithm.
Hackers are still likely to be able to "crack" many of these hashes in order to discover the account holders' original passwords: bcrypt makes each guess slow, but it does not save accounts whose password is in a common wordlist.
If the accounts are still online, this means hackers will be able to grab any private correspondence associated with the account.
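To see why bcrypt hashing does not protect users who chose weak passwords, here is an added example that is not from the page or from any analysis of the breach. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (which is not in the standard library); the credential table, the passwords and the wordlist are constructed.

```python
import hashlib
import hmac
import os

# Work factor: bcrypt's "cost" parameter plays the same role as the iteration count here.
# Kept low so the demo runs in well under a second; real deployments use far more.
ITERATIONS = 20_000


def hash_password(password, salt=None):
    """Salted, iterated hash. PBKDF2-HMAC-SHA256 stands in for bcrypt (assumption for the demo)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute the hash for a candidate and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed "leaked" credential table: what an attacker holds after a database dump.
LEAKED_USERS = {
    "alice": hash_password("123456"),
    "bob": hash_password("password1"),
    "carol": hash_password("k7#Qz!9vL2p$w"),
}

# A tiny constructed wordlist; real attacks use millions of entries and previously cracked passwords.
WORDLIST = ["123456", "password", "qwerty", "password1", "letmein"]


def crack(leaked, wordlist):
    """Offline dictionary attack. Each account has its own salt, so every guess costs one
    full KDF computation per account: the work factor slows the attacker down, but it only
    protects passwords that are not in the list."""
    found = {}
    for user, (salt, digest) in leaked.items():
        for guess in wordlist:
            if verify(guess, salt, digest):
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    print("cracked:", crack(LEAKED_USERS, WORDLIST))
```

The attacker recovers alice's and bob's passwords after at most five hash computations each, while carol's random password never appears in the list. Raising the cost factor multiplies the attacker's time per guess, which matters for 32 million hashes, but the accounts with "123456" fall in the first seconds regardless.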
The hackers, called the Impact Team, demanded that Avid Life Media, owner of AshleyMadison.com and its companion site Established Men, take down the two sites.
EstablishedMen.com promises to connect beautiful young women with rich sugar daddies "to fulfill their lifestyle needs."
The hackers didn't target CougarLife, a sister site run by ALM… (gallant hackers??)

“Avid Life Media has been instructed to take Ashley Madison and
Established Men offline permanently in all forms, or we will
release all customer records, including profiles with all the
customers’ secret sexual fantasies and matching credit card
transactions, real names and addresses, and employee documents
and emails,” the hackers wrote
The hackers appeared to target AshleyMadison and EstablishedMen over the questionable morals they condoned and encouraged, but they also took issue with what they considered ALM's fraudulent business practices: women's accounts are mainly fakes …
Despite promising customers to delete their user data from the site for a $19 fee, the company actually retained the data on ALM's servers, the hackers claimed.

“Too bad for those men, they’re cheating and deserve no


such discretion,” the hackers wrote. “Too bad for ALM,
you promised secrecy but didn’t deliver.”
Feb 20th 2017
Germany has banned a children's doll capable of listening to children's conversations and responding in real time, with the country's telecommunications watchdog labelling the toy a "concealed surveillance device".
The My Friend Cayla doll, which is also sold in Australia, uses Bluetooth, an internet connection and speech-to-text technology to interact with children. Germany's Federal Network Agency, the country's telecommunications watchdog, said the seemingly innocuous toy was an example of "unauthorised wireless transmitting equipment".
"Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people's privacy."
All toys capable of transmitting signals and recording images or sound without detection are banned under German law.
A security consultant says the toy is "simple to break into".


Tor: free software for enabling anonymous communication
Onion routing is implemented by encryption in the application layer of a communication protocol stack, like the layers of an onion.
Tor encrypts the data, including the destination IP address, multiple times and sends it through a virtual circuit of successive, randomly selected Tor relays.
Each relay decrypts one layer of encryption to reveal only the next relay in the circuit, and passes the remaining encrypted data on to it.
The final relay decrypts the innermost layer of encryption and sends the original data to its destination without revealing, or even knowing, the source IP address.
Tor
It eliminates any single point at which the communicating peers can be determined through network surveillance.
It is slower, but permits anonymous access to hidden services (sites offering forbidden products: contract killers, drugs, guns, …). Such servers have a .onion address and are only accessible through Tor (darknet markets).
It can also be used for undetected attacks.
Tor (The Onion Router)
To route a packet to the server, the client must encrypt its packet several times:
the first time, the client encrypts its TCP packet with the public key corresponding to the last node, numbered n;
the second time, with that of the next-to-last node, numbered n-1;
the third time, with that of node n-2;
the fourth time, with that of node n-3, etc.;
the last time, with that of the first node, numbered 1.
At this stage, all the layers of the onion enclose the TCP packet. Let us see how the onion is peeled when the client sends this packet through the circuit it has built:
the first server of the circuit decrypts the packet with key 1 and sends it to the second server;
the second server decrypts this packet with key 2, etc.;
the last server decrypts this packet with its own private key n and obtains the original packet.
(In practice Tor uses the relays' public keys only while building the circuit, to negotiate a symmetric session key with each relay; the layers of each cell are then encrypted with those session keys, which is far cheaper than public-key encryption of every packet.)
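The layered encryption and peeling described above, as an added example that is not part of the original course and not Tor's own code. It uses a symmetric session key per relay, as real Tor does once the circuit is built, rather than encrypting every packet with the relays' public keys as in the simplified description; the stream cipher is a toy built from SHA-256 in counter mode, standing in for AES-CTR. The relay names, keys, destination and payload are constructed.

```python
import hashlib
import os

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode. Stands in for the AES-CTR used by Tor;
    fine for a demonstration, never for production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """circuit: list of (relay_name, session_key) from the first hop to the exit.
    Each layer's plaintext is '<next hop>\\0<inner blob>', so a relay that strips
    its own layer learns the next hop and nothing else."""
    names = [name for name, _ in circuit]
    # innermost layer, readable only by the exit: final destination + the real payload
    blob = encrypt(circuit[-1][1], destination.encode() + b"\x00" + payload)
    # wrap outwards: the layer for relay i names relay i+1 and carries the inner blob
    for i in range(len(circuit) - 2, -1, -1):
        blob = encrypt(circuit[i][1], names[i + 1].encode() + b"\x00" + blob)
    return blob


def peel(session_key: bytes, blob: bytes):
    """One relay's work: strip one layer and learn only where to forward the rest."""
    next_hop, _, rest = decrypt(session_key, blob).partition(b"\x00")
    return next_hop.decode(errors="replace"), rest


def route(circuit, onion: bytes):
    """Simulate the circuit: return what each relay learned and what the exit delivers."""
    trace, blob = [], onion
    for name, key in circuit:
        next_hop, blob = peel(key, blob)
        trace.append((name, next_hop))
    return trace, blob


# Constructed circuit; in Tor these keys are negotiated with each relay when the circuit is built.
CIRCUIT = [("guard", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]

if __name__ == "__main__":
    onion = build_onion(CIRCUIT, "example.com", b"GET / HTTP/1.1\r\n")
    trace, delivered = route(CIRCUIT, onion)
    for relay, next_hop in trace:
        print(f"{relay:>6} -> {next_hop}")
    print("exit delivers:", delivered)
```

Only the exit relay learns the destination and sees the payload; the guard learns the client's address and the name of the middle relay; the middle relay learns neither end. Note that the exit sees the payload in clear unless the client also uses end-to-end encryption (TLS) to the destination.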
In 2014 the US government announced that hackers had breached public-sector data and that the personal data of 19 million Americans had been stolen.
It is now easy to buy stolen personal data, weapons or drugs, or to hire a contract killer … A fake identity card from a European country goes for around 1,000 euros, and a passport costs 4,000 euros.
A bundle of several pieces of personal data (address, email, phone number, social security or bank card number …) is called a "fullz". One person's personal data was resold for 20 euros on average.
While many companies spend fortunes buying databases that let them send advertising and canvass new potential customers, the black market offers unbeatable prices: on average, count 75 dollars for one million valid email addresses.
Advanced persistent threat
• An APT is a set of continuous computer hacking processes, often
orchestrated by human(s) targeting a specific entity. APT usually
targets organizations and/or nations for business or political
motives. APT processes require a high degree of covertness over a
long period of time. The "advanced" process signifies sophisticated
techniques using malware to exploit vulnerabilities in systems. The
"persistent" process suggests that an external command and
control system is continuously monitoring and extracting data from
a specific target.
• The term is commonly used to refer to cyber threats, using a
variety of intelligence gathering techniques to access sensitive
information.
• The purpose of these attacks is to place custom malicious code on
one or multiple computers for specific tasks and to remain
undetected for the longest possible period.
Advanced persistent threat
Life cycle
Different Actors – Different Motivations
Nations (and their affiliates)
Cyber-criminals
"Hacktivists"
Persons with a specific motivation
Ironic: RSA
18 months just to discover the attack!!
Common APT features
• "Client-side" attacks
Rather than trying to compromise the well-protected servers holding the data to be exfiltrated, attackers realised it was far easier to compromise users' endpoints (virtual drives) to penetrate their target (malware).
• Customised attacks
The attacks are designed to evade detection systems (NG-x, AV, sandbox, …). Attackers can take several months to prepare their attacks (> $1 million "income").
• Social engineering
The attackers use the
Step 1: Know your target
Activities
Partners / sub-contractors
Organisation chart
Staff who have left the company
Network diagram
Protection / detection systems
OS / software / packaged applications
Target and cover story ("legend")
Compromised site
[Diagram: example of a cover story. Sheldon C., VP Research and Development; Leonard, assistant to Dr. Sheldon; a fake forum identity "LeonardH" sends the message "Be on time tomorrow: project launch"]
2. Choice and customisation of an existing malware
Change its fingerprint without changing its behaviour:
• Light modification of the code
o Substitution of a function by a similar one
o Modification of variable / function names
o Compression of the malware with a packer
So … not detected by standard anti-virus.
SANDBOX (provided with advanced AV)
A sandbox is implemented by executing the software in a restricted operating system environment.
It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites.
All incoming files are checked and blocked if something abnormal or dangerous is detected.
Even if the malware cannot be detected by signature after its modification, its abnormal behaviour will be detected.
Sandbox evasion
• If the malware detects the sandbox, it will not reveal its malicious character.
• There are many techniques to evade a sandbox.
• First of all, the most common sandboxes are perfectly known to attackers, who can find an evasion technique for each of them.
Sandbox drawback: a high number of "false positives".
Malware & RAT
• CyberGate RAT (remote administration tool)
4. Malware execution
• USB keys
• Web browsing
• Impersonation of a legitimate site
• Compromise of a legitimate site
• DNS hijacking
• Mail
• Instant messaging
• Exploitation of a vulnerability, user interaction, autorun
An email scam (fraud) is an unsolicited email that claims the prospect of a bargain or something for nothing (except shipping costs …). Some scam messages ask for business, others invite victims to a website.
1. Phishing email
2. User action
3. Exploit / infection: the malware is executed transparently (so as not to be detected) on the target machine, using an exploit kit. The malware uses a zero-day vulnerability on the target machine (or out-of-date software versions).
Exploit kit

An exploit kit is a launching platform used to deliver the malware.
Easy to use, the kit first detects vulnerabilities in the applications, browser, OS, … of the target and then delivers the matching malware.
The "beauty" of exploit kits is that they can be developed in country A, sold in country B, and used in country C to attack country D using systems hosted in country E. As a result, it is hard to attribute malicious activity to actors located in a particular country simply by looking at the IP addresses observed during the immediate attack.
1. Phishing email (spear-phishing email)
2. User action
3. Exploit / infection
4. Callback: the malware includes a callback which permits the exfiltration of sensitive information.
5. Exfiltration
Exfiltration is not the only feature:
Remote control is easily provided through the use of RAT tools (example with Poison Ivy).
These RAT tools (remote administration tools) allow a remote "operator" to control a system as if he had physical access to it.
While desktop sharing and remote administration have many legal uses, "RAT" software is usually associated with criminal or malicious activity.
Malicious RAT software is installed without the victim's knowledge, often as the payload of a Trojan horse, and will try to hide its operation from the victim and from security software.
Poison Ivy: a so-easy-to-use RAT
The malware (considered the server part) is prepared so as not to be detected (slight modifications to change its signature, and compression with a packer). It is then bound to an application (for example the default browser of the target).
It is transferred (through a compromised website, a mail, a USB key …) and unpacked on the target.
When the user (target) uses his browser, the hacker with the RAT management tool (considered the client part) has full access to the user's machine.
Poison Ivy
File manager
Registry manipulator
Process viewer and manipulator
Services and drivers viewer
Remote cmd.exe shell
Password dumper
Key logger
Screen and audio capture
Internet camera capture
As a result: total control of the target.
The target is often a client, but through the client we have access to the servers (through classical file sharing).
Persist
• Maintain access for as long as necessary
• Registry
• Migration into a legitimate process
Hide one's tracks
• Deletion of the malware
• Clearing of event logs
Legitimacy
• Theft of passwords / identities
• VPN
Action on target
• Installation of tools
• Installation of new malware variants
• Observation / keylogger
• Lateral movement
Pivot
• Local vulnerability
• Shares
• Mail
• Hops (rebounds)
Exfiltrate
• Via an alternate channel (SMTP, P2P …)
Mission accomplished
While the number of spam messages is falling, the number of malware samples is rising.
In June 2015 it even reached its highest level of attacks over the preceding twelve months.
57.6 million malware samples appeared during that month, versus 44.5 million in May and "only" 29.2 million in April.
Conclusion: "point-in-time" malware detection alone is not 100% effective.
It will detect 99% of threats, but 1% is enough to be compromised.
Security Policy
Full Attack Continuum
The combination of these dynamics – changing business models,
an evolving threat landscape, and security complexity and
fragmentation –has created security gaps, broken the security
lifecycle, reduced visibility, and introduced security management
challenges.

To truly protect organizations in the face of these dynamics, we need to change our approach to security. It's time for a new threat-centric security model addressing the full attack continuum:
Before, During, and After an Attack
Most security tools today focus on visibility and
blocking at the point of entry in order to protect
systems. They scan files once at an initial point
in time to determine if they are malicious.
But advanced attacks do not occur at a single
point in time; they are ongoing and require
continuous scrutiny. Adversaries now employ
tactics such as port hopping, zero-day attacks,
detection evasion, encrypted traffic, blended
threats and sandbox evasion to elude initial
detection.
Need for an "after" process
If the file isn’t caught or if it evolves and
becomes malicious after entering the
environment, point-in-time detection
technologies cease to be useful in identifying
the activities of the attacker.
Security methods can’t just focus on detection
but must also include the ability to (at least)
mitigate the impact once an attacker gets in.
Defenders need retrospective security
in order to marginalize the impact of an attack
by identifying point of entry (backward file
trajectory), determining the scope, containing
the threat, eliminating the risk of re-infection,
and remediating (if damage).
Unified Platform-based solution
Security requires an integrated system of agile and open
platforms that cover the network, devices, and the cloud.
These platforms need to be extensible, built for scale,
and centrally managed for unified policy and consistent
controls.
This constitutes a shift from deploying simply point
security appliances to integrating a true platform of
scalable, easy to deploy services and applications.
A platform-based approach increases security effectiveness and also accelerates time to detection.
Before
“Preventive” (classical part)
describes the set of policies, products and processes that is put in place to prevent an attack. The key goal of this category is to raise the bar for attackers by reducing their attack surface, and by blocking them and their attack methods before they impact the enterprise.
During
“Detective”
capabilities are designed to find attacks that
have evaded the preventive category. The key
goal of this category is to reduce the dwell time
of threats and, thus, the potential damage they
can cause. Detection capabilities are critical
because the enterprise must assume that it is
already compromised.
After
“Retrospective”
Proficiencies (not only tools) are required to
investigate and remediate issues discovered by
detective activities to provide forensic analysis and
root cause analysis, and to recommend new preventive
measure to avoid future incidents (feedback to the first
“preventive step”).
Identification of "patient zero" (as for an epidemic), the initially infected device (this requires an agent on the devices, such as FireAMP on endpoints).
IDS/IPS
• In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert to the console or to the owner.

• In a reactive system, also known as an intrusion prevention


system (IPS), the IPS auto-responds to the suspicious activity
by resetting the connection or by reprogramming the firewall
to block network traffic from the suspected malicious source.

• The term IDPS is commonly used where this can happen


automatically or at the command of an operator; systems
that both "detect (alert)" and "prevent".
All intrusion detection systems use one of two detection techniques:
1st: Statistical anomaly-based IDS
• An anomaly-based IDS monitors network traffic and compares it against an established baseline.
• The baseline identifies what is "normal" for that network: what bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other.
• It alerts the administrator or user when traffic is detected which is anomalous, i.e. significantly different from the baseline.
False positives
• The issue is that it may raise a false positive alarm for a legitimate use if the baselines are not intelligently configured.
• Issue: fine tuning of a cursor (threshold), a compromise between the need to detect every attack and the need not to have too many false positives.
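The baseline-and-threshold logic described above, as an added example that is not from the page or from any IDS product. It builds a per-port baseline (mean and standard deviation of bytes per minute) from ten constructed minutes of flow records, then scores three further minutes with a z-score and a tunable threshold, which is the "cursor" the slide refers to. All flow records are constructed.

```python
import statistics
from collections import defaultdict

# Constructed NetFlow-style records: (minute, src_host, dst_port, bytes). Not real traffic.
# Ten quiet minutes used to learn the baseline: HTTPS around 50 kB/min, SSH around 2 kB/min.
TRAINING_FLOWS = []
for _m, (_https, _ssh) in enumerate(zip(
        [48000, 51000, 49500, 52000, 50500, 47500, 50000, 53000, 49000, 49500],
        [2000, 2100, 1900, 2050, 1950, 2000, 2200, 1800, 2000, 2000]), start=1):
    TRAINING_FLOWS.append((_m, "10.0.0.5", 443, _https))
    TRAINING_FLOWS.append((_m, "10.0.0.7", 22, _ssh))

# Three minutes to judge: minute 12 carries a burst over SSH and a port never seen before;
# minute 13 is a legitimate but unusually large HTTPS upload (the nightly backup).
TEST_FLOWS = [
    (11, "10.0.0.5", 443, 51000), (11, "10.0.0.7", 22, 2100),
    (12, "10.0.0.5", 443, 50500), (12, "10.0.0.7", 22, 40000), (12, "10.0.0.9", 3389, 5000),
    (13, "10.0.0.5", 443, 56000), (13, "10.0.0.7", 22, 1950),
]


def bytes_per_minute(flows):
    """Aggregate flows into (minute, dst_port) -> total bytes."""
    totals = defaultdict(int)
    for minute, _src, port, nbytes in flows:
        totals[(minute, port)] += nbytes
    return totals


def build_baseline(flows):
    """Per destination port: mean and standard deviation of bytes per minute."""
    per_port = defaultdict(list)
    for (_minute, port), total in bytes_per_minute(flows).items():
        per_port[port].append(total)
    return {port: (statistics.mean(v), statistics.stdev(v) if len(v) > 1 else 0.0)
            for port, v in per_port.items()}


def detect(baseline, flows, z_threshold):
    """Flag minutes whose volume on a port deviates from the baseline by more than
    z_threshold standard deviations, and any port absent from the baseline.
    Returns a list of (minute, port, reason)."""
    alerts = []
    for (minute, port), total in sorted(bytes_per_minute(flows).items()):
        if port not in baseline:
            alerts.append((minute, port, "port never seen during baseline"))
            continue
        mean, sd = baseline[port]
        if sd == 0:
            z = 0.0 if total == mean else float("inf")
        else:
            z = abs(total - mean) / sd
        if z > z_threshold:
            alerts.append((minute, port, f"{total} bytes, z={z:.1f} vs mean {mean:.0f}"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(TRAINING_FLOWS)
    for threshold in (3.0, 5.0):
        print(f"--- z threshold {threshold}")
        for alert in detect(baseline, TEST_FLOWS, threshold):
            print(alert)
```

At a threshold of 3 standard deviations the nightly backup on port 443 is flagged alongside the real SSH burst; at 5 it is not, while the SSH burst (hundreds of standard deviations out) is still caught. That is the trade-off the slide describes: the stricter the cursor, the more attacks it catches and the more legitimate events the analyst has to dismiss. A port never seen during the baseline is reported regardless of volume, since there is nothing to compare it with.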
2nd: Signature-based IDS

• A signature based IDS will monitor packets on the


network and compare them against a database of
signatures or attributes from known malicious threats.
• This is similar to the way most antivirus software
detects malware. The issue is that there will be a lag
between a new threat being discovered in the wild
and the signature for detecting that threat being
applied to your IDS.
• During that lag time your IDS would be unable to
detect the new threat.
Limitations

• Noise can severely limit an intrusion detection


system's effectiveness. Bad packets generated
from software bugs for instance can create a
significantly high false-alarm rate.
• It is not uncommon for the number of real attacks to be far below the number of false alarms, so far below that the real attacks are often missed and ignored.
Limitations
• Encrypted packets are not processed by the intrusion
detection software. Therefore, the encrypted packet can
allow an intrusion to the network that is undiscovered until
more significant network intrusions have occurred.

• Intrusion detection software provides information based on


the network address that is associated with the IP packet
that is sent into the network. This is beneficial if the network
address contained in the IP packet is accurate. However, the
address that is contained in the IP packet could be faked or
scrambled.
SNORT
• Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) created in 1998 (Windows and Linux versions).
• Snort was then developed by Sourcefire
• …
• and has belonged to Cisco since 2013 (acquisition of Sourcefire)
SNORT
• Snort's open source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching.
• The program can also be used to detect attacks. Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In sniffer mode, the program reads network packets and displays them on the console. In packet logger mode, it logs packets to disk.
• In intrusion detection mode, the program monitors network traffic and analyzes it against a rule set defined by the user. It then performs a specific action (alert, log, drop …) based on what has been identified.
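To make the signature-matching model concrete, here is an added example (not Snort's own code and not from the page) of a minimal Snort-rule evaluator in Python: it parses the rule header and the msg, content, nocase and sid options, resolves $HOME_NET and $EXTERNAL_NET, and applies the rules to constructed packets. The rules, variable values, SIDs and packets are constructed; real Snort rules carry many more options (pcre, flow, depth/offset, byte_test …) that are not handled here.

```python
import ipaddress
import re

# Rule variables as they would be set in snort.conf (constructed for this example).
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def content_bytes(text: str) -> bytes:
    """Snort content syntax: plain text, with |..| sections holding hex bytes."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


def parse_rule(line: str) -> dict:
    """Parse the subset of a Snort rule used here: header, msg, content/nocase, sid."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: " + line)
    action, proto, src, sport, direction, dst, dport, options = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "msg": "", "sid": None, "contents": []}
    for name, value in OPTION_RE.findall(options):
        value = value.strip().strip('"')
        if name == "content":
            rule["contents"].append([content_bytes(value), False])  # [needle, nocase]
        elif name == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True                          # modifies the previous content
        elif name == "msg":
            rule["msg"] = value
        elif name == "sid":
            rule["sid"] = int(value)
    return rule


def addr_matches(spec: str, ip: str) -> bool:
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: dict, pkt: dict) -> bool:
    """pkt: {'proto','src','sport','dst','dport','payload'}; payload is bytes."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False

    def endpoints_ok(src, sport, dst, dport):
        return (addr_matches(src, pkt["src"]) and port_matches(sport, pkt["sport"])
                and addr_matches(dst, pkt["dst"]) and port_matches(dport, pkt["dport"]))

    forward = endpoints_ok(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    reverse = rule["dir"] == "<>" and endpoints_ok(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    if not (forward or reverse):
        return False
    for needle, nocase in rule["contents"]:
        hay, n = (pkt["payload"].lower(), needle.lower()) if nocase else (pkt["payload"], needle)
        if n not in hay:
            return False
    return True


def run_rules(rules, packets):
    """Evaluate every rule against every packet; return (sid, msg, packet_index) hits."""
    return [(r["sid"], r["msg"], i)
            for i, pkt in enumerate(packets) for r in rules if rule_matches(r, pkt)]


# Constructed rules in Snort syntax (SIDs >= 1000000 are the range reserved for local rules).
RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe access"; content:"cmd.exe"; nocase; sid:1000001;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"Outbound connection to common RAT port"; sid:1000002;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"NOP sled in request"; content:"|90 90 90 90|"; sid:1000003;)',
]]

# Constructed packets: an external web attack, an internal host calling back,
# internal-only traffic, and a TLS record the IDS cannot see inside.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51000, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /scripts/..%5c../winnt/system32/CMD.exe?/c+dir HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 49152, "dst": "203.0.113.7", "dport": 4444,
     "payload": b""},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 49153, "dst": "192.168.1.20", "dport": 80,
     "payload": b"GET /cmd.exe HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51001, "dst": "192.168.1.10", "dport": 443,
     "payload": b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03"},
]

if __name__ == "__main__":
    for sid, msg, idx in run_rules(RULES, PACKETS):
        print(f"[1:{sid}] {msg} (packet {idx})")
```

The fourth packet is a TLS record: no content rule can match inside it, which is the encrypted-traffic limitation noted above. The third packet carries the same cmd.exe string but between two internal hosts, so the $EXTERNAL_NET constraint keeps it quiet; whether that is desirable depends on whether lateral movement inside $HOME_NET is a concern for the deployment.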
Classical FW
• The typical functions of a traditional firewall: packet filtering, network and port address translation (NAT), stateful inspection, and virtual private network (VPN) support.
• Decisions are based on the IP and transport headers (addresses, ports, connection state); next-generation firewalls add the upper layers of the OSI model (in fact of the TCP/IP model) to filter network traffic depending on the packet contents.
Next-Generation Firewall

• A NGFW is an integrated network platform that combines a traditional stateful packet inspection (SPI) firewall with other network device filtering functionalities: an intrusion prevention system (IPS) and/or other techniques such as website filtering, QoS/bandwidth management, antivirus inspection, anti-spam and third-party integration (e.g. Active Directory, LDAP, …).
NG FW
• NGFWs perform deeper inspection compared
to classical stateful inspection FW

• They go deeper to inspect the payload of


packets and match signatures for harmful
activities such as known vulnerabilities, exploit
attacks, viruses and malware.
Cisco security products
• Protect Across the Entire Attack Continuum
• Protect against advanced threats while reducing complexity and cost. The NGFW Cisco ASA with FirePOWER Services delivers integrated threat defense across the entire attack continuum. It combines the proven ASA firewall with advanced malware protection (AMP) in a single device.
Advanced Malware Protection AMP
• Sourcefire Advanced Malware Protection (AMP) offers
malware analysis and protection for networks and endpoints
using big data analytics to discover, understand and block
advanced malware outbreaks, advanced persistent threats
(APTs) and targeted attacks. AMP enables malware detection
and blocking while provisioning continuous analysis and
retrospective alerting, using Sourcefire security intelligence.

• Advanced Malware Protection can be deployed inline via a


license key on NGIPS/FW, dedicated AMP FirePOWER
appliance or on endpoints (windows), virtual and mobile
devices (android) with FireAMP.
Firesight
• Cisco FireSIGHT Management Center centrally
manages network security and operational
functions for Cisco ASA with FirePOWER
Services and Cisco FirePOWER network
security appliances. It automatically
aggregates and correlates information. Reduce
your costs by streamlining operations and
automating many commonly recurring
security analysis and management tasks.
Business
• Sourcefire is an American company founded in 2001 by Martin Roesch, the creator of the free IDS software Snort.
• In October 2005 the Israeli company Check Point tried to acquire Sourcefire for US$225 million, but in March 2006 the CFIUS suspended the transaction, citing national security reasons.
• In 2007 Sourcefire acquired the free antivirus project ClamAV, which caused some concern in the antivirus community.
• On 23 July 2013 Cisco announced the acquisition of Sourcefire for US$2.7 billion ….
• 2015: Cisco staff dedicated to security: 700 persons.


Visibility
We can't protect what we don't know. Products help administrators, but they do not replace the processes applied by people (3P rules).
Finding malware from the weak IOCs (Indicators of Compromise) provided by tools requires time and knowledge.
