Post on 25-Jan-2023
#CLUS
Jamey Heary, Jamie Sanbower, Rob Tappenden, Jatin Sachdeva
TECSEC-2609
Architectural Approach to Securing the Hybrid Data Center
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Agenda
• Zero Trust Intro
• Workforce Security
  • Trust Centric (Duo)
  • Threat Centric (Umbrella SIG)
• Workplace Security
  • Trust Centric (SDA+ISE)
  • Threat Centric (NGFW, Stealthwatch, AMP4N)
• Workload Security
  • Trust Centric (ACI, Tetration, AlgoSec/NGFWv, SWC, CloudLock)
  • Threat Centric (AMP4E, NGIPS, Tetration, CTR)
Agenda
• Zero Trust Intro
• Workforce Security
• Workplace Security
• Workload Security
About this Tectorial
• It is Cisco centric
• It is focused on the most impactful DC security solutions
• We cover a lot of solutions that work together; this is a journey, and you don’t need everything at once. Prioritize!
• Provides a baseline understanding and demo of each solution covered
• Ask questions, that’s the best way to learn!
The Modern Data Center is Incredibly Complex
“In the future, computers may weigh no more than 1.5 ton” – Popular Mechanics, 1949
How is Data Being Stolen?
(figure: three statistics, 70%, 86% and 81%; their labels did not survive extraction)
A little bit of Zero Trust history
De-perimeterization
An international group of corporate CISOs and vendors (Cisco hosted initial meeting)
Focused on solving the “de-perimeterization” problem
Early output calling for “the need for trust”
Multiple Models Emerge
Forrester coined Zero Trust. NGFW biased
Google published their ZT solution as BeyondCorp
Forrester then expands to Zero Trust eXtended
Gartner names their model Continuous Adaptive Risk and Trust Assessment
Generalised
The industry has largely accepted Zero Trust Architecture as the general term
Timeline: 2004 Jericho Forum; 2010 Zero Trust (Forrester); 2014 BeyondCorp; 2017 CARTA & ZTX; Today ZTA
Zero Trust is mis-named
Zero Trust really means “Least-Privilege Access” (i.e. grant access, but make it specific!)
But, there is a lot more to it than just that…
Before we go further, let’s level set:
There is a big difference between Authentication (AuthN) and Authorization (AuthZ)
Authentication vs. Authorization
“I’d like 40K from Chuck Robbins’ Account”
“Do You Have Identification?”
“Yes, I Do. Here It Is.”
“Sorry, Jamey Heary is not Authorized for Chuck Robbins’ Account”
Zero Trust changes the paradigm
Focuses on data protection, not on attacks
Assumes all environments are hostile and breached
No access until user + device is proven “trusted”
Authorize and encrypt all transactions and flows
Verify before Trust
A literal definition of Zero Trust has hard-requirements
The network is always assumed to be hostile
External and Internal threats exist at all times
Every user, device, app, and network flow is authenticated and authorized
Automated and integrated systems are what allow a zero trust architecture to work in the real world
Policies must be dynamic and calculated from as many sources of context as possible
All activity is logged and accounted for
Trust is earned and temporary
But with most orgs and the tools available to us today…
There is no practical means available to meet all ZTA requirements, so we need compensating controls to get as close to ZTA as possible
Cisco’s Zero Trust approach has two focus areas
Trust-Centric: good security practice to verify before granting access via an identity-based policy, for any user, any device, any app, in any location
Threat-Centric: basic security maturity to prevent attacks via an intelligence-based policy, then detect, investigate, and remediate
Cisco’s Architectural Philosophy for Security
Trust-Centric: “Reduce the attack surface using Least privilege access”
Threat-Centric: “Stop the Breach”
Visibility: “See and Share Everything”
Contextual Integrations
Three Domains of Cisco Zero Trust Design
• Workforce: User & Device Access (users & devices)
• Workplace: Network Access (corporate network, all corp IT, wireless, network traffic, IoT devices)
• Workload: Application & Workload Access (servers, apps, databases, SaaS, data center)
Three Domains of Hybrid DC Security
Workforce
+ Is the user who they say they are?
+ Do they have access to the right applications?
+ Is their device secure?
+ Is their device trusted?
Workload
+ What applications are used in the enterprise?
+ What is communicating with applications/data?
+ Is communication w/ the workload secure & trusted?
Workplace
+ Do users & devices authenticate for network access?
+ What access are they granted?
+ Are devices on the network secure?
+ Is their network segmentation based on trust?
Acme Inc.
• Large Retail Provider
• Multiple Data Centers and Cloud (IaaS/SaaS)
• Workforce
  • Campus Network – 10,000 users
• Workplace
  • 100 Retail stores, 2 HQ’s, 10 Automated distribution centers
• Workloads
  • Virtual Machines (2,000+)
  • Containers
Strategic Objectives 2020
Enhance operational efficiency
Mitigate risk of change
Regulatory Compliance
Digital Transformation
IT Initiatives
• Modernize IT
  • Automate
  • Simplify
• Hybrid DC Buildout
  • Rapid migration to cloud
  • Security at speed of IT
• Microservices
  • Containers
  • Kubernetes
• Zero Trust Security
Businesses are Enabling Data Access Between…
• Any User: Employee, Contractor, Partner
• Any Device: Corporate-Issued, Bring-Your-Own, IoT
• Any App: Data Center, Multi-Cloud, SaaS
• In Any Location: On-Premises, On-VPN, Off-Network
Mindsets are Changing to Address These Problems
• Location ≠ Trust: Don’t grant access to data based on where requests originate in the network
• Automate Policy: Adjust access using dynamic context to improve policy efficacy and simplicity
• Least Privilege Access: Prioritize enforcing the least privileges for a limited time for your high-risk data
• Trust Erodes: Don’t rely only on one-time verification of user, device, and workload trust
User and Device Identity for Policy and Awareness
Trusted Identity Added to Cisco’s Portfolio: verifies user and device trust across private cloud, public cloud IaaS, public cloud SaaS apps, intent-based networking, cloud and endpoint
Software-Defined Policy Access Evolution
Trusted Access across Hybrid IT Enterprises: Cisco Identity Services Engine (ISE) and Duo MFA
(table: rows are the user/device location, columns are the app/services location, On-Prem | Cloud)
SDP Approach to Network Access
• Mobile & BYOD Access Solution, User + Device, On-Prem: ISE | ISE
• Mobile & BYOD Access Solution, User + Device, Off-Prem: ISE* or Duo☨ | Duo
• IoT Access Solution, Head-less Device, On-Prem: ISE | ISE
SDP Approach to App Access
• User + Device, On-Prem: ISE | ISE or Duo**
• User + Device, Off-Prem: ISE☨ or Duo* | Duo
☨ Integrated with AnyConnect; * Duo Beyond with Network Gateway (i.e. reverse proxy); ** Duo Access for BYOD
Secure Any Corporate Application
Verify Trust for Any Device: Limit Access to Compliant Devices
● Identify corporate-owned & BYOD
● Verify if devices are out-of-date and potentially vulnerable to security risks
● Block device access to critical applications
● Apply policies consistently for any device platform: Windows, MacOS, iOS & Android
Adaptive Policies: Easily Enforce Compliance
● Customizable security policies
● Global, App & Group Level controls
● Establishes a level of trust based on users and devices
Duo Product Architecture
Duo Cloud Platform: Multi-Factor Authentication, Device Policy Check, Device Visibility, User Policy, User Management, MFA Management
Access paths into the platform:
• Web/SSH via Duo Network Gateway
• VPN, Virtual Desktop, etc. via Duo Auth Proxy [RADIUS/LDAP]
• Cloud Apps via Duo Access Gateway [SAML/SSO]
• Duo Integrated (azure-ad, rdp, ssh, Windows, app, api, etc)
Primary Auth (AD, Azure-AD, LDAP, etc.) stays with the existing directory; the User comes in from an Access Device and completes MFA on an MFA Device (or the Access Device itself)
Duo Never Touches the Primary Authentication
Second-factor methods:
• Duo Push
• Mobile Passcode
• Phone, SMS
• HOTP Token
• U2F/WebAuthN
• Bypass
Core service and policy engine is always in the cloud
Duo Access Gateway Setup (DAG)
Duo Network Gateway: Detect User and Device Context for Internal HTTP/S and SSH Apps
Use Duo Beyond to secure access to internal networks and the public cloud.
(figure: a Trusted User on a Trusted Device reaches the DNG (443) over the Public Internet; behind it sit SSH and the Security Groups Tier 1, Tier 2 and Tier 3, labelled 10.0.0.1-4, *.domain.local and 192.0.0.1/24)
Duo Network Gateway Setup (DNG)
● Deploy a Duo Network Gateway in the DMZ using Docker, with both “public” and “internal” access.
● Configure your SAML IdP for primary auth.
● Configure DNG with Duo for secondary auth.
● Configure a web application on the DNG for your protected “internal” application.
● Create public DNS entries for your protected internal web apps to point to the DNG’s public interface.
● Users access the “internal” app using their browser.
Disruption – Hybrid Cloud
Network: Decentralized (SD-WAN with DIA/DCA; roaming/mobile users, branch offices and HQ reach Internet / SaaS / IaaS directly)
Security: Protect at data center, cloud, and branch edge (Cloud Edge)
Transformation to the Secure Internet Gateway
Converging security services in the cloud (Cloud Delivered Services):
• Firewall
• Web gateway
• DNS-layer security
• Data loss prevention
Cloud Security Platform: Cisco Umbrella
• Safe DNS Resolution
• Web Controls
• Cloud-Delivered Firewall
• SaaS Usage Controls (CASB)
• Correlated Threat Intel
SD-WAN Integration w/Viptela
(figure: the SD-WAN device (vEdge) at Headquarters (Hub) sends all DIA/DCA traffic over an IPsec tunnel to the Cisco Umbrella firewall, with a white list of domains + IPs)
Tunnel Support: Direct Viptela support of an IPsec tunnel from a Viptela vEdge device to Umbrella
Private IP Reporting: Internal visibility w/o agents to help with remediation and SIEM correlation
Local Domain Bypass and Device Registration: Direct internal DNS traffic to your internal infrastructure and automatically register vEdge devices within the Umbrella dashboard, supporting networks that are dynamic
Cloud Delivered Firewall
• Provides firewall functionality at the cloud edge
• Protection at the FIRST HOP for organizations with DIA deployments
• Ability to enforce beyond DNS across all ports and protocols
• Initial: L3/L4 firewall; Later: L7, Snort/IPS
(figure: from any deployment, traffic enters an IPsec tunnel; HTTP/S is handled by the full web proxy, non-web traffic and site exclusions by the FWaaS, before reaching the Internet)
Full Web Proxy Capabilities (Visibility, Protection, Control)
• App Discovery (Shadow IT)
• Antivirus / Anti-Malware (AMP)
• Full URL Logging
• Malware Sandboxing (Threat Grid)
• App Blocking & Control
• Time-Based & File-type Controls
• Web Content Filtering
• Data Loss Prevention (DLP)
We Have had Challenges in the Workplace…
• Complexity
• Ability to operationalize
• Quantity of users / things
• Risk
Traditional networks cannot keep up!
• 95% of network changes performed manually
• Most features never used
• By 2020 over 26 billion devices will be interconnected (Gartner)
Those Challenges Show up in the Security Statistics
70% of breaches start on endpoint devices. WHY?
• Vulnerabilities: 92% of Internet devices surveyed had vulnerabilities, on average ~26 each
• User/Admin error: #2 breach method observed in 2017
• Gaps in visibility: 85% of Internet traffic is ENCRYPTED, doubled in 3 years
• 200 DAYS is the average time to detection
Anatomy of a Breach in User Land
• Reconnaissance: victim clicks phishing email link
• Perimeter bypassed: malware exploits & vulnerabilities
• Lateral Movement: pivot to DC, exploitation of trust
• Data Exfiltration using Admin privilege
• Information monetized
Cisco Secure Access Approach
Trust-Centric: “Reduce the attack surface using Least privilege access”
Threat-Centric: “Stop the Breach”
Visibility: “See and Share Everything”
Contextual Integrations
Building blocks: IPS, Flow Analytics, Breach Detection + Sandboxing, DNS Security, Software Defined Segmentation, Firewalling
Cisco Secure Access Solutions – Focus Areas
Trust-Centric: “Reduce the attack surface using Least privilege access” (Cisco DNA and SDA, ISE, NGFW)
Threat-Centric: “Stop the Breach” (NGFW/NGIPS, Stealthwatch + Encrypted Traffic Analytics, AMP + Threatgrid + Umbrella)
Visibility: “See and Share Everything”
Contextual Integrations
Cisco DNA + Cisco Security: Stronger Together
Cisco Security: Threat Centric Protection, Trust Centric Segmentation, Visibility
Cisco DNA Intent-based Network: Analytics, Policy Automation
Demo: Integration Made Easy
Cisco DNAC ➢ ISE
What are we solving?
Integrating systems is complex and highly skilled
Let’s talk Visibility
Trust-Centric: “Reduce the attack surface using Least privilege access”
Threat-Centric: “Stop the Breach”
Visibility: “See and Share Everything”
Contextual Integrations
Visibility is the Foundation: Visibility for Segmentation
The demanding part of segmentation is building and maintaining a proper policy
Critical to understand:
• Applications, their business criticality and how they communicate
• User and device inventory and context
• Risks, threats and written policy needs
Integrated with the network
• Stealthwatch (NetFlow): How are they communicating?
• AnyConnect (Posture: Patched? AV/AM/FW? Encrypted? Inventory?): What is my risk profile? Are my hosts compliant?
• ISE (Identity, Profiling): Who and what is on my network?
Context: Who, What, When, Where, How, Compliant
Where Does ISE Profiler Get All that Visibility Context?
From the Cisco Infrastructure!
Probes: NetFlow, DNS, HTTP, RADIUS, NMAP, SNMP, CDP, LLDP, DHCP, H323, SIP, MDNS
• Zero network downtime to deploy profiler
• 630+ high-level canned profiles + periodic feeds (ISE Feed Service)
• 100+ active security partners
Demo: Visibility and Context Gathering
Cisco ISE Profiler
• ISE ➢ Fabric & Security
• What are we solving? I have no idea who and what is really on my network
• Visibility Wizard ➢ Fabric & Security: collecting and maintaining an inventory is complex, unreliable and tedious
Cisco ISE Threat-centric NAC
• ISE ➢ AMP, AnyConnect, 3rd party vuln. scanners
• What are we solving? I’m blind to the risk of the users, devices and apps on my network
Segmentation: Reducing the Attack Surface
What are we solving?
“My network is flat; campus segmentation is unmanageable and static but my business is dynamic”
“I need more segmentation, I just don’t have the staff and resources to deploy and manage it”
“ACLs are a nightmare, hard to manage and a constant battle to stay on top of”
One Cat9300 48 port switch, best practices deployment: manual # config lines: 1400+!!!
Segmentation with Cisco DNA + Security
Unleashes the true power within a Cisco secure network
ISE + SW Visibility Context + Written Security Policy ➢ Digital Network Architecture (DNA) Segmentation Enforcement
Dramatically reduces the attack surface and is manageable
Refresher: Cisco Digital Network Architecture (DNA): SDA Fabric Roles and Terminology
(figure: the Campus SDA Fabric managed by DNAC / APIC-EM with ISE; border (B) and control plane (C) nodes, the DC, and virtual networks (vn))
Logical Topology: Segmentation
Virtual Networks (VN) in the SDA Campus Fabric (macro-segmentation):
• Campus VN, SGTs: Employee, Contractor, Campus-Quar
• IoT VN, SGTs: Cameras, IoT-mgmt., IoT-Quar
• Guest VN, SGTs: Guest, Guest-Quar
• Infra VN, SGTs: Net Services, Net Devices, Infra-Quar
Micro-segmentation: SGTs within each VN; blacklists: 802.1x dACL
Inter-VN and perimeter: NGFW FTD, SD-WAN, Internet
DC Fabric: APIC / ACI, EPGs: Web, DB, SAP
Management and policy: ISE, DNAC, FMC, SMC
Demo: Automation & Simplification
Cisco DNAC + ISE
DNAC+ISE ➢ Infrastructure
What are we solving?
• Building a segmented wired and wireless network is hard
• Operationalizing a segmented network is even harder
• The costs of segmenting are prohibitively high
Deployment Recap
• What just happened in that 5 minutes?
• SDA Fabric creation
  • VXLANs, VNs, LISP, routing, BGP, ECMP, VRFs
• Security best practices
  • 802.1x configuration
  • ISE integration and policies
  • SGT TrustSec
  • Switch device sensor
  • Profiling configuration
  • AAA and device administration
  • Etc. etc.
Software Defined Security!
Demo: Simple Segmentation Enforcement
• Macro-Segmentation – IoT Virtual Network provisioning
• Inter-VN, perimeter - NGFW Zone Firewalling
• Micro-Segmentation – SGACL ACCT2HR
• Blacklist - dACL
Attack Surface is Now Reduced. Next up: Mitigating Exposed Threats, Risks and Vulnerabilities
(figure: VN: Employee, SGT: HR, SGT: IoT high risk, and outside the fabric perimeter; Cisco DNA Integrated Threat Protection sits on top of DNA Dynamic Segmentation and DNA Embedded Visibility)
Cisco Advanced Threat Solutions
Integrated ISE + Cisco DNA
Umbrella
• DNS-based protection, Encryption
• Secure Internet Gateway
• IoT security
• Cloud based simplicity
NGFW / NGIPS
• Protection against application vulnerabilities
• Impact-assessment and IoC
• Auto-tuning of policy
AMP
• Stop advanced malware
• AV replacement
• Sandboxing to find zero-day
• Retrospective threat remediation
Firepower Management Center
• A policy configuration tool for NGFW / NGIPS
• A quick way to see the context / composition of your network
• A tool to “check-on” your threat events
Access Control Policy
Traffic must match in the Access Control Policy in order to be Inspected
For a simple IPS deployment, you can use the Default Action
Access Control Policy
In a NGFW deployment, the Default Action will likely be “Block All Traffic”.
Intrusion Policy needs to be defined for each Allow Action.
Access Control Policy
If needed, different Allow rules can have different Intrusion Policies assigned.
Intrusion Policy
The Intrusion Policy defines which Snort rules are used in packet inspection, as well as the configuration of the Preprocessors.
You should make use of Firepower Recommendations!
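The three Access Control Policy slides describe a small set of rules: traffic is matched against the policy top-down, each Allow action carries the Intrusion Policy applied to its traffic, and anything unmatched gets the Default Action (typically “Block All Traffic” in an NGFW deployment, or an inspecting Allow in a simple IPS deployment). The following Python model, added here as an illustration and not Firepower code or Cisco's own logic, makes those rules executable; the zone names, rule names and sample flows are constructed, and the intrusion policy names are those of the Cisco-provided base policies.

```python
"""Model of Firepower Access Control Policy evaluation.

Added example, not Firepower code: rules are checked top-down, an Allow
rule hands matched traffic to its Intrusion Policy, and unmatched traffic
gets the Default Action. Zone names, rule names and flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Rule:
    name: str
    action: str                                    # "allow" or "block"
    src_zones: frozenset = frozenset()             # empty = any
    dst_zones: frozenset = frozenset()
    dst_nets: tuple = ()                           # CIDR strings; empty = any
    dst_ports: frozenset = frozenset()
    intrusion_policy: Optional[str] = None         # only meaningful for Allow

    def matches(self, f: Flow) -> bool:
        if self.src_zones and f.src_zone not in self.src_zones:
            return False
        if self.dst_zones and f.dst_zone not in self.dst_zones:
            return False
        if self.dst_nets and not any(
                ip_address(f.dst_ip) in ip_network(n) for n in self.dst_nets):
            return False
        if self.dst_ports and f.dst_port not in self.dst_ports:
            return False
        return True


@dataclass
class AccessControlPolicy:
    rules: list
    default_action: str = "block"                  # NGFW: "Block All Traffic"
    default_intrusion_policy: Optional[str] = None  # IPS-only: Allow + inspect

    def allow_rules_without_ips(self) -> list:
        """Allow rules that would pass traffic uninspected; each Allow needs an IPS policy."""
        return [r.name for r in self.rules
                if r.action == "allow" and r.intrusion_policy is None]

    def evaluate(self, f: Flow) -> dict:
        """First matching rule wins; otherwise the Default Action applies."""
        for r in self.rules:
            if r.matches(f):
                ips = r.intrusion_policy if r.action == "allow" else None
                return {"rule": r.name, "action": r.action,
                        "intrusion_policy": ips, "inspected": ips is not None}
        ips = (self.default_intrusion_policy
               if self.default_action == "allow" else None)
        return {"rule": "Default Action", "action": self.default_action,
                "intrusion_policy": ips, "inspected": ips is not None}


# Constructed NGFW-style policy: two Allow rules with different IPS policies.
NGFW_POLICY = AccessControlPolicy(
    rules=[
        Rule("Inside to DMZ web", "allow",
             src_zones=frozenset({"inside"}), dst_zones=frozenset({"dmz"}),
             dst_ports=frozenset({80, 443}),
             intrusion_policy="Balanced Security and Connectivity"),
        Rule("App to DB", "allow",
             src_zones=frozenset({"dmz"}), dst_zones=frozenset({"dc"}),
             dst_nets=("10.8.3.0/24",), dst_ports=frozenset({1433}),
             intrusion_policy="Security over Connectivity"),
    ],
    default_action="block",
)

# Simple IPS deployment from the slide: no rules, the Default Action allows and inspects.
IPS_ONLY_POLICY = AccessControlPolicy(
    rules=[], default_action="allow",
    default_intrusion_policy="Balanced Security and Connectivity",
)

if __name__ == "__main__":
    for f in (Flow("inside", "dmz", "10.1.1.5", "10.9.0.20", 443),
              Flow("dmz", "dc", "10.9.0.20", "10.8.3.5", 1433),
              Flow("inside", "dc", "10.1.1.5", "10.8.3.5", 22)):
        print(f.dst_port, NGFW_POLICY.evaluate(f))
```

`allow_rules_without_ips` is the check worth running before deploying a policy: an Allow without an Intrusion Policy is exactly the case the slide warns about, traffic that passes without ever reaching Snort.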
Automated Impact Assessment
Correlates all intrusion events to an impact of the attack against the target
Impact Flag | Administrator Action | Why
1 | Act immediately; vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate; potentially vulnerable | Relevant port open or protocol in use, but no vulnerability mapped
3 | Good to know; currently not vulnerable | Relevant port not open or protocol not in use
4 | Good to know; unknown target | Monitored network, but unknown host
0 | Good to know; unknown network | Unmonitored network
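The table above is a decision procedure over two inputs: what the sensor saw, and what the host inventory knows about the target. The Python below, an added example rather than Firepower code, implements that procedure in the order the table implies (network known? host known? vulnerability mapped? port open?) and sorts events so the administrator sees flag 1 first. Host profiles, events and vulnerability identifiers such as VULN-A are constructed sample data.

```python
"""Impact flag assignment as the Automated Impact Assessment table describes it.

Added example, not Firepower code. The host profiles, intrusion events and
vulnerability identifiers are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class HostProfile:
    ip: str
    open_services: frozenset      # (proto, port) pairs seen on the host
    vulnerabilities: frozenset    # vulnerability ids mapped to the host


@dataclass
class IntrusionEvent:
    event_id: int
    target_ip: str
    proto: str
    port: int
    vuln_refs: frozenset          # vulnerabilities the firing rule is associated with


IMPACT_ACTION = {
    1: "Act immediately; vulnerable",
    2: "Investigate; potentially vulnerable",
    3: "Good to know; currently not vulnerable",
    4: "Good to know; unknown target",
    0: "Good to know; unknown network",
}


def impact_flag(event, monitored_networks, hosts) -> int:
    """Return the impact flag (0-4) for an event against the known host inventory."""
    target = ip_address(event.target_ip)
    if not any(target in ip_network(n) for n in monitored_networks):
        return 0                                    # unmonitored network
    host = hosts.get(event.target_ip)
    if host is None:
        return 4                                    # monitored network, unknown host
    if host.vulnerabilities & event.vuln_refs:
        return 1                                    # vulnerability mapped to host
    if (event.proto, event.port) in host.open_services:
        return 2                                    # port open, no vulnerability mapped
    return 3                                        # port not open / protocol not in use


def triage(events, monitored_networks, hosts) -> list:
    """Events ordered for the administrator: flag 1 first, then 2, 3, 4, 0."""
    order = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    scored = [(impact_flag(e, monitored_networks, hosts), e) for e in events]
    scored.sort(key=lambda pair: (order[pair[0]], pair[1].event_id))
    return [(e.event_id, flag, IMPACT_ACTION[flag]) for flag, e in scored]


# Constructed inventory: two profiled hosts inside one monitored /24.
MONITORED = ["10.10.10.0/24"]
HOSTS = {
    "10.10.10.10": HostProfile("10.10.10.10", frozenset({("tcp", 22), ("tcp", 80)}),
                               frozenset({"VULN-A"})),
    "10.10.10.20": HostProfile("10.10.10.20", frozenset({("tcp", 443)}), frozenset()),
}
# Constructed events, one per row of the table.
EVENTS = [
    IntrusionEvent(1, "10.10.10.20", "tcp", 3389, frozenset({"VULN-C"})),  # port closed
    IntrusionEvent(2, "10.10.10.10", "tcp", 80, frozenset({"VULN-A"})),    # mapped vuln
    IntrusionEvent(3, "192.0.2.7", "tcp", 80, frozenset({"VULN-A"})),      # unmonitored
    IntrusionEvent(4, "10.10.10.20", "tcp", 443, frozenset({"VULN-B"})),   # port open
    IntrusionEvent(5, "10.10.10.99", "tcp", 80, frozenset({"VULN-A"})),    # unknown host
]

if __name__ == "__main__":
    for row in triage(EVENTS, MONITORED, HOSTS):
        print(row)
```

The quality of flag 1 and 2 assignments depends entirely on how current the host profiles are, which is why the slides pair impact assessment with passive discovery and the Firepower Recommendations feature.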
Indications of Compromise (IoCs) Detection & Threat Correlation
IPS Events: Malware Backdoors; CnC Connections; Exploit Kits; Admin Privilege Escalations; Web App Attacks
Security Intelligence Events: Connections to Known CnC IPs; DNS Servers, Suspect URLs
Malware Events: Malware Detections; Malware Executions; Office/PDF/Java Compromises; Dropper Infections
“You can’t protect against what you can’t see”
Gain more insight with increased visibility
(figure: what a Typical IPS, a Typical NGFW and Cisco Firepower™ NGFW can each see, from the following list)
• Malware
• Client applications
• Operating systems
• Mobile devices
• VoIP phones
• Routers and switches
• Printers
• Command and control servers
• Network servers
• Users
• File transfers
• Web applications
• Application protocols
• Threats
Visibility Provides Context
Detailed Threat Analytics
Customizable Monitoring and Reporting
Logical Topology: Threat Protection
(figure: the same SDA Campus Fabric with Campus VN (SGTs: Employee, Contractor, Campus-Quar), IoT VN (SGTs: Cameras, IoT-mgmt., IoT-Quar), Guest VN (SGTs: Guest, Guest-Quar) and Infra VN (SGTs: Net Services, Net Devices, Infra-Quar), NGFW FTD at the perimeter, the ACI DC Fabric, and ISE, DNAC and FMC for management)
Threat protection overlay: Umbrella and Talos intelligence for Internet traffic, AMP/TG (Threat Grid), AMP4E with AnyConnect on endpoints, and rapid threat containment by moving a host to SGT=Quar
Demo: Best-of-Breed Threat Protection
Cisco NGFW/NGIPS: Cisco rapid threat containment, impact flags, automated custom tuning
NGFW ➢ ISE ➢ Fabric
Cisco Talos Threat Intel; Firepower RTC automation (gathers data, opens space)
What are we solving?
• Need protection that adapts to my environment. IPS tuning needs to be automated.
• Malware spreads super quick, trusted automated response is needed
• Incident investigation data must be consolidated and collaborative
Handling Potentially Compromised Hosts
SG-Firewall policy towards Business Data (App / Storage):
Source IP | Source SGT | Destination IP | Destination SGT | Service | Action
Any | Employee | Any | Biz Server | HTTPS | Allow
Any | Suspicious | Any | Biz Server | Any | Deny
Sequence of events:
• NIDS / SIM event: Reconnaissance, Source IP: 10.10.10.10/32, Response: Quarantine
• pxGrid: ANC Quarantine: 10.10.10.10
• Policy mapping: Source IP 10.10.10.10/32, MAC Address aa:bb:cc:dd:ee:ff, SGT: Quarantine
• SGACL on the Corp Network switch (Employee SGACL):
Switch#show cts role-based permissions
IPv4 Role-based permissions from group 255:Quarantined to group 4:Employees:
Deny IP-00
Please note: Quarantine Authorization policy per address pool per VN needed
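What makes this flow work is that the enforcement points never key on the IP address: the SG-Firewall and the SGACL look up the source's current SGT, so re-tagging the session via ANC changes every subsequent decision without touching a single rule. The Python below is an added example, not ISE, pxGrid or switch code; it models a session directory, a tag-based policy matrix with an implicit deny (an assumption stated in the code) and the quarantine handoff from the NIDS event on the slide. The `Quarantine`-to-`Biz Server` row is constructed so that the quarantined host hits an explicit deny rather than the implicit one.

```python
"""TrustSec policy lookup with ANC quarantine, modelled on the slide's flow.

Added example, not ISE or switch code. The session directory, policy matrix
and NIDS event are constructed; "Quarantine" is the SGT the slide maps the
host to after the pxGrid ANC call.
"""
from dataclasses import dataclass

ANY = "Any"


@dataclass
class Session:
    ip: str
    mac: str
    sgt: str


class SessionDirectory:
    """Stand-in for ISE's view of authenticated sessions and their SGT assignment."""

    def __init__(self):
        self.sessions = {}

    def add(self, session: Session) -> None:
        self.sessions[session.ip] = session

    def sgt_for(self, ip: str) -> str:
        s = self.sessions.get(ip)
        return s.sgt if s else "Unknown"

    def anc_quarantine(self, ip: str) -> str:
        """ANC Quarantine received over pxGrid: re-tag the session, return the old SGT."""
        s = self.sessions[ip]
        previous, s.sgt = s.sgt, "Quarantine"
        return previous


class TrustSecPolicy:
    """Rows of (src SGT, dst SGT, service, action), evaluated top-down.

    Unmatched traffic gets default_action; implicit deny is an assumption of
    this example, not something the slide states.
    """

    def __init__(self, default_action: str = "Deny"):
        self.rows = []
        self.default_action = default_action

    def add(self, src_sgt, dst_sgt, service, action) -> None:
        self.rows.append((src_sgt, dst_sgt, service, action))

    def lookup(self, src_sgt, dst_sgt, service) -> str:
        for s, d, svc, action in self.rows:
            if s in (ANY, src_sgt) and d in (ANY, dst_sgt) and svc in (ANY, service):
                return action
        return self.default_action


def authorize(policy, directory, src_ip, dst_sgt, service) -> str:
    """Enforcement point: resolve the source's current SGT, then consult the matrix."""
    return policy.lookup(directory.sgt_for(src_ip), dst_sgt, service)


def handle_nids_event(event: dict, directory: SessionDirectory) -> str:
    """Apply the SIM's response to a NIDS event; returns the SGT the host had before."""
    host_ip = event["source_ip"].split("/")[0]      # strip the /32 from the event
    if event.get("response") != "Quarantine":
        return directory.sgt_for(host_ip)
    return directory.anc_quarantine(host_ip)


# Policy rows: the two SG-Firewall rows from the slide, a constructed explicit deny
# for quarantined hosts, and the SGACL toward Employees ("Deny IP-00").
POLICY = TrustSecPolicy()
POLICY.add("Employee", "Biz Server", "HTTPS", "Allow")
POLICY.add("Suspicious", "Biz Server", ANY, "Deny")
POLICY.add("Quarantine", "Biz Server", ANY, "Deny")
POLICY.add("Quarantine", "Employees", ANY, "Deny")

# Constructed NIDS / SIM event, as on the slide.
RECON_EVENT = {"event": "Reconnaissance", "source_ip": "10.10.10.10/32",
               "response": "Quarantine"}

if __name__ == "__main__":
    directory = SessionDirectory()
    directory.add(Session("10.10.10.10", "aa:bb:cc:dd:ee:ff", "Employee"))
    print("before:", authorize(POLICY, directory, "10.10.10.10", "Biz Server", "HTTPS"))
    handle_nids_event(RECON_EVENT, directory)
    print("after: ", authorize(POLICY, directory, "10.10.10.10", "Biz Server", "HTTPS"))
```

The note on the slide about a quarantine authorization policy per address pool per VN corresponds to the fact that `anc_quarantine` only changes the tag; a real deployment still needs an authorization rule in each VN that actually hands out the Quarantine SGT on re-authentication.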
Firepower Remediation Subsystem Components
Automating Incident Response
Cisco Visibility for Threat Protection
Stealthwatch (Integrated)
• Uses DNA for threat-centric visibility and analytics
• Integrated with ISE
• Non-intrusive deployment
Encrypted Traffic Analytics (Cisco Innovation)
• Detects encrypted malware without decryption
• Audits encryption types in use
• Designed for Cat9K, ISR1K & 4K, CSR, ASR
Detect More Threats in the Campus and Branch: Cisco Stealthwatch
End-to-End Network Visibility (figure: user, device, switch, router, WAN, router, firewall, server)
Monitor
• Comprehensive, contextual network flow visibility
• Real-time situational awareness of traffic
Detect
• Detect anomalous network behavior
• Detect network behaviors indicative of threats: worms, insider threats, DDoS and malware
Analyze
• Holistic network audit trail
• Threat hunting and forensic investigations
Respond
• Quickly scope an incident
• Network troubleshooting
• One click quarantine
Stealthwatch: Modelling a Network Transaction
Host Attributes (for each host in the transaction):
• Role in transaction
• Role in organization
• Device Type
• Username
• Reverse DNS
• Etc.
Transaction Attributes:
• Time
• Byte, packet counts
• Protocols & ports
• Application
• Application Content
• Process Name
• Etc.
Stealthwatch: Building the Flow Table
Transactional sources: NetFlow / IPFIX, weblogs
Contextual sources: Group Definitions, Threat Intelligence, User/Device Identity
Together they populate the Flow Table
Conversational Flow Record: applied situational awareness
Enriched with ISE Telemetry, NBAR, Flow Sensor data, Geo-IP mapping and Threat Intelligence
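The two slides above describe one pipeline: unidirectional NetFlow/IPFIX records are stitched into a conversational (bidirectional) flow record, which is then enriched with host group definitions, user identity and threat intelligence. The Python below is an added example that is not Stealthwatch code; it implements that pipeline on constructed records, with a simple "earlier-seen side is the client" rule for stitching, a constructed host-group list and identity map, and a constructed threat-intelligence entry (203.0.113.9, a documentation address).

```python
"""Building a conversational flow table the way the two Stealthwatch slides describe.

Added example, not Stealthwatch code: unidirectional NetFlow-style records are
stitched into bidirectional conversations, then enriched with host group
definitions, user identity (ISE-style) and threat intelligence. All records,
groups, identities and the threat list are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NetFlowRecord:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    bytes: int
    packets: int
    start: float        # seconds
    end: float


@dataclass
class Conversation:
    client: str
    server: str
    client_port: int
    server_port: int
    proto: str
    client_bytes: int = 0
    server_bytes: int = 0
    client_packets: int = 0
    server_packets: int = 0
    start: float = 0.0
    end: float = 0.0


def stitch(records) -> list:
    """Pair each record with its reverse 5-tuple; the earlier-seen side is the client."""
    table = {}
    for r in sorted(records, key=lambda x: x.start):
        fwd = (r.proto, r.src_ip, r.src_port, r.dst_ip, r.dst_port)
        rev = (r.proto, r.dst_ip, r.dst_port, r.src_ip, r.src_port)
        if rev in table:                       # reply direction of a known conversation
            c = table[rev]
            c.server_bytes += r.bytes
            c.server_packets += r.packets
        else:                                  # new conversation, or more client->server data
            c = table.setdefault(fwd, Conversation(
                r.src_ip, r.dst_ip, r.src_port, r.dst_port, r.proto,
                start=r.start, end=r.end))
            c.client_bytes += r.bytes
            c.client_packets += r.packets
        c.end = max(c.end, r.end)
    return list(table.values())


def host_group(ip: str, groups) -> str:
    """First matching group definition wins; anything else is 'Outside Hosts'."""
    addr = ip_address(ip)
    for name, cidrs in groups:
        if any(addr in ip_network(c) for c in cidrs):
            return name
    return "Outside Hosts"


def enrich(conv, groups, identities, threat_ips) -> dict:
    """Conversational flow record with contextual attributes attached."""
    return {
        "client": conv.client, "server": conv.server,
        "server_port": conv.server_port, "proto": conv.proto,
        "client_group": host_group(conv.client, groups),
        "server_group": host_group(conv.server, groups),
        "user": identities.get(conv.client, "unknown"),
        "client_bytes": conv.client_bytes, "server_bytes": conv.server_bytes,
        "duration": conv.end - conv.start,
        "threat_intel_hit": conv.client in threat_ips or conv.server in threat_ips,
    }


def build_flow_table(records, groups, identities, threat_ips) -> list:
    return [enrich(c, groups, identities, threat_ips) for c in stitch(records)]


# Constructed context: group definitions, an ISE-style IP-to-user mapping, threat intel.
GROUPS = [("Campus Users", ["10.1.0.0/16"]), ("Data Center", ["10.8.0.0/16"])]
IDENTITIES = {"10.1.1.5": "user1"}
THREAT_IPS = {"203.0.113.9"}
# Constructed unidirectional records: one web session to the DC, one outbound flow.
RECORDS = [
    NetFlowRecord("10.1.1.5", "10.8.3.5", 51234, 443, "tcp", 1200, 10, 100.0, 105.0),
    NetFlowRecord("10.8.3.5", "10.1.1.5", 443, 51234, "tcp", 54000, 40, 100.2, 105.1),
    NetFlowRecord("10.1.1.5", "203.0.113.9", 52000, 4444, "tcp", 300, 4, 200.0, 200.5),
    NetFlowRecord("203.0.113.9", "10.1.1.5", 4444, 52000, "tcp", 2000, 6, 200.1, 200.6),
]

if __name__ == "__main__":
    for row in build_flow_table(RECORDS, GROUPS, IDENTITIES, THREAT_IPS):
        print(row)
```

The enriched record is what the behavioural detections on the later slides consume: a host group pair, a user and a byte ratio per conversation are far easier to baseline than raw unidirectional records.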
Cisco Encrypted Traffic Analytics (ETA) Solution
• Enhanced NetFlow traffic exporters: Catalyst 9k, ISR, ASR, CSR (leverages DNA)
• Telemetry: Initial Data Packet, Packet Lengths and Times
• Stealthwatch ETA collectors with Cognitive Threat Analytics
• Malware detection and cryptographic compliance (Crypto Compliance, Malware Detection)
Demo: Best-of-Breed Threat Protection
Cisco Stealthwatch: behavior + anomaly detection
Fabric ➢ Stealthwatch + Cognitive threat analytics (CTA)
Encrypted Traffic Analytics
What are we solving?
• I am blind to threats in encrypted traffic
• I have no visibility of targeted attacks
• Lack of defense against use of stolen credentials
Cisco DNA + Cisco Security: Stronger Together
Cisco Security: Threat Protection, Visibility, Segmentation
Cisco DNA Intent-based Network: Analytics, Policy Automation
Cisco Data Center Security
Trust-Centric: “Reduce the attack surface using Least privilege access”
Threat-Centric: “Stop the Breach”
Visibility: “See and Share Everything”
Contextual Integration
Featured Use Cases and Demos
Trust-Centric, Firewalls and Application Segmentation: Tetration, ISE/Trustsec, ASA/NGFW
Threat-Centric, Automated Threat Detection, Blocking, and Response: NGFW/NGIPS, Tetration, AMP, Stealthwatch + Stealthwatch Cloud
Visibility
Contextual Integration
ACME Application Evolution: Static to Dynamic
• Architecture: Monolithic to Microservices (SQL DB, Mgmt REST API, Billing REST API, Accounts REST API, Web UI, API Gateway)
• Process: Waterfall (Requirements, Design, Testing, Implementation, Prod) to Agile (Iterate, Iterate, Iterate)
Pace of Application Evolution
• Traditional enterprise applications: ~5% of applications modernized per year
• New and modernized apps: ~5% of applications developed per year
Security approach must bridge the needs of both
The Challenge of Protecting Modern Applications
• Breadth: Containers, VM, Bare Metal; On premises, public cloud, legacy apps, appliances …
• Scale: Tens of thousands of workloads; Trillions of Data Points
• Depth: Rich Data-Driven Approach; Micro segmentation; Vulnerability management; Integrity monitoring; Exploit prevention; Data leakage prevention
• Speed: Real time detection and response; Address ephemeral workloads
Anatomy of a Breach
Recon ➢ Initial Exploit ➢ Establish Persistence ➢ Escalate Privileges ➢ Internal Recon ➢ Lateral Movement ➢ Maintain Persistence (repeating internal recon and lateral movement) ➢ Execute Mission
Cloud Workload Protection with Tetration: A BEHAVIOUR driven approach
Segment: Prevent Communications
• Understand Policy
• Restrict Visibility
• Prevent Lateral Movement
Harden: Reduce Attack Surface
• Close unused ports
• Reduce exposure to Software Exploits
• Software Uniformity
Detect: Detect Malicious Activity
• Understand Attack
• Forensic Record
• Spectre / Meltdown
• Behaviour anomalies
The Trust-Me Approach to Workload Security
Segmentation – Zone Based
Segmentation – Application Based
True Micro-Segmentation
Application Workloads
Application Policy
True Micro-Segmentation
Application Policy
Shared Database
DNS
Authentication Services
Users
SaaS
TECSEC-2609 125
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Tetration Software Sensors
Rich Telemetry
Workload Protection
Dynamic Microsegmentation
Enrich with Meta-Data
Wide OS Support: Physical, Virtual, Container
ADC Integrations
Tetration Software Sensors
Workload Telemetry
Enforcement Policy
Common Approach across Data Center and Cloud
(Figure: Tetration SaaS connected over the IP Network to the data center, cloud, campus users and WAN users)
Acme Data Sources and Integrations
(Figure: the same topology with ISE and AnyConnect as additional data sources for Tetration SaaS)
Initial Posture Assessment
Classify Inventory by Attribute
Detailed, dynamic inventory of every workload and endpoint. Annotations applied to every asset for attribute based classification. Up to 32 user defined attributes.
Example annotations for 10.8.3.5: Owner Acme Retail; Location Data Center; Service Retail; App Payments; Environment Production; PCI Category CDE; Criticality High; Impact High
Example annotations for 10.3.12.2: Owner Acme Retail; Location AWS; Service Loyalty; App Rewards; Environment Test; PCI Category Out of Scope; Criticality Low; Impact Low
Start with what you have today…
Security Platforms, CMDB CI, IPAM/DNS, Hypervisor/Cloud, Network
or Jim’s spreadsheet
Dynamic Annotations
• Manual upload provides a great start, but a more dynamic operational model is desirable
• Dynamic annotations allow for dynamic grouping and policy actions
• Integrate with external systems for dynamic annotation update via Tetration API.
Sources shown: CSV upload, REST API
Dynamic Attribute-Based Policy
Build Dynamic Queries (Filter: Query)
PCI CDE: PCI Category = “CDE”
Prod Workloads: Environment = “Production”
Define Policy (Action, Consumer, Provider, Services)
DENY: PCI OOS to PCI CDE, Any
DENY: Non-Prod Workloads to Prod Workloads, Any
Trusted Mgmt to Mission Critical Retail, TCP 22
Prod Workloads to Approved DNS, UDP 53
Extend Policy between User/Device and Application
Integration with Cisco ISE provides user and device attributes and posture. Dynamically tracks user authentication and device posture for access policy control against application workloads.
Example user/device attributes: User Jim Smith; User Group Managers; Security Group Tag 25; Authenticated True; Device Posture Compliant
(Figure: ISE shares this context with Tetration over pxGrid; a Trusted Users flow to Payroll is Allowed, a flow from an unknown user (“?”) is Dropped)
ISE Attributes for Context
• Collect Endpoint device info
  • User Endpoint Profile
  • IOT and manufacturing devices
  • Facility devices
• Cisco ISE sends information about
  • Device group (SGT)
  • User
  • Device
  • Device location
  • Device Posture
Let Computers do the Heavy Lifting
Tetration automatically converts your intent into blacklist and whitelist rules
Intent: Deny PCI Out of Scope from talking to Cardholder Data applications
Rule: SOURCE (10.3.12.2, ….) DEST (10.8.3.5, ….)
Intent: Allow Trusted Users to access the payroll system
Rule: SOURCE (10.7.1.13, …) DEST 10.8.9.9
Intent: Block all HTTP connections that are not destined for web servers
Rules: SOURCE ANY DEST 10.0.10.0/24 PORT 80, followed by SOURCE ANY DEST ANY PORT = 80
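The intent-to-rule conversion described on the last few slides, as an added example that is not Tetration's code: annotated workloads, filter queries and intent rows in plain Python, compiled into address-level rules and recompiled when an annotation changes. The addresses 10.8.3.5, 10.3.12.2, 10.7.1.13 and 10.8.9.9 are the slides'; the other annotations, the "User Group" attribute, TCP 443 for the payroll intent and the 10.8.3.6 workload are assumptions.

```python
"""Compile attribute-based intent into address-level rules.

Added example, not Tetration code. Annotated inventory, filter queries
and intent rows are modelled in plain Python, compiled into IP-level
rules, and recompiled when an annotation changes. The addresses from
the slides are reused; the remaining annotations, the "User Group"
attribute, the payroll port and the 10.8.3.6 workload are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed inventory: one annotation record per workload address.
INVENTORY: Dict[str, Dict[str, str]] = {
    "10.8.3.5": {"App": "Payments", "Environment": "Production", "PCI Category": "CDE"},
    "10.8.9.9": {"App": "Payroll", "Environment": "Production", "PCI Category": "Out of Scope"},
    "10.3.12.2": {"App": "Rewards", "Environment": "Test", "PCI Category": "Out of Scope"},
    "10.7.1.13": {"App": "Endpoint", "Environment": "Production",
                  "PCI Category": "Out of Scope", "User Group": "Managers"},
}

# Filters are attribute queries: every listed attribute must match.
FILTERS: Dict[str, Dict[str, str]] = {
    "PCI CDE": {"PCI Category": "CDE"},
    "PCI OOS": {"PCI Category": "Out of Scope"},
    "Prod Workloads": {"Environment": "Production"},
    "Non-Prod Workloads": {"Environment": "Test"},
    "Payroll": {"App": "Payroll"},
    "Trusted Users": {"User Group": "Managers"},
}


@dataclass(frozen=True)
class Intent:
    action: str                 # "ALLOW" or "DENY"
    consumer: str               # filter name: who initiates the connection
    provider: str               # filter name: who is connected to
    proto: str = "ANY"          # "TCP", "UDP" or "ANY"
    port: Optional[int] = None  # None means any port


@dataclass(frozen=True)
class Rule:
    action: str
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    proto: str
    port: Optional[int]


def resolve(filter_name: str, inventory: Dict[str, Dict[str, str]]) -> FrozenSet[str]:
    """Addresses whose annotations satisfy the filter query."""
    query = FILTERS[filter_name]
    return frozenset(ip for ip, attrs in inventory.items()
                     if all(attrs.get(key) == value for key, value in query.items()))


def compile_policy(intents: List[Intent], inventory: Dict[str, Dict[str, str]]) -> List[Rule]:
    """Expand each intent into a rule over concrete addresses, preserving order."""
    rules = []
    for intent in intents:
        src, dst = resolve(intent.consumer, inventory), resolve(intent.provider, inventory)
        if src and dst:  # an empty filter produces no rule rather than an empty match
            rules.append(Rule(intent.action, src, dst, intent.proto, intent.port))
    return rules


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> Tuple[str, Optional[int]]:
    """First matching rule wins and its index is returned; no match falls to catch-all DENY."""
    for index, rule in enumerate(rules):
        if (src in rule.sources and dst in rule.destinations
                and rule.proto in ("ANY", proto) and rule.port in (None, port)):
            return rule.action, index
    return "DENY", None


# The intents from the slides, in priority order.
INTENTS = [
    Intent("DENY", "PCI OOS", "PCI CDE"),                   # out-of-scope must never reach CDE
    Intent("DENY", "Non-Prod Workloads", "Prod Workloads"),
    Intent("ALLOW", "Trusted Users", "Payroll", "TCP", 443),
]


def demo():
    rules = compile_policy(INTENTS, INVENTORY)
    oos_to_cde = evaluate(rules, "10.3.12.2", "10.8.3.5", "TCP", 443)      # DENY by rule 0
    user_to_payroll = evaluate(rules, "10.7.1.13", "10.8.9.9", "TCP", 443)  # ALLOW by rule 2
    # A newly annotated CDE workload (constructed) is picked up on recompilation
    # without anyone editing an address list: the rule follows the attribute.
    inventory = dict(INVENTORY)
    inventory["10.8.3.6"] = {"App": "Payments", "Environment": "Production", "PCI Category": "CDE"}
    cde_targets = sorted(compile_policy(INTENTS, inventory)[0].destinations)
    return oos_to_cde, user_to_payroll, cde_targets


if __name__ == "__main__":
    print(demo())
```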
Hierarchical Policy Model
(Figure: tree of policy scopes rooted at Acme: Inside with Data Center, Stores and Campus, plus Cloud; services Retail, HR, Loyalty and Growth; applications Payments, Payroll, Rewards and Portal; environments Prod, UAT and Dev under each application)
Dynamic Inventory Mapping
Scope path: Acme > Inside > Loyalty > Rewards > Prod (figure label: Cloud)
Membership query: Root Scope ID = 101 and Owner = Acme and Location = AWS and Service = Loyalty and App = Rewards and Environment = Prod
Application Dependency Mapping: Within the Application
Application Workspace Clusters
Application Dependency Mapping: Outside the Application
Clusters and External Dependencies: Shared Database, DNS, Authentication Services, Users, SaaS
Visualize and Refine Dependencies
(Figure: clusters Retail Front End, Credit, Inventory, Transactions, Authentication, Trusted Branch Users and Trusted IT Services. Retail Front End provides: TCP 443. Trusted Branch Users provides: none)
Discovered Application Policy based on detailed historical flow analysis
Policy Validation
Default Policies (42), Catch All DENY
(Figure: discovered policy table with columns Priority, Action, Consumer, Provider, Services; seven rows at priority 100 between the clusters transactions, credit, core-app, authentication and inventory, with services TCP 443, TCP 2532, UDP 123, TCP 88, 139, 445…, TCP 22, 443, TCP 1556 and TCP 21, 23. Review prompts on the figure: Which NTP hosts? SSH from Campus? All clusters backed up? Insecure Protocols?)
Verify, Restrict, Remediate
Policy Validation
• Are the server groups as expected?
• Should UAT be talking to Production? Test?
• Are all IT services applied consistently?
• Can I be confident the policy is accurate?
• What if the application changes? Can the policy change too?
• Are there any unexpected dependencies?
Micro-segmentation with merged policy
Tetration merges discovered dependencies with user defined intent to deliver a complete policy meeting the needs of the different groups with responsibility for information security policy.
Security Policy
• Security and network teams control global aspects of application inter-connection and shared services
(Figure rows: DENY Highly Sensitive / Untrusted to Prod Workloads, Any; DENY Non-Prod Workloads to Prod Workloads, Any; Trusted Mgmt to Mission Critical Retail, TCP 22; Prod Workloads to Approved DNS, UDP 53)
Application Policy
• Application owners provided a level of autonomy to make application level changes quickly
(Figure: application clusters Retail Banking, Core Banking System, Investments, Trusted Branch Users, Untrusted Users, Credit, Authentication, IT Services)
Catch All DENY
• Any connection not explicitly permitted by a white-list policy rule is denied.
Active Policy Analysis
• Provides confirmation of policy accuracy pre-enforcement
• Near-real time live traffic analysis against policy
• Identify and remediate any non-compliant activity BEFORE enforcement
Policy Compliance Verification
Permitted: Permitted flow matching policy
Misdropped: Permitted flow. Matching policy with dropped packets
Escaped: Flow denied by policy. Flow permitted (not dropped)
Rejected: Flow denied by policy. Flow dropped
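The four compliance states above, as an added example that is not Tetration code: observed flows are classified against a whitelist, and the two states that need action (Escaped and Misdropped) are pulled out. The policy, the addresses and the flow log lines are constructed.

```python
"""Classify observed flows into the four compliance states.

Added example, not Tetration code. Each observed flow is placed in
Permitted, Misdropped, Escaped or Rejected by combining the policy
verdict with whether the packets were actually dropped; this is the
check run during active policy analysis before enforcement and for
compliance monitoring afterwards. The whitelist, the addresses and the
flow log lines are constructed for the demo.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, str, int, bool]  # src, dst, proto, dst_port, dropped

# Whitelist entries (consumers, providers, proto, port); anything else is denied.
POLICY: List[Tuple[Set[str], Set[str], str, int]] = [
    ({"10.7.1.13"}, {"10.8.9.9"}, "TCP", 443),             # trusted user -> payroll
    ({"10.8.3.5", "10.8.9.9"}, {"10.8.0.53"}, "UDP", 53),  # prod workloads -> approved DNS
]

# Constructed flow log: src,dst,proto,dst_port,dropped
FLOW_LOG = """\
10.7.1.13,10.8.9.9,TCP,443,no
10.8.3.5,10.8.0.53,UDP,53,yes
10.3.12.2,10.8.3.5,TCP,22,no
10.3.12.2,10.8.3.5,TCP,22,yes
10.8.9.9,10.8.0.53,UDP,53,no
"""


def parse_flow(line: str) -> Flow:
    src, dst, proto, port, dropped = line.strip().split(",")
    return src, dst, proto, int(port), dropped == "yes"


def policy_permits(flow: Flow) -> bool:
    src, dst, proto, port, _ = flow
    return any(src in consumers and dst in providers and proto == p and port == dport
               for consumers, providers, p, dport in POLICY)


def classify(flow: Flow) -> str:
    permitted, dropped = policy_permits(flow), flow[4]
    if permitted:
        return "Misdropped" if dropped else "Permitted"
    return "Rejected" if dropped else "Escaped"


def verify(log: str) -> Dict[str, List[Flow]]:
    """Group every flow in the log by its compliance state."""
    groups: Dict[str, List[Flow]] = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            flow = parse_flow(line)
            groups[classify(flow)].append(flow)
    return dict(groups)


def findings(log: str) -> Dict[str, List[Tuple[str, str, str, int]]]:
    """Escaped = traffic the policy denies that still gets through (an enforcement
    gap, or before enforcement an intent that would break something if applied);
    Misdropped = permitted traffic being dropped, so policy and enforcement disagree."""
    groups = verify(log)
    return {
        "escaped": [flow[:4] for flow in groups.get("Escaped", [])],
        "misdropped": [flow[:4] for flow in groups.get("Misdropped", [])],
    }


def summary(log: str) -> Dict[str, int]:
    return {state: len(flows) for state, flows in sorted(verify(log).items())}


if __name__ == "__main__":
    print(summary(FLOW_LOG))
    print(findings(FLOW_LOG))
```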
Zero Trust Policy Enforcement
Application Policy to Workload Enforcement
Custom Policy per workload. Dynamic, recomputed every 60 sec
Tetration Endpoint Enforcement
Pre-requisites:
• Enforcement License Enabled
• Enforcement Agent Deployed
• Enforcement Enabled in Agent Config
Dependencies:
• Linux: iptables and IP Sets
• Windows: Windows Firewall
Enforcement Rules
Enforcement Rule Monitoring
Compliance Validation and Monitoring
Workload Hardening
Software Vulnerability Assessment and Control
• Identify Known Vulnerabilities across full inventory
• Search by CVE, or CVSS score
• Build filters for dynamic policy control
Software Vulnerability Assessment and Control
• Apply absolute policy overrides, to contain/protect against active vulnerabilities
• Dynamic policy filter adapts policy as vulnerabilities are patched
Vulnerability Assessment Metrics
Process Hash Validation
Identify Malicious/Suspicious Processes
Process Hash Validation
• Whitelist/Blacklist Assessment
• NIST/Threatfeed
• User Upload
• Consistency measurement
• Identify variations/outliers
Workload Inventory
• Search all long-lived processes
• User, PID, Hash, Command Line
Reduce the Attack Surface
Cisco Tetration – Workload Hardening
Reduce Attack Surface
• Identify unused ports for remediation
Process Hash Validation
• Whitelist/Blacklist Assessment
• NIST/Threatfeed
• User Upload
• Identify variations/outliers
Detect Known Vulnerabilities
• Apache Struts
• Wannacry/EternalBlue
• Kubernetes RunC
ACI Overview
(Figure: ACI Fabric with device automation and network automation; EPG Web and EPG App joined by a Contract with a Service Graph; Web and App workloads on a Virtual Switch)
ACI Fabric Building Blocks
Spine: Nexus 9000 Switches – MP-BGP Control Plane
Leaf: Nexus 9000 Switches – Distributed Anycast GW
Service Graphs, End Point Groups, L3 or L2 Outs
Virtual or Physical L4-L7 Devices; Virtual or Physical Workloads
(Figure link speeds: 1G, 10G and 40G)
Understanding EPGs and Contracts
• Endpoints are “grouped” to attach them to the fabric
• An Endpoint Group (EPG) is a set of devices that share the same policy requirements
• By default endpoints in different EPGs can’t communicate at all
• By default … endpoints inside an EPG can communicate freely
• Intra EPG default can be changed… today, to block intra-EPG communication (Intra-EPG contracts and service graphs in 4.0)
• Every EPG belongs to a VRF and an Application Profile
• Tenants, VRF, BD, Application Profiles, EPGs, Contracts are logical configurations
EPG Relationships are defined with Contracts
White List Model (*): No Contract, No Communication
(Figure: Bridge Domain 10.10.10.1/24 with endpoints BM-01 10.10.10.11, VM-02 10.10.10.12, VM-03 10.10.10.13 and BM-04 10.10.10.14 placed in EPG BLUE and EPG GREEN)
Without contracts, by default there is no communication between groups
(*) Default can be changed
EPGs Will Have Relationships with Contracts
White List Model (*): Contract Determines Communication
(Figure: Bridge Domain 10.10.10.1/24 with endpoints BM-01 10.10.10.11, VM-02 10.10.10.12, VM-03 10.10.10.13 and BM-04 10.10.10.14 in EPG BLUE and EPG GREEN; BLUE CONSUMES, GREEN PROVIDES; flow labels any,tcp/80 and any,tcp/8080)
Contract: Blue-to-Green
Scope: VRF
Subject: AppTraffic
Both Directions: True
Reverse Port Filters: Yes
permit tcp/80
permit tcp/443
GREEN Provides the contract, so ports tcp/80 and tcp/443 are exposed.
BLUE Consumes the contract, so ports tcp/80 and tcp/443 are NOT exposed.
(*) Default can be changed
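The white-list contract rules from the last three slides, as an added example that is not APIC code and simplifies ACI's contract model: the Blue-to-Green contract is the figure's, while the endpoint-to-EPG assignment, the VRF name and EPG RED are assumptions.

```python
"""Decide whether a packet is allowed under ACI-style EPG contracts.

Added example, not APIC code, and a simplification of the real contract
model. It encodes the rules from the slides: endpoints in one EPG talk
freely unless the EPG is isolated, endpoints in different EPGs need a
contract that the destination's EPG provides and the source's EPG
consumes, and with Both Directions plus Reverse Port Filters the reply
traffic is admitted by matching the source port. The Blue-to-Green
contract is the figure's; which endpoint sits in which EPG, the VRF
name and EPG RED are assumptions for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    epg: str
    vrf: str


@dataclass
class Contract:
    name: str
    scope: str                          # "VRF": only applies within one VRF
    filters: List[Tuple[str, int]]      # (protocol, destination port) permit entries
    providers: Set[str] = field(default_factory=set)
    consumers: Set[str] = field(default_factory=set)
    both_directions: bool = True
    reverse_port_filters: bool = True


@dataclass
class Fabric:
    endpoints: Dict[str, Endpoint]      # keyed by IP
    contracts: List[Contract]
    isolated_epgs: Set[str] = field(default_factory=set)  # intra-EPG isolation on

    def is_allowed(self, src_ip: str, dst_ip: str, proto: str,
                   dst_port: int, src_port: Optional[int] = None) -> bool:
        src, dst = self.endpoints[src_ip], self.endpoints[dst_ip]
        if src.epg == dst.epg:
            return src.epg not in self.isolated_epgs   # default: free inside an EPG
        for c in self.contracts:
            if c.scope == "VRF" and src.vrf != dst.vrf:
                continue
            # Consumer -> provider: the provider's ports are what the filter exposes.
            if src.epg in c.consumers and dst.epg in c.providers:
                if (proto, dst_port) in c.filters:
                    return True
            # Provider -> consumer: only return traffic, recognised by its source port.
            if (c.both_directions and c.reverse_port_filters
                    and src.epg in c.providers and dst.epg in c.consumers
                    and src_port is not None and (proto, src_port) in c.filters):
                return True
        return False   # white-list model: no contract, no communication


def build_fabric() -> Fabric:
    """The figure's bridge domain 10.10.10.1/24 plus a constructed EPG RED with no contract."""
    endpoints = [
        Endpoint("BM-01", "10.10.10.11", "BLUE", "VRF1"),
        Endpoint("VM-02", "10.10.10.12", "BLUE", "VRF1"),
        Endpoint("VM-03", "10.10.10.13", "GREEN", "VRF1"),
        Endpoint("BM-04", "10.10.10.14", "GREEN", "VRF1"),
        Endpoint("VM-05", "10.10.10.15", "RED", "VRF1"),   # constructed, no contract
    ]
    blue_to_green = Contract(
        name="Blue-to-Green", scope="VRF",
        filters=[("tcp", 80), ("tcp", 443)],       # subject AppTraffic
        providers={"GREEN"}, consumers={"BLUE"},
        both_directions=True, reverse_port_filters=True,
    )
    return Fabric({e.ip: e for e in endpoints}, [blue_to_green])


def exposure(fabric: Fabric, epg: str) -> List[Tuple[str, int]]:
    """Ports another EPG can open towards this EPG: the filters of contracts it provides."""
    return sorted({f for c in fabric.contracts if epg in c.providers for f in c.filters})


if __name__ == "__main__":
    f = build_fabric()
    print(f.is_allowed("10.10.10.11", "10.10.10.13", "tcp", 443))        # BLUE -> GREEN web
    print(f.is_allowed("10.10.10.13", "10.10.10.11", "tcp", 80))         # GREEN opening to BLUE
    print(f.is_allowed("10.10.10.13", "10.10.10.11", "tcp", 51000, 80))  # GREEN replying
```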
Contracts Also Allow Inserting Services
Next Generation Firewall, ADC, IDS/IPS, etc.
(Figure: the same Bridge Domain 10.10.10.1/24 with its four endpoints; EPG BLUE consumes and EPG GREEN provides)
Contract: Blue-to-Green
Scope: VRF
Subject: AppTraffic
Both Directions: True
Reverse Port Filters: Yes
permit tcp/80
permit tcp/443
You can insert an NGFW, or a LB by attaching a Service Graph to the contract subject
Cisco NGFW Leadership
Leader in the 2018 Gartner MQ
Time to detection of a successful breach: Cisco ~4.6 hours, Industry ~100 Days (Source: 2018 Cisco CyberSecurity Report)
Savings from security automation: $184K in the first year
Read the Report
Cisco Firepower NGFW / Firepower Threat Defense
Threat-Focus stops vulnerability exploitation
Single OS + Single Management
Capabilities: Malware Protection, URL Filtering, Analytics and Visibility, Application Visibility and Control, Intrusion Prevention, High Availability, Firewall, VPN and Routing, Identity-based Policy Control, SSL Decrypt and Network Profiling
Simple, Open, Automated and Effective
Birth of the Cisco Firepower NGFW (FTD)
ASA
• L2-L4 Stateful Firewall
• Scalable CGNAT, ACL, routing
• Application inspection
FirePOWER
• Threat-centric NGIPS
• Identity, AVC, URL Filtering
• Advanced Malware Protection
Cisco NGFW (a.k.a. FTD)
• Converged NGFW/NGIPS image on Firepower 2100/4100/9300 and ASA5500-X platforms
• Single point of management with Firepower Management Center, FDM, CDO, API
• Full FirePOWER functionality for NGFW/NGIPS deployments
• ASA Data Plane with TCP Normalizer, NAT, ACL, VPN, dynamic routing, failover functions
Cisco NGFW Cutting-edge Capabilities
Trusted by 10’s of thousands of customers
Context Rich: Creates a host profile internally and from ISE pxGrid and 3rd party host scan data
Impact Assessment and IoC: Threat correlation reduces actionable events by up to 99%
Automated Tuning: Adjust IPS policies automatically based on traffic profile
App Identification you can trust: OpenAppID
NGFW Physical Platforms - DC
FPR 2110, FPR 2120, FPR 2130, FPR 2140: 2-8.5 Gbps AVC, 2-8.5 Gbps AVC+IPS
FPR 4110, FPR 4120, FPR 4140, FPR 4150: 12-30 Gbps AVC, 10-24 Gbps AVC+IPS
FPR 9300 SM-24, SM-36, SM-44: One Module: 30-54 Gbps AVC, 24-53 Gbps AVC+IPS; Three Modules: Up to 135 Gbps AVC, Up to 133 Gbps AVC+IPS
Firewall deployment modes
Pick from many deployment modes: Routed, Transparent, Inline, Inline Tap, Passive; Virtual or Physical
Inline or Passive Fail-to-wire NetMods (typical modes), available on 2100, 4100 and 9300
Firewall Clustering. Industry leading 80+% efficiency rating
UpLink Scalability: Increase throughput; Handle more connections
Intra-chassis clustering: Combine multiple individual firewalls/SSMs and manage as one; up to 100 Gbps NGFW
Inter-chassis / Inter-site Clustering: Deliver scalable performance across many sites (Location A, Location B); up to 270 Gbps NGFW
Zero-Downtime upgrades for most applications
Flow Offload Use Cases in our DC
• Trusted flow processing at ultra-high speed with limited security visibility
• High single-flow throughput, high packet rate, low latency
• Hardware-based offload with no x86 dependency
• Flow offload is supported in both inter-chassis and intra-chassis cluster modes
• Used where low latency and high single-flow throughput are more important than security
Use Cases: High Frequency Trading, High Performance Computing Research Sites, Intra/Inter DC Storage Backup or Database Sync, GRE Tunneled Packets
High Availability and Scalability Options Chosen
High Availability
• ASA: Active/Standby Failover (2 modules or appliances); Active/Active Failover (2 modules or appliances)
• FTD: Active/Standby HA (2 modules or appliances)
High Scalability (Firepower 9300 only)
• ASA: Intra-chassis Clustering (≤3 modules, 240 Gbps)
• FTD: Intra-chassis Clustering (≤3 modules, 100 Gbps)
High Availability and Scalability (Firepower 4100/9300 only)
• ASA: Inter-chassis Clustering (≤16 modules, 1.2 Tbps)
• FTD: Inter-chassis clustering (≤6 modules, 270 Gbps)
FTD HA and Clustering
• FTD inherits failover and clustering infrastructure from ASA
• Clustering is recommended for Data Center deployments
• Replicates full NGFW/NGIPS configuration and flow state
• Interface and Snort instance health monitoring
• Zero-downtime upgrades for most applications
• Ensures full stateful flow symmetry in both NGIPS and NGFW modes
(Figure: an FTD active/standby pair joined by an HA link, and an FTD cluster, each attached to the upstream switches with vPC1/vPC2)
HA/Failover: Both directions of a flow traverse a single active unit
Clustering: All packets for a flow are redirected to the connection Owner
FTD Clustering with FP9300/4100
(Figure: two FP9300 chassis, each with a Supervisor and FTD modules, forming one FTD Cluster over the CCL and attached to Switch 1 and Switch 2 with Nexus vPC)
FTD Intra-Chassis Cluster
• Modules can be clustered within chassis
• Bootstrap configuration is applied by Supervisor
FTD Inter-Chassis Cluster
• Cluster of up to 6 modules (in 2 chassis)
• Off-chassis flow backup for complete redundancy
Mixed FTD Deployment Examples
(Figure: a Firepower 9300 Chassis running FTD 6.3 Native, FTD 6.4 Native and the instances FTD 6.3 Instance 1, FTD 6.3 Instance 2 and FTD 6.4 Instance 3 for Production, Development and Test; a Firepower Chassis with Instance 1 (4 CPU), Instance 2 (12 CPU) and Instance N (2 CPU))
Enhancements to Virtual Deployments
• FTDv scaling: allow user to choose 4, 8 or 12 cores (~1 Gbps, 2 Gbps, 3 Gbps); Virtual platforms: VMware and KVM
• Data Plane Development Kit (DPDK) for FTDv: significant performance improvement; only VMware, KVM, and AWS (disabled for Azure)
NGFW Virtual Platforms
NGFW Management Options
Firepower Management Center (FMC): Enables comprehensive security administration and automation of multiple appliances. Centralized On-premise.
Firepower Device Manager: Enables easy on-box management of common security and policy tasks. Local on-box UI introduced in 6.1.
Cisco Defense Orchestrator: Enables cloud-based policy management of multiple deployments. FTD support targeted June 2019. Provides consistent policy configuration across multiple Cisco products. Seamless ASA to FTD migration.
APIs: Enables automation and orchestration directly or through 3rd party apps. FMC APIs and Device APIs. Device APIs facilitate co-management between FDM and CDO.
ASAv Overview: AWS and Azure
ASAv 9.10.x
ASA Appliance: Stateful F/W, NAT, Routing and ACL
VPN: IPSEC and SSL
REST API
Route based VPN: VTI
Management: CLI, ASDM, CSM and CDO
NGFWv, FMCv and ASAv in Public Cloud and Gov Cloud: Instance Types
AWS
NGFWv Instance (Marketplace): c3.xlarge, c4.xlarge
FMCv Instance (Marketplace): c3.xlarge, c3.2xlarge, c4.xlarge, c4.2xlarge
ASA instance (Marketplace): c3.large, c3.xlarge, c4.large, c4.xlarge, m4.large, m4.xlarge
SSD storage on c3 instance and EBS storage on c4 or m4 instance
large instance is ASAv10, xlarge instance is ASAv30
Azure
NGFWv Instance (Marketplace): Standard D3 and D3v2
FMCv Instance (Marketplace): Standard D3v2 and D4v2 (NEW, available from FMC/FTD release 6.4)
ASAv Instance (Marketplace): Standard D3 and D3v2
D3 and D3v2 instance is ASAv30
Standard_D3v2 (4 CPU, memory: 14GB), Standard_D4v2 (8 CPU, memory: 28GB)
NGFWv Deployment Modes in Public Cloud
Routed mode (NGFWv) - AWS; Passive mode (NGFWv) - AWS; Routed mode (NGFWv) - Azure
• Passive mode is only applicable to NGFWv in AWS
FMC in Public Cloud: AWS and Azure
• FMC is available in AWS
  • c3.xlarge and c3.2xlarge
  • c4.xlarge and c4.2xlarge
• FMC is available in Azure from release 6.4
  • Standard D3v2 and D4v2
Standard_D3v2 (4 CPU, memory: 14GB)
Standard_D4v2 (8 CPU, memory: 28GB)
ASAv Deployment Modes in Public Cloud
NGFWv and ASAv scalable design
• Azure internal load balancer (ILB) standard & external load balancer
(Figure: a vNET with WEB, APP and DB subnets, a Gateway Subnet with a Virtual Network Gateway to the Data Center over Azure ExpressRoute, an NVA Subnet (inside) holding NGFWv FW01, FW02 … FW..n in an Availability Set behind an ILB Standard (VIP, HA Port), an External LB for Internet Users, and FMC; stateless switchover between firewalls)
User-defined routes (Destination: Next Hop)
DB-UDR: Default/Internet: ILB VIP; APP, WEB & DC: ILB VIP
APP-UDR: Default/Internet: ILB VIP; DB, WEB and DC: ILB VIP
WEB-UDR: Default/Internet: ILB VIP; DB, APP and DC: ILB VIP
GW-UDR: WEB, APP & DB: ILB VIP
YouTube: overview
NGFWv scalable design using AWS NLB
Network Load Balancer (NLB). (ALB also supported)
(Figure: a VPC with an IGW and Elastic IP, an NLB in front of NGFWv instances spread across us-east-1c and us-east-1d, with outside-1c/outside-1d, inside-1c/inside-1d and management-1c/management-1d subnets, FMCv, WebServer01 and WebServer02; stateless switchover between firewalls)
Route Table RT (subnet: next-hop): 0.0.0.0: IGW
YouTube: Demo
Licensing: NGFWv and ASAv in Public Cloud
Cisco Smart Licensing for NGFWv and ASAv in AWS and Azure
ASA
Standard License: Firewall, throughput
AnyConnect Apex License: SSL, IPSEC
AWS: • Bring your own license • Hourly or Annual license
Azure: • Bring your own license
NGFW
Base License: Firewall, AVC
Term based: Threat, URL, AMP
AWS: • Bring your own license • Hourly or Annual license
Azure: • Bring your own license
Note: No Cisco TAC support with the AWS pay-as-you-go license model, but you can purchase one year of TAC support from a listed partner: Purchase TAC Support
ASAv entitlement in Public Cloud
AWS (ASAv10 & ASAv30): ASAv10 & ASAv30 entitlement (1G*, 250 (ASAv10) or 750 (ASAv30) VPN endpoints)
Azure (ASAv30): ASAv5, ASAv10 & ASAv30 entitlement (100M (ASAv5), 1G* (ASAv10 or ASAv30), 50 (ASAv5), 250 (ASAv10) or 750 (ASAv30) VPN endpoints)
Cisco Data Center Security
Trust-Centric: “Reduce the attack surface using Least privilege access”
Threat-Centric: “Stop the Breach”
Visibility: “See and Share Everything”
Contextual Integration
Featured Use Cases and Demos
Trust-Centric: Firewalls and Application Segmentation (ASA/NGFW, ACI/TrustSec + Tetration)
Threat-Centric: Automated Threat Detection, Blocking, and Response (NGFW/NGIPS, AMP)
Visibility: Stealthwatch + Tetration
Contextual Integration
Cisco AMP: Security that Works Together
Threat Intelligence - TALOS
Network, Endpoint, Cloud
Services
Endpoint Devices Increasingly Difficult to Defend
Most challenging areas to defend: Mobile Devices, Cloud Data, User Behavior
*Source: Cisco 2018 Security Capabilities Benchmark Study
How Does the 1% Escape and Get Through?
Advanced evasion techniques:
• Fileless malware
• Environmentally-aware malware
• Polymorphism
• Exploit legitimate processes
Uncover the 1% with Cisco AMP for Endpoints
The network and endpoint, working together across all operating systems
With proactive threat hunting
Using multiple detection and protection mechanisms
How Cisco Addresses Endpoint Challenges
Prevent, Detect, Reduce Risk
• Antivirus
• Fileless malware detection
• Cloud lookups (1:1, 1:many)
• Client Indicators of Compromise
• Static analysis
• Sandboxing
• Malicious Activity Protection
• Machine learning
• Device flow correlation
• Cloud Indicators of Compromise
• Vulnerable software
• Low prevalence
• Proxy log analysis
Cloud Based Analysis
AMP cloud constantly updated with the latest threat intelligence and research to protect against advanced threats.
Prevent Fileless Malware: Malware has Evolved – We Need to Protect Against More than Just Files
Monitor process activity and guard against attempts to hijack legitimate applications.
Protect Against Ransomware: Malicious Activity Protection
• Monitor Process behavior at execution
• Tuned to detect tell-tale ransomware signs
• Quarantine and terminate associated files and processes
• Log and alert encryption attempt
See Once, Block Everywhere: Share Intelligence Across Network, Web, Email, and Endpoints
(Figure: Talos, Threat Grid and the AMP Cloud sharing intelligence with NGIPS, CES/ESA, WSA/SIG, ISR, NGFW and Endpoint)
Agentless Detection with Proxy Analysis: Identify Anomalous Traffic Occurring Within Your Network
Dynamic Analysis and Sandboxing: Execute, Analyze & Test Malware Behavior to Discover Unknown Zero-Day Threats
(Figure: a Suspicious File is submitted and an Analysis Report comes back)
Continuous Monitoring
What happened?
Where did the malware come from?
Where has the malware been?
What is it doing?
How do we stop it?
Cisco Threat Response: Unleashing the Power of the Cisco Integrated Security Architecture
Cisco Threat Response in Action: Three Simple Ways to Get Started
CIO: “Before you turn in your TPS reports, I’m going to need to know if we are vulnerable to the Olympic Destroyer attack I heard about on the news”
Olympic Destroyer
Any data source can be used when searching for a vulnerability or threat. We are using Google and Talos Blogs in this example.
Copy data that you can use in CTR to search your own environment to see if you may have been compromised
Log into Cisco Threat Response by going to https://visibility.amp.cisco.com.You can also access CTR from any supporting application.
When starting a New Investigation, you can paste data and CTR will parse through looking for information it can search on such as:
• IP Addresses (v4 and v6)
• Domains
• File Hashes (SHA256, SHA1, MD5)
• MAC addresses
• URLs
• Indication of Compromise (IoC) Hashes
• Syslog Messages
• Security Alerts (any format)
• Etc.
Integration Modules:
• AMP Global Intel - Advanced Threat Intelligence API (Default)
• Private AMP Global Intel - Advanced Threat Intelligence API (Default)
• AMP File Reputation - AMP Protect DB (Default)
• Talos Intelligence - Cisco Talos Intelligence (Default)
• AMP for Endpoints - Advanced Malware Protection
• Umbrella - Cisco Umbrella
• Threat Grid - Understand and prioritize threats faster
• VirusTotal - Online Virus, Malware and URL Scanner
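The observable parsing described above, as an added example that is not Cisco Threat Response code: regular expressions for the listed observable types, run over a constructed sample built from documentation address ranges and hashes of a fixed string (no real indicators). Refanging "hxxp" and "[.]" is an added convenience, not a CTR feature stated on the slide.

```python
"""Extract searchable observables from pasted text.

Added example, not Cisco Threat Response code. It pulls the observable
types the slide lists (IPv4 and IPv6 addresses, domains, SHA256/SHA1/MD5
hashes, MAC addresses, URLs) out of free text with regular expressions,
validates the addresses with the ipaddress module and deduplicates the
result. The sample text uses documentation address ranges and hashes of
a fixed string, so it contains no real indicators; refanging "hxxp" and
"[.]" is an added convenience, not a feature taken from the slide.
"""
import hashlib
import ipaddress
import re
from typing import Dict, List

# Order matters: each match is blanked out before the next pattern runs, so a
# URL's host is not reported again as a domain and a MAC is not tried as IPv6.
PATTERNS = [
    ("url", re.compile(r"\bhttps?://\S+", re.I)),
    ("sha256", re.compile(r"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])", re.I)),
    ("sha1", re.compile(r"(?<![0-9a-f])[0-9a-f]{40}(?![0-9a-f])", re.I)),
    ("md5", re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])", re.I)),
    ("mac", re.compile(r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.I)),
    ("ipv6", re.compile(r"(?<![\w:])[0-9a-f]{0,4}(?::[0-9a-f]{0,4}){2,7}(?![\w:])", re.I)),
    ("ipv4", re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")),
    ("domain", re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I)),
]


def refang(text: str) -> str:
    """Undo the common defanging seen in blog posts: hxxp -> http, [.] -> ."""
    return re.sub(r"\[\.\]", ".", re.sub(r"hxxp", "http", text, flags=re.I))


def valid(kind: str, value: str) -> bool:
    """Regex candidates for addresses are confirmed with the ipaddress module."""
    if kind not in ("ipv4", "ipv6"):
        return True
    try:
        return ipaddress.ip_address(value).version == (4 if kind == "ipv4" else 6)
    except ValueError:
        return False


def extract_observables(text: str) -> Dict[str, List[str]]:
    work = refang(text)
    found: Dict[str, List[str]] = {kind: [] for kind, _ in PATTERNS}
    for kind, pattern in PATTERNS:
        def grab(match: "re.Match") -> str:
            value = match.group(0).rstrip(".,;)")   # drop sentence punctuation
            if not valid(kind, value):
                return match.group(0)               # leave it for later patterns
            if value not in found[kind]:
                found[kind].append(value)
            return " " * len(match.group(0))        # blank the consumed span
        work = pattern.sub(grab, work)
    return {kind: values for kind, values in found.items() if values}


# Constructed sample: documentation ranges (RFC 5737 / RFC 3849), example
# domains and hashes of a fixed string. Not a real indicator set.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample").hexdigest()
SAMPLE_SHA1 = hashlib.sha1(b"constructed sample").hexdigest()
SAMPLE_MD5 = hashlib.md5(b"constructed sample").hexdigest()
SAMPLE_TEXT = f"""\
Beaconing from 203.0.113.7 and 2001:db8::10 to hxxp://bad-example[.]com/update.php.
Dropper sha256 {SAMPLE_SHA256}, sha1 {SAMPLE_SHA1} (md5 {SAMPLE_MD5});
host mac 00:11:22:33:44:55 seen at 2019-06-10 12:30:45. Also contacted
c2.example.net and 203.0.113.7 again.
"""


if __name__ == "__main__":
    for kind, values in extract_observables(SAMPLE_TEXT).items():
        print(f"{kind}: {values}")
```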
The Security Analytics Equation
Telemetry sources that instrument the digital business > Collect and store at scale > Analyze and automate > Security Outcomes
Cisco Stealthwatch
Machine learning, Global threat intelligence, Behavioral modeling, Using existing network infrastructure
Detects: Insider threat, Encrypted malware, Unknown threats, Policy violations
Stealthwatch Product Suite
Stealthwatch Cloud, Private network monitoring: On-premises network monitoring; Software as a Service (SaaS); Suitable for SMBs & commercial businesses
Stealthwatch Cloud, Public cloud monitoring: Public cloud monitoring; Software as a Service (SaaS); Suitable for enterprises & commercial businesses using public cloud services
Stealthwatch Enterprise, Enterprise network monitoring: On-premises network monitoring, Public cloud monitoring; On-premises virtual or hardware appliance; Suitable for enterprises & large businesses
Flexible Security for Dynamic Environments
(Figure: Native Cloud Logs and, via the Stealthwatch Cloud Virtual Appliance, Premises Network Logs (NetFlow, IPFIX, Mirror/Span) feeding Stealthwatch Cloud)
Integrate Easily with all Your Current Systems
Stealthwatch Cloud (SaaS management portal) integrates with:
• Web platforms
• SIEM
• Public cloud services: S3, SQS, SNS, Pub/Sub, storage
• Other platforms
Dynamic Entity Modeling: Using Modeling to Detect Security Events
Collect input:
• System logs
• Security events
• Passive DNS
• External intel
• Config changes
• Vulnerability scans
• IP metadata
Perform analysis (dynamic entity modeling): group, consistency, rules, forecast, role
Draw conclusions:
• What ports/protocols does the device continually access?
• What connections does it continually make?
• Does it communicate internally only? What countries does it talk to?
• How much data does the device normally send/receive?
• What is the role of the device?
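As an added illustration of the modeling loop above (not Stealthwatch code, and not from the original deck), the Python below learns a per-device baseline from constructed flow records and reports which of the slide's questions a new flow violates: a port/protocol the device never used, a country it never talked to, or a volume far above its normal send rate. Device names, the flow tuple layout and the 10x volume threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed flow records (not real Stealthwatch data): (device, peer country, dst port, protocol, bytes sent)
BASELINE_FLOWS = [
    ("web-01", "US", 443, "tcp", 120_000),
    ("web-01", "US", 443, "tcp", 95_000),
    ("web-01", "US", 53, "udp", 2_000),
    ("web-01", "DE", 443, "tcp", 80_000),
    ("db-01", "US", 5432, "tcp", 500_000),
    ("db-01", "US", 5432, "tcp", 450_000),
    ("db-01", "US", 53, "udp", 1_500),
]

@dataclass
class EntityModel:
    """What was learned for one device: ports/protocols used, countries reached, typical volume."""
    ports: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    byte_samples: list = field(default_factory=list)

    def avg_bytes(self) -> float:
        return sum(self.byte_samples) / len(self.byte_samples)

def learn(flows):
    """Build a per-device model from a learning period of flow records."""
    models = defaultdict(EntityModel)
    for device, country, port, proto, nbytes in flows:
        m = models[device]
        m.ports.add((port, proto))
        m.countries.add(country)
        m.byte_samples.append(nbytes)
    return dict(models)

def evaluate(models, flow, volume_factor=10):
    """Return the deviations a new flow shows against its device's model ([] means consistent)."""
    device, country, port, proto, nbytes = flow
    m = models.get(device)
    if m is None:
        return ["unknown device"]          # no role learned yet: worth a look on its own
    findings = []
    if (port, proto) not in m.ports:
        findings.append(f"new port/protocol {port}/{proto}")
    if country not in m.countries:
        findings.append(f"new country {country}")
    if nbytes > volume_factor * m.avg_bytes():
        findings.append(f"volume {nbytes} exceeds {volume_factor}x average")
    return findings
```

A real deployment would keep a rolling window per device and weight the country and port sets by how often they recur, but the three checks are the same questions the slide asks.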
Dynamic Entity Modeling: Low Noise Alerts Help You Solve Problems
Example alerts ("ALERT: Anomaly detected"):
• Excessive failed access attempts
• DDoS and amplification attacks
• Potential data exfiltration
• Geographically unusual remote access
• Suspected botnet interaction
95% of Stealthwatch Cloud alerts are rated as "helpful" by customers
Amazon Web Services Architecture
• A role is created for Stealthwatch Cloud in the Amazon account; its permissions allow Stealthwatch Cloud to read AWS services through the API
• Sources read: Amazon VPC, Amazon CloudWatch, CloudTrail, GuardDuty, Inspector, Lambda, Config
• Results are presented in the Stealthwatch Cloud SaaS portal
Google Cloud Platform Architecture
• A Stealthwatch Cloud user with permissions is created in the GCP account; those permissions allow Stealthwatch Cloud to read GCP flow logs through the API
• Sources read: Virtual Private Cloud flow logs, Google Compute Engine
• Results are presented in the Stealthwatch Cloud SaaS portal
Microsoft Azure Platform Architecture
• Windows OS with a 3rd-party flow agent (the flow agent must generate a 5-tuple flow feed)
• Linux servers with the Stealthwatch Cloud Sensor
• The Stealthwatch Cloud Virtual Appliance in the Azure Virtual Network is the UDP destination for the flow agents; it collects the data and sends it upstream over a TLS private tunnel to the Stealthwatch Cloud analysis engine (SaaS portal)
Monitor Premises or Public Cloud Networks
• The Stealthwatch Cloud Virtual Appliance receives NetFlow, IPFIX and SPAN traffic from core switching, the data center segment and the accounting segment
• Integration points shown: SIEM (syslog) and management (SNMP)
• The appliance forwards collected data to Stealthwatch Cloud (SaaS portal) over a TLS private tunnel
Demo: Simplifying Security Visibility
What's the customer problem?
• Do my workloads satisfy security compliance? (AMP for Endpoints, Tetration Endpoint Agent)
• Will my network security policies move with my workload? (Cloud Center)
• How can I deploy and monitor my cloud infrastructure? (Stealthwatch Cloud, OpenDNS Umbrella)
Full Process Tree and Timeline
Process execution detail for every running process
Detecting Behavioral Deviations
• Match the process behavior deviations to identify suspicious activities
• Trigger on specific event combinations, including:
• Unseen command
• Privilege escalation
• Shell-code execution
• Side channel attack
• Raw socket creation
• User login activities
• File access pattern
Figure labels: Privilege Escalation, Unseen Command, Vulnerability Exploit, Remote Shell, Payload Delivery
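An added example, not Tetration's own logic, of how two of the triggers listed above can be derived from a process tree: it learns which parent/child command pairs are normal from constructed process events, then flags an unseen command and a privilege escalation (a root child under a non-root parent) and renders the ancestry chain for the analyst. The host, commands and uids are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    uid: int
    cmd: str

# Constructed process executions from a learning period on one host (not real Tetration data).
BASELINE = [
    ProcEvent(1, 0, 0, "systemd"),
    ProcEvent(100, 1, 0, "nginx"),
    ProcEvent(101, 100, 33, "nginx"),   # worker runs as www-data
    ProcEvent(200, 1, 0, "sshd"),
    ProcEvent(201, 200, 1000, "bash"),
]

def parent_cmd(event, by_pid):
    parent = by_pid.get(event.ppid)
    return parent.cmd if parent else None

def learn_pairs(events):
    """Learn the (parent command, child command) pairs that are normal for this host."""
    by_pid = {e.pid: e for e in events}
    return {(parent_cmd(e, by_pid), e.cmd) for e in events}

def ancestry(event, by_pid):
    """Render the chain up the tree, e.g. 'sh <- nginx <- nginx <- systemd'."""
    chain, cur = [event.cmd], event
    while cur.ppid in by_pid and cur.ppid != cur.pid:
        cur = by_pid[cur.ppid]
        chain.append(cur.cmd)
    return " <- ".join(chain)

def detect(baseline_pairs, events):
    """Flag Unseen Command (pair never seen) and Privilege escalation (non-root parent, root child)."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if (parent_cmd(e, by_pid), e.cmd) not in baseline_pairs:
            alerts.append(("Unseen Command", ancestry(e, by_pid)))
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.uid != 0 and e.uid == 0:
            alerts.append(("Privilege escalation", ancestry(e, by_pid)))
    return alerts

# Constructed later observation: the baseline tree plus a shell spawned by the nginx worker that runs a root process.
OBSERVED = BASELINE + [ProcEvent(102, 101, 33, "sh"), ProcEvent(103, 102, 0, "id")]
```

The uid rule deliberately ignores sanctioned transitions such as sshd dropping to a user; a production rule set would also whitelist known setuid helpers so the alert stays low-noise.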
Data Anomaly Detection
• Detect anomalies in neighbor traffic volume
• Temporal Analysis with Seasonality assessment
• Correlate with forensic events and flow data
Tracking Workload Exposures
Figure labels: privilege escalation
Alerting to SOC
• Flexible alerting per alert type
• Native Kafka
• Notifier appliance
• Syslog
• PagerDuty
• Kinesis
• Slack
Today's SaaS Security Challenges
• Hacking
• Compromised accounts and malicious insiders
• Gaps in visibility and coverage
• Data breaches and compliance
Security Challenges Have Evolved
Figure labels: HQ, branch, roaming user; users, data, apps; SaaS
Key Questions Organizations Have
Users/Accounts
• Who is doing what in my cloud applications?
• How do I detect account compromises?
• Are malicious insiders extracting information?
Data
• Do I have toxic and regulated data in the cloud?
• Do I have data that is being shared inappropriately?
• How do I detect policy violations?
Applications
• How can I monitor app usage and risk?
• Do I have any 3rd party connected apps?
• How do I revoke risky apps?
The Cloud Threat Funnel
All user behavior → anomalies → suspicious activities → true threat, narrowed at each stage by threat intelligence, cyber research, cloud vulnerability insight, centralized policies, community intelligence and contextual analysis
Example activity signals: session terminated, email sent, file modified, file downloaded, document created, access denied
Anomaly breakdown: 58% abnormal behavior, 31% login activities, 11% admin actions
Suspicious activity examples: 113x the average login failures, 141x the average data asset deletions, 227x the average file downloads
Source: Cloudlock CyberLab
CASB: API Access (Cloud to Cloud)
Figure labels: public APIs; Cisco NGFW / Umbrella; managed users, managed devices, managed network; unmanaged users, unmanaged devices, unmanaged network
More Than 25% of Those Apps are High Risk
219,000 third-party apps; percent of installs by risk: 27% high risk, 58% medium risk, 15% low risk
Source: Cloudlock CyberLab
Cloudlock Provides Automated Response Actions
Detect → Alert (admin/users) → Security workflows → Response actions → API integrations
Example of Why you Need Cloud User Security
• North America, 9:00 AM ET: login
• Africa, 10:00 AM ET: data export
Distance from the US to the Central African Republic: 7362 miles. At a speed of 800 mph, it would take 9.2 hours to travel between them, yet the two events are one hour apart.
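The slide's distance-and-speed argument turned into a check a CASB could run over its audit log, as an added example that is not Cloudlock's code: consecutive events for the same user are geolocated (coordinates assumed to come from the source IP) and the speed needed to travel between them is compared with the 800 mph ceiling used above. The coordinates for New York, Boston and Bangui and the event timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8
MAX_PLAUSIBLE_MPH = 800  # airliner-speed ceiling used on the slide

@dataclass(frozen=True)
class CloudEvent:
    user: str
    action: str            # e.g. "login", "data export"
    when: datetime
    lat: float
    lon: float             # assumed to be geolocated from the source IP

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in miles."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))

def required_speed_mph(first, second):
    """Speed the user would need to travel between the two events' locations."""
    hours = (second.when - first.when).total_seconds() / 3600
    miles = haversine_miles(first.lat, first.lon, second.lat, second.lon)
    if hours <= 0:                       # same-second events from two places
        return float("inf") if miles > 0 else 0.0
    return miles / hours

def impossible_travel(events, max_mph=MAX_PLAUSIBLE_MPH):
    """Return (earlier, later, speed) for consecutive events per user that exceed max_mph."""
    alerts = []
    last_seen = {}
    for e in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(e.user)
        if prev is not None:
            speed = required_speed_mph(prev, e)
            if speed > max_mph:
                alerts.append((prev, e, round(speed)))
        last_seen[e.user] = e
    return alerts

# Constructed events mirroring the slide: a US east-coast login, then a data export from Bangui an hour later.
SAMPLE_EVENTS = [
    CloudEvent("alice", "login", datetime(2019, 6, 10, 9, 0), 40.7128, -74.0060),
    CloudEvent("alice", "data export", datetime(2019, 6, 10, 10, 0), 4.3947, 18.5582),
    CloudEvent("bob", "login", datetime(2019, 6, 10, 9, 0), 40.7128, -74.0060),
    CloudEvent("bob", "file download", datetime(2019, 6, 10, 10, 0), 42.3601, -71.0589),
]
```

The great-circle figure computed here is shorter than the mileage quoted on the slide, but the conclusion is the same: thousands of miles in one hour is not travel, while a New York to Boston hop in the same hour stays under the threshold.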
More than 24K Files per Organization Publicly Accessible
Data exposure per organization (chart values 2%, 10%, 12%): accessible by external collaborators, accessible publicly, accessible organization-wide
24,000 files publicly accessible per organization
70% of external sharing done with non-corporate email addresses
Source: Cloudlock CyberLab
Cloudlock has Over 80 Pre-Defined Policies
• PII: SSN/ID numbers, driver license numbers, passport numbers
• Education: inappropriate content, student loan application information, FERPA compliance
• General: email address, IP address, passwords/login information
• PHI: HIPAA, health identification numbers (global), medical prescriptions
• PCI: credit card numbers, bank account numbers, SWIFT codes
Addresses Most Critical Cloud Security Use Cases
Capabilities: Discover and Control, User and Entity Behavior Analytics, Cloud Data Loss Prevention (DLP), Apps Firewall, OAuth Discovery and Control
Use cases: Shadow IT, Data Exposures and Leakages, Privacy and Compliance Violations, Compromised Accounts, Insider Threats
Cisco Cloudlock
• Smartest Intelligence: Talos, CyberLab, crowd-sourced community trust ratings
• Proven Track Record: deployed at over 700 organizations and supporting deployments of over 750,000 users
• FedRAMP ATO: Cisco Cloudlock has received a FedRAMP Authority To Operate (ATO)
• Cisco Ecosystem: integrated, architectural approach to security, vendor viability
• Cloud-Native: full value instantly, no disruption
Cisco's Architectural Philosophy for Security
• Trust-Centric: "Reduce the attack surface using least privilege access"
• Threat-Centric: "Stop the Breach"
• Visibility: "See and Share Everything"
• Contextual Integrations
Workload Security: Application to Application Flows (East-West within DC and/or Cloud/Multi-Cloud)
• Business use case: apps need to access other apps for business purposes (e.g. web-app-db) and management functions (e.g. DC for NTP, DNS, domain, etc.)
• Risks: lack of visibility, policy misconfiguration, policy violations, infection, vulnerability
• Capabilities: to mitigate the identified risks
• Product mappings (to provide the identified capabilities): Cisco AMP on each application, Cisco Tetration between them
Internal Corp User/Device and Remote Corp User to Application Flows (North-South from corporate network to DC/Cloud)
• Business use case: users/devices need to consume apps and app-owners need to manage apps
• Risks: lack of visibility, policy misconfiguration, policy violations, infection, vulnerability
• Capabilities: to mitigate the identified risks
• Product mappings across Workforce Security, Workplace Security and Workload Security: Cisco ASA/FTD or Duo Network Gateway, Cisco ISE, Cisco Stealthwatch or Stealthwatch Cloud, Cisco FTD / Cisco Firepower / 3rd party, Cisco Duo Access Gateway, Cisco AMP & Tetration
Customer to Application Flows (North-South from external network to DC/Cloud)
• Business use case: customers need to access web applications
• Risks: lack of visibility, policy misconfiguration, policy violations, infection, vulnerability, DDoS
• Capabilities: to mitigate the identified risks
• Product mappings across Workplace Security and Workload Security: Cisco Stealthwatch or Stealthwatch Cloud, Cisco FTD / Cisco Firepower / 3rd party, Cisco AMP & Tetration, Radware
Architecture, Placement and Integration
• Campus / VPN (ISE policy domain): wired, wireless and VPN users (sales, partner, employee, vendor, BYOD, non-compliant); ISE, ASA/Firepower VPN, Stealthwatch
• Data Center (APIC policy domain): ACI fabric hosting web/app/DB tiers; NGFW for north-south flows and NGFW for east-west flows; Tetration analytics
• Transit networks (SGT/NSEL best effort), with group exchange between ACI and ISE
• Cloud policy domain: IaaS (AWS/Azure) with cloud-native policy hosting web/app/DB tiers; optional ASA/Firepower NGFW for north-south flows; Stealthwatch Cloud
• Internet / SaaS: Cisco Umbrella cloud DNS
• Policy modelling, visibility & audit in every domain
Questions? Use Cisco Webex Teams to chat with the speaker after the session
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
Webex Teams will be moderated by the speaker until June 16, 2019.
cs.co/ciscolivebot#
Continue your education
• Related sessions
• Walk-in labs
• Demos in the Cisco campus
• Meet the engineer 1:1 meetings
Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.