Architectural Approach to Securing the Hybrid Data Center


Transcript of Architectural Approach to Securing the Hybrid Data Center


Jamey Heary, Jamie Sanbower, Rob Tappenden, Jatin Sachdeva

TECSEC-2609


© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS

Agenda

• Zero Trust Intro

• Workforce Security

• Trust Centric (Duo)

• Threat Centric (Umbrella SIG)

• Workplace Security

• Trust Centric (SDA+ISE)

• Threat Centric (NGFW, Stealthwatch, AMP4N)

• Workload Security

• Trust Centric (ACI, Tetration, AlgoSec/NGFWv, SWC, CloudLock)

• Threat Centric (AMP4E, NGIPS, Tetration, CTR)


Agenda

• Zero Trust Intro

• Workforce Security

• Workplace Security

• Workload Security


About this Tectorial

• It is Cisco centric

• It is focused on the most impactful DC security solutions

• We cover a lot of solutions that work together; this is a journey, you don’t need everything at once. Prioritize!

• Provides a baseline understanding and demo of each solution covered

• Ask questions, that’s the best way to learn!


The Modern Data Center is Incredibly Complex

“In the future, computers may weigh no more than 1.5 ton” – Popular Mechanics, 1949

How is Data Being Stolen?

(slide chart: 70%, 86%, 81%; the labels for these figures were not recovered)

What is Zero Trust?

A little bit of Zero Trust history

2004: Jericho Forum (De-perimeterization)
An international group of corporate CISOs and vendors (Cisco hosted the initial meeting), focused on solving the “de-perimeterization” problem. Early output called for “the need for trust”.

Multiple Models Emerge
2010: Forrester coined Zero Trust (ZT). NGFW biased.
2014: Google published their ZT solution as BeyondCorp.
2017: Forrester then expanded to Zero Trust eXtended (ZTX); Gartner named their model Continuous Adaptive Risk and Trust Assessment (CARTA).

Generalised
Today: The industry has largely accepted Zero Trust Architecture (ZTA) as the general term.

Zero Trust is mis-named

Zero Trust really means “Least-Privilege Access” (i.e. grant access, but make it specific!)

But, there is a lot more to it than just that…

Before we go further, let’s level set:

There is a big difference between Authentication (AuthN) and Authorization (AuthZ)

Authentication vs. Authorization

“I’d like 40K from Chuck Robbins’ Account”
“Do You Have Identification?”
“Yes, I Do. Here It Is.”
“Sorry, Jamey Heary is not Authorized for Chuck Robbins’ Account”

Zero Trust changes the paradigm

Focuses on data protection, not on attacks

Assumes all environments are hostile and breached

No access until user + device is proven “trusted”

Authorize and encrypt all transactions and flows

Verify before Trust


A literal definition of Zero Trust has hard requirements

The network is always assumed to be hostile

External and Internal threats exist at all times

Every user, device, app, and network flow is authenticated and authorized

Automated and integrated systems are what allow a zero trust architecture to work in the real world

Policies must be dynamic and calculated from as many sources of context as possible

All activity is logged and accounted

Trust is earned and temporary


But with most orgs and the tools available to us today…

There is no practical means available to meet all ZTA requirements, so we need compensating controls to get as close to ZTA as possible

Cisco’s Zero Trust approach has two focus areas

Trust-Centric: Good security practice to verify before granting access via an identity-based policy — for any user, any device, any app, in any location

Threat-Centric: Basic security maturity to prevent attacks via an intelligence-based policy — then detect, investigate, and remediate

Cisco’s Architectural Philosophy for Security

Trust-Centric: “Reduce the attack surface using Least privilege access”
Threat-Centric: “Stop the Breach”
Visibility: “See and Share Everything”
Contextual Integrations

Three Domains of Cisco Zero Trust Design

Workforce (User & Device Access): Users & Devices, IoT Devices
Workload (Application & Workload Access): Servers, Apps, Databases, SaaS, Data Center
Workplace (Network Access): Wireless, Network Traffic, Corporate Network, All Corp IT

Three Domains of Hybrid DC Security

Workforce
+ Is the user who they say they are?
+ Do they have access to the right applications?
+ Is their device secure?
+ Is their device trusted?

Workload
+ What applications are used in the enterprise?
+ What is communicating with applications/data?
+ Is communication w/ the workload secure & trusted?

Workplace
+ Do users & devices authenticate for network access?
+ What access are they granted?
+ Are devices on the network secure?
+ Is their network segmentation based on trust?

Acme Inc.

• Large Retail Provider

• Multiple Data Centers and Cloud (IaaS/SaaS)

• Workforce

• Campus Network – 10,000 users

• Workplace

• 100 Retail stores, 2 HQs, 10 Automated distribution centers

• Workloads

• Virtual Machines (2,000+)

• Containers


Strategic Objectives 2020


Enhance operational efficiency

Mitigate risk of change

Regulatory Compliance

Digital Transformation


IT Initiatives

• Modernize IT: Automate, Simplify
• Hybrid DC Buildout: Rapid Migration to cloud, Security at speed of IT
• Microservices: Containers, Kubernetes
• Zero Trust Security

Workforce

Businesses are Enabling Data Access Between…

Any User

Employee

Contractor

Partner

Any Device

Corporate-Issued

Bring-Your-Own

IoT

Any App

Data Center

Multi-Cloud

SaaS

In Any Location

On-Premises

On-VPN

Off-Network


Mindsets are Changing to Address These Problems

Location ≠ Trust: Don’t grant access to data based on where requests originate in the network

Automate Policy: Adjust access using dynamic context to improve policy efficacy and simplicity

Least Privilege Access: Prioritize enforcing the least privileges for a limited time for your high-risk data

Trust Erodes: Don’t rely only on one-time verification of user, device, and workload trust

User and Device Identity for Policy and Awareness

(diagram labels: Private Cloud; Public Cloud IaaS; Public Cloud SaaS Apps; Intent-based Networking; Cloud; Endpoint)

Trusted Identity Added to Cisco’s Portfolio: Verifies User and Device Trust

Software-Defined Policy Access Evolution

Cisco Identity Services Engine (ISE): SDP Approach to Network Access
Duo MFA: SDP Approach to App Access

Mobile & BYOD Access Solution (User + Device location vs. App / Services location)
User + Device | App / Services On-Prem | App / Services Cloud
On-Prem | ISE | ISE
Off-Prem | ISE* or Duo☨ | Duo

IoT Access Solution
Head-less Device | App / Services On-Prem | App / Services Cloud
On-Prem | ISE | ISE

Further matrix cells as extracted from the slide: ISE | ISE or Duo**; ISE☨ or Duo* | Duo

Trusted Access across Hybrid IT Enterprises

☨ Integrated with AnyConnect; * Duo Beyond with Network Gateway (i.e. reverse proxy); ** Duo Access for BYOD

Secure Any Corporate Application


Verify Trust for Any Device
Limit Access to Compliant Devices

● Identify corporate-owned & BYOD
● Verify if devices are out-of-date and potentially vulnerable to security risks
● Block device access to critical applications
● Apply policies consistently for any device platform: Windows, MacOS, iOS & Android

Adaptive Policies
Easily Enforce Compliance

● Customizable security policies
● Global, App & Group Level controls
● Establishes a level of trust based on users and devices

Duo Product Architecture

Duo Cloud Platform: Multi-Factor Authentication, Device Policy Check, Device Visibility, User Policy, User Management, MFA Management

Protected access paths:
• Web/SSH (Duo Network Gateway)
• VPN, Virtual Desktop, etc.
• Duo Integrated (azure-ad, rdp, ssh, Windows, app, api, etc)
• Cloud Apps

On-premises components: Duo Access Gateway [SAML/SSO]; Duo Auth Proxy [Radius/LDAP]; Primary Auth (AD, Azure-AD, LDAP, etc.)

Participants: User, Access Device, MFA Device

Duo Never Touches the Primary Authentication

Second factors:
• Duo Push
• Mobile Passcode
• Phone, SMS
• HOTP Token
• U2F/WebAuthn
• Bypass

Core service and policy engine is always in the cloud

Duo Access Gateway Setup (DAG)


Duo Network Gateway
Detect User and Device Context for Internal HTTP/S and SSH Apps

(diagram: Trusted User and Trusted Device on the Public Internet reach the DNG (443) and SSH; behind it, Security Groups Tier 1 (10.0.0.1-4), Tier 2, Tier 3, *.domain.local, 192.0.0.1/24)

Use Duo Beyond to secure access to internal networks and the public cloud.

Duo Network Gateway Setup (DNG)

● Deploy a Duo Network Gateway in the DMZ using Docker, with both “public” and “internal” access.
● Configure your SAML IdP for primary auth.
● Configure DNG with Duo for secondary auth.
● Configure a web application on the DNG for your protected “internal” application.
● Create public DNS entries for your protected internal web apps to point to the DNG’s public interface.
● Users access the “internal” app using their browser.

Duo Security Demo


Cisco Umbrella


Disruption – Hybrid Cloud

(diagram: Roaming/mobile, Branch office and HQ connect over SD WAN with DIA/DCA to Internet / SaaS / IaaS through the Cloud Edge)

Network: Decentralized
Security: Protect at data center, cloud, and branch edge

Transformation to the Secure Internet Gateway

Converging security services in the cloud (Cloud Delivered Services):
• Firewall
• Web gateway
• DNS-layer security
• Data loss prevention

Cloud Security Platform (Cisco Umbrella)

• Safe DNS Resolution
• Web Controls
• Cloud-Delivered Firewall
• SaaS Usage Controls (CASB)
• Correlated Threat Intel

SD-WAN Integration w/ Viptela

(diagram: Headquarters (Hub) with an SDWAN Device (vEdge) and FW; all DIA traffic is sent over an IPSEC tunnel to Cisco Umbrella, with a white list of domains + IPs going direct to the Internet via DIA / DCA)

Tunnel Support: Direct Viptela support of an IPSec Tunnel from a Viptela vEdge device to Umbrella

Private IP Reporting: Internal visibility w/o agents to help with remediation and SIEM correlation

Local Domain Bypass and Device Registration: Direct internal DNS traffic to your internal infrastructure and automatically register vEdge devices within the Umbrella dashboard, supporting networks that are dynamic

Cloud Delivered Firewall

Provides firewall functionality at the cloud edge

Protection at the FIRST HOP for organizations with DIA deployments

Ability to enforce beyond DNS across all ports and protocols

Initial: L3/L4 firewall
Later: L7, Snort/IPS

(diagram: any deployment sends traffic over a TUNNEL (IPSEC); HTTP/S goes to the full web proxy, non-web traffic to FWaaS, with site exclusions going direct to the Internet)

Full Web Proxy Capabilities

Visibility: App Discovery (Shadow IT); Full URL Logging
Protection: Antivirus / Anti-Malware (AMP); Malware Sandboxing (Threat Grid)
Control: App Blocking & Control; Time-Based & File-type Controls; Web Content Filtering; Data Loss Prevention (DLP)

Workplace

We Have had Challenges in the Workplace…

Complexity
Ability to operationalize
Quantity of users / things
Risk

Traditional networks cannot keep up!
95% network changes performed manually
Most features never used
By 2020 over 26 billion devices will be interconnected* (*Gartner)

Those Challenges Show up in the Security Statistics

70% of breaches start on endpoint devices. WHY?

• Vulnerabilities: 92% of Internet devices surveyed had vulnerabilities, on average ~26 each
• User/Admin error: #2 breach method observed in 2017**
• Gaps in visibility: 85% of Internet traffic is ENCRYPTED*, doubled in 3 years
• 200 DAYS is the average time to detection

Anatomy of a Breach in User Land

• Reconnaissance: Victim clicks phishing email link
• Perimeter bypassed: Malware exploits & vulnerabilities
• Lateral Movement: Pivot to DC, exploitation of trust
• Data Exfiltration using Admin privilege
• Information monetized

Cisco Secure Access Approach

Trust-Centric: “Reduce the attack surface using Least privilege access”
• Software Defined Segmentation
• Firewalling

Threat-Centric: “Stop the Breach”
• IPS
• Flow Analytics
• Breach Detection + Sandboxing
• DNS Security

Visibility: “See and Share Everything”
Contextual Integrations

Cisco Secure Access Solutions – Focus Areas

Trust-Centric: “Reduce the attack surface using Least privilege access”
• Cisco DNA and SDA
• ISE
• NGFW

Threat-Centric: “Stop the Breach”
• NGFW/NGIPS
• Stealthwatch + Encrypted Traffic Analytics
• AMP + Threatgrid + Umbrella

Visibility: “See and Share Everything”
Contextual Integrations

Software Defined Security

Cisco DNA + Cisco Security: Stronger Together

Cisco Security: Threat Centric Protection, Visibility, Trust Centric Segmentation
Cisco DNA Intent-based Network: Analytics, Policy, Automation

Demo: Integration Made Easy

Cisco DNAC ➢ ISE

What are we solving?
Integrating systems is complex and requires highly skilled staff

Cisco DNA ISE Demo

Let’s talk Visibility

Trust-Centric: “Reduce the attack surface using Least privilege access”
Threat-Centric: “Stop the Breach”
Visibility: “See and Share Everything”
Contextual Integrations

Visibility is the Foundation
Visibility for Segmentation

The demanding part of segmentation is building and maintaining a proper policy

Critical to understand:

• Applications, their business criticality and how they communicate
• User and device inventory and context
• Risks, threats and written policy needs

Integrated with the network

Stealthwatch (NetFlow): How are they communicating?

AnyConnect (Posture): What is my risk profile? Are my hosts compliant? Patched? AV/AM/FW? Encrypted? Inventory?

ISE (Identity, Profiling): Who and What is on my network? Who, What, When, Where, How, Compliant

Together these provide Context

Where Does ISE Profiler Get All that Visibility Context?

From the Cisco Infrastructure! Probe sources: NetFlow, DNS, HTTP, RADIUS, NMAP, SNMP, CDP, LLDP, DHCP, H323, SIP, MDNS

Zero network downtime to deploy profiler

630+ High-level canned profiles + Periodic feeds (ISE Feed Service)

100+ Active security partners

Demo: Visibility and Context Gathering

Cisco ISE Profiler: ISE ➢ Fabric & Security
What are we solving? I have no idea who and what is really on my network

Visibility Wizard ➢ Fabric & Security
Collecting and maintaining an inventory is complex, unreliable and tedious

Cisco ISE Threat-centric NAC: ISE ➢ AMP, AnyConnect, 3rd party vuln. scanners
I’m blind to the risk of the users, devices and apps on my network

ISE Visibility Demo

Trust Centric Segmentation

What are we solving?

“My network is flat; campus segmentation is unmanageable and static but my business is dynamic”

“I need more segmentation, I just don’t have the staff and resources to deploy and manage it”

“ACLs are a nightmare, hard to manage and a constant battle to stay on top of”

One Cat9300 48 port switch, best practices deployment: manual # config lines: 1400+!!!

Segmentation: Reducing the Attack Surface

Segmentation with Cisco DNA + Security

Unleashes the true power within a Cisco secure network

ISE + SW Visibility Context + Written Security Policy ➢ Digital Network Architecture (DNA) Segmentation Enforcement

Dramatically reduces the attack surface and is manageable

Refresher: Cisco Digital Network Architecture (DNA)
SDA Fabric Roles and Terminology

(diagram labels: APIC-EM, ISE, DC, BB, Campus SDA Fabric, DNAC, CC, vn, vn)

Logical Topology: Segmentation

SDA Campus Fabric, Virtual Networks (VN):
• Campus VN – SGTs: Employee, Contractor, Campus-Quar
• IoT VN – SGTs: Cameras, IoT-mgmt., IoT-Quar
• Guest VN – SGTs: Guest, Guest-Quar
• Infra VN – SGTs: Net Services, Net Devices, Infra-Quar

Macro-segmentation: Virtual Networks (VN)
Micro-segmentation: SGTs, 802.1x, dACL, Blacklists
Inter-VN, Perimeter: NGFW FTD, SD-WAN, Internet

Controllers: ISE, DNAC, FMC, SMCC
DC side: APIC, ACI DC Fabric, EPGs: Web, DB, SAP

Demo: Automation & Simplification

What are we solving?

Building a segmented wired and wireless network is hard
Operationalizing a segmented network is even harder
The costs of segmenting are prohibitively high

Cisco DNAC + ISE: DNAC+ISE ➢ Infrastructure

Cisco DNA Fabric Demo

Deployment Recap

• What just happened in those 5 minutes?

• SDA Fabric creation

• VXLANs, VNs, LISP, routing, BGP, ECMP, VRFs

• Security best practices

• 802.1X configuration

• ISE integration and policies

• SGT TrustSec

• Switch device sensor

• Profiling configuration

• AAA and device administration

• Etc. etc.

Software Defined Security!

Demo: Simple Segmentation Enforcement

• Macro-Segmentation – IoT Virtual Network provisioning

• Inter-VN, perimeter – NGFW Zone Firewalling

• Micro-Segmentation – SGACL ACCT2HR

• Blacklist – dACL

Segmentation Demo

Threat Centric

Attack Surface is Now Reduced
Next up: Mitigating Exposed Threats, Risks and Vulnerabilities

(diagram: VN: Employee, SGT: HR, SGT: IoT high risk; Outside fabric perimeter)

Cisco DNA Integrated Threat Protection, DNA Dynamic Segmentation, DNA Embedded Visibility

Cisco Advanced Threat Solutions

Integrated ISE + Cisco DNA

Umbrella
• DNS-based protection, Encryption
• Secure Internet Gateway
• IoT security
• Cloud based simplicity

NGFW / NGIPS
• Protection against application vulnerabilities
• Impact-assessment and IoC
• Auto-tuning of policy

AMP
• Stop advanced malware
• AV replacement
• Sandboxing to find zero-day
• Retrospective threat remediation

Firepower Management Center

• A policy configuration tool for NGFW / NGIPS

• A quick way to see the context / composition of your network

• A tool to “check on” your threat events

Access Control Policy

Traffic must match in the Access Control Policy in order to be inspected.

For a simple IPS deployment, you can use the Default Action.

In an NGFW deployment, the Default Action will likely be “Block All Traffic”.

An Intrusion Policy needs to be defined for each Allow action.

If needed, different Allow rules can have different Intrusion Policies assigned.

Intrusion Policy

The Intrusion Policy defines which Snort rules are used in packet inspection, as well as the configuration of the Preprocessors.

You should make use of Firepower Recommendations!

Automated Impact Assessment
Correlates all intrusion events to an impact of the attack against the target

Impact Flag | Administrator Action | Why
1 | Act immediately; vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate; potentially vulnerable | Relevant port open or protocol in use, but no vulnerability mapped
3 | Good to know; currently not vulnerable | Relevant port not open or protocol not in use
4 | Good to know; unknown target | Monitored network, but unknown host
0 | Good to know; unknown network | Unmonitored network
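The impact-flag decision table above, worked through in Python as an added example (not Cisco or FMC code): a constructed host inventory stands in for the network-discovery host map, the event and host field names are assumptions, and the vulnerability ids are placeholders.

```python
"""Added example, not Cisco's code: assigns the Firepower-style Impact Flag
(1, 2, 3, 4, 0) to intrusion events against a host inventory and orders the
events for triage. Inventory, events and field names are constructed
assumptions; FMC derives its host map from network discovery, not modelled here."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Administrator action per flag, as in the table above
ACTION = {
    1: "Act immediately; vulnerable",
    2: "Investigate; potentially vulnerable",
    3: "Good to know; currently not vulnerable",
    4: "Good to know; unknown target",
    0: "Good to know; unknown network",
}


@dataclass
class Host:
    ip: str
    open_ports: set = field(default_factory=set)   # {("tcp", 443), ...}
    protocols: set = field(default_factory=set)    # port-less protocols in use, e.g. {"icmp"}
    vulns: set = field(default_factory=set)        # vulnerability ids mapped to this host


@dataclass
class IntrusionEvent:
    rule: str
    dst_ip: str
    proto: str
    dst_port: int | None = None                    # None for protocols without ports
    vulns: set = field(default_factory=set)        # vulnerability ids the rule detects


def impact_flag(ev: IntrusionEvent, hosts: dict, monitored: list) -> int:
    """Apply the decision table top-down: network known? host known? vuln mapped? port/protocol relevant?"""
    dst = ip_address(ev.dst_ip)
    if not any(dst in net for net in monitored):
        return 0                                   # unmonitored network
    host = hosts.get(ev.dst_ip)
    if host is None:
        return 4                                   # monitored network, but unknown host
    if ev.vulns & host.vulns:
        return 1                                   # event maps to a vulnerability on the host
    if ev.dst_port is not None:
        relevant = (ev.proto, ev.dst_port) in host.open_ports
    else:
        relevant = ev.proto in host.protocols
    return 2 if relevant else 3


def triage(events: list, hosts: dict, monitored: list) -> list:
    """Return (flag, action, rule, dst_ip) rows, most urgent first (1, 2, 3, 4, 0)."""
    rows = [(impact_flag(e, hosts, monitored), e.rule, e.dst_ip) for e in events]
    urgency = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    rows.sort(key=lambda r: urgency[r[0]])         # stable: equal flags keep event order
    return [(f, ACTION[f], rule, ip) for f, rule, ip in rows]


def sample_triage() -> list:
    """Constructed inventory and events covering every row of the table."""
    monitored = [ip_network("10.10.0.0/16")]
    hosts = {
        "10.10.1.10": Host("10.10.1.10", {("tcp", 80), ("tcp", 443)}, set(), {"VULN-A"}),
        "10.10.1.20": Host("10.10.1.20", {("tcp", 3389)}, {"icmp"}, set()),
    }
    events = [
        IntrusionEvent("web-app-attack", "10.10.1.10", "tcp", 80, {"VULN-A"}),   # flag 1
        IntrusionEvent("web-app-attack", "10.10.1.10", "tcp", 80, {"VULN-B"}),   # flag 2: port open, no vuln
        IntrusionEvent("smb-exploit", "10.10.1.10", "tcp", 445, {"VULN-C"}),     # flag 3: port not open
        IntrusionEvent("icmp-tunnel", "10.10.1.20", "icmp", None),              # flag 2: protocol in use
        IntrusionEvent("web-app-attack", "10.10.9.9", "tcp", 80, {"VULN-A"}),    # flag 4: unknown host
        IntrusionEvent("web-app-attack", "192.0.2.7", "tcp", 80, {"VULN-A"}),    # flag 0: unmonitored
    ]
    return triage(events, hosts, monitored)


if __name__ == "__main__":
    for flag, action, rule, ip in sample_triage():
        print(f"flag {flag}  {action:40s} {rule:15s} -> {ip}")
```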

Indications of Compromise (IoCs) Detection & Threat Correlation

IPS Events: Malware Backdoors; CnC Connections; Exploit Kits; Admin Privilege Escalations; Web App Attacks

Security Intelligence Events: Connections to Known CnC IPs, DNS Servers, Suspect URLs

Malware Events: Malware Detections; Malware Executions; Office/PDF/Java Compromises; Dropper Infections

“You can’t protect against what you can’t see”

Gain more insight with increased visibility

(slide matrix comparing what a Typical IPS, a Typical NGFW and Cisco Firepower™ NGFW can see; per-product coverage was not recovered)

Categories: Threats; Users; Web applications; Application protocols; File transfers; Malware; Command and control servers; Client applications; Network servers; Operating systems; Routers and switches; Mobile devices; Printers; VoIP phones

Visibility Provides Context (screenshot slides)

Detailed Threat Analytics (screenshot slide)

Customizable Monitoring and Reporting (screenshot slide)

Logical Topology: Threat Protection

SDA Campus Fabric, Virtual Networks:
• Campus VN – SGTs: Employee, Contractor, Campus-Quar
• IoT VN – SGTs: Cameras, IoT-mgmt., IoT-Quar
• Guest VN – SGTs: Guest, Guest-Quar
• Infra VN – SGTs: Net Services, Net Devices, Infra-Quar

Perimeter and DC: NGFW FTD, ACI DC Fabric, Internet
Controllers: ISE, DNAC, FMC
Threat services: Umbrella, Talos, AMP/TG, AMP4E, AnyConnect

Rapid threat containment: SGT=Quar

Cisco Talos Threat Intel

Demo: Best-of-Breed Threat Protection

Cisco NGFW/NGIPS
• Firepower RTC automation: Gathers data, opens space
• Cisco rapid threat containment, Impact flags: NGFW ➢ ISE ➢ Fabric
• Automated custom tuning

What are we solving?

Need protection that adapts to my environment. IPS tuning needs to be automated.

Malware spreads super quick, trusted automated response is needed

Incident investigation data must be consolidated and collaborative

Demo: Cisco Threat Protection

Handling Potentially Compromised Hosts

SG-Firewall policy (Business Data App / Storage):
Source IP | Source SGT | Destination IP | Destination SGT | Service | Action
Any | Employee | Any | Biz Server | HTTPS | Allow
Any | Suspicious | Any | Biz Server | Any | Deny

Containment flow:
• NIDS / SIM Event: Reconnaissance; Source IP: 10.10.10.10/32; Response: Quarantine
• PXGRID: ANC Quarantine: 10.10.10.10
• Source IP: 10.10.10.10/32; MAC Address: aa:bb:cc:dd:ee:ff; Policy Mapping SGT: Quarantine
• SGACL enforced on the Corp Network switch (Employee):

Switch#show cts role-based permissions
IPv4 Role-based permissions from group 255:Quarantined to group 4:Employees:
        Deny IP-00

Please note: Quarantine Authorization policy per address pool per VN needed
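The containment flow above, modelled in Python as an added example (not Cisco, ISE or Firepower code): a NIDS event names a source IP, the ANC quarantine re-maps that IP to the Quarantined SGT, and the SGACL matrix then denies its traffic. The SGT numbers 255 (Quarantined) and 4 (Employees) come from the switch output on the slide; the Biz Server SGT number, the event line, the IP inventory and the fail-closed defaults are constructed assumptions.

```python
"""Added example, not Cisco's code: rapid threat containment as a small policy
engine. Static IP-to-SGT mapping, an ANC quarantine override pushed over
pxGrid, and an SGACL matrix evaluated per flow. Values not on the slide
(Biz Server SGT number, inventory addresses, default-deny) are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# 255 and 4 are from the 'show cts role-based permissions' output above;
# the Biz Server SGT number is an assumption.
SGT = {"Employees": 4, "Biz Server": 10, "Quarantined": 255}
SGT_NAME = {num: name for name, num in SGT.items()}

# Constructed NIDS/SIM event line in the format shown on the slide
EVENT_RE = re.compile(
    r"Event:\s*(?P<event>\w+)\s+Source IP:\s*(?P<ip>\d+(?:\.\d+){3})(?:/\d+)?"
    r"\s+Response:\s*(?P<resp>\w+)"
)


@dataclass
class Policy:
    ip_to_sgt: dict = field(default_factory=dict)        # static mapping (constructed inventory)
    anc_quarantined: set = field(default_factory=set)    # dynamic override from ISE ANC via pxGrid
    sgacl: dict = field(default_factory=dict)            # (src_sgt, dst_sgt) -> [(service, action)]

    def sgt_for(self, ip: str) -> int | None:
        """ANC quarantine wins over the static mapping; unknown hosts get no SGT."""
        if ip in self.anc_quarantined:
            return SGT["Quarantined"]
        return self.ip_to_sgt.get(ip)

    def evaluate(self, src_ip: str, dst_ip: str, service: str) -> str:
        """First matching cell entry wins; 'ip' matches any service; no match or unknown SGT -> Deny."""
        src, dst = self.sgt_for(src_ip), self.sgt_for(dst_ip)
        if src is None or dst is None:
            return "Deny"                                # assumption: fail closed on unknown SGT
        for svc, action in self.sgacl.get((src, dst), []):
            if svc == "ip" or svc == service:
                return action
        return "Deny"                                    # assumption: default deny


def handle_nids_event(policy: Policy, line: str) -> str | None:
    """Parse the event line; on a Quarantine response, push the ANC action and return the pxGrid message."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    if m["resp"].lower() == "quarantine":
        policy.anc_quarantined.add(m["ip"])
        return f"PXGRID: ANC Quarantine: {m['ip']}"
    return None


def show_cts_role_based_permissions(policy: Policy) -> str:
    """Render the matrix in the style of the switch output above."""
    lines = []
    for (src, dst), rules in sorted(policy.sgacl.items()):
        lines.append(f"IPv4 Role-based permissions from group {src}:{SGT_NAME[src]} "
                     f"to group {dst}:{SGT_NAME[dst]}:")
        lines.extend(f"        {action} {svc.upper()}" for svc, action in rules)
    return "\n".join(lines)


def build_policy() -> Policy:
    """Constructed inventory plus the SG-Firewall rows and the SGACL from the slide."""
    p = Policy(ip_to_sgt={
        "10.10.10.10": SGT["Employees"],
        "10.10.10.11": SGT["Employees"],
        "10.10.20.5": SGT["Biz Server"],
    })
    p.sgacl[(SGT["Employees"], SGT["Biz Server"])] = [("https", "Allow")]
    p.sgacl[(SGT["Quarantined"], SGT["Biz Server"])] = [("ip", "Deny")]
    p.sgacl[(SGT["Quarantined"], SGT["Employees"])] = [("ip", "Deny")]   # the switch output above
    return p


def demo() -> tuple:
    """Employee HTTPS to the business server before and after the quarantine event."""
    p = build_policy()
    before = p.evaluate("10.10.10.10", "10.10.20.5", "https")
    msg = handle_nids_event(
        p, "Event: Reconnaissance Source IP: 10.10.10.10/32 Response: Quarantine")
    after = p.evaluate("10.10.10.10", "10.10.20.5", "https")
    return before, msg, after


if __name__ == "__main__":
    print(demo())
    print(show_cts_role_based_permissions(build_policy()))
```

The per-VN caveat on the slide still applies: this model keys the override on the IP alone, so a real deployment needs the quarantine authorization policy per address pool per VN.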

Firepower Remediation Subsystem Components


Automating Incident Response

Visibility for Threat Protection

What about the really, really bad stuff?

What if I’m breached?

Cisco Visibility for Threat Protection

Stealthwatch + Encrypted Traffic Analytics, Integrated

• Uses DNA for threat-centric visibility and analytics
• Integrated with ISE
• Non-intrusive deployment
• Cisco Innovation
• Detects encrypted malware without decryption
• Audits encryption types in use
• Designed for Cat9K, ISR1K & 4K, CSR, ASR

Detect More Threats in the Campus and Branch
Cisco Stealthwatch

(diagram: User, Device, Switch, Router, WAN, Router, Firewall, Server; End-to-End Network Visibility)

Monitor
• Comprehensive, contextual network flow visibility
• Real-time situational awareness of traffic

Detect
• Detect anomalous network behavior
• Detect network behaviors indicative of threats: worms, insider threats, DDoS and malware

Analyze
• Holistic network audit trail
• Threat hunting and forensic investigations

Respond
• Quickly scope an incident
• Network troubleshooting
• One click quarantine

Stealthwatch: Modelling a Network Transaction

Host Attributes (for each host in the transaction):
• Role in transaction
• Role in organization
• Device Type
• Username
• Reverse DNS
• …
• Etc.

Transaction Attributes:
• Time
• Byte, packet counts
• Protocols & ports
• Application
• Application Content
• Process Name
• …
• Etc.

Stealthwatch: Building the Flow Table

Transactional inputs: NetFlow / IPFIX, weblogs
Contextual inputs: Group Definitions, Threat Intelligence, User/Device Identity
Result: Flow Table

Conversational Flow Record

Applied situational awareness, enriched from: ISE Telemetry, NBAR, Flow Sensor, Geo-IP mapping, Threat Intelligence

Cisco Encrypted Traffic Analytics (ETA) Solution

Enhanced NetFlow traffic exporters (Catalyst 9k; ISR, ASR, CSR) export the Initial Data Packet and Packet Lengths and Times

Stealthwatch ETA collectors and Cognitive Threat Analytics: Malware detection and cryptographic compliance

Crypto Compliance, Malware Detection, Leverages DNA

Demo: Best-of-Breed Threat Protection

Cisco Stealthwatch
• Behavior + anomaly detection: Fabric ➢ Stealthwatch + Cognitive threat analytics
• Encrypted Traffic Analytics: Fabric ➢ Stealthwatch + CTA

What are we solving?

I am blind to threats in encrypted traffic

I have no visibility of targeted attacks

Lack of defense against use of stolen credentials

Demo: Visibility/Analytics Operations

In Summary

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS

Cisco DNA + Cisco Security: Stronger Together

Cisco Security: Threat Protection, Visibility, Segmentation
Cisco DNA Intent-based Network: Analytics, Policy, Automation

Protecting the Workloads

Cisco Data Center Security

Trust-Centric: “Reduce the attack surface using Least privilege access”
Threat-Centric: “Stop the Breach”
Visibility: “See and Share Everything”
Contextual Integration

Featured Use Cases and Demos

Contextual Integration

Firewalls and Application Segmentation

Tetration

ISE/Trustsec

ASA/NGFW

Automated Threat Detection, Blocking, and Response

NGFW/NGIPS

Tetration

AMP

Stealthwatch + Stealthwatch Cloud

Visibility

Trust-Centric / Threat-Centric


ACME Application Evolution: Static → Dynamic

Monolithic → Microservices: SQL DB; Mgmt REST API; Billing REST API; Accounts REST API; Web UI; API Gateway

Waterfall → Agile: Requirements; Design; Testing; Implementation; Prod; Iterate, Iterate, Iterate


Pace of Application Evolution

Traditional enterprise applications

~5% Applications modernized per year

~5% Applications developed per year

New and modernized apps

Security approach must bridge the needs of both


The Challenge of Protecting Modern Applications

Breadth

Containers, VM, Bare Metal

On premises, public cloud, legacy apps, appliances …

Scale

Tens of thousands of workloads

Trillions of Data Points

Depth

Rich Data-Driven Approach

Micro segmentation

Vulnerability management

Integrity monitoring

Exploit prevention

Data leakage prevention

Speed

Real time detection and response

Address ephemeral workloads


Anatomy of a Breach


Stages: Recon; Initial Exploit; Establish Persistence; Escalate Privileges; Execute Mission; Lateral Movement; Internal Recon; Maintain Persistence


Cloud Workload Protection with Tetration

A BEHAVIOUR driven approach: Know the Application

Segment, Harden, Detect

Prevent Communications

• Understand Policy

• Restrict Visibility

• Prevent Lateral Movement

Reduce Attack Surface

• Close unused ports

• Reduce exposure to Software Exploits

• Software Uniformity

Detect Malicious Activity

• Understand Attack

• Forensic Record

• Spectre / Meltdown

• Behaviour anomalies


The Trust-Me Approach to Workload Security


Segmentation –Zone Based


Segmentation –Application Based


True Micro-Segmentation

Application Workloads Application Policy


True Micro-Segmentation

Application Policy

Shared Database

DNS

Authentication Services

Users

SaaS


Rich Telemetry

Workload Protection

Dynamic Microsegmentation

Enrich with Meta-Data

Tetration Software Sensors


Wide OS Support: Physical, Virtual, Container

ADC Integrations


Tetration Software Sensors


Workload Telemetry

Enforcement Policy


Common Approach across Data Center and Cloud


Cloud

IP Network

Tetration SaaS

Campus Users WAN Users

Cloud


Acme Data Sources and Integrations


Cloud

IP Network

Tetration SaaS

Campus Users WAN Users

Cloud

ISE AnyConnect


Initial Posture Assessment


Classify Inventory by Attribute

Detailed, dynamic inventory of every workload and endpoint. Annotations applied to every asset for attribute-based classification. Up to 32 user-defined attributes.

Workload 10.8.3.5: Owner = Acme Retail; Location = Data Center; Service = Retail; App = Payments; Environment = Production; PCI Category = CDE; Criticality = High; Impact = High

Workload 10.3.12.2: Owner = Acme Retail; Location = AWS; Service = Loyalty; App = Rewards; Environment = Test; PCI Category = Out of Scope; Criticality = Low; Impact = Low


Start with what you have today…


Security Platforms

CMDB CI

IPAM/DNS

Hypervisor/Cloud

Network

or Jim’s spreadsheet


Dynamic Annotations

• Manual upload provides a great start, but a more dynamic operational model is desirable

• Dynamic annotations allow for dynamic grouping and policy actions

• Integrate with external systems for dynamic annotation update via Tetration API.


csv upload

Rest API


Dynamic Attribute-Based Policy

Build Dynamic Queries (Filter Query):

PCI CDE: PCI Category = “CDE”

Prod Workloads: Environment = “Production”

Define Policy:

Action   Consumer             Provider                  Services
DENY     PCI OOS              PCI CDE                   Any
DENY     Non-Prod Workloads   Prod Workloads            Any
         Trusted Mgmt         Mission Critical Retail   TCP 22
         Prod Workloads       Approved DNS              UDP 53


Extend Policy between User/Device and Application

User Jim Smith

User Group Managers

Security Group Tag 25

Authenticated True

Device Posture Compliant

Integration with Cisco ISE provides user and device attributes and posture. Dynamically tracks user authentication and device posture for access policy control against application workloads.

Trusted Users

Payroll

Dropped

Allowed

?

ISE Tetration

pxGrid


ISE Attributes for Context

• Collect Endpoint device info

• User Endpoint Profile

• IOT and manufacturing devices

• Facility devices

• Cisco ISE sends information about

• Device group (SGT)

• User

• Device

• Device location

• Device Posture


Let Computers do the Heavy Lifting

Tetration automatically converts your intent into blacklist and whitelist rules

Intent → Rules

Deny PCI Out of Scope from talking to Cardholder Data applications → SOURCE (10.3.12.2, ….) DEST (10.8.3.5, ….)

Allow Trusted Users to access the payroll system → SOURCE (10.7.1.13, …) DEST 10.8.9.9

Block all HTTP connections that are not destined for web servers → SOURCE ANY DEST 10.0.10.0/24 PORT 80; SOURCE ANY DEST ANY PORT = 80
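An added example (not Tetration's code or the deck's own) that compiles attribute-based intent like the rows above into concrete source/destination rules and re-evaluates them when an annotation or ISE posture attribute changes. The inventory, the Role attribute used for the web-server filter, and treating the two service rows as allow rules are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory. Workload annotations mirror the slides' two examples;
# the user entry carries ISE-supplied context (group, posture) as attributes.
INVENTORY = {
    "10.8.3.5":   {"App": "Payments", "Environment": "Production",
                   "PCI Category": "CDE", "Role": "App"},
    "10.3.12.2":  {"App": "Rewards", "Environment": "Test",
                   "PCI Category": "Out of Scope", "Role": "App"},
    "10.8.9.9":   {"App": "Payroll", "Environment": "Production",
                   "PCI Category": "Out of Scope", "Role": "App"},
    "10.0.10.20": {"App": "Portal", "Environment": "Production",
                   "PCI Category": "Out of Scope", "Role": "Web"},
    "10.7.1.13":  {"User": "Jim Smith", "User Group": "Managers",
                   "Authenticated": True, "Device Posture": "Compliant"},
}


@dataclass(frozen=True)
class Filter:
    """A named filter query: every (attribute, value) pair must match (AND)."""
    name: str
    match: tuple

    def members(self, inventory):
        return sorted(ip for ip, attrs in inventory.items()
                      if all(attrs.get(k) == v for k, v in self.match))


@dataclass(frozen=True)
class Intent:
    action: str                 # "ALLOW" or "DENY"
    consumer: Optional[Filter]  # None = any source
    provider: Optional[Filter]  # None = any destination
    proto: str = "any"
    port: Optional[int] = None  # None = any port


PCI_CDE = Filter("PCI CDE", (("PCI Category", "CDE"),))
PCI_OOS = Filter("PCI OOS", (("PCI Category", "Out of Scope"),))
PROD = Filter("Prod Workloads", (("Environment", "Production"),))
NON_PROD = Filter("Non-Prod Workloads", (("Environment", "Test"),))
PAYROLL = Filter("Payroll", (("App", "Payroll"),))
WEB = Filter("Web Servers", (("Role", "Web"),))   # constructed attribute
TRUSTED_USERS = Filter("Trusted Users", (("User Group", "Managers"),
                                         ("Authenticated", True),
                                         ("Device Posture", "Compliant")))

# Intent order is rule priority; the white-list catch-all deny is appended last.
INTENTS = [
    Intent("DENY", PCI_OOS, PCI_CDE),                    # OOS must never reach CDE
    Intent("DENY", NON_PROD, PROD),                      # test must not talk to prod
    Intent("ALLOW", TRUSTED_USERS, PAYROLL, "tcp", 443),
    Intent("ALLOW", None, WEB, "tcp", 80),               # HTTP only to web servers...
    Intent("DENY", None, None, "tcp", 80),               # ...and blocked everywhere else
]


def compile_policy(intents, inventory):
    """Resolve each filter against the current inventory into concrete rows."""
    rules = []
    for it in intents:
        srcs = it.consumer.members(inventory) if it.consumer else ["ANY"]
        dsts = it.provider.members(inventory) if it.provider else ["ANY"]
        rules += [(it.action, s, d, it.proto, it.port) for s in srcs for d in dsts]
    rules.append(("DENY", "ANY", "ANY", "any", None))
    return rules


def evaluate(rules, src, dst, proto, port):
    """First matching rule wins, as in an ordered rule base."""
    for action, s, d, p, pt in rules:
        if (s in ("ANY", src) and d in ("ANY", dst)
                and p in ("any", proto) and pt in (None, port)):
            return action
    return "DENY"


def decide(intents, inventory, src, dst, proto, port):
    """Recompile from current attributes (the slides say every 60 sec) and evaluate."""
    return evaluate(compile_policy(intents, inventory), src, dst, proto, port)


def with_posture(inventory, ip, posture):
    """Copy of the inventory with one endpoint's ISE posture changed."""
    updated = dict(inventory)
    updated[ip] = {**inventory[ip], "Device Posture": posture}
    return updated


if __name__ == "__main__":
    print(decide(INTENTS, INVENTORY, "10.3.12.2", "10.8.3.5", "tcp", 443))   # DENY
    print(decide(INTENTS, INVENTORY, "10.7.1.13", "10.8.9.9", "tcp", 443))   # ALLOW
    changed = with_posture(INVENTORY, "10.7.1.13", "Non-Compliant")
    print(decide(INTENTS, changed, "10.7.1.13", "10.8.9.9", "tcp", 443))     # DENY
```

No rule is edited when the user's device falls out of compliance: the Trusted Users filter simply stops matching and the next compile drops the allow row.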


Tetration ADM and Policy


Hierarchical Policy Model

[Scope tree diagram; node labels: Acme; Inside; Cloud; Data Center; Stores; Campus; Retail; HR; Loyalty; Growth; Payments; Payroll; Rewards; Portal; Prod; UAT; Dev]

Dynamic Inventory Mapping

Scope tree labels: Acme; Inside; Loyalty; Rewards; Prod; Cloud

Scope query: Root Scope ID = 101 and Owner = Acme and Location = AWS and Service = Loyalty and App = Rewards and Environment = Prod

Application Dependency Mapping – Within the Application


Application Workspace Clusters


Application Dependency Mapping – Outside the Application


Clusters

Shared Database

DNS

Authentication Services

Users

External Dependencies

SaaS

Visualize and Refine Dependencies

Clusters: Retail Front End; Credit; Inventory; Trusted Branch Users; Transactions; Authentication; Trusted IT Services

Retail Front End provides: TCP 443

Trusted Branch Users provides: none

Discovered Application Policy based on detailed historical flow analysis


Policy Validation


Default Policies (42) Catch All DENY

[Discovered policy table (Priority, Action, Consumer, Provider, Services): seven rules, each at priority 100; consumers transactions and core-app; providers credit, authentication and inventory; services TCP 443, TCP 2532, UDP 123, TCP 88, 139, 445…., TCP 22, 443, TCP 1556, TCP 21, 23]

Review callouts: Which NTP hosts? SSH from Campus? All clusters backed up? Insecure Protocols?

Verify, Restrict, Remediate


Policy Validation

• Are the server groups as expected?

• Should UAT be talking to Production? Test?

• Are all IT services applied consistently?

• Can I be confident the policy is accurate?

• What if the application changes? Can the policy change too?

• Are there any unexpected dependencies?


Micro-segmentation with merged policy

Tetration merges discovered dependencies with user defined intent to deliver a complete policy meeting the needs of different groups with responsibility for information security policy.

Security Policy

• Security and network teams control global aspects of application inter-connection and shared services

Action   Consumer             Provider                  Services
DENY     Untrusted            Highly Sensitive          Any
DENY     Non-Prod Workloads   Prod Workloads            Any
         Trusted Mgmt         Mission Critical Retail   TCP 22
         Prod Workloads       Approved DNS              UDP 53

Application Policy

• Application owners provided a level of autonomy to make application level changes quickly

Clusters: Retail Banking; Core Banking System; Investments; Trusted Branch Users; Untrusted Users; Credit; Authentication; IT Services

Catch All DENY • Any connection not explicitly permitted by white-list policy rule is denied.


Active Policy Analysis

• Provides confirmation of policy accuracy pre enforcement

• Near-real time live traffic analysis against policy

• Identify and remediate any non-compliant activity BEFORE enforcement


Policy Compliance Verification


Permitted: permitted flow matching policy

Misdropped: permitted flow matching policy, but with dropped packets

Escaped: flow denied by policy, but permitted (not dropped)

Rejected: flow denied by policy, and dropped
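An added example (not Tetration's code) of the four-way classification above: each observed flow is compared with the decision the policy would give it, and the escaped flows are listed for remediation before enforcement is switched on. The policy rows and the flow records are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "ALLOW" or "DENY"
    consumer: str          # source address or "ANY"
    provider: str          # destination address or "ANY"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None = any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    dropped: bool          # what the enforcement point actually did with it


# Constructed policy: transactions (10.1.1.10) may reach authentication (10.1.2.10)
# on TCP 443 and credit (10.1.3.10) on TCP 2532; everything else hits the catch-all.
POLICY = [
    Rule("ALLOW", "10.1.1.10", "10.1.2.10", "tcp", 443),
    Rule("ALLOW", "10.1.1.10", "10.1.3.10", "tcp", 2532),
    Rule("DENY", "ANY", "ANY", "any", None),
]

# Constructed observed flows, one per category on the slide.
FLOWS = [
    Flow("10.1.1.10", "10.1.2.10", "tcp", 443, dropped=False),   # Permitted
    Flow("10.1.1.10", "10.1.3.10", "tcp", 2532, dropped=True),   # Misdropped
    Flow("10.1.1.10", "10.1.3.10", "tcp", 23, dropped=False),    # Escaped (telnet)
    Flow("10.9.9.9", "10.1.2.10", "tcp", 443, dropped=True),     # Rejected
]


def policy_decision(rules, flow):
    """Ordered evaluation: the first matching rule decides."""
    for r in rules:
        if (r.consumer in ("ANY", flow.src) and r.provider in ("ANY", flow.dst)
                and r.proto in ("any", flow.proto) and r.port in (None, flow.port)):
            return r.action
    return "DENY"


def classify(rules, flow):
    """Cross the intended decision with the observed outcome."""
    if policy_decision(rules, flow) == "ALLOW":
        return "Misdropped" if flow.dropped else "Permitted"
    return "Rejected" if flow.dropped else "Escaped"


def compliance_report(rules, flows):
    """Counts per category plus the escaped flows: traffic that works today
    but that the policy would cut once enforcement is enabled."""
    labelled = [(classify(rules, f), f) for f in flows]
    counts = Counter(label for label, _ in labelled)
    escaped = [f for label, f in labelled if label == "Escaped"]
    return counts, escaped


if __name__ == "__main__":
    counts, escaped = compliance_report(POLICY, FLOWS)
    print(dict(counts))
    for f in escaped:
        print(f"review before enforcing: {f.src} -> {f.dst} {f.proto}/{f.port}")
```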

Enforcing the Policy


Zero Trust Policy Enforcement

Application Policy


Workload Enforcement


Custom Policy per workload. Dynamic, recomputed every 60 sec


Tetration Endpoint Enforcement

Pre-requisites:

• Enforcement License Enabled

• Enforcement Agent Deployed

• Enforcement Enabled in Agent Config

Dependencies:

• Linux: iptables and IP Sets

• Windows: Windows Firewall


Enforcement Rules


Enforcement Rule Monitoring


Compliance Validation and Monitoring


Tetration Demo

Workload Hardening


Workload Hardening


Software Vulnerability Assessment and Control

• Identify Known Vulnerabilities across full inventory

• Search by CVE, or CVSS (CVE Score)

• Build filters for dynamic policy control


Software Vulnerability Assessment and Control

• Apply absolute policy overrides, to contain/protect against active vulnerabilities

• Dynamic policy filter adapts policy as vulnerabilities are patched


Vulnerability Assessment Metrics


Process Hash Validation


Identify Malicious/Suspicious Processes


Process Hash Validation

• Whitelist/Blacklist Assessment

• NIST/Threatfeed

• User Upload

• Consistency measurement

• Identify variations/outliers

Workload Inventory

• Search all long-lived processes

• User, PID, Hash, Command Line
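An added example (not Tetration's code) of the assessment the slide describes: each long-lived process is checked against known-good and known-bad hash sets, and a consistency pass flags a workload whose copy of a binary hashes differently from its peers. The process records, the short hash values and both lists are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    host: str
    user: str
    pid: int
    sha256: str    # constructed short digests, not real hashes
    cmdline: str


# Constructed long-lived process inventory across four web workloads.
PROCESSES = [
    Proc("web-01", "root", 811, "aa11", "/usr/sbin/sshd -D"),
    Proc("web-02", "root", 799, "aa11", "/usr/sbin/sshd -D"),
    Proc("web-03", "root", 805, "aa11", "/usr/sbin/sshd -D"),
    Proc("web-04", "root", 790, "ff99", "/usr/sbin/sshd -D"),            # differs from peers
    Proc("web-01", "www", 1201, "bb22", "/usr/sbin/nginx -g daemon off;"),
    Proc("web-02", "www", 1188, "bb22", "/usr/sbin/nginx -g daemon off;"),
    Proc("web-03", "www", 1190, "bb22", "/usr/sbin/nginx -g daemon off;"),
    Proc("web-04", "www", 1195, "bb22", "/usr/sbin/nginx -g daemon off;"),
    Proc("web-02", "www", 4410, "dd44", "/tmp/.cache/updater"),         # on the blacklist
    Proc("web-03", "www", 4412, "ee55", "/opt/agent/collector"),        # not on any list
]

WHITELIST = {"aa11", "bb22"}   # e.g. NIST-style known-good set or user upload
BLACKLIST = {"dd44"}           # e.g. threat feed


def assess(procs, whitelist, blacklist):
    """Per-process verdict from the known-good / known-bad lists, keyed by (host, pid)."""
    verdicts = {}
    for p in procs:
        if p.sha256 in blacklist:
            verdicts[(p.host, p.pid)] = "blacklisted"
        elif p.sha256 in whitelist:
            verdicts[(p.host, p.pid)] = "whitelisted"
        else:
            verdicts[(p.host, p.pid)] = "unknown"
    return verdicts


def consistency_outliers(procs):
    """The same binary (argv[0]) should hash identically across peers; a minority
    hash on one host is an outlier worth investigating."""
    by_exe = defaultdict(list)
    for p in procs:
        by_exe[p.cmdline.split()[0]].append(p)
    outliers = []
    for exe, group in by_exe.items():
        hashes = Counter(p.sha256 for p in group)
        if len(hashes) < 2:
            continue
        majority = hashes.most_common(1)[0][0]
        outliers += [(p.host, p.pid, exe, p.sha256) for p in group if p.sha256 != majority]
    return outliers


def findings(procs, whitelist, blacklist):
    """Sorted (host, pid, reason) rows for the analyst queue."""
    out = [(h, pid, v) for (h, pid), v in assess(procs, whitelist, blacklist).items()
           if v != "whitelisted"]
    out += [(h, pid, f"outlier hash {sha} for {exe}")
            for h, pid, exe, sha in consistency_outliers(procs)]
    return sorted(out)


if __name__ == "__main__":
    for row in findings(PROCESSES, WHITELIST, BLACKLIST):
        print(row)
```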


Reduce the Attack Surface


Cisco Tetration – Workload Hardening

Workloads

Reduce Attack Surface

• Identify unused ports for remediation

Process Hash Validation

• Whitelist/Blacklist Assessment

• NIST/Threatfeed

• User Upload

• Identify variations/outliers


Detect Known Vulnerabilities

• Apache Struts

• Wannacry/EternalBlue

• Kubernetes RunC


Fabric for Workload Security


ACI Overview

ACI Fabric: Virtual Switch; Device automation; Network automation; Service Graph

EPG Web ↔ Contract ↔ EPG App


ACI Fabric Building Blocks

Spine Nexus9000 Switches – MP BGP Control Plane

Leaf Nexus9000 Switches – Distributed Anycast GW

Service Graphs; End Point Groups; L3 or L2 Outs

Virtual or Physical L4-L7 Devices; Virtual or Physical Workloads

[Topology diagram: 40G spine-leaf links; 1G/10G leaf-to-workload links]


Understanding EPGs and Contracts

• Endpoints are “grouped” to attach them to the fabric

• An Endpoint Group (EPG) is a set of devices that share the same policy requirements

• By default endpoints in different EPGs can’t communicate at all

• By default … endpoints inside an EPG can communicate freely

• Intra EPG default can be changed… today, to block intra-EPG communication (Intra-EPG contracts and service graphs in 4.0)

• Every EPG belongs to a VRF and an Application Profile

• Tenants, VRF, BD, Application Profiles, EPGs, Contracts are logical configurations


EPG Relationships are defined with Contracts. White List Model (*): No Contract, No Communication

Bridge Domain – 10.10.10.1/24: BM-01 (10.10.10.11), VM-02 (10.10.10.12), VM-03 (10.10.10.13), BM-04 (10.10.10.14); EPG BLUE, EPG GREEN

Without contracts, by default there is no communication between groups

(*) Default can be changed


EPGs Will Have Relationships with Contracts. White List Model (*): Contract Determines Communication

Bridge Domain – 10.10.10.1/24: BM-01 (10.10.10.11), VM-02 (10.10.10.12), VM-03 (10.10.10.13), BM-04 (10.10.10.14); EPG BLUE (CONSUMES) → EPG GREEN (PROVIDES)

Contract: Blue-to-Green

Scope: VRF

Subject: AppTraffic

Both Directions: True

Reverse Port Filters: Yes

permit tcp/80

permit tcp/443

Filter entries shown: any, tcp/80; any, tcp/8080

GREEN Provides the contract, so ports tcp/80 and tcp/443 are exposed.

BLUE Consumes the contract, so ports tcp/80 and tcp/443 are NOT exposed.

(*) Default can be changed
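An added example (not APIC code or the deck's own) that models the white-list behaviour on this slide: EPG membership, the Blue-to-Green contract with its tcp/80 and tcp/443 filters, the consumer/provider asymmetry, and the reverse port filter that admits return traffic. Placing BM-01 and VM-02 in BLUE and VM-03 and BM-04 in GREEN, and the intra-EPG isolation switch, are assumptions.

```python
from dataclasses import dataclass, replace

# Constructed EPG membership for the slide's bridge domain 10.10.10.1/24.
EPG_OF = {
    "10.10.10.11": "BLUE",   # BM-01
    "10.10.10.12": "BLUE",   # VM-02
    "10.10.10.13": "GREEN",  # VM-03
    "10.10.10.14": "GREEN",  # BM-04
}


@dataclass(frozen=True)
class Contract:
    name: str
    consumers: frozenset
    providers: frozenset
    filters: frozenset            # {(proto, port)} permitted toward the provider
    reverse_port_filters: bool = True


BLUE_TO_GREEN = Contract(
    "Blue-to-Green", frozenset({"BLUE"}), frozenset({"GREEN"}),
    frozenset({("tcp", 80), ("tcp", 443)}),
)
# Same contract with Reverse Port Filters: No, to show why return traffic needs it.
NO_REVERSE = replace(BLUE_TO_GREEN, reverse_port_filters=False)


def exposed_ports(contracts, epg):
    """Ports reachable on an EPG: only what it provides, never what it consumes."""
    return {f for c in contracts if epg in c.providers for f in c.filters}


def is_allowed(contracts, epg_of, src, dst, proto, sport, dport,
               intra_epg_isolation=False):
    """White-list model: between EPGs, no contract means no communication."""
    s_epg, d_epg = epg_of[src], epg_of[dst]
    if s_epg == d_epg:
        return not intra_epg_isolation          # free inside an EPG by default
    for c in contracts:
        # Consumer -> provider: the provider's filtered ports are exposed.
        if s_epg in c.consumers and d_epg in c.providers and (proto, dport) in c.filters:
            return True
        # Provider -> consumer: only the reverse of a filter, i.e. return traffic.
        if (c.reverse_port_filters and s_epg in c.providers
                and d_epg in c.consumers and (proto, sport) in c.filters):
            return True
    return False


if __name__ == "__main__":
    c = [BLUE_TO_GREEN]
    print(exposed_ports(c, "GREEN"), exposed_ports(c, "BLUE"))
    print(is_allowed(c, EPG_OF, "10.10.10.11", "10.10.10.13", "tcp", 51000, 80))   # True
    print(is_allowed(c, EPG_OF, "10.10.10.13", "10.10.10.11", "tcp", 51000, 80))   # False
    print(is_allowed(c, EPG_OF, "10.10.10.13", "10.10.10.11", "tcp", 80, 51000))   # True
```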


Contracts Also Allow Inserting Services: Next Generation Firewall, ADC, IDS/IPS, etc.

Bridge Domain – 10.10.10.1/24: BM-01 (10.10.10.11), VM-02 (10.10.10.12), VM-03 (10.10.10.13), BM-04 (10.10.10.14); EPG BLUE (CONSUMES) → EPG GREEN (PROVIDES)

Contract: Blue-to-Green

Scope: VRF

Subject: AppTraffic

Both Directions: True

Reverse Port Filters: Yes

permit tcp/80

permit tcp/443

You can insert an NGFW, or a LB, by attaching a Service Graph to the contract subject


Workload Trust Centric Firewalling


Cisco NGFW Leadership

Leader in the 2018 Gartner MQ

Time to detection of a successful breach: Cisco ~4.6 hours; Industry ~100 Days (Source: 2018 Cisco CyberSecurity Report)

Savings from security automation: $184K first year

Read the Report


Cisco Firepower NGFW / Firepower Threat Defense

Threat-Focus stops vulnerability exploitation

Single OS + Single Management

Capabilities: Malware Protection; URL Filtering; Analytics and Visibility; Application Visibility and Control; Intrusion Prevention; High Availability; Firewall, VPN and Routing; Identity-based Policy Control; SSL Decrypt and Network Profiling

Simple, Open, Automated and Effective


Birth of the Cisco Firepower NGFW (FTD)

ASA

• L2-L4 Stateful Firewall

• Scalable CGNAT, ACL, routing

• Application inspection

FirePOWER

• Threat-centric NGIPS

• Identity, AVC, URL Filtering

• Advanced Malware Protection

Cisco NGFW (a.k.a. FTD)

• Converged NGFW/NGIPS image on Firepower 2100/4100/9300 and ASA5500-X platforms

• Single point of management with Firepower Management Center, FDM, CDO, API

• Full FirePOWER functionality for NGFW/NGIPS deployments

• ASA Data Plane with TCP Normalizer, NAT, ACL, VPN, dynamic routing, failover functions


Cisco NGFW Cutting-edge Capabilities

Trusted by 10’s of thousands of customers

Context Rich

Creates a host profile: internally, via ISE pxGrid, and from 3rd party host scan data

Impact Assessment and IoC

Threat correlation reduces actionable

events by up to 99%

Automated Tuning

Adjust IPS policies automatically

based on traffic profile

App Identification you can trust

OpenAppID


NGFW Physical Platforms - DC

FPR 2110, FPR 2120, FPR 2130, FPR 2140: 2-8.5 Gbps AVC; 2-8.5 Gbps AVC+IPS

FPR 4110, FPR 4120, FPR 4140, FPR 4150: 12-30 Gbps AVC; 10-24 Gbps AVC+IPS

FPR 9300 SM-24, SM-36, SM-44: One Module: 30-54 Gbps AVC; 24-53 Gbps AVC+IPS. Three Modules: Up to 135 Gbps AVC; Up to 133 Gbps AVC+IPS


Firewall deployment modes: Pick from many deployment modes

Inline or Passive; Fail-to-wire NetMods; Virtual or Physical

Typical modes: Routed; Transparent; Inline; Inline Tap; Passive

Available on 2100, 4100 and 9300


Firewall Clustering. Industry leading 80+% efficiency rating

UpLink Scalability: Increase throughput; Handle more connections

Intra-chassis clustering: Combine multiple individual firewalls/SSMs and manage as one (up to 100Gbps NGFW)

Inter-chassis / Inter-site Clustering: Deliver scalable performance across many sites (Location A, Location B; up to 270 Gbps NGFW)

Zero-Downtime upgrades for most applications


Flow Offload Use Cases in our DC

• Trusted flow processing at ultra-high speed with limited security visibility

• High single-flow throughput, high packet rate, low latency

• Hardware-based offload with no x86 dependency

• Flow offload is supported in both inter-chassis and intra-chassis cluster modes

• Used where Low Latency and High Single Flow throughput is more important than security

Use Cases: High Frequency Trading, High Performance Computing Research Sites

Intra/Inter DC Storage Backup or Database Sync, GRE Tunneled Packets


High Availability and Scalability Options Chosen

ASA

• High Availability: Active/Standby Failover (2 modules or appliances); Active/Active Failover (2 modules or appliances)

• High Scalability (Firepower 9300 only): Intra-chassis Clustering (≤3 modules, 240Gbps)

• High Availability and Scalability (Firepower 4100/9300 only): Inter-chassis Clustering (≤16 modules, 1.2Tbps)

FTD

• High Availability: Active/Standby HA (2 modules or appliances)

• High Scalability (Firepower 9300 only): Intra-chassis Clustering (≤3 modules, 100Gbps)

• High Availability and Scalability (Firepower 4100/9300 only): Inter-chassis clustering (≤6 modules, 270Gbps)


FTD HA and Clustering

• FTD inherits failover and clustering infrastructure from ASA

• Clustering is recommended for Data Center deployments

• Replicates full NGFW/NGIPS configuration and flow state

• Interface and Snort instance health monitoring

• Zero-downtime upgrades for most applications

• Ensures full stateful flow symmetry in both NGIPS and NGFW modes

[Diagram: an FTD pair joined by an HA Link, and an FTD cluster attached through Nexus vPC (vPC1, vPC2)]

HA/Failover: Both directions of a flow traverse a single active unit

Clustering: All packets for a flow are redirected to the connection Owner


FTD Clustering with FP9300/4100

[Diagram: FP9300 Chassis 1 and FP9300 Chassis 2, each with a Supervisor and FTD modules forming one FTD Cluster, joined by the CCL and connected to Switch 1 / Switch 2 via Nexus vPC]

FTD Intra-Chassis Cluster

• Modules can be clustered within chassis

• Bootstrap configuration is applied by Supervisor

FTD Inter-Chassis Cluster

• Cluster of up to 6 modules (in 2 chassis)

• Off-chassis flow backup for complete redundancy

FP9300 Application Flexibility

Mixed FTD Deployment Examples

Firepower 9300 Chassis: SM1 = Native ASA; SM2 = Native FTD; SM3 = (7) FTD Instances

Firepower 9300 Chassis: FTD 6.3 Native; FTD 6.4 Native; FTD 6.3 Instance 1; FTD 6.3 Instance 2; FTD 6.4 Instance 3 (Production, Development, Test, Production)

Firepower Chassis: Instance 1 (4 CPU); Instance 2 (12 CPU); Instance N (2 CPU)


Enhancements to Virtual Deployments

• FTDv scaling: Allow user to choose 4, 8 or 12 cores (~1Gbps, 2 Gbps, 3 Gbps). Virtual platforms: VMware and KVM

• Data Plane Development Kit (DPDK) for FTDv: Significant performance improvement. Only VMware, KVM, and AWS (disabled for Azure)


NGFW Virtual Platforms


NGFW Management Options

Firepower Management Center (FMC)

Enables comprehensive security administration and automation of multiple appliances. Centralized on-premise.

Firepower Device Manager (FDM)

Enables easy on-box management of common security and policy tasks. Local on-box UI introduced in 6.1.

Cisco Defense Orchestrator (CDO)

Enables cloud-based policy management of multiple deployments. FTD support targeted June 2019. Provides consistent policy configuration across multiple Cisco products. Seamless ASA to FTD migration.

APIs

Enables automation and orchestration directly or through 3rd party apps. FMC APIs and Device APIs. Device APIs facilitate co-management between FDM and CDO.


ASAv Overview – AWS and Azure

ASAv 9.10.x

ASA Appliance: Stateful F/W, NAT, Routing and ACL

VPN: IPSEC and SSL

REST API

Route based VPN: VTI

Management: CLI, ASDM, CSM and CDO


NGFWv, FMCv and ASAv in Public Cloud and Gov Cloud – Instance Types

AWS

NGFWv Instance (Marketplace): c3.xlarge, c4.xlarge

FMCv Instance (Marketplace): c3.xlarge, c3.2xlarge, c4.xlarge, c4.2xlarge

ASA instance (Marketplace): c3.large, c3.xlarge, c4.large, c4.xlarge, m4.large, m4.xlarge

SSD storage on c3 instance and EBS storage on c4 or m4 instance. large instance is ASAv10, xlarge instance is ASAv30

Azure

NGFWv Instance (Marketplace): Standard D3 and D3v2

FMCv Instance (Marketplace): Standard D3v2 and D4v2 (NEW; available from FMC/FTD release 6.4)

ASAv Instance (Marketplace): Standard D3 and D3v2. D3 and D3v2 instance is ASAv30

Standard_D3v2 (4 CPU, memory: 14GB); Standard_D4v2 (8 CPU, memory: 28GB)


NGFWv Deployment Modes in Public Cloud


Routed mode (NGFWv) - AWS Passive mode (NGFWv) - AWS Routed mode (NGFWv) - Azure

• Passive mode is only applicable to NGFWv in AWS


FMC in Public Cloud – AWS and Azure

• FMC is available in AWS: c3.xlarge and c3.2xlarge; c4.xlarge and c4.2xlarge

• FMC is available in Azure from release 6.4: Standard D3v2 and D4v3

Standard_D3v2 (4 CPU, memory: 14GB); Standard_D4v2 (8 CPU, memory: 28GB)

Release 6.4


ASAv Deployment Modes in Public Cloud


Routed mode (ASAv) - AWS Routed mode (ASAv) - Azure


NGFWv and ASAv scalable design

• Azure internal load balancer (ILB) standard & external load balancer

[Diagram: Azure vNET with WEB, APP and DB subnets; a Gateway Subnet with a Virtual Network Gateway over Azure Express Route to the Data Center (FMC); an NVA Subnet (inside) with firewalls FW01, FW02 … FW..n (NGFWv) in an Availability Set behind an ILB Standard (VIP, HA Port); an External LB facing Internet Users; stateless switchover]

DB-UDR (Destination → Next Hop): Default/Internet → ILB VIP; APP, WEB & DC → ILB VIP

APP-UDR (Destination → Next Hop): Default/Internet → ILB VIP; DB, WEB and DC → ILB VIP

WEB-UDR (Destination → Next Hop): Default/Internet → ILB VIP; DB, APP and DC → ILB VIP

GW-UDR (Destination → Next Hop): WEB, APP & DB → ILB VIP

YouTube: overview


NGFWv scalable design using AWS NLB

Network Load Balancer (NLB). (ALB also supported)

[Diagram: VPC with IGW and Elastic IP; NLB in front of NGFWv instances in us-east-1c and us-east-1d, each with outside, inside and management subnets (outside-1c/1d, inside-1c/1d, management-1c/1d); FMCv; WebServer01 and WebServer02 behind the firewalls; stateless switchover]

Route Table RT (subnet → next-hop): 0.0.0.0 → IGW

YouTube: Demo


Licensing – NGFWv and ASAv in Public Cloud

Cisco Smart Licensing for NGFWv and ASAv in AWS and Azure

ASA

Standard License: Firewall, throughput

AnyConnect Apex License: SSL, IPSEC

AWS: • Bring your own license • Hourly or Annual license

Azure: • Bring your own license

NGFW

Base License: Firewall, AVC

Term based: Threat, URL, AMP

AWS: • Bring your own license • Hourly or Annual license

Azure: • Bring your own license

Note: No Cisco TAC support with the AWS pay-as-you-go license model, but you can purchase one year TAC support from the listed partner: Purchase TAC Support

ASAv entitlement in Public Cloud. AWS (ASAv10 & ASAv30): ASAv10 & ASAv30 entitlement (1G*, 250 (ASAv10) or 750 (ASAv30) VPN endpoints)

Azure (ASAv30): ASAv5, ASAv10 & ASAv30 entitlement (100M (ASAv5), 1G* (ASAv10 or ASAv30), 50 (ASAv5), 250 (ASAv10) or 750 (ASAv30) VPN endpoints)

Workload Threat Centric


Cisco Data Center Security

Trust-Centric

Contextual Integration

Threat-Centric

“Reduce the attack surface using Least privilege access”

“Stop the Breach”

Visibility

“See and Share Everything”


Featured Use Cases and Demos

Trust-Centric

Contextual Integration

Threat-Centric

Firewalls and Application Segmentation

ASA/NGFW

ACI/TrustSec + Tetration

Automated Threat Detection, Blocking, and Response

NGFW/NGIPS

AMP

Stealthwatch + Tetration

Visibility

Amp for Endpoints


Cisco AMP: Security that Works Together


Threat Intelligence - TALOS

Services

Network Endpoint Cloud


Endpoint Devices Increasingly Difficult to Defend


Mobile Devices Cloud Data User Behavior

Most challenging areas to defend:

*Source: Cisco 2018 Security Capabilities Benchmark Study


How Does the 1% Escape and Get Through?


Advanced evasion techniques:

• Fileless malware

• Environmentally-aware malware

• Polymorphism

• Exploit legitimate processes


Uncover the 1% with Cisco AMP for Endpoints


The network and endpoint, working together across all

operating systems

With proactive threat hunting

Using multiple detection and protection mechanisms


How Cisco Addresses Endpoint Challenges


Prevent / Detect / Reduce Risk

• Antivirus

• Fileless malware detection

• Cloud lookups (1:1, 1:many)

• Client Indicators of Compromise

• Static analysis

• Sandboxing

• Malicious Activity Protection

• Machine learning

• Device flow correlation

• Cloud Indicators of Compromise

• Vulnerable software

• Low prevalence

• Proxy log analysis


Cloud Based Analysis


AMP cloud constantly updated with the latest threat intelligence and research to protect against advanced threats.


Prevent Fileless Malware: Malware has Evolved – We Need to Protect Against More than Just Files


Monitor process activity and guard against attempts to hijack legitimate applications.


Protect Against Ransomware Malicious Activity Protection


• Monitor Process behavior at execution

• Tuned to detect tell-tale ransomware signs

• Quarantine and terminate associated files and processes

• Log and alert encryption attempt


See Once, Block Everywhere Share Intelligence Across Network, Web, Email, and Endpoints


Talos; Threat Grid; AMP Cloud

NGIPS; CES/ESA; WSA/SIG; ISR; NGFW; Endpoint


Agentless Detection with Proxy Analysis Identify Anomalous Traffic Occurring Within Your Network


Dynamic Analysis and Sandboxing Execute, Analyze & Test Malware Behavior to Discover Unknown Zero-Day Threats


Analysis Report

Suspicious File


Continuous Monitoring


What happened?

Where did the malware come from?

Where has the malware been?

What is it doing?

How do we stop it?


Cisco Threat Response


Cisco Threat Response: Unleashing the Power of the Cisco Integrated Security Architecture


Cisco Threat Response in Action: Three Simple Ways to Get Started


“Before you turn in your TPS reports, I’m going to need to know if we are vulnerable to the Olympic Destroyer attack I heard about on the news.” (CIO)

Olympic Destroyer


Any data source can be used when searching for a vulnerability or threat. We are using Google and Talos Blogs in this example.


Copy data that you can use in CTR to search your own environment and see whether you may have been compromised.


Log into Cisco Threat Response by going to https://visibility.amp.cisco.com. You can also access CTR from any supporting application.


When starting a New Investigation, you can paste data and CTR will parse it, looking for information it can search on, such as:

• IP Addresses (v4 and v6)

• Domains

• File Hashes (SHA256, SHA1, MD5)

• MAC addresses

• URLs

• Indication of Compromise (IoC) Hashes

• Syslog Messages

• Security Alerts (any format)

• Etc.
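As an added illustration of that paste-and-parse step (this is example code, not Cisco's, and not how CTR itself parses input), the extractor below refangs the defanging common in public write-ups (hxxp, [.]), then pulls URLs, IPv4/IPv6 addresses, MAC addresses, SHA256/SHA1/MD5 hashes and bare domains out of a constructed write-up. The sample text and its hashes are constructed; the regexes and the masking order are this example's own choices.

```python
import hashlib
import re

# Ordered regexes for the observable types the slide lists. Order matters:
# each match is blanked out before the next pattern runs, so a hostname inside
# a URL is not also reported as a bare domain and a SHA-1 is never carved out
# of the middle of a SHA-256.
PATTERNS = [
    ("url", re.compile(r"https?://[^\s\"'<>]+", re.I)),
    ("ipv6", re.compile(r"\b(?:[0-9a-f]{1,4}:){7}[0-9a-f]{1,4}\b", re.I)),
    ("ipv4", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
                        r"(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("mac", re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)),
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("sha1", re.compile(r"\b[0-9a-f]{40}\b", re.I)),
    ("md5", re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]

def refang(text):
    """Undo the defanging common in public write-ups (hxxp, [.]) so the
    values become searchable again."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".")

def extract_observables(text):
    """Return {type: sorted unique values} for each observable type found."""
    work = refang(text)
    found = {name: set() for name, _ in PATTERNS}
    for name, pattern in PATTERNS:
        for match in pattern.finditer(work):
            found[name].add(match.group(0))
        # Blank out what this pattern consumed so later patterns skip it.
        work = pattern.sub(lambda m: " " * len(m.group(0)), work)
    return {name: sorted(values) for name, values in found.items() if values}

def _digest(algo, data):
    """Hash of constructed data; these are NOT real indicators."""
    return getattr(hashlib, algo)(data).hexdigest()

# Constructed write-up in the style of a blog post; nothing in it is real.
SAMPLE_WRITEUP = f"""
Constructed sample, not a real advisory. The dropper reached out to
hxxp://updates.example[.]net/payload.bin and to 198.51.100.23 over TCP/443,
then resolved cdn.example[.]org from host MAC 00:1a:2b:3c:4d:5e.
SHA256: {_digest('sha256', b'constructed-dropper')}
SHA1: {_digest('sha1', b'constructed-dropper')} MD5: {_digest('md5', b'constructed-dropper')}
A second host, 2001:0db8:0000:0000:0000:0000:0000:0001, was also contacted.
"""

if __name__ == "__main__":
    for kind, values in extract_observables(SAMPLE_WRITEUP).items():
        print(f"{kind:7s} {values}")
```

A production parser would additionally validate top-level domains and handle compressed IPv6 notation (`::`), which this regex set deliberately leaves out.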

Integration Modules:

• AMP Global Intel - Advanced Threat Intelligence API (Default)

• Private AMP Global Intel - Advanced Threat Intelligence API (Default)

• AMP File Reputation - AMP Protect DB (Default)

• Talos Intelligence - Cisco Talos Intelligence (Default)

• AMP for Endpoints - Advanced Malware Protection

• Umbrella - Cisco Umbrella

• Threat Grid - Understand and prioritize threats faster

• VirusTotal - Online Virus, Malware and URL Scanner


Workload Threat Centric Demo


StealthWatch Cloud


The Security Analytics Equation

Telemetry sources that instrument the digital business → Collect and store at scale → Analyze and automate → Security Outcomes


Cisco Stealthwatch

• Machine learning

• Global threat intelligence

• Behavioral modeling

• Using existing network infrastructure

Detects: insider threat, encrypted malware, unknown threats, policy violations


Stealthwatch Product Suite

Stealthwatch Cloud – Private network monitoring

• On-premises network monitoring

• Suitable for SMBs & commercial businesses

• Software as a Service (SaaS)

Stealthwatch Cloud – Public cloud monitoring

• Public cloud monitoring

• Suitable for enterprises & commercial businesses using public cloud services

• Software as a Service (SaaS)

Stealthwatch Enterprise – Enterprise network monitoring

• On-premises network monitoring

• Suitable for enterprises & large businesses

• On-premises virtual or hardware appliance


Flexible Security for Dynamic Environments

Native cloud logs feed Stealthwatch Cloud directly; premises network logs (NetFlow, IPFIX, Mirror/SPAN) reach it through the Stealthwatch Cloud Virtual Appliance.


Integrate Easily with all Your Current Systems

Through its SaaS Management Portal, Stealthwatch Cloud integrates with web platforms, email, SIEM, public cloud services (S3, SQS, SNS, Pub/Sub, Storage) and other platforms.


Dynamic Entity Modeling: Using Modeling to Detect Security Events


Collect Input: System Logs, Security Events, Passive DNS, External Intel, Config Changes, Vulnerability Scans, IP Meta Data

Perform Analysis: Dynamic Entity Modeling

Draw Conclusions: Group, Consistency, Rules, Forecast, Role

What ports/protocols does the device continually access?

What connections does it continually make?

Does it communicate internally only?

What countries does it talk to?

How much data does the device normally send/receive?

What is the role of the device?
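To make those questions concrete, this added example (not Stealthwatch code) learns a per-device baseline from constructed flow records, covering which protocol/port pairs the device uses, which countries it talks to and whether it stays internal, and how many bytes each service normally moves, and then reports how a new flow deviates from it. Device names, addresses and volumes are constructed; the "3 sigma and 1.5x the mean" volume rule is an assumption of the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class Flow:
    """One summarised flow record (constructed, e.g. from NetFlow/IPFIX)."""
    device: str
    peer: str
    port: int
    proto: str
    country: str      # "INTERNAL" when the peer is inside the enterprise
    bytes_out: int

@dataclass
class Baseline:
    """What the entity model has learned about one device."""
    services: set = field(default_factory=set)      # (proto, port) pairs seen
    countries: set = field(default_factory=set)
    volumes: dict = field(default_factory=lambda: defaultdict(list))

def build_baselines(history):
    """Learn per-device baselines from observed flows."""
    baselines = defaultdict(Baseline)
    for f in history:
        b = baselines[f.device]
        b.services.add((f.proto, f.port))
        b.countries.add(f.country)
        b.volumes[(f.proto, f.port)].append(f.bytes_out)
    return baselines

def evaluate(flow, baseline, sigma=3.0):
    """List how this flow deviates from its device's baseline ([] = normal)."""
    reasons = []
    key = (flow.proto, flow.port)
    if key not in baseline.services:
        reasons.append(f"new port/protocol {flow.proto}/{flow.port}")
    if flow.country not in baseline.countries:
        if baseline.countries == {"INTERNAL"}:
            reasons.append("device normally communicates internally only")
        reasons.append(f"new destination country {flow.country}")
    history = baseline.volumes.get(key)
    if history:
        mu, sd = mean(history), pstdev(history)
        # Assumption: demand a sigma exceedance AND 1.5x the mean, so a
        # constant-volume service (sd == 0) does not alert on every byte.
        if flow.bytes_out > mu + sigma * sd and flow.bytes_out > 1.5 * mu:
            reasons.append(f"volume {flow.bytes_out} bytes vs typical {mu:.0f}")
    return reasons

def constructed_history():
    """20 days of a database server talking only to an internal app server
    on tcp/5432 and an internal NTP source. Constructed, not captured."""
    flows = []
    for day in range(20):
        flows.append(Flow("db-01", "10.0.1.5", 5432, "tcp", "INTERNAL", 100_000 + day * 500))
        flows.append(Flow("db-01", "10.0.0.1", 123, "udp", "INTERNAL", 76))
    return flows
```

Running `evaluate` on a tcp/443 flow from db-01 to a foreign address yields three reasons at once (new service, internal-only device, new country), which is the kind of low-noise, multi-factor alert the next slide describes.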


Dynamic Entity Modeling: Low Noise Alerts Help You Solve Problems


Excessive failed access attempts

DDoS and amplification attacks

Potential data exfiltration

Geographically unusual remote access

Suspected botnet interaction

ALERT: Anomaly detected

95% of Stealthwatch Cloud alerts rated as “helpful” by customers


Amazon Web Services Architecture


A role created for Stealthwatch Cloud in the Amazon account grants the permissions that allow Stealthwatch Cloud to read AWS services over the API (Amazon VPC, Amazon CloudWatch, CloudTrail, GuardDuty, Inspector, Lambda, Config); results are presented in the SaaS Portal.


Google Cloud Platform Architecture


A Stealthwatch Cloud user with permissions in the GCP account allows Stealthwatch Cloud to read GCP Flow Logs from the Virtual Private Cloud and Google Compute Engine over the API; results are presented in the SaaS Portal.


Microsoft Azure Platform Architecture


Inside the Azure Virtual Network, Windows hosts run a 3rd-party flow agent (the flow agent must generate a 5-tuple flow feed) and Linux servers run the Stealthwatch Cloud Sensor. The Stealthwatch Cloud Virtual Appliance is the UDP destination for the flow agents; it collects the data and sends it upstream over a private TLS tunnel to the Stealthwatch Cloud analysis engine, with results presented in the SaaS Portal.


Monitor Premises or Public Cloud Networks


Diagram components: Data Center and Accounting segments behind core switching; NetFlow, IPFIX and SPAN telemetry to the Stealthwatch Cloud Virtual Appliance; a private TLS tunnel from the appliance to Stealthwatch Cloud; the SaaS Portal for management; SIEM integration via Syslog and SNMP.


StealthWatch Cloud Demo


Demo: Simplifying Security Visibility

What’s the customer problem?

• Do my workloads satisfy security compliance?

• Will my network security policies move with my workload?

• How can I deploy and monitor my cloud infrastructure?

Components shown: AMP for Endpoints, Tetration Endpoint Agent, Cloud Center, Stealthwatch Cloud, OpenDNS Umbrella


Threat Centric


Full Process Tree and Timeline


Process Execution Detail for every running process

Detecting Behavioral Deviations

• Match the process behavior deviations to identify suspicious activities

• Trigger on specific event combinations, including:

• Unseen Command

• Privilege escalation

• Shell-code execution

• Side channel attack

• Raw socket creation

• User login activities

• File access pattern

Step by Step Forensic Record: the forensic events shown on the timeline include Vulnerability Exploit, Remote Shell, Payload Delivery, Privilege Escalation, Unseen Command, Prepare to execute, Establish Command and Control, and Persist.


Data Anomaly Detection

• Detect anomalies in neighbor traffic volume

• Temporal Analysis with Seasonality assessment

• Correlate with forensic events and flow data


Tracking Workload Exposures


Privilege escalation


Alerting to SOC

• Flexible alerting per alert type

• Native Kafka

• Notifier appliance

• Email

• Syslog

• PagerDuty

• Kinesis

• Slack


SaaS Security: Cloudlock

Threat Protection: SaaS Protection

CloudLock CASB


Today’s SaaS Security Challenges

Hacking

Compromised accounts and malicious insiders

Gaps in visibility and coverage

Data breaches and compliance


Security Challenges Have Evolved


HQ, Branch, Roaming user → Users, Data, Apps → SaaS


Key Questions Organizations Have


Users/Accounts

• Who is doing what in my cloud applications?

• How do I detect account compromises?

• Are malicious insiders extracting information?

Data

• Do I have toxic and regulated data in the cloud?

• Do I have data that is being shared inappropriately?

• How do I detect policy violations?

Applications

• How can I monitor app usage and risk?

• Do I have any 3rd party connected apps?

• How do I revoke risky apps?


The Cloud Threat Funnel

Funnel: All user behavior → Anomalies → Suspicious activities → True threat

Inputs: Threat intelligence, Cyber research, Cloud vulnerability insight, Centralized policies, Community intelligence, Contextual analysis

Anomaly mix: 58% abnormal behavior, 31% login activities, 11% admin actions

Suspicious activities: 113x the average login failures, 141x the average data asset deletions, 227x the average file downloads

Raw events: Session terminated, Email sent, File modified, File downloaded, Document created, Access denied

Source: Cloudlock CyberLab


CASB – API Access (Cloud to Cloud): Cloudlock connects to the SaaS platforms through their public APIs, so coverage extends to managed and unmanaged users, devices and networks alike (Cisco NGFW / Umbrella are shown alongside in the diagram).

More Than 25% of Those Apps are High Risk

219,000 third-party apps; percent of installs by risk: 27% high risk, 58% medium risk, 15% low risk

Source: Cloudlock CyberLab


Cloudlock Provides Automated Response Actions

Detect → Alert (Admin/Users) → Security Workflows → Response Actions → API Integrations


Example of Why you Need Cloud User Security


North America, 9:00 AM ET: Login

Africa, 10:00 AM ET: Data export

Distance from the US to the Central African Republic: 7362 miles. At a speed of 800 mph, it would take 9.2 hours to travel between them, yet the two events are one hour apart.
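The same reasoning as the slide's login/data-export pair, as an added example (not Cloudlock's detection logic): compute the great-circle distance between two geolocated events of one user and flag the pair when covering that distance in the elapsed time would need more than the 800 mph figure used above. The city coordinates, the UTC conversion of the ET times and the 50-mile jitter floor are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8
MAX_PLAUSIBLE_MPH = 800.0    # airliner speed used on the slide
JITTER_FLOOR_MILES = 50.0    # assumption: ignore GeoIP noise inside a metro area


@dataclass
class CloudEvent:
    """One SaaS audit event with a GeoIP-resolved location (constructed)."""
    user: str
    action: str
    when: datetime       # timezone-aware
    lat: float
    lon: float


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in miles."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def min_travel_hours(distance_miles, speed_mph=MAX_PLAUSIBLE_MPH):
    """Hours needed to cover the distance at the fastest plausible speed."""
    return distance_miles / speed_mph


def check_impossible_travel(prev, curr, speed_mph=MAX_PLAUSIBLE_MPH):
    """Return (flagged, distance_miles, required_mph) for two consecutive
    events of the same user. Flag when the implied speed exceeds speed_mph."""
    assert prev.user == curr.user, "compare events of one user only"
    dist = haversine_miles(prev.lat, prev.lon, curr.lat, curr.lon)
    hours = (curr.when - prev.when).total_seconds() / 3600.0
    if dist < JITTER_FLOOR_MILES:
        return False, dist, 0.0
    # Same second but far apart: no finite speed explains it.
    required = dist / hours if hours > 0 else float("inf")
    return required > speed_mph, dist, required


# Constructed events mirroring the slide: login at 9:00 AM ET (13:00 UTC)
# from the US, data export at 10:00 AM ET (14:00 UTC) from Central Africa.
LOGIN = CloudEvent("alice", "login",
                   datetime(2019, 6, 10, 13, 0, tzinfo=timezone.utc),
                   38.9072, -77.0369)   # assumed: Washington, DC
EXPORT = CloudEvent("alice", "data_export",
                    datetime(2019, 6, 10, 14, 0, tzinfo=timezone.utc),
                    4.3947, 18.5582)    # assumed: Bangui, CAR

if __name__ == "__main__":
    flagged, dist, mph = check_impossible_travel(LOGIN, EXPORT)
    print(f"{dist:.0f} miles in 1 h needs {mph:.0f} mph -> flagged={flagged}")
    print(f"at {MAX_PLAUSIBLE_MPH:.0f} mph the trip takes {min_travel_hours(dist):.1f} h")
```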


More than 24K Files per Organization Publicly Accessible


Data exposure per organization (accessible by external collaborators, accessible publicly, accessible organization-wide): 2%, 10%, 12%

24,000 files publicly accessible per organization

70% of external sharing done with non-corporate email addresses

Source: Cloudlock CyberLab


Cloudlock has Over 80 Pre-Defined Policies


PII: SSN/ID numbers, Driver license numbers, Passport numbers

Education: Inappropriate content, Student loan application information, FERPA compliance

General: Email address, IP address, Passwords/login information

PHI: HIPAA, Health identification numbers (global), Medical prescriptions

PCI: Credit card numbers, Bank account numbers, SWIFT codes


Addresses Most Critical Cloud Security Use Cases


Discover and Control (Apps Firewall, OAuth Discovery and Control): Shadow IT

User and Entity Behavior Analytics: Compromised Accounts, Insider Threats

Cloud Data Loss Prevention (DLP): Data Exposures and Leakages, Privacy and Compliance Violations


Cisco Cloudlock

• Smartest Intelligence: Talos, CyberLab, crowd-sourced community trust ratings

• Proven Track Record: Deployed at over 700 organizations and supporting deployments of over 750,000 users

• FedRAMP ATO: Cisco Cloudlock has received a FedRAMP Authority To Operate (ATO)

• Cisco Ecosystem: Integrated, architectural approach to security, vendor viability

• Cloud-Native: Full value instantly, no disruption

Summary


Cisco’s Architectural Philosophy for Security

Threat-Centric: “Stop the Breach”

Trust-Centric: “Reduce the attack surface using Least privilege access”

Visibility: “See and Share Everything”

Contextual Integrations


Application to Application Flows: East-West within DC and/or Cloud/Multi-Cloud (Workload Security)

Business Use Case – Apps need to access other apps for business purposes (e.g. web-app-db) and management functions (e.g. DC for NTP, DNS, domain, etc.)

Risks – Lack of visibility, policy mis-configuration, policy violations, infection, vulnerability

Capabilities – to mitigate identified risks

Product Mappings – to provide identified capabilities: Cisco AMP, Cisco Tetration


Internal Corp User/Device and Remote Corp User to Application Flows: North-South from corporate network to DC/Cloud (Workforce Security, Workplace Security, Workload Security)

Business Use Case – Users/Devices need to consume apps and app-owners need to manage apps

Risks – Lack of visibility, policy mis-configuration, policy violations, infection, vulnerability

Capabilities – to mitigate identified risks

Product Mappings – to provide identified capabilities: Cisco ASA/FTD or Duo Network Gateway; Cisco Duo Access Gateway; Cisco ISE; Cisco Stealthwatch or Stealthwatch Cloud; Cisco FTD, Cisco Firepower, 3rd party; Cisco AMP & Tetration


Customer to Application Flows: North-South from external network to DC/Cloud (Workplace Security, Workload Security)

Business Use Case – Customers need to access web applications

Risks – Lack of visibility, policy mis-configuration, policy violations, infection, vulnerability, DDoS

Capabilities – to mitigate identified risks

Product Mappings – to provide identified capabilities: Cisco Stealthwatch or Stealthwatch Cloud; Cisco FTD, Cisco Firepower, 3rd party; Cisco AMP & Tetration; Radware


Architecture, Placement and Integration

Campus / VPN (ISE Policy Domain): Wired, Wireless and VPN users (Sales, Partner, Employee, Vendor, BYOD, Non-Compliant); ISE; ASA/Firepower VPN.

Transit Networks (SGT/NSEL best effort): Group exchange between ACI and ISE.

Data Center (APIC Policy Domain): ACI Fabric hosting Web, App and DB tiers; NGFW North-South; NGFW East-West; Tetration Analytics; Stealthwatch.

IaaS (AWS/Azure, Cloud Policy Domain, Cloud Native Policy): Web, App and DB tiers; optional ASA/Firepower; NGFW North-South; Stealthwatch Cloud.

Internet / SaaS: Cisco Umbrella (Cloud DNS).

Policy Modelling, Visibility & Audit applies in each policy domain.

Q&A

Questions? Use Cisco Webex Teams to chat with the speaker after the session

How:

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Webex Teams or go directly to the team space

4. Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 16, 2019.


Cisco Webex Teams: cs.co/ciscolivebot#

Continue your education


Related sessions

Walk-in labs

Demos in the Cisco campus

Meet the engineer 1:1 meetings

Complete your online session evaluation

• Please complete your session survey after each session. Your feedback is very important.

• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.

• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.


Thank you
