Post on 19-Jul-2020
Yes, You can protect your endpoints!
Szilard Csordas, Security Consultant, scsordas [at] cisco.com
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Endpoint Footprint Problem:
• Anti-Virus/Anti-Spyware agent
• IPSec/SSLVPN agent
• Host IPS/FW agent
• 802.1x authentication supplicant
• Data Loss Prevention (DLP) agent
• Malware Prevention agent
• Web Filtering agent
• Behavior/Heuristics agent
• More?
TOO MANY AGENTS!
Everything is Encrypted!
Introducing AnyConnect
• Latest version is AnyConnect 4.3
• See table in Appendix for OS Support
AnyConnect Module Installation Options
Package for your favorite deployment tool
Mobile installed via App Store
Group Policy
AnyConnect Module Installation Options
Client Provisioning
Automatic upgrades from cisco.com with 4.3*
* Can be disabled for some or all users via VPN/ISE configuration
ISE posture is required for any module to be installed
Deployment Use Cases
• Remote Access VPN with Centralized Controls
• Prevention / Detection
• Network Visibility
• Endpoint Compliance
• Enterprise Access
• Admin/Troubleshooting (not covered)
Remote Access VPN
Recommended for Centralized Controls
• Manual – requires the end user to connect to the VPN themselves.
• Automatic using Always-On and Trusted Network Detection – requires little interaction.
Protection / Detection
Advanced Malware Protection for Endpoint (AMP4E)
Umbrella Roaming Security
What is Advanced Malware Protection for Endpoint (AMP4E)?
• Cloud connected & managed
• Focused on two modes of operation
  • Something I know → Prevention = Security Mode
  • Something I don't know…yet → Retrospection = Incident Response Mode
• Supported on
• Deployed standalone or AnyConnect enabled - ISE or VPN
https://youtu.be/xvol1L80Yvs
AMP4E - How does it work?
AMP Cloud
Connector records activity related to file executions
Visibility of executions (history to current)
TCP 443
AMP4E – Right Click on File
Is it known by Cisco? Compare with 3rd party
Dig deeper
• Analyze with AMP ThreatGrid
• File details and network profile
• Retrieve file
Take action
• Detect
• Block
• Allow
AMP4E – Detailed File Analysis from ThreatGrid
Easy classification in AMP using Severity (95+ = Bad, 70+ = Suspicious) and Confidence threat scores
AMP4E – Other ways to parse
Vulnerable Software - Application <-> CVE
Prevalence – low execution count (unique files worth investigating)
Analyze will trigger a Fetch if the file is not already in the repository
AMP4E – Integration with AMP for Networks
AMP4E detected threats are reported in FMC > IoCs and can include OpenIOCs
AMP4E Installed, Quarantine
AMP4E Deployment
Through ISE or ASA, or directly from the portal
AMP Enabler Profile Editor
Direct from portal / via URL
What is Umbrella Roaming Client?
• Off-trusted-network protection across all ports for both domain and IP
• Added layer of protection for existing security controls
• AnyConnect 4.3 (Windows / Mac)
• Existing Roaming Client (Windows / Mac)
How does it work? First Match Rule Table by Identity
Cisco Umbrella
Encrypted, authenticated DNS/IP, security filtered
208.67.222.222 / 208.67.220.220
On trusted network: client goes dormant, network is protected
Root/SP DNS
Local Corp DNS
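The two behaviours on this slide and on the Always-On / Trusted Network Detection slide, a first-match rule table evaluated per identity and a client that goes dormant once it sees the corporate resolvers, as an added example (not Cisco's Umbrella or AnyConnect code). The identities, rule set and the small category feed are constructed for the example; the resolver addresses and the two test domains are the ones the deck names.

```python
"""Added example (not Cisco's Umbrella or AnyConnect code): a first-match
policy table keyed by identity, the way the slide describes Umbrella choosing
a verdict, plus a Trusted Network Detection check that lets the roaming client
go dormant when the corporate resolvers are in use.  Identities, rules and
the category feed below are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Anycast resolvers named on the slide
UMBRELLA_RESOLVERS = ("208.67.222.222", "208.67.220.220")


@dataclass(frozen=True)
class Rule:
    identity: str   # "*" matches any identity
    category: str   # category of the looked-up domain; "*" matches any
    action: str     # "block" or "allow"


# Evaluated top-down; the first matching rule wins and later rules are ignored.
POLICY: List[Rule] = [
    Rule("contractor", "cloud-storage", "block"),
    Rule("*", "malware", "block"),
    Rule("*", "phishing", "block"),
    Rule("finance", "adult", "block"),
    Rule("*", "*", "allow"),        # catch-all
]

# Constructed stand-in for Umbrella's categorization of domains.
CATEGORIES: Dict[str, Set[str]] = {
    "internetbadguys.com": {"phishing"},      # test domain from the slide
    "exampleadultsite.com": {"adult"},        # test domain from the slide
    "dropbox.com": {"cloud-storage"},
    "example.com": set(),                     # known, but uncategorized
}


def classify(domain: str) -> Set[str]:
    """Walk up the label tree so a subdomain inherits its parent's categories."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cats = CATEGORIES.get(".".join(labels[i:]))
        if cats is not None:
            return cats
    return set()


def evaluate(identity: str, domain: str, policy: List[Rule] = POLICY) -> Tuple[str, Optional[Rule]]:
    """Return (action, matching rule) for one DNS lookup by one identity."""
    cats = classify(domain) or {"uncategorized"}
    for rule in policy:
        if rule.identity != "*" and rule.identity != identity:
            continue
        if rule.category != "*" and rule.category not in cats:
            continue
        return rule.action, rule
    return "allow", None   # only reached if the policy has no catch-all


def client_dormant(configured_dns: List[str], corp_dns: Set[str]) -> bool:
    """Trusted Network Detection: when every configured resolver is a corporate
    one, the network is already protected and the roaming client goes dormant."""
    return bool(configured_dns) and set(configured_dns) <= corp_dns


def resolvers_to_use(configured_dns: List[str], corp_dns: Set[str]) -> Tuple[str, ...]:
    """Off the trusted network the client sends queries to the Umbrella anycast
    addresses; on it, the local corporate DNS keeps serving."""
    if client_dormant(configured_dns, corp_dns):
        return tuple(configured_dns)
    return UMBRELLA_RESOLVERS


if __name__ == "__main__":
    for who, name in [("alice", "www.internetbadguys.com"), ("contractor", "dropbox.com"),
                      ("alice", "dropbox.com"), ("finance", "exampleadultsite.com")]:
        print(who, name, evaluate(who, name))
    print(resolvers_to_use(["8.8.8.8"], {"10.1.1.53"}))
```

Because the table is first-match, rule order is policy: the contractor rule must sit above the catch-all or it never fires, which is the usual mistake when such tables are edited by hand.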
Am I protected by Umbrella?
http://welcome.opendns.com/
Phishing testing -> http://www.internetbadguys.com/
Adult content testing -> http://www.exampleadultsite.com
Umbrella Provides Visibility
Filtered by Identity, Service and Date for easy data mining and reporting
Identify cloud services being used (Shadow IT)
Umbrella Provides Protection
Overview Security Activity
Dashboard highlighting protections
Detailed Reports by Identity, Time, Domain…etc
Integration with Cisco and 3rd parties
Internal IP available via Virtual Appliance*
Network Visibility
Network Visibility Module
• For 4.2MR1 – 4.2.1022
• Supported on Windows and Mac devices
• Apex license required
• Integration with Lancope 6.8, LiveAction, Splunk (Enterprise 6.0 with Collector, 64-bit Linux) and Plixer
Dimensions: User Visibility, Device Visibility, Application Visibility, Location/Network Domain, Network Visibility
NVM with Stealthwatch
AWAY: Endpoint Collector
WORK: Network NetFlow/NSEL
Flow Collector, SMC (manager)
Context included: • User • Application • Device • Location: To / From
Added to existing alarms and flow data
NVM Configuration Template: Suppression and Throttling
<?xml version="1.0" encoding="UTF-8"?>
<NVMProfile xsi:noNamespaceSchemaLocation="NVMProfile.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- profile elements not shown on the slide -->
</NVMProfile>
Broadcast and multicast suppression
Throttling so as not to overwhelm the VPN
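What the two settings on this slide do to an endpoint's flow stream, as an added example that is not Cisco's NVM implementation: broadcast and multicast flows are dropped before export, and a token bucket caps the export rate so telemetry cannot crowd out user traffic on the tunnel. The record layout mirrors the context NVM adds (user, process, device); the sample flows, subnet and thresholds are constructed for the example.

```python
"""Added example, not Cisco's NVM implementation: the two controls the slide
names, broadcast/multicast suppression and throttling, applied to constructed
endpoint flow records before they would be exported to a collector.  The
record fields mirror the context NVM adds (user, process, device); the
thresholds and sample flows are assumptions for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOCAL_NET = ipaddress.ip_network("10.1.5.0/24")   # constructed endpoint subnet


@dataclass(frozen=True)
class Flow:
    user: str
    process: str
    device: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_broadcast_or_multicast(addr: str, local_net: ipaddress.IPv4Network) -> bool:
    """Chatter that carries no conversation of interest: multicast (SSDP, mDNS, ...)
    and the local subnet's directed broadcast or the limited broadcast address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return True
    return ip.version == 4 and ip in (local_net.broadcast_address,
                                      ipaddress.ip_address("255.255.255.255"))


class Throttle:
    """Token bucket: up to `burst` records at once, refilled at `rate` per second.
    Records that find no token are dropped rather than queued, so a chatty
    endpoint cannot back up the VPN tunnel with its own telemetry."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last: Optional[float] = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def export(flows: List[Tuple[float, Flow]], local_net: ipaddress.IPv4Network,
           throttle: Throttle) -> Tuple[List[Dict], int, int]:
    """Return (records to export, suppressed count, throttled count)."""
    exported, suppressed, throttled = [], 0, 0
    for ts, f in flows:
        if is_broadcast_or_multicast(f.dst, local_net):
            suppressed += 1
            continue
        if not throttle.allow(ts):
            throttled += 1
            continue
        exported.append({"ts": ts, "user": f.user, "process": f.process,
                         "device": f.device, "dst": f"{f.dst}:{f.dport}",
                         "bytes": f.bytes_out})
    return exported, suppressed, throttled


# Constructed sample: one endpoint on LOCAL_NET, timestamps in seconds.
SAMPLE: List[Tuple[float, Flow]] = [
    (0.0, Flow("nedzaldivar", "Dropbox.exe", "LAPTOP-01", "10.1.5.20", "162.125.1.1", 443, 5_000_000)),
    (0.0, Flow("nedzaldivar", "svchost.exe", "LAPTOP-01", "10.1.5.20", "10.1.5.255", 137, 200)),
    (0.1, Flow("nedzaldivar", "svchost.exe", "LAPTOP-01", "10.1.5.20", "239.255.255.250", 1900, 300)),
    (0.2, Flow("nedzaldivar", "chrome.exe", "LAPTOP-01", "10.1.5.20", "93.184.216.34", 443, 1200)),
    (0.3, Flow("nedzaldivar", "chrome.exe", "LAPTOP-01", "10.1.5.20", "93.184.216.34", 443, 800)),
    (0.4, Flow("nedzaldivar", "outlook.exe", "LAPTOP-01", "10.1.5.20", "52.96.0.1", 443, 600)),
    (2.5, Flow("nedzaldivar", "teams.exe", "LAPTOP-01", "10.1.5.20", "52.112.0.1", 443, 900)),
]


def run_sample() -> Tuple[List[Dict], int, int]:
    # burst=2, rate=1/s: the two broadcast/multicast flows never reach the bucket,
    # the third and fourth unicast flows arrive before a token has refilled.
    return export(SAMPLE, LOCAL_NET, Throttle(rate=1.0, burst=2))


if __name__ == "__main__":
    records, dropped_bcast, dropped_rate = run_sample()
    print(f"exported={len(records)} suppressed={dropped_bcast} throttled={dropped_rate}")
    for r in records:
        print(r)
```

Throttling drops rather than queues on purpose: a queue would only move the congestion from the tunnel into the agent's memory, and the collector can see from the gaps that records were shed.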
NVM Configuration TemplateFlexible Data Collection Policy
Data Loss is just one alarm
Suspect Data Loss: 3
Insider Threat – Bad Behavior Discovery
HTTPS Unclassified now Known
AnyConnect NVM with Lancope Stealthwatch
• Application identified – Dropbox
• Application hash – who else is running it?
• Identity – nedzaldivar (even without ISE or Identity, from a non-domain asset)
Verify Application is Correct
AnyConnect NVM with Cisco Stealthwatch
Corporate Assets
Network Access Manager (NAM)
What is Network Access Manager (Windows only)?
• 802.1X supplicant
• EAP-Chaining
• MACsec
AES-128 encrypted vs. unencrypted
802.1AE – replay protection for every packet
Single authentication/authorization session
EAP-Chaining – ISE Log Example
• User and Machine Tied together
• EAP-FAST Required
MACsec ISE Configuration Example
ISE authorization result is MACsec
ISE Authorization Policy
Compliance (Posture)
Compliance (Posture)
• Provides deep inspection of OS, files, certificates, registry, anti-virus, anti-spyware, personal firewall, open ports, running processes…etc
• AnyConnect Apex license required!
Options
• Hostscan with VPN connecting to an
• ISE Posture with connecting to Wired, Wireless or VPN using
With ASA 9.2, an inline Posture node is not required; Change of Authorization is natively supported.
ISE Posture
Registry check for machine joined to domain
Endpoint Visibility          ASA Hostscan           ISE Posture
Policy Framework             DAP                    ISE+VPN
Updates                      Every 3 months         Dynamically
IP, Hostname, MAC address    Yes                    Yes
Certificate Fields           Yes                    Yes
BIOS Serial Number           Yes                    No
Personal Firewall            Yes                    No
File CRC32 Check             Yes                    Yes
Disk Encryption              No                     Yes
SHA256 File Check            No                     Yes
USB Check                    No                     Yes*
OS Support                   Windows, Mac, Linux    Windows, Mac
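Three of the check types in the table, the CRC32 file check that Hostscan offers, the SHA256 file check that ISE offers, and the registry check for domain membership from the previous slide, as an added example of how a posture evaluator applies them. This is not Cisco's Hostscan or ISE posture code. Registry access goes through a reader callable so the policy logic runs anywhere; the Windows reader uses the standard winreg module. The sample file, expected values and policy are constructed, and the registry location used for the domain name is an assumption of this example.

```python
"""Added example, not Cisco's Hostscan or ISE posture code: a small posture
evaluator for three check types from the table, a CRC32 file check (the kind
Hostscan offers), a SHA-256 file check (the kind ISE offers) and a registry
check for domain membership.  File contents, expected values and policy are
constructed; the registry location is an assumption of this example."""
import hashlib
import zlib
from typing import Callable, Dict, List, Optional, Tuple

ReadValue = Callable[[str, str], Optional[str]]   # (HKLM subkey, value name) -> data

# Constructed stand-in for a file the policy wants to verify, e.g. an agent binary.
SAMPLE_FILE = b"MZ\x90\x00 sample agent binary contents\n"


def crc32_hex(data: bytes) -> str:
    # CRC32 is an error-detecting code, not a cryptographic hash: it catches
    # accidental corruption, but it gives no assurance against deliberate
    # substitution, which is why the SHA-256 check is the one to prefer.
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_file(data: bytes, expected: str, algo: str) -> bool:
    if algo == "sha256":
        return sha256_hex(data) == expected.lower()
    if algo == "crc32":
        return crc32_hex(data) == expected.lower()
    return False   # unknown algorithm: fail closed


def check_domain_joined(read_value: ReadValue, expected_domain: str) -> bool:
    # Assumption for this example: the machine's DNS domain as recorded under
    # HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, value "Domain";
    # a blank or missing value is treated as not joined.
    value = read_value(r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "Domain")
    return bool(value) and value.lower() == expected_domain.lower()


def windows_registry_reader(subkey: str, name: str) -> Optional[str]:
    """Real reader for Windows endpoints; returns None when key or value is absent."""
    import winreg  # available only on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            data, _ = winreg.QueryValueEx(key, name)
            return str(data)
    except OSError:
        return None


def evaluate_posture(checks: List[Dict], file_data: bytes, read_value: ReadValue) -> Tuple[bool, List[str]]:
    """Run every check; return (compliant, names of failed checks)."""
    failed: List[str] = []
    for c in checks:
        if c["type"] == "file":
            ok = check_file(file_data, c["expected"], c["algo"])
        elif c["type"] == "registry_domain":
            ok = check_domain_joined(read_value, c["expected"])
        else:
            ok = False   # unknown check types fail closed
        if not ok:
            failed.append(c["name"])
    return not failed, failed


# Constructed policy: expected values are taken from the known-good sample file.
POLICY: List[Dict] = [
    {"name": "agent-sha256", "type": "file", "algo": "sha256", "expected": sha256_hex(SAMPLE_FILE)},
    {"name": "agent-crc32", "type": "file", "algo": "crc32", "expected": crc32_hex(SAMPLE_FILE)},
    {"name": "domain-joined", "type": "registry_domain", "expected": "corp.example"},
]


def fake_registry(values: Dict[str, str]) -> ReadValue:
    """Reader backed by a dict, standing in for HKLM on non-Windows hosts."""
    return lambda subkey, name: values.get(name)


if __name__ == "__main__":
    print(evaluate_posture(POLICY, SAMPLE_FILE, fake_registry({"Domain": "corp.example"})))
    print(evaluate_posture(POLICY, SAMPLE_FILE + b"x", fake_registry({})))
```

Every unknown check type or algorithm fails closed: a posture agent that silently skips what it does not understand would report compliance for a policy it never evaluated.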
BRKSEC-2051
Summary
• AnyConnect reduces Agent Sprawl!
• Added Security with each module
• Provides Visibility and Control
• The complexity of the network is mirrored on the endpoints
Thank you