Cisco security everywhere jamie sanbower 2-25-16

Jamie Sanbower, CCIEx3 #13637 Security Technical Solutions Architect Security Everywhere

The latest and greatest

Security Everywhere

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Agenda

- Security Architecture Overview
- NGFW / NGIPS
- Advanced Threat Defense
- Policy & Access
- Meraki Security
- Summary

Security Architecture Overview

Comprehensive Best-of-Breed Security Portfolio

Building Blocks Working Together as an Architecture

Open | Cloud | Integrated | Continuous

- NGFW/NGIPS
- Advanced Threat
- Policy and Access
- Web
- Email
- UTM

Threat Intelligence and Analytics

Baseball team analogy (moses)

Working Together to Create a Security Architecture

Pervasive & Integrated Across the Portfolio

- Cisco FTD, ASA w/ FP
- Cisco Web & Email Security
- Cisco NGIPS
- Cisco AMP Client, AMP
- OpenDNS
- TrustSec, ISE, pxGrid
- NaaS, NaaE

- Common Identity, Policy and Context Sharing
- Malware Prevention / Sandboxing
- Context-aware Segmentation
- Network Integration
- Context
- Visibility

Better Together: Lots of Products, Working Together

Example Capabilities Architected into Network Fabric

- Network as an Enforcer: Reduce Lateral Movement, Enforce Dynamic Granular Access Control, Compliance Adherence
- Network as a Sensor: Detect Anomalous Traffic Flows, Rogue Devices/APs, User Access Policy Violations
- Accelerate Containment: Automate Quarantine, Traffic Redirection, Real-Time Application of ACLs

Massive Innovation and Investment

- Hosted Identity Services
- ThreatGRID appliance
- Advanced Threat Analytics
- Radware and Zix partnerships
- Cisco ASA with FirePOWER Services
- Network as a Sensor and Enforcer
- ACI Integration with ASA and FirePOWER
- Neohapsis and OpenDNS Acquisitions
- AMP Everywhere
- Acquisition of Lancope and Portcullis
- FirePOWER Services on ISR
- New Platforms (ASA 5506, 5508, 5516, 5506-H, & FirePOWER 9300)
- AMP in AnyConnect

NGFW / NGIPS

NGIPS / NGFW Capabilities

Firepower NGIPS | Firepower + AMP | ASA + Firepower + AMP

- Application Visibility and Control (AVC)
- Identity Authorization
- Intrusion Prevention
- Monitoring Analytics
- Threat Intelligence
- Web Reputation Filtering
- Anti-Malware File Reputation
- Malware Sandbox
- Firewall
- Access Control Using TrustSec
- Routing
- VPN Concentrator
- Clustering

- Common NGIPS and AMP code base
- Common Threat Management: Firepower MC
- Common Security Intelligence: Talos

NGFW

NSS Labs Next-Generation Firewall Security Value Map

Source: NSS Labs 2014

The NGFW Security Value Map shows the placement of Cisco ASA with FirePOWER Services and the FirePOWER 8350 as compared to other vendors. All three products achieved 99.2 percent in security effectiveness and now all can be confident that they will receive the best protections possible regardless of deployment.

NSS Labs Next-Generation IPS Security Value Map

Source: NSS Labs 2015

The Firepower 8350 blocked 99.5% of exploits. The device proved effective against all evasion techniques tested. The device also passed all stability and reliability tests. The Cisco Firepower 8350 is rated by NSS at 18,544 Mbps, which is higher than the vendor-claimed performance; Cisco rates this device at 15 Gbps.

Some thoughts on how to interpret the latest NSS numbers

Security Effectiveness Scores:

1800 attacks

- Cisco: 99.5% (missed 8)
- PAN: 98.8% (missed 21)
- TippingPoint: 86.6% (missed 241)
- Fortinet: 99.2% (missed 14)

Now, the report says they ran over 1800 attacks. If we just use 1800 as the number, then that means Cisco missed 8 attacks. PAN missed 21. Fortinet missed 14+. TippingPoint missed 241.

Can't we say, then, that a customer running PAN was 2-1/2 times more likely to be compromised than Cisco? The number is actually 2.6 times more likely. We could also call it 260% more likely.

Using the same logic, a Fortinet customer would be 1.8 times more likely (or 180% more likely).

TippingPoint completely sucks, using this logic. More than 30 times more likely, or 300% more likely to be compromised.

We all know PAN is a pain. They're not a pain because they're a better firewall or IPS. They're a pain because they are VERY GOOD at focusing their attention on the few things they do better. In the past, this was application visibility and application-based firewall rules. Several years ago, it was identity-based rules.

Most recently, for me, it's back to identity. Only now, they're not looking at AD. They're focusing the customers on the need to support authentication through other means, like listening to RADIUS accounting packets (which can easily be spoofed, by the way) and Outlook Web Access authentication. It's also on SafeSearch lately. They convince the customers that these requirements are a MUST, and use it to eliminate Cisco.

We need to focus the customers, instead, on PROTECTING THEIR NETWORKS. No one does this as well as Cisco.

Gary

Cisco Firepower Management Center (Firesight)

There's actually a video embedded here. Play it during the presentation!

Most Accurate NGIPS

Understand the Context of the traffic:

Who, What, Where, Which Applications


IPS Rules automatically tuned for YOUR environment!


Most Powerful NGFW


Advanced Threat Defense


NSS Labs Breach Detection Systems Security Value Map

Source: NSS Labs 2015

Cisco AMP offers superior security effectiveness, excellent performance, and provides security across more attack vectors than any other vendor.

99.2% Security Effectiveness rating in BDS testing, the highest of all vendors tested.

Excellent performance with minimal impact on network, endpoint, or application latency.

Introduction to NetFlow

Host 10.2.2.2 (port 1024) and host 10.1.1.1 (port 80) communicate through a device with interfaces eth0/1 and eth0/2. Each direction produces its own flow record:

| Start Time | Interface | Src IP | Src Port | Dest IP | Dest Port | Proto | Pkts Sent | Bytes Sent | TCP Flags |
|---|---|---|---|---|---|---|---|---|---|
| 10:20:12.221 | eth0/1 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 5 | 1025 | SYN,ACK,PSH |
| 10:20:12.871 | eth0/2 | 10.1.1.1 | 80 | 10.2.2.2 | 1024 | TCP | 17 | 28712 | SYN,ACK,FIN |

NetFlow = Visibility

    Router# show flow monitor CYBER-MONITOR cache
    IPV4 SOURCE ADDRESS: 192.168.100.100
    IPV4 DESTINATION ADDRESS: 192.168.20.6
    TRNS SOURCE PORT: 47321
    TRNS DESTINATION PORT: 443
    INTERFACE INPUT: Gi0/0/0
    IP TOS: 0x00
    IP PROTOCOL: 6
    ipv4 next hop address: 192.168.20.6
    tcp flags: 0x1A
    interface output: Gi0/1.20
    counter bytes: 1482
    counter packets: 23
    timestamp first: 12:33:53.358
    timestamp last: 12:33:53.370
    ip dscp: 0x00
    ip ttl min: 127
    ip ttl max: 127
    application name: nbar secure-http

A single NetFlow Record provides a wealth of information
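An added example (not part of the original deck): Python code that parses the `show flow monitor` record above, decodes its `tcp flags` value, and merges the two unidirectional rows of the "Introduction to NetFlow" table into one conversation. The function names and the rule that the earliest record belongs to the client are assumptions of this example.

```python
"""Parse a Flexible NetFlow cache record and stitch unidirectional flows."""

# Constructed input: fields of the slide's record, re-typed one per line.
RECORD = """\
IPV4 SOURCE ADDRESS: 192.168.100.100
IPV4 DESTINATION ADDRESS: 192.168.20.6
TRNS SOURCE PORT: 47321
TRNS DESTINATION PORT: 443
IP PROTOCOL: 6
tcp flags: 0x1A
counter bytes: 1482
counter packets: 23
timestamp first: 12:33:53.358
timestamp last: 12:33:53.370
application name: nbar secure-http
"""

# TCP header flag bits, lowest bit first.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_record(text):
    """Turn 'name: value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only, so timestamps keep their colons.
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields


def decode_tcp_flags(value):
    """NetFlow reports the OR of every TCP flag seen in the flow (e.g. 0x1A)."""
    bits = int(value, 16)
    return [name for bit, name in TCP_FLAGS if bits & bit]


def conversation_key(flow):
    """Direction-independent key: protocol plus the two endpoints, sorted."""
    ends = sorted([(flow["src"], flow["sport"]), (flow["dst"], flow["dport"])])
    return (flow["proto"], ends[0], ends[1])


def stitch(flows):
    """Merge the unidirectional records of each conversation.

    Assumption of this example: the record with the earliest start time
    belongs to the initiator (client); its peer is the server.
    """
    out = {}
    for flow in sorted(flows, key=lambda f: f["start"]):
        key = conversation_key(flow)
        conv = out.get(key)
        if conv is None:
            out[key] = {"client": flow["src"], "server": flow["dst"],
                        "server_port": flow["dport"],
                        "client_bytes": flow["bytes"], "server_bytes": 0}
        elif flow["src"] == conv["client"]:
            conv["client_bytes"] += flow["bytes"]
        else:
            conv["server_bytes"] += flow["bytes"]
    return list(out.values())


# The two rows of the "Introduction to NetFlow" table, deliberately out of order.
TABLE_FLOWS = [
    {"start": "10:20:12.871", "src": "10.1.1.1", "sport": 80,
     "dst": "10.2.2.2", "dport": 1024, "proto": "TCP", "bytes": 28712},
    {"start": "10:20:12.221", "src": "10.2.2.2", "sport": 1024,
     "dst": "10.1.1.1", "dport": 80, "proto": "TCP", "bytes": 1025},
]

if __name__ == "__main__":
    rec = parse_record(RECORD)
    print(rec["ipv4 source address"], decode_tcp_flags(rec["tcp flags"]))
    print(stitch(TABLE_FLOWS))
```

The stitched view is what makes the byte asymmetry visible: the server returned roughly 28 times as many bytes as the client sent.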

Turn Network into a Security Sensor Grid

[Diagram: sites Atlanta, San Jose and New York and the Internet; devices across Datacenter, WAN, DMZ and Access (ASR-1000, Cat6k, Cat4k, UCS with Nexus 1000v, ASA, 3925 ISR, 3560-X, 3750-X stack(s)), each exporting NetFlow]

- Know The Top Security Events You Should Investigate
- Target Unusual Behavior Without Tuning
- Easily white-list critical device network flow behavior

Critical devices would include point of sale systems, IoT devices, any device that uses a minimum amount of predictable functions/behaviors. Not for generic Windows clients.

Cisco StealthWatch System

Network Reconnaissance Using Dynamic NetFlow Analysis

- Monitor: Understand your network normal. Gain real-time situational awareness of all traffic.
- Detect: Leverage Network Behavior Anomaly detection & analytics. Detect behaviors linked to APTs, insider threats, DDoS, and malware.
- Analyze: Collect & Analyze holistic network audit trails. Achieve faster root cause analysis to conduct thorough forensic investigations.
- Respond: Accelerate network troubleshooting & threat mitigation. Respond quickly to threats by taking action to quarantine through Cisco ISE.

*Cisco acquired Lancope Dec 15

SCRIPT: The next product within the solution is Lancope StealthWatch. Lancope is a Cisco partner and StealthWatch is on the Cisco Price List. StealthWatch enables context-aware visibility, threat detection, incident response diagnostics and user monitoring. It gives deeper visibility into the network and also accelerates the response of what to do with NetFlow data: it analyzes the NetFlow data and provides analytics on top of it. StealthWatch can look at user behavior (copying files, moving places in the network) and determine whether these behaviors are suspicious. It allows you to provide analytics and gain insight from NetFlow: you can gain visibility into user behavior, detect anomalies, collect and analyze network audit trails and leverage Cisco Identity Services Engine, or Cisco ISE, to take action based on this visibility.

Network as a Sensor: Host Lock Violation and Suspect Data Loss

[Diagram labels: Stores, Data Center, Private WAN (trusted), Internet, Public Internet; POS Terminals, Wireless POS, Wireless AP, C3850 Unified Access, ISR G2 Routers, ASA Firewall, Card Processor / Credit Card Processor, Hacked Server / Compromised Server, StealthWatch FlowCollector, StealthWatch Management Console, Cisco ISE. Labelled flows: Updates from POS Server (HTTPS); Credit Card Processing (HTTPS); Exfiltration of Credit Cards OR Commands from Attacker; Command and Collect]

This is where you put them.

The Lancope stuff.

Visibility doesn't require any presence in the store. You do need to have a 3850 if you want to do NetFlow between devices in the store, which is a recommendation. You also would only need a Flow Sensor if you want to get granular application data; typically this can also be done at the datacenter.

Two features to help: one is Suspect Data Loss, the other is Host Lock Violation.
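The two checks named in these notes, as an added Python example run over constructed flow records (not StealthWatch's implementation and not part of the original deck). A host lock is modelled as an allow list for the POS terminal group, and suspect data loss as a per-host total of bytes sent outside the organization; every address, port, threshold and function name here is an assumption of the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# All addresses, ports and thresholds below are constructed for this example.
INSIDE = ip_network("10.0.0.0/8")            # address space the company owns
POS_TERMINALS = ip_network("10.20.30.0/24")  # the locked host group
ALLOWED_FOR_POS = {                          # (destination, port, protocol)
    ("10.1.1.10", 443, "tcp"),     # POS server: updates over HTTPS
    ("198.51.100.7", 443, "tcp"),  # card processor: HTTPS
}
DATA_LOSS_THRESHOLD = 50_000_000             # bytes sent outside, per host

FLOWS = [  # constructed flow records for one reporting window
    {"src": "10.20.30.11", "dst": "198.51.100.7", "dport": 443,
     "proto": "tcp", "bytes": 4_200},
    {"src": "10.20.30.11", "dst": "10.1.1.10", "dport": 443,
     "proto": "tcp", "bytes": 9_800},
    {"src": "10.20.30.12", "dst": "10.1.1.66", "dport": 8080,
     "proto": "tcp", "bytes": 310_000},
    {"src": "10.1.1.66", "dst": "203.0.113.50", "dport": 443,
     "proto": "tcp", "bytes": 48_000_000},
    {"src": "10.1.1.66", "dst": "203.0.113.50", "dport": 443,
     "proto": "tcp", "bytes": 31_000_000},
    {"src": "10.1.1.10", "dst": "203.0.113.9", "dport": 443,
     "proto": "tcp", "bytes": 2_000_000},
]


def host_lock_violations(flows):
    """Flows from a locked host to anything that is not on its allow list."""
    return [f for f in flows
            if ip_address(f["src"]) in POS_TERMINALS
            and (f["dst"], f["dport"], f["proto"]) not in ALLOWED_FOR_POS]


def suspect_data_loss(flows, threshold=DATA_LOSS_THRESHOLD):
    """Inside hosts whose total bytes sent to outside addresses exceed threshold.

    Totals are accumulated per host, so several flows that are each below
    the threshold still raise an alert once their sum crosses it.
    """
    sent = defaultdict(int)
    for f in flows:
        if ip_address(f["src"]) in INSIDE and ip_address(f["dst"]) not in INSIDE:
            sent[f["src"]] += f["bytes"]
    return {host: total for host, total in sent.items() if total > threshold}


def hosts_to_investigate(flows):
    """Combine both checks into one alert list per host."""
    alerts = defaultdict(list)
    for f in host_lock_violations(flows):
        alerts[f["src"]].append(
            "host lock violation: %s:%d" % (f["dst"], f["dport"]))
    for host, total in suspect_data_loss(flows).items():
        alerts[host].append("suspect data loss: %d bytes sent outside" % total)
    return dict(alerts)


if __name__ == "__main__":
    for host, reasons in sorted(hosts_to_investigate(FLOWS).items()):
        print(host, reasons)
```

Because the allow list describes only the small, predictable behavior of POS terminals, it needs no tuning; the same approach would be noisy for general-purpose clients, as the notes on critical devices point out.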

Best-of-Breed Cisco Advanced Malware Protection

Continuous Protection: Reputation Filtering and Behavioral Detection

- Dynamic Analysis
- Machine Learning
- Fuzzy Finger-printing
- Advanced Analytics
- One-to-One Signature
- Indications of Compromise
- Device Flow Correlation

These seven features break down into two types: reputation filtering and behavioral detection.

Reputation filtering comprises three key features, the first of which is One-to-One Signatures.

AMP Everywhere: AMP Protection Across the Extended Network for an Integrated Threat Defense

AMP Threat Intelligence Cloud

- AMP for Endpoints: Windows OS, Android Mobile, Virtual, Mac OS, CentOS and Red Hat Linux for servers and datacenters
- AMP for Endpoints can be launched from AnyConnect
- AMP on Web and Email Security Appliances
- AMP on Cisco ASA Firewall with Firepower Services
- AMP Private Cloud Virtual Appliance
- AMP on Firepower NGIPS Appliance (AMP for Networks)
- AMP on Cloud Web Security and Hosted Email
- CWS/CTA
- AMP on ISR with Firepower Services
- Threat Grid: Malware Analysis + Threat Intelligence Engine

Endpoints, Network Edge, Data Center, Remote Endpoints

With AMP Everywhere, organizations can deploy a security architecture that shares information and provides an integrated threat defense, from network edge to data center to endpoints, across all attack vectors.

Network AMP Indicators of Compromise

Sometimes doesn't answer the question: Did the malware execute?

With AMP for Networks + AMP for Endpoints: Network AMP + Endpoint AMP = Better Context

- Detecting malware is great, but it could have been blocked on the client by AV or AMP for Endpoints
- Knowing the malware executed makes prioritizing response much easier

A device with the AMP for Endpoints connector reacts to a retrospective event and immediately stops and quarantines the newly detected malware.

This machine here, 10.5.11.8, we can see that it has the AMP for Endpoints connector installed. We know this because immediately after that retrospective event was raised the endpoint quarantined the file. So by having the connector on the endpoint you have the ability to clear up, remediate and quarantine that infection on the endpoint in near real time.

When Malware Strikes, Have Answers

- Where did it come from?
- Who else is infected?
- What is it doing?

Device Trajectory, File Trajectory, File Analysis, Automated Remediation

AMP is context-aware

The great thing about AMP is that it's context aware. In this case, we are looking at the device trajectory. We see a list of applications (green are known-good, red known-bad and black unknown). The lines coming out of these are timelines, and the icons show when the file was moved, copied or executed. An example of context is the line coming out of 14 [PE], a file with unknown disposition, that shows it dropping file 4 [PE], a known bad file. We can therefore infer that 14 is also bad.

Cisco AMP with ThreatGRID

Best-of-breed malware/file sandboxing

- 450+ behavioral indicators (and growing)
- Malware families, malicious behaviors, and more
- Detailed description and actionable information
- Prioritize threats with confidence
- Enhance SOC analyst and IR knowledge and effectiveness (and security product)

We generate a Threat Score for every sample to assess how malicious it is. We do this by analyzing more than 450 behavioral indicators defined by our own reverse-engineering and threat research team. These indicators are based on the actual actions a file performs that we observe (that outside-looking-in approach I mentioned) when we run the file through our analysis engines. The indicators are detailed descriptions of the actual behavior exhibited, including identifying what a particular sample was attempting to do. We look at these behaviors in a broader context, comparing your information against the behavior of millions of known samples to arrive at how that behavior was triggered by your specific sample. And we use a proprietary algorithm that considers the severity and confidence of the observed malware actions along with historical data and other parameters. The result is a threat score and behavioral analysis that gives security analysts the real-time insight they need to prioritize and respond to threats.

A key differentiator for Threat Grid is that we take this analysis and reporting and we perform it at scale.

OpenDNS Adds to Cisco's Threat Prevention Portfolio

PRODUCTS & TECHNOLOGIES

- Umbrella (Enforcement): DNS-based security service protects any device, anywhere
- Investigate (Intelligence): Discover and predict attacks before they happen

A Quick Refresher on DNS

- RECURSIVE DNS: Looks up & remembers the #s for each name
- DOMAIN REGISTRAR: Maps and records names to #s in phone books
- AUTHORITATIVE DNS: Owns and publishes the phone books

# = IP address

Advantages of a DNS-based Solution

- ANY OPERATING SYSTEM: Win, Mac, iOS, Android, Linux, ChromeOS, and even network devices and custom operating systems
- FAST AND SCALABLE: Extremely efficient query/response method
- SIMPLE TO DEPLOY: the network's DHCP tells every connected device where to point DNS

The elegance of DNS is that everything uses it already today. It doesn't matter who owns the device, how you've set up your network, or what OS or apps are running; they all work with DNS the same.

The Power of OpenDNS + Cisco

[Diagram: Internet threats (malware, botnets/command & control, phishing) and a DNS layer covering HQ, branch, roaming and off-net users; Cisco products shown: Lancope, WSA (+ESA), FirePOWER, AnyConnect, Meraki and ASA, several with AMP; enforcement points are marked "HERE"]

BENEFITS

- Alerts Reduced 2-10x; Improves your SIEM
- Block malware before it hits the enterprise
- Contains malware C&C and Data Exfil
- No added latency
- Provision globally in under 30 minutes!

Your customers have already deployed Cisco appliances at offices and Cisco agents on devices. Of course, you can block malware on the network and the endpoint, but why wait until malware reaches the enterprise when you can block it out on the Internet? For that matter, why wait until anyone knows it's malware, by learning about threats earlier in the attack lifecycle when the infrastructure is staged to launch the malware? That will cut customers' # of alerts by 2 to 10 times. And for the malware that gets inside, contain its ability to exfiltrate data.

Block malware outside the enterprise, on the internet.

We prevent and contain threats very early in the attack lifecycle (kill chain), and do so by identifying / blocking the threat at the point at which it's staged/launched/controlled (i.e. very far away from the target [network, laptop, application, etc.]). We help stop attacks closer to the source of attack (so block the infection before the file/payload has been delivered and has had to traverse parts of the enterprise; there are many benefits to this).

----ALTERNATIVE-----

Recall that DNS is ubiquitous for every network and endpoint footprint that exists in an organization. Even IoT devices rely on DNS. It doesn't require deploying a new appliance in the network. It doesn't require changing WCCP on a network you manage or deploying PAC files on an endpoint you own to redirect web traffic. And we don't care if web traffic is encrypted. Leveraging our wireless hardware partnerships, changing a single IP in DNS or DHCP servers, or referring to our network device setup guides makes it so easy to point DNS to us. We're not exaggerating when we say it takes only 30 minutes to cover dozens of locations and thousands of devices. It is the fastest and easiest way to stop the vast majority of threats trying to infiltrate your systems and exfiltrate your data.

----

No endpoint security solution comes close to providing as much visibility into all Internet activity as Umbrella. And by combining the Internet-wide visibility that our Investigate product adds to Umbrella, customers can even identify targeted attacks.

----

But perhaps most valuable is that, because DNS precedes every IP connection, we cut the number of security alerts generated by the rest of a customer's security stack in half or more.

OpenDNS working within the Architecture: better together

START: App wants to connect to the Internet

1. DNS request to resolve URL
2. DNS traffic redirects to OpenDNS
3. OpenDNS resolves request
4. App allowed to send web request
5. Web traffic redirected thru CWS
6. CWS performs web & file inspection

BENEFIT: Very-fast operation that accurately blocks a large percentage of threats

RESULT: Best-of-breed web threat protection that is efficient and easy to deploy

[Diagram labels: OpenDNS Umbrella (DNS traffic); Cisco CWS (remaining web traffic); Internet]

A New Layer of Breach Protection: Recursive DNS Inspection

UMBRELLA (Enforcement)

- Threat Prevention: DNS is common to almost all threats
- Protects On & Off Network: Not limited to devices forwarding traffic through on-premise appliances
- Partner & Custom Integrations: Block based on malware analysis (Threatgrid, FireEye, etc.)
- Block by Domains for All Ports: No added latency
- Incredibly easy to POV/Deploy: 30min deploy time

Free version

OpenDNS Umbrella and ThreatGrid integration: Suspect Domain Protection

[Diagram labels: AMP Threat Grid (Dynamic Analysis, Static Analysis, Threat Intelligence); File Sample; Domain Based IOC Data; Security Analyst; AMP ThreatGrid Enabled Security Solutions: Firewall Appliance (ASA / FP), FirePOWER, Web Security (Web Sec), E-Mail Security (ESA), Mobile AMP; Protected Clients]

Benefits

- Immediate Protection from domain based IOCs
- Automated integration
- Full AMP Solution Coverage

Policy & Access


Protection against Advanced Persistent Threats: Network Segmentation is critical

Verizon DBIR 2014: Recommended Controls

Cisco Secure Access: Making segmentation easy and dynamic

ISE, TrustSec, AnyConnect, Cloud Web Security, Web Security

- Centralized Policy, Identity Authorization, L2/L3 Segmentation, Guest Access, MDM Integration, Posture & Profiling
- Access Control Segmentation, L2/L3 Segmentation, Firewall Simplification
- Universal Security Client, MDM Integration, Posture & Profiling, AMP Enabler

Simplify: Segmenting PCI traffic with SGT Security Domain Level classifications

[Diagram labels: Yellow Retail Store, Yellow Retail WAN, Yellow 3rd-party supplier, Blue Retail Store, Blue Retail WAN, M&A Company X, Core Network (Transit), Data Centre (Shared Apps, Retail Apps); SGACLs applied at each edge]

- TAG everything yellow
- Allow Yellow & Purple

DC Router:

- Allow yellow to yellow
- Allow blue and Yellow to purple
- Tag Yellow apps Yellow
- Tag Shared apps Purple

- TAG everything Blue
- Allow Blue to Purple
- Deny Blue to Blue except collaboration apps

Meraki Security


Cisco Meraki: Cloud-managed Networks

- Meraki MS Ethernet Switches
- Meraki SM Mobile Device Management
- Meraki MR Wireless LAN
- Meraki MX Security Appliances

Meraki MX Security Appliances

- 6 models scaling from small branch to campus / datacenter
- Complete networking and security in a single appliance

Feature highlights: Zero-touch site to site VPN, WAN optimization, NG firewall, Content filtering, WAN link-bonding, Intrusion Prevention

Future support for: AMP, IPFIX

Systems Manager Mobile Device Management

- Device Management controls iOS, Android, Mac, and Windows devices
- Cloud-based: no on-site appliances or software, works with any vendor's network
- Free for up to 100 seats

Feature highlights: Centralized app deployment, Device security, Rapid provisioning, Backpack file sharing, Asset management

Future support: AMP, IPFIX

Summary

In Summary: Pervasive & Integrated Across Cisco

Attack Continuum

- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate

- Network-Integrated, Broad Sensor Base, Context sharing and Automation
- Continuous Advanced Threat Protection, Cloud-Based Security Intelligence
- Leading products working together as a system
- Built for Scale, Consistent Control, Management

Visibility-Driven | Threat-Focused | Platform-Based

Only Cisco Delivers

- Unmatched Visibility: Global Intelligence With the Right Context
- Consistent Control: Consistent Policies Across the Network and Data Center
- Advanced Threat Protection: Detects and Stops Advanced Threats
- Reduced Complexity: Fits and Adapts to Changing Business Models

The value Cisco brings customers is:

Unmatched Visibility: You will have access to the global intelligence you need with the right context to make informed decisions and take immediate action.

- Network as a sensor
- Contextual awareness
- Utilize global intelligence with big data analytics
- Open interfaces to visibility tools

Consistent Control: You can consistently enforce policies across the entire network and have the control you need to accelerate threat detection and response.

- Unified policy orchestration, language and enforcement
- Open interfaces to control platforms
- Extends from data center to cloud to endpoint

Advanced Threat Protection: You will be able to detect, understand and protect against advanced malware/advanced persistent threats across the entire security continuum.

- Real-time threat analysis
- Retrospective threat analysis

Reduced Complexity: You can adapt to the changing dynamics of your business environment quickly, at scale and securely.

- Integrated security services platforms
- Unified management
- Automation
- Open ecosystem through APIs
- ACI fabric integration
- Managed Services