We will explore why the current industry approach to security is failing us. We will then discuss how building security as an architecture can raise the security level for any organization.   An architectural approach is required to take security to the next level and defend against modern threats. We will discuss how you can use Cisco solutions to build a true security architecture.

1. Jamey Heary
Cisco Distinguished Systems Engineer
CCIE 7680
May 2016
Building a True Security
Architecture
One Capability at a Time

2. Agenda
Current State of Security
Cisco Security
Security as an Architecture- Stories
Summary

3. State of Security

4. Cyberwar is Raging!!

5. Why is the Security Industry Approach Failing?
• It is not a fair fight to begin with
• People, Process and Technology Issues
• Hacking People, Malicious Insiders
Security Technology Issues
• Silo’d Point Products. Nothing works together!
• Bolt on security, whack a mole strategy
• We are designing in complexity on purpose!
• Hyper focused on Prevention = anemic detection/scoping & Incident Response
• Lack of real network and security visibility

6. Architecture Fail
Working together Fail
Bolt-on Fail

7. Cisco Security
Cisco Security Homepage
Cisco.com/go/security

8. Cisco Security is Rockin it!
Best Security Company, 2016
Cisco’s Security Everywhere
…“that’s pretty brilliant”
“Cisco’s strength in its Security
business shows it is not an ‘old’
tech company”
“Network security architects …
need to adopt new products
and/or services that will enable
the network to be an integral
part of a strategy that focuses
on detecting and responding to
security incidents.”
“Vendors Like Palo Alto, FireEye Are
Selling Legacy Technology”
“Cisco is making all the
right moves… software-
focused, cloud-friendly
portfolio with double-digit
growth in Security
and acquisitions like
OpenDNS”
CIO Survey’s 1st in
Customer Preference

9. Cisco Security Execution and Investment
ThreatGRID
acquired
Sourcefire
Acquired
Active
Threat
Analytics
Black Hat
2014:
Talos
Integrated
Threat Defense
Vision
AMP Everywhere
w/Threat Grid
Incident Response
Service
Cisco ASA w/ FirePOWER
Services for Mid-Size and
Branch environments
Global Security
Sales Organization
Cisco ASA w/
FirePOWER
Services
ACI +
FirePOWER Services
RSAC: AMP
Everywhere;
OpenAppID
Security
and Trust
Organization
Security
Everywhere
2013 2016
Portcullis
acquired
OpenDNS
Acquired
OpenDNS/
Threat Grid
Integrated
Lancope
Acquired
Neohapsis
Acquired
Security
Everywhere
Extended
Firepower
NGFW and
Security
Advisory
Service for
Segmentation
unveiled
Cognitive
Acquired
Invested ~$5B in last 36 months!

10. 2010 2012 2013 2014 20152011
100
98
96
94
92
90
88
86
84
82
NGFW
NGIPS
BDS
(Cisco AMP)
NGFW
(test average)
NGIPS
(test average)
A Track record of Best-of-Breed Security Effectiveness
Best of Breed Efficacy in NSS Labs testing Year after Year
Cisco
Test Average

11. Magic Quadrant Ranking
NGIPS “Leader” since 2006
Email Security “Leader” since 2005
Network Access Control (NAC) “Leader” since 2011
Web Security “Leader” 3 of past 4 years
Network Performance Monitoring and Diagnostics “Leader” (Lancope)
Enterprise Network Firewalls / UTM “Challenger”
SSLVPN (no longer updated) “Leader”

12. Comprehensive Best-of-Breed Security Capabilities
Cisco Confidential
WWW
DNS
Network Fabric, Threat Intelligence and Analytics
NGFW/
NGIPS
Advanced Threat
and Analytics
Policy and
Access
Web and
DNS
Email Endpoint
Capabilities Working Together
Simple | Open | Automated | Effective

13. The Cisco
Advantage
Best of Breed
Portfolio
Architectural
Approach
Only Cisco can build a true E2E security architecture

14. Without an Architecture it is a mess of complexity!
What makes an Architecture an Architecture?
Just Three things IMHO
1. Capabilities/Solutions (Ideally best of breed)
2. That work well together
3. Effectively

15. Cisco is building the Industry’s first
Threat-Centric Security Architecture
INNOVATION

16. SAFE Simplifies Security
Method Overview
1. Identify your goals
2. Break down your network into manageable pieces
3. Criteria for success of the business (requirements in each PIN/domain)
4. Categorize your Risks, Threats and Policies
5. Build the Security Solution
A. Capabilities Phase
B. Architecture Phase
C. Low-level Design Phase
Format: Whiteboard, Diagrams and/or Presentation

17. Security Capabilities Design – Branch Example
Host-
based
Security
Wireless Wireless
Intrusion
Prevention
Posture
Assess-
ment
Access
Control +
TrustSec
Flow
Analytics
L2//L3
Network
L2//L3
Network
Host-
based
Security
Posture
Assess-
ment
Access
Control +
TrustSec
Flow
Analytics
Web
Security
Services
Firewall Next-Gen
Intrusion
Prevention
System
Anti-
Malware
Flow
Analytics
AVC-
Application
Visibility
Control
Threat
Intelligence
VPN
Wireless Manager
Web browsing
Wired Clerk processing
credit card transaction
Wireless Controller
Switch Next-Generation Firewall/Router
To Data Center
To Cloud
WAN
• Use Best Practices to identify applicable security capabilities
• No Products and No Devices in this phase; that comes next
• Identify security capabilities that best mitigate threats, risks and policy

18. Management
Security
Services and
Applications
Security
Services
Platform
Infrastructure
Element
Layer
Cisco Platform-Based Security Architecture
Hardware Agnostic, Integrated and 3rd Party Friendly
Common Security Policy & Management
Common Security Policy and Management
Orchestration
Security
Management APIs
Cisco APIC
APIs
Platform
APIs
Cloud Intelligence
APIs
Physical Appliance Virtual Cloud
Access
Control
Context
Awareness
Content
Inspection
Application
Visibility
Threat
Prevention
Device API: OpenFlow, OpenStack, Rest, Yang
Cisco Networking Operating Systems (Enterprise, Data Center, Service Provider, Cloud)
Route–Switch–ComputeASIC Data Plane Software Data Plane
APIs APIs
Cisco Security Applications Third-Party Security Applications
APIs

19. Web AccessNGIPS Adv. Malw
WAF SaaS VisibAnti-Virus FPCNAC DLPDDoS
Integrated Management
SERVICES
LAYER
ANALYTICS
LAYER
Global & Local Threat Intelligence
Email
Raw Data (Cisco + 3rd Party) Threat Research Analytics Engines
ENFORCEMENT
LAYER
Partnerships Cisco Portfolio
FW/NGFW
TELEMETRY
INTELLIGENCE
PolicyAutomation,APIsandControllerIntegration
Network Platforms
Security Platforms
Router / Switches / Server
Cloud Platform
OpenDNS, Email, CWS,
Stealthwatch, Defense Orchestrator
Endpoint Platform
AnyConnect
AMP
Umbrella
Cisco Integrated Threat Defense Architecture
Stuff simply works together

20. Control
Cisco
AnyConnect®
FirePowerCisco CWS
WWW
Cisco WSACisco ASACisco ESA
Visibility
WWW
Web
Endpoints
Devices
Networks
Email
IPS
Difference between a paperweight and a NGFW?
Best-of-Breed Global Threat Intelligence Cloud
24x7x365
operations
40+ languages
More than US$100 million
spent on dynamic research
and development
Information
Actions
Cisco® Collective
Security IntelligencePervasive across Portfolio
www.talosintel.com
Threat Intel

21. See the Unseen
Unprecedented Intel Breadth & Depth
Daily Security Intelligence
Daily Threats Blocked
Deployed Security Devices
Daily Malware
Sandbox Reports
120TB
Security
Intelligence
1.6M
Deployed
Devices
19.7B
Threats
Blocked
150,000
Micro-
applications
1,000
Applications
93B
Daily Email
Messages
35%
Enterprise
Email
13B
Web
Requests
150M
Deployed
Endpoints
3-5 min
Updates
Cisco Security Intelligence
Global Visibility
Global Footprint
5B
Daily Email
Connections
4.5B
Daily Email
Blocks
14M
Deployed
Access
Gateway
75,000
FireAMP
Updates
6,000
New Clam
AV Sigs
1.1M
Sandbox
Reports

22. Cisco Talos Research
Finding Bad Guys,
one 0-day at a time

23. Prevention Says easy, Does hard
Criminals only have to find one vuln; Be prepared
BEFORE
Discover
Enforce
Harden
AFTER
Scope
Contain
Remediate
Attack Continuum
Detect
Block
Defend
DURING
Shared Context & Security Intelligence

24. The power of a Cisco Security
Architecture
A collection of stories

25. Malicious Code
Launches
Alice, the contractor,
Clicks a Link or
Malvertising
Ransomware
Payload
Malicious
Infrastructure
Story 1: Ransomware

26. How Cisco Protects Customers
OpenDNS Next-Gen Firewall AMP Lancope
OpenDNS blocks the DNS request
NGFW blocks the connection/file
Web Security w/AMP blocks the file
AMP for Endpoint blocks the file &
communication back to home
OpenDNS blocks the request
NGFW blocks the connection
Lancope detects the activity

27. OR
Ransomware
Payload
Bob Downloads
Malicious Email
Attachment

28. OR
Email Security w/AMP
blocks the file
OpenDNS Email Security AMP Lancope
AMP for Endpoint blocks
the file & communication
back to home

29. Cisco TrustSec
Building block of a true security architecture
• TrustSec is a context-based TAG firewall/access control solution
• Cisco ISE is the central policy engine for Trustsec
• Classification of systems/users based on context
(user role, device, location, posture, threat, access method…)
• The context-based classification propagates using SGT tags
• SGT used by firewalls, stealthwatch, routers and switches to make intelligent
forwarding or blocking decisions in the DC
Users,
Device
Switch Router DC NGFW DC Switch
HR Servers
Enforcement
SGT Transport
Fin Servers SGT = 4
SGT = 10
ISE DirectoryClassification
SGT:5

30. 30© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Architecture: Network & Security working together
WLAN
Controller
VPN Remote
Access Access Switch
Firewall
ISE
Policy Server
Business Data
App / Storage
Corp Asset
Endpoints
Corp Network
Device Type: Apple Mac
User: Mary
AD Group: Employee
Asset Registration: Yes
Posture: Compliant
Physical Location: Lobby
Policy Mapping  SGT: Employee
Source Destination Action
IP SGT IP SGT Service Action
Any Employee Any Biz Server HTTPS Allow
Any Suspicious Any Biz Server Any Deny
Firewall Rules
• Differentiated Network Access based on Context
• Security Group Tag is added to every packet from
host
• Massive Firewall rule simplification
• Policy Enforcement regardless of IP address/vlan
• Accelerated service provisioning
• Consistent policy assignment regardless of
access method

31. Architecture: Rapid Threat Containment
WLAN
Controller
Quarantine is based on MAC Address
preventing compromised device accessing
from other location / access methods
NGFW
Policy
Server
Business Data
App / Storage
Compromised
Endpoint
10.10.10.10 (aa:bb:cc:dd:ee:ff)
Corp Network
Source Destination Action
IP SGT IP SGT Service Action
Any Employee Any Biz Server HTTPS Allow
Any Suspicious Any Biz Server Any Deny
Firewall Rules
NGFW Stealthwatch
Event: Malware
Source IP: 10.10.10.10/32
Response: Quarantine
OS Type: Windows 8
User: Mary
AD Group: Employee
Asset Registration: Yes
Posture: Non-Compliant
Physical Location: Lobby
MAC Address: aa:bb:cc:dd:ee:ff
Policy Mapping  SGT: Suspicious
PXGRID: EPS Quarantine: 10.10.10.10
Access Switch

32. Story 2: Security Automation – Dynamic Segmentation
32

33. Enabling Network-Wide Identity & Context Sharing
Cisco Platform Exchange Grid – pxGrid
INFRASTRUCTURE FOR A ROBUST
SECURITY ECOSYSTEM
• Single framework – develop once,
instead of to multiple APIs
• Control what & where context is
shared among platforms
• Bi-directional – share and consume
context at the same time
• Extremely Scalable
• Integrating with Cisco SDN for broad
network control functions
AD
Single, Pub/Sub
Open Framework
Real-time & Secure
pxGrid
Context
Sharing

34. NGFW
Story 3: Security Automation – Rapid Threat Containment
VPN
Bob

35. Cisco NGFW cutting-edge Automation
Not your grandma’s NGFW
Context Rich
Creates a host profile Internally, ISE pxgrid,
3rd party host scan data
Impact Assessment
Threat correlation reduces actionable
events by up to 99%
Automated Tuning
Adjust IPS policies automatically
based on traffic profile
App Identification you can trust
OpenAppID

36. Demo

37. • Breaches will happen. Be Prepared.
Scenario
• Zero-day Malware gets through and infects Bob’s wireless PC and
then spreads to a single server in the DC he has access to
• AMP sees the unknown file and sends it to the sandbox
• Malware tries to spread from Bob and the server.
Story 4: Security Retrospection– Scope, contain,
remediate

38. Web
Filtering and
Reputation
Security
Intelligence
File Type
Blocking
Application
Visibility &
Control
Indicators of
Compromise
Traffic
Intelligence
File
Reputation
Cognitive
Threat
Analytics
XXX X
After
www.website.com
X
File
Retrospection
Roaming User
Reporting
Log Extraction
Management
Allow Warn Block
Partial
Block
NGFW/
Meraki
AMP
ApplianceWSA/CWS ESA AMP Endpoint
Admin
Cisco Security Architecture
Threats
File
Sandbox
X
AMP Everywhere
Integrated

39. A New Layer of Breach Protection
Industries first recursive DNS Security Solution
Threat Prevention
DNS is common to almost all threats
Protects On & Off Network
Not limited to devices forwarding traffic through on-premise
appliances
Partner & Custom Integrations
Block based on malware analysis (Threatgrid, FireEye, etc.)
Block by Domains for All Ports
No added latency
Incredibly easy to POV/Deploy
30min deploy time
UMBRELLA &
Investigate
DNS Protection and Intel

40. • Previous automated Software defined segmentation drastically limits the
attack surface available to the malware to spread
• OpenDNS prevents C&C connection
• Stealthwatch (flow behavior analytics) alerts on C&C and host lock
The Cisco Security Architecture Goes to Work

41. Card Processor
Hacked
Server
POS Terminals
ASA
Firewall
Private
WAN
(truste
d)
Credit Card
Processor
ASA
Firewall
Stores Data CenterUpdatesfrom
POSServer
HTTPS
Credit Card Processing HTTPS
Internet
ISR G2
Routers
ISR G2
Routers
Wireless
AP
Wireless POS
C3850
Unified
Acces
s
Network as a Sensor– Host Lock Violation and Suspect
Data Loss
Host Lock Violation - CTD
Public
Internet
Compromised
Server
StealthWatch
FlowCollector
StealthWatch
Management
Console
Cisco ISE
Command and
Collect

42. • Stealthwatch uses pxGrid to have ISE change the SGT to compromised
• Hosts are now in quarantine and ISE posture assessment can start self-
patching
• Within <5mins AMP returns a malicious verdict on the file. All AMP devices
are now alerting and dropping file. AMP on endpoint will kill the process
and shutdown the malware on infected hosts
• All domains discovered by AMP threatgrid are passed to OpenDNS for
blocking providing an umbrella of threat coverage
• Both AMP and Stealthwatch can be used to investigate and scope breach
The Cisco Security Architecture Goes to Work

43. © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 43
When Malware Strikes, Have Answers - AMP
Where did it come
from?
Who else is
infected?
What is it doing? How do I stop it?
Device Trajectory
File Trajectory
File Analysis Automated Remediation

44. Near Future: Threat Centric NAC: ISE 2.1*
EndPoints based on Incidents and Indicators

45. ISE Threat Centric NAC
Network as
a Sensor
and
Enforcer,
and
Integrated
Threat
Defense

46. Story 5: Cisco ACI Security

47. EPG
“Internet”
EPG
“Web”
Solving the inline problem elegantly– Service
graphs & chaining
FireSIGHT Management
Center
Alerts
Network Visibility
Policy Management
Analytics
Remediation
Application Policy
Infrastructure
Controller (APIC)
Service Graph
Contracts
NGIPS/NGFW
Advanced Malware Protection
Policy and events
Basic configuration
and health
Intelligent Remediation

48. VRF1 pod1net
ASA and Firepower Insertion into ACI
Web host
Web EPG
App host
App EPG
DB host
DB EPG
NGIPS
ASA5525 Cluster
Routed L3FW Context
Dynamic Routing to vPC
GoTo
ASA virtual
RoutedL3FW Context
GoTo
ASAv
Firepower 7010
Inline NGIPS
GoThrough
Outside host
Outside Network
NGFW Cluster
Fabric
Perimeter
Outside
Router
L3out3
ASA DP 1.2.3.4
Firepower DP 1.0.1

49. So much more I’d like to
tell you,
So many more use cases
Reach out to your Cisco account team

50. In Summary

51. Simple, Effective, Integrated & Open Security
Cisco Security
Leapfrogging the Market

52. Our Approach is Unique

53. Strategy is for amateurs.

54. Execution is for professionals.

56. Appendix

57. Cisco’s Comprehensive Best-of-Breed Security Portfolio
WWW
Threat Intelligence and Analytics
Open | Simple | Integrated | Automated
NGFW/
NGIPS
Advanced
Threat
Policy and
Access
Web Email Endpoint
Building Blocks Working Together as an Architecture

58. 10I000 0II0 00 0III000 II1010011 101 1100001 110
Working Together to Create a True Security Architecture
Cisco FTD
ASA w/ FP
Cisco Web &
Email Security
Cisco
NGIPS
Common Identity, Policy
and Context Sharing
Malware Prevention /
Sandboxing
10I000 0II0 00 0III000 II1010011 101 1100001 110
110000III000III0 I00I II0I III0011 0110011 101000 0110 00
1010000II0000III000III0I00IIIIII0000III0
100III0IIII00II0II00III0I0000II000
Context-aware
Segmentation
Network Integration
Context Visibility
Cisco AMP Client
AMP
OpenDNS
Trustsec
ISE
Pxgrid
NaaS
NaaE
Cisco
Pervasive & Integrated
Across the Portfolio
Remediation

59. Pervasive & Integrated Across Cisco
Across the whole Attack Continuum
Attack Continuum
Network-Integrated,
Broad Sensor Base,
Context sharing and
Automation
Continuous Advanced
Threat Protection, Cloud-
Based Security Intelligence
Leading products working
together as a system
Built for Scale, Consistent
Control, Management
Visibility-Driven Threat-Focused Integrated
BEFORE
Discover
Enforce
Harden
AFTER
Scope
Contain
Remediate
Detect
Block
Defend
DURING

60. How to Build a Security Architecture
SAFE Simplifies Security
Method Overview
1. Identify your goals
2. Break down your network into manageable pieces
3. Criteria for success of the business (requirements in each PIN/domain)
4. Categorize your Risks, Threats and Policies
5. Build and model the Security Architecture
A. Capabilities Phase
B. Architecture Phase
C. Low-level Design Phase
Format: Whiteboard, Diagrams and/or Presentation

61. Reference Architectures

62. ISE 2.1 Feature List
 Guest and SSO Enhancements
 Microsoft Intune & SCCM Integration
 ACS to ISE Migration Features
 Smart Licensing
 Third party NAD Support
 EasyConnect
 Streamlined Visibility
Context directory
Customizable Dashboard
Expanded Profiling Capabilities
 Threat Centric NAC
 TrustSec Workflow Enhancements
 TrustSec / ACI Policy Plane Integration
 New Posture Compliance Check

63. Cisco Meraki

64. Cisco Meraki: Cloud-managed Networks
Meraki MS
Ethernet Switches
Meraki SM
Mobile Device
Management
Meraki MR
Wireless LAN
Meraki MX
Security
Appliances

65. Meraki MX Security Appliances
6 models scaling from small branch to campus / datacenter
Complete networking and security in a single appliance
Zero-touch site to site
VPN
WAN optimization
NG firewall
Content filtering
WAN link-bonding
Intrusion Prevention
Feature
highlights
Future support for:
• AMP
• IPFIX

66. Systems Manager Mobile Device Management
Device Management controls iOS, Android, Mac, and Windows devices
Cloud-based - no on-site appliances or software, works with any vendor’s network
Free for up to 100 seats
Centralized app
deployment
Device security
Rapid provisioning
Backpack™ file sharing
Asset management
Feature
highlights
AMP
IPFIX
Future
support

67. “Yellow” Retail
WAN
Data Centre
“Yellow” Retail
3rd-party supplier
“Blue” Retail
Store
Core Network
(Transit)
“Yellow” Retail
Store
“Yellow” Retail Router:
TAG everything
“yellow”
Allow “Yellow” &
“Purple”
DC Router:
Allow yellow to yellow Allow blue and
Yellow to purple
Tag “Yellow” apps “Yellow”
Tag “Shared” apps “Purple”
“Blue” Retail Router:
TAG everything “Blue”
Allow “Blue” & “Purple”
Shared
Apps
Retail
Apps
Simplify: Segmenting traffic with SGT
Security Domain Level classifications
6
“Blue” Retail
WAN
“Blue” Retail
3rd-party supplier
SGACL
SGACLSGACL

68. Cisco Security Solution Partners
Combined Program – Over 60+ Partners
Combined API Framework and Integration Points
BEFORE
Policy
and
Control
AFTER
Analysis
and
Remediation
Identification
and Block
DURING
Infrastructure & Mobility
RemediationVulnerability Management
SIEMVisualizationNetwork Access Taps
Custom Detection Incident ResponseFull Packet Capture
IAM/SSO