We will explore why the current industry approach to security is failing us. We will then discuss how building security as an architecture can raise the security level for any organization. An architectural approach is required to take security to the next level and defend against modern threats. We will discuss how you can use Cisco solutions to build a true security architecture.
5. Why is the Security Industry Approach Failing?
• It is not a fair fight to begin with
• People, Process and Technology Issues
• Hacking People, Malicious Insiders
Security Technology Issues
• Siloed point products. Nothing works together!
• Bolt-on security, whack-a-mole strategy
• We are designing in complexity on purpose!
• Hyper-focused on prevention = anemic detection/scoping and incident response
• Lack of real network and security visibility
8. Cisco Security is Rockin it!
Best Security Company, 2016
Cisco’s Security Everywhere … “that’s pretty brilliant”
“Cisco’s strength in its Security business shows it is not an ‘old’ tech company”
“Network security architects … need to adopt new products and/or services that will enable the network to be an integral part of a strategy that focuses on detecting and responding to security incidents.”
“Vendors Like Palo Alto, FireEye Are Selling Legacy Technology”
“Cisco is making all the right moves… software-focused, cloud-friendly portfolio with double-digit growth in Security and acquisitions like OpenDNS”
CIO Survey’s 1st in Customer Preference
9. Cisco Security Execution and Investment
[Timeline, 2013 to 2016, of Cisco security milestones:]
• ThreatGRID acquired
• Sourcefire acquired
• Active Threat Analytics
• Black Hat 2014: Talos
• Integrated Threat Defense vision
• AMP Everywhere w/ Threat Grid
• Incident Response Service
• Cisco ASA w/ FirePOWER Services for mid-size and branch environments
• Global Security Sales Organization
• Cisco ASA w/ FirePOWER Services
• ACI + FirePOWER Services
• RSAC: AMP Everywhere; OpenAppID
• Security and Trust Organization
• Security Everywhere
• Portcullis acquired
• OpenDNS acquired
• OpenDNS/Threat Grid integrated
• Lancope acquired
• Neohapsis acquired
• Security Everywhere extended
• Firepower NGFW and Security Advisory Service for Segmentation unveiled
• Cognitive acquired
Invested ~$5B in last 36 months!
10. A Track Record of Best-of-Breed Security Effectiveness
Best of Breed Efficacy in NSS Labs testing Year after Year
[Chart: security effectiveness score (y-axis 82 to 100) per year, 2010 to 2015, for Cisco NGFW, NGIPS and BDS (Cisco AMP) versus the NSS Labs test average for NGFW and NGIPS.]
11. Magic Quadrant Ranking
NGIPS “Leader” since 2006
Email Security “Leader” since 2005
Network Access Control (NAC) “Leader” since 2011
Web Security “Leader” 3 of past 4 years
Network Performance Monitoring and Diagnostics “Leader” (Lancope)
Enterprise Network Firewalls / UTM “Challenger”
SSLVPN (no longer updated) “Leader”
12. Comprehensive Best-of-Breed Security Capabilities
Cisco Confidential
[Diagram: Network Fabric, Threat Intelligence and Analytics underpinning NGFW/NGIPS, Advanced Threat and Analytics, Policy and Access, Web and DNS, Email and Endpoint.]
Capabilities Working Together
Simple | Open | Automated | Effective
13. The Cisco Advantage
Best of Breed Portfolio + Architectural Approach
Only Cisco can build a true E2E security architecture
14. Without an Architecture it is a mess of complexity!
What makes an Architecture an Architecture?
Just Three things IMHO
1. Capabilities/Solutions (Ideally best of breed)
2. That work well together
3. Effectively
15. Cisco is building the Industry’s first Threat-Centric Security Architecture
INNOVATION
16. SAFE Simplifies Security
Method Overview
1. Identify your goals
2. Break down your network into manageable pieces
3. Criteria for success of the business (requirements in each PIN/domain)
4. Categorize your Risks, Threats and Policies
5. Build the Security Solution
A. Capabilities Phase
B. Architecture Phase
C. Low-level Design Phase
Format: Whiteboard, Diagrams and/or Presentation
17. Security Capabilities Design – Branch Example
[Diagram: a branch in which a wireless manager browses the web and a wired clerk processes a credit card transaction; they connect through a wireless controller and a switch to a next-generation firewall/router, with WAN links to the data center and to the cloud. Capabilities placed on the diagram:]
• Endpoints: host-based security, posture assessment, access control + TrustSec, flow analytics
• Wireless: wireless intrusion prevention
• L2/L3 network: access control + TrustSec, flow analytics
• Next-generation firewall/router: firewall, next-gen intrusion prevention system, anti-malware, flow analytics, AVC (application visibility and control), threat intelligence, VPN
• Cloud: web security services
• Use best practices to identify applicable security capabilities
• No products and no devices in this phase; that comes next
• Identify security capabilities that best mitigate threats, risks and policy
18. Cisco Platform-Based Security Architecture
Hardware Agnostic, Integrated and 3rd Party Friendly
[Layered diagram, top to bottom:]
• Management: Common Security Policy and Management; Orchestration; Security Management APIs, Cisco APIC APIs, Platform APIs, Cloud Intelligence APIs
• Security Services and Applications: Cisco Security Applications and Third-Party Security Applications, connected through APIs
• Security Services Platform (Physical Appliance, Virtual, Cloud): Access Control, Context Awareness, Content Inspection, Application Visibility, Threat Prevention
• Infrastructure Element Layer: Device API (OpenFlow, OpenStack, REST, YANG); Cisco Networking Operating Systems (Enterprise, Data Center, Service Provider, Cloud); Route–Switch–Compute ASIC data plane and software data plane
19. Cisco Integrated Threat Defense Architecture
Stuff simply works together
[Layered diagram:]
• Services layer (Integrated Management): Web, Access, NGIPS, Adv. Malware, WAF, SaaS Visibility, Anti-Virus, FPC, NAC, DLP, DDoS, Email, FW/NGFW, drawn from partnerships and the Cisco portfolio
• Analytics layer: Global & Local Threat Intelligence from raw data (Cisco + 3rd party), threat research and analytics engines
• Enforcement layer (policy automation, APIs and controller integration): Network Platforms (router / switches / server), Security Platforms, Cloud Platform (OpenDNS, Email, CWS, Stealthwatch, Defense Orchestrator), Endpoint Platform (AnyConnect, AMP, Umbrella)
• Telemetry and intelligence are exchanged between the enforcement and analytics layers
20. Control and Visibility
[Diagram: Cisco AnyConnect®, FirePOWER, Cisco CWS, Cisco WSA, Cisco ASA, Cisco ESA and IPS providing control and visibility across web, endpoints, devices, networks and email.]
Difference between a paperweight and a NGFW? Threat Intel
Best-of-Breed Global Threat Intelligence Cloud: Cisco® Collective Security Intelligence, pervasive across the portfolio (www.talosintel.com)
• 24x7x365 operations
• 40+ languages
• More than US$100 million spent on dynamic research and development
[Diagram: information in, actions out]
23. Prevention Says easy, Does hard
Criminals only have to find one vuln; Be prepared
Attack Continuum:
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Shared Context & Security Intelligence
24. The power of a Cisco Security Architecture
A collection of stories
25. Story 1: Ransomware
[Diagram: Alice, the contractor, clicks a link or malvertising → malicious code launches → ransomware payload → malicious infrastructure]
26. How Cisco Protects Customers
[Diagram: OpenDNS, Next-Gen Firewall, AMP and Lancope placed along the ransomware chain]
• OpenDNS blocks the DNS request
• NGFW blocks the connection/file
• Web Security w/AMP blocks the file
• AMP for Endpoint blocks the file & communication back to home
• OpenDNS blocks the request
• NGFW blocks the connection
• Lancope detects the activity
28. OR (the email variant)
[Diagram: OpenDNS, Email Security, AMP and Lancope]
• Email Security w/AMP blocks the file
• AMP for Endpoint blocks the file & communication back to home
29. Cisco TrustSec
Building block of a true security architecture
• TrustSec is a context-based TAG firewall/access control solution
• Cisco ISE is the central policy engine for Trustsec
• Classification of systems/users based on context
(user role, device, location, posture, threat, access method…)
• The context-based classification propagates using SGT tags
• SGT used by firewalls, Stealthwatch, routers and switches to make intelligent forwarding or blocking decisions in the DC
[Diagram: users and devices are classified by ISE (with the directory) at the access switch and assigned an SGT (e.g. SGT:5); the SGT is transported across the router to the DC NGFW and DC switch, which enforce policy toward the HR Servers and Fin Servers (SGT = 4, SGT = 10).]
31. Architecture: Rapid Threat Containment
[Diagram: a compromised endpoint at 10.10.10.10 (aa:bb:cc:dd:ee:ff) on the corporate network behind an access switch and WLAN controller; an NGFW in front of business data, apps and storage; a policy server (ISE) and Stealthwatch.]
Quarantine is based on MAC address, preventing the compromised device from accessing from other locations / access methods.
Firewall Rules (NGFW):
Source            Destination            Service  Action
IP   SGT          IP   SGT
Any  Employee     Any  Biz Server        HTTPS    Allow
Any  Suspicious   Any  Biz Server        Any      Deny
Stealthwatch event: Event: Malware; Source IP: 10.10.10.10/32; Response: Quarantine
Policy server context: OS Type: Windows 8; User: Mary; AD Group: Employee; Asset Registration: Yes; Posture: Non-Compliant; Physical Location: Lobby; MAC Address: aa:bb:cc:dd:ee:ff; Policy Mapping SGT: Suspicious
pxGrid: EPS Quarantine: 10.10.10.10
33. Enabling Network-Wide Identity & Context Sharing
Cisco Platform Exchange Grid – pxGrid
Infrastructure for a robust security ecosystem:
• Single framework – develop once, instead of to multiple APIs
• Control what & where context is shared among platforms
• Bi-directional – share and consume context at the same time
• Extremely scalable
• Integrating with Cisco SDN for broad network control functions
[Diagram: pxGrid as a single, pub/sub, open framework for real-time and secure context sharing, with AD among the sources.]
35. Cisco NGFW cutting-edge Automation
Not your grandma’s NGFW
• Context rich: creates a host profile internally, from ISE pxGrid and from 3rd-party host scan data
• Impact assessment: threat correlation reduces actionable events by up to 99%
• Automated tuning: adjusts IPS policies automatically based on traffic profile
• App identification you can trust: OpenAppID
37. Story 4: Security Retrospection – Scope, contain, remediate
• Breaches will happen. Be prepared.
Scenario
• Zero-day malware gets through and infects Bob’s wireless PC and then spreads to a single server in the DC he has access to
• AMP sees the unknown file and sends it to the sandbox
• Malware tries to spread from Bob and the server.
38. AMP Everywhere, Integrated
[Diagram of the Cisco Security Architecture: threats arrive from www.website.com; enforcement points NGFW/Meraki, AMP Appliance, WSA/CWS, ESA and AMP Endpoint; a file sandbox and file retrospection (a file allowed at first is marked after analysis); an admin console with reporting, log extraction and management. Capabilities shown: web filtering and reputation, security intelligence, file type blocking, application visibility & control, indicators of compromise, traffic intelligence, file reputation, Cognitive Threat Analytics, roaming user. Actions: allow, warn, block, partial block.]
39. A New Layer of Breach Protection
Umbrella & Investigate: DNS protection and intel
Industry’s first recursive DNS security solution
• Threat prevention: DNS is common to almost all threats
• Protects on & off network: not limited to devices forwarding traffic through on-premise appliances
• Partner & custom integrations: block based on malware analysis (Threat Grid, FireEye, etc.)
• Block by domains for all ports
• No added latency
• Incredibly easy to POV/deploy: 30 min deploy time
40. The Cisco Security Architecture Goes to Work
• Previous automated software-defined segmentation drastically limits the attack surface available to the malware to spread
• OpenDNS prevents C&C connection
• Stealthwatch (flow behavior analytics) alerts on C&C and host lock
41. Network as a Sensor – Host Lock Violation and Suspect Data Loss
[Diagram: stores with POS terminals, wireless POS and a wireless AP on C3850 Unified Access switches behind ISR G2 routers; a private (trusted) WAN to the data center, where an ASA firewall fronts the POS server; updates from the POS server and HTTPS credit card processing reach the credit card processor over the Internet behind another ASA firewall; the credit card processor’s server is hacked, and a compromised server in the data center runs command-and-collect traffic to the public Internet; StealthWatch FlowCollector and Management Console with Cisco ISE flag the host lock violation (CTD).]
42. The Cisco Security Architecture Goes to Work
• Stealthwatch uses pxGrid to have ISE change the SGT to compromised
• Hosts are now in quarantine and ISE posture assessment can start self-patching
• Within <5 mins AMP returns a malicious verdict on the file. All AMP devices are now alerting and dropping the file. AMP on the endpoint will kill the process and shut down the malware on infected hosts
• All domains discovered by AMP Threat Grid are passed to OpenDNS for blocking, providing an umbrella of threat coverage
• Both AMP and Stealthwatch can be used to investigate and scope the breach
57. Cisco’s Comprehensive Best-of-Breed Security Portfolio
[Diagram: Threat Intelligence and Analytics underpinning NGFW/NGIPS, Advanced Threat, Policy and Access, Web, Email and Endpoint.]
Open | Simple | Integrated | Automated
Building Blocks Working Together as an Architecture
58. Working Together to Create a True Security Architecture
[Diagram: Cisco FTD, ASA w/ FP, Cisco Web & Email Security, Cisco NGIPS and the Cisco AMP client, linked by common identity, policy and context sharing (ISE, TrustSec, pxGrid), malware prevention / sandboxing (AMP), context-aware segmentation, network integration (NaaS, NaaE), context visibility, OpenDNS and remediation; pervasive & integrated across the portfolio.]
59. Pervasive & Integrated Across Cisco
Across the whole Attack Continuum
• Network-integrated, broad sensor base, context sharing and automation
• Continuous advanced threat protection, cloud-based security intelligence
• Leading products working together as a system
• Built for scale, consistent control, management
Visibility-Driven | Threat-Focused | Integrated
Attack Continuum: BEFORE (Discover, Enforce, Harden); DURING (Detect, Block, Defend); AFTER (Scope, Contain, Remediate)
60. How to Build a Security Architecture
SAFE Simplifies Security
Method Overview
1. Identify your goals
2. Break down your network into manageable pieces
3. Criteria for success of the business (requirements in each PIN/domain)
4. Categorize your Risks, Threats and Policies
5. Build and model the Security Architecture
A. Capabilities Phase
B. Architecture Phase
C. Low-level Design Phase
Format: Whiteboard, Diagrams and/or Presentation
64. Cisco Meraki: Cloud-managed Networks
• Meraki MS: Ethernet switches
• Meraki SM: mobile device management
• Meraki MR: wireless LAN
• Meraki MX: security appliances
65. Meraki MX Security Appliances
6 models scaling from small branch to campus / datacenter
Complete networking and security in a single appliance
Feature highlights: zero-touch site-to-site VPN, WAN optimization, NG firewall, content filtering, WAN link bonding, intrusion prevention
Future support for:
• AMP
• IPFIX
66. Systems Manager Mobile Device Management
Device management controls iOS, Android, Mac, and Windows devices
Cloud-based – no on-site appliances or software, works with any vendor’s network
Free for up to 100 seats
Feature highlights: centralized app deployment, device security, rapid provisioning, Backpack™ file sharing, asset management
Future support: AMP, IPFIX
67. Simplify: Segmenting traffic with SGT
Security domain level classifications
[Diagram: “Yellow” Retail stores and a “Yellow” Retail 3rd-party supplier on the “Yellow” Retail WAN, and “Blue” Retail stores and a “Blue” Retail 3rd-party supplier on the “Blue” Retail WAN, both reaching the data centre across a core (transit) network; the data centre hosts retail apps and shared apps; SGACLs are enforced at each router.]
• “Yellow” Retail router: TAG everything “Yellow”; allow “Yellow” & “Purple”
• “Blue” Retail router: TAG everything “Blue”; allow “Blue” & “Purple”
• DC router: tag “Yellow” apps “Yellow”; tag “Shared” apps “Purple”; allow yellow to yellow; allow blue and yellow to purple
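As an added illustration of how the SGT model on this slide and on the Rapid Threat Containment slide (31) fit together, here is a small Python model of both (this is not Cisco, ISE, Stealthwatch or NGFW code; router names, addresses and the data-centre server tags are assumptions, while the Employee/Suspicious/Biz Server rules and the Yellow/Blue/Purple tags are the slides’ own). Classification happens at the ingress point, the tag travels with the packet, and the firewall decides on tags alone, so a quarantined device stays quarantined after it moves to another IP and a packet from the same source address is Yellow or Blue purely by the WAN it came in on.

```python
"""TrustSec-style tagging and Rapid Threat Containment, modelled in plain Python.
Added illustration, not Cisco, ISE, Stealthwatch or NGFW code. Classification at
the ingress point (an ISE-like policy server for campus users, a fixed domain tag
per retail edge router), the SGT carried with the packet, and enforcement by tag
rather than by IP at the data-centre firewall. Addresses, router names and server
tags are constructed; the rules and tag names come from the slides.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    service: str
    sgt: str = "Unknown"  # written at the ingress point and carried inline

class PolicyServer:
    """ISE-like classifier. Assignments are keyed by MAC, not IP, so a
    quarantined device stays quarantined after it moves to another IP."""
    def __init__(self):
        self.by_mac = {}        # mac -> {"ip": ..., "group": ...}
        self.quarantined = set()

    def register(self, mac, ip, group):
        self.by_mac[mac] = {"ip": ip, "group": group}

    def reconnect(self, mac, new_ip):   # same device, other location / access method
        self.by_mac[mac]["ip"] = new_ip

    def sgt_for_ip(self, ip):
        for mac, rec in self.by_mac.items():
            if rec["ip"] == ip:
                return "Suspicious" if mac in self.quarantined else rec["group"]
        return "Unknown"

    def on_event(self, event):
        """pxGrid-style EPS quarantine: a Malware event with Response Quarantine
        re-maps the source endpoint to the Suspicious SGT by its MAC."""
        if event.get("Event") != "Malware" or event.get("Response") != "Quarantine":
            return None
        ip = event["Source IP"].split("/")[0]   # strip the /32
        for mac, rec in self.by_mac.items():
            if rec["ip"] == ip:
                self.quarantined.add(mac)
                return mac
        return None

# Constructed: each retail edge router tags everything it admits with its domain.
EDGE_ROUTER_TAG = {"yellow-retail-router": "Yellow", "blue-retail-router": "Blue"}
# Constructed: server tags assigned in the data centre.
DC_TAGS = {"10.50.0.10": "Biz Server", "10.50.1.10": "Yellow", "10.50.2.10": "Purple"}
# Policy keyed on (src SGT, dst SGT, service); first match wins, otherwise deny. No IPs.
POLICY = [
    ("Employee",   "Biz Server", "HTTPS", "Allow"),
    ("Suspicious", "Biz Server", "Any",   "Deny"),
    ("Yellow",     "Yellow",     "Any",   "Allow"),
    ("Yellow",     "Purple",     "Any",   "Allow"),
    ("Blue",       "Blue",       "Any",   "Allow"),
    ("Blue",       "Purple",     "Any",   "Allow"),
]

def tag_at_access_switch(pkt, ise):
    """Campus ingress: the switch asks the policy server for the user's SGT."""
    return Packet(pkt.src_ip, pkt.dst_ip, pkt.service, ise.sgt_for_ip(pkt.src_ip))

def tag_at_edge_router(pkt, router):
    """WAN ingress: the router stamps its domain tag on everything, supplier included."""
    return Packet(pkt.src_ip, pkt.dst_ip, pkt.service, EDGE_ROUTER_TAG[router])

def enforce(pkt):
    """DC NGFW / SGACL lookup on the tags, never on the addresses."""
    dst_sgt = DC_TAGS.get(pkt.dst_ip, "Unknown")
    for src, dst, svc, action in POLICY:
        if src == pkt.sgt and dst == dst_sgt and svc in ("Any", pkt.service):
            return action
    return "Deny"

def containment_story():
    """Slide 31: Mary's PC is allowed, is quarantined on a malware event, and
    stays quarantined when it reconnects from the lobby with a new IP."""
    ise = PolicyServer()
    ise.register("aa:bb:cc:dd:ee:ff", "10.10.10.10", "Employee")
    pkt = Packet("10.10.10.10", "10.50.0.10", "HTTPS")
    before = enforce(tag_at_access_switch(pkt, ise))
    ise.on_event({"Event": "Malware", "Source IP": "10.10.10.10/32", "Response": "Quarantine"})
    after = enforce(tag_at_access_switch(pkt, ise))
    ise.reconnect("aa:bb:cc:dd:ee:ff", "10.10.20.7")
    moved = enforce(tag_at_access_switch(Packet("10.10.20.7", "10.50.0.10", "HTTPS"), ise))
    return before, after, moved

def segmentation_story():
    """Slide 67: one source address is Yellow or Blue depending only on the WAN
    it entered from; Blue never reaches Yellow apps, both domains reach Purple."""
    probe = Packet("192.0.2.10", "10.50.1.10", "HTTPS")   # toward a Yellow retail app
    shared = Packet("192.0.2.10", "10.50.2.10", "HTTPS")  # toward a shared (Purple) app
    return (enforce(tag_at_edge_router(probe, "yellow-retail-router")),
            enforce(tag_at_edge_router(probe, "blue-retail-router")),
            enforce(tag_at_edge_router(shared, "blue-retail-router")))
```

Run `containment_story()` to see Allow, Deny, Deny (allowed, quarantined, still quarantined after the IP change) and `segmentation_story()` to see Allow, Deny, Allow. A packet that never passed an ingress point keeps the default Unknown tag and hits the implicit deny, which is the point of tagging at the edge: the address alone buys nothing.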
68. Cisco Security Solution Partners
Combined program – over 60+ partners
Combined API framework and integration points across the attack continuum: BEFORE (policy and control), DURING (identification and block), AFTER (analysis and remediation)
Partner categories: Infrastructure & Mobility, Remediation, Vulnerability Management, SIEM, Visualization, Network Access, Taps, Custom Detection, Incident Response, Full Packet Capture, IAM/SSO