Cisco Connect Montreal
Canada • 20th November 2018
Global vision.
Local knowledge.

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Bienvenue!!
Welcome!!

Benjamin Rossignol
Cybersecurity Systems Engineer, CCIE#23791
November 2018
Cisco’s Architectural Approach
Next-Generation
Datacenter Security

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Percentage of security team’s time
47%
Servers
29%
Customer data
23%
Endpoints
of the security team’s time
is spent on security in the data center76%

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
5PSOSEC-2559
Roadblocks to Security Success
• More than half of attacks result in damages over $500k
• More devices and Greater Threat Complexity
• Budget constraints and lack of trained personnel
• Security product overload!
Nearly half of the security risk
organizations face stems from having
multiple security vendors and products.
Of organizations using 1 to 5 vendors, 28
percent said they had to manage public
scrutiny after a breach; that number rose
to 80 percent for organizations using
more than 50 vendors.
-- Cisco 2018 Security Capability Benchmark
Study

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Data Center Security… It Takes an Architecture!
Threat
protection
“Stop the breach”
Segmentation
“Reduce the
attack surface”
Visibility
“See everything”
Threat intelligence - Talos
Intent-based
Automation
Analytics

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Building a True
Data Center Security Architecture

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Datacenter Security Solutions –Focus Areas
Network & Application Analytics
• Stealthwatch
• Tetration
Visibility
Stop Attacks and Malware
• NGFW/NGIPS
• Advanced Malware
Protection (AMP)
Threat Prevention
Firewall and Access Control
• NGFW, ACI and Tetration
Policy Orchestration
• FMC and CloudCenter
• APIC and ISE
Segmentation
Integrated

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Architecture
Integrated
Portfolio
Best of breed

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
It Takes an Integrated Architecture
pxGrid
Security
Group
Tag /
EPG
API
Intel
Sharing Automation
Analytics
(Stealthwatch, Tetration)
Advanced
Malware
Policy and Access
o ISE
o NGFW
o Tetration
o ACI
NGFW / NGIPS
Threat Protection
Visibility
Segmentation
Management
o CloudCenter
o APIC
o FMC
o Tetration

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
ISE
Switches Routers Wireless
EndpointsIOT PhonesPrinters
WSA ESAFMC SMC
TALOS AMP/TG UmbrellaCTA
SIEM
VMC
Net Protocols
pxGrid
AMP/TG API
Firepower API
Syslog
Talos API
Cloud Services
Infrastructure & Devices
pxGrid
Generic API
Radius
Netflow
DNS
Legend
11

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Data Centers are Changing
Cisco Security Grows with You
Application Centric
Infrastructure
ACI Fabric
Virtualization
and Cloud
Traditional
Data Center

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Segmentation

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
“I have no idea what my segmentation policy
needs to be at any given time!”

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
How well do you understand your applications?
Application
Relevant Policy
Perform
Application
Dependency
Mapping
Tested?
Existing
ACL?
Accurate?
Review
Trusted?
No
No
No
No
Yes
Yes
YesIt’s already out
of date
Yes

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Tetration Connection Manager
Automated Security Policy Recommendation
Step2: Auto-Generation of Whitelist
Policies
Whitelist policy recommendation
• Identifies application intent
• Generates 4 tuple policies
Export into Cisco solutions
• Export in JSON, XML and YAML
• Import into ACI, ASA and NGFW
Step1: Application Behavior Analysis
Application conversations Conversation details/
process bindings

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Automated Policy Discovery
Audit and Enforcement
• Zero Trust Enforcement
ASA
• Tetration-to-ASA Policy Conversion
• Lifecycle ACL Management
• ACL Audit
Tetration

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Tetration Offerings
18
• VM Virtual Appliance
• DC, Amazon or Azure
• 3 Server Platform
• Turnkey Hadoop Appliances
• SW & HW Sensors
• Highest Performance
On-Prem Software OnlySaaS
• Tetration As A Service
• Cisco Hosted & Managed
• Cloud First Customers
1K to 25K+ Workloads 100 to 1000 Workloads
NEW NEW

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
DB Endpoint Group
NGFW ACI Tetration
Web EPG Database EPG
North / South Course Grain East / West
Fine Grain East / West
AKA Micro Segmentation

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
APIC configures FMC 6.2.3, using REST-APIs to manage the following devices:
 Pre-registered FTD devices in either Stand-alone, HA or Cluster mode
APIC configures the following features:
• Interfaces in Routed, Switched, or Inline mode. Defines VLAN sub-interfaces
(including Port-Channels) for Routed and Transparent firewall mode, including IRB.
Static routes can be added under interface configuration.
• Security Zones, Interface Names, Inline Sets, as specified in function profile
parameters. FMC names are prefixed with APIC Tenant and registered FTD device
name. EPG learning feature is supported with FMC.
• Assignment of the Security Zones to pre-configured ACP Rule(s).
FTD FI Device Package Version 1.0.3

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
FTD FI Device Package for ACI
Policy Creation:
Security Admin uses FMC to create an appropriate policy
Fabric Insertion:
Network Admin uses APIC to program Fabric Insertion of FTD
Security team configures via FMC
SECURITY NETWORK
DBApp
FMC 6.2
FMC GUI API API / GUI
Firepower NGFW
(FTD 6.2.3 image)
Registered to FMC
APIC Imports
FTD Device Package
To Program FMC
Managed Service Graph
Hybrid – Service Manager Model

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Data Center Security Working Together
CloudCenter
Tetration
ISE
AMP
Tetration
sensor
EPG
App
AMP
FTD
External Internal
FMC Manager
fire
EPG
DB
Tetration
sensor

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Simplifying Security
Orchestration
• Automated workload deployment
• Hybrid Cloud
CloudCenter
• Deploy EPG and contract
• Deploy service graph
ACI
• Deploy AMP for Endpoints
• Deploy Tetration Software Sensor
• Deploy ASA Firewall
Security Solutions

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Consistent access
policy from users to
servers
• pxGrid
ISE/TrustSec
• Contextual awareness
ACI/Endpoint Group
• Group based policy
NGFW

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
From Campus to Data Center
ACI Policy DomainTrustSec Policy Domain
Switch Router Router Firewall Nexus9000 Nexus9000 ServersUser
SGT
over
Ethernet
IPSec / DMVPN /
GETVPN / SXP
Classification
ISE creates matching SGTs for EPGs
ISE exchanges IP-SGT/EPG ‘Name bindings’
IP-ClassId, VNI bindings
IP-Security Group bindings
exchanged with network
Spine Leaf
Cisco ISE Cisco APIC-DC
Security Groups End Point Groups
ACI: Application Centric Infrastructure
APIC
WAN
(GETVPN
DMVPN IPSEC)
ASR 1K
Policy plane integration
Firewall

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Advanced Threat Protection

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Applications and services
Mitigating threats, risks and vulnerabilities
Users zone Server zone 1 Server zone 2 Outside world
business partners
Perimeter
firewall
Segment Datacenter Architecture

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
The Need for Advanced Threat Protection
TECDCT-2609
Segmentation
Threat

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Advanced Threat solutions
• DNS Security
• Command and
Control and
Malware Blocking
• Content Control
• Protection against
exploitation of app
vulnerabilities
• Impact-assessment
and IoC
• Auto-tuning of policy
• File based malware
protection
• Sandboxing to find
zero-day malware
• Retrospective
remediation of malware
Umbrella NGFW/NGIPS AMP
TECDCT-2609

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
96.8%
99.7%
90.1%
0.6%
67%
6.5%
2.9%
91.8%
17.1%
6.5%
96.3%
27%
Cisco:
Undisputed Leader in Stopping Threats Fast
-------Efficacy-------
--------------Time-----------------
74.7%
95.3% 97.1%
18.5%
39.9%
70.8%

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
What is a Quarantine?

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Rapid Threat Containment (RTC)
Initial compromise Detection
Protect critical data, by stopping attacks faster, based on real-time threat intelligence
Internet
Enterprise
Network
Monetize theft
Problem
Infection spread
Data hoarding
Data exfiltration
100 – 200 days Initial compromise Containment
Internet
Solution
PxGrid
Enterprise
Network
Sensor
- AMP/
- NGIPS/
- ASA
(wFirePOWER)
EPS: Quarantine
(over PxGrid)
COA
Minutes
FMC
ISE
TrustSec
segmentation

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Firepower Remediation Subsystem Components

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Tetration Inventory – Contextual Visibility and
Policy
App Server
10.66.237.5
ISE/PxGrid
CMDB CI
IPAM/DNS
Hypervisor/Cloud
Security Ecosystem
Network
ISE Integration via PxGrid - Beta

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Multi-Layered
threat prevention
architecture in
action
• Command & Control prevention
• Rapid threat containment
NGFW/NGIPS
• Tetration software sensor enforcement
• Automation NGFW to Tetration
Tetration
• Zero Day Protection
• Malware protection – from network, to
endpoint, to cloud
AMP

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Rapid threat
containment with
ACI micro-
segmentation
• Indicators of compromise
• Rapid threat containment
NGFW/NGIPS
• Micro-segmentation/uEPG
• Automation NGFW to APIC
ACI
• Network AMP
• Malware protection – from network, to
endpoint, to cloud
AMP

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
FMC to APIC Rapid Threat Containment
FMC Remediation Module for APIC
DB EPG
ACI Fabric
App EPG
Infected App1
Step 4: APIC Quarantines infected App1
workload into an isolated uSeg EPG
Step 1: Infected End Point launches an attack
that NGFW(v), FirePOWER Services in ASA,
or FirePOWER appliance blocks the attack
Step 2: Event is generated to FMC about an
attack blocked from infected host
Step 3: Attack event is configured to trigger
remediation module for APIC and quarantine
infected host using APIC NB API
1
FMC
App2
2
34
See demo on http://cs.co/rtc-with-apic

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
FMC Remediation Module for ACI on Cisco.com
TECDCT-2609

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Visibility & Analytics

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
• Comprehensive,
contextual network flow
visibility
• Real-time situational
awareness of traffic
Monitor
• Detect anomalous
network behavior
• Detect network
behaviors indicative of
threats: worms, insider
threats, DDoS and
malware
Detect
• Quickly scope an incident
• Network troubleshooting
• One click quarantine
Respond
See and detect more threats in your DC
Cisco Stealthwatch
Analyze
• Holistic network audit trail
• Threat hunting and
forensic investigations
Switch Router Router Firewall Data Center
Switch
ServerUser
WAN
ServerDevice
End-to-
End
Network
Visibility

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Threat
detection and hunting
Application traffic
modeling &
visibility
Access control
policy and audit
Anomalous
behavior
Integrated with other security solutions 1+1=3
Greater Visibility and Security Together
Cisco Tetration and Stealthwatch

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Monitoring Unified SGT-ACI Policy
TrustSec Domain
ACI Domain
pci_users
SGT: 16
EV_appProfile_LOB2_App1EPG
SGT: 10005
ACI Domain
Stealthwatch Deployment
Cisco ISE
APIC-DC
syslog
NetFlow
SGT
Definitions
EPG
Definitions
Policy Plane
Integration
Tetration
Analytics
SPAN
Policy
Push
Tetration
Telemetry

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Summary

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Data Center Security
Visibility
“See Everything”
Complete visibility of users,
devices, networks, applications,
workloads and processes
Threat Protection
“Stop the Breach”
Quickly detect, block, and respond to
attacks before hackers can steal data
or disrupt operations
Segmentation
“Reduce the Attack Surface”
Prevent attackers from moving
laterally east-west within the DC
with application whitelisting

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Questions?

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Merci!!
Thank you!!