2. Security Challenges
50B Devices Connected by 2020; $19T Opportunity; Digital Disruption, Massive Scale
Active Adversaries: Attack surface, Threat Actors, Attack Sophistication
Security Industry: Rapidly expanding number of security companies, Not interoperable, Not open
Changing Business Models; Dynamic Threat Landscape; Complexity and Fragmentation
4. How Often is Your Board Formally Updated on Cybersecurity Risks?
[Bar chart comparing 2015 and 2017 responses across Monthly, Quarterly, Semi-Annual, Annually, Never; value labels as extracted (mapping to individual bars not recoverable): 4%, 9%, 38%, 57%, 29%, 21%, 25%, 13%, 4%, 0%]
Source: Survey of 100 Global CISOs, February 2017
5. 90% of the world’s data today has been created in the last 2 years alone
Today, DATA is where the money is
Source: Ben Walker, Marketing Executive at vouchercloud – April 5, 2015
14. OpenAppID: Application Visibility & Control
Provide next-generation visibility into app usage
• See and understand risks
• Enforce granular access control
• Prioritize traffic and limit rates
• Create detectors for custom apps
Cisco database: 4,000+ apps, 180,000+ micro-apps
[Diagram: (1) Network & users → (2) Prioritize traffic]
15. OpenAppID: Extend AVC to proprietary and custom apps
• Easily customize application detectors
• Detect custom and proprietary apps
• Share detectors with other users
Open-Source, Self-Service
16. Web controls: Block or allow access to URLs and domains
• Classify 280M+ URLs
• Filter sites using 80+ categories
• Manage “allow/block” lists easily
• Block latest malicious URLs
[Diagram: Admin builds category-based policy (Allow / Block) from the Cisco URL Database; security feeds (URL | IP | DNS) drive NGFW filtering, DNS Sinkhole and Safe Search; example blocked category: gambling]
17. Next-Generation Intrusion Prevention System (NGIPS): Understand threat details and quickly respond
• Scan network traffic
• Correlate data
• Detect stealthy threats
• Respond based on priority
[Diagram: (1) communications, app & device data and data packets are scanned; (2) blended threats are correlated: network profiling, phishing attacks, innocuous payloads, infrequent callouts; (3) response is prioritized: accept, block, automate policies via ISE]
18. Advanced Malware Protection (AMP): Uncover hidden threats in the environment
• Block known malware
• Investigate files safely
• Detect new threats
• Respond to alerts
File Reputation: Known Signatures, Fuzzy Fingerprinting, Indications of compromise
Threat Grid Sandboxing: Advanced Analytics, Dynamic analysis, Threat intelligence
[Diagram: AMP for Network log and AMP for Endpoint log feed File & Device Trajectory; Sandbox Analysis yields a Threat Disposition (Safe / Risky / Uncertain) that is enforced across all endpoints]
19. Cisco Advanced Malware Protection (AMP) Deployment Options
Get Visibility and Control across all attack vectors to defend against today’s most advanced threats.
• AMP for Endpoints: Protect your Endpoints! Get visibility into file and executable-level activity, and remediate advanced malware on devices running Windows, Mac OS, Linux, and Android.
• AMP for Firewalls: Supercharge your next-generation firewall by turning on AMP capabilities on the Cisco Firepower NGFW or the Cisco ASA with Firepower Services.
• AMP for Networks: Get deep visibility into threat activity and block advanced malware with AMP deployed as a network-based solution running on AMP-bundled security appliances (NGIPS).
• AMP for Web: Add AMP to a Cisco Web Security Appliance (WSA) or Cisco Cloud Web Security (CWS) and get visibility and control to defend against advanced threats launched from the web.
• AMP for Email: Add AMP to a Cisco Email Security Appliance (ESA) and get visibility and control to defend against advanced threats launched via email.
• AMP for ISR: Combat and block network-based threats by deploying AMP capabilities on the Cisco Integrated Services Router (ISR).
• AMP for Private Cloud Virtual Appliance: For high privacy environments that restrict the use of the public cloud, use an on-premises, air-gapped private cloud deployment of AMP for Networks or AMP for Endpoints.
• Threat Grid: An on-premises appliance or cloud-based solution for static and dynamic malware analysis (sandboxing) and threat intelligence.
20. Available in multiple deployment options
New Appliances: Cisco Firepower Threat Defense on ASA 5500-X; Cisco Firepower Threat Defense on 2100
And on high-end performance appliances… Cisco Firepower™ 4100 Series and 9300
Also available as standalone solutions: Dedicated AMP; NGIPS only
Physical, virtual, and cloud options
• AWS
• Azure
22. Firepower Management Center: Easily manage NGFWs across multiple sites
• Manage across many sites
• Control access and set policies
• Investigate incidents
• Prioritize response
Firepower Management Center: Centralized management for multi-site deployments
• Multi-domain management
• Role-based access control
• High availability
• APIs and pxGrid integration
Managed capabilities: NGIPS; Firewall & AVC; AMP; Security Intelligence
…Available in physical and virtual options
23. Premiere Portfolio in the Industry
UTM; Network Analytics; Advanced Malware; Secure Internet Gateway; Web; Policy and Access; Email; NGFW/NGIPS; Cloud Access Security
Talking Points:
Climate today and Security Challenges
Today we are witnessing Digital Disruption on a massive scale.
It is driving exponential growth in the number of online devices.
Imagine 50 BILLION CONNECTED DEVICES by 2020! (up from 15B devices today).
No business, industry, or government is immune from this digital disruption.
Digitization is a $19 trillion opportunity.
Add to that the reality that we are facing Active Adversaries
Attackers with a level of sophistication and professionalism that challenges the organization’s ability to cope.
They are motivated by financial gain and sometimes hacktivism. They understand their targets—down to their likes and dislikes and how they conduct business.
They exploit any weakness they find ruthlessly.
This all means attackers are agile, while companies can’t always say the same.
And our Security Industry is Fragmented
There are hundreds of security companies out there . . . you know them!
And new companies are spawned daily touting new security boxes /new protection for the enterprise.
And these security products are seldom open or interoperable.
Do any of these conditions describe your situation?
These factors pose security challenges for every business
Many enterprises’ security response has been a patchwork of point products assembled into a security posture.
This undermines the goal of more effective security.
Talking Points:
I travel a fair amount . . . in the last 6 months I have been to 2 spots: China, Singapore, Poland, UK, Australia, Japan, all across the US
Themes I hear. . .
Ransomware
People shortage – automation helps you solve it
Mobile workforce
IoT – hospitals
Cloud apps
Complexity
Integrated architecture à la Cisco can solve all
Talking Points:
Playing To Technical Stereotype Draws Attention Away From Key Areas
CISOs have been demanding greater business engagement for many years. Unfortunately, they haven't heeded that this desired change will require them to realign priorities and build new skills. Several factors have held back their progress:
Security leaders still tend to be rooted in technology. More than half (54%) of security decision-makers say security and risk at their company is still mainly tech-focused, and a similar percentage report that their CISO continues to report into IT (55%).
Conversely, only 3% of security decision-makers have a more rounded view with their CISO reporting into enterprise risk. It is unsurprising, then, that most CISOs approach security from a technical perspective.
This also means that they often struggle with financial decisions, corporate communications, organizational design, commercial hurdles, and other challenges that are increasingly growing as the role demands more business knowledge and skillset.
Talking Points:
We are creating lots of data
As a matter of fact, we are creating more data now than we’ve ever created in the history of mankind
In the last 2 years alone, we’ve created 90% of the world’s data
And what’s creating all this data?
It’s all these megatrends you read about: IOT / cloud/ explosion of mobile devices
As we create more data, the pot of gold for these cybercriminals is growing bigger and bigger
At the same time, the tools available for these criminals are becoming way more sophisticated and easier to access. . .these tools, like ransomware, are offered online as a service you can buy
Let’s face it. Companies are spending a lot of money on security . . . so why is it that they continue to get breached? Why is that?
The way the Industry has chosen to address these problems is not working. Let me explain to you why. . .
Source: Ben Walker, Marketing Executive at vouchercloud – April 5, 2015
2.5 quintillion bytes of data created every day
Talking Points:
The cyber security business is massive
Billions of dollars. . .
For the last 20 years, the industry has approached this problem the SAME WAY
If you have a problem, here’s a box we can sell you. . .and we might sell you some software too
Talking Points:
This is actually what the security landscape in a company looks like
And this is not an exaggeration. . .but a fact
The average enterprise has between 50 and 100 different security vendors in their environment
Think about that for a moment
Not different products. . .it’s different vendors
If you look closely at all these different areas, you can see that Cisco competes in most of these quadrants
And this complexity continues to accelerate, especially as new threats evolve regularly.
This complexity is creating massive headaches for our customers. . .
And let’s be honest with ourselves . . . Our customers are NOT more secure.
Companies are still getting breached!
Why is that?
Does the technology not work?? Are they not deploying it correctly?
Have you ever stopped to ask yourself these questions???
As you continue to add more technologies on top of each other, it actually becomes LESS EFFECTIVE
We at Cisco believe we can approach this problem differently. . .that we can be part of the solution. . . .
Listen, I am not telling you to sell less boxes. . .but I am asking you to take a DIFFERENT APPROACH to help our customers reduce what we call the Security Effectiveness Gap
Talking Points:
FIRST CLICK
It’s really quite simple
As our customers attempt to stay out in front of all these cyber threats, they’re investing in technologies in the form of many new boxes and software.. . . to add capabilities
But what’s happening is these capabilities hit a plateau. . .they’re flat lining. . .
Even when they’re spending more and more money
NEXT CLICK
And at the same time, the complexity goes thru the roof
That’s because these boxes are not integrated.
And it creates what we call this effectiveness gap. . .
It’s a management nightmare. . . trying to manage all these different type of siloed technologies. . . .the technologies in many cases do not talk with each other
And it’s very difficult to make sense of all the data coming at you. . .
What do you respond to? What’s relevant??
NEXT CLICK
What we have done at Cisco is this: We’ve turned the tables on this effectiveness gap. .. and REVERSED this challenge that our customers are dealing with
And we are actually doing this TODAY
We are increasing customer’s capabilities while reducing complexity
We’re actually doing this by investing in automation. . .and developing technologies that work together, reducing your time to detection
As we all know, when it comes to security, speed matters
Let me frame this up for you: the industry standard is that it takes customers 100 days to detect that they have been breached
Our approach is working -- we have taken time to detection down to 13 hours, which leads the industry. .. . . .and we want to take this down even further, to minutes.
NO ONE can close the effectiveness gap like we can – no one can do it without effective security built upon an integrated architecture.
Transition: It starts with best of breed products that are integrated into a single architecture. .
Talking Points:
Here is the strategy moving forward
It’s about the industry’s most effective security portfolio – starting with our best of breed portfolio that fit together into an integrated architecture working together for simpler and more effective security.
We have security on the network, in the cloud and on endpoints. Then you couple that with world class intelligence. . . and what is threat intelligence?
That word gets thrown around a lot…
Threat intelligence is in its essence gives you a list of items which you need to block…
And our brand of threat intelligence at Cisco is Talos
So what Talos does is it takes incredible machine learning capabilities where they look at the security posture of the internet plus threat feeds from all of our technologies. . .and they couple that with human intelligence to proactively discover and respond to the latest threats.
In Talos, we have over 250 threat intelligence researchers who are the best in the industry. They push their learnings back out throughout our architecture and to all of Cisco’s security products . . . this information is automated and continuously updated.
When you tie these all together with threat intelligence…it takes an architectural approach like this to improve security effectiveness and drive the cost and complexity out of the environment.
Integrated Threat Defense
You’ve heard of Integrated Threat Defense - when best of breed technologies come together into an architecture with integrated threat defense—these products work together seamlessly for a systemic response -- see a threat once and protect everywhere – automatically.
This makes our networks harder to penetrate and as importantly, with automated responses, makes security simpler.
This automation means we block more threats outright, we contain breaches faster and limit their scope, meaning there is far less time and money spent recovering from breaches.
This is our force multiplier – manual burdens are lifted off of IT teams so are more effective and focused on projects that grow the business.
And that’s how you solve the security conundrum we’ve been talking about.
All of our customers are trying to PROTECT their network, endpoint and Cloud. . .Clearly these all have to work together.
In order to reduce the threats you face, you need the best threat intelligence. Cisco Talos is the largest threat detection network in the world, monitoring 35% of global email traffic, including 600 billion email messages and 1.5 million malware samples daily.
Talos is a recognized leader in threat detection as validated by NSS Labs. With over 250 highly skilled malware reverse engineers, threat analysts, and zero-day vulnerability research engineers, Talos catches threats that traditional security infrastructure and analysis systems can’t.
Talos has unique insight into email-based threats due to SenderBase reputation filtering. Our diverse customer base allows us to address and identify threats with unparalleled speed and agility. Each day we inspect billions of emails, drawing on the layered detection technologies we’re going to talk about today. Talos blocks 200 billion malicious emails a day, or 2.3 million blocks per second.
With Talos, you’re able to see more anomalies, network intrusions and threats because Cisco delivers a 24/7 view into global traffic activity and keeps you up-to-date with the latest intelligence every 3-5 minutes. No other company can offer this comprehensive intelligence.
Live map of threats today: Malware = http://beta.senderbase.org/ebc_malware/. Email Spam = http://beta.senderbase.org/ebc_spam/.
Talos is a combination of Cisco’s old SIO (Security Intelligence Operations) and the Sourcefire Vulnerability Research Team (VRT), amongst others, and also maintains open-source Snort and SenderBase. Talos fits into the broader Cisco Collective Security Intelligence (CSI) ecosystem, which also includes TRIAD (threat response, intelligence and development), Managed Threat Defense and Security Operations.
Talking Points:
A recent study shows that Cisco’s architectural approach helps customers save money
When you compare a point-products approach with our architectural approach,
their overall findings show customers can see a 30+% TCO reduction and 38% ROI over a three-year period.
Let’s look at the details
Hardware, Software and Annual Support
IT and Security Productivity
Reduced Business & End User Downtime
Reduced Risk of Data Breach
These savings are from the Forrester white paper on TCO and Cisco’s Architectural Approach to Security, based on real Cisco customer input data.
Broken into 5 stories, the Security Business Outcomes help you sell this architecture. You can use them to walk a customer through an effective security posture step by step, but are also modular so you can jump ahead if a customer is interested in one solution over another.
Each story is anchored to a specific problem, one of our hero products, and complementary Cisco services.
First is “Stop threats at the edge” and it highlights the Firepower NGFW.
Second, “Protect users wherever they are” which positions the value of Cisco Umbrella.
Third, “Control who gets onto your network” demonstrating the power of the Identity Services Engine.
Fourth, “Simplify network segmentation” speaking to TrustSec and the network as an enforcer of policy.
Finally, “Find and contain problems fast” focusing on how AMP tracks, contains and remediates breaches faster than any other product in the industry.
“Segment your network” not great as an outcome - it’s more the process. Should be “stop lateral movement"
no edge - digitization is about an attack surface
No Security advisory services
Vertical alignment - that is how the field sells
Add SLN to infra
what do we say about IOT?
KEVIN/BRIAN:
Every one of these needs to include the secondary products too; if plan A doesn’t work, plan B discussions i.e. last one, AMP; also leads to RTC
AnyConnect “Protect users wherever…” also visibility, leverage install base
simplifying management of network (instead of segmenting/lateral movement) accelerate digitization through automation
Value around how complex the segmentation is “Simplify network segmentation”
Hello, welcome. My name is ____________ and I’m with Cisco. Thanks for taking the time to meet with me today to talk about the Cisco Firepower NGFW, the industry’s first fully integrated threat-focused next-generation firewall for environments of all types.
T: We all know that protecting the business is critical, yet it’s getting harder to keep up.
<Click>
…Control access to applications with Application Visibility and Control.
Traditional firewalls rely on filtering rules tied to the IP address, port or protocol.
AVC identifies applications using a database of more than 4,000 applications and 180,000 micro-applications. This makes it possible to allow or block access to an application according to the user’s profile.
The goal is to limit non-business applications or those that can be a source of threats (file-sharing, gaming or chat applications).
AVC can allow certain applications while blocking micro-applications such as chat within Facebook, for example, or file transfer.
Social media is taking a larger place in companies, but not everyone uses it for business purposes. Control can be customised by group. For example, an ordinary user may like or retweet a piece of information, but only members of the Marketing group may post new content such as images or videos.
Forbid Remote Desktop Protocol (RDP) for users who do not need it, such as finance staff.
Our open-source version lets administrators extend the level of control to specific applications through OpenAppID.
Beyond the applications that are already referenced,
OpenAppID allows the creation of application signatures to identify applications specific to the company:
medical or industrial applications, for example.
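The group-aware application control described above (slides 14 and 15 and the notes just read) can be shown as a small policy engine. This is an added example, not Cisco code and not a real OpenAppID detector (those are written against Snort's OpenAppID API): the HTTP host/path detectors, the "medlab-lims" custom app, the group names and the rule order are all assumptions made up for illustration.

```python
import re

# Constructed stand-ins for application detectors. Each entry maps a host pattern
# plus an optional path pattern to an (app, micro_app) pair. Order matters: the
# more specific micro-app detectors must come before the catch-all "browse" entry.
# The last entry is a hypothetical company-specific (custom) application.
HTTP_DETECTORS = [
    (re.compile(r"(^|\.)facebook\.com$"), re.compile(r"^/messages"), "facebook", "chat"),
    (re.compile(r"(^|\.)facebook\.com$"), re.compile(r"^/upload"), "facebook", "file_transfer"),
    (re.compile(r"(^|\.)facebook\.com$"), re.compile(r"^/composer"), "facebook", "post"),
    (re.compile(r"(^|\.)facebook\.com$"), None, "facebook", "browse"),
    (re.compile(r"(^|\.)twitter\.com$"), re.compile(r"^/compose"), "twitter", "post"),
    (re.compile(r"(^|\.)twitter\.com$"), None, "twitter", "browse"),
    (re.compile(r"^lims\.corp\.example$"), None, "medlab-lims", None),  # custom app (assumed)
]

# Policy rules: (user group or "*", app or "*", micro-app or "*", action); first match wins.
POLICY = [
    ("marketing", "facebook", "post", "allow"),   # only Marketing may publish
    ("*", "facebook", "post", "block"),
    ("*", "facebook", "chat", "block"),           # micro-app blocked for everyone
    ("*", "facebook", "file_transfer", "block"),
    ("*", "facebook", "*", "allow"),              # browsing / liking stays allowed
    ("marketing", "twitter", "post", "allow"),
    ("*", "twitter", "post", "block"),
    ("*", "twitter", "*", "allow"),
    ("it-ops", "rdp", "*", "allow"),              # RDP only for the group that needs it
    ("*", "rdp", "*", "block"),
    ("lab", "medlab-lims", "*", "allow"),         # custom app restricted to the lab group
    ("*", "medlab-lims", "*", "block"),
    ("*", "*", "*", "allow"),                     # default for everything else
]


def detect(flow):
    """Identify (app, micro_app) for a flow described as a dict (constructed shape:
    {"port": int, "host": str, "path": str}); port 3389 stands in for RDP detection."""
    if flow.get("port") == 3389:
        return "rdp", None
    host = flow.get("host", "").lower()
    path = flow.get("path", "/")
    for host_re, path_re, app, micro in HTTP_DETECTORS:
        if host_re.search(host) and (path_re is None or path_re.match(path)):
            return app, micro
    return "unknown", None


def decide(group, flow):
    """Return (action, app, micro_app) for a user group and a flow."""
    app, micro = detect(flow)
    for rule_group, rule_app, rule_micro, action in POLICY:
        if rule_group in ("*", group) and rule_app in ("*", app) and rule_micro in ("*", micro):
            return action, app, micro
    return "block", app, micro  # unreachable while the catch-all rule exists


if __name__ == "__main__":
    fb_post = {"port": 443, "host": "www.facebook.com", "path": "/composer/new"}
    print(decide("marketing", fb_post))   # ('allow', 'facebook', 'post')
    print(decide("sales", fb_post))       # ('block', 'facebook', 'post')
    print(decide("finance", {"port": 3389}))  # ('block', 'rdp', None)
```

The important design point is that the micro-app detectors run before the generic "browse" detector, so a single policy rule can allow an application while other rules block specific functions inside it.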
View alerts and control suspicious web traffic. Apply policies to hundreds of millions of URLs classified into more than 80 categories.
Customisation of URLs against restriction lists
DNS Sinkhole?
Blacklisting at the DNS level of known domains that may be malicious
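The web-control flow on slide 16 (category database, allow/block lists, security feeds and a DNS sinkhole) can be modelled end to end. This is an added example, not Cisco's URL-filtering code: the category entries, the security feed, the precedence order (security feed, then explicit block list, then explicit allow list, then category) and the sinkhole address are all constructed assumptions.

```python
from urllib.parse import urlsplit

SINKHOLE_IP = "10.255.255.1"  # assumed address of an internal sinkhole host

# Constructed stand-in for the URL category database (the real one holds 280M+ URLs)
CATEGORY_DB = {
    "casino-example.test": "gambling",
    "lottery-example.test": "gambling",
    "news-example.test": "news",
    "video-example.test": "streaming",
}
MALICIOUS_FEED = {"bad-example.test", "c2-example.test"}  # constructed security feed (URL | IP | DNS)
BLOCKED_CATEGORIES = {"gambling"}
ALLOW_LIST = {"lottery-example.test"}   # explicit exception to the gambling category
BLOCK_LIST = {"video-example.test"}     # explicit block regardless of category


def _matches(host, names):
    """True if host or any parent domain is in names (www.x.test matches x.test)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in names for i in range(len(labels)))


def categorize(host):
    """Longest-suffix category lookup; subdomains inherit the parent's category."""
    labels = host.split(".")
    for i in range(len(labels)):
        cat = CATEGORY_DB.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"


def check_url(url):
    """Return (action, reason) for a requested URL."""
    host = (urlsplit(url).hostname or "").lower()
    if _matches(host, MALICIOUS_FEED):
        return "block", "security-feed"
    if _matches(host, BLOCK_LIST):
        return "block", "block-list"
    if _matches(host, ALLOW_LIST):
        return "allow", "allow-list"
    cat = categorize(host)
    if cat in BLOCKED_CATEGORIES:
        return "block", "category:" + cat
    return "allow", "category:" + cat


def resolve(domain, upstream_answer):
    """DNS sinkhole: answer a blacklisted name with the sinkhole address instead of the real one."""
    if _matches(domain.lower(), MALICIOUS_FEED):
        return SINKHOLE_IP
    return upstream_answer


def find_infected_hosts(connection_log):
    """Hosts that connect to the sinkhole tried to reach a blacklisted domain, which is
    exactly the detection value of a sinkhole. connection_log: iterable of (src_ip, dst_ip)."""
    return sorted({src for src, dst in connection_log if dst == SINKHOLE_IP})


if __name__ == "__main__":
    print(check_url("http://www.casino-example.test/play"))   # ('block', 'category:gambling')
    print(resolve("c2-example.test", "203.0.113.5"))           # 10.255.255.1
    log = [("10.1.1.5", SINKHOLE_IP), ("10.1.1.6", "203.0.113.7")]  # constructed connection log
    print(find_infected_hosts(log))                            # ['10.1.1.5']
```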
The Snort rule format developed by Cisco is an open-source standard that is by far the most widely used in the industry. Unlike the formats used by its competitors, Snort® rules can be inspected, edited and even modified directly on a Cisco sensor or through the FireSIGHT Management Center.
The detection core of Cisco NGIPS relies on Snort® vulnerability-detection rules, with more than 100,000 active users.
In addition, the rules certified by Cisco are developed by the Talos vulnerability research team (a merger of Cisco’s SIO and Sourcefire’s VRT teams). This team is made up of experts whose job is to research, analyse and respond to the latest threats, intrusion attempts and network vulnerabilities.
These rules, based on detecting the vulnerability itself, protect against “zero-day” attacks by detecting any possible exploit of the same vulnerability. So if an attack variant appears, it is detected by the same Snort® rule and does not require a new signature. Snort® rules protect, among others, against the following attack types:
* Worms
* Trojans
* Port scans
* Buffer overflow attacks
* Denial-of-service attacks
* Spyware
* Protocol anomalies
* Malformed traffic
* Invalid headers
* VoIP attacks
* IPv6 attacks
* Fragmentation attacks and evasions
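The difference between an exploit signature and a vulnerability-based rule, which the notes above use to explain why one Snort rule covers attack variants, is easiest to see side by side. This is an added example, not Talos rule content: the protocol (a line-based command `USER <name>`), the 32-byte buffer limit, the sample messages and the illustrative Snort rule in the comment are all constructed assumptions.

```python
import re

BUFFER_SIZE = 32  # assumption: the vulnerable server copies the USER argument into a 32-byte buffer

# Exploit-signature approach: match one specific known payload (constructed).
KNOWN_PAYLOAD = b"USER " + b"A" * 40


def exploit_signature_rule(msg: bytes) -> bool:
    """Fires only when the exact known payload appears; any variation evades it."""
    return KNOWN_PAYLOAD in msg


# Vulnerability-based approach: describe the condition that triggers the flaw
# (argument longer than the buffer), independent of the bytes used to fill it.
# An illustrative Snort rule expressing the same condition would be roughly:
#   alert tcp any any -> any 21 (msg:"USER argument exceeds 32 bytes";
#     pcre:"/^USER\s[^\r\n]{33,}/i"; sid:1000001;)
USER_CMD = re.compile(rb"^USER (?P<arg>[^\r\n]*)", re.IGNORECASE)


def vulnerability_rule(msg: bytes) -> bool:
    """Fires for any USER argument longer than the buffer, whatever its content or case."""
    m = USER_CMD.match(msg)
    return m is not None and len(m.group("arg")) > BUFFER_SIZE


# Constructed sample messages as a sensor might see them.
SAMPLES = {
    "legit": b"USER alice\r\n",
    "known_exploit": KNOWN_PAYLOAD + b"\r\n",
    "variant": b"USER " + b"B" * 48 + b"\r\n",            # different filler bytes
    "lowercase_variant": b"user " + b"C" * 33 + b"\r\n",  # case change, just over the limit
    "long_other_cmd": b"PASS " + b"D" * 60 + b"\r\n",     # long, but not the vulnerable field
}


def evaluate(samples=SAMPLES):
    """Map each sample name to (signature_fired, vulnerability_rule_fired)."""
    return {name: (exploit_signature_rule(m), vulnerability_rule(m)) for name, m in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:18s} signature={verdict[0]!s:5s} vulnerability={verdict[1]}")
```

The two variants are caught by the vulnerability rule and missed by the signature, while the overlong `PASS` line shows that the rule is still specific to the vulnerable field rather than to "anything long".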
T: Then, you can…
<Click>
File reputation analysis: advanced analytics and pooled threat intelligence determine whether a file is malicious. Detections are therefore more accurate.
When this function is enabled, for each binary detected, FirePOWER computes its hash, then queries the TALOS reputation database for the score associated with that hash.
For every negative score (corresponding to a binary known by Cisco to be malicious), a file-blocking action is taken, preventing risky binaries from entering the information system.
Reputation scores exist for all malicious binaries already analysed by TALOS. The TALOS teams assign reputation scores to more than 1.5 million malicious binaries per day.
File analysis by sandboxing: lets you execute, analyse and test malicious behaviour in a highly secured environment. You are thus able to identify previously unknown “zero-day” threats. Optionally, this sandbox can be installed on premises.
Retrospective detection: alerts are triggered if a file’s disposition changes during deeper analysis. You can therefore identify malware that got past the first line of defence.
Indicators of compromise: correlate and prioritise file and telemetry events to detect potentially active breaches. High-risk events are therefore ranked by priority.
File trajectory: provides visibility into how files spread across your environment and lets you track them continuously. You can determine the scope of a malware attack much faster.
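The sequence in the notes above (hash the file, look up its reputation, block on a negative score, queue unknowns for the sandbox, then raise retrospective alerts and use the file trajectory when a verdict changes) can be put together in one small inspector. This is an added example, not AMP or Talos code: the SHA-256 choice, the reputation table, the sample files and the "negative score means malicious" convention are constructed assumptions following the text.

```python
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample files standing in for binaries seen on the wire.
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.4 constructed harmless content",
    "dropper.exe": b"MZ constructed known-malicious sample",
    "tool.exe": b"MZ constructed never-seen-before sample",
}

# Constructed reputation table keyed by hash: negative = known malicious, positive = known clean.
REPUTATION = {
    sha256_hex(SAMPLE_FILES["dropper.exe"]): -100,
    sha256_hex(SAMPLE_FILES["invoice.pdf"]): 80,
}


class FileInspector:
    def __init__(self):
        self.trajectory = defaultdict(list)  # hash -> [(host, filename), ...]
        self.dispositions = {}               # hash -> "clean" | "malicious" | "unknown"
        self.sandbox_queue = []              # hashes awaiting dynamic analysis
        self.alerts = []                     # retrospective alerts

    def inspect(self, host, filename, data):
        """Return (action, disposition) for a file seen on a host, recording its trajectory."""
        h = sha256_hex(data)
        self.trajectory[h].append((host, filename))
        disposition = self.dispositions.get(h)  # a locally cached (possibly updated) verdict wins
        if disposition is None:
            score = REPUTATION.get(h)
            if score is None:
                disposition = "unknown"
                self.sandbox_queue.append(h)     # never seen: send to the sandbox
            else:
                disposition = "malicious" if score < 0 else "clean"
            self.dispositions[h] = disposition
        return ("block" if disposition == "malicious" else "allow"), disposition

    def update_disposition(self, h, new_disposition):
        """Apply a later verdict (e.g. from the sandbox). If a file previously let through
        turns out malicious, raise a retrospective alert for every place it was seen."""
        old = self.dispositions.get(h)
        self.dispositions[h] = new_disposition
        if h in self.sandbox_queue:
            self.sandbox_queue.remove(h)
        affected = list(self.trajectory[h])
        if old != "malicious" and new_disposition == "malicious":
            for host, filename in affected:
                self.alerts.append(("retrospective", host, filename, h))
        return affected


if __name__ == "__main__":
    insp = FileInspector()
    print(insp.inspect("host-a", "dropper.exe", SAMPLE_FILES["dropper.exe"]))  # ('block', 'malicious')
    print(insp.inspect("host-a", "tool.exe", SAMPLE_FILES["tool.exe"]))        # ('allow', 'unknown')
    print(insp.inspect("host-b", "tool.exe", SAMPLE_FILES["tool.exe"]))        # ('allow', 'unknown')
    h = sha256_hex(SAMPLE_FILES["tool.exe"])
    print(insp.update_disposition(h, "malicious"))  # [('host-a', 'tool.exe'), ('host-b', 'tool.exe')]
    print(insp.inspect("host-c", "tool.exe", SAMPLE_FILES["tool.exe"]))        # ('block', 'malicious')
```

The trajectory is what turns a changed verdict into a scoped response: the retrospective alert names every host that already received the file, which is the "determine the scope of an attack much faster" point in the notes.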
ASA range with the Firepower Threat Defense code
SMB, branch offices, large enterprises
Code that can be enabled on the ASA 5500-X range
FP 2100
Environments: Internet edge, data centres
Throughput between 1.9 Gbit/s and 8.5 Gbit/s
Threat inspection between 1.9 Gbit/s and 8.5 Gbit/s
Stateful firewall, Cisco Application Visibility and Control, next-generation intrusion prevention system, AMP, URL
FP4100
Internet edge, high-performance environments
Throughput between 20 Gbit/s and 60 Gbit/s
FP9300
Telecom operators, data centres
Throughput up to 225 Gbit/s
Threat inspection up to 90 Gbit/s
Firewall, Cisco Application Visibility and Control, next-generation intrusion prevention system, AMP, URL, DDoS
T: …Obtain the visibility and control you need with multiple management options. These enable you to…
<Click>
…Get comprehensive visibility and control in one centralized location through an enhanced user interface with the Firepower Management Center.
The Firepower Management Center is optimized for multi-site deployments, offering the ability to manage all Firepower appliances across distributed locations in one central place.
To support Multiple Domain Management and make policy administration more efficient, the Firepower Management Center provides the ability to create a hierarchy of policies. Global Policies (e.g., access, inspection) can be established that will apply to all management environments. A policy hierarchy can then be constructed underneath the Global Policy level to represent different environments, different companies, different business units, or different parts of the organization. Each of these policy environments inherits the policies of the hierarchy above it, allowing for more consistent and efficient policy management.
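The policy inheritance just described can be modelled to show how a leaf domain ends up with the global rules on top of its own. This is an added example, not Firepower Management Center code or its policy model: the domain names, the rule shape (zone and port matching), the rule that ancestors are evaluated first and cannot be overridden by descendants, and the implicit deny are all constructed assumptions.

```python
class PolicyDomain:
    """One level in the policy hierarchy (Global -> business unit -> sub-unit)."""

    def __init__(self, name, parent=None, rules=()):
        self.name = name
        self.parent = parent
        self.rules = list(rules)

    def path(self):
        return (self.parent.path() + [self.name]) if self.parent else [self.name]

    def effective_rules(self):
        # Ancestor rules come first, so a mandatory global rule is matched before any
        # child rule and a child cannot override it (assumption for this example).
        inherited = self.parent.effective_rules() if self.parent else []
        return inherited + self.rules


def _match(rule, flow):
    """A rule matches when every attribute it specifies equals the flow's value."""
    return all(rule[k] == flow.get(k) for k in ("src_zone", "dst_zone", "dst_port") if k in rule)


def evaluate(domain, flow):
    """First-match evaluation over the domain's effective rule list; deny if nothing matches."""
    for rule in domain.effective_rules():
        if _match(rule, flow):
            return rule["action"], rule["name"]
    return "block", "implicit-deny"


# Constructed hierarchy: Global on top, two regions, and a business unit under EMEA.
GLOBAL = PolicyDomain("Global", rules=[
    {"name": "global-no-telnet", "dst_port": 23, "action": "block"},
    {"name": "global-allow-dns", "dst_zone": "dmz", "dst_port": 53, "action": "allow"},
])
EMEA = PolicyDomain("EMEA", GLOBAL, rules=[
    {"name": "emea-allow-portal", "dst_zone": "dmz", "dst_port": 8443, "action": "allow"},
])
APAC = PolicyDomain("APAC", GLOBAL)
FINANCE = PolicyDomain("Finance", EMEA, rules=[
    {"name": "finance-no-rdp", "dst_port": 3389, "action": "block"},
    {"name": "finance-allow-erp", "dst_zone": "datacenter", "dst_port": 1433, "action": "allow"},
])


if __name__ == "__main__":
    print(FINANCE.path())  # ['Global', 'EMEA', 'Finance']
    print(evaluate(FINANCE, {"src_zone": "inside", "dst_zone": "dmz", "dst_port": 23}))    # ('block', 'global-no-telnet')
    print(evaluate(FINANCE, {"src_zone": "inside", "dst_zone": "dmz", "dst_port": 8443}))  # ('allow', 'emea-allow-portal')
    print(evaluate(APAC, {"src_zone": "inside", "dst_zone": "dmz", "dst_port": 8443}))     # ('block', 'implicit-deny')
```

Finance inherits both the Global telnet block and the EMEA portal rule without restating them, while APAC, which sits under Global only, does not see the EMEA rule; that is the consistency benefit the notes describe.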
It integrates seamlessly with all Firepower appliances to enable consistent policy enforcement and provide summarized deployment reports. This enables you to take full advantage of the NGFW's Firewall & AVC, NGIPS, and AMP capabilities, as well as its security intelligence feeds, further enhancing your protection. This includes management of NAT & Routing, SSL, Identity, Rate limiting, and Active/Passive Authentications, and enables you to coordinate Intrusion & Malware prevention capabilities as well as perform analytics, correlation, and remediation from one centralized platform.
The Firepower Management Center leverages the NGFW's capabilities to offer unprecedented visibility and control of network activity through a centralized interface. All traffic can be viewed through comprehensive reporting, with customizable tables, graphs, and charts. Alerts and risk reports provide immediate notification of potential issues, and rule recommendations let you know how best to respond.
Cisco Firepower Management Center’s comprehensive impact assessment relies on information from passive discovery, including OS, clients, and server applications. It allows analysts to focus on the smaller subset of events they are vulnerable to, and prioritizes threats targeting those vulnerabilities. This helps to focus the attention of security administrators and can eliminate up to 99 percent of the ‘noise’ associated with security monitoring and response.
The Firepower Management Center is also designed to meet your network needs, available in physical and virtual options, and built for high availability.
T: In addition to being able to easily manage a multi-site NGFW deployment, you’re also able to…
<Click>
Talking Points:
With Cisco, your customers get the most effective portfolio AND an entire security architecture that works across the extended enterprise. . .in a way only Cisco can…because we’ve been collecting and driving intelligence across networks for years.
You’ve heard of the saying “The whole is worth more than the sum of the parts”, right?
Our portfolio comes together into an integrated architecture, one that provides coordinated responses, visibility and intelligence – which is key for effective security – to see a threat in one place and instantly protect against it everywhere.
I won’t get into detail with all the products here…except to say we have the most advanced portfolio for advanced attacks….protection for endpoints, email and web security gateways…cloud-based and cloud access security products…protection for secure access to the enterprise network, from any device, at any time, in any location …
And we tie them together with our integrated architectural approach.