Defense Against Emerging Threats
BRKSEC-1010
Neil Lovering
CCIE #1772
Consulting Systems Engineer – Security [email protected] @NeilLovering
© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-1010 Cisco Public
Preview
• The Cyber Security Landscape
• Common Cyber Security Themes
• Cisco Cyber Solutions
• Cyber Futures
• Q&A
About the Host
• Active CCIE (#1772)
– First earned 18 years ago
– Recertified (again) summer ’13
• Fluent in Bostonian
• Used to jump out of “perfectly good” airplanes
• Can judge a swim meet but cannot swim half the strokes
• Do my best to fight the pains of age
• Run, lift, hike, drink beer, etc.
The Cyber Security Landscape
The Ultimate Cyber Protection
• If you are connected, you are vulnerable
– The only true way to protect yourself is to disconnect
– But what about Stuxnet? It reached air-gapped systems on removable media
• Problem – ‘Off the grid’ is unlikely in today’s world
• Realistic alternative – Understand the environment and create layers of defense
Cyber Security
• One of the Top 5 ‘Most Likely’ global risks (World Economic Forum, Global Risks 2014)
• Security is and always has been an integral part of any network
– Captain Spock voice
• Today’s networks are more critical and almost always online
– Utilities
– Healthcare
– Financial
– Government
– Military
Cyber Security Motivation – Laws and Regulations
• Sarbanes-Oxley Act (SOX)
– Monitoring / Visibility
– Risk Management
• Payment Card Industry Data Security Standard (PCI DSS) – a contractual industry standard rather than a law
– Access control
– Role-based access
– Monitoring / Visibility
• Gramm-Leach-Bliley Act (GLBA)
– Access control
– Role-based access
– Monitoring / Visibility
• Customs-Trade Partnership Against Terrorism (C-TPAT)
– Accountability
– Monitoring / Visibility
Cyber Security Motivation – Industry Guidelines and Requirements
• Federal Information Security Management Act (FISMA)
– Monitoring / Visibility
• North American Electric Reliability Corp. (NERC) Standards
– Monitoring / Visibility
– Access Control
– Differentiated Access
– Reputation
• Title 21 of the Code of Federal Regulations (21 CFR Part 11) – Electronic Records
– Differentiated Access
– Monitoring / Visibility
– Access Control
• Health Insurance Portability and Accountability Act (HIPAA)
– Access Control
– Differentiated Access
– Monitoring / Visibility
Cyber Security Motivation – Government Guidelines
• DoD Information Assurance Certification and Accreditation Process (DIACAP)
– Being replaced by the DoD Risk Management Framework (DoDI 8510.01, March 2014)
• National Institute of Standards and Technology (NIST)
– Advance … standards and technology in ways that enhance economic security
– Federal Information Processing Standards (FIPS)
• FIPS 140 = security requirements for cryptographic modules
• National Information Assurance Partnership (NIAP)
– NIST + NSA
– Runs the U.S. Common Criteria evaluation scheme and publishes the Protection Profiles that products are evaluated against
Cyber Security Motivation – International Standards
• Common Criteria (ISO/IEC 15408)
– Target of Evaluation (TOE) – the product or system under evaluation
– Protection Profile (PP) – implementation-independent security requirements for a class of products (e.g. firewalls)
– Security Target (ST) – the security properties claimed for a specific TOE
• May claim conformance to one or more Protection Profiles
– Security Functional Requirements (SFRs) – the individual security functions a product must provide
A Network is a Busy Place
• How do you know what to look for?
• How do you know where to look?
• How do you know what is good or bad?
• How do you know an event has occurred?
• How do you know the event is over?
The Threat Landscape Evolution
Figure: threats and responses over time
– 2000: worms; response – host-based anti-virus
– 2005: spyware / rootkits; response – network perimeter (IDS/IPS)
– 2010: APTs / cyberwarfare; response – global reputation & sandboxing
– Today: increased attack surface (mobility & cloud); response – intelligence & analytics
Threat Intelligence
• Attacks are targeting significant resources across the entire Internet
• Malicious actors are using untrusted applications to exploit gaps
• Penetrations may go undetected for long periods
– Advanced Persistent Threats (APTs)
– Mean Time to Know (MTTK) – the elapsed time from the initial compromise to its detection
Think Outside the Box
• Advanced threats (APTs) take skilled analysts to detect, not just tools
• Security was, is and will be a process that never ends
• Attack continuum – Before, During, After
• Perimeter security devices are not obsolete, they are just the first line of defense
• Use behavior-based detection tools (e.g. Cyber Threat Defense, Sourcefire AMP) for botnet detection
Attack Chain
• Survey – obtain a full picture of an environment: network, endpoint, mobile and virtual, including the technologies deployed to secure it
• Write – create targeted, context-aware malware
• Test – ensure the malware works as intended, specifically that it evades the security tools in place
• Execute – navigate through the extended network, staying environmentally aware, evading detection and moving laterally until reaching the target
• Accomplish the Mission – gather data, create disruption or cause destruction
Us vs. Them
• How an attacker thinks – the Intrusion Kill Chain
– Courtesy of DoD and Lockheed Martin
– Recon → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions
• Defense in depth across a time spectrum
– Threat counter-measures: Protect, Detect, Survive, React
– Laid across the attack continuum: BEFORE / DURING / AFTER
The Modern Security Model
• Attack Continuum, across Network, Endpoint, Mobile, Virtual and Cloud
– BEFORE: Control, Enforce, Harden
– DURING: Detect, Block, Defend
– AFTER: Scope, Contain, Remediate
• Moving from point-in-time to continuous protection
Repeat As Needed
Continuous Monitoring and Risk Management (Risk Management Framework, NIST SP 800-37)
• Step 1 – Categorize Information System
• Step 2 – Select Security Controls
• Step 3 – Implement Security Controls
• Step 4 – Assess Security Controls
• Step 5 – Authorize Information System
• Step 6 – Monitor Security Controls
• Architecture Description inputs
– Architecture Reference Models
– Segment and Solution Architectures
– Mission and Business Processes
– Information System Boundaries
• Organization Inputs
– Laws, Directives, Policy Guidance
– Strategic Goals and Objectives
– Priorities and Resource Availability
– Supply Chain Considerations
Continuous Monitoring Functional Areas
Continuous Monitoring Tools and Capabilities (DHS Continuous Diagnostics and Mitigation)
1. Hardware Asset Management
2. Software Asset Management
3. Configuration Management
4. Vulnerability Management
5. Manage Network Access Controls
6. Manage Trust in People Granted Access
7. Manage Security-Related Behavior
8. Manage Credentials and Authentication
9. Manage Account Access
10. Prepare for Contingencies and Incidents
11. Respond to Contingencies and Incidents
12. Design and Build in Requirements, Policy and Planning
13. Design and Build in Quality
14. Manage Audit Information
15. Manage Operational Security
CMaaS (Continuous Monitoring as a Service) – additional functional areas
Monitoring the Monitors
• Control access
– Know who and what gets in
– Apply levels of security controls
• Examine what roams around
– Observe from many points in the network
• Be able to react
– Keep a history of network actions
– Multiple data sources help with validation
• Have a sixth sense
– Add metrics such as ‘reputation’
Sources of Issues
• Network security is responsible for
– User access to the network
– Applications that may access the network
• A compromise can involve
– A local or network application
– Data used within an application or stored locally
– A remote site that was accessed
• Sensitive data exfiltration
Indicators of Compromise
Where indicators come from:
• Raw flow analysis
• Log analysis (SIEM)
• IDS alerts
• Outside notification
• Behavioral analysis
• Activity monitoring
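Pulling the sources listed above into one correlation is where a SIEM earns its keep: a single IDS alert is noise, but a host that moves through several phases of the Intrusion Kill Chain (the Lockheed Martin model from the “Us vs. Them” slide) is an incident. The following Python is an added example, not code from the deck or from any Cisco product; the event format, the hosts, the category names and the category-to-phase mapping are all constructed for illustration.

```python
"""Kill-chain correlation over events from several sources (added example).

Event lines are a constructed, pipe-separated format:
    timestamp|source|host|category|detail
The PHASE_RULES mapping is an assumption; a real SIEM keys on vendor
signature IDs or event classes rather than these category names.
"""
from collections import defaultdict

# Intrusion Kill Chain phases in order (Hutchins, Cloppert, Amin / Lockheed Martin)
KILL_CHAIN = ["recon", "weaponization", "delivery", "exploitation",
              "installation", "c2", "actions"]

# (source, category) -> kill-chain phase.  Constructed for this example.
PHASE_RULES = {
    ("ids", "scan"): "recon",
    ("ids", "exploit"): "exploitation",
    ("email", "malicious_attachment"): "delivery",
    ("web", "malicious_download"): "delivery",
    ("amp", "quarantine"): "installation",
    ("flow", "beacon"): "c2",
    ("flow", "large_upload"): "actions",
    ("siem", "new_admin_account"): "actions",
}

# Constructed sample events from an IDS, email/web gateways, an endpoint agent
# and a NetFlow analyzer.  10.1.1.5 walks most of the chain; 10.1.1.9 is only
# scanned; 10.1.1.22 downloads something bad and starts beaconing.
SAMPLE_EVENTS = """\
2014-05-19T08:00:12|ids|10.1.1.5|scan|ET SCAN Nmap TCP
2014-05-19T08:03:40|email|10.1.1.5|malicious_attachment|invoice.pdf.exe
2014-05-19T08:05:02|amp|10.1.1.5|quarantine|W32.Dropper (quarantine failed)
2014-05-19T08:09:55|flow|10.1.1.5|beacon|203.0.113.7:443 every 60s
2014-05-19T09:30:00|flow|10.1.1.5|large_upload|48 MB to 203.0.113.7
2014-05-19T08:01:00|ids|10.1.1.9|scan|ET SCAN Nmap TCP
2014-05-19T08:20:00|web|10.1.1.22|malicious_download|setup.exe from bad.example
2014-05-19T08:21:00|flow|10.1.1.22|beacon|198.51.100.4:8080 every 300s
2014-05-19T08:22:00|debug|10.1.1.22|noise|unmapped source, ignored
"""


def parse_event(line):
    """Split one constructed event line into its five fields."""
    ts, source, host, category, detail = line.split("|", 4)
    return {"ts": ts, "source": source, "host": host,
            "category": category, "detail": detail}


def phases_by_host(text):
    """Map each host to the set of kill-chain phases its events land in.
    Events whose (source, category) has no rule are dropped as noise."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        phase = PHASE_RULES.get((ev["source"], ev["category"]))
        if phase is not None:
            seen[ev["host"]].add(phase)
    return dict(seen)


def furthest_phase(phases):
    """The phase furthest along the chain that a host has reached."""
    return max(phases, key=KILL_CHAIN.index)


def triage(text, min_phases=2):
    """Rank hosts worth an analyst's time.

    A host is reported when it shows activity in at least `min_phases`
    distinct phases, or any C2 / actions-on-objectives evidence at all.
    Output rows: (host, furthest phase, phases in chain order), most
    advanced first so the post-exploitation cases are at the top.
    """
    rows = []
    for host, phases in phases_by_host(text).items():
        far = furthest_phase(phases)
        if len(phases) < min_phases and far not in ("c2", "actions"):
            continue
        rows.append((host, far, sorted(phases, key=KILL_CHAIN.index)))
    rows.sort(key=lambda r: (-KILL_CHAIN.index(r[1]), -len(r[2]), r[0]))
    return rows


if __name__ == "__main__":
    for host, far, phases in triage(SAMPLE_EVENTS):
        print(f"{host:12} furthest={far:12} phases={phases}")
```

The ordering matters operationally: a host with C2 or exfiltration evidence goes to the top even if only one earlier phase was observed, because by then the “before” and “during” controls have already been bypassed and the remaining question is scope and containment.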
Visibility Reduces Exposure
• A typical crisis begins without warning
• Network visibility allows reaction before compromise
• Insight increases security posture
Figure: impact to the business ($) over time
– Crisis region (no visibility): attack onset → credit card data compromised → attack identified → vulnerability closed
– Insight region (with visibility): early warning → attack identified → vulnerability closed → attack thwarted
– MTTK is the gap between attack onset and attack identified; visibility shrinks it
Common Cyber Security Themes
Mapping Technologies to the Security Model
Attack Continuum
• BEFORE – Control, Enforce, Harden: Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM / NAC
• DURING – Detect, Block, Defend: IPS, Anti-Virus, Email/Web
• AFTER – Scope, Contain, Remediate: IDS, FPC (full packet capture), Forensics, AMP, Log Mgmt, SIEM
• Visibility and Context span all three phases
Host-Based Intrusion Prevention
Overall Cyber Security
• An effective cyber security solution is implemented at many layers
– Host
• Anti-virus / anti-malware
• Training and education
– Network
• Firewall / Next-generation firewall
• IPS / IDS
• Web / URL / Reputation filtering
• Identity tracking
• Differentiated / role-based network access
• Visibility and monitoring
• Training and education
What Defines Success?
Defense in Depth
• Network security is like an Ogre – it has layers
• Information Assurance (the five pillars)
– Availability
– Integrity
– Authentication
– Confidentiality
– Non-Repudiation
• The application of these services should be based on
– Protect – Before – Trust
– Detect – During – Insight
– React – After – Resiliency
Source: NSA Systems and Network Attack Center (SNAC)
Cyber Trust
• Assumption – nothing in the cyber world can or should be trusted
• Two forms of trust erosion
– Decline in customer product confidence
– Malicious actors are defeating trust mechanisms
• Recommendations
– Examine security models holistically
– Gain visibility across the entire attack continuum
• Before
• During
• After
Network Log Tools
• Log collection can quickly become overwhelming
• Configuration validation is also key to overall network security
• There are a variety of network log and config collection tools available
• Need a tool that parses all the available data for specific events and anomalies
Network Log Collection
• Device logs
– Windows, Apple, Linux
– ASA, Router, IPS, Switch, ISE, etc.
• Cisco Security Suite for Splunk
– Log collection from ASA, WSA, ESA and IPS
– Flexible and scalable security investigations
– Real-time forensics operationalized
– Data is more meaningful to more users
– Metrics and operational visibility
– Real-time correlation and alerting
Network Log Analysis
• Graphical interface simplifies the investigative process
NetFlow Tracks Conversations
• NetFlow was introduced on Cisco routers
– Now possible on multiple platforms and from multiple vendors (IPFIX is the IETF standardization of NetFlow v9)
• Network devices export NetFlow records
• NetFlow collectors receive, store and analyze the records
• Each network layer offers unique NetFlow capabilities
Figure: NetFlow-capable platforms by layer
– Access: Catalyst® 3560/3750-X, Catalyst® 3850, Catalyst® 4500
– Distribution & Core: Catalyst® 4500, Catalyst® 6500
– Edge: ASA, ISR, ASR
NetFlow Collection Duties
• Flow stitching
– Rebuild the complete conversation from unidirectional records
– Exporters emit one record per direction, rarely in sequence, so client→server and server→client must be matched by their 5-tuples
• Flow de-duplication
– Two network devices on the path see the same packet stream and both export it
– Remove the apparent duplicate flows so byte and packet counts are not doubled
Figure: conversations 10.2.2.2 port 1024 ↔ 10.1.1.1 port 80 and 20.2.2.2 port 1024 ↔ 20.1.1.1 port 80 crossing interfaces gig 0/1 and gig 0/2 of the exporting devices
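The two collection duties above, as an added Python example that is not from the deck or from any collector product. The records are constructed NetFlow-style unidirectional flows as two routers on the same path (R1 and R2) would export them; the de-duplication window and the rule for picking the conversation’s client side are assumptions stated in the comments.

```python
"""Flow de-duplication and flow stitching for NetFlow-style records (added example).

Records are unidirectional, one per direction per exporter, so a single TCP
conversation crossing two exporting routers arrives as four records.
"""
from collections import defaultdict, namedtuple

# Fields a NetFlow v5/v9 record carries that matter here.  Times are seconds.
Flow = namedtuple("Flow", "exporter src sport dst dport proto pkts bytes start end")
Conversation = namedtuple(
    "Conversation",
    "client cport server sport proto c2s_bytes s2c_bytes start end complete")

# Constructed sample export: the HTTP conversation from the slide as seen by two
# routers (R1 and R2) on the same path, plus an unanswered SSH SYN seen on R1 only.
SAMPLE_FLOWS = [
    Flow("R1", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 5, 600, 100.0, 101.5),
    Flow("R1", "10.1.1.1", 80, "10.2.2.2", 1024, 6, 4, 3200, 100.1, 101.6),
    Flow("R2", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 5, 600, 100.0, 101.5),
    Flow("R2", "10.1.1.1", 80, "10.2.2.2", 1024, 6, 4, 3200, 100.1, 101.6),
    Flow("R1", "10.3.3.3", 4444, "10.1.1.1", 22, 6, 3, 180, 200.0, 200.2),
]


def _tuple5(f):
    return (f.src, f.sport, f.dst, f.dport, f.proto)


def dedup(flows, window=1.0):
    """Collapse records with the same unidirectional 5-tuple whose start times
    fall within `window` seconds of each other, whichever exporter sent them.
    The record with the larger byte count wins: an exporter can miss packets
    (sampling, drops) but never sees more than were sent.  Quadratic scan,
    fine for a demo; a collector would bucket by 5-tuple and time instead."""
    kept = []
    for f in sorted(flows, key=lambda f: (f.start, f.exporter)):
        for i, k in enumerate(kept):
            if _tuple5(k) == _tuple5(f) and abs(k.start - f.start) <= window:
                if f.bytes > k.bytes:
                    kept[i] = f
                break
        else:
            kept.append(f)
    return kept


def stitch(flows):
    """Pair the two directions of each conversation into one record.

    Assumption for picking the client: the direction whose record starts
    first; on an exact tie the side with the higher (ephemeral) port.
    A conversation with no reverse record is marked complete=False, which is
    what a blocked or scanned port looks like in flow data."""
    groups = defaultdict(list)
    for f in dedup(flows):
        a, b = (f.src, f.sport), (f.dst, f.dport)
        groups[(min(a, b), max(a, b), f.proto)].append(f)

    convs = []
    for (_, _, proto), recs in groups.items():
        recs.sort(key=lambda r: (r.start, -r.sport))
        first = recs[0]
        fwd = [r for r in recs if (r.src, r.sport) == (first.src, first.sport)]
        rev = [r for r in recs if (r.src, r.sport) != (first.src, first.sport)]
        convs.append(Conversation(
            client=first.src, cport=first.sport,
            server=first.dst, sport=first.dport, proto=proto,
            c2s_bytes=sum(r.bytes for r in fwd),
            s2c_bytes=sum(r.bytes for r in rev),
            start=min(r.start for r in recs), end=max(r.end for r in recs),
            complete=bool(rev)))
    convs.sort(key=lambda c: c.start)
    return convs


if __name__ == "__main__":
    print(f"{len(SAMPLE_FLOWS)} records -> {len(dedup(SAMPLE_FLOWS))} after de-duplication")
    for c in stitch(SAMPLE_FLOWS):
        print(c)
```

Without the de-duplication step the HTTP conversation would report twice the bytes it actually carried, which is exactly the kind of error that turns a “large upload” detection into a false positive; the half-open SSH record is kept rather than dropped because one-sided flows are themselves an indicator (scans, blocked connections).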
Security Information and Event Management
• Forensics and Instrumentation
– Aggregate logs from many sources
• Routers
• Firewalls
• IDS/IPS
• Servers (DNS, SMTP, WWW, Fileserver)
• Applications
• Databases
• Antivirus
• Host-based intrusion detection
– Correlation across sources gives a “better picture” than any single log
SIEM Ecosystem
• Cisco has created a SIEM ecosystem
– Seven different security vendors
– Correlate network and security events
– Integrate with Cisco ISE for network identity
• Increased effectiveness of SIEM and threat defense deployments
• Decreased time to detect, assess, and respond to security events
• Complete user/device visibility and control
Solution Concepts for Cyber Security
• Trust – Identify and Manage (BEFORE)
• Insight – Protect and Defend (DURING)
• Resilience – Respond and Recover (AFTER)
• Intelligence – Plan and Prepare (spans the continuum)
Figure: the four concepts laid over the attack continuum (Network, Endpoint, Mobile, Virtual, Cloud; point in time → continuous)
Cisco Cyber Solutions
Cyber Product vs. Cyber Architecture – Point Products
• Security product created as an afterthought
• Integration with various network components often not considered
• Custom solutions do not play nice with others
• Very expensive to maintain
Figure: three disconnected “Cyber Security Widgets”
Cyber Product vs. Cyber Architecture – Integrated Network Security
• Security products designed to work with each other and with network components
• Enhanced visibility with identity and reputation
• Overlapping functionality provides an enhanced security posture
Mapping Technologies – Reminder
• Same BEFORE / DURING / AFTER mapping of technologies to the attack continuum as in “Mapping Technologies to the Security Model” above, repeated as a lead-in to the Cisco product mapping
Cisco Security Architecture
Attack Continuum
• Visibility and Context: SIO (Cisco Security Intelligence Operations) and VRT (Sourcefire Vulnerability Research Team)
• BEFORE – Control, Enforce, Harden: ASA, NGFW, AnyConnect, CSM / Defense Center / Prime, CTD / Lancope, ISE
• DURING – Detect, Block, Defend: NG-IPS, WSA, ESA
• AFTER – Scope, Contain, Remediate: NG-IDS, NetFlow / FPC, CTD / Lancope, AMP, Log Mgmt, SIEM
Cisco Solutions for Cyber Security – Trust (BEFORE)
• Identity Services Engine
– Identity and Context
– Security Group Access
– 802.1AE MACsec Encryption
• ASA and NGFW
• Security Management
– Cisco Security Manager
– Defense Center
– Prime Infrastructure
• AnyConnect
• Cyber Threat Defense
Figure: Trust occupies the BEFORE quadrant of the attack continuum; Visibility & Context = Intelligence
Cisco Identity Services Engine – All-in-One Enterprise Policy Control
• Security policy attributes: Who, What, Where, When, How
– Who: Employee, Guest, Remote User
– What: VM Client, IP Device
– How: Wired, Wireless, VPN
• Identity + Context → business-relevant policies
• Replaces AAA & RADIUS, NAC, Guest Management and Device Identity servers
Cisco ISE – Security Group Access
• Traditional security policy: a wall of address-based access-list entries that grows with every host and port pair, e.g. (illustrative lines from the slide)
access-list 102 permit ip 178.97.113.59 255.255.255.255 gt 178 111.184.163.103 255.255.255.255 gt 959
access-list 102 deny ip 164.149.136.73 0.0.0.127 gt 1624 163.41.181.145 0.0.0.255 eq 810
… (the slide shows several hundred such lines)
• Security Group Access instead tags traffic with the role (Security Group Tag) ISE assigns at authentication and enforces a small role-to-role matrix
– Simplified access management
– Accelerated security operations
– Consistent policy anywhere
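Why the wall of ACEs above collapses into a short matrix once policy is expressed per role: the same rules compiled both ways. This is an added Python example, not from the deck or from ISE; the host inventory, role names and policy matrix are constructed, and the address-based output uses IOS extended ACL syntax only to make the count concrete.

```python
"""Address-based ACL versus role-based (Security Group) policy (added example).

Constructed inventory and policy.  In a TrustSec deployment the role (SGT) is
assigned by ISE when the endpoint authenticates; here it is a static dict.
"""

HOSTS = {
    "10.10.1.11": "employee", "10.10.1.12": "employee", "10.10.1.13": "employee",
    "10.10.2.21": "contractor", "10.10.2.22": "contractor",
    "10.20.1.10": "web", "10.20.1.11": "web",
    "10.30.1.10": "db",
}

# Role-to-role matrix: (source role, destination role) -> [(action, proto, port)]
# Anything not listed falls to the implicit deny.  Constructed for the example.
POLICY = {
    ("employee", "web"):   [("permit", "tcp", 80), ("permit", "tcp", 443)],
    ("contractor", "web"): [("permit", "tcp", 443)],
    ("web", "db"):         [("permit", "tcp", 3306)],
    ("employee", "db"):    [("deny", "ip", None)],
}


def hosts_in_role(hosts, role):
    return [ip for ip, r in hosts.items() if r == role]


def compile_ip_acl(hosts, policy):
    """Expand the matrix into one ACE per (source host, destination host, rule),
    which is what a traditional address-based ACL has to carry."""
    aces = []
    for (src_role, dst_role), rules in policy.items():
        for src in hosts_in_role(hosts, src_role):
            for dst in hosts_in_role(hosts, dst_role):
                for action, proto, port in rules:
                    port_clause = f" eq {port}" if port is not None else ""
                    aces.append(
                        f"access-list 102 {action} {proto} host {src} host {dst}{port_clause}")
    return aces


def compile_sgacl(policy):
    """The same policy as role-to-role entries.  Its size depends on the number
    of roles, not on the number of hosts carrying each role."""
    lines = []
    for (src_role, dst_role), rules in policy.items():
        for action, proto, port in rules:
            port_clause = f" dst eq {port}" if port is not None else ""
            lines.append(f"{src_role} -> {dst_role}: {action} {proto}{port_clause}")
    return lines


def rule_counts(hosts, policy):
    """(address-based ACE count, role-based entry count) for the same policy."""
    return len(compile_ip_acl(hosts, policy)), len(compile_sgacl(policy))


def add_host(hosts, ip, role):
    """Return a new inventory with one more host, e.g. a new employee laptop."""
    return {**hosts, ip: role}


if __name__ == "__main__":
    print("address-based ACEs / role-based entries:", rule_counts(HOSTS, POLICY))
    grown = add_host(HOSTS, "10.10.1.14", "employee")
    print("after adding one employee host:", rule_counts(grown, POLICY))
    for line in compile_sgacl(POLICY):
        print(line)
```

The address-based list grows with the product of the host counts in each role pair, so every new laptop touches the ACL on every enforcement point; the role-based list does not change at all when a host is added, which is the operational point of tagging at the access layer.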
Cisco ISE – MACsec Encryption
• Traffic can be encrypted per user, per hop (IEEE 802.1AE on each link)
• ISE can control the encryption policy (whether MACsec is required, optional or off for a session)
• Because each switch decrypts, inspects and re-encrypts hop by hop, traffic is still available for ‘additional policy’ throughout the network
Cisco ASA & NGFW
• Application Visibility and Control (AVC), Intrusion Prevention (IPS), and Web Security Essentials (WSE)
• End-to-End Network Intelligence
• Granular Application Control
• Proactive, Intelligent Threat Protection
• Many Devices, Total Control
Cisco/Sourcefire NGFW – Better Together
• Includes the world’s most powerful NGIPS
• Granular application control
• Advanced firewall functionality in a flexible, high-performance security appliance
• Optional Advanced Malware Protection license
Comparison (ratings as shown on the slide, for Cisco / Sourcefire / typical NGFW):
– NSS NGFW Security Value Map, Gartner IPS MQ: Superior; Available
– Reputation-based proactive protection: Superior; Available; Not available
– Intelligent security automation: Superior; Not available
– File reputation, file trajectory, retrospective alerts: Superior; Partial
– Application Visibility & Control: Available; Superior; Available
– Acceptable use / URL filtering: Superior; Available; Available
– Remote access VPN: Superior; Not enterprise-grade
– Stateful firewall, HA: Superior; Available; Available
Security Management – Cisco Security Manager
• Manage Cisco security devices and functionality
• Security Operations Dashboard
• Policy and Object Management
• Event and Image Management
• Reporting and Troubleshooting
• Health and Performance Monitoring
Security Management – Prime Security Manager
• Greater visibility and control
• Enhanced threat response and mitigation
• Unified management for core ASA firewall and NGFW services
• Straightforward migration to ASA 5500-X NGFW
Figure (Visibility & Control workflow): Dashboard → navigate down to events → map events to policies → view event details
Security Management – Defense Center
• Centrally manage Cisco/Sourcefire IPS appliances and virtual devices
• Analyze events
• Automate threat prevention updates
• Configure policies
• Generate reports and custom dashboards
Cisco Solutions for Cyber Security – Insight (DURING)
• Cisco Next-Generation Intrusion Prevention System
• Content Security
– WSA (Web Security Appliance)
– ESA (Email Security Appliance)
• IOS Security
– Botnet filter
Figure: Insight occupies the DURING quadrant of the attack continuum; Visibility & Context = Intelligence
Cisco/Sourcefire NG-IPS
Categories | Examples | Cisco/Sourcefire NGIPS | Typical IPS
Threats | Attacks, Anomalies | ✔ | ✔
Users | AD, LDAP, POP3 | ✔ |
Web Apps and App Protocols | Facebook, Ebay, HTTP, SSH | ✔ |
File Transfers | PDF, Office, EXE, JAR | ✔ |
Malware and Command & Control | Conficker, Flame, C&C Intelligence | ✔ |
Client Applications | Firefox, IE6, BitTorrent | ✔ |
Operating Systems and Servers | Windows, Linux, Apache, IIS4 | ✔ |
Mobile Devices | iPhone, Android, Jail-Broken | ✔ |
Printers | HP, Xerox, Canon | ✔ |
VoIP Phones | Cisco, Avaya, Polycom | ✔ |
Virtual Machines | VMware, Xen, RHEV | ✔ |
Cisco Solutions for Cyber Security – Resilience (AFTER)
• NetFlow / CTD
• AMP
• NGIDS
• Log Management
• SIEM
Figure: Resilience occupies the AFTER quadrant of the attack continuum; Visibility & Context = Intelligence
Cyber Threat Defense Architecture
• Flow Sensor (FS) – generates NetFlow where the network devices cannot; also available as a virtual edition (VE)
• Flow Replicator (FR) – receives NetFlow once and forwards copies to several consumers
• Flow Collector (FC) – collects, de-duplicates and analyzes the flow records
• Management Console (SMC, StealthWatch Management Console) – central analysis and reporting
Figure: NetFlow from the network devices and Flow Sensors goes through the Flow Replicator to the Flow Collectors and on to the SMC; the replicator can also feed another NetFlow collector such as a SIEM
Cyber Threat Defense Visibility
• Visibility and Security Intelligence
• Advanced Targeted Threats
• Performance Bottlenecks
• Compliance Validation
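What an “advanced targeted threat” usually looks like in flow data is beaconing: a compromised host calling the same external address at a steady interval. The following Python is an added example of that detection on NetFlow-derived data; it is not from the deck or from Cyber Threat Defense / Lancope, and the connection list, the minimum connection count and the jitter threshold are constructed assumptions.

```python
"""Beacon detection over NetFlow-derived connection starts (added example).

Input: (src, dst, dport, start_seconds) per connection, i.e. the stitched
conversations a collector produces.  A pattern is flagged when one host
contacts one destination/port many times at a steady interval.
"""
import statistics
from collections import defaultdict

# Constructed sample: 10.1.1.5 polls 203.0.113.7:443 about every 60 s with a
# little jitter; 10.1.1.9 browses an internal web server irregularly; 10.1.1.5
# also hits an update server hourly but only three times, too few to judge.
SAMPLE_CONNECTIONS = (
    [("10.1.1.5", "203.0.113.7", 443, t)
     for t in (0, 61, 119, 181, 240, 299, 361, 420, 480, 541)]
    + [("10.1.1.9", "10.20.1.10", 80, t)
       for t in (5, 12, 90, 91, 400, 1000, 1003, 2000)]
    + [("10.1.1.5", "10.20.5.5", 443, t) for t in (0, 3600, 7200)]
)


def interval_stats(starts):
    """Mean, population std-dev and median of the gaps between sorted starts."""
    starts = sorted(starts)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return statistics.mean(gaps), statistics.pstdev(gaps), statistics.median(gaps)


def detect_beacons(connections, min_connections=6, max_cv=0.10):
    """Return (src, dst, dport, median_interval) for every (src, dst, dport)
    seen at least `min_connections` times whose inter-connection gaps have a
    coefficient of variation (std-dev / mean) of at most `max_cv`.
    Thresholds are assumptions; tune them on your own baseline traffic."""
    by_key = defaultdict(list)
    for src, dst, dport, start in connections:
        by_key[(src, dst, dport)].append(start)

    hits = []
    for key, starts in by_key.items():
        if len(starts) < min_connections:
            continue
        mean, sd, median = interval_stats(starts)
        if mean <= 0:
            continue  # all at the same instant: a burst, not a beacon
        if sd / mean <= max_cv:
            hits.append((*key, round(median, 1)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, dport, interval in detect_beacons(SAMPLE_CONNECTIONS):
        print(f"{src} -> {dst}:{dport} every ~{interval}s")
```

Lowering `min_connections` to 3 also flags the hourly update check, which is perfectly regular: this is the tuning problem in practice, and the usual fix is to add destination reputation or an allow-list of known update and monitoring endpoints rather than to loosen the jitter bound.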
Advanced Malware Protection (AMP) – Retrospective Security
• Comprehensive
– Network and Endpoint
• Continuous Analysis
– File and Device Trajectory
• Integrated Response
• Big Data Analytics
• Control & Remediation
Cisco Solutions for Cyber Security – Intelligence
• Cisco Security Intelligence Operations (SIO)
– Cisco SensorBase
– Cisco Threat Operations Center
– Dynamic updates
• Sourcefire Vulnerability Research Team (VRT)
Figure: Intelligence (Visibility & Context) spans the Trust / Insight / Resilience quadrants of the attack continuum
SIO – Defend With Intelligence
Figure: Cisco Security Intelligence Operations inputs and outputs
– Inputs: threat research, domain registration data, content inspection, spam traps, honeypots, crawlers, blocklists & reputation, 3rd-party partnerships
– Outputs: reputation and signatures, plus platform-specific rules & logic pushed to the products
Global Context – Data Makes a Difference
• Global threat telemetry from customer deployments (e.g. a bank branch in Chicago, an ISP datacenter in Moscow, an ad agency HQ in London) flows into Cisco SensorBase
• The Threat Operations Center and advanced algorithms turn it into protection for everyone
• Example timeline
– 8:00 GMT Email Security detects a compromised server
– 8:03 GMT IPS detects a hacker probing
– 8:07 GMT Web Security detects a new botnet
– 8:10 GMT All Cisco customers protected
Cisco Vulnerability Research Team (VRT)
• Comprehensive
• Continuous Analysis
• Integrated Response
• Big Data Analytics
• Control & Remediation
Figure: VRT inputs and outputs
– Inputs: private & public threat feeds, advanced Microsoft & industry disclosures, Snort® & ClamAV™ open source communities, honeypots, sandnets, the SPARK program, the Sourcefire AEGIS™ program, FireAMP™ community file samples (>180,000 per day)
– Processing: sandboxing, machine learning, big data infrastructure
– Outputs: IPS rules, malware protection, reputation feeds, vulnerability database updates
Continuous Monitoring Cisco Solutions
• Continuous monitoring tool areas (the 15 DHS CDM functional areas listed earlier: HW/SW asset management, configuration management, vulnerability management, network access controls, trust in people granted access, security-related behavior, credentials/authentication, account access, contingency/incident preparation and response, requirements/policy/planning, quality, audit information, operational security)
• CMaaS – additional functional areas: Cisco Advanced Services, TAC, SmartNet
Cyber Futures - pxGrid
Platform Exchange Grid – pxGrid
• Every platform holds context another platform needs, and each integration has been built pairwise
– I have firewall logs! I need identity…
– I have threat data! I need reputation…
– I have sec events! I need reputation…
– I have NetFlow! I need entitlement…
– SIO: I have reputation info! I need threat data…
– I have NBAR info! I need identity…
– I have location! I need identity…
– I have MDM info! I need location…
– I have app inventory info! I need posture…
– I have identity & device-type! I need app inventory & vulnerability…
– I have application info! I need location & auth-group…
• That didn’t work so well!
The Potential of Network-Wide Context Sharing
• The same platforms and the same “I have… / I need…” pairs as on the previous slide, now exchanging context through pxGrid
• pxGrid context sharing
– Single framework
– Direct, secured interfaces
pxGrid Benefits and Availability
BENEFITS
• Single framework – develop once
• Customize and secure what context gets shared and with which platforms
• Bi-directional – share and consume context
• Enables any pxGrid partner to share with any other pxGrid partner
• Integrates with Cisco ONE for broad network control functions
AVAILABILITY
• First instantiation is on ISE
• Available now for adoption by ISE integration partners
• pxGrid partner integrations delivered for customer use in 1Q14
• Pursuing options for industry standardization in CY14
Fully Integrated, Pervasive Security Architecture
• Use NetFlow data to extend visibility to the access layer
• Enrich flow data with identity, events and application to create context
• Intelligent sharing of pertinent security information and events
Figure: ISE (centralized policy and visibility; RADIUS; Who / What / Where / When / How) shares context over pxGrid with Lancope NetFlow analysis and NG-IPS; Security Tags carry policy control from the access layer through the core to the data center / cloud and the external network
Review
• The Cyber Security Landscape
• Common Cyber Security Themes
• Cisco Cyber Solutions
• Cyber Futures
Participate in the “My Favorite Speaker” Contest
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
– Your favorite speaker’s Twitter handle: @NeilLovering
– Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Promote Your Favorite Speaker and You Could be a Winner
Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
Backup Slides
Indicators of Compromise – By Type (2013)
• Java was the dominant concern
• Where practical, disable Java in browsers
• Telemetry tools like Cisco NetFlow can monitor Java-associated traffic
• Comprehensive patch management can close many security holes
• Continuous monitoring can track infections that spread later
Source: Cisco FireAMP
Cumulative Annual Alert Totals – 2010-2013
• 2013 showed a 14% increase over 2012
• 2013 levels were the highest since IntelliShield began recording in 2000
Source: Cisco IntelliShield
Comprehensive Network Security
Figure: cloud-based threat intelligence & defense with common policy, management & context across
– Connect: branch, campus, cellular, Internet
– Commercial / SMB / branch and campus edge
– SP core / edge (ASR, CSR) and SP cloud (SP-1, SP-2)
– Data center / virtualization (UCS) with global orchestration
– SaaS and a cloud security gateway
Application Centric Infrastructure
Figure: ACI fabric (non-blocking, penalty-free overlay) with an application profile – Outside (tenant VRF) → Web → App → DB tiers – whose QoS, filter and service policies are pushed by the Application Policy Infrastructure Controller (APIC)