
Page 1: Gain Full Visibility and Security Across Your Network

Cisco Confidential © 2017 Cisco and/or its affiliates. All rights reserved. 1

Gain Full Visibility and Security Across Your Network
Candice Griswold, Security Account Manager NVE-AJC

May 2017

Page 2

Enterprise Network Security Trends

(Chart: Complexity of attacks rising, Capabilities flat, with the security gap between them.)

1M new devices will go online every hour by 2020
Attacks take 100 days to resolve on average
76% of IT professionals say a lack of visibility is their biggest challenge in addressing network threats
Malicious breaches take 80 days to discover
The average total cost of a single data breach is $4M

The complexity of attacks is increasing but our capabilities are not, which leaves a security gap between the two.

We need to close that gap by providing better visibility into network threats.

Page 3

Challenges

I want to know what is going on with my network at all times, across all applications, users, and devices.

I want to defend my network against increasingly complex and persistent network threats, now and in the future.

I want a single solution that streamlines my organization's response to and containment of threats.

Page 4

All Threats Are Insider Threats

With lateral movement of advanced persistent threats, even external attacks eventually become internal threats.

95% of all cybercrime is user-triggered by disguised malicious links
One out of four breaches is caused by malicious insiders
Two out of three breaches exploit weak or stolen passwords

Page 5

Enterprise Network Security Should Provide…

Intelligent real-time protection against known and unknown threats
Detailed network traffic visibility for threat detection
Unified security that reduces risk and complexity

Page 6

Cisco Enterprise Network Security

Network as an Enforcer: Consistent threat protection and remediation across the network
Network as a Sensor: Visibility and analytics across the extended enterprise, industry-leading threat intelligence
Threat Mitigation: Security embedded into hardware and software by design

Secure your digital network in real-time, all the time, everywhere

Page 7

Cisco Network as a Sensor (NaaS)

Detect Anomalous Traffic Flows, Malware

Identify User Access Policy Violations

Obtain Broad Visibility into All Network Traffic

Page 8

See and detect more in your network with Stealthwatch

Monitor | Detect | Analyze | Respond

• Obtain comprehensive, scalable enterprise visibility and security context
• Gain real-time situational awareness of traffic
• Detect and analyze network behavior anomalies
• Easily detect behaviors linked to advanced persistent threats (APTs), insider threats, distributed denial-of-service (DDoS) attacks, and malware
• Collect and analyze holistic network audit trails
• Achieve faster root cause analysis
• Conduct thorough forensic investigations
• Accelerate network troubleshooting and threat mitigation
• Respond quickly to threats
• Continuously improve enterprise security posture

Page 9

Behavioral and Anomaly Detection: Behavioral Algorithms Are Applied to Build "Security Events"

FLOWS → COLLECT AND ANALYZE FLOWS → SECURITY EVENTS (94+) → ALARM CATEGORY → RESPONSE

Security events (94+):
Addr_Scan/tcp
Addr_Scan/udp
Bad_Flag_ACK**
Beaconing Host
Bot Command Control Server
Bot Infected Host - Attempted
Bot Infected Host - Successful
Flow_Denied
...
ICMP Flood
...
Max Flows Initiated
Max Flows Served
...
Suspect Long Flow
Suspect UDP Activity
SYN Flood
...

Alarm categories: Concern, Exfiltration, C&C, Recon, Data Hoarding, Exploitation, DDoS Target

Responses: Alarm Table, Host Snapshot, Email, Syslog / SIEM, Mitigation
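The pipeline on this slide, flows in, behavioral rules applied, security events out, each tagged with its alarm category, as an added example in Python. This is not Stealthwatch code: the thresholds, the 10.0.0.0/8 "inside" range, and the flow records are constructed for illustration, and only four of the 94+ events (Addr_Scan, SYN Flood, Beaconing Host, Suspect Long Flow) are modelled, using the event and category names listed above.

```python
"""Flow-based behavioral detection: NetFlow-style records in, security events with
alarm categories out. Added example, not Stealthwatch code; everything is constructed."""
from collections import defaultdict, namedtuple

# One flow record: start time (s), endpoints, protocol, destination port,
# TCP flags seen ("S" = SYN only), bytes from src to dst, duration (s).
Flow = namedtuple("Flow", "start src dst proto dport flags bytes_out duration")

# Assumed thresholds for the example, not Stealthwatch's tuned values.
SCAN_MIN_HOSTS = 20       # distinct destinations on one port from one source
SYN_FLOOD_MIN = 200       # SYN-only flows converging on one target
BEACON_MIN_COUNT = 8      # near-periodic connections to one outside host
BEACON_JITTER = 2         # seconds of interval variation tolerated
LONG_FLOW_SECS = 3600     # a single flow this long is "long"
LONG_FLOW_BYTES = 50_000_000

# Security event -> alarm category, names as on the slide.
ALARM_CATEGORY = {
    "Addr_Scan/tcp": "Recon",
    "Addr_Scan/udp": "Recon",
    "SYN Flood": "DDoS Target",
    "Beaconing Host": "C&C",
    "Suspect Long Flow": "Exfiltration",
}

def is_internal(ip):
    """Assumed inside address space for the example: 10.0.0.0/8."""
    return ip.startswith("10.")

def _event(name, host, detail):
    return {"event": name, "host": host, "category": ALARM_CATEGORY[name], "detail": detail}

def detect_addr_scan(flows):
    """One source touching many destinations on the same protocol/port."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto in ("tcp", "udp"):
            targets[(f.src, f.proto, f.dport)].add(f.dst)
    return [_event(f"Addr_Scan/{proto}", src, f"{len(dsts)} hosts on {proto}/{port}")
            for (src, proto, port), dsts in targets.items() if len(dsts) >= SCAN_MIN_HOSTS]

def detect_syn_flood(flows):
    """Many SYN-only (never completed) TCP flows aimed at one target."""
    syns = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            syns[f.dst] += 1
    return [_event("SYN Flood", dst, f"{n} half-open connections")
            for dst, n in syns.items() if n >= SYN_FLOOD_MIN]

def detect_beaconing(flows):
    """Near-periodic connections from an inside host to one outside host."""
    series = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            series[(f.src, f.dst)].append(f.start)
    events = []
    for (src, dst), starts in series.items():
        if len(starts) < BEACON_MIN_COUNT:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if max(gaps) - min(gaps) <= BEACON_JITTER:
            events.append(_event("Beaconing Host", src,
                                 f"{len(starts)} connections to {dst}, ~{min(gaps)}s apart"))
    return events

def detect_long_flow(flows):
    """A single long-lived or very large outbound flow."""
    return [_event("Suspect Long Flow", f.src, f"{f.bytes_out} bytes to {f.dst} over {f.duration}s")
            for f in flows if is_internal(f.src) and not is_internal(f.dst)
            and (f.duration >= LONG_FLOW_SECS or f.bytes_out >= LONG_FLOW_BYTES)]

def detect(flows):
    """Run every behavioral rule; each hit is a security event with its alarm category."""
    events = []
    for rule in (detect_addr_scan, detect_syn_flood, detect_beaconing, detect_long_flow):
        events.extend(rule(flows))
    return events

def build_sample_flows():
    """Constructed flows: one benign, a scanner, a SYN-flooded server, a beacon, an exfil."""
    flows = [Flow(500, "10.4.51.40", "10.4.70.10", "tcp", 80, "PA", 4000, 3)]
    for i in range(1, 26):   # 10.4.51.5 probes tcp/445 on 25 inside hosts
        flows.append(Flow(1000 + i, "10.4.51.5", f"10.4.60.{i}", "tcp", 445, "S", 60, 1))
    for i in range(250):     # 250 outside sources leave 10.4.70.10:80 half-open
        flows.append(Flow(2000 + i, f"198.51.100.{i + 1}", "10.4.70.10", "tcp", 80, "S", 60, 1))
    for k in range(10):      # 10.4.51.20 calls 203.0.113.77 every ~60 s
        flows.append(Flow(3000 + 60 * k + k % 2, "10.4.51.20", "203.0.113.77", "tcp", 443, "PA", 900, 1))
    flows.append(Flow(4000, "10.4.51.30", "203.0.113.90", "tcp", 22, "PA", 80_000_000, 7200))
    return flows

if __name__ == "__main__":
    for e in detect(build_sample_flows()):
        print(f"{e['category']:<12} {e['event']:<18} {e['host']:<15} {e['detail']}")
```

Each rule works on the same flow records a NetFlow exporter would supply, so the detection needs no agent on the endpoint; the scanner and the beacon are caught purely by the shape of their traffic, which is the "network as a sensor" point of the deck. Real deployments tune the thresholds per host group and feed the resulting events into the response paths listed above (alarm table, email, syslog/SIEM, mitigation).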

Page 10

NaaS use cases with Stealthwatch

Context-Aware Visibility
• Network, application, and user activity
• Monitor lateral movement using the network as a sensor

Threat Detection
• Advanced persistent threats
• Insider threat
• DDoS
• Data exfiltration

Incident Response
• In-depth, flow-based forensic analysis of suspicious incidents
• Scalable repository of security information

Network Planning & Diagnostics
• Network segmentation to profile application / device traffic
• Capacity planning
• Performance monitoring
• Application awareness

User Monitoring
• Cisco ISE
• Monitor privileged access
• Policy enforcement

Page 11

Customer Case Study - Network as a Sensor

Industry: Retail

Company: Large Known Global Retailer

Existing Environment:

• Large Cisco Switch & Router Footprint

• ASA & ISE

Customer Challenges:

• Limited visibility & intelligence across their highly-distributed retail footprint

• Lack of ability to correlate numerous data sets

Results (after deploying Cisco NetFlow, Stealthwatch and Cisco ISE):

• Retail point-of-presence visibility

• Deeper understanding of network application usage

Page 12

Analysis with Stealthwatch Provides

• Discovery
• Policy and segmentation
• Network behavior anomaly detection (NBAD)
• Identification of additional IOCs
• Better understanding of how to respond to an IOC
• Audit trail of all host-to-host communication
• Identifies business-critical applications and services across the network

Page 13

Cisco Network as an Enforcer (NaaE)

Implement Access Controls to Secure Resources

Contain the Scope of an Attack on the Network

Quarantine Threats, Reduce Time-to-Remediation

Page 14

Cisco Identity Services Engine (ISE): Adding Visibility and Context to NetFlow

Network / user context: Who, What, Where, When, How
Integrated partner context

Send contextual data collected from users, devices, and networks to Stealthwatch for advanced insights and NetFlow analytics

Page 15

Network as an Enforcer: Cisco TrustSec Software-Defined Segmentation
Provide Role-Based Segmentation to Control Access and Contain Threats

Traditional Security Policy (IP-address-based ACL, as shown on the slide):
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

TrustSec Security Policy: Segmentation Policy Enforced Across the Extended Network (Switch, Router, VPN & Firewall, DC Switch, Wireless Controller)

• Simplifies Firewall Rule, ACL, VLAN Management
• Prevents Lateral Movement of Potential Threats
• Eliminates Costly Network Re-architecture

Page 16

Customer Case Study - Network as an Enforcer

Industry: Banking

Company: Large Known Global Bank

Existing Environment:

• Large Cisco Switch & Router Footprint

Customer Challenges:

• Visibility into the network and rogue devices

• Enforcement of user-to-data-center access policies

• Meeting compliance audits

Results (after deploying Stealthwatch, Cisco ISE and Cisco TrustSec):

• Deep visibility into network access and devices

• Network access and assets segmented using business-role-based policies

• Accelerated time to compliance audits

Page 17

Architecting a Secure Network: Combining Network as a Sensor / Network as an Enforcer

(Architecture diagram.) Network Sensors: Stealthwatch; Campus/DC switches and WLC; Cisco routers / 3rd-vendor devices; NGIPS. Network Enforcers: TrustSec software-defined segmentation; NGFW; ISE. Policy & context sharing between sensors and enforcers over pxGrid. Also shown: Cisco Collective Security Intelligence, a Threat, and Confidential Data.

Page 18

Integrated Threat Defense (Detection & Containment)

(Diagram: a network fabric connecting Employee, Employee, Supplier, Shared Server, Server, a High Risk Segment, Quarantine, and the Internet.)

1. Stealthwatch detects. Event: TCP SYN Scan; Source IP: 10.4.51.5; Role: Supplier; Response: Quarantine
2. ISE issues a Change of Authorization: Quarantine
3. The network fabric enforces the quarantine
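The role-based segmentation of page 15 and the quarantine response of page 18, as one added Python example. It is not Cisco TrustSec or ISE code: the SGT numbers, the policy matrix, its default-deny, the IP-to-role bindings and the response rule are all assumptions made for illustration. What it shows: policy is keyed on role pairs, so a change of authorization that re-tags 10.4.51.5 into Quarantine changes what the fabric permits without touching the matrix, and the same matrix expanded into per-host IP ACL lines grows with the number of hosts and has to be regenerated on every move.

```python
"""Role-based segmentation with a quarantine response. Added example, not Cisco
TrustSec or ISE code; SGT numbers, policy matrix, bindings and the response rule
are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Security Group Tags (SGTs); the numbers are assumed for the example.
EMPLOYEE, SUPPLIER, SHARED_SERVER, CONFIDENTIAL, QUARANTINE = 10, 20, 30, 40, 99


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, proto, dport):
        return self.proto in ("ip", proto) and self.dport in (None, dport)


# Role-to-role policy matrix (the SGACLs), keyed on (source SGT, destination SGT).
# A cell that is absent denies everything, an assumed default for this example.
POLICY = {
    (EMPLOYEE, SHARED_SERVER): [Rule("permit", "tcp", 443), Rule("permit", "tcp", 445)],
    (EMPLOYEE, CONFIDENTIAL): [Rule("permit", "tcp", 443)],
    (SUPPLIER, SHARED_SERVER): [Rule("permit", "tcp", 443)],
    (SUPPLIER, CONFIDENTIAL): [Rule("deny")],
    (EMPLOYEE, EMPLOYEE): [Rule("deny")],   # no peer-to-peer lateral movement
}


class Fabric:
    """ISE-style IP -> SGT bindings plus enforcement of the matrix above."""
    def __init__(self, bindings):
        self.bindings = dict(bindings)
        self.coa_log = []

    def evaluate(self, src_ip, dst_ip, proto, dport):
        """First matching rule in the cell wins; no cell or unknown endpoint denies."""
        src, dst = self.bindings.get(src_ip), self.bindings.get(dst_ip)
        if src is None or dst is None:
            return "deny"
        for rule in POLICY.get((src, dst), []):
            if rule.matches(proto, dport):
                return rule.action
        return "deny"

    def change_of_authorization(self, ip, sgt, reason):
        """Models the ISE CoA: the endpoint is re-tagged, the matrix is untouched."""
        self.coa_log.append((ip, self.bindings.get(ip), sgt, reason))
        self.bindings[ip] = sgt


def respond(fabric, event):
    """Response rule from the slide, as an assumption: a Recon-class event from a
    host currently tagged Supplier is answered with CoA into Quarantine."""
    if event["category"] == "Recon" and fabric.bindings.get(event["host"]) == SUPPLIER:
        fabric.change_of_authorization(event["host"], QUARANTINE, event["event"])
        return "Quarantine"
    return "Alarm only"


def expand_to_ip_acl(fabric):
    """The same policy written as per-host IP ACL lines: it grows with hosts x hosts
    and must be regenerated whenever a host is added, moved or re-tagged."""
    lines = []
    for s_ip, s_sgt in fabric.bindings.items():
        for d_ip, d_sgt in fabric.bindings.items():
            if s_ip == d_ip:
                continue
            for r in POLICY.get((s_sgt, d_sgt), []):
                port = f" eq {r.dport}" if r.dport is not None else ""
                lines.append(f"access-list 102 {r.action} {r.proto} host {s_ip} host {d_ip}{port}")
    return lines


def build_sample_fabric():
    """Constructed bindings: one supplier, two employees, two servers."""
    return Fabric({"10.4.51.5": SUPPLIER, "10.4.51.10": EMPLOYEE, "10.4.51.11": EMPLOYEE,
                   "10.4.80.10": SHARED_SERVER, "10.4.90.10": CONFIDENTIAL})


if __name__ == "__main__":
    fabric = build_sample_fabric()
    print("supplier -> shared server tcp/443:", fabric.evaluate("10.4.51.5", "10.4.80.10", "tcp", 443))
    print("supplier -> confidential tcp/443:", fabric.evaluate("10.4.51.5", "10.4.90.10", "tcp", 443))
    print("matrix cells:", len(POLICY), "equivalent IP ACL lines:", len(expand_to_ip_acl(fabric)))
    event = {"event": "TCP SYN Scan", "host": "10.4.51.5", "category": "Recon"}
    print("response:", respond(fabric, event), fabric.coa_log[-1])
    print("supplier -> shared server after CoA:", fabric.evaluate("10.4.51.5", "10.4.80.10", "tcp", 443))
```

Two properties are worth checking in any real deployment of this pattern: an endpoint with no binding (no authenticated session, no tag) must fall to deny rather than to an "unknown" row that happens to be permissive, and the quarantine role needs its own row if remediation traffic (patch servers, a captive portal) is to remain reachable, because with the default-deny above a quarantined host can reach nothing at all.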

Page 19

Next Steps

Link to www.cisco.com/go/networksecurity
Link to www.cisco.com/go/dna