
Inside Cisco IT: Security Overview – How it Works Inside Cisco Every Day

Rich Gore

Cisco IT Senior Manager

BRKCOC-4500

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public


Agenda

• The Challenge of Security at Cisco
• What does a successful break-in look like?
• Behind the Scenes: Every Day Security
• Conclusion
• Resources

Section 1: The Challenge of Security at Cisco

Cisco Trusted Enterprise: What We Must Protect

• 141K workforce in 94 countries
• ~1.5M IP addresses
• 217K infrastructure devices
• 275K total hosts
• 2500+ IT applications
• 28K remote office connections via Cisco Virtual Office
• 13 major Internet connections
• ~47 TB bandwidth used daily
• 1350 labs
• 220+ acquisitions
• 300+ partner extranet connections
• 600+ cloud ASPs
• WebEx, Meraki, OpenDNS and a growing portfolio of cloud offers

In One Day: Security Challenge Inside Cisco

Scale
• 75K employees, 141K connected stakeholders
• 498 offices in 94 countries
• 217K connected user devices
• 1.5M IP addresses used in Cisco
• Scope agent results: 1232 devices deployed for detection and prevention
• InfoSec team: data analytics (4 TB/day) and security services (a bare figure of 175 on the slide has lost its label in extraction)

Volumes in one day
• 28 billion NetFlows analyzed (StealthWatch)
• 1.2 trillion SIEM events across the network
• 47 TB Internet traffic inspected
• 7.6 billion DNS requests (Umbrella); 6.25 million DNS requests blocked
• 4.4M emails received (ESA); 2.5 million email transactions blocked
• 2.0 million web transactions blocked (WSA)
• 13.4 million intrusion alerts (NG-IPS)
• 17K files analyzed (ThreatGrid/AMP)
• 22 managed incidents (CSIRT); 1000 phish (CSIRT)
• Phish click rate down 4x over the 3-year Phishpond program

The Answer: Defense in Depth

Layers: Devices, Net, Apps, Data

• Proactive controls
• Device management
• Visibility and defense
• Network and identity access control
• AMP for Network, AMP for Endpoints
• Threat intelligence
• Web and email protection
• Firewalls and intrusion protection
• InfoSec monitoring
• Awareness and training

Section 2: What does a successful break-in look like?

Successful attacks have to work multiple times

1. Reconnaissance: find users from public sites like Facebook / LinkedIn
2. Attacker sends a targeted email with a malicious attachment (or a bad website tricks the user into clicking a malware download). "You Got Mail!!!"
3. Naïve user opens the exploit, which installs a malware backdoor
4. Attacker targets other servers / devices to escalate privileges to admin status
5. Lateral movement through servers; data acquired
6. Data transferred externally
7. Data monetized. We lose.

Each step is a point where a control can break the chain; the attacker has to succeed at all of them.

Successful attacks: how well do they work?

• 60% of data is stolen in hours
• 85% of point-of-sale intrusions aren't discovered for weeks
• 54% of breaches remain undiscovered for months
• 51% increase in companies reporting a $10 million or more loss in the last 3 years

"A community that hides in plain sight avoids detection and attacks swiftly." – Cisco Annual Security Report

How well do they work at Cisco? Detection results

Capability: quarantine a device, blocking access to part of or the entire network, and enable remediation with help of IT Support and/or user self-help.

Business value:
• Ability to follow devices with active malware and block network access
• Lower operational costs and faster response times to contain and remediate
• Prevent data leakage

Complexity:
• Designing rules for differentiated network access
• What CAN a user access when quarantined?

Time to Detect – Time to Contain = Exposure Window: the gap between detecting an infected device and actually containing it is what the quarantine capability shrinks.

Demonstrating Security Value inside Cisco: Executive Communication

Section 3: Behind the Scenes: Every Day Security

1-6: A Day in the Life at Cisco – for employees

(Build-up diagram: an employee's laptop reaching the Data Center, WAN, Cloud Resources, an Unknown Email Source and the Internet; scenarios 1-6 below walk through it.)

7-10: A Day in the Life at Cisco – for InfoSec

(The same diagram from the InfoSec side: Data Center, WAN, Cloud Resources, Unknown Email Source, Internet; scenarios 7-10 below.)

1. Behind the Scenes: Employee at Work

Employee commutes to a Cisco site, badges in, logs into their Cisco-managed laptop, gets authenticated, and connects to the wired or wireless LAN.

Components in the diagram (callouts A-D match sections 1.A-1.D):
• Badge reader and IP camera (A, B)
• End user devices meeting the Trusted Device Standard, with AMP for Endpoints on the laptop and device MDM (C)
• Cisco access switch / wireless access point, 802.1X to Cisco ISE with TrustSec, Cisco ACS (RADIUS) (D)
• Cisco intranet resource access and Internet access

1.A Security – Badge Reader Data Flow

Sources of truth feeding the badging system:
• HR Space Management SSOT master (SJC, RTP, AMS, BGL)
• Directory
• Workplace Resources
• HR data entry portal
• Special absence database
• Contingent worker database
• Employee Connection or collaboration tools on demand

Events processed:
• New hire process
• Cardholder data changes
• Termination
• Badge extension and deactivation
• Leave of absence changes
• Employment category changes
• Default access level assignment
• Image transfer downstream
• Contractor and vendor changes

Automated processes: intelligent data comparison, transaction processing threshold, termination threshold, email summary and notification, advanced data analysis. Results go to the regional badging offices (Regions 1-4).

Cisco size: 10,220 card readers; 70,016 active employee badges; 38,150 active contractor badges; 5,515 access levels.
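The "intelligent data comparison" and "termination threshold" steps above are a joiner/mover/leaver reconciliation with a safety valve. The following is an added example written for this page, not Cisco IT's badging code: it diffs an HR feed against the badging system, proposes badge transactions, and refuses to proceed when one run would deactivate more badges than a threshold allows (the protection against a broken HR feed locking everyone out). The record layouts, status values and sample data are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    """One row from the HR source of truth (field names are this example's, not Cisco's schema)."""
    worker_id: str
    category: str       # "employee" or "contractor"
    status: str         # "active", "leave" or "terminated"
    access_level: str   # default access level assigned by HR


@dataclass(frozen=True)
class BadgeRecord:
    """One cardholder as the badging system knows it."""
    worker_id: str
    badge_active: bool
    access_level: str


class TerminationThresholdExceeded(Exception):
    """One run would deactivate more badges than allowed; hold it for a human to review."""


def reconcile(hr, badges, termination_threshold):
    """Compare HR against the badging system and propose transactions.

    Returns {"activate": [...], "deactivate": [...], "update_access": [...], "unknown_badges": [...]}.
    Raises TerminationThresholdExceeded instead of returning when the number of deactivations
    exceeds `termination_threshold`: a bad HR feed must not be able to lock the whole company out.
    """
    badge_by_id = {b.worker_id: b for b in badges}
    actions = {"activate": [], "deactivate": [], "update_access": [], "unknown_badges": []}

    for rec in hr:
        badge = badge_by_id.get(rec.worker_id)
        should_be_active = rec.status == "active"
        if badge is None:
            if should_be_active:
                actions["activate"].append(rec.worker_id)        # new hire, badge never issued
            continue
        if should_be_active and not badge.badge_active:
            actions["activate"].append(rec.worker_id)            # back from leave / reinstated
        elif not should_be_active and badge.badge_active:
            actions["deactivate"].append(rec.worker_id)          # terminated or on leave
        if should_be_active and badge.access_level != rec.access_level:
            actions["update_access"].append((rec.worker_id, badge.access_level, rec.access_level))

    # An active badge with no HR owner is the case to escalate first: nobody is accountable for it.
    hr_ids = {r.worker_id for r in hr}
    actions["unknown_badges"] = [b.worker_id for b in badges
                                 if b.badge_active and b.worker_id not in hr_ids]

    if len(actions["deactivate"]) > termination_threshold:
        raise TerminationThresholdExceeded(
            f"{len(actions['deactivate'])} deactivations exceed the threshold of {termination_threshold}")
    return actions


def summary_line(actions):
    """Text for the e-mail summary and notification step."""
    return ", ".join(f"{name}={len(items)}" for name, items in actions.items())


# Constructed sample data for a local run.
SAMPLE_HR = [
    HrRecord("e1", "employee", "active", "L1"),
    HrRecord("e2", "employee", "terminated", "L1"),
    HrRecord("e3", "contractor", "active", "L2"),
    HrRecord("e4", "employee", "leave", "L1"),
    HrRecord("e5", "employee", "active", "L1"),
]
SAMPLE_BADGES = [
    BadgeRecord("e1", True, "L1"),
    BadgeRecord("e2", True, "L1"),
    BadgeRecord("e3", True, "L1"),
    BadgeRecord("e4", True, "L1"),
    BadgeRecord("e9", True, "L3"),   # no HR record at all
]

if __name__ == "__main__":
    print(summary_line(reconcile(SAMPLE_HR, SAMPLE_BADGES, termination_threshold=25)))
```

The threshold is deliberately an exception rather than a truncated list: a partial deactivation batch is worse than none, because the people who were cut off and the people who were not look the same to the operator.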

1.B Security Cameras – Monitoring and Response

8,424 IP security cameras at Cisco.

Inputs (situation detection): IP and analog cameras, Telepresence and Spark, radios, mobile phones, IP phones, access control, third-party sensors, Cisco IT infrastructure (WAN, DC).
Policy engine and SFOC analyst desktop: situation detection, situation response, situation monitoring; alarm, events and video monitoring; notification systems and the IPICS dispatch console for response.

1.B Video Analytics: comparing an employee picture to video camera output.

1.A, B SFOC – Security and Facilities Operations Centers: RTP, San Jose, Shanghai, Bangalore, London.

1.C Securing the Device: Trusted Laptop Standard

• Device to user attribution
• Full content encryption
• Complex password
• 10 minute auto lock
• Anti-malware: AMP for Endpoints, AV/HIPS
• Updated OS version
• Updated software versions
• Hardware/software inventory

Fleet counts on the slide: 87,864 / 10,107 / 37,103 (platform labels not recoverable from the extraction).

1.D AD: Authentication/Authorization Basic Flow

User/endpoint → network access device (US) → AAA RADIUS server (ISE policy service nodes behind regional VIPs, tried in order: 1. MTV-VIP, 2. ALN-VIP, 3. RTP-VIP) → AD domain controllers (AD-DC-MTV, AD-DC-ALN, AD-DC-RTP).

Each regional VIP fronts a pair of ISE PSNs (MTV-VIPs, ALN-VIPs, RTP-VIPs), so the network access device's RADIUS server list points at regional VIPs rather than at individual nodes.
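The trust between the network access device and the RADIUS server in the flow above rests on two things: the shared secret, and the authenticators that the secret keys. The following is an added example written for this page, not ISE or ACS code: a minimal RADIUS Access-Request/Access-Accept exchange with the RFC 2865 password hiding, the RFC 2869 Message-Authenticator (HMAC-MD5) that the server checks before it even looks at the password, and the Response Authenticator that the client checks so a spoofed Access-Accept from a box that does not know the secret is rejected. The user database and secrets are constructed; a real 802.1X exchange carries EAP inside RADIUS rather than User-Password, but the authenticator checks are the same.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR block i with MD5(secret + previous cipher block),
    the first block keyed with the Request Authenticator."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the server needs it to compare against its store."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def parse_attrs(pkt):
    """Return {type: (offset_of_value, value)} for the TLVs after the 20-byte header."""
    attrs, i = {}, 20
    while i < len(pkt):
        if i + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > len(pkt):
            raise ValueError("malformed attribute length")
        attrs[atype] = (i + 2, pkt[i + 2:i + alen])
        i += alen
    return attrs


def build_access_request(ident, username, password, secret, request_auth=None):
    ra = request_auth or os.urandom(16)
    body = attr(USER_NAME, username.encode()) + attr(USER_PASSWORD, hide_password(password, secret, ra))
    ma_offset = 20 + len(body) + 2                          # where the HMAC value will live
    body += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)       # zero placeholder, RFC 2869 5.14
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()       # HMAC over the packet with the zeroed field
    return pkt[:ma_offset] + mac + pkt[ma_offset + 16:], ra


def build_response(code, ident, request_auth, secret, body=b""):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret), RFC 2865 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def server_handle(pkt, secret, userdb):
    """Server side: verify the Message-Authenticator first, then check the credentials."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    ra = pkt[4:20]
    attrs = parse_attrs(pkt)
    if MESSAGE_AUTHENTICATOR not in attrs:
        return build_response(ACCESS_REJECT, ident, ra, secret)
    off, mac = attrs[MESSAGE_AUTHENTICATOR]
    zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac):
        return build_response(ACCESS_REJECT, ident, ra, secret)   # wrong secret or tampered packet
    user = attrs[USER_NAME][1].decode()
    password = reveal_password(attrs[USER_PASSWORD][1], secret, ra)
    ok = user in userdb and hmac.compare_digest(userdb[user].encode(), password.encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, ra, secret)


def client_check_response(resp, request_auth, secret):
    """Client side: recompute the Response Authenticator; returns (code, authenticator valid)."""
    header, resp_auth, body = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return header[0], hmac.compare_digest(expected, resp_auth)


def run_exchange(username, password, client_secret, server_secret, userdb):
    """Full round trip; returns (response code, client accepted the response)."""
    req, ra = build_access_request(7, username, password, client_secret)
    resp = server_handle(req, server_secret, userdb)
    return client_check_response(resp, ra, client_secret)


# Constructed user database and shared secret for a local run.
USERDB = {"alice": "correct horse"}
SECRET = b"nas-to-ise-shared-secret"
```

Note what the third scenario in the test below shows: when the two sides disagree on the secret, the server rejects without ever unhiding the password, and the client in turn does not trust the reject, because neither side can validate the other's authenticator.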

1.D Single Global ISE Deployment (WLAN, CVO, LAN, VPN)

• Primary ISE PAN/M&T and secondary ISE PAN/M&T
• 24 ISE nodes: 20 PSNs in 8 data centers (node groups): AER, RTP, ALN, SNG, TYO, HKG, BGL, MTV
• 1.5 million active profiled "endpoints"
• Max ~450K concurrent "endpoints"

1.D ISE Across Networks

Identity Services Engine sits at the center of: wireless devices, wired network devices, AnyConnect VPN, home access (CVO), Adaptive Security Appliance, device management, Umbrella, WSA, ESA, AMP for Endpoints, AMP for Network, AMP Threat Grid, StealthWatch and FireSIGHT, all around the Cisco core network.

2. Behind the Scenes: Browsing the Web

Employee opens the CEC browser, logs into internal applications or external web sites to get information, download a file, and do work.

Path in the diagram (callouts A-E match sections 2.A-2.E): laptop with AMP for Endpoints → 802.1X to the access switch / wireless AP and Cisco ISE → distribution layer → internal resources on the intranet, or → DMZ firewall and NGIPS → WSA → Internet (cloud resources, unknown web site), with Umbrella resolving DNS. The AMP management console, ThreatGrid and all other AMP devices share file verdicts.

2.A Passwords – Multifactor Auth

Multifactor / cloud authentication: static passwords are the #1 target for theft, because a stolen password can be used to bypass other security controls.

Mitigations:
1. "Swipe instead of type": end-user multifactor application for Trusted Devices
2. One-time passwords (OTP) as catch-all
3. Multifactor authentication designs for static password resets
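Mitigation 2 above, OTP as the catch-all second factor, is usually time-based OTP. The following is an added example written for this page, not Cisco's authentication code: RFC 4226 HOTP and RFC 6238 TOTP from the standard library, plus the server-side verifier that a practitioner actually needs, with a one-step drift window and replay protection (a code that already logged someone in is never accepted again, which is the mistake most home-grown verifiers make). The key is the RFC 6238 Appendix B test key, used here as constructed input so the output can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP over the time-step counter floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits, algo)


class TotpVerifier:
    """Server-side check with a +/-`window` step tolerance for clock drift and replay protection:
    any step counter at or below the last one that logged in is refused, even if the code matches."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_used_counter = -1

    def verify(self, code, unix_time=None):
        now = int(time.time() if unix_time is None else unix_time)
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_used_counter:
                continue                                   # replay or older than a consumed step
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), str(code)):
                self.last_used_counter = counter
                return True
        return False


# RFC 6238 Appendix B test key (ASCII "12345678901234567890"); constructed input, not a real secret.
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_TEST_KEY, 59, digits=8))   # matches the RFC 6238 vector for T=59
```

Store `last_used_counter` per user in persistent state, not in memory, or a restart reopens the replay window.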

2.B Umbrella Network Deployment (April 2016)

Umbrella (OpenDNS) enforcement layers: DNS, BGP, ASN, IP, domain; additional network security/visibility from StealthWatch, WSA (+ESA) and Firepower.

• Solution is easy to deploy and roll back: preserves the existing solution and adds the security offered by OpenDNS as an overlay
• Lightweight implementation with no changes to the network, DHCP scopes or statically defined end clients
• Planning and change management for 90 days; 30 minutes to implement
• Acquisition process updated to include day-0 rollout of Umbrella, providing immediate security and visibility with no hardware requirements

2.B Umbrella Deployment Results at Cisco

• 166K malware events blocked in the first 24 hours, reducing WSA load:
  • 62% fewer "bad web reputation" blocks
  • 96% fewer "bad URL category" blocks
  • 82% fewer "malware" related blocks

(Diagram: Internet threats, malware, botnets/C2 and phishing, stopped at the DNS layer before reaching HQ, branch and mobile users, ahead of Lancope, WSA (+ESA), Firepower, Meraki, ASA and AMP.)

2.C Web Security Appliance (80 deployed)

Malware blocked in one day:
• 441K trojan horses
• 61K other malware
• 29K encrypted files (monitored)
• 16.4K adware messages
• 1K trojan downloaders
• 55 phishing URLs
• 22 commercial system monitors
• 5 worms
• 3 dialers

Cisco web traffic stats:
• 330-360M web visits/day
• 6-7M (2%) blocked (now 2M, after the Umbrella rollout)

WSA blocked transactions:
• 93.5% web reputation (now 98.9%)
• 4.5% URL category (now 0.5%)
• 2% anti-malware (now 1.1%)

2.D Cisco AMP Threat Grid: automatically submit suspicious files – 17,000 per day

Automated analysis, from edge to endpoint: an analyst or system (API) submits a suspicious sample to Threat Grid. Sources: edge (ASA with FirePOWER services, ESA, next-gen IPS, WSA, AMP for Networks) and endpoints (AMP for Endpoints).

14 appliances; average 7 minutes per analysis.

2.D Threat Grid Output – Prioritized

• 450+ behavioral indicators (and growing): malware families, malicious behaviors, and more, with detailed description and actionable information
• Prioritize threats with confidence: enhances SOC analyst and IR (and security product) knowledge and effectiveness
• Easy-to-understand threat scores guide decision making

2.D Advanced Malware Protection: Integrated Threat Defense

• FireSIGHT Management Center
• WSA: 1% of all transactions blocked; 80 WSAs / 30 ESAs deployed; 3K+ email files blocked by AMP monthly
• NG-IPS 83xx and VM series deployed, passive and inline capabilities, 25K+ quarterly alerts
• 14 Threat Grid appliances deployed, on-prem sandboxing, 10K+ files analyzed every 24 hours (analytics engine, machine learning engine)
• AMP for Endpoints: 30K+ agents deployed, cloud-enabled AMP, 13 iPOPs globally, eight global appliances deployed (UCS C220 M4)

Deployment progress (** = completion):
• AMP for Endpoints: 30%, deployment in progress
• AMP for Networks: 50%, ISR, NGIPS; FP9300s beginning
• Threat Grid/AMP: 100%
• AMP for Web and Email: 100%

2.E CASPR – Cloud & Application Service Provider Remediation

Assessment domains: privacy and data security, application security, infrastructure security, authentication and authorization, vulnerability management, logging and auditability, support and operations, incident analysis and response, business continuity.

CASPR models by data classification: Public, Confidential, Highly Confidential, Restricted.

3. Behind the Scenes: Getting Email

Employee downloads email, reads and responds, and perhaps also clicks on a hyperlink or opens an attachment.

Path in the diagram (callouts A-C match sections 3.A-3.C): unknown email source on the Internet → DMZ firewall and NGIPS → ESA → MS Exchange (email) on the intranet → laptop with AMP for Endpoints over 802.1X via the access switch / wireless AP and Cisco ISE. The AMP management console, ThreatGrid and all other AMP devices share file verdicts.

3.A Email Security Appliance – Cisco IT (30 deployed): 2.8M emails blocked each day

ESA blocked emails         Emails/mo   Emails/day   Emails/employee/day   %
By reputation              81 M        2.65 M       35.4                  93.6 %
By spam content            4.89 M      161 K        2.2                   5.8 %
By invalid recipients      573 K       18.7 K       0.25                  0.7 %
Virus payload              5.3 K       179          0.002                 0.01 %

Emails                     Emails/mo   Emails/day   Emails/employee/day   %
Attempted                  134 M       4.4 M        59
Blocked                    86 M        2.8 M        38                    63.2 %
Delivered                  39 M        1.3 M        17                    29.7 %
Delivered, marked
"Marketing"                9 M         306 K        4                     7.2 %

Blocked mail is malware and spam; the first table breaks the blocked 2.8M/day down by the check that stopped it.

3.B AMP for Endpoints – Next-Gen Endpoint Security

Being deployed across all laptops and some smartphones.

• Blocks malicious files at initial inspection and uses a sandbox to inspect unknown files
• Continuously analyzes all file activity to detect malicious behavior and retrospectively alert
• Shows the full history of compromise, and provides outbreak control and quarantine capabilities

3.C Securing the User: Phishing

3.C Security Education Campaign – Phishing

• Phishing is the #1 source of endpoint compromise
• Different levels of sophistication and difficulty each quarter
• Remember: it only takes one phish to compromise YOU

Quarterly campaign click rates: Q1 "New Doctor" 13%; Q2 "Background Check" 19%; Q3 "Account Closing" 10%; Q4 "Plan Recruitment" 5%

3.C Phishing Education – Results

• Reduce likelihood of data loss or breach: it only takes one click
• Generate buzz and educate users
• Leverage a third-party provider for the full solution: deliver and measure each phishing campaign per user
• Enterprise program consists of
  o Fully operational process (targets over 138K users per phish)
  o Central Phishpond site, multiple awareness channels
  o Partnership with support organizations
  o Guidelines for sending legitimate e-mails
  o Feedback to improve Cisco e-mail security products

By the numbers:
• Over 750K phish sent since program inception
• Reduced corporate click rate from 30% to 5-10%
• Habitual clickers: dropped re-test click rate from 12% to 1%

4. Behind the Scenes: Working From Home Office

Secure mobile employee off-prem (home office), accessing on-prem and off-prem services.

Path in the diagram (callouts A, B): laptop with AMP for Endpoints and video devices behind the Cisco Virtual Office (CVO) router → Internet (Umbrella resolving DNS) → VPN to the Cisco ASR VPN hub router → DMZ, distribution layer and NGIPS → intranet and DC. The CAS router issues the CA certs; Cisco Security Manager manages the routers; Cisco ISE and MDM authenticate and posture the device.

4.B CVO Spoke Provisioning

• CVO router shipped to the employee with a base configuration: simple NAT config, DHCP client pool, emergency termination script
• Employee plugs it into the home network
• Registration over TCP 443: the user enters credentials at https://cvo-setup.cisco.com, checked against Active Directory by the registration server (SMG/SDG)
• Registration server sends the base configuration for IPsec to the SMG; on "client OK" the full configuration is sent from the device and service management system (CSM, EMAN)
• Data tunnel established: the spoke presents its cert to the hub; the hub extracts the CN and forwards it to AAA (ISE) for authorization
• Emergency termination: the script (which contains the username and associated CVO hostname) kills the NHRP and DMVPN tunnel to the spoke

5. Behind the Scenes: Mobile (on Laptop)

Secure mobile employee off-prem (mobile laptop), accessing on-prem and off-prem services.

Path in the diagram (callouts A, B): Windows laptop with the AnyConnect client and AMP for Endpoints → any public wireless access point → Internet (Umbrella) → VPN with 2-factor auth to the Cisco ASA VPN hub firewall → DMZ, distribution layer and NGIPS → intranet. The CAS router issues the CA certs; Cisco ISE and MDM authenticate and posture the device.

5.A Secure VPN Connectivity with AnyConnect

AnyConnect:
• Installed on all Cisco-owned client devices
• Root certificate installed on the client
• Profiling script running: screensaver? OS version? virus scan version? user profile

ASA-5585 VPN cluster gateways:
• General profile installed when clients connect to the ASA
• Users have a choice of regional clusters to connect to
• Access lists configured on group-policy for specific users (extranet, ...)
• Cluster sizes from 2-10 ASAs depending on regional headcount
• Round-robin VPN load balancing

ISE:
• Posture assessment
• Authentication

5.B Umbrella Endpoint Deployment (April 2017)

• AnyConnect module bootstrap: 78K clients in one week, 100K clients in 2 weeks, 3 support cases generated
• First week of the roaming client deployment: 431K additional blocks across 12.2K unique hosts (10% of fleet)
• Top 100 users generated 70% of roaming client blocks
• Covers all ports and protocols, not just web or email
• Audit trail of DNS queries from devices when not connected to Cisco
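The two observations above, that a small set of hosts produces most of the blocks and that the roaming client leaves an audit trail of off-network DNS queries, are what an analyst mines from the DNS log. The following is an added example written for this page, not Umbrella's reporting: it parses a constructed DNS block log in a simplified CSV layout (the column names are this example's, not Umbrella's export schema), measures how concentrated the blocks are in the top-N hosts, summarizes what was blocked while devices were roaming, and flags hosts that repeatedly tried to reach command-and-control domains, the pattern that deserves a CSIRT ticket rather than a dashboard line.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample in a simplified CSV layout; field names are this example's, not Umbrella's.
SAMPLE_LOG = """\
timestamp,host,network,query,action,category
2017-04-03T08:00:01Z,lap-0142,roaming,updates.vendor.example,allowed,Software Updates
2017-04-03T08:00:05Z,lap-0142,roaming,c15c0-sync.example,blocked,Command and Control
2017-04-03T08:00:09Z,lap-0142,roaming,c15c0-sync.example,blocked,Command and Control
2017-04-03T08:01:30Z,lap-0142,roaming,dl.badfiles.example,blocked,Malware
2017-04-03T08:02:00Z,lap-0310,corp,login-verify.example,blocked,Phishing
2017-04-03T08:02:10Z,lap-0310,corp,search.example,allowed,Search Engines
2017-04-03T08:03:00Z,lap-0777,roaming,dl.badfiles.example,blocked,Malware
2017-04-03T08:03:20Z,lap-0777,roaming,meet.example,allowed,Collaboration
2017-04-03T08:04:00Z,lap-0901,corp,intranet.example,allowed,Business
2017-04-03T08:05:00Z,lap-0142,roaming,c15c0-sync.example,blocked,Command and Control
"""


def parse_log(text):
    return list(csv.DictReader(StringIO(text)))


def blocks_per_host(rows):
    return Counter(r["host"] for r in rows if r["action"] == "blocked")


def top_talker_share(rows, n):
    """Fraction of all blocks attributable to the n hosts with the most blocks, plus those hosts."""
    counts = blocks_per_host(rows)
    total = sum(counts.values())
    top = counts.most_common(n)
    share = sum(c for _, c in top) / total if total else 0.0
    return share, [h for h, _ in top]


def roaming_block_categories(rows):
    """What the roaming client blocked while the device was off the corporate network."""
    return Counter(r["category"] for r in rows
                   if r["action"] == "blocked" and r["network"] == "roaming")


def repeat_c2_hosts(rows, min_blocks):
    """Hosts that tried to reach Command and Control domains at least min_blocks times:
    one block is noise, repeats look like a beaconing implant."""
    hits = defaultdict(list)
    for r in rows:
        if r["action"] == "blocked" and r["category"] == "Command and Control":
            hits[r["host"]].append((r["timestamp"], r["query"]))
    return sorted(h for h, queries in hits.items() if len(queries) >= min_blocks)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(top_talker_share(rows, 1), dict(roaming_block_categories(rows)), repeat_c2_hosts(rows, 2))
```

On the real feed the interesting parameter is the time window for `repeat_c2_hosts`: an implant that beacons every few minutes shows up as evenly spaced blocks to the same domain, which is a stronger signal than the raw count.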

6. Behind the Scenes: Mobile (on Smartphone)

Secure mobile employee off-prem (mobile smartphone), accessing on-prem and off-prem services.

Path in the diagram (callouts A-E): Android smartphone with the AnyConnect client and AMP for Endpoints → any public wireless access point → Internet (Umbrella) → VPN with 2-factor auth to the Cisco ASA VPN hub firewall → DMZ, distribution layer and NGIPS → intranet. The CAS router issues the CA certs; Cisco ISE and MDM authenticate and posture the device.

6.A Employee Mobility is More Than Just BYOD

Scaled architecture:
• Any trusted device
• Industry standard platforms
• Cisco AnyConnect and device management
• Pervasive wireless and ISE

Security:
• BYOD-only smartphones and tablets
• Corporate laptops
• Optional corporate mobile service
• Strong policy and rules of use

Spend management:
• Service provider relationships
• Proactive cost optimization strategies
• Industry-first pricing models

Robust app lifecycle:
• User-driven progression
• Collaboration apps
• Enterprise and LOB selection
• Cisco eStore

Social support:
• Proactive communications
• Self-service content
• One-to-many interactive support
• Traditional one-to-one

6.B Cisco IT Mobile Device Landscape

68,607 mobile devices (BYOD). Per-platform counts on the slide: 11,056 / 41,113 / 15,587 / 380 / 471 (platform labels not recoverable from the extraction).

6.B Mobile Device Standard

• Device to user attribution
• Encryption
• 6 character PIN / password
• Jailbreak / rooted detection
• 10 minute auto lock
• Anti-malware
• Minimum OS version
• Remote wipe
• Hardware/software inventory

6.B "Secured" vs "Trusted" Devices at Cisco

Secured: 6 digit PIN, 10 minute timeout, remote wipe, management, encryption → access at the network edge.
Trusted: the full device standard above → access to the core network.
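The Trusted Laptop Standard (1.C), the Mobile Device Standard (6.B) and the secured/trusted split above are all the same mechanism: inventory facts from the MDM or posture agent, evaluated against a control list, mapped to an access tier. The following is an added example written for this page, not Cisco's ISE posture policy: a posture evaluator for both device classes that returns the failed controls and the resulting tier. The field names, the numeric policy values (minimum OS versions, 600-second lock, 6-digit PIN) and the password complexity rule are constructed, because the deck lists the controls but not the numbers behind them; the rule that a rooted device is denied regardless of what else passes is this example's assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceFacts:
    """What the MDM / posture agent reports about one device (field names are this example's)."""
    kind: str                             # "laptop" or "mobile"
    platform: str                         # key into POLICY["min_os_version"]
    os_version: str                       # e.g. "10.13.3"
    owner: Optional[str]                  # device-to-user attribution
    encrypted: bool
    auto_lock_seconds: int
    managed: bool                         # enrolled in device management / inventory
    anti_malware_running: bool
    password_complexity_ok: bool = True   # laptop: result of password_is_complex() at set time
    pin_length: int = 0                   # mobile
    remote_wipe_enrolled: bool = False    # mobile
    jailbroken: bool = False              # mobile


# Constructed policy values; the deck lists the controls but not the numbers behind them.
POLICY = {
    "max_auto_lock_seconds": 600,
    "min_pin_length": 6,
    "min_os_version": {"macos": "10.13", "windows": "10.0", "ios": "11.0", "android": "7.0"},
}


def version_tuple(version):
    """'10.13.3' -> (10, 13, 3); tuple comparison is what makes 10.13 > 10.9 come out right."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def password_is_complex(password, min_length=8):
    """Assumed complexity rule: at least min_length characters and three of four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= min_length and sum(bool(re.search(c, password)) for c in classes) >= 3


def evaluate(facts, policy=POLICY):
    """Return the names of the controls the device fails; an empty list means compliant."""
    failed = []
    if not facts.owner:
        failed.append("device_to_user_attribution")
    if not facts.encrypted:
        failed.append("encryption")
    if facts.auto_lock_seconds > policy["max_auto_lock_seconds"]:
        failed.append("auto_lock")
    if version_tuple(facts.os_version) < version_tuple(policy["min_os_version"][facts.platform]):
        failed.append("min_os_version")
    if not facts.managed:
        failed.append("management_inventory")
    if not facts.anti_malware_running:
        failed.append("anti_malware")
    if facts.kind == "mobile":
        if facts.pin_length < policy["min_pin_length"]:
            failed.append("pin_length")
        if not facts.remote_wipe_enrolled:
            failed.append("remote_wipe")
        if facts.jailbroken:
            failed.append("jailbreak_rooted")
    elif not facts.password_complexity_ok:
        failed.append("complex_password")
    return failed


# The "Secured" tier on the slide: PIN, timeout, remote wipe, management, encryption.
SECURED_CONTROLS = {"pin_length", "auto_lock", "remote_wipe", "management_inventory", "encryption"}
# Assumption for this example: a rooted device never gets any access, whatever else passes.
HARD_DENY = {"jailbreak_rooted"}


def access_tier(facts, policy=POLICY):
    """'trusted' -> core network, 'secured' -> network edge only, 'denied' -> quarantine / no access."""
    failed = set(evaluate(facts, policy))
    if not failed:
        return "trusted"
    if facts.kind != "mobile":
        return "denied"          # a laptop is either trusted or quarantined for remediation
    if failed & HARD_DENY or failed & SECURED_CONTROLS:
        return "denied"
    return "secured"
```

The one line worth copying is `version_tuple`: comparing "10.13.3" and "10.9" as strings ranks the older release as newer, and a minimum-OS control built on string comparison passes exactly the devices it was meant to catch.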

7. Network: Data Center to Internet

Diagram: Data Center (e-commerce front-end and back-end behind the app firewall, DC gateway) → corporate network (WAN, corp firewall) → DMZ gateway → Internet (cloud resources, unknown email source). Controls along the path: ISE, AMP for Endpoint, WSA, ESA, Umbrella, AMP for Networks and ThreatGrid.

8. Network Data Inspection: Stealthwatch

Same path (Data Center, DC gateway, corporate network, WAN, corp firewall, DMZ gateway, Internet). NetFlow from the ASRs and Nexus 3Ks at the gateways feeds Stealthwatch and CTA; alerts go to CSIRT, Security Incident Response.

8: NetFlow and Stealthwatch (diagram slide)

8. Incident Detection: NetFlow

NetFlow is exported at network choke points, the ISP gateways and DC gateways on the corporate backbone, into the NetFlow collector.

Collect at chokepoints for egress detection:
• 180 exporting devices at DMZ and DC gateways
• Reviewing 325,000 flows/second, 28 billion flows/day
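What "collect at chokepoints for egress detection" means in practice is: decode the export records from the gateways, keep the flows whose source is inside and whose destination is outside, and add up bytes per inside host. The following is an added example written for this page, not Stealthwatch code: a NetFlow v5 datagram parser (the 24-byte header and 48-byte record layout from the v5 specification), an egress summarizer, and a threshold-based exfiltration flag. The internal address ranges, the byte threshold and the sample flows are constructed; a real collector would read the datagrams from a UDP socket instead of building them in memory.

```python
import ipaddress
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")    # 48 bytes per flow record

# Address space treated as "inside"; a real deployment lists its own allocations here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    a = ipaddress.IPv4Address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse_netflow_v5(datagram):
    """Yield one dict per flow record in a NetFlow v5 export datagram; reject malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, unix_secs, _nsecs, _seq, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        yield {
            "src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6], "first_ms": f[7], "last_ms": f[8],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
            "export_time": unix_secs,
        }


def egress_bytes(records):
    """Bytes sent from internal sources to external destinations, per internal host."""
    totals = defaultdict(int)
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            totals[r["src"]] += r["bytes"]
    return dict(totals)


def flag_exfiltration(records, byte_threshold):
    """Internal hosts whose outbound volume in this export crosses the threshold."""
    return sorted(h for h, b in egress_bytes(records).items() if b >= byte_threshold)


def build_v5_datagram(flows, unix_secs=1500000000):
    """Constructed exporter output for the demo (a router would send this over UDP, usually port 2055)."""
    recs = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(d)), 0, 1, 2,
                       pk, by, 0, 1000, sp, dp, 0, flags, proto, 0, 0, 0, 24, 24, 0)
        for s, d, pk, by, sp, dp, proto, flags in flows)
    return V5_HEADER.pack(5, len(flows), 1000, unix_secs, 0, 0, 0, 0, 0) + recs


# Constructed flows: (src, dst, packets, bytes, sport, dport, proto, tcp_flags)
SAMPLE_FLOWS = [
    ("10.1.20.15", "203.0.113.10", 1200, 1_800_000, 51234, 443, 6, 0x18),  # large upload to the Internet
    ("10.1.20.15", "10.1.5.5", 40, 6_000, 51235, 445, 6, 0x18),           # internal to internal: not egress
    ("10.1.20.77", "198.51.100.8", 30, 4_200, 51000, 443, 6, 0x18),
    ("192.0.2.44", "10.1.20.15", 500, 700_000, 443, 51234, 6, 0x18),      # inbound: ignored
    ("10.1.20.77", "198.51.100.9", 10, 900, 40000, 53, 17, 0),
]

if __name__ == "__main__":
    records = list(parse_netflow_v5(build_v5_datagram(SAMPLE_FLOWS)))
    print(egress_bytes(records), flag_exfiltration(records, 1_000_000))
```

Two practical notes: the "inside" list is explicit rather than `is_private`, because Python's `is_private` also covers the documentation ranges used for the external side here and would silently swallow the detection; and a fixed threshold is only the first cut, since a per-host baseline over the retention window catches the slow exfiltration a one-export threshold misses.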

NetFlow Retention

• SJC: 4-18 months
• RCDN: 10 months
• RTP: 4 months
• LON: 26 months
• BGL: 5-9 months

9. Network Inspection: In Progress – Encrypted Traffic Analytics (ETA)

Same path as slide 8, with Catalyst 9K switches and ASRs exporting enhanced NetFlow for encrypted traffic to Stealthwatch and CTA; alerts go to CSIRT, Security Incident Response.

Encrypted Traffic Analytics (ETA) – Cisco research

Known malware traffic and known benign traffic → extract observable features in the data → employ machine learning techniques to build detectors → known malware sessions detected in encrypted traffic with 99% accuracy.

"Identifying encrypted malware traffic with contextual flow data", AISec '16, Blake Anderson, David McGrew (Cisco Fellow)

How can we inspect encrypted traffic?

• Make the most of the unencrypted fields: the initial data packet (for example a self-signed certificate)
• Identify the content type through the size and timing of packets: the sequence of packet lengths and times (data exfiltration and C2 messages look different from browsing)
• Threat intelligence map: a who's who of the Internet's dark side, broad behavioral information about the servers on the Internet

ETA studied Internet encrypted data features – Cisco research

Feature sources: TCP/IP, DNS, TLS, SPLT (sequence of packet lengths and times).

Malware traffic: watchlist address, lookalike domains (c15c0.com, afb32d75.com), unusual TLS fingerprint, unusual or self-signed certificate, data exfiltration, C2 message (example family: Bestafera).
Benign traffic: prevalent address (cisco.com), typical fingerprint, typical cert, Google search.
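Two of the feature sources above can be reproduced with nothing more than a packet capture: the TLS fingerprint comes from the unencrypted ClientHello, and SPLT is just the signed lengths and inter-arrival times of the first packets. The following is an added example written for this page, not Cisco's ETA implementation: a ClientHello parser that pulls out the version, cipher suites, extensions and SNI, a JA3-style fingerprint built from them (with GREASE values removed, since a fingerprint that includes random noise never matches), and an SPLT extractor. The ClientHello bytes and the packet timings are constructed in the block so it runs offline.

```python
import hashlib
import struct


def is_grease(value):
    """GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are random noise and must not shape a fingerprint."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def build_client_hello(version, ciphers, extensions):
    """Constructed ClientHello inside a TLS record; extensions is a list of (type, raw data)."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"             # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                                     # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake # ContentType handshake


def parse_client_hello(record):
    """Pull version, cipher suites and extensions out of the first (unencrypted) client packet."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 0
    version = struct.unpack_from("!H", body, p)[0]
    p += 2 + 32                                  # client_version, random
    p += 1 + body[p]                             # session id
    cs_len = struct.unpack_from("!H", body, p)[0]
    p += 2
    ciphers = [struct.unpack_from("!H", body, p + i)[0] for i in range(0, cs_len, 2)]
    p += cs_len
    p += 1 + body[p]                             # compression methods
    ext_len = struct.unpack_from("!H", body, p)[0]
    p += 2
    end, extensions = p + ext_len, []
    while p < end:
        ext_type, ext_data_len = struct.unpack_from("!HH", body, p)
        p += 4
        extensions.append((ext_type, body[p:p + ext_data_len]))
        p += ext_data_len
    if p != end or end != len(body):
        raise ValueError("extension lengths do not add up")
    return {"version": version, "ciphers": ciphers, "extensions": extensions}


def server_name(hello):
    """SNI (extension 0): list length(2), name type(1), name length(2), name."""
    for ext_type, data in hello["extensions"]:
        if ext_type == 0:
            name_len = struct.unpack_from("!H", data, 3)[0]
            return data[5:5 + name_len].decode()
    return None


def ja3(hello):
    """JA3-style fingerprint: version,ciphers,extensions,groups,point formats (GREASE removed), MD5 hashed."""
    groups, formats = [], []
    for ext_type, data in hello["extensions"]:
        if ext_type == 10:                                   # supported_groups
            n = struct.unpack_from("!H", data, 0)[0]
            groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
        elif ext_type == 11:                                 # ec_point_formats
            formats = list(data[1:1 + data[0]])
    text = ",".join([
        str(hello["version"]),
        "-".join(str(c) for c in hello["ciphers"] if not is_grease(c)),
        "-".join(str(t) for t, _ in hello["extensions"] if not is_grease(t)),
        "-".join(str(g) for g in groups if not is_grease(g)),
        "-".join(str(f) for f in formats),
    ])
    return text, hashlib.md5(text.encode()).hexdigest()


def splt(packets, n=10):
    """Sequence of Packet Lengths and Times for the first n packets: (signed length, ms since previous).
    Direction is the sign: positive client->server, negative server->client."""
    out, prev_t = [], packets[0][0]
    for t, length, direction in packets[:n]:
        out.append((length if direction == "out" else -length, round((t - prev_t) * 1000)))
        prev_t = t
    return out


# Constructed ClientHello: TLS 1.2 version field, three real suites plus one GREASE value, SNI,
# supported_groups (with a GREASE group), ec_point_formats and a GREASE extension.
SNI_NAME = b"www.example.test"
SAMPLE_CLIENT_HELLO = build_client_hello(
    0x0303,
    [0x0A0A, 0x1301, 0x1302, 0xC02B],
    [
        (0, struct.pack("!HBH", len(SNI_NAME) + 3, 0, len(SNI_NAME)) + SNI_NAME),
        (10, struct.pack("!HHHH", 6, 0x2A2A, 0x001D, 0x0017)),
        (11, b"\x01\x00"),
        (0x1A1A, b"\x00"),
    ],
)
```

The fingerprint string is the part to compare across hosts: the same client library produces the same string everywhere it runs, so a string seen from one host only, or one that matches a known malware family's list, is the "unusual fingerprint" feature the slide refers to.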

10. Data Center – Layers of Security

Cisco IT's ACI design: flexible design with automation in mind.

• Virtual Security Gateway (VSG) with Prime Network Service Controller (PNSC)
• Virtual ASA and ASA 5585
• VLAN / VRF segmentation
• For ACI, add APIC contracts and application profiles, enforced on the Nexus 9500
• Tetration Analytics 2.0 with end host enforcement

10.A DC Network: Tetration Analytics – NetFlow (x5) in the Data Center

For the application being analyzed, Tetration sees flows to other applications in the DC, flows within the Cisco network, and flows to/from the Internet.

10.A DC Network: Tetration Analytics provides whitelist policy recommendation

Application discovery whitelist policy recommendation (available in JSON, XML, and YAML):

    {
      "src_name": "App",
      "dst_name": "Web",
      "whitelist": [
        { "port": [0, 0],     "proto": 1, "action": "ALLOW" },
        { "port": [80, 80],   "proto": 6, "action": "ALLOW" },
        { "port": [443, 443], "proto": 6, "action": "ALLOW" }
      ]
    }

(proto 1 is ICMP, for which the port range is [0, 0]; proto 6 is TCP on ports 80 and 443.)

10.A Policies – Are they being followed? Tetration Analytics outcome – real example

• Sensors collect every DC flow
• Look for security policy violations
• Validate security compliance
• Identify "before" and "after" attack behaviors
• Identify potentially compromised hosts
• Create whitelist policies
• Run security policy simulations

(Example flow map on the slide: Security, Internet, DB proxy, non-prod DB, lab.)
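"Look for security policy violations" and "run security policy simulations" are the same computation: take the whitelist recommendation, take the observed flows, and list every flow the whitelist does not explain. The following is an added example written for this page, not Tetration's engine: it loads the recommendation in exactly the JSON shape shown on the slide, maps hosts to clusters, and reports the flows that no ALLOW rule covers. The cluster address ranges and the sample flows are constructed; in Tetration the cluster membership comes from application discovery.

```python
import ipaddress
import json

# The whitelist recommendation as shown on the slide, used here as the policy input.
POLICY_JSON = """
{ "src_name": "App", "dst_name": "Web", "whitelist": [
    { "port": [0, 0],     "proto": 1, "action": "ALLOW" },
    { "port": [80, 80],   "proto": 6, "action": "ALLOW" },
    { "port": [443, 443], "proto": 6, "action": "ALLOW" }
] }
"""

# Constructed cluster membership; Tetration derives this from application discovery.
CLUSTERS = {
    "App": [ipaddress.ip_network("10.10.1.0/24")],
    "Web": [ipaddress.ip_network("10.10.2.0/24")],
    "DB":  [ipaddress.ip_network("10.10.3.0/24")],
}


def load_policies(*policy_texts):
    """Flatten one or more recommendation documents into (src, dst, proto, lo, hi, action) rules."""
    rules = []
    for text in policy_texts:
        doc = json.loads(text)
        for entry in doc["whitelist"]:
            lo, hi = entry["port"]
            rules.append((doc["src_name"], doc["dst_name"], entry["proto"], lo, hi, entry["action"]))
    return rules


def cluster_of(ip, clusters=CLUSTERS):
    addr = ipaddress.ip_address(ip)
    for name, nets in clusters.items():
        if any(addr in n for n in nets):
            return name
    return "unknown"


def is_allowed(src, dst, proto, dport, rules, clusters=CLUSTERS):
    s, d = cluster_of(src, clusters), cluster_of(dst, clusters)
    return any(s == rs and d == rd and proto == rp and lo <= dport <= hi and action == "ALLOW"
               for rs, rd, rp, lo, hi, action in rules)


def check_flows(flows, rules, clusters=CLUSTERS):
    """Whitelist semantics: every observed flow not matched by an ALLOW rule is a violation.
    flows are (src_ip, dst_ip, proto, dst_port); ICMP flows carry port 0."""
    return [(src, dst, proto, dport, f"{cluster_of(src, clusters)}->{cluster_of(dst, clusters)}")
            for src, dst, proto, dport in flows
            if not is_allowed(src, dst, proto, dport, rules, clusters)]


# Constructed flow sample, as the sensors would report it.
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.2.9", 6, 443),   # App -> Web HTTPS: allowed
    ("10.10.1.5", "10.10.2.9", 1, 0),     # App -> Web ICMP: allowed
    ("10.10.1.5", "10.10.2.9", 6, 22),    # SSH App -> Web: not in the whitelist
    ("10.10.2.9", "10.10.1.5", 6, 80),    # reverse direction: not in the whitelist
    ("10.10.1.5", "10.10.3.2", 6, 3306),  # App -> DB: no recommendation covers it
]

if __name__ == "__main__":
    for violation in check_flows(SAMPLE_FLOWS, load_policies(POLICY_JSON)):
        print(violation)
```

Running the checker against historical flows before enforcing the recommendation is the "simulation" step: every line it prints is either a flow the application genuinely needs (add a rule) or the first evidence that something in the cluster is talking where it should not.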

10.B Securing the Application (picture credit: https://wiki.shibboleth.net)

• Host / endpoint vulnerability scan
• Scanning during agile dev/ops delivery
• IBM Security AppScan Enterprise: BAVA, DAVA tests

10.B Results: Reducing Application Vulnerabilities – Requirements vs. Enhancements

Reporting tiers: service owner score cards (pending), service executives' vulnerabilities and performance (trending), CIO unified services metrics (aging and trending).

Vulnerabilities declined 64%; on-time closure increased to 86%.

(Chart: Unified Security Metrics, vulnerability open % and SLA on-time closure %, Q1 FY12 through Q3 FY16; * = pre-USM reporting, Q1 FY12.)

Section 4: Conclusion

Successful attacks have to work multiple times (recap): reconnaissance on public sites, targeted email with a malicious attachment, user opens the exploit, privilege escalation, lateral movement and data acquisition, external transfer, monetization. We lose only if every step succeeds.

When you have to start somewhere ...

• Cisco Umbrella & Investigate
• Cisco Catalyst 3850 / 9300 Series switches
• Cisco 5500 series Adaptive Security Appliance (ASA)
• Cisco Sourcefire NextGen Intrusion Prevention System (FirePOWER 7125)
• Cisco UCS C240 and C220
• Cisco StealthWatch (Virtual Edition)
• Cisco S300V Web Security Appliance (WSA) (VM)
• Splunk
• Qualys & RedSeal

Section 5: Resources

For more information:

• Cisco Security: www.cisco.com/security
• Cisco Security advisories: http://tools.cisco.com/security/center/publicationListing.x
• Cisco SAFE architecture: www.cisco.com/go/safe
• Latest threat information: http://tools.cisco.com/security/center/navigation.x?i=118
• Cisco Security Community: https://communities.cisco.com/community/technology/security
• Cisco Security products: http://www.cisco.com/c/en/us/products/security/index.html
• Cisco Security services: http://www.cisco.com/c/en/us/products/security/service-listing.html
• Trustworthy Systems: http://www.cisco.com/web/solutions/trends/trustworthy_systems/index.html

More Online Resources

Cisco Security Portal:
• Security Advisory: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
• Event Response Page: http://www.cisco.com/web/about/security/intelligence/
• IntelliShield Alert: http://tools.cisco.com/security/center/
• Protecting IOS: http://www.cisco.com/web/about/security/intelligence/integrity-assurance.html

Blog posts including mitigation, detection and best practices:
• http://blogs.cisco.com/security/
• http://blog.talosintelligence.com/

Cisco Security and Services:
• http://www.cisco.com/go/security
• http://www.cisco.com/c/en/us/products/security/service-listing.html

Cisco Mid-Year 2017 Security Report

• Very interesting, 90 pages
• Download from http://www.cisco.com/c/en/us/products/security/annual_security_report.html (requires some user info), or just search on "Cisco Annual Security Report"


Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Continue Your Education

• Demos in the Cisco campus
• Walk-in self-paced labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you