Inside Cisco IT: Security Overview – How it Works Inside Cisco EVERY DAY
Rich Gore
Cisco IT Senior Manager
BRKCOC-4500
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How: cs.co/ciscolivebot#BRKCOC-4500
Agenda
• The Challenge of Security at Cisco
• What does a successful break-in look like?
• Behind the Scenes: Every Day Security
• Conclusion
• Resources
Cisco Trusted Enterprise: What We Must Protect
• 141K Workforce
• 94 Countries
• ~1.5M IP Addresses
• 217K Infra Devices
• 275K Total Hosts
• 2500+ IT Applications
• 28K Remote Office Connections via Cisco Virtual Office
• 13 major Internet connections
• ~47 TB bandwidth used daily
• 1350 Labs
• 220+ Acquisitions
• 300+ partner extranet connections
• 600+ Cloud ASPs: WebEx, Meraki, OpenDNS and a growing portfolio of cloud offers
IN ONE DAY: Security Challenge Inside Cisco
Scope: 75 K Employees; 498 Offices; 94 Countries; 141 K Connected Stakeholders; 217 K Connected User Devices; 1.5 M IP Addresses used in Cisco
In one day:
• 28 Billion Netflows analyzed (StealthWatch)
• 4.4 M Emails received (ESA); 2.5 Million Email transactions blocked (ESA)
• 2.0 Million Web transactions blocked (WSA)
• 47 TB Internet traffic inspected
• 1.2 Trillion SIEM events across the network
• 7.6 Billion DNS requests (Umbrella); 6.25 Million DNS requests blocked (Umbrella)
• 13.4 Million intrusion alerts (NG-IPS)
• 17K files analyzed (ThreatGrid/AMP)
• 22 Managed Incidents (CSIRT); 1000 Phish from CSIRT
• Data Analytics (4TB/day) & Security Services
Scope Agent Results: 1232 devices deployed for detection & prevention
175 InfoSec team members
Phish click rate down 4x over the 3-year Phishpond program
The Answer: Defense in Depth
Layers: DEVICES, NET, APPS, DATA
Proactive Controls:
• Device Management
• Visibility and Defense
• Network & Identity Access Control
• AMP for Network
• AMP for Endpoints
• Threat Intelligence
• Web and Email Protection
• Firewalls & Intrusion Protection
• InfoSec Monitoring
• Awareness & Training
Successful Attacks have to work multiple times
1. Reconnaissance: find users from public sites like Facebook / LinkedIn
2. Attacker sends targeted email with malicious attachment (or a bad website tricks the user into clicking a malware download)
3. "You Got Mail!!!" Naïve user opens the exploit that installs a malware backdoor
4. Attacker targets other servers / devices to escalate privileges – admin status
5. Lateral movement through servers – data acquired
6. Data transferred externally
7. Data monetized. We lose.
Successful Attacks: How well do they work?
• 60% of data is stolen in HOURS
• 85% of point-of-sale intrusions aren't discovered for WEEKS
• 54% of breaches remain undiscovered for MONTHS
• 51% increase in companies reporting a $10 million or more loss in the last 3 YEARS
"A community that hides in plain sight avoids detection and attacks swiftly." (Cisco Annual Security Report)
How Well do they work at Cisco? Detection Results
Capability: Quarantine a device, blocking access to part of, or the entire, network, and enable remediation with the help of IT Support and/or user self-help.
Business Value:
• Ability to follow devices with active malware and block network access
• Lower operational costs and faster response times to contain and remediate
• Prevent data leakage
Complexity:
• Designing rules for differentiated network access
• What CAN a user access when quarantined?
Time to Detect + Time to Contain = Exposure Window
Demonstrating Security Value inside Cisco: Executive Communication
1-6: A Day In the Life at Cisco – for employees
(Diagram: Data Center, WAN, Cloud Resources, Unknown Email Source, Internet)
7-10: A Day in the Life at Cisco – for Infosec
(Diagram: Data Center, WAN, Cloud Resources, Unknown Email Source, Internet)
1. Behind the Scenes: Employee at Work
Employee commutes to Cisco site, badges in, logs into their Cisco managed laptop, gets authenticated, and connects to Wired or Wireless LAN.
(Diagram components: Badge Reader; IP Camera; End User Devices meeting the Trusted Device Standard, with AMP for Endpoints and Device MDM on the laptop; Cisco Access Switch and Wireless Access Point with 802.1x; Cisco ISE, Trustsec; Cisco ACS (Radius); Cisco Intranet Resource Access; Internet Access. Callouts A–D are covered in 1.A–1.D below.)
1.A Security – Badge Reader Data Flow
Sources feeding the SSOT Master (HR, Space Management, Directory, Workplace Resources): HR Data Entry Portal; Special Absence Database; Contingent Worker Database; Employee Connection or Collaboration Tools (On Demand)
Regional Badging Offices: Region1, Region2, Region3, Region4 (sites shown: SJC, RTP, AMS, BGL)
Automated Processes: New Hire Process; Cardholder Data Changes; Termination; Badge Extension and Deactivation; Leave of Absence Changes; Employment Category Changes; Default Access Level Assignment; Image Transfer Downstream; Contractor and Vendor Changes
Advanced Data Analysis: Intelligent Data Comparison; Transaction Processing Threshold; Termination Threshold; Email Summary and Notification
Cisco – SIZE: Card Readers 10,220; Employee Badges (Active) 70,016; Contractor Badges (Active) 38,150; Access Levels 5,515
1.B – Security Cameras – Monitoring and Response: 8,424 IP Security Cameras at Cisco
Situational Awareness Information sources: IP and Analog Cameras; Telepresence and Spark; Radios, Mobile Phones, IP Phones; Access Control; Notification Systems; IPICS Dispatch Console; Cisco IT Infrastructure (WAN, DC); Third-Party Sensors
Policy Engine → SFOC Analyst Desktop: Situation Detection, Situation Response, Situation Monitoring (Alarm, Events, Video Monitoring)
1.B Video Analytics: Comparing Employee Picture to a Video Camera Output
1.A,B SFOC – Security & Facilities Operations Centers: RTP, San Jose, Shanghai, Bangalore, London
1.C Securing the Device: Trusted Laptop Standard
• Device to user attribution
• Full Content Encryption
• Complex password
• 10 Minute Auto Lock
• Anti-malware – AMP 4 E, AV/HIPS
• Updated OS version
• Updated software versions
• Hardware/Software Inventory
1.D AD: Authentication/Authorization Basic Flow
User/Endpoint → Network Access Device (US) → AAA RADIUS Server (server list: 1. MTV-VIP, 2. ALN-VIP, 3. RTP-VIP) → ISE Policy Nodes (PSNs behind MTV-VIPs, ALN-VIPs, RTP-VIPs) → AD Domain Controllers (AD-DC-MTV, AD-DC-ALN, AD-DC-RTP)
1.D Single Global ISE Deployment (WLAN, CVO, LAN, VPN)
• Sites: AER, RTP, ALN, SNG, TYO, HKG, BGL, MTV
• Primary ISE PAN/M&T, Secondary ISE PAN/M&T, ISE PSNs
• 24 ISE Nodes: 20 PSNs; 8 DC (Node Groups)
• 1.5 Million active profiled "Endpoints"
• Max ~450K Concurrent "Endpoints"
1.D ISE Across Networks
Identity Services Engine integrates with: Wireless Devices; Wired Network Devices; Home Access (CVO); AnyConnect VPN; Umbrella; AMP for Endpoints; WSA; ESA; AMP for Network; Adaptive Security Appliance; Device Management; StealthWatch; AMP Threat-Grid; FireSight; Cisco Core Network
2. Behind the Scenes: Browsing the Web
Employee opens CEC browser, logs into internal applications or external web sites to get information, download a file, and do work.
(Diagram components: Laptop with AMP for Endpoints → Wireless Access Point / Cisco Access Switch (802.1x) → Cisco ISE → Internal Resources on the Intranet, or → DMZ Distribution Layer Firewall, NGIPS and WSA → Internet (Umbrella) → Cloud Resources / Unknown Web Site. The AMP Management Console, ThreatGrid and all other AMP devices share file dispositions. Callouts A–E are covered in 2.A–2.E below.)
2.A Passwords – Multifactor Auth
Multifactor / Cloud Authentication: static passwords are the #1 target for theft, as they can be used to bypass security controls.
Mitigations:
1. "Swipe Instead Of Type": end-user multifactor application for Trusted Devices
2. One Time Passwords (OTP) as catch-all
3. Multi Factor Authentication designs for static password resets
2.B Umbrella Network Deployment (April 2016)
Enforcement layers: DNS, BGP, ASN, IP, DOMAIN
Additional network security/visibility: StealthWatch, WSA (+ESA), FIREPOWER
• Solution is easy to deploy and roll back: preserves the existing solution and adds the security offered by OpenDNS as an overlay
• Lightweight implementation with no changes to the network, DHCP scopes or statically defined end clients
• Planning and change management for 90 days; 30 minutes to implement
• Acquisition process updated to include 0-day rollout of Umbrella, providing immediate security and visibility with no hardware requirements
2.B: Umbrella Deployment Results at Cisco
• 166k malware events blocked in the first 24 hours, reducing WSA load:
  • 62% fewer "bad web reputation" blocks
  • 96% fewer "bad URL category" blocks
  • 82% fewer "malware" related blocks
(Diagram: Umbrella blocking malware, botnets/C2 and phishing at the DNS layer for HQ, branch and mobile users, alongside Lancope/StealthWatch, WSA (+ESA), Firepower, AMP, Meraki and ASA.)
2.C Web Security Appliance (80 Deployed)
Malware Blocked in One Day:
• 441K – Trojan Horse
• 61K – Other Malware
• 29K – Encrypted Files (monitored)
• 16.4K – Adware Messages
• 1K – Trojan Downloaders
• 55 – Phishing URLs
• 22 – Commercial System Monitors
• 5 – Worms
• 3 – Dialers
Cisco Web Traffic Stats:
• 330-360M web visits/day
• 6-7M (2%) blocked (now 2M)
WSA Blocked Transactions:
• 93.5% – Web Reputation (now 98.9%)
• 4.5% – URL Category (now 0.5%)
• 2% – Anti-Malware (now 1.1%)
2.D Cisco AMP Threat Grid: Automatically submit suspicious files – 17,000 per day
Automated analysis, from edge to endpoint
• Submission: an analyst or a system (API) submits a suspicious sample to Threat Grid
• Submitting sources, from edge to endpoint: ASA w/FPS, ESA, Next Gen IPS, WSA, AMP for Endpoints, AMP for Networks
• 14 appliances; avg. 7 min / analysis
2.D: Threat Grid Output – Prioritized
• 450+ behavioral indicators (and growing): malware families, malicious behaviors, and more; detailed description and actionable information
• Prioritize threats with confidence: enhance SOC analyst and IR knowledge and effectiveness (and security product)
• Easy-to-understand Threat Scores guide decision making
2.D: Advanced Malware Protection: Integrated Threat Defense
• FireSIGHT Management Center
• NG-IPS 83xx and VM series deployed, passive and inline capabilities, 25K+ quarterly alerts
• 80 WSAs / 30 ESA deployed; 1% of all WSA transactions blocked; 3K+ email files blocked by AMP monthly
• 14 TG appliances deployed: on-prem sandboxing, 10K+ files analyzed every 24 hrs (Analytics Engine, Machine Learning Engine)
• 30K+ agents deployed
• 13 iPOPs globally, cloud-enabled AMP; eight global appliances deployed (UCS C220 M4)
Deployment progress completion**:
• AMP for Endpoints: 30%** deployment in progress
• AMP for Networks: 50%** ISR, NGIPS; FP9300s beginning
• Threat Grid/AMP: 100%**
• AMP for Web and Email: 100%**
2.E Cloud Services Security
Number of cloud providers: 140 (2011), 182 (2012), 237 (2013), 308 (2014), 400 (2015); CAGR = 30%
Product as a Service:
• ERP
• Meeting Place (On-Prem)
• Documentation (In-House)
• Team Collaboration: IWE (WebEx Social)
• Call Manager (On-Prem) → Spark Call in the cloud
2.E CASPR – Cloud & Application Service Provider Remediation
Assessment domains: Privacy and Data Security; Application Security; Infrastructure Security; Authentication and Authorization; Vulnerability Management; Logging and Auditability; Support and Operations; Incident Analysis and Response; Business Continuity
CASPR Models by data classification: Public; Confidential; Highly Confidential; Restricted
3. Behind the Scenes: Getting EMail
Employee downloads email, reads and responds, and perhaps also clicks on a hyperlink or opens an attachment.
(Diagram components: Laptop with AMP for Endpoints → Wireless Access Point / Cisco Access Switch (802.1x) → Cisco ISE → MS Exchange (email) on the Intranet; inbound mail from an Unknown Email Source or Cloud Resources on the Internet passes the DMZ Distribution Layer Firewall, NGIPS and ESA. The AMP Management Console, ThreatGrid and all other AMP devices share file dispositions. Callouts A–C are covered in 3.A–3.C below.)
3.A Email Security Appliance – Cisco IT (30 Deployed): 2.8 M Emails blocked each day

ESA Blocked Emails     | Emails* / mo | Emails / day | Emails / employee / day | %
By reputation          | 81 M         | 2.65 M       | 35.4                    | 93.6 %
By spam content        | 4.89 M       | 161 K        | 2.2                     | 5.8 %
By invalid recipients  | 573 K        | 18.7 K       | 0.25                    | 0.7 %
Virus payload          | 5.3 K        | 179          | 0.002                   | 0.01 %

Emails delivered             | Emails / mo | Emails / day | Emails / employee / day | %
Attempted                    | 134 M       | 4.4 M        | 59                      |
Blocked                      | 86 M        | 2.8 M        | 38                      | 63.2 %
Delivered                    | 39 M        | 1.3 M        | 17                      | 29.7 %
Delivered, marked "Marketing"| 9 M         | 306 K        | 4                       | 7.2 %
3.B: AMP for Endpoints – Next-Gen Endpoint Security
Being deployed across all laptops and some smartphones.
• AMP for Endpoints blocks malicious files at initial inspection and uses a sandbox to inspect unknown files
• AMP for Endpoints continuously analyzes all file activity to detect malicious behavior and retrospectively alert
• AMP for Endpoints shows the full history of compromise, and provides outbreak control and quarantine capabilities
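The second and third bullets describe retrospective detection: a file that was allowed at first sight is later judged malicious, and every host that already saw it must be alerted on and scoped for quarantine. The block below is an added illustration of that mechanic, written for this page and not AMP's own code; the sightings, host names and shortened hashes are constructed sample data.

```python
from collections import defaultdict

# Constructed file-sighting events: (timestamp, host, sha256, path). The
# hashes are shortened placeholders, not real indicators.
SIGHTINGS = [
    ("2018-01-10T09:00:00Z", "lap-01", "aaa111", r"C:\Users\u1\Downloads\invoice.exe"),
    ("2018-01-10T09:05:00Z", "lap-02", "aaa111", r"C:\Users\u2\Downloads\invoice.exe"),
    ("2018-01-10T09:07:00Z", "lap-01", "bbb222", r"C:\Windows\System32\notepad.exe"),
    ("2018-01-11T14:30:00Z", "lap-03", "aaa111", r"C:\Temp\setup.exe"),
    ("2018-01-11T14:31:00Z", "lap-01", "aaa111", r"C:\Temp\setup.exe"),
]


class RetrospectiveDetector:
    """Records every (hash, host) sighting so that a later change of
    disposition, e.g. a sandbox verdict that arrives after the file already
    ran, can be turned into alerts for the hosts that were exposed."""

    def __init__(self):
        self.disposition = {}                 # sha256 -> "clean" | "malicious"
        self.trajectory = defaultdict(list)   # sha256 -> [(ts, host, path)]

    def observe(self, ts, host, sha256, path):
        """Point-in-time decision: block only if already known malicious;
        record the sighting either way."""
        self.trajectory[sha256].append((ts, host, path))
        return "BLOCK" if self.disposition.get(sha256) == "malicious" else "ALLOW"

    def update_disposition(self, sha256, verdict):
        """Apply a new verdict. A change to 'malicious' yields one
        retrospective alert per host that has already seen the file."""
        previous = self.disposition.get(sha256)
        self.disposition[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return []
        first_seen = {}
        for ts, host, path in self.trajectory.get(sha256, []):
            first_seen.setdefault(host, (ts, path))
        return [{"host": h, "sha256": sha256, "first_seen": ts, "path": p}
                for h, (ts, p) in sorted(first_seen.items())]

    def outbreak_scope(self, sha256):
        """Hosts to quarantine or sweep for a given hash."""
        return sorted({host for _, host, _ in self.trajectory.get(sha256, [])})


def replay(sightings, verdict_updates):
    """Feed sightings in order, then apply the (sha256, verdict) updates.
    Returns the detector, the point-in-time verdicts and all retro alerts."""
    det = RetrospectiveDetector()
    verdicts = [det.observe(*s) for s in sightings]
    alerts = []
    for sha256, verdict in verdict_updates:
        alerts.extend(det.update_disposition(sha256, verdict))
    return det, verdicts, alerts
```

The point of keeping the trajectory is that the first-sight verdict is allowed to be wrong: the later alert carries where and when each host first ran the file, which is exactly the "history of compromise" the third bullet refers to.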
3.C: Securing the User: Phishing
3.C: Security education campaign – Phishing
• Phishing is the #1 source of endpoint compromise
• Different levels of sophistication and difficulty each quarter
• Remember: it only takes one phish to compromise YOU
Quarterly campaign click rates: Q1 "New Doctor" 13%; Q2 "Background Check" 19%; Q3 "Account Closing" 10%; Q4 "Plan Recruitment" 5%
3.C: Phishing Education – Results
• Reduce likelihood of data loss or breach – it only takes one click
• Generate buzz and educate users
• Leverage a third-party provider for the full solution: deliver and measure each phishing campaign per user
• Enterprise program consists of:
  o Fully operational process (targets over 138K users per phish)
  o Central Phishpond site, multiple awareness channels
  o Partnership with support organizations
  o Guidelines for sending legitimate e-mails
  o Feedback to improve Cisco e-mail security products
By the Numbers:
• Over 750K phish sent since program inception
• Reduced corporate click rate from 30% to 5-10%
• Habitual clickers: re-test click rate dropped from 12% to 1%
4: Behind the Scenes: Working From Home Office
Secure Mobile Employee Off-Prem (Home Office), accessing On-Prem and Off-Prem Services.
(Diagram components: HOME OFFICE with Laptop running AMP for Endpoints, Video Devices and a Cisco Virtual Office (CVO) Router → Internet (Umbrella) → VPN → Cisco ASR VPN Hub Router, CAS Router (CA Certs), Cisco Security Manager, DMZ Distribution Layer with NGIPS, Cisco ISE MDM → DC / Intranet. Callouts A–B.)
4.B: CVO Spoke Provisioning
• CVO router is shipped to the employee with a base configuration (simple NAT config, DHCP client pool); the employee plugs it into the home network
• Registration over port 443 to https://cvo-setup.cisco.com (user enters credentials), validated against Active Directory
• Registration server sends the base configuration for IPSec to the SMG; on "Client OK" the full configuration is sent (SDG, CSM and EMAN form the Device and Service Management System)
• Spoke presents its certificate to the hub; the hub extracts the CN and forwards it to AAA (ISE); data tunnel established
• Emergency Termination script* kills the NHRP and DMVPN tunnel to the spoke (*contains username and associated CVO hostname)
5. Behind the Scenes: Mobile (on Laptop)
Secure Mobile Employee Off-Prem (mobile laptop), accessing On-Prem and Off-Prem Services.
(Diagram components: Laptop (Windows) with AnyConnect Client and AMP for Endpoints → any public wireless access point → Internet (Umbrella) → VPN with 2-factor auth → Cisco ASA VPN Hub Firewall, CAS Router (CA Certs), DMZ Distribution Layer with NGIPS, Cisco ISE MDM → Intranet. Callouts A–B.)
5.A: Secure VPN Connectivity with AnyConnect
AnyConnect:
• Installed on all Cisco owned client devices
• Root Certificate installed on client
• General Profile installed when clients connect to the ASA
ASA-5585 VPN cluster gateways:
• Profiling script running: screensaver? OS version? virus scan version? user profile
• Users have a choice of regional clusters to connect to
• Cluster sizes from 2-10 ASAs depending on regional headcount
• Round-Robin VPN load balancing
• Access lists configured on group-policy for specific users: Extranet…
ISE:
• Posture assessment
• Authentication
5.B Umbrella Endpoint Deployment (April 2017)
• AnyConnect module bootstrap: 78k clients in one week, 100k clients in 2 weeks, 3 cases generated
• First week of the roaming client deployment: 431k additional blocks across 12.2k unique hosts (10% of fleet)
• Top 100 users generated 70% of roaming client blocks
• Covers all ports and protocols, not just web or email
• Audit trail of DNS queries from devices when not connected to Cisco
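Sections 2.B and 5.B describe DNS-layer enforcement: a query for a blocked domain (or any of its subdomains) is refused before a connection on any port is ever made, the roaming client keeps an audit trail of what off-network devices asked for, and a small number of hosts account for most blocks. The block below, an added example and not Umbrella's code, applies a blocklist to constructed DNS query logs with label-aligned suffix matching and computes the per-host audit and the block concentration. The log format and blocklist are invented for the example.

```python
from collections import Counter, defaultdict

# Constructed sample log lines: timestamp, host, query name, query type.
# This is an illustrative layout, not Umbrella's real log schema.
SAMPLE_LOG = """\
2017-04-03T08:01:02Z host-a www.cisco.com A
2017-04-03T08:01:05Z host-a cdn.example.net A
2017-04-03T08:02:11Z host-b login.example-phish.test A
2017-04-03T08:02:12Z host-b c2.badactor.test A
2017-04-03T08:02:13Z host-b beacon.c2.badactor.test A
2017-04-03T08:03:40Z host-c www.example.org AAAA
2017-04-03T08:04:00Z host-c api.badactor.test A
2017-04-03T08:04:30Z host-d badactor.test.example.org A
"""

# Constructed blocklist. An entry covers the domain and every subdomain of it,
# which is how a DNS-layer resolver enforces a block regardless of port.
BLOCKLIST = {"badactor.test", "example-phish.test"}


def parse_log(text):
    """Yield (timestamp, host, qname, qtype) with the name normalised."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, qname, qtype = line.split()
        yield ts, host, qname.rstrip(".").lower(), qtype


def blocked_by(qname, blocklist):
    """Return the blocklist entry covering qname, walking up its labels so that
    'beacon.c2.badactor.test' matches 'badactor.test' while
    'badactor.test.example.org' does not (the suffix must be label-aligned).
    A bare TLD is never tried, so a single-label entry cannot block the world."""
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def analyze(text, blocklist, top_n=1):
    """Per-host audit trail and block counts, plus the share of all blocks
    caused by the top_n hosts (the concentration the roaming data showed)."""
    blocks = Counter()
    audit = defaultdict(list)
    for ts, host, qname, qtype in parse_log(text):
        hit = blocked_by(qname, blocklist)
        verdict = "BLOCK" if hit else "ALLOW"
        audit[host].append((ts, qname, verdict))
        if hit:
            blocks[host] += 1
    total = sum(blocks.values())
    top_share = sum(n for _, n in blocks.most_common(top_n)) / total if total else 0.0
    return {"blocks": dict(blocks), "top_share": top_share, "audit": dict(audit)}
```

The label-aligned walk is the check that matters in practice: a naive `endswith("badactor.test")` would also match `notbadactor.test`, and a naive substring test would block the legitimate `badactor.test.example.org` seen from host-d.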
6. Behind the Scenes: Mobile (on Smartphone)
Secure Mobile Employee Off-Prem (mobile smartphone), accessing On-Prem and Off-Prem Services.
(Diagram components: Smartphone (Android) with AnyConnect Client and AMP for Endpoints → any public wireless access point → Internet (Umbrella) → VPN with 2-factor auth → Cisco ASA VPN Hub Firewall, CAS Router (CA Certs), DMZ Distribution Layer with NGIPS, Cisco ISE MDM → Intranet. Callouts A–E.)
6.A: Employee Mobility is More Than Just BYOD
Scaled Architecture:
• Any Trusted Device
• Industry Standard Platforms
• Cisco AnyConnect and Device Mgmt.
• Pervasive Wireless and ISE
Security:
• BYOD-only Smartphones and Tablets
• Corporate Laptops
• Optional Corporate Mobile Service
• Strong Policy and Rules of Use
Spend Management:
• Service Provider Relationships
• Pro-active cost optimization strategies
• Industry-first pricing models
Robust App Lifecycle:
• User-Driven Progression
• Collaboration Apps
• Enterprise and LOB Selection
• Cisco eStore
Social Support:
• Proactive Communications
• Self-Service Content
• One to Many Interactive Support
• Traditional One to One
6.B: Cisco IT Mobile Device Landscape: 68,607 Mobile Devices (BYOD) (chart breakdown: 11,056; 41,113; 15,587; 380; 471)
6.B: Mobile Device Standard
• Device to user attribution
• Encryption
• 6 character PIN / password
• Jailbreak / Rooted Detection
• 10 Minute Auto Lock
• Anti-malware
• Minimum OS Version
• Remote Wipe
• Hardware/Software Inventory
6.B: "Secured" vs "Trusted" Devices at Cisco
Controls shown: 6 Digit PIN, 10 Minute Timeout, Remote Wipe, Management, Encryption. "Secured" devices are admitted at the Network Edge; "Trusted" devices reach the Core Network.
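The Trusted Laptop Standard (1.C), the AnyConnect profiling questions (5.A), the Mobile Device Standard and the Secured-vs-Trusted split above are all one posture decision: check the device against a list of controls and grant core, edge or quarantine access accordingly. The block below is an added example of that evaluation, written for this page rather than taken from ISE or Cisco IT. The deck does not say which control belongs to which tier or what the minimum OS versions are, so the tiering and the `MIN_OS` table are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder minimums: the deck only says "Updated OS version" / "Minimum OS
# Version" without numbers.
MIN_OS = {"windows": (10, 0), "macos": (10, 13), "ios": (11, 0), "android": (8, 0)}


@dataclass
class Device:
    kind: str                       # "laptop" or "mobile"
    os: str
    os_version: Tuple[int, ...]
    owner: Optional[str]            # device-to-user attribution
    encrypted: bool                 # full content encryption
    autolock_minutes: Optional[int]
    passcode_length: int
    passcode_complex: bool          # laptops: complex password required
    anti_malware: bool              # AMP for Endpoints / AV-HIPS present
    remote_wipe: bool = False
    jailbroken: bool = False
    managed: bool = False           # enrolled in MDM / device management
    inventoried: bool = False       # hardware/software inventory reported


def posture(d: Device) -> Tuple[str, List[str]]:
    """Grade a device as 'trusted', 'secured' or 'untrusted'.

    Assumed tiering: 'secured' = encryption, 10-minute auto-lock, PIN or
    complex password, remote wipe (mobile) and no jailbreak; 'trusted' adds
    attribution, management, anti-malware, current OS and inventory."""
    secured, trusted = [], []
    if not d.encrypted:
        secured.append("no full content encryption")
    if d.autolock_minutes is None or d.autolock_minutes > 10:
        secured.append("auto-lock longer than 10 minutes")
    if d.kind == "laptop":
        if not d.passcode_complex:
            secured.append("password not complex")
    else:
        if d.passcode_length < 6:
            secured.append("PIN shorter than 6 characters")
        if not d.remote_wipe:
            secured.append("remote wipe not enabled")
    if d.jailbroken:
        secured.append("jailbroken / rooted")
    if not d.owner:
        trusted.append("no device-to-user attribution")
    if not d.managed:
        trusted.append("not enrolled in device management")
    if not d.anti_malware:
        trusted.append("no anti-malware agent")
    if d.os_version < MIN_OS.get(d.os.lower(), (0,)):
        trusted.append("OS below minimum version")
    if not d.inventoried:
        trusted.append("not in hardware/software inventory")
    if secured:
        return "untrusted", secured + trusted
    if trusted:
        return "secured", trusted
    return "trusted", []


def network_access(level: str) -> str:
    """Map the posture level to the access the NAC would grant: trusted
    devices reach the core network, secured devices stop at the network
    edge, anything else is quarantined for remediation (section 12)."""
    return {"trusted": "core", "secured": "edge"}.get(level, "quarantine")
```

Returning the list of failed controls, not just the verdict, is what makes the quarantine usable: it is the remediation list the user or IT Support works through, and the reason a device dropped a tier is auditable later.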
7. Network: Data Center to Internet
(Diagram: Data Center with E-Commerce Front-end and Back-end behind an App FW and the DC GW; Corp Net and WAN behind the Corp FW; DMZ GW out to the Internet, Cloud Resources and any Unknown Email Source. Security services in the path: ISE, WSA, ESA, Umbrella, AMP for Endpoint, AMP for Networks, ThreatGrid.)
8. Network Data Inspection: Stealthwatch
(Diagram: NetFlow from the ASRs and Nexus 3K (N3K) switches at the DC GW, Corp FW and DMZ GW feeds Stealthwatch and Cognitive Threat Analytics (CTA); findings go to CSIRT – Security Incident Response.)
8: Netflow and Stealthwatch
8. Incident Detection: NetFlow
Collect at chokepoints for egress detection
• NetFlow exported at network choke points: the ISP Gateways (Internet) and DC Gateways (Data Center) on the Corporate Backbone, into the NetFlow Collector
• 180 exporting devices at DMZ and DC gateways
• Reviewing 325,000 flows / second, 28 billion flows / day
NetFlow Retention: SJC 4-18 months; RCDN 10 months; RTP 4 months; LON 26 months; BGL 5-9 months
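Collecting at the chokepoints is aimed at egress detection: the interesting question is how much an internal host sent out of the enterprise, to whom, and whether that is far outside its norm. The block below is an added example of that aggregation over constructed NetFlow-style records, written for this page and not Stealthwatch's logic; the address ranges, byte counts, baseline table and thresholds are all invented for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed NetFlow v5-style records as a DMZ gateway would export them:
# (start, src, dst, dst_port, ip_proto, bytes). Addresses are RFC 1918 and
# TEST-NET ranges.
FLOWS = [
    ("2018-02-01T02:00:00Z", "10.1.1.5", "203.0.113.10", 443, 6, 52_000_000),
    ("2018-02-01T02:10:00Z", "10.1.1.5", "203.0.113.10", 443, 6, 61_000_000),
    ("2018-02-01T02:20:00Z", "10.1.1.5", "203.0.113.11", 22, 6, 30_000_000),
    ("2018-02-01T02:05:00Z", "10.1.2.7", "203.0.113.50", 443, 6, 1_200_000),
    ("2018-02-01T02:06:00Z", "10.1.2.7", "10.1.9.9", 445, 6, 900_000_000),  # internal, not egress
    ("2018-02-01T02:30:00Z", "10.1.3.9", "198.51.100.3", 53, 17, 40_000),
]

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def egress_summary(flows):
    """Bytes sent from internal hosts to external destinations, per internal
    source and per (source, destination) pair. Internal-to-internal flows are
    skipped: the chokepoint export is about what leaves the enterprise."""
    per_src = defaultdict(int)
    per_pair = defaultdict(int)
    for _, src, dst, _, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            per_src[src] += nbytes
            per_pair[(src, dst)] += nbytes
    return per_src, per_pair


def exfil_candidates(flows, baseline_bytes, factor=10.0, floor=50_000_000):
    """Flag internal hosts whose external egress is above an absolute floor
    and more than `factor` times their baseline. baseline_bytes maps a source
    to its typical egress for the same period; hosts without a baseline are
    judged against the floor alone. Results are sorted by bytes, descending."""
    per_src, per_pair = egress_summary(flows)
    findings = []
    for src, total in per_src.items():
        base = baseline_bytes.get(src)
        if total >= floor and (base is None or total > factor * base):
            dests = sorted(((d, b) for (s, d), b in per_pair.items() if s == src),
                           key=lambda x: -x[1])
            findings.append({"src": src, "bytes": total, "baseline": base, "top_dests": dests})
    return sorted(findings, key=lambda f: -f["bytes"])
```

The absolute floor keeps a quiet host that sends ten times its usual few kilobytes from paging an analyst, while the ratio keeps a busy host that always pushes backups off-site from being flagged for doing so again; the per-destination breakdown is what the analyst pivots on next.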
9. Network Inspection: In Progress – Encrypted Traffic Analytics (ETA)
(Diagram: as in section 8, with Cat 9K switches feeding Encrypted Traffic telemetry from the ASRs and N3Ks into Stealthwatch and CTA, and findings going to CSIRT – Security Incident Response.)
Encrypted Traffic Analytics (ETA) – Cisco research
• Start from known malware traffic and known benign traffic
• Extract observable features in the data
• Employ machine learning techniques to build detectors
• Result: known malware sessions detected in encrypted traffic with 99% accuracy
"Identifying encrypted malware traffic with contextual flow data", AISec '16 | Blake Anderson, David McGrew (Cisco Fellow)
How can we inspect encrypted traffic?
• Initial Data Packet: make the most of the unencrypted fields (the handshake fields sent in the clear)
• Sequence of Packet Lengths and Times (SPLT): identify the content type through the size and timing of packets
• Threat Intelligence Map: broad behavioral information about the servers on the Internet, the who's who of the Internet's dark side
Signals visible without decryption: self-signed certificate, data exfiltration, C2 message
ETA studied Internet encrypted data features (Cisco research): TCP/IP, DNS, TLS, SPLT
• Benign traffic (e.g. a Google search): prevalent address such as cisco.com, typical fingerprint, typical cert
• Malware traffic (e.g. Bestafera; domains such as c15c0.com, afb32d75.com): watchlist address, unusual fingerprint, unusual cert, self-signed certificate, data exfiltration, C2 message
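Two of the ETA features above can be shown concretely without any decryption: the cleartext fields of the Initial Data Packet (the TLS ClientHello) and the SPLT Markov matrix over packet-length bins that Anderson and McGrew built their detectors on. The block below is an added example written for this page, not Cisco's ETA implementation or the paper's code: it constructs a minimal ClientHello, parses the version, cipher suites, extensions and SNI back out, derives a fingerprint, flags what an "unusual fingerprint" might look like, and builds the SPLT transition matrix. The cipher-suite numbers are IANA values; which suites count as weak, and the 150-byte bin size, are choices made for the example.

```python
import struct

# IANA cipher suite values. Treating these as "weak" (NULL, RC4, 3DES) is an
# illustrative choice for this example, not ETA's classifier.
WEAK_SUITES = {0x0000, 0x0004, 0x0005, 0x000A}


def build_client_hello(sni, cipher_suites, extra_ext_types=()):
    """Construct a minimal TLS 1.2 ClientHello record for the sample
    (zeroed random, empty session id, null compression, empty extra exts)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += b"\x01\x00"
    name = sni.encode()
    sni_data = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack(">HH", 0, len(sni_data)) + sni_data
    for etype in extra_ext_types:
        exts += struct.pack(">HH", etype, 0)
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(data):
    """Pull the cleartext fields from the Initial Data Packet: client
    version, offered cipher suites, extension types and the SNI."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                  # record header (5) + handshake header (4)
    version = data[pos:pos + 2].hex()
    pos += 2 + 32                            # version + client random
    pos += 1 + data[pos]                     # session id
    cs_len = struct.unpack(">H", data[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", data[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + data[pos]                     # compression methods
    ext_types, sni = [], None
    if pos + 2 <= len(data):
        end = pos + 2 + struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", data[pos:pos + 4])
            pos += 4
            edata = data[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == 0:                   # server_name: list len(2), type(1), name len(2), name
                name_len = struct.unpack(">H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode()
    return {"version": version, "cipher_suites": suites, "extensions": ext_types, "sni": sni}


def assess(hello):
    """Derive a client fingerprint and flag what would count as unusual."""
    reasons = []
    weak = [hex(s) for s in hello["cipher_suites"] if s in WEAK_SUITES]
    if weak:
        reasons.append("offers weak/legacy suites " + ",".join(weak))
    if hello["sni"] is None:
        reasons.append("no SNI")
    if hello["version"] < "0303":
        reasons.append("pre-TLS 1.2 client version")
    fingerprint = "{}|{}|{}".format(hello["version"],
                                    "-".join(str(s) for s in hello["cipher_suites"]),
                                    "-".join(str(e) for e in hello["extensions"]))
    return {"fingerprint": fingerprint, "unusual": bool(reasons), "reasons": reasons}


def splt_matrix(packets, bin_size=150, nbins=10, max_packets=50):
    """SPLT feature: row-normalised Markov transition matrix over packet-length
    bins for the first packets of a flow (lengths capped at the last bin).
    packets is a list of (length, direction); direction and timing are left
    out here, the paper bins inter-arrival times the same way."""
    matrix = [[0.0] * nbins for _ in range(nbins)]
    bins = [min(length // bin_size, nbins - 1) for length, _ in packets[:max_packets]]
    for a, b in zip(bins, bins[1:]):
        matrix[a][b] += 1
    for row in matrix:
        total = sum(row)
        if total:
            row[:] = [v / total for v in row]
    return matrix
```

Neither function needs the session key: the fingerprint comes from bytes every middlebox can see, and the SPLT matrix is the shape of the conversation, which is why a beaconing C2 session and a browser fetching a page look different to the detector even though both are TLS.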
10. Data Center – Layers of Security
Cisco IT's ACI Design: Flexible Design with Automation in Mind
• Virtual Security Gateway (VSG) with Prime Network Service Controller (PNSC)
• Virtual ASA
• ASA 5585
• vLAN and VRF segmentation
• For ACI, add APIC Contracts and Application Profiles, with Nexus 9500 enforcement
• Tetration Analytics 2.0
• End Host Enforcement
10.A – DC Network: Tetration Analytics: Netflow (x 5) in the Data Center
For the application being analyzed, Tetration sees its flows to other applications (in the DC), its flows within the Cisco Network, and its flows to/from the Internet.
10.A – DC Network: Tetration Analytics provides Whitelist Policy Recommendation
Application Discovery Whitelist Policy Recommendation (available in JSON, XML, and YAML):
{
  "src_name": "App",
  "dst_name": "Web",
  "whitelist": [
    { "port": [0, 0],     "proto": 1, "action": "ALLOW" },
    { "port": [80, 80],   "proto": 6, "action": "ALLOW" },
    { "port": [443, 443], "proto": 6, "action": "ALLOW" }
  ]
}
10.A Policies – Are they being followed?
Tetration Analytics outcome – real example
• Sensors collect every DC flow
• Look for security policy violations
• Validate security compliance
• Identify "before" and "after" attack behaviors
• Identify potentially compromised hosts
• Create Whitelist policies
• Run security policy simulations
(Diagram: Security, Internet, DB Proxy, Non-Prod DB, Lab)
Picture credit: https://wiki.shibboleth.net
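The whitelist recommendation shown in 10.A and the "are policies followed?" outcome are two halves of one loop: the recommended policy is the allow-list, observed flows are checked against it, and a proposed change is simulated before it is enforced. The block below is an added example of that loop, written for this page and not Tetration's code: it loads the App → Web policy exactly as printed on the slide, evaluates constructed flows against it, and simulates adding a rule. That a port range of [0, 0] means "no/any port" (as the ICMP entry uses it) is my reading of the slide.

```python
import copy
import json

# Whitelist policy recommendation as shown on the slide (App -> Web).
POLICY_JSON = """
{ "src_name": "App", "dst_name": "Web", "whitelist": [
  { "port": [0, 0],     "proto": 1, "action": "ALLOW" },
  { "port": [80, 80],   "proto": 6, "action": "ALLOW" },
  { "port": [443, 443], "proto": 6, "action": "ALLOW" }
]}
"""

# Constructed sensor flows: (src_cluster, dst_cluster, ip_proto, dst_port).
# ICMP has no port and is recorded as 0.
OBSERVED = [
    ("App", "Web", 6, 443),
    ("App", "Web", 6, 80),
    ("App", "Web", 1, 0),
    ("App", "Web", 6, 22),      # SSH App -> Web: not whitelisted
    ("App", "Web", 17, 161),    # SNMP App -> Web: not whitelisted
    ("Web", "App", 6, 443),     # reverse direction: no policy for this pair
]


def load_policies(*docs):
    return [json.loads(doc) for doc in docs]


def rule_matches(rule, proto, port):
    """Assumption: a port range of [0, 0] means 'no/any port', which is how
    the slide expresses the ICMP (proto 1) entry."""
    lo, hi = rule["port"]
    return rule["proto"] == proto and ((lo, hi) == (0, 0) or lo <= port <= hi)


def evaluate(policies, flows):
    """Split flows into allowed, violations (the pair has a policy but no rule
    permits the flow) and uncovered (no policy exists for that pair yet)."""
    by_pair = {(p["src_name"], p["dst_name"]): p["whitelist"] for p in policies}
    allowed, violations, uncovered = [], [], []
    for flow in flows:
        src, dst, proto, port = flow
        rules = by_pair.get((src, dst))
        if rules is None:
            uncovered.append(flow)
            continue
        hit = next((r for r in rules if rule_matches(r, proto, port)), None)
        (allowed if hit and hit["action"] == "ALLOW" else violations).append(flow)
    return allowed, violations, uncovered


def simulate(policies, flows, src, dst, new_rule):
    """Policy simulation: which currently violating flows would a proposed
    rule on (src, dst) start to allow? The live policy is left untouched."""
    trial = copy.deepcopy(policies)
    for p in trial:
        if (p["src_name"], p["dst_name"]) == (src, dst):
            p["whitelist"].append(new_rule)
    before = set(evaluate(policies, flows)[1])
    after = set(evaluate(trial, flows)[1])
    return sorted(before - after)
```

Keeping "uncovered" separate from "violation" matters operationally: the reverse Web → App flow is not a breach of the App → Web policy, it is a pair that discovery has not produced a policy for yet, and lumping the two together is how whitelist projects drown in false positives.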
10.B Securing the Application
• Host / Endpoint Vulnerability Scan
• Scanning during agile dev/ops delivery
• IBM Security AppScan Enterprise: BAVA, DAVA tests
10.B Results: Reducing Application Vulnerabilities – Requirements vs. Enhancements
Reporting tiers (Unified Security Metrics):
• Service Owner: Score Cards (*Pending)
• Service Executives: Vulnerabilities & Performance (*Trending)
• CIO: Unified Services Metrics (*Aging and Trending)
Vulnerabilities Declined 64% – On-time Closure Increased to 86%
(Chart: Unified Security Metrics, Vulnerability Open % and SLA On Time Closure %, Q1 FY12* through Q3 FY16; * = Pre USM Reporting)
Conclusion: Successful Attacks have to work multiple times
Every one of the seven steps of the break-in described earlier (reconnaissance, the targeted email, the user opening the exploit, privilege escalation, lateral movement, external transfer, monetization) has to succeed for the attacker to win, and each is a point where the defense-in-depth controls above can detect or stop the attack.
When you have to Start Somewhere …
• Cisco Umbrella & Investigate
• Cisco Catalyst 3850/9300 Series Switch
• Cisco 5500 series Adaptive Security Appliance (ASA)
• Cisco Sourcefire NextGen Intrusion Prevention System (FirePOWER 7125)
• Cisco UCS C240 and C220
• Cisco StealthWatch (Virtual Edition)
• Cisco S300V Web Security Appliance (WSA) (VM)
• Splunk
• Qualys & RedSeal
For more information:
• Cisco Security – www.cisco.com/security
• Cisco Security advisories – http://tools.cisco.com/security/center/publicationListing.x
• Cisco SAFE architecture – www.cisco.com/go/safe
• Latest Threat Information – http://tools.cisco.com/security/center/navigation.x?i=118
• Cisco Security Community – https://communities.cisco.com/community/technology/security
• Cisco Security products – http://www.cisco.com/c/en/us/products/security/index.html
• Cisco Security services – http://www.cisco.com/c/en/us/products/security/service-listing.html
• Trustworthy Systems – http://www.cisco.com/web/solutions/trends/trustworthy_systems/index.html
More Online Resources
Cisco Security Portal:
• Security Advisory: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
• Event Response Page: http://www.cisco.com/web/about/security/intelligence/
• IntelliShield Alert: http://tools.cisco.com/security/center/
• Protecting IOS: http://www.cisco.com/web/about/security/intelligence/integrity-assurance.html
Blog Posts including Mitigation, Detection and Best Practices:
• http://blogs.cisco.com/security/
• http://blog.talosintelligence.com/
Cisco Security and Services:
• http://www.cisco.com/go/security
• http://www.cisco.com/c/en/us/products/security/service-listing.html
Cisco Mid-Year 2017 Security Report
• VERY interesting
• 90 pages
• Download from here (requires some user info):
• http://www.cisco.com/c/en/us/products/security/annual_security_report.html
• Or just search on “Cisco Annual Security Report”