Timothy Snow, CCIE
Consulting Systems Engineer, Security
Putting the BDA Methodology to work
Threat Centric Secure Access
© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Global Networks are Under Attack
Did You Know That You Are Likely Already Infected?
Malicious Traffic is Visible on 100% of Corporate Networks*
Cisco 2014 Annual Security Report
*Companies connect to domains that host malicious files or services
“Treat Every User as Hostile.” Stolen Identity, Malicious Intent
CIO of a Global Investment Banking, Securities, Investment Management Firm
An Erosion of Trust: Nothing Should be Trusted – Apps, Certificates, Cloud, Devices, Users…
“Treat Enterprise as Untrusted.”
Senior Executive of a Global Internet Search Firm
Network
• Sees All Traffic
• Routes All Requests
• Sources All Data
• Controls All Flows
• Handles All Devices
• Touches All Users
• Shapes All Streams
Secure Access Framework: Aligning with the Cybersecurity Framework Core
Before: Discover, Enforce, Harden
During: Detect, Block, Defend
After: Scope, Contain, Remediate
Identify / Protect
• Device Inventory
• Guest Authentication
• Certificate Enrollment
• Authentication and Authorization Services
• Access Control
• Segmentation
• Endpoint Compliance
• System Hardening
Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes
Respond / Recover
• Response Planning
• Analysis
• Mitigation
• IR / Comms
• Recovery Planning
• Improvements
• Communications
Cisco Identity Services Engine (ISE): Delivering Visibility, Context, and Control to Secure Network Access
Network / User Context: Who, What, Where, When, How
Reduce network unknowns and apply the right level of secure access consistently across wired, wireless and VPN.
Use cases: Secure Access; BYOD and Enterprise Mobility; Guest Access
Services: Authentication Services; Authorization Services; Segmentation Services; Compliance Services; API and Threat Services
Guest Services | Compliance | Segmentation
Guest Services: three guest access flows
1. Hotspot
2. Self Service with SMS
3. Sponsor Approval Required
Example values shown on the slide: asdf1234; “Approved!” credentials with username: trex42 and password: littlearms; prompt “Visiting email?”
Verizon DBIR 2014: Recommended Controls
Guest Services | Compliance | Segmentation
Device Inventory: vendors seen on the network include Apple, Lexmark, Telepresence, VMware, Samsung, Blackberry, Xerox, Microsoft, Motorola, WYSE and Cisco.
Device categories: Printers (Xerox), Mobile Devices, Microsoft Devices, Gaming Systems, IP Phones
2015 Verizon Data Breach Report
Guest Services | Compliance | Segmentation
Endpoint compliance checks are applied across access types: Guest Access, Personal Devices, Remote VPN User, Wireless User, Wired User, IT Managed Devices.
OS Compliance
• Service Packs
• Hotfixes with SCCM Integration
• OS/Browser versions
Endpoint Compliance
• File data
• Services
• Applications/processes
• Registry Keys
Antivirus & Antispyware
• Installation and signatures
Outcomes: Allow, Limited Access, Deny
Manage Mobile Apps
Secure Content Distribution
Secure Access Framework: Aligning with the Cybersecurity Framework Core
During: Detect, Block, Defend
Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes
Identity Services Engine: building context for access to Oracle, AD and SAP
Who are you? Yuki (sales), Himapata (HR), Tuyet (IT)
What are you? Tablet, Laptop, Desktop
What are you accessing? Oracle, AD, SAP
Where are you connecting? Japan, India, Vietnam
When are you connecting? 19:30, 16:00, 16:00
How are you connecting? VPN, WiFi, Wired
During: Detect, Block, Defend
Network as an Enforcer: Security Group Tagging (SGT)
Identity Services Engine assigns Security Group Tags (slide values: 88, 15, 1) to the Tablet, Laptop and Desktop sessions reaching Oracle, AD and SAP.
During: Detect, Block, Defend
Network as an Enforcer: Security Group Access Control (SGACL)
Policy matrix on the slide: tags 88, 15 and 1 against Oracle, AD and SAP, with ❌ marking the denied combinations.
Sales
• No access to SAP over VPN after 18:00
• No access to Oracle
• No access to AD
HR
• Full access to Oracle over Wireless
• No access to SAP over Wireless
• No access to AD
IT
• Full access over Wired and Wireless
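The SGACL rules above, evaluated in code. This is an added example written for this page, not Cisco ISE or TrustSec code. The groups (sales, HR, IT), destinations (SAP, Oracle, AD), media (VPN, wireless, wired) and the 18:00 cut-off come from the slide; the Request record, the default-deny decision for any combination the slide does not list, and the pairing of the three users from the context slide with a destination are assumptions. The slide does not say which group each SGT number (88, 15, 1) belongs to, so the example keys on group names instead.

```python
"""Evaluate the SGACL-style rules from the slide for a given access request.

Added example for this page, not Cisco ISE / TrustSec code. Groups (sales, hr,
it), destinations (sap, oracle, ad), media (vpn, wireless, wired) and the 18:00
cut-off come from the slide; the Request record, the default-deny choice for
anything the slide does not list, and the user-to-destination pairings in
evaluate_slide_users() are assumptions made here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    group: str        # security group of the user: "sales", "hr" or "it"
    destination: str  # server group being reached: "sap", "oracle" or "ad"
    medium: str       # how the user connected: "vpn", "wireless" or "wired"
    at: str           # local time of the attempt as zero-padded "HH:MM"


def _minutes(hhmm: str) -> int:
    """'19:30' -> 1170 minutes since midnight, so times compare numerically."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def _rule_sales(r: Request) -> bool:
    # Sales: no Oracle, no AD; SAP is allowed except over VPN after 18:00.
    if r.destination in ("oracle", "ad"):
        return False
    if r.destination == "sap":
        return not (r.medium == "vpn" and _minutes(r.at) > _minutes("18:00"))
    return False


def _rule_hr(r: Request) -> bool:
    # HR: full access to Oracle over wireless; no SAP over wireless; no AD.
    # Combinations the slide does not mention (e.g. Oracle over wired) fall
    # through to deny, which is the assumption this example makes.
    return r.destination == "oracle" and r.medium == "wireless"


def _rule_it(r: Request) -> bool:
    # IT: full access over wired and wireless. VPN is not listed, so it is denied.
    return r.medium in ("wired", "wireless")


# Group -> rule function. Unknown groups have no rule and are denied.
POLICY = {"sales": _rule_sales, "hr": _rule_hr, "it": _rule_it}


def permitted(r: Request) -> bool:
    """Default deny: only an explicit rule returning True lets the flow through."""
    rule = POLICY.get(r.group)
    return bool(rule and rule(r))


def evaluate_slide_users() -> dict:
    """The three users from the Who/What/Where/When/How slide, each paired with
    one destination (the pairing is an assumption; the slide does not state it)."""
    attempts = {
        "Yuki": Request("sales", "sap", "vpn", "19:30"),  # after 18:00 over VPN
        "Himapata": Request("hr", "oracle", "wireless", "16:00"),
        "Tuyet": Request("it", "ad", "wired", "16:00"),
    }
    return {name: permitted(req) for name, req in attempts.items()}


if __name__ == "__main__":
    for name, ok in evaluate_slide_users().items():
        print(f"{name}: {'permit' if ok else 'deny'}")
```

The point of keying the rules on a group rather than on an IP address is the one the slide is making: the decision depends on who the session was classified as, how it connected and when, and anything the policy does not explicitly permit is denied.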
During: Detect, Block, Defend
Network as a Sensor: Cisco Cyber Threat Defense (CTD)
Flow telemetry from the Switching Infrastructure, Data Center Infrastructure, Firewall Infrastructure and Routing Infrastructure is combined with Identity Services Engine context (Who, What, How, Where, When) for more context.
Network as a Sensor: Advanced Threat Detection
• Denial of Service: SYN half open; ICMP/UDP/port flood
• Worm Propagation: a worm-infected host scans and connects to the same port across multiple subnets; other hosts imitate the same behavior
• Fragmentation Attack: a host sending an abnormal number of malformed fragments
• Botnet Detection: an inside host talks to an outside C&C server for an extended period of time
• Host Reputation Change: an inside host is potentially compromised, or received abnormal scans or other malicious attacks
• Network Scanning: TCP, UDP, port scanning across multiple hosts
• Data Exfiltration: large outbound file transfer vs. baseline
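Three of the heuristics above (network scanning across multiple hosts, worm propagation across subnets, and data exfiltration vs. baseline) implemented over constructed flow records. This is an added example for this page, not Cisco CTD or StealthWatch logic: the Flow record, the thresholds (20 hosts, 3 subnets, 10× baseline), the /24 subnet boundary and every sample record are assumptions.

```python
"""Flow-based heuristics from the Advanced Threat Detection slide: network
scanning, worm propagation across subnets, and data exfiltration vs. baseline.

Added example for this page, not Cisco CTD / StealthWatch logic. The Flow
record, the thresholds, the /24 subnet boundary and every sample record are
assumptions constructed for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str            # source IP
    dst: str            # destination IP
    dport: int          # destination port
    out_bytes: int      # bytes sent from src to dst
    internal_dst: bool  # True if dst is inside the organisation


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    # 10.1.1.5 touches port 445 on 30 hosts in one subnet: looks like a scan.
    *[Flow("10.1.1.5", f"10.1.2.{i}", 445, 120, True) for i in range(1, 31)],
    # 10.1.3.4 connects to port 445 on 3 hosts in each of 4 subnets: worm-like spread.
    *[Flow("10.1.3.4", f"10.1.{net}.{i}", 445, 120, True)
      for net in (4, 5, 6, 7) for i in (10, 11, 12)],
    # 10.1.1.9 does ordinary browsing to two external hosts.
    Flow("10.1.1.9", "203.0.113.10", 443, 80_000, False),
    Flow("10.1.1.9", "203.0.113.11", 443, 60_000, False),
    # 10.1.1.7 pushes roughly 900 MB to one external host.
    Flow("10.1.1.7", "198.51.100.20", 443, 900_000_000, False),
]

# Assumed per-host outbound baselines (bytes per observation window),
# as would come from an earlier learning period.
BASELINE_OUT_BYTES = {"10.1.1.9": 150_000, "10.1.1.7": 2_000_000}


def _subnet24(ip: str) -> str:
    """'10.1.4.10' -> '10.1.4' (assumes /24 boundaries)."""
    return ".".join(ip.split(".")[:3])


def detect_scanners(flows, min_hosts=20):
    """Sources that reach at least min_hosts distinct destination hosts
    ('scanning across multiple hosts'). Returns {src: host_count}."""
    hosts = defaultdict(set)
    for f in flows:
        hosts[f.src].add(f.dst)
    return {src: len(h) for src, h in hosts.items() if len(h) >= min_hosts}


def detect_worm_propagation(flows, min_subnets=3):
    """(src, dport) pairs where one source connects to the same port on hosts
    in at least min_subnets distinct internal /24s. Returns {(src, dport): subnet_count}."""
    subnets = defaultdict(set)
    for f in flows:
        if f.internal_dst:
            subnets[(f.src, f.dport)].add(_subnet24(f.dst))
    return {key: len(s) for key, s in subnets.items() if len(s) >= min_subnets}


def detect_exfiltration(flows, baseline, factor=10):
    """Hosts whose outbound bytes to external destinations exceed factor x their
    baseline. Hosts with no baseline cannot be judged and are skipped.
    Returns {src: observed_bytes}."""
    totals = defaultdict(int)
    for f in flows:
        if not f.internal_dst:
            totals[f.src] += f.out_bytes
    return {src: total for src, total in totals.items()
            if src in baseline and total > factor * baseline[src]}


if __name__ == "__main__":
    print("scanners:", detect_scanners(SAMPLE_FLOWS))
    print("worm-like:", detect_worm_propagation(SAMPLE_FLOWS))
    print("exfiltration:", detect_exfiltration(SAMPLE_FLOWS, BASELINE_OUT_BYTES))
```

Note that the worm-propagation and scanning checks overlap on purpose: a source that spreads to a few hosts in each of several subnets may stay under a host-count threshold yet still stand out by subnet count, and the exfiltration check only works for hosts that already have a baseline, which is why a learning period precedes alarming in flow-based tools.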
During: Detect, Block, Defend
Network as a Sensor: Cisco Cyber Threat Defense (CTD)
Flow telemetry from the Switching, Data Center, Firewall and Routing Infrastructure, with Identity Services Engine context.
Cisco CTD: Dashboard
• Alarms
• Flow collection trend
• Top Applications
• Active Alarms
Cisco CTD: Host Detail
• Alarms
• Users
• Activity & Applications
• Host groups and classifications
• View Flows
Segmentation Monitoring with StealthWatch
• Clear visibility into any traffic traversing the environment
• Traffic violating segmentation policy generates an alarm
The Role of the Network for Security
Network as a Sensor
• Detect Anomalous Traffic Flows
• Detect User Access Policy Violations
• Detect Rogue Devices, Access Points & More
Network as an Enforcer
• Segment the Network to Contain the Attack
• Encrypt the Traffic to Defend Against Man in the Middle Attacks
• Secure the Branch for Direct Internet Access
Network as a Mitigation Accelerator
• Automated, Near Real-Time Threat Mitigation
Secure Access Framework: Aligning with the Cybersecurity Framework Core
After: Scope, Contain, Remediate
Respond / Recover
• Response Planning
• Analysis
• Mitigation
• IR / Comms
• Recovery Planning
• Improvements
• Communications
Context is the Currency of the Solution Integration Realm… but it’s not easy to execute
Each product holds some context and lacks some:
• I have NBAR info! I need identity…
• I have firewall logs! I need identity…
• I have sec events! I need reputation…
• I have NetFlow! I need entitlement…
• I have MDM info! I need location…
• I have app inventory info! I need posture…
• I have identity & device-type! I need app inventory & vulnerability…
• I have threat data! I need reputation…
• I have location! I need identity…
• I have reputation info! I need threat data…
• I have application info! I need location & auth-group… SIO
But the integration burden is on IT departments. We need to share context & take network actions.
pxGrid: sharing CONTEXT and Control
Cisco ISE (Context, Policy) and Cisco Sourcefire exchange context over pxGrid with ecosystem partners:
• Vulnerability Assessment
• Packet Capture & Forensics
• Policy-based Service Levels (e.g. QoS)
• Policy-based Security Actions (e.g. investigation)
• Mobile Device Management
• IoT Policy Management
• SIEM & Threat Defense
• IAM & SSO
Policy violations and threats can be based upon a single violation or multiple indicators.
Context shared: user and device; flow record; realized attacks on the infrastructure; application bandwidth analysis.
Source / destination access matrix on the slide: sources IT Staff, Mobile Devices, Guests and IT Manager against destinations Payroll, Intranet and Internet, with cells marked X.
Combined API Framework and Integration Points
BEFORE: Policy and Control. DURING: Identification and Block. AFTER: Analysis and Remediation.
Ecosystem Partners, applied throughout the threat continuum:
• Network Infrastructure & Policy Mgt.
• Vulnerability Management
• SIEM & Threat Defense
• Packet Brokering (Taps)
• Custom Detection
• Remediation and Incident Response
• Packet Capture & Forensics
• IAM/SSO
• Mobility
• Performance Management & Visualization
In Summary…
Consistent Secure Access
• A Solid Foundation Today & Tomorrow
• Simplified, Unified Policy Management for Access
• Innovation & Market Leadership in NAC, at the core of Cisco Security & Solutions
Unparalleled Visibility & Context
• Get a Clearer Picture of Who and What Is On Your Network
Advanced Threat Containment
• Detect Threats from Compromised Devices via Health Checks & SIEM/TD
Cisco ISE is the Key Component for Supporting Unified Access and Achieving Overall Security Objectives.