Slide 1
© 2016 Cisco and/or its affiliates. All rights reserved.
3 Ways to Secure Your Network
Presenters: Robb Boyd, Ziad Sarieddine, Beth Barach, Player Pate, Guy Telner
June 14, 2016
Slide 2
What is on my network and why does it matter?
Slide 3
What visibility can help you do
• See and share rich user and device details
• Control all access throughout the network from one place
• Stop and contain threats
Slide 4
ISE is a powerful visibility and control technology
A centralized security solution that automates context-aware access to network resources and shares contextual data
Diagram labels: Access Policy, Network Resources, Network Door (Physical or VM), ISE pxGrid Controller
Use cases: Traditional, Cisco TrustSec®, BYOD Access, Threat Containment, Guest Access, Role-Based Access, Identity Profiling and Posture
Context: Who, What, When, Where, How, Compliant, Threat (New!), Vulnerability (New!), Threat Score
Slides 5 to 9: image-only slides, no extractable text
Slide 10
Coffee break
Slide 11: image-only slide, no extractable text
Slide 12
ISE pxGrid: Open* sharing to get answers faster. Control to stop threats
Diagram: platforms arranged around ISE pxGrid, each with a speech bubble:
• “I have identity & device! I need geo-location & MDM…”
• “I have application info! I need location & device-type”
• “I have location! I need app & identity…”
• “I have sec events! I need identity & device…”
• “I have MDM info! I need location…”
pxGrid capabilities:
• Any-Any Sharing: Publish, Subscribe
• ISE Sharing: Identity Context
• ISE Network Control: Adaptive Network Control
* IETF Standards Track: Managed Incident Lightweight Exchange (MILE)
Slide 13
Making visibility more effective through sharing
Diagram labels: Switch, Router, Wireless, AD, Stealthwatch, pxGrid, ISE, Network
1. Identify what it is: ISE creates identity context: user, device type, posture, authorization level, location, threat score?
   “It looks like Kevin on a Lenovo X1 Carbon MS Laptop and he’s clean.”
2. Share the identity context: ISE shares with behavioral analysis technology
   “Hey Stealthwatch, here’s the detail on that IP address you’re asking about.”
3. Watch the behaviors: Monitor device behaviors for anomalies
   “Looks like Kevin’s laptop has been infected with malware.”
   “Hey ISE, let’s put Kevin in quarantine until he cleans up his act”
4. Stop bad things: Take action to contain a device through ISE using the network as an enforcer
   “Roger that Stealthwatch. Hey network, put Kevin into quarantine until I tell you to let him back on.”
Slide 14
Cisco Stealthwatch and Cisco ISE
Diagram labels: Cisco Stealthwatch, NetFlow, Context Information, pxGrid, Cisco® Identity Services Engine, Mitigation Action
Real-Time Visibility into All Network Layers
• Data intelligence throughout network
• Discovery of assets
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response
Slide 15
Cisco Stealthwatch and ISE Integration
Slide 16
Stealthwatch and ISE Integration
Slide 17
Visibility Through NetFlow
Diagram: a host at 10.1.8.3 reaches 172.168.134.2 on the Internet through routers and switches, which export a flow record for the conversation.
Flow Information / Packets:
SOURCE ADDRESS 10.1.8.3
DESTINATION ADDRESS 172.168.134.2
SOURCE PORT 47321
DESTINATION PORT 443
INTERFACE Gi0/0/0
IP TOS 0x00
IP PROTOCOL 6
NEXT HOP 172.168.25.1
TCP FLAGS 0x1A
SOURCE SGT 100
…
APPLICATION NAME NBAR SECURE-HTTP
Visibility into every network conversation:
• Every record
• Every device
• Everywhere
Slide 18
Conversational Flow Record
• Highly scalable (enterprise-class) collection
• High compression => long-term storage
• Months of data retention
Diagram labels on the record: When, Who, Where, What, Who, Security group, More context
Slide 19
Behavioral and Anomaly Detection Model
Behavioral Algorithms Are Applied to Build “Security Events”
FLOWS → COLLECT AND ANALYZE FLOWS → SECURITY EVENTS (94+) → ALARM CATEGORY → RESPONSE
Security events (94+): Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK**, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, …, ICMP Flood, …, Max Flows Initiated, Max Flows Served, …, Suspect Long Flow, Suspect UDP Activity, SYN Flood
Alarm categories: Concern, Exfiltration, C&C, Recon, Data hoarding, Exploitation, DDoS target
Response: Alarm table, Host snapshot, Syslog / SIEM, Mitigation
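The loop described on the “Making visibility more effective through sharing” and “Behavioral and Anomaly Detection Model” slides, as an added example that is not Cisco code or any pxGrid/ISE API: constructed flow records using fields from the NetFlow slide are turned into security events, events map to alarm categories, alarms are enriched with ISE identity context, and an Exfiltration alarm yields the quarantine request ISE would enforce on the network. The thresholds, the extra bytes_out/secs fields, the SMB scan records and the request shape are assumptions.

```python
# Added illustration (not Cisco code): flow records become security events, events map
# to alarm categories, alarms are enriched with ISE identity context, and an Exfiltration
# alarm produces the quarantine request ISE would enforce on the network.
from collections import defaultdict

# Constructed ISE identity context, keyed by endpoint IP (user, device, posture, SGT).
ISE_CONTEXT = {
    "10.1.8.3": {"user": "kevin", "device": "Lenovo X1 Carbon", "posture": "Compliant", "sgt": 100},
    "10.1.8.9": {"user": "svc-backup", "device": "Linux server", "posture": "Unknown", "sgt": 200},
}

# Constructed conversational flow records using fields from the NetFlow slide, plus
# bytes_out/secs; the last 39 records model one host touching many SMB peers (assumed data).
FLOWS = [
    {"src": "10.1.8.3", "dst": "172.168.134.2", "dport": 443, "proto": 6, "app": "SECURE-HTTP", "bytes_out": 12_000, "secs": 40},
    {"src": "10.1.8.3", "dst": "172.168.134.2", "dport": 443, "proto": 6, "app": "SECURE-HTTP", "bytes_out": 900_000_000, "secs": 7200},
] + [{"src": "10.1.8.9", "dst": f"10.1.9.{i}", "dport": 445, "proto": 6, "app": "SMB", "bytes_out": 60, "secs": 1} for i in range(1, 40)]

# Assumed fixed thresholds; a real analytics engine baselines these per host over time.
LONG_FLOW_SECS, EXFIL_BYTES, SCAN_PEERS = 3600, 500_000_000, 25
EVENT_TO_ALARM = {"Suspect Long Flow": "Concern", "High Outbound Volume": "Exfiltration", "Addr_Scan/tcp": "Recon"}

def build_security_events(flows):
    """Apply simple behavioral rules to flows; returns a list of (event_name, source_ip)."""
    events, tcp_peers = [], defaultdict(set)
    for f in flows:
        if f["secs"] >= LONG_FLOW_SECS:
            events.append(("Suspect Long Flow", f["src"]))
        if f["bytes_out"] >= EXFIL_BYTES:
            events.append(("High Outbound Volume", f["src"]))
        if f["proto"] == 6:
            tcp_peers[f["src"]].add(f["dst"])
    # A source that opened TCP flows to many distinct hosts looks like an address scan.
    events += [("Addr_Scan/tcp", src) for src, peers in tcp_peers.items() if len(peers) >= SCAN_PEERS]
    return events

def raise_alarms(events, context):
    """Map each event to its alarm category and attach the ISE context for the source IP."""
    unknown = {"user": "unknown", "device": "unknown", "posture": "Unknown", "sgt": None}
    return [{"category": EVENT_TO_ALARM[name], "event": name, "ip": ip, **context.get(ip, unknown)}
            for name, ip in events]

def quarantine_requests(alarms):
    """Build the 'put this host in quarantine' request for Exfiltration alarms (assumed shape)."""
    return [{"action": "QUARANTINE", "ip": a["ip"], "user": a["user"], "reason": a["event"]}
            for a in alarms if a["category"] == "Exfiltration"]

if __name__ == "__main__":
    alarms = raise_alarms(build_security_events(FLOWS), ISE_CONTEXT)
    print(alarms, quarantine_requests(alarms), sep="\n")
```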
Slide 20
Cisco Stealthwatch Demo - Dashboard
Slide 21
List of Alarms for Data Exfiltration
Alarm Triggers
Slide 22
View of Data Exfiltration Host and Traffic
Slide 23
Data Exfiltration Query
Slide 24
Data Exfiltration Traffic Details
Slide 25
Stealthwatch for Macro-Level Visibility
Fight advanced threats with actionable intelligence and analytics
• Obtain comprehensive, scalable enterprise visibility and security context
• Gain real-time situational awareness of traffic
• Benefit from network segmentation
• Detect and analyze network behavior anomalies
• Easily detect behaviors linked to advanced persistent threats (APTs), insider threats, distributed denial-of-service (DDoS) attacks, and malware
• Collect and analyze holistic network audit trails
• Achieve faster root cause analysis
• Conduct thorough forensic investigations
• Accelerate network troubleshooting and threat mitigation
• Respond quickly to threats by taking action to quarantine through Cisco® Identity Services Engine
• Continuously improve enterprise security posture
Process: Monitor → Detect → Analyze → Respond
Slide 26
Visibility from the Core to the Edge
Slide 27
Cisco Defense Orchestrator: Security Policy Management Simplified
Device onboarding
• Import from offline
• Discover direct from device
Security policy management
• Policy change management
• Policy modeling, analysis and optimization
• Policy monitoring and reporting
• Scalable orchestration of changes
• Simple search, reports, notifications
Slide 28
Next Steps
For further information on Technology 1, Technology 2, Technology 3, please visit the Cisco Security page: http://www.cisco.com/c/en/us/products/security/index.html
Register for the next event in the Cisco Network Insider series, “Cisco Mobility for Hospitality”, on June 28 at 10am PT / 1pm ET:
https://grs.cisco.com/grsx/cust/grsEventSite.html?EventCode=14207&LanguageId=1&KeyCode=
Thank you for your participation!
Slide 29
Check us out on cisco.com/go/security to learn more about:
ISE, Stealthwatch, Cisco Defense Orchestrator