Page 1: Cisco security the evolution continues

Cisco Security The Evolution Continues

Tim Ryan, Security Consulting Systems Engineer – CCIE, CISSP

US Public Sector

Description: CLLE FL 092014

Page 2: Cisco security the evolution continues

Cisco Confidential 2© 2013-2014 Cisco and/or its affiliates. All rights reserved.

1. Next Generation Security Model

2. ASA + Sourcefire = Next Gen FW / Gen 2 IPS

3. Web Security / Filtering Review

4. Access Control Technology - ISE

Agenda

Page 3: Cisco security the evolution continues

BEFORE: Control, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

What Device Types, Users & Applications should be on the Network?

Attack Continuum

Network Endpoint Mobile Virtual Cloud

Point in time Continuous

BEFORE THE ATTACK: You need to know what's on your network to be able to defend it – devices / OS / services / applications / users (FireSight)

Access Controls, Enforce Policy, Manage Applications And Overall Access To Assets.

Access Controls reduce the surface area of attack, but there will still be holes that the bad guys will find. ATTACKERS DO NOT DISCRIMINATE. They will find any gap in defenses and exploit it to achieve their objective

The Next Generation Security Model

Page 4: Cisco security the evolution continues


Challenges with Traditional ‘Defense-in-Depth’ Security

Page 5: Cisco security the evolution continues


Integrated Threat Defense Across the Attack Continuum

Firewall/VPN NGIPS

Security Intelligence

Web Security

Advanced MalwareProtection

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Attack Continuum

Visibility and Automation

Granular App Control

Modern Threat Control

Retrospective Security

IoCs/IncidentResponse

Page 6: Cisco security the evolution continues


Introducing FirePOWER Services for ASA

ASA

FirePOWER Services Blade

• Models: ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X with SSD drive.

• FirePOWER Services Software Module

• Add Licenses & Subscriptions

• Models: ASA 5585-X-SSP10, ASA 5585-X-SSP20, ASA 5585-X-SSP40, ASA 5585-X-SSP60

• FirePOWER Services HW Module Required

• Add Licenses & Subscriptions

Proven Cisco ASA firewalling + industry-leading NGIPS and AMP = Cisco ASA with FirePOWER Services

Page 7: Cisco security the evolution continues

Multilayered Protection – Next Gen FW + Gen2 IPS

► World’s most widely deployed, enterprise-class ASA stateful firewall

► Granular Cisco® Application Visibility and Control (AVC)

► Industry-leading FirePOWER Next-Generation IPS (NGIPS)

► Reputation- and category-based URL filtering

► Advanced Malware Protection

Cisco ASA: Network Firewall, Routing | Switching, Clustering & High Availability, Identity-Policy Control & VPN

FirePOWER Services: Application Visibility & Control, Intrusion Prevention (Subscription), URL Filtering (Subscription), Advanced Malware Protection (Subscription), FireSIGHT Analytics & Automation, Built-in Network Profiling

Cisco Collective Security Intelligence Enabled

• Visibility over – Network, Device, Application, Threat Detection & Mitigation

Page 8: Cisco security the evolution continues

FirePOWER Services for ASA: Subscriptions

Included with FirePOWER Services for ASA (appliance feature defaults)*:

Configurable Fail Open ✓
Connection/Flow Logging ✓
Network, User, and Application Discovery ✓
Traffic filtering / ACLs ✓
NSS Leading IPS Engine ✓
Comprehensive Threat Prevention ✓
Security Intelligence (C&C, Botnets, SPAM etc) ✓
Blocking of Files by Type, Protocol, and Direction ✓
Basic DLP in IPS Rules (SSN, Credit Card etc.) ✓
Access Control: AVC - Enforcement by Application ✓
Access Control: Enforcement by User ✓

Subscriptions (annual fee):

IPS and App Updates – IPS Rule and Application Updates
URL Filtering – URL Filtering Subscription
Malware Protection – Subscription for Malware Blocking, Continuous File Analysis, Malware Network Trajectory

Feature stack:

Sourcefire Services – App Visibility / Control, URL Filtering, Advanced Malware Protection, Next Gen IPS
Base ASA Firewall – VPN Termination, ACLs – Protocol Inspection, Routing, Network Address Translation

* Included - Smartnet Required for Security Intell. Updates

Page 9: Cisco security the evolution continues


Security Intelligence Black List Objects

Page 10: Cisco security the evolution continues


Sourcefire on ASA Licensing

Page 11: Cisco security the evolution continues

Licensing Notes

Virtual or Physical FireSIGHT Management Center required

All FirePOWER Services device licenses are managed on the FireSIGHT Management Center. A license key from the FireSIGHT Management Center is required for registering PAKs

Licenses are specific to each ASA model and mapped to managed ASA devices

Subscriptions must be purchased on both elements of an HA pair

Term licenses have a start and end date; beyond the end date, renewal is required to continue receiving subscription updates

Application Visibility and Control updates are included in SMARTnet Services

IPS subscription is a prerequisite for the Advanced Malware Protection (AMP) subscription

SSDs are included in all new ASA FirePOWER Services hardware SKUs

Page 12: Cisco security the evolution continues

Five Subscription Packages to Choose From for Each Appliance

• 1 and 3 year terms

• AVC is part of the default offering

• AVC updates are included in SMARTnet

• IPS is required before AMP or URL license can be added

Package stacks shown on the slide, built from the IPS, URL and AMP components (T = threat/IPS, A = AVC, M = malware/AMP, C = URL control):

TA – IPS
TAC – IPS + URL
TAM – IPS + AMP
TAMC – IPS + URL + AMP

Page 13: Cisco security the evolution continues

FireSIGHT Management Center Sizing Guidance

Model                              FS750-K9    FS1500-K9    FS3500-K9    Virtual FS-VMW-SW-K9
Max. Devices Managed*              10          35           150          Up to 25 managed devices
Event Storage                      100 GB      125 GB       400 GB
Max. Network Map (hosts / users)   2K/2K       50K/50K      300K/300K
Events per Sec (EPS)               2000        6000         10000

* Max number of devices is dependent upon sensor type and event rate

Also available: lower-priced Virtual FireSIGHT Management Center offerings limited to 2 and 10 FirePOWER Services (only) devices managed (note: enforced by support!!): FS-VMW-2-SW-K9 and FS-VMW-10-SW-K9. These special offerings do not manage FirePOWER Appliances.

Page 14: Cisco security the evolution continues

FirePOWER Services Licensing Reference

Component: FirePOWER Services
  License Name / Features Enabled: Protect – Enables FirePOWER Services (IPS and AVC core functionality); Control
  License Type: Perpetual License (Included)
  Fulfillment: PAK claim certificate ships with Appliance/Upgrade License

Component: IPS
  License Name / Features Enabled: IPS Subscription
  License Type: Service Contract (Purchase)
  Fulfillment: Services support contract only

Component: URL Filtering
  License Name / Features Enabled: URL Filtering Subscription
  License Type: Term License (Purchase)
  Fulfillment: PAK claim certificate ships with URL Subscriptions

Component: Malware Protection
  License Name / Features Enabled: AMP Subscription
  License Type: Term License (Purchase)
  Fulfillment: PAK claim certificate ships with AMP Subscriptions

Component: FireSIGHT Management Center
  License Name / Features Enabled: FireSIGHT Network Awareness
  License Type: Perpetual License (Included)
  Fulfillment: PAK claim certificate ships with Appliance/Software Download

Page 15: Cisco security the evolution continues

Sourcefire Gen2 IPS / Next Gen Firewall Features

Page 16: Cisco security the evolution continues

FireSIGHT: What are the Key FireSIGHT Components?

Network Discovery & Connection Awareness

Host discovery
• Identifies OS, protocols and services running on each host
• Reports on potential vulnerabilities present on each host based on the information it has gathered

Application identification
• FireSIGHT can identify over 1900 unique applications using OpenAppID
• Includes applications that run over web services such as Facebook or LinkedIn
• Applications can be used as criteria for access control

User discovery
• Monitors for user IDs transmitted as services are used
• Integrates with MS AD servers to authoritatively ID users
• Authoritative users can be used as access control criteria

Page 17: Cisco security the evolution continues

Sourcefire FireSIGHT Technology: FireSIGHT Discovery

Discovery is reported to you by way of events

• Connection events are recorded as every connection in a monitored network is seen

• Host events are recorded when something new on a host is detected or a change to a host is detected

Information about all the hosts in your environment is stored in host profiles

Page 18: Cisco security the evolution continues

Sourcefire FireSIGHT Technology: FireSIGHT Discovery

By knowing the details of what’s running in your environment, the Sourcefire System can produce a list of what vulnerabilities likely exist

This allows the Sourcefire System to put intrusion events in context for more accurate and actionable alerting

Which would matter more to you?

• A Code Red attack against a host running Linux in your environment, or

• A Code Red attack against a host running a vulnerable version of Windows in your environment

Page 19: Cisco security the evolution continues

Sourcefire FireSIGHT Technology: FireSIGHT Discovery

With FireSIGHT, IPS events are assigned an impact level

• 0 – host not on monitored networks
• 4 – no entry for the host in the network map
• 3 – host not running the service or protocol that was attacked
• 2 – host is running the service or protocol that was attacked
• 1 – host is running the service or protocol that was attacked and a vulnerability against that service or protocol is mapped to the host

FireSIGHT also lets you fine-tune your IPS policies by recommending rules to protect against the known vulnerabilities in your environment
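The impact-level logic above, as an added example (not code from the deck, from Cisco or from Sourcefire): an intrusion event is scored against a network map using the five levels on the slide, events are triaged by that score, and rule recommendations are derived from the vulnerabilities the map already knows about. The monitored networks, host profiles, events, the sample rule name and the rule's vulnerability reference are constructed for the example.

```python
"""Impact-level correlation as an added example (not code from the deck, Cisco
or Sourcefire): an intrusion event is scored against a FireSIGHT-style network
map using the five levels listed on the slide, and rules are recommended from
the vulnerabilities the map knows about. The monitored networks, host profiles,
events and the rule's vulnerability references are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

# Networks discovery is configured to watch (constructed).
MONITORED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class HostProfile:
    """One network-map entry: what discovery has learned about a host."""
    os: str
    services: set                              # {(protocol, port), ...} seen running
    vulns: set = field(default_factory=set)    # vulnerability IDs mapped to the host


@dataclass(frozen=True)
class IntrusionEvent:
    rule: str
    dst_ip: str
    proto: str
    dst_port: int
    vuln_refs: frozenset                       # vulnerability IDs the rule references


def impact_level(event, network_map):
    """FireSIGHT impact level: 1 is most urgent, 0 is outside the monitored scope."""
    ip = ipaddress.ip_address(event.dst_ip)
    if not any(ip in net for net in MONITORED_NETWORKS):
        return 0                               # host not on a monitored network
    host = network_map.get(event.dst_ip)
    if host is None:
        return 4                               # no entry for the host in the network map
    if (event.proto, event.dst_port) not in host.services:
        return 3                               # host not running the attacked service
    if event.vuln_refs & host.vulns:
        return 1                               # service running AND vulnerability mapped
    return 2                                   # service running, no matching vulnerability


def triage(events, network_map):
    """Most urgent first: level 1, 2, 3, 4, then level 0 (out of scope) last."""
    scored = [(impact_level(e, network_map), e) for e in events]
    scored.sort(key=lambda pair: (pair[0] == 0, pair[0]))
    return [(level, e.rule, e.dst_ip) for level, e in scored]


def recommend_rules(rules, network_map):
    """Recommend enabling rules whose vulnerability references match a
    vulnerability mapped to at least one host in the network map."""
    mapped = set().union(*(h.vulns for h in network_map.values()))
    return {name for name, refs in rules.items() if refs & mapped}


# Constructed network map. CVE-2001-0500 is the IIS .ida ISAPI overflow that Code Red used.
NETWORK_MAP = {
    "10.1.1.10": HostProfile("Windows 2000", {("tcp", 80)}, {"CVE-2001-0500"}),
    "10.1.1.20": HostProfile("Linux", {("tcp", 80), ("tcp", 22)}),
    "10.1.1.30": HostProfile("Windows 2000", {("tcp", 445)}),
}
CODE_RED = frozenset({"CVE-2001-0500"})
RULE = "WEB-IIS ISAPI .ida attempt"           # sample rule name

SAMPLE_EVENTS = [
    IntrusionEvent(RULE, "10.1.1.10", "tcp", 80, CODE_RED),   # vulnerable Windows host
    IntrusionEvent(RULE, "10.1.1.20", "tcp", 80, CODE_RED),   # Linux web server
    IntrusionEvent(RULE, "10.1.1.30", "tcp", 80, CODE_RED),   # Windows host, no web service
    IntrusionEvent(RULE, "10.1.1.99", "tcp", 80, CODE_RED),   # never seen by discovery
    IntrusionEvent(RULE, "172.16.5.5", "tcp", 80, CODE_RED),  # outside monitored networks
]

if __name__ == "__main__":
    for level, rule, ip in triage(SAMPLE_EVENTS, NETWORK_MAP):
        print(f"impact {level}  {ip:<12} {rule}")
```

The five sample events hit every level: the same Code Red signature is level 1 against the Windows host whose profile carries the .ida vulnerability, level 2 against the Linux web server (service present, vulnerability absent), level 3 against a host with no web service, level 4 against an address discovery has never profiled, and level 0 outside the monitored ranges. Level 4 deserves attention of its own: a host the sensor has never seen is a visibility gap, not a safe host.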

Page 20: Cisco security the evolution continues

FireSIGHT Management Center (FMC): Intrusion Events with Impact Levels

Page 21: Cisco security the evolution continues

FireSIGHT Management Center: Threat Information

Page 22: Cisco security the evolution continues

Malware Detected & Blocked

Page 23: Cisco security the evolution continues

Anti-Malware Protection & the Attack Continuum

BEFORE: Control, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Network: Contextual Awareness, Control Automation; In-line Threat Detection and Prevention; File Retrospection, File Trajectory

Endpoint: File Execution Blocking; File Retrospection, File Trajectory, Device Trajectory, File Analysis; Indications of Compromise, Outbreak Control

Page 24: Cisco security the evolution continues


Sourcefire Deployment Options Appliance, ASA, Virtual

Page 25: Cisco security the evolution continues

Sourcefire Hardware Appliances

[Chart: IPS throughput by model, from 50 Mbps to 60 Gbps, across fixed-interface, modular-interface and stackable platforms. Models shown: 7010, 7020, 7030, 7110, 7115, 7120, 7125 (1.25 Gbps), 8120, 8130, 8140, 8250, 8260, 8270, 8290, 8350* (15 Gbps), 8360*, 8370* (45 Gbps), 8390* (60 Gbps); SSL appliances SSL1500, SSL2000, SSL8200.]

AMP optimized appliances: 8150 – 2 Gbps AMP; 7150 – 500 Mbps AMP

Appliances & SFR on ASA managed via (Defense Center) FireSIGHT Management Center: appliances manage 10, 35 or 150 devices; VM manages 2, 10 or 25 devices

Page 26: Cisco security the evolution continues

Cisco ASA Product Family - Sourcefire Services Performance Specifications (Performance and Scalability)

1 RU Platforms (ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X) – Branch Office/Internet Edge
• 200 Mbps - 2 Gbps: Firewall
• 100 – 725 Mbps: Next Gen IPS
• 30 – 160 Mbps: NGIPS, AVC, AMP*

2 RU Platforms - 5585 (ASA 5585-SSP10, ASA 5585-SSP20, ASA 5585-SSP40, ASA 5585-SSP60) – Internet Edge/Campus/Data Center
• 2 – 20 Gbps: Firewall
• 1.2 – 6 Gbps: Next Gen IPS
• 650 Mbps – 2.4 Gbps: NGIPS, AVC, AMP*

* Performance numbers to be finalized

Page 27: Cisco security the evolution continues

Security for the Virtual World

Virtual ASA - May 2014 – ver 9.2
• VMware Hypervisor (vSwitch & dvSwitch)
• Term-based licensing (vCPU, not socket)
• 4 CPU & 16 CPU Bundles only – until Dec 14
• 100 user Trial version .ova file available
• 10 Interfaces (VMware Limitation)
• Up to 200 VLAN sub-interfaces
• 1000 VxLANs – SDN/ACI support
• 1-2 Gbps versions (CPU dependent)
• Hyper-V coming late 2014

UCS | Virtual Access | Storage
• Data security: authenticate & access control
• Port security: authentication, QoS features
• Virtual Firewall: Real-time Monitoring, Firewall Rules
• Virtual Firewall / Virtual IPS
• Remote VPN to ASAv

Page 28: Cisco security the evolution continues

ASAv PERFORMANCE

Data Sheet Metric                                  1 vCPU     2 vCPU     3 vCPU     4 vCPU
Stateful Inspection Throughput (Maximum)           1 Gbps     1.2 Gbps   1.5 Gbps   2 Gbps
Stateful Inspection Throughput (Multi-Protocol)    500 Mbps   600 Mbps   750 Mbps   1 Gbps
Concurrent Sessions                                100,000    250,000    350,000    500,000
Connections Per Second                             10,000     15,000     15,000     20,000
Packets Per Second (64 Byte)                       450,000    500,000    600,000    700,000
VLANs                                              50         100        100        200
Cisco® Cloud Web Security Users                    100        250        250        500
S2S IPSec IKEv1 Client VPN User Sessions           250        250        250        750
Cisco AnyConnect® or Clientless User Sessions      250        250        250        750

Page 29: Cisco security the evolution continues

Cisco Threat Defense System – 5000 Foot View (BEFORE / DURING / AFTER; Cisco Only vs. Cisco and Others)

Collective Security Intelligence (CSI); Contextual Device, Network and End-Point Visibility; Management Interfaces

Components shown: Classic Stateful Firewall; Gen1 IPS; Application Visibility; Web—URL Controls; AV and Basic Protections; NGIPS; Vulnerability Management; *Client Anti-Malware (AMP); Correlated SIEM Eventing; Incident Control System; Network Anti-Malware Controls (AMP); Behavioral Indications of Compromise; User Identity; NGFW; Open APP-ID; SNORT Open IPS; Host Trajectory; Retrospective Analysis; NG Sandbox for Evasive Malware; Auto-Remediation / Dynamic Policies; Integrated Threat Defense System; Adaptive Security; Sandboxing; Retrospective Detection; Malware File Trajectory; Threat Hunting; Forensics and Log Management; Dynamic Outbreak Controls; URL and IP Reputation

*Agent

Page 30: Cisco security the evolution continues

Cisco Security Portfolio

IPS & NGIPS
• Cisco ASA 5500-X IPS
• Sourcefire Next Gen IPS
• Sourcefire Virtual NGIPS

Web Security
• Web Security Appliance (WSA)
• Virtual WSA
• Cisco Cloud Web Security
• CX Web Filtering

Firewall & NGFW
• Cisco ASA 5500-X Series
• Cisco ASA 5585-X
• Sourcefire Appliances

Advanced Malware Protection
• Cloud Based Analytics
• FireAMP Windows
• FireAMP Mobile
• FireAMP Virtual
• AMP Network appliance

Identity Services & Access Control
• Cisco Identity Services Engine (ISE)
• Cisco Access Control Server (ACS)

Email Security
• Email Security Appliance (ESA)
• Virtual ESA
• Cisco Cloud Email Security

UTM
• Meraki MX Series: Firewall, IPS, AVC, Anti-Malware, URL Filtering

VPN
• Cisco AnyConnect VPN
• Site to Site VPN – ASA & Router Based

Threat intelligence: Cisco SIO & Sourcefire VRT

Passive - Device, OS & Application Fingerprinting

Page 31: Cisco security the evolution continues


Web Filtering/Security Comparisons

WSA, Sourcefire, CWS, Meraki

Page 32: Cisco security the evolution continues

Cisco Web Security Options

Sourcefire (Physical or Virtual)
• Inline: Next Gen IPS - Multi-port GE/10GE/40GE
• Anti-Malware - Network & Agent based
• Web filtering
• Application control across all ports
• SIO & VRT Threat Intelligence
• Defense Center - Threat Detection Correlation view
• Internet B/W from 50 Mbps - 60 Gbps – High Performance Platform

Meraki
• Inline - Next Gen firewall plus Web filtering
• Anti-Virus, IPS (Snort)
• Cloud Managed
• Application control across all ports
• Traffic Shaping
• Simple Configuration & Monitoring
• CIPA - SafeSearch, YouTube for EDU
• Internet B/W less than 1 Gbps

Cloud Web Security (aka ScanSafe)
• Transparent Re-direct via Router, ASA, WSA, AnyConnect Agent (Win, Mac)
• Port 80/443 – SSL Decrypt
• Anti Malware from Sourcefire & multiple malware scanners
• Granular Filtering using Cisco Web Usage Control
• Web security for mobile users without the need for VPN
• SIO & VRT Threat Intelligence – Web Reputation
• Dynamic Web Categorization
• CIPA - SafeSearch, YouTube for EDU - per policy
• Internet B/W – no limit

IronPort (Web Security Appliance)
• Transparent Re-direct via WCCP or Browser Proxy
• Port 80/443 - SSL Decrypt
• Anti Malware from Sourcefire plus Sophos & McAfee
• DLP for Web
• Granular URL Filtering (CWUC)
• App Control
• Central Logging or Splunk
• Video/Audio bandwidth throttling – Media Apps
• SIO & VRT Threat Intelligence – Web Rep
• Dynamic Web Categorization & Caching
• CIPA - SafeSearch, YouTube for EDU
• Internet B/W – Depends on # of WSAs & Requests / Sec.

Page 33: Cisco security the evolution continues

Feature Comparison -- Appliance

Feature                                 Cisco WSA                                                   Sourcefire
Antimalware                             Webroot, Sophos, McAfee & now AMP                           Via Blacklist and AMP
Adaptive scanning queue                 Yes                                                         No
Zero-day protection / Threat Intel      SIO-VRT                                                     VRT-SIO
Botnet protection                       L4TM                                                        Botnet & CnC Blacklist
Data loss prevention                    On-box data controls / ICAP with third-party DLP vendors    Yes via Snort rule
Reputation filtering                    Yes                                                         Yes
URL classification                      Pre-defined & custom categories                             Yes
Dynamic classification                  Yes                                                         No
App visibility & control                Extensive and granular                                      Extensive
SaaS controls                           Yes via SAML                                                API support
Detailed threat reporting               Extensive                                                   Yes
On-box reporting                        Yes                                                         Yes
Off-box reporting                       Yes via M-Series                                            Yes via eStreamer App
Centralized admin                       Yes via M-Series                                            Yes
Deployment methods                      WCCP or PAC files                                           In-line with all traffic
Ports covered                           80, 443                                                     All

Page 34: Cisco security the evolution continues

Strong Inbound Web Protection

[Diagram: request/response pipeline with a verdict of Block, Warn, Partial Block or Allow at each stage]

Time of Request: Cisco® SIO – URL Filtering; Reputation Filter

Time of Response: Dynamic Content Analysis (DCA); Signature-based Anti-Malware Engines; Advanced Malware Protection Cloud

Page 35: Cisco security the evolution continues

Cisco IronPort Dynamic Vectoring and Streaming (DVS) Engine

Policy Management feeds the IronPort DVS Engine, which dispatches to the verdict engines: Webroot, Sophos, McAfee

• Deep content inspection - high-performance scanning
• Multiple verdict engines: Webroot, Sophos, McAfee
• Adaptive scanning is a decision engine - it decides how long an object can sit on the scanner queue
• If the object times out it is marked as Unscannable; unscannable objects can be blocked or allowed
• Assigns each transaction a Risk Score based on:
  • Web Reputation Score
  • Content type
  • AV scanners available or licensed
  • AV scanner catch rate for the content type
  • AV scanner scanning cost

NOTE: For a single policy group, you cannot use both Sophos and McAfee

Page 36: Cisco security the evolution continues

WSA: Malware Detection and Protection

Comprehensive Security Solution – Widest Signature Set Available at Gateway (total signature set: over 150,000)

Malware Detection (Layer 4 Traffic Monitor)
• Phone-home Domains
• Phone-home IPs, Subnets, CIDRs

Malware Protection (Web Proxy)
• Phishing URLs & Domains
• Malware URLs & Domains
• Malware User Agents
• Malware Signatures

Page 37: Cisco security the evolution continues

Explicit Forward Mode vs. Transparent Mode

Explicit Mode

• Client directs traffic to proxy server

• Requires no network infrastructure to redirect client request

• Proxy resolves hostname of target web server

• Authentication is straightforward

• Client config must change (several options available)

Transparent Mode

• Client directs traffic to target web server

• Network infrastructure (such as WCCP) redirects client request to proxy server

• Client resolves hostname of target web server

• Authentication can be problematic
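The difference between the two modes is visible in the first line of the request the proxy receives. The following is an added example (not code from the deck or from the WSA): a small parser that classifies a raw request as explicit or transparent and derives what the slide states about name resolution and authentication. The request bytes are constructed; the hostnames are documentation examples.

```python
"""Explicit vs. transparent proxy requests, as an added example (not from the
deck or from Cisco's WSA code). A small parser classifies a raw HTTP request
the proxy received and derives what the slide states: in explicit mode the
client names the proxy and leaves hostname resolution to it; in transparent
mode (e.g. WCCP redirect) the request looks like a direct request to the
origin, the client already resolved the name, and a proxy authentication
challenge (407) cannot be used. Request bytes are constructed samples.
"""
from urllib.parse import urlsplit


def parse_request(raw: bytes) -> dict:
    """Parse the request line and headers of an HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def classify_request(req: dict) -> dict:
    """Decide how the request reached the proxy and what that implies."""
    method, target, headers = req["method"], req["target"], req["headers"]
    if method == "CONNECT":
        # Explicit-mode TLS tunnel: "CONNECT host:port" is only ever sent to a known proxy.
        host, _, port = target.rpartition(":")
        return {"mode": "explicit", "host": host, "port": int(port),
                "resolver": "proxy", "auth_challenge": "407 Proxy-Authenticate"}
    if target.startswith(("http://", "https://")):
        # Absolute-form request-target: the client was configured with a proxy
        # (PAC, WPAD or manual settings) and did not resolve the name itself.
        u = urlsplit(target)
        return {"mode": "explicit", "host": u.hostname,
                "port": u.port or (443 if u.scheme == "https" else 80),
                "resolver": "proxy", "auth_challenge": "407 Proxy-Authenticate"}
    if target.startswith("/"):
        # Origin-form: the client believes it is talking to the web server, so it
        # already resolved the name and sent the packet to the origin IP; the
        # network (WCCP / policy routing) redirected it here. A 407 would be
        # rejected by a client that does not know a proxy exists, so the proxy
        # can only impersonate the origin (401) or redirect to a portal.
        host, _, port = headers.get("host", "").partition(":")
        return {"mode": "transparent", "host": host, "port": int(port or 80),
                "resolver": "client", "auth_challenge": "401 or captive redirect"}
    raise ValueError(f"unrecognised request-target {target!r}")


# Constructed sample requests as the proxy would see them on the wire.
EXPLICIT_GET = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
                b"Host: www.example.com\r\nProxy-Connection: keep-alive\r\n\r\n")
EXPLICIT_CONNECT = (b"CONNECT mail.example.com:443 HTTP/1.1\r\n"
                    b"Host: mail.example.com:443\r\n\r\n")
TRANSPARENT_GET = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"User-Agent: curl/7.64.0\r\n\r\n")

if __name__ == "__main__":
    for raw in (EXPLICIT_GET, EXPLICIT_CONNECT, TRANSPARENT_GET):
        print(classify_request(parse_request(raw)))
```

The practical consequence for the "authentication can be problematic" bullet: in transparent mode the proxy never receives a Proxy-Authorization header, so it either identifies the client by source IP (a surrogate that every host behind a NAT shares) or has to authenticate while pretending to be the origin, which for HTTPS only works if the proxy is also decrypting. Explicit mode keeps the proxy and the origin as separate principals, which is why the 407 exchange is straightforward there.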

Page 38: Cisco security the evolution continues

Positioning CWS Against WSA and ASA NGFW

CWS is best positioned with customers who:

• Have a distributed network with remote branches with internet breakout points and do not want to backhaul internet traffic to main HQ

• Require web protection for roaming users when off network without having to backhaul external traffic via VPN (CWS allows secure split tunnelling)

• Have existing Cisco infrastructure or are considering purchasing/upgrading firewalls and routers for easy integration and redirection to the cloud

• Have already invested or are going to invest in cloud services

• Want a centralized web filtering policy for all users, static or roaming, at all locations, and at all times

• Want comprehensive insight into web activity through flexible reports, and do not want to install any local infrastructure for reporting capabilities

Full positioning document: http://wwwin.cisco.com/data-shared/stg/pmtool/ASA_CX/ngfw_wsa_ss_positioning.pdf

Page 39: Cisco security the evolution continues

Cisco Identity Services Engine

Authentication, Authorization, and Accounting

“Who” is connecting, what access rights are assigned to them, and where is it logged?

Page 40: Cisco security the evolution continues

Cisco Secure Access Architecture with ISE: Identity and Context-Centric Security for Policy Enforcement

Security Policy Attributes: WHO, WHAT, WHERE, WHEN, HOW

Identity – User and Devices

Centralized Policy Engine – Business-Relevant Policies; Dynamic Policy & Enforcement; MDM - External Integration

Monitoring and Reporting

Security Policy Enforcement – Access Lists, VLANs, Security Tags

Page 41: Cisco security the evolution continues

Identity Services Engine Features

• Centralized Policy Enforcement
• RADIUS Server - AAA
• Secure Group Tagging
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting

Device Control
• Device Registration
• Wireless & Wired Supplicant and Certificate Provisioning
• Mobile Device Management

* Certificate Authority – AD, PKI, ISE 1.3
* Multi AD support
* MDM integration & some functions in ISE

Free ACS 5.x License with order for: ISE Base License (min. 1000 device count) & a Physical ISE Appliance

Page 42: Cisco security the evolution continues

ISE is a Standards-Based AAA RADIUS Server: an Access Control System Must Support All Connection Methods

Supports Cisco and 3rd-party solutions via standard RADIUS, 802.1X, EAP, and VPN protocols

ISE Policy Server (RADIUS); managed with Cisco Prime

• Wired and Wireless: 802.1X = EAP over LAN; WebAuth & MAC Bypass
• VPN: SSL / IPsec

Page 43: Cisco security the evolution continues

Detailed Visibility into System Operations

Page 44: Cisco security the evolution continues

ISE Session Log – Session Tracking & Searching: disconnect device; search by user / device

Page 45: Cisco security the evolution continues

Mobile Device Management (MDM): Extending “Posture” Assessment and Remediation to Mobile Devices

BEFORE DURING AFTER

Page 46: Cisco security the evolution continues

Evolving Roles of ISE and MDMs

ISE
• Classification/Profiling
• Enrollment & Registration
• Secure Network Access (Wireless, Wired, VPN)
• Context-Aware Access Control (Role, Location, etc.)
• Cert + Supplicant Provisioning
• Network Policy Enforcement

MDM
• Enterprise App Distribution & Mgmt
• Inventory/Cost Management
• Data Backup
• Policy Compliance (Jailbreak, PIN Lock, etc.)
• Data Loss Prevention (Container, encryption, wipe)
• Enterprise App Policy

ISE 1.0 & 1.1 – Native ISE functionality: Profiling, Authentication, Policy Enforcement

ISE 1.1MR (Jul ‘12) – Native ISE functionality: Enrollment/Registration, Self-Enroll Portal, Certificate Enrollment, Blacklisting

ISE 1.2 – ISE API for MDMs: Additional device data, Policy compliance, Data wipe

Page 47: Cisco security the evolution continues

ISE Integration with 3rd-Party MDM Vendors

• MDM device registration via ISE – non-registered clients redirected to MDM registration page

• Restricted access – non-compliant clients will be given restricted access based on policy

• Endpoint MDM agent – compliance; device applications check

• Device action from ISE – device stolen -> wipe data on client

Page 48: Cisco security the evolution continues

Customizable Portal Use Cases

Page 49: Cisco security the evolution continues

Guest Flow #1: Hotspot

Goal: Get them on the Internet with AUP acceptance no matter who they are, and remember who they are next time so you don’t get in their way.

Flow: 44:6D:77:B4:FD:01 → Acceptable Use Policy (“I promise to be good.”) → I Agree → Day Ends → 44:6D:77:B4:FD:01

Page 50: Cisco security the evolution continues

Self Service with SMS

Goal: Get them on the Internet as long as you have a 3rd party identifier that proves who the user is.

Page 51: Cisco security the evolution continues

Self Service with Email Verification

Fill in a simple form → check your email → connect to Wi-Fi
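The hotspot flow and the two self-service flows above share one mechanism: the endpoint is known only by its MAC address (as in MAC Authentication Bypass), and what changes is what the portal has to collect before that MAC is added to a guest endpoint group. The following is an added example (not ISE code) that models both: AUP acceptance remembered until the day ends for the hotspot case, and a one-time code delivered by SMS or email for the self-service cases. MAC addresses, contacts, timestamps, the code lifetime and the attempt limit are constructed assumptions; ISE delivers the code through an SMS gateway or SMTP server, whereas here it is returned so the example runs offline.

```python
"""Guest portal flows, as an added example (not ISE code): one small model
covers the hotspot flow (AUP acceptance remembered per MAC until the day ends)
and the self-service flows (a one-time code delivered by SMS or email proves
the user controls a third-party identifier). Endpoints are known only by MAC
address, as in MAB. MAC addresses, contacts, times and limits are constructed.
"""
import secrets
from datetime import datetime, timedelta

MAX_CODE_ATTEMPTS = 3              # assumed lockout so a 6-digit code cannot be guessed
T0 = datetime(2014, 9, 10, 9, 30)  # constructed reference time


def later(base, **delta):
    """Small helper for expressing times relative to a base (base + timedelta)."""
    return base + timedelta(**delta)


class GuestAccess:
    def __init__(self, code_ttl=timedelta(minutes=15)):
        self.endpoints = {}    # MAC -> (identity, expiry): the guest endpoint group
        self.pending = {}      # MAC -> [contact, code, expiry, failed attempts]
        self.code_ttl = code_ttl

    def authorize(self, mac, now):
        """Authorization result for a MAB request from this MAC."""
        mac = mac.upper()
        entry = self.endpoints.get(mac)
        if entry is not None and now < entry[1]:
            return "PermitAccess-Internet"          # remembered: stay out of the way
        self.endpoints.pop(mac, None)               # unknown or expired: purge, redirect
        return "Redirect-To-Guest-Portal"

    # Flow 1: hotspot. The recorded identity is "accepted the AUP", nothing more.
    def accept_aup(self, mac, now):
        day_end = datetime(now.year, now.month, now.day) + timedelta(days=1)
        self.endpoints[mac.upper()] = ("hotspot-aup", day_end)
        return day_end

    # Flows 2 and 3: self-service with SMS or email verification.
    def request_code(self, mac, contact, now):
        """Issue a one-time code for the contact the user typed into the form."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[mac.upper()] = [contact, code, now + self.code_ttl, 0]
        return code                                 # delivered out of band in ISE

    def verify_code(self, mac, code, now, valid_for=timedelta(days=1)):
        """Register the MAC if the code is current, correct and unused."""
        mac = mac.upper()
        pending = self.pending.get(mac)
        if pending is None or now >= pending[2]:
            self.pending.pop(mac, None)             # nothing pending, or code expired
            return False
        if not secrets.compare_digest(pending[1], code):
            pending[3] += 1
            if pending[3] >= MAX_CODE_ATTEMPTS:     # too many guesses: start over
                del self.pending[mac]
            return False
        del self.pending[mac]                       # single use
        self.endpoints[mac] = (pending[0], now + valid_for)   # identity = verified contact
        return True


def run_hotspot_day(portal, mac, connect_time):
    """Walk the hotspot slide's sequence and return each step's result."""
    first = portal.authorize(mac, connect_time)             # unknown MAC: portal
    portal.accept_aup(mac, connect_time)                    # "I Agree"
    again = portal.authorize(mac, later(connect_time, hours=2))   # remembered
    next_day = portal.authorize(mac, later(connect_time, days=1))  # day ended
    return [first, again, next_day]


if __name__ == "__main__":
    portal = GuestAccess()
    print(run_hotspot_day(portal, "44:6d:77:b4:fd:01", T0))
    code = portal.request_code("00:11:22:33:44:55", "+15555550100", T0)
    print(portal.verify_code("00:11:22:33:44:55", code, later(T0, minutes=1)))
    print(portal.authorize("00:11:22:33:44:55", later(T0, minutes=2)))
```

Two points the model makes explicit: a MAC address is an identifier, not a credential, so the hotspot flow records only that an AUP was acknowledged, and the self-service flows are only as strong as the delivery channel plus the code handling (single use, short lifetime, bounded attempts). The slide's "remember who they are" is the endpoint-group entry; "Day Ends" is its expiry.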

Page 52: Cisco security the evolution continues

Sponsored Flow

Guest: “Hi! Can I get on your Wi-Fi?” Sponsor: “Sure. I just need a little information.” The sponsor prints, emails and SMSes the credentials. Guest: “Cool!”

Page 53: Cisco security the evolution continues

TrustSec Enabled Network Segmentation: Campus and Branch Segmentation

Business drivers include PCI for financial data, HIPAA medical data, medical device separation within a VLAN, and access control with Secure Group Access

• Rules defined by business function & roles
• 80%+ reduction over manual rules
• Simple to add/remove rules enterprise wide
• Topology-independent
• Scalable
• One policy for wired or wireless
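What "topology-independent" and "rules defined by roles" mean in practice, as an added example (not Cisco TrustSec code): the same intent is written once as a policy matrix keyed by (source role, destination role), and then expanded into the per-subnet entries an address-based ACL would need for the same sites. Roles, subnets and the policy itself are constructed; in a real deployment ISE assigns the tag at the ingress port and the switch or firewall carries it with the frame, so the address lookup below only stands in for that classification.

```python
"""Role-based segmentation as an added example (not Cisco TrustSec code): the
intent "clinicians reach medical devices and the EHR, medical devices reach
the EHR, guests reach only the Internet" written once as a policy matrix
keyed by (source role, destination role), and expanded for comparison into
the per-subnet entries a topology-bound ACL needs. Role names stand in for
SGT numbers; roles, subnets and the policy are constructed.
"""
import ipaddress
from itertools import product

# Where members of each role currently sit: the topology the matrix ignores.
ROLE_SUBNETS = {
    "Clinician":     ["10.10.1.0/24", "10.20.1.0/24", "10.30.1.0/24"],   # three sites
    "MedicalDevice": ["10.10.2.0/24", "10.20.2.0/24"],
    "EHR":           ["10.50.0.0/24"],
    "Guest":         ["172.16.0.0/16"],
}

# Policy matrix: (source role, destination role) -> action; absent cells deny.
SGACL = {
    ("Clinician", "MedicalDevice"): "permit",
    ("Clinician", "EHR"):           "permit",
    ("MedicalDevice", "EHR"):       "permit",
    ("Guest", "Internet"):          "permit",
}


def role_of(ip, role_subnets=ROLE_SUBNETS):
    """Role (tag) for an address. Stands in for the tag ISE assigns at ingress."""
    addr = ipaddress.ip_address(ip)
    for role, subnets in role_subnets.items():
        if any(addr in ipaddress.ip_network(s) for s in subnets):
            return role
    return "Internet"      # assumed: anything outside enterprise address space


def sgt_decision(src_ip, dst_ip, role_subnets=ROLE_SUBNETS):
    """Enforcement point: look up (source tag, destination tag) in the matrix.
    Two devices in the same VLAN are still denied unless their cell permits it."""
    pair = (role_of(src_ip, role_subnets), role_of(dst_ip, role_subnets))
    return SGACL.get(pair, "deny")


def expand_to_ip_aces(role_subnets=ROLE_SUBNETS):
    """Topology-bound equivalent: one ACE per (source subnet, destination subnet)
    pair for every permitted cell (the Internet cell is default routing, not an ACE)."""
    aces = []
    for (src_role, dst_role), action in SGACL.items():
        if dst_role not in role_subnets:
            continue
        for src, dst in product(role_subnets[src_role], role_subnets[dst_role]):
            aces.append((action, src, dst))
    return aces


def rule_counts(role_subnets=ROLE_SUBNETS):
    """Matrix cells vs. address-based ACEs for the same intent."""
    return {"sgt_cells": len(SGACL), "ip_aces": len(expand_to_ip_aces(role_subnets))}


def with_new_site(role_subnets, role, subnet):
    """A new branch for a role: the matrix does not change, only the ACL expansion."""
    updated = {r: list(s) for r, s in role_subnets.items()}
    updated[role].append(subnet)
    return updated


if __name__ == "__main__":
    print(rule_counts())
    print(rule_counts(with_new_site(ROLE_SUBNETS, "Clinician", "10.40.1.0/24")))
    print(sgt_decision("10.10.2.5", "10.10.2.6"))   # device to device, same VLAN
```

With these constructed sites the four-cell matrix already expands to 11 subnet-pair entries, and adding one clinician site raises that to 14 while the matrix is untouched; the exact reduction in a real network depends on how many subnets each role spans, which is why the slide's figure is given as a rough percentage. The device-to-device check shows the "medical device separation within a VLAN" driver: the matrix has no MedicalDevice-to-MedicalDevice cell, so the traffic is denied even though both hosts share a subnet, something a subnet-based ACL on a routed interface never sees.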

Page 54: Cisco security the evolution continues
Page 55: Cisco security the evolution continues
Page 56: Cisco security the evolution continues

BEFORE: Control, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Attack Continuum

Network Endpoint Mobile Virtual Cloud

Point in time Continuous

AFTER THE ATTACK: Cross-device information sharing (evolving). Invariably some attacks will be successful, and customers need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal. They also need to address a broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself – on the network, endpoint, mobile devices, virtual environments, including cloud.

The Next Generation Security Model

Page 57: Cisco security the evolution continues

Thank you.