Posted on 03-Jun-2020

Securing Digital Business with Security Everywhere

Henry Ong, Security SE Manager - ASEAN
Global Security Sales Organization

Digital Disruption Drives the Hacker Economy

There is a multi-billion dollar global industry targeting your prized assets. Going rates shown on the slide:

• Social Security: $1
• Mobile Malware: $150
• Bank Account Info: >$1000 depending on account type and balance
• Facebook Accounts: $1 for an account with 15 friends
• Credit Card Data: $0.25-$60
• Malware Development: $2500 (commercial malware)
• DDoS as a Service: ~$7/hour
• Spam: $50/500K emails
• Medical Records: >$50
• Exploits: $1000-$300K

Size of that industry: $450 Billion to $1 Trillion (?)

© 2015 Cisco and/or its affiliates. All rights reserved.

“Cat and Mouse” Game

The Security Effectiveness Gap

Goal for Effective Security

A Threat-Centric Security Model

Attack Continuum

Point-in-Time and Continuous, across Network, Endpoint, Mobile, Virtual and Cloud

• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Premiere Portfolio in the Industry: Best of Breed | Architectural Approach

Threat Intelligence and Visibility, integrated across Cloud and Network: Web, Email, NGFW/NGIPS, Advanced Threat, Policy and Access, UTM

Integrated for Best Threat Protection

Cisco Advanced Malware Detection Lattice: Continuous Protection, Reputation Filtering, Behavioral Detection

• 1-to-1 Signatures
• Generic Signatures
• Machine Learning
• IOCs
• Dynamic Analysis
• Advanced Analytics
• Device Flow Correlation

Point-in-Time Detection Alone Will Never Be 100% Effective

• Point-in-Time Protection: File Reputation and Sandboxing
• Retrospective Security: Continuous Analysis

When Malware Strikes, Have Answers

• Where did it come from?
• Who else is infected?
• What is it doing?
• How do I stop it?

Device Trajectory, File Trajectory, File Analysis, Auto Remediation

The AMP Everywhere Architecture: AMP Protection Across the Extended Network for an Integrated Threat Defense

AMP Threat Intelligence Cloud

• AMP for Endpoints: Windows OS, Android Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for servers and datacenters
• Remote Endpoints: AMP for Endpoints can be launched from AnyConnect
• AMP on Web and Email Security Appliances
• AMP on Cisco® ASA Firewall with Firepower Services
• AMP Private Cloud Virtual Appliance
• AMP on Firepower NGIPS Appliance (AMP for Networks)
• AMP on Cloud Web Security and Hosted Email (CWS/CTA)
• Threat Grid: Malware Analysis + Threat Intelligence Engine
• AMP on ISR with Firepower Services

Shared intelligence, shared contextual awareness, consistent policy enforcement

Cisco Firepower™ Management Center, Talos, Firepower 4100 Series, Firepower 9300 Platform

Visibility: Radware DDoS, Network analysis, Email Threats, Identity and NAC, DNS, Firewall, URL

Industry's First Fully Integrated threat-focused NGFW

Correlating Weak Signals Into Indicators Of Compromise: spotlight on systems at high risk for an active breach

Supplement security with specialized protection along common attack vectors

AMP for Web and Email

File Reputation captures a fingerprint of each file as it crosses the data center. Automatically block malicious files and apply policies.

File Sandboxing analyzes unknown files that are traversing the data center. The secure environment combines human and machine analysis to generate a disposition.

File Retrospection provides continuous analysis of files over time, updating with the AMP cloud-based intelligence. If a file disposition changes to malicious, admins are notified.

Email Security Solutions: ESA
Web Security Solutions: WSA, CWS
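The three steps above (reputation lookup on a fingerprint, sandboxing of unknowns, retrospective alerting when a verdict changes) are easiest to see as one small pipeline. The following is an added example written for this page, not Cisco's or AMP's code: the cloud reputation service and the sandbox are replaced by plain dictionaries, the sample "files" are constructed byte strings, and the host names are hypothetical. It also keeps a file trajectory so the retrospective step can answer the "who else is infected?" question from the earlier slide.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set

CLEAN, MALICIOUS, UNKNOWN = "clean", "malicious", "unknown"


def fingerprint(data: bytes) -> str:
    """File Reputation step: only a SHA-256 fingerprint is sent to the lookup, not the file."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class RetrospectiveFileGuard:
    # Hypothetical stand-ins for the cloud reputation service and the sandbox;
    # both are dicts keyed by fingerprint so the example runs offline.
    reputation: Dict[str, str]
    sandbox_verdicts: Dict[str, str]
    # File trajectory: which hosts received which fingerprint. Kept so a later
    # verdict change can list every host that was exposed.
    trajectory: Dict[str, Set[str]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def inspect(self, data: bytes, host: str) -> str:
        """Disposition for a file crossing the data center; records who received it."""
        digest = fingerprint(data)
        self.trajectory.setdefault(digest, set()).add(host)
        disposition = self.reputation.get(digest, UNKNOWN)
        if disposition == UNKNOWN:
            # File Sandboxing step: unknown files are detonated and the verdict cached,
            # so the next host that sees the same file gets an immediate answer.
            disposition = self.sandbox_verdicts.get(digest, UNKNOWN)
            self.reputation[digest] = disposition
        if disposition == MALICIOUS:
            self.alerts.append(f"blocked {digest[:12]} on {host}")
        return disposition

    def update_intelligence(self, digest: str, new_disposition: str) -> List[str]:
        """File Retrospection step: apply a changed verdict and alert for each exposed host."""
        old = self.reputation.get(digest, UNKNOWN)
        self.reputation[digest] = new_disposition
        if old != MALICIOUS and new_disposition == MALICIOUS:
            exposed = sorted(self.trajectory.get(digest, set()))
            for host in exposed:
                self.alerts.append(f"retrospective: {digest[:12]} now malicious, seen on {host}")
            return exposed
        return []


# Constructed sample "files": byte strings standing in for real attachments/downloads.
KNOWN_BAD = b"constructed sample: known-bad payload"
KNOWN_GOOD = b"constructed sample: signed installer"
NEW_FILE = b"constructed sample: never seen before"


def demo() -> dict:
    guard = RetrospectiveFileGuard(
        reputation={fingerprint(KNOWN_BAD): MALICIOUS, fingerprint(KNOWN_GOOD): CLEAN},
        sandbox_verdicts={fingerprint(NEW_FILE): CLEAN},  # sandbox initially finds nothing
    )
    first = guard.inspect(KNOWN_BAD, "host-a")    # blocked straight from reputation
    second = guard.inspect(NEW_FILE, "host-b")    # unknown -> sandboxed -> allowed
    third = guard.inspect(NEW_FILE, "host-c")     # cached verdict; second host recorded
    # Later the cloud intelligence reclassifies the file: retrospection finds both hosts.
    exposed = guard.update_intelligence(fingerprint(NEW_FILE), MALICIOUS)
    fourth = guard.inspect(NEW_FILE, "host-d")    # now blocked on arrival
    return {"first": first, "second": second, "third": third, "exposed": exposed,
            "fourth": fourth, "alerts": len(guard.alerts)}


if __name__ == "__main__":
    print(demo())
```

The point of keeping the trajectory is that a point-in-time verdict is never final: the file that was allowed on host-b and host-c is only caught retrospectively, and without the record of who received it there is nothing to remediate.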

Adding Security at the DNS Layer

91.3% of malware uses DNS, yet 68% of organizations don't monitor it: a blind spot for attackers to gain command and control, exfiltrate data, and redirect traffic.

DNS is the fastest way to establish Security Everywhere

[Diagram: Internet threats (malware, C2/botnets, phishing) reaching endpoints through a first layer (DNS), a mid layer (router/UTM, sandbox, proxy, NGFW, NetFlow) and a last layer (endpoint AV)]

Benefits

• Alerts reduced 2-10x; improves your SIEM
• Block malware before it hits the enterprise
• Contains malware if already inside
• Internet access is faster, not slower
• Provision globally in under 30 minutes

• Threat Prevention: not just threat detection
• Protects On & Off Network: not limited to devices forwarding traffic through on-prem appliances
• Turnkey & Custom API-Based Integrations: does not require professional services to set up
• Block by Domains, IPs & URLs for All Ports: not just IP addresses or domains only over ports 80/443
• Always Up to Date: no need for device to VPN back to an on-prem server for updates

Umbrella
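Enforcing policy at the DNS layer means the decision is made when the name is resolved, before any connection on any port exists, which is why it is not tied to 80/443. The following is an added example for this page, not Umbrella's code: a minimal policy resolver with a domain blocklist, a sinkhole answer and a query log that closes the monitoring blind spot. The upstream resolver is a constructed dictionary, the sinkhole address is from the RFC 5737 documentation range, and the domains and client addresses are made up. The matching deliberately works on whole DNS labels so that a blocked zone covers its subdomains while look-alike names are not caught by a substring match.

```python
from typing import Dict, Iterable, List, Optional, Tuple

SINKHOLE = "192.0.2.1"  # constructed: documentation address returned for blocked names


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Bad.Example.' and 'bad.example' compare equal."""
    return name.rstrip(".").lower()


def blocked_by(name: str, blocklist: Iterable[str]) -> Optional[str]:
    """Return the blocklist entry covering `name`, matching on whole labels only.

    'cdn.bad.example' is covered by 'bad.example'; 'notbad.example' and
    'bad.example.com' are not, which a naive substring check would get wrong.
    """
    entries = set(blocklist)
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None


class PolicyResolver:
    def __init__(self, blocklist: Iterable[str], upstream: Dict[str, str]):
        self.blocklist = {normalize(d) for d in blocklist}
        self.upstream = upstream  # constructed stand-in for recursive resolution
        # Every query is logged, allowed or not: (client, qname, action, answer).
        self.log: List[Tuple[str, str, str, str]] = []

    def resolve(self, client: str, qname: str) -> Tuple[str, str]:
        q = normalize(qname)
        hit = blocked_by(q, self.blocklist)
        if hit:
            self.log.append((client, q, "blocked:" + hit, SINKHOLE))
            return "blocked", SINKHOLE
        answer = self.upstream.get(q, "NXDOMAIN")
        self.log.append((client, q, "allowed", answer))
        return "allowed", answer


def build_demo_resolver() -> PolicyResolver:
    """Constructed data: one blocked zone and a few upstream records."""
    return PolicyResolver(
        blocklist=["Bad.Example."],
        upstream={
            "www.example.com": "203.0.113.5",
            "notbad.example": "203.0.113.6",
            "cdn.bad.example": "203.0.113.7",  # exists upstream, but policy wins
        },
    )


if __name__ == "__main__":
    r = build_demo_resolver()
    for name in ("cdn.bad.example.", "notbad.example", "www.example.com", "nope.example"):
        print(name, r.resolve("10.0.0.5", name))
    print(r.log)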

A New Layer of Breach Protection

Attack Continuum

• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Consistent Protection for ANY Workload, 24 x 7

Network as a Sensor. Network as an Enforcer.

Synergies Through Integration: The Network and Security

Threats the network can see: reconnaissance, botnet, data hoarding, spreading malware, policy violation

Network as a Sensor to Identify Indicators of Compromise

Discoverable IOCs by Lancope StealthWatch:

• Host Reputation Change: inside host potentially compromised
• Denial of Service: SYN half open; ICMP/UDP/port flood
• Botnet Detection: when inside host talks to outside C&C server
• Fragmentation Attack: host sending abnormal number of malformed fragments
• Worm Propagation: worm-infected host scans, etc.
• Data Exfiltration: large outbound file transfer vs. baseline
• Network Scanning: TCP, UDP, port scanning across multiple hosts
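Two of the IOCs above, network scanning and data exfiltration against a baseline, can be computed from flow records alone, which is what "network as a sensor" means in practice. The following is an added example for this page, not StealthWatch or NetFlow code: flow records are a small dataclass, the addresses, byte counts and per-host baselines are constructed, and the thresholds are hypothetical knobs. It shows the general form of the two detections (distinct target counting per source, and outbound volume compared with a learned baseline) and handles the case of a host that has no baseline yet, which cannot be judged and must not be reported as clean.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE_PREFIX = "10.0.0."  # constructed: anything in this prefix is an inside host


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent from src to dst


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def detect_scanners(flows: List[Flow], min_hosts: int = 10, min_ports: int = 20) -> Dict[str, Tuple[int, int]]:
    """Network Scanning IOC: an inside source touching many distinct hosts or ports.

    Returns {source: (distinct_hosts, distinct_ports)} for sources over either threshold,
    so both horizontal (many hosts) and vertical (many ports) scans are caught.
    """
    targets = defaultdict(set)
    for f in flows:
        if is_inside(f.src):
            targets[f.src].add((f.dst, f.dport))
    scanners = {}
    for src, pairs in targets.items():
        hosts = {h for h, _ in pairs}
        ports = {p for _, p in pairs}
        if len(hosts) >= min_hosts or len(ports) >= min_ports:
            scanners[src] = (len(hosts), len(ports))
    return scanners


def detect_exfiltration(flows: List[Flow], baseline: Dict[str, int], factor: float = 5.0) -> Dict[str, int]:
    """Data Exfiltration IOC: outbound bytes to outside hosts far above the host's baseline.

    `baseline` is the host's normal outbound volume for the same window (constructed here;
    a real sensor learns it). Hosts without a baseline are skipped, not declared clean.
    """
    outbound = defaultdict(int)
    for f in flows:
        if is_inside(f.src) and not is_inside(f.dst):
            outbound[f.src] += f.bytes_out
    flagged = {}
    for host, total in outbound.items():
        base = baseline.get(host)
        if base is None:
            continue  # no history yet: cannot judge this host from volume alone
        if total > factor * base:
            flagged[host] = total
    return flagged


# Constructed baselines (normal outbound bytes per window); 10.0.0.11 is deliberately missing.
BASELINE = {"10.0.0.5": 1_000_000, "10.0.0.7": 10_000_000, "10.0.0.9": 50_000_000}


def sample_flows() -> List[Flow]:
    """Constructed flow records: one scanner, one normal host, one exfiltrating host."""
    flows = [Flow("10.0.0.5", f"10.0.0.{100 + i}", 445, 120) for i in range(32)]  # sweep
    flows += [Flow("10.0.0.7", "10.0.0.20", p, 4_000) for p in (80, 443, 22)]     # normal
    flows.append(Flow("10.0.0.7", "198.51.100.5", 443, 2_000_000))               # normal
    flows.append(Flow("10.0.0.9", "203.0.113.10", 443, 900_000_000))             # 18x baseline
    flows.append(Flow("10.0.0.11", "203.0.113.20", 443, 100))                    # no baseline
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("scanners:", detect_scanners(flows))
    print("exfiltration:", detect_exfiltration(flows, BASELINE))
```

The scanner detection counts distinct (host, port) pairs rather than flows, so a chatty but legitimate client talking to one server on three ports stays under the threshold while a sweep of 32 hosts on a single port is reported.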

ISE & Lancope Integration: More Intelligence and Richer Context

Identify Malicious Traffic Faster with More Context. Enhanced Visibility: User, Location, Device

Before:
• Not intuitive
• Complex
• Long time to identify
• Host 1.2.3.4 Scanning Ports of Host 3.3.3.3

Now (user, device, location):
• Host 1.2.3.4 Scanning Ports of Host 3.3.3.3
• Context attached: B. Thomas, Finance, Laptop, VPN, Seattle; POS, Ethernet, New York

Zones: Admin zone, Enterprise zone, POS zone, Vendor zone

Network as an Enforcer: make visibility actionable through segmentation and automation

• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation

Zones: Employee zone, Dev zone

Network Resources Access Policy: Traditional vs. Cisco TrustSec®

Use cases: BYOD Access, Threat Containment, Guest Access, Role-Based Access, Identity Profiling and Posture

Context: Who, What, When, Where, How, Compliant

Cisco Identity Services Engine (ISE)

A centralized security solution that automates context-aware access to network resources and shares contextual data with the network (the "door") through the ISE pxGrid controller.

Software Defined Network Segmentation with SGTs

Traditional segmentation: security policy based on topology, high cost and complex maintenance

• One VLAN per role at the access layer: Voice VLAN, Data VLAN (Employee), Supplier VLAN, Guest VLAN, BYOD VLAN, Quarantine VLAN (Non-Compliant), aggregated into the Enterprise Backbone
• Each VLAN carries its own address, DHCP scope, redundancy, routing, static ACL and VACL

TrustSec segmentation: use existing topology and automate security policy to reduce OpEx

• Same access layer with just a Voice VLAN and a Data VLAN; Employee, Supplier, BYOD and Non-Compliant hosts share the Data VLAN
• ISE assigns an Employee Tag, Supplier Tag or Non-Compliant Tag; policy is enforced by tag at the Enterprise Backbone, DC Firewall and DC Servers
• No VLAN change, no topology change, central policy provisioning, micro/macro segmentation
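The difference between the two models is easiest to see when a host moves or its posture changes: a topology-based ACL is keyed on addresses, so a new subnet needs a new rule, while a tag-based policy follows the identity. The following is an added example for this page, not ISE or TrustSec code: the subnets, tag names, policy matrix and the `classify` rule (posture failure overrides role) are all hypothetical, and the comparison function simply evaluates both models for the same employee at two locations and after a failed posture check.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

PERMIT, DENY = "permit", "deny"

# Traditional model: policy keyed on topology (source subnet -> destination subnet).
# Constructed subnets; the comment on each line is the VLAN it stands for.
TOPOLOGY_ACL: List[Tuple[str, str, str]] = [
    ("10.10.0.0/24", "10.200.0.0/24", PERMIT),  # employee VLAN at HQ -> DC servers
    ("10.20.0.0/24", "10.200.0.0/24", DENY),    # supplier VLAN -> DC servers
    ("10.99.0.0/24", "10.200.0.0/24", DENY),    # quarantine VLAN -> DC servers
]


def acl_decision(src_ip: str, dst_ip: str, default: str = DENY) -> str:
    """First matching subnet pair wins; anything the ACL never mentions falls to the default."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for src_net, dst_net, action in TOPOLOGY_ACL:
        if src in ip_network(src_net) and dst in ip_network(dst_net):
            return action
    return default


# TrustSec-style model: policy keyed on (source tag, destination tag). Hypothetical tags.
SGT_MATRIX: Dict[Tuple[str, str], str] = {
    ("Employee", "DC_Servers"): PERMIT,
    ("Supplier", "DC_Servers"): DENY,
    ("Non_Compliant", "DC_Servers"): DENY,
}


def sgt_decision(src_tag: str, dst_tag: str, default: str = DENY) -> str:
    return SGT_MATRIX.get((src_tag, dst_tag), default)


def classify(identity: Dict[str, str]) -> str:
    """ISE-like tag assignment (hypothetical rule): a failed posture check overrides the role."""
    if identity.get("posture") != "compliant":
        return "Non_Compliant"
    return identity.get("role", "Guest")


def compare_models(server: str = "10.200.0.10") -> Dict[str, str]:
    """Same employee: at HQ, at a new site the ACL never learned, and after failing posture."""
    alice = {"role": "Employee", "posture": "compliant"}
    alice_failed_posture = {"role": "Employee", "posture": "failed"}
    return {
        "acl_at_hq": acl_decision("10.10.0.15", server),
        "acl_at_new_site": acl_decision("10.30.0.15", server),  # 10.30.0.0/24 is not in the ACL
        "sgt_anywhere": sgt_decision(classify(alice), "DC_Servers"),
        # Threat containment: changing the tag quarantines the host with no VLAN or ACL edit.
        "sgt_after_failed_posture": sgt_decision(classify(alice_failed_posture), "DC_Servers"),
    }


if __name__ == "__main__":
    for key, value in compare_models().items():
        print(f"{key}: {value}")
```

The employee is permitted at HQ and silently denied at the new site under the ACL model (the site was never added), whereas the tag model gives the same answer wherever the host is; conversely, a failed posture check flips the tag and cuts off data-center access without touching a VLAN.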

Cisco Rapid Threat Containment Solution: Faster Time-to-Containment

Advanced Threat Sensors:
• Cisco ASA with Firepower Services
• FirePOWER NGIPS Appliances
• Cisco AMP for Networks
• Firepower on Cisco ISR

Threat Visibility:
• Cisco FireSIGHT Management Center
• Automated Contextual Analysis and Threat Qualification
• Continuous Threat Intelligence Updates to Threat Sensors

Automated Enforcement:
• Cisco FireSIGHT and Cisco ISE Automate Containment
• Policy Enforcement from Cisco TrustSec, Downloadable ACL, or VLAN

Detect infections earlier and act faster: Cisco 17.5 hours vs. industry TTD rate* 100 days
• Automated attack correlation
• Indications of compromise
• Local or cloud sandboxing
• Malware infection tracking
• Two-click containment
• Malware analysis

Source: Cisco® 2016 Annual Security Report
*Median time to detection (TTD)


Cisco Security Technical Alliances (CSTA): Security Across the Extended Network

Partner categories: Packet Brokering; Network Infrastructure & Policy Management; Performance Management & Visualization; Mobility; Packet Capture & Forensics; SIEM & Analytics; Remediation & Incident Response; Vulnerability Management; Custom Detection; Firewall/Access Control; IAM/SSO

Minimize Complexity, Streamline Deployment, Reduce Costs

Security Everywhere Enables Security as a Growth Engine
