yes , you can protect your endpoints!€¦ · yes , you can protect your endpoints! szilard...

Yes, You can protectyour endpoints!

Szilard Csordas, Security Consultantscsordas [at] cisco.com

Endpoint Footprint Problem:• Anti-Virus/Anti-Spyware agent

• IPSec/SSLVPN agent

• Host IPS/FW agent

• 802.1x authentication supplicant

• Data Loss Prevention(DLP) agent

• Malware Prevention agent

• Web Filtering agent

• Behavior/Heuristics agent

• More?

TOO MANY AGENTS!

Everything is Encrypted!

Introducing Anyconnect• Latest version is AnyConnect 4.3

• See table in Appendix for OS Support

AnyConnect Module Installation OptionsPackage for your Favorite Deployment Tool

Mobile installed via App Store

Group Policy

AnyConnect Module Installation Options

Client Provisioning

Automatic Upgrades from cisco.com with 4.3*

* Can be disabled some or all Users via VPN/ISE configuration

ISE posture required for any module to be installed

Deployment Use Cases• Remote Access VPN with

Centralized Controls

• Prevention / Detection• Network Visibility• Endpoint Compliance• Enterprise Access• Admin/Troubleshooting (not covered)

Remote Access VPN

Recommended for Centralized Controls• Manual – requiring the enduser to manually connect to VPN.

• Automatic using Always-On and Trusted Network Detection, requires little interaction.

Protection / DetectionAdvance Malware Protection for Endpoint (AMP4E)

Umbrella Roaming Security

What is Advanced Malware Protection for Endpoint (AMP4E)•

• Cloud connected & managed

• Focused on two modes of operation• Something I know à Prevention = Security Mode• Something I don’t know…yet à Retrospection = Incident Response Mode

• Supported on

• Deployed Standalone or AnyConnect Enabled - ISE or VPN

https://youtu.be/xvol1L80Yvs

AMP4E - How does it work?

AMPCloud

Connector records activity related to file executions

Visibility of Executions (History to Current)

TCP 443

AMP4E – Right Click on FileIs it known by Cisco?Compare with 3rd party

Dig Deeper• Analyze with AMP ThreatGrid• File Details and Network

Profile• Retrieve File

Take action• Detect • Block• Allow

AMP4E – Detailed File Analysis from ThreatGrid

AMPEasy classification by using Severity (95+

Bad, 70+ suspicious) and Confidence Threat Scoring

AMP4E – Other ways to parse

Vulnerable Software -Application <-> CVE

Prevalence – Low Execution Count (unique files worth investigation)

Analyze will trigger Fetch if file not

already in repository

AMP4E – Integration with AMP for Networks

AMP4E detected threat reported in FMC > IoCs and can include OpenIoCs

AMP4E Installed, Quarantine

AMP4E DeploymentThrough ISE or ASA or Directly from PortalAMP Enabler Profile Editor Direct from Portal / Via URL

What is Umbrella Roaming Client?• Off Trusted network protection across all ports for both Domain and IP

• Added layer of protection for existing security controls

• AnyConnect 4.3 (Windows / Mac)

• Existing Roaming Client (Windows / Mac)

How does it work? First Match Rule Table by Identity

CiscoUmbrella

EncryptedAuthenticatedDNS/IP Security Filtered

208.67.222.222208.67.220.220

On Trusted NetworkClient goes dormantNetwork is Protected

Root/SP DNS

Local Corp DNS20

Am I by protected by Umbrella?

http://welcome.opendns.com/

Phishing testing - > http://www.internetbadguys.com/

Adult Content Testing -> http://www.exampleadultsite.com

Umbrella Provides Visibility

Filtered by Identity,

Service and Date for

easy data mining and reporting

Identify Cloud services being used (Shadow IT)

Umbrella Provides Protection

Overview Security Activity

Dashboard highlighting protections

Detailed Reports by Identity, Time, Domain…etc

Integration with Cisco and 3rd

parties

Internal IP available via Virtual Appliance*

Network Visibility

Network Visibility Module

• for 4.2MR1 – 4.2.1022

• Supported on Windows and Mac devices

• Apex License Required

• Integration with Lancope 6.8, LiveAction, Splunk (Enterprise 6.0 with Collector 64-bit Linux) and Plixer

User Visibility Device Visibility

Application Visibility Location/Network DomainNetwork Visibility

Flow Collector

SMC-manager

EndpointCollector

Context Included:• User• Application• Device• Location: To / From

to Existing Alarms and Flow Data

Network NetFlow/NSEL

NVM with Stealthwatch

NVM Configuration TemplateSuppression and Throttling

<?xm l version="1.0" encoding="UTF-8"?>

Broadcast and Multicast Suppression

Throttling so not to overwhelm VPN

NVM Configuration TemplateFlexible Data Collection Policy

DataLoss is just one alarm

Suspect Data Loss: 3

Insider Threat – Bad Behavior Discovery

HTTPS Unclassified now KnownAnyConnect NVM with Lancope Stealthwatch

• Application Identified – Dropbox

• Application Hash – Who else is running?

• Identity – nedzaldivar (even without ISE or Identity, from non domain asset)

Verify Application is CorrectAnyConnect NVM with Cisco Stealthwatch

Corporate AssetsNetwork Access Manager(NAM)

What is Network Access Manager (Windows Only)• 802.1x Supplicant

• EAP-Chaining

• MacSEC

AES-128Encrypted

802.1AE – replay protection for every packetUn-Encrypted

Single Authentication/Authorization Session

EAP-Chaining – ISE Log Example

• User and Machine Tied together

• EAP-FAST Required

MacSec ISE Configuration ExampleISE Authorization Result is MacSEC

ISE Authorization Policy

Compliance(Posture)

BRKSEC-

Compliance (Posture)• Provides deep inspection in OS, File, Certificate, Registry, Anti-Virus, Anti-

Spyware, Person Firewall, Ports open, Running processes…etc

• AC Anyconnect Apex license required!

Options

• Hostscan with VPN connecting to an

• ISE Posture with connecting to Wired, Wireless or VPN using

With ASA 9.2, inline Posture node is not required. Change of Authorization is natively supported option

ISE PostureRegistry check for Machine joined to Domain

Endpoint Visibility ASA Hostscan ISE Posture

Policy Framework DAP ISE+VPN

Updates Every 3 months Dynamically

IP, Hostname, Mac address Yes Yes

Certificate Fields Yes Yes

BIOS Serial Number Yes No

Personal Firewall Yes No

File CRC32 Check Yes Yes

Disk Encryption No Yes

SHA256 File Check No Yes

USB Check No Yes*

OS Support Windows, Mac, Linux Windows, Mac

BRKSEC-2051 40

Summary

• AnyConnect reduces Agent Sprawl!

• Added Security with each module

• Provides Visibility and Control

• Complexity of networks is equal on endpoints

Thank you

yes , you can protect your endpoints!€¦ · yes , you can protect your endpoints! szilard...

Documents

windows protocols errata...windows integrated: these...

google cloud endpoints

e is for endpoint ii: how to implement the vital layers to...

rulindo.gov.rwrulindo.gov.rw/fileadmin/templates/jobs/abakozi_bashinzwe_iter...n/a...

eproc.punjab.gov.pkeproc.punjab.gov.pk/biddingdocuments/61315_bidding... ·...

securing your endpoints

eproc.punjab.gov.pkeproc.punjab.gov.pk/biddingdocuments/65442_bidding... ·...

meridian endpoints

transitional provisions -...

clinical trial endpoints for use in medical product ... - 03...

cisco endpoints endpoints • ciscoipphones,page1 •...

yes , you can protect your endpoints!...yes , you can...

· m. irfan no no no yes agreed yes yes no no 15000 yes...

© 2008 mcafee, inc. “endpoint” security defining the...

securing browsers to protect endpoints and enterprises...

north american fdi trends...cylance’s technology to our...

study endpoints

influenza endpoints during clinical trials · influenza...

3m™ novec™ 1230 fire protection fluid protect what...

testing convergence at endpoints