creating a culture of pervasive security forum 2018 - 5 mr. vats… · digital security...
Creating a Culture of Pervasive Security
Vatsun Thirapatarapong, Managing Director, Cisco Systems (Thailand)
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
An irreversible digital economy
Hyperconnectivity
Unlimited computing power
Cloud computing
Mobile computing
Continuous stream and access to information
Pervasive cybersecurity
The Digital Economy and Technology are Interconnected
Source: IDC 2016
Every organization is an IT company
Fast innovation ↔ fast IT
Data
Internet of Things
Digital security
“Trust” – The keystone of a digital company
Trust
Brand Reputation
Customers
Partner Relationships
Privacy
Digitization fundamentally changes security landscape
Speed of business
New richer targets
Increased impact/loss
Emergence of Cybercrime as-a-service
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Defending Cisco – What We Must Protect
• 122K workforce
• 170 countries
• ~3M IP addresses
• 215K infra devices
• 275K total hosts
• 2500+ IT applications
• 26K connected Cisco virtual offices
• 300 partner extranet connections
• 600+ Cloud ASPs
• 16 major Internet connections
• ~47 TB bandwidth used daily
• 50+ and growing portfolio of Cloud offers: WebEx, Meraki, Umbrella
• 1350 labs
• 180+ acquisitions
Defending Cisco – A Day in Security
• 47TB traffic inspected
• 710 security devices
• 4TB security data collected
• 1.2T security events
• 7.6B DNS records
• 14.7M intrusion alerts (IDS/IPS w/AMP)
• 350M web transactions
• 28B NetFlows
• 22 incidents managed
• 6,385,333 internet threats blocked (WSA w/AMP)
• 2,509,724 email threats blocked (ESA w/AMP)
• 282,767 host/antivirus threats blocked
• 17,000 files analyzed (AMP/Threat Grid)
The digital enterprise – Cisco circa 2007
Business process outsourcing
Business platform
Buying/selling
Supply chain partners
Business processes Products
Commercial platform
Product platform
The digital enterprise – Cisco circa 2017: Digitally aligning with our customers' transformation
Our customers' digital transformations:
• Workforce efficiency and innovation
• Customer and citizen experiences
• Process and business model disruption
Multiple consumption models – Monetization models
Buying and pricing models (powered by analytics) – Commercial platform
Digital supply chain partners – Ecosystem platform
Technology platform (digital products): IoT, Security, Network, Collaboration, Service provider, Data center, Data
Digital Security Architecture Framework – Circa 2007
Network services: Cisco network, DLP, IDS, FW, VPN …
Data security: Email Encryption, PGP
Network and system management: Logging, Monitoring, Alerting, AD, LDAP
Device security: CSA, Altiris, Credent, AV
Application and service security: XML GW, Audit
Platform security: XML GW, Audit
Traditional Perimeter: Corporate Networks; On-site Users, Endpoints, Servers, and Apps
Modern Perimeter: Cloud Applications, Hybrid Cloud, Personal Devices, Vendors & Contractors, Mobile Devices, Remote Employees
Digital Security Architecture Framework – Circa 2017
Identity and access management
Data protection program
Integrated threat defense
Monitoring everything and maturing responses
Network, Identity, Devices, Data, Application, Monitoring and response
Policy and standards
Security architecture
Threat landscape
Laws and regulations
Technology
Customer and business requirements
Risk appetite
Strategic, Operational, and Tactical Issues
26% can be addressed by products alone
74% might also require people and/or processes to address
People, Products, Policies
An overemphasis on product solutions can leave openings for attackers
Pervasive Security
Pervasive Security Framework
Trusted Resources (Private/Third Party/Hybrid Cloud)
Validated Identity
People
Governance & Operational Excellence
Adaptive Defense (Detect, Respond, Mitigate)
Governance and Operational Excellence
Pervasive Security Framework: People – Validated Identity – Trusted Resources (Private/Third Party/Hybrid Cloud) – Governance & Operational Excellence – Adaptive & Integrated Defense (Detect, Respond, Mitigate) – Comprehensive Telemetry, Integrated Intelligence, Pervasive Detection, Playbooks
Governance & Operational Excellence:
• Standards & Policies
• Risk Assessments
• Vulnerability Management
• Analytics, Metrics & Reporting
• Privacy Engineering
• Architecture Reviews
People:
• COBC
• Targeted Awareness
• Security Primes & Advocates
• Partner Security Architects
• Security Training (Ninja, SKE, EMS)
• Business Partnerships
Identity:
• Federated (Inbound/outbound)
• Strong Multi-Factor
• Posture Assessment
• Contextual Access Control (Location, Time, Role)
• Separation (User<->Admin)
Endpoint:
• Profiling
• Registration
Network:
• ESA/WSA
• AnyConnect
• Pervasive Protection
• Adaptive Access & Control
Service:
• Application
• Endpoint
• NGFW/IPS
• AMP
Data:
• Ownership
• Accountability
• Visibility
• Host
• XaaS
• ISE
• ACI
Users – Accountability
Unified Security Metrics
[Chart: SLA on-time closure % and Vulnerability open %, y-axis 0–100, quarters Q1FY12, Q1FY16, Q1FY17, Q1FY18; * = Pre USM Reporting; phases marked Implementation and Sustained Performance]
Balancing Features vs. Operational Efficacy
Requirements vs. Enhancements
People
• COBC
• Targeted Awareness
• Security Primes & Advocates
• Partner Security Architects
• Security Training (Ninja, SKE, EMS)
• Business Partnerships
Security Education Campaign – Phishing
• Phishing is #1 source of endpoint compromise
• Different levels of sophistication and difficulty each quarter
• Remember it only takes one Phish to compromise YOU
Q1: New Doctor
Q2: Background Check
Q3: Account Closing
Q4: Plan Recruitment
Partner Security Architect
InfoSec Team
• Security SMEs
• Security architecture reviews
• Trusted advisors
• Establishes security technology baselines
• Formal approval for exceptions
• Establishes corporate security policies and guidelines
Expanding Accountability
Service Executive (1 or more primes)
Service Owner (1 or more primes)
Service Security Prime
• CSO of the Service
• Single point of accountability
• Increase communication and awareness around security
Validated Identity
Identity:
• Federated (Inbound/outbound)
• Strong Multi-Factor
• Posture Assessment
• Contextual Access Control (Location, Time, Role)
• Separation (User<->Admin)
Endpoint:
• Profiling
• Registration
Trusted Device and Differentiated Access
• 28% increase in worker satisfaction
• $500K eliminated per year in device upgrade spend
• 56% case load lowered per device
Trusted device – more controls needed to scale access and services:
• Remote Wipe (Cisco Data)
• Anti-Malware
• Encryption (Cisco Data)
• Minimum OS
• Software Patching
• Rooted Device Detection (Mobile Devices Only)
• Device Registration
• Password/Screen-lock Enforcement
• Hardware/Software Inventory
• ISE Enabled Policy
Differentiated access across Identity, Application and data, and Network: Workforce, Data, ID Management, Cisco ISE, Devices, Content, Instant Messaging, Conferencing, Tagging, SDN, Cisco pxGrid, Policy Management
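A posture check in the spirit of the trusted-device controls above, as an added example that is not Cisco's code or an ISE policy: it evaluates each listed control, applies rooted-device detection to mobile platforms only, and maps the outcome to a differentiated-access tier. The tier names, the minimum OS versions and the Device fields are assumptions.

```python
from dataclasses import dataclass

# Assumed minimum OS versions per platform; the slide says only "Minimum OS".
MIN_OS = {"ios": (15, 0), "android": (11, 0), "windows": (10, 0), "macos": (12, 0)}
MOBILE = {"ios", "android"}

@dataclass
class Device:
    platform: str
    os_version: tuple
    registered: bool          # Device Registration
    screen_lock: bool         # Password/Screen-lock Enforcement
    encrypted: bool           # Encryption (Cisco Data)
    anti_malware: bool        # Anti-Malware installed and running
    patched: bool             # Software Patching up to date
    remote_wipe: bool         # Remote Wipe (Cisco Data) enrolled
    inventory_reported: bool  # Hardware/Software Inventory reported
    rooted: bool = False      # Rooted Device Detection (Mobile Devices Only)

def failed_controls(d: Device) -> list:
    """Return the trusted-device controls this device fails, in slide order."""
    checks = [
        ("Remote Wipe", d.remote_wipe),
        ("Anti-Malware", d.anti_malware),
        ("Encryption", d.encrypted),
        ("Minimum OS", d.platform in MIN_OS and d.os_version >= MIN_OS[d.platform]),
        ("Software Patching", d.patched),
        # Rooted-device detection is only evaluated for mobile platforms.
        ("Rooted Device Detection", not (d.platform in MOBILE and d.rooted)),
        ("Device Registration", d.registered),
        ("Password/Screen-lock Enforcement", d.screen_lock),
        ("Hardware/Software Inventory", d.inventory_reported),
    ]
    return [name for name, ok in checks if not ok]

def access_tier(d: Device) -> str:
    """Map posture to a differentiated-access tier (tier names are assumptions)."""
    failed = failed_controls(d)
    if not failed:
        return "trusted"        # full access to corporate applications and data
    if "Device Registration" in failed or "Rooted Device Detection" in failed:
        return "internet-only"  # unknown or compromised device: no corporate access
    return "remediation"        # registered but out of policy: patch/fix portal only

if __name__ == "__main__":
    # Constructed sample: a rooted Android phone that otherwise passes every control.
    phone = Device("android", (13, 0), True, True, True, True, True, True, True, rooted=True)
    print(failed_controls(phone), access_tier(phone))  # ['Rooted Device Detection'] internet-only
```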
Flexible Authentication Options for Users
Mobile Push · U2F · Wearables · Soft Token · HW Token · Phone Call · SMS · Biometrics
Medical and IoT Visibility
Industrial devices (factory): Cisco Industrial Network Director (IND) feeds pxGrid. IoT profiles ship with ISE 2.4; profiling data collection via pxGrid from IND.
Medical devices (hospital): 250+ medical device profiles, uploaded as XML; profiling data collection via usual means.
Visibility
AnyConnect Identity Extensions (ACIDex) | Device Sensor (DS)
Cisco ISE: The profiling service in Cisco ISE identifies the devices that connect to your network.
ACIDex: Endpoints send interesting data that reveal their device identity.
DS: Device Sensor, with Feed Service (Online/Offline).
Trusted Resources
Trusted Resources (Private/Third Party/Hybrid Cloud)
Integrated Defense:
• ESA/WSA
• AnyConnect
• Pervasive Protection
• Adaptive Access & Control
CASPR:
• Application
• Endpoint
• NGFW/IPS
• AMP
Data Protection:
• Ownership
• Accountability
• Visibility
• Host
• XaaS
• ISE
• ACI
Faster time to Detection, Faster time to Remediate
Adaptive Defense
Adaptive & Integrated Defense (Detect, Respond, Mitigate): Comprehensive Telemetry, Integrated Intelligence, Pervasive Detection, Playbooks
Adaptive Defense – Enabling active response to threats
Information Sharing
Network Services
Detection Tools
Playbook
Collect/analyze:
• 1.2T events throughout network
• 47TB traffic inspected
• 15B NetFlows analyzed/day
• 4.8B DNS records
• 4TB data collected and analyzed
• ~200 Plays
Mitigate / Remediate
What are we trying to protect? What are the threats? How do we detect them? How do we respond?
Cisco.com
• Threats: DoS attack, SQL Injection, Directory Traversal
• Detection: NetFlow monitoring, IPS/IDS detection, System Logs
• Response: Engage ISP, Investigate
Active Directory Servers
• Threats: Lateral Movement, Account Compromise, Malware
• Detection: NetFlow alerts, User Activity, HIPS logs
• Response: P1 incident, Investigate
End User Laptop
• Threats: Malware, Phishing Attacks, Driveby Download
• Detection: HIPS/AV logs, ESA logs, WSA logs
• Response: Reimage, Investigate
Machine Learning in action
Inputs: Third party datasources, Hardware sensors, Software sensors (headers and context of each and every packet in the DC)
Applications (REST / Python / Scala / SQL / R*):
• Application Dependencies Mapping
• Policies
• Baseline w/existing flows
• Infrastructure agnostic enforcement
• Deviation
• Events
• Forensics
• History
• Real time
• Simulation and impact analysis
• Investigation
• Machine Learning
• Exports / API
• Data Lake access
• Knowledge Evolutions
• New flows…
ETA, Stealthwatch and Cognitive – Seeing the unseen at machine speed
Challenge: The inability to examine encrypted traffic reduces visibility of threats active on the network.
Solution: Encrypted Traffic Analytics allows enhanced telemetry to be sent to Stealthwatch. Select events are sent to Cognitive Threat Analytics for additional analysis of potential malware. (ETA → Stealthwatch → CTA)
Result: This allowed us to use our existing infrastructure to gain insights into malicious activity that was previously unseen. We had over 99% success in true positive identification of malware within encrypted sessions using this technology.
www.cisco.com/go/securityreport
Key Takeaways
• Every company is a digital company – Trust is the keystone of a digital company
• Threat landscape continues to expand – Ransomware and exposed development systems are signs of the times
• Approach to security must keep pace – Digital security architecture must address the entire threat landscape
• Adopt integrated defense approach – Implement an architectural approach to security; automate processes to reduce time to react and contain attacks
Thank you