Arief Santoso – [email protected]
Cyber Security Specialist – GSSO, Cisco Systems
18 Jan 2018
Data is currency... and data centers need protecting
Securing your Data Center
FBI’s Most Wanted
© 2018 Cisco and/or its affiliates. All rights reserved.
Percentage of security team's time:
• 47% Servers
• 29% Customer data
• 24% Endpoints
76% of the security team's time is spent on security in the data center
How is data being stolen?
Data Center Security… It takes an architecture!
• Threat protection: "Stop the breach"
• Segmentation: "Reduce the attack surface"
• Visibility: "See everything"
Underpinned by threat intelligence (Talos), intent-based policy, automation and analytics
Building a true data center security architecture
Integrated architecture
Best of breed portfolio
Stopping the most threats in NSS Labs testing year after year
[Chart: NSS Labs results 2010–2017, Cisco vs. test average, for NGFW, NGIPS and Breach Detection Systems (Cisco AMP); y-axis 82–100%]
What best of breed security looks like!
The power of Cisco Talos!
98.9% efficacy = 6.8M missed threats/year
Point product approach fails. It takes an integrated architecture
• Threat protection: NGFW/NGIPS, Advanced Malware
• Visibility: Analytics (Stealthwatch, Tetration)
• Segmentation: Policy and Access (ISE, NGFW, Tetration, ACI)
• Management (CloudCenter, APIC, FMC, Tetration)
Tied together by pxGrid, Security Group Tag/EPG, APIs, intel sharing and automation
Data centers are changing. Cisco Security grows with you
• Traditional data center
• Virtualization and cloud
• Application centric infrastructure (ACI fabric)
Cisco datacenter security solutions – focus areas
Visibility: Network and application analytics
• Stealthwatch
• Tetration
Threat protection: Threat prevention
• NGFW/NGIPS
• Advanced Malware Protection (AMP)
Segmentation: Firewall and access control
• NGFW, ACI, Tetration
Policy Orchestration
• FMC, CloudCenter
• APIC, ISE
Integrated
See and detect more threats in your DC: Cisco Stealthwatch
Monitor
• Comprehensive, contextual network flow visibility
• Real-time situational awareness of traffic
Detect
• Detect anomalous network behavior
• Detect network behaviors indicative of threats: worms, insider threats, DDoS and malware
Respond
• Quickly scope an incident
• Network troubleshooting
• One click quarantine
Analyze
• Holistic network audit trail
• Threat hunting and forensic investigations
End-to-End Network Visibility (diagram: User, Device, Switch, Router, WAN, Router, Firewall, Data Center Switch, Server)
Greater visibility and security together: Cisco Tetration and Stealthwatch
• Threat detection and hunting
• Application traffic modeling & visibility
• Access control policy and audit
• Anomalous behavior
Integrated with other security solutions: 1+1=3
Visibility: See application components & their behavior
Cisco Tetration
• Full visibility into application components including workloads, processes and application behavior in the data center
• Application dependency mapping
• Application segmentation policies (whitelist/blacklist)
• Forensic search and application anomaly detection
Visibility: See across the enterprise network
Cisco Stealthwatch
• Enterprise-wide network visibility across users, hosts, networks, and infrastructure (switches, routers, firewalls, servers)
• Collects network flow and other data to provide network visibility for understanding network-wide traffic and discovering threats
• Real-time situational awareness of users, devices, and applications
• Network flow monitoring of policy violations validates enterprise-wide network access to facilitate compliance and segmentation requirements
Enterprise Network: Branch, Campus, Data Center, Cloud
The 360º Data Centre visibility Cisco provides
Stealthwatch & Tetration working together: pivot from Stealthwatch to the Tetration Analytics interface during an investigation
What about cloud visibility?
Stealthwatch Cloud – private network monitoring
• On-premises network monitoring
• Software as a Service (SaaS)
• Suitable for SMBs & commercial businesses
Stealthwatch Enterprise – enterprise network monitoring
• On-premises network monitoring
• On-premises virtual or hardware appliance
• Suitable for enterprises & large businesses
Stealthwatch Cloud – public cloud monitoring
• Public cloud monitoring
• Software as a Service (SaaS)
• Suitable for enterprises & commercial businesses using public cloud services
Visibility Through NetFlow
Example: packets from 10.1.8.3 to 172.168.134.2 on the Internet; routers and switches export the flow information
Flow information:
SOURCE ADDRESS 10.1.8.3
DESTINATION ADDRESS 172.168.134.2
SOURCE PORT 47321
DESTINATION PORT 443
INTERFACE Gi0/0/0
IP TOS 0x00
IP PROTOCOL 6
NEXT HOP 172.168.25.1
TCP FLAGS 0x1A
SOURCE SGT 100
: :
APPLICATION NAME NBAR SECURE-HTTP
NetFlow provides:
• A trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurements
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Indications of compromise (IOC)
• Security group information
StealthWatch System Overview
Network devices export NetFlow / NBAR / NSEL to the StealthWatch FlowCollector
• Collect and analyze
• Up to 4000 sources
• Up to 240,000 flows per second (FPS) sustained
Non-NetFlow-capable devices are mirrored (SPAN) to a StealthWatch FlowSensor, which generates NetFlow
StealthWatch Management Console
• Management and reporting
• Up to 25 FlowCollectors
• Up to 6 million FPS globally
StealthWatch System: Real-Time Visibility into All Network Layers
• Data intelligence throughout network
• Discovery of assets
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response
Diagram labels: NetFlow and Context Information into StealthWatch; Cisco® Identity Services Engine connected over pxGrid; Mitigation Action
Cisco Stealthwatch Cloud: Public Cloud Monitoring
Quick and easy security for dynamic environments
Stealthwatch Cloud data sources
Public Cloud:
• VPC Flow Logs
• Other data sources
On-premises:
• NetFlow
• Mirror port
• Other data sources
Using modeling to detect security events: Dynamic Entity Modeling
Collect Input: System Logs, Security Events, Passive DNS, External Intel, Config Changes, Vulnerability Scans, IP Meta Data
Perform Analysis: Dynamic Entity Modeling
Draw Conclusions: Group, Consistency, Rules, Forecast, Role
Questions the model answers for each device:
• What ports/protocols does the device continually access?
• What connections does it continually make?
• Does it communicate internally only?
• What countries does it talk to?
• How much data does the device normally send/receive?
• What is the role of the device?
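The modeling questions above and the NetFlow fields on the "Visibility Through NetFlow" slide, as an added example that is not part of the deck or of any Cisco product: a small Python check that learns a per-device profile from constructed NetFlow-style records (services used, internal-only behaviour, normal byte volume) and flags flows that deviate from it. The record field names, the internal address ranges and the 10x volume threshold are assumptions.

```python
# Baseline-versus-observed flow check over constructed NetFlow-style records (added example, not Cisco code).
from collections import defaultdict
from ipaddress import ip_address, ip_network

BASELINE_FLOWS = [
    {"src": "10.1.8.3", "dst": "10.1.20.5", "dport": 443, "proto": 6, "bytes": 4200},
    {"src": "10.1.8.3", "dst": "10.1.20.9", "dport": 53, "proto": 17, "bytes": 180},
]
NEW_FLOWS = [
    {"src": "10.1.8.3", "dst": "10.1.20.5", "dport": 443, "proto": 6, "bytes": 4300},
    {"src": "10.1.8.3", "dst": "203.0.113.7", "dport": 22, "proto": 6, "bytes": 250},
    {"src": "10.1.8.3", "dst": "10.1.20.5", "dport": 443, "proto": 6, "bytes": 90000},
    {"src": "10.1.9.44", "dst": "10.1.20.5", "dport": 443, "proto": 6, "bytes": 500},
]
# Assumed internal ranges; in practice these come from your own address plan.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)

def direction(flow):
    """East-west when both ends are internal, otherwise north-south."""
    return "east-west" if is_internal(flow["src"]) and is_internal(flow["dst"]) else "north-south"

def build_baseline(flows):
    """Per source device: services it continually uses, internal-only flag, normal bytes per flow."""
    seen = defaultdict(lambda: {"services": set(), "internal_only": True, "bytes": []})
    for f in flows:
        dev = seen[f["src"]]
        dev["services"].add((f["proto"], f["dport"]))
        dev["internal_only"] = dev["internal_only"] and is_internal(f["dst"])
        dev["bytes"].append(f["bytes"])
    return {src: {"services": d["services"], "internal_only": d["internal_only"],
                  "avg_bytes": sum(d["bytes"]) / len(d["bytes"])} for src, d in seen.items()}

def deviations(baseline, flows, volume_factor=10):
    """Flag flows that break a device's profile; returns (flow index, reason) pairs."""
    findings = []
    for i, f in enumerate(flows):
        dev = baseline.get(f["src"])
        if dev is None:  # a device the baseline never saw: there is no profile to compare against
            findings.append((i, "unknown source device"))
            continue
        if (f["proto"], f["dport"]) not in dev["services"]:
            findings.append((i, f"new service {f['proto']}/{f['dport']}"))
        if dev["internal_only"] and direction(f) == "north-south":
            findings.append((i, "internal-only device reached an external host"))
        if f["bytes"] > volume_factor * dev["avg_bytes"]:
            findings.append((i, "byte volume far above baseline"))
    return findings
```

Running `deviations(build_baseline(BASELINE_FLOWS), NEW_FLOWS)` flags the SSH flow to an external host, the 90 kB transfer and the never-seen source, while the routine HTTPS flow passes.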
Integrate easily with all your current systems
Diagram: Stealthwatch Cloud alongside the SaaS Management Portal, SIEM, Web Platforms, AWS (S3, SQS, SNS) and other platforms
See all public cloud activity through telemetry
AWS VPC Flow Logs feed Stealthwatch Cloud
Additional AWS data sources: Config, Lambda, Inspector, IAM, CloudTrail, CloudWatch
Require Agents
Global visibility like no one else….
24x7x365 Operations
AMP (Advanced Malware Protection)
Cisco Cognitive Threat Analytics (CTA)
Cisco Stealthwatch Cloud: Private Network Monitoring
Detect threats and see network activity using existing telemetry sources
Virtual Sensors collect from all these sources:
• NetFlow
• SIEM
• IPFIX
• DNS
• Active Directory
• Gigamon
• Any Mirror/SPAN
Telemetry comes from switches, firewalls, application servers, load balancers and mirror/SPAN ports
DNS lookups, IP traffic data and other security data go to Stealthwatch Cloud for threat detection
Use DNS lookups to link dynamic IPs to a host name
Stealthwatch Cloud fits seamlessly into your existing network architecture with no messy reorganization
Diagram: Virtual Sensors in the Data Center Segment and the Accounting Segment (off Core Switching) receive NetFlow, IPFIX and SPAN; the SIEM supplies Syslog and SNMP; the SW Cloud virtual appliance reaches Stealthwatch Cloud management and the SaaS portal over an encrypted private tunnel
Segmentation: Reduce the Attack Surface
• North-South (perimeter): Cisco NGFW
• East-West: Cisco ACI
• Process to process: Cisco Tetration
Zero Trust Segmentation
• Access all areas (edge security)
• Building access only (segmentation)
• Room access only (micro-segmentation)
Segmentation: Reduce the Attack Surface
Diagram labels: East-West, Process to Process, North-South Perimeter (one per cloud)
Segmentation across multiple clouds: Cisco NGFW, Cisco ACI, Cisco Tetration
Threat Protection: Stop the Breach
By strategically deploying threat sensors north-south and east-west (diagram: ACI, Tetration, Next-gen Firewall)
Multi-Layered Threat Sensors: Quickly detect, block, and respond dynamically when threats arise to prevent breaches from impacting the business
• Next-Gen Firewall with AMP
• Next-Gen IPS with AMP
• Stealthwatch
• Next-Gen Firewall with Radware DDoS
• Cisco ACI
• Cisco Tetration
Protect the Workload Everywhere
Pervasive Enforcement with NGFW + Identity Services Engine (ISE)
ISE + NGFW (Firepower Management Center): set access control policies
• BYOD
• Guest Access
• Segmentation
pxGrid: propagate rules and context
• User context
• Device context
• Location
• Access policies
• Threat / IOC
TrustSec + NGFW: establish a secure network
• Employee Tag, Supplier Tag, Server Tag, Guest Tag, Quarantine Tag, Suspicious Tag
ISE: policy automation
ISE + pxGrid + TrustSec + NGFW: remediate breaches automatically
Dynamic Access Control with open framework
Cisco ACI and Advanced Security
Cisco ACI + Cisco Advanced Security advantages:
• Addresses key DC challenges: threat-centric, visibility, compliance
• The only approach with a kill chain approach to the threat lifecycle
• Industry's most comprehensive threat intelligence with TALOS
• Pervasive security offering between on premise and cloud
• Elastic scale with pay-as-you-grow model
Native ACI Security
• Centralized Policy Automation
• Secure Multi-Tenancy with Whitelisting
• Attribute-Based Microsegmentation
• VM-Based Segmentation
• Industry Compliance Standards (PCI)
• ACI Group Policy
Cisco Advanced Security – ASA / Firepower / AMP
• APIC integration
• Threat-Centric Protection
• Deep traffic inspection
• Real-time Threat Intelligence
• Forensic Analysis
• Dynamic Workload Quarantine
Our customers want to feel safe… and together we can help