Yes, You can protect your endpoints! Szilard Csordas, Security Consultant scsordas [at] cisco.com

Page 1: Title

Yes, You can protect your endpoints!

Szilard Csordas, Security Consultant, scsordas [at] cisco.com

Page 2: Endpoint Footprint Problem

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Endpoint Footprint Problem:

• Anti-Virus/Anti-Spyware agent
• IPSec/SSL VPN agent
• Host IPS/FW agent
• 802.1x authentication supplicant
• Data Loss Prevention (DLP) agent
• Malware Prevention agent
• Web Filtering agent
• Behavior/Heuristics agent
• More?

TOO MANY AGENTS!

Page 3: Everything is Encrypted!

Page 4: Introducing AnyConnect

• Latest version is AnyConnect 4.3
• See table in Appendix for OS Support

Page 5: AnyConnect Module Installation Options

Package for your Favorite Deployment Tool

Mobile installed via App Store

Group Policy

Page 6: AnyConnect Module Installation Options

Client Provisioning

Automatic Upgrades from cisco.com with 4.3*

* Can be disabled for some or all users via VPN/ISE configuration

ISE posture required for any module to be installed

Page 7: Deployment Use Cases

• Remote Access VPN with Centralized Controls
• Prevention / Detection
• Network Visibility
• Endpoint Compliance
• Enterprise Access
• Admin/Troubleshooting (not covered)

Page 8: Remote Access VPN

Page 9: Recommended for Centralized Controls

• Manual – requires the end user to manually connect to VPN.
• Automatic – uses Always-On and Trusted Network Detection, requires little user interaction.

Page 10: Protection / Detection

Advanced Malware Protection for Endpoint (AMP4E)

Umbrella Roaming Security

Page 11: What is Advanced Malware Protection for Endpoint (AMP4E)

• Cloud connected & managed
• Focused on two modes of operation:
  • Something I know -> Prevention = Security Mode
  • Something I don't know…yet -> Retrospection = Incident Response Mode
• Supported on
• Deployed Standalone or AnyConnect Enabled - ISE or VPN

https://youtu.be/xvol1L80Yvs

Page 12: AMP4E - How does it work?

AMP Cloud

Connector records activity related to file executions

Visibility of Executions (History to Current)

TCP 443

Page 13: AMP4E – Right Click on File

Is it known by Cisco? Compare with 3rd party.

Dig Deeper:
• Analyze with AMP ThreatGrid
• File Details and Network Profile
• Retrieve File

Take action:
• Detect
• Block
• Allow

Page 14: AMP4E – Detailed File Analysis from ThreatGrid

Easy classification by using Severity (95+ Bad, 70+ Suspicious) and Confidence Threat Scoring

Page 15: AMP4E – Other ways to parse

Vulnerable Software - Application <-> CVE

Prevalence – Low Execution Count (unique files worth investigation)

Analyze will trigger Fetch if the file is not already in the repository

Page 16: AMP4E – Integration with AMP for Networks

AMP4E detected threat reported in FMC > IoCs and can include OpenIoCs

Page 17: AMP4E Installed, Quarantine

Page 18: AMP4E Deployment

Through ISE or ASA or Directly from Portal

AMP Enabler Profile Editor

Direct from Portal / Via URL

Page 19: What is Umbrella Roaming Client?

• Off-trusted-network protection across all ports for both Domain and IP
• Added layer of protection for existing security controls
• AnyConnect 4.3 (Windows / Mac)
• Existing Roaming Client (Windows / Mac)

Page 20: How does it work? First Match Rule Table by Identity

Cisco Umbrella

Encrypted, Authenticated DNS/IP, Security Filtered

208.67.222.222 / 208.67.220.220

On Trusted Network: Client goes dormant, Network is Protected

Root/SP DNS

Local Corp DNS

Page 21: Am I protected by Umbrella?

http://welcome.opendns.com/

Phishing testing -> http://www.internetbadguys.com/

Adult Content Testing -> http://www.exampleadultsite.com

Page 22: Umbrella Provides Visibility

Filtered by Identity, Service and Date for easy data mining and reporting

Identify Cloud services being used (Shadow IT)

Page 23: Umbrella Provides Protection

Overview Security Activity

Dashboard highlighting protections

Detailed Reports by Identity, Time, Domain…etc

Integration with Cisco and 3rd parties

Internal IP available via Virtual Appliance*

Page 24: Network Visibility

Page 25: Network Visibility Module

• for 4.2MR1 – 4.2.1022
• Supported on Windows and Mac devices
• Apex License Required
• Integration with Lancope 6.8, LiveAction, Splunk (Enterprise 6.0 with Collector 64-bit Linux) and Plixer

User Visibility, Device Visibility, Application Visibility, Location/Network Domain, Network Visibility

Page 26: NVM with Stealthwatch

AWAY / WORK

Flow Collector

SMC-manager

Endpoint Collector

Network NetFlow/NSEL

Context Included (added to Existing Alarms and Flow Data):
• User
• Application
• Device
• Location: To / From

Page 27: NVM Configuration Template - Suppression and Throttling

<?xml version="1.0" encoding="UTF-8"?>
<NVMProfile xsi:noNamespaceSchemaLocation="NVMProfile.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- profile body not shown in the transcript -->
</NVMProfile>

Broadcast and Multicast Suppression

Throttling so as not to overwhelm the VPN

Page 28: NVM Configuration Template - Flexible Data Collection Policy

Page 29: Data Loss is just one alarm

Suspect Data Loss: 3

Page 30: Insider Threat – Bad Behavior Discovery

Page 31: HTTPS Unclassified now Known - AnyConnect NVM with Lancope Stealthwatch

• Application Identified – Dropbox
• Application Hash – Who else is running?
• Identity – nedzaldivar (even without ISE or Identity, from a non-domain asset)
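The three NVM-to-Stealthwatch pivots shown on slides 26, 29 and 31 (enrich a network flow with endpoint context, raise a suspect-data-loss alarm for off-network transfers, and ask who else runs a given application hash), as an added Python example that is not part of the deck or of Cisco's products. The record layouts, host names, hashes and the 1 GB threshold are constructed assumptions, not the real NVM/IPFIX or Stealthwatch formats.

```python
from collections import defaultdict

# Constructed sample records (not Cisco's real NVM/IPFIX or Stealthwatch export formats).
# NETFLOW: what a network sensor sees for a flow. NVM: the endpoint-side record for the
# same flow plus the context NVM adds (user, process, process hash, device, location).
NETFLOW = [
    {"src": "10.1.5.23", "sport": 51001, "dst": "203.0.113.10", "dport": 443, "bytes": 900_000_000},
    {"src": "10.1.5.23", "sport": 51002, "dst": "203.0.113.10", "dport": 443, "bytes": 300_000_000},
    {"src": "10.1.5.77", "sport": 40233, "dst": "198.51.100.5", "dport": 443, "bytes": 12_000},
    {"src": "10.1.5.90", "sport": 33001, "dst": "192.0.2.8", "dport": 443, "bytes": 4_000},  # no NVM record
]
NVM = [
    {"src": "10.1.5.23", "sport": 51001, "dst": "203.0.113.10", "dport": 443, "bytes_out": 900_000_000,
     "user": "nedzaldivar", "device": "LT-0421", "app": "Dropbox.exe", "app_hash": "HASH-A", "location": "AWAY"},
    {"src": "10.1.5.23", "sport": 51002, "dst": "203.0.113.10", "dport": 443, "bytes_out": 300_000_000,
     "user": "nedzaldivar", "device": "LT-0421", "app": "Dropbox.exe", "app_hash": "HASH-A", "location": "AWAY"},
    {"src": "10.1.5.77", "sport": 40233, "dst": "198.51.100.5", "dport": 443, "bytes_out": 12_000,
     "user": "jsmith", "device": "LT-0199", "app": "Dropbox.exe", "app_hash": "HASH-A", "location": "WORK"},
]

FLOW_KEY = ("src", "sport", "dst", "dport")  # TCP assumed, so protocol is left out of the key


def enrich(netflow, nvm):
    """Join network flows to NVM records on the flow key: a port-443 flow the network sees only
    as 'HTTPS unclassified' gains user, device and application; unmatched flows get None."""
    ctx = {tuple(r[k] for k in FLOW_KEY): r for r in nvm}
    out = []
    for f in netflow:
        r = ctx.get(tuple(f[k] for k in FLOW_KEY), {})
        out.append({**f, "user": r.get("user"), "device": r.get("device"), "app": r.get("app")})
    return out


def suspect_data_loss(nvm, threshold=1_000_000_000, location="AWAY"):
    """Sum outbound bytes per (user, device, app) for flows sent while off the trusted network
    and return the keys at or above the threshold (an assumed, environment-specific value)."""
    totals = defaultdict(int)
    for r in nvm:
        if r["location"] == location:
            totals[(r["user"], r["device"], r["app"])] += r["bytes_out"]
    return sorted(k for k, v in totals.items() if v >= threshold)


def who_else_runs(nvm, app_hash):
    """Prevalence pivot on the process hash: which (user, device) pairs have run this binary."""
    return sorted({(r["user"], r["device"]) for r in nvm if r["app_hash"] == app_hash})
```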

Page 32: Verify Application is Correct - AnyConnect NVM with Cisco Stealthwatch

Page 33: Corporate Assets - Network Access Manager (NAM)

Page 34: What is Network Access Manager (Windows Only)

• 802.1x Supplicant
• EAP-Chaining
• MACsec

AES-128 Encrypted

802.1AE – replay protection for every packet

Un-Encrypted

Single Authentication/Authorization Session

Page 35: EAP-Chaining – ISE Log Example

• User and Machine Tied together
• EAP-FAST Required

Page 36: MACsec ISE Configuration Example

ISE Authorization Result is MACsec

ISE Authorization Policy

Page 37: Compliance (Posture)

BRKSEC-

Page 38: Compliance (Posture)

• Provides deep inspection of OS, File, Certificate, Registry, Anti-Virus, Anti-Spyware, Personal Firewall, open ports, running processes…etc
• AnyConnect Apex license required!

Options:
• Hostscan with VPN connecting to an
• ISE Posture with connecting to Wired, Wireless or VPN using

Page 39: ISE Posture

With ASA 9.2, an inline Posture node is not required. Change of Authorization is a natively supported option.

ISE Posture: Registry check for Machine joined to Domain

Page 40: Endpoint Visibility - ASA Hostscan vs ISE Posture

Endpoint Visibility          ASA Hostscan            ISE Posture
Policy Framework             DAP                     ISE+VPN
Updates                      Every 3 months          Dynamically
IP, Hostname, MAC address    Yes                     Yes
Certificate Fields           Yes                     Yes
BIOS Serial Number           Yes                     No
Personal Firewall            Yes                     No
File CRC32 Check             Yes                     Yes
Disk Encryption              No                      Yes
SHA256 File Check            No                      Yes
USB Check                    No                      Yes*
OS Support                   Windows, Mac, Linux     Windows, Mac

BRKSEC-2051

Page 41: Summary

• AnyConnect reduces Agent Sprawl!
• Added Security with each module
• Provides Visibility and Control
• Complexity of networks is equal on endpoints

Page 42: Thank you