BRKCRS-1449 - DNA For Securing Enterprise Networks 2018
Architecture for Securing Enterprise Networks
Jerome Dolphin, Systems Engineer
CCIE#17805, CCDE#2013::3
jedolphi@cisco.com
BRKCRS-1449
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Abstract
There are two approaches to network security: one is an overlay security architecture, which most of the ‘security only’ companies tend to believe in, and the other is a comprehensive, network-enabled approach to cybersecurity, which we at Cisco believe in.
In this introductory session you will learn why enterprise security has to be multilayered, and how Cisco’s network enables you to do ‘Security Everywhere’. During the course of the session you will learn how to quickly identify, isolate, and counter cyber-threats through network visibility and enforcement with Cisco Stealthwatch, Cognitive Threat Analytics, Identity Services Engine and TrustSec. You will also learn how integrated security solutions such as Cisco Advanced Malware Protection implement effective threat defence for the enterprise branch.
Before We Start
And, Please Fill Out the Survey
Cisco Digital Network Architecture (diagram)
Network-enabled Applications
Security and Compliance | Virtualisation
Open and Programmable | Standards-Based
Physical and Virtual Infrastructure | App Hosting
Cloud-enabled | Software-delivered
2017 Cisco Annual Cybersecurity Report
• Expanding attack surface
• Multi-stage, multi-vector threats
• Defenders under-resourced
• Flooded with products
https://www.cisco.com/c/m/en_au/products/security/offers/annual-cybersecurity-report-2017.html
Security is Fundamentally… Visibility and Control
Context Based Visibility and Control (diagram: Employee, Supplier Server and Shared Internet Server endpoints attached to the Network Fabric, with allowed traffic, denied traffic and a Quarantine / High Risk Segment)
Easier to create & apply policy based on such context.
For Example… (diagram: Internet)
https://www.reddit.com/r/talesfromtechsupport/comments/6ovy0h/how_the_coffeemachine_took_down_a_factories/
Policy and Access
Agenda: Start, Policy and Access, Segmentation, Behavioural Analysis, Advanced Malware Protection, Rapid Threat Containment, Conclusion
Cisco ISE and AnyConnect (diagram: Cisco ISE gathers WHO / WHEN context and exchanges it with SIEM, MDM, NBA, IPS, IPAM, etc.)
A Cisco Network Enables Device Profiling (diagram: endpoints send interesting data that reveal their device identity to Cisco ISE; sources labelled DS, DS Feed Service (Online/Offline) and ACIDex)
Active and Passive Methods to Build ‘User’ Context (diagram)
• Passive Identity: Jim logs in to AD as DOMAIN\Jim, and the “Jim logged in” event is learned by Cisco ISE.
• Active Identity: Alice authenticates, Cisco ISE asks AD “Alice?”, and AD answers “Yes”.
Visibility into Users and Groups
Visibility into Endpoint Applications (diagram: Cisco AnyConnect 4.4 and Cisco ISE provide Who / What / When / Where / How context across Wired / WLAN / VPN access, plus Posture, Threat, Vulnerability and Application visibility)
ISE Also Checks…
Check endpoint health: posture defines the state of compliance with the company’s security policy.
1. AUTHENTICATE USER/DEVICE
2. Posture: Unknown / Non-Compliant? Then QUARANTINE: Limited Access (VLAN / dACL / SGTs)
3. POSTURE ASSESSMENT: check Hotfix, AV, Pin lock, Jail broken, etc. (Anti-Virus?)
4. REMEDIATION: WSUS, Launch App, Scripts, MDM, etc.
5. AUTHORISATION CHANGE: Full Access (VLAN / dACL / SGTs)
Platform integrations: Qualys, Antivirus, Microsoft SCCM, Mobile Device Management (MDM Service).
Authorisation – Control Access (diagram)
Access is controlled per port / per domain / per MAC through VLAN assignment (e.g. Remediation, Guest VLAN 4, Employees, Contractor VLAN 3), downloadable ACLs (permit ip any any; or deny ip host <protected> followed by permit ip any any), and 16 bit SGT assignment with SGT based access control for Employees.
Sharing Context
Sharing is securing.
Enhance Context (for access policy): Threat, Vulnerability Index, MDM attributes, etc.
Cisco ISE context: Who / What / When / Where / How / Posture / Threat / Vulnerability.
Sharing mechanisms: SYSLOG, pxGrid, REST API.
Eco System Partners: Vulnerability Management, NGFW Firewall, IDS/IPS, Web Security, Log Management, Cloud Service, IPAM.
Contextual Actions: identity based firewall policies, vulnerability based cloud access, user / group based behavioural analysis, etc.
More on Cisco ISE
FOR YOUR REFERENCE
• Online content
• http://www.cisco.com/go/ise
• https://www.youtube.com/c/ciscoisenetworksecurity
Segmentation
Traditional Segmentation is Operationally Heavy
Enforcement: IP based policies (ACLs, firewall rules), for example:
access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
Propagation: carry segment context over the network through VLAN tags / IP address / VRF.
Classification: static / dynamic VLAN assignments (Non-Compliant, Voice, Employee, Supplier, BYOD).
Diagram layers: Applications, Enterprise Backbone, Aggregation Layer, Access Layer, each with its own static ACL / VACL, routing, redundancy, DHCP scope, addressing and VLAN maintenance.
Limitations of Traditional Segmentation:
• Security policy based on topology
• High cost and complex maintenance
Introducing Cisco TrustSec (diagram: ISE with a Directory, Remote Access users and Production Servers; label “8 SGT”)
Egress Policy (Source × Destination):
Source \ Destination | App_Serv | Prod_Serv
Employee | Permit All | Deny All
App_Serv | Permit All | Deny All
Prod_Serv | Deny All | Permit All
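The egress matrix above is easier to reason about as code. This is an added example, not Cisco or ISE code: a toy model of the three TrustSec stages (classification to an SGT, propagation of the tag rather than an address, and enforcement by a source-SGT × destination-SGT lookup). The SGT numbers, IP addresses and the treatment of cells the slide does not show are assumptions.

```python
"""Toy TrustSec pipeline (added example, not Cisco code): classify -> propagate
-> enforce.  Roles, SGT values and IP addresses are constructed assumptions."""

# Classification: role -> 16-bit SGT (values assumed for the example)
SGT_BY_ROLE = {"Employee": 4, "App_Serv": 10, "Prod_Serv": 11}
ROLE_BY_SGT = {v: k for k, v in SGT_BY_ROLE.items()}

# Enforcement: the egress policy matrix from the slide, keyed (source, destination)
EGRESS_MATRIX = {
    ("Employee", "App_Serv"): "permit", ("Employee", "Prod_Serv"): "deny",
    ("App_Serv", "App_Serv"): "permit", ("App_Serv", "Prod_Serv"): "deny",
    ("Prod_Serv", "App_Serv"): "deny",  ("Prod_Serv", "Prod_Serv"): "permit",
}
# Cells the slide does not show (e.g. traffic back to Employee) are treated as
# deny here; in a real deployment the default policy is configured explicitly.
DEFAULT_ACTION = "deny"


def classify(role_by_ip, ip):
    """ISE assigns the SGT at authentication time; a lookup stands in here."""
    return SGT_BY_ROLE[role_by_ip[ip]]


def propagate(src_sgt, dst_ip):
    """Model of the tag travelling with the packet (inline CMD or an SXP binding).
    Only the SGT reaches the enforcement point, not the source address."""
    return {"sgt": src_sgt, "dst_ip": dst_ip}


def enforce(tagged_packet, role_by_ip):
    """Look up the (source SGT, destination SGT) cell of the egress matrix."""
    src_role = ROLE_BY_SGT[tagged_packet["sgt"]]
    dst_role = role_by_ip[tagged_packet["dst_ip"]]
    return EGRESS_MATRIX.get((src_role, dst_role), DEFAULT_ACTION)


def decide(role_by_ip, src_ip, dst_ip):
    """Full pipeline: classification -> propagation -> enforcement."""
    return enforce(propagate(classify(role_by_ip, src_ip), dst_ip), role_by_ip)


def readdress_demo():
    """Moving a server to a new subnet changes no policy, only its binding.
    With IP ACLs every rule naming the old address would need rewriting."""
    roles = {"10.1.5.20": "Employee", "10.4.9.5": "App_Serv", "10.0.1.2": "Prod_Serv"}
    before = decide(roles, "10.1.5.20", "10.0.1.2")    # Employee -> Prod_Serv
    roles["192.168.77.9"] = roles.pop("10.0.1.2")        # Prod_Serv re-addressed
    after = decide(roles, "10.1.5.20", "192.168.77.9")
    return before, after


if __name__ == "__main__":
    print(readdress_demo())  # ('deny', 'deny')
```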
CLASSIFICATION / PROPAGATION / ENFORCEMENT – Classification (diagram: Campus Access, Distribution, Core, DC Core and DC Access across the Enterprise Backbone; classification by MAB at the access layer)
CLASSIFICATION / PROPAGATION / ENFORCEMENT – Propagation
IETF drafts: http://tinyurl.com/sgt-draft and http://tinyurl.com/sxp-draft
• LISP: SGT (16 bit) insertion in the Nonce field (24 bit)
Diagram: switches and routers carry the tag inline over ETHERNET and IPSEC; SXP Speaker and Listener exchange IP-to-SGT bindings (SGT 6 for 10.4.9.5, SGT 5 for 10.0.1.2) towards routers (SXP aggregation) and the firewall.
CLASSIFICATION / PROPAGATION / ENFORCEMENT – Enforcement
CLASSIFICATION / PROPAGATION / ENFORCEMENT – Deploy
TrustSec Reduces Operational Costs for Segmentation
“Based on the results of the PCI validation and PCI Internal Network Penetration and Segmentation Test, it is Verizon’s opinion that Cisco TrustSec can successfully perform network segmentation, for the purpose of PCI scope reduction.”
http://bit.ly/pci-trustsec-report
“Cisco has made great strides in integrating support for the TrustSec framework across its product lines” - “Flexibility to Segregate Resources Without Physical Segmentation or Managing VLANs” - “Reduction in ACL Maintenance, Complexity and Overhead”
http://blogs.cisco.com/security/gartners-perspective-on-cisco-trustsec
“Cisco TrustSec enabled the organisations interviewed, to reduce operational costs by avoiding additional IT headcount, deploy new environments faster, and implement consistent and effective network segmentation resulting in lower downtime.”
http://bit.ly/ts-forrester-report
More on Cisco TrustSec
FOR YOUR REFERENCE
• Online content
• https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html
Behavioural Analysis
Stealthwatch in a Nutshell (diagram: Network Transactional and Contextual Intelligence plus Identity feed the Analytics Engine, producing Actionable Outcomes)
Cisco Stealthwatch is a collector and aggregator of network telemetry for the purposes of data modelling, security analysis and monitoring.
Conversational Flow Record => The General Ledger (diagram: Who, What, When, Where, How, and more context)
Stealthwatch System Components
Stealthwatch Cloud
• Cloud hosted; SaaS
• Public cloud (IaaS) monitoring
• On-prem visibility for small deployments
Stealthwatch Enterprise
• On-premises appliances
• On-premises visibility and telemetry collection
• Stealthwatch Cloud (Coming 6.10.2)
Stealthwatch Enterprise System Components (diagram)
Stealthwatch Cloud Threat Intelligence: known C&C servers; TOR entrance & exits.
Cognitive Analytics: cloud hosted analytics; Global Risk Map (Cognitive Analytics License).
Host Groups: Logical Buckets of IP Space
• Hierarchical structure
• IP address list
• Inter-system relationships
Examples:
• My DNS Servers are 10.1.1.10 and 10.1.1.11
• All my POSs are 10.20.20.0/24
• My HQ is 10.0.0.0/8
• Etc.
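The three host-group examples above can be turned into a small classifier. This is an added example, not Stealthwatch code: it builds the hierarchy from prefix containment, tags both ends of a conversational flow record with their host-group path, and checks one constructed group policy in the spirit of the later “Modeling Group Policy” slide. Group names, the policy and the sample flows are assumptions.

```python
"""Host groups as hierarchical buckets of IP space (added example, not
Stealthwatch code).  Group names, policy and flows are constructed."""
import ipaddress

# Host group definition: name -> prefixes (taken from the slide's examples)
HOST_GROUPS = {
    "HQ": ["10.0.0.0/8"],
    "DNS Servers": ["10.1.1.10/32", "10.1.1.11/32"],
    "POS Terminals": ["10.20.20.0/24"],
}


def _networks():
    """Flatten to (network, group) pairs, most specific prefix first."""
    pairs = [(ipaddress.ip_network(p), g) for g, ps in HOST_GROUPS.items() for p in ps]
    return sorted(pairs, key=lambda t: t[0].prefixlen, reverse=True)


def classify(ip):
    """Return the hierarchy path for an address, outermost group first.
    The hierarchy is derived from prefix containment, e.g. HQ > DNS Servers."""
    addr = ipaddress.ip_address(ip)
    path = [g for net, g in _networks() if addr in net]
    return list(reversed(path)) if path else ["Outside Hosts"]


def annotate_flow(flow):
    """Add host-group context to a conversational flow record (src/dst keys)."""
    return {**flow, "src_groups": classify(flow["src"]), "dst_groups": classify(flow["dst"])}


# Constructed group policy: POS terminals should never talk directly to hosts
# outside the enterprise, whatever the port.
def check_policy(flow):
    """Return an alarm string when the flow violates the POS policy, else None."""
    a = annotate_flow(flow)
    if "POS Terminals" in a["src_groups"] and a["dst_groups"] == ["Outside Hosts"]:
        return f"POS host {flow['src']} talked to outside host {flow['dst']}:{flow['dport']}"
    return None


if __name__ == "__main__":
    # Constructed sample flows
    for f in ({"src": "10.20.20.5", "dst": "10.1.1.10", "dport": 53},
              {"src": "10.20.20.5", "dst": "203.0.113.9", "dport": 443}):
        print(annotate_flow(f), check_policy(f))
```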
Stealthwatch Learning Engines
Stealthwatch “On Box”: Behavioural Analysis; Anomaly detection through statistical learning; Unsupervised Learning Engine; User Defined Behaviour Analysis.
Cognitive Analytics: Cloud Hosted; Multi-layer Machine Learning; Anomaly detection through statistical learning; Supervised Learning Engine; Malware classification.
Stealthwatch Cloud: SaaS delivered; Behavioural Analysis; Anomaly detection through statistical learning; Role Classification.
Stealthwatch Enterprise “On-Box” Security Model
Alarm Categories
Modeling Group Policy in Stealthwatch
Stealthwatch Engine Placement (diagram)
Telemetry sources (NetFlow & IPFIX) feed the Flow Collector:
• Create the “General Ledger”
• Policy and Behavioural Analytics
• Statistical Learning, Anomaly detection
The Flow Collector sends to Cognitive Analytics over HTTPS:
• Proxy log table
• Bi-flows for: from inside to outside (default); DNS from inside to anywhere; from configured groups to outside and other configured groups
Detections are returned.
Cognitive Analytics and Supervised Learning (diagram: Enhanced NetFlow Exporter)
Major Use Cases:
• Cryptographic Compliance Audit
• Threat detection without decryption
Crypto Compliance (ETA)
Are my services cryptographically compliant?
Branch routers (ASR 1000 Series, 4000 Series ISR, CSR, ISRv), Cisco IOS® XE 16.6.2; included in the SEC/k9 license.
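The crypto compliance audit works because the protocol version and cipher suites a client offers travel in the clear in the TLS ClientHello, before any encryption starts. This is an added example, not Cisco ETA code: it parses a ClientHello from raw bytes and applies a constructed policy (TLS 1.2 or later, no weak suites). The builder that produces the sample hello, the cipher-suite table subset and the policy thresholds are assumptions.

```python
"""Crypto compliance without decryption (added example, not Cisco ETA code):
audit the cleartext TLS ClientHello.  Builder and policy are assumptions."""
import struct

TLS12 = 0x0303
SUITE_NAMES = {  # small subset of the IANA cipher suite registry
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
WEAK_MARKERS = ("RC4", "3DES", "NULL", "EXPORT", "MD5")


def build_client_hello(version, suites):
    """Construct a minimal TLS record carrying a ClientHello (sample input only)."""
    body = struct.pack(">H", version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                             # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1 = ClientHello
    return b"\x16" + struct.pack(">H", 0x0301) + struct.pack(">H", len(hs)) + hs


def parse_client_hello(record):
    """Extract the offered protocol version and cipher suites; nothing is decrypted.
    (A TLS 1.3 client still puts 0x0303 here and signals 1.3 in an extension.)"""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                                    # skip client random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites


def audit(record):
    """Apply the constructed compliance policy: TLS 1.2+ and no weak suite offered."""
    version, suites = parse_client_hello(record)
    findings = []
    if version < TLS12:
        findings.append(f"legacy protocol version 0x{version:04x} offered")
    for s in suites:
        name = SUITE_NAMES.get(s, f"unknown suite 0x{s:04x}")
        if any(m in name for m in WEAK_MARKERS):
            findings.append(f"weak cipher suite offered: {name}")
    return {"version": version, "suites": suites, "compliant": not findings, "findings": findings}


if __name__ == "__main__":
    print(audit(build_client_hello(0x0301, [0x0005, 0x002F])))   # constructed legacy client
    print(audit(build_client_hello(0x0303, [0xC02F, 0xC030])))   # constructed compliant client
```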
More on Cisco Stealthwatch
FOR YOUR REFERENCE
• Online content
• http://www.cisco.com/go/stealthwatch
• http://cs.co/ats-youtube
• Cognitive Analytics:
• https://www.ciscolive.com/global/on-demand-library/?search=BRKSEC-2444#/session/1473287217533001vYSn
• https://www.cisco.com/c/en/us/solutions/enterprise-networks/enterprise-network-security/eta.html
• https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/bartos
Advanced Malware Protection
It’s Impossible to Block 100% of Threats, 100% of the Time (diagram)
Do Security Different!
• Plan A: Prevention
• Speed: real-time, dynamic decisions trained on real-world data
• High accuracy, low false positives / negatives
• Raise the bar, reduce attack surface
• Mode: Constant Security Control
• Plan B: Retrospection
• Track system behaviours regardless of disposition
• “In-flight” correction (machine learning)
• Contain & correct damage, expel embedded intruders
• Reveals malicious activity
• Mode: Continuous Incident Response
AMP Everywhere Threat Defence (diagram: Visibility, Threat Intelligence, WWW)
AMP Everywhere Architecture (diagram: Threat Grid, Talos, AMP Cloud)
AMP for Endpoints – Next Generation Endpoint Security
AMP for Endpoints Philosophy
How Does it Work?
AMP Unity – See Once, Protect Everywhere (diagram: the AMP Cloud shares common objects, global trajectory, whitelists and blacklists across products)
Advanced Malware Protection Summary
More on Advanced Malware Protection
FOR YOUR REFERENCE
• Online content
• http://www.cisco.com/go/amp
• http://cs.co/ats-youtube
Rapid Threat Containment
Threat Containment
Rapid Threat Containment w/ Stealthwatch & ISE (diagram: Controller, NGFW, FMC, Flow Collector, i-Net, WWW)
1. SW is analysing flows from the Flow Collector
2. SW is also merging identity data from ISE
3. Admin is alerted of suspicious behaviour
4. Admin initiates endpoint quarantine (EPS over pxGrid)
5. Endpoint assigned Quarantine + CoA-Reauth sent
6. New traffic rules apply to the new state of the endpoint
Threat Containment
Rapid Threat Containment with Firepower Management Centre and ISE (diagram: Controller, MnT, NGFW, FMC, i-Net, WWW)
1. Security events / IOCs reported
2. Correlation rules trigger remediation action
3. pxGrid EPS action: Quarantine + Re-Auth
4. Endpoint assigned Quarantine + CoA-Reauth sent
Threat Containment
Rapid Threat Containment with AMP, FMC and ISE (diagram: Controller, MnT, NGFW, FMC, i-Net, WWW)
1. Threat / IOCs reported
2. Correlation rules trigger remediation action
3. pxGrid EPS action: Quarantine + Re-Auth
4. Endpoint assigned Quarantine + CoA-Reauth sent
More on Rapid Threat Containment
FOR YOUR REFERENCE
• Online content
• http://www.cisco.com/go/rtc
Conclusion
Complete Your Online Session Evaluation
• Give us your feedback and receive a Cisco Live 2018 Cap by completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Mobile App.
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Global.
Digital Network Architecture for Enterprise Security (diagram: Network Integrated Security across Services, Branch Office, Data Center, Campus Network and Internet)
Thank you