
Security as a Foundation for SP Digital Transformation
December 2017
Our Presenters
Amy Henderson, Security Services Portfolio Manager
Amy Henderson is the Security Services portfolio manager for Advanced Services at Cisco. She has over 5 years of experience as a product manager developing IT-based services to help clients simplify their lives and meet their business objectives.

Taslimm Quraishi, Service Provider Security Principle & Director
Taslimm Quraishi has several years of experience developing, managing, and delivering security and risk-based services to Fortune 500 companies, with vertical expertise in communications/service provider.

Steve Nowell, Service Provider Solutions Architect
Steve Nowell is a Solutions Architect with twenty years of experience, ten of which are at Cisco, in both security and route / switch technologies. Most of his background has been focused solely with Service Providers.

Brad Garnett, Team Leader, Incident Response
Brad Garnett is a Team Leader of Incident Response at Cisco Security Services with over ten years of experience in the information security field, focusing efforts on Digital Forensics, Incident Response, Cyber Security Attacks, Malware, Threat Intelligence, Cybercrime, and hacktivism.
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
1. Market Opportunities and Challenges
2. Your Digital Transformation Journey
   a. Evaluating if you are ready
   b. Building & Assessing your secure foundation
   c. Maintaining your digital solution
3. Questions
Digitization is creating opportunities
Telco, cable, and web: digitization leading to cloud, 5G, IoT
- More cloudification: 4x cloud traffic increase
- More IoT: half of connected devices are M2M
- More video: 8x mobile traffic increase
- 5G rollouts begin: 4.7x the traffic of LTE
Sizable service provider economic opportunity
Key Security Challenges for Service Providers

34% of service providers said they lost revenue due to attacks in 2016*

Changing Dynamics | Reducing Complexity | Speeding Innovation | Talent Shortage

*Cisco 2017 Midyear Cybersecurity Report


Fragmented Ecosystem for SPs to turn to…

Your network is your business
(Diagram of four SP business types and what the network underpins for each: Telco, Gaming, Cable & Media, Web. Assets at stake include service availability, the production network, employee data, brand, content and the content economy, customer data, IP, and source code, all reached over the WAN.)
Where are you in your Digital Transformation journey?
- Evaluating if you are ready?
- Building & Assessing your secure foundation?
- Maintaining your digital solution?
How do you know when you're ready?
Typical triggers: mergers and acquisitions, CISO transition, preparing for a compliance audit, adoption of new technology.
Cisco Security Service's approach
Assessment across People, Process and Technology: current state, target state and gaps, with each capability scored on a maturity scale (Level 0 Absent, Level 1 Initial, Level 2 Repeatable, Level 3 Defined, Level 4 Managed, Level 5 Optimal) and marked L/M/H.
Capability areas on the slide (scores omitted) include: Executive Security Management; Security Risk Management; Security Responsibility, Charter & Governance; Security Metrics & Reporting; Security Incident Response Management; Security Education / Awareness Training; Privileged Identity and Access Management; Regulatory & Compliance; Internal Security Enclave; Secure Access Provisioning; Data Privacy and DDoS Protection; Activity and Log Management; Vendor, Partner & Customer/Subscriber Management; Architecture Strategy & Management; Business Continuity & Disaster Recovery; Virtualized Network & Cloud Environments; Virtual Operator Access; Asset Classification; Penetration Testing and Red Teaming; Network Intrusion / Threat Defenses & Activity Analytics; Fraud Management; Backup and Recovery; Customer Clean Pipe / Managed; Software and App Security; Physical Infrastructure Security; Configuration, Change & Patch Management; Encryption / Data Masking; Vulnerability Management; Customer Trust; Secure Orchestration & Automation; Data Exfiltration Defense; Crisis Management Support; Application Development / Management; Secure Network Design and Architecture; Secure Systems; Secure Applications; OSS and BSS; Resilience.
Example CMPA Findings

People
Questions:
• Is there an owner ready to lead an Incident Response scenario?
• Are skill sets positioned optimally?
• Are SOC resources appropriately skilled?
Recommendations:
• Assign ownership & create IR plan
• Additional Threat Analysts/analytics would be a crucial addition to SOC
• Emphasize a continuing training culture within the organization

Process
Questions:
• Are passwords being managed appropriately?
• Is network vulnerability discovered and tracked?
• Are third-parties leveraged to assess the network?
Recommendations:
• Manage passwords via best practice
• Identify vulnerabilities and improve speed to remediation via patching
• Further utilize objective, third-party assistance in the assessment of your network

Technology
Questions:
• Is the network (micro) segmented appropriately?
• Is internal communication appropriately secured?
• Is sensitive data stored with appropriate controls?
Recommendations:
• Appropriate segmentation needed
• Utilize secure protocols wherever possible to obfuscate sensitive communications
• Implement encryption and authentication on sensitive ones + CASB
Where are you in your Digital Transformation journey?
- Evaluating if you are ready?
- Building & Assessing your secure foundation?
- Maintaining your digital solution?
Example Penetration Test Progression
1. Exploited a known backdoor
2. Lack of segmentation allowed for unfettered lateral movement
3. Obtained access to sensitive systems through lateral movement
4. Compromised a wealth of operational data through domain
5. Obtained admin control of servers
6. Compromised several access systems

Call-outs on the slide:
- Previously known exploit, which could have been patched.
- Actionable intelligence gained through the exploited backdoor allowed for full control of systems at the OS level within the test scope.
- Lack of segmentation allowed for movement to multiple systems.
- Additional crucial access was gained through this lateral movement.
- Sensitive data was obtained from the SP system and its customers.
- Information obtained through this exploit was utilized for further movement and access.

Build a secure foundation
Infrastructure ACL (iACL)
Steady-State – Traffic destined to subscriber: Allowed
(Diagram: Customers – PE – SP Infrastructure (R1) – Internet peers – Internet; iACL applied at R1. Traffic from the Internet peers destined to customers passes through.)
Build a secure foundation
Infrastructure ACL (iACL)
Steady-State – Traffic destined to infrastructure: Blocked!
(Same diagram; the iACL applied at R1 blocks traffic from the Internet peers whose destination is the SP infrastructure itself.)
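An added example, not from the slides, showing what the iACL steady state above looks like in Cisco IOS syntax: the peering session to the local router is permitted explicitly, anything else destined to infrastructure address space is dropped (and logged for detection), and transit traffic towards subscribers passes. The address ranges, peer addresses and interface name are assumptions.

```cisco
! Assumed (constructed) addressing for this example:
!   192.0.2.0/24    core loopbacks and core links   (infrastructure)
!   198.51.100.0/24 PE-facing links                 (infrastructure)
!   203.0.113.0/30  peering link, local side .2, peer .1
!   100.64.0.0/16   subscriber address space        (transit, allowed)
ip access-list extended IACL-PEER-IN
 remark --- 1. Explicit permits for the peering session itself ---
 permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 203.0.113.2
 remark --- 2. Anti-spoofing: our own space must not arrive from a peer ---
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 deny   ip 100.64.0.0 0.0.255.255 any
 remark --- 3. Non-initial fragments aimed at infrastructure bypass port
 remark     matching, so drop them before any port-based permits ---
 deny   ip any 192.0.2.0 0.0.0.255 fragments
 deny   ip any 198.51.100.0 0.0.0.255 fragments
 remark --- 4. The iACL core: everything else to infrastructure is blocked.
 remark     "log" feeds the hit counts into the SOC's visibility tooling ---
 deny   ip any host 203.0.113.2 log
 deny   ip any 192.0.2.0 0.0.0.255 log
 deny   ip any 198.51.100.0 0.0.0.255 log
 remark --- 5. Steady state: transit traffic to subscribers is allowed ---
 permit ip any 100.64.0.0 0.0.255.255
 permit ip any any
!
interface GigabitEthernet0/0
 description Peering link to Internet peer (constructed example)
 ip address 203.0.113.2 255.255.255.252
 ip access-group IACL-PEER-IN in
!
! Verify the policy is hitting: the deny lines for infrastructure
! destinations should accumulate matches, the permit lines should carry
! the transit volume.
! show ip access-lists IACL-PEER-IN
```

Any interior protocol the peering edge must accept (for example ICMP needed for path MTU discovery, or a monitoring address) gets its own explicit permit above the infrastructure denies; anything not listed there is dropped by design.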
Where are you in your Digital Transformation journey?
- Evaluating if you are ready?
- Building & Assessing your secure foundation?
- Maintaining your digital solution?
Making sure you're prepared – maintain security
Case study:
- Targeted attack by a nation state actor
- Organization's testing/development network environment targeted, which lacked security controls and monitoring
- Attackers maintained persistence in the environment for 5+ months
- C2 malware had a zero A/V detection rate, which was utilized for persistence into the environment

Attack and investigative timeline
Dwell Time (July – December). Events on the timeline: Command and Control (C2) via C2malware.exe; C2 traffic observed by law enforcement; Law Enforcement Notification; Customer Internal Investigation; Cisco IR Engaged; Cisco IR: On-Site; Cisco IR: Forensic Investigation; StealthWatch Deployment; C2Malware.exe identified. Dates marked: 1st – 4th, 10th, 11th, 30th, 14th, 15th, 12th, across July, January and February.

Our approach
Deployed Visibility Tools
• Deployed StealthWatch into existing infrastructure to identify other potentially malicious traffic
• Deployed AMP for Endpoints to facilitate endpoint, network analysis, and remediation

Forensics
• Malware reverse engineering, memory forensics, and disk forensics performed on affected hosts

Testing Results
• App Pen Testing group conducted application hardening post-incident response

Communication
• Prescribed mechanism, rhythm, and audience for each level of incident severity
Could this have been prevented or minimized?
• Incident Response Plan: descriptive IR plan; communication
• Communication and Collaboration
• Test the IR Plan: periodic table top exercises
• Segmentation
• Manage passwords and patching
• Visibility

Remember… People, Process, Technology

Where are you in your Digital Transformation journey?
- Evaluating if you are ready?
- Building & Assessing your secure foundation?
- Maintaining your digital solution?
Cisco Approach: Best of Breed Integrated Architecture
SP Security Services integrated around the network: Network Analytics, UTM, Secure Internet Gateway, Email, Web, Advanced Malware, Policy and Access, NGFW/NGIPS.
What first step can I take to gain visibility into my SP networks?
Security Online Visibility Assessment (SOVA)

What is a SOVA?
• SOVA is a "free" 14-day non-intrusive cloud-based network and security visibility offer for all our customers. It works by deploying a lightweight virtual SOVA Collector in the network that forwards network telemetry in passive mode to the SOVA cloud for analysis. After 14 days of collecting real-time data (internal & external), the cloud generates a confidential standard report for the customer free of charge, consisting of criteria such as Internal Monitored Networks, SMB & Telnet Risks, Remote Access Breach, etc.

• Pick a network segment and get started today

Sign up for your “Free” SOVA today!


https://salesconnect.cisco.com/c/r/salesconnect/index.html#/program/PAGE-10733
For more information on Cisco
Security Services, please visit

http://cisco.com/go/securityservices
