DEVNET-1180: Security from the Cloud


Upload: cisco-devnet

Post on 13-Aug-2015


TRANSCRIPT

Ben Munroe and Nitin Kumar

Learn how to achieve safe cloud app usage

Cisco Cloud Access Security with Elastica

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

You wouldn’t run your business without email, and you wouldn’t use email without security.

As your business adopts cloud apps, you must secure them. Every time you adopt a new technology, you have to secure it.

Cloud apps are becoming an essential part of business. How are you protecting them?

Benefits of cloud apps:
• Remote access
• Agility and speed
• Better collaboration
• Improved productivity
• Cost effective

Risks of cloud apps:
• Sensitive data leakage
• Compliance risks
• Insider risk
• Malware & viruses

Understand the risk of cloud apps in your business

Shadow IT: use of unsanctioned apps

This is a problem because your IT department:
• Can’t see what apps are used
• Isn’t able to identify risky apps
• Is powerless to set informed app controls

72% of employees admit to using unapproved apps (1)
26% of IT departments use 6 or more unapproved apps (2)
35% of enterprise IT spend in 2015 will be managed outside of IT departments (3)

Sources: (1) CIO Insight; (2, 3) Gartner

Understand the risk of data usage in cloud apps

Shadow Data: use of sanctioned apps in unsanctioned ways

This is a problem because your IT department:
• Can’t stop data leakage and compliance risks
• Isn’t able to block inbound risky content
• Is unable to stop risky users and activities

90% of organizations lost sensitive data via file sharing (1)
72% of apps have risks if not properly used (2)
185 files per user are broadly shared across organizations (3)

Sources: (1) Ponemon, 2013 Cost of Data Breach Study; (2) CIO Insight; (3) Elastica

Don’t count on app providers to secure your information

75% of mobile apps fail basic security tests (1) … and app providers can’t control your users’ behavior. (Diagram: Businesses, App Providers, Cloud Apps.)

Source: (1) Gartner

Cloud access security is your responsibility. (Diagram: Businesses, App Providers, Cloud Apps.)

Cisco with Elastica can help

• SaaS Visibility: monitor cloud app usage in real time
• Extended Granular Control: gain control of a cloud-first, mobile-first world
• Intelligent Protection: combat evolving threats using data science

SaaS Visibility: view activities in real time

IT gains full visibility into all cloud app usage:
• Identify and evaluate all cloud apps with their risks
• Know how and what data users share in real time
• See every cloud app transaction on a dynamic, intuitive user interface
• Identify malware

Extended Granular Control: manage a cloud-first, mobile-first world

IT control extends to every cloud app transaction:
• Choose which cloud apps to sanction
• Manage data sharing with global policies across any cloud app
• Take critical actions through a centralized SOC-style dashboard
• Block risky activities in real time

Intelligent Protection: combat evolving threats

Stay ahead of threats using the power of data science:
• Prioritize business-ready cloud apps
• Classify content dynamically with semantic analysis
• Analyze the root cause of threats with incident reconstruction
• Detect malware and attacks with machine learning mechanisms

Cisco Cloud Access Security: solution overview (diagram)

• Reports & Analysis: Shadow IT Risk Assessment Report, Business Readiness Rating™, Audit Score, Shadow Data Risk Assessment
• Analysis engines: StreamIQ™, ThreatScore™, ContentIQ™
• Functions across the attack lifecycle (before, during, after): Audit, Detect, Protect, Investigate; Cloud SOC Policy; Analyze & Control over data, accounts and users
• Components: Elastica CloudSOC™ with Securlet™ and Gateway, in collaboration with Cisco WSA, ASA and other appliances, and the Security Operations Center

Use Cases

Powerful Architecture for Cloud Access Security

Three data sources feed Cisco CAS by Elastica (the Comprehensive Cloud App Security Stack):
• Proxy logs (WSA, CWS and more). Methods: 1. SCP/SFTP log import; 2. direct upload (manual); 3. on-premises virtual appliance (VA).
• App traffic via the Elastica Gateway. Methods: 1. proxy chaining; 2. PAC file.
• Cloud app APIs (Securlets).

The stack, built on StreamIQ™, ContentIQ™ and ThreatScore™, provides four functions:
• AUDIT Shadow IT and data risk
• DETECT exploitations of cloud app accounts
• PROTECT against intrusions in cloud app accounts
• INVESTIGATE incidents and respond

Use Case 1: the customer wants to understand cloud app usage in their business

On-premises logs (WSA log export) are imported into Cisco CAS by Elastica (Comprehensive Cloud App Security Stack) to AUDIT Shadow IT and data risk. Methods: 1. log import using SCP or SFTP; 2. direct upload (manual); 3. SpanVA (the on-premises virtual appliance).

Use Case 1: Audit Deployment Methods (diagram)

• Direct to cloud: the WSA sends its logs by SCP or SFTP across the perimeter to CloudSOC.
• On-premises virtual appliance: the WSA sends its logs by syslog or SCP/FTP to a file share on the on-prem VA, which forwards them over HTTPS across the perimeter to CloudSOC.

Both paths feed the Audit function.

Audit Support for Cisco WSA

• The two main WSA log file subscriptions used by most administrators are the Access Log and the W3C Access Log, which record all Web Proxy traffic.
• These logs can be configured for delivery by any of: FTP onto the appliance, FTP onto an FTP server, SCP push, or syslog push.
• Minimum supported WSA version: AsyncOS 7.7

(Diagram: log transport over SCP; "Powered By" logo.)

WSA Configuration: Log Formats

Access Logs

• Access: Raw (FTP). Header and a sample record:
#Fields: %t %e %a %w/%h %s %2r %A %H/%d %c %D %Xr %?BLOCK_SUSPECT_USER_AGENT,MONITOR_SUSPECT_USER_AGENT?%<User-Agent:%!%-%.
1415047174.449 196 192.168.1.117 TCP_MISS/200 3323 GET https://dropbox.com/_remote/?m_id=MediaRemoteInstance&&instance_id=26361fd9-6e5d-337d-8063-b181309f65b4&lead_id=6f7f6100-be1b-3001-8275-276fa52c4f97 - DIRECT/dropbox.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",135.63,0,-,"-","-"> -

• Access: Syslog. Header lines and a sample record:
Oct 22 15:05:26 192.168.1.143 accesslogs: #Version: 1.0
#Date: 2014-10-22 15:05:27
#System: 192.168.1.143 - mgmt.ironport.elastica.local
#Software: AsyncOS for Web 7.7.0-761
#Fields: %t %e %a %w/%h %s %2r %A %H/%d %c %D %Xr %?BLOCK_SUSPECT_USER_AGENT,MONITOR_SUSPECT_USER_AGENT?%<User-Agent:%!%-%.
Oct 22 15:10:54 192.168.1.143 accesslogs: Info: 1414015852.062 224 192.168.1.61 TCP_MISS/200 58471 GET http://www.dropbox.com/ - DIRECT/www.dropbox.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",2088.25,0,-,"-","-"> -

W3C Logs

• W3C: Raw (FTP). Header and a sample record:
#Fields: timestamp x-elapsed-time c-ip sc-result-code sc-http-status sc-bytes cs-method cs-url cs-username s-hierarchy s-hostname cs-mime-type x-acltag x-result-code x-suspect-user-agent
1415057846.023 222 192.168.1.117 TCP_CLIENT_REFRESH_MISS 200 1540 POST http://us-west-2.console.aws.amazon.com/xa/dealcontent/v2/GetDealStatus?nocache=1415057845571 - DIRECT us-west-2.console.aws.amazon.com application/json DEFAULT_CASE_12-DefaultGroup-DefaultGroup-

• W3C: Syslog. Header lines and a sample record:
Nov 3 13:53:02 192.168.1.143 sk_w3c: #Version: 1.0
#Date: 2014-11-03 13:53:02
#System: 192.168.1.143 - mgmt.ironport.elastica.local
#Software: AsyncOS for Web 7.7.0-761
#Fields: timestamp x-elapsed-time c-ip sc-result-code sc-http-status sc-bytes cs-method cs-url cs-username s-hierarchy s-hostname cs-mime-type x-acltag x-result-code x-suspect-user-agent
Nov 3 13:53:14 192.168.1.143 sk_w3c: Info: 1415051592.801 169 192.168.1.117 TCP_MISS 200 387 GET http://us-west-2.console.aws.amazon.com/1/batch/1/OP/ATVPDKIKX0DER:181-8582357-6795158:1809Q9620X7X4F45Z5DR$uedata=s:%2Fuedata%2Fnvp%2Funsticky%2F181-8582357-6795158%2FGateway%2Fntpoffrw%3Ful%26v%3D0.64.0%26id%3D1809Q9620X7X4F45Z5DR%26ctb%3D1%26m%3D1%26sc%3D1809Q9620X7X4F45Z5DR%26pc%3D37002%26tc%3D- <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",18.32,0,-,"-","-">
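As an added example (not from the slides, and not Elastica's or Cisco's code), here is a small Python parser for the W3C access-log layout shown above, in both its raw and syslog-pushed forms, that rolls the records up per destination host, which is the first step of the Shadow IT audit the deck describes. The sample records, hostnames, IPs and user names are constructed; the subscription name sk_w3c is taken from the slide.

```python
"""Parse Cisco WSA W3C access-log records (raw files or syslog-pushed lines) into
a per-destination usage summary, the raw material of a Shadow IT audit."""
import re
from collections import defaultdict

# Syslog push wraps each record as "<Mon D HH:MM:SS> <wsa-host> <subscription>: [Info: ]<record>";
# the subscription name (sk_w3c on the slide) is whatever the WSA admin configured.
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d \S+ \S+: (?:Info: )?")

def parse_w3c(lines):
    """Yield one dict per record; the keys come from the #Fields header line."""
    fields = None
    for raw in lines:
        line = SYSLOG_PREFIX.sub("", raw.strip())
        if not line or (line.startswith("#") and not line.startswith("#Fields:")):
            continue                     # blank, #Version, #Date, #System, #Software
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("record before #Fields header: %r" % raw)
        # The last field (x-suspect-user-agent) may contain spaces: cap the split.
        values = line.split(None, len(fields) - 1)
        values += ["-"] * (len(fields) - len(values))   # tolerate truncated records
        yield dict(zip(fields, values))

def summarize(records):
    """Aggregate request count, bytes served and distinct client IPs per destination host."""
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0, "clients": set()})
    for r in records:
        entry = summary[r.get("s-hostname", "-")]
        entry["requests"] += 1
        entry["bytes"] += int(r["sc-bytes"]) if r.get("sc-bytes", "-").isdigit() else 0
        entry["clients"].add(r.get("c-ip", "-"))
    return dict(summary)

def shadow_it_report(text):
    """Return (host, stats) pairs sorted by bytes served, most active first."""
    summary = summarize(parse_w3c(text.splitlines()))
    return sorted(summary.items(), key=lambda kv: kv[1]["bytes"], reverse=True)

# Constructed sample in the slide's syslog-pushed W3C layout; hosts, IPs and users are made up.
SAMPLE = """\
Nov 3 13:53:02 192.168.1.143 sk_w3c: #Version: 1.0
Nov 3 13:53:02 192.168.1.143 sk_w3c: #Fields: timestamp x-elapsed-time c-ip sc-result-code sc-http-status sc-bytes cs-method cs-url cs-username s-hierarchy s-hostname cs-mime-type x-acltag x-result-code x-suspect-user-agent
Nov 3 13:53:14 192.168.1.143 sk_w3c: Info: 1415051592.801 169 192.168.1.117 TCP_MISS 200 387 GET http://www.dropbox.com/ - DIRECT www.dropbox.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup - -
Nov 3 13:53:20 192.168.1.143 sk_w3c: Info: 1415051600.120 222 192.168.1.61 TCP_CLIENT_REFRESH_MISS 200 1540 POST http://www.dropbox.com/upload alice DIRECT www.dropbox.com application/json DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup - -
Nov 3 13:53:31 192.168.1.143 sk_w3c: Info: 1415051611.500 90 192.168.1.117 TCP_MISS 200 2048 GET https://app.box.com/files bob DIRECT app.box.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup - -
"""
```

Calling shadow_it_report(SAMPLE), or the same function on the text of an exported W3C log file, lists every destination with its request count, bytes and client count, which is enough to spot unsanctioned apps before any product is involved.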

WSA Configuration: Enable Logging

Elastica Configuration: Configure SCP

WSA Configuration: Configure SCP

SSH Key Configuration

Use Case 2: Securlet and Gateway Deployment Methods (Detect)

(Diagram: cloud apps covered by the Securlet and the Elastica Gateway … and many more.)

Use Case 2: the customer wants to apply an acceptable use policy to Box cloud storage

Cloud app APIs (Securlets) feed Cisco CAS by Elastica (Comprehensive Cloud App Security Stack, built on StreamIQ™, ContentIQ™ and ThreatScore™) to DETECT exploitations of cloud app accounts, PROTECT against intrusions in cloud app accounts, and INVESTIGATE incidents and respond. Method: 1. purely API driven.

Cloud Access Gateway Explained

Gateway vs API (Securlet)
• Policy remediation can take place either in the Elastica Gateway or via the application-specific API.
• Gateway and API can be used in tandem; it is not an either/or situation.

Gateway components. There are three configuration components for enabling the gateway:
• PAC file: directs traffic to the gateway; a standard browser setting.
• SSO Helper: a browser plug-in; installs the first time a user hits the gateway.
• Gateway certificate: for SSLD (SSL decryption); required for operation.

Gateway Components

(Diagram: PAC file, Gateway Certificate, SSO Helper; "Powered By" logo.)

Future-looking integrated architecture

Two data sources feed Cisco CAS by Elastica (the Comprehensive Cloud App Security Stack):
• Proxy logs (WSA, CWS and more). Methods: 1. SCP/SFTP log import; 2. direct upload (manual); 3. on-premises virtual appliance (VA).
• App traffic via the Elastica Gateway. Methods: 1. proxy chaining; 2. PAC file.

The stack, built on StreamIQ™, ContentIQ™ and ThreatScore™, provides four functions:
• AUDIT Shadow IT and data risk
• DETECT exploitations of cloud app accounts
• PROTECT against intrusions in cloud app accounts
• INVESTIGATE incidents and respond