security @ cisco roadshow 2017
TRANSCRIPT
Cisco Roadshow 2017
Nikos Mourtzinos, CCIE #9763
Cisco Security Product Sales Specialist
Cisco Integrated Threat Defense
Security as a Business Enabler
The Security Problem
Changing Business Models
Dynamic Threat Landscape
Complexity and Fragmentation
Digital Disruption Drives the Hacker Economy
There is a multi-billion dollar global industry targeting your prized assets
Going rates on the underground market, as shown on the slide:
• Social Security number: $1
• Mobile malware: $150
• Bank account info: >$1000, depending on account type and balance
• Facebook account: $1 for an account with 15 friends
• Credit card data: $0.25-$60
• Malware development: $2500 (commercial malware)
• DDoS as a service: ~$7/hour
• Spam: $50 per 500K emails
• Medical records: >$50
• Exploits: $1000-$300K
$450 Billion
World’s biggest data breaches
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Recent Breaches
Failure of Legacy Security Architectures
Limited visibility: Endpoint AV, UTM Services / IPS, Network AV, Web Security, Email Security, Edge Firewall, NAC, each a separate box between the Internet and the user
Lacks correlation, manual response: point products from six vendors (Vendor 1 to Vendor 6), each raising its own alert (Endpoint Alert, Email Alert, Web Alert, IDS Alert, AV Alert) with no correlation between them
Complexity and Fragmentation
Customer Questions
What does Cisco Security do?
How do we do it?
What makes us different?
What do other customers say?
What does Cisco Security do? The only company with security product revenue exceeding a $2 billion annualized run rate, with double-digit growth.
Market recognition: focus on NSS, acquisitions, integration
Best Security Company
Security Value Map Leader: NGFW, NGIPS and Breach Detection Systems (AMP)
Cisco's Security Everywhere... "that's pretty brilliant" (Interop 2016)
Cisco Best NGFW award: "Cisco's Network Security Portfolio finally stands on its own merit"
Cisco is Investing in Security Growth
1995
• PIX Firewall, which was the foundation of the current ASA-X
• Top leader in content security
2007, 2009, 2013, 2014
• Leading dynamic malware analysis (sandbox), currently integrated into AMP
• Top leader in cloud-based web security
• Snort®, ClamAV®: founder of the open source projects
• VRT world-class research
• Top leader in IPS
• Top leader in security advisory services; provides risk management and compliance to Fortune 500 customers
2015
• Leading security analytics platform to defend against advanced cyber threats
• Cloud-based DNS security service
2016
Ecosystem and Integration: Combined API Framework
Integration categories: Packet Brokering, Network Infrastructure & Policy Management, Performance Management & Visualization, Mobility, Packet Capture & Forensics, SIEM & Analytics, Remediation & Incident Response, Vulnerability Management, Custom Detection, Firewall/Access Control, IAM/SSO
Before: Discover, Enforce, Harden. During: Detect, Block, Defend. After: Scope, Contain, Remediate.
How do we do it?
Security Architecture
TALOS Threat Intelligence Cloud feeds every component below.
1. ASA 5500-X with Firepower services; FMC (Firepower Management Center) for management, reporting and analytics
2. AMP for Endpoints: Windows, Mac OS, Android mobile, virtual, and CentOS / Red Hat Linux for servers and datacenters. Remote endpoints: AMP for Endpoints can be launched from Cisco AnyConnect®
3. Email Security
4. Cisco Identity Services Engine (Cisco ISE)
Cisco ASA Firepower
Cisco Collective Security Intelligence
Capabilities on one platform, with integrated software management:
• Network Firewall and Routing
• Intrusion Prevention
• Application Visibility & Control
• URL Filtering
• Malware Protection
• Network Profiling
• Identity-Based Policy Control
• Analytics & Automation
• High Availability
Enhanced security, simplified operations and cost savings
Superior Network Visibility
Servers, hosts, mobiles, applications, OS, vulnerabilities
Impact Assessment & Correlation
Threat correlation reduces actionable events by up to 99%
Automated Tuning
Adjust IPS policies automatically based on network changes
World Class Research Center
Security Intelligence
Indications of Compromise
Warning indicator to more rapidly remediate threats
Advanced Malware Protection
Analyses files to block malware
Superior Network Visibility
Rogue hosts, vulnerabilities, applications, OS, servers, mobiles
Categories: Hosts, Network Servers, Routers & Switches, Mobile Devices, Printers, VoIP Phones, Virtual Machines, Operating Systems, Applications (Web, Client etc.), Users, File Transfers, Command & Control Servers, Threats, Vulnerabilities
"You can't protect what you can't see"
Real-time notifications of changes
Security Intelligence: World-Class Threat Research
19.7B threats per day
Daily and monthly volumes (1.4M, 1.1M, 1.8B, 1B and 8.2B on the slide) for: incoming malware samples per day, SenderBase reputation queries per day, web filtering blocks per month, AV blocks per day, spyware blocks per month
250 threat researchers
100TB threat intelligence
World Class Research Center
Security Intelligence
http://blog.talosintel.com
Automated Tuning
Adjust IPS policies automatically based on network changes
• Automated recommended rules based on the organization's infrastructure
• Automated IPS policies based on changes
• Simplifies operations & reduces costs
NSS IPS Test key findings: protection varied widely between 31% and 99%. Tuning is required, and is most important for remote attacks against servers and their applications. Organizations that do not tune could be missing numerous "catchable" attacks.
Impact Assessment & Correlation
Automatically correlates all intrusion events with what is known about the target host
Threat correlation reduces actionable events by up to 99%
Impact flag, administrator action, and why:
• 1: Act immediately; vulnerable. Event corresponds with a vulnerability mapped to the host.
• 2: Investigate; potentially vulnerable. Relevant port open or protocol in use, but no vulnerability mapped.
• 3: Good to know; currently not vulnerable. Relevant port not open or protocol not in use.
• 4: Good to know; unknown target. Monitored network, but unknown host.
• 0: Good to know; unknown network. Unmonitored network.
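The impact table above as working logic, written for this page as an added example (it is not Firepower code): each intrusion event is scored against what the network map knows about the target, and only flags 1 and 2 survive triage. The host profiles, the vulnerability identifiers and the sample events are constructed; the flag values and their meanings are the slide's.

```python
"""Impact assessment: score an intrusion event against the target's host
profile, following the five-row table on the slide.

Added illustration, not Firepower code. HOSTS, the VULN-* identifiers and
SAMPLE_EVENTS are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HostProfile:
    """What discovery has learned about one host."""
    ip: str
    open_ports: set = field(default_factory=set)  # {(proto, port), ...}
    vulns: set = field(default_factory=set)       # vulnerability IDs mapped to the host


@dataclass
class IntrusionEvent:
    dst_ip: str
    proto: str
    dst_port: int
    rule_vulns: set  # vulnerability IDs the triggering rule is tagged with


# Constructed network map: one monitored 10/8 range with three profiled hosts.
MONITORED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
HOSTS = {
    "10.0.1.10": HostProfile("10.0.1.10", {("tcp", 445), ("tcp", 80)}, {"VULN-SMB-1"}),
    "10.0.1.20": HostProfile("10.0.1.20", {("tcp", 22)}),
    "10.0.1.30": HostProfile("10.0.1.30", {("tcp", 80)}),
}

IMPACT_TEXT = {
    1: "Act immediately; vulnerable",
    2: "Investigate; potentially vulnerable",
    3: "Good to know; currently not vulnerable",
    4: "Good to know; unknown target",
    0: "Good to know; unknown network",
}


def impact_flag(event, hosts=HOSTS, networks=MONITORED_NETWORKS):
    """Return the impact flag (0-4) for one event, row by row as in the table."""
    target = ipaddress.ip_address(event.dst_ip)
    if not any(target in net for net in networks):
        return 0                                   # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                                   # monitored network, unknown host
    if event.rule_vulns & host.vulns:
        return 1                                   # vulnerability mapped to this host
    if (event.proto, event.dst_port) in host.open_ports:
        return 2                                   # port open, no vulnerability mapped
    return 3                                       # port not open / protocol not in use


def triage(events):
    """Keep only what an administrator must act on (flags 1 and 2), highest
    impact first. This is the reduction in actionable events the slide means."""
    scored = [(impact_flag(ev), ev) for ev in events]
    actionable = [(flag, ev) for flag, ev in scored if flag in (1, 2)]
    return sorted(actionable, key=lambda pair: pair[0])


# Constructed sample events against five different targets.
SAMPLE_EVENTS = [
    IntrusionEvent("10.0.1.10", "tcp", 445, {"VULN-SMB-1"}),    # vulnerable host
    IntrusionEvent("10.0.1.10", "tcp", 80, {"VULN-HTTP-9"}),    # port open, no such vuln
    IntrusionEvent("10.0.1.20", "tcp", 445, {"VULN-SMB-1"}),    # port not open
    IntrusionEvent("10.0.1.99", "tcp", 445, {"VULN-SMB-1"}),    # never profiled
    IntrusionEvent("192.168.5.5", "tcp", 445, {"VULN-SMB-1"}),  # outside monitored range
]

if __name__ == "__main__":
    for flag, ev in triage(SAMPLE_EVENTS):
        print(flag, IMPACT_TEXT[flag], ev.dst_ip, ev.dst_port)
```

Five alerts from the same signature collapse to two worth opening, and the one against the host with the mapped vulnerability sorts to the top; the check for a mapped vulnerability runs before the open-port check, so a host that is known vulnerable is flag 1 even if the port was not seen open.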
Advanced Malware Protection
Analyses files to detect and block malware
• File reputation
• Big data analytics
• Dynamic analysis with sandboxing (outside-looking-in)
• Continuous analysis
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Advanced Malware Protection: inspection flow for a file seen in network traffic
1) File capture
2) Send file fingerprint (SHA256) to Talos / Cisco Collective Security Intelligence
3) File look-up returns "malware": Malware Alert! File dropped immediately
4) AMP file reputation = unknown: file sent to AMP Dynamic Malware Analysis (sandboxing)
5) Sandbox verdict returned to AMP and Talos
6) AMP Retrospection: retrospective incidents are raised when a file's disposition changes after it was first seen
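The six-step flow above, carried through end to end as an added example written for this page (not Cisco AMP or Talos code): fingerprint the captured file, look the SHA256 up, drop known malware at once, let an unknown file through while it is sandboxed, and raise a retrospective incident for every host that already received a file whose verdict later turns malicious. The reputation table, the sandbox heuristic and the file contents are constructed.

```python
"""AMP-style file inspection: reputation lookup, sandboxing of unknowns, and
retrospection when a verdict changes.

Added illustration, not Cisco code. ReputationCloud stands in for the Talos
lookup, sandbox_verdict for dynamic analysis; KNOWN_BAD, KNOWN_GOOD and
NEW_SAMPLE are constructed file contents.
"""
import hashlib
from collections import defaultdict

CLEAN, MALWARE, UNKNOWN = "clean", "malware", "unknown"


def sha256_hex(data: bytes) -> str:
    """Step 2: the fingerprint sent to the cloud instead of the file itself."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample files as they might be captured from network traffic.
KNOWN_BAD = b"MZ\x90\x00" + b"\x00" * 60 + b"known-dropper"
KNOWN_GOOD = b"%PDF-1.4 quarterly report"
NEW_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"never-seen-packer"


class ReputationCloud:
    """Stand-in for the Talos / Collective Security Intelligence lookup (step 3).
    Verdicts are shared: once published, every gateway asking about that hash sees it."""

    def __init__(self):
        self.dispositions = {sha256_hex(KNOWN_BAD): MALWARE,
                             sha256_hex(KNOWN_GOOD): CLEAN}

    def lookup(self, digest: str) -> str:
        return self.dispositions.get(digest, UNKNOWN)

    def publish(self, digest: str, disposition: str) -> None:
        self.dispositions[digest] = disposition


def sandbox_verdict(data: bytes) -> str:
    """Stand-in for dynamic analysis (steps 4 and 5). Constructed heuristic:
    an unknown PE-looking blob ('MZ' header) is convicted, anything else is
    clean. Real dynamic analysis detonates the file and watches behaviour."""
    return MALWARE if data.startswith(b"MZ") else CLEAN


class AmpGateway:
    def __init__(self, cloud: ReputationCloud):
        self.cloud = cloud
        self.trajectory = defaultdict(list)  # digest -> hosts that received the file
        self.pending = {}                     # digest -> bytes awaiting sandboxing
        self.retrospective = []               # (digest, hosts) raised after a verdict change

    def inspect(self, host: str, data: bytes) -> str:
        """Steps 1-4 for one file transfer. Returns 'drop' or 'allow'."""
        digest = sha256_hex(data)                       # steps 1-2: capture, fingerprint
        disposition = self.cloud.lookup(digest)         # step 3
        if disposition == MALWARE:
            return "drop"                               # dropped immediately
        self.trajectory[digest].append(host)            # file trajectory: who received it
        if disposition == UNKNOWN and digest not in self.pending:
            self.pending[digest] = data                 # step 4: submit once per hash
        return "allow"

    def run_sandbox(self):
        """Steps 5-6: process pending submissions, publish each verdict, and
        turn a malware verdict into a retrospective incident listing every
        host that already received the file."""
        for digest, data in list(self.pending.items()):
            verdict = sandbox_verdict(data)
            self.cloud.publish(digest, verdict)         # step 5
            del self.pending[digest]
            if verdict == MALWARE:                      # step 6
                self.retrospective.append((digest, list(self.trajectory[digest])))
        return self.retrospective


if __name__ == "__main__":
    gw = AmpGateway(ReputationCloud())
    print(gw.inspect("pc-1", KNOWN_BAD))     # drop
    print(gw.inspect("pc-2", NEW_SAMPLE))    # allow, sandbox submission queued
    print(gw.inspect("pc-3", NEW_SAMPLE))    # allow, same hash, not resubmitted
    print(gw.run_sandbox())                  # one retrospective incident naming pc-2 and pc-3
    print(gw.inspect("pc-4", NEW_SAMPLE))    # drop, the verdict is now known
```

The point the slides make about continuous analysis is the last two lines: the file was allowed to pc-2 and pc-3 at the moment it was unknown, which is unavoidable, but the trajectory record means the later conviction names exactly those two hosts for remediation, and the published verdict stops the same hash for pc-4 without another sandbox run.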
Indications of Compromise (IoCs)
IPS events: malware backdoors, CnC connections, exploit kits, admin privilege escalations, web app attacks
SI events: connections to known CnC IPs
Malware events: malware detections, malware executions, Office/PDF/Java compromises, dropper infections
Early warning indicator to rapidly remediate threats before they spread
Correlation
AMP Protection Across the Extended Network
AMP Threat Intelligence Cloud
AMP for Endpoints: Windows, Mac OS, Android mobile, virtual, and CentOS / Red Hat Linux for servers and datacenters
Remote endpoints: AMP for Endpoints can be launched from Cisco AnyConnect®
What do you get with AMP for Endpoints?
• Inspect processes and files
• Track malware's spread and communications
• Identify known and unknown threats
• Automatically quarantine threats on the endpoint
• Includes antivirus and 0-day threat detection
Questions it answers: Where did the malware come from? Where has the malware been? What is it doing? What happened? How do we stop it?
Email is still the #1 threat vector
Phishing, spoofing, ransomware
Messages contain attachments and URLs
Socially engineered messages are well crafted and specific
Credential "hooks" give criminals access to your systems
94% of phish mail has malicious attachments (1)
30% of phishing messages are opened (1)
$500M loss incurred due to phishing attacks in a year by US companies (2)
(1) 2016 Cisco Annual Security Report
(2) 2016 Verizon Data Breach Report; Krebs on Security
Cisco Email Security (Overview)
Before, during and after: controls applied to inbound and outbound email
Before (acceptance): Email Reputation, Acceptance Controls, Mail Flow Policies, Forged Email Detection
During (incoming threat and content): Anti-Spam, Anti-Virus, File Reputation, Outbreak Filters, Content Controls (HIPAA, outbound liability), Data Loss Protection, Encryption
After: File Sandboxing & Retrospection (Threat Grid), Anti-Phish (tracking user click activity, URL reputation & categorization with Allow / Warn / Block / Partial Block), Reporting, Message Tracking, Management
Deployment: Cisco Appliance, Virtual, Cloud; intelligence from Talos
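Forged Email Detection, named in the overview above and aimed at the spoofing the slide lists among the top threats, as an added example written for this page (not Cisco ESA code): a message whose From display name impersonates a protected person while the actual address is not one of that person's is treated as a forgery. The check looks only at the display name because the attacker's own sending domain is usually not the one being impersonated. The protected names, their real addresses and the sample headers are constructed.

```python
"""Display-name forgery check: does the From header claim to be a protected
person without using one of that person's real addresses?

Added illustration, not Cisco ESA code. PROTECTED and SAMPLES are constructed.
"""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed dictionary of people attackers impersonate, with the addresses
# they genuinely send from.
PROTECTED = {
    "jane doe": {"jane.doe@example.com"},
    "john smith": {"john.smith@example.com", "jsmith@example.com"},
}


def normalise(name: str) -> str:
    """Fold a display name so look-alikes compare equal: strip accents
    ('Jöhn' -> 'John'), lowercase, and turn every non-letter run into a space,
    so 'jane.doe@example.com' used as a display name becomes 'jane doe example com'."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z]+", " ", ascii_name.lower()).split())


def protected_match(display_name: str):
    """Return the protected name the display name impersonates, or None.
    All parts of the name must appear, in any order; extra tokens are ignored."""
    tokens = set(normalise(display_name).split())
    for name in PROTECTED:
        if set(name.split()) <= tokens:
            return name
    return None


def forged_email_verdict(raw_message: str) -> str:
    """'forged' when the From display name matches a protected person but the
    address is not one of that person's real addresses; otherwise 'pass'."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    name = protected_match(display)
    if name is None:
        return "pass"                        # not impersonating anyone we protect
    if address.lower() in PROTECTED[name]:
        return "pass"                        # the real person
    return "forged"


# Constructed sample messages (headers only; the body does not matter here).
SAMPLES = {
    "legit":        "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nhi",
    "freemail":     'From: "Jane Doe" <jane.doe.ceo@freemail.example>\nSubject: urgent wire\n\nhi',
    "addr_as_name": 'From: "jane.doe@example.com" <x@attacker.example>\nSubject: re: invoice\n\nhi',
    "accented":     'From: "Jöhn Smith" <john@attacker.example>\nSubject: gift cards\n\nhi',
    "reordered":    'From: "Smith, John" <jsmith@example.com>\nSubject: ok\n\nhi',
    "unrelated":    "From: Bob Vendor <bob@vendor.example>\nSubject: catalogue\n\nhi",
    "no_from":      "Subject: nothing\n\nhi",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:12} {forged_email_verdict(raw)}")
```

The two cases worth noting are `addr_as_name`, where the attacker puts the executive's real address in the display-name slot so a casual reader sees it first, and `accented`, where a non-ASCII look-alike defeats a plain string comparison; both fall out of the same normalisation rather than needing special cases.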
Identity Services Engine
Who/what is currently connected on the network?
How do I control who and what access the network/resources?
Compliance and insider threat: once inside, threats can spread quickly
How to quarantine a user?
Who, what, where, when, how: virtual machine client, IP device, guest, employee, and remote user, over wired, wireless and VPN
Policy Controller applying business-relevant policies
• Identity context and policy management: increases operational efficiency
• Onboarding & MDM integration: increases productivity and improves user experience
• Device profiling & posture remediation: provides comprehensive secure access
• Network enforcement: decreases operational costs
All-in-One Enterprise Policy Control
Enterprise Mobility: context used in policy
• Who? Employee, Guest
• What? Personal Device, Company Asset
• How? Wired, Wireless, VPN
• Where? @ Vessel / Headquarters
• When? Weekends (8:00am – 5:00pm) GMT
ASA Firepower & Cisco ISE
Next-Gen Intrusion Prevention & Advanced Malware Protection: threat detection on the network, quarantine action through Cisco® ISE
Speeds time-to-containment, so infected endpoints are quickly and automatically removed as threats. Lowers costs, as operational overhead and malware-related costs are minimized, while enabling use of already-deployed Cisco networking devices for enforcement.
Visibility, correlation, automated actions
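The Indications of Compromise slide and the Firepower / ISE quarantine slide describe two halves of one pipeline, shown here as an added example written for this page (not Firepower or ISE code): intrusion, security-intelligence and malware events are folded into per-host IoC categories, and a host showing several stages of an attack chain becomes a containment candidate instead of five unrelated alerts. The event-to-category rules, the sample events and the threshold are constructed; the category names follow the slide. No ISE API is called: the output is the list of hosts a quarantine action would be issued for.

```python
"""Per-host Indications of Compromise and the quarantine decision built on them.

Added illustration, not Firepower or ISE code. IOC_RULES, SAMPLE_EVENTS and
the min_categories threshold are constructed.
"""
from collections import defaultdict

# (event source, field, value, IoC category). Constructed mapping onto the
# categories the slide lists under IPS, SI and malware events.
IOC_RULES = [
    ("ips", "classification", "trojan-activity", "Malware backdoor / CnC connection"),
    ("ips", "classification", "exploit-kit", "Exploit kit"),
    ("ips", "classification", "successful-admin", "Admin privilege escalation"),
    ("ips", "classification", "web-application-attack", "Web app attack"),
    ("si", "category", "cnc", "Connection to known CnC IP"),
    ("malware", "disposition", "detected", "Malware detection"),
    ("malware", "disposition", "executed", "Malware execution"),
    ("malware", "disposition", "dropper", "Dropper infection"),
    ("malware", "disposition", "document-exploit", "Office/PDF/Java compromise"),
]


def classify(event):
    """Map one raw event to an IoC category, or None if it is not one."""
    for source, field, value, category in IOC_RULES:
        if event.get("source") == source and event.get(field) == value:
            return category
    return None


def indications_of_compromise(events):
    """Fold events into {host: set of IoC categories}. Hosts whose events carry
    no IoC category (ordinary policy noise) do not appear at all."""
    iocs = defaultdict(set)
    for event in events:
        category = classify(event)
        if category:
            iocs[event["host"]].add(category)
    return dict(iocs)


def quarantine_candidates(iocs, min_categories=2):
    """Hosts with at least min_categories distinct IoC categories, most
    compromised first. The threshold is a constructed policy choice: a single
    blocked detection is 'investigate', several categories together are the
    chain that, once inside, spreads quickly."""
    chosen = [h for h, cats in iocs.items() if len(cats) >= min_categories]
    return sorted(chosen, key=lambda h: (-len(iocs[h]), h))


# Constructed sample events. 10.0.1.10 shows a full chain (exploit kit, dropper,
# CnC); 10.0.1.20 only tripped a policy rule; 10.0.1.30 had one blocked detection.
SAMPLE_EVENTS = [
    {"source": "ips", "host": "10.0.1.10", "classification": "exploit-kit"},
    {"source": "malware", "host": "10.0.1.10", "disposition": "dropper"},
    {"source": "si", "host": "10.0.1.10", "category": "cnc"},
    {"source": "ips", "host": "10.0.1.20", "classification": "policy-violation"},
    {"source": "malware", "host": "10.0.1.30", "disposition": "detected"},
    {"source": "malware", "host": "10.0.1.10", "disposition": "dropper"},  # repeat, same category
]

if __name__ == "__main__":
    iocs = indications_of_compromise(SAMPLE_EVENTS)
    for host, cats in sorted(iocs.items()):
        print(host, sorted(cats))
    print("quarantine:", quarantine_candidates(iocs))
```

Counting distinct categories rather than raw events is what keeps a noisy host from outranking a quietly compromised one: the repeated dropper event adds nothing, while the three different stages seen on 10.0.1.10 are what justify pulling it off the network automatically.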
Umbrella (OpenDNS)
Protect users wherever they access the Internet: malware, phishing, C2 callbacks
DNS is used by every device on your network.
First line of defense against Internet threats
• See: visibility to protect access everywhere
• Learn: intelligence to see attacks before they launch
• Block: stop threats before connections are made
Key points: visibility and protection everywhere; deployment in minutes; integrations to amplify existing investments
Resolver: 208.67.222.222
The fastest and easiest way to block threats
Global prevention with Cisco Umbrella and AMP
CloudLock: API access (cloud to cloud) through public APIs, alongside Cisco ASA NGFW and AMP
Coverage: managed and unmanaged users, devices and networks
What CloudLock protects: users/accounts, data, applications (admin and OAuth access)
Addressing the top threats in the cloud (source: Cloud Security Alliance (CSA), 2016):
• Data breaches
• Weak identity, credential and access management
• Insecure interfaces and APIs
• Account hijacking
• Malicious insiders
What makes us different?
Visibility: "You can't protect what you can't see"
Automated tuning of NGIPS, automated impact assessment, Indications of Compromise (IoCs): enhances security, simplifies operations & reduces costs
Dynamic analysis with sandboxing: NSS Labs detection results (100% breach detection rate, fastest time to detection)
Continuous analysis, retrospection, and integration of ASA Firepower AMP & ESA AMP with AMP for Endpoints (a key differentiator that caused serious issues for competitors)
Unified management (Firepower Management Center): NGFW configuration & event management, vulnerability management, impact assessment, retrospective analysis & correlation
What makes us different?
Email threats are #1: spear phishing, spoofed emails, ransomware. Protect #1: enhance email security
Who/what is currently connected? How do I control who and what access the network/resources? How to quarantine a user? ISE, and ISE / Firepower integration
Integration with AMP for Endpoints: inspect processes and files, track malware's spread and communications, automatically quarantine threats
A Leader in Security Effectiveness
• A leader for the 3rd year in a row in the BDS test, detecting 100% of malware, exploits & evasions
• Faster time to detection than any other vendor
• Cisco delivers breach detection across more platforms and attack vectors than any other solution, blocking more threats, faster
Only Cisco, with its architectural approach to security, can provide an integrated solution that can see a threat once and block it everywhere.
Figure 1. NSS Breach Detection Test Results for Cisco - August 2016
What do other customers say?
http://www.cisco.com/c/en/us/products/security/customer-case-study.html
Case Study
George Venianakis, CCIE™ #8418
Head, Global MSS & GX Operations
SpeedCast
February 7th 2017, Divani Caravel
Who are we and what we do
A leading Global Communications and IT Service Provider
ASX:SDA – HQ HK – 1200 employees – 90 countries
Verticals: Maritime, Energy, Enterprise, Telco, Mining, Government, NGO, Media
Challenge
• Create an Inmarsat-enabled DataCenter and PoP
• Close to a hundred percent network availability
• Deliver ISP and connectivity to maritime vessels
• Remotely and centrally managed
• State of the art security offerings
• Simplified and fully programmable approach
• Single vendor platform
• Limited ICT staff resources
Solution
• Cluster of ASA-X NGFW w/FirePOWER® and FireSIGHT®
• REST API management approach
• Quad ASR4K
• Simplified operations, management and support
• IPS, AMP, AVC, URL Filtering
• Full reporting
• Small-to-moderate CAPEX
• Small OPEX
• Rigid, unified security services offerings
Visibility through FireSIGHT: protocols, events, risk; file dispersion; geolocation information; file trajectory
Benefits
Simplified, REST API-based, centralized management available to the involved staff while maintaining low headcount for operations.
State of the art automated services, availability and reliability of the networking services, as well as robust scalability to meet future needs.
Low OPEX
Why Cisco Now
With Cisco, there’s never been a better time to know what’s happening in our entire network. There’s never been a better time to be protected as the threats are stopped before, during and after the attacks. We can automate security, even after attacks, across physical, virtual and cloud to reduce complexity and quickly remediate attacks.
"We have achieved all of our predefined targets with no surprises. With ASA-X Next Generation Firewalls we operate a complete, transparent and rigid security infrastructure with unparalleled resilience, availability and scalability."