Jamey Heary Cisco Distinguished Systems Engineer CCIE 7680 May 2016 Building a True Security Architecture One Capability at a Time

Upload: cisco-canada

Post on 16-Apr-2017


TRANSCRIPT

Page 1: Building a Security Architecture

Jamey Heary

Cisco Distinguished Systems Engineer, CCIE 7680

May 2016

Building a True Security Architecture One Capability at a Time

Page 2: Building a Security Architecture

Agenda

Current State of Security

Cisco Security

Security as an Architecture – Stories

Summary

Page 3: Building a Security Architecture

State of Security

Page 4: Building a Security Architecture

Cyberwar is Raging!!

Page 5: Building a Security Architecture

Why is the Security Industry Approach Failing?

• It is not a fair fight to begin with

• People, Process and Technology issues

• Hacking people, malicious insiders

Security Technology Issues

• Siloed point products. Nothing works together!

• Bolt-on security, whack-a-mole strategy

• We are designing in complexity on purpose!

• Hyper-focused on prevention = anemic detection/scoping and incident response

• Lack of real network and security visibility

Page 6: Building a Security Architecture

Architecture Fail

Working together Fail

Bolt-on Fail

Page 7: Building a Security Architecture

Cisco Security

Cisco Security Homepage Cisco.com/go/security

Page 8: Building a Security Architecture

Cisco Security is Rockin it!

Best Security Company, 2016

Cisco’s Security Everywhere …“that’s pretty brilliant”

“Cisco’s strength in its Security business shows it is not an ‘old’ tech company”

“Network security architects … need to adopt new products and/or services that will enable the network to be an integral part of a strategy that focuses on detecting and responding to security incidents.”

“Vendors Like Palo Alto, FireEye Are Selling Legacy Technology”

“Cisco is making all the right moves… software-focused, cloud-friendly portfolio with double-digit growth in Security and acquisitions like OpenDNS”

CIO Survey’s 1st in Customer Preference

Page 9: Building a Security Architecture

Cisco Security Execution and Investment

Timeline (figure), 2013 to 2016, items as they appear on the slide:

• Sourcefire acquired

• ThreatGRID acquired

• Active Threat Analytics

• Black Hat 2014: Talos

• Integrated Threat Defense vision

• AMP Everywhere w/ Threat Grid

• Incident Response Service

• Cisco ASA w/ FirePOWER Services

• Cisco ASA w/ FirePOWER Services for Mid-Size and Branch environments

• Global Security Sales Organization

• ACI + FirePOWER Services

• RSAC: AMP Everywhere; OpenAppID

• Security and Trust Organization

• Security Everywhere

• Portcullis acquired

• OpenDNS acquired

• OpenDNS / Threat Grid integrated

• Lancope acquired

• Neohapsis acquired

• Security Everywhere extended

• Firepower NGFW and Security Advisory Service for Segmentation unveiled

• Cognitive acquired

Invested ~$5B in last 36 months!

Page 10: Building a Security Architecture

Chart (figure): NSS Labs results by year, 2010 to 2015, y-axis 82 to 100. Series: NGFW, NGIPS, BDS (Cisco AMP), NGFW (test average), NGIPS (test average). Legend: Cisco vs. Test Average.

A Track Record of Best-of-Breed Security Effectiveness: Best-of-Breed Efficacy in NSS Labs testing, Year after Year

Page 11: Building a Security Architecture

Magic Quadrant Ranking

NGIPS “Leader” since 2006

Email Security “Leader” since 2005

Network Access Control (NAC) “Leader” since 2011

Web Security “Leader” 3 of past 4 years

Network Performance Monitoring and Diagnostics “Leader” (Lancope)

Enterprise Network Firewalls / UTM “Challenger”

SSLVPN (no longer updated) “Leader”

Page 12: Building a Security Architecture

Comprehensive Best-of-Breed Security Capabilities

Cisco Confidential

Diagram: capability blocks on a common Network Fabric, Threat Intelligence and Analytics layer: NGFW/NGIPS; Advanced Threat and Analytics; Policy and Access; Web and DNS; Email; Endpoint

Capabilities Working Together

Simple | Open | Automated | Effective

Page 13: Building a Security Architecture

The Cisco Advantage

Best of Breed Portfolio

Architectural Approach

Only Cisco can build a true E2E security architecture

Page 14: Building a Security Architecture

Without an Architecture it is a mess of complexity!

What makes an Architecture an Architecture?

Just Three things IMHO

1. Capabilities/Solutions (Ideally best of breed)

2. That work well together

3. Effectively

Page 15: Building a Security Architecture

Cisco is building the Industry’s first Threat-Centric Security Architecture

INNOVATION

Page 16: Building a Security Architecture

SAFE Simplifies Security: Method Overview

1. Identify your goals

2. Break down your network into manageable pieces

3. Criteria for success of the business (requirements in each PIN/domain)

4. Categorize your Risks, Threats and Policies

5. Build the Security Solution

   A. Capabilities Phase

   B. Architecture Phase

   C. Low-level Design Phase

Format: Whiteboard, Diagrams and/or Presentation

Page 17: Building a Security Architecture

Security Capabilities Design – Branch Example

Diagram (branch capability map):

• Wireless segment: Wireless Intrusion Prevention, Host-based Security, Posture Assessment, Access Control + TrustSec, Flow Analytics

• L2/L3 Network segment: Host-based Security, Posture Assessment, Access Control + TrustSec, Flow Analytics

• Next-Generation Firewall/Router: Web Security Services, Firewall, Next-Gen Intrusion Prevention System, Anti-Malware, Flow Analytics, AVC (Application Visibility Control), Threat Intelligence, VPN

• Users: a wireless manager web browsing; a wired clerk processing a credit card transaction

• Devices: Wireless Controller, Switch, Next-Generation Firewall/Router; WAN to Data Center and to Cloud

• Use Best Practices to identify applicable security capabilities

• No Products and No Devices in this phase; that comes next

• Identify security capabilities that best mitigate threats, risks and policy

Page 18: Building a Security Architecture

Cisco Platform-Based Security Architecture: Hardware Agnostic, Integrated and 3rd Party Friendly

Diagram (layered, top to bottom):

• Management layer: Common Security Policy and Management; Orchestration; Security Management APIs

• Security Services and Applications layer: Cisco Security Applications and Third-Party Security Applications, connected through APIs

• Security Services Platform layer: Access Control, Context Awareness, Content Inspection, Application Visibility, Threat Prevention; Cisco APIC APIs, Platform APIs, Cloud Intelligence APIs; delivered as Physical Appliance, Virtual or Cloud

• Infrastructure Element layer: Device API (OpenFlow, OpenStack, REST, YANG); Cisco Networking Operating Systems (Enterprise, Data Center, Service Provider, Cloud); Route–Switch–Compute ASIC Data Plane and Software Data Plane

Page 19: Building a Security Architecture

Cisco Integrated Threat Defense Architecture: Stuff simply works together

Diagram (layered):

• Services layer: Web, Access, NGIPS, Adv. Malware, WAF, SaaS Visibility, Anti-Virus, FPC, NAC, DLP, DDoS, Email, FW/NGFW; Integrated Management

• Analytics layer: Global & Local Threat Intelligence; Raw Data (Cisco + 3rd Party), Threat Research, Analytics Engines

• Enforcement layer: Partnerships and Cisco Portfolio; Network Platforms (Router / Switches / Server), Security Platforms, Cloud Platform (OpenDNS, Email, CWS, Stealthwatch, Defense Orchestrator), Endpoint Platform (AnyConnect, AMP, Umbrella)

• Cross-cutting: Telemetry; Intelligence; Policy Automation, APIs and Controller Integration

Page 20: Building a Security Architecture

Cisco® Collective Security Intelligence: Pervasive across Portfolio

Diagram: Control and Visibility across Web, Endpoints, Devices, Networks, Email and IPS, through Cisco AnyConnect®, FirePOWER, Cisco CWS, Cisco WSA, Cisco ASA and Cisco ESA; arrows labelled Information and Actions

Difference between a paperweight and a NGFW?

Best-of-Breed Global Threat Intelligence Cloud

• 24x7x365 operations

• 40+ languages

• More than US$100 million spent on dynamic research and development

Threat Intel: www.talosintel.com

Page 21: Building a Security Architecture

See the Unseen: Unprecedented Intel Breadth & Depth

Cisco Security Intelligence: Global Visibility, Global Footprint

Headings on the slide: Daily Security Intelligence; Daily Threats Blocked; Deployed Security Devices; Daily Malware Sandbox Reports

Figures on the slide:

• 120TB Security Intelligence

• 1.6M Deployed Devices

• 19.7B Threats Blocked

• 150,000 Micro-applications

• 1,000 Applications

• 93B Daily Email Messages

• 35% Enterprise Email

• 13B Web Requests

• 150M Deployed Endpoints

• 3-5 min Updates

• 5B Daily Email Connections

• 4.5B Daily Email Blocks

• 14M Deployed Access Gateways

• 75,000 FireAMP Updates

• 6,000 New ClamAV Sigs

• 1.1M Sandbox Reports

Page 22: Building a Security Architecture

Cisco Talos Research

Finding Bad Guys,

one 0-day at a time

Page 23: Building a Security Architecture

Prevention: Says easy, Does hard

Criminals only have to find one vuln; Be prepared

Attack Continuum:

• BEFORE: Discover, Enforce, Harden

• DURING: Detect, Block, Defend

• AFTER: Scope, Contain, Remediate

Shared Context & Security Intelligence

Page 24: Building a Security Architecture

The power of a Cisco Security Architecture

A collection of stories

Page 25: Building a Security Architecture

Story 1: Ransomware

Diagram: Alice, the contractor, clicks a link or malvertising → malicious code launches → ransomware payload → malicious infrastructure

Page 26: Building a Security Architecture

How Cisco Protects Customers

Columns: OpenDNS | Next-Gen Firewall | AMP | Lancope

• OpenDNS blocks the DNS request

• NGFW blocks the connection/file

• Web Security w/AMP blocks the file

• AMP for Endpoint blocks the file & communication back to home

• OpenDNS blocks the request

• NGFW blocks the connection

• Lancope detects the activity

Page 27: Building a Security Architecture

OR

Diagram: Bob downloads a malicious email attachment → ransomware payload

Page 28: Building a Security Architecture

OR

Columns: OpenDNS | Email Security | AMP | Lancope

• Email Security w/AMP blocks the file

• AMP for Endpoint blocks the file & communication back to home

Page 29: Building a Security Architecture

Cisco TrustSec: Building block of a true security architecture

• TrustSec is a context-based TAG firewall/access control solution

• Cisco ISE is the central policy engine for TrustSec

• Classification of systems/users based on context (user role, device, location, posture, threat, access method…)

• The context-based classification propagates using SGT tags

• SGTs are used by firewalls, Stealthwatch, routers and switches to make intelligent forwarding or blocking decisions in the DC

Diagram: Users/Device → Switch → Router → DC NGFW → DC Switch → HR Servers (SGT = 4) and Fin Servers (SGT = 10); ISE with Directory performs Classification (e.g. SGT:5); SGT Transport along the path; Enforcement in the DC

Page 30: Building a Security Architecture

© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Architecture: Network & Security working together

Diagram: WLAN Controller, VPN Remote Access and Access Switch connect through a Firewall to the ISE Policy Server; Corp Asset Endpoints on the Corp Network reach Business Data App / Storage

Context collected for the endpoint:

Device Type: Apple Mac

User: Mary

AD Group: Employee

Asset Registration: Yes

Posture: Compliant

Physical Location: Lobby

Policy Mapping SGT: Employee

Firewall Rules:

Source IP | Source SGT | Destination IP | Destination SGT | Service | Action

Any | Employee | Any | Biz Server | HTTPS | Allow

Any | Suspicious | Any | Biz Server | Any | Deny

• Differentiated Network Access based on Context

• Security Group Tag is added to every packet from host

• Massive Firewall rule simplification

• Policy Enforcement regardless of IP address/VLAN

• Accelerated service provisioning

• Consistent policy assignment regardless of access method

Page 31: Building a Security Architecture

Architecture: Rapid Threat Containment

Diagram: WLAN Controller, Access Switch, NGFW and Policy Server; Compromised Endpoint 10.10.10.10 (aa:bb:cc:dd:ee:ff) on the Corp Network; Business Data App / Storage

Quarantine is based on MAC Address, preventing the compromised device from accessing from other locations / access methods

Firewall Rules:

Source IP | Source SGT | Destination IP | Destination SGT | Service | Action

Any | Employee | Any | Biz Server | HTTPS | Allow

Any | Suspicious | Any | Biz Server | Any | Deny

NGFW / Stealthwatch Event: Malware

Source IP: 10.10.10.10/32

Response: Quarantine

Context after the event:

OS Type: Windows 8

User: Mary

AD Group: Employee

Asset Registration: Yes

Posture: Non-Compliant

Physical Location: Lobby

MAC Address: aa:bb:cc:dd:ee:ff

Policy Mapping SGT: Suspicious

PXGRID: EPS Quarantine: 10.10.10.10

Page 32: Building a Security Architecture

Story 2: Security Automation – Dynamic Segmentation


Page 33: Building a Security Architecture

Enabling Network-Wide Identity & Context Sharing: Cisco Platform Exchange Grid – pxGrid

INFRASTRUCTURE FOR A ROBUST SECURITY ECOSYSTEM

• Single framework – develop once, instead of to multiple APIs

• Control what & where context is shared among platforms

• Bi-directional – share and consume context at the same time

• Extremely Scalable

• Integrating with Cisco SDN for broad network control functions

Diagram: pxGrid Context Sharing – Single, Pub/Sub Open Framework; Real-time & Secure; AD shown as one of the connected platforms

Page 34: Building a Security Architecture

Story 3: Security Automation – Rapid Threat Containment

Diagram: Bob connects over VPN through the NGFW

Page 35: Building a Security Architecture

Cisco NGFW cutting-edge Automation: Not your grandma’s NGFW

Context Rich: Creates a host profile internally from ISE pxGrid and 3rd-party host scan data

Impact Assessment: Threat correlation reduces actionable events by up to 99%

Automated Tuning: Adjusts IPS policies automatically based on traffic profile

App Identification you can trust: OpenAppID

Page 36: Building a Security Architecture

Demo

Page 37: Building a Security Architecture

• Breaches will happen. Be Prepared.

Scenario

• Zero-day Malware gets through and infects Bob’s wireless PC and then spreads to a single server in the DC he has access to

• AMP sees the unknown file and sends it to the sandbox

• Malware tries to spread from Bob and the server.

Story 4: Security Retrospection – Scope, contain, remediate

Page 38: Building a Security Architecture

AMP Everywhere: Integrated

Diagram (Cisco Security Architecture): a file from www.website.com passes NGFW/Meraki, AMP Appliance, WSA/CWS, ESA and AMP Endpoint, with threats blocked (X) at each point; the file is sent to the Sandbox; File Retrospection flags it After the fact; Admin manages the whole

Capabilities shown: Web Filtering and Reputation; Security Intelligence; File Type Blocking; Application Visibility & Control; Indicators of Compromise; Traffic Intelligence; File Reputation; Cognitive Threat Analytics; File Retrospection; Roaming User; Reporting; Log Extraction; Management

Actions: Allow, Warn, Block, Partial Block

Page 39: Building a Security Architecture

A New Layer of Breach Protection: Industry’s first recursive DNS Security Solution

Threat Prevention: DNS is common to almost all threats

Protects On & Off Network: Not limited to devices forwarding traffic through on-premise appliances

Partner & Custom Integrations: Block based on malware analysis (Threatgrid, FireEye, etc.)

Block by Domains for All Ports: No added latency

Incredibly easy to POV/Deploy: 30 min deploy time

UMBRELLA & Investigate: DNS Protection and Intel

Page 40: Building a Security Architecture

• The automated software-defined segmentation described earlier drastically limits the attack surface available to the malware to spread

• OpenDNS prevents the C&C connection

• Stealthwatch (flow behavior analytics) alerts on C&C and host lock violation

The Cisco Security Architecture Goes to Work

Page 41: Building a Security Architecture

Network as a Sensor – Host Lock Violation and Suspect Data Loss (Host Lock Violation - CTD)

Diagram: Stores (Wireless POS on a Wireless AP, POS Terminals, C3850 Unified Access, ISR G2 Routers) connect over a Private WAN (trusted) to the Data Center; the Data Center has an ASA Firewall, Card Processor, Hacked Server, StealthWatch FlowCollector, StealthWatch Management Console and Cisco ISE; the Data Center ASA Firewall connects to the Internet and to the Credit Card Processor (Credit Card Processing HTTPS); Updates from POS Server over HTTPS; the Compromised Server talks to Command and Collect on the Public Internet

Page 42: Building a Security Architecture

• Stealthwatch uses pxGrid to have ISE change the SGT to Compromised

• Hosts are now in quarantine and ISE posture assessment can start self-patching

• Within <5 mins AMP returns a malicious verdict on the file. All AMP devices are now alerting and dropping the file. AMP on the endpoint will kill the process and shut down the malware on infected hosts

• All domains discovered by AMP Threat Grid are passed to OpenDNS for blocking, providing an umbrella of threat coverage

• Both AMP and Stealthwatch can be used to investigate and scope the breach

The Cisco Security Architecture Goes to Work
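The pxGrid re-tagging step on this slide, together with the SGT firewall table and the MAC-keyed quarantine on the Rapid Threat Containment slides, modelled as an added Python example (not code from the deck, Cisco, ISE or Stealthwatch; the classification rule, the event fields and the addresses are constructed assumptions):

```python
# Constructed model of the SGT policy flow on the "Network & Security working
# together" and "Rapid Threat Containment" slides. Added illustration only:
# not Cisco code and not the ISE, pxGrid or Stealthwatch APIs.
from dataclasses import dataclass

ANY = "Any"
# Firewall rules as written on the slide, as (src SGT, dst SGT, service, action):
# keyed by Security Group Tag, never by IP address or VLAN.
FIREWALL_RULES = (("Employee", "Biz Server", "HTTPS", "Allow"),
                  ("Suspicious", "Biz Server", ANY, "Deny"))

@dataclass
class Endpoint:
    ip: str
    mac: str
    ad_group: str
    posture: str
    sgt: str = ""  # SGT assigned by the policy engine

class PolicyEngine:
    """Stand-in for the ISE role: classifies endpoints and tracks them by MAC."""
    def __init__(self):
        self.by_mac = {}

    def classify(self, ep):
        # Simplified mapping (assumption): a compliant member of the Employee
        # group gets the Employee tag; anything else is tagged Suspicious.
        ok = ep.ad_group == "Employee" and ep.posture == "Compliant"
        ep.sgt = "Employee" if ok else "Suspicious"
        self.by_mac[ep.mac] = ep
        return ep.sgt

    def quarantine_ip(self, ip):
        # The event names an IP, but quarantine is keyed on the MAC (slide 31),
        # so the tag follows the device across access methods and IP changes.
        ep = next(e for e in self.by_mac.values() if e.ip == ip)
        ep.posture, ep.sgt = "Non-Compliant", "Suspicious"
        return ep.mac

    def reconnect(self, mac, new_ip):
        # Same device, new address (e.g. moving from wireless to VPN).
        self.by_mac[mac].ip = new_ip
        return self.by_mac[mac].sgt

def firewall_decision(src_sgt, dst_sgt, service, rules=FIREWALL_RULES):
    """First matching rule wins; no match is an implicit Deny."""
    for src, dst, svc, action in rules:
        if src in (ANY, src_sgt) and dst in (ANY, dst_sgt) and svc in (ANY, service):
            return action
    return "Deny"

def handle_flow_event(engine, event):
    # Model of the pxGrid path: a flow-analytics Malware event names the source
    # IP, the engine re-tags the device, and no IP-based firewall rule is edited.
    if event.get("event") != "Malware" or event.get("response") != "Quarantine":
        return None
    return engine.quarantine_ip(event["source_ip"].split("/")[0])

def demo():
    engine = PolicyEngine()
    mary = Endpoint("10.10.10.10", "aa:bb:cc:dd:ee:ff", "Employee", "Compliant")
    engine.classify(mary)
    before = firewall_decision(mary.sgt, "Biz Server", "HTTPS")
    # Constructed event mirroring the slide's NGFW/Stealthwatch alert.
    event = {"event": "Malware", "source_ip": "10.10.10.10/32", "response": "Quarantine"}
    handle_flow_event(engine, event)
    during = firewall_decision(mary.sgt, "Biz Server", "HTTPS")
    engine.reconnect(mary.mac, "192.0.2.50")  # constructed VPN-side address
    after_move = firewall_decision(mary.sgt, "Biz Server", "HTTPS")
    return before, during, after_move  # ("Allow", "Deny", "Deny")
```

The third value is the point of the slides: the device keeps its Suspicious tag after changing address, so the same two SGT rules keep blocking it without any IP-based edit.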

Page 43: Building a Security Architecture


When Malware Strikes, Have Answers - AMP

Where did it come from? – Device Trajectory

Who else is infected? – File Trajectory

What is it doing? – File Analysis

How do I stop it? – Automated Remediation

Page 44: Building a Security Architecture

Near Future: Threat Centric NAC: ISE 2.1* – Endpoints based on Incidents and Indicators

Page 45: Building a Security Architecture

ISE Threat Centric NAC

Network as a Sensor and Enforcer, and Integrated Threat Defense

Page 46: Building a Security Architecture

Story 5: Cisco ACI Security

Page 47: Building a Security Architecture

Solving the inline problem elegantly – Service graphs & chaining

Diagram: EPG “Internet” and EPG “Web” are joined through a Service Graph under Contracts in the Application Policy Infrastructure Controller (APIC); NGIPS/NGFW with Advanced Malware Protection is inserted inline; APIC handles Basic configuration and health; FireSIGHT Management Center handles Policy and events and provides Alerts, Network Visibility, Policy Management, Analytics and Remediation; Intelligent Remediation

Page 48: Building a Security Architecture

ASA and Firepower Insertion into ACI

Diagram: VRF1 pod1net with Web EPG (Web host), App EPG (App host) and DB EPG (DB host); NGIPS inserted between tiers; ASA5525 Cluster as Routed L3 FW Context with Dynamic Routing to vPC (GoTo); ASA virtual (ASAv) as Routed L3 FW Context (GoTo); Firepower 7010 as Inline NGIPS (GoThrough); Outside host on the Outside Network via the Outside Router and L3out3; NGFW Cluster at the Fabric Perimeter; ASA DP 1.2.3.4, Firepower DP 1.0.1

Page 49: Building a Security Architecture

So much more I’d like to tell you, so many more use cases

Reach out to your Cisco account team

Page 50: Building a Security Architecture

In Summary

Page 51: Building a Security Architecture

Simple, Effective, Integrated & Open Security

Cisco SecurityLeapfrogging the Market

Page 52: Building a Security Architecture

Our Approach is Unique

Page 53: Building a Security Architecture

Strategy is for amateurs.

Page 54: Building a Security Architecture

Execution is for professionals.

Page 55: Building a Security Architecture

Page 56: Building a Security Architecture

Appendix

Page 57: Building a Security Architecture

Cisco’s Comprehensive Best-of-Breed Security Portfolio

Diagram: a Threat Intelligence and Analytics layer beneath NGFW/NGIPS, Advanced Threat, Policy and Access, Web, Email and Endpoint

Open | Simple | Integrated | Automated

Building Blocks Working Together as an Architecture

Page 58: Building a Security Architecture

Working Together to Create a True Security Architecture

Diagram: Cisco FTD, ASA w/ FP, Cisco Web & Email Security and Cisco NGIPS share Common Identity, Policy and Context Sharing; Malware Prevention / Sandboxing; Context-aware Segmentation; Network Integration; Context Visibility; Remediation; components: Cisco AMP Client, AMP, OpenDNS, TrustSec, ISE, pxGrid, NaaS, NaaE

Cisco: Pervasive & Integrated Across the Portfolio

Page 59: Building a Security Architecture

Pervasive & Integrated Across Cisco

Across the whole Attack Continuum

Attack Continuum: BEFORE – Discover, Enforce, Harden; DURING – Detect, Block, Defend; AFTER – Scope, Contain, Remediate

Visibility-Driven: Network-Integrated, Broad Sensor Base, Context sharing and Automation

Threat-Focused: Continuous Advanced Threat Protection, Cloud-Based Security Intelligence

Integrated: Leading products working together as a system; Built for Scale, Consistent Control, Management

Page 60: Building a Security Architecture

How to Build a Security Architecture: SAFE Simplifies Security – Method Overview

1. Identify your goals

2. Break down your network into manageable pieces

3. Criteria for success of the business (requirements in each PIN/domain)

4. Categorize your Risks, Threats and Policies

5. Build and model the Security Architecture

A. Capabilities Phase

B. Architecture Phase

C. Low-level Design Phase

Format: Whiteboard, Diagrams and/or Presentation

Page 61: Building a Security Architecture

Reference Architectures

Page 62: Building a Security Architecture

ISE 2.1 Feature List

Guest and SSO Enhancements

Microsoft Intune & SCCM Integration

ACS to ISE Migration Features

Smart Licensing

Third party NAD Support

EasyConnect

Streamlined Visibility

Context directory

Customizable Dashboard

Expanded Profiling Capabilities

Threat Centric NAC

TrustSec Workflow Enhancements

TrustSec / ACI Policy Plane Integration

New Posture Compliance Check

Page 63: Building a Security Architecture

Cisco Meraki

Page 64: Building a Security Architecture

Cisco Meraki: Cloud-managed Networks

• Meraki MS: Ethernet Switches

• Meraki SM: Mobile Device Management

• Meraki MR: Wireless LAN

• Meraki MX: Security Appliances

Page 65: Building a Security Architecture

Meraki MX Security Appliances

6 models scaling from small branch to campus / datacenter

Complete networking and security in a single appliance

Feature highlights: Zero-touch site-to-site VPN; WAN optimization; NG firewall; Content filtering; WAN link-bonding; Intrusion Prevention

Future support for:

• AMP

• IPFIX

Page 66: Building a Security Architecture

Systems Manager Mobile Device Management

Device Management controls iOS, Android, Mac, and Windows devices

Cloud-based - no on-site appliances or software, works with any vendor’s network

Free for up to 100 seats

Feature highlights: Centralized app deployment; Device security; Rapid provisioning; Backpack™ file sharing; Asset management

Future support for: AMP, IPFIX

Page 67: Building a Security Architecture

Simplify: Segmenting traffic with SGT – Security Domain Level classifications

Diagram: a “Yellow” Retail Store and a “Blue” Retail Store each connect through their own Retail WAN and 3rd-party supplier to a Core Network (Transit) and on to the Data Centre hosting Retail Apps and Shared Apps; SGACLs enforce at each router

• “Yellow” Retail Router: TAG everything “Yellow”; Allow “Yellow” & “Purple”

• “Blue” Retail Router: TAG everything “Blue”; Allow “Blue” & “Purple”

• DC Router: Tag “Yellow” apps “Yellow”; Tag “Shared” apps “Purple”; Allow yellow to yellow; Allow blue and yellow to purple

Page 68: Building a Security Architecture

Cisco Security Solution Partners: Combined Program – Over 60+ Partners

Combined API Framework and Integration Points

• BEFORE: Policy and Control

• DURING: Identification and Block

• AFTER: Analysis and Remediation

Partner categories: Infrastructure & Mobility; Remediation; Vulnerability Management; SIEM; Visualization; Network Access Taps; Custom Detection; Incident Response; Full Packet Capture; IAM/SSO