DEVNET-1123 CSTA - Cisco Security Technical Alliances, new program for ecosystem built on...


Upload: cisco-devnet

Post on 17-Aug-2015


TRANSCRIPT

Cisco Security Technical Alliances

Douglas Hurd – Technical Alliances

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Security Ecosystem Update

Outline

• CSTA: What is it?

• Why it matters

• Integration points & use cases

• Getting more information

“As the threat from the industrialized hackers grows, new, novel solutions will need to evolve to counteract the threat, so that our customers can defeat the attackers… Open architectures with best-of-breed solution providers are the only way to go. The era of the closed, black-box architectures is dead!”

– John Negron, SVP WW Sales - Cisco Security


Cisco Security Technical Alliances is… an umbrella program covering multiple partner ecosystems in the BU:

• Sourcefire Technology Partner Program

• ISE Ecosystem

• ThreatGrid

• SSP Partners

• Content

• ASA

• AnyConnect


Why you should care: overwhelmed customers?

• Typically use dozens of different security products

• No one does it all. Customers cherry pick.

• Want security products to work together

• Overwhelmed with event data and rely on SIEM

• Integration can spur automation and:
  • Help with policy maintenance
  • Speed response time
  • Reduce time to resolve critical events
  • Reduce TCO


Comprehensive Security Portfolio

IPS & NGIPS
• Cisco IPS 4300 Series
• Cisco ASA 5500-X Series integrated IPS
• FirePOWER NGIPS
• FirePOWER NGIPS w/ Application Control
• FirePOWER Virtual NGIPS

Web Security
• Cisco Web Security Appliance (WSA)
• Cisco Virtual Web Security Appliance (vWSA)
• Cisco Cloud Web Security

Firewall & NGFW
• Cisco ASA 5500-X Series
• Cisco ASA 5500-X w/ NGFW license
• Cisco ASA 5585-X w/ NGFW blade
• FirePOWER NGFW

Advanced Malware Protection
• FireAMP
• FireAMP Mobile
• FireAMP Virtual
• AMP for FirePOWER license
• Dedicated AMP FirePOWER appliance

NAC + Identity Services
• Cisco Identity Services Engine (ISE)
• Cisco Access Control Server (ACS)

Email Security
• Cisco Email Security Appliance (ESA)
• Cisco Virtual Email Security Appliance (vESA)
• Cisco Cloud Email Security

UTM
• Meraki MX

VPN
• Cisco AnyConnect VPN


Integration Points Across the Security Portfolio

• eStreamer API
  • Send FireSIGHT event data to SIEMs

• Host Input API
  • Collect vulnerability and other host info

• Remediation API
  • Programmatic response to third parties from FireSIGHT

• JDBC Database Access API
  • Supports queries from other applications

• pxGrid
  • Bi-directional context sharing framework for ISE, ecosystem partners

• MDM API
  • Enables 3rd party MDM partners to make mobile device posture part of ISE access policy

• External Restful Services (ERS)
  • Adds 3rd party asset data to ISE inventory database

• ThreatGrid API
  • Hand off suspicious files for analysis
  • Automate submission of files for analysis / create custom or batch threat feeds

• SSA
  • Cisco and third party applications in service chain configuration

• Management API for ASA
  • Third party management of ASA, policy auditing

• Other Integration Points
  • Cloud, ESA, WSA, AnyConnect

Cisco Security is committed to an extensible product portfolio because it helps our customers deploy the best possible defense.


CSTA Ecosystem Partners – Fire, ISE & More


eStreamer Explained – FireSIGHT Management Center

• Secure and efficient mechanism for moving event data from the Defense Center to another platform

• Provides access to detailed event information including meta data

• Used by the majority of Sourcefire customers

• Backwards compatible

[Diagram: Device → Defense Center → eStreamer Client → SIEM / Analytics Platform]


eStreamer, Syslog & CEF – FireSIGHT Management Center

                      Syslog               CEF 2.0              eStreamer
Data format           Unstructured, text   Unstructured, text   Structured, binary
Protocol              UDP                  UDP                  TCP
Secure                Unsecure             Secure with TLS      Secure
Delivery              Not acknowledged     Not acknowledged     Acknowledged
Packet data           No                   No                   Yes
Request-able          No                   No                   Yes
Extra data            No                   Some                 Yes
Flow records          No                   No                   Yes


Host Input API – FireSIGHT Management Center

Augment FireSIGHT database with third party data:

→ Vulnerability and OS info from active scanners

→ Enhance Impact Flag correlation

→ Populate existing or custom data fields
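The Impact Flag point above, as an added worked example (not code from the slides or from Cisco): scanner output merged into a host table changes the flag an intrusion event receives. The impact levels are the ones FireSIGHT documents publicly (assumed here, not stated on the slide); the host fields, CVE placeholders and scan record format are constructed for illustration.

```python
# Added example, not from the slides: third-party scanner data merged into the host
# database (what the Host Input API enables) changes the Impact Flag an intrusion event
# receives. Impact levels follow the publicly documented FireSIGHT scale (assumed here):
# 1 vulnerable, 2 potentially vulnerable, 3 currently not vulnerable, 4 unknown target.
from dataclasses import dataclass, field

@dataclass
class HostRecord:
    ip: str
    os: str = ""
    open_ports: set = field(default_factory=set)
    vulns: set = field(default_factory=set)     # CVE ids reported by a scanner

@dataclass
class IntrusionEvent:
    dst_ip: str
    dst_port: int
    cve: str                                    # vulnerability the signature targets

def impact_flag(event: IntrusionEvent, hosts: dict) -> int:
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4    # unknown target: no host profile at all
    if event.cve in host.vulns:
        return 1    # vulnerable: scanner confirmed this CVE on the host
    if event.dst_port in host.open_ports:
        return 2    # potentially vulnerable: service listening, exposure not confirmed
    return 3        # currently not vulnerable: nothing listening on the targeted port

def host_input_import(hosts: dict, scan_results: list) -> None:
    """Merge scanner output into the host database, creating hosts as needed."""
    for rec in scan_results:
        host = hosts.setdefault(rec["ip"], HostRecord(ip=rec["ip"]))
        host.os = rec.get("os", host.os)
        host.open_ports.update(rec.get("ports", []))
        host.vulns.update(rec.get("cves", []))

# Constructed sample data; the CVE ids are placeholders, not real identifiers.
SCAN = [{"ip": "10.1.1.5", "os": "Linux 3.x", "ports": [80], "cves": ["CVE-0000-0001"]},
        {"ip": "10.1.1.9", "os": "Windows", "ports": [445], "cves": []}]
EVENTS = [IntrusionEvent("10.1.1.5", 80, "CVE-0000-0001"),
          IntrusionEvent("10.1.1.9", 445, "CVE-0000-0002"),
          IntrusionEvent("10.1.1.77", 25, "CVE-0000-0003")]

def demo() -> tuple:
    hosts = {"10.1.1.5": HostRecord("10.1.1.5", "Linux", {22, 80})}
    before = [impact_flag(e, hosts) for e in EVENTS]    # only one host is known yet
    host_input_import(hosts, SCAN)
    after = [impact_flag(e, hosts) for e in EVENTS]     # flags sharpen after the import
    return before, after    # ([2, 4, 4], [1, 2, 4])
```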


Remediation API – FireSIGHT Management Center

Initiated by user defined correlation rules. Configure alerts and actions based on rules; can involve most kinds of events.

→ Support single or multiple conditions, i.e., time of day, source IP, type of event, user ID

Remediation can include executing a Perl script that parses event data fields for external consumption. Many possibilities:

→ Make a policy change

→ Use NAC to disconnect an IP

→ Initiate a digital forensics process
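The rule-plus-remediation flow above, as an added example (not from the slides, and in Python rather than the Perl the slide mentions): a correlation rule with several conditions is evaluated over constructed events, and the remediation step parses the matching event's fields into JSON for an external system. The rule format, event field names and payload shape are assumptions.

```python
# Added example, not from the slides: a user-defined correlation rule with several
# conditions (time of day, source IP, event type, user ID) and the remediation step
# that parses the matching event's fields for an external system. Field names, the
# rule format and the JSON shape are assumptions for illustration.
import ipaddress
import json
from datetime import datetime

# Constructed rule: every condition must hold for the remediation to fire.
RULE = {"name": "after-hours-malware-from-guest-net", "event_type": "malware",
        "source_net": "10.20.0.0/16",        # guest network
        "hours": (18, 6),                    # 18:00 to 06:00 next day (wraps midnight)
        "exclude_users": {"svc-scanner"},    # authorised scanner account
        "remediation": "nac_quarantine"}

def in_hours(ts: datetime, window: tuple) -> bool:
    start, end = window
    if start <= end:
        return start <= ts.hour < end
    return ts.hour >= start or ts.hour < end     # window crosses midnight

def rule_matches(rule: dict, ev: dict) -> bool:
    return (ev["event_type"] == rule["event_type"]
            and ipaddress.ip_address(ev["src_ip"]) in ipaddress.ip_network(rule["source_net"])
            and in_hours(datetime.fromisoformat(ev["timestamp"]), rule["hours"])
            and ev.get("user_id") not in rule["exclude_users"])

def remediate(rule: dict, ev: dict) -> str:
    """Pick the event fields the external system needs and emit them as JSON."""
    payload = {"action": rule["remediation"], "rule": rule["name"],
               "target_ip": ev["src_ip"], "user": ev.get("user_id"),
               "reason": f'{ev["event_type"]}:{ev["signature"]}',
               "event_time": ev["timestamp"]}
    return json.dumps(payload, sort_keys=True)

def process(events: list, rule: dict = RULE) -> list:
    """Return one remediation payload per event the rule fires on."""
    return [remediate(rule, ev) for ev in events if rule_matches(rule, ev)]

# Constructed sample events: only the first one satisfies every condition.
EVENTS = [
    {"timestamp": "2015-06-09T23:15:00", "event_type": "malware", "src_ip": "10.20.4.7",
     "user_id": "jdoe", "signature": "Trojan.Generic"},
    {"timestamp": "2015-06-09T23:20:00", "event_type": "malware", "src_ip": "10.20.4.8",
     "user_id": "svc-scanner", "signature": "Trojan.Generic"},    # excluded user
    {"timestamp": "2015-06-09T11:00:00", "event_type": "malware", "src_ip": "10.20.4.9",
     "user_id": "asmith", "signature": "Trojan.Generic"},         # business hours
    {"timestamp": "2015-06-09T23:30:00", "event_type": "intrusion", "src_ip": "10.20.4.10",
     "user_id": "bjones", "signature": "1:2000"},                 # wrong event type
]
```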


JDBC Database Access Explained – FireSIGHT Management Center

• Query all EVENT data: intrusion, and also discovery, user activity, correlation, connection, vulnerability, and application and URL statistics databases

• Query all HOST data

• Enables 3rd party reporting and analytics including visualization


Integration Points for ISE (Cisco Identity Services Engine)

• MDM API – Enables 3rd party MDM partners to make mobile device posture part of ISE access policy

• External Restful Services (ERS) – Adds 3rd party asset data to ISE inventory database

• pxGrid – Bi-directional context sharing framework for ISE, ecosystem partners

Cisco ISE is an open ecosystem for ERS and pxGrid integration with information posted on DevNet.

MDM/EMM integration is by application only. To apply, reach out to: [email protected]


[Diagram: Cisco ISE as pxGrid controller. Around it sit partner platforms, each stating what it has and what it needs: “I have identity & device! I need geo-location & MDM…”; “I have application info! I need location & device-type”; “I have location! I need app & identity…”; “I have sec events! I need identity & device…”; “I have MDM info! I need location…”. Each platform publishes its context and discovers topics; ISE authorizes the exchange, which then runs as a continuous flow or a directed query over pxGrid context sharing.]

pxGrid: Partners Connecting to Cisco Security Platforms… and to Other Partners

Authenticate, Authorize, Publish, Discover, Subscribe, Query
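The controller role in the diagram above, as an added example (not from the slides and not the pxGrid SDK): a small in-memory model in which clients authenticate, are authorized per topic, publish the context they have, discover topics, subscribe for a continuous flow, and run a directed query. Client names, topic names, secrets and the ACL are constructed.

```python
# Added example, not from the slides and not the pxGrid SDK: a minimal model of the grid
# controller role the diagram gives to ISE. Clients authenticate, are authorized per
# topic, publish the context they have, discover topics, subscribe for a continuous
# flow, or run a directed query. Names, secrets and the ACL below are constructed.
from collections import defaultdict

class GridController:
    def __init__(self, creds: dict, acl: dict):
        self.creds, self.acl = creds, acl        # client -> secret; client -> {"pub"/"sub": topics}
        self.sessions, self.topics = set(), {}   # authenticated clients; topic -> publisher
        self.subs = defaultdict(set)             # topic -> subscribers (continuous flow)
        self.latest = {}                         # topic -> last published context (directed query)
        self.inbox = defaultdict(list)           # subscriber -> delivered (topic, context)
    def authenticate(self, client: str, secret: str) -> bool:
        if self.creds.get(client) != secret:
            return False
        self.sessions.add(client)
        return True
    def _allowed(self, client: str, topic: str, right: str) -> bool:
        # Authorize: only authenticated clients, and only the rights the ACL grants.
        return client in self.sessions and topic in self.acl.get(client, {}).get(right, ())
    def publish(self, client: str, topic: str, context: dict) -> int:
        # Registers the topic under its publisher and fans out; returns deliveries, -1 if denied.
        if not self._allowed(client, topic, "pub"):
            return -1
        self.topics[topic], self.latest[topic] = client, context
        for sub in self.subs[topic]:
            self.inbox[sub].append((topic, context))
        return len(self.subs[topic])
    def discover(self, client: str) -> list:
        return sorted(t for t in self.topics if self._allowed(client, t, "sub"))
    def subscribe(self, client: str, topic: str) -> bool:
        if not self._allowed(client, topic, "sub"):
            return False
        self.subs[topic].add(client)
        return True
    def query(self, client: str, topic: str):
        return self.latest.get(topic) if self._allowed(client, topic, "sub") else None

def demo() -> tuple:
    ctl = GridController({"ise": "k1", "siem": "k2", "mdm": "k3"},
                         {"ise": {"pub": {"identity-device"}, "sub": {"mdm-posture"}},
                          "mdm": {"pub": {"mdm-posture"}}, "siem": {"sub": {"identity-device"}}})
    for client, key in [("ise", "k1"), ("siem", "k2"), ("mdm", "k3")]:
        ctl.authenticate(client, key)
    ctl.subscribe("siem", "identity-device")     # SIEM: "I need identity & device"
    ctl.subscribe("mdm", "identity-device")      # no subscribe right in the ACL: denied
    delivered = ctl.publish("ise", "identity-device", {"ip": "10.1.1.6", "user": "asmith"})
    denied = ctl.publish("siem", "identity-device", {})       # SIEM holds no publish right
    return ctl.discover("siem"), delivered, denied, ctl.query("ise", "mdm-posture"), ctl.inbox["siem"]
```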


Why Customers Care

Cisco pxGrid Context-Sharing & Network Mitigation – Connecting Partners to Cisco Security Platforms

[Diagram with three panels:

1. Cisco provides network context to customer IT platforms: Cisco shares user/device & network context with IT infrastructure (Cisco platform → context → eco-partner).

2. Use eco-partner context for Cisco network policy for customers: Cisco receives context from eco-partners to make better network access policy (eco-partner → context → Cisco platform).

3. Help customer IT environments reach into the Cisco network: eco-partner → Cisco platform → Cisco network, action: mitigate.]

• Puts “Who, What Device, What Access” with events. Way better than just IP addresses!

• Creates a single place for comprehensive network access policy thru integration

• Decreases time, effort and cost to responding to security and network events


pxGrid – Industry Adoption Critical Mass as of June 2015: 18 Partner Platforms and 9 Technology Areas Since Release 7 Months Ago

[Diagram: pxGrid (“Security thru Integration”) at the centre, surrounded by the technology areas Vulnerability Assessment; Packet Capture & Forensics; SIEM & Threat Defense; IAM & SSO; Net/App Performance; IoT Security; Cloud Access Security; the Cisco platforms Cisco ISE and Cisco WSA; and a “?” placeholder for the next area.]


Integration Points Across the Security Portfolio – ThreatGrid, Cisco AnyConnect

• ThreatGrid API – Hand off suspicious files for analysis

• AnyConnect SDK – VPN client provisioning and configuration for mobile and traditional compute

ThreatGrid and AnyConnect ecosystems are specific-purpose and by application only.

If you have an integration idea, reach out to: [email protected]


Advanced Malware Protection – ThreatGrid: ThreatGrid APIs

Cisco® AMP Threat Grid’s REST API automates sample analysis, enrichment and reporting

− Automate submission from numerous technologies (host or network)

− Pull results into numerous technologies

[Diagram: Threat Grid (malware analysis & threat intelligence) in the centre, exchanging samples and results with your existing security: threat content enrichment, threat intelligence feeds, firewall, network taps, SIEM / log mgmt, security partners, endpoint security, gateway/proxy, IPS/IDS. Get the most from existing security investments.]


Security Services Architecture

[Diagram: Security Services Architecture (SSA), a common architecture across virtual, physical and cloud, runs on the Security Services Platform (SSP): platforms that run SSA and applications.]


Security Services Platform (SSP)

[Diagram: Existing solution – a chain of separate boxes: sandbox appliance x1, load balancer x1, IDS/IPS x4, NAT x2, NG-Firewall x2, web proxy x4. New solution – a single Security Services Platform.]


Security Services Architecture (SSA)

[Diagram: SSA OS hosting the service applications FW, IPS, WEB, WAF, DDOS, SSL]


Check Out Related DevNet Security Sessions

• Cisco pxGrid Developers Learning Lab – in the DevNet Zone

• DEVNET-1123 - CSTA - Cisco Security Technical Alliances Overview – Tuesday, Jun 9, 2:00 PM - 2:30 PM

• DEVNET-1124 - Cisco pxGrid: A New Architecture for Security Platform Integration – Tuesday, Jun 9, 3:00 PM - 3:30 PM

• DEVNET-1010 - Using Cisco pxGrid for Security Platform Integration – Thursday, Jun 11, 9:00 AM - 10:00 AM


For More Information…

• DevNet Microsites: https://developer.cisco.com/security

• pxGrid SDK, Tutorials & Test Tools: http://cisco.com/go/pxgrid

• Forums: https://supportforums.cisco.com/community/4561/security

• CSTA Partner Listing for Customers: http://www.cisco.com/c/en/us/products/security/partner-ecosystem.html

Thank you


CSTA Partners at Cisco Live US 2015

Stand 2223: FireSIGHT Remediation API sends F5 host target information for real-time blocking

Stand 2501:‘Packet Broker’ helps with many traffic visibility, maintenance and high availability architectures

Stand 3128: Integrates with ISE. Provides important mobile device posture information

Stand 1035: Integrates with ASA. Collects policy information for security risk modeling, change control, audit and compliance

Stand 1624, Partner Village: pxGrid, end point posture information and transaction data from ISE

Stand 1624, Partner Village: SIEM and analytics platform. Collects data from FireSIGHT via eStreamer, and from ISE, WSA, and ASA through syslog


CSTA Partners at Cisco Live US 2015

Stand 1301: ‘Packet Broker’ helps with many traffic visibility, maintenance and high availability architectures

Stand 1524 : Integrates with ASA. Collects policy information for security risk modeling, change control, audit and compliance

Stand 2319: SIEM and analytics platform. Collects data from FireSIGHT via eStreamer, and from ISE, WSA, CSA, ASA and ThreatGrid through syslog

Stand 2211: Full packet capture and session analysis. Integrates with FireSIGHT via community patch extending IPS event analysis

Stand 3405: FireSIGHT’s Host Input API collects vulnerability report to augment threat data


CSTA Partners at Cisco Live US 2015

Stand 2517: ‘Packet Broker’ helps with many traffic visibility, maintenance and high availability architectures

Stand 3300: ‘Packet Broker’ helps with many traffic visibility, maintenance and high availability architectures

Stand 1324: Integrates with ASA. Collects policy information for security risk modeling, change control, audit and compliance (al)

Stand 2023: Infrastructure, Load balancing and FireSIGHT Remediation API


Alliance Components and Expertise

Integration Area   Expert               Time Zone   Email
All                                                 ask-csta-pm
ISE/pxGrid         Scott Pope           San Jose    scottp
ISE/pxGrid         Brian Gonsalves      San Jose    bgonsalv
SSA                Chris Morosco        San Jose    group.cmorosco
ThreatGRID         Dan Franklin         New York    dafrankl
Cloud              Jasper Chan          San Jose    jaspchan
FireSIGHT MC       Douglas Hurd         New York    dohurd
Competitive Eco    Shyue Hong Chuang    Singapore   schuang
