devnet-1123csta - cisco security technical alliances, new program for ecosystem built on...
TRANSCRIPT
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public. Cisco Security Ecosystem Update
Outline
• CSTA: What is it?
• Why it matters
• Integration points & use cases
• Getting more information
"As the threat from the industrialized hackers grows, new, novel solutions will need to evolve to counteract the threat, so that our customers can defeat the attackers… open architectures with best of breed solution providers is the only way to go. The era of the closed, black box architectures is dead!"
John Negron, SVP WW Sales, Cisco Security
Cisco Security Technical Alliances is… an umbrella program covering multiple partner ecosystems in the BU:
• Sourcefire Technology Partner Program
• ISE Ecosystem
• ThreatGrid
• SSP Partners
• Content
• ASA
• AnyConnect
Why you should care: overwhelmed customers?
• Typically use dozens of different security products
• No one does it all. Customers cherry pick.
• Want security products to work together
• Overwhelmed with event data and rely on SIEM
• Integration can spur automation and…
  • Help with policy maintenance
  • Speed response time
  • Reduce time to resolve critical events
  • Reduce TCO
Comprehensive Security Portfolio
IPS & NGIPS
• Cisco IPS 4300 Series
• Cisco ASA 5500-X Series integrated IPS
• FirePOWER NGIPS
• FirePOWER NGIPS w/ Application Control
• FirePOWER Virtual NGIPS
Web Security
• Cisco Web Security Appliance (WSA)
• Cisco Virtual Web Security Appliance (vWSA)
• Cisco Cloud Web Security
Firewall & NGFW
• Cisco ASA 5500-X Series
• Cisco ASA 5500-X w/ NGFW license
• Cisco ASA 5585-X w/ NGFW blade
• FirePOWER NGFW
Advanced Malware Protection
• FireAMP
• FireAMP Mobile
• FireAMP Virtual
• AMP for FirePOWER license
• Dedicated AMP FirePOWER appliance
NAC + Identity Services
• Cisco Identity Services Engine (ISE)
• Cisco Access Control Server (ACS)
Email Security
• Cisco Email Security Appliance (ESA)
• Cisco Virtual Email Security Appliance (vESA)
• Cisco Cloud Email Security
UTM
• Meraki MX
VPN
• Cisco AnyConnect VPN
Integration Points Across the Security Portfolio
• eStreamer API: send FireSIGHT event data to SIEMs
• Host Input API: collect vulnerability and other host info
• Remediation API: programmatic response to third parties from FireSIGHT
• JDBC Database Access API: supports queries from other applications
• pxGrid: bi-directional context sharing framework for ISE and ecosystem partners
• MDM API: enables 3rd party MDM partners to make mobile device posture part of ISE access policy
• External RESTful Services (ERS): adds 3rd party asset data to the ISE inventory database
• ThreatGrid API: hand off suspicious files for analysis; automate submission of files for analysis and create custom or batch threat feeds
• SSA: Cisco and third party applications in a service chain configuration
• Management API for ASA: third party management of ASA, policy auditing
• Other integration points: Cloud, ESA, WSA, AnyConnect
Cisco Security is committed to an extensible product portfolio because it helps our customers deploy the best possible defense.
CSTA Ecosystem Partners – Fire, ISE & More
eStreamer Explained (FireSIGHT Management Center)
• Secure and efficient mechanism for moving event data from the Defense Center to another platform
• Provides access to detailed event information including metadata
• Used by the majority of Sourcefire customers
• Backwards compatible
Data flow: Device → Defense Center → eStreamer client → SIEM / analytics platform
eStreamer, Syslog & CEF (FireSIGHT Management Center)

                 Syslog               CEF 2.0              eStreamer
Data format      Unstructured, text   Unstructured, text   Structured, binary
Protocol         UDP                  UDP                  TCP
Secure           Unsecure             Secure with TLS      Secure
Delivery         Not acknowledged     Not acknowledged     Acknowledged
Packet           No                   No                   Yes
Request-able     No                   No                   Yes
Extra data       No                   Some                 Yes
Flow records     No                   No                   Yes
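The practical consequence of the "unstructured, text" row is that a SIEM collector has to parse syslog/CEF output itself, and CEF has escaping rules that a naive split on "|" or "=" gets wrong. The following is an added example written for this page, not Cisco or FireSIGHT code: a small CEF parser that honours the header escapes (\| and \\) and value escapes (\= and \\), tolerates a syslog prefix, and drops non-CEF lines. The sample lines, the vendor and product names and the signature ID in them are constructed for the example and are not real FireSIGHT output. The binary eStreamer protocol is not shown; it needs the eStreamer SDK.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input (not real FireSIGHT output): a syslog-wrapped CEF line
# with an escaped pipe in the Name field and an escaped '=' in msg, followed by
# a non-CEF line that arrives on the same collector port.
SAMPLE_LINES = [
    "<13>Jun  9 14:02:11 fmc-lab CEF:0|ExampleVendor|ExampleNGIPS|5.4|1:1000001|"
    "Constructed sig \\| with pipe|7|src=10.1.2.3 dst=192.0.2.44 dpt=445 "
    "act=Blocked msg=payload matched a\\=b rt=1433858531000",
    "<13>Jun  9 14:02:12 fmc-lab plain syslog text, not CEF",
]

@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extensions: Dict[str, str] = field(default_factory=dict)

# a key is a run of identifier characters followed by '=' at the start of the
# extension or after whitespace; an escaped '\=' inside a value never matches
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")

def _unescape(value: str) -> str:
    """Undo CEF value escaping: backslash before '\\', '=', '|', and \\n / \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v2 ...'. Values may contain spaces, so each value runs
    until the next ' key=' boundary."""
    out: Dict[str, str] = {}
    keys = list(_EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end])
    return out

def parse_cef(line: str) -> Optional[CefEvent]:
    """Parse one syslog line carrying a CEF payload; return None for non-CEF lines.
    The seven header fields are pipe-delimited with '\\|' and '\\\\' escapes, so
    they are scanned character by character instead of split on '|'."""
    start = line.find("CEF:")
    if start < 0:
        return None
    s = line[start + 4:].rstrip("\r\n")
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(s) and len(fields) < 7:
        c = s[i]
        if c == "\\" and i + 1 < len(s):   # escaped character: keep it literally
            cur.append(s[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header: %r" % line)
    return CefEvent(*fields, extensions=parse_extension(s[i:]))

def parse_cef_lines(lines) -> List[CefEvent]:
    """Collector loop: keep the CEF events, drop everything else."""
    return [ev for ev in (parse_cef(l) for l in lines) if ev is not None]

if __name__ == "__main__":
    for ev in parse_cef_lines(SAMPLE_LINES):
        print(ev.signature_id, ev.name, ev.severity, ev.extensions)
```

Because syslog is UDP and unacknowledged (see the Delivery row), a collector built on this parser should also count lines it could not parse rather than silently dropping them; a rising count is the only signal that events are being lost or truncated in transit.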
Host Input API (FireSIGHT Management Center)
Augment the FireSIGHT database with third-party data:
→ Vulnerability and OS info from active scanners
→ Enhance Impact Flag correlation
→ Populate existing or custom data fields
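Why scanner data changes impact correlation is easier to see in code than in the bullets. The example below is added here and is not Cisco code or the Host Input API's own format: it keeps a host table, merges constructed scanner findings into it the way a Host Input import would, and rates the same intrusion events before and after the import. The four impact levels are modeled on FireSIGHT's numbering (1 vulnerable through 4 unknown target) but the decision logic is a simplified assumption, and the hosts, scan rows and event fields are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Impact levels modeled on FireSIGHT's numbering; the decision rules below are a
# simplified assumption for the example, not the product's algorithm.
IMPACT_VULNERABLE = 1        # target known to carry a vulnerability the rule references
IMPACT_POTENTIALLY = 2       # target OS or listening port fits the attack, no confirmed vuln
IMPACT_NOT_VULNERABLE = 3    # target known and does not fit the attack
IMPACT_UNKNOWN_TARGET = 4    # target not in the host database at all

@dataclass
class HostRecord:
    ip: str
    os: Optional[str] = None                                # fingerprinted or scanner-reported OS
    services: Dict[int, str] = field(default_factory=dict)  # port -> service
    vulns: Set[str] = field(default_factory=set)            # CVE ids known for this host

@dataclass
class IntrusionEvent:
    dst_ip: str
    dst_port: int
    cves: Set[str]        # CVEs the rule references
    target_os: Set[str]   # OS families the exploit targets

def impact_level(ev: IntrusionEvent, hosts: Dict[str, HostRecord]) -> int:
    host = hosts.get(ev.dst_ip)
    if host is None:
        return IMPACT_UNKNOWN_TARGET
    if ev.cves & host.vulns:
        return IMPACT_VULNERABLE
    port_open = ev.dst_port in host.services
    os_fits = host.os is not None and any(t.lower() in host.os.lower() for t in ev.target_os)
    if port_open or os_fits:
        return IMPACT_POTENTIALLY
    return IMPACT_NOT_VULNERABLE

def apply_scan_results(hosts: Dict[str, HostRecord], scan_rows: List[dict]) -> Dict[str, HostRecord]:
    """Host Input-style augmentation: merge third-party scanner findings (OS, open
    services, CVEs) into the host table, creating hosts the sensor never saw."""
    for row in scan_rows:
        h = hosts.setdefault(row["ip"], HostRecord(ip=row["ip"]))
        if row.get("os"):
            h.os = row["os"]
        h.services.update(row.get("services", {}))
        h.vulns.update(row.get("cves", ()))
    return hosts

# Constructed sample data. Passive discovery saw two hosts; the scanner later
# confirms a CVE on one of them and reports a third host the sensor never observed.
PASSIVE_HOSTS = {
    "10.0.0.5": HostRecord("10.0.0.5", os="Windows Server 2008", services={445: "smb"}),
    "10.0.0.9": HostRecord("10.0.0.9", os="Linux 3.x", services={22: "ssh"}),
}
SCAN_RESULTS = [
    {"ip": "10.0.0.5", "cves": {"CVE-2008-4250"}},
    {"ip": "10.0.0.23", "os": "Windows 7", "services": {445: "smb"}},
]
EVENTS = [
    IntrusionEvent("10.0.0.5", 445, {"CVE-2008-4250"}, {"Windows"}),   # SMB exploit at a Windows host
    IntrusionEvent("10.0.0.9", 445, {"CVE-2008-4250"}, {"Windows"}),   # same exploit at a Linux host
    IntrusionEvent("10.0.0.23", 445, {"CVE-2008-4250"}, {"Windows"}),  # host unknown until the scan
]

def demo() -> List[Tuple[int, int]]:
    """Return (before, after) impact levels per event to show what the import changes."""
    hosts = {ip: HostRecord(h.ip, h.os, dict(h.services), set(h.vulns))
             for ip, h in PASSIVE_HOSTS.items()}
    before = [impact_level(e, hosts) for e in EVENTS]
    apply_scan_results(hosts, SCAN_RESULTS)
    after = [impact_level(e, hosts) for e in EVENTS]
    return list(zip(before, after))

if __name__ == "__main__":
    for ev, (b, a) in zip(EVENTS, demo()):
        print(ev.dst_ip, "impact before scan:", b, "after:", a)
```

The first event moves from "potentially vulnerable" to "vulnerable" once the scanner confirms the CVE, and the third moves from "unknown target" to "potentially vulnerable" because the scanner added a host the sensor never saw; the Linux host stays "not vulnerable" throughout. That shift is what lets an analyst triage on impact rather than on raw alert volume.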
Remediation API (FireSIGHT Management Center)
Initiated by user-defined correlation rules. Configure alerts and actions based on rules; can involve most kinds of events.
→ Supports single or multiple conditions, e.g. time of day, source IP, type of event, user ID
Remediation can include executing a Perl script that parses event data fields for external consumption. Many possibilities:
→ Make a policy change
→ Use NAC to disconnect an IP
→ Initiate a digital forensics process
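The correlation-rule-to-remediation path above, as an added example that is not Cisco code and does not use FireSIGHT's rule or remediation module syntax: a rule is a list of (field, operator, argument) conditions combined with all/any, and each remediation is a function that receives the event fields and returns the action handed to the external system (a NAC quarantine request and a JSON forensics ticket). The rule, the operator names and the login events are constructed for the example; the time-of-day operator handles a window that crosses midnight, which is the case a naive start <= t <= end comparison gets wrong.

```python
import ipaddress
import json
from datetime import datetime, time
from typing import Any, Callable, Dict, List

def _between_times(value: datetime, window) -> bool:
    """Time-of-day window; handles windows that cross midnight (22:00-06:00)."""
    start, end = window
    t = value.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

# condition operators (constructed names, not FireSIGHT's)
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda v, arg: v == arg,
    "in": lambda v, arg: v in arg,
    "in_cidr": lambda v, arg: ipaddress.ip_address(v) in ipaddress.ip_network(arg),
    "not_in_cidr": lambda v, arg: ipaddress.ip_address(v) not in ipaddress.ip_network(arg),
    "time_between": _between_times,
}

def rule_matches(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate every (field, operator, argument) condition; 'match' selects all/any."""
    results = []
    for fld, op, arg in rule["conditions"]:
        if fld not in event:
            results.append(False)      # a missing field never satisfies a condition
            continue
        results.append(OPERATORS[op](event[fld], arg))
    return all(results) if rule.get("match", "all") == "all" else any(results)

# remediations: each receives the event fields and returns the external action
def quarantine_source(event):
    """NAC-style disconnect request for the offending source address."""
    return {"action": "quarantine", "ip": event["src_ip"], "reason": event["rule"]}

def forensics_ticket(event):
    """Select fields and serialize them for an external forensics queue."""
    keep = ("time", "src_ip", "user", "event_type", "rule")
    return {"action": "forensics",
            "payload": json.dumps({k: str(event[k]) for k in keep}, sort_keys=True)}

REMEDIATIONS = {"quarantine_source": quarantine_source, "forensics_ticket": forensics_ticket}

def run_rule(rule, event) -> List[Dict[str, Any]]:
    """Return the actions triggered for one event (empty when the rule does not fire)."""
    if not rule_matches(rule, event):
        return []
    tagged = dict(event, rule=rule["name"])
    return [REMEDIATIONS[name](tagged) for name in rule["remediations"]]

# Constructed rule and events: privileged logins from outside the corporate
# range during the night window trigger both remediations.
RULE = {
    "name": "off-hours privileged login from outside",
    "match": "all",
    "conditions": [
        ("event_type", "equals", "user_login"),
        ("user", "in", {"admin", "root"}),
        ("src_ip", "not_in_cidr", "10.0.0.0/8"),
        ("time", "time_between", (time(22, 0), time(6, 0))),
    ],
    "remediations": ["quarantine_source", "forensics_ticket"],
}
EVENTS = [
    {"time": datetime(2015, 6, 9, 2, 30), "event_type": "user_login", "user": "admin", "src_ip": "203.0.113.9"},
    {"time": datetime(2015, 6, 9, 14, 0), "event_type": "user_login", "user": "admin", "src_ip": "203.0.113.9"},
    {"time": datetime(2015, 6, 9, 2, 30), "event_type": "user_login", "user": "admin", "src_ip": "10.4.4.4"},
    {"time": datetime(2015, 6, 9, 2, 30), "event_type": "user_login", "user": "jdoe", "src_ip": "203.0.113.9"},
    {"time": datetime(2015, 6, 9, 23, 59), "event_type": "user_login", "user": "root", "src_ip": "198.51.100.7"},
    {"time": datetime(2015, 6, 9, 6, 0), "event_type": "user_login", "user": "root", "src_ip": "198.51.100.7"},
]

def demo() -> List[List[str]]:
    """Action names fired per event, in EVENTS order."""
    return [[a["action"] for a in run_rule(RULE, ev)] for ev in EVENTS]

if __name__ == "__main__":
    for ev, actions in zip(EVENTS, demo()):
        print(ev["src_ip"], ev["user"], ev["time"].time(), "->", actions or "no action")
```

Note that a remediation that disconnects an IP acts on whatever the event carried, so a rule keyed only on source IP will also quarantine a NAT gateway or a shared address; combining the IP condition with the user condition, as the rule above does, is the cheap way to limit that blast radius.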
JDBC Database Access Explained (FireSIGHT Management Center)
• Query all EVENT data
• Query all HOST data
• Also intrusion, discovery, user activity, correlation, connection, vulnerability, and application and URL statistics databases
• Enables 3rd party reporting and analytics including visualization
Integration Points for ISE (Cisco Identity Services Engine)
• MDM API: enables 3rd party MDM partners to make mobile device posture part of ISE access policy
• External RESTful Services (ERS): adds 3rd party asset data to the ISE inventory database
• pxGrid: bi-directional context sharing framework for ISE and ecosystem partners
Cisco ISE is an open ecosystem for ERS and pxGrid integration with information posted on DevNet.
MDM/EMM integration is by application only. To apply, reach out to: [email protected]
pxGrid: Partners Connecting to Cisco Security Platforms… and to Other Partners
Cisco ISE acts as the pxGrid controller. Operations: Authenticate, Authorize, Publish, Discover Topic, Subscribe, Query; context moves either as a continuous flow or as a directed query.
Context exchanges shown in the diagram:
• "I have identity & device! I need geo-location & MDM…"
• "I have application info! I need location & device-type"
• "I have location! I need app & identity…"
• "I have sec events! I need identity & device…"
• "I have MDM info! I need location…"
WHY CUSTOMERS CARE
Cisco pxGrid Context-Sharing & Network Mitigation: Connecting Partners to Cisco Security Platforms
1. Cisco provides network context to customer IT platforms: Cisco shares user/device & network context with IT infrastructure (Cisco platform → eco-partner: context)
2. Use eco-partner context for Cisco network policy for customers: Cisco receives context from eco-partners to make better network access policy (eco-partner → Cisco platform: context)
3. Help customer IT environments reach into the Cisco network: eco-partner → Cisco platform → Cisco network (action: mitigate)
• Puts "who, what device, what access" with events. Way better than just IP addresses!
• Creates a single place for comprehensive network access policy thru integration
• Decreases time, effort and cost of responding to security and network events
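The "who, what device, what access" point and the authorize/publish/subscribe/query operations from the pxGrid slides, as an added example that is not Cisco code and does not use the pxGrid SDK, schema or topic names: a minimal in-memory controller authorizes clients per topic and role, an ISE-like publisher pushes session records, and a SIEM-like subscriber enriches IP-only alerts by querying for the session that held the address at the alert's time. The session shape, the client names and the alerts are constructed for the example. Matching on the time window rather than just the IP is the part worth copying: addresses get reused, so an alert at 13:00 must not be attributed to the user who held the address at 11:00.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Session:
    """One session record on a 'session' topic (constructed shape, not the pxGrid schema)."""
    ip: str
    user: str
    device: str
    posture: str
    start: datetime
    end: Optional[datetime] = None   # None = still active

class ContextBroker:
    """Minimal pxGrid-like controller: clients are authorized per topic and role
    before they may publish to, subscribe to, or query a topic."""
    def __init__(self):
        self._topics: Dict[str, List[object]] = defaultdict(list)
        self._acl: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)   # client -> {(topic, role)}
        self._subscribers: Dict[str, List[Callable]] = defaultdict(list)

    def authorize(self, client: str, topic: str, *roles: str) -> None:
        for role in roles:
            self._acl[client].add((topic, role))

    def _check(self, client: str, topic: str, role: str) -> None:
        if (topic, role) not in self._acl[client]:
            raise PermissionError("%s is not authorized to %s on %s" % (client, role, topic))

    def publish(self, client: str, topic: str, record) -> None:
        self._check(client, topic, "publish")
        self._topics[topic].append(record)
        for cb in self._subscribers[topic]:
            cb(record)                       # continuous flow to subscribers

    def subscribe(self, client: str, topic: str, callback: Callable) -> None:
        self._check(client, topic, "subscribe")
        self._subscribers[topic].append(callback)

    def query(self, client: str, topic: str, predicate: Callable) -> List[object]:
        """Directed query: records on a topic that satisfy predicate."""
        self._check(client, topic, "query")
        return [r for r in self._topics[topic] if predicate(r)]

def session_for(broker: ContextBroker, client: str, ip: str, at: datetime) -> Optional[Session]:
    """The session that owned ip at time 'at'; IPs are reused, so match the time window."""
    hits = broker.query(client, "session",
                        lambda s: s.ip == ip and s.start <= at and (s.end is None or at < s.end))
    return hits[-1] if hits else None

def enrich(broker: ContextBroker, client: str, event: dict) -> dict:
    """Attach who / what device / what posture to an IP-only security event."""
    s = session_for(broker, client, event["ip"], event["time"])
    out = dict(event)
    out.update({"user": s.user, "device": s.device, "posture": s.posture} if s
               else {"user": "unknown", "device": "unknown", "posture": "unknown"})
    return out

def demo():
    broker = ContextBroker()
    broker.authorize("ise", "session", "publish")
    broker.authorize("siem", "session", "subscribe", "query")
    received: List[Session] = []
    broker.subscribe("siem", "session", received.append)
    # constructed sessions: the same IP held by two users on the same day
    broker.publish("ise", "session", Session("10.1.1.50", "alice", "MacBook", "compliant",
                                             datetime(2015, 6, 9, 8, 0), datetime(2015, 6, 9, 12, 0)))
    broker.publish("ise", "session", Session("10.1.1.50", "bob", "Android", "non-compliant",
                                             datetime(2015, 6, 9, 12, 30)))
    events = [   # constructed IDS-style alerts keyed only by IP
        {"ip": "10.1.1.50", "time": datetime(2015, 6, 9, 11, 0), "sig": "constructed-alert-1"},
        {"ip": "10.1.1.50", "time": datetime(2015, 6, 9, 13, 0), "sig": "constructed-alert-2"},
        {"ip": "10.1.1.50", "time": datetime(2015, 6, 9, 12, 10), "sig": "constructed-alert-3"},
    ]
    enriched = [enrich(broker, "siem", e) for e in events]
    try:     # a partner without publish rights cannot inject session context
        broker.publish("siem", "session", Session("10.9.9.9", "mallory", "x", "x", datetime(2015, 6, 9)))
        denied = False
    except PermissionError:
        denied = True
    return enriched, denied, len(received)

if __name__ == "__main__":
    enriched, denied, n = demo()
    for e in enriched:
        print(e["sig"], e["ip"], e["user"], e["device"], e["posture"])
    print("records received by subscriber:", n, "; unauthorized publish rejected:", denied)
```

The authorization check is not decoration: a context-sharing bus is only as trustworthy as its publishers, so a client that can write to the session topic can make an alert look like it came from any user. In a real deployment that role separation is enforced by the controller's certificate-based authentication and per-topic authorization rather than by the in-memory table used here.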
pxGrid – Industry Adoption: Critical Mass as of June 2015
18 partner platforms and 9 technology areas since release 7 months ago. "Security thru integration."
Technology areas around pxGrid (Cisco ISE and Cisco WSA as the Cisco platforms):
• Vulnerability Assessment
• Packet Capture & Forensics
• SIEM & Threat Defense
• IAM & SSO
• Net/App Performance
• IoT Security
• Cloud Access Security
• ?
Integration Points Across the Security Portfolio: ThreatGrid, Cisco AnyConnect
• ThreatGrid API: hand off suspicious files for analysis
• AnyConnect SDK: VPN client provisioning and configuration for mobile and traditional compute
ThreatGrid and AnyConnect ecosystems are specific-purpose and by application only.
If you have an integration idea, reach out to: [email protected]
Advanced Malware Protection - ThreatGrid: ThreatGrid APIs
Cisco® AMP Threat Grid's REST API automates sample analysis, enrichment and reporting
− Automate submission from numerous technologies (host or network)
− Pull results into numerous technologies
Diagram: Threat Grid (malware analysis & threat intelligence) sits in the middle, exchanging threat content enrichment and threat intelligence feeds with your existing security: firewall, network taps, SIEM / log management, security partners, endpoint security, gateway / proxy, IPS/IDS. Get the most from existing security investments.
Security Services Architecture (SSA) and Security Services Platform (SSP)
• SSA: common architecture across virtual, physical and cloud
• SSP: the platforms that run SSA and its applications
Security Services Platform (SSP)
Existing solution (separate boxes): sandbox appliance x1, load balancer x1, IDS/IPS x4, NAT x2, NG-firewall x2, web proxy x4
New solution: one Security Services Platform
Security Services Architecture (SSA)
Service chain on the SSA OS: FW, IPS, WEB, WAF, DDOS, SSL
Check Out Related DevNet Security Sessions
• Cisco pxGrid Developers Learning Lab – in the DevNet Zone
• DEVNET-1123 - CSTA - Cisco Security Technical Alliances Overview: Tuesday, Jun 9, 2:00 PM - 2:30 PM
• DEVNET-1124 - Cisco pxGrid: A New Architecture for Security Platform Integration: Tuesday, Jun 9, 3:00 PM - 3:30 PM
• DEVNET-1010 - Using Cisco pxGrid for Security Platform Integration: Thursday, Jun 11, 9:00 AM - 10:00 AM
For More Information…
• DevNet Microsites: https://developer.cisco.com/security
• pxGrid SDK, Tutorials & Test Tools: http://cisco.com/go/pxgrid
• Forums: https://supportforums.cisco.com/community/4561/security
• CSTA Partner Listing for Customers: http://www.cisco.com/c/en/us/products/security/partner-ecosystem.html
Thank you
CSTA Partners at Cisco Live US 2015
Stand 2223: FireSIGHT Remediation API sends F5 host target information for real-time blocking
Stand 2501:‘Packet Broker’ helps with many traffic visibility, maintenance and high availability architectures
Stand 3128: Integrates with ISE. Provides important mobile device posture information
Stand 1035: Integrates with ASA. Collects policy information for security risk modeling, change control, audit and compliance
Stand 1624, Partner Village: pxGrid, endpoint posture information and transaction data from ISE
Stand 1624, Partner Village: SIEM and analytics platform. Collects data from FireSIGHT via eStreamer, and from ISE, WSA and ASA through syslog
CSTA Partners at Cisco Live US 2015
Stand 1301: ‘Packet Broker’ helps with many traffic visibility, maintenance and high availability architectures
Stand 1524 : Integrates with ASA. Collects policy information for security risk modeling, change control, audit and compliance
Stand 2319: SIEM and analytics platform. Collects data from FireSIGHT via eStreamer, and from ISE, WSA, CSA, ASA and ThreatGrid through syslog
Stand 2211: Full packet capture and session analysis. Integrates with FireSIGHT via community patch extending IPS event analysis
Stand 3405: FireSIGHT’s Host Input API collects vulnerability report to augment threat data
CSTA Partners at Cisco Live US 2015
Stand 2517: 'Packet Broker' helps with many traffic visibility, maintenance and high availability architectures
Stand 3300: ‘Packet Broker’ helps with many traffic visibility, maintenance and high availability architectures
Stand 1324: Integrates with ASA. Collects policy information for security risk modeling, change control, audit and compliance
Stand 2023: Infrastructure, Load balancing and FireSIGHT Remediation API
Alliance Components and Expertise

Integration Area    Expert               Time Zone    Email
All                                                   ask-csta-pm
ISE/pxGrid          Scott Pope           San Jose     scottp
ISE/pxGrid          Brian Gonsalves      San Jose     bgonsalv
SSA                 Chris Morosco        San Jose     group.cmorosco
ThreatGRID          Dan Franklin         New York     dafrankl
Cloud               Jasper Chan          San Jose     jaspchan
FireSIGHT MC        Douglas Hurd         New York     dohurd
Competitive Eco     Shyue Hong Chuang    Singapore    schuang