Threat Centric Secure Access: Putting the BDA Methodology to Work. Timothy Snow, CCIE, Consulting Systems Engineer, Security

Post on 23-Jun-2020


Page 1: Threat Centric Secure Access - Cisco

Timothy Snow, CCIE

Consulting Systems Engineer, Security

Putting the BDA Methodology to work

Threat Centric Secure Access

Page 2

© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Global Networks are Under Attack

Did You Know That You Are Likely Already Infected?

Malicious Traffic is Visible on 100% of Corporate Networks*

Cisco 2014 Annual Security Report

*Companies connect to domains that host malicious files or services

Page 3

“Treat Every User as Hostile.” Stolen Identity, Malicious Intent

CIO of a Global Investment Banking, Securities, Investment Management Firm

An Erosion of Trust: Nothing Should be Trusted – Apps, Certificates, Cloud, Devices, Users…

“Treat Enterprise as Untrusted.” Senior Executive of a Global Internet Search Firm

Page 4

Page 5

Network

• Sees All Traffic

• Routes All Requests

• Sources All Data

• Controls All Flows

• Handles All Devices

• Touches All Users

• Shapes All Streams

Page 6

Secure Access Framework: Aligning with the Cybersecurity Framework Core

Before: Discover, Enforce, Harden

During: Detect, Block, Defend

After: Scope, Contain, Remediate

Identify / Protect (Before)

• Device Inventory

• Guest Authentication

• Certificate Enrollment

• Authentication and Authorization Services

• Access Control

• Segmentation

• Endpoint Compliance

• System Hardening

Detect (During)

• Anomalies and Events

• Security Continuous Monitoring

• Detection Processes

Respond / Recover (After)

• Response Planning

• Analysis

• Mitigation

• IR / Comms

• Recovery Planning

• Improvements

• Communications

Page 7: (repeat of page 6)

Page 8

Cisco Identity Services Engine (ISE): Delivering Visibility, Context, and Control to Secure Network Access

Network / User Context: Who, What, Where, When, How

Reduce network unknowns and apply the right level of secure access consistently across wired, wireless and VPN

Secure Access; BYOD and Enterprise Mobility; Guest Access

Authentication Services; Segmentation Services; Authorization Services; Compliance Services; API and Threat Services

Page 9

Guest Services | Compliance | Segmentation

Guest Services

1. Hotspot

2. Self Service with SMS

3. Sponsor Approval Required

Sample code shown on the slide: asdf1234

Page 10

Guest Services | Compliance | Segmentation

Guest Services

1. Hotspot

2. Self Service with SMS

3. Sponsor Approval Required

Sample guest flow shown on the slide: "Visiting email?" prompt; "Approved!" with issued credentials (username: trex42, password: littlearms)

Page 11: (repeat of the Guest Services list from page 10)

Page 12

Guest Services | Compliance | Segmentation

Verizon DBIR 2014: Recommended Controls

Page 13

Guest Services | Compliance | Segmentation

Device vendors and types shown on the slide: Apple, Lexmark, Telepresence, VMware, Samsung, Blackberry, Xerox, Microsoft, Motorola, WYSE, Cisco

Page 14

Guest Services | Compliance | Segmentation

Device categories: Printers; Mobile Devices; Microsoft Devices; Gaming Systems; IP Phones

Device vendors and types shown: Xerox, Apple, Lexmark, Telepresence, VMware, Samsung, Blackberry, Microsoft, Motorola, WYSE, Cisco

Page 15

Guest Services | Compliance | Segmentation

2015 Verizon Data Breach Report

Page 16

Guest Services | Compliance | Segmentation

Access types: Guest Access; Personal Devices; Remote VPN User; Wireless User; Wired User; IT Managed Devices

OS Compliance

• Service Packs

• Hotfixes with SCCM Integration

• OS/Browser versions

Endpoint Compliance

• File data

• Services

• Applications/processes

• Registry Keys

Antivirus & Antispyware

• Installation and signatures

Resulting access: Allow, Limited Access, Deny

Page 17

Guest Services | Compliance | Segmentation

Access types: Guest Access; Personal Devices; Remote VPN User; Wireless User; Wired User; IT Managed Devices

Resulting access: Allow, Limited Access, Deny

Manage Mobile Apps

Secure Content Distribution

Page 18: (repeat of the framework from page 6, highlighting the During / Detect phase)

Page 19

Identity Services Engine

What are you accessing? Oracle, AD, SAP

What are you? Tablet, Laptop, Desktop

Who are you? Yuki (sales), Himapata (HR), Tuyet (IT)

Where are you connecting? Japan, India, Vietnam

When are you connecting? 19:30, 16:00, 16:00

How are you connecting? VPN, WiFi, Wired

During: Detect, Block, Defend

Page 20

Network as an Enforcer: Security Group Tagging (SGT)

Identity Services Engine

Resources: Oracle, AD, SAP

Security Group Tags shown: 88, 15, 1

Endpoints: Tablet, Laptop, Desktop

During: Detect, Block, Defend

Page 21

Network as an Enforcer: Security Group Access Control (SGACL)

Resources: Oracle, AD, SAP; Security Group Tags 88, 15, 1; endpoints Tablet, Laptop, Desktop (the slide's SGACL matrix marks blocked flows with ❌)

Sales: No access to SAP over VPN after 18:00; No access to Oracle; No access to AD

HR: Full access to Oracle over Wireless; No access to SAP over Wireless; No access to AD

IT: Full access over Wired and Wireless

During: Detect, Block, Defend
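The page-21 SGACL policy evaluated against the page-19 context (security group, resource, connection medium, time of day), as an added Python example that is not from the original deck and is not how Cisco ISE implements SGACLs; the ordered rule list, first-match evaluation and default deny for anything the slide does not mention are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional

ANY = "*"


def minutes(hhmm: str) -> int:
    """'19:30' -> 1170; 24h wall clock like the slide's 19:30 / 16:00."""
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


@dataclass(frozen=True)
class Rule:
    group: str                   # security group: Sales, HR, IT
    resource: str                # destination: Oracle, AD, SAP, or ANY
    media: frozenset             # VPN / Wireless / Wired, or {ANY}
    action: str                  # "permit" or "deny"
    after: Optional[str] = None  # rule applies only at or after this HH:MM

    def matches(self, group: str, resource: str, medium: str, when: str) -> bool:
        if self.group != group or self.resource not in (ANY, resource):
            return False
        if ANY not in self.media and medium not in self.media:
            return False
        if self.after is not None and minutes(when) < minutes(self.after):
            return False
        return True


# Page-21 policy as an ordered rule list (constructed encoding). First match
# wins; a request no rule covers is denied, a default-deny assumption the slide
# does not state. "After 18:00" is read as 18:00 or later.
POLICY = [
    Rule("Sales", "SAP", frozenset({"VPN"}), "deny", after="18:00"),
    Rule("Sales", "SAP", frozenset({ANY}), "permit"),
    Rule("Sales", "Oracle", frozenset({ANY}), "deny"),
    Rule("Sales", "AD", frozenset({ANY}), "deny"),
    Rule("HR", "Oracle", frozenset({"Wireless"}), "permit"),
    Rule("HR", "SAP", frozenset({"Wireless"}), "deny"),
    Rule("HR", "AD", frozenset({ANY}), "deny"),
    Rule("IT", ANY, frozenset({"Wired", "Wireless"}), "permit"),
]


def decide(group: str, resource: str, medium: str, when: str, policy=POLICY):
    """Evaluate one request against the ordered policy; returns (action, reason)."""
    for index, rule in enumerate(policy):
        if rule.matches(group, resource, medium, when):
            return rule.action, f"rule {index}: {rule.group} -> {rule.resource}"
    return "deny", "no matching rule (default deny)"
```

Yuki (sales) over VPN at 19:30 is denied SAP by the time-bound rule but permitted before 18:00 or over wireless; Tuyet (IT) over VPN falls through to the default deny because the slide only grants IT wired and wireless access.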

Page 22

Network as a Sensor: Cisco Cyber Threat Defense (CTD)

Infrastructure: Switching; Data Center; Firewall; Routing

Identity Services Engine adds more context: Who, What, How, Where, When

Page 23

Network as a Sensor: Advanced Threat Detection

Denial of Service: SYN Half Open; ICMP/UDP/Port Flood

Worm Propagation: Worm-infected host scans and connects to the same port across multiple subnets; other hosts imitate the same behavior

Fragmentation Attack: Host sending an abnormal number of malformed fragments

Botnet Detection: Inside host talks to an outside C&C server for an extended period of time

Host Reputation Change: Inside host potentially compromised, or received abnormal scans or other malicious attacks

Network Scanning: TCP, UDP, port scanning across multiple hosts

Data Exfiltration: Large outbound file transfer vs. baseline

During: Detect, Block, Defend

Page 24: (repeat of the Cyber Threat Defense diagram from page 22)

Page 25

Cisco CTD: Dashboard (Alarms; Flow collection trend; Top Applications; Active Alarms)

Page 26

Cisco CTD: Host Detail (Alarms; Users; Activity & Applications; Host groups and classifications; View Flows)

Page 27

Segmentation Monitoring with StealthWatch: Clear visibility into any traffic traversing the environment. Traffic violating segmentation policy generates an alarm.

Page 28

The Role of the Network for Security

Network as a Sensor: Detect Anomalous Traffic Flows; Detect User Access Policy Violations; Detect Rogue Devices, Access Points & More

Network as an Enforcer: Segment the Network to Contain the Attack; Encrypt the Traffic to Defend Against Man-in-the-Middle Attacks; Secure the Branch for Direct Internet Access

Network as a Mitigation Accelerator: Automated, Near Real-Time Threat Mitigation

Page 29: (repeat of the framework from page 6)

Page 30

Context is the Currency of the Solution Integration Realm …but it’s not easy to execute

• I have NBAR info! I need identity…

• I have firewall logs! I need identity…

• I have sec events! I need reputation…

• I have NetFlow! I need entitlement…

• I have MDM info! I need location…

• I have app inventory info! I need posture…

• I have identity & device-type! I need app inventory & vulnerability…

• I have threat data! I need reputation…

• I have location! I need identity…

• I have reputation info! I need threat data…

• I have application info! I need location & auth-group… (SIO)

But Integration Burden is on IT Departments

We Need to Share Context & Take Network Actions

Page 31

pxGrid integration diagram: Cisco ISE and Cisco Sourcefire at the center, exchanging Context and Policy with: Vulnerability Assessment; Packet Capture & Forensics; Policy-based Service Levels (e.g. QoS); Policy-based Security Actions (e.g. investigation); Mobile Device Management; IoT Policy Management; SIEM & Threat Defense; Control; IAM & SSO

Policy Violations and Threats can be based upon a single violation or multiple indicators

Page 32: (repeat of the pxGrid integration diagram from page 31)

Context examples: User and Device; Flow Record; Realized Attacks on the infrastructure; Application Bandwidth Analysis

Page 33: (repeat of the pxGrid integration diagram from page 31)

Access matrix shown on the slide: sources IT Staff, Mobile Devices, Guests, IT Manager; destinations Payroll, Intranet, Internet (individual cells marked X on the slide)

Page 34

Combined API Framework and Integration Points

BEFORE: Policy and Control

DURING: Identification and Block

AFTER: Analysis and Remediation

Ecosystem Partners – Apply Throughout the Threat Continuum: Network Infrastructure & Policy Mgt.; Vulnerability Management; SIEM & Threat Defense; Packet Brokering (Taps); Custom Detection; Remediation and Incident Response; Packet Capture & Forensics; IAM/SSO; Mobility; Performance Management & Visualization

Page 35

In Summary…

Consistent Secure Access: A Solid Foundation Today & Tomorrow; Simplified, Unified Policy Management for Access; Innovation & Market Leadership in NAC, at the core of Cisco Security & Solutions

Unparalleled Visibility & Context: Get a Clearer Picture of Who and What Is On Your Network; Detect Threats from Compromised Devices via Health Checks & SIEM/TD

Advanced Threat Containment

Cisco ISE is the Key Component for Supporting Unified Access and Achieving Overall Security Objectives.

Page 36