Using Your Network as a Sensor for Enhanced Visibility and Security
TRANSCRIPT
Securing the Enterprise Network: The Network as Security
Brian Korn, Sr. Marketing Manager, Cisco
Chris Smithee, Director of Strategic Alliances, Lancope
Sep 2014 v 3.9.8
Complementing Advanced Malware Protection and Traditional Security
Cisco Confidential 2© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Agenda
• Security Market Trends: You Are Already Infected, Erosion of Trust; Attack Surface and Sophistication Increasing; Discovery of Breaches and Mitigation May Take Months
• The Threat Centric Security Model – Before, During, After an Attack
• The Role of the Network for Security: Network Complements Advanced Malware Protection and Perimeter Security; Network as a Sensor - You Can’t Protect What You Can’t See; Network as an Enforcer; Network as a Mitigation Accelerator
Global Enterprise Networks Are Under Attack
Did You Know That You Are Already Infected?
Malicious Traffic Is Visible on 100% of Corporate Networks*
Cisco 2014 Annual Security Report
*Companies connect to domains that host malicious files or services
“Treat Every User as Hostile.” (Stolen Identity, Malicious Intent)
CIO of a Global Investment Banking, Securities, Investment Management Firm
An Erosion of Trust: Nothing Should Be Trusted – Apps, Certificates, Cloud, Devices, Users…
“Treat Enterprise as Untrusted.”
Senior Executive of a Global Internet Search Firm
“Network Security is Critical”: The Network Has the Visibility of Devices, Users, Location, and Applications
Enterprise Attack Surface is Increasing
Sophisticated Threats Difficult to Detect
Slow and Complex Mitigation
* Ponemon Institute Study
Enterprise Attack Surface Is Increasing: Driven by Increase in Mobility, Cloud Services, and IoT
Mobility: 3.3 Mobile Devices Per Knowledge Worker*; 55% IP Traffic Mobile by 2017**; 77B App Downloads in 2014***
(* Cisco IBSG, ** Cisco 2013 VNI, *** IDC)
IoT: 50B IoT Connected “Smart Objects” by 2020*; 36X Growth in M2M IP Traffic 2013–18**
(* Cisco IBSG, ** Cisco VNI: Global Mobile Data Traffic Forecast 2013-2018)
Cloud: 545 Cloud Apps Per Organization*; 3X Cloud Traffic Growth by 2017**; 44% Annual Cloud Workload Growth***
(* Skyhigh Networks Industry Report, ** Cisco Global Cloud Index, *** Cisco VNI Global Mobile Data Traffic Forecast)
The Industrialization of Hacking: Cyber Crime as a Business. Threats Grow More Sophisticated Every Day
Criminals Know More About Your Network Than You Do: Initial Malware May Remain Dormant for Months to Learn Vulnerabilities and Network; Custom Malware Developed to Attack After Learning Your Vulnerabilities
Timeline, 1990–2020 (from Phishing, Low Sophistication to Hacking Becomes an Industry):
Viruses (1990–2000)
Worms (2000–2005)
Spyware and Rootkits (2005–Today)
APTs, Cyberware (Today+): Sophisticated Attacks, Attack as a Service
Discovery of Breaches Takes a Long Time: Attackers Are Fast, Defenders Are Slow
Threat Mitigation and Remediation Takes Even Longer
Malicious Breaches Take 80 Days to Discover and 123 Days to Resolve on Average (Ponemon Institute Study)
100% of companies connect to domains that host malicious files or services
60% of data is stolen in hours
54% of breaches remain undiscovered for months
Art of Network Security: Strategic Advice
Unite the Forces: Advanced Malware Protection, Threat Centric Security, Network as a Sensor, Enforcer, and Mitigation Accelerator
ATTACK CONTINUUM: The Threat Centric Security Model
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Visibility & Defense Across the Entire Attack Continuum
Network as a Sensor; Network as an Enforcer; Network as a Mitigation Accelerator (ACI)
Network as a Sensor
User, Device, Traffic, Apps, Malware
You Can’t Protect What You Can’t See: The Network Gives Deep and Broad Visibility
What Can the Network Do for You? Network as Sensor
Detect Anomalous Traffic Flows, Malware, e.g. Communication with Malicious Hosts, Internal Malware Propagation, Data Exfiltration
Detect App Usage, User Access Policy Violations, e.g. Maintenance Contractor Accessing Financial Data
Detect Rogue Devices, APs and More, e.g. Maintenance Contractor Connecting an Unauthorized AP in Bank Branch to Breach
Detect the Undetected… Proactively!
Network as a Sensor: Network Visibility, Control, Context, and Analytics
ACI Vision: Policy Based, Automated Security at Scale
Detection capabilities by area (Device, Traffic, Apps, User, Malware):
Device:
Rogue AP Detection (Wireless Security Module)
Non-Compliant Device Detection (Device Sensor, ISE)
Internal & External Device Reputation Change Detection (NetFlow, Lancope)
Traffic:
Traffic Pattern Anomaly Detection (NetFlow, Lancope, NBAR2)
Network DDoS Attack Detection (Control Plane Policing, CleanAir)
APT Source & Path Detection (NetFlow, ISE, Lancope)
Malware Command & Control Traffic Detection (NetFlow, Lancope)
Apps:
Application Behavior Anomaly Detection (NBAR2)
User:
User Access Violation Detection (Identity Services Engine, TrustSec)
Malware:
Email and Web Malware Detection (ISR, Cisco Cloud Web Security)
Intrusion, Botnet, Advanced Persistent Threats, SQL Injection, Malware Detection (IPS Module, Wireless IPS (wIPS), Sourcefire NGIPS)
Internal Malware Propagation Detection (NetFlow, Lancope)
Malware Data Exfiltration Detection (NetFlow, Lancope)
Early Warning Intelligence (Cisco Security Intelligence Operations)
NetFlow – The Heart of Network as a Sensor: Path to Self Learning Networks
Network Flows Are Attack Signatures
A Powerful Information Source for Every Network Conversation:
Each and Every Network Conversation over an Extended Period of Time
Source and Destination IP Address, IP Ports, Time, Data Transferred, and More
Stored for Future Analysis
A Critical Tool to Identify a Security Breach:
Identify Anomalous Activity
Reconstruct the Sequence of Events
Forensic Evidence and Regulatory Compliance
NetFlow for Full Details, NetFlow-Lite for 1/n Samples
NetFlow – The Heart of Network as a Sensor. Example: NetFlow Alerts with Lancope StealthWatch
Denial of Service: SYN Half Open; ICMP/UDP/Port Flood
Worm Propagation: Worm-Infected Host Scans and Connects to the Same Port Across Multiple Subnets; Other Hosts Imitate the Same Behavior
Fragmentation Attack: Host Sending Abnormal Number of Malformed Fragments
Botnet Detection: Inside Host Talks to Outside C&C Server for an Extended Period of Time
Host Reputation Change: Inside Host Potentially Compromised, or Received Abnormal Scans or Other Malicious Attacks
Network Scanning: TCP, UDP, Port Scanning Across Multiple Hosts
Data Exfiltration: Large Outbound File Transfer vs. Baseline
NetFlow – The Heart of Network as a Sensor. NetFlow in Action: As an Attack Progresses
Breach Stages and Detection:
1. Vulnerability Exploration: Attacker Scans IP Addresses and Ports to Explore Vulnerabilities (OS, User, App.)
   Detection: NetFlow Can Detect Scans Across IP Address Ranges; NetFlow Can Detect Scans Down IP Ports on Every IP Address
2. Install Malware on 1st Host: Attacker Installs Software to Gain Access
   Detection: NetFlow Can Detect Inbound Admin Traffic from an Unexpected Location
3. Connection to “Command and Control”: Malware Creates Outbound Connection with C&C System for Further Instructions
   Detection: NetFlow Can Detect Outbound Connections to Known C&C IP Addresses
4. Spreading Malware to Other Hosts: Attack Other Systems on the Intranet Through Vulnerability Exploitation
   Detection: NetFlow Can Detect Scans Across IP Address Ranges by Internal Hosts; NetFlow Can Detect Scans Down IP Ports on Every IP Address by Internal Hosts
5. Data Exfiltration: Export Data to a 3rd Party Server
   Detection: NetFlow Can Detect Extended Flows (HTTP, FTP, GETMAIL, MAPIGET and More) and Data Transfer to New External Hosts
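The stage list above says what NetFlow can surface at each step, and the StealthWatch slide before it names the alert types (scanning, botnet/C&C contact, exfiltration versus baseline). The following added example, which is not from the slides, Cisco or Lancope, shows that detection logic run over a handful of constructed flow records covering all five stages. The 10.0.0.0/8 address space, the approved admin subnet, the thresholds and the C&C address are assumptions chosen for the demonstration; none of the checks needs anything beyond the fields a flow record already carries (addresses, ports, time, bytes).

```python
"""Flow-record detections for the five breach stages above. Added example, not from the slides,
Cisco or Lancope: a simplified NetFlow-like record built inline; address ranges, thresholds and
the threat-intel entry are assumptions chosen for the demonstration."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
INTERNAL = ip_network("10.0.0.0/8")          # assumed enterprise address space
ADMIN_NETS = [ip_network("10.0.9.0/24")]     # assumed approved admin jump-host subnet
ADMIN_PORTS = {22, 3389}                     # SSH and RDP
KNOWN_C2 = {"203.0.113.77"}                  # constructed C&C entry (TEST-NET-3 address)
SCAN_HOSTS = 10         # distinct destinations on one port => scan across an IP range
SCAN_PORTS = 10         # distinct ports on one destination => scan down the ports
BEACON_MIN_FLOWS = 6    # repeated contacts with one external host ...
BEACON_MIN_SPAN = 3600  # ... spread over at least this many seconds
EXFIL_FACTOR = 10       # outbound volume relative to the host's baseline

@dataclass(frozen=True)
class Flow:
    ts: int          # start time, seconds since epoch
    src: str
    dst: str
    dport: int
    out_bytes: int   # bytes sent by src

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def detect_scans(flows):
    """Stages 1 and 4: one source touching many hosts on a port, or many ports on one host."""
    dsts_by_src_port, ports_by_src_dst = defaultdict(set), defaultdict(set)
    for f in flows:
        dsts_by_src_port[(f.src, f.dport)].add(f.dst)
        ports_by_src_dst[(f.src, f.dst)].add(f.dport)
    alerts = []
    for (src, port), dsts in dsts_by_src_port.items():
        if len(dsts) >= SCAN_HOSTS:
            origin = "internal" if is_internal(src) else "external"
            alerts.append(f"horizontal scan: {origin} host {src} reached {len(dsts)} hosts on port {port}")
    for (src, dst), ports in ports_by_src_dst.items():
        if len(ports) >= SCAN_PORTS:
            alerts.append(f"vertical scan: {src} reached {len(ports)} ports on {dst}")
    return alerts

def detect_unexpected_admin(flows):
    """Stage 2: inbound SSH/RDP to an internal host from outside the approved admin subnets."""
    return [f"admin access: {f.src} -> {f.dst}:{f.dport} from unexpected location"
            for f in flows if f.dport in ADMIN_PORTS and is_internal(f.dst)
            and not any(ip_address(f.src) in net for net in ADMIN_NETS)]

def detect_c2(flows):
    """Stage 3: contact with a known C&C address, or long-lived repeated contact with one external host."""
    times = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            times[(f.src, f.dst)].append(f.ts)
    alerts = []
    for (src, dst), ts in times.items():
        if dst in KNOWN_C2:
            alerts.append(f"known C&C: {src} -> {dst} ({len(ts)} flows)")
        if len(ts) >= BEACON_MIN_FLOWS and max(ts) - min(ts) >= BEACON_MIN_SPAN:
            alerts.append(f"beaconing: {src} -> {dst} {len(ts)} times over {max(ts) - min(ts)}s")
    return alerts

def detect_exfil(flows, baseline, seen_external):
    """Stage 5: outbound volume far above the host's baseline, or a transfer to a never-seen external host."""
    volume = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            volume[(f.src, f.dst)] += f.out_bytes
    alerts = []
    for (src, dst), total in volume.items():
        if total > EXFIL_FACTOR * baseline.get(src, 0):
            alerts.append(f"exfil volume: {src} sent {total} bytes to {dst}")
        if dst not in seen_external:
            alerts.append(f"new external host: {src} -> {dst}")
    return alerts

def sample_flows():
    """Constructed records replaying the five stages against a fictional 10.0.0.0/8 network."""
    t0 = 1_700_000_000
    flows = [Flow(t0 + i, "198.51.100.5", f"10.0.1.{i}", 445, 60) for i in range(12)]   # 1: sweep of port 445
    flows.append(Flow(t0 + 100, "198.51.100.5", "10.0.1.3", 3389, 4000))                # 2: RDP in from outside
    flows += [Flow(t0 + 200 + 900 * i, "10.0.1.3", "203.0.113.77", 443, 500) for i in range(9)]  # 3: beacon every 15 min
    flows += [Flow(t0 + 9000 + p, "10.0.1.3", "10.0.1.4", p, 60) for p in range(1, 12)]  # 4: lateral port walk
    flows.append(Flow(t0 + 9500, "10.0.1.3", "192.0.2.10", 443, 50_000_000))           # 5: 50 MB to a new host
    return flows

def run():
    """Run every detector over the constructed flows; returns alerts keyed by stage."""
    flows = sample_flows()
    baseline = {"10.0.1.3": 200_000}   # constructed: this host's normal daily outbound bytes
    seen_external = {"192.0.2.99"}     # constructed: external hosts seen on previous days
    return {"scans": detect_scans(flows), "admin": detect_unexpected_admin(flows),
            "c2": detect_c2(flows), "exfil": detect_exfil(flows, baseline, seen_external)}

if __name__ == "__main__":
    for stage, alerts in run().items():
        print(stage, *alerts, sep="\n  ")
```

Each stage produces at least one alert on the constructed data. The thresholds are the tuning surface in practice: too low and normal broadcast-heavy or backup traffic trips the scan and volume checks, too high and a slow scan or a low-and-slow beacon slips under them, which is why the "know your normal" baseline per host matters more than any single fixed number.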
Art of Network Security: Strategic Advice
Know Your Normal: Network as a Sensor for Traffic, Flows, Apps, Devices, Users
Network as an Enforcer
What Can the Network Do for You? Network as Enforcer
Segment the Network to Contain the Attack: TrustSec - Secure Group Tagging, VRF, ISE and More
Encrypt the Traffic to Protect the Data in Motion: MACsec for Wired, DTLS for Wireless, IPSec/SSL for WAN and More
Secure the Branch for Direct Internet Access: IWAN, Cloud Web Security and More
Art of Network Security: Strategic Advice
Divide and Defend: Segment the Network to Contain the Attack with TrustSec, ISE, VLAN/VRF/EVN, ACLs
Network as an Enforcer: Segment the Network and Enforce Policy to Contain the Attack
Segment Network to Contain the Attack; Access Control for Granular and Consistent Policy:
User Access Control Based on Device, Location, Network Type, Time, and More (ISE)
Physical and Virtual Port-Level Permit and Denial (Access Control Lists)
Consistent Policy Across Wired/Wireless/Remote Access (ISE, Unified Access Switches)
Role-Based, Topology and Access-Independent Access Control (TrustSec/SGT, ISE)
Network Segmentation (VLAN, TrustSec/SGT, VRF/EVN)
Cisco TrustSec: Policy-Defined Role-Based Segmentation
Flexible and Scalable Policy Enforcement across Switch, Router, DC FW, DC Switch
Simplified Access Management
Accelerated Security Operations
Consistent Policy Anywhere
Desired Policy: Who can talk to whom; Who can access protected assets; How systems can talk to other systems
Block Stolen Credentials from Accessing Credit Card Data: TrustSec Role-Based Segmentation to Contain the Attack
Detect: 802.1X, MAB, WebAuth on Cisco switches, routers, wireless access points
Cisco Identity Services Engine (ISE) assigns Security Group Tags
Enforce: Credit Card Data
Criminal with stolen maintenance contractor identity tries to access credit card data.
Traffic is tagged with maintenance contractor user group identity.
TrustSec policy blocks access to credit card data due to maintenance group tag mismatch with financial group tag.
ISE enforces policy across Wired, Wireless, and VPN.
ISE: Network-Wide Policy Enforcement. Unified Policies Across the Distributed Enterprise
Identity (802.1X)-Enabled Network
IDENTITY and CONTEXT: WHO, WHAT, WHERE, WHEN, HOW
Guest Access, Profiling, Posture
Examples:
Security Camera G/W: Agentless Asset, Chicago Branch
Vicky Sanchez: Employee, Marketing, Wireline, 3 p.m.
Francois Didier: Consultant, HQ - Strategy, Remote Access, 6 p.m.
Frank Lee: Guest, Wireless, 9 a.m.
Personal iPad: Employee Owned, Wireless, HQ
Art of Network Security: Strategic Advice
Encrypt Your Data in Motion: Protect Your Data with MACsec, IPSec, DTLS, CISF
Encrypt and Prevent Snooping to Protect Your Data: Enforce Network Security to Prevent Prying Eyes
Network as an Enforcer. ACI Vision: Policy Based, Automated Security at Scale
Encrypt Data, Prevent Spoofing
Snooping Prevention: Catalyst Integrated Security Feature Set (Port Security, DHCP Snooping, IP Source Guard, Dynamic ARP Inspection), IPv6 First Hop Security
Wireless Spectrum Attack Prevention: CleanAir
Enforce Multi-Layered Encryption:
LAN Link (Wired) Encryption: MACsec
LAN Link (Wireless) Encryption: DTLS
WAN Link Encryption: IPSec, SSL
Mobile Device Encryption: ISE with MDM
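The slide names the Catalyst Integrated Security Feature Set without saying how its parts fit together: DHCP Snooping builds a binding table of which IP and MAC address belong to which port, and Dynamic ARP Inspection and IP Source Guard then drop ARP replies and IP packets on untrusted ports that do not match it. The following added example, not Cisco code, models that binding-table logic in software with constructed frames so the interplay is visible; the port names, VLAN and addresses are assumptions, and the IP+MAC form of the source-guard check is one of the modes the feature supports.

```python
"""Binding-table logic behind DHCP Snooping, Dynamic ARP Inspection and IP Source Guard.
Added example, not Cisco code: it models in software what those Catalyst features do in the
access switch, using constructed frames. Port names, VLAN and addresses are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str

class FirstHopGuard:
    """One access switch: trusted ports face the DHCP server/uplink, all others are untrusted."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # (vlan, client mac) -> client port, learned from DISCOVER/REQUEST
        self.bindings = {}   # (vlan, ip) -> Binding, learned from the server's ACK
        self.dropped = []    # (feature, port, reason) for every frame dropped

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None):
        """DHCP Snooping: server messages only from trusted ports; a completed lease creates a binding."""
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[(vlan, client_mac)] = port          # remember which port the client sits on
            return True
        if msg in ("OFFER", "ACK") and port not in self.trusted:
            self.dropped.append(("dhcp-snooping", port, f"{msg} from untrusted port"))
            return False
        if msg == "ACK":
            client_port = self.pending.get((vlan, client_mac))
            if client_port:
                self.bindings[(vlan, yiaddr)] = Binding(client_mac, yiaddr, vlan, client_port)
        return True

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: on untrusted ports the sender MAC/IP must match a binding on that port."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, sender_ip))
        if b is None or b.mac != sender_mac or b.port != port:
            self.dropped.append(("dai", port, f"ARP {sender_ip} is-at {sender_mac} has no matching binding"))
            return False
        return True

    def ip(self, port, vlan, src_mac, src_ip):
        """IP Source Guard (IP+MAC mode): an untrusted port may source only the address bound to it."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, src_ip))
        if b is None or b.port != port or b.mac != src_mac:
            self.dropped.append(("ip-source-guard", port, f"IP {src_ip} from {src_mac} not bound to port"))
            return False
        return True

def scenario():
    """Constructed traffic: one legitimate client, one untrusted host sending frames the features should drop."""
    sw = FirstHopGuard(trusted_ports={"Gi1/0/48"})       # assumed uplink towards the DHCP server
    client, other, gw = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "00:00:5e:00:01:01"
    results = {}
    # Legitimate lease: client on Gi1/0/1, server replies arrive on the trusted uplink
    sw.dhcp("Gi1/0/1", 10, "DISCOVER", client)
    sw.dhcp("Gi1/0/48", 10, "OFFER", client, "10.0.5.20")
    sw.dhcp("Gi1/0/1", 10, "REQUEST", client)
    sw.dhcp("Gi1/0/48", 10, "ACK", client, "10.0.5.20")
    results["client_arp"] = sw.arp("Gi1/0/1", 10, client, "10.0.5.20")     # True: matches binding
    results["client_ip"] = sw.ip("Gi1/0/1", 10, client, "10.0.5.20")       # True: matches binding
    results["gateway_arp"] = sw.arp("Gi1/0/48", 10, gw, "10.0.5.1")        # True: trusted port
    # Untrusted host on Gi1/0/2: a DHCP server reply, a gateway ARP claim, a borrowed source address
    results["other_offer"] = sw.dhcp("Gi1/0/2", 10, "OFFER", client, "10.0.5.200")  # False
    results["other_arp"] = sw.arp("Gi1/0/2", 10, other, "10.0.5.1")                 # False
    results["other_ip"] = sw.ip("Gi1/0/2", 10, other, "10.0.5.20")                  # False
    return sw, results

if __name__ == "__main__":
    sw, results = scenario()
    print(results)
    for feature, port, why in sw.dropped:
        print(f"dropped by {feature} on {port}: {why}")
```

The order of operations is the point: without the snooping step there is no binding table, and both DAI and IP Source Guard would have nothing to check against, which is why the three features are enabled together on the access layer and why the uplink to the real DHCP server must be the only trusted port.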
Secure Your WAN Infrastructure: Intelligent WAN for the Branch
Network as an Enforcer. ACI Vision: Policy Based, Automated Security at Scale
Scalable WAN and Internet Access
Highly Secure Connectivity:
Integrated Cloud Web Security, Real-time Web Filtering with Application Visibility & Control
Scalable Security via Dynamic Multipoint VPN (DMVPN)
Scalable Hardware-Based Cryptography
Common Integrated Firewall/IPS
Robust Authentication
Improved Application Performance at Lower Costs
Consistent Across Any Transport:
Automatic Site-to-Site IPsec Tunnels
Zero-touch Hub Configuration
Secure Local Internet Breakout with Encapsulated Traffic
Art of Network Security: Strategic Advice
Enable Built-In Network Defenses: You Have Already Invested in Your Network. Activate TrustSec, NetFlow, Encryption, and More.
Network as a Mitigation Accelerator
What Can the Network Do for You? Network as a Mitigation Accelerator
Decrease Time to Remediation, e.g. Sourcefire Integration for Network-Wide Rapid Threat Detection and Mitigation
Automate Configuration and Provisioning, e.g. ACL, QoS, and Secure Branch Automation
Enable Open, Programmable Network Abstraction, e.g. RESTful API Integration, CLI Hardware Compatibility
Art of Network Security: Strategic Advice
Automate to Accelerate: Decrease Time to Remediation with Policy-Based Automation through APIC Enterprise Module
Attackers Are Fast, Defenders Are Slow: Today’s Security Model - Complex, Not Fast Enough
Discovery of Breaches Takes a Long Time
Threat Mitigation Takes a Long Time Too
Cisco Vision: Network as Security Sensor and Enforcer, Accelerated by ACI
Accelerated by ACI: Automate Security Configuration, Change Management & Threat Mitigation; APIC-EM Simplifies Deployment and Configuration
Network as a Security Sensor: Detect More Threats and Provide Greater Visibility at Scale; APIC-EM Scales NetFlow & Lancope
Network as a Security Enforcer: Support Consistent Policy Across the Network, Users, and Devices; APIC-EM Automates Policy (ISE) and Segmentation (TrustSec) Deployment
Cisco Vision: Network as Security Sensor and Enforcer, Accelerated by ACI
Policy-Based Security at Scale, Open & Automated, Enabled by APIC-EM
Sensor and Enforcer (current direction of roadmap)
Top 5 Steps for Network as Security
• Enable NetFlow: Know Your Normal; Detect the Undetected… Proactively
• Deploy TrustSec/Segmentation: Contain the Attack; Role-Based, Topology and Access Independent
• Encrypt Links and Enable CISF: Protect Your Data
• Deploy APIC-EM: Accelerate the Security Configs and Mitigation
• Deploy Intelligent WAN: Secure Branch Offices with Direct Internet Access
Visibility-Driven, Threat-Focused, Platform-Based
Art of Network Security: Strategic Advice
Unite the Forces: Advanced Malware Protection, Threat Centric Security, Network as a Sensor, Enforcer, and Mitigation Accelerator
Thank you.