Effective Security: Defending against Encrypted threats… (slide deck transcript)
Page 1
Effective Security: Defending against Encrypted threats
William Young – Global Security Solutions Architect
#williamdyoung
Page 2
Encryption is the Bad Guys’ Friend
Expect 70% of attacks to be encrypted by 2019
75% of Web Traffic will be encrypted by 2019 – NSS Labs, Nov 2016
Google Research
SSL/TLS Decrypt:
• Expensive
• Defeats the purpose
• Doesn’t always work
Page 3
Challenges with hardware / software decryption
• Many applications will break (Certificate Pinning, HPKP, etc.)
• New protocols (TLS 1.3, SPDY, HTTP/2, QUIC)
• Vendors pushing TLS (Microsoft, Apple, Google, Facebook, etc.)
• Privacy and compliance
• Decryption is computationally expensive!
Page 4
Certificate Pinning Example – Dropbox Client
Page 5
HTTP/2 challenges on proxy/ngfw/<insert nw-device here>
• HTTP/2 is encrypted with TLS
• Binary format and header compression need to be parsed (no more cleartext)
• Single TCP connection reuse
Page 6
QUIC challenges on proxy/ngfw/<insert nw-device here…>
• QUIC is always encrypted
• QUIC uses multiplexed streams
• …and most likely soon also across multiple paths (IETF)
• Can use IPv4 and IPv6 concurrently to the same client
• If QUIC is not understood, connections look like unrelated UDP connections
• QUIC can be initiated from the client and from the server
• Which direction is now inbound and which is outbound?
Page 7
Network: What can we do in the Firewall?
Page 8
NGFW Policy decisions for traffic decryption
Decryption
SSL-Policy
Access-Policy
IPS, App, etc.
Page 9
Detecting the requested Host
The requested hostname is usually detected by one of several methods:
Transparent Request (Transparent proxy, FW)
1. Check the SNI name in the TLS ClientHello
2. Check the CN field in the Subject of the Server Certificate
Page 10
Partial TLS Handshake (TLS 1.0 – 1.2)
TLS Client → TLS Server: ClientHello, SNI=www.example.com (desired server)
TLS Server → TLS Client: ServerHello, Certificate for www.example.net (actual server), Session key (encrypted with private key)
Server certificate can avoid decrypting if the entire site is blacklisted or whitelisted
Page 11
Partial TLS Handshake (TLS 1.3)
TLS Client → TLS Server: ClientHello, SNI=www.example.com (desired server), Client’s Diffie-Hellman key
TLS Server → TLS Client: ServerHello, Server’s Diffie-Hellman key, { Certificate for www.example.net } { Session key (encrypted with private key) } (actual server; encrypted by DH)
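As an added example (not code from the slides), a minimal passive inspector for the two handshake messages above: it pulls the SNI out of a ClientHello (method 1 on page 9) and uses the ServerHello's supported_versions extension to decide whether the Certificate that follows will be readable (TLS 1.0–1.2) or encrypted under the DH secret (TLS 1.3), i.e. whether method 2 still works. The builders produce constructed messages for the demonstration; the parser assumes one unfragmented record per message.

```python
import struct
from typing import Dict, Optional

# Constructed example, not the slide deck's code: a passive inspector that
# reads only what is visible on the wire before the handshake is encrypted.
HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2
EXT_SERVER_NAME = 0x0000          # RFC 6066 server_name (SNI)
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 supported_versions
TLS13 = 0x0304


def _hello_extensions(record: bytes, expected_type: int) -> Dict[int, bytes]:
    """Walk one unfragmented TLS record carrying a ClientHello or ServerHello
    and return its extensions as {type: data}. Malformed input raises ValueError."""
    try:
        if record[0] != HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", record[3:5])
        body = record[5:5 + rec_len]
        if body[0] != expected_type:
            raise ValueError("unexpected handshake message type")
        hs_len = int.from_bytes(body[1:4], "big")
        msg = body[4:4 + hs_len]
        pos = 2 + 32                       # legacy_version + random
        pos += 1 + msg[pos]                # session_id vector
        if expected_type == CLIENT_HELLO:
            (cs_len,) = struct.unpack("!H", msg[pos:pos + 2])
            pos += 2 + cs_len              # cipher_suites vector
            pos += 1 + msg[pos]            # compression_methods vector
        else:
            pos += 2 + 1                   # single cipher_suite + compression_method
        if pos + 2 > len(msg):
            return {}                      # no extensions block present
        (ext_len,) = struct.unpack("!H", msg[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        exts: Dict[int, bytes] = {}
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
            pos += 4
            exts[etype] = msg[pos:pos + elen]
            pos += elen
        return exts
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated handshake message") from exc


def extract_sni(client_hello: bytes) -> Optional[str]:
    """Hostname the client asked for (the SNI name in the ClientHello)."""
    data = _hello_extensions(client_hello, CLIENT_HELLO).get(EXT_SERVER_NAME)
    if data is None:
        return None                        # client sent no SNI at all
    (list_len,) = struct.unpack("!H", data[:2])
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        (name_len,) = struct.unpack("!H", data[pos + 1:pos + 3])
        pos += 3
        if name_type == 0:                 # host_name
            return data[pos:pos + name_len].decode("ascii")
        pos += name_len
    return None


def certificate_visible(server_hello: bytes) -> bool:
    """True when the Certificate message that follows is sent in the clear
    (TLS 1.0-1.2). A TLS 1.3 ServerHello carries supported_versions=0x0304 and
    everything after it, the certificate included, is encrypted under DH."""
    chosen = _hello_extensions(server_hello, SERVER_HELLO).get(EXT_SUPPORTED_VERSIONS)
    return not (chosen is not None and struct.unpack("!H", chosen[:2])[0] == TLS13)


def build_client_hello(host: str) -> bytes:
    """Constructed ClientHello (fixed random, one cipher suite) carrying SNI=host."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"   # version, random, empty session_id
            + b"\x00\x02\xc0\x2f"                   # one suite: ECDHE-RSA-AES128-GCM-SHA256
            + b"\x01\x00"                           # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


def build_server_hello(tls13: bool) -> bytes:
    """Constructed ServerHello; with tls13=True it adds supported_versions=TLS 1.3."""
    exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, TLS13) if tls13 else b""
    body = (b"\x03\x03" + b"\x22" * 32 + b"\x00"   # version, random, empty session_id
            + b"\xc0\x2f" + b"\x00"                 # chosen suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 3]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print("SNI:", extract_sni(build_client_hello("www.example.com")))
    for v in (False, True):
        sh = build_server_hello(tls13=v)
        print("TLS 1.3" if v else "TLS 1.2", "-> certificate visible:", certificate_visible(sh))
```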
Page 12
SSL Policy Rule Actions
For internal traffic going outside
For external traffic going to an internal server (via passive interface)
Page 13
SSL Inspection on Passive Interface
If the TLS connection uses PFS, traffic inspection is not possible…
Diagram: Client – TAP – Server, with the NGFW (holding a copy of the server key and cert) attached to the TAP; readable traffic shown as ABC, undecryptable traffic as #$*#$*
Page 14
Inspect Outgoing Traffic
Action: Decrypt and resign
Certificate to be used
It replaces the key ONLY in the self-signed certificate, instead of the whole certificate. This causes the client browser to warn that the certificate is self-signed.
Page 15
Rule matching criteria
• Multiple criteria for matching the rule
DN of the destination certificate
Some predefined sites that are undecryptable
Page 16
Settings per SSL Policy Rule
• Certificate Status: revoked, self-signed, not yet valid, expired, invalid issuer, invalid signature, valid.
• Cipher suite
• SSL version
If the certificate matches any of the selected statuses, the rule matches the traffic.
Page 17
Example Rules for certificate checking
Block Certificate Errors
Exclude Self-signed Certificate Errors
Page 18
Example Rules – Checking Self-Signed
BLOCK or whatever Action you want...
Include Self-signed
Ignore all others
Page 19
Further firewall actions with TLS Decryption
• SNI is always enabled
• No automatic download of missing intermediate certificates; manual upload required
• No action on certificate check for undecrypted HTTPS connections in the default settings
• Client is responsible for any error message
• Cannot prompt the client in case of an error
• SSL Policy needs to be attached to an access policy
Page 20
Security Service Gateway
Diagram: Users – Radware ADC – Cisco Firepower – Radware ADC – Data Center
Visibility for inbound and outbound encrypted traffic
Chain multiple inspection services
- Load-balance service elements within a group
- Bypass failed groups
Bypass URLs/sites and IP addresses based on categories/policy
Mix/match inspection elements, i.e., passive/active inspection elements
Inspection elements can be L2/L3
- Bump in the wire, routed, transparent, opaque
Up to 45 Gbps of SSL/TLS throughput, and 100K CPS
- TLS 1.3 support
FIPS 140-2 compliant
Fully patent protected
- More details at: http://www.google.com/patents/US7769994
Page 21
Network: What can be done without Encryption?
Page 22
Firepower Management Center – Threat Intelligence Director
Threat Intelligence Director assimilates third-party security intelligence: ingest security intelligence, correlate observations, generate rich incident reports, refine security posture.
Ingests “flat files” and STIX observations.
Third-Party Sources
• Threat intelligence feeds
• Threat intelligence platforms
Cisco Security Appliances
• Cisco Firepower NGFW
• Cisco FirePOWER NGIPS
Page 23
Leverage Security Intelligence Feeds
• IP address, DNS, and URL feeds
• Multiple categories: Malware, Phishing, Command and Control and more
• Black/white-list a URL with one click
• Fast-flux domain support
• Talos and 3rd-party feeds
Page 24
“Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.”
– Gartner’s Top 10 Security Predictions 2016
Page 25
Current decryption methods are becoming obsolete
Diagram: Encrypted Traffic vs. Non-Encrypted Traffic
How do you analyze threats without decrypting traffic flows?
Can We Actually Solve This?
Page 26
Encrypted Traffic Analytics (ETA): Visibility and malware detection without decryption – Using the Network as a Sensor
Malware in encrypted traffic – Is the payload within the TLS session malicious?
• End-to-end confidentiality
• Channel integrity during inspection
• Adapts with encryption standards
Cryptographic compliance – How much of my digital business uses strong encryption?
• Audit for TLS policy violations
• Passive detection of ciphersuite vulnerabilities
• Continuous monitoring of network opacity
Page 27
Encrypted Traffic Analytics (ETA): Technical solution overview
Components: encrypted traffic exporters (Catalyst 9k, ISR, ASR*) providing enhanced NetFlow from Cisco’s newest switches and routers; Stealthwatch/ETA NetFlow collector(s) with enhanced analytics and machine learning, integrated with ISE and TrustSec; Cisco® Cloud Services for malware detection and cryptographic compliance.
Higher visibility – Innovative detection – Leveraged network
Page 28
Encrypted Traffic Analytics (ETA): The Technology
Global-to-local knowledge correlation results in higher precision of threat findings.
Stealthwatch enhanced analytics and machine learning reduce threat investigation time.
Enhanced NetFlow with encrypted traffic analytics from Cisco’s newest switches and routers (network sensors).
Enhanced NetFlow record: srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets, IDP, SPLT
SPLT – Sequence of Packet Lengths and Times: the SPLT field gives us visibility beyond the first packet of the encrypted flows.
IDP – Initial Data Packet: the first packets of any connection contain valuable data about the content.
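An added illustration (not Cisco's exporter code) of the two ETA data elements named above, computed from a constructed packet list: IDP keeps the payload of the first data-bearing packet, and SPLT records the lengths and inter-arrival times of the first data-bearing packets, with the sign of the length marking direction. The field names, the 10-packet SPLT window and the IDP byte cap are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed example, not Cisco's implementation: derive the IDP and SPLT
# elements of an enhanced-NetFlow record from observed packets of one flow.
SPLT_MAX = 10          # assumed number of data packets summarised in SPLT
IDP_MAX = 1500         # assumed cap on captured IDP bytes


@dataclass
class Packet:
    ts_ms: int              # capture time in milliseconds
    client_to_server: bool
    payload: bytes          # transport payload only; empty for pure ACKs


@dataclass
class EtaRecord:
    splt: List[Tuple[int, int]] = field(default_factory=list)  # (signed length, gap ms)
    idp: bytes = b""


def build_eta_record(packets: List[Packet]) -> EtaRecord:
    """Summarise a flow the way the slide describes: keep the first data
    packet (IDP) and the length/time sequence of the first data packets (SPLT).
    Pure ACKs carry no payload and are skipped so they do not dilute the pattern."""
    rec = EtaRecord()
    prev_ts = None
    for pkt in sorted(packets, key=lambda p: p.ts_ms):
        if not pkt.payload:
            continue
        if not rec.idp:
            rec.idp = pkt.payload[:IDP_MAX]
        if len(rec.splt) < SPLT_MAX:
            gap = 0 if prev_ts is None else pkt.ts_ms - prev_ts
            signed_len = len(pkt.payload) if pkt.client_to_server else -len(pkt.payload)
            rec.splt.append((signed_len, gap))
            prev_ts = pkt.ts_ms
    return rec


def idp_is_tls_handshake(rec: EtaRecord) -> bool:
    """Cheap check on the IDP: a TLS handshake record starts with 0x16 and a
    3.x version byte, so the SNI can be read from it without any decryption."""
    return len(rec.idp) >= 3 and rec.idp[0] == 0x16 and rec.idp[1] == 0x03


def upstream_downstream_bytes(rec: EtaRecord) -> Tuple[int, int]:
    """Bytes sent by the client vs. by the server within the SPLT window."""
    up = sum(n for n, _ in rec.splt if n > 0)
    down = sum(-n for n, _ in rec.splt if n < 0)
    return up, down


# Constructed TLS-looking flow: handshake first, then a small request and a
# larger response; SYN, SYN/ACK and ACK carry no payload.
SAMPLE_FLOW = [
    Packet(0, True, b""),
    Packet(20, False, b""),
    Packet(21, True, b"\x16\x03\x01\x02\x00" + b"\x00" * 512),     # ClientHello
    Packet(60, False, b"\x16\x03\x03\x0c\x00" + b"\x00" * 3072),   # ServerHello + Certificate
    Packet(61, True, b""),
    Packet(90, True, b"\x17\x03\x03\x00\x40" + b"\x00" * 64),      # application data
    Packet(130, False, b"\x17\x03\x03\x04\x00" + b"\x00" * 1024),
]

if __name__ == "__main__":
    record = build_eta_record(SAMPLE_FLOW)
    print("SPLT:", record.splt)
    print("IDP bytes:", len(record.idp), "TLS handshake:", idp_is_tls_handshake(record))
    print("up/down bytes:", upstream_downstream_bytes(record))
```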
Page 29
Encrypted Traffic Analytics (ETA): NetFlow Analytics with Cloud Intelligence
Cisco Cloud – Global-to-local knowledge correlation – Higher Precision
Cisco Stealthwatch – Enhanced analytics and machine learning – Faster Investigation
Network Meta-Data – Enhanced NetFlow from Cisco’s newest switches and routers – Leveraged Network
99% Threat Detection Accuracy, 0.01% False Positives*
*Cisco research findings
Page 30
Visibility Through NetFlow
Diagram: 10.1.8.3 → routers/switches → Internet → 172.168.134.2; flow information is exported from the packets.
Flow record:
SOURCE ADDRESS 10.1.8.3
DESTINATION ADDRESS 172.168.134.2
SOURCE PORT 47321
DESTINATION PORT 443
INTERFACE Gi0/0/0
IP TOS 0x00
IP PROTOCOL 6
NEXT HOP 172.168.25.1
TCP FLAGS 0x1A
SOURCE SGT 100
: :
APPLICATION NAME NBAR SECURE-HTTP
NetFlow provides
• A trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurements
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Indications of compromise (IOC)
• Security group information
Page 31
Behavioral and Anomaly Detection Model: Behavioral Algorithms Are Applied to Build “Security Events”
Flows → Collect and analyze flows → Security Events (94+) → Alarm Category → Response
Security events (examples): Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK**, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, … ICMP Flood, … Max Flows Initiated, Max Flows Served, … Suspect Long Flow, Suspect UDP Activity, SYN Flood
Alarm categories: Concern, Exfiltration, C&C, Recon, Data hoarding, Exploitation, DDoS target
Responses: Alarm table, Host snapshot, Syslog / SIEM, Mitigation
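As an added example (not Stealthwatch's algorithms, which the slide does not describe), two of the listed security events implemented over constructed flow records of the kind shown on page 30: Addr_Scan (one source reaching many destination addresses on one port) and Beaconing Host (near-constant-interval connections to one destination). The thresholds, the jitter measure and the event-to-alarm-category mapping are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed example, not Stealthwatch code: simple behavioural detectors
# that turn flow records into "security events" with an alarm category.


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: int        # 6 = TCP, 17 = UDP
    start: float      # seconds since an arbitrary epoch
    nbytes: int


# Assumed mapping from the slide's event names to its alarm categories.
ALARM_CATEGORY = {"Addr_Scan/tcp": "Recon", "Addr_Scan/udp": "Recon", "Beaconing Host": "C&C"}


def detect_addr_scan(flows: List[Flow], min_targets: int = 10) -> List[Tuple[str, str, int, int]]:
    """Addr_Scan/tcp and Addr_Scan/udp: one source touching many distinct
    destination addresses on the same destination port."""
    targets: Dict[Tuple[str, int, int], Set[str]] = defaultdict(set)
    for f in flows:
        targets[(f.src, f.proto, f.dport)].add(f.dst)
    events = []
    for (src, proto, dport), dsts in targets.items():
        if len(dsts) >= min_targets:
            name = "Addr_Scan/tcp" if proto == 6 else "Addr_Scan/udp"
            events.append((name, src, dport, len(dsts)))
    return sorted(events)


def detect_beaconing(flows: List[Flow], min_flows: int = 6, max_jitter: float = 0.1):
    """Beaconing Host: repeated flows to one destination at a near-constant
    interval. Jitter is measured as stddev/mean of the gaps between flow starts."""
    starts: Dict[Tuple[str, str, int], List[float]] = defaultdict(list)
    for f in flows:
        starts[(f.src, f.dst, f.dport)].append(f.start)
    events = []
    for (src, dst, dport), times in starts.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            events.append(("Beaconing Host", src, dst, dport, round(period, 1)))
    return sorted(events)


def security_events(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """(event name, source host, alarm category) for every detector that fired."""
    out = [(e[0], e[1], ALARM_CATEGORY[e[0]]) for e in detect_addr_scan(flows)]
    out += [(e[0], e[1], ALARM_CATEGORY[e[0]]) for e in detect_beaconing(flows)]
    return out


# Constructed flow records (addresses from the slide plus documentation ranges).
SAMPLE_FLOWS: List[Flow] = (
    # 10.1.8.3 calls out to 203.0.113.10:443 roughly every 60 s
    [Flow("10.1.8.3", "203.0.113.10", 443, 6, t, 900)
     for t in (0.0, 60.5, 120.0, 181.0, 240.2, 300.0, 360.8, 420.0)]
    # 10.1.8.20 probes 12 internal hosts on TCP/445 within a few seconds
    + [Flow("10.1.8.20", f"192.168.1.{i}", 445, 6, 10.0 + i * 0.2, 60) for i in range(1, 13)]
    # ordinary browsing from 10.1.8.3 at irregular times
    + [Flow("10.1.8.3", "172.168.134.2", 443, 6, t, 15000) for t in (5.0, 47.0, 300.3)]
)

if __name__ == "__main__":
    for event in security_events(SAMPLE_FLOWS):
        print(event)
```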
Page 32
Investigating a Host
Summary
Communication patterns
Page 33
Cloud: What services can be delivered?
Page 34
What about DNS protection? Cisco Umbrella
Umbrella Cloud Service: Malware, C2 Callbacks, Phishing
Enterprise-wide deployment in minutes
Intelligence to see attacks before they are launched
Visibility and protection everywhere
Stop threats before connections are made
Page 35
Gather intelligence and enforce security at the DNS layer
Diagram: Any device → Recursive DNS → root → com. → domain.com. (Authoritative DNS)
Authoritative DNS logs – Used to find: newly staged infrastructures; malicious domains, IPs, ASNs; DNS hijacking; fast flux domains; related domains
User request patterns – Used to detect: compromised systems; command and control callbacks; malware and phishing attempts; algorithm-generated domains; domain co-occurrences; newly registered domains
Page 36
Requests for “risky” domains → Intelligent proxy
Intelligence sources: Cisco Talos feeds, Partner feeds, Custom URL block list
URL inspection
File inspection: AV engines, Cisco AMP
Page 37
Intelligent proxy: Deeper inspection – Decryption and inspection when needed
Internet traffic (on and off-network) → Security controls → Destinations (original destination or block page)
Security controls: DNS and IP enforcement; risky domain inspection through proxy; selective SSL decryption; file inspection (AMP and AV)
Safe → Original destinations; Blocked → Modified destination
Page 38
Cisco Umbrella and ThreatGrid integration: Suspect Domain Protection
AMP Threat Grid (dynamic analysis, static analysis, threat intelligence) receives file samples from AMP ThreatGrid enabled security solutions (ASA/FP Firewall, AMP, Firepower Appliance, Web Security, ESA Email Security, Mobile, Analyst) and produces domain-based IOC data for Cisco Umbrella, which gives protected clients immediate protection from domain-based IOCs.
Benefits: Automated integration; Full AMP solution coverage
Page 39
Enterprise-wide deployment in minutes
Off-network protection: AnyConnect – no additional agents to deploy with AnyConnect; or Umbrella roaming client – works alongside other VPNs for DNS and IP redirection
On-network protection: Cisco networking (WLAN Controller, ISR 4K) – out-of-the-box integration; use of tags for granular filtering and reporting; policies per VLAN/SSID
DNS/DHCP servers, Wireless APs – simple configuration change to redirect DNS; policies for corporate and guests
Roaming client
Page 40
Endpoint: First (and last!) line of defense
Page 41
Security in the Endpoint: Network Visibility, Threat Protection, Roaming Protection
Network Visibility Module
• NetFlow data from endpoint
• Device + username
• Application and process data
Umbrella Roaming Agent
• Protects endpoint internet traffic
• Off-prem DNS protection
• Per user / group reporting & policy
Advanced Malware Prevention
• On- and off-prem file / malware blocking
Page 42
Secure Access On and Off Premise: Always-On and transparent connectivity with Trusted Network Detection
On Premise: User – No VPN Required
Off Premise (Untrusted): User – VPN Required – ASA
Page 43
Flow Analytics security from the endpoint with the AnyConnect Network Visibility Module (NVM)
Endpoint Context: IPFIX-based NetFlow record
• Unique Device ID
• Device Name (bsmith-WIN) and OS version
• Domain\User Name (Amer\bsmith)
• Local DNS (starbucks.com)
• Target DNS (amceco.box.com)
• Interface (Intel® Dual Band Wireless)
• Process/Container Name (iexplorer.exe), Process ID (hash)
• Parent Process Name (foobar.exe), Parent ID (hash)
NVM exports to the NetFlow Collector (Collection & Analytics Services)
Page 44
AMP Continuous Analysis and Retrospective Security
Breadth and control points: Endpoints, Network, Email, Web (WWW), Devices, IPS
Telemetry stream (continuous feed): file fingerprint and metadata; process information; file and network I/O
Continuous analysis with Talos + Threat Grid intelligence: Trajectory; Behavioral indications of compromise; Threat hunting; Retrospective detection
Page 45
Mobile device security solutions are disruptive and leave gaps
PROBLEM (for end-users and admin-users): custom browser app; VPN profile (always-on or on-demand); global HTTP proxy
Page 46
iOS Security Connector: SOLUTION
End-users: no user behavior changes; work as usual
Admin-users: all network activity is seen; works with ALL apps; best visibility and performance
Page 47
iOS Security Connector: One iOS app – two extensions (supervised iPhone / iPad)
Umbrella app extension – ENCRYPTION & ENFORCEMENT
• Visibility and control for all applications
• Defends against attacks and data exfiltration
Clarity app extension (AMP) – AUDITING & CORRELATION
• Audits encrypted and clear text flows by users, apps, and devices
Page 48
Intelligence Matters
Page 49
TALOS – Unmatched Visibility, Research, and Analytics
Threats across the Internet / Threats inside your network
Hundreds of thousands of customers
7.3T threats blocked annually
250+ threat researchers
Tens of millions of users
Hundreds of threat analytic engines
Page 50
Build an Architecture – Security that works together
Endpoint, Cloud, Network
Integrated Best of Breed
Page 51
Internal Users to Internet: Protecting the Employees
Diagram: Employee (Endpoint) → Internet
Capabilities: Advanced Malware Protection, Application Control, Anti-Virus, NGIPS, Identity Authorization, Segmentation/TrustSec, Firewall, GeoFiltering, Logging/Reporting, Recursive DNS Security, Flow Analytics, URL Filtering, SSL Decryption, SIEM, Network Anti-Malware, Web Proxy, Data Leakage Protection (DLP)
Cisco products: Cisco WSA or Firepower; Cisco Stealthwatch; Cisco WSA, Firepower, or Umbrella; Cisco Umbrella; Cisco ISE; Cisco Firepower Threat Defense; Cisco AMP
Page 52
Page 53
Talos Intel Background
THREAT INTEL: 250+ full-time threat intel researchers; millions of telemetry agents; 4 global data centers; 1100+ threat traps; 100+ threat intelligence partners
1.5 MILLION daily malware samples; 600 BILLION daily email messages; 16 BILLION daily web requests; 20 BILLION threats blocked
Sources: Honeypots; Open Source Communities; Vulnerability Discovery (Internal); Product Telemetry; Internet-Wide Scanning
INTEL SHARING: Customer Data Sharing Programs; Provider Coordination Program; Open Source Intel Sharing; 3rd Party Programs (MAPP); Industry Sharing Partnerships (ISACs); 500+ participants
Page 54
Cisco secure access solutions – focus areas
Visibility – Network and security analytics: Stealthwatch; ISE; Encrypted Traffic Analysis
Threat prevention – Threat protection: NGFW/NGIPS; Advanced Malware Protection (AMP); Umbrella / CloudLock
Segmentation – Firewall and access control: DNA; ISE; NGFW
Integrated
Page 55
Cisco Security Architecture
Cisco Security Homepage: Cisco.com/go/security
Page 56
The Only Way
Page 57: Rapid Threat Containment & Threat Centric NAC
Cisco Firepower Management Center (FMC) and Cisco Identity Services Engine (ISE)

Benefits
• Detect Threats Early: Firepower scans activity and publishes events to ISE
• Automate Endpoint Containment: ISE alerts the network of suspicious activity according to policy
• Integrate Best-of-Breed Security: a growing ecosystem of threat defense partners integrates with ISE
Page 58: Rapid Threat Containment with Firepower Management Center and ISE
(Diagram: FMC, ISE MnT, controller, NGFW, WWW / i-Net)
1. Security Events / IOCs Reported
2. Correlation Rules Trigger Remediation Action
3. pxGrid EPS Action: Quarantine + Re-Auth
Page 59: Rapid Threat Containment with Firepower Management Center and ISE
4. Endpoint Assigned Quarantine + CoA-Reauth Sent
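The four numbered steps on pages 58 and 59 describe a closed loop: Firepower reports events and IOCs, a correlation rule in FMC decides that a host needs remediation, and ISE pushes a quarantine plus a CoA re-authentication to the network through pxGrid EPS. The Python below is an added example of the correlation step, not Cisco code and not any FMC or ISE API: the event fields, the rule thresholds (one impact-1 intrusion event, or three IOC events inside ten minutes) and the shape of the action record are assumptions, and the pxGrid call itself is represented by the returned action record.

```python
"""Correlation-rule driven quarantine, modelled on the FMC -> ISE flow on
the slides.  Added example, not Cisco code: the event fields and the rule
thresholds are assumptions, and no pxGrid call is made; the returned action
record stands in for the EPS 'Quarantine + Re-Auth' request."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SecurityEvent:
    ts: datetime
    host: str     # endpoint IP reported by Firepower
    kind: str     # "intrusion" or "ioc" (assumed categories)
    impact: int   # FMC-style impact flag, 1 = most severe; 0 when not applicable


# Correlation rule (assumed): quarantine a host after one impact-1 intrusion
# event, or after IOC_THRESHOLD IOC events inside a WINDOW-long sliding window.
IOC_THRESHOLD = 3
WINDOW = timedelta(minutes=10)


def correlate(events):
    """Step 2 on the slide: return {host: reason} for hosts the rule fires on."""
    fired = {}
    recent_iocs = defaultdict(list)          # host -> IOC timestamps still in window
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "intrusion" and ev.impact == 1:
            fired.setdefault(ev.host, "impact-1 intrusion event")
            continue
        if ev.kind == "ioc":
            window = [t for t in recent_iocs[ev.host] if ev.ts - t <= WINDOW]
            window.append(ev.ts)
            recent_iocs[ev.host] = window
            if len(window) >= IOC_THRESHOLD:
                fired.setdefault(ev.host, f"{len(window)} IOC events within {WINDOW}")
    return fired


def remediation_actions(events):
    """Step 3 on the slide: one EPS-style action per hit (quarantine + CoA reauth)."""
    return [
        {"host": host, "action": "quarantine", "coa": "reauthenticate", "reason": reason}
        for host, reason in sorted(correlate(events).items())
    ]


# Constructed sample events (not real telemetry).
T0 = datetime(2018, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    SecurityEvent(T0, "10.1.1.20", "ioc", 0),
    SecurityEvent(T0 + timedelta(minutes=2), "10.1.1.20", "ioc", 0),
    SecurityEvent(T0 + timedelta(minutes=30), "10.1.1.20", "ioc", 0),   # stale: outside window
    SecurityEvent(T0 + timedelta(minutes=1), "10.1.1.30", "intrusion", 3),
    SecurityEvent(T0 + timedelta(minutes=3), "10.1.1.40", "intrusion", 1),
    SecurityEvent(T0 + timedelta(minutes=4), "10.1.1.50", "ioc", 0),
    SecurityEvent(T0 + timedelta(minutes=5), "10.1.1.50", "ioc", 0),
    SecurityEvent(T0 + timedelta(minutes=6), "10.1.1.50", "ioc", 0),
]

if __name__ == "__main__":
    for act in remediation_actions(SAMPLE_EVENTS):
        print(act)
```

Running the block prints one action per host that crossed the rule (10.1.1.40 and 10.1.1.50); the host with two IOCs and a third one half an hour later, and the host with an impact-3 intrusion event, stay on the network. That is the point of correlating before containing: an automated quarantine that fires on every single event takes hosts off the network on noise.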
Page 60: ISE (integration diagram)
Infrastructure & Devices: Switches, Routers, Wireless
Endpoints: IoT, Phones, Printers
Other components: WSA, ESA, FMC, SMC, SIEM, VMC
Cloud Services: Talos, AMP/TG, Umbrella, CTA
Legend: pxGrid, AMP/TG API, Firepower API, Talos API, Generic API, Syslog, Radius, Netflow, DNS, Net Protocols
Page 61: Cisco API Resources
https://developer.cisco.com/site/security/
Page 62: Tetration answers your Critical Questions
Who talks with who? What was out of Policy?
• Network DVR
• Visibility
• Automated Policy Discovery
• Policy Enforcement
• Application Dependency
• Audit & Compliance
Page 63: Cisco Segmentation with Active Threat Response
Step 1: Control policy and audit
Step 2: Anomaly Detection
Step 3: Dynamic Enforcement
Page 64: Detect Data Center threats with Stealthwatch

Monitor
• Comprehensive, contextual network flow visibility
• Real-time situational awareness of traffic

Detect
• Detect anomalous network behavior
• Detect network behaviors indicative of threats: worms, insider threats, DDoS and malware

Respond
• Quickly scope an incident
• Network troubleshooting
• One click quarantine

Analyze
• Holistic network audit trail
• Threat hunting and forensic investigations

(Diagram: End-to-End Network Visibility across Switch, Router, Firewall, WAN, Data Center, Server, User, Device)
Page 65: Greater visibility and security together – Cisco Tetration and Stealthwatch
Integrated with other security solutions: 1+1=3
• Threat detection and hunting
• Application traffic modeling & visibility
• Access control policy and audit
• Anomalous behavior
Page 66: Cisco Tetration Connection Manager – Automated security policy recommendation

Step 1: Behavior analysis
• Application conversations
• Conversation details / process bindings
• Legacy rule cleanup

Step 2: Auto-generation of whitelist policies
Whitelist policy recommendation
• Identifies application intent
• Generates 4-tuple policies
Export into Cisco solutions
• Export in JSON, XML and YAML
• Import into ACI, ASA, NGFW
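Steps 1 and 2 on page 66 (observe application conversations, then recommend 4-tuple whitelist policies and export them) and the "what was out of policy?" question on page 62 can be shown together on constructed data. The Python below is an added example, not Tetration code: the inventory that maps IPs to application tiers, the flow record layout, the minimum-count noise floor and the JSON export layout are all assumptions.

```python
"""Whitelist policy discovery from observed conversations, in the spirit of
the Tetration slides: behaviour analysis -> 4-tuple whitelist -> JSON export
-> out-of-policy detection.  Added example, not Tetration code; the flow
record fields, the group mapping and the JSON layout are assumptions."""
import json
from collections import Counter
from typing import List, Tuple

# Constructed inventory: endpoint IP -> application tier.  In a real
# deployment this comes from agent / process telemetry; assumed here.
INVENTORY = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.10": "app",
    "10.0.3.10": "db",
    "10.0.9.9": "unknown",
}

# Constructed observed conversations: (src_ip, dst_ip, proto, dst_port, count).
OBSERVED = [
    ("10.0.1.10", "10.0.2.10", "tcp", 8080, 340),
    ("10.0.1.11", "10.0.2.10", "tcp", 8080, 295),
    ("10.0.2.10", "10.0.3.10", "tcp", 5432, 1200),
    ("10.0.1.10", "10.0.3.10", "tcp", 5432, 1),    # one-off, below the noise floor
]

Policy = Tuple[str, str, str, int]   # (src_group, dst_group, proto, dst_port)


def group_of(ip, inventory):
    """Hosts missing from the inventory fall into an explicit 'unknown' group."""
    return inventory.get(ip, "unknown")


def discover_policies(observed, inventory, min_count=5) -> List[Policy]:
    """Step 2: collapse conversations to 4-tuples between groups and drop rare
    tuples, so a single stray connection does not become permanent policy."""
    tally = Counter()
    for src, dst, proto, port, n in observed:
        tally[(group_of(src, inventory), group_of(dst, inventory), proto, port)] += n
    return sorted(k for k, n in tally.items() if n >= min_count)


def export_json(policies) -> str:
    """Export the whitelist as JSON (the slide lists JSON, XML and YAML; layout assumed)."""
    return json.dumps(
        [{"consumer": s, "provider": d, "protocol": p, "port": port, "action": "ALLOW"}
         for s, d, p, port in policies],
        indent=2,
    )


def out_of_policy(flows, inventory, policies):
    """Answer 'what was out of policy?': flows whose group 4-tuple is not whitelisted."""
    allowed = set(policies)
    return [
        f for f in flows
        if (group_of(f[0], inventory), group_of(f[1], inventory), f[2], f[3]) not in allowed
    ]


# Constructed flows seen after the whitelist was generated.
NEW_FLOWS = [
    ("10.0.1.11", "10.0.2.10", "tcp", 8080),   # web -> app, whitelisted
    ("10.0.9.9", "10.0.3.10", "tcp", 5432),    # unknown host straight to the database
    ("10.0.1.10", "10.0.3.10", "tcp", 5432),   # web -> db, pruned as noise during discovery
]

if __name__ == "__main__":
    policies = discover_policies(OBSERVED, INVENTORY)
    print(export_json(policies))
    for flow in out_of_policy(NEW_FLOWS, INVENTORY, policies):
        print("OUT OF POLICY:", flow)
```

The noise floor is the part worth arguing about in a real rollout: too low and every stray connection observed during the learning window is whitelisted forever (the single web-to-database connection above would become policy); too high and legitimate but infrequent conversations, such as monthly batch jobs, are flagged once enforcement is switched on. Reviewing the pruned tuples before export is how that trade-off gets made deliberately rather than by accident.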
Page 68: TrustSec Functions

Classification
• Static classification
• Dynamic classification
• Endpoint identification

Propagation
• Inline tagging or data plane (many options)
• Control plane (SXP or pxGrid)

Enforcement
• Security Group Tags
• Enforcement
• Threat defense

Central management
• Group tag management
• Group policy management

Software-Defined Segmentation: open technology, heterogeneous environment
(Diagram: Endpoint, SGT-enabled network: Switch, Router, Firewall, Wireless)
Page 69: TrustSec integration – ACI (Data Center)

TrustSec Policy Domain (Cisco ISE 2.1, Security Groups)
• Switch, Routers, Firewall, Server, User
• SGT over Ethernet
• IPSec / DMVPN / GETVPN / SXP classification
• WAN (GETVPN, DMVPN, IPSEC)
• IP-Security Group bindings exchanged with network

ACI Policy Domain (Cisco APIC-DC, End Point Groups)
• Nexus 9000 Spine / Leaf
• IP-ClassId, VNI bindings

• ISE creates matching Security Groups for Endpoint Groups
• ISE exchanges IP-SGT/EPG ‘Name bindings’