Security @ Cisco Roadshow 2017


Transcript of Security @ Cisco Roadshow 2017

Page 1: Security @ Cisco Roadshow 2017

Cisco Roadshow 2017

Nikos Mourtzinos, CCIE #9763

Cisco Security Product Sales Specialist

Cisco Integrated Threat Defense

Page 2: Security @ Cisco Roadshow 2017

Security as a Business Enabler

Page 3: Security @ Cisco Roadshow 2017

The Security Problem

Changing Business Models

Dynamic Threat Landscape

Complexity and Fragmentation

Page 4: Security @ Cisco Roadshow 2017

Digital Disruption Drives the Hacker Economy

There is a multi-billion dollar global industry targeting your prized assets. Going rates shown on the slide:

• Social Security number: $1
• Mobile malware: $150
• Bank account info: >$1000 depending on account type and balance
• Facebook accounts: $1 for an account with 15 friends
• Credit card data: $0.25-$60
• Malware development: $2500 (commercial malware)
• DDoS as a service: ~$7/hour
• Spam: $50 per 500K emails
• Medical records: >$50
• Exploits: $1000-$300K

$450 Billion

Page 5: Security @ Cisco Roadshow 2017

World’s biggest data breaches

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 6: Security @ Cisco Roadshow 2017

Recent Breaches

Page 7: Security @ Cisco Roadshow 2017

Failure of Legacy Security Architectures

Limited Visibility, Lacks Correlation, Manual Response, Complexity and Fragmentation.

The slide shows point products from six different vendors deployed between the internet and the network (Endpoint AV, UTM Services/IPS, Network AV, Web Security, Email Security, Edge Firewall, NAC), each raising its own uncorrelated alert (Endpoint Alert, Email Alert, Web Alert, IDS Alert, AV Alert).

Page 8: Security @ Cisco Roadshow 2017

Customer Questions

What does Cisco Security do?

How do we do it?

What makes us different?

What do other customers say?

Page 9: Security @ Cisco Roadshow 2017

What does Cisco Security do? The only company with security product revenue exceeding a $2 billion annualized run rate with double-digit growth.

Market Recognition: focus on NSS, acquisitions, integration, market recognition.

Best Security Company

Security Value Map Leader: NGFW, NGIPS and Breach Detection Systems (AMP)

Cisco's Security Everywhere... "that's pretty brilliant"

Interop 2016

Cisco Best NGFW award: Cisco's Network Security Portfolio finally stands on its own merit

Page 10: Security @ Cisco Roadshow 2017

Cisco is Investing in Security Growth

1995
• PIX Firewall, the foundation of the current ASA-X

2007, 2009, 2013, 2014
• Top leader of content security
• Leading dynamic malware analysis (sandbox), currently integrated into AMP
• Top leader of cloud-based web security
• Snort®, ClamAV® open source projects founder; VRT world-class research; top leader of IPS
• Top leader of security advisory services; provides risk management and compliance to Fortune 500 customers

2015, 2016
• Leading security analytics platform to defend against advanced cyber threats
• Cloud-based DNS security service

Page 11: Security @ Cisco Roadshow 2017

Ecosystem and Integration: Combined API Framework

Partner integration categories: Packet Brokering; Network Infrastructure & Policy Management; Performance Management & Visualization; Mobility; Packet Capture & Forensics; SIEM & Analytics; Remediation & Incident Response; Vulnerability Management; Custom Detection; Firewall/Access Control; IAM/SSO.

Lifecycle stages: Discover, Enforce, Harden; Detect, Block, Defend; Scope, Contain, Remediate.

Page 12: Security @ Cisco Roadshow 2017

How do we do it?

Page 13: Security @ Cisco Roadshow 2017

Security Architecture

Talos Threat Intelligence Cloud

1. ASA 5500X with ASA Firepower, managed by FMC (Management, Reporting, Analytics)

Page 14: Security @ Cisco Roadshow 2017

Security Architecture

Talos Threat Intelligence Cloud

1. ASA 5500X with ASA Firepower, managed by FMC (Management, Reporting, Analytics)

2. AMP for Endpoints: Windows OS, Android mobile, virtual, Mac OS; CentOS and Red Hat Linux for servers and datacenters; remote endpoints (AMP for Endpoints can be launched from Cisco AnyConnect®)

Page 15: Security @ Cisco Roadshow 2017

Security Architecture

Talos Threat Intelligence Cloud

1. ASA 5500X with ASA Firepower, managed by FMC (Management, Reporting, Analytics)

2. AMP for Endpoints: Windows OS, Android mobile, virtual, Mac OS; CentOS and Red Hat Linux for servers and datacenters; remote endpoints (AMP for Endpoints can be launched from Cisco AnyConnect®)

3. Email Security

Page 16: Security @ Cisco Roadshow 2017

Security Architecture

Talos Threat Intelligence Cloud

1. ASA 5500X with ASA Firepower, managed by FMC (Management, Reporting, Analytics)

2. AMP for Endpoints: Windows OS, Android mobile, virtual, Mac OS; CentOS and Red Hat Linux for servers and datacenters; remote endpoints (AMP for Endpoints can be launched from Cisco AnyConnect®)

3. Email Security

4. Cisco Identity Services Engine (Cisco ISE)

Page 17: Security @ Cisco Roadshow 2017

Cisco ASA Firepower

Features shown on the slide, fed by Cisco Collective Security Intelligence: Malware Protection; Network Profiling; URL Filtering; Identity-Based Policy Control; Application Visibility & Control; Intrusion Prevention; High Availability; Network Firewall and Routing; Analytics & Automation; Integrated Software Management.

Page 18: Security @ Cisco Roadshow 2017

Enhances Security, Simplifies Operations & Saves Costs

Superior Network Visibility: servers, hosts, mobiles, applications, OS, vulnerabilities

Impact Assessment & Correlation: threat correlation reduces actionable events by up to 99%

Automated Tuning: adjust IPS policies automatically based on network changes

World Class Research Center: Security Intelligence

Indications of Compromise: warning indicator to more rapidly remediate threats

Advanced Malware Protection: analyses files to block malware

Page 19: Security @ Cisco Roadshow 2017

Superior Network Visibility

Rogue hosts, vulnerabilities, applications, OS, servers, mobiles

Categories: Hosts; Network Servers; Routers & Switches; Mobile Devices; Printers; VoIP Phones; Virtual Machines; Operating Systems; Applications (Web, Client etc.); Users; File Transfers; Command & Control Servers; Threats; Vulnerabilities

"You can't protect what you can't see"

Real-time notifications of changes

Page 20: Security @ Cisco Roadshow 2017

Security Intelligence: World-Class Threat Research

19.7B threats per day; 250 threat researchers; 100TB threat intelligence

Daily and monthly volumes shown on the slide (1.4M, 1.1M, 1.8B, 1B, 8.2B): incoming malware samples per day, SenderBase reputation queries per day, web filtering blocks per month, AV blocks per day, spyware blocks per month

World Class Research Center: Security Intelligence

http://blog.talosintel.com

Page 21: Security @ Cisco Roadshow 2017

Automated Tuning: adjust IPS policies automatically based on network changes

• Automated recommended rules based on the organization's infrastructure
• Automated IPS policies based on changes
• Simplifies operations & reduces costs

NSS IPS Test Key Findings: Protection varied widely between 31% and 99%. Tuning is required, and is most important for remote attacks against servers and their applications. Organizations that do not tune could be missing numerous "catchable" attacks.

Page 22: Security @ Cisco Roadshow 2017

Impact Assessment & Correlation

Automatically correlates all intrusion events; threat correlation reduces actionable events by up to 99%.

Impact Flag | Administrator Action                   | Why
1           | Act Immediately; Vulnerable            | Event corresponds with vulnerability mapped to host
2           | Investigate; Potentially Vulnerable    | Relevant port open or protocol in use, but no vulnerability mapped
3           | Good to Know; Currently Not Vulnerable | Relevant port not open or protocol not in use
4           | Good to Know; Unknown Target           | Monitored network, but unknown host
0           | Good to Know; Unknown Network          | Unmonitored network
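The impact flag table above, together with the automated tuning on the previous slide, both reduce to one idea: an intrusion event is only as actionable as what the discovery engine knows about the target host. The following is an added example, not code from the slides or from Cisco; it assumes a hypothetical host inventory (`HostProfile`), event and rule model with constructed placeholder vulnerability ids and rule SIDs, and implements the five flag cases exactly as the table states them plus a minimal "enable only the rules that match a discovered OS and service" tuning pass.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical data model for the host profile that network discovery builds
# (constructed for this example, not Firepower's own schema).
Service = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 445)

@dataclass
class HostProfile:
    ip: str
    os: str
    open_services: Set[Service]
    vulnerabilities: Set[str] = field(default_factory=set)  # ids mapped to this host

@dataclass
class IntrusionEvent:
    dst_ip: str
    protocol: str
    dst_port: int
    vuln_id: Optional[str] = None  # vulnerability the signature targets, if any

@dataclass
class Rule:
    sid: int
    description: str
    target_os: Optional[str] = None     # None = applies to any OS
    service: Optional[Service] = None   # None = not tied to one service

def impact_flag(event: IntrusionEvent, hosts: Dict[str, HostProfile],
                monitored: List[ipaddress.IPv4Network]) -> Tuple[int, str]:
    """Assign the impact flag from the slide's table, most specific case first."""
    target = ipaddress.ip_address(event.dst_ip)
    if not any(target in net for net in monitored):
        return 0, "Good to Know; Unknown Network"
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4, "Good to Know; Unknown Target"
    if event.vuln_id is not None and event.vuln_id in host.vulnerabilities:
        return 1, "Act Immediately; Vulnerable"
    if (event.protocol, event.dst_port) in host.open_services:
        return 2, "Investigate; Potentially Vulnerable"
    return 3, "Good to Know; Currently Not Vulnerable"

def recommend_rules(rules: List[Rule], hosts: Dict[str, HostProfile]) -> Set[int]:
    """Automated tuning: enable a rule only if some discovered host matches its OS and service."""
    enabled = set()
    for rule in rules:
        for host in hosts.values():
            os_ok = rule.target_os is None or host.os == rule.target_os
            svc_ok = rule.service is None or rule.service in host.open_services
            if os_ok and svc_ok:
                enabled.add(rule.sid)
                break
    return enabled

# Constructed sample inventory, events and rules (placeholder ids, not real CVEs or Snort SIDs).
MONITORED = [ipaddress.ip_network("10.0.0.0/8")]
HOSTS = {
    "10.1.1.10": HostProfile("10.1.1.10", "windows", {("tcp", 445), ("tcp", 3389)}, {"VULN-EXAMPLE-0001"}),
    "10.1.1.20": HostProfile("10.1.1.20", "linux", {("tcp", 22), ("tcp", 80)}),
}
EVENTS = [
    IntrusionEvent("10.1.1.10", "tcp", 445, "VULN-EXAMPLE-0001"),  # vulnerability mapped to host
    IntrusionEvent("10.1.1.20", "tcp", 80, "VULN-EXAMPLE-0002"),   # port open, vulnerability not mapped
    IntrusionEvent("10.1.1.20", "tcp", 445, "VULN-EXAMPLE-0001"),  # port not open on this host
    IntrusionEvent("10.1.1.99", "tcp", 80),                        # monitored network, unknown host
    IntrusionEvent("192.168.5.5", "tcp", 80),                      # unmonitored network
]
RULES = [
    Rule(1001, "SMB exploit attempt against Windows", "windows", ("tcp", 445)),
    Rule(1002, "SSH brute-force attempt", None, ("tcp", 22)),
    Rule(1003, "Telnet exploit against Solaris", "solaris", ("tcp", 23)),
    Rule(1004, "Generic command-and-control beacon", None, None),
]

def triage(events=EVENTS, hosts=HOSTS, monitored=MONITORED) -> Dict[int, int]:
    """Count events per impact flag; flag 1 is the 'act immediately' set left after correlation."""
    counts: Dict[int, int] = {}
    for ev in events:
        flag, _ = impact_flag(ev, hosts, monitored)
        counts[flag] = counts.get(flag, 0) + 1
    return counts

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.dst_ip, ev.protocol, ev.dst_port, "->", impact_flag(ev, HOSTS, MONITORED))
    print("actionable:", triage()[1], "of", len(EVENTS))
    print("recommended rules:", sorted(recommend_rules(RULES, HOSTS)))
```

Of the five constructed events only one lands on flag 1, which is the whole point of correlating against the host profile; and the Solaris telnet rule stays disabled because no discovered host matches it, which is what the NSS finding about untuned sensors is getting at from the other direction.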

Page 23: Security @ Cisco Roadshow 2017

Advanced Malware Protection: analyses files to detect and block malware

• File Reputation
• Big data analytics
• Dynamic Analysis with Sandboxing (outside-looking-in)
• Continuous analysis

Page 24: Security @ Cisco Roadshow 2017

Cisco Confidential 24© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Advanced Malware Protection

1) File capture from network traffic

Page 25: Security @ Cisco Roadshow 2017

Advanced Malware Protection

1) File capture from network traffic
2) Send file fingerprint (SHA256) to Talos / Cisco Collective Security Intelligence

Page 26: Security @ Cisco Roadshow 2017

Advanced Malware Protection

1) File capture from network traffic
2) Send file fingerprint (SHA256) to Talos / Cisco Collective Security Intelligence
3) File look-up returns "malware": malware alert, file dropped immediately

Page 27: Security @ Cisco Roadshow 2017

Advanced Malware Protection

4) AMP file reputation = unknown
5) AMP dynamic malware analysis

Page 28: Security @ Cisco Roadshow 2017

Sandboxing

Page 29: Security @ Cisco Roadshow 2017

Advanced Malware Protection

4) AMP file reputation = unknown
5) AMP dynamic malware analysis
6) AMP retrospection (Talos): retrospective incidents
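The six steps on slides 24 to 29 form one pipeline: fingerprint the captured file, drop it if the cloud already calls it malware, let an unknown file through while it is sandboxed, and, if the sandbox later says malware, raise a retrospective incident for every host that already received it. The following is an added example, not Cisco's code or an AMP API; the reputation cloud, the sandbox (a constructed marker string stands in for observed behaviour) and the sample files are all constructed stand-ins, and the SHA-256 values are computed from those constructed bytes.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ReputationCloud:
    """Stand-in for the cloud lookup: answers 'clean', 'malware' or 'unknown' for a SHA-256."""
    def __init__(self, known: Dict[str, str]):
        self.known = dict(known)
    def lookup(self, digest: str) -> str:
        return self.known.get(digest, "unknown")
    def update(self, digest: str, disposition: str) -> None:
        self.known[digest] = disposition

def sandbox_analyze(data: bytes) -> str:
    """Stand-in for dynamic analysis: a constructed marker substitutes for real behaviour."""
    return "malware" if b"EVIL-MARKER" in data else "clean"

class AmpInspector:
    def __init__(self, cloud: ReputationCloud):
        self.cloud = cloud
        self.trajectory: Dict[str, List[Tuple[str, str]]] = defaultdict(list)  # digest -> [(host, filename)]
        self.pending: Dict[str, bytes] = {}                      # unknown files queued for analysis
        self.retro_incidents: List[Tuple[str, str, str]] = []   # (digest, host, filename)

    def inspect(self, host: str, filename: str, data: bytes) -> str:
        """Steps 1-4: capture, fingerprint, look up; drop on 'malware', queue on 'unknown'."""
        digest = sha256_hex(data)
        self.trajectory[digest].append((host, filename))   # record where the file went
        verdict = self.cloud.lookup(digest)
        if verdict == "malware":
            return "drop"
        if verdict == "clean":
            return "allow"
        self.pending[digest] = data   # step 4: unknown, let it through but queue for analysis
        return "allow-pending"

    def run_dynamic_analysis(self) -> Dict[str, str]:
        """Steps 5-6: analyse queued files; a 'malware' result updates the cloud and raises
        a retrospective incident for every host that already received that file."""
        results = {}
        for digest, data in list(self.pending.items()):
            disposition = sandbox_analyze(data)
            self.cloud.update(digest, disposition)
            results[digest] = disposition
            if disposition == "malware":
                for host, filename in self.trajectory[digest]:
                    self.retro_incidents.append((digest, host, filename))
            del self.pending[digest]
        return results

# Constructed sample files and a seeded reputation store (not real Talos data).
CLEAN_FILE = b"%PDF-1.4 quarterly report, constructed sample"
KNOWN_BAD_FILE = b"MZ constructed known-bad sample"
NEW_FILE = b"MZ constructed never-seen sample EVIL-MARKER"

def run_scenario() -> Dict[str, object]:
    cloud = ReputationCloud({sha256_hex(CLEAN_FILE): "clean", sha256_hex(KNOWN_BAD_FILE): "malware"})
    amp = AmpInspector(cloud)
    first = amp.inspect("host-a", "report.pdf", CLEAN_FILE)        # known clean: allow
    second = amp.inspect("host-a", "invoice.exe", KNOWN_BAD_FILE)  # known malware: drop at lookup
    third = amp.inspect("host-b", "update.exe", NEW_FILE)          # unknown: allow, queue
    fourth = amp.inspect("host-c", "update.exe", NEW_FILE)         # still unknown: same
    results = amp.run_dynamic_analysis()                            # sandbox verdict comes back
    fifth = amp.inspect("host-d", "update.exe", NEW_FILE)          # cloud now knows it: drop
    return {
        "verdicts": [first, second, third, fourth, fifth],
        "sandbox": results[sha256_hex(NEW_FILE)],
        "retro_hosts": sorted(h for _, h, _ in amp.retro_incidents),
    }

if __name__ == "__main__":
    print(run_scenario())
```

The trajectory map is what makes retrospection possible: without recording which hosts received a then-unknown file, a later malware verdict could update the cloud but could not tell the operator where to go and clean up.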

Page 30: Security @ Cisco Roadshow 2017

Indications of Compromise (IoCs)

IPS events: malware backdoors, CnC connections, exploit kits, admin privilege escalations, web app attacks
SI events: connections to known CnC IPs
Malware events: malware detections, malware executions, Office/PDF/Java compromises, dropper infections

Early warning indicator to rapidly remediate threats before they spread

Page 31: Security @ Cisco Roadshow 2017


Correlation


Page 34: Security @ Cisco Roadshow 2017

AMP Protection Across the Extended Network

AMP Threat Intelligence Cloud

AMP for Endpoints: Windows OS, Android mobile, virtual, Mac OS; CentOS and Red Hat Linux for servers and datacenters; remote endpoints (AMP for Endpoints can be launched from Cisco AnyConnect®)

Page 35: Security @ Cisco Roadshow 2017

What do you get with AMP for Endpoints?

• Inspect processes and files
• Track malware's spread and communications
• Identify known and unknown threats
• Quarantine threats on the endpoint
• Includes antivirus and 0-day threat detection

Page 36: Security @ Cisco Roadshow 2017

What do you get with AMP for Endpoints?

Where did the malware come from? Where has the malware been? What is it doing? What happened? How do we stop it?

Automatically quarantine threats on the endpoint

Page 37: Security @ Cisco Roadshow 2017

Email is still the #1 threat vector

Phishing, Spoofing, Ransomware

Messages contain attachments and URLs. Socially engineered messages are well crafted and specific. Credential "hooks" give criminals access to your systems.

94% of phish mail has malicious attachments [1]
30% of phishing messages are opened [1]
$500M loss incurred due to phishing attacks in a year by US companies [2]

[1] 2016 Cisco Annual Security Report
[2] 2016 Verizon Data Breach Report, Krebs on Security

Page 38: Security @ Cisco Roadshow 2017

Cisco Email Security (Overview)

Protection across Before, During and After, for inbound and outbound email, deployed as Cisco Appliance, Virtual or Cloud, backed by Talos:

Inbound (incoming threat): Email Reputation, Acceptance Controls, File Reputation, Anti-Spam, Anti-Virus, Outbreak Filters, Mail Flow Policies, Forged Email Detection, Anti-Phish, ThreatGrid, URL Reputation & Categorization, File Sandboxing & Retrospection, tracking of user click activity (anti-phish)
Outbound (outbound liability): Content Controls, Data Loss Protection, Encryption, HIPAA
Actions: Allow, Warn, Block, Partial Block
Management (Admin HQ): Reporting, Message Tracking, Management

Page 39: Security @ Cisco Roadshow 2017


Identity Services Engine

Who/What is currently connected on the Network ?

How Do I Control Who and What Access the Network/Resources?

Compliance. Insider threat: once inside, threats can spread quickly.

How to Quarantine a User ?

Page 40: Security @ Cisco Roadshow 2017


Who, What, Where, When, How: virtual machine client, IP device, guest, employee, and remote user; wired, wireless, VPN

Policy Controller: business-relevant policies

All-in-One Enterprise Policy Control:
• Identity Context / Policy Management: increases operational efficiency
• Onboarding & MDM Integration: increases productivity and improves user experience
• Device Profiling & Posture Remediation: provides comprehensive secure access
• Network Enforcement: decreases operational costs

Page 41: Security @ Cisco Roadshow 2017


Enterprise Mobility

Who?

When?

Where?

How?

What?

Employee Guest

Personal Device Company Asset

Wired Wireless VPN

@ Vessel Headquarters

Weekends (8:00am – 5:00pm) GMT

Page 42: Security @ Cisco Roadshow 2017


ASA Firepower & Cisco ISE

Next Gen Intrusion Prevention & Advanced Malware Protection: threat detection by ASA Firepower, quarantine action by Cisco® ISE on the network

Speeds time-to-containment so infected endpoints are quickly and automatically removed as threats. Lowers costs as operational overhead and malware-related costs are minimized, while enabling use of already-deployed Cisco networking devices for enforcement.

Visibility, Correlation, Automated Actions

Page 43: Security @ Cisco Roadshow 2017

Protect users wherever they access the internet

Malware Phishing

C2 Callbacks

Page 44: Security @ Cisco Roadshow 2017

DNS is used by every device on your network.

Page 45: Security @ Cisco Roadshow 2017

First line of defense against internet threats: Umbrella (OpenDNS)

See: visibility to protect access everywhere
Learn: intelligence to see attacks before they launch
Block: stop threats before connections are made

Page 46: Security @ Cisco Roadshow 2017

Key points: visibility and protection everywhere; deployment in minutes; integrations to amplify existing investments

Umbrella (OpenDNS), resolver 208.67.222.222: the fastest and easiest way to block malware, C2 callbacks and phishing
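Slides 44 to 46 make the case for enforcement at the DNS layer: because every device resolves names before it connects, a resolver that answers blocked names with a sinkhole address stops the connection before it is made, and the query log gives visibility over every device. The following is an added example, not Umbrella's code or configuration; the threat-category feed, the upstream answers and the sinkhole address (TEST-NET-1) are all constructed placeholders. It shows the two details that matter in practice: name normalization (case, trailing dot) and walking up through parent domains so that a listed domain also covers its subdomains.

```python
from typing import Dict, List, Optional, Tuple

SINKHOLE_IP = "192.0.2.1"   # constructed block-page address (TEST-NET-1), not Umbrella's

# Constructed threat-category feed keyed by domain; a parent entry covers all subdomains.
BLOCKED_DOMAINS: Dict[str, str] = {
    "malware-host.example": "malware",
    "login-bank.example": "phishing",
    "c2.example": "c2",
}

# Constructed stand-in for upstream recursive resolution.
UPSTREAM: Dict[str, str] = {
    "www.example.org": "203.0.113.10",
    "cdn.malware-host.example": "203.0.113.20",   # would resolve, but policy stops it first
}

def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.strip().rstrip(".").lower()

def match_category(qname: str, blocked: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Walk from the full name up through each parent domain; return (matched_domain, category)."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate, blocked[candidate]
    return None

class DnsPolicyResolver:
    def __init__(self, blocked=BLOCKED_DOMAINS, upstream=UPSTREAM):
        self.blocked, self.upstream = blocked, upstream
        self.log: List[Dict[str, str]] = []   # every query is logged: the "visibility" part

    def resolve(self, client_ip: str, qname: str) -> Tuple[str, Optional[str]]:
        """Return (action, answer). Blocked names get the sinkhole so no connection is ever made."""
        name = normalize(qname)
        hit = match_category(name, self.blocked)
        if hit is not None:
            matched, category = hit
            self.log.append({"client": client_ip, "qname": name, "action": "block",
                             "category": category, "matched": matched})
            return "block", SINKHOLE_IP
        answer = self.upstream.get(name)
        action = "allow" if answer is not None else "nxdomain"
        self.log.append({"client": client_ip, "qname": name, "action": action,
                         "category": "", "matched": ""})
        return action, answer

    def blocks_by_category(self) -> Dict[str, int]:
        """Summarize blocked queries per threat category, as a reporting view would."""
        counts: Dict[str, int] = {}
        for entry in self.log:
            if entry["action"] == "block":
                counts[entry["category"]] = counts.get(entry["category"], 0) + 1
        return counts

if __name__ == "__main__":
    r = DnsPolicyResolver()
    for q in ["www.example.org", "CDN.Malware-Host.example.", "login-bank.example",
              "c2.example", "nothing.example"]:
        print(q, "->", r.resolve("10.1.1.10", q))
    print(r.blocks_by_category())
```

The second query is the interesting one: the constructed feed lists only the parent "malware-host.example", yet the mixed-case, dot-terminated subdomain is still caught, because the match walks up the label hierarchy after normalization. Without that walk, a single new hostname under a known-bad domain would slip past the list.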

Page 47: Security @ Cisco Roadshow 2017

Global prevention with Cisco Umbrella and AMP

Page 48: Security @ Cisco Roadshow 2017

CloudLock API Access (Cloud to Cloud)

CloudLock connects to cloud applications through their public APIs (admin OAuth access), alongside the Cisco ASA NGFW, covering managed users, devices and networks as well as unmanaged users, devices and networks.

Page 49: Security @ Cisco Roadshow 2017

What CloudLock Protects: Users/Accounts, Data, Applications

Page 50: Security @ Cisco Roadshow 2017

Addressing the Top Threats in the Cloud

Top threats addressed by CloudLock: Data Breaches; Weak Identity, Credential and Access Management; Insecure Interfaces and APIs; Account Hijacking; Malicious Insiders

Source: Cloud Security Alliance (CSA), 2016

Page 51: Security @ Cisco Roadshow 2017


What makes us different?

Visibility: "You can't protect what you can't see"

Automated Tuning of NGIPS, Automated Impact Assessment, Indications of Compromise (IoCs): enhances security, simplifies operations & reduces costs

Dynamic Analysis with Sandboxing: NSS Labs detection results (100% breach detection rate, fastest time to detection)

Continuous analysis (Retrospection) and integration of ASA Firepower AMP & ESA AMP with AMP for Endpoints (key differentiator that caused serious issues to competitors)

Unified Management (Firepower Management Center): NGFW configuration & event management, vulnerability management, impact assessment, retrospective analysis & correlation

Page 52: Security @ Cisco Roadshow 2017


What makes us different?

Email threats #1: spear phishing, spoofed emails, ransomware. Protect #1: enhance email security

Who/what is currently connected? How do I control who and what access the network/resources? How to quarantine a user? ISE and ISE / Firepower integration

Integration with AMP for Endpoints: inspect processes and files, track malware's spread and communications, automatically quarantine threats

Page 53: Security @ Cisco Roadshow 2017


Page 54: Security @ Cisco Roadshow 2017


A Leader in Security Effectiveness

• A leader for the 3rd year in a row in the BDS test, detecting 100% of malware, exploits & evasions.
• Faster time to detection than any other vendor.
• Cisco delivers breach detection across more platforms and attack vectors than any other solution, blocking more threats, faster.

Only Cisco with its architectural approach to security can provide an integrated solution that can see a threat once and block it everywhere.

Figure 1. NSS Breach Detection Test Results for Cisco - August 2016

Page 55: Security @ Cisco Roadshow 2017

What do other customers say?

http://www.cisco.com/c/en/us/products/security/customer-case-study.html

Page 57: Security @ Cisco Roadshow 2017

Case Study

George Venianakis, CCIE™ #8418, Head, Global MSS & GX Operations

SpeedCast

February 7th 2017, Divani Caravel

Page 58: Security @ Cisco Roadshow 2017

Who are we and what we do: a leading Global Communications and IT Service Provider

ASX:SDA – HQ HK – 1200 Employees – 90 Countries

Verticals: Maritime, Energy, Enterprise, Telco, Mining, Government, NGO, Media

Page 59: Security @ Cisco Roadshow 2017

Challenge

• Create an Inmarsat-enabled DataCenter and PoP
• Close to a hundred percent network availability
• Deliver ISP and connectivity to maritime vessels
• Remotely and centrally managed
• State of the art security offerings
• Simplified and fully programmable approach
• Single vendor platform
• Limited ICT staff resources

Page 60: Security @ Cisco Roadshow 2017

Solution

• Cluster of ASA-X NGFW w/FirePOWER® and FireSIGHT®
• REST API management approach
• Quad ASR4K
• Simplified operations, management and support
• IPS, AMP, AVC, URL Filtering
• Full reporting
• Small-to-moderate CAPEX
• Small OPEX
• Rigid, unified security services offerings

Page 61: Security @ Cisco Roadshow 2017

Visibility through FireSIGHT

Page 62: Security @ Cisco Roadshow 2017

Protocols, Events, Risk

Page 63: Security @ Cisco Roadshow 2017

Files Dispersion

Page 64: Security @ Cisco Roadshow 2017

Geolocation Information

Page 65: Security @ Cisco Roadshow 2017

File Trajectory

Page 66: Security @ Cisco Roadshow 2017

Benefits

Simplified, REST API-based, centralized management available to the involved staff while maintaining low headcount for operations.

State of the art automated services, availability and reliability of the networking services as well as robust scalability to meet future needs.

Low OPEX

Page 67: Security @ Cisco Roadshow 2017

Why Cisco Now

With Cisco, there’s never been a better time to know what’s happening in our entire network. There’s never been a better time to be protected as the threats are stopped before, during and after the attacks. We can automate security, even after attacks, across physical, virtual and cloud to reduce complexity and quickly remediate attacks.

"We have achieved all of our predefined targets with no surprises. With ASA-X Next Generation Firewalls we operate a complete, transparent and rigid security infrastructure with unparalleled resilience, availability and scalability."