#CLMEL Hybrid Cloud Security
Cisco CloudCentre, AMP for Endpoints, Tetration Analytics, StealthWatch Cloud, ACI+ISE w/TrustSec, ASA/Firepower NGFW, Cloudlock, OpenDNS Umbrella, Cisco Threat Response, Duo Security

Brenden Buresh – Principal Systems Engineer
Jeff Fanelli – Principal Systems Architect

BRKSEC-2719


© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• Introduction

• Cisco CloudCentre

• AMP for Endpoints

• Tetration Analytics Part1 - ADM

• StealthWatch Cloud

• Simplifying Security Visibility Demo

• ACI+ISE w/TrustSec

• ASA/Firepower NGFW

• Tetration Analytics Part2 – Enforcement

• Cloudlock

• OpenDNS Umbrella

• Simplifying Security Segmentation Demo #2

• Cisco Threat Response

• Duo Security

• Multi-Layered Threat Protection Demo #3

• Conclusion

Introduction

Modern Data Centres are Incredibly Complex

• Big and Fast Data
• Application Architecture
• Hybrid Cloud
• Virtualisation
• Continuous development
• Multicloud orchestration
• Expanded attack surface
• Micro Services
• Workload portability
• Increase in east-west traffic
• APIs
• Zero trust model

Cisco Data Centre Security

Integrated

• Visibility: “See Everything”
• Segmentation: “Reduce the Attack Surface”
• Threat Protection: “Stop the Breach”

Featured Use Cases and Demos

• Visibility: Network and Application Analytics
  Stealthwatch, Tetration, Stealthwatch + Tetration
• Segmentation: Firewalls and Application Segmentation
  ASA/NGFW, ACI/TrustSec + Tetration
• Threat Protection: Automated Threat Detection, Blocking, and Response
  NGFW/NGIPS, AMP + Cisco Threat Response, OpenDNS Umbrella, AMP + OpenDNS Umbrella

Integrated

Security Capabilities in the Hybrid Cloud

(Figure: Client, Server and Workload tiers)

• Visibility: Stealthwatch Cloud; AMP / Cisco Threat Response
• Segmentation: ACI TrustSec; ASAv / NGFWv
• Threat Prevention: OpenDNS Umbrella; AMP Server AV/AM; Tetration Workload

Cisco CloudCentre

Hybrid Cloud Creates Complexity

Evolving on-premises environment / Adopting public clouds:

“lack of visibility and governance across multiple clouds”

“inefficient methods to monitor and optimise cloud consumption and costs”

“to develop fast across multiple environments”

“to manage infrastructure for both old and new applications”

“complex process for integration with other ecosystem solutions”

CloudCentre Suite
Design, Deploy, and Optimise Anywhere

Evolving on-premises environment / Adopting public clouds

• New and existing applications
• One integrated platform
• End to end lifecycle

CloudCentre Suite Multicloud Management Platform
Securely Design, Deploy, and Optimise Anywhere

Data Centre / Private Cloud / Public Cloud

• End to End Lifecycle
• One Integrated Platform
• New and Existing Applications
• Container as Service

Workload Manager
Abstraction of application profile from infrastructure

End-to-end infrastructure and application lifecycle management
• Blueprint once, deploy anywhere
• Integrate with CI/CD toolchain
• Govern and control user and cloud accounts, environments and budgets

(Figure: Profile -> Workload Manager UI -> Cloud Personalities -> Private/Public Clouds)

Benefits: Increase workload management efficiencies, accelerate time to value, provide governance and policy across multiple clouds

Cost Optimiser

Cloud usage optimisation and cost reduction across multiple clouds
• Use automated recommendations to optimise consumption
• Simplify inventory and total spend reporting across clouds, accounts and users
• Implement right sizing aligned with policy

Benefits: Provide consumption visibility across clouds, right-size cloud instances, control spend and reduce cloud costs

Action Orchestrator

Ecosystem integration standardised using adapters and workflows
• Extend Workload Manager services and actions
• Execute workflows with business and technical logic
• Use included adapters or create custom adapters

(Figure: Start -> Invoke Target 1 -> Response -> Invoke Target 2 -> Response -> ... -> Invoke Target N -> Response -> End)

Benefits: Eliminate repetitive tasks and broaden scope of cloud orchestration, simplify business process and reduce human error

CloudCentre Suite Integration with Cisco Portfolio

(Figure: Business (ITSM) and Development (DevOps) on top; CloudCentre Suite: Model, Deploy, Manage, Optimise; AppDynamics: Monitor, Map; Cisco Intersight; Stealthwatch; Automation: Cloud Services, CCP, ACI, Tetration; Infrastructure: UCS, HyperFlex, Nexus, ACI Anywhere)

AMP for Endpoints

Cisco Security Architecture
Security that Works Together

(Figure: Threat Intelligence - TALOS feeding Network, Endpoint and Cloud, with Services underneath)

Endpoint Devices Increasingly Difficult to Defend

Most challenging areas to defend:

• 57% Mobile Devices
• 56% Cloud Data
• 56% User Behaviour

*Source: Cisco 2018 Security Capabilities Benchmark Study

How Does the 1% Escape and Get Through?

Advanced evasion techniques:
• Fileless malware
• Environmentally-aware malware
• Polymorphism
• Exploit legitimate processes

Uncover the 1% with Cisco AMP for Endpoints

• Stop Malware: using multiple detection and protection mechanisms
• Eliminate Blind Spots: the network and endpoint, working together across all operating systems
• Discover Unknown Threats: with proactive threat hunting

How Cisco Addresses Endpoint Challenges

Reduce Risk
• Vulnerable software
• Low prevalence
• Proxy log analysis

Prevent
• Antivirus
• Fileless malware detection
• Cloud lookups (1:1, 1:many)
• Machine learning

Detect
• Static analysis
• Sandboxing
• Malicious Activity Protection
• Client Indicators of Compromise
• Device flow correlation
• Cloud Indicators of Compromise

Agentless Detection with Proxy Analysis
Identify Anomalous Traffic Occurring Within Your Network

(Figure: VoIP Phones, Printers, Security Cameras, Thermostats)

Prevent Fileless Malware
Malware has Evolved – We Need to Protect Against More than Just Files

Monitor process activity and guard against attempts to hijack legitimate applications.

Protect Against Ransomware
Malicious Activity Protection

• Monitor process behaviour at execution
• Tuned to detect tell-tale ransomware signs
• Quarantine and terminate associated files and processes
• Log and alert encryption attempt

Dynamic Analysis and Sandboxing
Execute, Analyse & Test Malware Behaviour to Discover Unknown Zero-Day Threats

(Figure: Suspicious File -> AMP for Endpoints -> Threat Grid -> Analysis Report)

Cloud Based Analysis - See Once, Block Everywhere
Share Intelligence Across Network, Web, Email, and Endpoints

(Figure: Talos, AMP Cloud and Threat Grid share intelligence with Endpoint, NGFW, NGIPS, ISR, CES/ESA and WSA/SIG)

Continuous Monitoring

What happened?

Where did the malware come from?

Where has the malware been?

What is it doing?

How do we stop it?

Perform In-Depth Investigations

Threat hunting

One click remediation

Intelligence correlation

Tetration Analytics Part1 - ADM

Tetration Analytics Hybrid Cloud Workload Protection
Attribute and Behaviour Based Security Policy and Segmentation

(Figure: Cisco Tetration at the centre)
• Baseline workload posture
• Software vulnerabilities
• Application insight
• Process behaviour deviation
• Generate segmentation policies
• Enforce segmentation policy

Tetration Analytics Platform Details
Architecture Overview

Interfaces: Cisco Tetration apps, Web GUI, REST API, Event notification

Analytics engine

Data collection layer:
• Cisco Tetration Software sensor and enforcement (Virtual/Bare metal/Containers)
• Embedded network sensors* (telemetry only)
• ERSPAN sensors* (telemetry only)
• Netflow sensors* (Augmentation for telemetry)
• Third-party sources (configuration data)

*Note: Telemetry only; no workload protection functionalities

Tetration Analytics: Multiple Deployment Options

On-premises appliance options

Cisco Tetration™ Platform (large form factor)
• Suitable for deployments of more than 5000 workloads
• Built-in redundancy
• Scales to up to 25,000 workloads
• Includes: 36 Cisco UCS® C220 servers, 3 Cisco Nexus® 9300 platform switches

Cisco Tetration-M (small form factor)
• Suitable for deployments of less than 5000 workloads
• Includes: 6 Cisco UCS C220 servers, 2 Cisco Nexus 9300 platform switches

Virtual appliance options

Cisco Tetration Virtual
• Suitable for deployments of less than 1000 workloads
• Supported in VMware ESXi-based environment or AWS or Azure public cloud
• Public cloud instances owned by customer
• Published system specification (CPU cores, memory, storage, etc.) for ESXi based deployments

Cisco Tetration™ SaaS
• Software-as-a-service model: no need to purchase, install, manage hardware or software
• Fully managed and operated by Cisco
• Suitable for commercial customers and SaaS-first/SaaS-only customers
• Flexible pricing model; lower barrier to entry
• Quick turn up
• Scales to 25,000 workloads

Software subscription license based on number of workloads; available in 1-, 3-, and 5-year terms

Application Dependency and Cluster Grouping

(Figure: bare-metal (BM) and VM workloads on premises and in the cloud (AWS, brownfield VMs, AMIs) send telemetry to the Cisco Tetration Analytics™ platform, which applies unsupervised machine learning and behaviour analysis. Telemetry comes from Cisco Nexus 9000 Series network-only sensors, host-only sensors, or both (preferred), together with switch telemetry.)

On-premises and cloud workloads (AWS)

Security Policy for Segmentation

Application workspaces combine:
• Baseline workload protection posture
• Baseline policy
• Process behaviour
• Application Insights
• Network communications

Stealthwatch Cloud

Cisco Stealthwatch

• Contextual network-wide visibility
• Predictive threat analytics
• Automated detection and response

Behavioural modeling, machine learning and global threat intelligence, using existing network infrastructure, to detect:
• Unknown threats
• Insider threat
• Encrypted malware
• Policy violations

Stealthwatch Product Suite

Stealthwatch Enterprise
• Enterprise network monitoring
• On-premises network monitoring
• Suitable for enterprises & large businesses
• On-premises virtual or hardware appliance

Stealthwatch Cloud (public cloud monitoring)
• Public cloud monitoring
• Suitable for enterprises & commercial businesses using public cloud services
• Software as a Service (SaaS)

Stealthwatch Cloud (private network monitoring)
• On-premises network monitoring
• Suitable for SMBs & commercial businesses
• Software as a Service (SaaS)

Flexible Security for Dynamic Environments

(Figure: Stealthwatch Cloud ingests Native Cloud Logs directly; Premises Network Logs (NetFlow, IPFIX, Mirror/Span) are collected by the Stealthwatch Cloud Virtual Appliance)

Integrate Easily with all Your Current Systems

(Figure: Stealthwatch Cloud connected to the SaaS Management Portal, SIEM, Public Cloud services (SQS, SNS, S3, Pub/Sub, Storage), Email, Web Platforms and other platforms)

Dynamic Entity Modeling
Using Modeling to Detect Security Events

Collect Input: IP Meta Data, System Logs, Security Events, Passive DNS, External Intel, Vulnerability Scans, Config Changes

Perform Analysis: Dynamic Entity Modeling, producing Role, Group, Consistency, Rules and Forecast

Draw Conclusions:
• What is the role of the device?
• What ports/protocols does the device continually access?
• What connections does it continually make?
• Does it communicate internally only?
• What countries does it talk to?
• How much data does the device normally send/receive?

Dynamic Entity Modeling
Low Noise Alerts Help You Solve Problems

• Excessive failed access attempts
• DDoS and amplification attacks
• Potential data exfiltration
• Geographically unusual remote access
• Suspected botnet interaction

(Figure: “ALERT: Anomaly detected”)

95% of Stealthwatch Cloud alerts rated as “helpful” by customers
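The modelling questions on the previous slide and the alert types on this one, as an added example that is not Stealthwatch Cloud's model: a toy dynamic entity model baselines what each device normally does from constructed hourly flow summaries, then reports deviations under the alert names above. Country code "XX" is a constructed marker for internal peers and "ZZ" a constructed never-seen country.

```python
# Added example (not Stealthwatch Cloud's model): baseline each entity's
# services, peer countries and hourly send volume, then flag deviations.
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# One record = one hourly roll-up for an internal host (constructed):
# (entity, proto, dport, peer_country, bytes_out, failed_logins)
Record = Tuple[str, str, int, str, int, int]

BASELINE_WINDOW: List[Record] = [
    ("db-01",  "tcp", 5432, "XX", 40_000, 0),
    ("db-01",  "tcp", 5432, "XX", 42_000, 0),
    ("db-01",  "tcp",   22, "XX",  1_000, 1),
    ("db-01",  "tcp", 5432, "XX", 39_000, 0),
    ("db-01",  "tcp",   22, "XX",  1_200, 0),
    ("cam-07", "udp",  123, "US",    500, 0),
    ("cam-07", "tcp",  443, "US", 20_000, 0),
    ("cam-07", "tcp",  443, "US", 21_000, 0),
    ("cam-07", "udp",  123, "US",    480, 0),
]


class EntityModel:
    """What the entity 'continually' does: services, countries, volume."""

    def __init__(self) -> None:
        self.services: set = set()      # (proto, dport) pairs seen
        self.countries: set = set()     # where it talks to
        self.bytes_out: List[int] = []  # hourly bytes sent

    def observe(self, proto: str, dport: int, country: str, bytes_out: int) -> None:
        self.services.add((proto, dport))
        self.countries.add(country)
        self.bytes_out.append(bytes_out)

    def volume_threshold(self, factor: float) -> float:
        # Mean plus `factor` spreads; the 10% floor stops a very steady
        # talker from alerting on trivial jitter.
        avg = mean(self.bytes_out)
        return avg + factor * max(pstdev(self.bytes_out), 0.1 * avg)


def build_models(records: List[Record]) -> Dict[str, EntityModel]:
    models: Dict[str, EntityModel] = defaultdict(EntityModel)
    for entity, proto, dport, country, bytes_out, _failed in records:
        models[entity].observe(proto, dport, country, bytes_out)
    return dict(models)


def detect(models: Dict[str, EntityModel], records: List[Record],
           volume_factor: float = 3.0, max_failed: int = 5) -> List[Tuple[str, str]]:
    """Compare a new window against the baseline; return (entity, alert) pairs."""
    alerts: List[Tuple[str, str]] = []
    for entity, proto, dport, country, bytes_out, failed in records:
        m = models.get(entity)
        if m is None:
            alerts.append((entity, "New entity, no baseline yet"))
            continue
        if (proto, dport) not in m.services:
            alerts.append((entity, f"New service {proto}/{dport} not in baseline"))
        if country != "XX" and country not in m.countries:
            alerts.append((entity, f"Geographically unusual remote access ({country})"))
        if bytes_out > m.volume_threshold(volume_factor):
            alerts.append((entity, f"Potential data exfiltration ({bytes_out} B sent, "
                                   f"baseline ~{int(mean(m.bytes_out))} B/h)"))
        if failed > max_failed:
            alerts.append((entity, f"Excessive failed access attempts ({failed})"))
    return alerts


# Constructed new hour of telemetry.
NEW_WINDOW: List[Record] = [
    ("db-01",  "tcp", 5432, "XX",  41_000,  0),  # normal database traffic
    ("db-01",  "tcp",  443, "ZZ", 900_000,  0),  # new port, new country, large upload
    ("cam-07", "tcp",   22, "XX",     300, 40),  # SSH is unusual for a camera; brute force
]

if __name__ == "__main__":
    for entity, alert in detect(build_models(BASELINE_WINDOW), NEW_WINDOW):
        print(f"{entity}: {alert}")
```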

Explore Activity - Detailed Analytics & Reporting
SaaS Management Portal (screenshot: http://www.cisco.obsrvbl.com/snapshots)

• Detailed inventory and network traffic reports
• Ongoing dashboard visualisations
• Expandable view of alerts

Manage Everything from Simple SaaS Portal
SaaS Management Portal (screenshot: http://www.cisco.obsrvbl.com/roles)

• Unlimited users
• No patching necessary
• Available anywhere
• New features added monthly
• Support available

Amazon Web Services Architecture

(Figure: a role created for Stealthwatch Cloud in the Amazon account; its permissions allow Stealthwatch Cloud to read AWS services via API: CloudTrail, Inspector, Amazon CloudWatch, GuardDuty, Lambda, Config, Amazon VPC. Findings are shown in the SaaS Portal.)

Google Cloud Platform Architecture

(Figure: a user with permissions is created in the GCP account; the permissions allow Stealthwatch Cloud to read GCP Flow Logs via API from the Virtual Private Cloud and Google Compute Engine. Findings are shown in the SaaS Portal.)

Microsoft Azure Platform Architecture

(Figure: inside the Azure Virtual Network, Linux servers run the Stealthwatch Cloud Sensor and Windows OS hosts run a 3rd-party flow agent**; the Stealthwatch Cloud Virtual Appliance is the UDP destination for the flow agents, collects the data and sends it upstream over a TLS private tunnel to the Stealthwatch Cloud analysis engine, with results in the SaaS Portal.)

**Flow Agent must generate a 5-tuple flow feed

Monitor Premises or Public Cloud Networks

(Figure: Core Switching, a Data Centre Segment and an Accounting Segment export NetFlow, IPFIX, Span, Syslog and SNMP to the Stealthwatch Cloud Virtual Appliance, which forwards over a TLS private tunnel to Stealthwatch Cloud; management via the SaaS Portal, with SIEM integration.)

Leverage Existing Telemetry Sources
Detect Threats and See Network Activity
Virtual Sensors

Collect from all these sources:
• IP traffic data: NetFlow, IPFIX, Any Mirror/SPAN, Gigamon (from switches, firewalls, mirror/span ports, load balancers)
• Other security data: DNS, SIEM, Active Directory, application servers, threat detection
• DNS Lookup: use DNS lookups to link dynamic IPs to a host name

Demo: Simplifying Security Visibility
What’s the customer problem?

• How can I deploy and monitor my cloud infrastructure? Cloud Centre, Stealthwatch Cloud
• Will my network security policies move with my workload? OpenDNS Umbrella
• Do my workloads satisfy security compliance? AMP for Endpoints, Tetration Endpoint Agent

Simplifying Security Visibility Demo

Demo: Simplifying Security Visibility
What’s the value?

• Stealthwatch Cloud: maintain infrastructure visibility and threat detection
• OpenDNS Umbrella: granular visibility to Internet traffic
• AMP for Endpoints and Tetration Endpoint Agent: endpoint application, process & flow visibility

ACI+ISE w/TrustSec

ACI Anywhere
Any Workload, Any Location, Any Cloud

ACI Anywhere – Single Vision, 5 Execution Pillars
Security, Analytics and Policy Everywhere

• ACI Multi-POD (ACI 2.0): Multiple Networks (Pods) in a single Availability Zone (Fabric)
• ACI Multi-Site (ACI 3.0): Multiple Availability Zones (Fabrics) in a Single Region ’and’ Multi-Region Policy Management
• ACI Remote-Leaf (ACI 3.1): Physical Remote Leaf extends an Availability Zone (Fabric) to remote locations
• ACI vPod (ACI 4.0): Virtual POD extends an Availability Zone (Fabric) to remote locations
• ACI Multicloud (H1CY19): ACI Extensions to Public Clouds (AWS, Azure, GCP)

ACI Anywhere Technical Details
Centralised Provisioning of Multi-Cloud Routing and Segmentation

(Figure: the Multi-Site Orchestrator provides centralised provisioning and management of multi-cloud routing across the On-Premise Fabrics (DMZ Edge Fabric, CoLo with VNFs), Public Cloud Site A (Azure: App VNET-1 and App VNET-2 with Virtual Network Peering and Microsoft Express Route) and Public Cloud Site B (AWS Region: Infra VPC with CSR1000V, TGW and VGW reached over AWS Direct Connect, App VPC-1 and App VPC-2 with AWS Instances).)

Group Based Policy Simplifies Segmentation

Traditional Segmentation
• Static ACL, Routing, Redundancy, DHCP Scope, Address, VACL and VLAN configured at the DC Firewall/Switch, Aggregation Layer and Access Layer
• One VLAN per role: Quarantine, Voice, Data, Guest, BYOD (Non-Compliant, Voice, Employee, Supplier, BYOD users)
• Security Policy based on Topology: high cost and complex maintenance

Group Based Policy
• Employee Tag, Supplier Tag, Non-Compliant Tag assigned by ISE
• Micro/Macro Segmentation, Central Policy Provisioning, No Topology Change, No VLAN Change
• Use existing topology and automate security policy to reduce OpEx

Context Build, Summarise, Exchange

Cisco ISE builds context (Who, What, When, Where, How, Posture, Threat, Vulnerability) from Mobility Services Engine, Threat Intelligence, Mobile Device Managers, System Managers, Directory Services, Vulnerability Scanners, Stealthwatch, Firepower, DNAC and 3rd Party partners, exchanged over pxGrid services, REST API and Syslog. Endpoints are placed in a Scalable Group.

Visibility and Access Control: ISE builds context and applies access control restrictions to users and devices

Context Reuse: by eco-system partners for analysis and control

ISE – Identity Services Engine
Connects Trusted Users and Devices with Trusted Services

Identity Services Engine (ISE): a centralised security solution that automates context-aware access

(Figure: Trusted Device Groups (Trusted Asset, Trusted Group, Trusted Partners) as Source; Trusted App/Services (Cloud Server A / App A, Cloud Server B / App B in Public/Private Cloud, and Cloud Server Group) as Destination; Policy Enforcement in the cloud and enforcement on every PIN on premise.)

Identity – Authentication and Authorisation
Users and Things

(Figure: users and things are classified by Credentials, Profiling and Posture; Cisco Identity Services draws on Identity (e.g. Active Directory), SIEM, CASB, Location, Vulnerability and Behavior Analytics via pxGrid and assigns Scalable Groups.)

Identity – Authentication and Authorisation
Applications and Data

(Figure: DB, App and Web tiers are classified by Attributes, Placement and Profiling into Scalable Groups.)

User to Application Policies

Source Group @ VN-X (users, things; Identity) -> Contract -> Destination Group @ VN-Y (Application End-points; Identity)

CONTRACT BLUE
• Classifier: Port Number, IP Address, Application Type
• Action: Permit, Deny, Copy, Gold Service

Enterprise Wide Policy
Identity Federation

(Figure: APIC/MSO, DNA Centre (Network Controller Platform, Network Data Platform), Tetration, ACI Insights, ACI Assurance, ISE and CloudCentre federate identity.)

Intent Based Policy: ACI Data Centre Fabric and SDA Campus Fabric

Common Identity across the Entire Network: User Group / User Identity (People and their Devices) and Application and Server Identity (Database, App, Web)

Cross Domain Architectural View
Connect the User to the Application

(Embedded slide: What is SD-Access? Campus Fabric + Automation & Assurance)

SD Access – Coming Soon
• APIC-EM 1.2.X0 GUI approach provides automation of all Campus Fabric configurations, ISE NDP management and group-based policy.
• DNA Center: leverages DNA Center to integrate external Service Components (ISE & NDP), and orchestrate your entire LAN, WLAN and WAN network.

Campus Fabric – Shipping Now
• CLI or API form of the new Overlay Fabric solution for your Enterprise Campus networks.
• CLI approach provides backwards compatibility and customization, Box-by-Box. API approach provides automation via NETCONF / YANG.
• APIC-EM, ISE, NDP are all separate.

(Figure: SDA Campus Fabric with B/C nodes, vSmart Controllers, vPod, Internet, Services on Hypervisor VMs; Path 2 MPLS and 4G LTE to Los Angeles Branch and Chicago Branch; DB, App and Web tiers; End to End Functions: Application Policy, Connectivity Assurance, Troubleshooting; User Group.)

ASA/Firepower NGFW

Cisco Firepower NGFW Value Proposition

• Prevent breaches automatically to keep the business moving
• Deep network and security visibility to detect and stop threats fast
• Automate operations to save time, reduce complexity, and work smart

Cisco NGFW Overview

• Time to detection of a successful breach: Cisco ~4.6 hours, Industry ~100 Days
• Savings from security automation: First year $184K
• Leader in the 2018 Gartner MQ

Source: 2018 Cisco CyberSecurity Report (Read the Report)

You can complement and strengthen your security portfolio with a Cisco® NGFW. The Cisco NGFW helps you prevent breaches, get deep visibility to detect and stop threats fast, and automate your network and security operations to save time and work smart.

NGFWv Overview
AWS and Azure

FTD NGFWv Appliance capabilities:
• Stateful firewall, NAT, static and dynamic routing
• NGIPS – Next-Generation Intrusion Prevention System
• AVC – Application Visibility and Control
• AMP – Advanced Malware Protection
• VPN – Virtual Private Network, IPSEC (S2S & RAVPN)
• URL – URL filtering
• SI – Security Intelligence

Management Options

Cisco Firepower Management Center (FMC): Centralized Manager
• Helps administrators enforce consistent access policies, rapidly troubleshoot security events, and view summarized reports across the deployment
• Available on KVM, ESXi and Physical Appliances

Cisco Firepower Device Manager (FDM): On-box manager
• For easy on-box management of single FTD or pair of FTDs running in HA

(Figure: Files and database, API)

ASAv Overview
AWS and Azure

ASAv 9.10.x
• Stateful F/W, NAT, Routing and ACL
• VPN: IPSEC and SSL
• Route based VPN (VTI)
• REST API
• Management (ASA Appliance): CLI, ASDM, CSM and CDO

NGFWv, FMCv and ASAv in Public Cloud and Gov Cloud
Instance Types

AWS
• NGFWv Instance (Marketplace): c3.xlarge, c4.xlarge
• ASA instance (Marketplace): c3.large, c3.xlarge; c4.large, c4.xlarge; m4.large, m4.xlarge (large instance is ASAv10, xlarge instance is ASAv30; SSD storage on c3 instance and EBS storage on c4 or m4 instance)
• FMCv Instance (Marketplace): c3.xlarge, c3.2xlarge; c4.xlarge, c4.2xlarge

Azure
• NGFWv Instance (Marketplace): Standard D3 and D3v2
• ASAv Instance (Marketplace): Standard D3 and D3v2 (D3 and D3v2 instance is ASAv30)
• FMCv Instance (Marketplace), NEW: Standard D3v2 and D4v2; available from FMC/FTD release 6.4; Standard_D3v2 (4 CPU, memory: 14GB), Standard_D4v2 (8 CPU, memory: 28GB)

NGFWv Deployment Modes in Public Cloud

• Routed mode (NGFWv) - AWS
• Passive mode (NGFWv) - AWS
• Routed mode (NGFWv) - Azure

Passive mode is only applicable to NGFWv in AWS

ASAv Deployment Modes in Public Cloud

• Routed mode (ASAv) - AWS
• Routed mode (ASAv) - Azure

Licensing NGFWv and ASAv in Public Cloud
Cisco Smart Licensing for NGFWv and ASAv in AWS and Azure

NGFW
• Base License: Firewall, AVC
• Term based license: Threat, URL, AMP
• AWS: Bring your own license; Hourly or Annual
• Azure: Bring your own license

ASA
• Standard License: Firewall, throughput
• Anyconnect Apex License: SSL, IPSEC
• AWS: Bring your own license; Hourly or Annual
• Azure: Bring your own license

ASAv entitlement in Public Cloud
• AWS (ASAv10 & ASAv30): ASAv10 & ASAv30 entitlement (1G*, 250 (ASAv10) or 750 (ASAv30) VPN endpoints)
• Azure (ASAv30): ASAv5, ASAv10 & ASAv30 entitlement (100M (ASAv5), 1G* (ASAv10 or ASAv30), 50 (ASAv5), 250 (ASAv10) or 750 (ASAv30) VPN endpoints)

Note: No Cisco TAC support with the AWS pay-as-you-go license model, but you can purchase one year of TAC support from a listed partner (Purchase TAC Support)

* Maximum throughput is measured with traffic under ideal conditions

Tetration Analytics Part2 - Enforcement

Security Policy Elements

A Unified Policy combines:
• Rules autogenerated based on application behaviour
• Workload context and metadata
• User and User groups

Tetration Analytics Security Platform
Hybrid Cloud Workload Protection Approach

Communication control
• Automated whitelist policy based on application behaviour
• Policy enforcement to enable segmentation
• Tracking of policy compliance

App behaviour detection
• Process hash, lineage, attributes
• New command, new user
• Account modification
• Privilege escalation
• Shell-code execution
• Raw sockets

Vulnerability detection
• Installed package tracking
• Weekly CVE tracking
• Vulnerability scoring
• Threat intelligence ingestion
• Outlier detection

Segmentation Policy – How Does it Work?

Cisco Tetration™ automatically converts your intent into blacklist and whitelist rules

Intent: Block nonproduction applications from talking to production applications
Rules: DENY SOURCE 10.0.0.0/8 DEST 128.0.0.0/8

Intent: Allow HR applications to use the employee database
Rules: ALLOW SOURCE 128.0.10.0/16 DEST 128.0.11.0/16

Intent: Block all HTTP connections that are not destined for web servers
Rules: ALLOW SOURCE * DEST 128.0.100.0/16 PORT = 80; DENY SOURCE * DEST * PORT = 80
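The intent-to-rule conversion above, as an added example that is not Tetration's code: the slide's three intents become an ordered rule list, a first-match evaluator decides sample flows, and an illustrative rendering emits iptables commands of the kind a host firewall would enforce. The CIDRs are copied from the slide as written; the flows and the `TET-POLICY` chain name are constructed.

```python
# Added example (not Tetration's code): the three intents on this slide as an
# ordered rule list, a first-match evaluator, and an illustrative rendering to
# iptables commands. CIDRs are copied from the slide as written.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "ALLOW" or "DENY"
    src: Optional[IPv4Network]    # None means SOURCE *
    dst: Optional[IPv4Network]    # None means DEST *
    port: Optional[int] = None    # None means any destination port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        if self.src is not None and ip_address(src_ip) not in self.src:
            return False
        if self.dst is not None and ip_address(dst_ip) not in self.dst:
            return False
        return self.port is None or self.port == dport


def net(cidr: str) -> Optional[IPv4Network]:
    """'*' -> wildcard. strict=False masks host bits, so a prefix written the
    way the slide writes it (128.0.10.0/16) becomes 128.0.0.0/16; check the
    masked value before deploying, since that widens the match."""
    return None if cidr == "*" else ip_network(cidr, strict=False)


# Rules in slide order. Order is significant: the ALLOW to the web-server
# range must sit above the catch-all DENY on port 80, or HTTP to the web
# servers would be dropped as well.
POLICY: List[Rule] = [
    # Block nonproduction applications from talking to production applications
    Rule("DENY", net("10.0.0.0/8"), net("128.0.0.0/8")),
    # Allow HR applications to use the employee database
    Rule("ALLOW", net("128.0.10.0/16"), net("128.0.11.0/16")),
    # Block all HTTP connections that are not destined for web servers
    Rule("ALLOW", net("*"), net("128.0.100.0/16"), 80),
    Rule("DENY", net("*"), net("*"), 80),
]


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, dport: int,
             default: str = "ALLOW") -> str:
    """First matching rule decides; `default` applies when nothing matches."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return default


def render_iptables(policy: List[Rule], chain: str = "TET-POLICY") -> List[str]:
    """Illustrative host-firewall rendering (plain -s/-d matches rather than
    IP sets, and not Tetration's real output): ALLOW -> ACCEPT, DENY -> DROP."""
    lines = [f"iptables -N {chain}"]
    for r in policy:
        cmd = f"iptables -A {chain}"
        if r.src is not None:
            cmd += f" -s {r.src}"
        if r.dst is not None:
            cmd += f" -d {r.dst}"
        if r.port is not None:
            cmd += f" -p tcp --dport {r.port}"
        lines.append(cmd + " -j " + ("ACCEPT" if r.action == "ALLOW" else "DROP"))
    return lines


if __name__ == "__main__":
    # Constructed sample flows: (src, dst, dport)
    for flow in [("10.1.1.1", "128.0.100.5", 80),      # nonprod -> prod web
                 ("192.168.1.1", "128.0.100.5", 80),   # HTTP to a web server
                 ("192.168.1.1", "192.168.2.2", 80),   # HTTP elsewhere
                 ("128.0.10.4", "128.0.11.9", 5432)]:  # HR app -> employee DB
        print(flow, "->", evaluate(POLICY, *flow))
    print("\n".join(render_iptables(POLICY)))
```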

Security Enforcement – Consistency & Mobility

(Figure: the same Denies/Allows policy follows each endpoint and its processes across Virtual (Hypervisor, Virtual Network), Containers (Pods, Container Host OS, Container Networking Interface), Bare metal (Network Infrastructure) and Cloud (Cloud infrastructure).)

Intent is rendered as security rules in native operating system firewalls (IP sets in Linux and Microsoft Windows Firewall in Windows Server)

Any infrastructure, Any networking, Same security model, Rich context

Cloudlock

Organizational Challenges
• Malware and ransomware
• Gaps in visibility and coverage
• Compromised accounts and malicious insiders
• Data breaches and compliance

Security Challenges Have Evolved

(Figure: Users, Data and Apps have moved to SaaS, accessed from HQ, Branch and Roaming users)

Key Questions Organizations Have

Users/Accounts
• Who is doing what in my cloud applications?
• How do I detect account compromises?
• Are malicious insiders extracting information?

Data
• Do I have toxic and regulated data in the cloud?
• Do I have data that is being shared inappropriately?
• How do I detect policy violations?

Applications
• How can I monitor app usage and risk?
• Do I have any 3rd party connected apps?
• How do I revoke risky apps?

Example of Why you Need Cloud User Security

North America, 9:00 AM ET: Login
In one hour
Africa, 10:00 AM ET: Data export

• Distance from the US to the Central African Republic: 7362 miles
• At a speed of 800 mph, it would take 9.2 hours to travel between them
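The impossible-travel reasoning on this slide, as an added example that is not Cloudlock's implementation: consecutive events for the same account are compared by great-circle distance and the speed needed to cover it in the elapsed time, and the pair is flagged when that exceeds the slide's 800 mph. The user, timestamps and coordinates (rough city centres for New York and Bangui) are constructed.

```python
# Added example (not Cloudlock's implementation): impossible-travel detection
# over constructed login/export events, using the slide's 800 mph ceiling.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

EARTH_RADIUS_MILES = 3958.8


@dataclass(frozen=True)
class Event:
    user: str
    action: str
    when: datetime
    lat: float
    lon: float


def haversine_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in miles."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def hours_needed(miles: float, max_mph: float = 800.0) -> float:
    """Fastest plausible travel time; the slide's 7362 mi at 800 mph gives 9.2 h."""
    return miles / max_mph


def required_speed_mph(a: Event, b: Event) -> float:
    hours = abs((b.when - a.when).total_seconds()) / 3600.0
    miles = haversine_miles(a.lat, a.lon, b.lat, b.lon)
    if hours == 0:
        return float("inf") if miles > 0 else 0.0
    return miles / hours


def is_impossible_travel(a: Event, b: Event, max_mph: float = 800.0) -> bool:
    """True when no plausible flight covers the distance in the elapsed time."""
    return required_speed_mph(a, b) > max_mph


def find_impossible_pairs(events: List[Event], max_mph: float = 800.0
                          ) -> List[Tuple[Event, Event, int]]:
    """Walk each user's events in time order and flag consecutive pairs."""
    flagged: List[Tuple[Event, Event, int]] = []
    last: Dict[str, Event] = {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last.get(ev.user)
        if prev is not None and is_impossible_travel(prev, ev, max_mph):
            flagged.append((prev, ev, round(required_speed_mph(prev, ev))))
        last[ev.user] = ev
    return flagged


# Constructed events mirroring the slide: a login on the US east coast at
# 9:00 AM ET (13:00 UTC) and a data export from Bangui, Central African
# Republic, one hour later; then a benign login from the same office next day.
LOGIN = Event("jdoe", "login", datetime(2019, 3, 5, 13, 0, tzinfo=timezone.utc), 40.71, -74.01)
EXPORT = Event("jdoe", "data_export", datetime(2019, 3, 5, 14, 0, tzinfo=timezone.utc), 4.39, 18.56)
NEXT_DAY = Event("jdoe", "login", datetime(2019, 3, 6, 13, 0, tzinfo=timezone.utc), 40.73, -73.99)

if __name__ == "__main__":
    for prev, ev, mph in find_impossible_pairs([LOGIN, EXPORT, NEXT_DAY]):
        print(f"{ev.user}: {prev.action} -> {ev.action} would need {mph} mph")
```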

More than 24K Files per Organization Publicly Accessible

Data exposure per organization:
• 2% accessible publicly
• 10% accessible by external collaborators
• 12% accessible organization-wide
• 24,000 files publicly accessible per organization
• 70% of external sharing done with non-corporate email addresses

Source: Cloudlock CyberLab

Cloudlock has Over 80 Pre-Defined Policies

PII: SSN/ID numbers; Driver license numbers; Passport numbers
Education: Inappropriate content; Student loan application information; FERPA compliance
General: Email address; IP address; Passwords/login information
PHI: HIPAA; Health identification numbers (global); Medical prescriptions
PCI: Credit card numbers; Bank account numbers; SWIFT codes

Addresses Most Critical Cloud Security Use Cases

Discover and Control:
• Compromised Accounts
• Data Exposures and Leakages
• OAuth Discovery and Control
• Insider Threats
• Privacy and Compliance Violations
• Shadow IT

User and Entity Behavior Analytics · Cloud Data Loss Prevention (DLP) · Apps Firewall

Cloud-Native: Full value instantly, no disruption

Cisco Ecosystem: Integrated, architectural approach to security, vendor viability
FedRAMP ATO: Cisco Cloudlock has received a FedRAMP Authority To Operate (ATO)
Smartest Intelligence: CyberLab, crowd-sourced community trust ratings
Proven Track Record: Deployed at over 700 organizations and supporting deployments over 750,000 users

OpenDNS Umbrella: Cisco Umbrella Cloud Security Platform

• Built into the foundation of the internet
• Intelligence to see attacks before launched (Malware, C2 Callbacks, Phishing)
• Visibility and protection everywhere
• Enterprise-wide deployment in minutes (208.67.222.222)
• Integrations to amplify existing investments

Where Does Umbrella Fit?

[Diagram: HQ, BRANCH and ROAMING users, each with AV on endpoints and the existing NGFW, Netflow, Proxy and Sandbox/UTM stack; Umbrella is the first line against Malware, C2 Callbacks and Phishing]

Benefits:
• First line: block malware before it hits the enterprise
• Contains malware if already inside
• Internet access is faster
• Provision globally in minutes

It all Starts with DNS

DNS = Umbrella
• First step in connecting to the internet
• Precedes file execution and IP connection (e.g. Cisco.com → 72.163.4.161)
• Used by all devices
• Port agnostic

Built into Foundation of the Internet

[Diagram: safe request vs. blocked request]

Umbrella provides:
• Connection for safe requests
• Prevention for user- and malware-initiated connections
• Proxy inspection for risky domains

Selective Proxy: Requests for “risky” domains

URL inspection: Cisco Talos feeds, Cisco WBRS, Partner feeds, Custom URL block list
File inspection: AV Engines, Cisco AMP

Prevents Connections Before and During the Attack

Web- and email-based infection:
• Malvertising / exploit kit
• Phishing / web link
• Watering hole compromise

Command and control callback:
• Malicious payload drop
• Encryption keys
• Updated instructions

Stop data exfiltration and ransomware encryption

Malware Doesn’t Just Happen: Intelligence to See Attacks Before Launched

Data:
• Cisco Talos feed of malicious domains, IPs, and URLs
• Umbrella DNS data — 150B requests per day

Security researchers:
• Industry renowned researchers
• Build models that can automatically classify and score domains and IPs

Models:
• Dozens of models continuously analyze millions of live events per second
• Automatically uncover malware, ransomware, and other threats

[Diagram: ATTACK 1: Email delivery Domain/IP → Ransomware Web server; ATTACK 2: Malvertising Domain/IP → Malware Web server]

Intelligence: Statistical Models (2M+ live events per second, 11B+ historical events)
• Spike rank model: detect domains with sudden spikes in traffic
• Co-occurrence model: identifies other domains looked up in rapid succession of a given domain
• Predictive IP space monitoring: analyzes how servers are hosted to detect future malicious domains
• Natural language processing model: detect domain names that spoof terms and brands
• Dozens more models
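A toy version of the co-occurrence model listed above, added here as an example (not Umbrella's own code): for a seed domain it measures which other domains the same client looked up within a few seconds afterwards, over constructed DNS query log lines. The five-second window, the log format and the domain names are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample DNS query log (timestamp, client, queried domain); not real traffic.
LOG = """\
2019-03-05T10:00:01 10.1.1.5 cdn-example.test
2019-03-05T10:00:02 10.1.1.5 seed-kit.test
2019-03-05T10:00:03 10.1.1.5 payload-host.test
2019-03-05T10:00:04 10.1.1.5 ads-example.test
2019-03-05T10:00:30 10.1.1.5 news-example.test
2019-03-05T10:05:00 10.1.1.9 seed-kit.test
2019-03-05T10:05:02 10.1.1.9 payload-host.test
2019-03-05T10:05:03 10.1.1.9 c2-beacon.test
2019-03-05T11:00:00 10.1.1.9 news-example.test
"""


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse the sample format into (timestamp, client, domain), oldest first."""
    records = []
    for line in text.strip().splitlines():
        ts, client, domain = line.split()
        records.append((datetime.fromisoformat(ts), client, domain))
    return sorted(records)


def cooccurrence(records, seed: str, window_s: int = 5) -> Dict[str, float]:
    """For each other domain, the fraction of seed lookups it followed within window_s.

    A score near 1.0 means the domain is almost always resolved right after the
    seed by the same client, which is the signal the co-occurrence model uses
    to tie unknown domains to a known-bad one.
    """
    by_client = defaultdict(list)
    for ts, client, domain in records:
        by_client[client].append((ts, domain))
    seed_hits = 0
    followers: Counter = Counter()
    for events in by_client.values():
        for i, (ts, domain) in enumerate(events):
            if domain != seed:
                continue
            seed_hits += 1
            seen = set()  # count each follower once per seed lookup
            for later_ts, later in events[i + 1:]:
                if later_ts - ts > timedelta(seconds=window_s):
                    break
                if later != seed:
                    seen.add(later)
            followers.update(seen)
    if seed_hits == 0:
        return {}
    return {d: n / seed_hits for d, n in followers.most_common()}


if __name__ == "__main__":
    for domain, score in cooccurrence(parse_log(LOG), "seed-kit.test").items():
        print(f"{score:.2f} {domain}")
```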

Visibility and Protection for all Activity, Anywhere

ON-NETWORK: HQ and Branch (all office locations); IoT and BYOD (any device on your network)
OFF-NETWORK: Roaming laptops and supervised iOS devices
Every port and protocol (ALL PORTS AND PROTOCOLS)

Enterprise-Wide Coverage in Minutes, not Months

On-network coverage: with one setting change; integrated with Cisco SD-WAN, Cisco ISR 1K and 4K series, Cisco Meraki MR, and Cisco WLAN controllers
Off-network laptop coverage: with AnyConnect VPN client integration, or with any VPN using the lightweight Umbrella client, or with the Umbrella Chromebook client
Off-network mobile coverage: with Cisco Security Connector
[Diagram labels: ANY DEVICE ON NETWORK; ROAMING / MOBILE; BRANCH OFFICES]

Integrations to Amplify Existing Security: Block Malicious Domains from Partner or Custom Systems

YOUR CURRENT SECURITY STACK (IOCs fed to Umbrella):
• Threat analysis feed: AMP Threat Grid + others
• Appliance-based detection: + others
• Threat intelligence platform: + others
• Cloud Access Security Broker: Cloudlock + others
• Custom integrations: Python script, Bro IPS + others

What Sets Umbrella Apart from Competitors
• Fastest and most reliable cloud infrastructure
• Broadest coverage of malicious destinations and files
• Most open platform for integration
• Easiest connect-to-cloud deployment
• Most predictive intelligence to stop threats earlier

Demo: Simplifying Security Segmentation: What’s the customer problem?

ASA / Firepower NGFW: How can I enforce policy at the North / South perimeter?
• Workload edge firewall
• TrustSec SGT enforcement

Tetration Analytics: How can I enforce East-West traffic / µ-segmentation?
• Integrated workload firewall
• Application dependency mapping

OpenDNS Umbrella: How can I stop outbound malicious traffic?
• Workload DNS security
• White-list Internet access

Simplifying Security Segmentation Demo

Demo: Simplifying Security Segmentation: What’s the value?

ASA / Firepower NGFW (Workload edge firewall; TrustSec SGT enforcement): Edge firewalling on IP or SGT
Tetration Analytics (Integrated workload firewall; Application dependency mapping): East-West / micro-segmentation
OpenDNS Umbrella (Workload DNS security; White-list Internet access): White-list-only internet policy; Infection prevention

Cisco Threat Response: Cisco Integrated Security Architecture, Security That Works Together

[Diagram: Open APIs · Developer Environment · Services; Cisco Threat Response spans Deploy, Policy, Detect, Investigate and Remediate across the Cisco Security Portfolio (Network, User/Endpoint, Cloud), with Leading Threat Intelligence and 160+ 3rd-party security tech partners]

Introducing Cisco Threat Response: Unleashing the Power of the Cisco Integrated Security Architecture

Key pillar of our integrated security architecture
• Automates integrations across Cisco security products
• Reduces the time and effort spent on key security operations functions: detection, investigation, remediation
• Included as part of Cisco Security product licenses

Cisco Threat Response in Action: Three Simple Ways to Get Started

1. Investigate (search interface)
2. Casebook via Browser Plug-In
3. Incident Manager (High-Fidelity Events)

Intelligence sources: AMP for Endpoints, Email Security, NGFW/NGIPS, Umbrella, Talos, Threat Grid, VirusTotal

Observables: File hash, IP address, Domain, URL, More...
• Have we seen these observables? Where?
• Which endpoints connected to the domain/URL?
• Are these observables suspicious or malicious?

Cisco Threat Response in Your SOC: Complements Your Existing Investments and Supports Your IR Team

[Diagram: Cisco Threat Response (Detect, Investigate, Remediate) draws on multiple Cisco products and intel/identity context; the IR Team also works with other existing products and intel/identity context, an existing SIEM and an optional stand-alone SOAR within the SOC]

Duo Security: Enterprises are Enabling Data Access Between…

Any User: Employee, Contractor, Partner
Any Device: Corporate-Issued, Bring-Your-Own, IoT
Any App: Data Centre, Multi-Cloud, SaaS
In Any Location: On-Premises, On-VPN, Off-Network

Mindsets are Changing to Address These Problems

Location ≠ Trust: Don’t grant access to data based on where requests originate in the network or DC
Trust Erodes: Don’t rely only on one-time verification of user, device, and workload trust
Restrict Access: Prioritise enforcing the least privileges for a limited time for your high-risk data
Automate Policy: Adjust access using dynamic context to improve policy efficacy and simplicity

Complementary Security Approaches

Threat-Centric: Basic security maturity to prevent attacks via an intelligence-based policy — then detect, investigate, and remediate
Trust-Centric: Good security practice to verify before granting access via an identity-based policy — for any user, any device, any app, in any location
Dynamic Context

User and Device Identity for Policy and Awareness

[Diagram: Public Cloud SaaS Apps, Private Cloud, Public Cloud IaaS; Cloud, Intent-based Networking, Endpoint]

Trusted Identity Added to Cisco’s Portfolio: Verifies User and Device Trust

Software-Defined Policy Access Evolution

SDP Approach to Network Access / SDP Approach to App Access
Cisco Identity Services Engine (ISE)
Trusted Access across Hybrid IT Enterprises

[Table columns: IoT Access Solution (App / Services: On-Prem, Cloud); Mobile & BYOD Access Solution (App / Services: On-Prem, Cloud)]

Head- User + On-Prem ISEISE ISE orISE Duo** Duo less On-Prem ISE ISE Device Device Off-Prem ISEISE*☨ or or Duo Duo*☨ DuoDuo MFA

☨ Integrated with AnyConnect
* Duo Beyond with Network Gateway (i.e. reverse proxy)
** Duo Access for BYOD

Secure Any Corporate Application

Verify Trust for Any Device: Limit Access to Compliant Devices

● Identify corporate-owned & BYOD

● Verify if devices are out-of-date and potentially vulnerable to security risks

● Block device access to critical applications

● Apply policies consistently for any device platform: Windows, MacOS, iOS & Android

Adaptive Policies: Easily Enforce Compliance

● Customisable security policies

● Global, App & Group Level controls

● Establishes a level of trust based on users and devices

Duo Product Architecture

[Diagram: Access Device and User → Primary Auth (AD, Azure-AD, LDAP, etc.) → Duo Cloud Platform]
• Cloud Apps: Duo Access Gateway [SAML/SSO]
• Web/SSH: Duo Network Gateway
• VPN, Virtual Desktop, etc.: Duo Auth Proxy [Radius/LDAP]
• Duo Integrated MFA (azure-ad, rdp, ssh, Windows, app, api, etc.)

Duo Cloud Platform: Multi-Factor Authentication, User Management, MFA Policy, Device Management, User Visibility, Device Policy Check

Duo Never Touches the Primary Authentication

Core service and policy engine is always in the cloud

Authentication methods:
• Duo Push
• Mobile Passcode
• Phone, SMS
• HOTP Token
• U2F/WebAuthN
• Bypass

Duo Access Gateway Setup (DAG)

Duo Network Gateway: Detect User and Device Context for Internal HTTP/S and SSH Apps

[Diagram: a Trusted User on a Trusted Device reaches the DNG (443) over the Public Internet; behind it sit *.domain.local, SSH hosts, 10.0.0.1-4, 192.0.0.1/24 and Tier 1 / Tier 2 / Tier 3 Security Groups]

Use Duo Beyond to secure access to internal networks and the public cloud.

Duo Network Gateway Setup (DNG)

● Deploy a Duo Network Gateway in the DMZ using Docker, with both “public” and “internal” access.
● Configure your SAML IdP for primary auth.
● Configure DNG with Duo for secondary auth.
● Configure a web application on the DNG for your protected “internal” application.
● Create public DNS entries for your protected internal web apps to point to the DNG’s public interface.
● Users access the “internal” app using their browser.

Duo Authentication Proxy (Radius)

Requirements
1. Cisco ASA 8.3 or later
2. Cisco FTD 6.3 or later
3. Duo Auth proxy

Learn more about AnyConnect RADIUS integration

Demo: Multi-Layered Threat Protection: What’s the customer problem?

Stealthwatch Cloud: Are my cloud workloads being attacked?
• AMP Threat Grid
• Umbrella Investigate

Cisco Threat Response: How do I connect and correlate my security tools?
• Zero day malware protection
• Event correlation and visualisation

OpenDNS Umbrella / AMP for Endpoints: How do I contain a breach?
• Command & control prevention
• Whitelist / Blacklisting

Multi-Layered Threat Protection Demo

Demo: Multi-Layered Threat Protection: What’s the value?

Stealthwatch Cloud (AMP Threat Grid; Umbrella Investigate): Automatic security monitoring and alerting in public cloud
Cisco Threat Response (Zero day malware protection; Event correlation and visualisation): Simplifies and correlates security events across hybrid cloud
OpenDNS Umbrella / AMP for Endpoints (Command & control prevention; Whitelist / Blacklisting): Infected workloads are contained in real-time

Conclusion: Cisco Hybrid Cloud Security Solutions

Visibility (Network and Application Analytics): Stealthwatch; Tetration; Stealthwatch + Tetration
Segmentation (Firewalls and Application Segmentation): ASA/NGFW; ACI/TrustSec + Tetration
Threat Protection (Automated Threat Detection, Blocking, and Response): NGFW/NGIPS; AMP + Cisco Threat Response; OpenDNS Umbrella; AMP + OpenDNS Umbrella
Integrated

Key Takeaways

Integration across our security, data centre and cloud platforms is a key differentiator

Consistent effective security capabilities are critical drivers

Customers benefit from superior visibility, segmentation and threat protection

Hybrid Cloud Foundation

Q & A

Complete Your Online Session Evaluation

• Give us your feedback and receive a complimentary Cisco Live 2019 Power Bank after completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Melbourne Mobile App.
• Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at: https://ciscolive.cisco.com/on-demand-library/

Thank you
