Advanced Security Integration, Tips & Tricks

#CLUS BRKSEC-3557
Aaron T. Woland, CCIE #20113, Principal Engineer, Advanced Threat Security
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.
How:
1. Find this session in the Cisco Events App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
Webex Teams will be moderated by the speaker until June 18, 2018. cs.co/ciscolivebot#BRKSEC-3557

Speaker
Aaron Woland, CCIE# 20113, Principal Engineer, Advanced Threat Security
[email protected]
@AaronWoland
https://cisco.app.box.com/v/Loxx-Public
http://www.networkworld.com/blog/secure-network-access/
http://cs.co/ise-community

Sarcasm: “If we can’t laugh at ourselves, then we cannot laugh at anything at all”
Warning: This is my therapy session
Disclaimer: “All comments are my own, and are not representative of Cisco… Any correlation to real live persons or situations was completely unintentional... Blah Blah Blah...”

Important: Hidden Slide Alert
Look for the “For Your Reference” symbol in your PDFs. There is a tremendous amount of hidden content for you to use later! https://cisco.app.box.com/v/Loxx-Public

Please fill out the survey
Agenda
• Introduction
• Level Setting
• TC-NAC
• Rapid Threat Containment
• Working with Limits
• Simplify
• Cisco Visibility
• Conclusion

Our environment for this Tectorial
• Cisco Switching
• Cisco Routing
• Firepower NGFW / FMC
• Firepower NGIPS
• Stealthwatch Enterprise
• Identity Services Engine
• Security Packet Analyzer
• Stealthwatch Cloud
• Cognitive (CTA)
• AMP
• ThreatGrid
• Umbrella
• Tenable
• Verodin
• Splunk
• Phantom

The Environment (diagram; components named on the slide): Service Now, TG, AMP, CTA, Verodin, SW Cloud, AD, NGFW, SW-C Collector, ISE, WSA, Umb-VA, Tetration, UDP Endpoint Flow collector, SMC, NGIPS, Director, Concentrator, IDS, SPA, Tenable, Alt Path, The Network, NVM Collector, splunk, Phantom, FMC, nvzFlow, netFlow

Visit Us at the Cisco Investments Village in the World of Solutions
Verodin – Security Instrumentation Platform (SIP): Remove assumptions. Prove security. Verodin is the first business platform purpose-built to measure, manage and improve security effectiveness with quantifiable, evidence-based metrics. Verodin empowers users to continuously validate the people, processes and technologies that safeguard business-critical assets.
Tenable – A comprehensive portfolio for every organization: Cyber Exposure platform providing visibility into any asset on any computing platform – from traditional to cloud to IoT; vulnerability management with extensive compliance reporting and dashboards; world’s most trusted vulnerability assessment technology, powering Tenable.io and SecurityCenter.

• In the lab, we are using Phantom (acquired by Splunk) for security automation.
• Could use the security automation tool of your choice:
  • Exabeam
  • IBM Resilient
  • Swim Lane
  • Demisto
  • Etc.

Vocabulary Level Set (Here’s Those TLA’s)
• Quarantine – a term that seems to mean something different to everyone you speak to
• Endpoint Protection Services (EPS) – Added in ISE 1.2. Advertised in 1.3 w/ pxGrid.
  • Can assign an endpoint to Quarantine only.
  • Used with or without pxGrid
• Adaptive Network Control (ANC) – EPS renamed to ANC in 1.4. New ANC functionality added in 2.0.
  • Create ANC “classifications” (aka: name spaces) – and endpoints can be assigned to those classifications.
  • Quarantine, Kick_off_Network, Investigate, Nuke_From_Orbit, etc.
  • Used with or without pxGrid in v2.2+.
• Rapid Threat Containment (RTC) – the “solution level” of integrating products together that use ANC or EPS
• Change of Authorization (CoA) – The ability to dynamically change the level of access an endpoint has on the network.
• Course of Action (CoA) – The recommended correctional action for an infected system.
• TrustSec – A simple tag that represents the full context of an endpoint/user – yet powerful.

Vocabulary Level Set (Here’s Those FLA’s)
• Platform eXchange Grid (pxGrid) – A communication bus (not an API) designed to rapidly share security data at large scale, without the pains of a point-API or being application specific.
  • Uses a Publish/Subscribe (Pub/Sub) model to share information.
  • Has Central, Proxy, and Broker mechanisms.
• Structured Threat Information Expression (STIX) – A language used to share Cyber Threat Intelligence (CTI), aka: threat data.
  • It’s a format, not a transport protocol. It requires something like TAXII or pxGrid to carry it between consumers and producers of the STIX data.
• Trusted Automated eXchange of Intelligence Information (TAXII) – Protocol used to exchange CTI over secure communication (HTTPS).
  • Designed specifically to carry STIX CTI.
  • Follows a Publish / Subscribe (pub/sub) model, similar to pxGrid – but Central model only.
• Common Vulnerability Scoring System (CVSS) – Open standard for assessing the severity of computer vulnerabilities.

Threat Containment: EPS / ANC Mitigation Actions (For Your Reference)
Interfaces through which a Cisco eco-partner triggers a mitigation action on ISE:
• EPS RESTful API – available in ISE 1.2+
• ANC 1.0 (legacy EPS) – available in pxGrid starting in ISE 1.3+
• ANC 2.0 (enhanced EPS) – available in pxGrid and the ANC API (ISE 2.1); includes legacy EPS functionality
Mitigation actions listed on the slide: Quarantine, Unquarantine, Shutdown, Port Bounce, Terminate, Re-Authenticate, Apply Endpoint Policy by MAC or IP, Clear Endpoint Policy by MAC or IP, Get Endpoint By IP, Create/Update/Delete Policy, Get Policy By Name, Get All Policies, Get Endpoints By MAC, Get All Endpoints, Get Endpoint by Policy.
Note: The remediation and provisioning actions have been deprecated in ISE 2.1.

Threat Centric NAC (TC-NAC)

TC-NAC Attack Vectors In the News
2016 Verizon Breach Report
• “Older Vulnerabilities are still heavily targeted”
• “All the patching is for naught, if we aren’t patching the right things”
2017 Cisco Annual Cybersecurity Report
• “Threats specifically seek vulnerable browsers and plugins.”
• “Adversaries See Opportunity in Unpatched Software”

TC-NAC: Threat Centric NAC
Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation.
• Create ISE authorization policies based on the threat and vulnerability attributes: vulnerability assessments (Tenable), threat events and threat notifications (AMP), CVSS, IOC.
• Complements Posture: vulnerability data tells the endpoint’s posture from the outside.
• Expanded control driven by threat intelligence and vulnerability assessment data (network access policy).
• Faster response with automated, real-time policy updates based on vulnerability data and threat metrics.
(Diagram labels: Who, What, When, Where, How; Posture; Threat; Vulnerability; Endpoints.)

TC-NAC: Threat Centric NAC explained (For Your Reference)
Reduce vulnerabilities, contain threats
1. Malware infection – Cisco AMP: “Threat detected” (IOC)
2. Malware scans for vulnerable endpoints
3. Vulnerability detected – vulnerability scan (CVSS)
4. Infection spread – quarantine and remediate
Compromised endpoints spread malware by exploiting known vulnerabilities in the network. Flag compromised and vulnerable hosts and limit access to the remediation segment. Most endpoint AMP is deployed in ‘visibility only’ mode.
Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC) | Advanced Malware Protection (AMP)

TC-NAC: Threat Centric NAC
Pick the vulnerability assessment vendor of your choice
(Diagram labels: Cisco CTA, Cognitive Threat Analytics (CTA), STIX, scan request, scanner, CVSS score.)
• TC-NAC supports Tenable, Qualys, Cognitive Threat Analytics (CTA) and Rapid7.
• A standard “listener” will be supported for threats using the

Details
  • File Type: pdf
  • Content Languages: English
  • File Pages: 136