5. Why a Security Architecture?
Ability to Defend Getting More Complex
• Attack Surface Diversity: Growing exponentially due to IoT, SaaS / IaaS, and personal device trends
• Threats: Continuous rise in sophistication of attackers combined with rapid evolution of attacker techniques and tools
• Detection: Efficacy of classical detection methods eroding
• User Behavior: No longer constrained to IT controlled places, apps or devices
The Security Effectiveness Gap
6. Process of Attacks
• Research and select targets
• Pair remote access malware with exploits
• Deliver cyberweapons by email, website and attachments
• Install payloads to gain persistent access
7. Source: Verizon 2014 Data Breach Investigations Report
[Chart: Percent of breaches where time to compromise (orange) / time to discovery (blue) was days or less, by year 2004 to 2013; y-axis 25% to 100%]
Time to Detection: Industry result, 100 days
10. Integration has to have Layers
• Functional: Multiple features within the same product
• Solution: Multiple products that work together
• Management: Unified configuration and reporting
11. Sharing Data Through Integration
• Event information improves visibility
• Threat Intelligence speeds time to detection
• Automated Policy changes allow faster response
• Contextual Awareness builds granular controls across the network
12. Integration has Driven Cisco’s Portfolio Growth (timeline, 2013 to 2016)
Acquisitions: Threat Grid, Sourcefire, Portcullis, OpenDNS, Lancope, Neohapsis, Cloudlock
Milestones: AMP Everywhere; OpenAppID; Talos established; Cisco ASA with Firepower Services; Integrated Threat Defense Vision; AMP Threat Grid; Firepower NGFW unveiled; Network as a Sensor and Enforcer; Cisco Umbrella SIG; Identity Services Engine 2.0
15. Functional Integration: Talos Threat Intelligence
• 221B Total Threats
• 19.7B Threats Per Day
• 991M Web + Malware Threats
• 1.4M AV Blocks Per Day
• 2.6M Blocks Per Second
• 9.9B Total Blocks Per Month
• 1.5M Malware Samples Per Day
• 1.8B Spyware Blocks Per Month
• 8.2B Web Filtering Blocks Per Month
• 1B SenderBase Reputation Queries Per Day
16. Functional Integration: Firepower Threat Defense
Components shown: Talos; Cisco Firepower™ Management Center; Firepower 4100 Series; Firepower 9300 Platform
• Shared intelligence
• Shared contextual awareness
• Consistent policy enforcement
Integrated functions: Visibility, Radware DDoS, Network analysis, Email Threats, Identity and NAC, DNS Firewall, URL
17. Functional Integration: Meraki
• Application Control: WAN Optimization, Traffic Shaping, Content Filtering
• Security: NG Firewall, Client VPN, Site to Site VPN, IDS/IPS
• Networking: NAT/DHCP, 3G/4G Cellular, Static Routing, Link Balancing
19. Solution Integration: Advanced Malware Protection
AMP Threat Intelligence Cloud, with Threat Grid (Malware Analysis + Threat Intelligence) and CWS/CTA
AMP for Endpoints: Windows OS, Android Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for servers and datacenters; Remote Endpoints; AMP for Endpoints can be launched from Cisco AnyConnect®
AMP on network and content devices:
• AMP on Web and Email Security Appliances
• AMP on ASA with Firepower™ Services
• AMP Private Cloud Virtual Appliance
• AMP on Firepower NGIPS Appliance
• AMP on Cloud Web Security and Hosted Email
• AMP on ISR with Firepower Services
• AMP on Meraki® MX
20. Solution Integration: Web and Endpoint
Breach Detection & Advanced Threat Visibility
Sources: Cisco WSA (Web Security Appliance), Cisco CWS (Cloud Web Security), External Telemetry (BlueCoat Sec. GW)
[Diagram: HQ and Cloud Web Security Gateways send Web Access Logs to Cisco Cognitive Threat Analytics (CTA); CTA reports Detected Threats, Confirmed Threats and Threat Alerts to Incident Response and exposes a STIX / TAXII API]
25. Solution Integration: Rapid Threat Containment
Automatically Defend Against Threats with Firepower and ISE
• Corporate user downloads file, not knowing it’s actually malicious
• FMC aggregates and correlates sensor data
• FMC alerts ISE. ISE then changes the user’s/device’s access policy to suspicious
• Based on the new policy, network enforcers automatically restrict access
• Device is quarantined for remediation or mitigation
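The containment flow on this slide as a constructed Python simulation, added here as an example (it is not Cisco's FMC, ISE or pxGrid API; the event fields, sensor labels, correlation rules and the "Suspicious" policy name are assumptions):

```python
from dataclasses import dataclass, field

@dataclass
class SensorEvent:
    source: str    # reporting sensor, e.g. "AMP", "NGIPS", "WSA" (assumed labels)
    host: str      # endpoint IP address
    kind: str      # "file_download", "malware_disposition" or "intrusion"
    severity: int  # 1 (low) to 10 (high)

@dataclass
class ISEPolicyStore:
    """Stand-in for ISE: maps an endpoint to its current access policy name."""
    policies: dict = field(default_factory=dict)
    def assign(self, host, policy):
        self.policies[host] = policy
        return policy
    def policy_for(self, host):
        return self.policies.get(host, "Employee")  # default: normal access

class FMC:
    """Stand-in for Firepower Management Center: aggregates and correlates sensor data."""
    def __init__(self, ise, threshold=8):
        self.ise, self.threshold, self.by_host = ise, threshold, {}

    def ingest(self, ev):
        self.by_host.setdefault(ev.host, []).append(ev)
        return self.correlate(ev.host)

    def correlate(self, host):
        evs = self.by_host[host]
        # Rule 1 (assumed): a high-severity malicious file disposition alone flags the host.
        if any(e.kind == "malware_disposition" and e.severity >= self.threshold for e in evs):
            return self.ise.assign(host, "Suspicious")  # FMC alerts ISE
        # Rule 2 (assumed): the host is seen by two or more sensors with combined severity over threshold.
        if len({e.source for e in evs}) >= 2 and sum(e.severity for e in evs) >= self.threshold:
            return self.ise.assign(host, "Suspicious")
        return self.ise.policy_for(host)

def enforce(ise, host):
    """Network enforcer: the ISE policy decides whether the endpoint is quarantined."""
    return "quarantine" if ise.policy_for(host) == "Suspicious" else "allow"

def run_scenario():
    """Constructed scenario: a user downloads a file that AMP later reports as malicious."""
    ise = ISEPolicyStore()
    fmc = FMC(ise)
    fmc.ingest(SensorEvent("WSA", "10.0.0.5", "file_download", 2))
    fmc.ingest(SensorEvent("AMP", "10.0.0.5", "malware_disposition", 9))
    return enforce(ise, "10.0.0.5"), enforce(ise, "10.0.0.6")  # ("quarantine", "allow")
```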
26. Integration in Action: The Attack
Endpoint user opened an email, that visited a website, through the firewall, downloading malware, which stole data
27. Integration in Action: Sharing Events
Alerts are Shared Between Products Providing Visibility
AMP for Endpoints analyzes the file with Threat Grid, blocks the malware retrospectively and shares the event information with Firepower Management Console, Email Security and Web Security, protecting the data center
29. Integration in Action: Sharing Policy
Automatic Response to Threats
Firepower Management Console (with Threat Grid, Data Center, Email Security and Web Security) shares a policy update with the Identity Services Engine, quarantining the user automatically
32. Integration in Action: Threat Intelligence
Profiling what users and devices are really on the network
Components: Firepower Management Console, Threat Grid, Data Center, Email Security, Web Security, Identity Services Engine, AMP for Endpoints, Cloud Security
33. Integration in Action: Sharing Context
Profiling What Users and Devices are Really on the Network
36. 3rd Party Integration: CSTA
Cisco Security Technical Alliance Program, alongside the Cisco Solution Partner Program (SPP) and DevNet:
• 100 percent focused Cisco Security initiatives
• Real integration benefit across portfolio
• Coordinate support with key partners
• Host community supported code
• Identify candidates for deeper integration
Products: Firepower, ISE, Threat Grid, FP9300, Content, ASA, AnyConnect, OpenDNS, pxGrid, Stealthwatch
For more information go to http://www.cisco.com/go/csta
37. 3rd Party Integration: Open Standard APIs
• eStreamer API
  • Send Firepower event data to SIEMs
• Host Input API
  • Collect vulnerability and other host info
• Remediation API
  • Programmatic response to third parties from FireSIGHT
• JDBC Database Access API
  • Supports queries from other applications
• Read/Write API for Firepower
  • Supports FW and Risk Management technologies
• Threat Intelligence Director
  • Collect, correlate, take action on third party Threat Intelligence
• Management API for ASA
  • Third party management of ASA, policy auditing
• pxGrid
  • Bi-directional context sharing framework for ISE, ecosystem partners
• MDM API
  • Enables 3rd party MDM partners to make mobile device posture part of ISE access policy
• External RESTful Services (ERS)
  • Adds 3rd party asset data to ISE inventory database
• AMP Cloud-based API
  • Externalize event data for all 3rd party apps
  • Ingest threat data from third parties
• Threat Grid API
  • Hand off suspicious files for analysis
  • Query entire dataset for correlation or historical/geographic significance
  • Automate submission of files for analysis
  • Create custom or batch threat feeds
• FirePOWER 9300 (SSP) REST API
  • Cisco and third party applications in service chain configuration
• AnyConnect Network Visibility Module Collection
  • AnyConnect provides IPFIX data
• AnyConnect EDM/MDM
  • VPN Services
• OpenDNS Investigate
  • Query OpenDNS for threat intelligence
• OpenDNS Umbrella
  • Add addresses to customer specific enforcement
• CloudLock Enterprise API
  • Reporting/Management
• CloudLock Development APIs
  • Access micro-services
• Other Integration Points
  • ESA, WSA
38. 3rd Party Integration: Ecosystem Partners
• EDM/MDM
• Endpoint and Custom Detection
• Forensics and IR
• SIEM & Analytics
• NPM/APM and Visualization
• IAM/SSO
• Threat Intelligence
• CASB
• UEBA
• Firewall and Policy Management
• Deception
• Orchestration
• Vulnerability Management
• Other
41. Effective Security Needs to be
1. Simple: Security built into the network and designed to work together
2. Open: Integrate across the Cisco portfolio and 3rd party products
3. Automated: Instantaneous remediation, reduce time to detection, save time and money
42. Integrate, Automate: Reduce Time to Detection
Industry: 100 days vs. Cisco: ~13 hours
*Source: Cisco Midyear Security Report, 2016