Cisco Connect 2018 Thailand

1. Pichaiwood Prabudhanitisarn
Cybersecurity Specialist
April 2018
Creating an Effective Security Architecture
Cybersecurity Strategy
An Integrated Approach

2. Last 20 years of security:
Got a problem?
Buy a Box
Firewall

3. Same Old Song and Dance
2000’s
Application
Control
FW/VPN
IDS / IPS
UTM
NAC
AV
PKI
1980’s
2010’s
1990’s
Sandboxing

4. The Existing Security Stack…
Firewall
VPN
Email Security
Web Security
DLP
SIEM
Replacement Box
Failover
Persistent Threats
IDS
Firewall 2.0
VPN 2.0
Email Security 2.0
Web Security 2.0
DLP 2.0
SIEM 2.0
Replacement Box 2.0
Failover 2.0
Persistent Threats 2.0
IDS 2.0

5. Why a Security Architecture?
Ability to Defend Getting More Complex
• Attack Surface Diversity: Growing exponentially
due to IoT, SaaS / IaaS, and personal device
trends
• Threats: Continuous rise in sophistication
of attackers combined with rapid evolution
of attacker techniques and tools
• Detection: Efficacy of classical detection
methods eroding
• User Behavior: No longer constrained to
IT controlled places, apps or devices
The Security
Effectiveness Gap

6. Process of Attacks
Research, and
select targets
Pair remote access
malware with exploits
Deliver
cyberweapons by
email, website and
attachments
Install payloads to
gain persistent
access

7. Source: Verizon 2014 Data Breach Investigations Report
Time to compromise
Time to discovery25%
50%
75%
100%
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
Percent of breaches where time to compromise (orange)/
time to discovery (blue) was days or less
Time to Detection
100Industry Days
Industry Result

8. Integration = Effective Security

9. API’s Alone
are not the Answer

10. Multiple features
within the
same product
Solution
Management
Multiple
products that
work together
Unified
configuration
and reporting
Functional
Integration has to have Layers

11. Event information
improves visibility
Threat Intelligence
speeds time to detection
Automated Policy
changes allow faster
response
Contextual Awareness
builds granular controls
across the network
Sharing Data Through Integration

12. Threat Grid
Sourcefire
2013 2016
Portcullis
OpenDNS
Lancope
Neohapsis
Cloudlock
2014 2015
AMP
Everywhere;
OpenAppID
Talos
established
Cisco ASA
with
Firepower
Services
Integrated
Threat Defense
Vision; AMP
Threat Grid
Firepower
NGFW
unveiled
Network as a
Sensor and
Enforcer
Cisco
Umbrella
SIG
Identity
Services
Engine 2.0
Integration has Driven Cisco’s Portfolio Growth

13. Unified Management
Endpoint CloudNetwork
Visibility
Threat Intelligence -
Services
Integrated Architectural Approach

14. UTM
Network
Analytics
Advanced Malware
Secure Internet Gateway
WebW W W
Policy and Access
Email
NGFW/ NGIPS
Cloud Access Security
Premiere Portfolio in the Industry

15. Functional Integration: Talos Threat Intelligence
221BTotal Threats
1.4M
AV Blocks Per
Day
2.6M
Blocks Per
Second
9.9B
Total Blocks Per
Month
1.5M
Malware Samples
Per Day
1.8B
Spyware Blocks
Per Month
8.2B
Web Filtering
Blocks Per Month
991MWeb + Malware
Threats
19.7BThreats Per Day
1B
Sender Base
Reputation Queries
Per Day

16. Shared intelligence
Shared contextual
awareness
Consistent policy
enforcement
Cisco Firepower™ Management Center
Functional Integration: Firepower Threat Defense
Talos
Firepower 4100 Series Firepower 9300 Platform
Visibility
Radware
DDoS
Network
analysis Email Threats
Identity
and NAC DNS FirewallURL

17. Application Control
WAN Optimization, Traffic
Shaping, Content Filtering
Security
NG Firewall, Client VPN,
Site to Site VPN, IDS/IPS
Networking
NAT/DHCP, 3G/4G Cellular,
Static Routing, Link Balancing
Functional Integration: Meraki

18. Network
ISR/ASR
Advanced
Malware
Umbrella
Web
W W W
ISE
Email
NGFW/ NGIPS
Threat Grid
Stealthwatch
Event
Threat Intel
Policy
Context
Meraki
Cloudlock
Solution Integration: Cisco Portfolio

19. AMP Threat
Intelligence Cloud
Windows OS Android Mobile Virtual MAC OS
CentOS, Red Hat
Linux for servers
and datacenters
AMP on Web and Email
Security Appliances
AMP on ASA with Firepower™
Services
AMP Private Cloud
Virtual Appliance
AMP on Firepower
NGIPS Appliance
AMP on Cloud Web Security
and Hosted Email
CWS/
CTA
Threat Grid
Malware Analysis +
Threat Intelligence
AMP on ISR with
Firepower Services
AMP for Endpoints
AMP for Endpoints
Remote Endpoints
AMP for Endpoints can
be launched from Cisco
AnyConnect®
AMP on Meraki® MX
Solution Integration: Advanced Malware Protection

20. Cisco WSA (Web Security Appliance)
External Telemetry (BlueCoat Sec. GW)
Cisco CWS (Cloud Web Security)
Cisco
Cognitive Threat
Analytics (CTA)
Confirmed Threats
Detected Threats
Incident
Response
Threat Alerts
HQ
STIX / TAXII API
CTACTACTA
HQ
Web Security
Gateways
Cloud
Web Security
Gateways
Web Access Logs
Breach Detection &
Advanced Threat Visibility
Solution Integration: Web and Endpoint

21. Stealthwatch
Campus/DC
Switches/WLC
Cisco Routers /
3rd Vendor Devices
Network Sensors Network Enforcers
Policy & Context
Sharing
NGIPS
ISE/
TrustSec
NGFW
Solution Integration: Network Security

22. Firepower Device
Manager
Easy management of
common security and
policy tasks
Comprehensive security
administration and
automation of multiple
appliances
Firepower Management
Center
Cisco Defense
Orchestrator
Centralized cloud-based
policy management of
multiple deployments
On-box Centralized Cloud-based
Management Integration: Security Architecture

23. Single interface to manage policy for:
• ASA/ ASAv
• ASA with Firepower™ Services
• Cisco Firepower™ NGFW
• Cisco® Web Security Appliance
• Cisco Umbrella
Management Integration: Cisco Defense Orchestrator

24. Prove it.

25. Solution Integration: Rapid Threat Containment
Automatically Defend Against Threats with Firepower and ISE
FMC aggregates and
correlates sensor data
FMC alerts ISE. ISE
then changes the
user’s/device’s access
policy to suspicious
Corporate user
downloads file, not
knowing it’s actually
malicious
Based on the new
policy, network
enforcers
automatically restrict
access
Device is quarantined
for remediation or
mitigation

26. Endpoint User
Opened an email
Downloading malware
Which stole data
Integration in Action: The Attack
That visited a website
Through the firewall

27. AMP for Endpoints
And shares the event information
Firepower Management Console
Analyzes the file
with Threat Grid
Blocking the malware
retrospectively
Protecting the data center
Email Security
Web Security
Integration in Action: Sharing Events
Alerts are Snared Between Products Providing Visibility

28. Integration in Action: Sharing Events
Alerts are Snared Between Products Providing Visibility

29. Threat Grid
Firepower
Management
Console
Data Center
Email Security
Web Security
Shares a policy
update with the
Identity Services
Engine
Quarantining the
user automatically
Integration in Action: Sharing Policy
Automatic Response to Threats

30. Integration in Action: Sharing Policy
Automatic Response to Threats

31. Firepower
Management
Console
Threat Grid
Data Center
Email Security
Web Security
Identity Services
Engine
AMP for Endpoints
Cloud Security
Integration in Action: Threat Intelligence
Detect Once, Protect Everywhere

32. Firepower
Management
Console
Threat Grid
Data Center
Email Security
Web Security
Identity Services
Engine
AMP for Endpoints
Cloud Security
Integration in Action: Threat Intelligence
Profiling what users and devices are really on the network

33. Integration in Action: Sharing Context
Profiling What Users and Devices are Really on the Network

34. Integration in Action
AMP
TALOS
ISE
NGFW

35. Integration with
3rd Party Products

36. 100 percent focused Cisco Security initiatives
Real integration benefit across portfolio
Coordinate support with key partners
Host community supported code
Identify candidates for deeper integration
Cisco Solution Partner Program (SPP) DevNet
Cisco Security
Technical Alliance
Program
Firepower
ISE
Threat Grid
FP9300
Content
ASA
AnyConnect
OpenDNS
pxGrid
Stealthwatch
Fore more information go to http://www.cisco.com/go/csta
3rd Party Integration: CSTA
Cisco Security Technical Alliance

37. • eStreamer API
• Send Firepower event data to SIEMs
• Host Input API
• Collect vulnerability and other other host info
• Remediation API
• Programmatic response to third parties from FireSIGHT
• JDBC Database Access API
• Supports queries from other applications
• Read/Write API for Firepower
• Supports FW and Risk Management technologies
• Threat Intelligence Director
• Collect, correlate, take action on third party Threat Intelligence
• Management API for ASA
• Third party management of ASA, policy auditing
• pxGrid
• Bi-directional context sharing framework for ISE, ecosystem partners
• MDM API
• Enables 3rd party MDM partners to make mobile device posture part
of ISE access policy
• External Restful Services (ERS)
• Adds 3rd party asset data to ISE inventory database
• AMP Cloud-based API
• Externalize event data for all 3rd party apps
• Ingest threat data from third parties
• Threat Grid API
• Hand off suspicious files for analysis
• Queries entire dataset for correlation or historical/geographic significance
• Automate submission of files for analysis
• Create custom or batch threat feeds
• FirePOWER 9300 (SSP) REST API
• Cisco and third party applications in service chain configuration
• AnyConnect Network Visibility Module Collection
• AnyConnect provides IPFIX data
• AnyConnect EDM/MDM
• VPN Services
• OpenDNS Investigate
• Query OpenDNS for threat intelligence
• OpenDNS Umbrella
• Add addresses to customer specific enforcement
• CloudLock Enterprise API
• Reporting/Management
• CloudLock Development APIs
• Access micro-services
• Other Integration Points
• ESA, WSA
3rd Party Integration: Open Standard API’s

38. EDM/MDM Endpoint and
Custom Detection
Forensics and IR Other SIEM & Analytics
NPM/APM and
Visualization
IAM/SSO
Threat
IntelligenceCASB
UEBA
Firewall and
Policy
Management
Deception
Orchestration
Vulnerability
Management
3rd Party Integration: Ecosystem Partners

39. Services Brings it All Together

40. Advisory
• Custom Threat Intelligence
• Cybersecurity Assessments
Integration
• Integration Services
• Security Optimization Services
Managed
• Managed Threat Defense
• Remote Managed Services
Cisco Security Services

41. Effective Security Needs to be
Simple
Security built into the
network and designed to
work together
1 2 3
Open
Integrate across the Cisco
portfolio and 3rd party products
Automated
Instantaneous remediation
reduce time to detection
save time and money

42. VS.
*Source Cisco Midyear Security Report, 2016
Industry Days
100 Cisco Hours
~13
Integrate Automate: Reduce Time to Detection

43. simple open automated
Effective Security