Cisco Connect 2018 Malaysia

1. Tengku Shahrizam
Cyber Security Consultant, CCIE#16734
Cisco Systems
Creating an Effective Security Architecture
Integrate, Automate, Overcome

2. Last 20 years of security:
Got a problem?
Buy a Box
Firewall

3. The Existing Security Stack…
Firewall
VPN
Email Security
Web Security
DLP
SIEM
Replacement Box
Failover
Persistent Threats
IDS
Firewall 2.0
VPN 2.0
Email Security 2.0
Web Security 2.0
DLP 2.0
SIEM 2.0
Replacement Box 2.0
Failover 2.0
Persistent Threats 2.0
IDS 2.0

4. Why a Security Architecture?
Ability to Defend Getting More Complex
• Attack Surface Diversity: Growing exponentially
due to IoT, SaaS / IaaS, and personal device
trends
• Threats: Continuous rise in sophistication
of attackers combined with rapid evolution
of attacker techniques and tools
• Detection: Efficacy of classical detection
methods eroding
• User Behavior: No longer constrained to
IT controlled places, apps or devices
The Security
Effectiveness Gap

5. Process of Attacks
Research, and
select targets
Pair remote access
malware with exploits
Deliver
cyberweapons by
email, website and
attachments
Install payloads to
gain persistent
access

6. Source: Verizon 2014 Data Breach Investigations Report
Time to compromise
Time to discovery25%
50%
75%
100%
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
Percent of breaches where time to compromise (orange)/
time to discovery (blue) was days or less
Time to Detection
100Industry Days
Industry Result

7. VS.
*Source Cisco Midyear Security Report, 2016
Industry Days
100 Cisco Hours
~13
Integrate Automate: Reduce Time to Detection

8. Integration = Effective Security

9. API’s Alone
IS NOT the Answer

10. Multiple features
within the
same product
Solution
Management
Multiple
products that
work together
Unified
configuration
and reporting
Functional
Integration has to have Layers

11. Event information
improves visibility
Threat Intelligence
speeds time to detection
Automated Policy
changes allow faster
response
Contextual Awareness
builds granular controls
across the network
Sharing Data Through Integration

12. Unified Management
Endpoint CloudNetwork
Visibility
Threat Intelligence -
Services
Integrated Architectural Approach

13. UTM
Network
Analytics
Advanced Malware
Secure Internet Gateway
WebW W W
Policy and Access
Email
NGFW/ NGIPS
Cloud Access Security
Premiere Portfolio in the Industry

14. Functional Integration: Talos Threat Intelligence
221BTotal Threats
1.4M
AV Blocks Per
Day
2.6M
Blocks Per
Second
9.9B
Total Blocks Per
Month
1.5M
Malware Samples
Per Day
1.8B
Spyware Blocks
Per Month
8.2B
Web Filtering
Blocks Per Month
991MWeb + Malware
Threats
19.7BThreats Per Day
1B
Sender Base
Reputation Queries
Per Day

15. Shared intelligence
Shared contextual
awareness
Consistent policy
enforcement
Cisco Firepower™ Management Center
Functional Integration: Firepower Threat Defense
Talos
Firepower 4100 Series Firepower 9300 Platform
Visibility
Radware
DDoS
Network
analysis Email Threats
Identity
and NAC DNS FirewallURL

16. Application Control
WAN Optimization, Traffic
Shaping, Content Filtering
Security
NG Firewall, Client VPN,
Site to Site VPN, IDS/IPS
Networking
NAT/DHCP, 3G/4G Cellular,
Static Routing, Link Balancing
Functional Integration: Meraki

17. Network
ISR/ASR
Advanced
Malware
Umbrella
Web
W W W
ISE
Email
NGFW/ NGIPS
Threat Grid
Stealthwatch
Event
Threat Intel
Policy
Context
Meraki
Cloudlock
Solution Integration: Cisco Portfolio

18. Firepower Device
Manager
Easy management of
common security and
policy tasks
Comprehensive security
administration and
automation of multiple
appliances
Firepower Management
Center
Cisco Defense
Orchestrator
Centralized cloud-based
policy management of
multiple deployments
On-box Centralized Cloud-based
Management Integration: Security Architecture

19. Prove it.

20. Solution Integration: Rapid Threat Containment
Automatically Defend Against Threats with Firepower and ISE
FMC aggregates and
correlates sensor data
FMC alerts ISE. ISE
then changes the
user’s/device’s access
policy to suspicious
Corporate user
downloads file, not
knowing it’s actually
malicious
Based on the new
policy, network
enforcers
automatically restrict
access
Device is quarantined
for remediation or
mitigation

21. Endpoint User
Opened an email
Downloading malware
Which stole data
Integration in Action: The Attack
That visited a website
Through the firewall

22. AMP for Endpoints
And shares the event information
Firepower Management Console
Analyzes the file
with Threat Grid
Blocking the malware
retrospectively
Protecting the data center
Email Security
Web Security
Integration in Action: Sharing Events
Alerts are Snared Between Products Providing Visibility

23. Integration in Action: Sharing Events
Alerts are Snared Between Products Providing Visibility

24. Threat Grid
Firepower
Management
Console
Data Center
Email Security
Web Security
Shares a policy
update with the
Identity Services
Engine
Quarantining the
user automatically
Integration in Action: Sharing Policy
Automatic Response to Threats

25. Integration in Action: Sharing Policy
Automatic Response to Threats

26. Firepower
Management
Console
Threat Grid
Data Center
Email Security
Web Security
Identity Services
Engine
AMP for Endpoints
Cloud Security
Integration in Action: Threat Intelligence
Detect Once, Protect Everywhere

27. Integration in Action: Sharing Context
Profiling What Users and Devices are Really on the Network

28. Integration with
3rd Party Products

29. 100 percent focused Cisco Security initiatives
Real integration benefit across portfolio
Coordinate support with key partners
Host community supported code
Identify candidates for deeper integration
Cisco Solution Partner Program (SPP) DevNet
Cisco Security
Technical Alliance
Program
Firepower
ISE
Threat Grid
FP9300
Content
ASA
AnyConnect
OpenDNS
pxGrid
Stealthwatch
Fore more information go to http://www.cisco.com/go/csta
3rd Party Integration: CSTA
Cisco Security Technical Alliance

30. • eStreamer API
• Send Firepower event data to SIEMs
• Host Input API
• Collect vulnerability and other other host info
• Remediation API
• Programmatic response to third parties from FireSIGHT
• JDBC Database Access API
• Supports queries from other applications
• Read/Write API for Firepower
• Supports FW and Risk Management technologies
• Threat Intelligence Director
• Collect, correlate, take action on third party Threat Intelligence
• Management API for ASA
• Third party management of ASA, policy auditing
• pxGrid
• Bi-directional context sharing framework for ISE, ecosystem partners
• MDM API
• Enables 3rd party MDM partners to make mobile device posture part
of ISE access policy
• External Restful Services (ERS)
• Adds 3rd party asset data to ISE inventory database
• AMP Cloud-based API
• Externalize event data for all 3rd party apps
• Ingest threat data from third parties
• Threat Grid API
• Hand off suspicious files for analysis
• Queries entire dataset for correlation or historical/geographic significance
• Automate submission of files for analysis
• Create custom or batch threat feeds
• FirePOWER 9300 (SSP) REST API
• Cisco and third party applications in service chain configuration
• AnyConnect Network Visibility Module Collection
• AnyConnect provides IPFIX data
• AnyConnect EDM/MDM
• VPN Services
• OpenDNS Investigate
• Query OpenDNS for threat intelligence
• OpenDNS Umbrella
• Add addresses to customer specific enforcement
• CloudLock Enterprise API
• Reporting/Management
• CloudLock Development APIs
• Access micro-services
• Other Integration Points
• ESA, WSA
3rd Party Integration: Open Standard API’s

31. Advisory
• Custom Threat Intelligence
• Cybersecurity Assessments
Integration
• Integration Services
• Security Optimization Services
Managed
• Managed Threat Defense
• Remote Managed Services
Cisco Security Services Bring it All Together

32. simple open automated
Effective Security

33. Threat Grid
Sourcefire
2013 2016
Portcullis
OpenDNS
Lancope
Neohapsis
Cloudlock
2014 2015
AMP
Everywhere;
OpenAppID
Talos
established
Cisco ASA
with
Firepower
Services
Integrated
Threat Defense
Vision; AMP
Threat Grid
Firepower
NGFW
unveiled
Network as a
Sensor and
Enforcer
Cisco
Umbrella
SIG
Identity
Services
Engine 2.0
Integration has Driven Cisco’s Portfolio Growth

34. Cisco WSA (Web Security Appliance)
External Telemetry
Cisco CWS (Cloud Web Security)
Cisco
Cognitive Threat
Analytics (CTA)
Confirmed Threats
Detected Threats
Incident
Response
Threat Alerts
HQ
STIX / TAXII API
CTACTACTA
HQ
Web Security
Gateways
Cloud
Web Security
Gateways
Web Access Logs
Breach Detection &
Advanced Threat Visibility
Solution Integration: Web and Endpoint

35. Stealthwatch
Campus/DC
Switches/WLC
Cisco Routers /
3rd Vendor Devices
Network Sensors Network Enforcers
Policy & Context
Sharing
NGIPS
ISE/
TrustSec
NGFW
Solution Integration: Network Security

36. EDM/MDM Endpoint and
Custom Detection
Forensics and IR Other SIEM & Analytics
NPM/APM and
Visualization
IAM/SSO
Threat
IntelligenceCASB
UEBA
Firewall and
Policy
Management
Deception
Orchestration
Vulnerability
Management
3rd Party Integration: Ecosystem Partners