Cisco Security Technical Alliances
Douglas Hurd – Cisco Security Alliance Team
Agenda
• Introduction to Cisco Security
• What is CSTA and why should you care?
• API Set
• Integration Use Cases
• Roadmap
• Partnerships
• More Information
Cisco Security – Committed to an Open Architecture
• Cybersecurity is a boutique business
• No one does it all. Enterprise customers typically use 50 different cyber security vendor products
• Overwhelmed with event data
• More context can help with policy maintenance
• Better security when products work together
• Automation speeds response time to critical events
• New companies start up all the time
• Consolidation is never ending
Cisco Security Technical Alliances is…
A program covering multiple partner ecosystems in Cisco Security, alongside the Cisco Solution Partner Program (SPP) and DevNet.
Ecosystems covered by the Cisco Security Technical Alliance Program: FireSIGHT, ISE, ThreatGrid, FP9300, Content, ASA, AnyConnect, OpenDNS, pxGrid
• 100 percent focused on Cisco Security initiatives
• Real integration benefit across the portfolio
• Coordinates support with key partners
• Hosts community-supported code
• Identifies candidates for deeper integration
Integration Points Across the Security Portfolio
• eStreamer API: send FireSIGHT event data to SIEMs
• Host Input API: collect vulnerability and other host info
• Remediation API: programmatic response to third parties from FireSIGHT
• JDBC Database Access API: supports queries from other applications
• pxGrid: bi-directional context sharing framework for ISE and ecosystem partners
• MDM API: enables 3rd party MDM partners to make mobile device posture part of ISE access policy
• External RESTful Services (ERS): adds 3rd party asset data to the ISE inventory database
• AMP Cloud-based API: externalize event data for all 3rd party apps
• ThreatGrid API: hand off suspicious files for analysis; automate submission of files for analysis / create custom or batch threat feeds
• FirePOWER 9300 REST API: Cisco and third party applications in service chain configuration
• Management API for ASA: third party management of ASA, policy auditing
• Other Integration Points: Cloud, ESA, WSA, AnyConnect
Integration Use Cases – FireSIGHT
• eStreamer: used by over 90 percent of FireSIGHT customers
• Host Input API: allows for the importation of host and vulnerability data
eStreamer – Powerful Event Forwarding with Context
• Used by almost all FireSIGHT (Sourcefire) customers
• Comprehensive event records with minute detail (context)
• Will be available to all ASA customers

                 Syslog            CEF 2.0             eStreamer
Data format      Unstructured      Unstructured, Text  Structured, Binary
Protocol         UDP               UDP                 TCP
Secure           Unsecure          Secure with TLS     Secure
Delivery         Not Acknowledged  Not Acknowledged    Acknowledged
Packet           No                No                  Yes
Request-able     No                No                  Yes
Extra Data       No                Some                Yes (detail not in syslog)
Flow records     No                No                  Yes
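The three rows that matter most operationally are Delivery, Request-able and Data format: an unacknowledged UDP datagram that is dropped is simply gone, while a length-prefixed record over a stream can be acknowledged, re-requested from a point in time, and detected when truncated. The following is an added example, not Cisco code and not the eStreamer wire format; it models those properties with a small framing of my own (the header layout, message types and sample events are all assumptions made for the example) so that the difference from fire-and-forget syslog can be run and tested.

```python
"""Acknowledged, request-able, length-prefixed event delivery (illustrative).

Added example: not Cisco code and not the eStreamer wire format. The framing
below (4-byte type, 4-byte length, JSON body) is an assumption for the example."""
import json
import socket
import struct
import threading

HDR = struct.Struct("!II")                  # assumed framing: 4-byte type, 4-byte body length
TYPE_EVENT, TYPE_ACK, TYPE_REQUEST = 1, 2, 3

# Constructed stand-ins for sensor events; not real FireSIGHT output.
EVENTS = [
    {"seq": 1, "ts": 1466000000, "kind": "intrusion", "sid": 1000001, "src": "10.0.0.5"},
    {"seq": 2, "ts": 1466000003, "kind": "file", "sha256": "00" * 32, "src": "10.0.0.7"},
    {"seq": 3, "ts": 1466000009, "kind": "intrusion", "sid": 1000002, "src": "10.0.0.9"},
]


def pack(rtype, body):
    data = json.dumps(body).encode()
    return HDR.pack(rtype, len(data)) + data


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None                      # peer closed the stream
        buf += chunk
    return buf


def read_record(sock):
    """Return (type, body), None at a clean EOF, or raise if the stream ends
    inside a record: with length-prefixed framing a truncated event is
    detected instead of being parsed as something else."""
    hdr = _recv_exact(sock, HDR.size)
    if hdr is None:
        return None
    rtype, length = HDR.unpack(hdr)
    data = _recv_exact(sock, length)
    if data is None:
        raise ConnectionError("stream truncated inside a record")
    return rtype, json.loads(data)


def serve(sock, events):
    """Sensor side: honour the client's 'from timestamp' request, then send
    one event at a time and advance only when it has been acknowledged."""
    rec = read_record(sock)
    if rec is None or rec[0] != TYPE_REQUEST:
        sock.close()
        return []
    delivered = []
    for ev in events:
        if ev["ts"] < rec[1]["from_ts"]:
            continue                         # request-able: client chooses its start point
        sock.sendall(pack(TYPE_EVENT, ev))
        ack = read_record(sock)
        if ack is None or ack[0] != TYPE_ACK or ack[1]["seq"] != ev["seq"]:
            break                            # unacked event stays queued for resend
        delivered.append(ev["seq"])
    sock.close()
    return delivered


def collect(sock, from_ts):
    """Collector side: request events from a point in time and ack each one."""
    sock.sendall(pack(TYPE_REQUEST, {"from_ts": from_ts}))
    received = []
    while True:
        rec = read_record(sock)
        if rec is None:
            break
        received.append(rec[1])
        sock.sendall(pack(TYPE_ACK, {"seq": rec[1]["seq"]}))
    return received


def run_demo(from_ts=1466000003):
    """Run sensor and collector over a socketpair; return (acked seqs, received seqs)."""
    srv, cli = socket.socketpair()
    out = {}
    t = threading.Thread(target=lambda: out.update(acked=serve(srv, EVENTS)))
    t.start()
    received = [ev["seq"] for ev in collect(cli, from_ts)]
    t.join()
    cli.close()
    return out["acked"], received


def detects_truncation():
    """A record whose stream dies mid-body is reported, not misparsed."""
    a, b = socket.socketpair()
    a.sendall(HDR.pack(TYPE_EVENT, 100) + b"x" * 10)
    a.close()
    try:
        read_record(b)
        return False
    except ConnectionError:
        return True
    finally:
        b.close()


if __name__ == "__main__":
    print(run_demo())
    print(detects_truncation())
```

With `from_ts` set to the second event's timestamp only events 2 and 3 are delivered and acknowledged; a syslog/UDP feed has no equivalent of the request step or of the per-record ack, which is why SIEM teams that need a complete record lean on the acknowledged feed.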
Integration Use Cases - Identity & Access Management
Use Case: Device & Network-Location, Access-Type Aware Application Access
Control access to applications based on end-user status, such as their location, device used, device posture, access method
Sharing ISE Context with Applications for Coarse-Grained Control within IAM Platforms
Diagram: ISE shares user/device context (USER : PROFILE : POSTURE) with the IAM platform; policy and enforcement (Auth/Z) sit in the IAM platform. Example policy: No patient record app access on BYOD devices. A mobile device that is registered with MDM gets Access Permit; a mobile device that is not registered with MDM is denied.
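The decision the IAM platform makes in the diagram above, written out as an added example (not code from the page or from any IAM vendor). The context fields, the application names and all rules except the slide's own "no patient record app access on BYOD devices" are assumptions for illustration. Two details a practitioner wants are built in: the check fails closed when ISE context is missing or older than a freshness limit, and every denial carries a reason for the audit log.

```python
"""Coarse-grained app authorization from ISE-style user/profile/posture context.

Added example, not Cisco or IAM-vendor code. Field names, app names and all
rules other than the BYOD/patient-records rule are assumptions."""
from datetime import datetime, timedelta

CONTEXT_MAX_AGE = timedelta(minutes=5)   # assumed; align with your session refresh

# Constructed context as an IAM platform might cache it from ISE (not real data).
ISE_CONTEXT = {
    "jdoe":   {"seen": "2016-06-01T09:58:00", "device": "corporate", "mdm_registered": True,
               "posture": "compliant", "location": "campus", "access": "wired"},
    "asmith": {"seen": "2016-06-01T09:59:00", "device": "byod", "mdm_registered": False,
               "posture": "unknown", "location": "campus", "access": "wireless"},
    "bjones": {"seen": "2016-06-01T08:00:00", "device": "corporate", "mdm_registered": True,
               "posture": "compliant", "location": "remote", "access": "vpn"},
    "cwhite": {"seen": "2016-06-01T09:59:00", "device": "corporate", "mdm_registered": True,
               "posture": "compliant", "location": "remote", "access": "vpn"},
}

# Rules per application; apps not listed are unrestricted (coarse-grained control).
# Each rule is (predicate on context, reason recorded when it fails). Order matters:
# the first failing rule gives the reason.
APP_RULES = {
    "patient-records": [
        (lambda c: c["device"] != "byod", "policy: no patient record app access on BYOD devices"),
        (lambda c: c["mdm_registered"], "device not registered with MDM"),
        (lambda c: c["posture"] == "compliant", "device posture not compliant"),
        (lambda c: c["location"] != "guest", "access from guest network"),
        (lambda c: c["access"] in ("wired", "wireless"), "remote/VPN access not permitted for this app"),
    ],
}


def authorize(user, app, now, context=ISE_CONTEXT):
    """Return (allowed, reason). Fails closed on missing or stale context."""
    ctx = context.get(user)
    if ctx is None:
        return False, "no ISE context for user"
    seen = datetime.strptime(ctx["seen"], "%Y-%m-%dT%H:%M:%S")
    if now - seen > CONTEXT_MAX_AGE:
        return False, "ISE context stale (%s old)" % (now - seen)
    for ok, reason in APP_RULES.get(app, []):
        if not ok(ctx):
            return False, reason
    return True, "permitted"


if __name__ == "__main__":
    now = datetime(2016, 6, 1, 10, 0, 0)
    for user in ("jdoe", "asmith", "bjones", "cwhite", "nobody"):
        print(user, authorize(user, "patient-records", now))
```

The stale-context branch is the one most often missing in real deployments: a session that ISE has since reauthenticated or quarantined should not keep its old "compliant" verdict in the IAM platform's cache.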
Integration Use Cases – ISE & pxGrid: Rapid Threat Containment
With Cisco Firepower Management Center (FMC) and Identity Services Engine (ISE)
Rapid Threat Containment with FMC and ISE
What's new for ISE 2.0?
Cisco Firepower Management Center integration with ISE identifies and addresses suspicious activity, based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions, per policy, with Cisco FireSIGHT and ISE integration
• Admit or deny access to contractor portal
Capabilities
• Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
• Automate alerts: leverage ISE ANC to alert the network of suspicious activity according to policy
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Flow (diagram):
1. Corporate user downloads file
2. FMC monitors user activity and file integrity
3. FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE enforces policy on the network
5. Access denied per security policy
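Between step 3 and step 4 there is a decision that the slide leaves implicit: which events are allowed to trigger an automated network action, and against which endpoints. The following added example (not Cisco code) makes that step explicit with the checks an operator wants before a quarantine fires: a disposition threshold, a requirement for an endpoint identity, an exclusion list for assets that must never be auto-contained, and a repeat window so the same endpoint is not re-actioned for every event in a burst. The event fields are a constructed stand-in for an FMC file/malware event, the ANC policy names are hypothetical, and the ERS request shape is how I recall the ISE ERS ANC "apply" call; it must be verified against the ERS reference for your ISE version.

```python
"""Containment decision between an FMC malware event and an ISE ANC action.

Added example, not Cisco code. Event fields, ANC policy names and the ERS
request shape are assumptions; verify the ERS call against your ISE version."""
import ipaddress
import json
from datetime import datetime, timedelta

QUARANTINE = {"Malware"}                    # dispositions that trigger containment
INVESTIGATE = {"Custom", "Unknown"}         # dispositions that get a restricted policy only
PROTECTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # never auto-contain (e.g. DCs); site-specific
REPEAT_WINDOW = timedelta(hours=1)          # don't re-apply ANC to the same endpoint in a burst

SAMPLE_EVENTS = [  # constructed, not real FMC output
    {"ts": "2016-06-01T10:00:00", "disposition": "Malware", "sha256": "ab" * 32,
     "src_ip": "10.0.1.23", "mac": "00:11:22:33:44:55", "user": "jdoe"},
    {"ts": "2016-06-01T10:05:00", "disposition": "Malware", "sha256": "cd" * 32,
     "src_ip": "10.0.1.23", "mac": "00:11:22:33:44:55", "user": "jdoe"},
    {"ts": "2016-06-01T10:06:00", "disposition": "Malware", "sha256": "ef" * 32,
     "src_ip": "10.10.0.5", "mac": "00:11:22:33:44:66", "user": "svc-backup"},
    {"ts": "2016-06-01T10:07:00", "disposition": "Unknown", "sha256": "01" * 32,
     "src_ip": "10.0.2.9", "mac": "00:11:22:33:44:77", "user": "asmith"},
    {"ts": "2016-06-01T10:08:00", "disposition": "Clean", "sha256": "02" * 32,
     "src_ip": "10.0.2.10", "mac": None, "user": "bjones"},
]


def decide(ev, recent):
    """Return (anc_policy or None, reason). `recent` maps MAC -> time of last action."""
    ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    disp = ev["disposition"]
    if disp in QUARANTINE:
        policy = "ANC-Quarantine"            # hypothetical ANC policy name
    elif disp in INVESTIGATE:
        policy = "ANC-Investigate"           # hypothetical ANC policy name
    else:
        return None, "no action for disposition %s" % disp
    if not ev.get("mac"):
        return None, "no endpoint MAC in event; ANC needs an endpoint identity"
    if any(ipaddress.ip_address(ev["src_ip"]) in net for net in PROTECTED_NETS):
        return None, "protected asset %s; open a ticket instead" % ev["src_ip"]
    last = recent.get(ev["mac"])
    if last is not None and ts - last < REPEAT_WINDOW:
        return None, "ANC already applied to %s at %s" % (ev["mac"], last.isoformat())
    recent[ev["mac"]] = ts
    return policy, "%s applied for %s, hash %s" % (policy, disp, ev["sha256"][:12])


def anc_apply_request(ise_host, mac, policy):
    """Build the ERS call. Assumed shape; verify against your ISE ERS reference."""
    url = "https://%s:9060/ers/config/ancendpoint/apply" % ise_host
    body = {"OperationAdditionalData": {"additionalData": [
        {"name": "macAddress", "value": mac},
        {"name": "policyName", "value": policy},
    ]}}
    return "PUT", url, json.dumps(body)


def process(events, ise_host="ise.example.net"):
    """Walk events in order; return the audit trail of decisions and built requests."""
    recent, audit = {}, []
    for ev in events:
        policy, reason = decide(ev, recent)
        entry = {"mac": ev.get("mac"), "user": ev["user"], "policy": policy, "reason": reason}
        if policy:
            entry["request"] = anc_apply_request(ise_host, ev["mac"], policy)
        audit.append(entry)
    return audit


if __name__ == "__main__":
    for entry in process(SAMPLE_EVENTS):
        print(entry["user"], entry["policy"], entry["reason"])
```

Every event produces an audit entry whether or not an action is taken; the entries for the protected asset and the repeated endpoint are the ones an analyst will want to find later when asking why a host was not cut off.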
Rapid Threat Containment Ecosystem
Enabling 3rd Parties to Use pxGrid Adaptive Network Control for Network Mitigation Actions
What's new for ISE 2.0?
The pxGrid framework enables Cisco to integrate with ecosystem partners to provide customers with a solution that suits their existing infrastructure.
Benefits
• Minimize costs: reduce the resources required to respond to security and network events by facilitating access to the Cisco network
• Simplified management: create a single place for policy management by integrating ISE with vendor solutions
A host of new partners… …to join our flourishing Rapid Threat Containment ecosystem.
Utilizing integration via pxGrid Adaptive Network Control, ISE enables security ecosystem partners from a range of technology areas to take network mitigation and investigation actions in response to security events.
Integration Use Case - ThreatGrid
Diagram: suspicious files from Cisco Security Solutions (Edge, Endpoints, Email Security, Web Security, Network Security) and from Network Security Solutions (Firewalls & UTM, Security Analytics, Endpoint Security) are handed to AMP Threat Grid (Dynamic Analysis, Static Analysis, Threat Intelligence). Analysis reports go back to Security Teams; premium content feeds go to 3rd Party Integration (Security monitoring platforms, Deep Packet Inspection, Gov, Risk, Compliance, SIEM).
Integration Use Case - AnyConnect Network Visibility Module
Endpoint Context for Visibility, Auditing, and Analytics
Enhance NetFlow Records With Endpoint/User Data and Application Activity
Diagram: Enhanced Endpoints send Context to a Collector & Reporting tier (Cisco / Partners).
High Level Architecture
Diagram: endpoints at WORK and on the WWW run the new AnyConnect module for Windows and OS X, which sends application and network telemetry (NetFlow/IPFIX) to a NetFlow/IPFIX collector; the collector/server produces reports and analysis of application + data + user/endpoint information.
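What "enhance NetFlow records with endpoint/user data" means for the collector is a join: network-side flow records carry only the 5-tuple and counters, while the endpoint agent reports, per flow, which user and process opened the socket. The following added example (not Cisco code) performs that join and then runs two pieces of example detection logic over the result. Both record sets are constructed, the field names are my own rather than NVM's IPFIX element names, and the office-spawned-shell rule is an illustration of what the joined data makes possible, not a Cisco feature.

```python
"""Join network flow records with endpoint (user/process) telemetry.

Added example, not Cisco code. Records are constructed; field names are the
example's own, not NVM's IPFIX information elements."""

MATCH_WINDOW = 5   # seconds an endpoint record may precede the flow start and still match

# Constructed network-side flow records (exporter view).
FLOWS = [
    {"start": 100, "src": "10.0.1.23", "sport": 51000, "dst": "198.51.100.7", "dport": 443, "proto": 6, "bytes": 52000},
    {"start": 130, "src": "10.0.1.23", "sport": 51001, "dst": "203.0.113.9", "dport": 4444, "proto": 6, "bytes": 980},
    {"start": 140, "src": "10.0.1.40", "sport": 60000, "dst": "198.51.100.7", "dport": 443, "proto": 6, "bytes": 3000},
]

# Constructed endpoint-side records (agent view of the same connections). The
# ts=20 record reuses port 51000 from an earlier connection: the time window
# is what stops it from being attributed to the later flow.
ENDPOINT = [
    {"ts": 99,  "host": "10.0.1.23", "lport": 51000, "proto": 6, "user": "jdoe", "proc": "chrome.exe", "parent": "explorer.exe"},
    {"ts": 129, "host": "10.0.1.23", "lport": 51001, "proto": 6, "user": "jdoe", "proc": "powershell.exe", "parent": "winword.exe"},
    {"ts": 20,  "host": "10.0.1.23", "lport": 51000, "proto": 6, "user": "jdoe", "proc": "outlook.exe", "parent": "explorer.exe"},
]


def index_endpoint(records):
    """Group endpoint records by (host, local port, proto), oldest first."""
    idx = {}
    for r in records:
        idx.setdefault((r["host"], r["lport"], r["proto"]), []).append(r)
    for lst in idx.values():
        lst.sort(key=lambda r: r["ts"])
    return idx


def enrich(flows, endpoint, window=MATCH_WINDOW):
    """Attach user/proc/parent to each flow, or None when no agent record matches."""
    idx = index_endpoint(endpoint)
    out = []
    for f in flows:
        cands = [r for r in idx.get((f["src"], f["sport"], f["proto"]), [])
                 if f["start"] - window <= r["ts"] <= f["start"]]
        hit = cands[-1] if cands else None   # latest start before the flow guards against port reuse
        out.append(dict(f, user=hit["user"] if hit else None,
                        proc=hit["proc"] if hit else None,
                        parent=hit["parent"] if hit else None))
    return out


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def findings(enriched):
    """Example detection logic over the joined records (illustrative, not a product rule)."""
    hits, unattributed = [], set()
    for e in enriched:
        if e["proc"] is None:
            if e["src"] not in unattributed:    # no agent on the host, or a process hiding from it
                unattributed.add(e["src"])
                hits.append(("unattributed-host", e["src"]))
        elif e["proc"] in SHELLS and e["parent"] in OFFICE:
            hits.append(("office-spawned-shell", e["src"], e["proc"], "%s:%d" % (e["dst"], e["dport"])))
    return hits


def bytes_by_process(enriched):
    """Totals keyed by (user, process); the (None, None) bucket is unattributed traffic."""
    totals = {}
    for e in enriched:
        key = (e["user"], e["proc"])
        totals[key] = totals.get(key, 0) + e["bytes"]
    return totals


if __name__ == "__main__":
    joined = enrich(FLOWS, ENDPOINT)
    for f in findings(joined):
        print(f)
    print(bytes_by_process(joined))
```

The second flow is the one the join pays for: from the network alone it is a small outbound connection to port 4444; with endpoint context it is a PowerShell process whose parent is Word, which is a very different triage priority. The unattributed bucket is worth reporting on its own, since hosts that send traffic without any agent record are either unmanaged or evading the agent.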
Roadmap
• June 2016 – Read/Write API for FirePOWER: support for import/export of firewall and intrusion policy. Partnerships will include Skybox, Tufin, Algosec, Firemon
• Late 2016 – Fire & ISE: supported native integration of FireSIGHT's remediation capability through ISE and pxGrid
• All 2016 – NVM and RTC ecosystem build out: adding proven partnerships
• Mid 2017 – Management API for FirePOWER: 3rd party management of FirePOWER deployment
Cisco Security Technical Alliances Partnerships 2016
Diagram: partner technology areas (Packet Brokering; Network Infrastructure & Policy Management; Performance Management & Visualization; Mobility; Packet Capture & Forensics; SIEM & Analytics; Remediation & Incident Response; Vulnerability Management; Custom Detection; Firewall/Access Control; IAM/SSO) laid out across the attack continuum: Discover, Enforce, Harden / Detect, Block, Defend / Scope, Contain, Remediate.
More Information on Cisco Security Technical Alliances
• DevNet for Security: https://developer.cisco.com/security
• Current list of partners: http://www.cisco.com/c/en/us/products/security/partner-ecosystem.html
• FireSIGHT Support forum: https://supportforums.cisco.com/community/12226126/firepower-api
• FireSIGHT downloads: https://supportforums.cisco.com/community/12226126/firepower-api#quicktabs-community_activity=1
dohurd@cisco.com
Thank you
The new security model
Diagram: the attack continuum across Network, Endpoint, Mobile, Virtual and Cloud, with Point in Time and Continuous protection backed by Threat Intelligence.
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
pxGrid – Industry Adoption Critical Mass as of June 2015
18 Partner Platforms and 9 Technology Areas Since Release 7 Months Ago
Diagram: technology areas around Cisco ISE and Cisco WSA: Vulnerability Assessment; Packet Capture & Forensics; SIEM & Threat Defense; IAM & SSO; Net/App Performance; IoT Security; Cloud Access Security.
Integration Use Case – AnyConnect and NVM
Diagram: AnyConnect modules and head-end devices.
Basic VPN: SSL / DTLS VPN; IPsec VPN
Adv. VPN/Services: HostScan / ISE Agent; Cloud Web Security; L2 Supplicant (Win only)
Other Services (NEW!): Network Visibility Module; AMP Enabler
Head End Devices: ASA; ASR/CSR; ISR; Switches and Wireless controllers; ISE/ACS; WSA; Cloud Web Security + AMP


Editor's Notes

  • #7 Now and future: include Open APIs.
  • #12 With pxGrid, Cisco is committed to an open, platform-based framework that allows us to improve the efficacy of Cisco's industry-leading offerings, such as the combined solution of Rapid Threat Containment with Firepower and ISE. The pxGrid framework also enables Cisco to integrate with ecosystem partners where it provides our customers with a solution that suits their existing infrastructure. New pxGrid firewall and access control partners include Check Point and Infoblox, which now leverage all context provided by ISE, via Identity Awareness, including information such as device info, end user, IP and MAC address.
    Firewall/Access Control: Utilizing Cisco pxGrid, integration between Cisco ISE and access control partners enables identity and device-based policy and reporting, as well as network mitigation response to severe access violation events. New partners: Check Point and Infoblox.
    Rapid Threat Containment: Utilizing integration via pxGrid Adaptive Network Control, Cisco ISE enables security ecosystem partners from a broad variety of technology areas to take network mitigation and investigation actions in response to security events. New partners: Infoblox, Invincea, E8 Security, SAINT, and Huntsman. Existing ecosystem partners: Hawk Defense, Lancope, Splunk, LogRhythm, NetIQ, Tenable, Bayshore, Rapid 7, Elastica.
    Individual partner descriptions for the new partners to the ecosystem:
    Check Point: Check Point Identity Awareness will now leverage all context provided by ISE to gather device info, end user, IP, MAC address etc. for more accurate and reliable firewall identification. Check Point and pxGrid integration deliver on the following use cases:
    Infoblox: Integration with Cisco ISE enables Infoblox IP Address Management and DNS Firewall platforms to associate users, devices and privilege level with management and security events to assess risk and take mitigation actions.
    Invincea: Integration of Invincea's user behavior security analytics with network mitigation actions provided by Cisco ISE and pxGrid enables fast response to critical threats.
    E8 Security: E8 integrates their big data security analytics with Cisco pxGrid to enable rapid network mitigation actions via Cisco ISE for high severity threats.
    Huntsman Security: Integration with Cisco pxGrid enables Huntsman to quickly respond to critical security and compliance events by executing network mitigation actions via Cisco ISE.
    SAINT: Using pxGrid with Cisco Identity Services Engine, SAINT increases the speed of analyzing security vulnerabilities and speeds and simplifies your network response.
    Hawk Defense: Hawk uses the Cisco FireSIGHT Management Center's eStreamer API to collect and parse event data into its SIEM platform for analysis and archiving, and can take network mitigation actions using Cisco ISE and pxGrid.
    LogRhythm: LogRhythm will now develop to pxGrid and provide adaptive network control mitigation functions.
  • #13 Threat Grid draws on the capabilities and infrastructures you already have in place, and provides a common analysis engine across all of them. Combining proprietary analysis technology with secure, cloud-based capabilities, it analyzes all of that data, identifies key indicators of malicious behavior, and provides the global and historical context you need to take action.
    Here is a really high level overview of what AMP Threat Grid does. Threat Grid enables a customer to upload a sample through our portal or via our API from any of our Cisco Security Solutions. We then do our proprietary analysis of the sample, an automated process that allows for a large volume of samples to be analyzed by static and dynamic methods quickly. We take an outside-in approach to analysis, at large scale and volume, and the end result is enriched content that enables faster, more informed decision making.
    Threat Grid enables security analysts, as well as the engineering teams, to incorporate the threat intelligence into their security monitoring platforms and partner solutions in order to proactively defend against future attacks.
  • #14 Theme: Better Visibility + Deeper Auditing + Insightful Telemetry. Providing a tool for analysis of users/devices/applications, enhancing NetFlow records with endpoint/user data and application activity.
    Cisco AnyConnect NVM is able to provide the following:
    Superior Visibility into all users, connected devices on a network and the applications running on the endpoints, allowing for more accurate information on users/devices/applications.
    Auditing Intelligence by analysis of users/devices/applications running in the network. This type of information can be shared between the security/network group and the desktop group.
    A Telemetry Platform, collecting contextual information from endpoints that permits network/security admins to share the info with desktop admins to minimize the spread of network threats across the network.
  • #17 Needs network critical in packet brokering. Is Check Point in the right place?
  • #20 There is no silver bullet to security. Everybody will be breached at some point. Here at Cisco, we ask the question, "Would you do security differently if you knew you were going to be breached?" The answer is invariably yes.
    Security can be thought of, then, in terms of Before an Attack, During an Attack and After an Attack. We are going to show the security portfolio in terms of a graphical, simplistic network diagram and how each solution ties into the continuum. In all truth, most solutions cover the attack continuum with their feature lists. However, for simplicity we are going to show each solution where it best fits into the attack continuum as a whole. We will also begin with the product function and end with the product names.
    There are three stages to an attack: before, during, and after.
    Before an attack: customers need to know what they are defending. You need to know what's on your network to be able to defend it: devices, OS, services, applications, users. They need to implement access controls, enforce policy and block applications and overall access to assets. This is where customers spend most of their time and money; the hope is to reduce the attackable surface of the network. Unfortunately, attackers have a relatively easy time penetrating the perimeter of a network even with good access controls.
    During the attack: when attacks get through, we need to be able to detect them. You must have the best detection of threats that you can get. Once we detect attacks, we can block them and defend the environment.
    After the attack: invariably attacks will be successful, and customers need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal.