With over a dozen APIs and integrations points, Cisco’s security product portfolio offers many ways to share and collect from other complementary technologies including MDM, EDM, SIEM, IR and Vulnerability Management. Cisco’s CSTA program focuses on helping customers achieve a higher level of security through automation and more intelligent event attribution.

2. Cisco Security Technical Alliances
Douglas Hurd – Technical Alliances

3. • CSTA: What is it?
• Why it matters
• Integration points & Use Cases
• Getting More information
Outline
As the threat from the industrialized hackers grows, new, novel solutions will need to evolve to
counteract the threat, so that our customers can defeat the attackers….open architectures with
best of breed solution providers is the only way to go. The era of the closed, black box
architectures is dead!
John Negron, SVP WW Sales - Cisco Security

4. Cisco Security Technical Alliances is…
An umbrella program covering multiple partner ecosystems in the BU
Sourcefire Technology Partner Program
ISE Ecosystem
ThreatGrid
SSP Partners
Content
ASA
AnyConnect

5. • Typically use dozens of different security products
• No one does it all. Customers cherry pick.
• Want security products to work together
• Overwhelmed with event data and rely on SIEM
• Integration can spur Automation and..
• Help with policy maintenance
• Speed response time
• Reduce time to resolve critical events
• Reduce TCO
Why you should care
Overwhelmed customers?

6. Comprehensive Security Portfolio
IPS & NGIPS
• Cisco IPS 4300 Series
• Cisco ASA 5500-X Series
integrated IPS
• FirePOWER NGIPS
• FirePOWER NGIPS w/
Application Control
• FirePOWER Virtual
NGIPS
Web Security
• Cisco Web Security
Appliance (WSA)
• Cisco Virtual Web Security
Appliance (vWSA)
• Cisco Cloud Web Security
Firewall & NGFW
• Cisco ASA 5500-X Series
• Cisco ASA 5500-X w/
NGFW license
• Cisco ASA 5585-X w/
NGFW blade
• FirePOWER NGFW
Advanced Malware
Protection
• FireAMP
• FireAMP Mobile
• FireAMP Virtual
• AMP for FirePOWER
license
• Dedicated AMP
FirePOWER appliance
NAC +
Identity Services
• Cisco Identity Services
Engine (ISE)
• Cisco Access Control
Server (ACS)
Email Security
• Cisco Email Security
Appliance (ESA)
• Cisco Virtual Email Security
Appliance (vESA)
• Cisco Cloud Email Security
UTM
• Meraki MX
VPN
• Cisco AnyConnect VPN

7. • eStreamer API
• Send FireSIGHT event data to SIEMs
• Host Input API
• Collect vulnerability and other other host info
• Remediation API
• Programmatic response to third parties from
FireSIGHT
• JDBC Database Access API
• Supports queries from other applications
• pxGrid
• Bi-directional context sharing framework for ISE,
ecosystem partners
• MDM API
• Enables 3rd party MDM partners to make
mobile device posture part of ISE access policy
• External Restful Services (ERS)
• Adds 3rd party asset data to ISE inventory
database
• ThreatGrid API
• Hand off suspicious files for analysis
• Automate submission of files for analysis / create
custom or batch threat feeds
• SSA
• Cisco and third party applications in service chain
configuration
• Management API for ASA
• Third party management of ASA, policy auditing
• Other Integration Points
• Cloud, ESA, WSA, AnyConnect
Integration Points Across the Security Portfolio
Cisco Security is committed to an
extensible product portfolio
because it helps our customers
deploy the best possible defense

8. CSTA Ecosystem Partners – Fire, ISE & More

9. • Secure and efficient mechanism for moving event data
from the Defense Center to another platform
• Provides access to detailed event information including
meta data
• Used by the majority of Sourcefire customers
• Backwards compatible
eStreamer Explained
FireSIGHT Management Center
Device Defense Center eStreamer Client
SIEM
Analytics
Platform

10. eStreamer, Syslog & CEF
FireSIGHT Management Center
Syslog CEF 2.0 eStreamer
Data format Unstructured, Text Unstructured, Text Structured, Binary
Protocol UDP UDP TCP
Secure Unsecure Secure with TLS Secure
Delivery Not Acknowledged Not Acknowledged Acknowledged
Packet No No Yes
Request-able No No Yes
Extra Data No Some Yes
Flow records No No Yes

11. Host Input API
FireSIGHT Management Center
 Augment FireSIGHT database with third party data
→ Vulnerability and OS info from active scanners
→ Enhance Impact Flag correlation
→ Populate existing or custom data fields

12. Remediation API
FireSIGHT Management Center
 Initiated by User Defined Correlation
Rules
 Configure alerts and actions based on
rules. Can involve most kinds of events
→ Support single or multiple conditions i.e.,
time of day, Source IP, Type of event, User
ID
 Remediation can include executing a
Perl script that parses event data fields
for external consumption. Many
possibilities:
→ Make a policy change
→ Use NAC to disconnect an IP
→ Initiate a digital forensics process
!

13. JDBC Database Access Explained
FireSIGHT Management Center
• Query all EVENT data
• Query all HOST data intrusion
• Also, discovery, user activity, correlation, connection, vulnerability,
and application and URL statistics database

14. JDBC Database Access Explained
FireSIGHT Management Center
Enables 3rd party reporting and analytics including visualization

15. Integration Points for ISE
(Cisco Identity Services Engine)
• MDM API
Enables 3rd party MDM partners to make
mobile device posture part of ISE access
policy
• External Restful Services (ERS)
Adds 3rd party asset data to ISE inventory
database
• pxGrid
Bi-directional context sharing framework for
ISE, ecosystem partners
Cisco ISE is an open ecosystem for
ERS and pxGrid integration with
information posted on DevNet.
MDM/EMM integration is by
application only. To apply, reach out
to:
partnering-csta@cisco.com

16. I have identity & device!
I need geo-location & MDM…
I have application info!
I need location & device-type
I have location!
I need app & identity…
Cisco ISE as pxGrid Controller
Publish Publish
Discover TopicDiscover Topic
Continuous Flow
Directed QuerypxGrid
Context
Sharing
CISCO ISE
Continuous Flow
Directed Query
I have sec events!
I need identity & device…
I have MDM info!
I need location…
pxGrid: Partners Connecting to Cisco Security Platforms…and to Other Partners
Authenticate  Authorize  Publish  Discover  Subscribe  Query

17. WHY CUSTOMERS CARE
Cisco pxGrid Context-Sharing & Network Mitigation
Connecting Partners to Cisco Security Platforms
Cisco Provides Network
Context to Customer IT
Platforms
Use Eco-Partner Context
for Cisco Network Policy
for Customers
Cisco Shares User/Device &
Network Context with IT
Infrastructure
Cisco Receives Context from Eco-
Partners to Make Better Network
Access Policy
1 2 3
Help Customer IT
Environments Reach into
the Cisco Network
CISCO PLATFORM ECO-PARTNER
CONTEXT
CISCO PLATFORM ECO-PARTNER
CONTEXT
ECO-PARTNER CISCO PLATFORM
CISCO NETWORK
ACTION
MITIGATE
Puts “Who, What Device, What
Access” with Events. Way Better
than Just IP Addresses!
Creates a Single Place for
Comprehensive Network Access
Policy thru Integration
Decreases Time, Effort and Cost
to Responding to Security and
Network Events

18. Vulnerability
Assessment
Packet Capture
& Forensics
SIEM &
Threat Defense
IAM & SSO
pxGrid
SECURITY THRU
INTEGRATION
pxGrid – Industry Adoption Critical Mass as of June
2015
18 Partner Platforms and 9 Technology Areas Since Release 7 Months Ago
Net/App
Performance
IoT
Security
Cisco ISE Cisco WSA
Cloud Access
Security
?

19. Integration Points Across the Security Portfolio
ThreatGrid, Cisco AnyConnect
• ThreatGrid API
Hand off suspicious files for analysis
• AnyConnect SDK
VPN client provisioning and
configuration for mobile and traditional
compute
ThreatGrid and AnyConnect ecosystems are
specific-purpose and by application only.
If you have an integration idea, reach out to:
partnering-csta@cisco.com

20.  Cisco® AMP Threat Grid’s REST API automates sample analysis, enrichment and reporting
− Automate submission from numerous technologies (host or network)
− Pull results into numerous technologies
Your Existing Security
Get the most from existing security investments
Threat Content
Enrichment
Threat Intelligence
Feeds
Firewall
Network
Taps
SIEM Log Mgmt
Security
Partners
Endpoint
Security
Gateway,
Proxy
IPS/IDS
Threat Grid
Malware Analysis & Threat Intelligence
Advance Malware Protection - ThreatGrid
ThreatGrid APIs

21. Security Services Architecture
Common Architecture
Virtual, Physical and Cloud
Security Services Platform
Platforms that runs SSA
and applications
Security Services Platform (SSP)

22. Security Services Platform (SSP)
Existing Solution
Sandbox Appliance
x1
Load Balancer
x1
IDS/IPS
x4
NAT
x2
NG-Firewall
x2
Web Proxy
x4
New Solution
Security Services Platform

23. Security Services Architecture (SSA)
SSA
OS
FW
IPS
WEB
WAF
DDOS
SSL

24. Check Out Related DevNet Security Sessions
• Cisco pxGrid Developers Learning Lab – in the DevNet Zone
• DEVNET-1123 - CSTA - Cisco Security Technical Alliances Overview
Tuesday, Jun 9, 2:00 PM - 2:30 PM
• DEVNET-1124 - Cisco pxGrid: A New Architecture for Security Platform Integration
Tuesday, Jun 9, 3:00 PM - 3:30 PM
• DEVNET-1010 - Using Cisco pxGrid for Security Platform Integration
Thursday, Jun 11, 9:00 AM - 10:00 AM

25. For More Information…
• DevNet Microsites:
https://developer.cisco.com/security
• pxGrid SDK, Tutorials & Test Tools:
http://cisco.com/go/pxgrid
• Forums:
https://supportforums.cisco.com/community/4561/security
• CSTA Partner Listing Customers:
http://www.cisco.com/c/en/us/products/security/partner-ecosystem.html

26. Thank you

27. CSTA Partners at Cisco Live US 2015
Stand 2223: FireSIGHT Remediation API sends F5 host target
information for real-time blocking
Stand 2501:‘Packet Broker’ helps with many traffic visibility,
maintenance and high availability architectures
Stand 3128: Integrates with ISE. Provides important mobile
device posture information
Stand 1035: Integrates with ASA. Collects policy information for security
risk modeling, change control, audit and compliance
Stand 1624, Partner Village: PxGrid, end point posture
information and transaction data from ISE
Stand 1624, Partner Village: SIEM and analytics platform. Collects data
FireSIGHT via eStreamer, from ISE, WSA, and ASA through syslog

28. CSTA Partners at Cisco Live US 2015
Stand 1301: ‘Packet Broker’ helps with many traffic visibility,
maintenance and high availability architectures
Stand 1524 : Integrates with ASA. Collects policy information for security
risk modeling, change control, audit and compliance
Stand 2319, SIEM and analytics platform. Collects data FireSIGHT via
eStreamer, from ISE, WSA, CSA, ASA and ThreatGrid through syslog
Stand 2211: Full packet capture and session analysis. Integrates with
FireSIGHT via community patch extending IPS event analysis
Stand 3405: FireSIGHT’s Host Input API collects vulnerability
report to augment threat data

29. CSTA Partners at Cisco Live US 2015
Stand 2517: ‘‘Packet Broker’ helps with many traffic visibility,
maintenance and high availability architectures
Stand 3300: ‘Packet Broker’ helps with many traffic visibility,
maintenance and high availability architectures
Stand 1324: Integrates with ASA. Collects policy information for security
risk modeling, change control, audit and compliance (al)
Stand 2023: Infrastructure, Load balancing and FireSIGHT Remediation API

30. Alliance Components and Expertise
Integration Area Expert Time Zone email
All ask-csta-pm
ISE/PxGrid Scott Pope San Jose scottp
ISE/PxGrid Brian Gonsalves San Jose bgonsalv
SSA Chris Morosco San Jose group.cmorosco
ThreatGRID Dan Franklin New York dafrankl
Cloud Jasper Chan San Jose jaspchan
FireSIGHT MC Douglas Hurd New York dohurd
Competitive Eco Shyue Hong Chuang Singapore schuang

31. https://23.22.6.78/en-
US/account/login?return_to=/en-US/