With over a dozen APIs and integration points, Cisco's security product portfolio offers many ways to share data with, and collect data from, other complementary technologies including MDM, EDM, SIEM, IR and Vulnerability Management. Cisco's CSTA program focuses on helping customers achieve a higher level of security through automation and more intelligent event attribution.
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosystem Built on APIs/Integration Points in the Security Portfolio
3. Outline
• CSTA: What is it?
• Why it matters
• Integration points & use cases
• Getting more information
"As the threat from the industrialized hackers grows, new, novel solutions will need to evolve to counteract the threat, so that our customers can defeat the attackers... open architectures with best of breed solution providers is the only way to go. The era of the closed, black box architectures is dead!"
John Negron, SVP WW Sales - Cisco Security
4. Cisco Security Technical Alliances is...
An umbrella program covering multiple partner ecosystems in the BU:
• Sourcefire Technology Partner Program
• ISE Ecosystem
• ThreatGrid
• SSP Partners
• Content
• ASA
• AnyConnect
5. Why you should care: overwhelmed customers?
• Typically use dozens of different security products
• No one does it all. Customers cherry pick.
• Want security products to work together
• Overwhelmed with event data and rely on SIEM
• Integration can spur automation and...
  • Help with policy maintenance
  • Speed response time
  • Reduce time to resolve critical events
  • Reduce TCO
7. Integration Points Across the Security Portfolio
• eStreamer API
  • Send FireSIGHT event data to SIEMs
• Host Input API
  • Collect vulnerability and other host info
• Remediation API
  • Programmatic response to third parties from FireSIGHT
• JDBC Database Access API
  • Supports queries from other applications
• pxGrid
  • Bi-directional context sharing framework for ISE, ecosystem partners
• MDM API
  • Enables 3rd party MDM partners to make mobile device posture part of ISE access policy
• External Restful Services (ERS)
  • Adds 3rd party asset data to ISE inventory database
• ThreatGrid API
  • Hand off suspicious files for analysis
  • Automate submission of files for analysis / create custom or batch threat feeds
• SSA
  • Cisco and third party applications in service chain configuration
• Management API for ASA
  • Third party management of ASA, policy auditing
• Other Integration Points
  • Cloud, ESA, WSA, AnyConnect
Cisco Security is committed to an extensible product portfolio because it helps our customers deploy the best possible defense.
9. eStreamer Explained
FireSIGHT Management Center
• Secure and efficient mechanism for moving event data from the Defense Center to another platform
• Provides access to detailed event information including metadata
• Used by the majority of Sourcefire customers
• Backwards compatible
[Diagram: Device → Defense Center (FireSIGHT Management Center) → eStreamer client → SIEM / analytics platform]
10. eStreamer, Syslog & CEF
FireSIGHT Management Center

Feature        Syslog               CEF 2.0              eStreamer
Data format    Unstructured, text   Unstructured, text   Structured, binary
Protocol       UDP                  UDP                  TCP
Secure         Unsecure             Secure with TLS      Secure
Delivery       Not acknowledged     Not acknowledged     Acknowledged
Packet         No                   No                   Yes
Request-able   No                   No                   Yes
Extra data     No                   Some                 Yes
Flow records   No                   No                   Yes
11. Host Input API
FireSIGHT Management Center
Augment FireSIGHT database with third party data
→ Vulnerability and OS info from active scanners
→ Enhance Impact Flag correlation
→ Populate existing or custom data fields
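To make the "enhance Impact Flag correlation" bullet concrete, here is an added example (not Cisco's code) of how scanner data imported through a Host Input style client can change the impact level of the same intrusion event. The five impact levels follow the FireSIGHT colour scheme only in broad strokes and are an assumption, not the product's exact algorithm; hosts, the scan report and the vulnerability ID are constructed.

```python
import copy

def impact_level(event: dict, host_map: dict) -> int:
    """Simplified impact levels (assumption, not the product's exact logic):
    0 unknown: target host not in the network map
    4 unknown target: host known but no OS or port data
    3 currently not vulnerable: targeted port not open on the host
    2 potentially vulnerable: port open, but no matching vulnerability mapped
    1 vulnerable: the rule's vulnerability is mapped to the host"""
    host = host_map.get(event["dst_ip"])
    if host is None:
        return 0
    if not host["os"] and not host["open_ports"]:
        return 4
    if event["dst_port"] not in host["open_ports"]:
        return 3
    if event["vuln_id"] in host["vulns"]:
        return 1
    return 2

def host_input_import(host_map: dict, scan_results: list) -> dict:
    """Merge scanner findings (OS, open ports, vulnerability IDs) into a copy
    of the host map, the way a Host Input client populates FireSIGHT's
    host database. Fields the scan omits keep their existing values."""
    merged = copy.deepcopy(host_map)
    for finding in scan_results:
        host = merged.setdefault(finding["ip"],
                                 {"os": "", "open_ports": set(), "vulns": set()})
        host["os"] = finding.get("os") or host["os"]
        host["open_ports"] |= set(finding.get("open_ports", []))
        host["vulns"] |= set(finding.get("vulns", []))
    return merged

# Constructed data: one passively discovered host, one scanner report and one
# intrusion event whose rule maps to a placeholder vulnerability ID.
HOSTS = {"10.0.0.5": {"os": "Linux", "open_ports": {22, 80}, "vulns": set()}}
SCAN = [{"ip": "10.0.0.5", "open_ports": [80], "vulns": ["VULN-PLACEHOLDER-1"]},
        {"ip": "10.0.0.9", "os": "Windows", "open_ports": [445]}]
EVENT = {"dst_ip": "10.0.0.5", "dst_port": 80, "vuln_id": "VULN-PLACEHOLDER-1"}

def before_and_after() -> tuple:
    """Impact level of EVENT before and after the Host Input import."""
    return impact_level(EVENT, HOSTS), impact_level(EVENT, host_input_import(HOSTS, SCAN))
```

Before the import the event is only "potentially vulnerable" (port 80 open); after it the scanner's finding maps the vulnerability to the host and the event becomes "vulnerable".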
12. Remediation API
FireSIGHT Management Center
Initiated by user-defined correlation rules: configure alerts and actions based on rules. Can involve most kinds of events.
→ Support single or multiple conditions, e.g., time of day, source IP, type of event, user ID
Remediation can include executing a Perl script that parses event data fields for external consumption. Many possibilities:
→ Make a policy change
→ Use NAC to disconnect an IP
→ Initiate a digital forensics process
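The slide describes a correlation rule with several conditions that hands event fields to a remediation script. The following is an added illustration (not Cisco's Remediation API or a real module) of that flow in Python: a rule that ANDs time-of-day, source IP, event type and priority conditions, and a handler that parses the matching event into the payload a NAC would consume. Event records, the rule and the handler name are constructed.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass
class Event:
    event_type: str      # "intrusion", "connection", "malware", ...
    src_ip: str
    user_id: str
    event_time: time
    priority: int        # 1 = high, 3 = low (constructed scale)

@dataclass
class CorrelationRule:
    name: str
    event_types: set     # type-of-event condition
    src_network: str     # source-IP condition
    after: time          # time-of-day window
    before: time
    max_priority: int = 1
    remediation: str = "nac_disconnect"   # handler name, like a module's script

    def matches(self, ev: Event) -> bool:
        """Every condition must hold (the rule ANDs them)."""
        return (ev.event_type in self.event_types
                and ip_address(ev.src_ip) in ip_network(self.src_network)
                and self.after <= ev.event_time <= self.before
                and ev.priority <= self.max_priority)

def nac_disconnect(ev: Event) -> dict:
    """Parse the event fields into the payload an external NAC would consume;
    a real module would do this in the script the FMC launches with the fields."""
    return {"action": "quarantine", "ip": ev.src_ip, "user": ev.user_id,
            "reason": f"{ev.event_type} at {ev.event_time.isoformat()}"}
REMEDIATIONS = {"nac_disconnect": nac_disconnect}

def run_rules(rules: list, events: list) -> list:
    """Evaluate each rule against each event; return (rule name, payload) pairs."""
    return [(r.name, REMEDIATIONS[r.remediation](ev))
            for ev in events for r in rules if r.matches(ev)]

# Constructed sample: one after-hours rule and four events; only the first
# event satisfies all conditions at once.
AFTER_HOURS = CorrelationRule("after-hours-intrusion", {"intrusion", "malware"},
                              "10.1.0.0/16", time(20, 0), time(23, 59, 59))
EVENTS = [
    Event("intrusion", "10.1.2.3", "bob", time(23, 15), 1),      # matches
    Event("intrusion", "10.1.2.4", "eve", time(14, 0), 1),       # daytime
    Event("connection", "10.1.2.5", "dan", time(23, 30), 1),     # wrong type
    Event("malware", "192.168.5.5", "kim", time(23, 30), 1),     # other subnet
]

def demo() -> list:
    return run_rules([AFTER_HOURS], EVENTS)
```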
13. JDBC Database Access Explained
FireSIGHT Management Center
• Query all EVENT data
• Query all HOST data
• Also intrusion, discovery, user activity, correlation, connection, vulnerability, and application and URL statistics database
14. JDBC Database Access Explained
FireSIGHT Management Center
Enables 3rd party reporting and analytics including visualization
15. Integration Points for ISE (Cisco Identity Services Engine)
• MDM API: Enables 3rd party MDM partners to make mobile device posture part of ISE access policy
• External Restful Services (ERS): Adds 3rd party asset data to ISE inventory database
• pxGrid: Bi-directional context sharing framework for ISE, ecosystem partners
Cisco ISE is an open ecosystem for ERS and pxGrid integration with information posted on DevNet. MDM/EMM integration is by application only. To apply, reach out to: partnering-csta@cisco.com
16. pxGrid: Partners Connecting to Cisco Security Platforms...and to Other Partners
[Diagram: Cisco ISE as pxGrid controller. Partners authenticate, authorize, publish, discover topics, subscribe and query; context is shared either as a continuous flow or as a directed query. Example partner needs shown around the hub:]
• "I have identity & device! I need geo-location & MDM..."
• "I have application info! I need location & device-type"
• "I have location! I need app & identity..."
• "I have sec events! I need identity & device..."
• "I have MDM info! I need location..."
17. WHY CUSTOMERS CARE
Cisco pxGrid Context-Sharing & Network Mitigation: Connecting Partners to Cisco Security Platforms
1. Cisco provides network context to customer IT platforms (Cisco platform → eco-partner: context). Cisco shares user/device & network context with IT infrastructure. Puts "Who, What Device, What Access" with events. Way better than just IP addresses!
2. Use eco-partner context for Cisco network policy for customers (eco-partner → Cisco platform: context). Cisco receives context from eco-partners to make better network access policy. Creates a single place for comprehensive network access policy thru integration.
3. Help customer IT environments reach into the Cisco network (eco-partner → Cisco platform → Cisco network: action / mitigate). Decreases time, effort and cost to responding to security and network events.
18. pxGrid – Industry Adoption Critical Mass as of June 2015
18 partner platforms and 9 technology areas since release 7 months ago
[Diagram: pxGrid "Security thru Integration" hub with Cisco ISE and Cisco WSA, surrounded by the technology areas: Vulnerability Assessment, Packet Capture & Forensics, SIEM & Threat Defense, IAM & SSO, Net/App Performance, IoT Security, Cloud Access Security, and a "?" placeholder]
19. Integration Points Across the Security Portfolio: ThreatGrid, Cisco AnyConnect
• ThreatGrid API: Hand off suspicious files for analysis
• AnyConnect SDK: VPN client provisioning and configuration for mobile and traditional compute
ThreatGrid and AnyConnect ecosystems are specific-purpose and by application only. If you have an integration idea, reach out to: partnering-csta@cisco.com
20. Advanced Malware Protection - ThreatGrid: ThreatGrid APIs
Cisco® AMP Threat Grid's REST API automates sample analysis, enrichment and reporting
− Automate submission from numerous technologies (host or network)
− Pull results into numerous technologies
[Diagram: Threat Grid (malware analysis & threat intelligence) exchanging samples and results with your existing security, to get the most from existing security investments: firewall, network taps, IPS/IDS, gateway/proxy, endpoint security, SIEM / log mgmt, security partners, threat content enrichment and threat intelligence feeds]
21. Security Services Architecture
Common architecture: virtual, physical and cloud
Security Services Platform (SSP): the platform that runs SSA and applications
24. Check Out Related DevNet Security Sessions
• Cisco pxGrid Developers Learning Lab – in the DevNet Zone
• DEVNET-1123 - CSTA - Cisco Security Technical Alliances Overview
Tuesday, Jun 9, 2:00 PM - 2:30 PM
• DEVNET-1124 - Cisco pxGrid: A New Architecture for Security Platform Integration
Tuesday, Jun 9, 3:00 PM - 3:30 PM
• DEVNET-1010 - Using Cisco pxGrid for Security Platform Integration
Thursday, Jun 11, 9:00 AM - 10:00 AM
25. For More Information…
• DevNet Microsites:
https://developer.cisco.com/security
• pxGrid SDK, Tutorials & Test Tools:
http://cisco.com/go/pxgrid
• Forums:
https://supportforums.cisco.com/community/4561/security
• CSTA Partner Listing Customers:
http://www.cisco.com/c/en/us/products/security/partner-ecosystem.html
27. CSTA Partners at Cisco Live US 2015
Stand 2223: FireSIGHT Remediation API sends F5 host target information for real-time blocking
Stand 2501: ‘Packet Broker’ helps with many traffic visibility, maintenance and high availability architectures
Stand 3128: Integrates with ISE. Provides important mobile device posture information
Stand 1035: Integrates with ASA. Collects policy information for security risk modeling, change control, audit and compliance
Stand 1624, Partner Village: pxGrid, end point posture information and transaction data from ISE
Stand 1624, Partner Village: SIEM and analytics platform. Collects data from FireSIGHT via eStreamer, and from ISE, WSA, and ASA through syslog
28. CSTA Partners at Cisco Live US 2015
Stand 1301: ‘Packet Broker’ helps with many traffic visibility, maintenance and high availability architectures
Stand 1524: Integrates with ASA. Collects policy information for security risk modeling, change control, audit and compliance
Stand 2319: SIEM and analytics platform. Collects data from FireSIGHT via eStreamer, and from ISE, WSA, CSA, ASA and ThreatGrid through syslog
Stand 2211: Full packet capture and session analysis. Integrates with FireSIGHT via community patch extending IPS event analysis
Stand 3405: FireSIGHT’s Host Input API collects vulnerability report to augment threat data
29. CSTA Partners at Cisco Live US 2015
Stand 2517: ‘Packet Broker’ helps with many traffic visibility, maintenance and high availability architectures
Stand 3300: ‘Packet Broker’ helps with many traffic visibility, maintenance and high availability architectures
Stand 1324: Integrates with ASA. Collects policy information for security risk modeling, change control, audit and compliance
Stand 2023: Infrastructure, load balancing and FireSIGHT Remediation API
30. Alliance Components and Expertise

Integration Area   Expert               Time Zone   Email
All                -                    -           ask-csta-pm
ISE/pxGrid         Scott Pope           San Jose    scottp
ISE/pxGrid         Brian Gonsalves      San Jose    bgonsalv
SSA                Chris Morosco        San Jose    group.cmorosco
ThreatGRID         Dan Franklin         New York    dafrankl
Cloud              Jasper Chan          San Jose    jaspchan
FireSIGHT MC       Douglas Hurd         New York    dohurd
Competitive Eco    Shyue Hong Chuang    Singapore   schuang
Automated response is something that is starting to happen.
500 companies at the RSA event.
- Multiple disparate programs need to be consolidated to unify messaging, mission, sales collateral
- The new program creates a ‘brand’ that can be communicated externally, more easily used as a sales asset, positioned as an advantage that Cisco security has
Now and future
Include Open APIs,
This is a can of worms. The GOOD kind
Not all third party products fit perfectly into the BDA framework but this is a good way to present the breadth and power of Cisco Security’s combined ecosystem
Make this slide part of any high level corporate presentation. Customers and prospects always start asking questions. Buying questions.
Sets you up for another more in depth meeting opening discussions for more incremental product sales
ISE integrates with many networking & IT platforms to do 3 things:
Make customer IT platforms user/identity, device and network aware
How: Share ISE context with ecosystem partner products/platforms
Why this matters to customers: Answers “who, what authz group, what device, what type of access, where” associated with events. Enables use of all of those in policies and analytics. Way better than just using IP addresses and ports!
Make ISE a better network policy platform for customers
How: Ecosystem platforms share their context with ISE so ISE can use it in network policy
Why this matters to customers: Creates a single place for comprehensive network policy. ISE will never natively have all policy elements needed for this, but it can source them through ecosystem integrations.
Help customer IT environments integrate and reach into the Cisco network
How: Ecosystem platforms leverage ISE to take network actions on users and device (e.g. quarantine a device)
Why this matters to customers: Decreases time, effort and cost to responding to security and network events
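The three ISE use cases above (and the pxGrid publish / discover / subscribe / query slide) can be walked through with a toy in-process broker. This is an added example, not Cisco's code and not the real pxGrid protocol; topic names, the session and posture records, and the partner roles are constructed.

```python
from collections import defaultdict

class Broker:
    """Toy pxGrid-like controller: each topic keeps the latest record per IP,
    subscribers get a callback on every publish (continuous flow), and
    query() reads the current state (directed query)."""
    def __init__(self):
        self.topics = defaultdict(dict)
        self.subscribers = defaultdict(list)
        self.actions = []           # network actions requested by partners
    def publish(self, topic: str, key: str, record: dict) -> None:
        self.topics[topic][key] = record
        for callback in self.subscribers[topic]:
            callback(key, record)
    def subscribe(self, topic: str, callback) -> None:
        self.subscribers[topic].append(callback)
    def query(self, topic: str, key: str):
        return self.topics[topic].get(key)
    def mitigate(self, ip: str, action: str) -> None:
        """Use case 3: a partner reaches into the network through ISE."""
        self.actions.append((ip, action))

def enrich_event(broker: Broker, event: dict) -> dict:
    """Use case 1: a SIEM adds who / what device / what access to an IP-only event."""
    sess = broker.query("session", event["src_ip"]) or {}
    return {**event, "user": sess.get("user", "unknown"),
            "device": sess.get("device", "unknown"),
            "authz_group": sess.get("authz_group", "unknown")}

def access_decision(broker: Broker, ip: str) -> str:
    """Use case 2: ISE folds partner MDM posture into its own policy decision."""
    if broker.query("session", ip) is None:
        return "deny"
    posture = broker.query("mdm_posture", ip) or {}
    return "quarantine" if posture.get("compliant") is False else "permit"

def scenario() -> tuple:
    """Constructed exchange: ISE publishes a session, an MDM partner publishes
    posture, a SIEM subscribes and enriches, a non-compliant device is quarantined."""
    b, seen = Broker(), []
    b.subscribe("session", lambda ip, rec: seen.append((ip, rec["user"])))
    b.publish("session", "10.1.1.50",
              {"user": "alice", "device": "iPad", "authz_group": "Employees"})
    b.publish("mdm_posture", "10.1.1.50", {"compliant": False})
    enriched = enrich_event(b, {"src_ip": "10.1.1.50", "signature": "beacon"})
    decision = access_decision(b, "10.1.1.50")
    if decision == "quarantine":
        b.mitigate("10.1.1.50", decision)
    return enriched, decision, b.actions, seen
```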
Earlier I talked about Threat Grid’s ability to unify all of the threat defense and intelligence tools you use in your enterprise. We’ve done this by really focusing on integration and automation.
We provide a framework and API to automate the entire threat defense process, from submitting samples to using and disseminating the results of analyses. That includes pulling information into third-party products such as EnCase, AMP for Endpoints, traditional antivirus solutions, and network packet capture solutions such as RSA. It also includes reporting back to the original endpoint or network products, and feeding the information to intrusion detection systems, proxies, SIEMs, and visualization tools such as Splunk, Maltego, Palantir, and others.
Ultimately, you can take the large amount of data you’re producing in your environment and continually correlate it with the petabytes of global threat data we process through the Threat Grid platform. So you can reduce the reaction time of your SOC team, increase the accuracy and capabilities of your forensics team, and empower your engineering groups to block threats more proactively and automatically. That’s what we mean by unified malware analysis and threat intelligence.