We re ready. Are you?

Transcription

1 We re ready. Are you?

2 Network as a Sensor and Enforcer Matt Robertson, Technical Marketing Engineer BRKSEC-2026

3 Why are we here today?

4

5

6 Insider Threats

7 Leverage the network Identify and control policy, behaviour and threats SGT: Enforce Group Policy NetFlow: Transactional data ISE: Discover assets & direct policy StealthWatch: Transactional visibility & intelligence Context sharing and dynamic response

8 Agenda Introduction Understanding the Landscape Components of Network Visibility Enforce Policy Design and Model Policy Discover and Classify Assets Segmenting the Network Active Monitoring Policy NBAD Adaptive Network Control Summary

9 About Me Matthew Robertson Security Technical Marketing Engineer Partner Product Team Development and Technical Marketing Focused on advanced threat detection Author of 3 CVD s I am Canadian!

10 Agenda Introduction Understanding the Landscape Components of Network Visibility

11 Segmentation begins with visibility Who is on the network You can t protect what you can t see and what are they up to?

12 ISE: Identifying the Who Authentication (host supplied): User & Device Authentication MAC Authentication bypass Web portal Authenticated Session Table Attributes Profile (collected): Infrastructure provided (DHCP, HTTP, etc) Signature based ISE is cool! BRKSEC-2695 with Imran Bashir Thursday, Nov 5, 9:30 AM 11:30 AM

13 eth0/1 eth0/2 NetFlow: Identifying the what port port 80 Start Time Interface Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent SGT DGT TCP Flags 10:20: eth0/ TCP SYN,ACK,PSH 10:20: eth0/ TCP SYN,ACK,FIN

14 NetFlow = Transactional Visibility A single NetFlow Record provides a wealth of information Router# show flow monitor CYBER-MONITOR cache IPV4 SOURCE ADDRESS: IPV4 DESTINATION ADDRESS: TRNS SOURCE PORT: TRNS DESTINATION PORT: 443 INTERFACE INPUT: Gi0/0/0 FLOW CTS SOURCE GROUP TAG: 100 FLOW CTS DESTINATION GROUP TAG: 1010 IP TOS: 0x00 IP PROTOCOL: 6 ipv4 next hop address: tcp flags: 0x1A interface output: Gi0/1.20 counter bytes: 1482 counter packets: 23 timestamp first: 12:33: timestamp last: 12:33: ip dscp: 0x00 ip ttl min: 127 ip ttl max: 127 application name: nbar secure-http

15 Components for NetFlow Security Monitoring StealthWatch Management Console Management and reporting Up to 25 FlowCollectors Up 6 million fps globally StealthWatch FlowCollector Collect and analyze Up to 2000 sources Up to sustained 240,000 fps UDP Director UDP Packet copier Forward to multiple collection systems NetFlow Cisco Network Best Practice: Centralize collection globally StealthWatch FlowSensor (VE) Generate NetFlow data Additional contextual fields (ex. App, URL, SRT, RTT)

16 eth0/1 eth0/2 NetFlow Collection: Flow Stitching Uni-directional flow records port 1024 Start Time Interface Src IP Src Port Dest IP Dest Port Proto port 80 Pkts Sent Bytes Sent 10:20: eth0/ TCP :20: eth0/ TCP SGT DGT Start Time Client IP Client Port Server IP Server Port Proto Client Bytes Client Pkts Server Bytes Server Pkts Client SGT Server SGT Interfaces 10:20: TCP eth0/1 eth0/2 Bi-directional: Conversation flow record Allows easy visualization and analysis

17 NetFlow Collection: De-duplication Start Time port 1024 Sw1 ASA port 80 Client IP Client Port Server IP Server Port Prot o Client Bytes Client Pkts Server Bytes Server Pkts App Client SGT Server SGT Exporter, Interface, Direction, Action 10:20: TCP HTTP Sw1, eth0, in Sw1, eth1, out Sw2, eth0, in Sw2, eth1, out ASA, eth1, in ASA, eth0, out, Permitted ASA eth0, in, Permitted ASA, eth1, out Sw3, eth1, in Sw3, eth0, out Sw1, eth1, in Sw1, eth0, out Sw2 Sw3

18 Adding Context and Situation Awareness Known Command & Control Servers NAT Events Application & URL Application User Identity URL & Username

19 Conversational Flow Record Who What Who When Where How More context Highly scalable (enterprise class) collection High compression => long term storage Months of data retention

20 Conversational Flow Record: Exporters Path the flow is taking through the network

21 Traffic Analysis with StealthWatch can help: Discovery Identify business critical applications and services across the network Identify additional IOCs Policy & Segmentation Network Behaviour Anomaly Detection (NBAD) Better understand / respond to an IOC: Audit trail of all host-to-host communication

22 Agenda Introduction Understanding the Landscape Components of Network Visibility Segmenting the Network

23 Segmentation: Controlling the threats Macro Segmentation: Define business critical/relevant zones Employees Production Development Micro Segmentation: Define segmentation policy within zones Ex: user to user policy

24 Simplifying Segmentation with TrustSec Traditional Segmentation Static ACL Routing Redundancy DHCP Scope Address VLAN Enterprise Backbone VACL Aggregation Layer Access Layer TrustSec Micro/Macro Segmentation Central Policy Provisioning No Topology Change No VLAN Change DC Servers Enterprise Backbone DC Firewall / Switch Policy Access Layer ISE Non-Compliant Voice Employee Supplier BYOD Voice Non-Compliant Employee Supplier BYOD Quarantine VLAN Voice VLAN Data VLAN Guest VLAN Security Policy based on Topology High cost and complex maintenance BYOD VLAN Employee Tag Supplier Tag Non-Compliant Tag Voice VLAN Data VLAN Use existing topology and automate security policy to reduce OpEx

25 Network Segmentation with TrustSec TrustSec Segmentation provides Segmentation based on RBAC, independent from address based topology Role based on AD, LDAP attributes, device type, location, time, access methods, etc Use Tagging technology to represent logical group, traffic sent along with tag Tag based policy enforcement on switch, router, and firewall Centrally define segmentation policy, which can be invoked anywhere on the network SGT: Manager Username: johnd Group: Store Managers Location: Store Office Time: Business Hour Enforcement Switches Routers Firewall DC Switch Hypervisor SW Resource

26 What TrustSec Provides Software defined Network Segmentation Context-based Data Access Agile Security Policy Changes and Simpler Management Context based Service Chaining

27 TrustSec Functions Classification Propagation Enforcement 5 Employee 6 Supplier 8 Suspicious A B 8 5 Static Dynamic Inline SXP WAN SGACL SGFW SGZBFW

28 TrustSec in Action Remote Access ISE Directory Application Servers 8 SGT 5 SGT Wireless Network Users Switch Routers DC Firewall DC Switch Application Servers 7 SGT Classification Propagation Enforcement

29 User to Data Center Access Control with TrustSec Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers Data Center Firewall Campus Core Data Center TrustSec simplifies ACL management for intra/inter- VLAN traffic Building 3 WLAN Data VLAN Voice Access Layer Voice Employee Suppliers Guest Non-Compliant Main Building Data VLAN Employee Tag Supplier Tag Guest Tag Non-Compliant Tag

30 Campus Segmentation with TrustSec Enforcement is based on the Security Group Tag, can control communication in same VLAN Data Center Firewall Campus Core Data Center Access Layer Building 3 Data VLAN (200) Voice Voice Employee Employee Guest Quarantine Main Building Data VLAN (100) Employee Tag Supplier Tag Guest Tag Quarantine Tag 35

31 Agenda Introduction Understanding the Landscape Components of Network Visibility Discover and Classify Assets Segmenting the Network

32 ISE as a Telemetry Source Maintain historical session table Correlate NetFlow to username Build User-centric reports Device/User Authentication Device Profiling StealthWatch Management Console syslog Cisco ISE Authenticated Session Table

33 Locate Services and Applications Search for assets based on transactional data: Ex. Protocol (HTTP Servers, FTP Server, etc) Identify servers

34 Locate Assets Find hosts communicating on the network Pivot based on transactional data

35 Host Groups: Applied Situational Awareness Virtual container of multiple IP Addresses/ranges that have similar attributes Lab servers Best Practice: classify all known IP Addresses in one or more host groups

36 Classify Assets with Host Groups User defined Model any Process/Application

37 Understand Behaviour List of all hosts communicating with HTTP Servers

38 Understand Behaviour Complete list of all hosts communicating with HTTP Servers: who, what, when, where, how

39 Classify Applications Classify business critical applications

40 Model Business Critical Processes PCI Zone Map Overall system profile Inter-system relationships

41 Agenda Introduction Understanding the Landscape Components of Network Visibility Design and Model Policy Discover and Classify Assets Segmenting the Network

42 Starting a TrustSec Design Discuss assets to protect Classification Mechanisms Policy Enforcement Points Propagation Methods Example: Cardholder Data, Medical Record, intellectual data Example: Dynamic, Static, etc. DC segmentation (DC virtual/ physical switches or virtual/physical Firewalls) User to DC access control (Identify capable switches or firewalls in the path) Inline Tagging SXP DM-VPN GET-VPN IPSec OTP etc..

43 Security Group Initial Considerations Unlike traditional segmentation/access control Adding dynamically assigned groups later with TrustSec should be easy No configuration impact on infrastructure Keep groups as simple as possible whilst still meeting policy requirements Should not be necessary to transfer complexity, e.g. extensive AD groups, into Security Groups Consider if all roles need a tag assigned? Remember that group membership may change

44 How to Tag Users / Devices? TrustSec decouples network topology and security policy to simplify access control and segmentation Classification process groups network resources into Security Groups User/Device/ Location Cisco Access Layer MAC PC Web Authentication Profiling MAB ISE IP-SGT NX-OS/ CIAC/ Hypervisors VLAN-SGT Port-SGT Data Center/ Virtualization 802.1X IOS/Routing Port Profile Address Pool-SGT IPv4 Subnet-SGT IPv6 Prefix-SGT IPv6 Prefix Learning IPv4 Prefix Learning Campus & VPN Access non-cisco & legacy environment Business Partners and Supplier Access Controls

45 Identify Where SGTs Need to be Assigned End User, Endpoint is classified with SGT SVI interface is mapped to SGT Physical Server is mapped to SGT Campus Access Distribution Core DC Core EOR DC Access Enterprise Backbone SRC: VLAN is mapped to SGT WLC FW Hypervisor SW BYOD device is classified with SGT Virtual Machine is mapped to SGT

46 Enabling Classifications Many migration options can be used to make enabling easy If per-user authorization is not in place Enabling VLAN, subnet, L3 Interface mappings can provide coarse classification initially Per-user authorization and SXP can then override static classification Many systems may get Unknown SGT assignments initially Focus on the explicit classifications needed to meet policy Keeping classifications simple can mean days not weeks to enable

47 Typical Deployment Approach PCI Server Campus Network Production Server Users, Endpoints Catalyst Switches/WLC (3K/4K/6K) N7K Development Server Monitor Mode authentication port-control auto authentication open dot1x pae authenticator AUTH=OK SGT= PCI User (105) SRC \ DST Employees (100) PCI Server (2000) Prod Server (1000) Dev Server (1010) Permit all Permit all Permit all PCI User (105) Permit all Permit all Permit all Unknown (0) Permit all Permit all Permit all 1. Users connect to network, Monitor mode allows traffic regardless of authentication 2. Authentication can be performed passively resulting in SGT assignments 3. Classified traffic traverses the network allowing monitoring and validation that: - Assets are correctly classified - Traffic flows to assets are as predicted/expected

48 Configuring inline tagging cts manual config for inline tagging generally used cts dot1x alternative depends on AAA reachability - unless new critical auth feature used & timers set carefully interface TenGigabitEthernet1/5 cts manual policy static sgt 2 trusted Always shut and no shut interfaces after any cts manual or cts dot1x change C6K2T-CORE-1#sho cts interface brief Global Dot1x feature is Enabled Interface GigabitEthernet1/1: CTS is enabled, mode: MANUAL IFC state: OPEN Authentication Status: NOT APPLICABLE Peer identity: "unknown" Peer's advertised capabilities: "" Authorization Status: SUCCEEDED Peer SGT: 2:device_sgt Peer SGT assignment: Trusted SAP Status: NOT APPLICABLE Propagate SGT: Enabled Cache Info: Expiration : N/A Cache applied to link : NONE L3 IPM: disabled.

49 Creating the policy matrix Destination Group How do I know my policy works? How do I decide what protocols? How do I know if I am tagging? Source Group Action

50 SGT in NetFlow Fields Source Group Tag: Retrieved from the packet Destination Group Tag: Derived based on destination IP Address Switch Derived SGT: 4K Only: Value applied on the packet on egress SGT Table 6K only: export in NetFlow template data tables mapping Security Group Tags to Security Group Names SGACL Drop Record 6k only: Generate a flow record on a SGACL drop

51 SGT-NetFlow Device List Device First Release SGT DGT Switch- Derived SGT SGT Table SGACL Drop Record Catalyst 6500 (Sup2T) IOS 15.1(1)SY1 Yes (match) Yes (match) No Yes Yes (dedicated monitor) ISR, ASR, CSR IOS XE 3.13S Yes Yes No No No Catalyst 3850, 3650 IOS XE 3.7.1E IOS XE 3.6.3E* Yes (match) Yes (match) No No No Catalyst 4500 (Sup 7-E, 7L-E, 8-E) IOS XE 3.7.1E IOS XE 3.6.3E* Yes (collect) Yes (collect) Yes No No ASA No No No No NSEL Record StealthWatch FlowSensor 6.8 Yes No No No No

52 Considerations: 3850! Ingress: SGT Sources: Derived from packet header DGT Sources: Derived based on destination IP lookup SGACL enforcement must be enabled Trunk link only Egress: SGT Sources: Incoming packet header Port configured SGT IP to SGT mapping DGT Sources: Derived based on destination IP lookup Requires SGACL enforcement to be enabled Trunk link only flow monitor cts-cyber-monitor-in exporter StealthWatch-FC cache timeout active 60 record cts-cyber-3k-in!! flow monitor cts-cyber-monitor-out exporter StealthWatch-FC cache timeout active 60 record cts-cyber-3k-out! interface GigabitEthernet1/0/1 ip flow monitor cts-cyber-monitor-in input ip flow monitor cts-cyber-monitor-out output! vlan configuration 100 ip flow monitor cts-cyber-monitor-in input ip flow monitor cts-cyber-monitor-out output!

53 Considerations: 3850! flow record cts-cyber-3k-in match datalink mac source address input match datalink mac destination address input match ipv4 tos match ipv4 ttl match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input match flow direction match flow cts source group-tag match flow cts destination group-tag collect counter bytes long collect counter packets long collect timestamp absolute first collect timestamp absolute last!! flow record cts-cyber-3k-out match ipv4 tos match ipv4 ttl match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match flow direction match flow cts source group-tag match flow cts destination group-tag collect counter bytes long collect counter packets long collect timestamp absolute first collect timestamp absolute last!

54 Considerations: 4500 Sup 7-E, 7L-E, 8-E SGT: Packet header Maximum 12K distinct SRC-IP s DGT: Derived based on destination IP Switch Derived SGT: SGT enforced on the packet from the switch Policy acquisition SGT in the packet SGT lookup on source IP Port SGT lookup SGT on packet at egress! flow record cts-cyber-4k match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input match flow direction collect flow cts source group-tag collect flow cts destination group-tag collect flow cts switch derived-sgt collect transport tcp flags collect interface output collect counter bytes collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last!

55 Considerations: 6500 Sup 2T TrustSec data table: Export SGT-SGN mapping in NetFlow template! flow record cts-cyber-6k match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match flow cts source group-tag match flow cts destination group-tag collect transport tcp flags collect interface output collect counter bytes collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last! SGACL Drop: Flow record generated on a drop Requires dedicated Flow Monitor SGT: Packet header IP-SGT lookup DGT Derived based on destination IP lookup

56 Considerations: 6500 Sup2T SGACL Drop config: Exporter and monitor:! flow exporter ise destination source TenGigabitEthernet2/1 transport udp 9993 option cts-sgt-table timeout 10! flow monitor FNF_SGACL_DROP exporter ise record cts-record-ipv4! cts role-based ip flow monitor FNF_SGACL_DROP dropped! flow exporter CYBER_EXPORTER destination source TenGigabitEthernet2/1 transport udp 2055 option cts-sgt-table timeout 10! flow monitor CYBER_MONITOR exporter CYBER_EXPORTER cache timeout active 60 record cts-cyber-6k!

57 Considerations: ISR, ASR, CSR! flow record cts-cyber-ipv4 match ipv4 protocol match ipv4 source address match ipv4 destination address SGT: Packet header IP-SGT lookup DGT Destination IP lookup match transport source-port match transport destination-port match interface input match flow direction match flow cts source group-tag match flow cts destination group-tag collect routing next-hop address ipv4 collect ipv4 dscp collect ipv4 ttl minimum collect ipv4 ttl maximum collect transport tcp flags collect interface output collect counter bytes collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last collect application name!

58 Modeling Policy in StealthWatch Custom event triggers on traffic condition Rule name and description SGT DGT Trigger on traffic in both directions; Successful or unsuccessful

59 Modeling Policy in StealthWatch Create flow-based rules for all proposed policy elements Policy Violation alarm will trigger if condition is met. Simulating proposed drop.

60 Modeling Policy: Alarm Occurrence Alarm dashboard showing all Policy alarms Details of Employee to Productions Servers alarm occurrences

61 Modeled Policy: Flow Details How When Who Where What Who Yes Tune Is this communication permissible? No Respond SGT DGT

62 Agenda Introduction Understanding the Landscape Components of Network Visibility Enforce Policy Design and Model Policy Discover and Classify Assets Segmenting the Network

63 Enabling Enforcement Egress Enforcement Security Group ACL PCI Server Campus Network Production Server Users, Endpoints Catalyst Switches/WLC (3K/4K/6K) N7K Development Server Monitor Mode SRC \ DST PCI Server (2000) Prod Server (1000) Dev Server (1010) Employees (100) Deny all Deny all Permit all PCI User (105) Permit all Permit all Permit all Unknown (0) Deny all Deny all Permit all Enforcement may be enabled gradually per destination Security Group basis Initially use SGACLs with deny logging enabled (remove log later if not required) Keep default policy as permit and allow traffic unknown SGT during deployment

64 Centralized SGACL Management in ISE

65 Applying SGACL policies in ISE (Tree view)

66 Applying SGACL policies (Matrix View) Portal_ACL permit tcp dst eq 443 permit tcp dst eq 80 permit tcp dst eq 22 permit tcp dst eq 3389 permit tcp dst eq 135 permit tcp dst eq 136 permit tcp dst eq 137 permit tcp dst eq 138 permit tcp des eq 139 deny ip

67 SGT=3 SGT=4 SGT=5 SGACL Downloads New Servers provisioned, e.g. Prod Server & Dev Server Roles DC switches requests policies for assets they protect Policies downloaded & applied dynamically Prod_Servers Dev_Servers What this means: All controls centrally managed Security policies de-coupled from network No switch-specific security configs needed Wire-rate policy enforcement One place to audit network-wide policies Switches request policies for assets they protect SGACL Enforcement Prod_Server (SGT=7) Dev_Server (SGT=10) Switches pull down only the policies they need

68 Enabling Policy Enforcement in Switches After setting up SGT/SGACL in ISE, you can now enable SGACL Enforcement on network devices Devices need to be defined in ISE and provisioned to talk to ISE (omitted from these slides for brevity) Enabling SGACL Enforcement Globally and for VLAN Switch(config)#cts role-based enforcement Switch(config)#cts role-based enforcement vlan-list 40 If switches have SGT assignments they will download policy for the assets they are protecting As example - defining IP to SGT mapping for servers on a switch Switch(config)#cts role-based sgt-map sgt 5 Switch(config)#cts role-based sgt-map sgt 6 Switch(config)#cts role-based sgt-map sgt 7

69 Policy Enforcement on Firewalls: ASA SG-FW Security Group definitions from ISE Switches inform the ASA of Security Group membership Trigger FirePower services by SGT policies Can still use Network Object (Host, Range, Network (subnet), or FQDN) AND / OR the SGT

70 Agenda Introduction Understanding the Landscape Components of Network Visibility Enforce Policy Design and Model Policy Discover and Classify Assets Segmenting the Network Active Monitoring Policy NBAD

71 Active Monitoring

72 Segmentation Monitoring in StealthWatch Custom event triggers on traffic condition Rule name and description SGT DGT Trigger on traffic in both directions; Successful or unsuccessful

73 Segmentation Monitoring with StealthWatch Alarm dashboard showing all Policy alarms

74 Segmentation Monitoring with StealthWatch PCI Zone Map Define communication policy between Zones Monitor for violations

75 StealthWatch NBAD Model Track and/or measure behaviour/activity Notification of security event generated Algorithm Security Event Alarm Suspicious behaviour observed or anomaly detected

76 Alarm Categories Each category accrues points.

77 Example Alarm Category: Concern Index Concern Index: Track hosts that appear to compromising network integrity Security events. Over 90 different algorithms.

78 StealthWatch: Alarms Alarms Indicate significant behaviour changes and policy violations Known and unknown attacks generate alarms Activity that falls outside the baseline, acceptable behaviour or established policies

79 Agenda Introduction Understanding the Landscape Components of Network Visibility Enforce Policy Design and Model Policy Discover and Classify Assets Segmenting the Network Active Monitoring Policy NBAD Adaptive Network Control

80 Adaptive Network Control: Managing the Threat

81 Adaptive Network Control: Quarantine Extension of the endpoint monitoring and controlling capabilities Enable a change of the authorization state Through administrative action Without modification of the overall authorization policy Triggered from the Admin node Supported in both wired and wireless environments Endpoint management through three actions: Quarantine Unquarantine Shutdown wired access ports Endpoint control based on IP or MAC address

82 ANC Quarantine Flow 3. PAN issues quarantine instruction to MnT MnT 8. Quarantine check 2. StealthWatch issues quarantine instruction to PAN PAN 4. MnT instructs PSN to invoke a CoA PSN 5. Endpoint is disconnected through CoA 9. Quarantine profile applied 7. RADIUS request 1. Endpoint is connected 6. Endpoint reconnects and authenticates

83 Quarantine from StealthWatch

84 ANC Quarantine: ISE Live Log EPSStatus check Security Group Assignment

85 Configuring Endpoint Protection Services (ANC) 1. Enable EPS 2. Create an authorization profile to use for quarantine action 3. Update the authorization policy Leverage exception authorization rule Quarantine status condition Authorization profile for quarantine action 4. Control endpoints Manually quarantine or unquarantine Based on IP or MAC address

86 Exception Authorization Policy Best Practice EPSStatus in Session Assign to SGT Suspicous_Investigate and Permit Access

87 Suspicous_Investigate Egress Policy Create an Egress Policy for the suspicious Security Group

88 SGACL Create meaningful SGACL for Suspicious hosts: Restrict applications and services Block access to Business Critical Processes Prevent access to Intellectual Property

89 SGT Based Policy Based Routing route-map native_demo permit 10 match security-group source tag Employee match security-group destination tag Critical_Asset set interface Tunnel1! route-map native_demo permit 20 match security-group source tag Suspicious match security-group destination tag Critical_Asset set interface Tunnel2! route-map native_demo permit 30 match security-group source tag Guest set vrf Guest Inspection Router Policy-based Routing based on SGT Router / Firewall Network A User B Suspicious Enterprise WAN User A Employee SGT-based VRF Selection VRF-GUEST User C Guest Available Today: Cisco IOS XE Release 3.16S (ASR 1000) as well as ASA5500-X (9.5.1)

90 FirePOWER Services Redirect Create service policy to forward suspicious traffic to FirePOWER Services

91 Agenda Introduction Understanding the Landscape Components of Network Visibility Enforce Policy Design and Model Policy Discover and Classify Assets Segmenting the Network Active Monitoring Policy NBAD Adaptive Network Control Summary

92 Related Sessions: TECSEC-2678 Network as a Sensor and Enforcer Matt Robertson, Fay Ann Lee, Imran Bashir Tuesday, Nov 3, 9:00 AM - 4:00 PM BRKCRT-2206 Cisco Cyber Security Analyst Specialist Certification James Risler Wednesday, Nov 4, 5:15-6:45 PM BRKSEC-2150 Cisco SAFE approach to threat defense Jamey Heary Wednesday, Nov 4, 11:15 AM - 12:45 PM BRKSEC-2695 Building an Enterprise Access Control Architecture using ISE and TrustSec Imran Bashir Thursday, Nov 5, 9:30 AM 11:30 AM

93 Key Takeaways The network is a key asset for threat detection and control NetFlow and Lancope StealthWatch provides visibility and intelligence TrustSec is used to dynamically (micro)segment the network

94 Thank you

95