Digital Network Architecture for Securing Enterprise Networks

Size: px

Start display at page:

Download "Digital Network Architecture for Securing Enterprise Networks"

Oswald Park
5 years ago
Views:

2 Digital Network Architecture for Securing Enterprise Networks Matt Robertson Evgeny Mirolyubov Technical Marketing Engineers, Advanced Threat Solutions

Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3.

3 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot# 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Digital Network Architecture Network-enabled Applications Cloud Service Management Policy Orchestration Open APIs Developers Environment Insights and Experiences Principles Automation

4 Cisco Digital Network Architecture Network-enabled Applications Cloud Service Management Policy Orchestration Open APIs Developers Environment Insights and Experiences Principles Automation Abstraction and Policy Control from Core to Edge Open and Programmable Standards-Based Virtualization Analytics Network Data, Contextual Insights Physical and Virtual Infrastructure App Hosting Cloud-enabled Software-delivered Automation and Assurance Security and Compliance 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 5

5 Security starts with visibility 60% 85% 54% of data is stolen in HOURS of point-of-sale intrusions aren t discovered for WEEKS of breaches remain undiscovered for MONTHS 51% increase in companies reporting a $10 million or more loss in the last 3 YEARS A community that hides in plain sight avoids detection and attacks swiftly. Cisco Security Annual Security Report Cisco and/or its affiliates. All rights reserved. Cisco Public 6

6 Security needs context based visibility and control Allowed Traffic Denied Traffic Employee Clear understanding of traffic flow with context Easier to create & apply policy based on such context Quarantine Supplier Network Fabric Server High Risk Segment Shared Server Internet Employee 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 SECURING ACCESS ROLE-BASED SEGMENTATION CONTENT CONTROLS BEHAVIOURAL ANALYSIS Let the permitted and authorized ones in Logical separation based on privileged access, facilitating dynamic threat control Controlling the content allowed in Inspecting, analyzing activity after letting in 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 Today s Session Matt Robertson Technical Marketing Engineer ATS: Security Analytics Evgeny Mirolyubov Technical Marketing Engineer ATS: Advanced Malware Protection Securing Access Advanced Malware Protection Summary Start Role Based Segmentation Behavioural Analysis

10 Before we start = Introductory session FOR YOUR REFERENCE = Hidden Slide / Quick glance More on <topic> slide = Other sessions, links for more details 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 Securing Access Matt Robertson Technical Marketing Engineer ATS: Security Analytics Securing Access Advanced Malware Protection Summary Start Role Based Segmentation Behavioural Analysis

12 Cisco ISE and AnyConnect WHO WHEN CISCO ISE SIEM, MDM, NBA, IPS, IPAM, etc. WHAT HOW WHERE HEALTH PxGRID & APIs THREATS CVSS ACCESS POLICY FOR ENDPOINTS FOR NETWORK Partner Eco System WIRED WIRELESS VPN Role-based Access Control Guest Access BYOD Secure Access 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 A Cisco network enables device profiling Endpoints send interesting data, that reveal their device identity DS DS Cisco ISE ACIDex DS Device Sensor (DS) on IOS and AireOS ACIDex ` AnyConnect Identity Extensions 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14 A Cisco network enables device profiling ACTIVE PROBES Netflow DHCP DNS HTTP RADIUS NMAP SNMP AD DEVICE SENSOR ANYCONNECT CDP LLDP DHCP HTTP H323 SIP MDNS ACIDex ISE data collection methods for Device profiling Endpoints send DS interesting data, that reveal their DS device identity Cisco ISE ACIDex DS Device Sensor (DS) on IOS and AireOS ACIDex ` AnyConnect Identity Extensions 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

15 A Cisco network enables device profiling ACTIVE PROBES Netflow DHCP DNS HTTP RADIUS NMAP SNMP AD DEVICE SENSOR ANYCONNECT CDP LLDP DHCP HTTP H323 SIP MDNS ACIDex ISE data collection methods for Device profiling Endpoints send interesting data, that reveal their device identity DS DS Cisco ISE Feed Service (Online/Offline) ACIDex DS Device Sensor (DS) on IOS and AireOS ACIDex ` AnyConnect Identity Extensions 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

16 A Cisco network enables device profiling ACTIVE PROBES Netflow DHCP DNS HTTP RADIUS NMAP SNMP AD DEVICE SENSOR ANYCONNECT CDP LLDP DHCP HTTP H323 SIP MDNS ACIDex ISE data collection methods for Device profiling Endpoints send interesting data, that reveal their device identity DS DS Cisco ISE Feed Service (Online/Offline) ACIDex DS Device Sensor (DS) on IOS and AireOS ACIDex ` AnyConnect Identity Extensions 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

18 Active and passive methods to build user context Jim 1 3 Cisco ISE Alice? Yes 2 AD Active Identity Alice Active Identity IP to User mapping got via active interaction between ISE and the client via 802.1X, Web authentication, Remote access VPN, etc Cisco and/or its affiliates. All rights reserved. Cisco Public 14

19 Active and passive methods to build user context 1 DOMAIN\Jim (AD Login) Passive Identity Jim 3 2 Jim Logged in 1 3 Cisco ISE Alice? Yes AD 2 Active Identity Alice Passive Identity IP to User mapping got via passive means like AD WMI events, AD Agents, Syslog, SPAN sessions and more. Active Identity IP to User mapping got via active interaction between ISE and the client via 802.1X, Web authentication, Remote access VPN, etc Cisco and/or its affiliates. All rights reserved. Cisco Public 14

21 Visibility into endpoint applications Who What When Cisco AnyConnect 4.4 Wired / WLAN / VPN access Cisco ISE Where How Posture Threat Vulnerability Application 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 16

22 What about posture assessment? Check endpoint health Posture defines the state of compliance with the company s security policy Posture Flow Qualys Antivirus Anti Virus Vendors AUTHENTICATE USER/DEVICE Posture: Unknown / Non-Compliant? QUARANTINE Limited Access: VLAN / dacl / SGTs POSTURE ASSESMENT Check Hotfix, AV, Pin lock, Jail broken, etc. Anti-Virus? Platform Integrations Microsoft SCCM REMEDIATION WSUS, Launch App, Scripts, MDM, etc. AUTHORIZATION CHANGE Full Access VLAN / dacl / SGTs. MDM Mobile Device Management Service 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 17

23 Authorization control access 3 Major authorization options for access control DACL / Named / URL ACL VLANs Security Group Tags Downloadable ACL (Wired) or Named ACL or URL ACL (Wireless) Dynamic VLAN Assignments (Per MAC VLANs) Cisco TrustSec Remediation Employee permit ip any any Contractor deny ip host <protected> permit ip any any Employees VLAN 3 Guest VLAN 4 Per port / Per Domain / Per MAC 16 bit SGT assignment and SGT based Access Control 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 18

24 Sharing context Sharing is securing Enhance Context (For Access Policy) Threat, Vulnerability Index, MDM attributes, etc Who What When Where How Posture Threat Vulnerability Context Cisco ISE SYSLOG PXGRID REST API Vulnerability Management Contextual Actions Identity based Firewall policies, Vulnerability based cloud access, User / Group based behavioral analysis, etc NGFW IDS/IPS Log Management Vulnerability Management Cloud Service Eco System Partners Firewall Web Security IPAM 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 19

25 More Cisco ISE FOR YOUR REFERENCE Cisco Live sessions BRKSEC-2059 Deploying ISE in a dynamic environment BRKSEC-2464 Let s get practical with your network security by using Cisco Identity Services Engine BRKCOC-2279 Inside Cisco IT: How Cisco IT deploy ISE and TrustSec across the enterprise BRKSEC-3699 Designing ISE for scale & high availability TECSEC-2672 Breaking the ice with ISE Online content Cisco and/or its affiliates. All rights reserved. Cisco Public 20

26 Role Based Segmentation Matt Robertson Technical Marketing Engineer ATS: Security Analytics Securing Access Advanced Malware Protection Summary Start Role Based Segmentation Behavioural Analysis

27 Traditional segmentation is operationally heavy Applications access-list 102 deny udp gt eq 2165 access-list 102 deny udp lt gt 428 access-list 102 permit ip eq gt 1511 access-list 102 deny tcp gt gt 1945 access-list 102 permit icmp lt eq 116 access-list 102 deny udp eq eq 959 access-list 102 deny tcp eq lt 4993 access-list 102 deny tcp eq lt 848 access-list 102 deny ip eq gt 4878 access-list 102 permit icmp lt eq 1216 access-list 102 deny icmp gt gt 1111 access-list 102 deny ip eq eq 4175 access-list 102 permit tcp lt gt 1462 access-list 102 permit tcp gt lt 4384 Enterprise Backbone Aggregation Layer Access Layer Non-Compliant Voice Employee Supplier BYOD Quarantine VLAN Voice VLAN Data VLAN Guest VLAN BYOD VLAN 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 22

28 Traditional segmentation is operationally heavy Applications access-list 102 deny udp gt eq 2165 access-list 102 deny udp lt gt 428 access-list 102 permit ip eq gt 1511 access-list 102 deny tcp gt gt 1945 access-list 102 permit icmp lt eq 116 access-list 102 deny udp eq eq 959 access-list 102 deny tcp eq lt 4993 access-list 102 deny tcp eq lt 848 access-list 102 deny ip eq gt 4878 access-list 102 permit icmp lt eq 1216 access-list 102 deny icmp gt gt 1111 access-list 102 deny ip eq eq 4175 access-list 102 permit tcp lt gt 1462 access-list 102 permit tcp gt lt 4384 Enterprise Backbone Aggregation Layer Access Layer Enforcement IP based policies. ACLs, Firewall rules Propagation Carry segment context over the network through VLAN tags / IP address / VRF Non-Compliant Voice Employee Supplier BYOD Classification Static / Dynamic VLAN assignments Quarantine VLAN Voice VLAN Data VLAN Guest VLAN BYOD VLAN 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 22

29 Traditional segmentation is operationally heavy Applications access-list 102 deny udp gt eq 2165 access-list 102 deny udp lt gt 428 access-list 102 permit ip eq gt 1511 access-list 102 deny tcp gt gt 1945 access-list 102 permit icmp lt eq 116 access-list 102 deny udp eq eq 959 access-list 102 deny tcp eq lt 4993 access-list 102 deny tcp eq lt 848 access-list 102 deny ip eq gt 4878 access-list 102 permit icmp lt eq 1216 access-list 102 deny icmp gt gt 1111 access-list 102 deny ip eq eq 4175 access-list 102 permit tcp lt gt 1462 access-list 102 permit tcp gt lt 4384 Static ACL Routing Redundancy DHCP Scope Address VLAN Limitations of Traditional Segmentation Security Policy based on Topology High cost and complex maintenance Non-Compliant Voice Enterprise Backbone VACL Employee Aggregation Layer Access Layer Supplier BYOD Enforcement IP based policies. ACLs, Firewall rules Propagation Carry segment context over the network through VLAN tags / IP address / VRF Classification Static / Dynamic VLAN assignments Quarantine VLAN Voice VLAN Data VLAN Guest VLAN BYOD VLAN 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 22

30 Introducing Cisco TrustSec Remote Access Wireless Network ISE Directory Production Servers 8 SGT Employees Switch Routers DC Firewall DC Switch Application Servers 7 SGT 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

31 Introducing Cisco TrustSec 5 SGT Remote Access Wireless Network ISE Directory Production Servers 8 SGT Employees Switch Routers DC Firewall DC Switch Application Servers 7 SGT 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

32 Introducing Cisco TrustSec 5 SGT Remote Access Wireless Network ISE Directory Production Servers 8 SGT Employees Switch Routers DC Firewall DC Switch Application Servers 7 SGT Classification 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

33 Introducing Cisco TrustSec Remote Access Wireless Network ISE 5 SGT Directory Production Servers 8 SGT Employees Switch Routers DC Firewall DC Switch Application Servers 7 SGT Classification Propagation 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

34 Introducing Cisco TrustSec Source Destination Egress Policy Employee App_Serv Permit All Prod_Serv Deny All App_Serv Permit All Deny All Prod_Serv Deny All Permit All Remote Access Wireless Network ISE 5 SGT Directory Production Servers 8 SGT Employees Switch Routers DC Firewall DC Switch Application Servers 7 SGT Classification Propagation Enforcement 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

35 Classification CLASSIFICATION PROPAGATION ENFORCEMENT Dynamic Classification Static Classification Campus Access Distribution Core DC Core DC Access Enterprise Backbone WLC Firewall Hypervisor SW 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 24

36 Classification CLASSIFICATION PROPAGATION ENFORCEMENT Dynamic Classification Static Classification MAB Campus Access Distribution Core DC Core DC Access Enterprise Backbone WLC Firewall Hypervisor SW 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 24

37 Classification CLASSIFICATION PROPAGATION ENFORCEMENT Dynamic Classification Static Classification L3 Interface (SVI) to SGT L2 Port to SGT MAB Campus Access Distribution Core DC Core DC Access Enterprise Backbone WLC Firewall Hypervisor SW VLAN to SGT Subnet to SGT VM (Port Profile) to SGT 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 24

38 CLASSIFICATION PROPAGATION ENFORCEMENT Propagation Inline Methods Ethernet Inline Tagging: (EtherType:0x8909) 16-Bit SGT encapsulated within Cisco Meta Data (CMD) payload. IPSec / L3 Crypto: Cisco Meta Data (CMD) uses protocol 99, and is inserted to the beginning of the ESP/AH payload. LISP: SGT (16 bit) insertion in the Nonce field (24 bit) Switches ETHERNET Routers IPSEC 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

39 CLASSIFICATION PROPAGATION ENFORCEMENT Propagation Inline Methods Ethernet Inline Tagging: (EtherType:0x8909) 16-Bit SGT encapsulated within Cisco Meta Data (CMD) payload. IPSec / L3 Crypto: Cisco Meta Data (CMD) uses protocol 99, and is inserted to the beginning of the ESP/AH payload. SGT Exchange Protocol (SXP) IP-to-SGT binding exchange over 64999/TCP Cisco ISE can be a SXP speaker / Listener LISP: SGT (16 bit) insertion in the Nonce field (24 bit) Switches Routers ETHERNET IPSEC Switches Speaker Routers (SXP Aggregation) Listener Firewall Switches 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

Propagation CLASSIFICATION PROPAGATION ENFORCEMENT IETF http://tinyurl.com/sgt-draft http://tinyurl.

IPSec / L3 Crypto: Cisco Meta Data (CMD) uses protocol 99, and is inserted to the beginning of the ESP/AH payload.

40 Propagation CLASSIFICATION PROPAGATION ENFORCEMENT IETF Inline Methods Ethernet Inline Tagging: (EtherType:0x8909) 16-Bit SGT encapsulated within Cisco Meta Data (CMD) payload. IPSec / L3 Crypto: Cisco Meta Data (CMD) uses protocol 99, and is inserted to the beginning of the ESP/AH payload. SGT Exchange Protocol (SXP) IP-to-SGT binding exchange over 64999/TCP Cisco ISE can be a SXP speaker / Listener LISP: SGT (16 bit) insertion in the Nonce field (24 bit) Switches Routers ETHERNET IPSEC Switches Speaker Routers (SXP Aggregation) Listener Firewall Switches 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

CLASSIFICATION PROPAGATION ENFORCEMENT TrustSec enforcement policy

43 CLASSIFICATION PROPAGATION ENFORCEMENT Consistent policy deployment TRUSTSEC POLICY MATRIX CATALYST SWITCHES NEXUS SWITCHES VIRTUAL SWITCHES INDUSTRIAL SWITCHES WIRELESS ACCESS POINTS ROUTING PLATFORMS 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 27

CLASSIFICATION PROPAGATION ENFORCEMENT Consistent policy deployment TRUSTSEC POLICY MATRIX Push and deploy TrustSec policies consistently across switching, wireless and routing

44 CLASSIFICATION PROPAGATION ENFORCEMENT Consistent policy deployment TRUSTSEC POLICY MATRIX Push and deploy TrustSec policies consistently across switching, wireless and routing infrastructure Deploy CATALYST SWITCHES NEXUS SWITCHES VIRTUAL SWITCHES INDUSTRIAL SWITCHES WIRELESS ACCESS POINTS ROUTING PLATFORMS 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 27

TrustSec reduces operational costs for segmentation Based on the results of the PCI validation and PCI Internal Network Penetration and Segmentation Test, it is Verizon s opinion that Cisco TrustSec

48 TrustSec reduces operational costs for segmentation Based on the results of the PCI validation and PCI Internal Network Penetration and Segmentation Test, it is Verizon s opinion that Cisco TrustSec can successfully perform network segmentation, for the purpose of PCI scope reduction. Cisco has made great strides in integrating support for the TrustSec framework across its product lines - Flexibility to Segregate Resources Without Physical Segmentation or Managing VLANs - Reduction in ACL Maintenance, Complexity and Overhead Cisco TrustSec enabled the organizations interviewed, to reduce operational costs by avoiding additional IT headcount, deploy new environments faster, and implement consistent and effective network segmentation resulting in lower downtime Cisco and/or its affiliates. All rights reserved. Cisco Public 29

49 More on Cisco TrustSec FOR YOUR REFERENCE Cisco Live sessions BRKSEC-3690 Advanced Security Group Tags: The Detailed Walkthrough Online content Cisco and/or its affiliates. All rights reserved. Cisco Public 30

50 Today s Session Evgeny Mirolyubov Technical Marketing Engineer ATS: Advanced Malware Protection Securing Access Advanced Malware Protection Summary Start Role Based Segmentation Behavioural Analysis

51 Do Security Differentt Plan B: Retrospection Track system behaviors regardless of disposition In-flight correction (machine learning) Contain & correct damage, expel embedded intruders Reveals malicious activity Mode: Continuous Incident Response 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

52 Do Security Differentt Plan A: Prevention Speed: Real-time, dynamic decisions trained on realworld data High accuracy, low false positives / negatives Raise the bar, reduce attack surface Mode: Constant Security Control Plan B: Retrospection Track system behaviors regardless of disposition In-flight correction (machine learning) Contain & correct damage, expel embedded intruders Reveals malicious activity Mode: Continuous Incident Response 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

WSA / Umbrella Endpoint 2018 Cisco and/or

55 AMP for Endpoints Next Generation Endpoint Security Cloud Managed, subscription based SaaS Option of cloud or private cloud deployment Protects Windows, Mac, Linux CentOS and RedHat, Android, ios Meets and exceeds capabilities of a solution required for PCI and HIPAA compliance AMP Everywhere integrated architecture 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

56 AMP for Endpoints Philisophy Prevent Prevent attacks and block malware in real time Detect Continuously monitor to reduce time to detection Respond Accelerate investigations and remediate faster and more effectively 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

64 AMP Unity See Once, Protect Everywhere Common Objects Whitelists Blacklists AMP Cloud Endpoints Network Appliances Content Appliances WWW NGIPS NGFW WSA ESA/CES 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Appliances Content Appliances WWW NGIPS NGFW WSA ESA/CES 2018

65 AMP Unity See Once, Protect Everywhere Common Objects Global Trajectory Whitelists Blacklists AMP Cloud Endpoints Network Appliances Content Appliances WWW NGIPS NGFW WSA ESA/CES 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Advanced Malware Protection Summary Make the unknown, known See once, block everywhere

67 Behavioural Analysis Matt Robertson Technical Marketing Engineer ATS: Security Analytics Securing Access Advanced Malware Protection Summary Start Role Based Segmentation Behavioural Analysis

69 Stealthwatch in a Nutshell Cisco Stealthwatch: Is a collector and aggregator of network telemetry for the purposes of data modelling, security analysis and monitoring Cisco and/or its affiliates. All rights reserved. Cisco Public

70 Stealthwatch in a Nutshell Network Transactional Cisco Stealthwatch: Is a collector and aggregator of network telemetry for the purposes of data modelling, security analysis and monitoring Cisco and/or its affiliates. All rights reserved. Cisco Public

71 Stealthwatch in a Nutshell Identity Network Transactional Contextual Intelligence Classification Cisco Stealthwatch: Is a collector and aggregator of network telemetry for the purposes of data modelling, security analysis and monitoring Cisco and/or its affiliates. All rights reserved. Cisco Public

72 Stealthwatch in a Nutshell Identity Network Transactional Contextual Intelligence Data Model Classification Cisco Stealthwatch: Is a collector and aggregator of network telemetry for the purposes of data modelling, security analysis and monitoring Cisco and/or its affiliates. All rights reserved. Cisco Public

73 Stealthwatch in a Nutshell Identity Network Transactional Analytics Engine Contextual Intelligence Data Model Classification Cisco Stealthwatch: Is a collector and aggregator of network telemetry for the purposes of data modelling, security analysis and monitoring Cisco and/or its affiliates. All rights reserved. Cisco Public

Stealthwatch in a Nutshell Actionable Outcomes Identity

Intelligence Data Model Classification Cisco Stealthwatch:

purposes of data modelling, security analysis and

74 Stealthwatch in a Nutshell Actionable Outcomes Identity Network Transactional Analytics Engine Contextual Intelligence Data Model Classification Cisco Stealthwatch: Is a collector and aggregator of network telemetry for the purposes of data modelling, security analysis and monitoring Cisco and/or its affiliates. All rights reserved. Cisco Public

Conversational Flow Record => The General Ledger

and compression Months of data retention 2018

78 Conversational Flow Record => The General Ledger Who What Who When Where How More context Stitched and de-duplicated Conversational representation Highly scalable data collection and compression Months of data retention 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 43

80 Stealthwatch System Components Stealthwatch Enterprise On-premises appliances On-premises visibility and telemetry collection (Coming ) Stealthwatch Cloud 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 44

Public cloud (IaaS) monitoring On-prem visibility for small deployments (Coming 6.10.

81 Stealthwatch System Components Stealthwatch Enterprise On-premises appliances On-premises visibility and telemetry collection Stealthwatch Cloud Cloud hosted; SaaS Public cloud (IaaS) monitoring On-prem visibility for small deployments (Coming ) Stealthwatch Cloud 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 44

82 Stealthwatch Enterprise System Components Cognitive Analytics Stealthwatch Cloud Threat Intelligence License

83 Stealthwatch Enterprise System Components Cognitive Analytics Stealthwatch Cloud Threat Intelligence License Stealthwatch Flow Collector Collect and analyze Up to 4000 exporters Up to sustained 240,000 fps 4 physical and 3 virtual models

84 Stealthwatch Enterprise System Components Cognitive Analytics Stealthwatch Cloud Threat Intelligence License Stealthwatch Management Console Management and reporting Up to 25 Flow Collectors Up 6 million fps globally 2 physical and virtual models High Availability Stealthwatch Flow Collector Collect and analyze Up to 4000 exporters Up to sustained 240,000 fps 4 physical and 3 virtual models

85 Stealthwatch Enterprise System Components Cognitive Analytics Stealthwatch Cloud Threat Intelligence License Stealthwatch Management Console Management and reporting Up to 25 Flow Collectors Up 6 million fps globally 2 physical and virtual models High Availability UDP Director UDP Packet copier Forward to multiple destinations High Availability 2 physical and virtual models Stealthwatch Flow Collector Collect and analyze Up to 4000 exporters Up to sustained 240,000 fps 4 physical and 3 virtual models

86 Stealthwatch Enterprise System Components Cognitive Analytics Stealthwatch Cloud Threat Intelligence License Stealthwatch Management Console Management and reporting Up to 25 Flow Collectors Up 6 million fps globally 2 physical and virtual models High Availability UDP Director UDP Packet copier Forward to multiple destinations High Availability 2 physical and virtual models Stealthwatch Flow Collector Collect and analyze Up to 4000 exporters Up to sustained 240,000 fps 4 physical and 3 virtual models Stealthwatch Flow Sensor Generate IPFIX from SPAN/TAP 256 bytes of payload Physical and virtual models

87 Stealthwatch Enterprise System Components Cognitive Analytics Stealthwatch Cloud Threat Intelligence License Stealthwatch Management Console Management and reporting Up to 25 Flow Collectors Up 6 million fps globally 2 physical and virtual models High Availability UDP Director UDP Packet copier Forward to multiple destinations High Availability 2 physical and virtual models Endpoint License Concentrator Collect AnyConect NVM flow data and forward to Flow Collector Virtual Appliance Stealthwatch Flow Collector Collect and analyze Up to 4000 exporters Up to sustained 240,000 fps 4 physical and 3 virtual models Stealthwatch Flow Sensor Generate IPFIX from SPAN/TAP 256 bytes of payload Physical and virtual models

88 Stealthwatch Enterprise System Components Cognitive Analytics Stealthwatch Cloud Threat Intelligence License Stealthwatch Management Console Management and reporting Up to 25 Flow Collectors Up 6 million fps globally 2 physical and virtual models High Availability UDP Director UDP Packet copier Forward to multiple destinations High Availability 2 physical and virtual models Endpoint License Concentrator Collect AnyConect NVM flow data and forward to Flow Collector Virtual Appliance Cisco Security Packet Analyzer Rolling full packet capture 2 physical models Stealthwatch Flow Collector Collect and analyze Up to 4000 exporters Up to sustained 240,000 fps 4 physical and 3 virtual models Stealthwatch Flow Sensor Generate IPFIX from SPAN/TAP 256 bytes of payload Physical and virtual models

89 Stealthwatch Enterprise System Components Cognitive Analytics Cloud hosted Analytics Global Risk Map Cognitive Analytics Stealthwatch Cloud Threat Intelligence License Stealthwatch Management Console Management and reporting Up to 25 Flow Collectors Up 6 million fps globally 2 physical and virtual models High Availability UDP Director UDP Packet copier Forward to multiple destinations High Availability 2 physical and virtual models Endpoint License Concentrator Collect AnyConect NVM flow data and forward to Flow Collector Virtual Appliance Cisco Security Packet Analyzer Rolling full packet capture 2 physical models Stealthwatch Flow Collector Collect and analyze Up to 4000 exporters Up to sustained 240,000 fps 4 physical and 3 virtual models Stealthwatch Flow Sensor Generate IPFIX from SPAN/TAP 256 bytes of payload Physical and virtual models

Stealthwatch Cloud Threat Intelligence License Threat

Management Console Management and reporting Up to 25 Flow

models High Availability UDP Director UDP Packet copier Forward

models Endpoint License Concentrator Collect AnyConect NVM flow

Security Packet Analyzer Rolling full packet capture 2 physical

exporters Up to sustained 240,000 fps 4 physical and 3 virtual

90 Stealthwatch Enterprise System Components Cognitive Analytics Cloud hosted Analytics Global Risk Map Cognitive Analytics Stealthwatch Cloud Threat Intelligence License Threat Intelligence Known C&C Servers TOR Entrance & Exits Stealthwatch Management Console Management and reporting Up to 25 Flow Collectors Up 6 million fps globally 2 physical and virtual models High Availability UDP Director UDP Packet copier Forward to multiple destinations High Availability 2 physical and virtual models Endpoint License Concentrator Collect AnyConect NVM flow data and forward to Flow Collector Virtual Appliance Cisco Security Packet Analyzer Rolling full packet capture 2 physical models Stealthwatch Flow Collector Collect and analyze Up to 4000 exporters Up to sustained 240,000 fps 4 physical and 3 virtual models Stealthwatch Flow Sensor Generate IPFIX from SPAN/TAP 256 bytes of payload Physical and virtual models

92 Stealthwatch Cloud System Components Stealthwatch Cloud API Amazon Web Services Other AWS Data Cloud Trail Cloud Watch Inspector IAM Config Lambda VPC Flow Logs Public Cloud Monitoring 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 46

93 Stealthwatch Cloud System Components Stealthwatch Cloud https API Stealthwatch Cloud Sensor(s) Amazon Web Services NetFlow/IPFIX SPAN Network Private Network Monitoring Other AWS Data Cloud Trail Cloud Watch Inspector IAM Config Lambda VPC Flow Logs Public Cloud Monitoring 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 46

Stealthwatch Cloud System Components Stealthwatch Cloud https API https Stealthwatch Cloud Sensor(s) Amazon Web Services Stealthwatch Cloud Sensor(s) NetFlow/IPFIX SPAN Network Private Network

94 Stealthwatch Cloud System Components Stealthwatch Cloud https API https Stealthwatch Cloud Sensor(s) Amazon Web Services Stealthwatch Cloud Sensor(s) NetFlow/IPFIX SPAN Network Private Network Monitoring Other AWS Data Cloud Trail Cloud Watch Inspector IAM Config Lambda VPC Flow Logs Other Public Cloud Public Cloud Monitoring 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 46

96 Data Analysis with Stealthwatch: Visibility and Discovery Identify business critical applications and services across the network Policy and segmentation modelling and monitoring 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 47

97 Data Analysis with Stealthwatch: Visibility and Discovery Identify business critical applications and services across the network Policy and segmentation modelling and monitoring Identify Indicators of Compromise (IoC) Policy & Segmentation Network Behaviour & Anomaly Detection (NBAD) 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 47

Data Analysis with Stealthwatch: Visibility and Discovery Identify business critical applications and services across the network Policy and segmentation modelling and monitoring Identify Indicators

98 Data Analysis with Stealthwatch: Visibility and Discovery Identify business critical applications and services across the network Policy and segmentation modelling and monitoring Identify Indicators of Compromise (IoC) Policy & Segmentation Network Behaviour & Anomaly Detection (NBAD) Accelerated response to an IOC: Leverage the General Ledger for retrospective investigation 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 47

Host Groups: Logical Buckets of IP Space Hierarchical

.1.1.10 and 10.1.1.11 All my POSs are 10.20.

IP Address list A host can exist in multiple Host Groups A

99 Host Groups: Logical Buckets of IP Space Hierarchical structure Examples: My DNS Servers are and All my POSs are /24 My HQ is /8 Etc. IP Address list A host can exist in multiple Host Groups A Host can not be simultaneously Inside and Outside 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 48

101 Monitoring of Traditional Segmentation Policies PCI Zone Map Forbidden Relationship Find this session online: BRKSEC-2026 Building Network Security Policy Through Data Intelligence Inter-system relationships 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 49

103 Stealthwatch Learning Engines Stealthwatch On Box Behavioural Analysis Anomaly detection through statistical learning Unsupervised Learning Engine User Defined Behaviour Analysis 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

104 Stealthwatch Learning Engines Stealthwatch On Box Behavioural Analysis Anomaly detection through statistical learning Unsupervised Learning Engine User Defined Behaviour Analysis Cognitive Analytics Cloud Hosted Multi-layer Machine Learning Anomaly detection through statistical learning Supervised Learning Engine Malware classification 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

105 Stealthwatch Learning Engines Stealthwatch On Box Behavioural Analysis Anomaly detection through statistical learning Unsupervised Learning Engine User Defined Behaviour Analysis Cognitive Analytics Cloud Hosted Multi-layer Machine Learning Anomaly detection through statistical learning Supervised Learning Engine Malware classification Stealthwatch Enterprise 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Analysis Cognitive Analytics Cloud Hosted

Classification Stealthwatch Enterprise 2018

106 Stealthwatch Learning Engines Stealthwatch On Box Behavioural Analysis Anomaly detection through statistical learning Unsupervised Learning Engine User Defined Behaviour Analysis Cognitive Analytics Cloud Hosted Multi-layer Machine Learning Anomaly detection through statistical learning Supervised Learning Engine Malware classification Stealthwatch Cloud SaaS delivered Behavioural Analysis Anomaly detection through statistical learning Role Classification Stealthwatch Enterprise 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

107 Stealthwatch Engine Placement Telemetry Sources weblogs Management and reporting NetFlow & IPFIX Flow Collector: Create the General Ledger Policy and Behavioural Analytics Statistical Learning, Anomaly detection 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

108 Stealthwatch Engine Placement Proxy log table Bi-flows for: From Inside to Outside (default) DNS from inside to anywhere From configured groups to outside and other configured groups Detections returned Cognitive Analytics HTTPS weblogs HTTPS Management and reporting SSO UI Pivot Telemetry Sources NetFlow & IPFIX Flow Collector: Create the General Ledger Policy and Behavioural Analytics Statistical Learning, Anomaly detection 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

110 Stealthwatch Enterprise On-Box Security Model Track and/or measure behaviour/activity Algorithm Security Event Suspicious behaviour observed or anomaly detected 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 52

Security Event Alarm Suspicious behaviour observed or anomaly

111 Stealthwatch Enterprise On-Box Security Model Track and/or measure behaviour/activity Notification of security event generated Algorithm Security Event Alarm Suspicious behaviour observed or anomaly detected 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 52

113 Modeling Group Policy in Stealthwatch Custom event triggers on traffic condition Rule name and description Source Tag Destination Tag Trigger on traffic in both directions; Successful or unsuccessful 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 54

trigger if condition is met. Simulating proposed drop.

114 Modeling Group Policy in Stealthwatch Create flow-based rules for all proposed policy elements Policy Violation alarm will trigger if condition is met. Simulating proposed drop Cisco and/or its affiliates. All rights reserved. Cisco Public 55

Use Cases: Cryptographic Compliance Audit Threat detection without

116 Encrypted Traffic Analytics New NetFlow Fields: Sequence of Packet Lengths and Times (SPLT) Initial Data Packet (IDP) Enhanced NetFlow Exporter Major Use Cases: Cryptographic Compliance Audit Threat detection without decryption 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 57

117 Crypto Compliance (ETA) Are my services cryptographic compliant. Filter/sort results on cryptographic information (ex. SSL vs TLS) 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 58

118 Encrypted Traffic Analytics Support FOR YOUR REFERENCE Solution Element Software Version License Enterprise switches (Cisco Catalyst 9000 Series)* Branch routers (ASR 1000 Series, 4000 Series ISR, CSR, ISRv) Cisco IOS XE Cisco IOS XE Included in Cisco DNA Advantage license/ Cisco ONE Advanced Included in SEC/k9 license Stealthwatch with CA v6.9.1 (Available now) Management Console, Flow Collector, Stealthwatch with CA and ETA v6.9.2 Flow Rate License 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

119 Rapid Threat Containment with TrustSec, ISE and Stealthwatch Employee Supplier Server Cisco StealthWatch Event: TCP SYN Scan Source IP: Role: Supplier Response: Quarantine Quarantine High Risk Segment Shared Server Internet Employee 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 60

120 Rapid Threat Containment with TrustSec, ISE and Stealthwatch Employee ISE Change Authorization Quarantine Server Cisco StealthWatch Event: TCP SYN Scan Source IP: Role: Supplier Response: Quarantine Quarantine Network Fabric High Risk Segment Shared Server Internet Employee 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 60

121 More on Cisco Stealthwatch Cisco Live sessions BRKSEC-3014 Security Monitoring with StealthWatch: The detailed walkthrough BRKSEC-2047 Behind the Perimeter: Fighting Advanced Attackers TECSEC-2484 Advanced Threat / Stealthwatch Design & Deploy Seminar BRKSEC-2809 Applied Advanced Network Telemetry: ETA and Beyond Online content Cognitive Analytics: FOR YOUR REFERENCE CTA_SEVT_Security_PDF.pdf Cisco and/or its affiliates. All rights reserved. Cisco Public 62

122 Summary Matt Robertson Technical Marketing Engineer ATS: Security Analytics Securing Access Advanced Malware Protection Summary Start Role Based Segmentation Behavioural Analysis

123 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot# 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All

124 Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Complete Your Online Session Evaluation Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at Cisco and/or its affiliates. All rights reserved. Cisco Public

125 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Tech Circle Meet the Engineer 1:1 meetings Related sessions 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 66

127 Summary Visibility and Control Everywhere WAN SERVICES Network Integrated Security Data Center Network Campus Network Internet BRANCH OFFICE Respond to threats faster DATA CENTER Public Cloud Centralized policy, control and reporting CAMPUS NETWORK 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 68

128 Summary Visibility and Control Everywhere WAN SERVICES Network Integrated Security Data Center Network Campus Network Internet BRANCH OFFICE Respond to threats faster DATA CENTER Public Cloud Centralized policy, control and reporting CAMPUS NETWORK Infrastructure to secure Information 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 68

129 Thank you

130

Identity Based Network Access

Identity Based Network Access Identity Based Network Access - Agenda What are my issues Cisco ISE Power training What have I achieved What do I want to do What are the issues? Guest Student Staff Contractor