Cloud Managed Security Architecture & Design

Transcription

1

2 BRKSEC-2602 Cloud Managed Security Architecture & Design Michael Geller Principal Engineer, GSAT

3 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#brksec Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Abstract and Introductory Thoughts The Cloud Managed Security session provides an in depth discussion of the security services available for Managed Security Services Providers (MSSP). We take an architectural approach to show the audience how to find threats faster using the Cloud. Borders and Trust boundaries are always moving We will discuss how to use Managed Security Services to keep up and stay ahead 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

5 My Personal & Professional Life 21 Years in Cisco Distinguished Speaker Principal Engineer Security Other Cisco Live Session: BRKNMS-3043 Focus on Cloud and Service Providers for Security Areas of focus: MSSP, SDN/NFV, SecOPS 2 kids, 1 wife BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 5

6 Agenda Introduction MSS Architecture MSS Service Catalog Orchestration, SOC & Assurance How To Build and Deploy Conclusion

7 Introduction

8 Core Security Principles Visibility See Everything Complete visibility of users, devices, networks, applications, workloads and processes Segmentation Reduce the Attack Surface Prevent attackers from moving laterally east-west with application whitelisting and micro-segmentation Threat protection Stop the Breach Quickly detect, block, and respond to attacks before hackers can steal data or disrupt operations BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 9

10 MSSP / CSOC Discussion Elements Security Intelligence (inc. threat feeds ) Security Controls Physical, Virtual (VNFs), Cloud Management Applications (Policy & MACDs) Health & Availability Logs, Events and Analytics (SIEM) Portals BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 Security Leads to Higher Partner Profitability BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 When it comes to security, a vendor buffet is not a strategy BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 Security Services Protect your business and customers during digital transformation Stop threats at the edge Control who gets onto your network Find and contain problems fast Protect users wherever they work Simplify network segmentation BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14 Stop threats at the edge Path Forward NGFW/ UTM Firepower/ Meraki Advanced Threat Advanced Malware Protection (AMP) Security Security Appliance with AMP Drive NGFW transition and scale new platforms Build out virtual form factors Extend cloud security Services Migration and Deployment BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 14

15 Protect users wherever they work Path Forward Endpoint Protection from the Cloud Advanced Threat Endpoint Deployment Umbrella AMP for Endpoints AnyConnect Cisco Security Connector AMP for Endpoints go big! Deliver secure internet gateway with Umbrella Services Incident Response Emergency and Proactive Services BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 Control who gets onto your network and cloud Policy and Access Control Identity Services Engine (ISE) Key to SD-Access CASB Cloudlock Path Forward Expand IoT visibility Cloudlock + Umbrella Services Security Segmentation Services Deployment Services BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 Simplify network segmentation Path Forward Software Defined Segmentation Access Data Center Trustsec SDA Tetration Leverage network for security architecture Closer integration between Tetration and Stealthwatch Services Security Segmentation Services SD-Access Services BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 Find and contain problems fast Anomaly Detection AMP Stealthwatch Analytics Encrypted Traffic Analytics Path Forward Stealthwatch Cloud (Observable Networks) Leverage network via ETA Continue to leverage AMP across the portfolio Services Incident Response - Active Threat Analytics Services BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 MSS Architecture

20 Design Goal: Unified Security Service Chain Across Access Methods ILL LTE IP Security Service Chain WiFi BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 Capex Complexity The MSSP Evolution The Security Hub - DC Cloud Managed CPE (ISR, NGFW, SD-WAN) Platform Umbrella Time To Market BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 Disrupting The Market With Managed Security What It Takes To Build An MSSP Security Service Management & Assurance Security Service Management (inc. Ubiqube) Customer Portal, Operator s Portal, Single Pane of Glass OSS-BSS Integration Service Assurance SOC, Incident Response, Threat Feeds & Analytics Security Service Management as a Service - CMS Orchestration - 1 Use ACI/APIC with KVM/VMWare Orchestration & Security Services Cisco & Partner Security Services FWaaS VPNaaS aaS ContentaaS, Anti-MalwareaaS, CloudSecaaS NGFWaaS Net Number SS7 FWaaS + Others Data Center/Network Layer Group tag management & Policy Automation ACI Data Center Focus: Segmentation, Policy & Analytics Addition of the Next Service to the Portfolio Orchestration - 2 VMS NSO/ESC Linkage to Mobile and Other NSO Orchestrated Services BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 Unified Security Service Chain Across Access Methods LTE and SIM-Based WiFi LTE PCRF / SCEF UE1 (APN1: Intel) UE1 (APN1: BMW) CORE + IMS Security Service Chain Ex: FW, Content, IPS, rules Internet 1. UE with APN 1 requests session to PGW 2. PGW opens Gx communication with PCRF 3. PCRF applies the rule 4. PGW chooses next hop 5. UE with APN 1 has the session with the security rule applied Note: If a specific IMSI needs a special rule, it can also be done by PCRF BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 Unified Security Service Chain Across Access Methods With SAMOG WiFi - SAMOG PCRF / SCEF UE1 (APN1: Intel) UE1 (APN1: BMW) SaMOG S2a Non LBO Traffic LBO Traffic PGW Security rules GW Security Service Chain Ex: FW, Content, IPS, rules Internet 1. SaMOG communicates with PGW for non LBO traffic (Sec rule applies - same as option with PGW) 2. For LBO SaMOG uses the IP address from its IP pool 3. The LBO hop IP address should be configured to a Security rule GW, which would apply the security rules 4. UE has the session with the security rule applied BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 Play to the Market Sweetspots 2. Secure Internet Gateway Logs, Events and Analytics 1. Security 3. Network Security FW, VPN, IPS NaaS & NaaE End-Point BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 25

26 MSS Service Catalog

27 What Your Customers Will Buy Power of the Cisco Architecture BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 27

28 What Your Customers Will Buy Unrivaled global threat research and intelligence BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 28

29 Premiere portfolio in the industry Best of breed and integrated architecture Network Analytics UTM Cloud Access Secure Internet Gateway Advanced Malware Threat Intelligence Policy and Access NGFW/NGIPS www Web BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 Cisco s Unfair Advantage: AMP Everywhere AMP Threat Intelligence Cloud Remote Endpoints AMP for Endpoints AMP for Networks (AMP on Firepower NGIPS Appliance bundle) Threat Grid Malware Analysis + Threat Intelligence Engine AMP Private Cloud Virtual Appliance AMP on Cisco NGFW Firewalls and Meraki MX AMP for Endpoints AMP on Web and Security Appliances AMP on ISR with Firepower Services Windows OS Android Mobile Virtual MAC OS AMP for Endpoints can be launched from AnyConnect CentOS, Red Hat Linux for servers and datacenters SIG / CTA AMP on Umbrella SIG and Hosted BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 30

31 The Architectural Advantage in Action 1 AMP Cloud 2 Threat Grid Network Endpoint Cloud Threat Endpoint AMP for Endpoint 3 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 There s STILL Something About Ransomware and STILL 99% Effective Against it! BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 32

33 Gartner: The Secure Internet Gateway (SIG) Service Platform BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 33

34 Cisco s Secure Internet Gateway Vision Threat intelligence, cross-product analytics, APIs, and integrations DNS-Layer Proxy File Sandbox 3 rd -Party CASB App visibility Inbound New inspection controls and control* inspection* product* Leveraging Cisco s global footprint *Future 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

35 Continue Innovating.trying to solve the hard problems Finding malicious activity in encrypted traffic New Catalyst 9K* * Other devices will be supported soon NetFlow Telemetry for encrypted malware detection and cryptographic compliance Cisco Stealthwatch Metadata Cognitive Analytics Malware detection and cryptographi c compliance Enhanced NetFlow Leveraged network Faster investigation Higher precision Stronger protection Enhanced NetFlow from Cisco s newest switches and routers Enhanced analytics and machine learning Global-to-local knowledge correlation Continuous Enterprise-wide compliance BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 35

36 Solution Component 1: Cisco Umbrella

37 UMBRELLA HIGHLIGHTS Built into foundation of the internet Malware C2 Callbacks Phishing Destinations Original destination or block page Safe Original destinations Blocked Modified destination Security controls DNS and IP enforcement Risky domain inspection through proxy SSL decryption available Intelligent proxy Deeper inspection Internet traffic On and off-network 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

38 User Experience Company Logo Network Operations Consumer Experience BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 38

39 ENFORCEMENT MSSP organization Centralized settings MSP admins Centralized reports Customer 1 Customer 20K Subscription Admin and settings Reports Subscription Admin and settings Reports BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 39

40 Solution Component 2: Security Services Chain

41 Solution Flow ILL Threat Sandboxing Service AMP Threatgrid LTE WiFi App Optimization Required? Yes, Add CSR to Front of Service Chain ASA+NGFW deployed next. FW, VPN (RA/S2S), IPS, URL filtering, AVC & app signatures, Anti-X (Malware) Full Proxy Required? Yes, WCCP connection to WSAv End Point Policy AMP for Endpoints Cisco + Partner Services: SIEM -Exabeam/Cisco AS LOG Management - Exabeam/Cisco AS WAF-FTDv or Partner DLP Partner (Digital Guardian) BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 Virtual Appliance Models Firewall as a Service and VPN as a Service NGFWv Model Disk Mem(GB) vcpu NGFWv ASAv Model Disk(GB) Mem(GB) vcpu ASAv ASAv ASAv ASAv Web Security as a Service Model Disk (GB) WSAv Mem(GB ) vcpu S000V S100V S300V S600V 2.4 TB CSR1000v SEC Throughput Disk(GB) vcpu Mem(GB) vcpu Mem(GB) 10 Mbps Mbps Mbps Mbps Mbps Gbps Gbps Gbps AMP Private Cloud AMPv Mode Disk (GB) Mem(GB) vcpu Cloud Mode Air Gap Mode AX BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 42

43 Uncover hidden threats in the environment Advanced Malware Protection (AMP) File Reputation c File & Device Trajectory AMP for Endpoint Log AMP for Network Log? Known Signatures Fuzzy Fingerprinting Indications of compromise Threat Grid Sandboxing Advanced Analytics Dynamic analysis Threat intelligence Threat Disposition Uncertain Safe Risky Sandbox Analysis Enforcement across all endpoints Block known malware Investigate files safely Detect new threats Respond to alerts BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 43

44 AMP FOR ENDPOINTS HIGHLIGHTS Protection across endpoints Network Endpoint Content The endpoint platform has device trajectory, elastic search, and outbreak control, which in this example is shown quarantining recently detected malware on a device that has the AMP for Endpoints connector installed 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

45 Meraki and Stealthwatch/ETA

46 Cisco Meraki Cloud Managed UTM ++ WAN Optimization Next-Generation Firewall Device Management All Managed from the Cloud Content Filtering Switching User Management Intrusion Prevention V Wireless Auto VPN Bonjour Gateway Application Management Routing Network Infrastructure Unified Threat Management Mobile Management BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 46

47 Solution Highlights (continued) Wired + wireless Instant search Client fingerprints Location analytics Application QoS 24 Real-time control Intuitive Web-Based Dashboard BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 47

48 Stealthwatch in a Nutshell BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 48

49 Stealthwatch NaaS/NaaE Portfolio Security and Network Monitoring Stealthwatch Management Console Stealthwatch Learning Agent Manager (aka SCA) Flow Collector UDP Director Cisco ISE NetFlow, syslog, SNMP FlowSensor VMware ESX with FlowSensor VE NetFlow enabled infrastructure AWS Cloud Stealthwatch Cloud License ISR 4K w/ios XE Stealthwatch Learning Agent (aka DLA) User and Device Information New Additions to portfolio Feeds of emerging threat information SLIC / Talos BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 49

50 Orchestration, SOC & Assurance

51 Automated Security Service Delivery To DC & To CPE ILL OpenAPIs Service Catalog Service Interfaces Service Interface VMS Service Creation Platform Service Offers Service Infrastructure Data Platforms LTE NSO Orchestrator NSO Core Function Packs Security Service Chain VBranch Service Pack ENCS Service Dashboard VNF-Manager (ESC) Network Functions Virtualization Infrastructure Software (NFVIS) Security Service Chain WiFi ENCS BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 51

52 Onboarding of CPE Device Cisco VMS Ordering Portal OpenAPIs Service Interfaces Service Interface VMS Service Creation Platform Service Offers Service Infrastructure Data Platforms NSO Orchestrator NSO Core Function Packs VBranch Service Pack ENCS Service Dashboard vbranch CPE Service VNF-Manager (ESC) Network Functions Virtualization Infrastructure Software (NFVIS) Onboard NFV-IS Infrastructure to ENCS Onboard ENCS/NFVI ENCS Or ISR BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 52

53 Automated Security Service Delivery To DC & To CPE + SD-WAN ILL Service Interfaces Service Interface OpenAPIs VMS Service Creation Platform Service Offers Service Catalog Viptela on AWS vmanage Orchestrator Service Infrastructure Data Platforms LTE NSO Orchestrator NSO Core Function Packs Security Service Chain VBranch Service Pack Viptela Microservic e vsmart Controllers ENCS Service Dashboard Viptela vedge VNF vedge Routers VNF-Manager (ESC) Network Functions Virtualization Infrastructure Software (NFVIS) Security Service Chain WiFi ENCS BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 53

54 Services are Required to Support The Full Security Lifecycle BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 54

55 Advisory Core Security Services Custom Threat Intelligence Threat Analysis of external DNS and, optionally, internal traffic Rich and Actionable Intelligence Report prepared by Expert Analysts Cybersecurity Assessments Ethical Hacking services to assess Security Posture Advanced Persistent Threat service to test Customer Incident Response and security controls Integration Integration Services Architecture, Plan, and Build Services for Secure Solutions that includes Cisco and Third- Party products Cisco Identity Services Engine (ISE) Plan, Build, and Update Security Optimization Services Enablement of Customer Security and Network Staff with ongoing support from Security Experts Optimize security of architectures, solutions, and products to meet business needs Managed Managed Threat Defense Sophisticated Real-Time Detection and Rapid Threat Response Best-n-Class Technology, and Leading Security Expertise and Analytics Remote Managed Services Managed and Co-Managed Security Service Provider for Cisco and Third-Party Security Products 24/7/365 management and monitoring for changes, advanced analytics, event response, and incident management BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 55

56 How To Build & Deploy

57 Secure Connectivity An Enterprise or SMB Offer BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 57

58 1 + 2 Consolidated Service Chain View Client ISRv ISRv ETA w/ Stealthwatch DNS-based security Web Filtering vedge SD-WAN WAN Internet VPN Termination ASAv vedge NGFWv AMP ETA with Stealthwatch SD-WAN Firewall IPS Malware Protection URL Filtering Public Cloud Internet Private DC AnyConne ct AMP Umbrella VPN Client BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 58

59 Branch to Branch Zero Trust Model Client 4 5 ISRv Umbrell a vedge ETA w/ Stealthwatch DNS-based security Web Filtering SD-WAN Server to Server between DCs WAN Public Cloud vedge NGFWv AMP SD-WAN Firewall IPS Malware Protection ETA with Stealthwatch NGFWv AMP Firewall IPS Malware Protection vedge SD-WAN Private DC WAN vedge SD-WAN ISRv Umbrell a ETA w/ Stealthwatch DNS-based security Web Filtering Client BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 59

60 Services /24 MSSP Topology Mgmt CIMC Mgmt CIMC Mgmt CIMC ISRv.2.1 vedge.1 TC /24.2 ENCS ISRv vedge.1 ENCS2.1 TC / / / / PC PC L4-7 L4-7 Branch A Tenant 1 Branch B Tenant MPLS Internet v /24 Qradar ESX1.1 RW Vision v / / vedge / vedge / ISRv.2.1 NGFWv.5.2 NGFWv vedge.1 ENCS ENCS / / ENCS3 CIMC.3 CIMC /24 Mgmt ASAv Mgmt ASAv Branch C TC PC L4-7 Tenant 2 Mobile User Tenant 1 VLAN CIMC Mgmt CSP1 vsmart vbond CIMC Mgmt.25. CSP2.1 RW DPVA v /24 Services /24.27 vsmart vbond vman age.26 ASR v /24.11 v /24.12 FMC.251 RW DPVA SMC.2 SWFC ASA.18.2 DNS.2.6 WWW / Mgmt CIMC Cloud Layer 3 Switch Private DC Tenant 1 Layer 3 Switch NTP / CIMC.78 Portal.34 VMS Internal HA Portal.35 VMS CP DNS VMS Control Plane Services Public Cloud Private DC PC.100 L4-7 TC PC.100 L4-7 TC Cloud Services (Internet) VLAN 9 SD-WAN Services /24 Lab Services /23 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 60

61 Services /24 Mgmt CIMC Mgmt CIMC Mgmt CIMC /24 ETA VPN.1 ISRv.2.1 vedge.1 Umbrella / /24 VPN ETA ISRv vedge /24.2 ENCS1 ENCS / Umbrella.101 TC Branch A Tenant 1 Branch B Tenant 1 Branch C Tenant 2.1 Mobile User Tenant 1 VLAN CIMC Mgmt CSP1 VLAN MPLS Internet.2 vsmart vbond MSSP Topology CIMC Mgmt.25. CSP2 SD-WAN Services / RW DPVA v / Services /24.27 vsmart vbond vman age.26 ASR Qradar ESX v /24 RW Vision v /24 v /24 TC PC L4-7 VPN IPS Web VPN IPS Web / vedge / vedge /24 ETA VPN Security Security ISRv.2.1 NGFWv.5.2 NGFWv vedge.1 ENCS4.90 AMP.2 FW.95 ENCS5 AMP FW / / ENCS3 CIMC.3 CIMC.3 Umbrella /24 Mgmt ASAv Mgmt ASAv TC RA VPN AMP PC PC L4-7 L4-7 Umbrella Where are Security Functions Enabled? DDOS ETA v /24 RA VPN.12 FMC.251 RW DPVA SMC ETA.2 SWFC RA VPN AS A DNS.2.6 WWW / Mgmt CIMC Cloud Layer 3 Switch Private DC Tenant 1 Layer 3 Switch NTP /24.2 CIMC.78 Portal.34 HA Portal.35 VMS Control Plane Services Public Cloud Private DC Cloud Services (Internet) Lab Services /23 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 61.1 VMS Internal VMS CP DNS PC.100 L4-7 TC PC.100 L4-7 TC Umbrella AMP ThreatGrid

62 Conclusion

63 Please Complete Your Online Session Evaluation BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 63

64 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#brksec Cisco and/or its affiliates. All rights reserved. Cisco Public

65 Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Complete Your Online Session Evaluation Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at Cisco and/or its affiliates. All rights reserved. Cisco Public

66 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Tech Circle Meet the Engineer 1:1 meetings Related sessions BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 66

67 Thank you

68