Key Security Measures to Enable Next-Generation Data Center Transformation
Bill McGee, Senior Manager, Security Solutions, Cisco Systems, Inc.
Agenda
- Data Center Security Challenges
- Secure DC Strategies
- Secure DC Cyber Defense
- Cisco Secure DC Solutions: New ASA Solutions; Sourcefire IPS and AMP
- Control Without Compromise
Data Center Security Challenges
Edge security was not designed to support the advances being made in the data center.
Data Center Security Perception
Ease of Provisioning:
- Just 32% have a way to automate firewall rule management
- Over 50% find it challenging to add security without impeding business goals
- 52% feel their data centers are compromised due to accommodating firewalls
- Over 40% perceive security as an inhibitor
- 54% plan to make significant security improvements or upgrades, or redesign the data center network entirely, over the next year
Maximized Performance:
- 73% don't believe current firewall and/or IPS technology meets today's increased performance requirements
- 91% of respondents say speed and performance are critical when evaluating firewall and IPS solutions for the data center
Pervasive Protection:
- Results show that organizations are underprepared: 67% report instances of downtime over the past 12 months due to malware-related incidents
- Organizations that automate firewall rules are twice as likely to report high confidence in firewall/IPS solutions and twice as likely to report zero downtime from malware-related incidents
Traditional Data Center Security Challenges
Difficult Provisioning:
- Provisioning takes days or weeks
- Forced to dumb down the data center
- Lose critical flexibility and responsiveness
Limited Scalability:
- Required to hairpin traffic for inspection
- Security becomes a bottleneck
Separate Management:
- Separate management for each device
- No coordination between DC and security
Cumbersome Policy:
- ACL overload
- Policies created by hand
- No coordination between security and UCS
Closed Architecture:
- Tied to a specific hypervisor and vswitch
- No or limited APIs
- No multi-tenant segmentation
- No support for DC applications
- Provisioning: erodes efficiency gains and can delay new services implementation by weeks or months
- Performance: insufficient performance and limited scalability
- Protection: limited threat awareness, limited visibility, and fails to proactively defend the data center from emerging threats
Secure DC Strategies
Key Data Center Security Trends
- Scalability: need for policy enforcement for high speed networks
- Resiliency: high availability is imperative for applications
- Expanded Deployment Options: policy enforcement on inter-DC traffic
- Segmentation: policy between specific groups, users, or applications
- Contextual Analysis: global and local threat correlation
- Virtualization: security for east-west traffic in multi-hypervisor environments
Data Center Security Solution Purchase Drivers
Source: Infonetics Research, Inc., Data Center Security Strategies and Vendor Leadership Report, March 25, 2014
1. Security Must Be Designed for the Data Center
Ease of Provisioning:
- Must be deployed dynamically and quickly
- Ties data center and security policy together
- Gives the right tool to the right team
Optimum Performance:
- Optimized for DC performance (east/west data bursts)
- Highly available and resilient
- Matches security performance to network performance
- Supports asymmetrical traffic flows
Actionable Protection:
- North-south protection
- East-west protection
- Signature-based protection
- Reputation-based protection
- Signature-less protection
- Custom application inspection
2. Security Must Be Part of the DC Architecture
[Diagram: Traditional DC (policy engine; role-based policy and management; physical and virtual security; scalable enforcement; UCS Manager, resource provisioning, monitoring apps) versus Application-Centric DC (programmable provisioning apps, networking apps, physical and virtual security, data center fabric, end-user apps)]
Traditional DC:
- Provisionable policy-based security provisioning
- Scalable security for physical and virtual/cloud
- Simplified policy and management
Application-Centric DC:
- Service-based security provisioning
- Scalable security for physical and virtual/cloud
- Centralized policy and management
3. Security Must Adapt as Data Centers Evolve
[Diagram: WAN-connected data centers with growing numbers of VMs]
4. Security Must Address the Attack Continuum
Attack Continuum:
- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Across Network, Endpoint, Mobile, Virtual, Cloud; from point-in-time to continuous.
5. Data Centers Don't Exist in a Vacuum
"If data has any street value, whether it's a major corporation's intellectual property or an individual's healthcare data, it is desirable and, therefore, at risk. And most organizations, large and small, have already been compromised and don't even know it: 100 percent of business networks analyzed by Cisco have traffic going to websites that host malware." (Cisco 2014 Annual Security Report)
Secure DC Cyber Defense
Losing the Data Center: moving from end user compromise to losing the data center
- Step 1, End User Compromise: user browses the Internet
- Step 2, Compromise Server: user is authorized to access the server per ACLs
- Step 3, Install VMBR: VMs are now under cyber attacker control (SubVirt, Blue Pill, Vitriol are VMBRs)
Most organizations rely solely on access control and segmentation for threat capabilities; cyber defenders need more capabilities.
The Attack Chain: the cyber attacker's process to develop capabilities
Phases: Survey, Develop, Test, Execute, Accomplish
- Survey: Users/employees? Default passwords? Open ports? Operating systems? Counter measures? Phishing campaign?
- Develop: Objectives (data theft, destruction); Recon? Command and control? Required capabilities? Custom malware? Open source malware? Polymorphic engines? Anti-detection? Phishing campaign? Purchase malware?
- Test: Did rootkit install? Two-way communications? Successful? Detected? Operating systems? Web farms? Network map? Have time?
- Execute: Malware drop (end user devices, email servers, web servers); gain second foothold; lateral movement; evade detection
- Accomplish: Extract data; plant evidence; hide additional rootkits; destroy artifacts; own the target!
Cyber Threat Management System: mapping capabilities to the BDA (Before, During, After) attack continuum

Threat Containment and Remediation
- Description: file, packet, and flow based inspection and analysis for threats
- Before: end point protection agents, network based flow protection
- During: cloud based end point file analysis, network based file analysis, network based flow analysis, signature based analysis, sandbox analysis
- After: connections and flows analysis and remediation
- Products: Sourcefire FireSIGHT, Intrusion Protection, Network based AMP, Email AMP, CWS AMP, FireAMP for End User and Mobile

Access Control and Segmentation
- Description: access control policies, segmentation, secure separation
- Before: end point group assignments, security zones, user to asset access policies
- During: fabric enforcement, firewall policy enforcement, traffic normalization and protocol compliance
- After: policy enforcement and logging
- Products: ASA 5585-X, SGTs, SGACLs, SXP, and TrustSec capable switching fabric or ACI Fabric with ASAv

Identity Management
- Description: user identity and access posturing, network based user context
- Before: user mapping to groups, resources, and acceptable access locations
- During: user context analysis
- After: user access and threat origination analysis and remediation
- Products: Active Directory, Cisco ISE, Sourcefire FireSIGHT

Application Visibility and Control
- Description: file control and trajectory, network file trajectory, application quarantine
- Before: policies to limit and control access to internal and external applications
- During: enforcement of application control policies
- After: visibility into all applications being accessed and running on the network
- Products: Sourcefire Access Control, Sourcefire NGFW

Logging and Traceability Management
- Description: threat forensics and compliance
- Before: proper configuration of threat management system reporting
- During: active out-of-band logging; immediate access by the proper threat function management platform
- After: consolidation of logs into a central repository for further forensics and compliance
- Products: Defense Center for short term logs, Lancope StealthWatch for longer term NetFlow analysis logs, Splunk SIEM for log management compliance
Mapping Threat Capabilities to Controls: controls can be implemented where there are capabilities

Threat Containment
- Capability: file, packet and flow based inspection and analysis for threats
- NIST SP 800-53 relevant controls: Incident Response; Maintenance; Media Protection; Risk Assessment; System and Information Integrity
- SANS Top 20 Critical Security Controls: Continuous Vulnerability Assessment and Remediation; Malware Defenses; Data Protection

Access Control and Segmentation
- Capability: access control and segmentation
- NIST SP 800-53 relevant controls: Access Control; System and Communications Protection
- SANS Top 20 Critical Security Controls: Inventory of Authorized and Unauthorized Devices; Boundary Defense; Controlled Access Based on the Need to Know; Secure Network Engineering

Identity Management
- Capability: user identity and access posturing, network based user context
- NIST SP 800-53 relevant controls: Access Control
- SANS Top 20 Critical Security Controls: Controlled Access Based on the Need to Know; Secure Network Engineering

Application Management
- Capability: application visibility and control
- NIST SP 800-53 relevant controls: System and Information Integrity; Access Control
- SANS Top 20 Critical Security Controls: Inventory of Authorized and Unauthorized Software; Secure Network Engineering

Logging and Traceability
- Capability: threat forensics and compliance
- NIST SP 800-53 relevant controls: Audit and Accountability
- SANS Top 20 Critical Security Controls: Maintenance, Monitoring, and Analysis of Audit Logs

NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, states that organizations "can consider defining a set of security capabilities as a precursor to the security control selection process", and that "protection of information being processed, stored, or transmitted by information systems, seldom derives from a single safeguard or countermeasure (i.e., security control)."
Covering the Entire Attack Continuum
Attack Continuum:
- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Product categories across the continuum: Firewall, VPN, NGIPS, Advanced Malware Protection, NGFW, UTM, Web Security, Network Behavior Analysis, NAC + Identity Services, Email Security; underpinned by visibility and context.
Secure Data Center Threat Management: new threat management capabilities
- Threat Containment and Remediation (file, packet, and flow based inspection and analysis for threats): Sourcefire FireSIGHT, Intrusion Protection, Network based AMP, Email AMP, CWS AMP, FireAMP for End User and Mobile
- Access Control and Segmentation (access control policies, segmentation, secure separation): ASA 5585-X, SGTs, SGACLs, SXP, and TrustSec capable switching fabric or ACI Fabric with ASAv
- Identity Management (user identity and access posturing, network based user context): Active Directory, Cisco ISE, Sourcefire FireSIGHT
- Application Visibility and Control (file control and trajectory, network file trajectory, application quarantine): Sourcefire Access Control, Sourcefire NGFW
- Logging and Traceability Management (threat forensics and compliance): Defense Center for short term logs, Lancope StealthWatch for NetFlow based analysis, SIEM for log management compliance
Secure DC Portfolio: a comprehensive set of capabilities for the cyber defender
- Four solutions jointly validated to create a complete solution
- Modular approach
- Industry's most comprehensive security solution
Cisco's Latest Secure DC Solutions
ASAv and ASA 5585-X
Cisco ASA Virtual Firewall (ASAv):
- Full ASA feature set
- Hypervisor independent
- vswitch agnostic
- Dynamic scalability
Cisco ASA 5585-X Series:
- 16-node clustering
- Up to 640 Gbps throughput
- Multi-site clustering
- Manage clusters as a single device
- Load balancing between physical and virtual ASAs
Both support traditional and next-gen data centers (SDN, ACI), fully integrated into ACI with APIC-based provisioning, orchestration, and management.
FirePOWER NGIPS and AMP: industry-best next-generation intrusion prevention
- Real-time contextual awareness
- Full stack visibility
- Unparalleled performance and scalability
- Detects and inspects custom applications
- Easily add Application Control, URL Filtering, and Advanced Malware Protection (AMP) with optional subscription licenses
New Secure Data Center CVD: the latest in a series of Secure DC designs, focused on cyber threat defense
- Fully tested and validated architecture
- Best practices design and blueprint
- Integrates Cisco and Sourcefire technologies
See the Secure DC demo stations in the World of Solutions (Security).
Control Without Compromise
We are the global leader in data center security.
Cisco Data Center Security Leadership (Part 1, Part 2)
Source: Infonetics Research, Inc., Data Center Security Strategies and Vendor Leadership Report, March 25, 2014
Protect your data center while maintaining the flexibility and performance you need.