Key Security Measures to Enable Next-Generation Data Center Transformation


Key Security Measures to Enable Next-Generation Data Center Transformation
Bill McGee, Senior Manager, Security Solutions, Cisco Systems, Inc.

Agenda
- Data Center Security Challenges
- Secure DC Strategies
- Secure DC Cyber Defense
- Cisco Secure DC Solutions: New ASA Solutions; Sourcefire IPS and AMP
- Control Without Compromise

Data Center Security Challenges

Edge security was not designed to support the advances being made in the data center.

Data Center Security Perception (survey results)

Ease of Provisioning
- Just 32% have a way to automate firewall rule management
- Over 50% find it challenging to add security without impeding business goals
- 52% feel their data centers are compromised due to accommodating firewalls
- Over 40% perceive security as an inhibitor
- 54% plan to make significant security improvements or upgrades, or redesign the data center network entirely, over the next year

Maximized Performance
- 73% don't believe current firewall and/or IPS technology meets today's increased performance requirements
- 91% of respondents say speed and performance are critical when evaluating firewall and IPS solutions for the data center

Pervasive Protection
- Results show that organizations are underprepared
- 67% report instances of downtime over the past 12 months due to malware-related incidents
- Organizations that automate firewall rules are twice as likely to report high confidence in firewall/IPS solutions and twice as likely to report zero downtime from malware-related incidents

Traditional Data Center Security Challenges

Difficult Provisioning
- Provisioning takes days or weeks
- Forced to dumb down the data center
- Lose critical flexibility and responsiveness

Limited Scalability
- Required to hairpin traffic for inspection
- Security becomes a bottleneck

Separate Management
- Separate management for each device
- No coordination between DC and security

Cumbersome Policy
- ACL overload
- Policies created by hand
- No coordination between security and UCS

Closed Architecture
- Tied to a specific hypervisor and vswitch
- No or limited APIs
- No multi-tenant segmentation
- No support for DC applications

Summary of the challenges
- Provisioning: erodes efficiency gains and can delay new services implementation by weeks or months
- Performance: insufficient performance and limited scalability
- Protection: limited threat awareness, limited visibility, and failure to proactively defend the data center from emerging threats

Secure DC Strategies

Key Data Center Security Trends
- Scalability: need for policy enforcement for high speed networks
- Resiliency: high availability is imperative for applications
- Expanded Deployment Options: policy enforcement on inter-DC traffic
- Segmentation: policy between specific groups, users, or applications
- Contextual Analysis: global and local threat correlation
- Virtualization: security for east-west traffic in multi-hypervisor environments

Data Center Security Solution Purchase Drivers
Source: Infonetics Research, Inc., Data Center Security Strategies And Vendor Leadership Report, March 25, 2014

1. Security Must Be Designed for the Data Center

Ease of Provisioning
- Must be deployed dynamically and quickly
- Ties data center and security policy together
- Gives the right tool to the right team

Optimum Performance
- Optimized for DC performance (east/west data bursts)
- Highly available and resilient
- Matches security performance to network performance
- Supports asymmetrical traffic flows

Actionable Protection
- North-south protection
- East-west protection
- Signature-based protection
- Reputation-based protection
- Signature-less protection
- Custom application inspection

2. Security Must Be Part of The DC Architecture
(Diagram comparing a Traditional DC with an Application-Centric DC)
- Traditional DC: Policy Engine; Role-Based Policy and Management; Physical and Virtual Security; Scalable Enforcement; Data Center (UCS Manager, Resource Provisioning, Monitoring Apps)
  Outcome: Provisionable, Policy-Based Security Provisioning; Scalable Security for Physical and Virtual/Cloud; Simplified Policy and Management
- Application-Centric DC: Programmable Provisioning Apps; Networking Apps; Physical and Virtual Security; Data Center Fabric; End-User Apps
  Outcome: Service-Based Security Provisioning; Scalable Security for Physical and Virtual/Cloud; Centralized Policy and Management

3. Security Must Adapt As Data Centers Evolve
(Diagram: WAN-connected data centers with a growing number of VMs; no further text recoverable)

4. Security Must Address The Attack Continuum
- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
- Applies across Network, Endpoint, Mobile, Virtual, and Cloud
- Both point-in-time and continuous

5. Data Centers Don't Exist In A Vacuum
"If data has any street value, whether it's a major corporation's intellectual property or an individual's healthcare data, it is desirable and, therefore, at risk. And most organizations, large and small, have already been compromised and don't even know it: 100 percent of business networks analyzed by Cisco have traffic going to websites that host malware."
Cisco 2014 Annual Security Report

Secure DC Cyber Defense

Losing the Data Center: moving from end user compromise to losing the data center
- Step 1, End User Compromise: user browses the Internet
- Step 2, Compromise Server: user is authorized to access the server per ACLs
- Step 3, Install VMBR (virtual machine based rootkit): VMs are now under cyber attacker control
Most organizations rely solely on access control and segmentation for threat capabilities. SubVirt, Blue Pill, and Vitriol are VMBRs. Cyber defenders need more capabilities.

The Attack Chain: cyber attacker process to develop capabilities
- Survey: Users/employees? Default passwords? Open ports? Operating systems? Counter measures? Phishing campaign? Objectives: data theft, destruction
- Develop: Recon? Command and control? Required capabilities? Custom malware? Open source malware? Polymorphic engines? Anti-detection? Phishing campaign? Purchase malware?
- Test: Did rootkit install? Two-way communications? Successful? Detected? Operating systems? Web farms? Network map? Have time?
- Execute: Malware drop; end user devices; email servers; web servers; gain second foothold; lateral movement; evade detection
- Accomplish: Extract data; plant evidence; hide additional rootkits; destroy artifacts; own the target

Cyber Threat Management System: mapping capabilities to the BDA (Before, During, After) attack continuum

Threat Containment and Remediation
- Description: file, packet, and flow based inspection and analysis for threats
- Before: end point protection agents, network based flow protection
- During: cloud based end point file analysis, network based file analysis, network based flow analysis, signature based analysis, sandbox analysis
- After: connections and flows analysis and remediation
- Products: Sourcefire FireSIGHT, Intrusion Protection, Network based AMP, Email AMP, CWS AMP, FireAMP for End User and Mobile

Access Control and Segmentation
- Description: access control policies, segmentation, secure separation
- Before: end point group assignments, security zones, user to asset access policies
- During: fabric enforcement, firewall policy enforcements, traffic normalization and protocol compliance
- After: policy enforcement and logging
- Products: ASA 5585-X, SGTs, SGACLs, SXP, and TrustSec capable switching fabric or ACI Fabric with ASAv

Identity Management
- Description: user identity and access posturing, network based user context
- Before: user mapping to groups, resources, and acceptable access locations
- During: user context analysis
- After: user access and threat origination analysis and remediation
- Products: Active Directory, Cisco ISE, Sourcefire FireSIGHT

Application Visibility and Control
- Description: file control and trajectory, network file trajectory, application quarantine
- Before: policies to limit and control access to internal and external applications
- During: enforcement of application control policies
- After: visibility into all applications being accessed and running on the network
- Products: Sourcefire Access Control, Sourcefire NGFW

Logging and Traceability Management
- Description: threat forensics and compliance
- Before: proper configuration of threat management system reporting
- During: active out of band logging; immediate access by the proper threat function management platform
- After: consolidation of logs into a central repository for further forensics and compliance
- Products: Defense Center for short term logs, Lancope Stealthwatch for longer term NetFlow analysis logs, SPLUNK SIEM for log management compliance

Mapping Threat Capabilities to Controls: controls can be implemented where there are capabilities

Threat Containment
- Capability: file, packet and flow based inspection and analysis for threats
- NIST SP 800-53 relevant controls: Incident Response, Maintenance, Media Protection, Risk Assessment, System and Information Integrity
- SANS Top 20 Critical Security Controls: Continuous Vulnerability Assessment and Remediation, Malware Defenses, Data Protection

Access Control and Segmentation
- Capability: access control and segmentation
- NIST SP 800-53 relevant controls: Access Control, System and Communications Protection
- SANS Top 20 Critical Security Controls: Inventory of Authorized and Unauthorized Devices, Boundary Defense, Controlled Access Based on the Need to Know, Secure Network Engineering

Identity Management
- Capability: user identity and access posturing, network based user context
- NIST SP 800-53 relevant controls: Access Control
- SANS Top 20 Critical Security Controls: Controlled Access Based on the Need to Know, Secure Network Engineering

Application Management
- Capability: application visibility and control
- NIST SP 800-53 relevant controls: System and Information Integrity, Access Control
- SANS Top 20 Critical Security Controls: Inventory of Authorized and Unauthorized Software, Secure Network Engineering

Logging and Traceability
- Capability: threat forensics and compliance
- NIST SP 800-53 relevant controls: Audit and Accountability
- SANS Top 20 Critical Security Controls: Maintenance, Monitoring, and Analysis of Audit Logs

NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, states that organizations can consider defining a set of security capabilities as a precursor to the security control selection process: "protection of information being processed, stored, or transmitted by information systems, seldom derives from a single safeguard or countermeasure (i.e. security control)."

Covering The Entire Attack Continuum
- BEFORE (Discover, Enforce, Harden): Firewall, VPN, NGFW, NAC + Identity Services
- DURING (Detect, Block, Defend): NGIPS, Web Security, Email Security
- AFTER (Scope, Contain, Remediate): Advanced Malware Protection, Network Behavior Analysis
- UTM spans the continuum; Visibility and Context underpins all phases

Secure Data Center Threat Management: new threat management capabilities
- Threat Containment and Remediation: file, packet, and flow based inspection and analysis for threats. Products: Sourcefire FireSIGHT, Intrusion Protection, Network based AMP, Email AMP, CWS AMP, FireAMP for End User and Mobile
- Access Control and Segmentation: access control policies, segmentation, secure separation. Products: ASA 5585-X, SGTs, SGACLs, SXP, and TrustSec capable switching fabric or ACI Fabric with ASAv
- Identity Management: user identity and access posturing, network based user context. Products: Active Directory, Cisco ISE, Sourcefire FireSIGHT
- Application Visibility and Control: file control and trajectory, network file trajectory, application quarantine. Products: Sourcefire Access Control, Sourcefire NGFW
- Logging and Traceability Management: threat forensics and compliance. Products: Defense Center for short term logs, Lancope Stealthwatch for NetFlow based analysis, SIEM for log management compliance

Secure DC Portfolio: a comprehensive set of capabilities for the cyber defender
- Four solutions jointly validated to create a complete solution
- Modular approach
- Industry's most comprehensive security solution

Cisco s Latest Secure DC Solutions

ASAv and ASA 5585-X

Cisco ASA Virtual Firewall (ASAv)
- Full ASA feature set
- Hypervisor independent
- vswitch agnostic
- Dynamic scalability

Cisco ASA 5585-X Series
- 16-node clustering
- Up to 640 Gbps throughput
- Multi-site clustering
- Manage clusters as a single device

Together
- Load balancing between physical and virtual ASAs
- Support traditional and next-gen data centers (SDN, ACI)
- Fully integrated into ACI: APIC-based provisioning, orchestration, and management

FirePOWER NGIPS and AMP: industry-best next-generation intrusion prevention
- Real-time contextual awareness
- Full stack visibility
- Unparalleled performance and scalability
- Detects and inspects custom applications
- Easily add Application Control, URL Filtering, and Advanced Malware Protection (AMP) with optional subscription licenses

New Secure Data Center CVD: the latest in a series of Secure DC designs focused on cyber threat defense
- Fully tested and validated architecture
- Best practices design and blueprint
- Integrates Cisco and Sourcefire technologies
See the Secure DC demo stations in the World of Solutions (Security).

Control Without Compromise

We are the global leader in data center security.

Cisco Data Center Security Leadership (Part 1, Part 2)
Source: Infonetics Research, Inc., Data Center Security Strategies And Vendor Leadership Report, March 25, 2014

Protect your data center while maintaining the flexibility and performance you need.

Participate in the My Favorite Speaker Contest: promote your favorite speaker and you could be a winner
- Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
- Send a tweet and include your favorite speaker's Twitter handle and two hashtags: #CLUS #MyFavoriteSpeaker
- You can submit an entry for more than one of your favorite speakers
- Don't forget to follow @CiscoLive and @CiscoPress
- View the official rules at http://bit.ly/cluswin

Complete Your Online Session Evaluation
- Give us your feedback and you could win fabulous prizes. Winners announced daily.
- Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
- Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education
- Demos in the Cisco Campus
- Walk-in Self-Paced Labs
- Table Topics
- Meet the Engineer 1:1 meetings