Jamie Sanbower, CCIEx3 13637, Security Architect, [email protected]. Integrated Threat Defense

Integrated threat defense 3 3-16 v2


The latest and greatest


# 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Agenda
Problem Space
ITD Overview
Compelling Integrations
Integrated Solutions
Summary


Problem Space


Today's Advanced Threat is Not Just a Single Entity

100% of companies connect to domains that host malicious files or services. 54% of breaches remain undiscovered for months. 60% of data is stolen in hours.

It is a community that hides in plain sight, avoids detection and attacks swiftly. 100 percent of companies surveyed by Cisco have connections to domains that are known to host malicious files or services. (Cisco 2014 Annual Security Report)

Adversaries are no longer lone wolves, but have become a community that knows each other, trades intellectual property, and sometimes works together.

Most importantly, the speed of attacks has accelerated. Many now do their damage in days or hours, while it may take months for victims to discover they've been attacked and respond. To be truly effective, defenders must approach real-time abilities to detect and respond to attacks.

Finally, every organization directly encounters malicious content or actors. While most interactions do not result in harm, adversaries do not lack for opportunity.

Impact of a Breach (timeline figure: start, hours, months, years)
Breach occurs. 60% of data in breaches is stolen in hours (Verizon Data Breach Report 2014). 54% of breaches remain undiscovered for months (Verizon Data Breach Report 2012). Information on up to 750 million individuals has reached the black market over the last three years.

1) http://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdf & MTD Sales Deck

2) http://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdf & MTD Sales Deck

3) In the most basic terms, as a result of breaches over the past three years, the personal information of up to 750 million individuals is or could be for sale on the criminal black market, to be used for identity theft, credit card fraud, and countless other illegal activities. (This is from Rosch testimony)

Abundant Security Tools, right?

ITD Overview


Faster Time to Detection, Faster Time to Remediate


Integrated Threat Defense Architecture: Visibility, Control, Intelligence, Context


Our Goal

Detect and Defeat Advanced Threats Across Breadth of Targets

Multilayered Protection for Known and Emerging Threats

Deliver Security Across the Extended Network


Integrated Threat Defense Architecture Defined

What: Detection and response framework for enabling faster threat responses

Why: Achieve better outcomes: minimize damage from attacks, reduce the time to detect and respond to threats, and make technologies work more efficiently and effectively

How: Collect more information from deployed infrastructure in an automated and efficient manner

The Future of Security


How Cisco is delivering ITD
Expanding Firepower Management Center
Cisco and partner information sharing
Standardized threat intelligence and feeds
pxGrid as a transport

Compelling Integrations


Diagram: Cisco Global Threat Intelligence Cloud feeding Visibility and Control
Control: Cisco AnyConnect, FirePOWER, Cisco CWS, Cisco WSA, Cisco ASA, Cisco ESA
Visibility: Web, Endpoints, Devices, Networks, Email, IPS

Cisco Collective Security Intelligence (information in, actions out)
1.6 million global sensors
100 TB of data received per day
150 million+ deployed endpoints
35% of worldwide email traffic
13 billion web requests
24x7x365 operations
40+ languages
More than US$100 million spent on dynamic research and development
3- to 5-minute updates
5,500+ IPS signatures produced
8 million+ rules per day
200+ parameters tracked
70+ publications produced

Cisco's Security Intelligence Operation, or SIO, is a big part of the complete security architecture that we use to protect you.

Cisco SIO provides a 24x7 view into global traffic activity, enabling Cisco to analyze anomalies, uncover new threats, and track traffic trends. It is the largest threat detection network in the world, providing proven, zero-day threat protection to all users wherever they are.

T: So, that's where our intelligence comes from, but how much do we really see?

SIO constantly refreshes the information that adds intelligence to your network security devices, every 3-5 minutes. Its inputs:
Blacklists and reputation lists of domains, URLs, IPs, and in some cases files
Spam traps, which catch emails that may not pass through our appliances
Honeypots, which find attackers so we can analyze their methods
Crawlers, which scan the web and note malicious content
Deep file inspection, which applies analytics to spot malicious content
Domain/WHOIS information, used to build a database of malicious actors and domains

Integrating OpenDNS: a diverse set of data
70B DNS requests per day
500 BGP peering partners
65M daily active users
10K enterprise customers

Products & Technologies
Umbrella (enforcement): network security service that protects any device, anywhere
Investigate (intelligence): discover and predict attacks before they happen

OpenDNS Umbrella (resolver address shown: 208.67.222.222; blocks malware, botnet and phishing domains)
A new layer of breach protection with Internet-wide visibility on and off the network
Extend ATDs (AMP Threat Grid, FireEye, Check Point) beyond the perimeter, and take immediate action on your IOCs
Identify targeted attacks by comparing your activity against the world's
Investigate related attacks using a live graph of Internet activity

OpenDNS Umbrella and Threat Grid integration: Suspect Domain Protection

Diagram: AMP Threat Grid (dynamic analysis, static analysis, threat intelligence) receives file samples from AMP Threat Grid-enabled security solutions (ASA/FirePOWER firewall appliance, FIREPOWER, Web Security, ESA e-mail security, AMP for Endpoints, mobile) and from the security analyst. Domain-based IOC data flows from Threat Grid to OpenDNS Umbrella, which protects the clients.
Benefits: immediate protection from domain-based IOCs; automated integration; full AMP solution coverage
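The domain-based IOC hand-off above (sandbox verdicts become DNS-layer blocks) is easy to get subtly wrong: a suffix or substring match on the query name flags the wrong hosts. Below is an added example, not code from this deck or from Cisco/OpenDNS, that loads a domain IOC feed and matches DNS resolver log lines against it on label boundaries. The feed format, the log layout and every line of sample data are constructed for illustration; real feeds and resolver logs differ.

```python
"""Domain IOC matching over DNS resolver logs.

Added example, not code from this deck or from Cisco/OpenDNS: it models the
hand-off the slide describes, where sandbox analysis (AMP Threat Grid) emits
suspect domains and the DNS layer (Umbrella) blocks queries for them. The IOC
feed, the log format and the log lines below are all constructed for
illustration; real feeds and resolver logs differ in layout.
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed IOC feed: one domain per line; '#' comments and blank lines allowed.
IOC_FEED = """
# domains flagged by sandbox detonation (constructed sample)
evil-c2.example
Cdn.Bad-Updates.EXAMPLE.
files.drop.test
"""

# Constructed resolver log: timestamp, client IP, query name, query type.
DNS_LOG = """
2016-03-03T10:00:01Z 10.1.2.3 www.intranet.example A
2016-03-03T10:00:02Z 10.1.2.3 beacon.evil-c2.example A
2016-03-03T10:00:03Z 10.1.2.4 notevil-c2.example A
2016-03-03T10:00:04Z 10.1.2.5 CDN.bad-updates.example. AAAA
2016-03-03T10:00:05Z 10.1.2.6 files.drop.test TXT
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize(name: str) -> str:
    """Canonical form for comparison: trimmed, no trailing dot, lower-case,
    and IDNA (punycode) encoded so internationalized names compare in the
    form the resolver actually sees."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name


def load_iocs(feed: str) -> Set[str]:
    """Parse the feed into a set of normalized domains."""
    iocs = set()
    for raw in feed.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            iocs.add(normalize(line))
    return iocs


def matching_ioc(qname: str, iocs: Set[str]) -> Optional[str]:
    """Return the IOC covering qname, or None.

    Matches the name itself or any parent domain on a label boundary:
    beacon.evil-c2.example hits evil-c2.example, while notevil-c2.example
    does not, which a naive substring or endswith() check would get wrong."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_log(log: str, iocs: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, normalized_qname, ioc) for every query that hits
    the IOC set; lines that do not fit the expected layout are skipped."""
    hits = []
    for raw in log.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        ioc = matching_ioc(qname, iocs)
        if ioc is not None:
            hits.append((client, normalize(qname), ioc))
    return hits


if __name__ == "__main__":
    for client, qname, ioc in scan_log(DNS_LOG, load_iocs(IOC_FEED)):
        print(f"{client} queried {qname}: matches IOC {ioc}")
```

The label-boundary walk is the point: `notevil-c2.example` is not a hit although it ends with the IOC string, while `beacon.evil-c2.example` is. Normalizing both feed and log names the same way (case, trailing dot, IDNA) is what keeps the comparison honest when feeds come from several tools.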

Advanced Malware Protection Everywhere: broadest deployment options, best-in-class detection, leader in security effectiveness
Dedicated FirePOWER appliance
FirePOWER Services on ASA
FirePOWER Services on ISR
Web & email security appliances
Cloud-based web security & hosted email
Private cloud
PC, Mac OS X, virtual, mobile, AnyConnect
Meraki MX (coming Q1 CY16)


Best-of-Breed Cisco Advanced Malware Protection: Continuous Protection
Seven detection features: One-to-One Signature, Fuzzy Fingerprinting, Machine Learning, Indications of Compromise, Device Flow Correlation, Dynamic Analysis, Advanced Analytics

These seven features break down into two types: reputation filtering and behavioral detection.

Reputation filtering is comprised of three key features, the first of which is One-to-One Signatures.

AMP Everywhere: AMP protection across the extended network for an Integrated Threat Defense

AMP Threat Intelligence Cloud
Endpoints: AMP for Endpoints on Windows OS, Mac OS, Android mobile, virtual, and CentOS/Red Hat Linux for servers and data centers; AMP for Endpoints can be launched from AnyConnect for remote endpoints
Network edge: AMP on Cisco ASA Firewall with Firepower Services; AMP on Firepower NGIPS appliance (AMP for Networks); AMP on ISR with Firepower Services; AMP on Web and Email Security Appliances; AMP on Cloud Web Security and Hosted Email (CWS/CTA)
Data center: AMP Private Cloud Virtual Appliance
Threat Grid: malware analysis + threat intelligence engine

With AMP Everywhere, organizations can deploy a security architecture that shares information and provides an integrated threat defense, from network edge to data center to endpoints, across all attack vectors.

When Malware Strikes, Have Answers: Where did it come from? Who else is infected? What is it doing?
Device Trajectory, File Trajectory, File Analysis, Automated Remediation

Cisco ASA with FirePOWER Services: Industry's First Threat-Focused Next-Generation Firewall

Features: Cisco ASA firewalling combined with Sourcefire Next-Generation IPS; Advanced Malware Protection (AMP); best-in-class security intelligence, application visibility and control (AVC), and URL filtering

Benefits: superior, multilayered threat protection; unprecedented network visibility; integrated threat defense across the entire attack continuum; reduced cost and complexity

Cisco Firepower Threat Defense
Fully integrated: unified management of FW / applications / IPS; Cisco AMP network / endpoint; analysis and remediation; Cisco security solutions; application-aware DDoS; networkwide visibility
Threat focused: industry-best threat protection for known and unknown threats; track / contain / recover across the attack continuum; manage, control, and investigate; automatically prioritize; automatically protect

Firepower NGFW doesn't just deliver on our convergence story; it also delivers a fully integrated threat protection platform. Integration extends beyond security services alone and includes integration across networks and endpoints and with other Cisco security solutions. Our threat-focused capabilities are industry leading for both known and unknown threats via the NGIPS and AMP functions. Unified management is new with Firepower NGFW and the 6.0 release of Firepower Management Center: now just one policy for firewall, threat, and file disposition, in a single interface.

Converged Software: Firepower Threat Defense
New converged software image: contains all Firepower Services plus select ASA capabilities
Single manager: Firepower Management Center (also manages Firepower appliances and Firepower Services, not ASA software)
Same subscriptions as FirePOWER Services, enabled by Smart Licensing: Threat (IPS + SI + DNS), Malware (AMP + ThreatGrid), URL Filtering

So what is included in this converged software, which we are calling Firepower Threat Defense? It contains all the Firepower Services capabilities we've spoken about today, along with select ASA functionality.

It is managed by a single manager, Firepower Management Center 6.0 (the renamed FireSIGHT Management Center). This same manager also manages Firepower appliances and Firepower Services, but not the ASA software itself.

How is it licensed? We are using the same subscriptions as Firepower Services, now provided via Smart Licensing: Threat (IPS), Malware (AMP) and URL Filtering. As mentioned before, the Firepower Threat Defense converged software image starts with early customer trials beginning with the Firepower 6.0 release in Q4 of this calendar year.

ISE is the cornerstone of your Cisco solutions
Diagram: ISE supplies who / what / where / when / how context, before, during and after an attack, to Netflow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA and FirePOWER Services.

ISE is an enabler of many other Cisco security solutions by providing them with better visibility, context, and control. With ISE, you can optimize downstream security services. It really serves as the cornerstone for a context and policy architecture, leveraging pxGrid technology to make security solutions context-aware. With the ability to connect these disparate solutions, ISE can help accelerate the security capabilities and reduce the overall time-to-attribution and time-to-remediation for advanced network threats, including containing malicious threats through dynamic segmentation with Cisco TrustSec-enabled hardware.

And easily integrates with partner solutions
Diagram: the ISE pxGrid controller shares who / what / where / when / how context with Cisco Meraki and with partner platforms in these categories: SIEM, EMM/MDM, firewall, vulnerability assessment, threat defense, IoT, IAM/SSO, PCAP, web security, CASB, performance management.

One of the major problems that enterprises face is that they have multiple security vendors and all of these disparate solutions work independently of each other. Cisco ISE and Cisco pxGrid are designed to confront that challenge head-on with an ecosystem covering a broad range of technologies and vendor partners that comprise customer IT environments.

When partner platforms integrate with Cisco ISE, there are three powerful benefits to enterprises:

1) ISE makes partners context-aware. Contextual awareness offers deeper insight into the context surrounding a security event. Many partner platforms provide IP or MAC addresses as key identifiers. How much easier would it be to triage security events if you knew that an event was tied to a person, device, and location?

2) Partner data improves ISE network access policy. With more data from more places, it's possible to fine-tune ISE access policy even more granularly to ensure that the right level of access is being provided at any given moment.

3) Partner platforms can take action with ISE. Quickest way to minimize time-to-attribution and time-to-remediation? Link a partner platform with ISE. The partner platform gains the context to identify the threat more accurately, as well as the capability to send a signal to ISE to quarantine or kick a delinquent actor off the network.

T: And the ISE story doesn't stop here.

Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Diagram: ISE, the Cisco network and the Cisco and partner ecosystem exchange who / what / where / when / how context through the pxGrid controller.
1) ISE collects contextual data from the network
2) Context is shared via pxGrid technology
3) Partners use context to improve visibility to detect threats
4) Partners can direct ISE to rapidly contain threats
5) ISE uses partner data to update context and refine access policy

Cisco Platform Exchange Grid (pxGrid) enables multivendor, cross-platform network system collaboration among parts of the IT infrastructure such as security monitoring and detection systems, network policy platforms, asset and configuration management, identity and access management platforms, and virtually any other IT operations platform.

When business or operational needs arise, ecosystem partners can use pxGrid to share contextual information with Cisco platforms that use pxGrid as well as any ecosystem partner system that uses pxGrid. Cisco pxGrid provides a unified framework that enables ecosystem partners to integrate to pxGrid once, then share context bidirectionally with many platforms without the need to adopt platform-specific APIs. Partners can also direct ISE to take remediation or other network action along the same channels of communication. Then, ISE can use the partner data to update context and refine access policies, resulting in tighter, more comprehensive security.

pxGrid is secured and customizable: partners share only the context they choose to publish and consume only the context relevant to their platform. This level of customizability ensures scalability when integrating with one or many systems. Furthermore, pxGrid enables ecosystem partner platforms to execute network actions with the Cisco network infrastructure.

T: pxGrid really turns ISE into an enabler of your overall security system.

Telemetry sharing using pxGrid, with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE): enhance web access policy with user and device awareness

Feature highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies.

Benefits: integrate with Cisco Web Security Appliance to control who can access what on the web; retrieve classification data from ISE over pxGrid; use TrustSec for policy classification abstraction and ease of operations.

Capabilities:
Simplify administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when, and from what devices users access web resources.

Diagram: ISE tells the WSA who (Doctor, Guest), what (laptop, iPad) and where (office); the WSA applies policy to requests for the Confidential Patient Records and the Employee Intranet accordingly.


Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE): automatically defend against threats with FMC and ISE

Feature highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity, based on pre-defined security policies.

Benefits: integrate with Cisco Advanced Malware Protection (AMP) for malware protection; trigger quarantine actions per policy with the Cisco FireSIGHT and ISE integration; leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.

Capabilities:
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: ISE Adaptive Network Control (ANC) alerts the network of suspicious activity according to policy.

Flow (diagram):
1) A corporate user downloads a file.
2) FMC scans the user activity and the downloaded file.
3) FMC detects a suspicious file and alerts ISE over pxGrid; the endpoint's Security Group Tag (SGT) is changed to Suspicious.
4) Based on the new tag, ISE automatically enforces policy on the network: the device is contained for remediation or mitigation, and access is denied per security policy.

ISE 2.0 integrates with Cisco Firepower Management Center to deliver rapid threat containment, which basically enables the network itself to inspect and act as an enforcer of user access.

In the use case included here, FireSIGHT Management Center is able to scan the activity of authorized users across all approved devices that are connected to the corporate network. Whenever suspicious activity, malware, or any other potential threat is detected, FMC alerts ISE using pxGrid, and the endpoint's Security Group Tag is automatically changed to Suspicious. Based on that new SGT, ISE automatically enforces policy on the network. According to policy, the device is contained for remediation or mitigation.

Through the automated inspection and enforcement of network access policy, FireSIGHT and ISE provide greater network security through early threat detection and rapid threat containment.

Finally, customers have the ability to leverage Cisco's growing partner ecosystem to implement the rapid threat containment solution that is best for their current infrastructure and business needs. Cisco has a rapidly growing ecosystem of partners that leverage ISE and pxGrid to deliver rapid threat containment.
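The containment step above (a detection event turns into an ISE ANC action that re-tags and isolates the endpoint) is exactly the kind of automation that needs guardrails, since a false positive becomes a self-inflicted outage. The following is an added example, not code from this deck or from Cisco's FMC/ISE integration: it takes a batch of constructed FMC-style malware events, filters them by disposition and by an allow/deny scope of subnets, de-duplicates by MAC, and builds the ISE ERS ANC "apply policy to endpoint" request. The event shape, `ISE_HOST`, the credentials and the `Quarantine` policy name are placeholders; the ERS call is written as this author understands the ISE ANC API and should be verified against the ISE version in use.

```python
"""Rapid threat containment: FMC-style malware event -> ISE ANC quarantine.

Added example, not code from this deck or from Cisco's FMC/ISE integration.
The event records below are a constructed stand-in for what FMC publishes;
the ISE side uses the ERS Adaptive Network Control (ANC) call as this author
understands it (PUT /ers/config/ancendpoint/apply with macAddress and
policyName), which should be verified against the ISE version in use.
ISE_HOST, the credentials and the ANC policy name are placeholders.
"""
import base64
import ipaddress
import json
import re
import ssl
import urllib.request
from typing import Dict, List, Optional

ISE_HOST = "ise.example.internal"        # placeholder hostname
ANC_POLICY = "Quarantine"                # ANC policy assumed to exist on ISE
ACTIONABLE_DISPOSITIONS = {"Malware"}    # never act on Unknown or Clean

# Guardrails so a false positive cannot take down servers or infrastructure:
# only user subnets may be auto-contained, and some ranges never are.
CONTAINABLE = [ipaddress.ip_network("10.1.0.0/16")]
NEVER_CONTAIN = [ipaddress.ip_network("10.1.250.0/24")]  # e.g. domain controllers
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

# Constructed events (the shape is illustrative, not FMC's real schema).
EVENTS = [
    {"disposition": "Malware", "src_ip": "10.1.2.3",
     "src_mac": "00-11-22-33-44-55", "sha256": "a" * 64},
    {"disposition": "Unknown", "src_ip": "10.1.2.4",
     "src_mac": "00:11:22:33:44:66", "sha256": "b" * 64},
    {"disposition": "Malware", "src_ip": "10.1.250.10",
     "src_mac": "00:11:22:33:44:77", "sha256": "c" * 64},
    {"disposition": "Malware", "src_ip": "10.1.2.3",         # repeat of the first
     "src_mac": "00:11:22:33:44:55", "sha256": "d" * 64},
]


def normalize_mac(mac: str) -> str:
    """ISE expects colon-separated upper-case MAC addresses."""
    return mac.replace("-", ":").upper()


def skip_reason(event: Dict) -> Optional[str]:
    """Return None when the event warrants containment, else why it is skipped."""
    if event.get("disposition") not in ACTIONABLE_DISPOSITIONS:
        return "disposition not actionable"
    if not MAC_RE.match(event.get("src_mac", "")):
        return "no usable MAC address"
    ip = ipaddress.ip_address(event["src_ip"])
    if any(ip in net for net in NEVER_CONTAIN):
        return "host on never-contain list"
    if not any(ip in net for net in CONTAINABLE):
        return "host outside containable scope"
    return None


def anc_apply_request(mac: str, policy: str = ANC_POLICY) -> Dict:
    """Build the ERS ANC 'apply policy to endpoint' request (no I/O here)."""
    return {
        "method": "PUT",
        "url": f"https://{ISE_HOST}:9060/ers/config/ancendpoint/apply",
        "body": {"OperationAdditionalData": {"additionalData": [
            {"name": "macAddress", "value": mac},
            {"name": "policyName", "value": policy},
        ]}},
    }


def plan_containment(events: List[Dict]) -> List[Dict]:
    """Turn a batch of events into de-duplicated ANC requests."""
    plan, seen = [], set()
    for ev in events:
        if skip_reason(ev) is not None:
            continue
        mac = normalize_mac(ev["src_mac"])
        if mac in seen:
            continue                     # one action per endpoint per batch
        seen.add(mac)
        plan.append(anc_apply_request(mac))
    return plan


def send(request: Dict, user: str, password: str, ctx: ssl.SSLContext) -> int:
    """Send one planned request to ISE with HTTP basic auth (ERS must be
    enabled and the account must hold the ERS Admin role). Returns the status."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        request["url"], method=request["method"],
        data=json.dumps(request["body"]).encode(),
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Dry run: print what would be sent instead of sending it.
    for planned in plan_containment(EVENTS):
        print(planned["method"], planned["url"], json.dumps(planned["body"]))
```

Of the four constructed events only one produces a request: the Unknown disposition is ignored, the host in the never-contain range is protected, and the repeated endpoint is collapsed to a single action. Pass a verifying `ssl.create_default_context()` (loaded with the ISE certificate chain) to `send`; do not disable verification for a call that can knock hosts off the network.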

Firepower and ISE Rapid Threat Containment
Network as an Enforcer = industry-leading automation
Diagram: Compromise, then Detection (FireSIGHT raises an alert and shares threat data), then Dynamic Containment with the network as an enforcer (switch, router, VPN & firewall, wireless controller), then Mitigation.

Example Capabilities Architected into the Network Fabric
Network as a Sensor: detect anomalous traffic flows, rogue devices/APs, user access policy violations
Network as an Enforcer: reduce lateral movement, enforce dynamic granular access control, compliance adherence
Accelerate Containment: automate quarantine, traffic redirection, real-time application of ACLs

Integrated Solutions


Working together to create a Security Architecture (diagram)
Cisco ASA w/FirePOWER, Cisco Web & Email Security, Cisco NGIPS
Common identity, policy and context sharing
Malware prevention / sandboxing: Cisco AMP
Cisco Network Integration
Cisco TrustSec
Cisco Identity Services: ISE, context-aware segmentation, wired/wireless and VPN
Cisco Collective Security Intelligence
Pervasive & integrated across the portfolio: context, visibility, Cisco AMP client

Data gathering and telemetry focused on the threat. Causes slip through: visually show what others are dealing with, but that it is not shared.

Summary

Comprehensive Capability
Security capabilities: NGFW/NGIPS, Advanced Threat, Policy and Access, Web, Email, UTM
Integrated Threat Defense: Open | Pervasive | Integrated | Continuous

3/2/16 Cisco Live 2013

Massive Innovation and Investment
Hosted Identity Services
ThreatGRID appliance
Advanced Threat Analytics
RadWARE and ZIX partnerships
Cisco ASA with FirePOWER Services
Network as a Sensor and Enforcer
ACI integration with ASA and FirePOWER
Neohapsis and OpenDNS acquisitions
AMP Everywhere
Acquisition of Lancope and Portcullis
FirePOWER Services on ISR
New platforms (ASA 5506, 5508, 5516, 5506-H, & FirePOWER 9300)
AMP in AnyConnect