Cisco Connect 2018 Thailand - Security automation and programmability mr. khoo boo leng_cisco
Automation & Programmability Network Security
Khoo Boo Leng (khoo@cisco.com)
Technical Solution Architect APJ GSP Architecture
Digitization Is Disrupting The SP business
• The world has gone mobile
• Traffic growth, driven by video
• Rise of cloud computing
• Machine-to-Machine
• Changing Customer Expectations: Ubiquitous Access to Apps & Services
• 10X Mobile Traffic Growth From 2013-2019
• Changing Enterprise Business Models: Efficiency & Capacity
• Soon to Change SP Architectures/Service Delivery
• Emergence of the Internet of Everything: People, Process, Data, Things
[Chart: Petabytes per Month, 2013-2018; Internet Video (57%, 75%) vs Other (43%, 25%); 23% Global CAGR 2013-2018]
• Dynamic Threat Landscape
• Increasing Threat Sophistication
• Risks to Service Providers and Their Customers
In Spite of Layers of Defense
• Malware is getting through control-based defenses
• Malware Prevention is NOT 100%
• Breach: existing tools are labor intensive and require expertise
• Each stage represents a separate process silo attackers use to their advantage.
Attack Continuum
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
SP’s Are Approaching NFVi & Automation in Multiple Ways
Different solutions required to address different “Buying Centers”
▪ Infrastructure Led (Hardware, VIM (OpenStack) and SDN Controller)
• Bottom-up approach
• Buying Center – Network & DC infrastructure team
• Emerging trend, needs packaging
▪ Orchestration Led (includes VNF-M and NFV Orchestrator)
• Common MANO solution for different use cases
• Buying Center – NMS/OSS team
• Modular offer with NSO, ESC, CTCM
▪ Use Case Led (use case specific, e.g. vMS, VPC)
• Top-down approach
• Business outcome driven
• Buying Center – BU/Biz Vertical
• We are leading with vMS & Mobility
Infrastructure led approach aka NFVI is gaining prominence!
Automation & Programmability Security Exploit
• AutoSploit automates the exploitation of remote hosts
• Targets are collected automatically as well by employing the Shodan.io API
• Metasploit modules will run programmatically, comparing the name of the module to the initial search query
It’s all about context
▪ Event
• Event: Attempted Privilege Gain
• Target: 96.16.242.135
▪ Event + network context
• Event: Attempted Privilege Gain
• Target: 96.16.242.135 (vulnerable)
• Host OS: iPhone
• Apps: Mail, Browser, Twitter
• Location: Whitehouse, US
▪ Event + network & user context
• Event: Attempted Privilege Gain
• Target: 96.16.242.135 (vulnerable)
• Host OS: iPhone
• Apps: Mail, Browser, Twitter
• Location: Whitehouse, US
• User ID: dtrump
• Full Name: Donald Trump
• Department: Executive Office
Context has the capability of fundamentally changing the interpretation of your event data.
Key Security Focus
▪ Visibility: “See Everything”
• Complete visibility of users, devices, networks, applications, workloads and processes
▪ Threat protection: “Stop the Breach”
• Quickly detect, block, and respond to attacks before hackers can steal data or disrupt operations
▪ Segmentation: “Reduce the Attack Surface”
• Prevent attackers from moving laterally east-west with application whitelisting and micro-segmentation
Network as a Sensor: Gain Visibility, Intelligence, and Automation
Leverage information from other solutions to gain complete network visibility and security analytics
▪ Company / Host: everything must touch the network; know every host
▪ Access Audit: record every conversation; understand what’s normal
▪ Posture: get alerted to change
▪ Detect: provides unique visibility into what’s happening across your entire network
▪ Visibility and Analytics
• Detects anomalies and threats faster with real-time analysis and advanced forensics capabilities
• Generates notifications automatically when anomalies are detected on the network
Network as an Enforcer: Consistently Apply Policy, Control Access to Resources, & Block Attacks
• Consistently delivers security policy across branch, campus, data center, and cloud
• Simplifies network segmentation with a software-defined approach
• Shrinks the attack surface by preventing lateral movement of potential threats
TrustSec: Segmentation Policy Enforced Across the Extended Network (Switch, Router, VPN and Firewall, DC Switch, Wireless Controller)
Control access to network segments and resources according to your security policy by working with ISE
The Need For Integrated Threat Defense
• Integrated Management
• Global & Local Threat Intelligence: Raw Data, Threat Research, Analytics
• Network Platforms, Cloud Platform, Endpoint Platform
• Services: DDoS | WAF | LB/ADC | Anti-Virus | SaaS Visib | DLP | FPC | FW/NGFW | NGIPS | Web | Email | Adv. Malw | Access
Shrink the Time to Detect and Contain: Shared Visibility and Context, Analytics, and Automation (Telemetry, Intelligence)
• Layers: SERVICES LAYER, ANALYTICS LAYER, ENFORCEMENT LAYER
• Components: Behavioral Threat Analytics, Network Behavioral Analytics, Network Enforcement & Malware Detection, Malware Sandboxing (Adv. Threat Protect.)
Integration Through Context Sharing (Network as an Enforcer)
1. Get Information: solutions such as Vulnerability Assessment, Firepower, Stealthwatch (plus SIEM, Firepower Firewall, custom detection, threat/security intelligence) detect malicious activity
2. CoA Triggered: ISE through pxGrid receives information on the threat
3. User Isolated: Change of Authorization of the machine causing the issue, enforced on the network (Switch, Router, DC FW, DC Switch, Wireless)
Automatic or Initiated by IT Admin, ~5 seconds
Securing Automation & Programmability Network
Multiple layers of security to protect NFVi & SDN:
1. Securing Controller
2. Securing Infrastructure
3. Securing Network Services
4. Securing Application
5. Securing Management & Orchestration
6. Securing API
7. Securing Communication
8. Security Technologies
Securing Infrastructure
▪ Secure Operation
• Keep device OS up to date
• Monitor PSIRT and perform bug scrub
• Centralize log collection and monitoring
• Configuration Management
▪ Management Plane
• Use secure protocols to manage infrastructure: SSH, SCP, HTTPS, SNMPv3, with ACL to restrict access
• Control management and monitor sessions with AAA
• Use encrypted local passwords
• Protect Console, AUX and VTY
• Disable unused services, no initial configuration via TFTP
▪ Control Plane
• Protect control plane: CoPP, routing protocol security, FHRP security
• Disable ICMP redirects, ICMP unreachables, proxy ARP
• Securing routing protocols: peer authentication, route filtering, managing resource consumption
▪ Data Plane
• Protect data plane: DAI, IP Source Guard, Port Security, unicast RPF etc.
• Infrastructure ACLs, anti-spoofing ACLs, for hardening of devices
• Disable IP source routing
• Private VLAN
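The management-, control- and data-plane items above can be checked mechanically against a device's running configuration. What follows is an added example, not Cisco's code or tooling: a small Python audit that parses an IOS-style configuration and reports which items from the list are missing. The configuration it inspects is constructed for the example; the commands it looks for are standard IOS CLI (service password-encryption, aaa new-model, no ip source-route, no ip redirects / unreachables / proxy-arp, access-class on VTY lines, snmp-server group ... v3 priv, service-policy under control-plane), and the mapping from checklist item to command is my reading of the slide, not the slide's own.

```python
"""Audit an IOS-style running-config against the management-, control- and
data-plane hardening items listed on the slide. Added example, not Cisco's
code; the sample configuration below is constructed for illustration."""

# Constructed sample: a partially hardened device. Deliberate gaps: an SNMPv2c
# community, a VTY line without an access-class, IP source routing still
# enabled, GigabitEthernet0/1 without ICMP/proxy-ARP hardening, and no CoPP.
SAMPLE_CONFIG = """\
version 15.2
service password-encryption
hostname edge-rtr1
aaa new-model
no ip http server
ip http secure-server
snmp-server community public RO
snmp-server group NETMON v3 priv
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast source reachable-via rx
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
line con 0
 exec-timeout 5 0
line vty 0 4
 transport input ssh
!
end
"""


def parse_config(text):
    """Split an IOS-style config into top-level lines and their indented
    sub-blocks. Returns (globals, blocks): the list of top-level lines and a
    dict mapping each block-opening line to its child lines."""
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        globals_.append(line)
        current = line
        blocks.setdefault(current, [])
    return globals_, blocks


def audit(text):
    """Return a list of hardening findings; an empty list means every check passed."""
    globals_, blocks = parse_config(text)
    findings = []

    # --- Management plane ---
    if "service password-encryption" not in globals_:
        findings.append("local passwords are not encrypted (service password-encryption)")
    if "aaa new-model" not in globals_:
        findings.append("AAA is not enabled (aaa new-model)")
    if "ip http server" in globals_:
        findings.append("cleartext HTTP management enabled (ip http server)")
    if any(l.startswith("service config") for l in globals_):
        findings.append("initial configuration via TFTP enabled (service config)")
    for l in globals_:
        if l.startswith("snmp-server community"):
            findings.append("SNMPv1/v2c community configured: %s" % l)
    if not any(l.startswith("snmp-server group") and " v3 priv" in l for l in globals_):
        findings.append("no SNMPv3 group with authentication and privacy (priv)")
    for opener, children in blocks.items():
        if opener.startswith("line vty"):
            if "transport input ssh" not in children:
                findings.append("%s: transport input is not restricted to SSH" % opener)
            if not any(c.startswith("access-class") and c.endswith(" in") for c in children):
                findings.append("%s: no inbound access-class ACL" % opener)

    # --- Control plane ---
    if not any(c.startswith("service-policy input") for c in blocks.get("control-plane", [])):
        findings.append("no CoPP policy applied under control-plane")

    # --- Data plane ---
    if "no ip source-route" not in globals_:
        findings.append("IP source routing is enabled (missing no ip source-route)")
    for opener, children in blocks.items():
        if opener.startswith("interface") and any(c.startswith("ip address") for c in children):
            for cmd in ("no ip redirects", "no ip unreachables", "no ip proxy-arp"):
                if cmd not in children:
                    findings.append("%s: missing %s" % (opener, cmd))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed configuration it reports seven findings (the SNMPv2c community, the VTY line without an ACL, the missing CoPP policy, IP source routing, and the three missing interface commands on GigabitEthernet0/1) and none for GigabitEthernet0/0; feeding it `show running-config` output from a real device works the same way, since only the top-level/indented structure is assumed.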
Securing Application, Services & Software Development Life Cycle
▪ Application Security
• Digital Signing of Code
• Certification Process
• Resource Allocation
• Code Isolation
• Strong Typing
• AAA (PKI)
▪ Underlying Platform Security
• Keep system updated, apply patches & fixes
• Strong passwords
• Disable unnecessary protocols, services and ports
• Authentication, Authorization and Accounting, with RBAC
• Enable host-based firewall, allow only required ports
▪ Secure Development Lifecycle
• Threat Modeling
• Understanding and prioritizing risk
• Threat, Mitigation, Test
▪ Secure Design Principles
• Principle of Least Privilege
• Fail Safely
• Economy of Mechanism
• Avoid (in)Security by Obscurity
• Psychological Acceptability
• Defense in Depth
• Perform Static Code Analysis: Buffer Overflow, Resource Leaks, Null Pointer Dereference
• Follow Secure Coding Guidelines
Cisco Secure Development Lifecycle (CSDL)
Securing Orchestration / Automation / Provisioning / API & Communications
• Orchestration and Automation servers should reside on a secure management network, protected by a firewall.
• Use Authentication, Authorization and Accounting; assign Role-Based Access Control with least privilege
• Ensure hardening of the underlying platform: disable unused services, configure a host-based firewall and allow only required ports, use logging and monitoring, use NTP
• Enforce strong passwords
• Use secure communication protocols between portal, orchestrator and element managers
• Ensure configuration and change management is in place.
• Consider a High Availability solution
• Use authentication and authorization
• Use encryption: Transport Layer Security, SSL, SSH, HTTPS
• Revocation of access and authorization using OCSP
• Proactively using policy, or reactively as a mitigation option to an attack
• Logging of authentication and authorization
• Manageability / Scalability
▪ Transport
Attack
• URL/message body modification
• Learn confidential information
Mitigation
• Use secure transport (HTTPS)
• Education
▪ Infrastructure
Attack
• Denial of Service
• Too many messages
• Too many connections
• Very large payloads
• Crafted inputs that can cause system crashes
Mitigation
• Rate limiting
• Threat analysis of your infrastructure
• Input validation
▪ Authorization and Authentication
Attack
• Brute force
• Phishing
• Privilege escalation
Mitigation
• Strong authentication
• RBA
• Least privilege principle
Attack
• Info leakage via payload or error messages
Mitigation
• Review outbound data (error messages, payload)
▪ Input Validation
Attack
• SQL injections
• XSS
• Buffer overflow attacks
Mitigation
• Input validation; see https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
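The API mitigations on these slides (rate limiting, rejecting very large payloads, allow-list input validation, and reviewing outbound error messages so they leak nothing) fit together in a single request gate in front of an orchestration endpoint. The following Python is an added example, not code from the presentation or from any Cisco product: the "provision service" request schema, its field names and the limits are hypothetical, and the requests in the demonstration are constructed.

```python
"""Defensive request gate for a REST endpoint: per-client rate limiting, a
payload size cap, strict allow-list input validation, and error responses
that keep detail server-side. Added example illustrating the slide's
mitigations; not Cisco's code. The request schema and limits are hypothetical."""
import json
import re

MAX_BODY_BYTES = 4096            # reject very large payloads before parsing
RATE_CAPACITY = 5                # burst size per client
RATE_REFILL_PER_SEC = 1.0        # sustained requests per second per client
HOSTNAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


class TokenBucket:
    """Per-client token bucket: each request costs one token."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.state = {}      # client_id -> (tokens, last_refill_time)

    def allow(self, client_id, now):
        tokens, last = self.state.get(client_id, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens < 1:
            self.state[client_id] = (tokens, now)
            return False
        self.state[client_id] = (tokens - 1, now)
        return True


def validate_provision_request(doc):
    """Allow-list validation of a hypothetical 'provision service' body.
    Returns a list of problems; an empty list means the document is acceptable."""
    if not isinstance(doc, dict):
        return ["body must be a JSON object"]
    problems = []
    unknown = set(doc) - {"hostname", "vlan", "description"}
    if unknown:
        problems.append("unexpected fields: %s" % ", ".join(sorted(unknown)))
    hostname = doc.get("hostname")
    if not isinstance(hostname, str) or not HOSTNAME_RE.match(hostname):
        problems.append("hostname must be a single DNS label")
    vlan = doc.get("vlan")
    if not isinstance(vlan, int) or isinstance(vlan, bool) or not 1 <= vlan <= 4094:
        problems.append("vlan must be an integer between 1 and 4094")
    desc = doc.get("description", "")
    if not isinstance(desc, str) or len(desc) > 128 or not desc.isprintable():
        problems.append("description must be printable text of at most 128 characters")
    return problems


class RequestGate:
    def __init__(self):
        self.bucket = TokenBucket(RATE_CAPACITY, RATE_REFILL_PER_SEC)
        self.log = []        # constructed stand-in for server-side audit logging

    def handle(self, client_id, body, now):
        """Return (HTTP status, response dict). Validation detail goes to the
        server-side log; the client only sees a generic message plus a
        correlation id, so error text cannot echo input or internals."""
        if not self.bucket.allow(client_id, now):
            return 429, {"error": "rate limit exceeded"}
        if len(body) > MAX_BODY_BYTES:
            return 413, {"error": "payload too large"}
        try:
            doc = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return 400, {"error": "malformed request"}
        problems = validate_provision_request(doc)
        if problems:
            ref = "req-%d" % len(self.log)
            self.log.append((ref, client_id, problems))   # detail stays server-side
            return 400, {"error": "invalid request", "ref": ref}
        return 200, {"status": "accepted", "hostname": doc["hostname"]}


if __name__ == "__main__":
    gate = RequestGate()
    good = b'{"hostname": "pe1-bkk", "vlan": 100, "description": "customer A"}'
    print(gate.handle("client-a", good, 0.0))
    print(gate.handle("client-a", b'{"hostname": "pe1; drop table", "vlan": "100"}', 0.1))
```

The order of the checks is deliberate: the rate limiter runs first so that a flood of oversized or malformed bodies still costs the client a token, the size cap runs before `json.loads` so the parser never sees a multi-megabyte document, and the client-facing error carries only a correlation id that an operator can look up in `gate.log`.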
Automated remediation flow (components: MnT, FMC, Controller, WWW, NGFW, i-Net, Servers or End User)
1. Security Events / IOCs Reported
2. Correlation Rules Trigger Remediation Action
3. pxGrid EPS Action: Quarantine + Re-Auth
4. Endpoint Assigned Quarantine + CoA-Reauth Sent
Stealthwatch (SW) flow (components: FMC, Controller, WWW, NGFW, i-Net, Flow Collector, Servers or End User)
1. SW is Analyzing Flows from Flow Collector
2. SW is Also Merging Identity Data from ISE
3. Admin is Alerted of Suspicious Behavior
4. Admin Initiates Endpoint Quarantine (EPS over pxGrid)
5. Endpoint Assigned Quarantine + CoA-Reauth Sent
6. New Traffic Rules apply to the new state of the endpoint
• 6a. Could Deny Access (ingress)
• 6b. Could Filter it within network (egress)
Threat Intelligence Integration (components: MnT, FMC, Controller, WWW, NGFW, i-Net, Servers or End User)
1. Threat / IOCs Reported
2. Correlation Rules Trigger Remediation Action
3. pxGrid EPS Action: Quarantine + Re-Auth
4. Endpoint Assigned Quarantine + CoA-Reauth Sent
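The "It's all about context" slide and the remediation flows above describe one pipeline: a raw event is joined with network context (vulnerability state, host details) and user context (identity from ISE), and a correlation rule then decides whether the endpoint is quarantined, an admin is alerted, or the event is only logged. The following Python is an added example of that pipeline, not Cisco, ISE or pxGrid code: the asset inventory, identity sessions, events and the scoring rule are all constructed, and the output is a decision record rather than an EPS API call.

```python
"""Context enrichment and correlation leading to a remediation decision.
Added example for the 'It's all about context' slide and the pxGrid EPS
remediation flows; not Cisco, ISE or pxGrid code. Every record and the
correlation rule are constructed; the result is a decision record, not an
API call."""
from dataclasses import dataclass, field

# Constructed stand-ins for the two context sources the slides name:
# network context (vulnerability assessment / asset inventory) and
# user context (identity sessions, as learned from ISE).
ASSET_INVENTORY = {
    "10.10.5.23": {"host_os": "iPhone", "apps": ["Mail", "Browser", "Twitter"],
                   "location": "HQ", "vulnerable": True},
    "10.10.5.40": {"host_os": "Linux", "apps": ["sshd"], "location": "DC",
                   "vulnerable": False},
}
IDENTITY_SESSIONS = {
    "10.10.5.23": {"user_id": "jdoe", "department": "Executive Office"},
    "10.10.5.40": {"user_id": "svc-backup", "department": "IT"},
}
HIGH_VALUE_DEPARTMENTS = {"Executive Office", "Finance"}


@dataclass
class Event:
    name: str
    target_ip: str
    severity: int                          # 1 (low) .. 4 (critical)
    context: dict = field(default_factory=dict)


def enrich(event):
    """Join network and user context onto the event when the target is known.
    Returns a label naming the context level that was available."""
    net = ASSET_INVENTORY.get(event.target_ip)
    usr = IDENTITY_SESSIONS.get(event.target_ip)
    if net:
        event.context.update(net)
    if usr:
        event.context.update(usr)
    return "event+network+user" if usr else "event+network" if net else "event"


def correlate(event):
    """Hypothetical correlation rule. The raw severity is raised by one for a
    vulnerable target and by one for a high-value user, so the same raw event
    lands in a different bucket depending on the context joined to it."""
    ctx = event.context
    score = event.severity
    if ctx.get("vulnerable"):
        score += 1
    if ctx.get("department") in HIGH_VALUE_DEPARTMENTS:
        score += 1
    if score >= 5:
        action = "quarantine"          # EPS quarantine + CoA re-auth, automatic
    elif score >= 3:
        action = "alert"               # admin decides, as in the Stealthwatch flow
    else:
        action = "log"
    return {"action": action, "target": event.target_ip,
            "user_id": ctx.get("user_id"), "score": score, "event": event.name}


def run_pipeline(events):
    """Enrich and correlate each event; return the decisions in input order."""
    decisions = []
    for ev in events:
        level = enrich(ev)
        decision = correlate(ev)
        decision["context_level"] = level
        decisions.append(decision)
    return decisions


# Constructed sample: the same raw event against three different targets.
SAMPLE_EVENTS = [
    Event("Attempted Privilege Gain", "10.10.5.23", 3),
    Event("Attempted Privilege Gain", "10.10.5.40", 3),
    Event("Attempted Privilege Gain", "10.10.9.9", 3),   # host unknown to both sources
]

if __name__ == "__main__":
    for decision in run_pipeline(SAMPLE_EVENTS):
        print(decision)
```

Only the first target reaches the quarantine threshold: the event is identical in all three cases, and it is the joined context (vulnerable host, executive user) that moves it from "alert" to "quarantine", which is the point the context slide makes. In a real deployment the `quarantine` decision would be handed to the enforcement point (the pxGrid EPS action on the slides) and the decision record kept as the audit trail for the CoA.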
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Summary: Advanced Intelligence & Integrated Defense
• Shared intelligence
• Shared contextual awareness
• Consistent policy enforcement
Firepower Management Center, Talos, Firepower 4100 Series, Firepower 9300 Platform; Visibility; Radware DDoS; Network analysis; Email Threats; Identity & NAC; DNS; Firewall; URL
Validated By EANTC/Light Reading
Enterprise, Endpoints & Sensors; Access; Transport – Core & SP; DC/Cloud; Leased BH or Internet; Management and Orchestration
1. Security effectiveness
2. Chaining and stitching
3. Orchestrating in SDN and NFV
4. Multi-tenant
5. Performance, scalability, and resiliency
http://www.lightreading.com/nfv/nfv-tests-and-trials/testing-ciscos-virtualized-security-products/v/d-id/721575?