Cisco Connect 2018 Thailand - Cybersecurity strategy an integrated approach khun pichaiwood prabudhanitisarn_cisco
- 1. Pichaiwood Prabudhanitisarn Cybersecurity Specialist April 2018 Creating an Effective Security Architecture Cybersecurity Strategy An Integrated Approach
- 2. Last 20 years of security: Got a problem? Buy a Box Firewall
- 3. Same Old Song and Dance 2000âs Application Control FW/VPN IDS / IPS UTM NAC AV PKI 1980âs 2010âs 1990âs Sandboxing
- 4. The Existing Security Stack⊠Firewall VPN Email Security Web Security DLP SIEM Replacement Box Failover Persistent Threats IDS Firewall 2.0 VPN 2.0 Email Security 2.0 Web Security 2.0 DLP 2.0 SIEM 2.0 Replacement Box 2.0 Failover 2.0 Persistent Threats 2.0 IDS 2.0
- 5. Why a Security Architecture? Ability to Defend Getting More Complex âą Attack Surface Diversity: Growing exponentially due to IoT, SaaS / IaaS, and personal device trends âą Threats: Continuous rise in sophistication of attackers combined with rapid evolution of attacker techniques and tools âą Detection: Efficacy of classical detection methods eroding âą User Behavior: No longer constrained to IT controlled places, apps or devices The Security Effectiveness Gap
- 6. Process of Attacks Research, and select targets Pair remote access malware with exploits Deliver cyberweapons by email, website and attachments Install payloads to gain persistent access
- 7. Source: Verizon 2014 Data Breach Investigations Report Time to compromise Time to discovery25% 50% 75% 100% 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Percent of breaches where time to compromise (orange)/ time to discovery (blue) was days or less Time to Detection 100Industry Days Industry Result
- 8. Integration = Effective Security
- 9. APIâs Alone are not the Answer
- 10. Multiple features within the same product Solution Management Multiple products that work together Unified configuration and reporting Functional Integration has to have Layers
- 11. Event information improves visibility Threat Intelligence speeds time to detection Automated Policy changes allow faster response Contextual Awareness builds granular controls across the network Sharing Data Through Integration
- 12. Threat Grid Sourcefire 2013 2016 Portcullis OpenDNS Lancope Neohapsis Cloudlock 2014 2015 AMP Everywhere; OpenAppID Talos established Cisco ASA with Firepower Services Integrated Threat Defense Vision; AMP Threat Grid Firepower NGFW unveiled Network as a Sensor and Enforcer Cisco Umbrella SIG Identity Services Engine 2.0 Integration has Driven Ciscoâs Portfolio Growth
- 13. Unified Management Endpoint CloudNetwork Visibility Threat Intelligence - Services Integrated Architectural Approach
- 14. UTM Network Analytics Advanced Malware Secure Internet Gateway WebW W W Policy and Access Email NGFW/ NGIPS Cloud Access Security Premiere Portfolio in the Industry
- 15. Functional Integration: Talos Threat Intelligence 221BTotal Threats 1.4M AV Blocks Per Day 2.6M Blocks Per Second 9.9B Total Blocks Per Month 1.5M Malware Samples Per Day 1.8B Spyware Blocks Per Month 8.2B Web Filtering Blocks Per Month 991MWeb + Malware Threats 19.7BThreats Per Day 1B Sender Base Reputation Queries Per Day
- 16. Shared intelligence Shared contextual awareness Consistent policy enforcement Cisco Firepowerâą Management Center Functional Integration: Firepower Threat Defense Talos Firepower 4100 Series Firepower 9300 Platform Visibility Radware DDoS Network analysis Email Threats Identity and NAC DNS FirewallURL
- 17. Application Control WAN Optimization, Traffic Shaping, Content Filtering Security NG Firewall, Client VPN, Site to Site VPN, IDS/IPS Networking NAT/DHCP, 3G/4G Cellular, Static Routing, Link Balancing Functional Integration: Meraki
- 18. Network ISR/ASR Advanced Malware Umbrella Web W W W ISE Email NGFW/ NGIPS Threat Grid Stealthwatch Event Threat Intel Policy Context Meraki Cloudlock Solution Integration: Cisco Portfolio
- 19. AMP Threat Intelligence Cloud Windows OS Android Mobile Virtual MAC OS CentOS, Red Hat Linux for servers and datacenters AMP on Web and Email Security Appliances AMP on ASA with Firepowerâą Services AMP Private Cloud Virtual Appliance AMP on Firepower NGIPS Appliance AMP on Cloud Web Security and Hosted Email CWS/ CTA Threat Grid Malware Analysis + Threat Intelligence AMP on ISR with Firepower Services AMP for Endpoints AMP for Endpoints Remote Endpoints AMP for Endpoints can be launched from Cisco AnyConnectÂź AMP on MerakiÂź MX Solution Integration: Advanced Malware Protection
- 20. Cisco WSA (Web Security Appliance) External Telemetry (BlueCoat Sec. GW) Cisco CWS (Cloud Web Security) Cisco Cognitive Threat Analytics (CTA) Confirmed Threats Detected Threats Incident Response Threat Alerts HQ STIX / TAXII API CTACTACTA HQ Web Security Gateways Cloud Web Security Gateways Web Access Logs Breach Detection & Advanced Threat Visibility Solution Integration: Web and Endpoint
- 21. Stealthwatch Campus/DC Switches/WLC Cisco Routers / 3rd Vendor Devices Network Sensors Network Enforcers Policy & Context Sharing NGIPS ISE/ TrustSec NGFW Solution Integration: Network Security
- 22. Firepower Device Manager Easy management of common security and policy tasks Comprehensive security administration and automation of multiple appliances Firepower Management Center Cisco Defense Orchestrator Centralized cloud-based policy management of multiple deployments On-box Centralized Cloud-based Management Integration: Security Architecture
- 23. Single interface to manage policy for: âą ASA/ ASAv âą ASA with Firepowerâą Services âą Cisco Firepowerâą NGFW âą CiscoÂź Web Security Appliance âą Cisco Umbrella Management Integration: Cisco Defense Orchestrator
- 24. Prove it.
- 25. Solution Integration: Rapid Threat Containment Automatically Defend Against Threats with Firepower and ISE FMC aggregates and correlates sensor data FMC alerts ISE. ISE then changes the userâs/deviceâs access policy to suspicious Corporate user downloads file, not knowing itâs actually malicious Based on the new policy, network enforcers automatically restrict access Device is quarantined for remediation or mitigation
- 26. Endpoint User Opened an email Downloading malware Which stole data Integration in Action: The Attack That visited a website Through the firewall
- 27. AMP for Endpoints And shares the event information Firepower Management Console Analyzes the file with Threat Grid Blocking the malware retrospectively Protecting the data center Email Security Web Security Integration in Action: Sharing Events Alerts are Snared Between Products Providing Visibility
- 28. Integration in Action: Sharing Events Alerts are Snared Between Products Providing Visibility
- 29. Threat Grid Firepower Management Console Data Center Email Security Web Security Shares a policy update with the Identity Services Engine Quarantining the user automatically Integration in Action: Sharing Policy Automatic Response to Threats
- 30. Integration in Action: Sharing Policy Automatic Response to Threats
- 31. Firepower Management Console Threat Grid Data Center Email Security Web Security Identity Services Engine AMP for Endpoints Cloud Security Integration in Action: Threat Intelligence Detect Once, Protect Everywhere
- 32. Firepower Management Console Threat Grid Data Center Email Security Web Security Identity Services Engine AMP for Endpoints Cloud Security Integration in Action: Threat Intelligence Profiling what users and devices are really on the network
- 33. Integration in Action: Sharing Context Profiling What Users and Devices are Really on the Network
- 35. Integration with 3rd Party Products
- 36. 100 percent focused Cisco Security initiatives Real integration benefit across portfolio Coordinate support with key partners Host community supported code Identify candidates for deeper integration Cisco Solution Partner Program (SPP) DevNet Cisco Security Technical Alliance Program Firepower ISE Threat Grid FP9300 Content ASA AnyConnect OpenDNS pxGrid Stealthwatch Fore more information go to http://www.cisco.com/go/csta 3rd Party Integration: CSTA Cisco Security Technical Alliance
- 37. âą eStreamer API âą Send Firepower event data to SIEMs âą Host Input API âą Collect vulnerability and other other host info âą Remediation API âą Programmatic response to third parties from FireSIGHT âą JDBC Database Access API âą Supports queries from other applications âą Read/Write API for Firepower âą Supports FW and Risk Management technologies âą Threat Intelligence Director âą Collect, correlate, take action on third party Threat Intelligence âą Management API for ASA âą Third party management of ASA, policy auditing âą pxGrid âą Bi-directional context sharing framework for ISE, ecosystem partners âą MDM API âą Enables 3rd party MDM partners to make mobile device posture part of ISE access policy âą External Restful Services (ERS) âą Adds 3rd party asset data to ISE inventory database âą AMP Cloud-based API âą Externalize event data for all 3rd party apps âą Ingest threat data from third parties âą Threat Grid API âą Hand off suspicious files for analysis âą Queries entire dataset for correlation or historical/geographic significance âą Automate submission of files for analysis âą Create custom or batch threat feeds âą FirePOWER 9300 (SSP) REST API âą Cisco and third party applications in service chain configuration âą AnyConnect Network Visibility Module Collection âą AnyConnect provides IPFIX data âą AnyConnect EDM/MDM âą VPN Services âą OpenDNS Investigate âą Query OpenDNS for threat intelligence âą OpenDNS Umbrella âą Add addresses to customer specific enforcement âą CloudLock Enterprise API âą Reporting/Management âą CloudLock Development APIs âą Access micro-services âą Other Integration Points âą ESA, WSA 3rd Party Integration: Open Standard APIâs
- 38. EDM/MDM Endpoint and Custom Detection Forensics and IR Other SIEM & Analytics NPM/APM and Visualization IAM/SSO Threat IntelligenceCASB UEBA Firewall and Policy Management Deception Orchestration Vulnerability Management 3rd Party Integration: Ecosystem Partners
- 39. Services Brings it All Together
- 40. Advisory âą Custom Threat Intelligence âą Cybersecurity Assessments Integration âą Integration Services âą Security Optimization Services Managed âą Managed Threat Defense âą Remote Managed Services Cisco Security Services
- 41. Effective Security Needs to be Simple Security built into the network and designed to work together 1 2 3 Open Integrate across the Cisco portfolio and 3rd party products Automated Instantaneous remediation reduce time to detection save time and money
- 42. VS. *Source Cisco Midyear Security Report, 2016 Industry Days 100 Cisco Hours ~13 Integrate Automate: Reduce Time to Detection
- 43. simple open automated Effective Security