Cisco Connect 2018 Thailand - Security automation and programmability mr. khoo boo leng_cisco
Automation & Programmability Network Security
Khoo Boo Leng (khoo@cisco.com)
Technical Solution Architect APJ GSP Architecture
Digitization Is Disrupting The SP business
• The world has gone mobile
• Traffic growth, driven by video
• Rise of cloud computing
• Machine-to-Machine
• Changing customer expectations
• Ubiquitous access to apps & services
• 10X mobile traffic growth from 2013-2019
• Changing enterprise business models
• Efficiency & capacity
• Soon to change SP architectures / service delivery
• Emergence of the Internet of Everything: people, process, data, things
[Chart: traffic in petabytes per month, 2013-2018; Internet Video (57%, 75%) vs. Other (43%, 25%); 23% global CAGR 2013-2018]
Dynamic Threat Landscape
• Increasing threat sophistication
• Risks to service providers and their customers
In Spite of Layers of Defense
• Malware is getting through control-based defenses: malware prevention is NOT 100%
• Breach: existing tools are labor intensive and require expertise
• Each stage represents a separate process silo attackers use to their advantage.
Attack Continuum
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
SP’s Are Approaching NFVi & Automation in Multiple Ways
Different solutions required to address different “Buying Centers”
Infrastructure Led (hardware, VIM (OpenStack) and SDN controller)
• Bottom-up approach
• Buying Center – Network & DC infrastructure team
• Emerging trend, needs packaging
Orchestration Led (includes VNF-M and NFV Orchestrator)
• Common MANO solution for different use cases
• Buying Center – NMS/OSS team
• Modular offer with NSO, ESC, CTCM
Use Case Led (use case specific, e.g. vMS, VPC)
• Top-down approach
• Business outcome driven
• Buying Center – BU/Biz Vertical
• We are leading with vMS & Mobility
Infrastructure led approach aka NFVI is gaining prominence!
Automation & Programmability Security Exploit
• AutoSploit automates the exploitation of remote hosts
• Targets are collected automatically as well by employing the Shodan.io API
• Metasploit modules will run programmatically, comparing the name of the module to the initial search query
It’s all about context
Event:
  Event: Attempted Privilege Gain
  Target: 96.16.242.135
Event + network context:
  Event: Attempted Privilege Gain
  Target: 96.16.242.135 (vulnerable)
  Host OS: iPhone
  Apps: Mail, Browser, Twitter
  Location: Whitehouse, US
Event + network & user context:
  Event: Attempted Privilege Gain
  Target: 96.16.242.135 (vulnerable)
  Host OS: iPhone
  Apps: Mail, Browser, Twitter
  Location: Whitehouse, US
  User ID: dtrump
  Full Name: Donald Trump
  Department: Executive Office
Context has the capability of fundamentally changing the interpretation of your event data.
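To make the three context levels above concrete, here is an added illustration (not from the deck) that enriches a bare sensor event with network and then user context and derives a different priority and response at each level; the sample event, host inventory, identity directory and scoring rules are constructed assumptions.

```python
"""Context enrichment for a sensor event.  Added example, not from the deck:
the event, inventory, directory and scoring rules below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: what the sensor alone reports ("Event" level).
RAW_EVENT = {"event": "Attempted Privilege Gain", "target": "192.0.2.10"}

# Constructed sample of network context (vulnerability scan + host inventory).
NETWORK_CONTEXT = {
    "192.0.2.10": {"vulnerable": True, "host_os": "iPhone",
                   "apps": ["Mail", "Browser", "Twitter"],
                   "location": "Head office, US"},
}

# Constructed sample of user context (identity source such as ISE or AD).
USER_CONTEXT = {
    "192.0.2.10": {"user_id": "jdoe", "full_name": "Jane Doe",
                   "department": "Executive Office"},
}

# Assumed scoring rule: departments whose compromise is treated as critical.
HIGH_VALUE_DEPARTMENTS = {"Executive Office", "Finance"}


@dataclass
class EnrichedEvent:
    event: str
    target: str
    network: Optional[Dict] = None   # None when no network context is known
    user: Optional[Dict] = None      # None when no user context is known

    def priority(self) -> str:
        """Rank the same event differently depending on the attached context."""
        if self.network is None or not self.network.get("vulnerable"):
            # Bare event, or target not known to be vulnerable: the attempt
            # probably failed, so it is noise until proven otherwise.
            return "low"
        if self.user is None:
            return "medium"          # vulnerable host, owner unknown
        if self.user.get("department") in HIGH_VALUE_DEPARTMENTS:
            return "critical"        # vulnerable host of a high-value user
        return "high"

    def recommended_action(self) -> str:
        """Map priority to a response; the top tier is the CoA quarantine the deck describes."""
        return {"low": "log", "medium": "investigate", "high": "alert-analyst",
                "critical": "quarantine-endpoint"}[self.priority()]

    def describe(self) -> str:
        """Render the event the way the slide shows it, with whatever context exists."""
        vuln = " (vulnerable)" if self.network and self.network.get("vulnerable") else ""
        lines = [f"Event: {self.event}", f"Target: {self.target}{vuln}"]
        if self.network:
            lines += [f"Host OS: {self.network.get('host_os')}",
                      f"Apps: {', '.join(self.network.get('apps', []))}",
                      f"Location: {self.network.get('location')}"]
        if self.user:
            lines += [f"User ID: {self.user.get('user_id')}",
                      f"Full Name: {self.user.get('full_name')}",
                      f"Department: {self.user.get('department')}"]
        lines.append(f"Priority: {self.priority()} -> {self.recommended_action()}")
        return "\n".join(lines)


def enrich(raw: Dict, network_ctx: Dict, user_ctx: Dict) -> EnrichedEvent:
    """Join the raw event with context sources keyed by target address."""
    target = raw["target"]
    return EnrichedEvent(event=raw["event"], target=target,
                         network=network_ctx.get(target), user=user_ctx.get(target))


if __name__ == "__main__":
    # Same event, three context levels, three different interpretations.
    for net, usr in [({}, {}), (NETWORK_CONTEXT, {}), (NETWORK_CONTEXT, USER_CONTEXT)]:
        print(enrich(RAW_EVENT, net, usr).describe(), end="\n\n")
```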
Key Security Focus
• Visibility – “See Everything”: complete visibility of users, devices, networks, applications, workloads and processes
• Threat protection – “Stop the Breach”: quickly detect, block, and respond to attacks before hackers can steal data or disrupt operations
• Segmentation – “Reduce the Attack Surface”: prevent attackers from moving laterally east-west with application whitelisting and micro-segmentation
Network as a Sensor
Gain Visibility, Intelligence, and Automation
Leverage information from other solutions to gain complete network visibility and security analytics
• Host: everything must touch the network; know every host
• Access Audit: record every conversation
• Posture: understand what’s normal
• Detect: get alerted to change
Visibility and Analytics
• Provides unique visibility into what’s happening across your entire network
• Detects anomalies and threats faster with real-time analysis and advanced forensics capabilities
• Generates notifications automatically when anomalies are detected on the network
Network as an Enforcer
Consistently Apply Policy, Control Access to Resources, & Block Attacks
• Consistently delivers security policy across branch, campus, data center, and cloud
• Simplifies network segmentation with a software-defined approach
• Shrinks the attack surface by preventing lateral movement of potential threats
TrustSec: Segmentation Policy Enforced Across the Extended Network (switch, router, VPN and firewall, DC switch, wireless controller)
Control access to network segments and resources according to your security policy by working with ISE
The Need For Integrated Threat Defense
• Integrated Management
• Global & Local Threat Intelligence: raw data, threat research, analytics
• Network Platforms, Cloud Platform, Endpoint Platform
• Services: DDoS | WAF | LB/ADC | Anti-Virus | SaaS Visibility | DLP | FPC | FW/NGFW | NGIPS | Web | Email | Adv. Malware | Access
Shrink the Time to Detect and Contain
Shared Visibility and Context, Analytics, and Automation: telemetry and intelligence shared across the services layer, analytics layer and enforcement layer
• Behavioral Threat Analytics
• Network Behavioral Analytics
• Network Enforcement & Malware Detection
• Malware Sandboxing (Adv. Threat Protection)
Integration Through Context Sharing (Network as an Enforcer)
1. Get information: solutions such as Vulnerability Assessment, Firepower, Stealthwatch detect malicious activity (sources include SIEM, Firepower Firewall, Custom Detection, Stealthwatch, Threat/Security Intelligence)
2. ISE through pxGrid receives information on the threat
3. CoA triggered: Change of Authorization for the machine causing the issue
4. User isolated on the network (switch, router, DC FW, DC switch, wireless)
Automatic or initiated by IT admin; ~5 seconds
Securing Automation & Programmability Network
Multiple layers of security to protect NFVi & SDN:
1. Securing Controller
2. Securing Infrastructure
3. Securing Network Services
4. Securing Application
5. Securing Management & Orchestration
6. Securing API
7. Securing Communication
8. Security Technologies
Securing Infrastructure
▪ Secure Operation
• Keep device OS up to date
• Monitor PSIRT and perform bug scrub
• Centralize log collection and monitoring
• Configuration management
▪ Management Plane
• Use secure protocols to manage infrastructure: SSH, SCP, HTTPS, SNMPv3, with ACLs to restrict access
• Control management and monitor sessions with AAA
• Use encrypted local passwords
• Protect Console, AUX and VTY
• Disable unused services; no initial configuration via TFTP
▪ Control Plane
• Protect control plane: CoPP, routing protocol security, FHRP security
• ICMP redirects, ICMP unreachables, proxy ARP
• Securing routing protocols: peer authentication, route filtering, managing resource consumption
▪ Data Plane
• Protect data plane: DAI, IP Source Guard, Port Security, unicast RPF etc.
• Infrastructure ACLs and anti-spoofing ACLs for hardening of devices
• Disable IP source routing
• Private VLAN
Securing Application, Services & Software Development Life Cycle
▪ Application Security
• Digital signing of code
• Certification process
• Resource allocation
• Code isolation
• Strong typing
• AAA (PKI)
▪ Underlying Platform Security
• Keep system updated; apply patches & fixes
• Strong passwords
• Disable unnecessary protocols, services and ports
• Authentication, Authorization and Accounting, with RBAC
• Enable host-based firewall; allow only required ports
▪ Secure Development Lifecycle
• Threat modeling
• Understanding and prioritizing risk
• Threat, mitigation, test
▪ Secure Design Principles
• Principle of Least Privilege
• Fail Safely
• Economy of Mechanism
• Avoid (in)Security by Obscurity
• Psychological Acceptability
• Defense in Depth
• Perform static code analysis: buffer overflow, resource leaks, null pointer dereference
• Follow secure coding guidelines
Cisco Secure Development Lifecycle (CSDL)
Securing Orchestration / Automation / Provisioning / API & Communications
• Orchestration and automation servers should reside on a secure management network, protected by a firewall.
• Use Authentication, Authorization and Accounting; assign Role Based Access Control with least privilege
• Ensure hardening of the underlying platform: disable unused services, configure a host-based firewall and allow only required ports, use logging and monitoring, use NTP
• Enforce strong passwords
• Use secure communication protocols between portal, orchestrator and element managers
• Ensure configuration and change management is in place.
• Consider a High Availability solution
• Use authentication and authorization
• Use encryption: Transport Layer Security, SSL, SSH, HTTPS
• Revocation of access and authorization using OCSP
• Proactively using policy, or reactively as a mitigation option to an attack
• Logging of authentication and authorization
• Manageability / Scalability
Transport
• Attack: URL/message body modification; learn confidential information
• Mitigation: use secure transport (https); education
Infrastructure
• Attack: Denial of Service – too many messages, too many connections, very large payloads, crafted inputs that can cause system crashes
• Mitigation: rate limiting; threat analysis of your infrastructure; input validations
Authorization and Authentication
• Attacks: brute force, phishing, privilege escalation
• Mitigation: strong authentication, RBA, least privilege principle
• Attack: info leakage via payload or error messages
• Mitigation: review outbound data (error messages, payload)
Input Validation
• Attack: SQL injections, XSS, buffer overflow attacks
• Mitigation: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
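As an added illustration of the Infrastructure, Authorization/Authentication and Input Validation mitigations above (rate limiting, connection and payload caps, allow-list validation, and reviewing outbound error messages), not part of the original deck: a request gate in front of a hypothetical orchestrator REST endpoint. The /tenants endpoint, its fields, the limits and the fault-injection trigger are assumptions.

```python
"""Request gate for an orchestration REST endpoint.  Added example, not from the
deck; the /tenants endpoint, its fields, limits and backend are assumptions."""
import json
import re
import time
import uuid
from collections import defaultdict

MAX_BODY_BYTES = 4096          # reject very large payloads before parsing
RATE_LIMIT_PER_MIN = 60        # per-client token bucket for "too many messages"
MAX_CONNS_PER_CLIENT = 5       # cap on concurrent connections per client
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # allow-list, not a deny-list
LOG = []                       # stands in for the server-side log sink


class TokenBucket:
    """Classic token bucket; `clock` is injectable so behaviour is testable."""

    def __init__(self, rate_per_min, clock=time.monotonic):
        self.rate = rate_per_min / 60.0
        self.capacity = float(rate_per_min)
        self.tokens = self.capacity
        self.clock = clock
        self.last = clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def validate_create_tenant(doc):
    """Return field-level problems; an empty list means the document is valid."""
    if not isinstance(doc, dict):
        return ["body must be a JSON object"]
    errors = []
    name = doc.get("name")
    if not isinstance(name, str) or not NAME_RE.match(name):
        errors.append("name: 1-64 chars from [A-Za-z0-9_-]")
    vlan = doc.get("vlan")
    if not isinstance(vlan, int) or isinstance(vlan, bool) or not 1 <= vlan <= 4094:
        errors.append("vlan: integer in 1..4094")
    unknown = set(doc) - {"name", "vlan"}
    if unknown:
        errors.append("unknown fields: " + ", ".join(sorted(unknown)))
    return errors


def create_tenant(doc):
    """Stand-in backend.  The constructed name 'fault-injection' simulates an
    internal failure whose message names an internal host (must not leak)."""
    if doc["name"] == "fault-injection":
        raise RuntimeError("db connection to 10.0.0.5:5432 refused")
    return {"id": "tenant-" + doc["name"], "vlan": doc["vlan"]}


class ApiGate:
    def __init__(self, clock=time.monotonic):
        self.buckets = defaultdict(lambda: TokenBucket(RATE_LIMIT_PER_MIN, clock))
        self.open_conns = defaultdict(int)

    def connection_opened(self, client_ip):
        """Return False (refuse the socket) once the client's connection cap is hit."""
        if self.open_conns[client_ip] >= MAX_CONNS_PER_CLIENT:
            return False
        self.open_conns[client_ip] += 1
        return True

    def connection_closed(self, client_ip):
        self.open_conns[client_ip] = max(0, self.open_conns[client_ip] - 1)

    def handle_post_tenants(self, client_ip, body):
        """Return (status, response).  Checks run cheapest-first so an abusive
        client is rejected before any parsing or backend work happens."""
        if not self.buckets[client_ip].allow():
            return 429, {"error": "rate limit exceeded"}
        if len(body) > MAX_BODY_BYTES:
            return 413, {"error": "payload too large"}
        try:
            doc = json.loads(body)
        except ValueError:              # covers JSONDecodeError and bad UTF-8
            return 400, {"error": "malformed JSON"}
        errors = validate_create_tenant(doc)
        if errors:
            return 400, {"error": "invalid request", "fields": errors}
        try:
            return 201, create_tenant(doc)
        except Exception as exc:        # deliberate catch-all at the trust boundary
            ref = uuid.uuid4().hex[:8]
            LOG.append(f"ref={ref} client={client_ip} {type(exc).__name__}: {exc}")
            # Client gets an opaque reference only; internal detail stays in the log.
            return 500, {"error": "internal error", "ref": ref}


if __name__ == "__main__":
    gate = ApiGate()
    print(gate.handle_post_tenants("198.51.100.7", b'{"name": "acme", "vlan": 100}'))
    print(gate.handle_post_tenants("198.51.100.7", b'{"name": "acme; DROP TABLE", "vlan": 100}'))
    print(gate.handle_post_tenants("198.51.100.7", b'{"name": "fault-injection", "vlan": 100}'))
    print(LOG)
```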
FMC correlation-driven quarantine via pxGrid (components: MnT, FMC, Controller, WWW, NGFW, i-Net, servers or end user)
1. Security events / IOCs reported
2. Correlation rules trigger remediation action
3. pxGrid EPS action: Quarantine + Re-Auth
4. Endpoint assigned Quarantine + CoA-Reauth sent
Stealthwatch (SW) flow-analytics-driven quarantine via pxGrid (components: FMC, Controller, WWW, NGFW, i-Net, Flow Collector, servers or end user)
1. SW is analyzing flows from Flow Collector
2. SW is also merging identity data from ISE
3. Admin is alerted of suspicious behavior
4. Admin initiates endpoint quarantine (EPS over pxGrid)
5. Endpoint assigned Quarantine + CoA-Reauth sent
New traffic rules apply to the new state of the endpoint:
6a. Could deny access (ingress)
6b. Could filter it within network (egress)
Threat Intelligence Integration (components: MnT, FMC, Controller, WWW, NGFW, i-Net, servers or end user)
1. Threat / IOCs reported
2. Correlation rules trigger remediation action
3. pxGrid EPS action: Quarantine + Re-Auth
4. Endpoint assigned Quarantine + CoA-Reauth sent
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Summary: Advanced Intelligence & Integrated Defense
• Shared intelligence
• Shared contextual awareness
• Consistent policy enforcement
Firepower Management Center, Talos, Firepower 4100 Series, Firepower 9300 Platform
Integrations: Visibility, Radware DDoS, Network analysis, Email Threats, Identity & NAC, DNS, Firewall, URL
Validated By EANTC/Light Reading
Enterprise, Endpoints & Sensors; Access; Transport – Core & SP DC/Cloud; Leased BH or Internet; Management and Orchestration
1. Security effectiveness
2. Chaining and stitching
3. Orchestrating in SDN and NFV
4. Multi-tenant
5. Performance, scalability, and resiliency
http://www.lightreading.com/nfv/nfv-tests-and-trials/testing-ciscos-virtualized-security-products/v/d-id/721575?