© 2020 Cisco and/or its affiliates. All rights reserved.
Cisco Integrated Security Solutions: What's new (part II)
Dragan Novaković, [email protected], 2020.
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco
Agenda
1. Cisco ISE
2. Email & Web Security
3. Cisco Umbrella
4. Cisco AMP
Segmentation, Policy & Access: Cisco ISE
Rapid Threat Containment | Compliance | Segmentation | Secure Access | Endpoint Visibility
ISE is at the heart of Cisco's Zero Trust Solution
3.0
Moving from excessive trust to "Zero Trust": a comprehensive approach to securing all access across your networks, applications, and environment.
• Workforce: ensure only the right users and secure devices can access applications.
• Workloads: secure all connections within your apps, across multi-cloud.
• Workplace: secure all user and device connections across your network, including IoT.
Cisco Zero Trust
• Secure the Workforce with Duo: user-bound device access
• Secure your Workloads with Tetration: workload access (servers, apps, databases, SaaS, data center), application access
• Secure the Workplace with SD-Access: network access (users & devices, IoT devices, wireless, network traffic, corporate network, WAN routing)
+ All Corp IT
Next phase of Endpoint Visibility
Endpoint Visibility | Secure Access | Compliance | RTC | Segmentation
Next generation endpoint visibility with AI-driven analytics and network-driven deep packet inspection
Introducing Next Generation Profiling
Components (diagram): ML Analytics, Endpoint Profiling, Data Aggregation; sources: 3rd Party Visibility Tool, CMDB Connector, DPI-based Fingerprint/Behavior, Network Telemetry, Probes; Easy Onboarding Tools; Continuous Analytics
• High Fidelity Visibility: crowd-sourced, ML-driven analytics to automate clustering continuously
• Rapidly reduce unknowns by aggregating various sources of device fingerprints
• Intelligence in the Edge: hardware-embedded DPI to find fingerprints from application payload
What is Multi Factor Classification?
DNA classifies endpoints using four independent label categories for more flexible profiling:

Device Type | Hardware Model | Hardware Manufacturer | Operating System
Laptop | MacBook Pro | Apple | macOS 10.14.6
CT Scanner | Optima CT540 | GE | Windows 8
Smartphone | Galaxy S8 | Samsung | Android 9.0
Faster Adoption: Brownfield/Multi-Vendor Visibility with Telemetry Sensor
Diagram: mirrored (SPAN'ed) traffic from the brownfield network -> Telemetry Sensor -> DNA Center (Endpoint Visibility, Posture & Vulnerability Assessment, Anomaly Detection, Ecosystem Integration)
• Lower barrier for customers to experience their endpoint visibility.
• Create a sales motion for customers to replace their legacy switches with Catalyst 9000.
ISE 2.7 Features
New features and quality improvements on ISE
• Reliable profiling: profiling ownership | stable static classification
• WAN Survivability: lightweight session DB on PSNs
• Newer appliances: faster MnT performance
• Suggested release: ISE 2.6 as suggested release
Onboarding: User Private Network (UPN); Simplified Guest Experience
Visibility & Context: Manufacturer Usage Description; Unique Device Identifier; UI: Guided Walkthroughs
Platform: 2 million concurrent endpoints; large VMs and SNS3600 appliances; Secure SMTP
Threat Containment: Posture: Grace Period; Incident Response via IBM Q-Radar; Posture: Custom messages
Ecosystem Integrations: REST support for external Admins; Multiple DNAC-ISE integration*; User and Device context in Tetration
ISE 2.6 and 2.7 Features
Improved scale and performance (2.6)
Deployment models: Lab and Evaluation; Small HA Deployment, 2 x (PAN+MNT+PSN), 1:1 redundancy; Small Multi-node Deployment, 2 x (PAN+MNT), <= 5 PSN; Large Deployment, 2 PAN, 2 MNT, <= 50 PSN
SNS 3500: 100 endpoints | 20,000 endpoints | 500,000 endpoints
SNS 3600: 100 endpoints | 50,000 endpoints | 2 million endpoints
§ Applies to both physical and virtual deployment
§ Compatible with load balancers
Guided walkthrough for ease of administration (2.7)
Problem: Certain ISE configurations are too complex, and administrators need document references to make the desired changes to the system.
Solution: ISE 2.7 will have guided walkthroughs to assist in configuring specific use cases.
Caveats / Prerequisites: None
User Private Network: Solving Multi-Dwelling-Unit Networking Challenges (2.7)
Problem: In an MDU, on a shared network, end users are unable to use their consumer devices like they do at home:
• All users on the same network
• Everyone sees every other device
• No device ownership concept
• Device discovery & usage hampered
Solution: Registration of devices to claim ownership and creating "nano" segmentation per user. Allows for movement across UPNs initiated by end users.
Caveats / Prerequisites: ISE 2.7, Cat9800 (IOS-XE 17.1), DNAC, Cisco hosted Cloud Service, Mobile App
Simplified Guest User Experience (2.7)
Problem: After self-registration, guest users need to wait for sponsor approval and for credentials to be shared before gaining network access.
Solution: The Guest Auto Login feature in ISE 2.7 provides the ability for guests to log in automatically without credentials after sponsor approval.
Caveats / Prerequisites: None
Auto-login on sponsor approval | Phone number as username
Flow: request sponsor to approve -> sponsor approves guest account -> guest authorized for access
Secure SMTP (2.7)
Problem: Enterprises cannot use insecure protocols and thereby need support for Secure SMTP in ISE.
Solution: ISE 2.7 will support the use of TLS/SSL encryption for Secure SMTP. Both passwords and certificates will be supported for authentication.
Caveats / Prerequisites: None
Higher scale, better performance and reliable services: Lightweight Session Directory (LSD) on PSNs (2.6)
Problem: Frequent access to session data from the MnT node causes various performance issues, such as delays in CoA, MnT overload and limited scale.
Solution: Starting with ISE 2.6, PSNs have an LSD (Redis DB); with it the nodes look up sessions locally and replicate them to other nodes directly, without choking the MnT node.
Caveats / Prerequisites: The LSD feature stores only the session attributes required for CoA.
Without LSD: PSNs perform every session lookup against PAN/MnT.
With LSD (RabbitMQ): PSNs perform session lookup locally and send session updates to PAN/MnT. In case the session is not found in the local LSD, the PSN requests it from the MnT node.
Cisco Email Security
Talos Team
Attackers rely primarily on email to distribute spam, malware, and other threats. To prevent breaches, you need a powerful email security solution.
Email Security Development Priorities
Efficacy:
• Improved phishing detection with cloud-based URL analysis
• Faster lookup times via new cloud architecture
• New scanning engines for emerging threats
Integration:
• 3rd phase of integration with Cisco Threat Response
• Advanced Phishing Sensor on CES/ESA
• Publishing of a public API for configuration
User Experience:
• New user interface for Cloud Email Security
• New interface for Registered Envelope Service
• Domain Protection and Advanced Phishing reports
Office 365:
• East / West email visibility
• Reading of reporting and mailbox data from Exchange
• Native integration with Exchange folders (Junk, Quarantine, etc.)
• On-demand retraction of emails
Email Security Releases in 2019-2020
Timeline: v12.0 (January 2019), v12.5 (June 2019), v13.0 (September 2019), v13.5 (February 2020)
Themes: Thought Leadership | Threat Efficacy | Infrastructure Expansion | Cisco on Cisco Integration | Platform Enhancements
• External Threat Feeds support using the STIX over TAXII standard
• Sender Domain Reputation (SDR): domain reputation, age-based filtering
• Japan, Australia CES DC launch
• GDPR compliance for CES
• Cisco Threat Response integration
• Threat Grid cluster support
• DANE support: meet EU standards
• Smart Licensing: simplified licensing
• How-Tos, new UI, SMA APIs
• Enhanced IMS engine: revamped Intelligent Multi-scan engine to better detect spam and phishing
• New EU data center: Germany DC in preparation for Brexit
• Cisco Threat Response: support for multiple regions (US, EU)
• CRES Easy Open: pull-based encryption
• X95 platform support: new and better performing platform
• Auto Remediation for Exchange 2016+
• SafePrint: file disarm and reconstruction
• Efficacy improvements: enhanced anti-spam with additional profiles and improved outbreak filters for better phishing detection
• Mailbox On-Demand Retraction: for on-prem, cloud and hybrid O365, MS Exchange
• Phishing improvements: detection of credential phishing, malware download, browser attack links
• Site-to-site VPN for APJC customers
• Load balancers for US CES data centers
• Cisco Threat Response: casebook, pivot menu support
• CEF logs and AWS S3 bucket upload
• SSO access to email gateways via SAML
• New UI for Email Gateway for RTQ
• Integration of Advanced Phishing Protection sensor, Domain Protection "My Domains" report
• New multi-tenant dashboard in CES
• Load balancers for EU, APJC data centers
• Scalable SMA: to handle more gateways
• CRES: custom-branded CRES UI
New! x95 Hardware Refresh for ESA/WSA/SMA: Data Sheets, Product Overview with Migration Guide
Version 13.0 Summary
ESA 13.0 Enhancements
• Enhancements to Mailbox Auto Remediation
• Exchange Hybrid support
• Exchange 2013, 2016 support
• O365 Multi-tenant support
• Cisco Threat Response – pivot menu, casebook
• Single Log Line (CEF)
• SAML for administrative authentication
• FIPS/CC Certification
• Phishing enhancements - phase 1
• x95 platform support
• Reporting / Tracking / Quarantine UI on ESA w/APIs
SMA 13.0 Enhancements
• SMA UX – phase 3
• Configuration of Quarantines
• Scheduled Reporting
• PDF of reports in new UI format
Mailbox Auto Remediation Enhancements
Diagram: Cisco Email Security, as an appliance (HW/VM) or in the Cloud, reaches Office 365 (main tenant) and Office 365 (secondary tenant) through the Graph API, and MS Exchange 2016, 2019 through the EWS API.
• Graph API supports Exchange 2013/2016 Hybrid Deployments
• EWS API supports Exchange 2013/2016 Standalone Deployments
• Multiple tenants can use a single MAR action with Chained Profiles
CEF Formatted Logs
• CEF provides a standardized log format so that SIEM vendors can easily ingest logs
• All data / verdicts / actions on the email are logged into a single entry after the final action on the email is taken
• CEF reduces disk consumption in SIEM applications and allows faster indexing
• S3 buckets will be supported for log transfers
CEF Formatted Logs
Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
CEF:0|Cisco|ESA|11.1|SERIAL|0|IP|HostName|SenderGroup|ICID|MFP|Action|MID|[email protected]|[email protected] |Make Christmas Magical again!|Policy|IPAS|AV|AMP|GRM|CF|OF|Drop
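The base CEF header above, followed by the key=value extension after the seventh pipe, can be parsed as shown here. This is an added example, not Cisco's code or real ESA output: the sample lines, the signature ID and the extension values are constructed (dvchost, act, suser, duser, msg and cs1/cs1Label are standard CEF dictionary keys), and the second line exercises the header and extension escape rules.

```python
# Added example (not Cisco's code): parser for the CEF header + extension format,
# applied to constructed sample lines shaped like the ESA single-line event.
import re

HEADER_FIELDS = (
    "version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)


def _split_header(text: str) -> tuple[list[str], str]:
    """Split the seven pipe-delimited header fields; return (fields, extension).

    In the header, '|' and '\\' are escaped as '\\|' and '\\\\'.
    """
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < len(HEADER_FIELDS):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            cur.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) == len(HEADER_FIELDS) - 1 and cur:
        fields.append("".join(cur))  # severity was last, no extension followed
        return fields, ""
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("CEF header must have seven pipe-delimited fields")
    return fields, text[i:]


# In the extension, '=' and '\\' are escaped as '\\=' and '\\\\'; newlines as '\\n' / '\\r'.
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape_ext(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in _EXT_ESCAPES:
            out.append(_EXT_ESCAPES[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse_extension(ext: str) -> dict[str, str]:
    """Split 'key=value key=value' where values may contain spaces.

    CEF does not quote values, so each value ends where the next 'key=' token
    starts; this look-ahead is the heuristic SIEM parsers rely on.
    """
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> dict:
    """Parse one CEF line into a dict of header fields plus an 'extension' dict."""
    fields, ext = _split_header(line.strip())
    if not fields[0].startswith("CEF:"):
        raise ValueError("line does not start with 'CEF:'")
    rec = dict(zip(HEADER_FIELDS, fields))
    rec["version"] = int(fields[0][len("CEF:"):])
    sev = rec["severity"]
    rec["severity"] = int(sev) if sev.isdigit() else sev  # 0-10 or Low/Medium/High/Very-High
    rec["extension"] = _parse_extension(ext)
    return rec


def count_actions(lines) -> dict[str, int]:
    """Tally the final action (CEF 'act' key) over a batch of single-line events."""
    counts: dict[str, int] = {}
    for line in lines:
        act = parse_cef(line)["extension"].get("act", "unknown")
        counts[act] = counts.get(act, 0) + 1
    return counts


# Constructed sample lines (not real ESA output); the subject is the one on the slide.
SAMPLE_LINES = [
    "CEF:0|Cisco|ESA|11.1|SAMPLE_MAIL_EVENT|Consolidated Mail Event|6|"
    "dvchost=esa01.example.com act=Drop suser=sender@example.com duser=user@example.net "
    "msg=Make Christmas Magical again! cs1Label=SenderGroup cs1=SUSPECTLIST",
    "CEF:0|Cisco|ESA|11.1|SAMPLE_MAIL_EVENT|Policy \\| Deliver|3|"
    "dvchost=esa01.example.com act=Deliver suser=a@example.com duser=b@example.net "
    "msg=Quarterly report x\\=y cs1Label=SenderGroup cs1=RELAYLIST",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        rec = parse_cef(sample)
        print(rec["name"], rec["severity"], rec["extension"]["act"], rec["extension"]["msg"])
    print(count_actions(SAMPLE_LINES))
```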
Cisco Threat Response – Phase 2
New Reporting, Tracking and Quarantine
Pivoting from ESA/SMA to CTR
More context on specific observables
SAML for Administrative Authentication
• SSO authentication
• Map roles to groups
• SAML verified against ADFS, Azure AD and Duo
• ESA and SMA
SafePrint
Diagram (ESA): MTA -> AV, AMP & TG, URL Filter -> Safe Print. Malicious and suspicious document types or URLs in attachments: Malicious / Suspicious -> Drop / Quarantine; Do Safe Print -> Deliver / Safe Print, or Deliver / no Attachment.
SafePrint – Content Disarm
Effectively disarm potentially malicious documents, delivering a safe file to the end user.
AsyncOS 13.5
ESA 13.5 Summary
• Phishing Enhancements - CUA
• APP Integration on Cisco Email Gateway
• Performance and Scalability Enhancements
• Cisco Success Network & Telemetry
SMA 13.6 Summary
• Reporting Scalability enhancements on SMA
• Load-Balancer / Centralized Management
• Dashboard
• Configuration
Cloud URL Analysis (CUA)
Enhanced coverage on:
o Credential phishing (financial, brand, documents, surveys)
o File-based malware (Emotet)
o Browser exploits
o Shortened URL services
ESA & APP Integration
APP sensor is now on Cisco Email Gateway (APP Sensor -> APP Portal)
• No additional VMs required to deploy the sensor
• Enable forwarding as the last blade on ESA/CES
• Basic summary of APP detections on ESA/CES with the ability to pivot into the APP portal for further details
Cisco Success Network & Telemetry
Usage information and statistics flow from Email Security to the Security Services Exchange (SSE) Cloud.
Analytics on collected telemetry data = increased visibility
Effectiveness of the product increases = improved customer experience
On-Demand Email Retraction
The admin searches for a malware indicator (file / URL / domain / IP / message ID), pulls the matching messages from O365 or Exchange, then selects and removes them from mailboxes.
Security Management Appliance (SMA)
On previous versions of AsyncOS for SMA:
• Max 20-25 ESAs to a single SMA.
o Best practices forced split SMA per function: § Reporting/Tracking § Monitoring § Quarantine
Now with AsyncOS 13.6 for SMA:
• 40+ ESAs can connect to a single SMA for reporting.
How?
• Reworked SMA to ESA communications provides 2-4% CPU savings.
• Improved reporting aggregation decreases CPU and IOPS.
Adding to savings on resources and benefiting overall OS performance and scalability!
Cisco Domain Protection Reporting Integration
Dragan Novaković, [email protected], 2020.
On Premise Web Protection: WSA Product Update
WSA Releases in 2019 and 2020
Timeline: July 2019: 11.8 | December 2019: 12.0
• UX refresh / REST API
• ISE enhancements (VDI / fallback)
• Threat categories
• Multiple categories
• Threat Grid cluster support
• CTR integration (SMA)
• Passthrough without certificate check
• O365 bypass and exception list
• Multi-config master (SMA)
• Threat categories
• High Performance (phase I)
• TLS 1.3
• CTR integration (WSA)
• UX refresh (WSA)
WSA TLS 1.3 Decryption Benefits
TLS v1.3
• Adoption: finalized in March '18; supported by all major browsers; 18% of Alexa-ranked sites support it
• Privacy: more of the handshake is encrypted, including the certificate
• Performance: faster handshake; TLS false start; resumption
• Security: insecure / obsolete ciphers removed; no renegotiation; no compression
High Performance WSA
S690 and S695 double their previous performance (2x performance)
Phase I: 12.0 | Phase II: 12.5
AsyncOS 12.0
New Reporting UI
• Less cluttered
• More modern
• Customizable
CTR integration (AsyncOS 12.0): query the WSA or SMA Web Tracking Database for observables
Observables: Domain, Destination IP, URL, Filename, File Hash
System Health Dashboard (AsyncOS 12.5)
CPU by Process | Memory | Disk | Status Info | RPS | Bandwidth | Decrypt Rate | Traffic Profile
System Health Dashboard (AsyncOS 12.5), service details
Status | Latency | Historical Alerts | ISE | AMP | Authentication | WBRS | and more…
AMP for Endpoints: Recent Enhancements
Save time by automating threat hunting and investigation with Orbital Advanced Search
• Key capabilities: advanced search; pre-defined, customizable queries; forensics snapshot
• Primary use cases: threat hunting; IT operations enablement; vulnerability and compliance tracking
• Benefits: faster investigation leads to quicker response, and ultimately lower cost of the breach
• Seamless investigation and remediation with Cisco Threat Response
Relentless Breach Defense
AMP for Endpoints Search
• Look inside your org (File Trajectory, Device Trajectory, File Analysis, Users, Groups, Policies, and other sources) for: SHA256, file name, device name, URL, IP, user name
Orbital Advanced Search
• Run complex queries on your endpoints for threat indicators
• Run live search on demand or on a schedule
• Get the answers you need about your endpoints in near real time
• Store queries in the cloud or apps like Cisco Threat Response
Architecture (diagram): the AMP Connector process (sfc.exe) hosts the engine layer (Immunet Protect, URL Scanner Engine) and the driver layer (Cisco AMP HEUR driver, Immunet Self Protect driver, Cisco ELAM driver, TETRA driver (Trufos), Immunet Network Monitor driver (DFC), Cisco Event Framework driver, KDF driver instance) and exchanges events, hash lookups and heartbeats with the AMP Endpoint Cloud, receiving the response (policy). Cisco AMP Orbital (orbital-ampwin.exe) runs the Orbital daemon, which populates local osquery tables (> 200 tables) and its databases and connects to the Orbital Cloud.
• Orbital enablement is a single click in the policy. After activation, Orbital will be installed by the AMP Connector (sfc.exe).
• The Orbital daemon constantly adds information into the Orbital databases; SQLite is used; https://www.osquery.io/schema/4.1.2
• Static connection established by orbital-ampwin.exe: orbital[.eu].amp.cisco.com:443 TCP; ncp[.eu].orbital.amp.cisco.com:443 TCP; based on Google Protocol Buffers (https://developers.google.com/protocol-buffers/)
Orbital - Run a query
From the AMP Endpoint Cloud console, click to open the Orbital Console. Query targets are selected with:
• host:<hostname>
• ip:<IP-address, type auto-detected>
• ip4:<IPv4-address>
• ip6:<IPv6-address>
• mac:<MAC-address>
• os:<operating-system: darwin, linux, windows>
• all
Orbital - Query Response
Orbital – Predefined Catalog
AMP Orbital and Threat Grid
Diagram: the Orbital daemon (Cisco AMP Orbital, orbital-ampwin.exe) queries the local osquery tables (> 200 tables) and its databases, and over the static connection established by orbital-ampwin.exe reaches the Orbital Cloud, which exchanges queries with the Threat Grid Cloud.
• Query for all active endpoints
• Predefined query statement by Threat Grid using the registry table
• Parameters to refine the query statement
• The registry key is not available on any of the queried endpoints
• Export the whole report as a .JSON file
AMP4E
Orbital Advanced Search Use Cases
• Threat Hunting: search for malicious artifacts in near real-time to accelerate your hunt for threats.
• Vulnerability and Compliance: check system status (OS versions, patches etc.), ensuring hosts comply with policies.
• Incident Investigation: get to the root cause of the incident fast, to speed up remediation.
• IT Operations: track disk space, memory, and other IT operations artifacts quickly.
• Isolate infected hosts from the rest of the network
• Contain the threat without losing forensics data
• Shrink remediation cost by limiting the scale of attack
• Fast endpoint reactivation once remediation is complete
• Take action directly from the AMP Console, Cisco Threat Response or API scripting
Contain the attack fast with Endpoint Isolation
AMP Endpoint Isolation
Architecture (diagram): the AMP Connector process (sfc.exe), with its engine layer (Immunet Protect, URL Scanner Engine) and driver layer (Cisco AMP HEUR driver, Immunet Self Protect driver, Cisco ELAM driver, TETRA driver (Trufos), Immunet Network Monitor driver (DFC), Cisco Event Framework driver, KDF driver instance), exchanges events, hash lookups and heartbeats with the AMP Endpoint Cloud and receives the response, including Start Isolation / Stop Isolation.
• NEW: added new options for cloud lookups to speed up isolation information delivery to the AMP connector
• Isolation status is attached to the Cloud Response
• The system is isolated from the network and is only able to access configured resources
• Isolation can be activated manually or using the API (integration)
• A new Indicators page maps Cloud Indications of Compromise (IOCs) to the MITRE ATT&CK knowledge base of tactics and techniques
• You can search/filter the knowledge base by indicator name, tactics, and techniques
Gain deeper insight on Cisco's Coverage: Indicators of Compromise
• A new feature which allows actions to be driven by events to automate common tasks when a threat is detected
• Capture a forensic snapshot when an endpoint is compromised
• Isolate a computer upon compromise
• Submit a file to Threat Grid for dynamic analysis upon detection
• Move a computer to an audit group upon compromise
Drive more automation for incident response with Automated Actions
AMP and Duo Integration: save time letting the good guys in and keeping the bad guys out
AMP for Endpoints + Duo Secure and Trusted Access: continuously verify trust to prevent compromised devices from accessing Duo-protected applications.
• Users use their devices to access applications.
• Endpoint security from Cisco running on the device detects malware.
• It notifies the MFA about the infected device.
• MFA blocks that device from accessing apps.
Block malicious devices from accessing applications. Protect applications from infected devices: A4E + Duo
Cisco Umbrella
Transformation to the secure internet gateway
Firewall | Web gateway | DNS-layer security | Data loss prevention
On-prem security converges in the cloud for more effective protection of branch offices and roaming users
Endpoint
• Microsoft Intune MDM
• AnyConnect IPv6
• Automatic Hostname Updates Dashboard
• Enterprise Connect for MacOS
• MacOS Managed Preferences ERC
• AnyConnect SWG User & Machine
GA
Cloud Access Security Broker Cloudlock
CASB & Cloudlock
• Data Loss Prevention
• Advanced App Control
• Tenant Restrictions
• Cloud Malware
• New App Connectors
• Updating Existing App Connectors
• Cisco SSO
• Webex Teams UEBA
Legend: Cloudlock | Umbrella; GA | LA | Future
Cloud Malware (Umbrella) - Currently in LA (CASB)
Current gap: data at rest in cloud storage.
Solution: detect and quarantine malicious files for:
• Endpoints that aren't covered by AMP
• Unmanaged devices
• External sharing, preventing the spread of malware to other companies
LA functionality:
• Detect (AMP/AV), quarantine and report malware files
• O365, Box, Dropbox and Webex Teams platforms
• Simple OAuth customer onboarding
Intel & Reporting
• DNS over HTTPS
• File Type Reporting
• Application Reporting: DNS & CDFW
• License Page
• Activity Search Exclude
• Parent Org Centralized Reports
• Threat Lens
• DNSSEC
Legend: GA | LA | Future
Activity Search Exclude – GA (Reporting)
Threat Lens – LA (Reporting)
Investigate: Passive DNS – Now GA (Reporting)
• What is Passive DNS? A historical database of DNS records
• Useful for threat hunters to go back in time to find missed compromises
• Further inspect the track record of a domain without tipping off bad actors that infrastructure they may still use is under suspicion
• Shows up to 4 years of history
• More than just DNS record values: also includes security categorization history for a full sense of a domain's security history
• Included in all Investigate packages (including API)
Investigate: Risk Scores – GA (Reporting)
The Umbrella Risk Score is made up of hundreds of features that might indicate whether a domain is compromised. Security Indicators provide information on how the overall risk score is calculated:
• Popularity Index: the number of different hosts querying a domain over time; a large change may contribute to an increase in risk
• Lexical Score: the domain shares some lexical content with known malicious domains. Highly popular domains usually have high lexical scores, e.g. google.com, apple.com
Reporting: Application Visibility – CDFW & DNS
New columns | Add columns | App filtering
DNSSEC - GA (Security)
• Support for the DNSSEC DO bit – client supports DNSSEC
• All DNS resolution supports DNSSEC, including non-customers
• No reporting support
• Recommendation: do not enable DNSSEC with on-premise DDI
Recommended Solution: DNSCrypt (Security)
Recommended Deployment
• DNSCrypt provides a cryptographically secure method of communication between a DNS client and Cisco Umbrella, and thus verifies that responses have originated from our resolvers.
• Both the Umbrella Roaming Client and the Umbrella Virtual Appliance use DNSCrypt in their default configurations.
• We believe that the use of DNSCrypt, in combination with DNSSEC validation between Umbrella and authorities, will provide the equivalent protection for DNS clients that full DNSSEC support would provide, while still maintaining the ability for Cisco Umbrella to provide the security protection for which it is intended.
Diagram: Client Machine (no DNSSEC validation) <-> Umbrella Resolver (recursive DNS): DNSCrypt protection; Umbrella Resolver <-> Root and TLD DNS Servers, Authoritative DNS Servers: DNSSEC validation.
License Summary Dashboard
https://bit.ly/2T10F62
Efficacy Testing – DNS-layer & SWG
• Data captured in Nov-Dec 2019 by AV-TEST, using their samples
• Threats tested were new and no vendor was given advance knowledge
• Products configured to provide the highest level of protection
• Umbrella SWG and DNS tested separately
DNS | SWG