© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Integrated Security Solutions: What’s new (part II). Dragan Novaković, [email protected], May 2020.


Page 1: Cisco Integrated Security Solutions · DNA Center Faster Adoption Endpoint Visibility Posture & Vulnerability Assessment Anomaly Detection Ecosystem Integration Faster Adoption


Cisco Integrated Security Solutions: What’s new (part II)

Dragan Novaković, [email protected], May 2020.

Page 2

Agenda

1. Cisco ISE
2. Email & Web Security
3. Cisco Umbrella
4. Cisco AMP

Page 3

Segmentation, Policy & Access: Cisco ISE

Page 4

ISE is at the heart of Cisco’s Zero Trust Solution

• Rapid Threat Containment
• Compliance
• Segmentation
• Secure Access
• Endpoint Visibility

3.0

Page 5

Moving from excessive trust to “Zero Trust”: a comprehensive approach to securing all access across your networks, applications, and environment.

• Workforce: ensure only the right users and secure devices can access applications.
• Workloads: secure all connections within your apps, across multi-cloud.
• Workplace: secure all user and device connections across your network, including IoT.

Page 6

Cisco Zero Trust

• Secure the Workforce with Duo: user-bound device access (application access for users & devices).
• Secure Your Workloads with Tetration: workload access (servers, apps, databases, SaaS, data center).
• Secure the Workplace with SD-Access: network access (users & devices, IoT devices, wireless, network traffic, corporate network, WAN routing).

[Diagram: the three pillars are shown added together as “All Corp IT”.]

Page 7

Next phase of Endpoint Visibility

Pillars: Endpoint Visibility, Secure Access, Compliance, RTC (Rapid Threat Containment), Segmentation

Next generation endpoint visibility with AI-driven analytics and network-driven deep packet inspection.

Page 8

Introducing Next Generation Profiling

[Diagram: data aggregation feeds endpoint profiling and ML analytics; inputs are 3rd-party visibility tools, a CMDB connector, DPI-based fingerprint/behavior, network telemetry and probes; easy-onboarding tools and continuous analytics complete the loop.]

• High Fidelity Visibility: crowd-sourced, ML-driven analytics to automate clustering continuously.
• Rapidly reduce unknowns by aggregating various sources of device fingerprints.
• Intelligence in the Edge: hardware-embedded DPI to find fingerprints from application payload.

Page 9

What is Multi Factor Classification?

DNA classifies endpoints using four independent label categories for more flexible profiling:

Device Type | Hardware Model | Hardware Manufacturer | Operating System
Laptop      | MacBook Pro    | Apple                 | macOS 10.14.6
CT Scanner  | Optima CT540   | GE                    | Windows 8
Smartphone  | Galaxy S8      | Samsung               | Android 9.0

Page 10

Brownfield/Multi-Vendor Visibility with Telemetry Sensor

[Diagram: mirrored (SPAN’ed) traffic from a brownfield network is fed to a Telemetry Sensor, which reports to DNA Center.]

• Lower barrier for customers to experience their endpoint visibility.
• Create a sales motion for customers to replace their legacy switches with Catalyst 9000.

Page 11

ISE 2.7 Features

Page 12

ISE 2.6 and 2.7 Features: new features and quality improvements on ISE

• Reliable profiling: profiling ownership | stable static classification
• WAN survivability: lightweight session DB on PSNs
• Newer appliances: faster MnT performance
• Suggested release: ISE 2.6 as suggested release

Onboarding
• User Private Network (UPN)
• Simplified Guest Experience

Visibility & Context
• Manufacturer Usage Description
• Unique Device Identifier
• UI: Guided Walkthroughs

Platform
• 2 million concurrent endpoints
• Large VMs and SNS3600 appliances
• Secure SMTP

Threat Containment
• Posture: Grace Period
• Incident Response via IBM QRadar
• Posture: Custom messages

Ecosystem Integrations
• REST support for external Admins
• Multiple DNAC-ISE integration*
• User and Device context in Tetration

Page 13

Improved scale and performance (ISE 2.6)

Deployment models:
• Lab and Evaluation
• Small HA Deployment: 2 x (PAN+MNT+PSN)
• Small Multi-node Deployment: 2 x (PAN+MNT), <= 5 PSN
• Large Deployment: 2 PAN, 2 MNT, <= 50 PSN
1:1 redundancy

Endpoint scale per appliance family:
• SNS 3500: 100 endpoints (lab and evaluation), 20,000 endpoints, 500,000 endpoints
• SNS 3600: 100 endpoints (lab and evaluation), 50,000 endpoints, 2 million endpoints

§ Applies to both physical and virtual deployment
§ Compatible with load balancers

Page 14

Guided walkthrough for ease of administration (ISE 2.7)

Problem: Certain ISE configurations are too complex, and administrators need document references to make the desired changes to the system.

Solution: ISE 2.7 will have guided walkthroughs to assist in configuring specific use cases.

Caveats / Prerequisites: None

Page 15

User Private Network (ISE 2.7): solving Multi-Dwelling-Unit networking challenges

Problem: In an MDU, on a shared network, end users are unable to use their consumer devices the way they do at home:
• All users on the same network
• Everyone sees every other device
• No device ownership concept
• Device discovery & usage hampered

Solution: Registration of devices to claim ownership and creation of “nano” segmentation per user. Allows for movement across UPNs initiated by end users.

Caveats / Prerequisites: ISE 2.7, Cat9800 (IOS-XE 17.1), DNAC, Cisco hosted Cloud Service, Mobile App

Page 16

Simplified Guest User Experience (ISE 2.7)

Problem: After self-registration, guest users need to wait for sponsor approval and for credentials to be shared before gaining network access.

Solution: The Guest Auto Login feature in ISE 2.7 lets guests log in automatically, without credentials, after sponsor approval. Auto-login on sponsor approval | phone number as username.

Caveats / Prerequisites: None

[Flow: guest requests sponsor approval; sponsor approves the guest account; guest is authorized for access.]

Page 17

Secure SMTP (ISE 2.7)

Problem: Enterprises cannot use insecure protocols and therefore need support for Secure SMTP in ISE.

Solution: ISE 2.7 will support TLS/SSL encryption for Secure SMTP. Both passwords and certificates will be supported for authentication.

Caveats / Prerequisites: None

Page 18

Higher scale, better performance and reliable services: Lightweight Session Directory (LSD) on PSNs (ISE 2.6)

Problem: Frequent access to session data on the MnT node causes various performance issues, such as delays in CoA, MnT overload and limited scale.

Solution: Starting with ISE 2.6, PSNs have an LSD (Redis DB); with it the nodes look up sessions locally and replicate them to the other nodes directly, without choking the MnT node. If a session is not found in the local LSD, the PSN requests it from the MnT node.

Caveats / Prerequisites: The LSD feature stores only the session attributes required for CoA.

[Diagram: session lookup without LSD (every lookup goes from the PSNs to PAN/MnT) versus with LSD (local lookup on the PSNs, session updates to PAN/MnT); RabbitMQ is labelled between the nodes.]

Page 19

Cisco Email Security

Page 20

Talos Team

Attackers rely primarily on email to distribute spam, malware, and other threats. To prevent breaches, you need a powerful email security solution.

Page 21

Email Security Development Priorities

Efficacy
• Improved phishing detection with cloud-based URL analysis
• Faster lookup times via new cloud architecture
• New scanning engines for emerging threats

Integration
• 3rd phase of integration with Cisco Threat Response
• Advanced Phishing Sensor on CES/ESA
• Publication of a public API for configuration

User Experience
• New user interface for Cloud Email Security
• New interface for Registered Envelope Service
• Domain Protection and Advanced Phishing reports

Office 365
• East / West email visibility
• Reading of reporting and mailbox data from Exchange
• Native integration with Exchange folders (Junk, Quarantine, etc.)
• On-demand retraction of emails

Page 22

Email Security Releases in 2019-2020

Timeline: v12.0 (January 2019), v12.5 (June 2019), v13.0 (September 2019), v13.5 (February 2020). Themes: Thought Leadership, Threat Efficacy, Infrastructure Expansion, Cisco on Cisco Integration, Platform Enhancements.

• External threat feeds support using the STIX over TAXII standard
• Sender Domain Reputation (SDR): domain reputation, age-based filtering
• Japan, Australia CES DC launch
• GDPR compliance for CES
• Cisco Threat Response integration
• ThreatGrid cluster support
• DANE support: meet EU standards
• Smart Licensing: simplified licensing
• How-Tos, new UI, SMA APIs
• Enhanced IMS engine: revamped Intelligent Multi-scan engine to better detect spam and phishing
• New EU data center: Germany DC in preparation for Brexit
• Cisco Threat Response: support for multiple regions (US, EU)
• CRES Easy Open: pull-based encryption
• x95 platform support: new and better performing platform
• Auto Remediation for Exchange 2016+
• SafePrint file disarm and reconstruction
• Efficacy improvements: enhanced anti-spam with additional profiles & improved outbreak filters for better phishing detection
• Mailbox On-Demand Retraction: for on-prem, cloud and hybrid O365, MS Exchange
• Phishing improvements: detection of credential phishing, malware download, browser attack links
• Site-to-site VPN for APJC customers
• Load balancers for US CES data centers
• Cisco Threat Response: casebook, pivot menu support
• CEF logs & AWS S3 bucket upload
• SSO access to email gateways via SAML
• New UI for Email Gateway for RTQ
• Integration of Advanced Phishing Protection sensor, Domain Protection “My Domains” report
• New multi-tenant dashboard in CES
• Load balancers for EU, APJC data centers
• Scalable SMA: to handle more gateways
• CRES: custom branded CRES UI

Page 23

New! x95 Hardware Refresh for ESA/WSA/SMA (Data Sheets, Product Overview with Migration Guide)

Page 24

Version 13.0 Summary

ESA 13.0 Enhancements
• Enhancements to Mailbox Auto Remediation
• Exchange Hybrid support
• Exchange 2013, 2016 support
• O365 Multi-tenant support
• Cisco Threat Response – pivot menu, casebook
• Single Log Line (CEF)
• SAML for administrative authentication
• FIPS/CC Certification
• Phishing enhancements - phase 1
• x95 platform support
• Reporting / Tracking / Quarantine UI on ESA w/ APIs

SMA 13.0 Enhancements
• SMA UX – phase 3
• Configuration of Quarantines
• Scheduled Reporting
• PDF of reports in new UI format

Page 25

Mailbox Auto Remediation Enhancements

[Diagram: Cisco Email Security (appliance HW/VM or cloud) reaches Office 365 (main tenant and secondary tenant) through the Graph API, and MS Exchange 2016/2019 through the EWS API.]

• Graph API supports Exchange 2013/2016 Hybrid deployments
• EWS API supports Exchange 2013/2016 Standalone deployments
• Multiple tenants can use a single MAR action with Chained Profiles

Page 26

CEF Formatted Logs

• CEF provides a standardized log format so that SIEM vendors can easily ingest logs.
• All data / verdicts / actions on the email are logged into a single entry after the final action on the email is taken.
• CEF reduces disk consumption in SIEM applications and allows faster indexing.
• S3 buckets will be supported for log transfers.

Page 27

CEF Formatted Logs

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Sample entry from the slide (placeholder field names in place of values):

CEF:0|Cisco|ESA|11.1|SERIAL|0|IP|HostName|SenderGroup|ICID|MFP|Action|MID|[email protected]|[email protected] |Make Christmas Magical again!|Policy|IPAS|AV|AMP|GRM|CF|OF|Drop
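As an added example (not from the slides or Cisco's own tooling), a small Python parser for the base CEF format above: it locates the CEF record in a syslog line, splits the seven header fields on unescaped pipes, parses the key=value extension, and collects the per-engine verdicts that one consolidated entry carries. The sample line, its signature ID, verdict labels, hosts and addresses are constructed placeholders.

```python
"""Parse ESA-style CEF log lines: base CEF header plus key=value extension."""
import re

# The seven CEF header fields, in the order of the base format on the slide.
CEF_HEADER_FIELDS = (
    "version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# Constructed sample, not a real ESA log: a syslog prefix followed by one
# consolidated CEF entry carrying per-engine verdicts and the final action.
# The signature ID and verdict labels are placeholders, not ESA's real values.
SAMPLE_LINE = (
    "Dec 24 10:15:02 esa01 CEF:0|Cisco|ESA|13.0|MESSAGE_FINAL_ACTION|"
    "Mail Verdict \\| Action|5|"
    "src=203.0.113.10 shost=mail.example.net "
    "suser=sender@example.com duser=recipient@example.com "
    "msg=Make Christmas Magical again! "
    "cs1Label=AMP cs1=MALICIOUS cs2Label=AV cs2=NEGATIVE act=Drop"
)

# An extension key is a word followed by '=' at the start or after whitespace;
# an escaped '\=' inside a value never matches because '\' is not a word char.
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")


def split_cef_header(cef):
    """Split on unescaped '|' into the seven header fields; return them plus
    the untouched extension text that follows the seventh pipe."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):   # '\|' and '\\' are literal chars
            buf.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must have seven pipe-separated fields")
    return fields, cef[i:]


def unescape_extension(value):
    """Undo the extension escapes: '\\=' '\\\\' '\\n' '\\r'."""
    repl = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: repl.get(m.group(1), m.group(1)), value)


def parse_cef_extension(ext):
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces, so each
    value runs from its key up to the start of the next key."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        start = m.end()
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape_extension(ext[start:end].strip())
    return out


def parse_cef(line):
    """Parse a syslog line containing a CEF record into a dict with the seven
    header fields plus an 'extension' dict."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF record in line")
    fields, ext = split_cef_header(line[pos + len("CEF:"):])
    record = dict(zip(CEF_HEADER_FIELDS, fields))
    record["extension"] = parse_cef_extension(ext)
    return record


def verdicts(record):
    """Collect customString label/value pairs (cs1Label=AMP cs1=MALICIOUS ...)
    into {engine: verdict}: the per-engine verdicts of one consolidated entry."""
    ext = record["extension"]
    result = {}
    for key, label in ext.items():
        m = re.fullmatch(r"(cs\d+)Label", key)
        if m and m.group(1) in ext:
            result[label] = ext[m.group(1)]
    return result


if __name__ == "__main__":
    rec = parse_cef(SAMPLE_LINE)
    print(rec["signature_id"], rec["extension"]["act"], verdicts(rec))
```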

Page 28

Cisco Threat Response – Phase 2

• New Reporting, Tracking and Quarantine
• Pivoting from ESA/SMA to CTR
• More context on specific observables

Page 29

SAML for Administrative Authentication

• SSO authentication
• Map roles to groups
• SAML verified against ADFS, Azure AD and Duo
• ESA and SMA

Page 30

SafePrint

[Flow on the ESA: the MTA passes attachments through AV, AMP & TG and the URL filter, which flag malicious & suspicious document types or URLs in attachments. The three outcomes shown are: Malicious / Suspicious with Drop / Quarantine; Do Safe Print with Deliver / Safe Print; and Deliver / no Attachment.]

Page 31

SafePrint – Content Disarm

Effectively disarm potentially malicious documents, delivering a safe file to the end user.

Page 32

AsyncOS 13.5

ESA 13.5 Summary

• Phishing Enhancements - CUA

• APP Integration on Cisco Email Gateway

• Performance and Scalability Enhancements

• Cisco Success Network & Telemetry

SMA 13.6 Summary

• Reporting Scalability enhancements on SMA

• Load-Balancer / Centralized Management

• Dashboard

• Configuration

Page 33

Cloud URL Analysis (CUA)

Enhanced coverage on:
o Credential Phishing (Financial, Brand, Documents, Surveys)
o File-Based Malware (Emotet)
o Browser Exploits
o Shortened URL services

Page 34

ESA & APP Integration

The APP sensor is now on the Cisco Email Gateway:
• No additional VMs required to deploy the sensor
• Enable forwarding as the last blade on ESA/CES
• Basic summary of APP detections on ESA/CES, with the ability to pivot into the APP portal for further details

[Diagram: APP Sensor on the gateway forwarding to the APP Portal.]

Page 35

Cisco Success Network & Telemetry

[Diagram: Email Security sends usage information and statistics to the Security Services Exchange (SSE) cloud.]

• Analytics on collected telemetry data = increased visibility
• Effectiveness of the product increases = improved customer experience

Page 36

On-Demand Email Retraction

An admin searches for malware (file / URL / domain / IP / message ID), pulls the matching messages from O365 or Exchange, then selects and removes them from mailboxes.

Page 37

Security Management Appliance (SMA)

On previous versions of AsyncOS for SMA:
• Max 20-25 ESAs to a single SMA.
  o Best practices forced split SMA per function:
    § Reporting/Tracking
    § Monitoring
    § Quarantine

Now with AsyncOS 13.6 for SMA:
• 40+ ESAs can connect to a single SMA for Reporting.

How?
• Reworked SMA to ESA communications provides 2-4% CPU savings.
• Improved reporting aggregation decreases CPU and IOPS.

Adding to savings on resources and benefiting overall OS performance and scalability!

Page 38

Cisco Domain Protection Reporting Integration

Page 39

Cisco Domain Protection Reporting Integration

Page 40

On Premise Web Protection: WSA Product Update

Dragan Novaković, [email protected], May 2020.

Page 41

WSA Releases in 2019 and 2020

Releases: 11.8 (July 2019), 12.0 (December 2019)

• UX refresh / REST API
• ISE enhancements (VDI / fallback)
• Threat categories
• Multiple categories
• Threat Grid cluster support
• CTR integration (SMA)
• Passthrough without certificate check
• O365 bypass and exception list
• Multi-config master (SMA)
• Threat categories
• High Performance (phase I)
• TLS 1.3
• CTR integration (WSA)
• UX refresh (WSA)

Page 42

WSA TLS 1.3 Decryption Benefits

TLS v1.3

Adoption
• Finalized in March ‘18
• Supported by all major browsers
• 18% of Alexa-ranked sites support it

Privacy
• More of the handshake is encrypted
• Including the certificate

Performance
• Faster handshake
• TLS false start
• Resumption

Security
• Insecure / obsolete ciphers removed
• No renegotiation
• No compression

Page 43

High Performance WSA

S690 and S695 double their previous performance (2x performance). Phase I: 12.0; Phase II: 12.5.

Page 44

AsyncOS 12.0

New Reporting UI
• Less cluttered
• More modern
• Customizable

Page 45

CTR integration (AsyncOS 12.0): query the WSA or SMA Web Tracking Database

Observables: Domain, Destination IP, URL, Filename, File Hash

Page 46

System Health Dashboard (AsyncOS 12.5)

CPU by Process, Memory, Disk, Status Info, RPS, Bandwidth, Decrypt Rate, Traffic Profile

Page 47

System Health Dashboard (AsyncOS 12.5)

Status, Latency, Historical Alerts, ISE, AMP, Service Details, Authentication, WBRS, and more…

Page 48

AMP for Endpoints: Recent Enhancements

Page 49

Save time by automating threat hunting and investigation with Orbital Advanced Search

• Key capabilities: advanced search; pre-defined, customizable queries; forensics snapshot
• Primary use cases: threat hunting; IT operations enablement; vulnerability and compliance tracking
• Benefits: faster investigation leads to quicker response, and ultimately lower cost of the breach
• Seamless investigation and remediation with Cisco Threat Response

Relentless Breach Defense

Page 50

AMP for Endpoints Search

Look inside your Org (File Trajectory, Device Trajectory, File Analysis, Users, Groups, Policies, and other sources) for:
• SHA256
• File Name
• Device Name
• URL
• IP
• User Name

Page 51

Orbital Advanced Search

• Run complex queries on your endpoints for threat indicators

• Run live search on demand or on a schedule

• Get the answers you need about your endpoints in near real time

• Store queries in the cloud or apps like Cisco Threat Response

Page 52

Orbital Advanced Search

[Architecture diagram: the AMP Connector process (sfc.exe) hosts the engine layer (Immunet Protect, URL Scanner Engine) and the driver layer (Cisco AMPHEUR Driver, Immunet SelfProtect Driver, Cisco ELAM Driver, TETRA Driver (Trufos), Immunet Network Monitor Driver (DFC), Cisco Event Framework Driver, KDF Driver Instance). The connector talks to the AMP Endpoint Cloud (events, hash lookups, heartbeat, policy response). Cisco AMP Orbital (orbital-ampwin.exe) runs the Orbital daemon, keeps osquery tables locally on the system (> 200 tables) in its databases, and holds a static connection to the Orbital Cloud.]

• Orbital enablement is a single click in the policy.
• After activation, Orbital will be installed by the AMP Connector (sfc.exe).
• The Orbital daemon constantly adds information into the Orbital databases; SQLite is used; table schema: https://www.osquery.io/schema/4.1.2
• Static connection established by orbital-ampwin.exe:
  • orbital[.eu].amp.cisco.com:443 TCP
  • ncp[.eu].orbital.amp.cisco.com:443 TCP
  • Based on Google Protocol Buffers: https://developers.google.com/protocol-buffers/

Page 53

Orbital Advanced Search (same diagram and notes as Page 52)

Page 54

Orbital - Run a query

[Orbital console, opened from the AMP Endpoint Cloud, with the same architecture diagram: Orbital daemon, osquery tables locally on the system (> 200 tables), databases, static connection established by orbital-ampwin.exe to the Orbital Cloud.]

Query targets:
• host:<hostname>
• ip:<IP-address, type auto-detected>
• ip4:<IPv4-address>
• ip6:<IPv6-address>
• mac:<MAC-address>
• os:<operating-system: darwin, linux, windows>
• all
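An added example, not Cisco's code: a Python resolver for the query target selectors listed above. It normalises each selector (auto-detecting whether an ip: value is IPv4 or IPv6, canonicalising addresses and MACs, rejecting an ip4:/ip6: selector given the other address family) and matches it against a constructed endpoint inventory; the inventory fields and the union semantics for several selectors are assumptions.

```python
"""Parse Orbital-style query target selectors and resolve them against an inventory."""
import ipaddress
import re

# Selector keywords from the slide; 'all' takes no value.
SELECTOR_KINDS = {"host", "ip", "ip4", "ip6", "mac", "os", "all"}
KNOWN_OS = {"darwin", "linux", "windows"}
_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed inventory standing in for what the Orbital cloud knows about
# connected endpoints; hostnames, addresses and MACs are made up.
ENDPOINTS = [
    {"host": "fin-laptop-01", "ip4": "10.0.1.15", "ip6": "2001:db8::15",
     "mac": "00:11:22:33:44:55", "os": "windows"},
    {"host": "build-srv-02", "ip4": "10.0.2.20", "ip6": "2001:db8::20",
     "mac": "00:11:22:33:44:66", "os": "linux"},
    {"host": "design-mbp-03", "ip4": "10.0.1.33", "ip6": "2001:db8::33",
     "mac": "00:11:22:33:44:77", "os": "darwin"},
]


def parse_selector(text):
    """Normalise one selector string to a (kind, value) pair.

    'ip:' is resolved to 'ip4' or 'ip6' by parsing the address (the slide's
    'type auto-detected'); addresses and MACs are canonicalised so that
    'ip:2001:DB8:0::15' and 'ip6:2001:db8::15' select the same endpoint.
    """
    text = text.strip()
    if text == "all":
        return ("all", None)
    kind, sep, value = text.partition(":")
    kind, value = kind.strip().lower(), value.strip()
    if not sep or kind not in SELECTOR_KINDS or not value:
        raise ValueError(f"malformed selector: {text!r}")
    if kind in ("ip", "ip4", "ip6"):
        addr = ipaddress.ip_address(value)          # ValueError on junk input
        detected = "ip4" if addr.version == 4 else "ip6"
        if kind != "ip" and kind != detected:        # e.g. ip4:<IPv6 address>
            raise ValueError(f"{kind} selector given an {detected} address: {value}")
        return (detected, str(addr))                 # canonical text form
    if kind == "mac":
        mac = value.lower().replace("-", ":")
        if not _MAC_RE.match(mac):
            raise ValueError(f"malformed MAC address: {value!r}")
        return ("mac", mac)
    if kind == "os":
        if value.lower() not in KNOWN_OS:
            raise ValueError(f"unknown os: {value!r}")
        return ("os", value.lower())
    return ("host", value.lower())


def select_endpoints(selectors, endpoints=ENDPOINTS):
    """Return the sorted hostnames matched by any of the selectors (union
    semantics for multiple selectors is an assumption, not Orbital's rule)."""
    matched = set()
    for sel in selectors:
        kind, value = parse_selector(sel)
        for ep in endpoints:
            if kind == "all" or ep.get(kind) == value:
                matched.add(ep["host"])
    return sorted(matched)


if __name__ == "__main__":
    print(select_endpoints(["os:linux", "ip:2001:DB8:0::15"]))
```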

Page 55

Orbital - Run a query (console screenshot; diagram as on Page 54)

Page 56

Orbital - Query Response (console screenshot; diagram as on Page 54)

Page 57

Orbital – Predefined Catalog

Page 58

Orbital and Threat Grid

[Diagram: Orbital Cloud and Threat Grid Cloud connected to the endpoint running Cisco AMP Orbital (orbital-ampwin.exe) with the Orbital Daemon, local osquery tables (> 200 tables) and Orbital databases; static connection established by orbital-ampwin.exe]

Page 59

AMP Orbital and Threat Grid

[Diagram: Orbital Cloud and Threat Grid Cloud connected to the AMP4E endpoint running Cisco AMP Orbital (orbital-ampwin.exe) with the Orbital Daemon, local osquery tables (> 200 tables) and Orbital databases; static connection established by orbital-ampwin.exe]

Screenshot callouts:
• Query for all active endpoints
• Predefined query statement by Threat Grid using table registry
• Parameters to refine the query statement
• The registry key is not available on any of the queried endpoints
• Export the whole report as .JSON file

Page 60

Orbital Advanced Search Use Cases

Threat Hunting: Search for malicious artifacts in near real-time to accelerate your hunt for threats.

Vulnerability and Compliance: Check system status (OS versions, patches etc.), ensuring hosts comply with policies.

Incident Investigation: Get to the root cause of the incident fast, to speed up remediation.

IT Operations: Track disk space, memory, and other IT operations artifacts quickly.

Relentless Breach Defense

Page 61

• Isolate infected hosts from the rest of the network

• Contain the threat without losing forensics data

• Shrink remediation cost by limiting the scale of attack

• Fast endpoint reactivation once remediation is complete

• Take action directly from the AMP Console, Cisco Threat Response or API scripting

Contain the attack fast with Endpoint Isolation

Relentless Breach Defense

Page 62

[Diagram: AMP Connector Process (sfc.exe) with an Engine Layer (Immunet Protect, URL Scanner Engine) and a Driver Layer (Cisco AMPHEUR Driver, Immunet SelfProtect Driver, Cisco ELAM Driver, TETRA Driver (Trufos), Immunet Network Monitor Driver (DFC), Cisco Event Framework Driver, KDF Driver Instance); the connector sends Event, Hash Lookup and Heartbeat messages to the AMP Endpoint Cloud and receives a Response that can carry Start Isolation / Stop Isolation]

• NEW: Added new options for cloud lookups to speed up isolation information delivery to the AMP connector

• Isolation status attached to the cloud response

• System is isolated from the network and is only able to access configured resources

• Isolation can be activated manually or using the API (integration)

AMP Endpoint Isolation

Page 63

• A new Indicators page maps Cloud Indications of Compromise (IOCs) to the MITRE ATT&CK knowledge base of tactics and techniques

• You can search/filter the knowledge base by indicator name, tactics, and techniques

Gain deeper insight on Cisco's coverage: Indicators of Compromise

Relentless Breach Defense

Page 64

• A new feature which allows actions to be driven by events to automate common tasks when a threat is detected

• Capture a forensic snapshot when an endpoint is compromised

• Isolate a computer upon compromise

• Submit a file to Threat Grid for dynamic analysis upon detection

• Move a computer to an audit group upon compromise

Drive more automation for incident response with Automated Actions

Relentless Breach Defense

Page 65

Continuously verify trust to prevent compromised devices from accessing Duo-protected applications

AMP for Endpoints

Save time letting the good guys in and keeping the bad guys out: AMP and Duo Integration

Secure and Trusted Access

Page 66

1. Users use their devices to access applications.
2. Endpoint security from Cisco running on the device detects malware.
3. It notifies the MFA about the infected device.
4. MFA blocks that device from accessing apps.

Block malicious devices from accessing applications.

Protect applications from infected devices: A4E + Duo

Page 67

Cisco Umbrella

Page 68

[Diagram: Firewall, Web gateway, DNS-layer security and Data loss prevention converging into one cloud service]

On-prem security converges in the cloud for more effective protection of branch offices and roaming users

Transformation to the secure internet gateway

Page 69

Endpoint

Page 70

Endpoint
• Microsoft Intune MDM
• AnyConnect IPv6
• Automatic Hostname Updates Dashboard
• Enterprise Connect for MacOS
• MacOS Managed Preferences ERC
• AnyConnect SWG User & Machine

GA

Page 71

Cloud Access Security Broker Cloudlock

Page 72

CASB & Cloudlock
• Data Loss Prevention
• Advanced App Control
• Tenant Restrictions
• Cloud Malware
• New App Connectors
• Updating Existing App Connectors
• Cisco SSO
• Webex Teams UEBA

(Legend: Cloudlock / Umbrella; GA / LA / Future)

Page 73

Cloud Malware (Umbrella) - Currently in LA

Current Gap: Data at rest in Cloud Storage

Solution: Detect and quarantine malicious files:
• Endpoints that aren't covered by AMP
• Unmanaged devices
• External sharing - preventing spread of malware to other companies

LA Functionality:
• Detect (AMP/AV), quarantine and report malware files
• O365, Box, Dropbox and Webex Teams platforms
• Simple OAuth customer onboarding

CASB

Page 74

Intel & Reporting

Page 75

Intel & Reporting
• DNS over HTTPS
• File Type Reporting
• Application Reporting DNS & CDFW
• License Page
• Activity Search Exclude
• Parent Org Centralized Reports
• Threat Lens
• DNSSEC

(Legend: GA / LA / Future)

Page 76

Activity Search Exclude – GA

Reporting

Page 77

Threat Lens – LA

Reporting

Page 78

Investigate: Passive DNS – Now GA

• What is Passive DNS? A historical database of DNS records

• Useful for threat hunters to go back in time to find missed compromises

• Further inspect the track record of a domain without tipping off bad actors that infrastructure they may still use is under suspicion

• Shows up to 4 years of history

• More than just DNS record values: Also includes security categorization history for a full sense of a domain’s security history

• Included in all Investigate packages (including API)

Reporting

Page 79

Investigate: Risk Scores – GA

Security Indicators provide information on how the overall risk score is calculated

Popularity Index: the number of different hosts querying a domain over time; a large change may contribute to an increase in risk

Lexical Score: the domain shares some lexical content with known malicious domains. Highly popular domains usually have high lexical scores, e.g. google.com, apple.com

The Umbrella Risk score is made up of hundreds of features that might indicate whether a domain is compromised.

Reporting

Page 80

Reporting Application Visibility – CDFW & DNS

[Screenshot callouts: New Columns, Add Columns, App Filtering]

Reporting

Page 81

• Support DNSSEC DO bit – client supports DNSSEC

• All DNS resolution supports DNSSEC, including non-customers

• No reporting support

• Recommendation: do not enable DNSSEC with on-premise DDI

DNSSEC - GA

Security

Page 82

Recommended Solution: DNSCrypt

Recommended Deployment

Security

• DNSCrypt provides a cryptographically secure method of communication between a DNS client and Cisco Umbrella, and thus verifies that responses have originated from our resolvers.

• Both the Umbrella Roaming Client and the Umbrella Virtual Appliance use DNSCrypt in their default configurations.

• We believe that the use of DNSCrypt, in combination with DNSSEC validation between Umbrella and authorities, will provide the equivalent protection for DNS clients that full DNSSEC support would provide, while still maintaining the ability for Cisco Umbrella to provide the security protection for which it is intended.

[Diagram: Client Machine (no DNSSEC validation) → Umbrella Resolver (recursive DNS), protected by DNSCrypt; Umbrella Resolver → Root and TLD DNS Servers and → Authoritative DNS Servers, each with DNSSEC validation]

Page 83

License Summary

Dashboard

Page 84

https://bit.ly/2T10F62

Page 85

Efficacy Testing – DNS-layer & SWG
• Data captured in Nov-Dec 2019 by AV-TEST, using their samples
• Threats tested were new & no vendor was given advanced knowledge
• Products configured to provide highest level of protection
• Umbrella SWG & DNS tested separately

[Chart: results for DNS and SWG]

Page 86