Cisco Confidential© 2017 Cisco and/or its affiliates. All rights reserved. 1
Gain Full Visibility and Security Across Your Network
Candice Griswold, Security Account Manager NVE-AJC
May 2017
Enterprise Network Security Trends
(Chart: attack Complexity versus defender Capabilities)
• 1M new devices will go online every hour by 2020
• Attacks take 100 days to resolve on average
• 76% of IT professionals say a lack of visibility is their biggest challenge in addressing network threats
• Malicious breaches take 80 days to discover
• The average total cost of a single data breach is $4M
Complexity of attacks is increasing, but our capabilities are not, and we have a security gap between the two.
We need to reduce the security gap by providing better visibility of network threats.
Challenges
• I want to know what is going on with my network at all times – across all applications, users, and devices
• I want to defend my network against increasingly complex and persistent network threats – now and in the future
• I want a single solution to be able to streamline my organization’s response to and containment of threats
All Threats Are Insider Threats
With lateral movement of advanced persistent threats, even external attacks eventually become internal threats.
• 95% of all cybercrime is user-triggered by disguised malicious links
• One out of four breaches is caused by malicious insiders
• Two out of three breaches exploit weak or stolen passwords
Enterprise Network Security Should Provide…
• Intelligent real-time protection against known and unknown threats
• Detailed network traffic visibility for threat detection
• Unified security that reduces risk and complexity
Cisco Enterprise Network Security
Secure your digital network in real-time, all the time, everywhere
• Network as a Sensor: visibility and analytics across the extended enterprise, industry-leading threat intelligence
• Network as an Enforcer: consistent threat protection and remediation across the network
• Threat Mitigation: security embedded into hardware and software by design
Cisco Network as a Sensor (NaaS)
Detect Anomalous Traffic Flows, Malware
Identify User Access Policy Violations
Obtain Broad Visibility into All Network Traffic
See and detect more in your network with Stealthwatch

Monitor
• Obtain comprehensive, scalable enterprise visibility and security context
• Gain real-time situational awareness of traffic

Detect
• Detect and analyze network behavior anomalies
• Easily detect behaviors linked to advanced persistent threats (APTs), insider threats, distributed denial-of-service (DDoS) attacks, and malware

Analyze
• Collect and analyze holistic network audit trails
• Achieve faster root cause analysis
• Conduct thorough forensic investigations

Respond
• Accelerate network troubleshooting and threat mitigation
• Respond quickly to threats
• Continuously improve enterprise security posture
Behavioral and Anomaly Detection
Behavioral algorithms are applied to collected flows to build “security events”; events roll up into an alarm category, and each alarm drives a response.

COLLECT AND ANALYZE FLOWS
FLOWS
  -> SECURITY EVENTS (94+), for example:
     Addr_Scan/tcp
     Addr_Scan/udp
     Bad_Flag_ACK**
     Beaconing Host
     Bot Command Control Server
     Bot Infected Host - Attempted
     Bot Infected Host - Successful
     Flow_Denied
     ...
     ICMP Flood
     ...
     Max Flows Initiated
     Max Flows Served
     ...
     Suspect Long Flow
     Suspect UDP Activity
     SYN Flood
     ...
  -> ALARM CATEGORY:
     Concern
     Exfiltration
     C&C
     Recon
     Data Hoarding
     Exploitation
     DDoS Target
  -> RESPONSE:
     Alarm Table
     Host Snapshot
     Syslog / SIEM
     Mitigation
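The flows -> security events -> alarm category -> response pipeline on this slide, worked through on constructed NetFlow-style records. This is an added illustration written for this page, not Stealthwatch code: the fixed thresholds, the "Suspect Data Loss" event name used for the Exfiltration category, and the event-to-category and category-to-response tables are assumptions chosen to fit the sample data (Stealthwatch itself baselines each host's normal behaviour rather than using static numbers).

```python
"""Flow-based behavioural detection: flows -> security events -> alarm category -> response.
Added example for this page, not Stealthwatch code; thresholds and mappings are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    start: int        # flow start, seconds
    bytes_out: int    # bytes sent by src


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = (
    # 10.4.51.5 touches 40 hosts on tcp/22 within seconds -> Addr_Scan/tcp
    *[Flow("10.4.51.5", f"10.4.60.{i}", 22, "tcp", 100 + i, 60) for i in range(1, 41)],
    # 10.4.51.9 calls the same external host every 300 s -> Beaconing Host
    *[Flow("10.4.51.9", "203.0.113.7", 443, "tcp", 1000 + 300 * k, 400) for k in range(8)],
    # 10.4.51.12 pushes 2 GB to one external host -> Suspect Data Loss (assumed event name)
    Flow("10.4.51.12", "198.51.100.23", 443, "tcp", 5000, 2_000_000_000),
    # 10.4.51.20 behaves normally and should raise nothing
    Flow("10.4.51.20", "10.4.70.5", 445, "tcp", 6000, 15_000),
    Flow("10.4.51.20", "10.4.70.5", 445, "tcp", 6300, 22_000),
)

# Assumed static thresholds (a real deployment tunes these per host baseline).
SCAN_MIN_DISTINCT_DSTS = 20
BEACON_MIN_FLOWS = 6
BEACON_MAX_INTERVAL_STDDEV = 5.0
EXFIL_MIN_BYTES = 1_000_000_000

# Security event -> alarm category, following the slide's categories (mapping assumed).
EVENT_CATEGORY = {
    "Addr_Scan/tcp": "Recon",
    "Addr_Scan/udp": "Recon",
    "Beaconing Host": "C&C",
    "Suspect Data Loss": "Exfiltration",
}
# Alarm category -> response, using the slide's response types (mapping assumed).
CATEGORY_RESPONSE = {
    "Recon": "Alarm Table",
    "C&C": "Syslog / SIEM",
    "Exfiltration": "Mitigation",
}


def build_security_events(flows):
    """Apply per-source behavioural rules; returns {src_ip: [security event, ...]}."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    events = defaultdict(list)
    for src, fl in by_src.items():
        # Address scan: one source reaching many distinct destinations with one protocol.
        for proto in ("tcp", "udp"):
            dsts = {f.dst for f in fl if f.proto == proto}
            if len(dsts) >= SCAN_MIN_DISTINCT_DSTS:
                events[src].append(f"Addr_Scan/{proto}")
        # Beaconing: repeated flows to one destination at near-constant intervals.
        starts_by_dst = defaultdict(list)
        for f in fl:
            starts_by_dst[f.dst].append(f.start)
        for starts in starts_by_dst.values():
            starts.sort()
            gaps = [b - a for a, b in zip(starts, starts[1:])]
            if len(starts) >= BEACON_MIN_FLOWS and pstdev(gaps) <= BEACON_MAX_INTERVAL_STDDEV:
                events[src].append("Beaconing Host")
        # Exfiltration: unusually large outbound byte count to a single destination.
        out_by_dst = defaultdict(int)
        for f in fl:
            out_by_dst[f.dst] += f.bytes_out
        if max(out_by_dst.values()) >= EXFIL_MIN_BYTES:
            events[src].append("Suspect Data Loss")
    return dict(events)


def alarms(flows):
    """Roll security events up into alarm categories and the responses they drive."""
    result = {}
    for src, evs in build_security_events(flows).items():
        cats = sorted({EVENT_CATEGORY[e] for e in evs})
        result[src] = {
            "events": evs,
            "categories": cats,
            "responses": sorted({CATEGORY_RESPONSE[c] for c in cats}),
        }
    return result


if __name__ == "__main__":
    for host, alarm in alarms(SAMPLE_FLOWS).items():
        print(host, alarm)
```

The scan rule is the one most worth adjusting in practice: a vulnerability scanner or a monitoring host will trip it every time, which is why a product keeps a per-host baseline and an exemption list rather than a single global count.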
NaaS use cases with Stealthwatch

Context-Aware Visibility
• Network, application, and user activity
• Monitor lateral movement using the network as a sensor

Threat Detection
• Advanced persistent threats
• Insider threat
• DDoS
• Data exfiltration

Incident Response
• In-depth, flow-based forensic analysis of suspicious incidents
• Scalable repository of security information

Network Planning & Diagnostics
• Network segmentation to profile application / device traffic
• Capacity planning
• Performance monitoring
• Application awareness

User Monitoring
• Cisco ISE
• Monitor privileged access
• Policy enforcement
Customer Case Study - Network as a Sensor
Industry: Retail
Company: Large Known Global Retailer
Existing Environment:
• Large Cisco Switch & Router Footprint
• ASA & ISE
Customer Challenges:
• Limited visibility & intelligence across their highly-distributed retail footprint
• Lack of ability to correlate numerous data sets
Results, after deploying Cisco NetFlow, Stealthwatch and Cisco ISE:
• Gained Retail Point-of-Presence Visibility
• Deeper Understanding of Network Application Usage
Analysis with Stealthwatch Provides
• Discovery
• Policy and segmentation
• Network behavior anomaly detection (NBAD)
• Identification of additional IOCs
• Better understanding of how to respond to an IOC
• Audit trail of all host-to-host communication
• Identifies business-critical applications and services across the network
Cisco Network as an Enforcer (NaaE)
Implement Access Controls to Secure Resources
Contain the Scope of an Attack on the Network
Quarantine Threats, Reduce Time-to-Remediation
Cisco Identity Services Engine (ISE): Adding Visibility and Context to NetFlow
Network / user context (Who, What, Where, When, How) plus integrated partner context
Send contextual data collected from users, devices, and networks to Stealthwatch for advanced insights and NetFlow analytics
Network as an Enforcer: Cisco TrustSec Software-Defined Segmentation
Provide Role-Based Segmentation to Control Access and Contain Threats

Traditional Security Policy (IP- and port-based ACL entries as shown on the slide; they illustrate ACL sprawl rather than a working configuration, e.g. several combine icmp with port operators):
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

TrustSec Security Policy: segmentation policy enforced across the extended network (Switch, Router, VPN & Firewall, DC Switch, Wireless Controller)
• Simplifies Firewall Rule, ACL, VLAN Management
• Prevents Lateral Movement of Potential Threats
• Eliminates Costly Network Re-architecture
Customer Case Study - Network as an Enforcer
Industry: Banking
Company: Large Known Global Bank
Existing Environment:
• Large Cisco Switch & Router Footprint
Customer Challenges:
• Visibility into the network and rogue devices
• Policy enforcement of user to data center policies
• Meeting compliance audits
Results, after deploying Stealthwatch, Cisco ISE and Cisco TrustSec:
• Gained Deep Visibility into Network Access and Devices
• Segmented Network Access and Assets using Business Role Based Policies
• Accelerated time to Compliance Audits
Architecting a Secure Network: Combining Network as a Sensor / Network as an Enforcer
(Diagram)
• Network Sensors: Stealthwatch (network sensor), Campus/DC Switches/WLC, Cisco Routers / 3rd Vendor Devices, NGIPS; threat data feeds Cisco Collective Security Intelligence
• Policy & Context Sharing: ISE, exchanging context with sensors and enforcers over pxGrid
• Network Enforcers: TrustSec Software-Defined Segmentation, NGFW, protecting Confidential Data
Integrated Threat Defense (Detection & Containment)
(Diagram: Network Fabric connecting Employee, Employee and Supplier endpoints, a Shared Server, a Server in a High Risk Segment, the Internet, and a Quarantine group)
Stealthwatch
  Event: TCP SYN Scan
  Source IP: 10.4.51.5
  Role: Supplier
  Response: Quarantine
ISE
  Change of Authorization -> Quarantine
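The detection-to-containment loop on this slide, simulated end to end: a Stealthwatch alarm is enriched with the endpoint's role from ISE, matched against a role-aware response policy, ISE issues a Change of Authorization (CoA) that moves the endpoint into the Quarantine group, and the fabric's role-based (SGT) policy then decides what the host may still reach. This is an added example written for this page and is not Cisco, ISE or Stealthwatch code: the SGT numbers, the SGACL matrix, the session table, the response policy rows other than the one shown on the slide (TCP SYN Scan from a Supplier -> Quarantine), and the shape of the CoA message are all assumptions. The matrix also stands in for the TrustSec policy of the previous slides: it contains no IP addresses, so quarantining a host changes one tag rather than any ACL line.

```python
"""Stealthwatch alarm -> ISE role context -> policy -> CoA -> SGT enforcement.
Added simulation for this page, not Cisco code; all identifiers and numbers are assumed."""
from dataclasses import dataclass


@dataclass
class Session:
    ip: str
    user: str
    role: str   # authorization result ISE holds for the endpoint
    sgt: int    # security group tag pushed to the access switch


# Assumed SGT numbering for the groups drawn on the slide.
SGT_BY_GROUP = {
    "Employee": 10,
    "Supplier": 20,
    "Quarantine": 255,
    "Shared Server": 30,
    "Confidential Server": 40,
}

# Role-based enforcement matrix keyed by (source SGT, destination SGT).
# Anything not listed is denied. Quarantine has no permit rows at all.
SGACL_MATRIX = {
    (SGT_BY_GROUP["Employee"], SGT_BY_GROUP["Shared Server"]): "permit",
    (SGT_BY_GROUP["Employee"], SGT_BY_GROUP["Confidential Server"]): "permit",
    (SGT_BY_GROUP["Supplier"], SGT_BY_GROUP["Shared Server"]): "permit",
}

# Response policy keyed by (security event, role). The Supplier row is the one the
# slide shows; the Employee row and the default are assumed.
RESPONSE_POLICY = {
    ("TCP SYN Scan", "Supplier"): "Quarantine",
    ("TCP SYN Scan", "Employee"): "Alarm Table",
}
DEFAULT_RESPONSE = "Alarm Table"


class ISE:
    """Toy stand-in for ISE: session table lookup (the context pxGrid would share)
    and Change of Authorization (CoA) that re-authorizes an endpoint into a new group."""

    def __init__(self, sessions):
        self.sessions = {s.ip: s for s in sessions}
        self.coa_log = []   # constructed record of CoA actions issued

    def context_for(self, ip):
        return self.sessions[ip]

    def change_authorization(self, ip, new_group):
        s = self.sessions[ip]
        self.coa_log.append({"ip": ip, "from": s.role, "to": new_group})
        s.role = new_group
        s.sgt = SGT_BY_GROUP[new_group]
        return s


class NetworkFabric:
    """Enforcement point: decides on tags it learned from ISE, never on addresses."""

    def __init__(self, ise):
        self.ise = ise

    def allows(self, src_ip, dst_group):
        src_sgt = self.ise.context_for(src_ip).sgt
        return SGACL_MATRIX.get((src_sgt, SGT_BY_GROUP[dst_group])) == "permit"


def handle_alarm(alarm, ise):
    """Enrich a Stealthwatch alarm with the endpoint's role, pick a response, act on it."""
    ctx = ise.context_for(alarm["source_ip"])
    role_at_alarm = ctx.role
    action = RESPONSE_POLICY.get((alarm["event"], role_at_alarm), DEFAULT_RESPONSE)
    if action == "Quarantine":
        ise.change_authorization(alarm["source_ip"], "Quarantine")
    return {"event": alarm["event"], "source_ip": alarm["source_ip"],
            "role": role_at_alarm, "response": action}


def demo():
    """Replays the slide's scenario and returns the observable before/after state."""
    ise = ISE([
        Session("10.4.51.5", "vendor-tech", "Supplier", SGT_BY_GROUP["Supplier"]),
        Session("10.4.51.7", "alice", "Employee", SGT_BY_GROUP["Employee"]),
    ])
    fabric = NetworkFabric(ise)
    before = fabric.allows("10.4.51.5", "Shared Server")
    decision = handle_alarm({"event": "TCP SYN Scan", "source_ip": "10.4.51.5"}, ise)
    after = fabric.allows("10.4.51.5", "Shared Server")
    return {
        "before": before,
        "decision": decision,
        "after": after,
        "employee_unaffected": fabric.allows("10.4.51.7", "Shared Server"),
        "coa": ise.coa_log,
    }


if __name__ == "__main__":
    print(demo())
```

The point to check in a real deployment is the same one `demo()` checks: after the CoA the quarantined session must lose access it previously had, and an unrelated session with the same original tag must keep it. A CoA that re-authenticates the endpoint without the switch re-learning the new SGT leaves the first condition false.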
Next Steps
Link to
www.cisco.com/go/networksecurity
Link to
www.cisco.com/go/dna