Yes, You can protect your endpoints!
Szilard Csordas, Security Consultant, scsordas [at] cisco.com
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Endpoint Footprint Problem:
• Anti-Virus/Anti-Spyware agent
• IPSec/SSL VPN agent
• Host IPS/FW agent
• 802.1x authentication supplicant
• Data Loss Prevention (DLP) agent
• Malware Prevention agent
• Web Filtering agent
• Behavior/Heuristics agent
• More?
TOO MANY AGENTS!
Everything is Encrypted!
Introducing AnyConnect
• Latest version is AnyConnect 4.3
• See table in Appendix for OS Support
AnyConnect Module Installation Options
• Package for your favorite deployment tool
• Mobile installed via App Store
• Group Policy
AnyConnect Module Installation Options
• Client Provisioning (ISE posture required for any module to be installed)
• Automatic Upgrades from cisco.com with 4.3*
* Can be disabled for some or all users via VPN/ISE configuration
Deployment Use Cases
• Remote Access VPN with Centralized Controls
• Prevention / Detection
• Network Visibility
• Endpoint Compliance
• Enterprise Access
• Admin/Troubleshooting (not covered)
Remote Access VPN
Recommended for Centralized Controls
• Manual – requires the end user to connect to the VPN manually.
• Automatic – using Always-On and Trusted Network Detection, requires little user interaction.
Protection / Detection
• Advanced Malware Protection for Endpoint (AMP4E)
• Umbrella Roaming Security
What is Advanced Malware Protection for Endpoint (AMP4E)?
• Cloud connected & managed
• Focused on two modes of operation
  • Something I know -> Prevention = Security Mode
  • Something I don't know...yet -> Retrospection = Incident Response Mode
• Supported on
• Deployed Standalone or AnyConnect Enabled - ISE or VPN
https://youtu.be/xvol1L80Yvs
AMP4E - How does it work?
Diagram: the Connector records activity related to file executions and reports it to the AMP Cloud over TCP 443, giving visibility of executions (history to current).
AMP4E – Right Click on File
• Is it known by Cisco? Compare with 3rd party
• Dig Deeper: Analyze with AMP ThreatGrid; File Details and Network Profile; Retrieve File
• Take action: Detect, Block, Allow
AMP4E – Detailed File Analysis from ThreatGrid
Easy classification by using Severity (95+ bad, 70+ suspicious) and Confidence threat scoring
AMP4E – Other ways to parse
• Vulnerable Software - Application <-> CVE
• Prevalence – Low Execution Count (unique files worth investigating)
• Analyze will trigger Fetch if the file is not already in the repository
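As an added example (not Cisco's code and not the AMP console's own logic), the scoring and prevalence ideas from the two slides above worked over constructed AMP4E-style execution records: the 95+/70+ severity thresholds come from the slide, while the record format, the confidence gate and the rarity cut-off are assumptions made here.

```python
# Added example (not Cisco's code): prevalence and ThreatGrid-style score triage
# over constructed AMP4E-like file-execution records. The 95+/70+ severity
# thresholds come from the slide; the record format, the confidence gate and
# the rarity cut-off are assumptions made for this example.
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample records: (sha256 placeholder, hostname, severity, confidence).
# Scores are None when ThreatGrid has not analysed the file yet.
EXECUTIONS: List[Tuple[str, str, Optional[int], Optional[int]]] = [
    ("sha256-PLACEHOLDER-browser", "ws-001", 5, 95),
    ("sha256-PLACEHOLDER-browser", "ws-002", 5, 95),
    ("sha256-PLACEHOLDER-browser", "ws-003", 5, 95),
    ("sha256-PLACEHOLDER-dropper", "ws-002", 98, 90),
    ("sha256-PLACEHOLDER-dropper", "ws-002", 98, 90),  # same host twice: still 1 host
    ("sha256-PLACEHOLDER-macro", "ws-007", 80, 60),
    ("sha256-PLACEHOLDER-unseen", "ws-009", None, None),
]

def classify(severity: Optional[int], confidence: Optional[int], min_confidence: int = 70) -> str:
    """95+ = bad, 70+ = suspicious (slide values). Unanalysed files are 'unknown';
    a 'bad' score below the confidence gate (assumption) is capped at 'suspicious'."""
    if severity is None or confidence is None:
        return "unknown"
    if severity >= 95:
        return "bad" if confidence >= min_confidence else "suspicious"
    if severity >= 70:
        return "suspicious"
    return "clean"

def prevalence(records) -> Dict[str, Set[str]]:
    """'Who else is running this hash?': sha256 -> distinct hosts that executed it."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for sha, host, _, _ in records:
        hosts[sha].add(host)
    return hosts

def triage(records, max_hosts: int = 2, min_confidence: int = 70):
    """{sha256: (verdict, host_count, reasons)} for files worth a look: low-prevalence
    files (<= max_hosts hosts), anything scored suspicious/bad, and unanalysed files
    (the slide's Analyze fetches the file into the repository and sends it to ThreatGrid)."""
    hosts = prevalence(records)
    scores = {}
    for sha, _, sev, conf in records:
        scores.setdefault(sha, (sev, conf))  # first score seen for the hash
    result = {}
    for sha, host_set in hosts.items():
        verdict = classify(*scores[sha], min_confidence)
        reasons = []
        if len(host_set) <= max_hosts:
            reasons.append("low prevalence")
        if verdict in ("bad", "suspicious"):
            reasons.append(f"ThreatGrid verdict {verdict}")
        elif verdict == "unknown":
            reasons.append("not analysed yet: trigger Analyze")
        if reasons:
            result[sha] = (verdict, len(host_set), reasons)
    return result
```

Calling `triage(EXECUTIONS)` drops the widely-run browser binary and returns the single-host dropper (bad), the macro (suspicious) and the never-analysed file (unknown) with the reason each was kept.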
AMP4E – Integration with AMP for Networks
• Threats detected by AMP4E are reported in FMC under IoCs and can include OpenIOC indicators
AMP4E Installed, Quarantine
AMP4E Deployment
Through ISE or ASA, or directly from the Portal
• AMP Enabler Profile Editor
• Direct from Portal / via URL
What is Umbrella Roaming Client?
• Protection when off the trusted network, across all ports, for both domain and IP
• Added layer of protection for existing security controls
• AnyConnect 4.3 (Windows / Mac)
• Existing Roaming Client (Windows / Mac)
How does it work? First Match Rule Table by Identity
Diagram: off the trusted network, the roaming client sends encrypted, authenticated DNS to Cisco Umbrella (208.67.222.222, 208.67.220.220), where DNS/IP security filtering is applied before resolution continues to Root/SP DNS. On the trusted network the client goes dormant, queries go to the local corporate DNS, and the network itself is protected.
Am I protected by Umbrella?
http://welcome.opendns.com/
Phishing test -> http://www.internetbadguys.com/
Adult content test -> http://www.exampleadultsite.com
Umbrella Provides Visibility
• Filtered by Identity, Service and Date for easy data mining and reporting
• Identify cloud services being used (Shadow IT)
Umbrella Provides Protection
• Overview: Security Activity dashboard highlighting protections
• Detailed reports by Identity, Time, Domain, etc.
• Integration with Cisco and 3rd parties
• Internal IP available via Virtual Appliance*
Network Visibility
Network Visibility Module
• Available in AnyConnect 4.2 MR1 (4.2.1022)
• Supported on Windows and Mac devices
• Apex License Required
• Integration with Lancope 6.8, LiveAction, Splunk (Enterprise 6.0 with Collector on 64-bit Linux) and Plixer
Diagram: User Visibility, Device Visibility, Application Visibility and Location/Network Domain together make up Network Visibility.
NVM with Stealthwatch
Diagram: endpoints at WORK and AWAY send NVM records to the Endpoint Collector; the network sends NetFlow/NSEL to the Flow Collector; both feed the SMC manager.
Context included (User, Application, Device, Location: To / From) is added to existing alarms and flow data.
NVM Configuration Template: Suppression and Throttling

```xml
<?xml version="1.0" encoding="UTF-8"?>
<NVMProfile xsi:noNamespaceSchemaLocation="NVMProfile.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
```

• Broadcast and Multicast Suppression
• Throttling so as not to overwhelm the VPN
NVM Configuration Template: Flexible Data Collection Policy
Data Loss is just one alarm
Suspect Data Loss: 3
Insider Threat – Bad Behavior Discovery
HTTPS Unclassified now Known: AnyConnect NVM with Lancope Stealthwatch
• Application Identified – Dropbox
• Application Hash – Who else is running it?
• Identity – nedzaldivar (even without ISE or Identity, from a non-domain asset)
Verify Application is Correct: AnyConnect NVM with Cisco Stealthwatch
Corporate Assets: Network Access Manager (NAM)
What is Network Access Manager (Windows Only)?
• 802.1x Supplicant
• EAP-Chaining
• MACsec: AES-128 encryption with 802.1AE replay protection for every packet (diagram labels the encrypted and un-encrypted segments)
• Single Authentication/Authorization Session
EAP-Chaining – ISE Log Example
• User and Machine Tied together
• EAP-FAST Required
MACsec ISE Configuration Example
• ISE Authorization Result is MACsec
• ISE Authorization Policy
Compliance (Posture)
Compliance (Posture)
• Provides deep inspection of OS, File, Certificate, Registry, Anti-Virus, Anti-Spyware, Personal Firewall, open ports, running processes, etc.
• AnyConnect Apex license required!
Options
• Hostscan with VPN connecting to an
• ISE Posture with connecting to Wired, Wireless or VPN using
With ASA 9.2, an inline Posture node is not required; Change of Authorization is a natively supported option.
ISE Posture: Registry check for Machine joined to Domain
| Endpoint Visibility | ASA Hostscan | ISE Posture |
|---|---|---|
| Policy Framework | DAP | ISE+VPN |
| Updates | Every 3 months | Dynamically |
| IP, Hostname, MAC address | Yes | Yes |
| Certificate Fields | Yes | Yes |
| BIOS Serial Number | Yes | No |
| Personal Firewall | Yes | No |
| File CRC32 Check | Yes | Yes |
| Disk Encryption | No | Yes |
| SHA256 File Check | No | Yes |
| USB Check | No | Yes* |
| OS Support | Windows, Mac, Linux | Windows, Mac |

BRKSEC-2051
Summary
• AnyConnect reduces Agent Sprawl!
• Added Security with each module
• Provides Visibility and Control
• The complexity of networks is matched on the endpoints
Thank you