Post on 11-Apr-2017
Enterprise Networks Security: Leverage the Network to Protect Against and Mitigate Threats
Fernando Lucato / Heitor Silva Business Development – Enterprise Networks LATAM
Agenda
• Industry trends and business drivers
• Enterprise Networks priorities and focus areas
• Securing Enterprise Networks
• Products within the solution
• Use cases
• Demo
• Q&A
Industry trends and business drivers
Digitization disrupting well established businesses
The digital businesses are disrupting the market
• 852% Revenue Growth 2005 to 2013
• Bookstore, Taxi, Music, Newspaper, Point-of-Sale
• 200 Cities
• 45 Countries
• 40 Million Subscribers
• $30B Forecasted Transactions in 2014
• 31% of WW Digital Ad Revenue
[Chart: Video traffic growth (Latin America), Exabytes per Month, 2014–2019; 25% CAGR 2014–2019]
Traffic shares by category (2014, 2019)*: Gaming (0.03%, 0.05%), File Sharing (16.0%, 5.2%), Web/Data (23.2%, 13.2%), IP VoD (6.0%, 10.3%), Internet Video (54.8%, 71.2%)
By 2019, IP Video will represent 82% of traffic
Source: Cisco VNI Global IP Traffic Forecast, 2014–2019
* Figures (n) refer to 2014, 2019 traffic shares
Video definition increment. By 2019, more than 31% of the connected TVs will be 4K
Bit rate per definition: SD 2 Mbps, HD 7.2 Mbps, UHD 18 Mbps
Connected 4K TVs (M): 2014: 10; 2015: 33; 2016: 77; 2017: 146; 2018: 245; 2019: 371
Source: Cisco VNI Global IP Traffic Forecast, 2014–2019
And speed is an obsession for network users…
• 10 Mbps (68% of all broadband access by 2019): Online Video, HD movie download 22 minutes; UHD movie download 2 hours
• 25 Mbps (33% of all broadband access by 2019): Online Video, HD movie download 9 minutes; UHD movie download 48 minutes
• 100 Mbps (7% of all broadband access by 2019): Online Video, HD movie download 2 minutes; UHD movie download 12 minutes
Enterprise Networks priorities and focus areas
Enterprise Networks focus areas
• Wireless as a primary connectivity
• Digitization story
• Intelligent WAN
• Cloud and new consumption models
• Security everywhere
Driving business outcomes approach
Foundational Architectures: Network Security, Unified Access, Intelligent WAN, ACI – Policy based Automation
IT Transformation, Security & Compliance, Customer Experience, Workforce Experience
Securing Enterprise Networks
Changing Business Models
Dynamic Threat Landscape
Complexity and Fragmentation
New Networks Mean New Security Challenges
• Enterprise Mobility: Organizations lack visibility into which and how many devices are on their network
• Cloud: Services are moving to the Cloud at a faster rate than IT can keep up
• Internet of Things: Over 50 billion connected “smart objects” by 2020
• Acquisitions and Partnerships: Acquisitions, joint ventures, and partnerships are increasing in regularity
It’s Not “IF” You Will Be Breached…It’s “WHEN.”
Expanded Enterprise Attack Surface
Network Threats Are Getting Smarter
Timeline 1990–2020: Phishing, Low Sophistication; Hacking Becomes an Industry; Sophisticated Attacks, Complex Landscape
• Viruses 1990–2000
• Worms 2000–2005
• Spyware and Rootkits 2005–Today
• APTs, Cyberware Today+
Criminals Know More About Your Network Than You Do: Custom Malware Remains Dormant for Months to Learn Vulnerabilities in the Network and then Attack those Vulnerabilities.
Cisco Confidential © 2013-2014 Cisco and/or its affiliates. All rights reserved.
You Can’t Defend Against What You Can’t See
Solution Overview
Cisco’s Threat-Centric Approach to Security: Before, During, After
• Network as a Sensor: Flexible NetFlow, Lancope StealthWatch, ISE
• Network as an Enforcer: Flexible NetFlow, Lancope StealthWatch, Cisco TrustSec, ISE
Cisco Network as a Sensor (NaaS)
• Detect Anomalous Traffic Flows, Malware
• Identify User Access Policy Violations
• Obtain Broad Visibility into All Network Traffic
Cisco Network as an Enforcer (NaaE)
• Implement Access Controls to Secure Resources
• Contain the Scope of an Attack on the Network
• Quarantine Threats, Reduce Time-to-Remediation
Deeper Visibility and Greater Defense against Network Threats
• Network as a Sensor (NaaS): Cisco Networking Portfolio, Cisco NetFlow, Lancope StealthWatch, Cisco Identity Services Engine (ISE)
• Network as an Enforcer (NaaE): Cisco Networking Portfolio, Cisco NetFlow, Lancope StealthWatch, Cisco Identity Services Engine (ISE), Cisco TrustSec Software-Defined Segmentation
NetFlow for Dynamic Network Awareness: Understand Network Behavior and Establish a Network’s Normal
Network Flows Highlight Attack Signatures
A Powerful Information Source for Every Network Conversation
• Each and Every Network Conversation over an Extended Period of Time
• Source and Destination IP Address, IP Ports, Time, Data Transferred, and More
• Stored for Future Analysis
A Critical Tool to Identify a Security Breach
• Identify Anomalous Activity
• Reconstruct the Sequence of Events
• Forensic Evidence and Regulatory Compliance
NetFlow for Full Details, NetFlow-Lite for 1/n Samples
Lancope StealthWatch System: Network Reconnaissance Using Dynamic NetFlow Analysis
Monitor, Detect, Analyze, Respond
• Understand your network normal
• Gain real-time situational awareness of all traffic
• Leverage Network Behavior Anomaly detection & analytics
• Detect behaviors linked to APTs, insider threats, DDoS, and malware
• Collect & analyze holistic network audit trails
• Achieve faster root cause analysis to conduct thorough forensic investigations
• Accelerate network troubleshooting & threat mitigation
• Respond quickly to threats by taking action to quarantine through Cisco ISE
Cisco Identity Services Engine (ISE): Adding Visibility and Context to NetFlow
Integrated partner context and network/user context: Who, What, Where, When, How
Send contextual data collected from users, devices, and networks to Lancope for advanced insights and NetFlow analytics
What Can Cisco NaaS and NaaE Offer You?
• Consistent Control: Consistent Policies Across the Network and Data Center
• Complexity Reduction: Fits and Adapts to Changing Business Models
• Unmatched Visibility: Global Intelligence With the Right Context
• Advanced Threat Protection: Detects and Stops Advanced Threats
Network as a Sensor/Network as an Enforcer Use Cases
Customer Case Study - Network as a Sensor
Industry: Retail
Company: Large Known Global Retailer
Existing Environment:
• Large Cisco Switch & Router Footprint
• ASA & ISE
Customer Challenges:
• Limited visibility & intelligence across their highly-distributed retail footprint
• Lack of ability to correlate numerous data sets
Results:
• After deploying Cisco NetFlow, Lancope StealthWatch and Cisco ISE
• Gains Retail Point-of-Presence Visibility
• Deeper Understanding into Network Application Usage
Customer Case Study - Network as an Enforcer
Industry: Banking
Company: Large Known Global Bank
Existing Environment:
• Large Cisco Switch & Router Footprint
Customer Challenges:
• Visibility into the network and rogue devices
• Policy enforcement of user to data center policies
• Meeting compliance audits
Results:
• After deploying Lancope StealthWatch, Cisco ISE and Cisco TrustSec
• Gain Deep Visibility into Network Access and Devices
• Segment Network Access and Assets using Business Role Based Policies
• Accelerated time to Compliance Audits
Solution description and demo
Behavioral Analysis & Anomaly Detection
• Behavioral Analysis: Leverages knowledge of known bad behaviour
• Anomaly Detection: Identify a change from “normal”
Solution Architecture
• StealthWatch Management Console
• UDP Director
• FlowCollector (NetFlow, syslog, SNMP from NetFlow enabled infrastructure)
• FlowSensor; VMware ESX with FlowSensor VE
• StealthWatch IDentity and Cisco ISE (User and Device Information)
• Feeds of emerging threat information
• Unified View: Security and Network Monitoring
NaaS: Powered by StealthWatch
• Denial of Service: SYN Half Open; ICMP/UDP/Port Flood
• Worm Propagation: Worm Infected Host Scans and Connects to the Same Port Across Multiple Subnets, Other Hosts Imitate the Same Above Behavior
• Fragmentation Attack: Host Sending Abnormal # Malformed Fragments
• Botnet Detection: When Inside Host Talks to Outside C&C Server for an Extended Period of Time
• Host Reputation Change: Inside Host Potentially Compromised or Received Abnormal Scans or Other Malicious Attacks
• Network Scanning: TCP, UDP, Port Scanning Across Multiple Hosts
• Data Exfiltration: Large Outbound File Transfer vs. Baseline
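The NetFlow slide earlier describes the fields a flow record carries (source and destination address, ports, time, bytes) and this slide lists the behaviours StealthWatch derives from them. The following is an added example, not code from the Cisco deck nor from Lancope/StealthWatch: a small flow analyzer that applies three of those behaviours to constructed flow records, namely network scanning (one source touching many host/port pairs with tiny flows), data exfiltration (outbound bytes far above a per-host baseline), and a long-lived inside-to-outside conversation of the kind the slide files under botnet detection. The addresses, byte counts, baselines and thresholds are all constructed assumptions; a real deployment would tune them from the network's observed "normal".

```python
# Added example (not from the Cisco/Lancope slides): a toy NetFlow-style
# analyzer applying three StealthWatch-listed behaviours to constructed flows.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")  # assumed "inside" address space


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record: the fields a NetFlow export carries."""
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int  # bytes sent by src
    start: int      # seconds on a constructed clock
    end: int


def is_inside(ip: str) -> bool:
    return ip_address(ip) in INSIDE


def detect_scans(flows, min_targets=20, max_bytes=200):
    """Sources touching many distinct (host, port) pairs with tiny flows."""
    targets = defaultdict(set)
    for f in flows:
        if f.bytes_out <= max_bytes:
            targets[f.src].add((f.dst, f.dport))
    return {src for src, t in targets.items() if len(t) >= min_targets}


def detect_exfiltration(flows, baseline, ratio=5.0, default_baseline=1_000_000):
    """Inside hosts whose outbound bytes to outside exceed ratio x their baseline."""
    outbound = defaultdict(int)
    for f in flows:
        if is_inside(f.src) and not is_inside(f.dst):
            outbound[f.src] += f.bytes_out
    return {h: b for h, b in outbound.items()
            if b > ratio * baseline.get(h, default_baseline)}


def detect_long_lived_external(flows, min_seconds=3600):
    """Inside->outside peer pairs whose summed flow time reaches min_seconds."""
    duration = defaultdict(int)
    for f in flows:
        if is_inside(f.src) and not is_inside(f.dst):
            duration[(f.src, f.dst)] += f.end - f.start
    return {pair for pair, d in duration.items() if d >= min_seconds}


def analyze(flows, baseline):
    return {
        "scans": detect_scans(flows),
        "exfiltration": detect_exfiltration(flows, baseline),
        "long_lived_external": detect_long_lived_external(flows),
    }


# Constructed sample: a normal browsing host, an internal port scanner, a host
# pushing far more data outbound than usual, and a host talking to one external
# peer for two hours. Outside addresses are RFC 5737 TEST-NET ranges.
SAMPLE_FLOWS = (
    [Flow("10.1.1.10", "192.0.2.10", 443, "tcp", 5_000, t, t + 30) for t in (0, 600, 1200)]
    + [Flow("10.1.1.50", f"10.2.0.{i}", 445, "tcp", 60, 100 + i, 101 + i) for i in range(1, 26)]
    + [Flow("10.1.1.20", "203.0.113.9", 443, "tcp", 50_000_000, 2000, 2600)]
    + [Flow("10.1.1.30", "198.51.100.77", 8443, "tcp", 300, 3000 + 600 * i, 3600 + 600 * i)
       for i in range(12)]
)

# Constructed per-host baseline of "normal" outbound bytes for the window.
BASELINE = {"10.1.1.10": 20_000, "10.1.1.20": 2_000_000, "10.1.1.30": 5_000}


def run_sample():
    return analyze(SAMPLE_FLOWS, BASELINE)


if __name__ == "__main__":
    for kind, hits in run_sample().items():
        print(kind, sorted(hits))
```

The three detectors deliberately key on different flow fields: the scan detector on the number of distinct destinations, the exfiltration detector on bytes against a baseline, and the long-lived detector on accumulated duration, which is why the beaconing host is not mistaken for a scanner even though its flows are small.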
NaaE: Segmentation via TrustSec
Policy Defined Role-Based Segmentation: Flexible and Scalable Policy Enforcement
Enforced on: Switch, Router, DC FW, DC Switch
• Simplified Access Management
• Accelerated Security Operations
• Consistent Policy Anywhere
Desired Policy:
• Who can talk to whom
• Who can access protected assets
• How systems can talk to other systems
StealthWatch Capabilities Summary
Visibility
• Context-aware visibility into network, application and user activity
• BYOD
• Cloud monitoring
• IPv6
• East-West Traffic monitoring
• Network segmentation
Threat Detection
• Advanced Persistent Threats
• Botnet (CnC) Detection
• Data Exfiltration
• Network Reconnaissance
• Insider Threat
• DDoS
• Malware
• Network Behavior Anomaly Detection
• SLIC threat feed
Incident Response
• In-depth, flow-based forensic analysis of suspicious incidents
• Scalable repository of security information
• Retrace the step-by-step actions of a potential attacker
• On-demand packet capture
Network Diagnostics
• Application Awareness
• Capacity Planning
• Performance Monitoring
• Troubleshooting
User Monitoring
• Cisco ISE
• Monitor privileged access
• Policy enforcement
Thank you!
Fernando Lucato, flucato@cisco.com, +55 11 5508-6348
Heitor Silva, hesilva@cisco.com, +55 11 5508-1506
Cisco TrustSec Software-Defined Segmentation: Provide Role-Based Segmentation to Control Access and Contain Threats
Traditional Security Policy vs. TrustSec Security Policy: Segmentation Policy Enforced Across the Extended Network (Switch, Router, VPN & Firewall, DC Switch, Wireless Controller)
• Simplifies Firewall Rule, ACL, VLAN Management
• Prevents Lateral Movement of Potential Threats
• Eliminates Costly Network Re-architecture
Segmentation is a Powerful Security Tool
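Both the "NaaE: Segmentation via TrustSec" slide (who can talk to whom, who can access protected assets) and this one describe policy keyed on a host's role rather than its address. The following is an added example, not Cisco or TrustSec code: a role-based policy matrix evaluated in Python, with a flat-network stand-in beside it so the lateral-movement containment the slide claims can be measured. The group names, address-to-group assignments, and the matrix itself are constructed assumptions; in a TrustSec deployment ISE assigns the Security Group Tags and switches, routers and firewalls enforce the matrix.

```python
# Added example (not Cisco/TrustSec code): role-based segmentation as a
# security-group policy matrix, compared with a flat internal network.
from ipaddress import ip_address, ip_network

# Address -> security group. Constructed; ISE would supply this in practice.
SGT_ASSIGNMENTS = {
    "10.1.1.10": "Finance_User",
    "10.1.1.11": "Contractor",
    "10.9.9.11": "Finance_User",   # same role at another site / subnet
    "10.20.0.7": "POS_Device",
    "10.50.0.5": "Finance_Server",
    "10.50.0.9": "POS_Server",
    "10.50.0.53": "Shared_Services",
}
UNKNOWN = "Unknown"  # unclassified hosts get a tag the matrix never permits

# Policy matrix: (source group, destination group) -> permitted TCP ports.
# A missing cell means deny, so the default is least privilege.
SGT_POLICY = {
    ("Finance_User", "Finance_Server"): {443},
    ("Finance_User", "Shared_Services"): {53, 443},
    ("Contractor", "Shared_Services"): {53},
    ("POS_Device", "POS_Server"): {8443},
    ("POS_Device", "Shared_Services"): {53},
}

INTERNAL = ip_network("10.0.0.0/8")
PROBE_PORTS = (53, 80, 443, 445, 3389, 8443)  # ports used to measure reach


def sgt_of(ip: str) -> str:
    return SGT_ASSIGNMENTS.get(ip, UNKNOWN)


def sgt_permitted(src_ip: str, dst_ip: str, dport: int) -> bool:
    """TrustSec-style decision: looked up by role pair, not by address."""
    return dport in SGT_POLICY.get((sgt_of(src_ip), sgt_of(dst_ip)), set())


def flat_permitted(src_ip: str, dst_ip: str, dport: int) -> bool:
    """Flat-network stand-in: any internal host may reach any internal host."""
    return ip_address(src_ip) in INTERNAL and ip_address(dst_ip) in INTERNAL


def reachable_groups(src_ip: str, policy=sgt_permitted) -> set:
    """Destination groups a host can reach on at least one probe port:
    its lateral-movement blast radius under the given policy."""
    reach = set()
    for dst_ip, group in SGT_ASSIGNMENTS.items():
        if dst_ip == src_ip:
            continue
        if any(policy(src_ip, dst_ip, p) for p in PROBE_PORTS):
            reach.add(group)
    return reach


if __name__ == "__main__":
    pos = "10.20.0.7"  # a compromised point-of-sale device, say
    print("flat network reach:", sorted(reachable_groups(pos, flat_permitted)))
    print("TrustSec reach:    ", sorted(reachable_groups(pos)))
```

The two `reachable_groups` calls at the bottom are the point: under the flat policy the point-of-sale device can reach every other group, under the matrix only its own server and shared services, and moving a finance user to a different subnet changes nothing because the lookup never sees the address.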
“Network segmentation… is one of the most effective controls an agency can implement to mitigate the second stage of a network intrusion, propagation or lateral movement”
“Good network and role segmentation will do wonders for containing an incident.”
“Effective network segmentation… reduces the extent to which an adversary can move across the network”
“Segregate networks, limit allowed protocols usage and limit users’ excessive privileges.”
Sources: 2014 Data Breach Investigations Report; The Untold Story of the Target Attack Step by Step, Aorato Labs, August 2014
Bringing It All Together: Architecting Network as a Sensor and Network as an Enforcer
[Diagram] Roles: Network Sensors, Network Enforcers, Policy & Context Sharing
Components: Network Sensor (Lancope), NGFW, NGIPS, Campus/DC Switches/WLC, Cisco Routers / 3rd Vendor Devices, ISE (API / pxGrid), TrustSec Security Group Tag, Cisco Collective Security Intelligence (Threat), Confidential Data