Cisco Security Tech Update
28/2 – 2019
Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified
Consulting Systems Engineer, Cyber Security, Denmark
Agenda
• 13.00 Cloud Security
• 13.45 Email Security with Domain Protection
• 14.15 Break
• 14.30 Duo Security
• 15.15 Stealthwatch v7
• 16.00 End
Cloud Security
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco
Cisco SD-WAN and Umbrella integration
Umbrella now integrates with Cisco SD-WAN (Viptela)
Integration benefits:
• Quickly deploy Umbrella across Cisco SD-WAN to hundreds of devices
• Gain web and DNS-layer protection against threats at branch offices
• Create policies and view reports on a per-VPN basis
DEPLOYMENT
[Deployment diagram: a branch site with direct internet access (DIA) and an MPLS link into the SD-WAN fabric toward the data center; Internet/SaaS-bound DNS from the branch is resolved by Umbrella.]
Meraki MR + Umbrella integration
Umbrella now integrates with Meraki MR wireless access points.
Integration benefits:
• Simplest way to deploy Umbrella across a wireless network.
• Conveniently enable Umbrella policies directly in the Meraki dashboard.
• Create granular policies on a per-SSID basis or by using Meraki group policies.
Meraki Dashboard: apply Umbrella policies on a per-SSID basis or by using Meraki group policies.
[Deployment diagram: Meraki MR access points forwarding DNS to Umbrella.]
DEPLOYMENT
Umbrella App Discovery and Blocking
We have integrated Cloudlock App Discovery capabilities into Umbrella to solve the three biggest challenges related to shadow IT:
• Visibility
• App and risk insight
• Optimization and blocking
MANAGEMENT
Umbrella App Discovery and Blocking
[Architecture diagram: an automated process feeds the App Discovery reporting area. Umbrella DNS logs -> log ingestion -> App Discovery Engine, backed by the Cloud App Security Index -> discovered apps grid, dashboard and per-app detail / risk profile (example apps a1.com, b2.com, c3.com) -> link to Application Settings for category and application blocking.]
MANAGEMENT
Cloud-delivered firewall
Initial firewall capabilities now in limited availability
Capabilities:
• Content and security controls via DNS
• IP, port, and protocol controls on outbound traffic
• IP obfuscation
• Activity logging
Use cases:
• Address guest wi-fi concerns related to infected devices, inappropriate content like pornography, and peer-to-peer file sharing services
• Secure IaaS dev environment concerns without backhauling traffic to the corporate firewall
Limited Availability
ENFORCEMENT
[Deployment diagram: guest networks send their traffic through an IPsec tunnel to Umbrella (DNS, firewall and proxy), which NATs it toward the Internet; the example customer source IP 70.149.x.x is seen by Internet destinations as Umbrella's 146.112.x.x.]
IPv6 support in Umbrella
Umbrella supports recursive IPv6 DNS resolution, and security and content filtering for IPv6 traffic.
NEW: IPv6 addresses can be registered as network identities in Umbrella.
Learn more:
https://support.umbrella.com/hc/en-us/articles/230563727-Does-Umbrella-Support-IPv6-
Umbrella IPv6 resolvers: 2620:119:35::35 and 2620:119:53::53
DEPLOYMENT & MANAGEMENT
Roaming Client IPv6
With this new feature, customers gain the ability to redirect IPv6 traffic from their endpoints to our cloud and extend their security and policy coverage to IPv6 traffic.
Customers can enable IPv6 interception by selecting "Enable IPv6 DNS Redirection" in the Settings option at the top of the Roaming Devices page (see screenshot).
Learn more:
Customer Landing page: https://umbrella.cisco.com/ipv6
DEPLOYMENT
Umbrella Chromebook client
The Cisco Umbrella Chromebook client provides DNS layer protection on and off-network for Chromebook users. This feature is enabled by default on Umbrella Professional, Insights, Platform, and Education packages.
Primary use cases include:
• Protection from phishing
• Content category filtering
• Per-user visibility and policy
Learn more: Deployment documentation: https://docs.umbrella.com/deployment-umbrella/v1.0.5/docs/introduction
[Screenshot: Chromebook client]
DEPLOYMENT
Cryptomining category
Use this feature to detect any unsolicited cryptomining in your environment & to block it:
• Cryptomining is the process of generating new units of cryptocurrency (digital currency)
• Rapid growth of unsolicited cryptomining - secret use of business’ computing power to mine cryptocurrencies through individual machines
Newly added category
INTELLIGENCE
Reporting API
• A simple and fast way to extract key events from Umbrella and integrate with a SIEM or TIP
• Makes it easy to identify the level of exposure to a malicious or suspicious domain within a network by providing a snapshot of key details such as:
– Total volume of DNS resolutions for the domain
– Specific users affected
• Availability: All Umbrella Enterprise packages
MANAGEMENT
Use the API Key to get started
EU data warehouse
• New EU-based data warehouse in Frankfurt, Germany
• Customers can change their log storage location with options for US or EU
• Multi-org console required to set different storage settings for different locations
MANAGEMENT
Updated content categories
• 30+ new categories for use in policies and reports
• Enable easier transition for Cisco Cloud Web Security (CWS) and category correlation with Web Security Appliance (WSA) customers
• Demonstrates Talos category integration
MANAGEMENT
Cisco hosted Amazon S3 buckets for log storage
• No longer need to procure or manage your own bucket for log storage
• Host event logs for 7, 14, or 30 days
• Availability: Insights & Platform packages
MANAGEMENT
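The exposure snapshot the Reporting API slide describes (total DNS resolutions for a domain and the identities involved) can also be computed directly over the DNS logs Umbrella delivers to S3. Added example, not Cisco's code: a parser and an exposure query run over constructed log lines. The field order follows the DNS log layout as I know it and is an assumption to confirm against the header of your own export; every identity, address and domain below is made up.

```python
import csv
import io
from collections import Counter

# Constructed sample lines (not real traffic) in the layout of Umbrella DNS logs
# delivered to an S3 bucket. Field order is an assumption; check your own export.
SAMPLE_DNS_LOG = '''\
"2019-02-27 08:01:12","alice@corp.example","alice@corp.example,Copenhagen Office","10.1.2.3","203.0.113.10","Allowed","1 (A)","NOERROR","www.cisco.com.","Computers and Internet"
"2019-02-27 08:03:45","alice@corp.example","alice@corp.example,Copenhagen Office","10.1.2.3","203.0.113.10","Blocked","1 (A)","NOERROR","evil.example.","Malware"
"2019-02-27 08:05:01","bob@corp.example","bob@corp.example,Copenhagen Office","10.1.2.7","203.0.113.10","Allowed","1 (A)","NOERROR","cdn.evil.example.","Uncategorized"
"2019-02-27 08:07:30","bob@corp.example","bob@corp.example,Copenhagen Office","10.1.2.7","203.0.113.10","Allowed","28 (AAAA)","NOERROR","evil.example.","Uncategorized"
"2019-02-27 08:09:00","carol@corp.example","carol@corp.example,Roaming","192.168.0.5","198.51.100.7","Allowed","1 (A)","NOERROR","notevil.example.","Business"
'''

FIELDS = ["timestamp", "identity", "identities", "internal_ip", "external_ip",
          "action", "query_type", "response_code", "domain", "categories"]


def parse_dns_log(text):
    """Parse CSV log lines into dicts; domains are normalised to lower case
    without the trailing dot so they compare cleanly."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(FIELDS):
            continue                      # blank or truncated line
        rec = dict(zip(FIELDS, row))
        rec["domain"] = rec["domain"].rstrip(".").lower()
        records.append(rec)
    return records


def matches_domain(name, target):
    """True for the domain itself and any subdomain, but not for a bare
    string suffix (notevil.example must not match evil.example)."""
    target = target.rstrip(".").lower()
    return name == target or name.endswith("." + target)


def exposure(records, target):
    """Snapshot of exposure to one domain: resolution volume, allowed vs
    blocked, the identities involved, and the time window."""
    hits = [r for r in records if matches_domain(r["domain"], target)]
    actions = Counter(r["action"] for r in hits)
    times = sorted(r["timestamp"] for r in hits)   # ISO-like, sorts lexically
    return {
        "domain": target,
        "total_resolutions": len(hits),
        "allowed": actions.get("Allowed", 0),
        "blocked": actions.get("Blocked", 0),
        "identities": sorted({r["identity"] for r in hits}),
        "names_seen": sorted({r["domain"] for r in hits}),
        "first_seen": times[0] if times else None,
        "last_seen": times[-1] if times else None,
    }


if __name__ == "__main__":
    snapshot = exposure(parse_dns_log(SAMPLE_DNS_LOG), "evil.example")
    for key, value in snapshot.items():
        print(f"{key}: {value}")
```

The subdomain match is the part worth keeping: in the sample, the apex was blocked as Malware but the later lookup of cdn.evil.example was allowed as Uncategorized, and those allowed resolutions are exactly the exposure an analyst wants surfaced.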
Cisco Threat Response and Cisco Umbrella Unleashing the power of our integrated security architecture
INTEGRATION
• Cisco Threat Response automates integrations across Cisco security products
• Reduces the time and effort spent on key security operations functions:
Detection Investigation Remediation
• Integrates with Umbrella to offer rich visibility into internet activity
• Aggregates intelligence across Cisco security products, Cisco Talos & 3rd party sources
• Available at no additional charge for Umbrella customers
Entry level Investigate API
• New entry level Investigate API package designed to enable integration with a SIEM, TIP or any security orchestration tool
• Features on-demand enrichment
• API allows analysts to access Investigate’s rich, real time threat intelligence as well as relevant data from other security tools all on a single pane of glass
Use the API Key to get started
DEPLOYMENT
Other releases
Jan 2019 RV 340 Series Routers: Umbrella Integration
Dec 2018 DNS Monitoring
Nov 2018 Scheduled Reports
29 Nov 2018 Trusted Network Detection - Chromebook
Oct 2018 Umbrella Roaming Client & AnyConnect Module: Trusted Network Detection
Oct 2018 ASA Umbrella Integration
Oct 2018 SNMP Monitoring of the VA
Oct 2018 Management API
Other releases
Sep 2018 Secure LDAP (LDAPS) for AD Connector (ADC)
Aug 2018 Enterprise Service Status Page - https://status.umbrella.com
Aug 2018 Selective Decryption
June 2018 Proxy and IP logs via S3
April 2018 Cisco Security Connector with Meraki, AirWatch and MobileIron
March 2018 Granular Identity - reporting
Feb 2018 ISR1K Series Support
Demo – Cisco Threat Response
Introducing Cisco Threat Response: Unleashing the power of the Cisco Integrated Security Architecture
Key pillar of our integrated security architecture
• Automates integrations across Cisco security products
• Reduces the time and effort spent on key security operations functions: Detection Investigation Remediation
• Included as part of Cisco Security product licenses
Demo – Cloud Delivered Firewall
Questions?
Email Security with Domain Protection
What’s New with 12.0 Release
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco
Sender Domain Reputation
• Block attackers hiding behind shared IPs like O365
• Block emails from compromised accounts
[Diagram: Email Security with IP Reputation + Domain Reputation. The ESA / CES scores each message on IP reputation and on the reputation of the domains in the envelope FROM, header FROM and REPLY-TO. Three senders are shown toward organizations protected by the Cisco Email Gateway: a hacker's mailbox, a legitimate Company A mailbox, and a compromised Company A mailbox.]
DANE Support
Prevent man-in-the-middle snooping and ensure all critical emails reach the intended recipient
[Diagram: an outbound critical email is sent over TLS to a partner. The sending gateway asks its DNS resolver for the partner's IP (e.g. 201.x.x.x) and obtains the partner's certificate association from the partner's DNS, validated with DNSSEC. Before sending, it verifies the certificate presented by the partner's mail server against what DNSSEC-signed DNS says: matches - send; no match - don't send. A firewall or man-in-the-middle presenting a certificate re-signed by a compromised CA therefore fails verification.]
Secure communication using DNSSEC: verify the certificate before sending email
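The check in the diagram, as an added example that is not Cisco's code: TLSA matching per RFC 6698 and RFC 7672, with the DNSSEC-validated (AD) flag on the resolver answer treated as a precondition, since an unvalidated TLSA record could itself be forged by the man-in-the-middle. The certificates are constructed DER stand-ins (no real keys or signatures), built by the same helper that the SPKI extraction is tested against, so the example runs offline; a real MTA would take the peer's DER chain from the TLS handshake and the TLSA answer from a validating resolver.

```python
import hashlib
import hmac


def der_tlv(tag, body):
    """Encode one DER TLV (definite length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_parse(data):
    """Split consecutive DER TLVs into (tag, value, raw_tlv) tuples."""
    i, items = 0, []
    while i < len(data):
        start, tag, ln = i, data[i], data[i + 1]
        i += 2
        if ln & 0x80:                                   # long-form length
            k = ln & 0x7F
            ln = int.from_bytes(data[i:i + k], "big")
            i += k
        items.append((tag, data[i:i + ln], data[start:i + ln]))
        i += ln
    return items


def subject_public_key_info(cert_der):
    """Raw SubjectPublicKeyInfo TLV of a DER X.509 certificate (TLSA selector 1)."""
    cert_body = der_parse(cert_der)[0][1]               # Certificate ::= SEQUENCE
    fields = der_parse(der_parse(cert_body)[0][1])      # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


def make_cert(subject, issuer, pubkey):
    """Constructed stand-in: structurally valid DER, not a real X.509 cert
    (no real key, no real signature, simplified Name encoding)."""
    oid_rsa = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
    oid_sha256_rsa = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
    name = lambda s: der_tlv(0x30, der_tlv(0x0C, s.encode()))
    tbs = der_tlv(0x30, b"".join([
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),                   # version v3
        der_tlv(0x02, b"\x01"),                                   # serialNumber
        der_tlv(0x30, oid_sha256_rsa),                            # signature alg
        name(issuer),
        der_tlv(0x30, der_tlv(0x18, b"20190101000000Z") * 2),    # validity
        name(subject),
        der_tlv(0x30, der_tlv(0x30, oid_rsa) + der_tlv(0x03, b"\x00" + pubkey)),
    ]))
    return der_tlv(0x30, tbs + der_tlv(0x30, oid_sha256_rsa) + der_tlv(0x03, b"\x00" * 17))


def association_data(cert_der, selector, mtype):
    """RFC 6698: selector 0 = full cert, 1 = SPKI; matching type 0/1/2 = raw/SHA-256/SHA-512."""
    assoc = cert_der if selector == 0 else subject_public_key_info(cert_der)
    return {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}[mtype](assoc)


def publish_tlsa(cert_der, usage=3, selector=1, mtype=1):
    """What the partner publishes under _25._tcp.<mx>: TLSA presentation form."""
    return f"{usage} {selector} {mtype} {association_data(cert_der, selector, mtype).hex()}"


def parse_tlsa(rdata):
    usage, selector, mtype, hexdata = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata)


def tlsa_matches(tlsa, chain_der):
    """Usage 3 (DANE-EE) must match the end-entity cert; usage 2 (DANE-TA)
    may match any certificate in the presented chain."""
    usage, selector, mtype, data = tlsa
    candidates = chain_der[:1] if usage == 3 else chain_der
    return any(hmac.compare_digest(association_data(c, selector, mtype), data)
               for c in candidates)


def dane_decision(tlsa_answer, chain_der):
    """The slide's rule: match -> send, no match -> don't send. tlsa_answer models
    the resolver reply: 'ad' is the DNSSEC-validated flag, 'records' the TLSA rdata."""
    if not tlsa_answer.get("ad"):
        return "do-not-send", "TLSA answer not DNSSEC-validated; a forged record would be trusted"
    usable = [t for t in map(parse_tlsa, tlsa_answer["records"]) if t[0] in (2, 3)]
    if not usable:
        return "do-not-send", "no usable TLSA records (RFC 7672 treats usages 0/1 as unusable for SMTP)"
    if any(tlsa_matches(t, chain_der) for t in usable):
        return "send", "presented certificate matches a DNSSEC-signed TLSA record"
    return "do-not-send", "presented certificate matches no TLSA record"


# Constructed actors from the diagram: the partner with its own CA, and a
# man-in-the-middle whose certificate was re-signed by a compromised CA.
PARTNER_CERT = make_cert("mail.partner.example", "Partner CA", b"\x01" * 32)
PARTNER_CA = make_cert("Partner CA", "Partner CA", b"\x03" * 32)
MITM_CERT = make_cert("mail.partner.example", "Compromised CA", b"\x02" * 32)
MITM_CA = make_cert("Compromised CA", "Compromised CA", b"\x04" * 32)
PARTNER_TLSA = {"ad": True, "records": [publish_tlsa(PARTNER_CERT)]}

if __name__ == "__main__":
    print(dane_decision(PARTNER_TLSA, [PARTNER_CERT, PARTNER_CA]))
    print(dane_decision(PARTNER_TLSA, [MITM_CERT, MITM_CA]))
```

The interesting property is that the man-in-the-middle fails even though its certificate chains to a CA the sender would otherwise trust: DANE pins the partner's own key (or its own CA, with usage 2), not the public CA system, which is why a compromised CA does not help the attacker.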
Customizable TG Threshold
Define the acceptance threshold specific to your organization
Customize your AMP-TG threshold
[Diagram: a targeted email is detonated in the malware sandbox; if the returned score exceeds the threshold, the message is blocked before it reaches the end user. When a targeted email that needs to be blocked gets through, SecOps modify the threshold.]
STIX over TAXII
Consume threat intelligence from
1. Network devices
2. External/open intelligence feeds
and block them on Cisco Email Gateway
External Threat Feeds: Structured Threat Information eXpression (STIX), Trusted Automated eXchange of Indicator Information (TAXII)
[Diagram: the Cisco Email Gateway sends poll requests (ports 80, 443) to external threat feeds; CTA is shown alongside. For the organization protected by the Cisco Email Gateway, action is taken as configured.]
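One way to consume such a feed, as an added example and not the gateway's own code: extracting blockable observables (domains, IPv4 addresses, URLs, SHA-256 hashes) from a STIX 1.x package of the kind a TAXII poll returns, with a guard against a feed entry that would make you block your own domains. The package, the indicator values and the own-domain list are constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed STIX 1.x package of the kind a TAXII poll returns (not a real feed).
SAMPLE_STIX = """<stix:STIX_Package id="feed:package-1"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Indicators>
  <stix:Indicator id="feed:indicator-1" xsi:type="indicator:IndicatorType">
   <indicator:Title>Credential phishing domain</indicator:Title>
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
     <DomainNameObj:Value>Login-C1sco.example</DomainNameObj:Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="feed:indicator-2" xsi:type="indicator:IndicatorType">
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
     <AddressObj:Address_Value>198.51.100.23</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="feed:indicator-3" xsi:type="indicator:IndicatorType">
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="URIObj:URIObjectType">
     <URIObj:Value>http://198.51.100.23/invoice.php</URIObj:Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="feed:indicator-4" xsi:type="indicator:IndicatorType">
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
     <FileObj:Hashes><cyboxCommon:Hash>
      <cyboxCommon:Type>SHA256</cyboxCommon:Type>
      <cyboxCommon:Simple_Hash_Value>E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855</cyboxCommon:Simple_Hash_Value>
     </cyboxCommon:Hash></FileObj:Hashes>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="feed:indicator-5" xsi:type="indicator:IndicatorType">
   <indicator:Title>Feed error: the subscriber's own domain</indicator:Title>
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
     <DomainNameObj:Value>corp.example</DomainNameObj:Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>
"""

OWN_DOMAINS = {"corp.example"}   # constructed: domains a feed must never make you block


def extract_indicators(xml_text):
    """Collect blockable observables from every cybox Properties element,
    dispatching on the local part of its xsi:type."""
    root = ET.fromstring(xml_text)
    found = {"domain": set(), "ipv4": set(), "url": set(), "sha256": set()}
    for props in root.iter("{%s}Properties" % NS["cybox"]):
        kind = props.get(XSI_TYPE, "").split(":")[-1]
        if kind == "DomainNameObjectType":
            found["domain"].add(props.findtext("DomainNameObj:Value", "", NS).strip().lower())
        elif kind == "AddressObjectType" and props.get("category", "ipv4-addr") == "ipv4-addr":
            found["ipv4"].add(props.findtext("AddressObj:Address_Value", "", NS).strip())
        elif kind == "URIObjectType":
            found["url"].add(props.findtext("URIObj:Value", "", NS).strip())
        elif kind == "FileObjectType":
            for h in props.findall("FileObj:Hashes/cyboxCommon:Hash", NS):
                if h.findtext("cyboxCommon:Type", "", NS).upper() == "SHA256":
                    found["sha256"].add(h.findtext("cyboxCommon:Simple_Hash_Value", "", NS).strip().lower())
    return found


def to_blocklist(indicators, own_domains=OWN_DOMAINS):
    """Sorted lists ready for the gateway's block actions, minus any domain
    indicator that is (or sits under) one of your own domains."""
    def is_own(name):
        return any(name == d or name.endswith("." + d) for d in own_domains)
    domains = indicators["domain"]
    return {
        "domain": sorted(d for d in domains if not is_own(d)),
        "skipped_own": sorted(d for d in domains if is_own(d)),
        "ipv4": sorted(indicators["ipv4"]),
        "url": sorted(indicators["url"]),
        "sha256": sorted(indicators["sha256"]),
    }


if __name__ == "__main__":
    print(to_blocklist(extract_indicators(SAMPLE_STIX)))
```

The own-domain guard matters because an external feed is a remote party writing into your block policy: one bad entry is an outage, so review what a poll would add (the skipped_own list is a good place to start) before letting the configured action run unattended.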
Cisco Threat Response with Cisco Email Gateway
Helps the incident response team to
• Investigate threat incidents
• Understand what Cisco Talos, AMP and VirusTotal know about the threat
• Enforce policies across all Cisco security devices
Cisco Threat Response: Integrating Security for Faster Defense
Key pillar of our integrated architecture
• Automates & orchestrates across security products
• Focuses on security operations functions: Detection, Investigation, and Remediation
• Included as part of Email license
2000+ customers in NA, EMEA, and APJ
CRES Enhancements
CRES Pull: enable encrypted documents to be opened on all platforms
Dynamic Envelope: open on any platform
Key use cases
• Easy Open (pull encryption support)
• Enhanced mobile envelopes
• CRES-specific DMARC enhancements
[Flow diagram, steps 1 to 4 between Cisco Email Security, CRES and the recipient:]
1. Encryption triggered by policy or by DLP
2. Cisco Email Security creates the encryption key, wraps the email in an HTML envelope and delivers the envelope to the recipient
3. When Envelope Storage is enabled, the key and the message are also stored temporarily in CRES
4. Recipient clicks the link to open the message
Enhanced Help
Configure policies end-to-end with guided walkthroughs
• TAC notifications & news feed
• Release notes, videos, walk-throughs, etc.
• Multiple workflows guide administrators
Advanced Phishing Protection
Protect against fraudulent senders
Local intelligence
• Learns and authenticates identities and behavioral relationships for enhanced protection
Reduce business email compromise
• Discerns which emails carry targeted phishing attacks, so that only legitimate emails get delivered
Cisco trust analytics
[Figure: four sample messages (sender and recipient addresses redacted in the source) placed on an identity-trust axis from low to high and an authenticity axis from low to high, with regions labelled "Trusted (??)", "Spoofs" and "Impostor and attacker-owned". Samples: "Fwd: EMEA Event Sponsorship" (17-Dec-2015 21:29:13 UTC); "[Expensify] Please approve and forward expense report "September Expenses"" (10-Dec-2015 2:25:44 UTC); "urgent" (11-Dec-2015 20:13:44 UTC); "Your Adler Invoice No. UK 314433178 IN" (Thursday, December 02, 2015 12:42 PM).]
Analyze and manage untrusted, suspicious messages, mapping trust to email
Protect against fraudulent senders: review and enforce email traffic
Protect against fraudulent senders: remove compromised emails already in inboxes
Cisco Domain Protection
Protect your brand
• Easily analyze, update and take action against those misusing your domain to send malicious email
• Validate those who use your domain appropriately
Automate DMARC authentication
• Compliant with new US Department of Homeland Security regulations
• Drive to DMARC enforcement with proven tools and services
Block attackers from using your domain
From data to understanding
The DMARC authentication process: take control of your outbound communications
1. Identify email domains
2. Publish DMARC monitor policies
3. Identify unauthorized use of email domains
4. Identify 3rd party senders
5. Remediate authentication anomalies
6. Implement DMARC reject policy
7. Monitor for new threats and new senders
Manage, create, and modify DMARC, SPF, DKIM records
Identify all outgoing mail sources
Demo Domain Protection
Questions?
Break
Duo Security
INFORMATION PROPERTY OF DUO SECURITY, INC.
Three Customer Jobs to Be Done
1. Verify User Trust
2. Verify Device Trust
3. Access Controls
User Trust
Establish user trust with MFA
World’s Easiest and Most Secure MFA
● Instantly integrates with all apps
● Users self-enroll in minutes
● Users authenticate in seconds; no codes to enter
Duo MFA supports your work applications
Start here, then expand. Integration methods: REST APIs, Web SDK, RADIUS, SAML, OIDC. Application types: custom apps, VPN remote access, SSO, RRAS, multicloud, email / Microsoft, on-prem.
Learn more about application integrations
Broadest range of Multi-Factor Authentication (MFA) options
Push, soft token, SMS, phone call, U2F, wearables, biometrics, hardware tokens
● Configure authentication options for each application or group of users
● Enable multiple options for users for ease of use and flexibility
Enroll users easily at scale
Automatic enrollment: admins can import users from existing Azure, LDAP and AD directories
Self-enrollment: users can self-enroll into Duo in less than 1 minute
Import users: provision users using Duo's REST API, or add users manually one at a time or through CSV
Learn more about Enrollment Options
Self-enrollment: easily enroll users in minutes
● Users easily self-enroll in minutes
● Users leverage their own device
● Enroll thousands of users in hours
● Reduce TCO by enabling the user to enroll with no help needed
Learn more about self-enrollment
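The provisioning call behind "provision users using Duo's REST API", as an added example that is not Duo's own client code: it builds (but does not send) the signed request for the Admin API following Duo's v2 request signing as I understand it from the documentation (HMAC-SHA1 over date, method, host, path and sorted parameters, carried as HTTP Basic with the integration key as the user name). The integration key, secret key and API hostname are constructed placeholders; confirm the signing details against the current Duo Admin API documentation before relying on them, and keep the real secret key out of source control.

```python
import base64
import email.utils
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials for a hypothetical Duo Admin API application (not real).
IKEY = "DIAAAAAAAAAAAAAAAAAA"
SKEY = "0123456789abcdef0123456789abcdef01234567"
API_HOST = "api-00000000.duosecurity.com"


def canon_params(params):
    """Parameters sorted by key and URL-encoded; only RFC 3986 unreserved
    characters stay unescaped (so a space becomes %20, '@' becomes %40)."""
    return "&".join(f"{quote(str(k), '~')}={quote(str(v), '~')}"
                    for k, v in sorted(params.items()))


def canonical_string(date, method, host, path, params):
    """Duo's canonical request: date, upper-case METHOD, lower-case host,
    path and the canonical parameter string, joined with newlines."""
    return "\n".join([date, method.upper(), host.lower(), path, canon_params(params)])


def sign_request(method, path, params, ikey=IKEY, skey=SKEY, host=API_HOST, date=None):
    """Headers and body for a Duo API call: HMAC-SHA1 of the canonical string,
    keyed with the secret key, sent as HTTP Basic 'ikey:signature'."""
    date = date or email.utils.formatdate()   # RFC 2822 date; must equal the Date header
    canon = canonical_string(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    auth = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    headers = {"Date": date, "Authorization": f"Basic {auth}", "Host": host}
    if method.upper() in ("POST", "PUT"):
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        return headers, canon_params(params)  # body is the same encoding that was signed
    return headers, ""        # GET/DELETE carry canon_params(params) in the query string


def create_user_request(username, email_addr, realname=None, date=None):
    """Prepare (not send) POST /admin/v1/users, the call that provisions a user."""
    params = {"username": username, "email": email_addr}
    if realname:
        params["realname"] = realname
    headers, body = sign_request("POST", "/admin/v1/users", params, date=date)
    return {"method": "POST", "url": f"https://{API_HOST}/admin/v1/users",
            "headers": headers, "body": body}


if __name__ == "__main__":
    req = create_user_request("jdoe", "j.doe@corp.example", "J Doe")
    print(req["headers"]["Authorization"])
    print(req["body"])
```

Two details trip people up in practice: the host in the canonical string must be lower case even if the configured hostname is not, and the parameter encoding used for the signature must be byte-for-byte the encoding actually sent (hence the body reuses canon_params rather than a separate urlencode call, which would turn spaces into "+").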
Device Trust: assess the health and security posture of any device
Verify Trust for Any Device: limit access to compliant devices
● Identify corporate-owned & BYOD
● Verify if devices are out-of-date and potentially vulnerable to security risks
● Block device access to critical applications
● Apply policies consistently for any device platform: Windows, MacOS, iOS & Android
Unified Device Visibility with Duo
Mobile devices:
● Corp managed asset status
● Biometrics (Touch/Face) status
● Screen lock status
● OS condition (tampered) status
● Encryption status
● Platform type
● Device OS type
● Device OS version
● Device owner
● Duo Mobile version
Laptops / desktops:
● Corp managed asset status*
● Device owner
● OS type
● OS versions
● Browser type
● Browser versions
● Flash & Java plugin versions
● OS, browser and plugin status
* Additional conditions can be assumed for policy by the corp managed asset status, such as disk encryption, anti-virus, etc.
Learn more about Unified Device Visibility
Monitoring Trusted Endpoints
Admins can monitor whether the devices used are managed or not.
End users get just-in-time notification about out-of-date OS, browsers, Flash and Java
If users do not update by a certain day, the endpoints are blocked
Improve Security Posture by Informing the User
Learn more about self remediation
Access Controls / Adaptive Policies
Manage and control who is allowed to access applications
Example:
User-Based Policies
● Allowed authentication methods
● User enrollment status
● Geolocation
● IP Network Address / Range
● Block Anonymous networks/Tor
Learn more about Policy and Control
Example:
Device-Based Policies
● Corporate-owned/BYO (Trusted endpoint)
● OS, browsers, Flash/Java
○ Software Type
○ Out of Date / Up to Date
● Mobile security status
○ Screen lock, biometrics, encryption, jailbroken/tampered
● Remembered / previously known device
Learn more about Policy and Control
Global Policies
The Global Policy applies to all applications and all users. It’s built-in, cannot be deleted, but can be edited.
Duo & AnyConnect Secure Remote Access
● Secure AnyConnect in < 30 minutes
● Users authenticate in seconds
● Works with AnyConnect thick client & SSL VPN
● Several integration options
● Available on ASA and FTD
Duo and AnyConnect: integration options
● Preferred: use Duo Access Gateway (SAML) for ASA. Best user experience; Trusted Endpoints support coming soon.
● Optional: use Duo Authentication Proxy (RADIUS). The user receives an automatic push. Consider for older versions and for FTD.
● Limited: use LDAPS. No proxy required, but the end-user experience requires a second password field, and Device Trust is only supported for the web-based SSL VPN.
Duo Access Gateway (SAML): Cisco ASA only
Requirements:
1. A SAML gateway such as Duo Access Gateway (DAG) for SSO. Read more here.
2. ASA version 9.7.1.24, 9.8.2.28, 9.9.2.1 or higher of each release
3. AnyConnect 4.6 or later
Learn more about AnyConnect SAML integration
RADIUS: Available with Cisco ASA or FTD
Requirements
1. Cisco ASA 8.3 or later
2. Cisco FTD 6.3 or later
3. Duo Auth proxy
Learn more about AnyConnect RADIUS integration
Demo Duo Security
All integrations and network diagrams are available at: duo.com/docs
Questions?