Cisco Security Tech Update 28/2 – 2019 Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified Consulting Systems Engineer, Cyber Security, Denmark


Agenda

• 13.00 Cloud Security

• 13.45 Email Security with Domain Protection

• 14.15 Break

• 14.30 Duo Security

• 15.15 Stealthwatch v7

• 16.00 End

Cloud Security

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco

Cisco SD-WAN and Umbrella integration

Umbrella now integrates with Cisco SD-WAN (Viptela)

Integration benefits:

• Quickly deploy Umbrella across Cisco SD-WAN to hundreds of devices

• Gain web and DNS-layer protection against threats at branch offices

• Create policies and view reports on a per-VPN basis

DEPLOYMENT

[Diagram labels: Internet/SaaS; Umbrella; Data Center; Branch; DIA; SD-WAN fabric; MPLS]

Meraki MR + Umbrella integration

Umbrella now integrates with Meraki MR wireless access points.

Integration benefits:

• Simplest way to deploy Umbrella across a wireless network.

• Conveniently enable Umbrella policies directly in the Meraki dashboard.

• Create granular policies on a per-SSID basis or by using Meraki group policies.

Meraki Dashboard: Apply Umbrella policies on a per-SSID basis or by using Meraki group policies.

Umbrella Meraki MR

DEPLOYMENT

We have integrated Cloudlock App Discovery capabilities into Umbrella to solve the three biggest challenges related to shadow IT

Umbrella App Discovery and Blocking

Visibility

App and risk insight

Optimization and blocking

MANAGEMENT

Umbrella App Discovery and Blocking

[Diagram labels: Umbrella DNS logs (a1.com, b2.com, c3.com); Log ingestion; App Discovery Engine; Cloud App Security Index; App Discovery Reporting Area (Dashboard, Discovered apps grid, App detail / risk profile); Link; Application Settings; Category and Application Blocking; Automated process]

MANAGEMENT

Cloud-delivered firewall

Initial firewall capabilities now in limited availability

Capabilities:

• Content and security controls via DNS

• IP, port, and protocol controls on outbound traffic

• IP obfuscation

• Activity logging

Use cases:

• Address guest wi-fi concerns related to infected devices, inappropriate content like pornography, and peer-to-peer file sharing services

• Secure IaaS dev environment concerns without backhauling traffic to corporate firewall

Limited Availability

ENFORCEMENT

[Diagram labels: Guest Networks; IPsec Tunnel; Example Source IP: 70.149.x.x; Umbrella (DNS, NAT, FW, PROXY); Internet; Source IP: 146.112.x.x (Umbrella)]

IPv6 support in Umbrella

Umbrella supports recursive IPv6 DNS resolution, and security and content filtering for IPv6 traffic.

NEW: IPv6 addresses can be registered as network identities in Umbrella.

Learn more:

https://support.umbrella.com/hc/en-us/articles/230563727-Does-Umbrella-Support-IPv6-

2620:119:35::35 + 2620:119:53::53

DEPLOYMENT & MANAGEMENT

Roaming Client IPv6

With this new feature, customers will gain the ability to redirect IPv6 traffic from their endpoints to our cloud and extend their security and policy coverage to IPv6 traffic.

Customers can enable IPv6 interception by selecting “Enable IPv6 DNS Redirection” in the Settings option at the top of the Roaming Devices page (see screenshot).

Learn more:

Customer Landing page: https://umbrella.cisco.com/ipv6

DEPLOYMENT

Umbrella Chromebook client

The Cisco Umbrella Chromebook client provides DNS layer protection on and off-network for Chromebook users. This feature is enabled by default on Umbrella Professional, Insights, Platform, and Education packages.

Primary use cases include:

• Protection from phishing

• Content category filtering

• Per-user visibility and policy

Learn more:

Deployment documentation: https://docs.umbrella.com/deployment-umbrella/v1.0.5/docs/introduction

Chromebook client

DEPLOYMENT

Cryptomining category

Use this feature to detect any unsolicited cryptomining in your environment & to block it:

• Cryptomining is the process of generating new units of cryptocurrency (digital currency)

• Rapid growth of unsolicited cryptomining - secret use of business’ computing power to mine cryptocurrencies through individual machines

Newly added category

INTELLIGENCE

Reporting API

• A simple and fast way to extract key events from Umbrella and integrate with a SIEM or TIP

• Makes it easy to identify the level of exposure to a malicious or suspicious domain within a network by providing a snapshot of key details such as:

– Total volume of DNS resolutions for the domain

– Specific users affected

• Availability: All Umbrella Enterprise packages

MANAGEMENT

Use the API Key to get started

EU data warehouse

• New EU-based data warehouse in Frankfurt, Germany

• Customers can change their log storage location with options for US or EU

• Multi-org console required to set different storage settings for different locations

MANAGEMENT

Updated content categories

• 30+ new categories for use in policies and reports

• Enable easier transition for Cisco Cloud Web Security (CWS) and category correlation with Web Security Appliance (WSA) customers

• Demonstrates Talos category integration

MANAGEMENT

Cisco hosted Amazon S3 buckets for log storage

• No longer need to procure or manage your own bucket for log storage

• Host event logs for 7, 14, or 30 days

• Availability: Insights & Platform packages

MANAGEMENT

Cisco Threat Response and Cisco Umbrella

Unleashing the power of our integrated security architecture

INTEGRATION

• Cisco Threat Response automates integrations across Cisco security products

• Reduces the time and effort spent on key security operations functions: Detection, Investigation, Remediation

• Integrates with Umbrella to offer rich visibility into internet activity

• Aggregates intelligence across Cisco security products, Cisco Talos & 3rd party sources

• Available at no additional charge for Umbrella customers

Entry level Investigate API

• New entry level Investigate API package designed to enable integration with a SIEM, TIP or any security orchestration tool

• Features on-demand enrichment

• API allows analysts to access Investigate’s rich, real time threat intelligence as well as relevant data from other security tools all on a single pane of glass

Use the API Key to get started

DEPLOYMENT

Other releases

Jan '19 RV 340 Series Routers: Umbrella Integration

Dec 2018 DNS Monitoring

Nov 2018 Scheduled Reports

29 Nov Trusted Network Detection - Chromebook

Oct 18 Umbrella Roaming Client & AnyConnect Module: Trusted Network Detection

Oct 2018 ASA Umbrella Integration

Oct 2018 SNMP Monitoring of the VA

Oct 18 Management API

Sep 18 Secure LDAP (LDAPS) for AD Connector (ADC)

Aug 2018 Enterprise Service Status Page - https://status.umbrella.com

Aug 2018 Selective Decryption

June 2018 Proxy and IP logs via S3

April 2018 Cisco Security Connector with Meraki, AirWatch and MobileIron

March 2018 Granular Identity - reporting

Feb '18 ISR1K Series Support

Demo – Cisco Threat Response

Introducing Cisco Threat Response

Unleashing the power of the Cisco Integrated Security Architecture

Key pillar of our integrated security architecture

• Automates integrations across Cisco security products

• Reduces the time and effort spent on key security operations functions: Detection Investigation Remediation

• Included as part of Cisco Security product licenses

Demo – Cloud Delivered Firewall

Questions?

Email Security with Domain Protection

What’s New with 12.0 Release

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

Sender Domain Reputation

• Block Attackers hiding behind shared IPs like O365

• Block Emails from Compromised accounts

Email Security with IP Reputation + DOMAIN Reputation

[Diagram labels: HACKER (HACKER’S MAILBOX); COMPANY A (COMPANY A MAILBOX); COMPANY A COMPROMISED (COMPANY A COMPROMISED MAILBOX); each message shown with Env FROM:, FROM: and REPLY TO:; ESA / CES with IP REPUTATION and DOMAIN REPUTATION; Organizations protected by Cisco Email Gateway]

DANE Support

Prevent any man-in-middle snooping

Ensure all critical Emails reach intended recipient

Secure Communication using DNSSEC

[Diagram labels: Outbound critical Email To Partner over TLS; DNS resolver; Partner DNS; DNS / DNSSEC; "Get me partner IP?"; IP: 201.x.x.x; Partner certificate from partner DNS; Firewall / Man-in-middle; Hacker; Compromised CA; Re-signed certificate; Verify incoming certificate with what DNS gives (DNSSEC); Matches – Send; No Match – Don’t send]

Verify Certificate before sending email
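
The send / don't-send check on this slide, written out as an added example (not code from the presentation or from any Cisco product). It goes slightly beyond the slide by handling the TLSA selector and matching-type fields of a DANE-EE record; the certificate and key bytes are constructed placeholders, the caller is assumed to supply the extracted SubjectPublicKeyInfo, and treating a non-DNSSEC answer as "don't send" is an assumed mandatory-DANE policy.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE: pins the server's own certificate or key
    selector: int   # 0 = whole certificate, 1 = SubjectPublicKeyInfo (SPKI)
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data published in DNS


def association(selector, mtype, cert_der, spki_der):
    """Compute what a TLSA record with these fields must contain, or None."""
    selected = {0: cert_der, 1: spki_der}.get(selector)
    if selected is None:
        return None
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    return None  # unknown matching type: record is unusable


def dane_decision(records, dnssec_validated, cert_der, spki_der):
    """Return "send" only if a DNSSEC-validated DANE-EE record matches."""
    # TLSA data that was not authenticated by DNSSEC could have been forged
    # by the same party that intercepts the TLS session, so it proves nothing.
    if not dnssec_validated:
        return "dont_send"
    for rr in records:
        if rr.usage != 3:
            continue  # this sketch only evaluates DANE-EE records
        expected = association(rr.selector, rr.mtype, cert_der, spki_der)
        if expected is not None and hmac.compare_digest(expected, rr.data):
            return "send"
    return "dont_send"


# Constructed sample data: stand-ins for DER bytes, not real certificates.
PARTNER_CERT = b"constructed-partner-certificate"
PARTNER_SPKI = b"constructed-partner-public-key"
RESIGNED_CERT = b"constructed-certificate-re-signed-by-another-ca"
RESIGNED_SPKI = b"constructed-interceptor-public-key"

# What the partner would publish: usage 3, selector 1 (SPKI), SHA-256.
PARTNER_TLSA = [TLSA(3, 1, 1, hashlib.sha256(PARTNER_SPKI).digest())]

if __name__ == "__main__":
    print("partner certificate  :",
          dane_decision(PARTNER_TLSA, True, PARTNER_CERT, PARTNER_SPKI))
    print("re-signed certificate:",
          dane_decision(PARTNER_TLSA, True, RESIGNED_CERT, RESIGNED_SPKI))
    print("no DNSSEC validation :",
          dane_decision(PARTNER_TLSA, False, PARTNER_CERT, PARTNER_SPKI))
```

A certificate re-signed by a different CA fails here even if that CA is in the sender's trust store, because the pin comes from the partner's signed DNS zone rather than from the CA hierarchy.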

Customizable TG Threshold

Define the acceptance threshold specific to your organization

Customize Your AMP-TG Threshold

[Diagram labels: Targeted Email; Malware Sandbox; Score > Threshold; Targeted Email needs to be blocked; End User; SecOps; Modify Threshold]

STIX over TAXII

Consume Threat Intelligence from

1. Network devices

2. External/Open Intelligence feeds

And block them on Cisco Email Gateway

External Threat Feeds

Structured Threat Information eXpression (STIX)

Trusted Automated eXchange of Indicator Information (TAXII)

[Diagram labels: External Threat Feeds; Poll requests (80, 443); Cisco Email Gateway; CTA; Action taken as configured; Organization Protected by Cisco Email Gateway]

Cisco Threat Response with Cisco Email Gateway

Helps the incident response team to:

• Investigate threat incidents

• Understand what Cisco Talos, AMP and VirusTotal know about the threat

• Enforce policies across all Cisco security devices

Cisco Threat Response

Integrating Security for Faster Defense

Key pillar of our integrated architecture

• Automates & Orchestrates across security products

• Focuses on security operations functions – Detection, Investigation, and Remediation

• Included as part of Email license

2000+ customers in NA, EMEA, and APJ

CRES Enhancements

CRES Pull:

Enable Encrypted Documents to be opened on All Platforms

Dynamic Envelope:

Open on any platform

Key Use Cases

CRES Enhancements

• Easy Open (Pull encryption support)

• Enhanced Mobile Envelopes

• CRES-specific DMARC enhancements

1. Encryption triggered by policy or by DLP

2. Cisco Email Security creates encryption key, wraps email in HTML envelope and delivers the envelope to the recipient

3. When Envelope Storage is enabled, the key and the message are also stored temporarily in CRES

4. Recipient clicks on the link to open the message

Enhanced Help

Configure Policies End-to-End with guided walkthroughs

• TAC notifications & News Feed

• Release notes, videos, walk-thru, etc.

• Multiple workflows guide administrators

Protect against fraudulent senders

Local intelligence

• Learns and authenticates identities and behavioral relationships for enhanced protection

Reduce business email compromise

• Discerns which emails carry targeted phishing attacks and only legitimate emails get delivered

Advanced Phishing Protection

Cisco trust analytics

Sample messages:

• From: [email protected], 17-Dec-2015 21:29:13 UTC, To: [email protected], Fwd: EMEA Event Sponsorship

• From: [email protected], 10-Dec-2015 2:25:44 UTC, To: [email protected], [Expensify] Please approve and forward expense report "September Expenses”

• From: [email protected], 11-Dec-2015 20:13:44 UTC, To: [email protected], urgent

• From: [email protected], Thursday, December 02, 2015 12:42 PM, To: [email protected], Your Adler Invoice No. UK 314433178 IN

[Figure: messages mapped by IDENTITY TRUST (LOW to HIGH) and AUTHENTICITY (HIGH), with regions labelled Trusted (??), Spoofs, and Impostor and Attacker-owned]

Analyze and manage untrusted, suspicious messages – mapping trust to email

Protect against fraudulent senders

Advanced Phishing Protection

Protect against fraudulent senders

Review and enforce email traffic

Advanced Phishing Protection

Protect against fraudulent senders

Remove compromised emails already in inboxes

Advanced Phishing Protection

Protect your brand

• Easily analyze, update and take action against those misusing your domain to send malicious email

• Validate those who use your domain appropriately

Automate DMARC authentication

• Compliant with new US Department of Homeland Security Regulations

• Drive to DMARC Enforcement with proven tools and services

Cisco Domain Protection

Block attackers from using your domain

From data to understanding

Cisco Domain Protection

The DMARC authentication process

Take control of your outbound communications

1. Identify Email Domains

2. Publish DMARC Monitor Policies

3. Identify Unauthorized Use of Email Domains

4. Identify 3rd Party Senders

5. Remediate Authentication Anomalies

6. Implement DMARC Reject Policy

7. Monitor for New Threats and New Senders

Cisco Domain Protection

Cisco Domain Protection

Protect your brand

Manage, create, and modify DMARC, SPF, DKIM records

Protect your brand

Cisco Domain Protection

Identify all outgoing mail sources

Demo Domain Protection

Questions?

Break

Duo Security

INFORMATION PROPERTY OF DUO SECURITY, INC.

Three Customer Jobs to Be Done

1. Verify User Trust

2. Verify Device Trust

3. Access Controls

User Trust

Establish user trust with MFA

World’s Easiest and Most Secure MFA

● Instantly integrates with all apps

● Users self-enroll in minutes

● Users authenticate in seconds; no codes to enter

Duo MFA Supports Your Work Applications

[Diagram labels: REST APIS; WEB SDK; RADIUS; SAML; OIDC; Custom; VPN RA; SSO; RRAS; Multicloud; Email/MSFT; On-Prem; Start Here Then Expand]

Learn more about application integrations

Broadest Range of Multi-Factor Authentication (MFA) Options

Push, Soft Token, SMS, Phone Call, U2F, Wearables, Biometrics, Hardware Tokens

● Configure authentication options for each application or group of users

● Enable multiple options for users for ease of use and flexibility

Enroll Users Easily at Scale

Automatic Enrollment

Admins can import users from existing Azure, LDAP and AD directories

Self Enrollment

Users can self-enroll into Duo in less than 1 minute

Import Users

Provision users using Duo’s REST API, or add users manually one at a time or through CSV

Learn more about Enrollment Options

Self-Enrollment - Easily enroll users in minutes

● Users easily self-enroll in minutes

● Users leverage their own device

● Enroll thousands of users in hours.

● Reduce TCO by enabling the user to easily enroll with no help needed

Learn more about self-enrollment

Device Trust

Assess the health and security posture of any device

Verify Trust for Any Device

Limit Access to Compliant Devices

● Identify corporate-owned & BYOD

● Verify if devices are out-of-date and potentially vulnerable to security risks

● Block device access to critical applications

● Apply policies consistently for any device platform: Windows, MacOS, iOS & Android

Unified Device Visibility with Duo

Mobile Devices

● Corp managed asset status
● Biometrics (Touch/Face) status
● Screen lock status
● OS condition (tampered) status
● Encryption status
● Platform type
● Device OS type
● Device OS version
● Device owner
● Duo Mobile version

Laptops / Desktops

● Corp managed asset status*
● Device owner
● OS type
● OS versions
● Browser type
● Browser versions
● Flash & Java plugins versions
● OS, browser and plugins status

* Additional conditions can be assumed for policy by the corp managed asset status such as disk encryption, anti-virus, etc.

Learn more about Unified Device Visibility

Monitoring Trusted Endpoints

Admins can monitor whether the devices used are managed or not.

End users get just-in-time notification about out-of-date OS, browsers, Flash and Java

If users do not update by a certain day, the endpoints are blocked

Improve Security Posture by Informing the User

Learn more about self remediation

Access Controls / Adaptive Policies

Manage and control who is allowed to access applications

Example:

User-Based Policies

● Allowed authentication methods

● User enrollment status

● Geolocation

● IP Network Address / Range

● Block Anonymous networks/Tor

Learn more about Policy and Control

Example:

Device-Based Policies

● Corporate-owned/BYO (Trusted endpoint)

● OS, browsers, Flash/Java

○ Software Type

○ Out of Date / Up to Date

● Mobile security status

○ Screen lock, biometrics, encryption, jailbroken/tampered

● Remembered / previously known device

Learn more about Policy and Control

Global Policies

The Global Policy applies to all applications and all users. It’s built-in, cannot be deleted, but can be edited.

Duo & AnyConnect Secure Remote Access

● Secure AnyConnect in < 30 minutes

● Users authenticate in seconds

● Works with AnyConnect thick client & SSL VPN

● Several integration options

● Available on ASA and FTD

Duo and AnyConnect: Integration options

Preferred: Use Duo Access Gateway (SAML) for ASA. Best user experience + Trusted Endpoints soon

Optional: Use Duo Auth Proxy (RADIUS). User receives automatic push. Consider for older versions and FTD.

Limited: Use LDAPS. No proxy required. End user experience requires 2nd password field, Device Trust only supported for web-based SSL VPN.

Duo Access Gateway (SAML): Cisco ASA only

Learn more about AnyConnect SAML integration

Requirements:

1. A SAML gateway such as Duo Access Gateway (DAG) for SSO. Read more here.

2. ASA version of 9.7.1.24, 9.8.2.28, 9.9.2.1 or higher of each release

3. AnyConnect 4.6 or later.

RADIUS: Available with Cisco ASA or FTD

Requirements

1. Cisco ASA 8.3 or later

2. Cisco FTD 6.3 or later

3. Duo Auth proxy

Learn more about AnyConnect RADIUS integration

Demo Duo Security

All integrations and network diagrams are available at: duo.com/docs

Questions?