Page 1: Securing your Data Center - Cisco

Arief Santoso – [email protected]

Cyber Security Specialist – GSSO, Cisco Systems

18 Jan 2018

Data is currency... and data centers need protecting

Securing your Data Center

Page 2

FBI’s Most Wanted

Page 3

© 2018 Cisco and/or its affiliates. All rights reserved.

Percentage of security team’s time:

• 47% Servers
• 29% Customer data
• 24% Endpoints

76% of the security team’s time is spent on security in the data center

Page 4

FBI’s Most Wanted

Page 5

Page 6

Page 7

How is data being stolen?

(chart: two values, 86% and 81%; the labels were not extracted)

Page 8

Data Center Security… It takes an architecture!

• Threat protection: “Stop the breach”
• Segmentation: “Reduce the attack surface”
• Visibility: “See everything”
• Threat intelligence: Talos
• Intent-based, Automation, Analytics

Page 9

Building a true data center security architecture

Page 10

Integrated architecture

Best of breed portfolio

Page 11

What best of breed security looks like!

(chart: NSS Labs results 2010 to 2017, Cisco versus the test average, for NGFW, NGIPS and Breach Detection Systems (Cisco AMP); vertical axis from 82 to 100)

Stopping the most threats in NSS Labs testing year after year

The power of Cisco Talos!

98.9% efficacy = 6.8M missed threats/year

Page 12

Point product approach fails. It takes an integrated architecture

• Threat protection: NGFW/NGIPS, Advanced Malware
• Visibility: Analytics (Stealthwatch, Tetration)
• Segmentation: Policy and Access (ISE, NGFW, Tetration, ACI)
• Management (CloudCenter, APIC, FMC, Tetration)

Integration points: pxGrid, Security Group Tag/EPG, APIs, intel sharing, automation

Page 13

Data centers are changing. Cisco Security grows with you

• Traditional data center
• Virtualization and cloud
• Application centric infrastructure (ACI fabric)

Page 14

Cisco datacenter security solutions – focus areas

Visibility: Network and application analytics
• Stealthwatch
• Tetration

Threat protection: Threat prevention
• NGFW/NGIPS
• Advanced Malware Protection (AMP)

Segmentation: Firewall and access control
• NGFW, ACI, Tetration

Policy Orchestration
• FMC, CloudCenter
• APIC, ISE

Integrated

Page 15

See and detect more threats in your DC: Cisco Stealthwatch

Monitor
• Comprehensive, contextual network flow visibility
• Real-time situational awareness of traffic

Detect
• Detect anomalous network behavior
• Detect network behaviors indicative of threats: worms, insider threats, DDoS and malware

Respond
• Quickly scope an incident
• Network troubleshooting
• One click quarantine

Analyze
• Holistic network audit trail
• Threat hunting and forensic investigations

(diagram: end-to-end network visibility across user, device, switch, router, WAN, firewall, data center and server)

Page 16

Greater visibility and security together: Cisco Tetration and Stealthwatch

• Threat detection and hunting
• Application traffic modeling & visibility
• Access control policy and audit
• Anomalous behavior

Integrated with other security solutions: 1+1=3

Page 17

Visibility: See application components & their behavior

Cisco Tetration
• Full visibility into application components including workloads, processes and application behavior in the data center
• Application dependency mapping
• Application segmentation policies (whitelist/blacklist)
• Forensic search and application anomaly detection

Page 18

Visibility: See across the enterprise network

Cisco Stealthwatch
• Enterprise-wide network visibility across users, hosts, networks, and infrastructure (switches, routers, firewalls, servers)
• Collects network flow and other data to provide network visibility for understanding network-wide traffic and discovering threats
• Real-time situational awareness of users, devices, and applications
• Network flow monitoring of policy violations validates enterprise-wide network access to facilitate compliance and segmentation requirements

Enterprise Network: Branch, Campus, Data Center, Cloud

Page 19

The 360º Data Centre visibility Cisco provides

Page 20

Stealthwatch & Tetration working together

Pivot from Stealthwatch to the Tetration interface during an investigation (Tetration Analytics)

Page 21

What about cloud visibility?

Stealthwatch Cloud, public cloud monitoring:
• Suitable for enterprises & commercial businesses using public cloud services
• Software as a Service (SaaS)

Stealthwatch Cloud, private network monitoring:
• On-premises network monitoring
• Suitable for SMBs & commercial businesses
• Software as a Service (SaaS)

Stealthwatch Enterprise, enterprise network monitoring:
• On-premises network monitoring
• Suitable for enterprises & large businesses
• On-premises virtual or hardware appliance

Page 22

Visibility Through NetFlow

Flow information exported by routers and switches for a conversation from 10.1.8.3 to 172.168.134.2 across the Internet:

SOURCE ADDRESS 10.1.8.3
DESTINATION ADDRESS 172.168.134.2
SOURCE PORT 47321
DESTINATION PORT 443
INTERFACE Gi0/0/0
IP TOS 0x00
IP PROTOCOL 6
NEXT HOP 172.168.25.1
TCP FLAGS 0x1A
SOURCE SGT 100
...
APPLICATION NAME NBAR SECURE-HTTP

NetFlow Provides
• A trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurements
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Indications of compromise (IOC)
• Security group information

Page 23

StealthWatch System Overview

Network devices export NetFlow / NBAR / NSEL to the StealthWatch FlowCollector.

StealthWatch FlowCollector
• Collect and analyze
• Up to 4000 sources
• Up to 240,000 flows per second (FPS) sustained

StealthWatch FlowSensor
• Generate NetFlow from SPAN for non-NetFlow-capable devices

StealthWatch Management Console
• Management and reporting
• Up to 25 FlowCollectors
• Up to 6 million FPS globally

Page 24

StealthWatch System

Real-Time Visibility into All Network Layers
• Data intelligence throughout network
• Discovery of assets
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response

(diagram: NetFlow feeds StealthWatch; Cisco® Identity Services Engine exchanges context information and mitigation actions with StealthWatch over pxGrid)

Page 25

Cisco Stealthwatch Cloud: Public Cloud Monitoring

Page 26

Quick and easy security for dynamic environments

Stealthwatch Cloud

Public Cloud
• VPC Flow Logs
• Other data sources

Private network
• NetFlow
• Mirror port
• Other data sources

Page 27

Using modeling to detect security events: Dynamic Entity Modeling

Collect Input
• System Logs
• Security Events
• Passive DNS
• External Intel
• Config Changes
• Vulnerability Scans
• IP Meta Data

Perform Analysis: Dynamic Entity Modeling
• Group
• Consistency
• Rules
• Forecast
• Role

Draw Conclusions
• What ports/protocols does the device continually access?
• What connections does it continually make?
• Does it communicate internally only?
• What countries does it talk to?
• How much data does the device normally send/receive?
• What is the role of the device?
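The following is an added example, not Cisco's or Stealthwatch's code: it takes constructed flow records carrying the fields shown on the NetFlow slide (page 22), decodes the cumulative TCP flags, classifies each flow as north-south or east-west, and then answers a toy version of the entity-modeling questions above (which services a device continually uses, whether it ever talks outside the data center, how much data it normally sends). The sample flows, the 10.0.0.0/8 internal range and the 3-sigma volume threshold are assumptions.

```python
"""Toy flow-record triage: NetFlow fields from the slide, plus a per-device
baseline in the spirit of dynamic entity modeling. Added example, not Cisco
code; the sample flows, internal range and thresholds are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Bit values of the cumulative TCP FLAGS field in a NetFlow record.
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
INTERNAL = ip_network("10.0.0.0/8")  # assumption: the data center's own address space

# Constructed learning-period records (proto 6 = TCP, 17 = UDP; bytes added).
LEARNING_FLOWS = [
    {"src": "10.1.8.3", "dst": "10.1.20.5", "sport": 47321, "dport": 443, "proto": 6,
     "flags": 0x1A, "sgt": 100, "app": "secure-http", "bytes": 4200},
    {"src": "10.1.8.3", "dst": "10.1.20.5", "sport": 47322, "dport": 443, "proto": 6,
     "flags": 0x1B, "sgt": 100, "app": "secure-http", "bytes": 3900},
    {"src": "10.1.8.3", "dst": "10.1.20.9", "sport": 47330, "dport": 53, "proto": 17,
     "flags": 0x00, "sgt": 100, "app": "dns", "bytes": 120},
    {"src": "10.1.8.3", "dst": "10.1.20.5", "sport": 47340, "dport": 443, "proto": 6,
     "flags": 0x1A, "sgt": 100, "app": "secure-http", "bytes": 4500},
]


def decode_tcp_flags(value):
    """0x1A -> ['SYN', 'PSH', 'ACK']: every flag seen during the flow's lifetime."""
    return [name for bit, name in sorted(TCP_FLAG_BITS.items()) if value & bit]


def direction(flow):
    """East-west when both ends are inside the data center, otherwise north-south."""
    inside = [ip_address(flow[k]) in INTERNAL for k in ("src", "dst")]
    return "east-west" if all(inside) else "north-south"


def build_baseline(flows):
    """Per source host: services it continually uses, whether it ever talks
    outside, and its byte counts; the questions the entity model asks."""
    base = defaultdict(lambda: {"services": set(), "external": False, "bytes": []})
    for f in flows:
        b = base[f["src"]]
        b["services"].add((f["proto"], f["dport"]))
        b["external"] |= direction(f) == "north-south"
        b["bytes"].append(f["bytes"])
    return dict(base)


def check_flow(flow, baseline, k=3.0):
    """Findings for one new flow; an empty list means it fits the host's model."""
    b = baseline.get(flow["src"])
    if b is None:
        return ["unknown source host"]
    findings = []
    if (flow["proto"], flow["dport"]) not in b["services"]:
        findings.append("new service %d/%d" % (flow["proto"], flow["dport"]))
    if not b["external"] and direction(flow) == "north-south":
        findings.append("first external communication")
    mu, sd = mean(b["bytes"]), pstdev(b["bytes"])
    if flow["bytes"] > mu + k * max(sd, 1.0):  # k-sigma volume threshold (assumption)
        findings.append("volume %dB far above baseline mean %.0fB" % (flow["bytes"], mu))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(LEARNING_FLOWS)
    new = {"src": "10.1.8.3", "dst": "203.0.113.7", "sport": 47400, "dport": 22, "proto": 6,
           "flags": 0x1A, "sgt": 100, "app": "ssh", "bytes": 90000}
    print(decode_tcp_flags(new["flags"]), direction(new), check_flow(new, baseline))
```

A real deployment learns the baseline over days of records from every exporter, not four flows, but the three checks are the same shape as the conclusions the slide lists.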

Page 28

Integrate easily with all your current systems

Stealthwatch Cloud connects to: SaaS Management Portal, Web Platforms, Email, SIEM, AWS (S3, SQS, SNS) and other platforms

Page 29

See all public cloud activity through telemetry.

Stealthwatch Cloud consumes AWS VPC Flow Logs.

Additional AWS Data Sources: Config, Lambda, Inspector, IAM, CloudTrail, CloudWatch

Require Agents

Page 30

Global visibility like no one else….


24x7x365 Operations

AMP: Advanced Malware Protection

Cisco Cognitive Threat Analytics (CTA)

Page 31

Cisco Stealthwatch Cloud: Private Network Monitoring

Page 32

Detect threats and see network activity using existing telemetry sources: Virtual Sensors

Collect from all these sources: NetFlow, SIEM, IPFIX, DNS, Active Directory, Gigamon, Any Mirror/SPAN

(diagram: switches, firewalls, application servers, load balancers and mirror/SPAN ports supply IP traffic data, DNS lookups and other security data to Stealthwatch Cloud for threat detection)

Use DNS lookups to link dynamic IPs to a host name

Page 33

Stealthwatch Cloud fits seamlessly into your existing network architecture with no messy reorganization: Virtual Sensors

(diagram: Data Center Segment, Accounting Segment and Core Switching; virtual sensors receiving NetFlow, IPFIX and SPAN; SIEM, Syslog and SNMP; the SW Cloud Virtual Appliance reaching the Stealthwatch Cloud management SaaS Portal over an Encrypted Private Tunnel)

Page 34

Segmentation: Reduce the Attack Surface

Tiers: North-South (Perimeter), East-West, Process to Process

Cisco NGFW, Cisco ACI, Cisco Tetration

Page 35

Zero Trust Segmentation

• Access all areas (Edge Security)
• Building access only (Segmentation)
• Room access only (Micro-Segmentation)

Page 36

Segmentation: Reduce the Attack Surface

Segmentation across multiple clouds: North-South (Perimeter), East-West, Process to Process

Cisco NGFW, Cisco ACI, Cisco Tetration

Page 37

Threat Protection: Stop the Breach

Multi-Layered Threat Sensors: Quickly detect, block, and respond dynamically when threats arise to prevent breaches from impacting the business, by strategically deploying threat sensors north-south and east-west

• Next-Gen Firewall with AMP
• Next-Gen IPS with AMP
• Stealthwatch
• Next-Gen Firewall with Radware DDoS

Cisco ACI, Cisco Tetration, Next-gen Firewall

Page 38

Protect the Workload Everywhere

Page 39

Pervasive Enforcement with NGFW + Identity Services Engine (ISE)

Dynamic Access Control with open framework

ISE: Establish a secure network
• Policy automation
• BYOD
• Guest Access
• Segmentation

ISE + NGFW: Set access control policies
• Firepower Management Center
• pxGrid propagates rules and context: User Context, Device context, Location, Access policies, Threat / IOC

TrustSec + NGFW: Propagate
• Employee Tag, Supplier Tag, Server Tag, Guest Tag, Quarantine Tag, Suspicious Tag

ISE + pxGrid + TrustSec + NGFW: Remediate breaches automatically

Page 40

Cisco ACI and Advanced Security

Cisco ACI + Cisco Advanced Security Advantages:
• Addresses key DC challenges: threat-centric, visibility, compliance
• The only approach with a kill chain approach to the threat lifecycle
• Industry’s most comprehensive threat intelligence with TALOS
• Pervasive security offering between on premise and cloud
• Elastic scale with pay-as-you-grow model

Native ACI Security (ACI Group Policy, APIC)
• Centralized Policy Automation
• Secure Multi-Tenancy with Whitelisting
• Attribute-Based Microsegmentation
• VM-Based Segmentation
• Industry Compliance Standards (PCI)

Cisco Advanced Security – ASA / Firepower / AMP (APIC integration)
• Threat-Centric Protection
• Deep traffic inspection
• Real-time Threat Intelligence
• Forensic Analysis
• Dynamic Workload Quarantine


Page 46

Our Customers want to feel safe... and together we can help

Page 47