Cisco Secure Cloud: Security for the Cloud and Security from the Cloud

Markus Frey – Security Consulting System Engineer, 19 October 2016 – 10. ITRIS Enterprise IT Security Day

Security Landscape

The Changing Landscape
• Devices / Users: anywhere / anything
• Network: software defined networking
• Application: microservices architecture
• Compute: containers
• Storage: data virtualization

Vulnerabilities Stay Open For a LONG Time!!!! Critical and high risk vulnerabilities stay open 300-500 days.

Average vulnerability age by industry:
• IT: 875 days
• Education: 460 days
• Financial services: 365 days
• Retail: 456 days
• Insurance: 317 days
• Manufacturing: 359 days
• Healthcare: 406 days
• Food / Bev: 417 days
• Ent / Media: 303 days
• Banking: 339 days
• Energy: 275 days
• Tech: 295 days

Reference: “WhiteHat Security WEB APPLICATIONS SECURITY STATISTICS REPORT 2016”

Data Breaches Are Costly!!!
• $105 – $365 per record lost
• $575B lost annually
• $3.79M average cost per security breach

Recent breaches: Registered Voter records 191 million; Anthem 80 million records; Securus 70 million prisoner phone calls; MacKeeper 13 million records; Ashley Madison 37 million records; Office of Personnel Management 21.5 million records; VTech 11.3 million records; Excellus 10 million records; Premera 11 million records; Experian 15 million records.

The Changing Cloud Security Threats: The Treacherous Twelve

Top Threats, ranked by CSA report year (2010 / 2013 / 2016):
• Data Breaches: 2010 #5, 2013 #1, 2016 #1
• Insufficient Identity, Credentials and Access Management: 2016 #2
• Insecure Interfaces and APIs: 2010 #2, 2013 #4, 2016 #3
• System Vulnerabilities: 2016 #4
• Account Hijacking: 2010 #6, 2013 #3, 2016 #5
• Malicious Insiders: 2010 #3, 2013 #6, 2016 #6
• Advanced Persistent Threats: 2016 #7
• Data Loss: 2010 #5, 2013 #2, 2016 #8
• Insufficient Due Diligence: 2010 #7, 2013 #8, 2016 #9
• Abuse and Nefarious Use of Cloud Services: 2010 #1, 2013 #7, 2016 #10
• Denial of Service: 2013 #5, 2016 #11
• Shared Technology Issues: 2010 #4, 2013 #9, 2016 #12

Source: Cloud Security Alliance - https://cloudsecurityalliance.org/download/the-treacherous-twelve-cloud-computing-top-threats-in-2016/

Cisco Security Midyear Cybersecurity Report www.cisco.com/go/mcr2016

What is Cloud Security?

Delivering integrated, consistent security policy:
• Data Center: keep workloads and valuable data secure
• Cloud: secure applications and data in the cloud; protect against threats; minimize compliance risk
• Users/Devices: enable secure access anywhere for anything

Shared Risk and Responsibility: Cloud Delivery Models

Delivery models: Private Cloud, IaaS, PaaS, SaaS
Stack layers: Application, Data, Guest OS, Virtualization, Compute & Storage, Network, Facility

Shared Responsibility: in every delivery model each layer of the stack is owned by either the Tenant or the Provider, and where the split falls differs between Private Cloud, IaaS, PaaS and SaaS.

Cloud Standards, Compliance, TRUST

Cloud Security Standards and Controls • Frameworks • Security Control • Processes

ISO 27000 Series
• ISO 27001 (2013): establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)
• ISO 27018 (2014): code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• ISO 27017 (2015): code of practice for information security controls based on ISO/IEC 27002 for cloud services

FISMA – NIST 800-53

PCI-DSS: credit card data and processors protection
HIPAA/HITECH: health care compliance controls

SOC 1 / SOC 2 / SOC 3: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

Cloud Security Alliance

CSA Security, Trust & Assurance Registry (STAR). CSA STAR is based upon two key research components of the CSA GRC Stack:
• Cloud Controls Matrix (CCM) - As a controls framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing. Currently 133 controls.
• The Consensus Assessments Initiative Questionnaire (CAIQ) - Based upon the CCM, the CAIQ provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix and CSA best practices.

Security for the Cloud, Security from the Cloud

Cloud Deployment Models: Private Cloud, Hybrid Cloud, Data Center, Public Cloud

New Control Points, Data Protection
• Users / Devices: stolen credentials, malware, spoofing, pivot
• DAM (Data-At-Motion): visible pipe, weak encryption, key compromise
• Compute: rogue/weak/dirty applications
• DAR (Data-At-Rest): data visibility, data loss

Secure your private cloud: Architecture Requirements
• Visibility
• Enforcement
• Data Protection
• Shared Risk Model (Managed)

Reference architecture: Internet edge with ASA/NGFW and DDoS protection; Stealthwatch for visibility; ASAv/NGFWv in the private cloud tenant space, at the PaaS/SaaS cloud connections and at the Edge/IoT; AMP; TrustSec and ISE in the corporate data center; OpenDNS; Security Operations Center; users / devices.

Secure your public cloud: Architecture Requirements
• Visibility
• Enforcement
• Data Protection
• Shared Risk Model
• Consistency

Reference architecture: Internet edge with ASA/NGFW and DDoS protection; Stealthwatch; CSRv and OpenDNS; corporate data center and corporate IT with TrustSec and ISE; Security Operations Center; ASAv/NGFWv in the public cloud tenant space, at the PaaS/SaaS cloud connections and at the Edge/IoT; AMP; users / devices.

Secure your hybrid cloud: Architecture Requirements
• Visibility
• Enforcement
• Data Protection
• Shared Risk Model
• Consistency

Reference architecture: public cloud and private cloud connected to the corporate data center and corporate IT; Internet edge with ASA/NGFW; Stealthwatch, CSRv and OpenDNS; ASAv/NGFWv and DDoS protection in the private cloud; ASAv/NGFWv in the tenant space, at the PaaS/SaaS cloud connections and at the Edge/IoT; AMP; TrustSec and ISE; Security Operations Center; users / devices.

With security from the cloud and for the cloud

Security for the cloud and security from the cloud, portfolio: Cloud Email Security, AMP, OpenDNS Umbrella, Cisco Defense Orchestrator, Active Threat Analytics, NGFWv, cloud consumption services, Hosted Identity Service, NGIPSv, OpenDNS, Cognitive Threat Analytics, CWS, Stealthwatch Cloud License, CSRv, ASAv, DDoS.

Cisco NGFW Firepower Threat Defense

Simplify with fully integrated threat defense to protect physical, virtual and cloud infrastructure.
• Threat-focused: stop more threats; gain more insight; detect earlier, act faster
• Fully integrated: reduce complexity; get more from your network

Functions of the NGFW and the virtual NGFWv: Firewall, NGIPS, AMP, VPN, DDoS, URL Filtering, SSL, AVC

Protect your cloud data center at the edge

I want to extend my trusted on-premises security to the cloud.
• Prepare: security feeds (URL | IP | DNS)
• Secure: define policies for HR, Finance, DevOps and the in-house app using TrustSec; uncover threats; high availability, high bandwidth
• Respond and remediate: AMP file inspection, AMP Threat Grid, SSL decryption engine, AVC, NGIPS; allow or block access to financial data and HR data

Components: data center edge, virtual firewall, cloud data center.

Improve scalability and control with ACI

I want to protect the data center with consistent and targeted security policies.
• Integrated management: Application Policy Infrastructure Controller (APIC) and Firepower Management Center; set policies with the integrated management tool
• Firewall & AVC, NGIPS; white list policies; allow / block
• Detect threats with NGIPS using ACI fabric visibility
• Segmentation and multi-tenancy through the APIC APIs
• Refine policies over time through activity analysis

Topology: spine/leaf fabric with nodes; Host 1 and Host 2 running physical applications (Application 1, Application 2), Host 3 running VMs.

Defend the network with Rapid Threat Containment

I want to isolate compromised resources quickly before the problem grows.
• Firepower Management Center receives the alert of an intrusion event
• FMC issues a quarantine command to ISE over pxGrid
• ISE applies a TrustSec Quarantine Tag to the compromised endpoint (automatic isolation), alongside the Employee, Guest and Supplier tags

Easily manage NGFWs across multiple sites

Firepower Management Center: centralized management for multi-site deployments
• Multi-domain management
• Role-based access control
• High availability
• APIs and pxGrid integration

Managed functions: Firewall & AVC, NGIPS, AMP, Security Intelligence

…Available in physical and virtual options: manage across many sites; control access and set policies; investigate incidents; prioritize response

Cisco AMP Advanced Malware Protection

Cisco AMP Delivers A Better Approach
• Point-in-Time Protection: file reputation, sandboxing, and behavioral detection
• Retrospective Security: continuous analysis (unique to Cisco® AMP)

Cisco AMP Defends With Reputation Filtering And Behavioral Detection
• Reputation filtering (point-in-time detection): one-to-one signature, fuzzy finger-printing, machine learning, advanced analytics
• Behavioral detection (point-in-time detection): indications of compromise, dynamic analysis, device flow correlation
• Retrospective security (continuous protection), backed by Cisco Collective Security Intelligence

Why Continuous Protection Is Necessary: retrospective security and Cisco Collective Security Intelligence

Breadth and control points: web (WWW), email, endpoints, network, gateways, devices

Telemetry stream (continuous feed): file fingerprint and metadata, file and network I/O, process information

Talos + Threat Grid intelligence feeds continuous analysis.

Cisco AMP for Network (NGFW / NGIPS)
• Detection engines: 1-1 SHA, ETHOS, SPERO, PING2
• Flow: the AMP for Networks sensor and FMC send the file fingerprint to the AMP Public Cloud; the file is analyzed in the Threat Grid Cloud and the threat score is poked to the cloud

Cisco AMP for Endpoints
• Detection engines: 1-1 SHA, ETHOS, SPERO, PING2
• Flow: file fingerprint to the AMP Public Cloud; file analyzed in the Threat Grid Cloud; threat score poked to the cloud
• Supported platforms: Windows XP SP3, Windows 7/8/10, Windows Server 2003/2008/2012, OSX 10.82, Android 4.03, Redhat Ent 6, CentOS 6.4

How Cisco AMP Works: Network File Trajectory Use Case

An unknown file is present on IP: 10.4.10.183, having been downloaded from Firefox

At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8

Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application

The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later

The Cisco Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.

At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware

8 hours after the first attack, the Malware tries to re-enter the system through the original point of entry but is recognized and blocked.
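The retrospective mechanism in this use case, as an added illustration that is not Cisco's code: a file fingerprint is tracked across hosts while its verdict is still unknown, and once the cloud later classifies it as malicious, one retrospective event is raised per host that ever held it and any re-entry is blocked inline. The hash value, the timestamps other than 10:57, and the source hosts of the two SMB hops are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_SHA = "sha256:constructed-placeholder-0001"  # constructed, not a real IoC
@dataclass(frozen=True)
class FileEvent:
    """One observed file transfer (constructed sample telemetry)."""
    time: str    # "HH:MM"
    sha256: str  # file fingerprint
    src: str     # sending host, or "internet" for an external download
    dst: str     # receiving host
    app: str     # application seen on the wire (firefox, http, smb)

class FileTrajectory:
    def __init__(self):
        self.events = defaultdict(list)  # sha256 -> [FileEvent, ...]
        self.verdict = {}                # sha256 -> "unknown" | "malicious" | "clean"

    def observe(self, ev):
        """Record a transfer; return True if the file is already known-bad (block inline)."""
        self.events[ev.sha256].append(ev)
        self.verdict.setdefault(ev.sha256, "unknown")
        return self.verdict[ev.sha256] == "malicious"

    def hosts(self, sha256):
        """Internal hosts that held the file, in first-seen order."""
        seen = []
        for ev in self.events[sha256]:
            for h in (ev.src, ev.dst):
                if h != "internet" and h not in seen:
                    seen.append(h)
        return seen

    def update_verdict(self, sha256, verdict):
        """Apply a later cloud verdict; emit one retrospective event per affected host."""
        self.verdict[sha256] = verdict
        hit = [(h, "retrospective: quarantine") for h in self.hosts(sha256)]
        return hit if verdict == "malicious" else []

def run_scenario():
    """Replay the slide's four-device trajectory (sources of the SMB hops are assumed)."""
    t = FileTrajectory()
    for ev in [FileEvent("10:30", SAMPLE_SHA, "internet", "10.4.10.183", "firefox"),
               FileEvent("10:57", SAMPLE_SHA, "10.4.10.183", "10.5.11.8", "http"),
               FileEvent("17:57", SAMPLE_SHA, "10.5.11.8", "10.3.4.51", "smb"),
               FileEvent("18:27", SAMPLE_SHA, "10.5.11.8", "10.5.60.66", "smb")]:
        t.observe(ev)  # verdict still "unknown": the file passes every hop
    retro = t.update_verdict(SAMPLE_SHA, "malicious")  # the cloud learns it is bad
    blocked = t.observe(FileEvent("18:30", SAMPLE_SHA, "internet", "10.4.10.183", "firefox"))  # re-entry now blocked
    return retro, blocked
```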

Cisco AMP Everywhere Strategy Means Protection Across the Extended Network
• AMP for Endpoints: Windows OS, Android mobile, MAC OS, Virtual (*AMP for Endpoints can be launched from AnyConnect)
• AMP for Networks
• AMP on Cisco® ASA Firewall with FirePOWER Services
• AMP Private Cloud Virtual Appliance
• AMP on Web and Email Security Appliances
• AMP for Cloud Web Security (CWS) and Hosted Email
• AMP Threat Grid: malware analysis + threat intelligence engine, appliance or cloud

Cisco OpenDNS

Where do you enforce security?
Threats arriving from the Internet: malware, C2 callbacks, phishing.
• First line (perimeter): NGFW, NetFlow, proxy, AMP, sandbox, AV
• Mid layer: router/UTM, AV
• Last line (endpoint): AMP Endpoint, AV

Challenges:
• Too many alerts
• Wait until the payload reaches the target
• Too much time to deploy everywhere

Benefits:
• Malicious payloads never reach the target
• Alerts reduced 2-10x; improves your SIEM
• Provision globally in under 30 minutes

Cisco OpenDNS
• Umbrella (enforcement), resolver 208.67.222.222: categories MALWARE, C2 CALLBACK, PHISHING, CUSTOM (API); identity by INTERNAL IP, HOSTNAME, AD USER
• Investigate (intelligence), Security Labs: API over DOMAIN, IP, ASN, EMAIL, HASH; returns status & scores, references, relationships, attributions, patterns & GEOs

TALOS: We Keep Your Network Safe

Get real-time protection against global threats: Talos, http://www.talosintelligence.com/

Threat Intelligence:
• 1.5 million daily malware samples
• 16 billion daily web requests
• 600 billion daily email messages

Security coverage: endpoints, web / email, networks, devices, WWW, NGIPS

Research and response: 250+ researchers, 24 x 7 x 365 operations
• Identify advanced threats
• Get specific intelligence
• Catch stealthy threats
• Stay protected with updates

Security is Cisco’s #1 priority
• #1 market share in network security (1)
• 99% threat detection rate with AMP (2)
• A Gartner Magic Quadrant LEADER in email security, web security & network access (3)

(1) Network Security Appliances & Software, 4Q14 Market Share Report, Infonetics, March 2015
(2) NSS Labs’ Security Value Map for Breach Detection Systems, 2014
(3) Magic Quadrant for Secure Email Gateways, Gartner, July 2014; Magic Quadrant for Secure Web Gateways, Gartner, June 2014; Magic Quadrant for Network Access Control, Gartner, December 2014; Magic Quadrant for Intrusion Prevention Systems, Gartner, December 2014

Get started now with Cisco Secure Cloud Check out http://www.cisco.com/c/en/us/solutions/cloud/security.html for more information
