Cisco Secure Cloud – Security for the Cloud and Security from the Cloud
Markus Frey – Security Consulting System Engineer
19 October 2016 – 10th ITRIS Enterprise IT Security Day
Security Landscape
The Changing Landscape
• Devices / Users: anywhere / anything
• Network: Software Defined Networking
• Application: microservices architecture
• Compute: containers
• Storage: data virtualization
Vulnerabilities Stay Open For a LONG Time!!!! Critical and High Risk: 300-500 Days
Average Vulnerability Age By Industry:
• IT: 875 days
• Education: 460 days
• Retail: 456 days
• Food / Beverage: 417 days
• Healthcare: 406 days
• Financial Services: 365 days
• Manufacturing: 359 days
• Banking: 339 days
• Insurance: 317 days
• Entertainment / Media: 303 days
• Tech: 295 days
• Energy: 275 days
Reference – “WhiteHat Security WEB APPLICATIONS SECURITY STATISTICS REPORT 2016”
Data Breaches Are Costly!!!
• $105 – $365 per record lost
• $575B lost annually
• $3.79M average cost per security breach
Examples (records exposed):
• Registered voter records – 191 million
• Anthem – 80 million
• Securus – 70 million prisoner phone calls
• Ashley Madison – 37 million
• Office of Personnel Management – 21.5 million
• Experian – 15 million
• MacKeeper – 13 million
• VTech – 11.3 million
• Premera – 11 million
• Excellus – 10 million
The Changing Cloud Security Threats – The Treacherous Twelve
CSA Top Threats, rank per report year (a dash means the threat was not listed that year):

Threat                                                     2010   2013   2016
Data Breaches                                                5      1      1
Insufficient Identity, Credentials and Access Management     -      -      2
Insecure Interfaces and APIs                                 2      4      3
System Vulnerabilities                                       -      -      4
Account Hijacking                                            6      3      5
Malicious Insiders                                           3      6      6
Advanced Persistent Threats                                  -      -      7
Data Loss                                                    5      2      8
Insufficient Due Diligence                                   7      8      9
Abuse and Nefarious Use of Cloud Services                    1      7     10
Denial of Service                                            -      5     11
Shared Technology Issues                                     4      9     12

Source: Cloud Security Alliance - https://cloudsecurityalliance.org/download/the-treacherous-twelve-cloud-computing-top-threats-in-2016/
Cisco Security Midyear Cybersecurity Report www.cisco.com/go/mcr2016
What is Cloud Security?
Delivering integrated, consistent security policy:
• Data Center – keep workloads and valuable data secure
• Cloud – secure applications and data in the cloud, protect against threats, minimize compliance risk
• Users / Devices – enable secure access anywhere for anything
Shared Risk and Responsibility – Cloud Delivery Models
Delivery models: Private Cloud, IaaS, PaaS, SaaS
Stack layers shown for each model: Application, Data, Guest OS, Virtualization, Compute & Storage, Network, Facility
Each layer is owned either by the Tenant or by the Provider; the boundary between the two shifts with the delivery model, so the tenant must know which layers remain its own responsibility.
Foundations: Shared Responsibility • Cloud Standards • Compliance • TRUST
Cloud Security Standards and Controls • Frameworks • Security Control • Processes

ISO 27000 Series
• ISO 27001 (2013) – Establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)
• ISO 27018 (2014) – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• ISO 27017 (2015) – Code of practice for information security controls based on ISO/IEC 27002 for cloud services

Other frameworks and controls
• FISMA – NIST 800-53
• PCI-DSS – credit card data and processors protection
• HIPAA / HITECH – health care compliance controls
• SOC 1 / SOC 2 / SOC 3 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

Cloud Security Alliance
CSA Security, Trust & Assurance Registry (STAR)
CSA STAR is based upon two key research components of the CSA GRC Stack:
• Cloud Controls Matrix (CCM) – As a controls framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing. Currently 133 controls.
• Consensus Assessments Initiative Questionnaire (CAIQ) – Based upon the CCM, the CAIQ provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix and CSA best practices.
Security for the Cloud / Security from the Cloud

Cloud Deployment Models: Private Cloud, Hybrid Cloud, Public Cloud, alongside the corporate Data Center

New Control Points, Data Protection
• Users / Devices and Compute: stolen credentials, malware, spoofing, pivot
• DAM (Data-At-Motion): visible pipe, weak encryption, key compromise
• Applications: rogue / weak / dirty applications
• DAR (Data-At-Rest): data visibility, data loss
Secure your private cloud – Architecture Requirements
• Visibility • Enforcement • Data Protection • Shared Risk Model (Managed)

Secure your public cloud – Architecture Requirements
• Visibility • Enforcement • Data Protection • Shared Risk Model • Consistency

Secure your hybrid cloud – Architecture Requirements
• Visibility • Enforcement • Data Protection • Shared Risk Model • Consistency

[Architecture diagrams for the three models use the same building blocks: ASA/NGFW and DDoS protection at the Internet edge; Stealthwatch for visibility; ASAv/NGFWv inside each tenant space (private cloud, public cloud IaaS/PaaS/SaaS, cloud edge/IoT); CSRv in the public and hybrid diagrams; OpenDNS; AMP for users / devices; TrustSec and ISE in the Corporate Data Center; a Security Operations Center; Corporate IT.]
With security from the cloud and for the cloud
• Security for the cloud (virtual appliances deployed into the cloud): NGFWv, NGIPSv, ASAv, CSRv, AMP, Stealthwatch Cloud License, DDoS, OpenDNS
• Security from the cloud (cloud-delivered services): Cloud Email Security, OpenDNS Umbrella, Cisco Defense Orchestrator, Active Threat Analytics, Cognitive Threat Analytics, Cloud Web Security (CWS), Hosted Identity Service, AMP
• Cloud consumption services
Cisco NGFW – Firepower Threat Defense
Simplify with fully integrated threat defense to protect physical, virtual and cloud infrastructure
• Threat-focused: stop more threats, gain more insight, detect earlier and act faster
• Fully integrated: reduce complexity, get more from your network
• Functions: NGFW, Firewall, NGIPS, AMP, VPN, DDoS, URL Filtering, SSL, AVC
• Virtual: NGFWv
Protect your cloud data center at the edge
I want to… extend my trusted on-premises security to the cloud.
• Prepare: security feeds (URL | IP | DNS), TrustSec
• Define policies: HR, Finance, DevOps, in-house app; high availability, high bandwidth
• Uncover threats: SSL Decryption Engine, AVC, NGIPS, AMP file inspection, AMP Threat Grid
• Respond / Remediate: allow or block per data class (financial data, HR data)
[Diagram: Data Center Edge – Virtual Firewall – Cloud Data Center]
Improve scalability and control with ACI
I want to… protect the data center with consistent and targeted security policies.
• Integrated management: Application Policy Infrastructure Controller (APIC) with Firepower Management Center (AVC, NGIPS, white list policies) via the APIC APIs
• Set policies with the integrated management tool: allow / block, segmentation, multi-tenancy
• Detect threats with NGIPS using ACI fabric visibility
• Refine policies over time through activity analysis
[Diagram: spine / leaf ACI fabric with nodes – Host 1 running Application 1 (physical), Host 2 running Application 2 (physical), Host 3 running VMs]
Defend the network with Rapid Threat Containment
I want to… isolate compromised resources quickly before the problem grows.
• Firepower Management Center receives an alert of an intrusion event
• FMC issues a quarantine command to ISE over pxGrid
• ISE / TrustSec reassigns the endpoint from its normal tag (Employee, Guest, Supplier) to the Quarantine tag
• Automatic isolation: the network enforces the new tag everywhere the host connects
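As an added illustration of the containment flow above (this is example code written for this page, not Cisco code, and it calls no ISE, pxGrid or FMC API): endpoints carry a group tag, a policy matrix lists which (source tag, destination tag) pairs may communicate, and an intrusion alert moves the affected endpoint to the Quarantine tag so the next policy lookup isolates it wherever it connects. All IPs, tag names, resource names and the alert text are constructed sample data.

```python
# Added example, not Cisco code: a simulation of tag-based rapid threat
# containment. Every endpoint carries a group tag, a policy matrix says which
# (source tag, destination tag) pairs may talk, and an intrusion alert moves
# the affected endpoint to the Quarantine tag so the next policy lookup
# isolates it. IPs, tags, resources and the alert text are constructed.

# Policy matrix: (source tag, destination tag) -> allowed. Pairs not listed are denied.
POLICY = {
    ("Employee", "Finance-App"): True,
    ("Employee", "Internet"): True,
    ("Guest", "Internet"): True,
    ("Supplier", "Supplier-Portal"): True,
    ("Quarantine", "Remediation"): True,  # a quarantined host may only reach remediation
}


class ContainmentController:
    """Holds the endpoint-to-tag assignment and an ordered audit trail."""

    def __init__(self, endpoints):
        self.endpoints = dict(endpoints)  # ip -> tag (assumed to come from identity sessions)
        self.audit = []                   # (action, ip, detail) in the order it happened

    def is_allowed(self, src_ip, dst_tag):
        """Policy lookup for a flow from src_ip to a resource carrying dst_tag."""
        src_tag = self.endpoints.get(src_ip, "Unknown")
        return POLICY.get((src_tag, dst_tag), False)

    def handle_alert(self, alert):
        """Quarantine the source host of an intrusion event.

        alert: dict with 'event' and 'src_ip' (constructed shape, not a real
        message format). Returns the tag now assigned, or None when the host is
        not a known endpoint (nothing to re-tag, but the miss is logged).
        """
        ip = alert["src_ip"]
        if ip not in self.endpoints:
            self.audit.append(("ignored", ip, alert["event"]))
            return None
        old_tag = self.endpoints[ip]
        self.endpoints[ip] = "Quarantine"
        self.audit.append(("quarantine", ip, f"{old_tag} -> Quarantine: {alert['event']}"))
        return "Quarantine"

    def release(self, ip, tag):
        """Return a cleaned host to a normal tag; refuses to 'release' into Quarantine."""
        if tag == "Quarantine" or ip not in self.endpoints:
            return False
        self.endpoints[ip] = tag
        self.audit.append(("release", ip, f"Quarantine -> {tag}"))
        return True


def simulate_containment():
    """Employee laptop reaches Finance, an alert arrives, the laptop is isolated,
    remediation stays reachable, other endpoints are unaffected, then release."""
    ctl = ContainmentController({
        "10.1.1.25": "Employee",
        "10.1.2.7": "Guest",
        "10.1.3.9": "Supplier",
    })
    before = ctl.is_allowed("10.1.1.25", "Finance-App")
    alert = {  # constructed intrusion event as a console might forward it
        "event": "malware callback signature matched (constructed)",
        "src_ip": "10.1.1.25",
        "priority": 1,
    }
    new_tag = ctl.handle_alert(alert)
    return {
        "before": before,
        "new_tag": new_tag,
        "finance_after": ctl.is_allowed("10.1.1.25", "Finance-App"),
        "remediation_after": ctl.is_allowed("10.1.1.25", "Remediation"),
        "guest_unaffected": ctl.is_allowed("10.1.2.7", "Internet"),
        "unknown_host_ignored": ctl.handle_alert({"event": "probe", "src_ip": "192.0.2.9"}),
        "released": ctl.release("10.1.1.25", "Employee"),
        "finance_restored": ctl.is_allowed("10.1.1.25", "Finance-App"),
        "audit_actions": [action for action, _, _ in ctl.audit],
    }


if __name__ == "__main__":
    for key, value in simulate_containment().items():
        print(f"{key}: {value}")
```

The point the simulation makes is that containment is a single state change on the identity side: no per-switch ACL is rewritten, the host simply evaluates against the Quarantine row of the matrix from then on, and the audit trail records the alert that triggered it.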
Easily manage NGFWs across multiple sites – Firepower Management Center
Centralized management for multi-site deployments:
• Multi-domain management
• Role-based access control
• High availability
• APIs and pxGrid integration
• Security Intelligence
• Managed functions: Firewall & AVC, NGIPS, AMP
…Available in physical and virtual options
Manage across many sites • Control access and set policies • Investigate incidents • Prioritize response
Cisco AMP – Advanced Malware Protection

Cisco AMP Delivers A Better Approach
• Point-in-Time Protection: file reputation, sandboxing, and behavioral detection
• Retrospective Security: continuous analysis (unique to Cisco® AMP)

Cisco AMP Defends With Reputation Filtering And Behavioral Detection
• Point-in-Time Detection – Reputation Filtering: one-to-one signature, fuzzy finger-printing, machine learning
• Point-in-Time Detection – Behavioral Detection: indications of compromise, dynamic analysis, device flow correlation, advanced analytics
• Continuous Protection – Retrospective Security, backed by Cisco Collective Security Intelligence
Why Continuous Protection Is Necessary
Retrospective Security, backed by Cisco Collective Security Intelligence
• Breadth and control points: WWW, Email, Web, Endpoints, Network, Gateways, Devices
• Telemetry stream (continuous feed): file fingerprint and metadata, file and network I/O, process information
• Talos + Threat Grid intelligence
• Continuous analysis
Cisco AMP for Networks (NGFW / NGIPS)
• AMP for Networks sensor, managed by FMC
• Detection engines: 1-1 SHA, ETHOS, SPERO, PING2
• Threat score poked to the AMP Public Cloud; files submitted to the Threat Grid Cloud

Cisco AMP for Endpoints
• Detection engines: 1-1 SHA, ETHOS, SPERO, PING2
• Threat score poked to the AMP Public Cloud; files submitted to the Threat Grid Cloud
• Platforms: Windows XP SP3, Windows 7/8/10, Windows Server 2003/2008/2012, OSX 10.82, Android 4.03, Redhat Ent 6, CentOS 6.4
How Cisco AMP Works: Network File Trajectory Use Case
• An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox.
• At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
• Seven hours later the file is transferred to a third device (10.3.4.51) using an SMB application.
• The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
• The Cisco Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
• At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
• 8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
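The use case above, replayed as an added example (this is code written for this page, not Cisco code, and it models the workflow rather than any AMP API): every host a file hash is seen on is recorded as a hop, and when the verdict for that hash later flips to malicious, one retrospective event is raised per host in the trajectory; hosts that run an endpoint connector act on it, and the inline sensor blocks the file on its next appearance. The IPs and intervals follow the slide; the hash value, the clock time of the first hop and of the re-entry, and which host runs the connector are constructed assumptions.

```python
# Added example, not Cisco code: a minimal model of the file-trajectory and
# retrospective-security workflow. The hash, the first-hop and re-entry times,
# and the connector host are constructed assumptions; IPs follow the slide.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ts: str      # clock time HH:MM on one day
    host: str    # host on which the file appeared
    sha256: str  # file fingerprint
    via: str     # how it arrived (browser download, SMB copy, ...)


class FileTrajectory:
    """Where each hash has been seen, plus the latest cloud verdict per hash."""

    def __init__(self):
        self.seen = defaultdict(list)  # sha256 -> [Observation, ...] in arrival order
        self.verdict = {}              # sha256 -> "unknown" | "clean" | "malicious"
        self.retro_events = []         # (sha256, host) raised when a verdict flips

    def observe(self, obs):
        """Record a transfer. A known-bad hash is blocked inline and not added as a
        new hop; anything else is allowed and appended to the trajectory."""
        if self.verdict.get(obs.sha256) == "malicious":
            return "block"
        self.seen[obs.sha256].append(obs)
        self.verdict.setdefault(obs.sha256, "unknown")
        return "allow"

    def update_verdict(self, sha256, new_verdict):
        """Apply a new cloud verdict. On a change to malicious, raise one
        retrospective event per distinct host that already holds the file."""
        old = self.verdict.get(sha256, "unknown")
        self.verdict[sha256] = new_verdict
        raised = []
        if new_verdict == "malicious" and old != "malicious":
            hosts = []
            for obs in self.seen[sha256]:
                if obs.host not in hosts:  # first-seen order, one event per host
                    hosts.append(obs.host)
            raised = [(sha256, h) for h in hosts]
            self.retro_events.extend(raised)
        return raised

    def trajectory(self, sha256):
        """Ordered hops (time, host, via) for a hash, as a trajectory view lists them."""
        return [(o.ts, o.host, o.via) for o in self.seen[sha256]]


SAMPLE_SHA = "constructed-sha256-placeholder"  # not a real hash
CONNECTOR_HOSTS = {"10.5.60.66"}  # assumed: the host that runs the endpoint connector


def replay_use_case():
    """Replay the four-hop spread, the verdict change and the re-entry attempt."""
    ft = FileTrajectory()
    hops = [
        Observation("10:50", "10.4.10.183", SAMPLE_SHA, "Firefox download"),  # time assumed
        Observation("10:57", "10.5.11.8", SAMPLE_SHA, "transfer from 10.4.10.183"),
        Observation("17:57", "10.3.4.51", SAMPLE_SHA, "SMB copy"),   # seven hours later
        Observation("18:27", "10.5.60.66", SAMPLE_SHA, "SMB copy"),  # half an hour later
    ]
    first_pass = [ft.observe(h) for h in hops]          # unknown at the time: all allowed
    retro = ft.update_verdict(SAMPLE_SHA, "malicious")  # the cloud learns the file is bad
    # Only hosts with a connector can act on the retrospective event locally.
    quarantined = [h for _, h in retro if h in CONNECTOR_HOSTS]
    # The same file tries the original entry point again, 8 hours after the first hop.
    reentry = ft.observe(Observation("18:50", "10.4.10.183", SAMPLE_SHA, "Firefox download"))
    return {
        "first_pass": first_pass,
        "retro_hosts": [h for _, h in retro],
        "quarantined": quarantined,
        "reentry": reentry,
        "hops_recorded": len(ft.trajectory(SAMPLE_SHA)),
    }


if __name__ == "__main__":
    for key, value in replay_use_case().items():
        print(f"{key}: {value}")
```

What the model makes visible is why the trajectory has to be kept for files that were allowed: the point-in-time decision at each hop was correct given what was known, and the only way to reach the three downstream hosts after the verdict changes is to have recorded every hop while the file still looked unknown.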
Cisco AMP Everywhere Strategy Means Protection Across the Extended Network
• AMP for Endpoints – Windows OS, Android mobile, Mac OS, virtual (*AMP for Endpoints can be launched from AnyConnect)
• AMP for Networks
• AMP on Cisco® ASA Firewall with FirePOWER Services
• AMP Private Cloud Virtual Appliance
• AMP on Web and Email Security Appliances
• AMP for Cloud Web Security (CWS) and Hosted Email
• AMP Threat Grid – malware analysis + threat intelligence engine, appliance or cloud
Cisco OpenDNS
Where do you enforce security?
• First line (Internet / DNS layer, OpenDNS): malware, C2 callbacks, phishing
• Mid layer (perimeter): NGFW, NetFlow, proxy, sandbox, router / UTM, AV
• Last line (endpoint): AV, AMP for Endpoints
Challenges of enforcing only at the mid and last line:
• Too many alerts and traffic via appliances and AV
• Wait until payload reaches target
• Too much time to deploy everywhere
Benefits of enforcing at the first line:
• Malicious payloads never reach target
• Alerts reduced 2-10x; improves your SIEM
• Provision globally in under 30 minutes
Cisco OpenDNS
• Umbrella (Enforcement) – resolver 208.67.222.222; categories: malware, C2 callback, phishing, custom (API); identity: AD user, hostname, internal IP
• Investigate (Intelligence) – Security Labs; API over domain, IP, ASN, email, hash; returns status & scores, references, relationships, attributions, patterns & geos
TALOS – We Keep Your Network Safe
Get real-time protection against global threats – Talos: http://www.talosintelligence.com/
Threat Intelligence:
• 1.5 million daily malware samples
• 16 billion daily web requests
• 600 billion daily email messages
• 250+ researchers
• 24 x 7 x 365 operations
Security coverage: endpoints, WWW, NGIPS, web / email, networks, devices
Research and response: identify advanced threats, get specific intelligence, catch stealthy threats, stay protected with updates
Security is Cisco’s #1 priority
• #1 market share in network security¹
• 99% threat detection rate with AMP²
• A Gartner Magic Quadrant LEADER in email security, web security & network access³

¹ Network Security Appliances & Software, 4Q14 Market Share Report, Infonetics, March 2015
² NSS Labs’ Security Value Map for Breach Detection Systems, 2014
³ Magic Quadrant for Secure Email Gateways, Gartner, July 2014; Magic Quadrant for Secure Web Gateways, Gartner, June 2014; Magic Quadrant for Network Access Control, Gartner, December 2014; Magic Quadrant for Intrusion Prevention Systems, Gartner, December 2014

Get started now with Cisco Secure Cloud – check out http://www.cisco.com/c/en/us/solutions/cloud/security.html for more information