Post on 13-Aug-2015
Ben Munroe and Nitin Kumar
Learn how to achieve safe cloud app usage
Cisco Cloud Access Security with Elastica
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Every time you adopt a new technology, you have to secure it
You wouldn’t run your business without email
And you wouldn’t use email without security
As your business adopts cloud apps
You must secure them
Cloud apps are becoming an essential part of business
How are you protecting them?
Remote access
Agility and speed
Better collaboration
Improved productivity
Cost effective
Sensitive data leakage
Compliance risks
Insider risk
Malware & viruses
Understand the risk of cloud apps in your business
Shadow IT: Use of unsanctioned apps
This is a problem because your IT department:
• Can’t see what apps are used
• Aren’t able to identify risky apps
• Are powerless to set informed app controls
72% of employees admit to using unapproved apps (1)
26% of IT depts use 6 or more unapproved apps (2)
35% of enterprise IT spend in 2015 will be managed outside of IT departments (3)
Source: 1 CIO Insight; 2,3 Gartner
Understand the risk of data usage in cloud apps
Shadow IT: Use of unsanctioned apps
Shadow Data: Use of sanctioned apps in unsanctioned ways
This is a problem because your IT department:
• Can’t stop data leakage and compliance risks
• Aren’t able to block inbound risky content
• Are unable to stop risky users and activities
90% of organizations lost sensitive data via file sharing (1)
72% of apps have risks if not properly used (2)
185 files per user are broadly shared across organizations (3)
Source: 1 Ponemon, 2013 Cost of Data Breach Study; 2 CIO Insight; 3 Elastica
Don’t count on app providers to secure your information
(Diagram: Businesses, App Providers, Cloud Apps)
75% of mobile apps fail basic security tests (1) … and they can’t control your user behavior
Source: 1 Gartner
Cloud access security is your responsibility
(Diagram: Businesses, App Providers, Cloud Apps)
Cisco with Elastica can help
SaaS Visibility
Monitor cloud app usage in real time
Extended Granular Control
Gain control of a cloud-first, mobile-first world
Intelligent Protection
Combat evolving threats using data science
View activities in real time
IT gains full visibility into all cloud app usage
Identify and evaluate all cloud apps with their risks
Know how and what data users share in real time
See every cloud app transaction on a dynamic, intuitive user interface
Identify malware
SaaS Visibility
Manage a cloud-first, mobile-first world
IT control extends to every cloud app transaction
Choose what cloud apps to sanction
Manage data sharing with global policies across any cloud app
Take critical actions through a centralized SOC style dashboard
Block risky activities in real time
Extended Granular Control
Combat evolving threats
Stay ahead of threats using data science power
Prioritize business-ready cloud apps
Classify content dynamically with semantic analysis
Analyze root cause of threats with incident reconstruction
Detect malware and attacks with machine learning mechanisms
Intelligent Protection
Cisco Cloud Access Security with Elastica CloudSOC™ (architecture diagram)
Reports & Analysis: Shadow IT Risk Assessment Report, Business Readiness Rating™, Audit Score, Shadow Data Risk Assessment
Analytics engines: StreamIQ™, ThreatScore™, ContentIQ™
Cloud SOC policy functions: Audit, Detect, Protect, Investigate, applied Before, During and After an incident
Traffic and log sources: WSA, ASA and other appliances (in collaboration with Cisco); Securlet™ and Gateway into the cloud apps
Security Operations Center: analyze & control across Data, Account and User
Powerful Architecture for Cloud Access Security
Cisco CAS by Elastica: Comprehensive Cloud App Security Stack
• AUDIT Shadow IT and Data Risk
• DETECT exploitations of cloud app accounts
• PROTECT against intrusions in cloud app accounts
• INVESTIGATE incidents and respond
Engines: StreamIQ™, ContentIQ™, ThreatScore™
Inputs:
• Proxy Logs (WSA, CWS & more). Methods: 1. SCP/SFTP log import 2. Direct upload (manual) 3. On premises VA
• App Traffic via Gateway. Methods: 1. Proxy chaining 2. PAC file
• Cloud App APIs (Securlets)
Use Case 1: customer wants to understand the Cloud app usage in their business
On-premises Logs: WSA Log Export. Methods: 1. Log import using SCP or SFTP 2. Direct upload (manual) 3. SpanVA
Cisco CAS by Elastica: Comprehensive Cloud App Security Stack
• AUDIT Shadow IT and Data Risk
Use Case 1: Audit Deployment Methods
• Direct to Cloud: the WSA pushes its logs over SCP or SFTP across the perimeter to CloudSOC (Audit)
• On Prem Virtual Appliance: logs reach the appliance by SCP/SFTP, Syslog or an SCP/FTP file share, and the appliance forwards them over HTTPS across the perimeter to CloudSOC (Audit)
Audit Support for Cisco WSA
• Two main WSA log file subscriptions used by most administrators are Access Log and W3C Access Log, which record all Web Proxy traffic.
• These logs can be configured to either
  • FTP them onto the Appliance
  • FTP them onto an FTP server
  • SCP push
  • Syslog push
• Minimum supported WSA version: AsyncOS 7.7
WSA Configuration: Log Formats
• Access Logs:
• Access: Raw (FTP)
#Fields: %t %e %a %w/%h %s %2r %A %H/%d %c %D %Xr %?BLOCK_SUSPECT_USER_AGENT,MONITOR_SUSPECT_USER_AGENT?%<User-Agent:%!%-%.
1415047174.449 196 192.168.1.117 TCP_MISS/200 3323 GET https://dropbox.com/_remote/?m_id=MediaRemoteInstance&&instance_id=26361fd9-6e5d-337d-8063-b181309f65b4&lead_id=6f7f6100-be1b-3001-8275-276fa52c4f97 - DIRECT/dropbox.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",135.63,0,-,"-","-"> -
• Access: Syslog
Oct 22 15:05:26 192.168.1.143 accesslogs: #Version: 1.0_#Date: 2014-10-22 15:05:27_#System: 192.168.1.143 - mgmt.ironport.elastica.local_#Software: AsyncOS for Web 7.7.0-761_#Fields: %t %e %a %w/%h %s %2r %A %H/%d %c %D %Xr %?BLOCK_SUSPECT_USER_AGENT,MONITOR_SUSPECT_USER_AGENT?%<User-Agent:%!%-%._
Oct 22 15:10:54 192.168.1.143 accesslogs: Info: 1414015852.062 224 192.168.1.61 TCP_MISS/200 58471 GET http://www.dropbox.com/ - DIRECT/www.dropbox.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",2088.25,0,-,"-","-"> -
• W3C Logs:
• W3C: Raw (FTP)
#Fields: timestamp x-elapsed-time c-ip sc-result-code sc-http-status sc-bytes cs-method cs-url cs-username s-hierarchy s-hostname cs-mime-type x-acltag x-result-code x-suspect-user-agent
1415057846.023 222 192.168.1.117 TCP_CLIENT_REFRESH_MISS 200 1540 POST http://us-west-2.console.aws.amazon.com/xa/dealcontent/v2/GetDealStatus?nocache=1415057845571 - DIRECT us-west-2.console.aws.amazon.com application/json DEFAULT_CASE_12-DefaultGroup-DefaultGroup-
• W3C: Syslog
Nov 3 13:53:02 192.168.1.143 sk_w3c: #Version: 1.0_#Date: 2014-11-03 13:53:02_#System: 192.168.1.143 - mgmt.ironport.elastica.local_#Software: AsyncOS for Web 7.7.0-761_#Fields: timestamp x-elapsed-time c-ip sc-result-code sc-http-status sc-bytes cs-method cs-url cs-username s-hierarchy s-hostname cs-mime-type x-acltag x-result-code x-suspect-user-agent_
Nov 3 13:53:14 192.168.1.143 sk_w3c: Info: 1415051592.801 169 192.168.1.117 TCP_MISS 200 387 GET http://us-west-2.console.aws.amazon.com/1/batch/1/OP/ATVPDKIKX0DER:181-8582357-6795158:1809Q9620X7X4F45Z5DR$uedata=s:%2Fuedata%2Fnvp%2Funsticky%2F181-8582357-6795158%2FGateway%2Fntpoffrw%3Ful%26v%3D0.64.0%26id%3D1809Q9620X7X4F45Z5DR%26ctb%3D1%26m%3D1%26sc%3D1809Q9620X7X4F45Z5DR%26pc%3D37002%26tc%3D- <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",18.32,0,-,"-","-">
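As an added illustration of what the Audit log import does with these W3C records (this is example code, not Cisco's or Elastica's), the Python below reads the #Fields header, splits each record into named columns, strips the syslog prefix where present, and tallies which client IPs reached which cloud-app hosts. The CLOUD_APPS catalogue and the SAMPLE lines are constructed for the example.

```python
# Added example (not Cisco's or Elastica's code): a minimal Shadow IT tally over
# WSA W3C access-log records. Field names follow the #Fields header shown above.
import re
from collections import Counter, defaultdict

# Constructed watch-list; a CASB would consult a full app catalogue instead.
CLOUD_APPS = {"dropbox.com": "Dropbox", "box.com": "Box",
              "console.aws.amazon.com": "AWS Console"}

# Syslog-wrapped records carry a "<date> <host> sk_w3c: Info: " prefix.
_SYSLOG_PREFIX = re.compile(r"^.*?\bsk_w3c: (?:Info: )?")


def parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = _SYSLOG_PREFIX.sub("", raw.strip())
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        if not line or line.startswith("#"):        # blank or directive line
            continue
        if fields is None:
            raise ValueError("record before #Fields header")
        values = line.split(None, len(fields) - 1)  # last column may hold spaces
        yield dict(zip(fields, values))


def app_of(hostname):
    """Map a proxied hostname to a catalogue entry by domain suffix."""
    for domain, name in CLOUD_APPS.items():
        if hostname == domain or hostname.endswith("." + domain):
            return name
    return None


def audit(lines):
    """Return {app: {client_ip: request_count}} for traffic to known cloud apps."""
    usage = defaultdict(Counter)
    for rec in parse_w3c(lines):
        name = app_of(rec.get("s-hostname", ""))
        if name:
            usage[name][rec["c-ip"]] += 1
    return {app: dict(ips) for app, ips in usage.items()}


# Constructed sample: one raw header, two raw records, one syslog-wrapped record.
SAMPLE = """\
#Fields: timestamp x-elapsed-time c-ip sc-result-code sc-http-status sc-bytes cs-method cs-url cs-username s-hierarchy s-hostname cs-mime-type x-acltag x-result-code x-suspect-user-agent
1415057846.023 222 192.168.1.117 TCP_MISS 200 1540 GET http://www.dropbox.com/ - DIRECT www.dropbox.com text/html DEFAULT_CASE_12-DefaultGroup - -
Nov 3 13:53:14 192.168.1.143 sk_w3c: Info: 1415051592.801 169 192.168.1.61 TCP_MISS 200 387 GET https://app.box.com/ - DIRECT app.box.com text/html DEFAULT_CASE_12-DefaultGroup - -
1415057850.100 30 192.168.1.117 TCP_MISS 200 512 GET http://www.example.org/ - DIRECT www.example.org text/html DEFAULT_CASE_12-DefaultGroup - -
""".splitlines()
```

Calling `audit(SAMPLE)` gives one entry per matched app with a per-client request count, which is the raw material a Shadow IT report aggregates.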
WSA Configuration: Enable Logging
WSA Configuration: Enable Logging
Elastica Configuration: Configure SCP
WSA Configuration: Configure SCP
SSH Key Configuration
Use Case 2: Securlet and Gateway Deployment Methods (Detect)
Securlet | Elastica Gateway
… and many more
Use Case 2: customer wants to apply acceptable use policy to Box cloud storage
Cloud App APIs (Securlets). Methods: 1. Purely API driven
Cisco CAS by Elastica: Comprehensive Cloud App Security Stack
• DETECT exploitations of cloud app accounts
• PROTECT against intrusions in cloud app accounts
• INVESTIGATE incidents and respond
Engines: StreamIQ™, ContentIQ™, ThreatScore™
Cloud Access Gateway Explained
Gateway vs API (Securlet)
• Policy remediation can take place in either the Elastica Gateway or via the application-specific API
• Gateway and API can be used in tandem; it is not an either/or situation
Gateway components
• There are three configuration components for enabling the gateway.
PAC File
• Directs traffic to gateway
• Standard browser setting
SSO Helper
• Browser plug-in
• Installs the first time a user hits the gateway
Gateway Certificate
• For SSLD
• Required for operation
Gateway Components: .PAC File, Gateway Certificate, SSO Helper
Future looking integrated architecture
Cisco CAS by Elastica: Comprehensive Cloud App Security Stack
• AUDIT Shadow IT and Data Risk
• DETECT exploitations of cloud app accounts
• PROTECT against intrusions in cloud app accounts
• INVESTIGATE incidents and respond
Engines: StreamIQ™, ContentIQ™, ThreatScore™
Inputs:
• Proxy Logs (WSA, CWS & more). Methods: 1. SCP/SFTP log import 2. Direct upload (manual) 3. On premises VA
• App Traffic via Gateway. Methods: 1. Proxy chaining 2. PAC file