How to securely connect user endpoints to network access, wireless or wired
Gyorgy Acs
Consulting Systems Engineer
Cisco
15. – 16. marec 2017| Cisco Connect | Portorož, Slovenija
Agenda
• Introduction – Using ISE in a Security Ecosystem
• Anomaly, Vulnerability and Threat Detection in Action
• Anomaly Detection with Profiling
• Posture assessment with ISE 2.2
• Threat-Centric NAC
• Identity, application and Cisco Stealthwatch
• Rapid Threat Containment
Incident Response challenge
Contextual awareness is key to security event prioritization and response.
A security event turns into a potential breach event, and the analyst then has to:
• Associate user to event (AAA logs)
• Associate user to authorization (IAM)
• Check endpoint posture (NAC)
• Where is it on the network? What kind of device is it? How do I mitigate? (no answer from any single tool)
Result: MANY SCREENS | DATA EXPLOSION | MISSING LINKS | EXPENSIVE FIX
Marty Roesch, Cisco Security VP, at RSA Conference 2016 (https://youtu.be/pafHZmWWGo8):
“Complexity is the enemy of security…
… a real platform is something that somebody else can develop code for, somebody else can integrate with in a fundamental way….”
Using ISE in a Security Ecosystem
[Diagram: ISE with EPS at the centre; endpoints at the access layer (branch, campus, guest, bad USB), distribution, data center and edge; pxGrid connecting ISE to Stealthwatch and FMC; NetFlow from the network; Internet and mobile provider at the edge]
Cisco Platform Exchange Grid (pxGrid)
Enable Unified Threat Response by Sharing Contextual Data
The ISE pxGrid controller shares context between the Cisco network and the Cisco and partner ecosystem: Who, What, When, Where, How, Posture, Threat, Vulnerability.
pxGrid enables these 4 scenarios (ISE 2.2)
1. CONTEXT TO PARTNER: ISE makes customer IT platforms user/identity, device and network aware (context flows from Cisco ISE to the eco-partner).
2. ENRICH ISE CONTEXT: the partner enriches ISE context, making ISE a better policy enforcement platform (context flows from the eco-partner to Cisco ISE).
3. THREAT MITIGATION: ISE enforces dynamic policies into the network based on the partner’s request (the eco-partner sends a mitigate action to Cisco ISE).
4. CONTEXT BROKERAGE: ISE brokers the customer’s IT platforms so they share data amongst themselves (context flows between eco-partners over pxGrid).
Publish or subscribe to specific topics
pxGrid is a pub/sub bus: ISE nodes can publish specific topics or subscribe to specific topics, and the pxGrid node lists the topics being published / subscribed.
Capabilities or Topics
• GridControllerAdminService: provides pxGrid services to subscribers
• Core: provides the pxGrid client the capability to query all the registered capabilities on the ISE pxGrid node
• AdaptiveNetworkControl: provides enhanced pxGrid ANC mitigation capabilities to subscribers
• EndpointProfileMetaData: provides pxGrid clients with available device information from ISE
• EndpointProtectionService: provides EPS/ANC pxGrid mitigation actions compatible with ISE 1.3/1.4
• TrustSecMetaData: provides pxGrid clients with exposed security group tag (SGT) information
• IdentityGroup: provides pxGrid clients with Identity Group information that may not be available via 802.1X authentications
• SessionDirectory: provides pxGrid clients with ISE-published session information, or available session objects
https://communities.cisco.com/docs/DOC-68291
Anomaly Detection
ISE 2.2 Profiling Enhancements: Anomalous Behavior Detection
Visibility Only and Dynamic Enforcement Options
Anomalous Behavior/Spoofing Detection in ISE 2.2 (Phase 1) offers a Visibility-Only option as well as a Remediation option (flag endpoints for policy change).
Detection is based on:
– Any change to DHCP Class
– Any change to access method (wired / wireless)
– Significant Operating System change (for example, Windows -> Apple iOS)
– Significant profile change (for example, a major change in classification such as Phone or Printer -> PC)
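The four detection rules above, as an added illustration that is not ISE code: it compares the attributes previously learned for an endpoint with those seen on a new session and maps the result to the visibility-only or remediation outcome. The attribute fields, the sample endpoint and the choice of which profile changes count as "significant" are this example's own assumptions.

```python
"""Constructed illustration of the ISE 2.2 anomalous-behaviour rules (not ISE code):
compare the attributes ISE learned for an endpoint with the attributes seen on a
new session and return the reasons it looks anomalous (empty list = normal)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class EndpointAttrs:
    mac: str
    dhcp_class: str      # DHCP class identifier, e.g. "MSFT 5.0"
    access_method: str   # "wired" or "wireless"
    os_family: str       # coarse OS family, e.g. "Windows", "Apple iOS"
    profile_class: str   # coarse profile class, e.g. "Phone", "Printer", "PC"


# Assumption for "significant profile change": a constrained device class
# (phone, printer) re-appearing as a general-purpose PC, as on the slide.
CONSTRAINED_CLASSES = {"Phone", "Printer"}


def detect_anomalies(known: EndpointAttrs, seen: EndpointAttrs) -> List[str]:
    """Return the slide's detection reasons that apply to this session."""
    if known.mac != seen.mac:
        raise ValueError("compare two observations of the same MAC address")
    reasons = []
    if known.dhcp_class != seen.dhcp_class:          # any DHCP class change
        reasons.append("dhcp-class-change")
    if known.access_method != seen.access_method:    # wired <-> wireless
        reasons.append("access-method-change")
    if known.os_family != seen.os_family:            # only family-level changes count
        reasons.append("os-change")
    if (known.profile_class in CONSTRAINED_CLASSES
            and seen.profile_class == "PC"):
        reasons.append("profile-change")
    return reasons


def decide(reasons: List[str], enforce: bool) -> str:
    """Visibility-only just records the anomaly; the remediation option flags
    the endpoint so an authorization policy can act on it."""
    if not reasons:
        return "normal"
    return "flag-for-policy-change" if enforce else "log-only"


# Constructed sample: a profiled "Printer" on a wired port later shows up on
# wireless announcing itself as a Windows PC, the spoofing pattern the slide targets.
KNOWN = EndpointAttrs("00:11:22:33:44:55", "HP Printer", "wired", "Printer OS", "Printer")
SEEN = EndpointAttrs("00:11:22:33:44:55", "MSFT 5.0", "wireless", "Windows", "PC")


def demo() -> str:
    return decide(detect_anomalies(KNOWN, SEEN), enforce=True)
```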
Posture assessment
Posture defines the state of compliance with the company’s security policy.
Posture Flow
1. AUTHENTICATE USER/DEVICE: posture Unknown / Non-Compliant?
2. QUARANTINE: limited access via VLAN / dACL / SGTs
3. POSTURE ASSESSMENT: check hotfix, AV, PIN lock, USB device, etc.
4. REMEDIATION: WSUS, launch app, scripts, MDM, antivirus update, etc.
5. AUTHORIZATION CHANGE: full access via VLAN / dACL / SGTs
App Inventory from ISE 2.2
Application Enforcement
An admin can create a requirement such that, if a malicious app is installed or running, all processes of application A are uninstalled/terminated.
The enforcement happens at:
• Initial posture
• PRA (Passive Reassessment) time
USB Condition and Remediation
USB checks are “dynamic”, i.e. enforced in real time, although the USB check can also be configured at the initial posture check or at Passive Reassessment (PRA) checks.
From AnyConnect 4.3 the Disk Encryption Policy is enforced.
ISE 2.1 only supports it for Windows.
[Screenshot: Pre-Canned Policy]
Threat Centric NAC explained
Reduce vulnerabilities, contain threats
Compromised endpoints spread malware by exploiting known vulnerabilities in the network:
1. Malware infection
2. Malware scans for vulnerable endpoints
3. Vulnerability detected
4. Infection spread
Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC) | Advanced Malware Protection (AMP)
Flag compromised and vulnerable hosts and limit access to a remediation segment:
• Cisco AMP reports “Threat detected” (IOC) for the compromised host
• A vulnerability scan reports the CVSS score for the vulnerable host
• Both are quarantined and remediated
Most endpoint AMP is deployed in ‘visibility only’ mode.
What is Threat Centric NAC?
Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation.
Inputs to Cisco ISE (from AMP, Qualys and CTA): STIX, threat events, CVSS, IOC, vulnerability assessments, threat notifications.
• Complements posture: vulnerability data tells the endpoint’s posture from the outside
• Expanded control driven by threat intelligence and vulnerability assessment data
• Faster response with automated, real-time policy updates based on vulnerability data and threat metrics
Network Access Policy: create ISE authorization policies based on the threat and vulnerability attributes (alongside Who, What, When, Where, How and Posture).
STIX over TAXII | Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC)
ISE 2.2
Vulnerability based access control: high-level flow
Components: Endpoint, Network Access Device, Cisco ISE 2.1, Qualys ScanGuard
1. Endpoint connects to the network
2. Initial limited authorization (VA-Scan)
3. ISE requests a VA scan for the endpoint
4. Qualys scans the endpoint for vulnerabilities
5. Qualys reports the CVSS score
6. CoA based on scan status (Full Access / Quarantine)
‘Vulnerable Endpoints’ based on Common Vulnerability Scoring System (CVSS)
• QID-90043 - SMB Signing Disabled or SMB Signing Not Required
• QID-95001 - X-Window Sniffing
• QID-38170 - SSL Certificate - Subject Common Name Does Not Match Server FQDN
• QID-38173 - SSL Certificate - Signature Verification Failed Vulnerability
• QID-38601 - SSL/TLS use of weak RC4 cipher
• QID-90882 - Windows Remote Desktop Protocol Weak Encryption Method Allowed
Authorization Profile
Limited initial access; scan for vulnerability every 48 hours.
CTA – ISE Integration
Cisco ISE integrates with the Cisco CTA (Cognitive Threat Analytics) cloud, which offers TAXII services that carry threat incidents as payload in the STIX standard (STIX, threat events, threat notifications).
Communication: the CTA adapter interacts with the TC-NAC core engine via REST APIs and the AMQP message queues.
Faster response with automated, real-time policy updates based on STIX data.
CTA impact qualifications: Unknown, Insignificant, Distracting, Painful, Damaging, Catastrophic.
Network Access Policy: STIX over TAXII | Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC)
Cognitive Threat Analytics: CTA
What is STIX?
STIX (Structured Threat Information eXpression) is a standardized XML-based language for conveying data about cyber security threats in a common language that can be easily understood by humans and security technologies.
Source: https://stixproject.github.io/about/
• Indicators: describe patterns for what might be seen and what they mean if they are.
• Incidents: describe instances of specific adversary actions.
• Courses of Action: describe response actions that may be taken in response to an attack or as a preventative measure.
{
  "192.168.10.10": {
    "vendor": "CTA",
    "incident": {
      "Course_Of_Action": "Internal Blocking",
      "Impact_Qualification": "Catastrophic",
      "Confidence": "High"
    },
    "title": "Microsoft Outlook attack",
    "time-stamp": "1473985383762"
  }
}
TC-NAC with AMP configuration
The configuration is nearly identical for most deployments: Administration > Threat Centric NAC > Third Party Vendors
Authorization Policy
Authorization policy for ‘vulnerability’: initial ‘limited access’ + vulnerability scan.
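How the CTA incident payload and the Qualys CVSS score feed such an authorization decision, as an added example that is not ISE's own policy engine: it parses the payload shape shown earlier in the deck, ranks the CTA impact qualification, and applies the limited-access / 48-hour rescan / quarantine / full-access outcomes. The rule order, the thresholds (Painful, CVSS 7.0) and the second, low-impact host are this example's assumptions.

```python
"""Constructed TC-NAC decision example (not ISE code): turn the CTA incident
payload and the Qualys CVSS score into the authorization outcome the deck
describes (limited access + VA scan, quarantine, or full access)."""
import json
from typing import Optional

# Impact qualifications from the CTA slide, ordered weakest to strongest.
IMPACT_ORDER = ["Unknown", "Insignificant", "Distracting",
                "Painful", "Damaging", "Catastrophic"]

# First host is the payload shown on the slide; the second is constructed.
CTA_PAYLOAD = """{
  "192.168.10.10": {"vendor": "CTA",
    "incident": {"Course_Of_Action": "Internal Blocking",
                 "Impact_Qualification": "Catastrophic", "Confidence": "High"},
    "title": "Microsoft Outlook attack", "time-stamp": "1473985383762"},
  "192.168.10.11": {"vendor": "CTA",
    "incident": {"Course_Of_Action": "Monitoring",
                 "Impact_Qualification": "Distracting", "Confidence": "Low"},
    "title": "constructed low-impact event", "time-stamp": "1473985400000"}
}"""


def impact_rank(cta: dict, ip: str) -> int:
    """Rank of the host's Impact_Qualification, or -1 if CTA reported nothing."""
    entry = cta.get(ip)
    if entry is None:
        return -1
    return IMPACT_ORDER.index(entry["incident"]["Impact_Qualification"])


def authorize(ip: str, cta: dict, cvss: Optional[float], scan_age_h: Optional[float],
              min_impact: str = "Painful", min_cvss: float = 7.0,
              rescan_h: float = 48.0) -> str:
    """Assumed rule order: compromised -> scan needed -> vulnerable -> full access.
    The thresholds are this example's own assumptions, not ISE defaults."""
    if impact_rank(cta, ip) >= IMPACT_ORDER.index(min_impact):
        return "Quarantine"                 # compromised (threat attribute)
    if scan_age_h is None or scan_age_h > rescan_h:
        return "Limited Access + VA-Scan"   # initial or stale: request scan, await CoA
    if cvss is not None and cvss >= min_cvss:
        return "Quarantine"                 # vulnerable (CVSS attribute)
    return "Full Access"


def demo() -> dict:
    cta = json.loads(CTA_PAYLOAD)
    return {
        "compromised": authorize("192.168.10.10", cta, cvss=2.0, scan_age_h=1.0),
        "never-scanned": authorize("192.168.10.11", cta, cvss=None, scan_age_h=None),
        "stale-scan": authorize("192.168.10.11", cta, cvss=3.1, scan_age_h=72.0),
        "vulnerable": authorize("192.168.10.11", cta, cvss=9.8, scan_age_h=5.0),
        "clean": authorize("192.168.10.11", cta, cvss=3.1, scan_age_h=5.0),
    }
```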
TC-NAC service on ISE
Nodes: PSN, PAN, MnT. The TC-NAC service runs in the Policy Services Node (PSN) when enabled; the Threat Centric NAC context attributes appear in the Policy Administration Node (PAN).
‘Compromised Endpoints’ based on Incidents and Indicators
Identity, application and Cisco Stealthwatch
The Cyber Kill Chain (based on Lockheed Martin’s Cyber Kill Chain)
1. Reconnaissance: harvest information to create attack strategy and toolset
2. Weaponization: coupling exploit with backdoor into deliverable payload
3. Delivery: delivering weaponized bundle to the victim via email, web, USB, etc.
4. Exploitation: exploiting a vulnerability to execute code on victim’s system
5. Installation: installing malware on the asset
6. Command & Control: command channel for remote manipulation of victim’s system
7. Actions on Objectives: with ’Hands on Keyboard’ access, intruders accomplish
Cisco StealthWatch: System Overview
• Network devices export NetFlow / NBAR / NSEL to the StealthWatch FlowCollector
• StealthWatch FlowCollector: collect and analyze; up to 4,000 sources; up to 240,000 FPS sustained
• StealthWatch FlowSensor: generates NetFlow from a SPAN feed for non-NetFlow capable devices
• StealthWatch Management Console (SMC): management and reporting; up to 25 FlowCollectors; up to 6 million FPS globally
Stealthwatch Alarm Categories
There are 11 high-level alarm categories, mapping to the kill chain or the attack lifecycle. Each category accrues points.
Traffic Analysis without Identity: Who is the sender? Shows an IP address. Yes, useful, but…
Traffic Analysis with Identity: Who is the sender? Employee1. More useful, right?
AnyConnect NVM with Cisco Stealthwatch
• HTTPS unclassified, now known
• Application identified – Dropbox
• Application hash – who else is running it?
• Identity – nedzaldivar (even without ISE or identity, from a non-domain asset)
RTC w/ Stealthwatch & ISE
Components: FMC, Controller, WWW, NGFW, i-Net, Flow Collector, Stealthwatch
1. SW is analyzing flows from the Flow Collector
2. SW is also merging identity data from ISE
3. Admin is alerted of suspicious behavior
4. Admin initiates endpoint quarantine (EPS over pxGrid)
5. Endpoint assigned quarantine + CoA-Reauth sent
6. New traffic rules apply to the new state of the endpoint
6a. Could deny access (ingress)
6b. Could filter it within the network (egress)
Give The Right People On The Right Devices The Right Access To The Right Resources (TrustSec)
Example identities: Who: Guest, What: iPad, Where: Office | Who: Receptionist, What: iPad, Where: Office | Who: Doctor, What: Laptop, Where: Office
Example resources: Internet | Internal Employee Intranet | Confidential Patient Records
• Define Security Groups and Access Policies Based on Business Roles
• Implement Granular Control on Traffic, Users, and Assets
• Enforce Business Role policies for All Network Services and Decisions
Multiple TrustSec & DEFCON Matrices
Multiple levels of “failsafe” policy sets; stops lateral movement.
Rapid Threat Containment
FMC 6.1 with pxGrid (Firepower + ISE) is supported as an integrated solution
No pxGrid connection agent / external remediation module is needed any more
Session information is obtained from ISE via pxGrid
SGTs can be used in FMC 6.1 access control policies
ISE remediation capabilities:
– Quarantine, Un-quarantine (VLAN, dACL, SGT), port shutdown
Quarantine actions are triggered per policy with FMC and ISE
Infected users can be notified and redirected to a portal for remediation
pxGrid Clients authenticate and subscribe to the Grid
• The pxGrid subscriber (e.g. FMC) authenticates to the ISE pxGrid node using self-signed or CA-signed certificates
• It subscribes to topics or issues direct queries
• It communicates over TCP/5222 to the ISE pxGrid node
Automating Response – FMC Remediation API
Event sources: Intrusion Events, Discovery Events, User Activity, Host Inputs, Connection Events, Traffic Profiles, Malware Events
Flow: Correlation Rules (boolean conditions) -> Correlation Policies -> Correlation Events -> Actions (API, Email, SNMP)
Remediation Modules:
• Cisco RTC
• Guidance Encase
• Set Host Attributes
• Security Intelligence Blacklisting
• Nmap Scan
• SSH / Expect Scripts
• F5 iRules
• Solera DeepSee
• Netscaler
• PacketFence
• Bradford
Remediation Options
• Quarantine: quarantines an endpoint based on source IP address
• portBounce: temporarily bounces the endpoint or host port
• Terminate: terminates the end-user session
• Shutdown: initiates a host port shutdown; this inserts a “shutdown” command on the switch port configuration
• reAuthenticate: re-authenticates the end-user
• UnQuarantine: un-quarantines the endpoint
Quarantine Service with Authorization Policy
Rapid Threat Containment with Firepower Management Center and ISE
Components: FMC, MnT, Controller, pxGrid controller, i-Net
1. Security events / IOCs reported
2. Correlation rules trigger remediation action
3. pxGrid EPS action: Quarantine + Re-Auth
4. Endpoint assigned quarantine + CoA-Reauth sent
Context Attributes Needed
• Username; AD group membership (?); MSE location
• AD domain name; endpoint profile; NDG location
• Assigned SGT; ISE ID groups (user / endpoint); Express raw EPG?
• Users’ DN; AD attributes; NSX group scraping?
• Certificate attributes & template ID (may have to allow SmartSearch editing)
• MDM management info (which MDM & state)
Session Directory
Information Sharing:
• pxGrid to Cisco only
• RADIUS for CDA compatibility
• No NAD communication
Input to ISE-PIC / ISE: AD (WMI), Syslog, REST API, SPAN, Kerberos, Terminal Services Agent, ISE-PIC Agent, Endpoint Probe (still there? same user?), almost anything
Output (pxGrid Pub/Sub Bus, Syslog & REST): Stealthwatch, FMC, ASA, OpenDNS, VA, APIC-EM, APIC-DC, Vision, WWW, Custom Apps
ISE or PIC
ISE Resources
http://cs.co/ise-design
Design guides focusing on ISE
• Deployment Strategy
• ISE Configuration
• Network Access Device Configuration
• Guest and Web Authentication
• Mobile Device Management (MDM)
• Cisco pxGrid
• Third-Party Integration
• etc.
http://cs.co/ise-community
Thank you!