Network as a Sensor and Enforcer. Matthew Robertson - Technical Marketing Engineer


2 Network as a Sensor and Enforcer Matthew Robertson - Technical Marketing Engineer

3 Why are we here today?

4 Managing the Insider Threat

5 Insider Threats

6 About This Session: Building Security into the Network THIS SESSION: Bringing it all together Identity Services Engine StealthWatch Security Group Tags NetFlow The Cisco Network The Cisco Network

7 Building Security into the Network Identify and control policy, behaviour and threats SGT: Enforce Group Policy NetFlow: Transactional data ISE: Discover assets & direct policy StealthWatch: Transactional visibility & intelligence Context sharing and dynamic response

8 Agenda Introduction Understanding the Landscape Components of Network Visibility Enforce Policy Design and Model Policy Discover and Classify Assets Segmenting the Network Active Monitoring Policy NBAD Rapid Threat Containment Summary

9 About Me: Your Master Builder for Today Matt Robertson Security Technical Marketing Engineer Focused on Advanced Threat Author of 3 CVDs 8 years at Cisco: development, TME, Lancope Sorry, also Canadian

10 Agenda Introduction Understanding the Landscape Components of Network Visibility

11 Segmentation begins with visibility: You can't protect what you can't see. Who is on the network and what are they up to?

12 ISE: Identifying the Who Authentication (host supplied): User & Device Authentication MAC Authentication bypass Web portal Authenticated Session Table Attributes Profile (collected): Infrastructure provided (DHCP, HTTP, etc) Signature based

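13 NetFlow: Identifying the what
[Figure: a flow to port 80 crossing interfaces eth0/1 and eth0/2, with its two flow records. Columns: Start Time, Interface, Src IP, Src Port, Dest IP, Dest Port, Proto, Pkts Sent, Bytes Sent, SGT, DGT, TCP Flags. Surviving row values: 10:20: eth0/ TCP SYN,ACK,PSH and 10:20: eth0/ TCP SYN,ACK,FIN]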

14 NetFlow = Transactional Visibility
A single NetFlow Record provides a wealth of information

  Router# show flow monitor CYBER-MONITOR cache
  IPV4 SOURCE ADDRESS:
  IPV4 DESTINATION ADDRESS:
  TRNS SOURCE PORT:
  TRNS DESTINATION PORT:            443
  INTERFACE INPUT:                  Gi0/0/0
  FLOW CTS SOURCE GROUP TAG:        100
  FLOW CTS DESTINATION GROUP TAG:   1010
  IP TOS:                           0x00
  IP PROTOCOL:                      6
  ipv4 next hop address:
  tcp flags:                        0x1A
  interface output:                 Gi0/1.20
  counter bytes:                    1482
  counter packets:                  23
  timestamp first:                  12:33:
  timestamp last:                   12:33:
  ip dscp:                          0x00
  ip ttl min:                       127
  ip ttl max:                       127
  application name:                 nbar secure-http

15 Components for NetFlow Security Monitoring
StealthWatch Management Console: Management and reporting; Up to 25 FlowCollectors; Up to 6 million fps globally
StealthWatch FlowCollector: Collect and analyse; Up to 2000 sources; Up to sustained 240,000 fps
UDP Director: UDP packet copier; Forward to multiple collection systems
StealthWatch FlowSensor (VE): Generate NetFlow data; Additional contextual fields (ex. App, URL, SRT, RTT)
NetFlow source: Cisco Network
Best Practice: Centralise collection globally

16 NetFlow Collection: Flow Stitching
Uni-directional flow records
[Figure: client port 1024 and server port 80, seen on interfaces eth0/1 and eth0/2. Columns: Start Time, Interface, Src IP, Src Port, Dest IP, Dest Port, Proto, Pkts Sent, Bytes Sent, SGT, DGT. Two TCP records starting at 10:20]
Bi-directional: Conversation flow record
[Columns: Start Time, Client IP, Client Port, Server IP, Server Port, Proto, Client Bytes, Client Pkts, Server Bytes, Server Pkts, Client SGT, Server SGT, Interfaces. One TCP record starting at 10:20 with interfaces eth0/1, eth0/2]
Allows easy visualisation and analysis

17 NetFlow Collection: De-duplication
[Figure: a flow from port 1024 to port 80 crossing Sw1, Sw2, ASA and Sw3]
[Columns: Start Time, Client IP, Client Port, Server IP, Server Port, Proto, Client Bytes, Client Pkts, Server Bytes, Server Pkts, App, Client SGT, Server SGT, Exporter/Interface/Direction/Action. One TCP HTTP record starting at 10:20]
Exporter, Interface, Direction, Action:
  Sw1, eth0, in
  Sw1, eth1, out
  Sw2, eth0, in
  Sw2, eth1, out
  ASA, eth1, in
  ASA, eth0, out, Permitted
  ASA, eth0, in, Permitted
  ASA, eth1, out
  Sw3, eth1, in
  Sw3, eth0, out
  Sw1, eth1, in
  Sw1, eth0, out
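
Flow stitching (slide 16) and de-duplication (slide 17) as an added example; this is not StealthWatch code and not from the original deck. It assumes the initiator is the source of the earliest record, takes the largest per-observation-point counter as the de-duplicated value, and uses constructed records with documentation-range addresses.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One uni-directional record as exported by one observation point."""
    exporter: str
    interface: str
    direction: str   # "in" or "out" relative to the interface
    start: float     # seconds since midnight
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    octets: int
    sgt: int         # source group tag
    dgt: int         # destination group tag


def conversation_key(r):
    """Same key for both directions: protocol plus the two sorted endpoints."""
    ends = sorted([(r.src_ip, r.src_port), (r.dst_ip, r.dst_port)])
    return (r.proto, ends[0], ends[1])


def stitch_and_dedup(records):
    """Merge uni-directional records from many exporters into conversations."""
    groups = defaultdict(list)
    for r in records:
        groups[conversation_key(r)].append(r)

    conversations = []
    for recs in groups.values():
        # Assumption: the client is the source of the earliest record;
        # on a timestamp tie the higher source port is taken as the client.
        first = min(recs, key=lambda r: (r.start, -r.src_port))
        client = (first.src_ip, first.src_port)
        server = (first.dst_ip, first.dst_port)
        # counters[side][observation point] = [bytes, packets]
        counters = {"client": defaultdict(lambda: [0, 0]),
                    "server": defaultdict(lambda: [0, 0])}
        for r in recs:
            side = "client" if (r.src_ip, r.src_port) == client else "server"
            point = (r.exporter, r.interface, r.direction)
            counters[side][point][0] += r.octets
            counters[side][point][1] += r.pkts

        def dedup(side, idx):
            # Every point saw the same packets, so count them once:
            # take the largest per-point total instead of summing points.
            return max((c[idx] for c in counters[side].values()), default=0)

        conversations.append({
            "start": first.start, "proto": first.proto,
            "client": client, "server": server,
            "client_bytes": dedup("client", 0), "client_pkts": dedup("client", 1),
            "server_bytes": dedup("server", 0), "server_pkts": dedup("server", 1),
            "client_sgt": first.sgt, "server_sgt": first.dgt,
            "exporters": sorted({r.exporter for r in recs}),
            "records_merged": len(recs),
        })
    return sorted(conversations, key=lambda c: (c["start"], c["client"]))


def _seen(exporter, in_if, out_if, start, src, dst, pkts, octets, sgt, dgt):
    """Constructed helper: one flow direction entering and leaving a device."""
    return [FlowRecord(exporter, in_if, "in", start, *src, *dst, "TCP", pkts, octets, sgt, dgt),
            FlowRecord(exporter, out_if, "out", start, *src, *dst, "TCP", pkts, octets, sgt, dgt)]


# Constructed sample: one HTTP conversation seen by three devices on the path,
# plus one unrelated one-way flow seen by a single switch.
CLIENT, SERVER = ("192.0.2.10", 1024), ("198.51.100.20", 80)
SAMPLE = []
for name, inside, outside in [("Sw1", "eth0", "eth1"), ("Sw2", "eth0", "eth1"),
                              ("ASA", "eth1", "eth0")]:
    SAMPLE += _seen(name, inside, outside, 37200.0, CLIENT, SERVER, 5, 1025, 100, 1010)
    SAMPLE += _seen(name, outside, inside, 37200.1, SERVER, CLIENT, 17, 28712, 1010, 100)
SAMPLE.append(FlowRecord("Sw1", "eth0", "in", 37260.0, "192.0.2.11", 40000,
                         "198.51.100.20", 443, "TCP", 3, 180, 100, 1010))

if __name__ == "__main__":
    for conv in stitch_and_dedup(SAMPLE):
        print(conv)
```

Summing the raw records instead would report six times the real client byte count for the HTTP conversation, which is what de-duplication prevents.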

18 Adding Context and Situation Awareness Known Command & Control Servers NAT Events Application & URL Application User Identity URL & Username

19 Conversational Flow Record Who What Who When Where How More context Highly scalable (enterprise class) collection High compression => long term storage Months of data retention

20 Conversational Flow Record: Exporters Path the flow is taking through the network

21 NetFlow Analysis with StealthWatch: Discovery Identify business critical applications and services across the network Identify additional Indicators of Compromise (IoC) Policy & Segmentation Network Behaviour & Anomaly Detection (NBAD) Better understand / respond to an IOC: Audit trail of all host-to-host communication

22 Agenda Introduction Understanding the Landscape Components of Network Visibility Discover and Classify Assets Segmenting the Network

23 ISE as a Telemetry Source Maintain historical session table Correlate NetFlow to username Build User-centric reports Device/User Authentication Device Profiling StealthWatch Management Console syslog Cisco ISE Authenticated Session Table

24 Configuration: Logging on ISE
1. Create Remote Logging Target on ISE
2. Add Target to Logging Categories
Required Logging categories: Passed Authentications; RADIUS Accounting; Profiler; Administrative and Operational Audit

25 Configuration: Add ISE to SMC
1. (Not Shown) Create Admin User on ISE
2. (Not Shown) Configure ISE or CA certificate on SMC
3. (Not Shown) Configure SMC or CA certificate on ISE
4. Add Cisco ISE nodes to SMC Configuration
Order to add nodes:
  1. Primary MnT
  2. Secondary MnT
  3. Any PSNs

26 StealthWatch-ISE Attribution Configuration Follow these guides Lancope published: Cisco published:

27 Locate Services and Applications Search for assets based on transactional data: Ex. Protocol (HTTP Servers, FTP Server, etc) Identify servers

28 Locate Assets Find hosts communicating on the network Pivot based on transactional data

29 Host Groups: Applied Situational Awareness Virtual container of multiple IP Addresses/ranges that have similar attributes Lab servers Best Practice: classify all known IP Addresses in one or more host groups

30 Classify Assets with Host Groups User defined Model any Process/Application

31 Understand Behaviour List of all hosts communicating with HTTP Servers

32 Understand Behaviour Complete list of all hosts communicating with HTTP Servers: who, what, when, where, how

33 Classify Applications Classify business critical applications

34 Model Business Critical Processes PCI Zone Map Overall system profile Inter-system relationships

35 Simplifying Segmentation with TrustSec Traditional Segmentation Static ACL Routing Redundancy DHCP Scope Address VLAN Enterprise Backbone VACL Aggregation Layer Access Layer TrustSec Micro/Macro Segmentation Central Policy Provisioning No Topology Change No VLAN Change DC Servers Enterprise Backbone DC Firewall / Switch Policy Access Layer ISE Non-Compliant Voice Employee Supplier BYOD Voice Non-Compliant Employee Supplier BYOD Quarantine VLAN Voice VLAN Data VLAN Guest VLAN Security Policy based on Topology High cost and complex maintenance BYOD VLAN Employee Tag Supplier Tag Non-Compliant Tag Voice VLAN Data VLAN Use existing topology and automate security policy to reduce OpEx

36 Network Segmentation with TrustSec Segmentation based on roles Not based on IP addresses, VLANs etc Role based on context AD, LDAP attributes, device type, location, time, access methods, etc Use Tagging technology To represent logical group (Classification) To enforce policy on switches, routers, firewalls Software Defined Policy managed centrally Policy provisioned automatically on demand Policy invoked anywhere on the network dynamically Security Group: Manager Username: johnd Group: Store Managers Location: Store Office Time: Business Hour AUTHORISED PERSONNEL ONLY Enforcement Switches Routers Firewall DC Switch Hypervisor SW Resource

37 What TrustSec Provides Software defined Network Segmentation Context-based Data Access Agile Security Policy Changes and Simpler Management Context based Service Chaining

38 TrustSec Functions Classification Propagation Enforcement 5 Employee 6 Supplier 8 Suspicious A B 8 5 Static Dynamic Inline SXP SGACL SG-FW WSA

39 TrustSec in Action Application Servers Network Database Servers Classification Propagation Enforcement

40 Cisco TrustSec Segmentation Suppliers Employee Non Compliant Suppliers Employee Non Compliant Policy Enterprise Backbone Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers TrustSec simplifies ACL management for intra/inter-vlan traffic Supplier Policy Employee Non Compliant Voice Data Voice Data Voice Data

41 Campus Segmentation Segmented traffic based on classified group (SGT), not based on topology (VLAN, IP subnet) Micro-Segmentation with single policy (segment devices even in same VLAN) Suppliers Employee Non Compliant Suppliers Employee Non Compliant Filtered Access Supplier Employee Non Compliant

42 Agenda Introduction Understanding the Landscape Components of Network Visibility Design and Model Policy Discover and Classify Assets Segmenting the Network

43 Starting a TrustSec Design Discuss assets to protect Classification Mechanisms Policy Enforcement Points Propagation Methods Example: Cardholder Data, Medical Record, intellectual data Example: Dynamic, Static, etc. DC segmentation (DC virtual/ physical switches or virtual/physical Firewalls) User to DC access control (Identify capable switches or firewalls in the path) Inline Tagging SXP DM-VPN GET-VPN IPSec OTP etc..

44 Security Group Initial Considerations Unlike traditional segmentation/access control Adding dynamically assigned groups later with TrustSec should be easy No configuration impact on infrastructure Keep groups as simple as possible whilst still meeting policy requirements Should not be necessary to transfer complexity, e.g. extensive AD groups, into Security Groups Consider if all roles need a tag assigned? Remember that group membership may change

45 How to Tag Users / Devices? TrustSec decouples network topology and security policy to simplify access control and segmentation Classification process groups network resources into Security Groups User/Device/ Location Cisco Access Layer MAC PC Web Authentication Profiling MAB ISE IP-SGT NX-OS/ CIAC/ Hypervisors VLAN-SGT Port-SGT Data Centre/ Virtualisation 802.1X IOS/Routing Port Profile Address Pool-SGT IPv4 Subnet-SGT IPv6 Prefix-SGT IPv6 Prefix Learning IPv4 Prefix Learning Campus & VPN Access non-cisco & legacy environment Business Partners and Supplier Access Controls

46 Identify Where SGTs Need to be Assigned Dynamic Classification SVI (L3 Interface) to SGT L2 Port to SGT Campus Access Distribution Core DC Core DC Dist/Access Enterprise Backbone VLAN-SGT Mapping WLC FW Hypervisor SW Dynamic Classification Subnet-SGT VM (Port Profile) to SGT

47 Enabling Classifications If per-user authorisation is not in place Enabling VLAN, subnet, L3 Interface mappings can provide coarse classification initially Per-user authorisation and SXP can then override static classification Many systems may get Unknown SGT assignments initially Focus on the explicit classifications needed to meet policy Keeping classifications simple can mean days not weeks to enable

48 Deployment Approach
Users connect to network; Monitor mode allows traffic regardless of authentication
Authentication can be performed passively, resulting in SGT assignments
Classified traffic traverses the network, allowing monitoring and validation that:
  Assets are correctly classified
  Traffic flows to assets are as predicted/expected
[Diagram labels: Monitor Mode, Enterprise Network, Catalyst Switches/WLC]

SRC \ DST       | PCI Server (2000) | Prod Server (1000) | Dev Server (1010)
Employees (100) | Permit all        | Permit all         | Permit all
PCI User (105)  | Permit all        | Permit all         | Permit all
Unknown (0)     | Permit all        | Permit all         | Permit all

49 Configuring Inline Tagging
cts manual config for inline tagging generally used
cts dot1x alternative depends on AAA reachability - unless new critical auth feature used & timers set carefully

  interface TenGigabitEthernet1/5
   cts manual
    policy static sgt 2 trusted

Always shut and no shut interfaces after any cts manual or cts dot1x change

  C6K2T-CORE-1#sho cts interface brief
  Global Dot1x feature is Enabled
  Interface GigabitEthernet1/1:
      CTS is enabled, mode:    MANUAL
      IFC state:               OPEN
      Authentication Status:   NOT APPLICABLE
          Peer identity:       "unknown"
          Peer's advertised capabilities: ""
      Authorization Status:    SUCCEEDED
          Peer SGT:            2:device_sgt
          Peer SGT assignment: Trusted
      SAP Status:              NOT APPLICABLE
      Propagate SGT:           Enabled
      Cache Info:
          Expiration            : N/A
          Cache applied to link : NONE
      L3 IPM:   disabled.

50 Creating The Policy Matrix Destination Group How do I know my policy works? How do I decide what protocols? How do I know if I am tagging? I can help here Source Group Action

51 SGT in NetFlow Fields
Source Tag: Retrieved from the packet
Destination Tag: Derived based on destination IP Address
Switch Derived Source Tag (4K only): Value applied on the packet on egress
SGT Table (6K only): export in NetFlow template data tables mapping Security Group Tags to Security Group Names
SGACL Drop Record (6K only): Generate a flow record on a SGACL drop

52 SGT-NetFlow Device List

Device                             | First Release                 | Source Tag    | Destination Tag | Switch-Derived SGT | SGT Table | SGACL Drop Record
Catalyst 6500 (Sup2T)              | IOS 15.1(1)SY1                | Yes (match)   | Yes (match)     | No                 | Yes       | Yes (dedicated monitor)
ISR, ASR, CSR                      | IOS XE 3.13S                  | Yes           | Yes             | No                 | No        | No
Catalyst 3850, 3650                | IOS XE 3.7.1E, IOS XE 3.6.3E* | Yes (match)   | Yes (match)     | No                 | No        | No
Catalyst 4500 (Sup 7-E, 7L-E, 8-E) | IOS XE 3.7.1E, IOS XE 3.6.3E* | Yes (collect) | Yes (collect)   | Yes                | No        | No
ASA                                |                               | No            | No              | No                 | No        | NSEL Record
StealthWatch FlowSensor            | 6.8                           | Yes           | No              | No                 | No        | No

53 Considerations: 3850
Ingress:
  Source Tag Sources: Derived from packet header
  DGT Sources: Derived based on destination IP lookup
  SGACL enforcement must be enabled
  Trunk link only
Egress:
  Source Tag Sources: Incoming packet header; Port configured SGT; IP to SGT mapping
  Destination Tag Sources: Derived based on destination IP lookup
  Requires SGACL enforcement to be enabled
  Trunk link only

  !
  flow monitor cts-cyber-monitor-in
   exporter StealthWatch-FC
   cache timeout active 60
   record cts-cyber-3k-in
  !
  !
  flow monitor cts-cyber-monitor-out
   exporter StealthWatch-FC
   cache timeout active 60
   record cts-cyber-3k-out
  !
  interface GigabitEthernet1/0/1
   ip flow monitor cts-cyber-monitor-in input
   ip flow monitor cts-cyber-monitor-out output
  !
  vlan configuration 100
   ip flow monitor cts-cyber-monitor-in input
   ip flow monitor cts-cyber-monitor-out output
  !

54 Considerations: 3850

  !
  flow record cts-cyber-3k-in
   match datalink mac source address input
   match datalink mac destination address input
   match ipv4 tos
   match ipv4 ttl
   match ipv4 protocol
   match ipv4 source address
   match ipv4 destination address
   match transport source-port
   match transport destination-port
   match interface input
   match flow direction
   match flow cts source group-tag
   match flow cts destination group-tag
   collect counter bytes long
   collect counter packets long
   collect timestamp absolute first
   collect timestamp absolute last
  !
  !
  flow record cts-cyber-3k-out
   match ipv4 tos
   match ipv4 ttl
   match ipv4 protocol
   match ipv4 source address
   match ipv4 destination address
   match transport source-port
   match transport destination-port
   match flow direction
   match flow cts source group-tag
   match flow cts destination group-tag
   collect counter bytes long
   collect counter packets long
   collect timestamp absolute first
   collect timestamp absolute last
  !

55 Considerations: 4500 Sup 7-E, 7L-E, 8-E
Source Tag: Packet header; Maximum 12K distinct SRC-IPs
Destination Tag: Derived based on destination IP
Switch Derived Source Tag: SGT enforced on the packet from the switch: Policy acquisition; SGT in the packet; SGT lookup on source IP; Port SGT lookup
SGT on packet at egress

  !
  flow record cts-cyber-4k
   match ipv4 tos
   match ipv4 protocol
   match ipv4 source address
   match ipv4 destination address
   match transport source-port
   match transport destination-port
   match interface input
   match flow direction
   collect flow cts source group-tag
   collect flow cts destination group-tag
   collect flow cts switch derived-sgt
   collect transport tcp flags
   collect interface output
   collect counter bytes
   collect counter packets
   collect timestamp sys-uptime first
   collect timestamp sys-uptime last
  !

56 Considerations: 6500 Sup 2T
TrustSec data table: Export SGT-SGN mapping in NetFlow template
SGACL Drop: Flow record generated on a drop; Requires dedicated Flow Monitor
Source Tag: Packet header; IP-SGT lookup
Destination Tag: Derived based on destination IP lookup

  !
  flow record cts-cyber-6k
   match ipv4 protocol
   match ipv4 source address
   match ipv4 destination address
   match transport source-port
   match transport destination-port
   match flow cts source group-tag
   match flow cts destination group-tag
   collect transport tcp flags
   collect interface output
   collect counter bytes
   collect counter packets
   collect timestamp sys-uptime first
   collect timestamp sys-uptime last
  !

57 Considerations: 6500 Sup2T
SGACL Drop config:

  !
  flow exporter ise
   destination
   source TenGigabitEthernet2/1
   transport udp 9993
   option cts-sgt-table timeout 10
  !
  flow monitor FNF_SGACL_DROP
   exporter ise
   record cts-record-ipv4
  !
  cts role-based ip flow monitor FNF_SGACL_DROP dropped
  !

Exporter and monitor:

  !
  flow exporter CYBER_EXPORTER
   destination
   source TenGigabitEthernet2/1
   transport udp 2055
   option cts-sgt-table timeout 10
  !
  flow monitor CYBER_MONITOR
   exporter CYBER_EXPORTER
   cache timeout active 60
   record cts-cyber-6k
  !

58 Considerations: ISR, ASR, CSR
Source Tag: Packet header; IP-SGT lookup
Destination Tag: Destination IP lookup

  !
  flow record cts-cyber-ipv4
   match ipv4 protocol
   match ipv4 source address
   match ipv4 destination address
   match transport source-port
   match transport destination-port
   match interface input
   match flow direction
   match flow cts source group-tag
   match flow cts destination group-tag
   collect routing next-hop address ipv4
   collect ipv4 dscp
   collect ipv4 ttl minimum
   collect ipv4 ttl maximum
   collect transport tcp flags
   collect interface output
   collect counter bytes
   collect counter packets
   collect timestamp sys-uptime first
   collect timestamp sys-uptime last
   collect application name
  !

59 Modeling Policy in StealthWatch Custom event triggers on traffic condition Rule name and description Source Tag Destination Tag Trigger on traffic in both directions; Successful or unsuccessful

60 Modeling Policy in StealthWatch Create flow-based rules for all proposed policy elements Policy Violation alarm will trigger if condition is met. Simulating proposed drop.

61 Modeling Policy: Alarm Occurrence Alarm dashboard showing all Policy alarms Details of Employee to Productions Servers alarm occurrences

62 Modeled Policy: Flow Details How When Who Where What Who Yes Is this communication permissible? No Source Tag Destination Tag Tune Respond

63 Agenda Introduction Understanding the Landscape Components of Network Visibility Enforce Policy Design and Model Policy Discover and Classify Assets Segmenting the Network

64 Enabling Enforcement
Enforcement may be enabled gradually per destination security group basis
Initially use SGACLs with deny logging enabled (remove log later if not required)
Keep default policy as permit and allow traffic unknown SGT during deployment
[Diagram labels: Monitor Mode, ISE, Catalyst Switches/WLC, DC Switch, PCI Server, Production Server, Development Server]

SRC \ DST       | PCI Server (2000) | Prod Server (1000) | Dev Server (1010)
Employees (100) | Deny all          | Deny all           | Deny all
PCI User (105)  | Permit all        | Permit all         | Deny all
Unknown (0)     | Deny all          | Deny all           | Deny all
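
The modelling step from slides 59-62 applied to the slide 64 matrix, as an added example that is not StealthWatch or ISE code and not part of the original deck: recorded conversation flows carrying client and server SGTs are replayed against a proposed matrix to list what enforcement would drop. Group numbers and SGACL_1 come from the slides; the flow records, addresses and the simplified ACE matching (only `permit|deny <proto>` and `... dst eq <port>`) are constructed assumptions.

```python
from collections import Counter

# Security groups as numbered on slides 48 and 64.
GROUPS = {0: "Unknown", 100: "Employees", 105: "PCI User",
          1000: "Prod Server", 1010: "Dev Server", 2000: "PCI Server"}

SGACLS = {
    "Permit all": ["permit ip"],
    "Deny all": ["deny ip"],
    # SGACL_1 as listed on slide 67.
    "SGACL_1": [f"permit tcp dst eq {p}"
                for p in (443, 80, 22, 3389, 135, 136, 137, 138, 139)] + ["deny ip"],
}

# Proposed matrix from slide 64: (source SGT, destination SGT) -> SGACL name.
MATRIX = {(src, dst): "Deny all"
          for src in (100, 105, 0) for dst in (2000, 1000, 1010)}
MATRIX[(105, 2000)] = "Permit all"
MATRIX[(105, 1000)] = "Permit all"
DEFAULT_SGACL = "Permit all"   # slide 64: keep the default policy as permit


def sgacl_action(aces, proto, dst_port):
    """Return 'permit' or 'deny' from the first matching ACE, else None."""
    for ace in aces:
        words = ace.split()
        action, ace_proto = words[0], words[1]
        if ace_proto not in ("ip", proto):
            continue
        if len(words) == 2:                      # e.g. "deny ip"
            return action
        if words[2:4] == ["dst", "eq"] and int(words[4]) == dst_port:
            return action
        # Other ACE forms are outside this sketch and are skipped.
    return None


def model_policy(flows, matrix, default=DEFAULT_SGACL):
    """List the flows that the proposed matrix would drop if enforced."""
    violations = []
    for f in flows:
        name = matrix.get((f["client_sgt"], f["server_sgt"]), default)
        action = sgacl_action(SGACLS[name], f["proto"], f["server_port"])
        if action is None:
            # Assumption of this sketch: unmatched traffic gets the default.
            action = sgacl_action(SGACLS[default], f["proto"], f["server_port"])
        if action == "deny":
            violations.append({**f, "sgacl": name})
    return violations


def summarise(violations):
    """Count would-be drops per (source group, destination group, service)."""
    def label(sgt):
        return GROUPS.get(sgt, str(sgt))
    return Counter((label(v["client_sgt"]), label(v["server_sgt"]),
                    f'{v["proto"]}/{v["server_port"]}') for v in violations)


def _flow(client_ip, client_sgt, server_ip, server_sgt, proto, server_port):
    return {"client_ip": client_ip, "client_sgt": client_sgt,
            "server_ip": server_ip, "server_sgt": server_sgt,
            "proto": proto, "server_port": server_port}


# Constructed conversation records (documentation-range addresses).
FLOWS = [
    _flow("192.0.2.10", 100, "198.51.100.20", 1000, "tcp", 443),
    _flow("192.0.2.21", 105, "198.51.100.30", 2000, "tcp", 1433),
    _flow("192.0.2.21", 105, "198.51.100.40", 1010, "tcp", 22),
    _flow("192.0.2.99", 0, "198.51.100.20", 1000, "udp", 53),
    _flow("192.0.2.10", 100, "203.0.113.5", 3, "tcp", 80),
    _flow("192.0.2.21", 105, "198.51.100.20", 1000, "tcp", 8443),
    _flow("192.0.2.21", 105, "198.51.100.20", 1000, "tcp", 443),
]

if __name__ == "__main__":
    for key, count in summarise(model_policy(FLOWS, MATRIX)).items():
        print("would drop:", key, count)
    # What-if: tighten PCI User -> Prod Server from "Permit all" to SGACL_1.
    what_if = {**MATRIX, (105, 1000): "SGACL_1"}
    print(len(model_policy(FLOWS, what_if)), "drops with SGACL_1 applied")
```

Each reported flow answers the slide 62 question "Is this communication permissible?" before any switch enforces the matrix: tune the matrix if it is, respond if it is not.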

65 Centralised SGACL Management in ISE

66 Applying SGACL Policies in ISE (Tree view)

67 Applying SGACLs (ISE 2.0)

  SGACL_1
   permit tcp dst eq 443
   permit tcp dst eq 80
   permit tcp dst eq 22
   permit tcp dst eq 3389
   permit tcp dst eq 135
   permit tcp dst eq 136
   permit tcp dst eq 137
   permit tcp dst eq 138
   permit tcp dst eq 139
   deny ip

68 SGT=3 SGT=4 SGT=5 SGACL Downloads New Servers provisioned, e.g. Prod Server & Dev Server Roles DC switches requests policies for assets they protect Policies downloaded & applied dynamically Prod_Servers Dev_Servers What this means: All controls centrally managed Security policies de-coupled from network No switch-specific security configs needed Wire-rate policy enforcement One place to audit network-wide policies Switches request policies for assets they protect SGACL Enforcement Prod_Server (SGT=7) Dev_Server (SGT=10) Switches pull down only the policies they need

69 Enabling Policy Enforcement in Switches
After setting up SGT/SGACL in ISE, you can now enable SGACL Enforcement on network devices
Devices need to be defined in ISE and provisioned to talk to ISE (omitted from these slides for brevity)
Enabling SGACL Enforcement Globally and for VLAN:

  Switch(config)#cts role-based enforcement
  Switch(config)#cts role-based enforcement vlan-list 40

If switches have SGT assignments they will download policy for the assets they are protecting
As example - defining IP to SGT mapping for servers on a switch:

  Switch(config)#cts role-based sgt-map sgt 5
  Switch(config)#cts role-based sgt-map sgt 6
  Switch(config)#cts role-based sgt-map sgt 7

70 Policy Enforcement on Firewalls: ASA SG-FW Security Group definitions from ISE Switches inform the ASA of Security Group membership Trigger FirePower services by SGT policies Can still use Network Object (Host, Range, Network (subnet), or FQDN) AND / OR the SGT

71 Agenda Introduction Understanding the Landscape Components of Network Visibility Enforce Policy Design and Model Policy Discover and Classify Assets Segmenting the Network Active Monitoring Policy NBAD

72 Active Monitoring

73 Segmentation Monitoring in StealthWatch Custom event triggers on traffic condition Rule name and description Source Tag Destination Tag Trigger on traffic in both directions; Successful or unsuccessful

74 Segmentation Monitoring with StealthWatch Alarm dashboard showing all Policy alarms

75 Segmentation Monitoring with StealthWatch PCI Zone Map Define communication policy between Zones Monitor for violations

76 StealthWatch NBAD Model Track and/or measure behaviour/activity Notification of security event generated Algorithm Security Event Alarm Suspicious behaviour observed or anomaly detected

77 Alarm Categories Each category accrues points.

78 Example Alarm Category: Concern Index. Concern Index: Track hosts that appear to be compromising network integrity. Security events: over 90 different algorithms.

79 StealthWatch: Alarms Alarms Indicate significant behaviour changes and policy violations Known and unknown attacks generate alarms Activity that falls outside the baseline, acceptable behaviour or established policies

80 Agenda Introduction Understanding the Landscape Components of Network Visibility Enforce Policy Design and Model Policy Discover and Classify Assets Segmenting the Network Active Monitoring Policy NBAD Rapid Threat Containment

81 Rapid Threat Containment: Managing the Threat

82 Quarantine from StealthWatch

83 ANC Quarantine: ISE Live Log EPSStatus check Security Group Assignment

84 WAIT! How did this dark magic happen?

85 Adaptive Network Control Extension of the endpoint monitoring and controlling capabilities Endpoint control based on IP or MAC address Three actions: Quarantine Unquarantine Shutdown wired access ports Enable a change of the authorisation state Through administrative action Without modification of the overall authorisation policy Supported in both wired and wireless environments

86 ANC Quarantine Flow
1. Endpoint is connected
2. StealthWatch issues quarantine instruction to PAN
3. PAN issues quarantine instruction to MnT
4. MnT instructs PSN to invoke a CoA
5. Endpoint is disconnected through CoA
6. Endpoint reconnects and authenticates
7. RADIUS request
8. Quarantine check
9. Quarantine profile applied
[Diagram labels: PAN, MnT, PSN]

87 Configuring ANC on ISE
1. Enable ANC (EPS): Enabled by default on ISE
2. Create Quarantine authorisation profile or Security Group
3. Create Quarantine Authorisation Policy
4. Manually quarantine or unquarantine: Based on IP or MAC address

88 Exception Authorisation Policy Best Practice EPSStatus in Session Assign to SGT Suspicous_Investigate and Permit Access

89 Configuration of RTC with StealthWatch and ISE
1. Enable pxgrid
2. Provision pxgrid server certificate
3. Provision pxgrid client certificate
4. Configure pxgrid node connection
5. Assign SMC to EPS Group in
6. Configure pxgrid node connection
[Diagram label: pxgrid Node]

90 Configuration of RTC with StealthWatch and ISE Follow these guides Lancope published: Cisco published: HowTo-101- Deploying_Lancope_StealthWatch_with_pxGrid.pdf

91 So now what?

92 Suspicous_Investigate Egress Policy Create an Egress Policy for the suspicious Security Group

93 SGACL Create meaningful SGACL for Suspicious hosts: Restrict applications and services Block access to Business Critical Processes Prevent access to Intellectual Property

94 SGT Based Policy Based Routing

  route-map native_demo permit 10
   match security-group source tag Employee
   match security-group destination tag Critical_Asset
   set interface Tunnel1
  !
  route-map native_demo permit 20
   match security-group source tag Suspicious
   match security-group destination tag Critical_Asset
   set interface Tunnel2
  !
  route-map native_demo permit 30
   match security-group source tag Guest
   set vrf Guest

Policy-based Routing based on SGT; SGT-based VRF Selection
[Diagram labels: Inspection Router, Router / Firewall, Network A, Enterprise WAN, VRF-GUEST, User A Employee, User B Suspicious, User C Guest]
Available Today: Cisco IOS XE Release 3.16S (ASR 1000) as well as ASA5500-X (9.5.1)

95 FirePOWER Services Redirect Create service policy to forward suspicious traffic to FirePOWER Services

96 Agenda Introduction Understanding the Landscape Components of Network Visibility Enforce Policy Design and Model Policy Discover and Classify Assets Segmenting the Network Active Monitoring Policy NBAD Rapid Threat Containment Summary

97 Related Sessions: TECSEC-2666 TrustSec / NGFW and NGIPS Tuesday, March 8, 9:00 AM - 6:00 PM BRKSEC-2690 Deploying Security Group Tags Kevin Regan Wednesday, March 9, 4:30 PM 6:00 PM BRKSEC-3690 Advanced Security Group Tags Kevin Regan Friday, March 8, 8:45 AM 10:45 AM BRKCRS-2891 Enterprise Network Segmentation (with Cisco TrustSec) Hari Holla Wednesday, March 9, 4:30-6:00 PM BRKSEC-2653 Cyber Range Paul Qiu Wednesday, March 9, 4:30 PM 6:00 PM BRKSEC-2044 Building an Enterprise Access Control Architecture using ISE and TrustSec Hosuk Won Thursday, March 8, 8:30 AM 10:30 AM

98 Call to Action Visit the World of Solutions for: Security Zone: Identity Services Engine Cisco Cyber Threat Defence Solution Enterprise Networking Zone: Network as a Sensor / Enforcer Meet The Expert Matt Robertson: Thursday 12-2 pm More Reading:

99 Complete Your Online Session Evaluation Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site Visit any Cisco Live Internet Station located throughout the venue T-Shirts can be collected Friday 11 March at Registration Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations.

100 Key Takeaways
The network is a key asset for threat detection and control
NetFlow and Lancope StealthWatch provide visibility and intelligence
TrustSec is used to dynamically (micro)segment the network

101 Q & A


103 Thank you


Implementing Cisco IOS Network Security Implementing Cisco IOS Network Security IINS v3.0; 5 Days, Instructor-led Course Description Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles

More information

Threat Defense with Enterprise Networks Vaibhav Katkade, Product Manager BRKCRS-1449

Threat Defense with Enterprise Networks Vaibhav Katkade, Product Manager BRKCRS-1449 Threat Defense with Enterprise Networks Vaibhav Katkade, Product Manager BRKCRS-1449 Agenda Introduction The Network Infrastructure and Security Overview of Network as a Sensor & Enforcer Network as a

More information

Cisco IOS Flexible NetFlow Technology

Cisco IOS Flexible NetFlow Technology Cisco IOS Flexible NetFlow Technology Last Updated: December 2008 The Challenge: The ability to characterize IP traffic and understand the origin, the traffic destination, the time of day, the application

More information

Cisco TrustSec Solution Overview

Cisco TrustSec Solution Overview Solution Overview Cisco TrustSec Solution Overview 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 10 Contents Introduction... 3 Solution Overview...

More information

642 523 Securing Networks with PIX and ASA

642 523 Securing Networks with PIX and ASA 642 523 Securing Networks with PIX and ASA Course Number: 642 523 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional and the Cisco Firewall

More information

NetFlow/IPFIX Various Thoughts

NetFlow/IPFIX Various Thoughts NetFlow/IPFIX Various Thoughts Paul Aitken & Benoit Claise 3 rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management, July 2010 1 B #1 Application Visibility Business Case NetFlow (L3/L4) DPI Application

More information

NetFlow-Lite offers network administrators and engineers the following capabilities:

NetFlow-Lite offers network administrators and engineers the following capabilities: Solution Overview Cisco NetFlow-Lite Introduction As networks become more complex and organizations enable more applications, traffic patterns become more diverse and unpredictable. Organizations require

More information

WiNG 5.X How To. Policy Based Routing Cache Redirection. Part No. TME-05-2012-01 Rev. A

WiNG 5.X How To. Policy Based Routing Cache Redirection. Part No. TME-05-2012-01 Rev. A WiNG 5.X How To Policy Based Routing Cache Redirection Part No. TME-05-2012-01 Rev. A MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark

More information

TrustSec How-To Guide: On-boarding and Provisioning

TrustSec How-To Guide: On-boarding and Provisioning TrustSec How-To Guide: On-boarding and Provisioning For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2 Introduction...

More information

Cisco TrustSec How-To Guide: Planning and Predeployment Checklists

Cisco TrustSec How-To Guide: Planning and Predeployment Checklists Cisco TrustSec How-To Guide: Planning and Predeployment Checklists For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents...

More information

On-boarding and Provisioning with Cisco Identity Services Engine

On-boarding and Provisioning with Cisco Identity Services Engine On-boarding and Provisioning with Cisco Identity Services Engine Secure Access How-To Guide Series Date: April 2012 Author: Imran Bashir Table of Contents Overview... 3 Scenario Overview... 4 Dual SSID

More information

Implementing and Configuring Cisco Identity Services Engine SISE v1.3; 5 Days; Instructor-led

Implementing and Configuring Cisco Identity Services Engine SISE v1.3; 5 Days; Instructor-led Implementing and Configuring Cisco Identity Services Engine SISE v1.3; 5 Days; Instructor-led Course Description Implementing and Configuring Cisco Identity Services Engine (SISE) v1.3 is a 5-day ILT training

More information

IINS Implementing Cisco Network Security 3.0 (IINS)

IINS Implementing Cisco Network Security 3.0 (IINS) IINS Implementing Cisco Network Security 3.0 (IINS) COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using

More information

Configure IOS Catalyst Switches to Connect Cisco IP Phones Configuration Example
