Delivering Control with Context Across the Extended Network




Agenda
Current Challenges
Cisco ISE Overview
Introducing Cisco pxGrid
Customer Success Stories
Only Cisco ISE Delivers
2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

What Keeps CIOs/CISOs Up at Night?
33% of Global Companies have already experienced a breach
$300K = Average Cost of a Single, Successful Cyberattack
The pain of managing, on average, over 45 different security vendors in a network
66% of Organizations fail to identify breaches for months or YEARS
Over 660 Million personal records stolen from over 4,100 data breaches since 2005
37% of IT Leaders plan to implement a mobile strategy
Over 15 Billion Connected Devices by 2015 (4.4 per person!)
Security is the Top of Mind Concern for CIOs/CISOs

Network Threats Are Getting Smarter
Phases: Phishing, Low Sophistication; Hacking Becomes an Industry; Sophisticated Attacks, Complex Landscape
Timeline (1990 to 2020):
Viruses: 1990 to 2000
Worms: 2000 to 2005
Spyware and Rootkits: 2005 to Today
APTs, Cyberware: Today +

More Connected Devices Expand Threat Surface
Evolving Need for Secure Access and Threat Defense
IT Procured Managed Endpoints
Guest Access: Simple Guest Access
Enterprise Mobility: Procured & BYOD Mobile Device Use Growing
Internet of Everything: Explosion of Network Enabled Devices
Timeline: 2003, 2007, 2012, 2014+
Enterprises Say Malware Targeted Mobile Devices in the Last 12 Months (1)
(1) Ponemon Research http://www.ponemon.org/news-2/48

The Resulting Challenges for Enterprise IT
Breakdown of Traditional Network Perimeters
Difficult Balance Between Security & Productivity
Increased Complexity When Securing Enterprise Networks

Bottom Line: What's Missing Today?
Greater Visibility to accurately identify, rapidly onboard, and secure connected devices across wired, wireless or VPN
Rich, contextual information to grant the right people & devices, the right levels of access to the network
Capability to connect disparate network and security solutions to more rapidly take action against threats
Enterprises require even greater visibility, context, and control to secure and control an increasing number of devices on their networks.


Cisco Identity Services Engine (ISE)
Delivering Visibility, Context, and Control to Secure Network Access
NETWORK / USER CONTEXT: Who, What, When, Where, How
DEVICE PROFILING FEED SERVICE
REDUCE NETWORK UNKNOWNS AND APPLY THE RIGHT LEVEL OF SECURE ACCESS CONSISTENTLY ACROSS WIRED, WIRELESS and VPN
Guest Access
BYOD and Enterprise Mobility
Secure Access

Why Cisco ISE?
Cisco ISE is the Market-Leading Security Policy Management Platform that Unifies and Automates Secure Access Control Across Wired, Wireless, and VPN.
Visibility Driven: Accurately Identify and Assess Network Users & Devices
Access Control: Grant/Limit access to align with appropriate business policy
Context Focused: Use dynamic contextual data to accelerate the identification, mitigation, and remediation across extended networks

The Different Ways Customers Use ISE
Guest Access Management: Easily provide visitors secure guest Internet access
BYOD and Enterprise Mobility: Seamlessly identify & securely onboard devices with the right levels of access
Secure Access across the Entire Network: Streamline enterprise network access policy over wired, wireless, & VPN
Software-Defined Segmentation with Cisco TrustSec: Simplify Network Segmentation and Access Policy Enforcement

Historically, Securing Access Was Complicated
The Past
ISE 1.3

Easy-to-Deploy Guest and BYOD Access
Admin Friendly: Set up a Guest or BYOD workflow in just a few clicks.
End User Visibility: ISE updates the portal workflow in real-time with each change.

Simplifying Guest Access for the Enterprise
Design Easily in Minutes, Deploy Securely in Just Hours
Corporate Branding and Themes
Desktop & Mobile Ready!
Streamlined Guest Creation: Create Accounts, Print, Email, SMS
Mobile Guest Sponsorship
Guest Access Notification via SMS (sample message: "Your credentials username: trex42 password: littlearms")

Streamlining BYOD and Enterprise Mobility
Reducing the Complexity of Managing BYOD and Device Onboarding
Improved Device Recognition
Integrated Native Certificate Authority for Devices
Desktop & Mobile Ready!
Customizable Branded Experiences
Easy User Onboarding with Self-Service Device Portals
Comprehensive Device Security with Posture and EMM
Supports 1M Registered Endpoints and 250K ACTIVE, Concurrent Endpoints

Dynamic Control with Rich Contextual Profiling
Simple Identity Simply Isn't Helpful Enough Anymore
POOR context awareness -> Simple Identity
Who are you? -> IP Address 192.168.1.51
RESULT: Any user, Any device, Anywhere gets on the network
EXTENSIVE context awareness -> RICHER Identity
Who? -> Bob
What? -> Tablet
Where? -> Building 200, 1st Floor
When? -> 11:00 AM EST on April 10th
RESULT: The Right user, on Right device, from the Right place is granted the RIGHT ACCESS

Increase Device Visibility with Profile Feed Service
Reduce Unknown Devices on Networks by 74%, on Average *
DEVICE PROFILING FEED SERVICE
Get New, Vetted Device Profiles from Cisco & the Community
More Accurately Profiled Devices; Faster, More Secure Onboarding
Example devices: Corporate Managed Tablet, VoIP Office Phone, IoT Security Camera

Enterprise Mobility Management Integrations
Enforce True Device Compliance for All Mobile Devices
EMM Secures Actual Device
Sees unregistered devices on the network?
Forces EMM Policy Compliance?
Keeps noncompliant devices off network?
Cisco ISE Secures Network Access
Sees ALL devices on the network
Requires devices to comply with EMM policy
Provides guest access to non-EMM devices
SOLUTION: ISE + EMM Together

Secure Access with Cisco ISE and TrustSec
Who: Doctor, What: Laptop, Where: Office
Confidential Patient Records
Internal Employee Intranet
Who: Doctor, What: iPad, Where: Office
Internet
Who: Guest, What: iPad, Where: Office
✓ Acquires Important Context & Identity from the Network
✓ Monitors & Provides Visibility into Unauthorized Access
✓ ISE provides Differentiated Access to the network; TrustSec provides Segmentation throughout the network

Cisco TrustSec Software-Defined Segmentation
Control Access to Resources Based on Business Policies
Simplifies Firewall Rule, ACL, VLAN Management
Prevents Lateral Movement of Potential Threats
Eliminates Costly Network Re-architecture
Traditional Security Policy [slide graphic: a long list of "access-list 102" permit/deny entries]
TrustSec Security Policy
Segmentation Policy Enforced Across the Extended Network
Switch, Router, VPN & Firewall, DC Switch, Wireless Controller


Cisco Platform Exchange Grid (pxGrid) [NEW]
Accelerating Partner Technology Efficiencies via Context Sharing
For security, which is more useful information?
"The compromised device is 192.168.100.123"
- OR -
"The compromised device is Paul Russell's iPad in Bldg. 200"
Cisco ISE collects contextual big data from multiple sources across the network. Via Cisco pxGrid technology, this contextual data is shared with partners. With ISE contextual data, Partner Solutions can more accurately and more quickly identify, mitigate, and remediate security threats across the network.

Streamline Security Operations with ISE Ecosystem [NEW]
Connect Disparate Solutions and Reduce Threat Response Time
Faster Remediation of Threats with SIEM / TD
Extension of Access Policy & Compliance with MDM
Context-driven OT Policy and Segmentation for IoT
Endpoint Vulnerability Remediation
Simplified Network Troubleshooting and Forensics
SSO Secure Access to Sensitive Data on Mobile Devices


Cisco ISE Success Story: Guest Lifecycle
Industry: Finance
Employees: 1,300 in 75 Branches
Their Challenges:
Too Many Guests Needing Access
Security Risks from Open Guest Accounts
Compliance in a BYOD environment
Their Results:
✓ Speedier Guest Network, with Better Profiling
✓ Improved Compliance and Security
✓ IT Staff Operational Efficiencies
"The lack of expiry dates on guest access accounts was always a security threat. Using the Cisco ISE guest portal, we can flexibly and securely create temporary access."

Cisco ISE Success Story: Campus BYOD
Industry: Education
Students & Faculty: 13,500+
Their Challenges:
Better Control over Devices on Network
Providing Consistent Secure Access
Scaling to Meet Exploding BYOD Campus Needs
Their Results:
✓ 10% Reduction in IT Troubleshooting
✓ 100% Network Uptime
✓ Vastly Improved End-User Experiences
"Our goal is to get as many people on our network as quickly, securely, and reliably as possible without our involvement. ISE enables us to do that."

Cisco ISE Success Story: Secure Access
Industry: Healthcare
Endpoints: 35,000+
Their Challenges:
Separating Clinical vs. Consumer Data
Segregating Medical Devices, Based on Usage
Controlling Compliant Access without Disruption
Their Results:
✓ Granular Access Controls based on Context
✓ Implemented Port-Level Room Controls
✓ Comprehensive, Accurate Medical Endpoint Profiling
"Cisco ISE met our high water mark for use cases with flying colors. We are excited to be working with Cisco as we extend the model to other Sentara Healthcare facilities."


Analysts Recognize Cisco ISE Industry Leadership
Analysts Continue to Position Cisco ISE as Market and Technology Leader
A LEADER in Gartner Magic Quadrant for NAC - Gartner December 2013, 2012, 2011
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today." - Forrester 2011
"The Cisco ISE 1.3 is Cisco's most important NAC version since Cisco first offered the ISE 1.0. Perhaps the most exciting part of Cisco ISE 1.3 NAC is the integration with pxGrid... In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
Image: Gartner Magic Quadrant for Network Access Control 2013, Lawrence Orans, John Pescatore, 12 December 2013

Customers Around the World Trust Cisco ISE
Continuing to Drive the Market as the #1 Solution
Purchased by 50% of Fortune Global 500 and 80% of Fortune Global 25
Leading Technology Innovation that Drives Industry Standards in the NAC Market and Beyond
600+ ATP Partners
7,000 Customers
36 Million+ Endpoints Licensed

Cisco ISE is Core to Cisco Security
Attack Continuum:
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Firewall, VPN, NGIPS, Advanced Malware Protection, NGFW, UTM, Web + Email Security, Network Behavior Analysis
NAC + Identity Services
pxGrid + ISE Ecosystem
ISE Provides Visibility, Context, and Control Across the Entire Continuum

Cisco ISE Provides One Policy for Cisco Unified Access
CISCO UNIFIED ACCESS
ONE NETWORK: Integrated Wired and Wireless in ONE Physical Infrastructure, with ONE Operating System & Open APIs
ONE MANAGEMENT: Single Pane of Glass Management with Cisco Prime
ONE POLICY: Simplified, Unified Policy Management with Cisco ISE

Only Cisco ISE Can Offer
Unparalleled Network Visibility: Eliminate Unknowns to Get a Clearer Picture of Who & What Is On Your Network
Reduce the Complexity of Securing Access: Manage Simplified, Unified Access Policy across Wired, Wireless, & VPN
Contain Advanced Network Threats: Identify Threats and Prevent Lateral Movement Across the Network
Optimize Downstream Security Services: Share Dynamic Context with Partners to Accelerate their Security Capabilities
Cisco ISE is the Key Component to Support Secure Unified Access and Achieve Enterprise Security Objectives.