2021 01-27 reducing risk of ransomware webinar

REDUCING RISK OF
RANSOMWARE ATTACKS
– Tightening security
posture with micro-
segmentation

Have you already started a micro-segmentation
project in your organization?
• Yes, we’ve completed our micro-segmentation project
• Yes, we are currently in the midst of a micro-segmentation
project
• No, but it is in our roadmap
• No, and we don’t plan to in the near future
2 | Confidential
POLL

LET’S INTRODUCE OUR SPEAKERS
HUIB KLAASSENS
BDM
JAN HEIJDRA
TECHNOLOGY EVANGELIST
YITZY TANNENBAUM
PRODUCT MARKETING MANAGER

JAN HEIJDRA – CISCO SECURITY
Enterprise Mobility
Management
Network Traffic Security Analytics
(Cloud) Workload
Protection
Web
Security
Email
Security
Advanced
Threat
Secure
SD-WAN / Routers
Identity and Network
Access Control
Secure Internet
Gateway
Switches and
Access Points
Next-Gen
FW/IPS
Cloud Access Security

2 | Confidential
YITZY TANNENBAUM – ALGOSEC OVERVIEW
Founded 2004
1800+ Enterprise Customers
Serving 20 of the Fortune 50
24/7 Support via 3 Global Centers
ISO 27001 Certified
Passionate about Customer Satisfaction
FORTUNE
50
ISO
27001
2004

HUIB KLAASSENS – METSI TECHNOLOGIES

SECURITY SERVICES
SOC Services
• SOC Build, Operate and Optimization
• Security Devices (ASA, FP, FTD, AMP,
Third Party FWs, IPS)
• Switches, Servers, Endpoints,
• Managed ISE
• Managed AMP
• Cloud Security Monitoring
Security Consulting
• Network Architecture
Assessment
• Cloud Security Assessment
• Gap Assessment (NIST-800)
• Pen Testing
• Security Optimization
• Incident Response
• Forensics
• Malware Readiness Assessment
for Endpoint, Network and DC
• AMP (Endpoints, Network)
• Incident Response
Next Generation Firewall Services
(Cisco ASA and FirePOWER Threat Defense)
• Firewall Policy Reviews and Optimization
• Design and Deployments
• Migrations (from old Cisco Firewalls and Third-Party
Firewalls to Cisco ASA/FTD)
• Operate
• Compliance
• On-Prem, DC and Cloud
Network Access Control (Cisco ISE)
and Segmentations
• Workshops
• Proof of Value/POC and Pilot Deployment
• Enterprise Rollout
• Post Deployment optimization and Support
• ACS to ISE Migration
• Network Segmentation (TrustSec)
• SDA (DNA Center)
Malware Protection

AGENDA
Microsegmentation
1
2
3
4
Reducing the attack surface
How it’s done
What to do next?

9 | Confidential
MICROSEGMENTATION WITH CISCO
SECURE WORKLOAD (TETRATION)

10
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Zero Trust – Segmentation
Secure the Workforce
With Duo
User-bound Device Access
Secure Your Workloads
With Tetration
Workload Access
Servers
Apps
Databases
SaaS
Data Center
Application
Access
Secure the Workplace
With SD-Access
Network Access
User & Devices
IoT Devices
Wireless
Network
Traffic
Corporate Network
WAN
Routing
+
All Corp IT

11
Core East-West
Firewall Challenges
(a.k.a. the PAIN!)
• Traffic has to get through the firewall!!
• Traditional firewalls are bottlenecks and are
worse in the cloud
• Every cloud is different
• Cloud-native controls have limited scale
• When new segmentation is needed, policy is
unknown
• Policy is static while applications are dynamic.
This requires change requests.
• Limited visibility required for compliance and
troubleshooting App-to-App traffic
• What about edge computing?
• Where do I start?

12
Somewhat
• Is host based necessary to protect lateral movement?
- Absolutely, we (Cisco) have been saying that for years
• Is host based the best option for modern workloads (Cloud, Containers)?
- Yes! The scale and rate of change can’t be efficiently supported by hardware
• Can you remove a firewall from the picture?
- Absolutely… NOT! Have you tried blocking 10 Gbps of traffic with software?
Ok… So… What are we saying?

13
Deploying Firewalls for Workloads
Defense in Depth
End-User to Application
Workload to Internet
App
to
App
Deploy Firewalling FTD/SASE
IPS and Internet URL Filtering are often Required
Alternative positioning is End-to-End Zero Trust with Tetration
and ISE
Deploy Secure Workload
Throughput Scale, Policy Automation, and Policy Discovery are
Requirements. IPS can be selectively provided with SDN re-direction.

15
What does Tetration do:
• Micro-segmentation (Firewall++ for your App Workloads)
• Cloud Workload Protection Platform
How and what else do we do:
• Automatically discover your E/W and N/S security policy
• Deeper workload protection
• Forensics
• Vulnerability detection
Any cloud, Any Infrastructure – Real Time Enforcement
– as your applications evolve
Secure Workload Use Cases

16
• Number 1 problem we see? Trying to get to microsegmentation in 1-shot (Boiling
the ocean)
• Guaranteed Failure
• Guaranteed Rollback
• Guaranteed unhappy life
• Microsegmentation is a Journey, it is achievable when you take a step by step
approach
• So where do we start….
Microsegmentation Journey

17
Step 1 – Zone Based
Group 1
Group 2
Group 3
BM
VM
C
Bare Metal Server
Virtual Machine
Container
VM BM
VM C C
BM
C BM
BM VM VM
VM
C VM
C VM C
C
BM BM
VM BM C
BM
C BM
VM BM VM
BM
VM BM
BM C C
VM
Firewall
VM BM
VM C
C
BM
C
BM
BM VM
VM
VM
C
VM
C VM
C
C BM BM
VM
BM
C
BM
C BM
VM BM
VM
BM
VM BM
BM
C
C
VM
Firewall
Firewall
Firewall
Zone Based
Segmentation

18
What is zone based segmentation
Production workloads cannot talk to development
workloads
Cisco Tetration knows
which are production
workloads
which ones are
development workloads
Policies are continuously updated
as new servers are added, servers
moved or IP addresses changes
Production workloads and development workloads context provided to Tetration through tags

19
Step 2 – Inter Application Based
Group 1
Group 2
Group 3
BM
VM
C
Bare Metal Server
Virtual Machine
Container
VM BM
VM C
C
BM
C
BM
BM VM
VM
VM
C
VM
C VM
C
C
BM BM
VM
BM
C
BM
C BM
VM BM
VM
BM
VM BM
BM
C
C
VM
VM BM
VM C
C
BM
C
BM
BM VM
VM
VM
C
VM
C VM
C
C
BM BM
VM
BM
C
BM
C
BM
VM
BM
VM
BM
VM BM
BM
C
C
VM
Application
Based
Segmentation

20
What is application based segmentation
Only production app servers can talk to production
database servers
which are production
app server workloads
which ones are
production database
workloads
Policies are continuously updated
as new servers are added, servers
moved or IP addresses changes
Production app and database workloads context provided to Tetration through tags

21
Step 3 –Microsegmentation
Group 1
Group 2
Group 3
BM
VM
C
Bare Metal Server
Virtual Machine
Container
VM BM
VM C
C
BM
C
BM
BM VM
VM
VM
C
VM
C VM
C
C
BM BM
VM
BM
C
BM
C
BM
VM
BM
VM
BM
VM BM
BM
C
C
VM
Micro
Segmentation
VM BM
VM C
C
BM
C
BM
BM VM
VM
VM
C
VM
C VM
C
C
BM BM
VM
BM
C
BM
C
BM
VM
BM
VM
BM
VM BM
BM
C
C
VM

22
• Key challenge with microsegmentation journey is managing the policy lifecycle
• It is not trivial and it cannot be done manually
• That is where application dependency mapping becomes important in Step-2 and Step-3
• Step-2: Inter application based segmentation
• ADM is used to identify inter application communications, shared services and other infrastructure services
• Communication behavior between these applications and shared services are discovered
• This becomes the foundation for the inter application policy
• Step-3: Microsegmentation
• ADM plays an even more pivotal role in identifying different tiers within an application (Web, DB, etc.,)
• Communication behavior between these tiers
• Autogenerating the microsegmentation policy based on the behavior of these various application components
Why do we need Application Dependency Mapping
(ADM)?

23
Application dependency and cluster grouping
Bare-metal, VM,
and switch telemetry
Bare-metal
and VM telemetry
VM telemetry (AMI …)
Bare metal and VM
BM VM VM BM
Brownfield
✓
✓
✓
✓
On-premises and
cloud workloads
(any public or private cloud)
BM VM VM BM
✓
✓
✓
✓
VM BM
VM C C
BM
C BM
BM VM VM
VM
C VM
C VM C
C
BM BM
VM BM C
BM
C BM
VM BM VM
BM
VM BM
BM C C
VM
Unsupervised
machine learning
Behavior analysis
Network-only sensors, host-only
sensors, or both (preferred)
BM VM VM VM BM
Cisco Nexus® 9000 Series ✓
Group 1
Group 2
Group 3
BM
VM
C
Bare Metal Server
Virtual Machine
Container
Cisco Tetration

24
Application dependency – cluster view
Cluster view provides a quick snapshot
of communication between the
application components
Drill down into an application cluster to view
• Number of elements in the cluster
• Intra-cluster communication
• Communication between cluster element to other application
components
Select a cluster member to look at
• Ports to process bindings on which services
are provided
• Distinctive processes running on the workload

25
Secure Application Segmentation
Made Easy with Cisco Tetration
Full-Lifecycle policy Discovery, Management and Enforcement
Step 3. Validate policy through
simulation
Step 4. Enforces policy
Step 5. Compliance monitoring,
audit, alerting
Step 2. Map application dependencies
and generate policy
Step 1: Auto-discover
heterogenous workloads
Segmentation projects
that don’t last YEARS
Significant reduction in security
rule management
Significant reduction in
attack surface
Faster time to value
Cisco Tetration™ Platform

26
Automatic
Inventory
Tagging
Flexible
Policy
Hierarchy
Alert on
deviations
Alert on
deviations
Advanced
Policies
Cisco Tetration Policy Lifecycle
99% Automation of Policy Discovery, Management and Enforcement
Zero Trust - Micro-segmentation
is not a product, it’s a process
Gradual implementation across any infrastructure
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential – Zero Trust for Workload - jheijdra

27
#SUNBURST
Cisco’s official response page
https://tools.cisco.com/security/center/reso
urces/solarwinds_orion_event_response
Secure Workload SUNBURST blog
https://blogs.cisco.com/security/cisco-secure-
workload-immediate-actions-in-response-to-
sunburst-trojan-and-backdoor
Talos threat intel
SUNBURST blog
https://blog.talosintelligence.co
m/2020/12/solarwinds-
supplychain-coverage.html

28
SUNBURST– Secure Workload
Identify compromised assets
• Cisco Secure Workload can identify compromised assets via three methods:
1. Presence of installed package
2. Presence of running process (either name or hash)
3. Presence of loaded libraries (DLLs)
1. Identifying workloads with affected SolarWinds package installed,
regardless of whether it is running in memory or not 3. identifying workloads with affected SolarWinds
processes based on published DLL hash signatures
2. identifying workloads with affected SolarWinds
processes based on published process hash
signatures

29
SUNBURST – Secure Wokrload
Restrict traffic (prevent communication and lateral movement)
• A Cisco Secure Workload policy includes a dynamic
set of source and destinations, defined here by
workloads that have been detected to have
SolarWinds software and an action, which in this
case is to restrict any network traffic.
• More fine grained methods of restricting traffic:
https://documentation.solarwinds.com/en/Success_Center/orionplatfor
m/Content/core-solarwinds-port-requirements.htm#Ports

What is your main challenge when rolling out a
micro-segmentation project in your organization?
• Complex network, lack of visibility
• Defining the segments based on application dependency
• Make the policy changes required to create the segments
• Not enough manpower / time
30 | Confidential
POLL

STEPPING STONES
3
1
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0

STEPPING STONES
3
2
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0
Step 1

STEPPING STONES
3
3
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0
Step 1 Step 2 Step 3

STEPPING STONES
3
4
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0
Step 1 Step 2 Step 3
Pay $$$$ or lose data

35 | Confidential
REDUCING THE ATTACK SURFACE

MICRO-SEGMENTATION: A BLUEPRINT
• Define network segments to control east-west traffic
• Activate traffic filters crossing segments
• Traffic fully inside a segment can flow freely
• Write restrictive policies for traffic crossing segment borders
36

CONTROL EAST-WEST TRAFFIC
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Easy, right?
37

TRADITIONAL EXCUSES IN A TRADITIONAL DATA CENTER
Use standard or virtualized firewalls
Requires:
• Reassigning IP addresses
• Making routing changes
• Defining new VLANs
• Possibly connecting new cables
Hard Work!
38

SOFTWARE-DEFINED DATA CENTERS
• Comes with filtering capabilities inside the networking fabric
• Reassigning IP addresses
• Making routing changes
• Defining new VLANs
• Possibly connecting new cables
• On-premise data center:
• Cisco ACI
• VMware NSX
• Public cloud:
• Amazon AWS
• Microsoft Azure
Old excuses are gone!
Technology is just the 1st step.
You still need to configure it!
39

NEXT CHALLENGES
• Where to place the segment boundaries?
• What filtering policy should you write ?
• So all legitimate business traffic is allowed!
• To do this – you just need to know all the legitimate traffic in the
data center, so you can write policy allowing it.
Naturally, you have perfectly accurate records
of all the application flows running through
the data center, so it’s easy. right?
40

FOR EVERYONE ELSE: APPLICATION DISCOVERY
• Need to:
• Detect all the network flows
• Annotate them with application name (“intent”)
• Aggregate & optimize “thin” flows into “fat” flows
• Put them in the filtering policy
• How:
• Netflow > AlgoSec AutoDiscovery
• Or Cisco Tetration
• Import into AlgoSec AppViz
• Results:
• Micro-segmentation knowhow
• Application name annotates current + future rules that support it
41

42 | Confidential
HOW IT’S DONE

46 | Confidential
Aggregate into ‘fat’ flows

WHAT TO DO NEXT?
ATTACHMENTS TAB
Connect with us on LinkedIn
Join the Raffle request a Ransomware Assessment Service
1 random winner will be selected for a free of charge assessment
Request your copy of:
• Cisco Zero Trust Security
• Ransomware Defense for dummies
Select

59 | Confidential
THANK YOU
HUIB KLAASSENS
BDM
JAN HEIJDRA
TECHNOLOGY EVANGELIST
YITZY TANNENBAUM
PRODUCT MARKETINGMANAGER

2021 01-27 reducing risk of ransomware webinar

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 2021 01-27 reducing risk of ransomware webinar

Similar to 2021 01-27 reducing risk of ransomware webinar (20)

More from AlgoSec

More from AlgoSec (10)

Recently uploaded

Recently uploaded (20)

2021 01-27 reducing risk of ransomware webinar