Security is a critical component of all the transformational shifts happening in the IT industry at large, and the network is becoming more relevant to it. These transitions are changing the security model.
Visibility into the new network isn’t the only challenge that IT faces. There continues to be a lingering disconnect between the goals and objectives of the Network and Security teams. What is needed is a holistic approach that addresses the big picture that the CEO is facing. You need a solution that drives these different objectives towards each other – that enables business acceleration while securing the entire distributed environment. But how do you do that?
An added benefit is that integrating security into the network also enables and supports consolidation of the network infrastructure. As the network becomes a broad and dynamic business environment, security based on that network moves from an overlay solution to a security architecture integrated into the network environment.
Embedding security within the network infrastructure achieves comprehensive visibility and scalable enforcement. Visibility from the network feeds up into the organization's policy; cloud-based global threat intelligence, reflecting the latest threat landscape, is applied to that policy, and enforcement is pushed back down into the network. The network changes from a source of information into a series of enforcement points.
The first step in defending against these attacks is to adopt a different strategy. This table categorizes common defense systems by where they are deployed (at the perimeter or on the network interior) and by their detection strategy (signature/reputation-based or behavior-based).

Cisco has traditionally positioned security products at the network perimeter using signature- and reputation-based methods. On the network interior, application-oriented security products such as email and web content inspection also use signature- and reputation-based methods.

All of these products are very good at eliminating known threats. Advanced persistent threats, however, are typically not known in advance, so signature-based security solutions are usually not very effective against them.

The alternative is behavior-based detection. This method uses pattern recognition to determine when network traffic deviates from its normal pattern, signaling a possible attack. Against advanced persistent threats, behavior-based detection has an edge because it does not require foreknowledge of the attack, only recognition of the abnormal pattern the attack produces.

At the network perimeter, the traditional behavior-based security product is the honeypot. It is an interesting technology, but it is used mostly for forensics and is beyond the scope of this discussion. Cisco's Cyber Threat Defense Solution operates on the network interior and is specifically designed around behavior-based threat detection.
The key to Cisco's Cyber Threat Defense Solution is NetFlow. NetFlow is a simple technology that Cisco created in the mid-1990s to provide visibility into the network. As packets pass between a source and destination, Cisco equipment groups those that share the same key fields (source and destination address, ports, protocol, type of service, input interface) into a "flow", records summary information about it, and exports that record to a device called a NetFlow Collector. A flow record does not carry the payload, but it tells you who talked to whom, over which protocol and ports, how much data was exchanged, and when and at what rate. That information describes network behavior, and with the right analysis it can also be used to detect threats.
When the exporter is an ASA firewall using NSEL (NetFlow Secure Event Logging), the records carry more than plain NetFlow:
- The Flow Action field provides additional context: whether the firewall created, tore down, or denied the flow.
- State-based NSEL reporting is taken into consideration in StealthWatch's behavioral analysis.
- Concern Index points are accumulated for Flow Denied events, so a host repeatedly blocked by the firewall still raises its score.
- NAT stitching: the pre-NAT and post-NAT addresses in the NSEL record let the collector tie an outside-facing flow back to the internal host that originated it.
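The following is an added example, not code from this presentation, from a NetFlow collector, or from StealthWatch. It makes the preceding points concrete: over a constructed set of NetFlow-like records that include an NSEL-style flow-action field, a reputation list catches only the flow whose destination is already known bad, while a behavioral pass baselines per-host volume, counts distinct peers, and accumulates concern-index points for denied flows, surfacing an internal host that no signature would name. Record fields, point values, and thresholds are assumptions for illustration; NAT stitching is not shown.

```python
"""Toy flow analyser contrasting reputation-based and behaviour-based detection.

Added illustration only: not Cisco, NetFlow-collector or StealthWatch code.
Record fields, point values and thresholds are assumptions, and the flows
below are constructed, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record as a collector might hold it (field names assumed)."""
    src: str
    dst: str
    dport: int
    proto: str
    bytes: int
    packets: int
    action: str  # NSEL-style flow action; "permitted"/"denied" are assumed labels


# Reputation/signature style: addresses known bad in advance (constructed list).
BAD_REPUTATION = {"203.0.113.66"}

# Behaviour style: points added to a host's concern index per observation (assumed).
DENIED_POINTS = 5    # each flow the firewall denied
FANOUT_POINTS = 20   # talking to an unusual number of distinct peers
VOLUME_POINTS = 30   # outbound volume far above the host's own baseline


def reputation_hits(flows):
    """Flows touching a listed address; cannot find anything not already listed."""
    return [f for f in flows if f.src in BAD_REPUTATION or f.dst in BAD_REPUTATION]


def concern_index(flows, baseline_bytes, fanout_threshold=10, volume_factor=5.0):
    """Accumulate concern-index points per source host from flow behaviour alone.

    baseline_bytes: per-host outbound bytes over a comparable earlier period,
    the 'normal' each host is judged against (constructed here).
    Returns (points_by_host, reasons_by_host); hosts with no points are omitted.
    """
    points = defaultdict(int)
    reasons = defaultdict(list)
    out_bytes = defaultdict(int)
    peers = defaultdict(set)

    for f in flows:
        peers[f.src].add(f.dst)
        if f.action == "denied":
            # A denied flow is still evidence: the host tried to reach something it should not.
            points[f.src] += DENIED_POINTS
            reasons[f.src].append(f"denied {f.proto}/{f.dport} to {f.dst}")
        else:
            out_bytes[f.src] += f.bytes

    for host, dsts in peers.items():
        if len(dsts) >= fanout_threshold:
            points[host] += FANOUT_POINTS
            reasons[host].append(f"{len(dsts)} distinct peers (scan-like fan-out)")

    for host, total in out_bytes.items():
        base = baseline_bytes.get(host)
        if base and total > base * volume_factor:
            points[host] += VOLUME_POINTS
            reasons[host].append(f"{total} bytes out vs baseline {base}")

    return dict(points), dict(reasons)


def sample_flows():
    """Constructed records: an internal host probes SMB on a dozen peers (denied by
    the firewall), then pushes a large transfer to an outside address that appears
    on no reputation list; two other hosts carry ordinary traffic."""
    flows = [Flow("10.1.1.20", f"10.1.2.{i}", 445, "tcp", 60, 1, "denied") for i in range(1, 13)]
    flows.append(Flow("10.1.1.20", "198.51.100.7", 443, "tcp", 50_000_000, 40_000, "permitted"))
    flows.append(Flow("10.1.1.30", "198.51.100.20", 443, "tcp", 120_000, 150, "permitted"))
    flows.append(Flow("10.1.1.40", "203.0.113.66", 80, "tcp", 2_000, 12, "permitted"))
    return flows


# Constructed per-host baselines (bytes out in a comparable earlier window).
BASELINE_BYTES = {"10.1.1.20": 2_000_000, "10.1.1.30": 150_000, "10.1.1.40": 100_000}


if __name__ == "__main__":
    flows = sample_flows()
    print("reputation hits:", [(f.src, f.dst) for f in reputation_hits(flows)])
    points, reasons = concern_index(flows, BASELINE_BYTES)
    for host, score in sorted(points.items(), key=lambda kv: -kv[1]):
        print(f"{host}: concern index {score}")
        for r in reasons[host]:
            print("   ", r)
```

Run stand-alone, the reputation pass reports only 10.1.1.40 talking to the listed address, while the behavioral pass scores 10.1.1.20 (twelve denied probes, thirteen distinct peers, and a transfer twenty-five times its baseline) without any prior knowledge of the destination or the tool involved. Real collectors keep the baseline per host and per time-of-day rather than as a single number, but the scoring shape is the same.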
Transcript:
So one of the things that I had mentioned before is that the traditional data center, we have the internal DC is everything below this line. Traditionally, in the past few years, many customers have not had any security south of this line. They would actually put all of their emphasis for enforcing policy and imposing any kind of transitions from a security or service perspective at this data center edge. Well, we're starting to find, as things change, is that a lot of what customers are doing from an East-West perspective, let's say, with server zones, even with compliance zones or other types of business-led practices, that we're starting to see this hard DC edge dissolve a little bit. Not that it's going away, but that customers are implementing the security zones or security boundaries a lot further into the network fabric. Now, the reason why it's so critical that we look at this and come to understand why this is important, is that when you deal with a network edge, a network edge is something that is pretty much equal across the board. I mean, almost every security product out there was really designed to operate at an edge. So a lot of times our customers are faced with situations where they're trying to choose from a product. And it could be our product, it could be a competitive product. They're going through a list of features. They're going through what we call data sheet warfare or actually looking at a variety of things. Our customers are looking at what they want. They like the interface. They like the management. They like the features, whatever it may be, but there isn't a lot of real cohesive networking components at the edge. I mean, it's an in and an out, an inside and an outside. It's pretty straightforward, and pretty much all vendors are relatively equal when it comes to dealing with edge networks. But when we start getting into the fabric, this is where things change drastically.
Because inside of the fabric, inside of a Nexus 7000 environment, 7K, 5K, 2K hierarchies with Endeavour on top of rack, et cetera, we're dealing with a completely different animal than we are at the edge. We're dealing with different criteria. We're dealing with different requirements. We're looking at the need, if we're going to add security here, we're looking at the need for security solutions to integrate natively with these data center networking technologies. This is not something that our edge competition can really do. This is something that Cisco does better than anyone because we're sitting side by side with our data center groups and the Nexus team, et cetera, when they're writing code, and we're able to make changes and adjustments to our products to make sure that they fit into the network.