
Cisco Security Technical Alliances

Douglas Hurd – Technical Alliances


Outline
• CSTA: What is it?
• Why it matters
• Integration points & Use Cases
• Getting More information

"As the threat from the industrialized hackers grows, new, novel solutions will need to evolve to counteract the threat, so that our customers can defeat the attackers… Open architectures with best-of-breed solution providers are the only way to go. The era of the closed, black-box architectures is dead!"
John Negron, SVP WW Sales - Cisco Security
Cisco Security Technical Alliances is…
An umbrella program covering multiple partner ecosystems in the Security BU:
• ISE Ecosystem
• ASA SSP Partners
• Sourcefire Technology Partner Program
• Content
• AnyConnect
• ThreatGrid
Why you should care
Overwhelmed customers:
• Typically use dozens of different security products
• No one vendor does it all, so customers cherry-pick
• Want their security products to work together
• Are overwhelmed with event data and rely on a SIEM
Integration can spur automation and:
• Help with policy maintenance
• Speed response time
• Reduce time to resolve critical events
• Reduce TCO
Comprehensive Security Portfolio
Firewall & NGFW
• Cisco ASA 5500-X Series
• Cisco ASA 5500-X w/ NGFW license
• Cisco ASA 5585-X w/ NGFW blade
• FirePOWER NGFW
IPS & NGIPS
• Cisco IPS 4300 Series
• Cisco ASA 5500-X Series integrated IPS
• FirePOWER NGIPS
• FirePOWER NGIPS w/ Application Control license
• FirePOWER Virtual NGIPS
Advanced Malware Protection
• FireAMP
• FireAMP Mobile
• FireAMP Virtual
• AMP for FirePOWER
• Dedicated AMP FirePOWER appliance
Web Security
• Cisco Web Security Appliance (WSA)
• Cisco Virtual Web Security Appliance (vWSA)
• Cisco Cloud Web Security
Email Security
• Cisco Email Security Appliance (ESA)
• Cisco Virtual Email Security Appliance (vESA)
• Cisco Cloud Email Security
NAC + Identity Services
• Cisco Identity Services Engine (ISE)
• Cisco Access Control Server (ACS)
VPN
• Cisco AnyConnect VPN
UTM
• Meraki MX
Integration Points Across the Security Portfolio
• eStreamer API: send FireSIGHT event data to SIEMs
• Host Input API: collect vulnerability and other host info
• Remediation API: programmatic response to third parties from FireSIGHT configuration
• JDBC Database Access API: supports queries from other applications
• pxGrid: bi-directional context sharing framework for ISE and ecosystem partners
• MDM API: enables 3rd party MDM partners to make mobile device posture part of ISE access policy
• External RESTful Services (ERS): adds 3rd party asset data to the ISE inventory database
• ThreatGrid API: hand off suspicious files for analysis; automate submission of files for analysis / create custom or batch threat feeds
• SSA: Cisco and third party applications in a service chain
• Management API for ASA: third party management of ASA, policy auditing
• Other integration points: Cloud, ESA, WSA, AnyConnect
Cisco Security is committed to an extensible product portfolio because it helps our customers deploy the best possible defense.
CSTA Ecosystem Partners – Fire, ISE & More
eStreamer Explained
FireSIGHT Management Center
• Secure and efficient mechanism for moving event data from the Defense Center (the Sourcefire name for the FireSIGHT Management Center) to another platform
• Provides access to detailed event information, including metadata
• Used by the majority of Sourcefire customers
• Backwards compatible
[Figure: managed Device → Defense Center → eStreamer Client (SIEM / analytics platform)]
eStreamer, Syslog & CEF
FireSIGHT Management Center

                 Syslog               CEF 2.0              eStreamer
Data format      Unstructured text    Unstructured text    Structured, binary
Protocol         UDP                  UDP                  TCP
Secure           Unsecure             Secure with TLS      Secure
Delivery         Not acknowledged     Not acknowledged     Acknowledged
Packet data      No                   No                   Yes
Request-able     No                   No                   Yes
Extra data       No                   Some                 Yes
Flow records     No                   No                   Yes

Caveat: CEF is a message format, not a transport. It rides on syslog, so "secure with TLS" only holds when the syslog channel itself runs over TCP with TLS; plain UDP syslog is unauthenticated, unacknowledged and trivially spoofed, so an intrusion event sent that way can be silently lost or forged. eStreamer runs over TLS with a client certificate issued from the Management Center, and each event is acknowledged, so the receiver knows exactly what it has and has not seen.

Host Input API
FireSIGHT Management Center
• Augment the FireSIGHT database with third-party data
  → Vulnerability and OS info from active scanners
  → Enhance Impact Flag correlation
  → Populate existing or custom data fields
Remediation API
FireSIGHT Management Center
• Initiated by user-defined correlation rules
• Configure alerts and actions based on rules; can involve most kinds of events
  → Support single or multiple conditions, i.e., time of day, source IP, type of event, user ID
• Remediation can include executing a Perl script that parses event data fields for external consumption. Many possibilities:
  → Make a policy change
  → Use NAC to disconnect an IP
  → Initiate a digital forensics process
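Added example, not Cisco or Sourcefire code: the decision logic a remediation module should run before it acts. A correlation rule that quarantines whatever source address an intrusion event names is also a self-denial-of-service primitive for anyone who can spoof packets, so the script validates the address, refuses to touch infrastructure ranges, skips events the inline IPS already dropped, and only acts when FireSIGHT's impact flag says the target was vulnerable (or the rule is high priority). The argument order, the never-block ranges and the quarantine tool name are assumptions; the impact-flag meanings (1 vulnerable, 2 potentially vulnerable, 3 currently not vulnerable, 4 unknown target, 0 unknown) are the ones FireSIGHT displays.

```python
"""Decision logic for a FireSIGHT Remediation API module.

Added example, not Cisco or Sourcefire code. A remediation module is an external
program (Perl on the slide; any executable works the same way) that the
Management Center runs when a correlation rule fires, passing event fields as
arguments. Argument order, never-block ranges and the tool path are assumed.
"""
import ipaddress
import sys
from dataclasses import dataclass

# Automation must never block its own plumbing: management network, the SIEM
# that receives eStreamer events, DNS. Constructed ranges for illustration.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.53/32")]

QUARANTINE_TOOL = "/usr/local/bin/nac-quarantine"   # hypothetical partner NAC CLI


@dataclass
class Event:
    src_ip: str      # attacker address as reported in the intrusion event
    impact: int      # FireSIGHT impact flag, 0-4
    priority: int    # rule priority: 1 high, 2 medium, 3 low
    blocked: bool    # inline IPS already dropped the packet


def decide(event: Event) -> str:
    """Return 'block', 'skip' or 'refuse' for one intrusion event.

    The correlation rule already filtered on event type, time and user; these
    are the extra checks before an IDS event is allowed to reconfigure the network.
    """
    try:
        addr = ipaddress.ip_address(event.src_ip)
    except ValueError:
        return "refuse"          # never hand an unvalidated string to a CLI
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
        return "refuse"          # spoofed or meaningless source: blocking it is pointless or harmful
    if any(addr in net for net in NEVER_BLOCK):
        return "refuse"          # self-DoS guard: an attacker who spoofs these wins otherwise
    if event.blocked:
        return "skip"            # inline drop already happened; no second action
    if event.impact not in (1, 2) and event.priority != 1:
        return "skip"            # target not known vulnerable and rule not high priority
    return "block"


def build_command(event: Event) -> list[str]:
    """argv for subprocess.run(..., shell=False): no string interpolation into a shell."""
    return [QUARANTINE_TOOL, "--ip", str(ipaddress.ip_address(event.src_ip)),
            "--reason", f"firesight-impact-{event.impact}"]


def main(argv: list[str]) -> int:
    # Assumed exec_args order configured in the module: SRC_IP IMPACT PRIORITY BLOCKED
    if len(argv) != 5:
        print("usage: remediate.py SRC_IP IMPACT PRIORITY BLOCKED", file=sys.stderr)
        return 2
    ev = Event(argv[1], int(argv[2]), int(argv[3]), argv[4].lower() in ("1", "true", "yes"))
    action = decide(ev)
    if action == "block":
        # Replace the print with subprocess.run(build_command(ev), check=True) in production.
        print("would run:", " ".join(build_command(ev)))
    else:
        print(action, ev.src_ip)
    return 0 if action != "refuse" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Returning a distinct non-zero status for "refuse" lets the Management Center record the remediation as failed, which is what you want when a rule starts firing on addresses it must never act on.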
JDBC Database Access Explained
FireSIGHT Management Center
• Query all EVENT data: intrusion, discovery, user activity, correlation, connection, vulnerability, and application and URL statistics
• Query all HOST data
• Enables 3rd party reporting and analytics, including visualization
Integration Points for ISE (Cisco Identity Services Engine)
• MDM API: enables 3rd party MDM partners to make mobile device posture part of ISE access policy
• External RESTful Services (ERS): adds 3rd party asset data to the ISE inventory database
• pxGrid: bi-directional context sharing framework for ISE and ecosystem partners
Cisco ISE is an open ecosystem for ERS and pxGrid integration, with information posted on DevNet. MDM/EMM integration is by application only. To apply, reach out to: partnering-csta@cisco.com
pxGrid: Partners Connecting to Cisco Security Platforms…and to Other Partners
Authenticate → Authorize → Publish → Discover → Subscribe → Query
Cisco ISE as pxGrid Controller
[Figure: partner platforms around ISE as the pxGrid controller. Publishers announce context ("I have location!", "I have application info!", "I have sec events!", "I have identity & device!", "I have MDM info!"); consumers discover topics and take either a continuous publish flow (topic subscription) or a directed query for what they need ("I need app & identity…", "I need location & device-type", "I need identity & device…", "I need geo-location & MDM…", "I need location…").]
Cisco pxGrid Context-Sharing & Network Mitigation
Connecting Partners to Cisco Security Platforms
1. Cisco provides network context to customer IT platforms
   Cisco platform → eco-partner (context): Cisco shares user/device and network context with IT infrastructure
   Why customers care: puts "who, what device, what access" with events. Way better than just IP addresses!
2. Use eco-partner context for Cisco network policy
   Eco-partner → Cisco platform (context): Cisco receives context from eco-partners to make better network access policy
   Why customers care: creates a single place for comprehensive network access policy through integration
3. Help customer IT environments reach into the Cisco network
   Eco-partner → Cisco platform (action): mitigate in the Cisco network
   Why customers care: decreases time, effort and cost of responding to security and network events
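The six-step flow and the three context directions above, modelled as an added example (not Cisco code and not the pxGrid SDK, which in 2015 spoke XMPP over TLS): an in-memory controller that authenticates clients by certificate fingerprint and authorizes publish and subscribe per capability on the controller, so a subscriber such as a SIEM can read and query SessionDirectory (direction 1) but cannot inject identity records into the context other partners and ISE policy consume (direction 2). Client names, fingerprints and the session record are constructed; SessionDirectory is a real pxGrid 1.x capability name used here only as a label.

```python
"""In-memory model of the pxGrid flow: authenticate, authorize, publish,
discover, subscribe, query.

Added example, not Cisco code and not the pxGrid SDK. It models the controller
role ISE plays, with per-capability authorization, and omits the real transport.
All client names, fingerprints and records are constructed.
"""
from collections import defaultdict
from typing import Callable


class PxGridError(Exception):
    pass


class PxGridController:
    """Admits clients by certificate and grants each a publish/subscribe capability set."""

    def __init__(self, trusted: dict[str, str], grants: dict[str, dict[str, set[str]]]):
        self.trusted = trusted      # client name -> expected certificate fingerprint
        self.grants = grants        # client name -> {"publish": {...}, "subscribe": {...}}
        self.tokens: dict[str, str] = {}                 # session token -> client name
        self.publishers: dict[str, str] = {}             # capability -> publishing client
        self.query_handlers: dict[str, Callable] = {}    # capability -> directed-query handler
        self.subscribers: dict[str, list[Callable]] = defaultdict(list)

    # 1. Authenticate: the client presents its certificate; the controller checks it.
    def authenticate(self, name: str, fingerprint: str) -> str:
        if self.trusted.get(name) != fingerprint:
            raise PxGridError(f"{name}: certificate not trusted")
        token = f"tok-{name}-{len(self.tokens)}"
        self.tokens[token] = name
        return token

    # 2. Authorize: every later call is checked against the grants, never the client's claim.
    def _authorize(self, token: str, action: str, capability: str) -> str:
        name = self.tokens.get(token)
        if name is None:
            raise PxGridError("not authenticated")
        if capability not in self.grants.get(name, {}).get(action, set()):
            raise PxGridError(f"{name} not authorized to {action} {capability}")
        return name

    # 3. Publish: register as the source of a capability and push records to subscribers.
    def register_publisher(self, token: str, capability: str, query_handler: Callable = None):
        name = self._authorize(token, "publish", capability)
        self.publishers[capability] = name
        if query_handler is not None:
            self.query_handlers[capability] = query_handler

    def publish(self, token: str, capability: str, record: dict):
        self._authorize(token, "publish", capability)
        for callback in self.subscribers[capability]:
            callback(record)

    # 4. Discover: which capabilities currently have a publisher.
    def discover(self, token: str) -> dict[str, str]:
        if token not in self.tokens:
            raise PxGridError("not authenticated")
        return dict(self.publishers)

    # 5. Subscribe: receive the continuous flow of records for a capability.
    def subscribe(self, token: str, capability: str, callback: Callable):
        self._authorize(token, "subscribe", capability)
        self.subscribers[capability].append(callback)

    # 6. Query: a directed request answered by the publisher, not by the controller.
    def query(self, token: str, capability: str, request):
        self._authorize(token, "subscribe", capability)
        handler = self.query_handlers.get(capability)
        if handler is None:
            raise PxGridError(f"no publisher answers queries for {capability}")
        return handler(request)


def demo():
    """ISE publishes sessions; a SIEM subscribes and queries; the SIEM may not publish."""
    sessions = {"10.1.2.3": {"user": "alice", "device": "corp-laptop-17"}}   # constructed
    ctl = PxGridController(
        trusted={"ise": "AA:BB", "siem": "CC:DD"},
        grants={"ise": {"publish": {"SessionDirectory"}, "subscribe": set()},
                "siem": {"publish": set(), "subscribe": {"SessionDirectory"}}},
    )
    ise = ctl.authenticate("ise", "AA:BB")
    siem = ctl.authenticate("siem", "CC:DD")
    ctl.register_publisher(ise, "SessionDirectory", query_handler=lambda ip: sessions.get(ip))
    received: list[dict] = []
    ctl.subscribe(siem, "SessionDirectory", received.append)
    ctl.publish(ise, "SessionDirectory", {"ip": "10.1.2.3", **sessions["10.1.2.3"]})
    enriched = ctl.query(siem, "SessionDirectory", "10.1.2.3")   # IP -> who and what device
    try:
        ctl.publish(siem, "SessionDirectory", {"ip": "10.9.9.9", "user": "bogus"})
        rogue = "accepted"
    except PxGridError:
        rogue = "rejected"
    return received, enriched, rogue


if __name__ == "__main__":
    print(demo())
```

The point of keeping the grants on the controller is the one the slides make implicitly: the moment partner context feeds network access policy (direction 2), the integrity of each topic matters as much as its availability, so who may publish to SessionDirectory is decided by ISE, not by whoever holds a valid certificate.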
pxGrid – Industry Adoption Critical Mass as of June 2015
18 Partner Platforms and 9 Technology Areas Since Release 7 Months Ago
[Figure: "Security thru integration" wheel around pxGrid: IAM & SSO; SIEM & Threat Defense; Vulnerability Assessment; Net/App Performance; Packet Capture & Forensics; IoT Security; Cloud Access Security; Cisco ISE; Cisco WSA]
Integration Points Across the Security Portfolio
ThreatGrid, Cisco AnyConnect
• ThreatGrid API: hand off suspicious files for analysis
• AnyConnect SDK: VPN client provisioning and configuration for mobile and traditional compute
ThreatGrid and AnyConnect ecosystems are specific-purpose and by application only. If you have an integration idea, reach out to: partnering-csta@cisco.com
Advanced Malware Protection - ThreatGrid
ThreatGrid APIs
Get the most from existing security investments
• Cisco® AMP Threat Grid's REST API automates sample analysis, enrichment and reporting
  − Automate submission from numerous technologies (host or network)
  − Pull results into numerous technologies
[Figure: Threat Grid (malware analysis & threat intelligence) takes samples from your existing security at the gateway, network and endpoint (firewall, proxy, IPS/IDS, taps, SIEM, log management, security partners) and returns threat content enrichment and threat intelligence feeds]
Security Services Platform (SSP)
• Security Services Architecture (SSA): common architecture across virtual, physical and cloud
• Security Services Platform (SSP): platforms that run SSA and applications
Existing solution vs. new solution: today a sandbox appliance (x1), load balancer (x1), IDS/IPS (x4), NAT (x2), NG-firewall (x2) and web proxy (x4) are separate boxes; with SSP they run as applications on the Security Services Platform
Security Services Architecture (SSA)
[Figure: applications (FW, IPS, WEB, WAF, SSL, DDOS) running as a service chain on the SSA OS]
Check Out Related DevNet Security Sessions
• Cisco pxGrid Developers Learning Lab – in the DevNet Zone
• DEVNET-1123 - CSTA - Cisco Security Technical Alliances Overview
Tuesday, Jun 9, 2:00 PM - 2:30 PM
• DEVNET-1124 - Cisco pxGrid: A New Architecture for Security Platform Integration
Tuesday, Jun 9, 3:00 PM - 3:30 PM
• DEVNET-1010 - Using Cisco pxGrid for Security Platform Integration
Thursday, Jun 11, 9:00 AM - 10:00 AM
For More Information…
• DevNet Microsites:
https://developer.cisco.com/security
• pxGrid SDK, Tutorials & Test Tools:
http://cisco.com/go/pxgrid
• Forums:
https://supportforums.cisco.com/community/4561/security
• CSTA Partner Listing for Customers:
http://www.cisco.com/c/en/us/products/security/partner-ecosystem.html
Thank you
CSTA Partners at Cisco Live US 2015
• Stand 1624, Partner Village: SIEM and analytics platform. Collects data from FireSIGHT via eStreamer, and from ISE, WSA and ASA through syslog
• Stand 2501: 'Packet Broker' helps with many traffic visibility, maintenance and high availability architectures
• Stand 3128: Integrates with ISE. Provides important mobile device posture information
• Stand 1035: Integrates with ASA. Collects policy information for security risk modeling, change control, audit and compliance
• Stand 1624, Partner Village: pxGrid, endpoint posture information and transaction data from ISE
• Stand 2223: FireSIGHT Remediation API sends F5 host target information for real-time blocking
• Stand 3405: FireSIGHT's Host Input API collects vulnerability reports to augment threat data
• Stand 2211: Full packet capture and session analysis. Integrates with FireSIGHT via a community patch extending IPS event analysis
• Stand 2319: SIEM and analytics platform. Collects data from FireSIGHT via eStreamer, and from ISE, WSA, CSA, ASA and ThreatGrid through syslog
• Stand 1524: Integrates with ASA. Collects policy information for security risk modeling, change control, audit and compliance
• Stand 1301: 'Packet Broker' helps with many traffic visibility, maintenance and high availability architectures
• Stand 1324: Integrates with ASA. Collects policy information for security risk modeling, change control, audit and compliance
• Stand 3300: 'Packet Broker' helps with many traffic visibility, maintenance and high availability architectures
• Stand 2023: Infrastructure, load balancing and FireSIGHT Remediation API
• Stand 2517: 'Packet Broker' helps with many traffic visibility, maintenance and high availability architectures
Alliance Components and Expertise

Integration Area   Expert              Time Zone   Email
All                                                ask-csta-pm
ISE/pxGrid         Scott Pope          San Jose    scottp
ISE/pxGrid         Brian Gonsalves     San Jose    bgonsalv
SSA                Chris Morosco       San Jose    group.cmorosco
ThreatGrid         Dan Franklin        New York    dafrankl
Cloud              Jasper Chan         San Jose    jaspchan
FireSIGHT MC       Douglas Hurd        New York    dohurd
Competitive Eco    Shyue Hong Chuang   Singapore   schuang
