#CiscoLive
BRKSEC-2176: Keeping Up with Zero Trust
Jerry Lin, Principal Security Architect, Global Security Architecture Team
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Abstract
Zero Trust principles have been followed by the industry, but customers are finding unexpected challenges along the way. Enforcing least-privilege access for all types of users appears to have failed to deliver a simple and easy user experience. Therefore, come and see the updated Zero Trust requirements that will help you get Zero Trust back on track. This session will cover the most commonly deployed use cases (i.e. ZTNA) that span the entire workflow from user to workload/data/application (north-south traffic) and from workload/data/application to data/application (east-west traffic). Attendees will walk away understanding that the Zero Trust journey must include access policies that span end-to-end.

About Jerry Lin
- 20+ years at Cisco; Security CCIE #6469
- Distinguished Speaker Hall of Fame at Cisco Live
- Coauthor, "NAC Appliance: Enforcing Host Security with CleanAccess", Cisco Press
- Cisco Security Reference Architecture
- Favorite sport: marathons! Boston

Cisco Webex App: Questions?
Use the Cisco Webex App to chat with the speaker after the session.
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.
https:/

Agenda
- Zero Trust Evolution
- Keeping Up with Zero Trust
- Zero Trust Use Cases
- Summary

What Zero Trust Means to Us
Never assume trust. Always verify. Enforce risk-based least privilege.

History and Evolution - Zero Trust (timeline)
- 1990s: Network segmentation
- 2001: 802.1X
- 2004: Jericho Forum, de-perimeterization
- 2010: Forrester coins "Zero Trust"
- 2013: Forrester NSG
- 2014: Google publishes its own implementation, "BeyondCorp"
- 2019: Gartner redefines CARTA, moves to ZTNA
- NIST publishes the ZT Architecture
- 2021: Federal Zero Trust Strategy; CISA Zero Trust Maturity Model
- 2022: DoD Zero Trust Reference Architecture (DISA & NSA)
Other labels on the timeline: Micro-Segmentation, Maturity.

Zero Trust Message Expansion
THEN ("where"): Cisco Zero Trust for Workforce; Cisco Zero Trust for Workplace; Cisco Zero Trust for Workloads.
NOW ("what, how, and why Cisco"): User & Device Security; Network & Cloud Security; Workload, Application & Data Security; Visibility/Analytics/Orchestration.

CISA Zero Trust Pillars - ZT Maturity Model
CISA = Cybersecurity and Infrastructure Security Agency
https://www.cisa.gov/sites/default/files/publications/CISA%20Zero%20Trust%20Maturity%20Model_Draft.pdf
Maturity levels: Traditional, Advanced, Optimal.
Characteristics called out on the slide: Dynamic; Continuous; Integrated; Optimized; Automated; behavior and posture analytics; suspicious and malicious behaviors.

DISA Zero Trust Framework
Defense Information Systems Agency: 7 pillars of the DoD ZT Architecture. Prepared by DISA and NSA (National Security Agency), July 2022.
https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf

NIST 800-207 Zero Trust Architecture
Control plane: the Policy Decision Point (Policy Engine + Policy Administrator) is fed by the CDM System, Industry Compliance, Threat Intelligence, Activity Logs, Data Access Policy, PKI, Identity Management and the SIEM System.
Data plane: Users and Systems reach Resources only through the Policy Enforcement Point (PEP).

What it takes to get Zero Trust right - Zero Trust requirements
- Establish Trust: user/device/service identity; posture + context; risk-based authentication
- Enforce Trust-Based Access: micro-segmentation; unified access control; least privilege + explicit trust
- Continuously Verify Trust: re-assessment of trust; indicators of compromise; shared signals; behavior monitoring (threat and non-threat activity)
- Respond to Change in Trust: vulnerability management; prioritized incident response; orchestrated remediation; integrated + open workflows

Zero Trust Use Cases

Security Reference Architecture (v3.11) - diagram; recoverable labels:
- Talos Threat Intelligence: actionable threat intelligence; collective responses; comprehensive visibility; signal identification; threat research & analysis
- Security Operations Toolset (XDR). Capabilities: open API platform & 3rd-party native integrations; risk-based vulnerability management; security analytics; security orchestration, automation & response; threat visibility, incident response & threat hunting. Products: Kenna | Secure Analytics | SecureX | Secure Client | Talos Incident Response
- Services: device discovery & insights; network detection & response; endpoint detection & response; custom threat research on demand; incident response retainer; implement and manage; managed detection & response; strategy & assessment
- SASE/Security Service Edge: Duo | Secure Connect | Umbrella
- SASE/Remote Worker: Cisco Secure Client (AnyConnect) | Umbrella | Secure Endpoint | Meraki Systems Manager | Duo | Secure E-mail | ThousandEyes
- SASE/SD-WAN: Meraki | Secure Firewall | ThousandEyes | Viptela SASE
- In the Office/Managed Location: Catalyst | DNAC | ISE | Meraki | Secure Firewall | Secure Network Analytics | Web Appliance
- Industrial Threat Defense: DNAC | Cyber Vision | Industrial Networking | ISE | Secure Firewall | Secure Network Analytics
- Hybrid Multi-Cloud: ACI | Cloud Insights | Panoptica | Radware | Secure Application | Secure Endpoint | Secure Firewall | Secure Cloud Analytics | Secure Workload
- Domains: User/Device Security; Cloud Edge Network; On-Premises Network; Workload, Application, and Data Security; Zero Trust
- Capability labels spread across the diagram: TLS decryption; segmentation; profiling; threat mitigation; visibility; security analytics & logging; DNS-layer security; anomaly detection; compliance; identity/pxGrid; group tag classification and propagation; application network gateway; configuration orchestration; content filtering; encrypted visibility; analytics; application performance optimization; cloud-based orchestration; Cloud OnRamp; cloud access security broker; ruggedized; network access control; network security analytics; digital experience monitoring; IPsec VPN; integrated security; FWaaS; secure web gateway; NGFW; middle-mile optimization; anti-virus/anti-malware; cloud managed; continuous trust; mobile device management; email (phishing, SPAM, BEC, DLP, content filtering); host FW; posture; telemetry/visibility; query; passwordless; risk-based MFA; endpoint detection & response; secure web; VPN; device trust; NGIPS; data loss prevention; remote browser isolation; Zero Trust Network Access; cloud malware detection; RAaaS; tenant restrictions; browser access control; identity/posture; cloud analytics; API security; app discovery; cloud native security; cloud posture management; DDoS, WAF/bot; micro/macro segmentation; run-time application; data access & integrity

Zero Trust Use Cases (overview)
- Remote User: ZT access to public SaaS; ZTNA to private apps; client-based VPN private app access; Secure Connect (VPNaaS)*; unified ZTNA client (roadmap)
- On-Premises User & IOT (on-premises and branch): Campus .1x/MAB to public SaaS; Campus .1x/MAB to private apps; Branch .1x/MAB to public SaaS; Branch .1x/MAB to private apps
- App-to-App (app-to-app security): App-to-App across multi-cloud

Secure Remote Worker - Public SaaS/Internet

Zero Trust - Secure Remote Worker: trusted device; browser to public SaaS/Internet
Flow: Remote User (managed device; SAML or AD (on-prem) auth; Duo SSO; identity MFA) -> cloud security services (Device Posture Health, CASB/DLP, IDS/IPS, DNS security, Remote Browser Isolation, Secure Web Gateway, NGFW) -> Internet/SaaS provider (consumer).
Corporate security controls: no VPN; browser access; managed & trusted device; EDR protection; cloud security services.

Risks: Remote Worker to SaaS/Internet
Business Driver | IT Risk | Cybersecurity Risk
Employee retention & satisfaction in competitive market | Complex user support | Phishing, identity theft
Lower TCO of business applications using SaaS | IT resilience in cloud platform | Data leakage
Employee productivity with secure access | Complex administrative policy | Unauthorized access to sensitive data; potential data loss

Remote Worker to public SaaS/Internet - capabilities workflow
- Remote Employee, Trusted Device. Endpoint Security: Anti-Virus; Anti-Malware; DNS Security Connector; Device Health Connector; Web Security Connector; Mobile Device Management; USB Control. Risk-based Auth (Duo), DHA.
- Secure Internet Gateway: Network Anti-Malware; Remote Browser Isolation; Application Visibility Control (AVC); Intrusion Prevention; Web Category Filtering; Data Loss Prevention (DLP); Cloud Access Security Broker; DNS Security; Web Reputation Filtering; Firewall; TLS/SSL Decryption; Malware Sandboxing.
- Destination: SaaS/Internet.

Zero Trust: Duo Risk-Based Authentication
Risk-Based Authentication and Session Trust Analysis implement the Zero Trust principle "Never assume trust, always verify": the user starts authentication, gains the right access and session, and works securely from any device or location.

Duo Risk-Based Authentication
Risk signals: Device Trust; GeoIP; Wi-Fi Fingerprint; Historical Auths
-> risk signal analysis ->
Outcomes: Block; Verified push; Passwordless; 2FA; Remembered session
-> corporate resources

Risk-Based Authentication: Wi-Fi Footprint
Anonymized Wi-Fi network data provides a strong risk signal.
- Low risk, familiar network footprint: Network 1 = Home, Network 2 = Office, Network 3 = 5G; HomeFi and the close coffee shop are the usual Wi-Fi access.
- High risk, novel network footprint: New Network, CoffeeWifi, Unfamiliar 5G, Unfamiliar Location.
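The Duo slides above describe risk-based authentication as signals (device trust, GeoIP, Wi-Fi fingerprint, historical auths) feeding an analysis that picks an outcome (block, verified push, 2FA, remembered session). The following is an added example, not Cisco or Duo code: the signal weights, thresholds and the overlap rule for a "familiar" Wi-Fi footprint are assumptions chosen to show the flow, including the learning step that turns a verified login from a new network into a familiar footprint.

```python
"""Risk-based authentication (RBA) decision flow modelled on the Duo slides.

Added example, not Cisco or Duo product code. Weights, thresholds and the
FAMILIAR_OVERLAP rule are assumptions; the real scoring is not on the slides.
"""
from dataclasses import dataclass, field
import hashlib


def anonymize_wifi(networks):
    """Hash visible network names so footprints compare without storing raw SSIDs."""
    return frozenset(hashlib.sha256(n.encode()).hexdigest()[:16] for n in networks)


@dataclass
class UserHistory:
    """What past successful authentications taught us about this user."""
    known_countries: set
    known_footprints: list = field(default_factory=list)  # frozensets of hashes
    recent_failures: int = 0


@dataclass
class AuthAttempt:
    user: str
    device_trusted: bool      # Device Trust signal (managed, healthy endpoint)
    country: str              # GeoIP signal
    visible_networks: list    # raw Wi-Fi fingerprint; anonymized before analysis


# Assumed weights per slide signal (constructed for this example).
W_UNTRUSTED_DEVICE = 3
W_NEW_COUNTRY = 3
W_NOVEL_WIFI = 2
W_NO_WIFI = 1
W_FAILURE_STREAK = 2
FAMILIAR_OVERLAP = 0.5   # share of a stored footprint that must be visible again


def wifi_is_familiar(footprint, history):
    """A footprint is familiar if it re-sees at least half of some known footprint."""
    for known in history.known_footprints:
        if len(footprint & known) / len(known) >= FAMILIAR_OVERLAP:
            return True
    return False


def analyze(attempt, history):
    """Return (risk_score, reasons) from the four slide signals."""
    score, reasons = 0, []
    if not attempt.device_trusted:
        score += W_UNTRUSTED_DEVICE
        reasons.append("device not trusted")
    if attempt.country not in history.known_countries:
        score += W_NEW_COUNTRY
        reasons.append(f"new country {attempt.country}")
    footprint = anonymize_wifi(attempt.visible_networks)
    if not footprint:
        score += W_NO_WIFI
        reasons.append("no wifi footprint")
    elif not wifi_is_familiar(footprint, history):
        score += W_NOVEL_WIFI
        reasons.append("novel wifi footprint")
    if history.recent_failures >= 3:
        score += W_FAILURE_STREAK
        reasons.append("recent failed auths")
    return score, reasons


def decide(score):
    """Map risk to one of the slide's outcomes (passwordless is not modelled)."""
    if score == 0:
        return "remembered_session"
    if score <= 2:
        return "2fa"
    if score <= 5:
        return "verified_push"
    return "block"


def authenticate(attempt, history):
    """Full flow: signals -> analysis -> outcome, with the reasons kept for audit."""
    score, reasons = analyze(attempt, history)
    return decide(score), score, reasons


def record_success(attempt, history):
    """Learning step: a verified login makes this footprint and country familiar."""
    footprint = anonymize_wifi(attempt.visible_networks)
    if footprint and not wifi_is_familiar(footprint, history):
        history.known_footprints.append(footprint)
    history.known_countries.add(attempt.country)
    history.recent_failures = 0


if __name__ == "__main__":
    # Constructed sample user: one known home footprint, one known country.
    hist = UserHistory({"US"}, [anonymize_wifi(["HomeNet", "HomeNet-5G"])])
    for a in (AuthAttempt("alice", True, "US", ["HomeNet", "HomeNet-5G"]),
              AuthAttempt("alice", True, "US", ["CoffeeWifi", "Unfamiliar5G"]),
              AuthAttempt("alice", False, "BR", ["CoffeeWifi"])):
        print(a.visible_networks, "->", authenticate(a, hist))
```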
RBA triggers Verified Push to establish trust (screenshot).

Remote user with managed device: accessing public SaaS/Internet - recommendations
- Establish Trust: Risk-based Auth (Duo), DHA, identity: BYOD, verified push, posture, MDM, trusted endpoint
- Enforce Trust-Based Access: SIG (Umbrella): SWG, DNS, cloud DLP, tenant controls, and RBI
- Continuously Verify Trust: Duo CTA (continuous verification of trust); Secure Endpoint: threats on the disk, memory, fileless threats, and threat hunting, response, and USB control
- Respond to Change in Trust: Duo & Cisco XDR orchestration

Secure Remote Worker - Private App Access - No VPN Client, AKA "Zero Trust Network Access (ZTNA)"

Zero Trust Network Access - Remote Worker: private app access through an application proxy
Flow: Remote Worker (managed device; Duo SSO; passwordless; identity MFA) -> cloud (Device Posture Health, CASB/DLP, IDS/IPS, DNS security, Remote Browser Isolation, Secure Web Gateway, Application Proxy, NGFW) -> Private DC/IaaS. http/https go through the Application Proxy; SSH, RDP and SMB still backhaul to private apps through the VPN head-end.

ZTNA: Remote worker to private apps
Business Driver/Risk | IT Risk | Cybersecurity Risk
Employee retention & satisfaction in competitive market | Complex user support (multiple access methods, multiple agents, etc.) | Phishing, identity theft, malware, SPAM, virus, etc.
Intellectual property protection requires retaining legacy apps | Maintaining access to legacy apps which don't support modern authentication methods | Consistency of access control policies on a per-app basis between legacy and modern apps
Business continuity requires retaining critical legacy apps | Maintaining legacy infra and controls (on-prem & cloud) | Vulnerabilities due to lack of updates/patching, no granular access controls

ZTNA: Remote Worker to Private Apps, no VPN - capabilities
- Remote Employee, Trusted Device. Endpoint Security: Anti-Virus; Anti-Malware; DNS Security Connector; Device Health Connector; Web Security Connector; Mobile Device Management. Device Posture Assessment; Identity Authorization; Multi-Factor Authentication; SAML & SSO.
- Secure Internet Gateway / Application Proxy: Web Application Firewall; DDoS Protection; Network Anti-Malware; Application Visibility Control (AVC); Intrusion Prevention; Firewall; Malware Sandbox.
- Data Center Security, Private App (any tcp/udp) (Private DC/IaaS): Application Dependency Mapping; Continuous Vulnerability Scanning; Process Anomaly Detection & Forensics; Policy Generation, Audit & Change Management; Tagging; Runtime Application Security Protection; Application Workload Security; Micro-segmentation; Patch Management.

Cisco Private App: D - Cisco Internal Network
DNG Controller; Global Server Load Balancer; three regions (US-East, US-Central-1, US-Central-2), each with a Load Balancer in front of three "Portal" instances; Admin Servers.

ZTNA Architecture Options - connectivity versus security
Three ways for a Remote Worker to reach the Private DC/IaaS, as labelled in the diagram, each with an "Add Security" annotation: (1) a managed cloud Application Proxy; (2) a cloud app broker with application connectors in the Private DC/IaaS; (3) a security appliance with an Application Proxy, connected over IPsec to cloud services.

ZTNA: Remote Worker to Private App - recommendations
Remote User, Trusted Device -> Private App (web/ssh/rdp) (Private DC/IaaS).
- Establish Trust: Duo Multi-Factor Authentication, Cisco Duo Health Application: EDR, DHA posture, Duo SSO, PWL, RBA/verified push
- Enforce Trust-Based Access: Duo Network Gateway: limited application proxy ports/protocols (*SSE: all ports/protocols, roadmap)
- Continuously Verify Trust: Cisco Secure Network & Cloud Analytics, Secure Firewall, Cisco Secure Workload: DHA, Secure Workload, NDR, NGFW
- Respond to Change in Trust: Cisco XDR: orchestration, automation, response

Unified ZTNA Client (*roadmap) - unified agent or clientless
Step 1. User authentication and device trust.
Step 2. Transport method is auto-selected; the client transparently secures the connections needed:
- Internet / SaaS apps: redirected transparently to the SSE cloud; CASB/DLP protections inline and via API; app bypass also supported
- Private traditional apps: RA-VPN gives full network access for existing applications
- Private modern apps: ZTNA gives controlled access to selected applications

Secure Remote Worker - Private App Access - Full VPN Client - "Secure Connect" service

Traditional VPN Access or "Secure Connect"
The Remote Worker (managed device; identity MFA; Device Posture Health) reaches the Private DC/IaaS either through Secure Connect (cloud VPNaaS with security services: FW, IPS, malware, etc.; IPsec backhaul; Application Proxy) or through a traditional VPN terminated on an on-premise NGFW.

Remote User (VPN) to Private Applications
Business Driver/Risk | IT Risk | Cybersecurity Risk
Employee retention & satisfaction in the competitive market | Complex user support; privileged users accessing unsupported apps and IT infrastructure administration | Phishing, identity theft, unrestricted access, misconfiguration
Intellectual property protection requires retaining legacy apps | Maintaining access to legacy apps which don't support modern authentication methods | Consistency of access control policies on a per-app basis between legacy and modern apps
Business continuity requires retaining critical legacy apps | Maintaining legacy infra and controls (on-prem & cloud) | Vulnerabilities due to lack of updates/patching, no granular access controls

Remote Worker VPN to Private Apps (any port/protocol) - capabilities
Same capability workflow as the ZTNA slide, with Remote Access VPN as the transport instead of the application proxy: Remote Employee, Trusted Device (Endpoint Security, Device Posture Assessment, Identity Authorization, Multi-Factor Authentication, SAML & SSO); Secure Internet Gateway (Web Application Firewall, DDoS Protection, Network Anti-Malware, AVC, Intrusion Prevention, Firewall, Malware Sandbox); Data Center Security for the Private App (any tcp/udp) with Application Dependency Mapping, Continuous Vulnerability Scanning, Process Anomaly Detection & Forensics, Policy Generation/Audit & Change Management, Tagging, Runtime Application Security Protection, Application Workload Security, Micro-segmentation and Patch Management.

Cisco Secure Client - unified security services
- Cisco Secure Client = (rebranded) AnyConnect 5.x + (rebranded) Secure Endpoint 8.x
- The new combined client is more efficient than the standalones
- Cloud managed by SecureX; Device Insights provides a comprehensive inventory
- Simple migration: if you could do it in AnyConnect 4.x, you can do it in CSC 5.x; if you could do it with Secure Endpoint 7.x, you can do it with CSC 5.x

Cloud Management (managed from the SecureX Cloud UI)
- Deployments: groups of endpoints that get specific modules + configs
- "Groups" are coming in a future version and can assign entire groups to a Deployment
- Secure Endpoint and traditional AnyConnect modules; version locked

Remote Worker VPN to Private Apps - recommendations
- Establish Trust: Duo Multi-Factor Authentication, Cisco Duo Health Application: new secure client, MFA, verified push, posture, EDR
- Enforce Trust-Based Access: Identity Services Engine, Secure Firewall, Cisco Secure Workload: pxGrid/segmentation, app discovery, enforcement
- Continuously Verify Trust: Secure Network and Cloud Analytics, Secure Firewall: dynamic access control policy, NDR, enforcement
- Respond to Change in Trust: Cisco XDR: orchestration, automation, response

On-Premises Access - Public SaaS & Internet - On-Prem/Branch Worker

Zero Trust Use Cases: On-Premises Employee and IOT to Public and Private Apps
HQ/Hub/Region: on-prem employee (trusted device) and IOT/OT, authenticated through ISE. Branch: branch employee (trusted device) and IOT/OT. SD-WAN with DIA to the Internet for public SaaS; SD-WAN fabric to the private app.

On-Premises Worker to Public SaaS/Internet
Office Worker (managed device; Identity Services Engine; 802.1X or MAB) -> on-premises NGFW -> SD-WAN (Application Aware Routing, Application Visibility, Segmentation, Multi-cloud Access, Hierarchical Topologies, App-to-App) -> SASE/SSE Security Service Edge (CASB/DLP, IDS/IPS, DNS security, Remote Browser Isolation, Secure Web Gateway) -> Internet/SaaS provider.

On-premise worker to public SaaS/Internet
Business Driver | IT Risk/Initiative | Cybersecurity Risk
Employee productivity; return to work | Aging on-premise security and maturity | (not stated)
Improved application performance and user experience | Direct Internet Access; IPsec tunnel management to the Security Service cloud | Malware, data leakage, ransomware, etc.
Improve employee satisfaction or employee retention | Aging technology, poor performance | Lack of visibility and control, new threats

On-premise branch user to public SaaS/Internet - capabilities
- On-prem branch Employee, Trusted Device. Endpoint Security: Anti-Virus; Anti-Malware; DNS Security Connector; Device Health Connector; Web Security Connector; Mobile Device Management.
- SD-WAN: Identity Authorization; Identity Access Policy; Tagging; Multi-Factor Authentication.
- Secure Internet Gateway: Network Anti-Malware; Remote Browser Isolation; Application Visibility Control (AVC); Intrusion Prevention; Web Category Filtering; Data Loss Prevention (DLP); Cloud Access Security Broker; DNS Security; Web Reputation Filtering; Firewall; TLS/SSL Decryption; Malware Sandboxing.
- Destination: Public Application (SaaS).

Anycast routing
- Automatic data center failover; no need for failover tunnels
- Same peer address for the DCs
- Can peer with multiple regions for higher availability / faster failover
- Failure detected by IKE DPD; in case of primary failure, uses the secondary DC in the same region
- Diagram: Branch -> US-1 Region: Los Angeles 146.112.67.8, Santa Clara 146.112.66.8
- Auto-tunnels supported on SD-WAN routers/Viptela, Meraki MX, Firepower NGFW, ASA

In FMC 7.3 - new in 7.3 (screenshot).

On-premise branch user to public SaaS/Internet - recommendations
- Establish Trust: Duo Multi-Factor Authentication, Cisco Secure Endpoint: new secure client, 802.1x, MFA, verified push, posture, EDR
- Enforce Trust-Based Access: Identity Services Engine, Secure Firewall, Cisco Umbrella Secure Internet Gateway: pxGrid/segmentation, Umbrella/SSE, enforcement, auto-tunnel/failover
- Continuously Verify Trust: Secure Network Analytics, Secure Firewall: dynamic access control policy, NDR, enforcement
- Respond to Change in Trust: Cisco XDR: orchestration, automation, response

On-premises Access - user & IOT to private apps

On-Premise branch user & IOT to private apps
Campus LAN (user/device, IdP, TrustSec segmentation, Secure Workload) and IOT LAN -> Firewall -> WAN/LAN over IPsec -> Private DC/IaaS (network, Firewall, Secure Workload).

On-Premise branch user & IOT to private apps
Business Driver/Risk | IT Risk | Cybersecurity Risk
Employee productivity | Aging on-premise security controls and their maturity | Unauthorized access
Intellectual property protection requires retaining legacy apps | Maintaining access to legacy apps which don't support modern authentication methods | Consistency of access control policies on a per-app basis between legacy and modern apps
Business continuity requires retaining critical legacy apps | Maintaining legacy infra and controls (on-prem & cloud) | Vulnerabilities due to lack of updates/patching, no granular access controls

On-prem user & IOT to private applications (DC/IaaS) - capabilities
- Trusted Device and Programmable Logic Controller. Endpoint Security: Anti-Virus; Anti-Malware; DNS Security Connector; Device Health Connector; Web Security Connector; Mobile Device Management. Identity Authorization; Identity Access Policy; Tagging; Multi-Factor Authentication.
- Data Center Security: Web Application Firewall; DDoS Protection; Network Anti-Malware; Application Visibility Control (AVC); Intrusion Prevention; Firewall; Malware Sandbox.
- Private Application (DC/IaaS): Application Dependency Mapping; Continuous Vulnerability Scanning; Process Anomaly Detection & Forensics; Policy Generation, Audit & Change Management; Tagging; Runtime Application Security Protection; Application Workload Security; Micro-segmentation; Patch Management.

Continuously Verify Trust with Secure Network Analytics (Stealthwatch): Stealthwatch network anomaly detections (screenshot).
Continuously Verify Trust with Secure Cloud Analytics (Stealthwatch Cloud): Secure Cloud Analytics detections (screenshot).
Demo: see BRKSEC-2182.

On-prem Employee and IOT to Private Apps - recommendations
- Establish Trust: Identity Services Engine, Duo: verified push, ISE posture, pxGrid/segmentation
- Enforce Trust-Based Access: Cisco Cyber Vision, Cisco Secure Workload, Programmable Logic Controller: enforcement
- Continuously Verify Trust: Secure Network and Cloud Analytics, Secure Firewall: dynamic access control policy, NDR, enforcement
- Respond to Change in Trust: Cisco XDR: orchestration, automation, response

Securing private application across multi-cloud

Application Security - every layer is critical!
- Application code: SAST, DAST, SCA
- Application runtime: Java, .Net, Container, API, Serverless
- Workload & Cloud infrastructure: app-aware micro-segmentation at host, macro-segmentation in cloud, advanced threat protection in firewalls
- Kubernetes infrastructure: CI/CD, pod standards, image registry, Service Mesh

Application: API calls between microservices across multiple cloud providers
Two application workload stacks, each protected by Application Dependency Mapping, Continuous Vulnerability Scanning, Process Anomaly Detection & Forensics, Policy Generation/Audit & Change Management, Tagging, Runtime Application Security Protection, Application Workload Security, Micro-segmentation and Patch Management. Data Center/Cloud Edge Security between them: Network Anti-Malware; Application Visibility Control (AVC); Intrusion Prevention; Firewall; Malware Sandbox.

Achieving the ZT framework with Cisco Secure Workload
- Baseline workload protection posture: process behavior; application insights; SW vulnerabilities; network communications; threat intel
- Policy violations; process anomalies
- Unified policy: merge intent from multiple stakeholders; assess impact; enforcement; compliance alerts; baseline policy

Enforce Trust with Cisco Secure Workload - unified policy across host, network and cloud
Host-based; Network: Secure Firewall firewall policies; Cloud: AKS, EKS.
(Four following slides are screenshots with no extractable text.)

Achieving ZT within Cloud Native Apps

Application Architectures have evolved
Browser -> Ingress -> frontend (HTTP) -> billing, payment (tcp), 3rd-party services, telemetry; data stores PgSQL and NoSQL (tcp/SQL).

Enabling security across the full app stack
Dev -> CI/CD -> Deployment -> Runtime ("shift left"). Security: Application Composition; Connection and API Assessment; Policy Control; Governance.

Panoptica; MITRE ATT&CK Framework (screenshot).
Continuous Integration Risk Visibility (screenshot).
Serverless Comprehensive Risk Findings (screenshot).

Security of an API
frontend -> bookings. Checks shown: AuthN token; spec analysis; Broken Object Level AuthZ; Broken Function Level AuthZ. OpenAPI Spec (Swagger): POST /reservation with request data (JSON), response data (JSON) and header data (key/value); GET /reservation/moid with header data (key/value) and response data (JSON). AuthN and AuthZ are evaluated on each call.

API Security Dashboard - third-party APIs (screenshot).
API Risk Findings (screenshot).

Deployment Policy - Architecture and Environment
Policies can be created to ensure only certain workloads are deployed into permitted, target environments.

Deployment Policy - Prevent Risky Workloads
If an image is determined to be risky from our vulnerability assessments, Panoptica can block the deployment to any or all cluster environments.
109、rved.Cisco Public#CiscoLiveJava runtimeCustomer applicationAPM AgentAppDynamics with Cisco Secure ApplicationApplications clients/usersAppSec3New collaboration with AppSec teamsPolicies and vulnerability/breach in context3PlatformApp2New security insights and action for App/Platform teamsContext spe
110、cific to application21New security functionalityIn and through AppDynamics“Check-box”integration1Secure ApplicationSecureApplication functionality1Deeper dive&demo-https:/ 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveEstablish Trust with Cisco Secure AppS-BoM and Vulner
111、ability MappingTriageDetected on deploy and throughout runtimeCVE Data(NIST)Impacted App/Tier/NodeLibraries,Headers,Logging,ExceptionsStatus ManagementBRKSEC-217686 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveContinually Verify Trust with Cisco Secure AppAttack info ti
112、ed to application contextDetailed insight for risk prioritizationTimeline of events to assess scope and methodology of attackAttack Source App Correlation App/Tier/Node/BTBRKSEC-217687Bringing it all together 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive User/Device Use
113、r/Device-Adaptive MFA,Remote Access VPN,Reverse Proxy,SAML/SSO Gateway,EDR Network/Cloud Network/Cloud SD-WAN,SIG Cloud Infra Visibility&Segmentation,NGFWv,WorkloadsWorkloads-Workload based seg and app visibility Applications Runtime Security of microservices and containers,FaaS Visibility,NGFWcZero
114、 Trust Capabilities to SECURE THE CLOUD ACCESS TRANSITIONZero Trust Capabilities to SECURE THE APP TRANSITIONCloud Infrastructure SecurityWorkload SecurityApplication SecurityCloud Access(SASE)Identity&AccessManagementThreat ResponseObservability&Telemetry3452671Secure the App TransitionSecure the A
115、pp Access TransitionThe Big PictureSecuring the User,Device&Application TransitionsBRKSEC-217689 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveTake AwaysFollow our Zero Trust use casesDraw out your Zero Trust use cases and workflowsIdentify any potential gapsCommunicate
116、Risks involvedThink complete Zero Trust architectureZTNA is only a small portion of overall ZTZero Trust policy should be end-to-end BRKSEC-217690 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveFill out your session surveys!Attendees who fill out a minimum of four session
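The two authorization failures named on the "Security of an API" slide (Broken Object Level AuthZ and Broken Function Level AuthZ), shown on a toy bookings API with the slide's reservation lookup, as an added example that is not Cisco or Panoptica code; the tokens, users, reservation store and the admin-only delete function are all constructed for illustration:

```python
"""Added example (not Cisco/Panoptica code): the two authorization failures named
on the 'Security of an API' slide, on a toy bookings API. All tokens, users and
reservation data are constructed; the admin-only delete function is assumed."""

# Constructed bearer tokens -> (user, role). A real service would validate a
# signed JWT or OAuth token here instead of consulting a table.
TOKENS = {"tok-alice": ("alice", "customer"),
          "tok-bob": ("bob", "customer"),
          "tok-ops": ("ops", "admin")}

# Constructed reservation store, keyed by reservation id.
RESERVATIONS = {101: {"owner": "alice", "flight": "SFO-LAS"},
                102: {"owner": "bob", "flight": "LAS-SFO"}}

def authenticate(headers):
    """AuthN: resolve the Authorization header to (user, role), or None."""
    token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    return TOKENS.get(token)

def get_reservation_vulnerable(headers, rid):
    """Broken Object Level AuthZ: the token is valid, but nothing ties the
    requested reservation id to the caller, so any user reads any record."""
    if authenticate(headers) is None:
        return 401, None
    rec = RESERVATIONS.get(rid)
    return (200, rec) if rec else (404, None)

def get_reservation(headers, rid):
    """Fixed: the object-level check compares the record owner with the
    caller; admins may read any record."""
    identity = authenticate(headers)
    if identity is None:
        return 401, None
    user, role = identity
    rec = RESERVATIONS.get(rid)
    if rec is None or (role != "admin" and rec["owner"] != user):
        return 404, None  # same answer for missing and foreign ids: no id oracle
    return 200, rec

def delete_reservation(headers, rid):
    """Function-level AuthZ: deletion is an admin-only function, so the role
    is checked before the object is looked up (no BFLA)."""
    identity = authenticate(headers)
    if identity is None:
        return 401, None
    if identity[1] != "admin":
        return 403, None
    return (204, None) if RESERVATIONS.pop(rid, None) else (404, None)
```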
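An admission-style check that implements the two deployment policies from slides 80 and 81 (permitted target environments, and blocking images whose vulnerability assessment is risky), as an added example and not Panoptica's own logic; the environment policy, registries, image names and scan results are constructed:

```python
"""Added example (not Panoptica code): an admission-style deployment policy
check in the spirit of slides 80-81. Environments, registries, image names
and scanner results are all constructed for the example."""

# Which image registries may deploy into which cluster environment, and the
# lowest finding severity that blocks a deployment there.
ENV_POLICY = {
    "dev":  {"allowed_registries": ["registry.example.test/dev",
                                    "registry.example.test/prod"],
             "block_severity": "CRITICAL"},   # only criticals block in dev
    "prod": {"allowed_registries": ["registry.example.test/prod"],
             "block_severity": "HIGH"},       # high or worse blocks in prod
}
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scanner output: image reference -> worst finding severity.
# A scanner reports per-CVE findings; the worst one is enough for the gate.
SCAN_RESULTS = {
    "registry.example.test/prod/bookings:1.4.2": "MEDIUM",
    "registry.example.test/prod/frontend:2.0.0": "HIGH",
    "registry.example.test/dev/payment:0.9.0": "CRITICAL",
}

def image_registry(image):
    """'host/ns/name:tag' -> 'host/ns' (drop the final path component)."""
    return image.rsplit("/", 1)[0]

def admit(pod_spec, environment):
    """Return (allowed, reasons) for deploying pod_spec into environment.
    pod_spec follows the Kubernetes shape {"spec": {"containers": [{"image": ...}]}}."""
    policy = ENV_POLICY.get(environment)
    if policy is None:
        return False, [f"unknown environment {environment!r}"]
    threshold = SEVERITY_RANK[policy["block_severity"]]
    reasons = []
    for c in pod_spec["spec"]["containers"]:
        image = c["image"]
        if image_registry(image) not in policy["allowed_registries"]:
            reasons.append(f"{image}: registry not permitted in {environment}")
        worst = SCAN_RESULTS.get(image)
        if worst is None:   # fail closed: no assessment means no deployment
            reasons.append(f"{image}: no vulnerability assessment on record")
        elif SEVERITY_RANK[worst] >= threshold:
            reasons.append(f"{image}: {worst} finding at or above "
                           f"{policy['block_severity']} threshold")
    return (len(reasons) == 0), reasons
```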
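Mapping an S-BoM to CVE data and rolling the hits up to impacted App/Tier/Node, as described on slide 85, as an added example that is not Cisco Secure Application code; the CVE identifiers are placeholders, and the SBOM, node inventory and affected version ranges are constructed:

```python
"""Added example (not Cisco Secure Application code): map per-node S-BoMs to
CVE records and report impacted App/Tier/Node, as on slide 85. CVE ids are
placeholders; the SBOM, inventory and version ranges are constructed."""
from collections import defaultdict

def vtuple(v):
    """'2.14.1' -> (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

# Constructed CVE feed in an NVD-like shape. The affected range is
# [introduced, fixed): the fixed version itself is not vulnerable.
CVE_RECORDS = [
    {"id": "CVE-0000-0001", "package": "libfoo",   # placeholder id
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "CRITICAL"},
    {"id": "CVE-0000-0002", "package": "libbar",   # placeholder id
     "introduced": "1.0.0", "fixed": "1.3.1", "severity": "MEDIUM"},
]

# Constructed runtime inventory: one SBOM per node, placed in the
# App/Tier/Node hierarchy used on the slide. Components are (name, version).
NODES = [
    {"app": "bookings", "tier": "web", "node": "web-1",
     "sbom": [("libfoo", "2.14.1"), ("libbar", "1.3.1")]},
    {"app": "bookings", "tier": "api", "node": "api-1",
     "sbom": [("libfoo", "2.15.0"), ("libbar", "1.2.0")]},
    {"app": "billing", "tier": "worker", "node": "wk-1",
     "sbom": [("libbaz", "0.1.0")]},
]

def affected(record, name, version):
    """True if component name@version falls inside the record's affected range."""
    if record["package"] != name:
        return False
    v = vtuple(version)
    return vtuple(record["introduced"]) <= v < vtuple(record["fixed"])

def map_vulnerabilities(nodes=NODES, records=CVE_RECORDS):
    """Triage view: {cve_id: {"severity": ..., "impacted": ["app/tier/node", ...]}},
    containing only CVEs that hit at least one node."""
    hits = defaultdict(set)
    for n in nodes:
        for name, version in n["sbom"]:
            for r in records:
                if affected(r, name, version):
                    hits[r["id"]].add(f"{n['app']}/{n['tier']}/{n['node']}")
    severity = {r["id"]: r["severity"] for r in records}
    return {cid: {"severity": severity[cid], "impacted": sorted(paths)}
            for cid, paths in sorted(hits.items())}
```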