DEVNET-1180 Security from the Cloud
Cisco Cloud Access Security with Elastica
Learn how to achieve safe cloud app usage
Ben Munroe and Nitin Kumar
You wouldn’t run your business without email, and you wouldn’t use email without security.
As your business adopts cloud apps, you must secure them.
Every time you adopt a new technology, you have to secure it.
Cloud apps are becoming an essential part of business. How are you protecting them?
Benefits:
• Remote access
• Agility and speed
• Better collaboration
• Improved productivity
• Cost effective
Risks:
• Sensitive data leakage
• Compliance risks
• Insider risk
• Malware & viruses
Understand the risk of cloud apps in your business
Shadow IT: use of unsanctioned apps
This is a problem because your IT department:
• Can’t see what apps are used
• Isn’t able to identify risky apps
• Is powerless to set informed app controls
72% of employees admit to using unapproved apps (1)
26% of IT departments use 6 or more unapproved apps (2)
35% of enterprise IT spend in 2015 will be managed outside of IT departments (3)
Source: 1 CIO Insight; 2, 3 Gartner
Understand the risk of data usage in cloud apps
Shadow IT: use of unsanctioned apps
Shadow Data: use of sanctioned apps in unsanctioned ways
This is a problem because your IT department:
• Can’t stop data leakage and compliance risks
• Isn’t able to block inbound risky content
• Is unable to stop risky users and activities
90% of organizations lost sensitive data via file sharing (1)
72% of apps have risks if not properly used (2)
185 files per user are broadly shared across organizations (3)
Source: 1 Ponemon, 2013 Cost of Data Breach Study; 2 CIO Insight; 3 Elastica
Don’t count on app providers to secure your information
75% of mobile apps fail basic security tests (1) … and app providers can’t control your user behavior.
Source: 1 Gartner
Cloud access security is your responsibility
(Diagram on both slides: Businesses, App Providers, Cloud Apps)
Cisco with Elastica can help
• SaaS Visibility: monitor cloud app usage in real time
• Extended Granular Control: gain control of a cloud-first, mobile-first world
• Intelligent Protection: combat evolving threats using data science
SaaS Visibility: view activities in real time
IT gains full visibility into all cloud app usage.
• Identify and evaluate all cloud apps with their risks
• Know how and what data users share in real time
• See every cloud app transaction on a dynamic, intuitive user interface
• Identify malware
Extended Granular Control: manage a cloud-first, mobile-first world
IT control extends to every cloud app transaction.
• Choose what cloud apps to sanction
• Manage data sharing with global policies across any cloud app
• Take critical actions through a centralized SOC-style dashboard
• Block risky activities in real time
Intelligent Protection: combat evolving threats
Stay ahead of threats using the power of data science.
• Prioritize business-ready cloud apps
• Classify content dynamically with semantic analysis
• Analyze the root cause of threats with incident reconstruction
• Detect malware and attacks with machine learning mechanisms
Cisco Cloud Access Security with Elastica CloudSOC™ (architecture diagram)
Reports & Analysis: Shadow IT Risk Assessment Report, Business Readiness Rating™, Audit Score, Shadow Data Risk Assessment
Engines: StreamIQ™, ThreatScore™, ContentIQ™
CloudSOC functions across the Before / During / After continuum: Audit, Detect, Protect, Investigate; Policy
Data sources: cloud apps via Securlet™ and Gateway; WSA, ASA and other appliances (in collaboration with Cisco)
Security Operations Center: Analyze & Control over Data, Account, User
Cisco Confidential © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Use Cases
Powerful Architecture for Cloud Access Security
Comprehensive Cloud App Security Stack (Cisco CAS by Elastica), built on StreamIQ™ and ThreatScore™:
• AUDIT Shadow IT and Data Risk
• INVESTIGATE incidents and respond
• PROTECT against intrusions in cloud app accounts
• DETECT exploitations of cloud app accounts
Data sources feeding the stack:
• Proxy Logs (WSA, CWS & more). Methods: 1. SCP/SFTP log import 2. Direct upload (manual) 3. On-premises VA
• App Traffic via Gateway. Methods: 1. Proxy chaining 2. PAC file
• Cloud App APIs (Securlets)
Use Case 1: customer wants to understand the cloud app usage in their business
On-premises logs (WSA Log Export) feed Cisco CAS by Elastica (Comprehensive Cloud App Security Stack) to AUDIT Shadow IT and Data Risk.
Methods:
1. Log import using SCP or SFTP
2. Direct upload (manual)
3. SpanVA
Use Case 1: Audit Deployment Methods
• Direct to Cloud: the WSA pushes its logs over SCP or SFTP across the perimeter to CloudSOC.
• On-Prem Virtual Appliance: the WSA delivers logs to the appliance inside the perimeter (Syslog, SCP/SFTP/FTP or a file share); the appliance forwards them to CloudSOC over HTTPS.
Audit Support for Cisco WSA
• The two main WSA log file subscriptions used by most administrators are the Access Log and the W3C Access Log, which record all Web Proxy traffic.
• These logs can be configured to be delivered by:
• FTP onto the appliance
• FTP onto an FTP server
• SCP push
• Syslog push
• Minimum supported WSA version: AsyncOS 7.7
WSA Configuration: Log Formats
• Access Logs
• Access: Raw (FTP)
#Fields: %t %e %a %w/%h %s %2r %A %H/%d %c %D %Xr %?BLOCK_SUSPECT_USER_AGENT,MONITOR_SUSPECT_USER_AGENT?%<User-Agent:%!%-%.
1415047174.449 196 192.168.1.117 TCP_MISS/200 3323 GET https://dropbox.com/_remote/?m_id=MediaRemoteInstance&&instance_id=26361fd9-6e5d-337d-8063-b181309f65b4&lead_id=6f7f6100-be1b-3001-8275-276fa52c4f97 - DIRECT/dropbox.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",135.63,0,-,"-","-"> -
• Access: Syslog
Oct 22 15:05:26 192.168.1.143 accesslogs: #Version: 1.0_#Date: 2014-10-22 15:05:27_#System: 192.168.1.143 - mgmt.ironport.elastica.local_#Software: AsyncOS for Web 7.7.0-761_#Fields: %t %e %a %w/%h %s %2r %A %H/%d %c %D %Xr %?BLOCK_SUSPECT_USER_AGENT,MONITOR_SUSPECT_USER_AGENT?%<User-Agent:%!%-%._
Oct 22 15:10:54 192.168.1.143 accesslogs: Info: 1414015852.062 224 192.168.1.61 TCP_MISS/200 58471 GET http://www.dropbox.com/ - DIRECT/www.dropbox.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",2088.25,0,-,"-","-"> -
• W3C Logs
• W3C: Raw (FTP)
#Fields: timestamp x-elapsed-time c-ip sc-result-code sc-http-status sc-bytes cs-method cs-url cs-username s-hierarchy s-hostname cs-mime-type x-acltag x-result-code x-suspect-user-agent
1415057846.023 222 192.168.1.117 TCP_CLIENT_REFRESH_MISS 200 1540 POST http://us-west-2.console.aws.amazon.com/xa/dealcontent/v2/GetDealStatus?nocache=1415057845571 - DIRECT us-west-2.console.aws.amazon.com application/json DEFAULT_CASE_12-DefaultGroup-DefaultGroup-
• W3C: Syslog
Nov 3 13:53:02 192.168.1.143 sk_w3c: #Version: 1.0_#Date: 2014-11-03 13:53:02_#System: 192.168.1.143 - mgmt.ironport.elastica.local_#Software: AsyncOS for Web 7.7.0-761_#Fields: timestamp x-elapsed-time c-ip sc-result-code sc-http-status sc-bytes cs-method cs-url cs-username s-hierarchy s-hostname cs-mime-type x-acltag x-result-code x-suspect-user-agent_
Nov 3 13:53:14 192.168.1.143 sk_w3c: Info: 1415051592.801 169 192.168.1.117 TCP_MISS 200 387 GET http://us-west-2.console.aws.amazon.com/1/batch/1/OP/ATVPDKIKX0DER:181-8582357-6795158:1809Q9620X7X4F45Z5DR$uedata=s:%2Fuedata%2Fnvp%2Funsticky%2F181-8582357-6795158%2FGateway%2Fntpoffrw%3Ful%26v%3D0.64.0%26id%3D1809Q9620X7X4F45Z5DR%26ctb%3D1%26m%3D1%26sc%3D1809Q9620X7X4F45Z5DR%26pc%3D37002%26tc%3D-<-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",18.32,0,-,"-","-">
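Worked example added here (not part of the deck and not Elastica's code): a Node.js script that parses WSA W3C access log lines in both the raw (FTP/SCP) and the syslog-wrapped form shown above and builds the per-app Audit view that Use Case 1 describes. The app catalogue, sanctioning flags, usernames, IPs and byte counts are constructed for the example; only the field list and the `sk_w3c` syslog shape come from the slide.

```javascript
// Syslog wrapper the WSA prepends when a subscription is pushed over syslog, e.g.
// "Nov  3 13:53:14 192.168.1.143 sk_w3c: Info: <payload>"; directives carry no "Info:".
const SYSLOG_PREFIX = /^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+\S+:\s+(?:Info:\s+)?/;
const stripSyslogPrefix = (line) => line.replace(SYSLOG_PREFIX, '');

// Field names from a "#Fields:" directive, or null for any other line. Over syslog the
// WSA joins its directives with "_" (see the slide sample), so the list ends at the
// first underscore; W3C field names never contain one.
function parseFieldsHeader(line) {
  const payload = stripSyslogPrefix(line);
  if (!payload.startsWith('#')) return null;
  const m = payload.match(/#Fields:\s*([^_]+)/);
  return m ? m[1].trim().split(/\s+/) : null;
}

// One record keyed by field name. Extra trailing tokens (e.g. a scanning-verdict block)
// are ignored; a line with fewer tokens than fields is truncated and is skipped.
function parseRecord(line, fields) {
  const payload = stripSyslogPrefix(line);
  if (payload === '' || payload.startsWith('#')) return null;
  const tokens = payload.split(/\s+/);
  if (tokens.length < fields.length) return null;
  const rec = {};
  fields.forEach((name, i) => { rec[name] = tokens[i]; });
  rec['sc-bytes'] = Number(rec['sc-bytes']) || 0;
  return rec;
}

// Host the user reached. cs-url is authoritative; CONNECT tunnels are logged as
// "tcp://host:443/", which the URL parser handles. s-hostname is only a fallback.
function appHost(rec) {
  try { return new URL(rec['cs-url']).hostname.toLowerCase(); }
  catch (_) { const h = rec['s-hostname']; return h && h !== '-' ? h.toLowerCase() : null; }
}

// Constructed stand-in for the CloudSOC app catalogue and IT's sanctioning decision,
// keyed by registrable domain; a real deployment gets both from the service.
const APP_CATALOGUE = {
  'dropbox.com': { app: 'Dropbox', sanctioned: false },
  'box.com': { app: 'Box', sanctioned: true },
  'amazon.com': { app: 'AWS Console', sanctioned: true },
};

// Walk from the registrable domain outwards so "www.dropbox.com" matches "dropbox.com"
// while an unrelated "notdropbox.com" does not.
function classifyHost(host) {
  const labels = host.split('.');
  for (let i = labels.length - 2; i >= 0; i--) {
    const candidate = labels.slice(i).join('.');
    if (APP_CATALOGUE[candidate]) return { domain: candidate, ...APP_CATALOGUE[candidate] };
  }
  return { domain: host, app: 'Unknown', sanctioned: false };
}

// The Audit view: per cloud app, requests, bytes served, distinct authenticated users
// and client IPs, and hostnames seen, sorted by bytes descending.
function auditWsaLog(lines) {
  let fields = null;
  const byApp = new Map();
  for (const line of lines) {
    const header = parseFieldsHeader(line);
    if (header) { fields = header; continue; }
    const rec = fields && parseRecord(line, fields);   // before any header, fields cannot be named
    const host = rec && appHost(rec);
    if (!host) continue;
    const { app, sanctioned } = classifyHost(host);
    if (!byApp.has(app)) byApp.set(app, { app, sanctioned, requests: 0, bytes: 0, users: new Set(), clients: new Set(), hosts: new Set() });
    const e = byApp.get(app);
    e.requests += 1;
    e.bytes += rec['sc-bytes'];
    e.hosts.add(host);
    e.clients.add(rec['c-ip']);
    if (rec['cs-username'] !== '-') e.users.add(rec['cs-username']);
  }
  return [...byApp.values()]
    .map((e) => ({ ...e, users: [...e.users].sort(), clients: e.clients.size, hosts: [...e.hosts].sort() }))
    .sort((a, b) => b.bytes - a.bytes);
}

// Constructed sample modelled on the slide: a raw (FTP/SCP) header and records, then a
// syslog-wrapped header and records. IPs, users and byte counts are made up; the last
// line is deliberately truncated to show how such lines are handled.
const SAMPLE_LINES = [
  '#Fields: timestamp x-elapsed-time c-ip sc-result-code sc-http-status sc-bytes cs-method cs-url cs-username s-hierarchy s-hostname cs-mime-type x-acltag x-result-code x-suspect-user-agent',
  '1415057846.023 222 192.168.1.117 TCP_CLIENT_REFRESH_MISS 200 1540 POST http://us-west-2.console.aws.amazon.com/xa/dealcontent/v2/GetDealStatus?nocache=1415057845571 - DIRECT us-west-2.console.aws.amazon.com application/json DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup - -',
  '1415057850.101 96 192.168.1.61 TCP_MISS 200 58471 GET http://www.dropbox.com/ alice DIRECT www.dropbox.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup - -',
  '1415057851.500 12 192.168.1.61 TCP_MISS 200 4096 CONNECT tcp://dropbox.com:443/ alice DIRECT dropbox.com - DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup - -',
  'Nov  3 13:53:02 192.168.1.143 sk_w3c: #Version: 1.0_#Date: 2014-11-03 13:53:02_#Fields: timestamp x-elapsed-time c-ip sc-result-code sc-http-status sc-bytes cs-method cs-url cs-username s-hierarchy s-hostname cs-mime-type x-acltag x-result-code x-suspect-user-agent_',
  'Nov  3 13:53:14 192.168.1.143 sk_w3c: Info: 1415051592.801 169 192.168.1.120 TCP_MISS 200 387 GET https://app.box.com/files bob DIRECT app.box.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup - -',
  'Nov  3 13:53:20 192.168.1.143 sk_w3c: Info: 1415051598.010 40 192.168.1.117 TCP_MISS 200 2048 GET http://www.dropbox.com/home carol DIRECT www.dropbox.com text/html',
];

console.log(JSON.stringify(auditWsaLog(SAMPLE_LINES), null, 2));
```

The unsanctioned Dropbox entry, seen only through one authenticated user and two hostnames, is exactly the Shadow IT signal the Audit step is meant to surface.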
WSA Configuration: Enable Logging
Elastica Configuration: Configure SCP
WSA Configuration: Configure SCP
SSH Key Configuration
Use Case 2: Securlet and Gateway Deployment Methods
(Logos of the cloud apps supported by each method, "… and many more": Securlet | Elastica Gateway)
Use Case 2: customer wants to apply acceptable use policy to Box cloud storage
Cloud App APIs (Securlets) feed Cisco CAS by Elastica (Comprehensive Cloud App Security Stack, StreamIQ™, ThreatScore™) to INVESTIGATE incidents and respond, PROTECT against intrusions in cloud app accounts, and DETECT exploitations of cloud app accounts.
Methods:
1. Purely API driven
Cloud Access Gateway Explained
Gateway vs API (Securlet)
• Policy remediation can take place either in the Elastica Gateway or via the application-specific API
• Gateway and API can be used in tandem; it is not an either-or situation
Gateway components
• There are three configuration components for enabling the gateway:
• .PAC File: directs traffic to the gateway; a standard browser setting
• SSO Helper: browser plug-in; installs the first time a user hits the gateway
• Gateway Certificate: for SSLD; required for operation
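Added example (not from the deck, and not Elastica's own PAC file): a proxy auto-config file of the kind the .PAC component above relies on, steering selected cloud apps through the gateway and leaving intranet and all other traffic direct. The gateway host and port and the list of gated domains are placeholders; it is written in ES3-style JavaScript so every PAC engine, including WinHTTP's, can run it.

```javascript
// Hypothetical gateway address; the real host and port are issued per CloudSOC tenant.
var GATEWAY_HOST = "gateway.cloudsoc.example";
var GATEWAY = "PROXY " + GATEWAY_HOST + ":8080";

// Cloud apps whose traffic IT wants inspected by the gateway (constructed list).
var GATED_DOMAINS = ["box.com", "dropbox.com", "salesforce.com"];

// True when host is the domain itself or a subdomain of it. A bare suffix test would
// let "notdropbox.com" match "dropbox.com", so the match is anchored on the dot.
// No String.prototype.endsWith: older PAC engines do not have it.
function endsWithDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
    host.substr(host.length - suffix.length) === suffix;
}

// RFC 1918 and loopback literals: internal traffic that must never leave the perimeter.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Entry point every PAC engine calls once per request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain hostnames and private addresses are intranet destinations: go direct.
  if (host.indexOf(".") === -1 || isPrivateIPv4(host)) return "DIRECT";
  // Never loop requests addressed to the gateway itself back through it.
  if (host === GATEWAY_HOST) return "DIRECT";
  for (var i = 0; i < GATED_DOMAINS.length; i++) {
    if (endsWithDomain(host, GATED_DOMAINS[i])) {
      // Fail closed: without a "; DIRECT" fallback a gated app becomes unreachable,
      // rather than silently uninspected, when the gateway is down. Add the fallback
      // only as a deliberate policy choice.
      return GATEWAY;
    }
  }
  // Everything else is outside gateway policy and goes direct.
  return "DIRECT";
}
```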
Gateway Components (screenshots)
• .PAC File
• SSO Helper
• Gateway Certificate
Future-looking integrated architecture
Comprehensive Cloud App Security Stack (Cisco CAS by Elastica, StreamIQ™, ThreatScore™): AUDIT Shadow IT and Data Risk; INVESTIGATE incidents and respond; PROTECT against intrusions in cloud app accounts; DETECT exploitations of cloud app accounts
Data sources feeding the stack:
• Proxy Logs (WSA, CWS & more). Methods: 1. SCP/SFTP log import 2. Direct upload (manual) 3. On-premises VA
• App Traffic via Gateway. Methods: 1. Proxy chaining 2. PAC file

DEVNET-1180 Security from the Cloud


Editor's Notes

  • #2: My name is ___________ and I’m with Cisco. I’ve been here ___ years. Thanks for taking the time to meet with me today to talk about cloud app security. T: You know that protecting your business is critical, with new threats lurking in each new technology. <Click>
  • #3: Every time you adopt a new technology, you have to adapt your security measures to account for it. When businesses started using email as a collaboration tool, they realized that data was leaking out of the company and they had to impose security measures. In this new age of cloud apps, sharing large amounts of data can happen instantly and accidentally, without anybody realizing it happened. As your business adopts cloud apps, security needs to be a priority. T: I bet people in your company are using cloud apps you’ve never even heard of. <Click>
  • #4: Cloud apps revolutionize the way your employees can do their work. They enable BYOD, are inherently mobile, and can be up and running in minutes - driving cloud app adoption at unprecedented rates. But along with the benefits, these cloud apps also carry unseen dangers: data leakage, targeted malware, insider threats, and compliance failures. T: There’s a new risk with every click. <Click>
  • #5: You may have heard about Shadow IT – the problem of employees using unsanctioned apps, bypassing IT security controls. Your business owners may be approving cloud apps for entire departments to use – Salesforce or Box for example – rolling out a new tool without the IT security team knowing anything about it. Your IT team can’t see what apps are used, can’t identify risky apps, and are powerless to set informed app controls. T: But the problem isn’t just knowing which cloud apps are used. The real danger lies in how those cloud apps are used. <Click>
  • #6: Every cloud app has massive amounts of data flowing through. Even sanctioned apps can be used in unsanctioned ways, creating Shadow Data. Even if you know what apps you’re using, you can’t see and control all the ways data is flowing to and from those apps. On average, every user has two thousand files shared across cloud apps, and 185 of those files are broadly shared, either across the organization, externally, or even publicly. This creates serious compliance risks. Imagine the amount of data your IT security has no control over. If you’re required to meet certain data compliance standards like PII, PCI, or PHI, you need to know your data is safe. The files your users bring into the organization through cloud apps also create risks. Just like other technologies, hackers target cloud app users with weak passwords on their accounts, or target your users with malware meant to take advantage of the sharing potential of cloud apps. For every file shared once, the recipient may share that file to a countless number of others within seconds. Sometimes your own employees create the biggest risks – unintentionally or not. T: Another customer put it this way: if I can get a hold of Shadow IT, I look like a hero. But Shadow Data could kill me. <Click>
  • #7: Maybe you think that using cloud apps delegates the security responsibility to providers. While some cloud app providers do build great security into the cloud app, not all do. In fact, 75% of mobile apps fail basic security tests. And because an average business uses a few hundred cloud apps regularly, your data is not as secure as it should be. Now, even if they do provide security – they can’t control any risky behavior of your users. The way your users share files through those apps has no restrictions. Even one disgruntled employee with broad security permissions could do irreparable damage to your company’s reputation by using cloud apps inappropriately. Roughly 60% of data breaches are caused by insiders either abusing their access to company information, or making an innocent mistake. T: Either way, your business is exposed. <Click>
  • #8: And that’s something you need to address. You are responsible for protecting your business. With 5% of employees creating 85% of the cloud app exposure risks, you need to be able to find those users and protect against their risky behavior. You need to see into the cloud to find which files are being shared, who has access, and how sensitive those files are. T: If you can’t see your cloud apps and the way they’re used, you can’t control them. And if you can’t control them, you aren’t protecting your business. <Click>
  • #9: We can help. We’ve partnered with Elastica to help you: gain visibility to all the cloud apps in your business, and how they’re used; control which apps are used, along with user behavior; and protect against any threats in real time. You get to see everything, control it all, and protect it easily. Suddenly you’re not in the dark. T: Let’s talk about what this means for you. <Click>
  • #10: SaaS visibility means you get to see everything happening in your environment. You need to know about every single cloud app used by your business – and how safe they are. Not only does Cloud Access Security do that, it lets you view that right down to the level of what files are being shared and how risky they are and whether any malware is attacking your business. The best part? You get to use a dynamic, intuitive user interface that works like a traditional SOC, but is powered by the cloud to provide beautiful visuals for each data point. This means it’s easy to consume and highlight the most important things to pay attention to. I’ll talk with you more about that in a minute. T: Once you can see into your environment, you can do something about it. <Click>
  • #11: Today, your employees are doing business globally on a variety of devices. A data breach can go viral just as quickly as a YouTube video, and once the data is out of your business, it can be shared millions of times over without your knowledge and outside of your control. You need to get down to the most granular level to create policies that enforce which cloud apps your employees use, how they share data across any device or cloud app, and act on risks as soon as they happen, all without overextending IT resources. T: We make it all easy and intuitive for you by using data science. <Click>
  • #12: You’re probably thinking that with all the data we’ve talked about, and the amount of data sharing going through these apps, it’ll be hard to watch and control it all. But with data science powering a cloud platform, the solution does the hardest part for you. It continuously monitors cloud apps in your environment and learns levels of normal user behavior for your business in order to highlight user anomalies. Using our Business Readiness Rating™, it’s easy to compare apps tailored to your security requirements. StreamIQ™ examines and interprets all cloud app traffic and turns it into data that makes sense, to highlight risky behavior or attacks within seconds. The average time to remediate a data breach manually is often hours or even days. With our automated process, the average remediation time is a mere 16 seconds. And if an attack should happen, our solution can analyze the incident using historical data to figure out where the problem originated, which enables you to cut off the problem at the source before it can spread further. T: You get to choose exactly which features you want, and which cloud apps to cover. <Click>
  • #13: Cisco and Elastica have partnered together to deliver the enablement of the cloud without the security risks. The Elastica CloudSOC platform is built on four principal applications: Audit, Detect, Protect and Investigate to give protection across the full attack continuum: before, during and after. The process starts by pulling traffic logs from CWS, WSA, ASA or other security appliances. This information is examined and displayed in the Audit app, giving you visibility into your Shadow IT. Suddenly, you have visibility into every app your organization uses. See the Business Readiness Rating of every app tailored to your business specifications. Then, just go to your SOC and methodically block any app not safe for your business. Once you’ve determined what apps you want to use for your business, you can connect to granular user account information through an Elastica Securlet or the Gateway. Detect, Protect, and Investigate help you dive into Shadow Data. Detect helps you spot risky behavior, Protect enables global policies across any cloud app to stop that behavior, and Investigate helps you get to the root cause of an issue. All of this takes place through a single, intuitive, and dynamic interface that you can view from any browser. T: Let’s take a deeper look at each step. <Click>
  • #14: Now let us look at the use cases…
  • #15: First I want to highlight the current architecture. There are three main ways in which Elastica can pull out information from a client. 1. The first is using what they call a Securlet, which are essentially APIs for certain cloud apps. 2. Next is the Cloud Access Gateway, which provides additional visibility to cloud apps. 3. Lastly is Elastica's log extraction, which supports a number of import methods which we'll also discuss shortly. On the right you see the 4 Elastica Apps, or products. This can be equated to CWS's Web Filtering, Spyware, and Virus offerings. I'll go ahead and briefly touch on each offering:
    - Audit: Provides total visibility to cloud apps and provides all information to prevent a malicious event from happening
    - Detect and Protect go hand in hand. They provide detailed risk information on a particular app.
    - Protect provides the ability for an administrator to take action on data within cloud apps.
    - Investigate is an analytic suite which allows administrators to perform post-incident analysis and determine where vulnerabilities exist.
  • #16: The first function is what we currently have set up in our lab: we're sending access log traffic directly from our WSA via SCP to the Elastica Cloud. In the second method, if a device does not support SCP or SFTP, we can set up what's called a SpanVA, which is essentially a virtual appliance that collects syslogs.
  • #18: The last thing I want to cover for this use case are the current requirements in order for Audit to work with a WSA. Currently Elastica supports Access Log and W3C Access Log. Again, these logs can be pushed a number of different ways including SCP. Note that the minimum version supported currently is Async OS 7.7. Lastly, the image to the right shows the criteria required on the WSA for log push to successfully work. Now let's take a look to see what kind of data we get from our WSA. --> Demo 1
  • #25: For the next use case I want to show how we can remediate and control certain types of activity with a cloud app. For our demo we've set up a corporate Box account. Now as I mentioned earlier, two of the ways to obtain visibility and apply control of cloud apps are using either a Securlet or Gateway. The important thing to remember about Securlets is that they are essentially API tools designed to work with a limited amount of Cloud Apps. Now in the next use case, using a Securlet for Box, I want to highlight the other Elastica apps, mainly the Protect functionality. --> Demo 2: Remediate
  • #26: In this next use case, a customer wants to apply acceptable use policy to the organization’s Box cloud storage. [click] The customer purchases only the Securlet for Box and has nothing to deploy or install on their endpoints, and no logs are required to gain visibility into the cloud application’s use. Content classification, policy application, and analytics are all supported via the API.
  • #27: Now I quickly want to go back to discuss the Cloud Access Gateway. The key thing to note here is most of the control done in cloud apps can be done by either the Securlet or Gateway. There are some key differences however.
  • #28: Now in order to set up a gateway there are two redirect components, proxy chaining and PAC file. In our demo we'll be using a PAC file. The other two components to focus on are the SSO Helper, which is installed as a browser plug-in, and the Gateway Certificate. The SSO Helper redirects a user accessing a cloud app to Elastica's SSO page, similar to the EasyID or SAML features in CWS. Once the user authenticates, it then redirects them back to the cloud app. The certificate is used for HTTPS inspection.
  • #29: Lastly I want to touch on the forward-looking architecture. As mentioned earlier, proxy chaining is an option instead of PAC. This integration is roadmapped for CWS solutions. Again, the Audit functionality for CWS is also roadmapped for August 2nd.
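An added example, not Elastica's Audit code, of what an Audit-style pass over proxy logs pushed from a WSA (notes #13, #15, #16 and #18 above) does with those logs: it parses constructed W3C extended-format lines (the #Fields set, hosts, users and byte counts are all made up for illustration) and aggregates requests and uploaded bytes per user and cloud app.

```javascript
// Added example (not Cisco's or Elastica's code): Audit-style pass over W3C
// proxy log lines, mapping each user to the cloud apps they use. The #Fields
// set and every log line below are constructed samples, not real WSA output.
const SAMPLE_LOG = [
  "#Fields: date time c-ip cs-username cs-host cs-method cs-bytes sc-status",
  "2015-07-01 09:00:01 10.1.1.20 alice app.box.com GET 512 200",
  "2015-07-01 09:00:05 10.1.1.21 bob www.dropbox.com POST 9934120 200",
  "2015-07-01 09:00:09 10.1.1.20 alice login.salesforce.com GET 300 302",
  "2015-07-01 09:00:12 10.1.1.22 carol www.example.com GET 640 200",
  "2015-07-01 09:00:15 10.1.1.21 bob www.dropbox.com POST 1200000 200",
].join("\n");
// Cloud apps to account for, keyed by domain suffix (constructed list).
const CLOUD_APPS = { ".box.com": "Box", ".dropbox.com": "Dropbox", ".salesforce.com": "Salesforce" };

// Parse W3C extended log text into row objects keyed by the #Fields names.
function parseW3C(text) {
  let fields = null;
  const rows = [];
  for (const line of text.split("\n")) {
    if (line.startsWith("#Fields:")) {
      fields = line.slice("#Fields:".length).trim().split(/\s+/);
      continue;
    }
    if (!line.trim() || line.startsWith("#")) continue; // blank or other directive
    if (!fields) throw new Error("log data precedes #Fields directive");
    const values = line.trim().split(/\s+/);
    if (values.length !== fields.length) continue; // skip malformed rows
    rows.push(Object.fromEntries(fields.map((f, i) => [f, values[i]])));
  }
  return rows;
}
function appFor(host) {
  for (const [suffix, name] of Object.entries(CLOUD_APPS)) {
    if (host.endsWith(suffix)) return name;
  }
  return null;
}
// usage[user][app] = { requests, bytesUp }; bytesUp sums cs-bytes, the
// client-to-server traffic, i.e. data leaving the organisation for that app.
function cloudAppUsage(rows) {
  const usage = {};
  for (const r of rows) {
    const app = appFor(r["cs-host"]);
    if (!app) continue; // not a tracked cloud app
    const u = usage[r["cs-username"]] || (usage[r["cs-username"]] = {});
    const a = u[app] || (u[app] = { requests: 0, bytesUp: 0 });
    a.requests += 1;
    a.bytesUp += Number(r["cs-bytes"]);
  }
  return usage;
}
```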