
#CLMEL

Getting Started with Cisco Tetration
A Real-World Guide to Workload Protection
Rob Tappenden, Technical Solution Architect
BRKACI-2072

Agenda

• Why Workload Protection?
• Working with Inventory
• Sensor Deployment
• Application Policy Definition
• Policy Enforcement
• Workload Protection

#CLMEL BRKACI-2072 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Why Workload Protection?
Trust? Who can you trust?

What is agreed…
• There is no longer a clear, defensible perimeter
• Default should be to deny access
• Access should be granted with least privilege
• Access should be continuously monitored and verified
• Apply a complete, automated approach across: Users, Devices, Workloads

Whitelist Security Policy
• Explicit Permit Rules
• Default Deny
• Challenges:
  • Policy discovery/definition
  • Adapting to change
  • Accuracy is critical
• Well suited to application workload protection

What about Black Lists?
• Explicit Deny Rules
• Default Permit
• Challenges:
  • Very complex
  • Highly intensive
  • Impractical to maintain
• May be used to meet specific security objectives.

Anatomy of a Breach
• Key Steps in the Intrusion Lifecycle:
  Recon → Initial Exploit → Establish Persistence → Escalate Privileges → Internal Recon → Lateral Movement → Maintain Persistence → Execute Mission

Tetration Workload Protection
Workload Hardening:
• Micro-Segmentation
• White List Policy Generation
• Host Based Enforcement
• Software Inventory
• Vulnerability Management
Event Detection:
• Process Baselining
• Advanced Attack Detection
• Data Exfiltration
• Behavioral Analytics
Tetration Telemetry and Control
• Thousands of workloads
• Millions of events per second
• Billions of records stored long term
(Diagram: infrastructure telemetry and context from server, end user, workload context and public sources feeding Tetration)
Any infrastructure. Any data center. Any cloud.
Getting Started
Workflow:
• Working with Inventory (Scopes, Filters, Annotations)
• Sensor Deployment
• Application Workspaces, Policy Definition and Analysis
• Policy Enforcement and Workload Protection

Platform Variations
• Tetration Appliance
• Tetration SaaS

Pre-defined User Roles

Tetration Appliance (the Global scope includes system-level access that is not required in Tetration SaaS):
Role | Description | Scope
Global Read | Read-Only Access | Global
Global Execute | Execute ADM runs and Publish Policies | Global
Global Enforce | Enforce Policies | Global
Site Admin | Global Super-User incl Users and Sensors | Global
Customer Support | Appliance Support and Maintenance | Global

Tetration SaaS:
Role | Description | Scope
Tenant Read | Read ability on every scope | Tenant
Tenant Execute | Execute ability on every scope | Tenant
Tenant Enforce | Enforce ability on every scope | Tenant
Tenant Owner | Tenant Super-User incl Sensors | Tenant

Initial User Accounts
(See Custom Role and User Config in the Supplementary Section)

Tetration Appliance (emails provided during system build):
Email | Role
tet-admin@acme.com | Site Admin
tet-support@acme.com | Customer Support

Tetration SaaS (emails provided during tenant provisioning):
Email | Role
acmeusera@acme.com | Tenant Owner

Initial Login
Tetration has NO default passwords
Working with Inventory
Defining Scopes
Hierarchy for Humans
• Hierarchy provides structure to easily navigate large, complex datasets
• Physical Location: Latitude 37°48'53.08"S, Longitude 144°58'14.40"E
• Hierarchical Address: Level 14, 101 Collins St, Melbourne VIC 3000, Australia
(Diagram: the same location as a tree: Universe → Earth → Australia → VIC → Melbourne → 3000 → Collins St → 101 → L14 → People at this address)

Configuration Building Blocks
Tenant → Root Scope → Scope → Filter
• Tenant: high level logical container providing separated, role based access control to a defined set of data, configuration and policy.
• Root Scope (aka VRF): root of a scope hierarchy under a given tenant; provides a logical separation for L3 address domains.
• Scope (many per root scope): hierarchical object defined by dynamic query against inventory; provides anchor point for policy, RBAC and filter configuration.
• Filter (many per scope): flexible construct based on dynamic inventory query; provides anchor point for intent definition, provided services and policy definition.

Default Root Scope Configuration
• Appliance: tenant "Default", root scope "Default" (provisioned as Default)
• SaaS: tenant Acme, root scope Acme (provisioned to match customer domain)
• Single tenant and root scope is sufficient in most cases
• Default root scope (appliance) may be renamed for consistent approach
• Root scope represents Universe (Everything)
Hierarchical Inventory
Root scope and scope tree, alongside the address analogy:
Universe → Earth → Australia → Melbourne → Collins St → 101
Acme → Inside → Apps → Insurance → Claims → Prod
• Tetration records every IP address of every flow in an inventory
• Scopes provide a hierarchy and structure to the inventory

Inventory Scope Tree – Example
(Order of the layers depends on organisation requirement)
Acme
  Inside
    Apps
      Banking
        Core: Prod, UAT, Dev
      Insurance
        Claims: Prod, UAT, Dev
      Business
        HR: Prod, UAT, Dev
      IT Services
        AD: Prod
        Backup: Prod
      Security
        AV: Prod
        Identity: Prod
    Branch
    Campus

Scope Design Principles
• Inventory is mapped to scope tree according to dynamic query match
• Queries may match against IP/Subnet or Annotation (preferred)
• Tree is formed through conjunctive query at each layer
• Scope structure may be location specific if appropriate
  • Apps vs Data Centre or Cloud Specific
• Each layer of the scope tree should represent an anchor point for:
  • Policy Control
  • Role Based Access (RBAC)
• Every child scope should be a subset of its parent scope
• Ensure non-overlapping sibling scopes

Working with Inventory
Annotations (Context)
Annotated Inventory
Start with what you already know (or think you know).
Example annotations for a host in the Acme scope tree:
Owner | Acme
Type | App
Service | Business
App | HR
Environment | Prod
Tip: Apply Annotations to all Internal Inventory


Dynamic Inventory Mapping
Each scope in the tree is defined by a query that is ANDed with its parent's query:
Acme (root scope) | Root Scope ID = 101
  and Inside | Owner = Acme
    and Apps | Type = App
      and Business | Service = Business
        and HR | Application = HR
          and Prod | Environment = Prod

Annotation Categories
• Tetration supports three primary categories of annotation

Category | User | Orchestrator | Tetration
Sources | User Upload, API Integration | vCenter, AWS | Threat Feed, User Upload
Prefix | * | * Orchestrator | TA_, Lookout_
Scale | 32 columns/fields, 255 characters, 30K networks, 1.5M hosts | | Lookout – 100K
Metadata | User Defined | VM Tags | Bogon, Zeus, Geolocation

Annotation Planning Considerations
• Sources of data
  • Networks – IPAM? Spreadsheet? Jim's Whiteboard?
  • Hosts – CMDB, Hypervisor, Cloud, App Owners?
• Accuracy of data
• How dynamic the data is and how it will be updated
  • Manual upload? API Integration?
• Start with the basics and grow
  • Use network annotations to build high level scope structure
  • Use host annotations to build more detailed scope structure at app level

Network/Subnet Annotations
• Start building a network foundation with high level categorisation
• Builds static inventory for all private/internal IP address ranges
• Any host in these subnets will inherit corresponding network annotations
• May be overridden at host layer if required.

IP | Owner
10.0.0.0/8 | Acme
172.16.0.0/12 | Acme
192.168.0.0/16 | Acme

IP | Type
10.0.0.0/10 | Apps
10.160.0.0/11 | Apps
172.16.0.0/14 | Campus
192.168.0.0/18 | Branch

Host Annotations
• Host specific user annotations
• Network annotations inherited – or overridden if required
• Application relevant annotations provide application context
• Additional fields for any user-defined purpose (policy, search, security)

IP | Service | Application | Environment | Cloud | Region | Threat
10.0.10.10 | Banking | Core | Prod | DC | south-dc |
10.0.10.11 | Banking | Core | Prod | DC | south-dc |
10.0.10.13 | Insurance | Claims | Prod | DC | south-dc |
10.0.10.15 | Banking | Core | Dev | AWS | ap-southeast-2 |
10.2.12.10 | Business | HR | Prod | DC | west-dc |
10.3.13.10 | Banking | Core | UAT | DC | west-dc |
10.5.44.23 | Insurance | Claims | UAT | | |
(IP not captured) | | | Dev | Azure | australiaeast |
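The inheritance and override behaviour described on the last two slides, as an added worked example (not Tetration's code). It uses the subnet rows from the Network/Subnet Annotations table, constructed host rows in the style of the Host Annotations table, and assumes, since the slides do not say, that when nested subnets both set the same column the most specific subnet wins.

```python
import ipaddress

# Subnet annotations from the Network/Subnet Annotations slide: Owner on the
# high-level ranges, Type on the more specific ranges nested inside them.
NETWORK_ANNOTATIONS = [
    ("10.0.0.0/8", {"Owner": "Acme"}),
    ("10.0.0.0/10", {"Type": "Apps"}),
    ("10.160.0.0/11", {"Type": "Apps"}),
    ("172.16.0.0/12", {"Owner": "Acme"}),
    ("172.16.0.0/14", {"Type": "Campus"}),
    ("192.168.0.0/16", {"Owner": "Acme"}),
    ("192.168.0.0/18", {"Type": "Branch"}),
]

# Constructed host rows (same columns as the Host Annotations table); a host
# row may also override a column it would otherwise inherit (here: Type).
HOST_ANNOTATIONS = {
    "10.0.10.10": {"Service": "Banking", "Application": "Core",
                   "Environment": "Prod", "Cloud": "DC", "Region": "south-dc"},
    "10.0.10.15": {"Service": "Banking", "Application": "Core",
                   "Environment": "Dev", "Cloud": "AWS", "Region": "ap-southeast-2"},
    "172.17.0.9": {"Type": "Lab"},  # override of the inherited Type=Campus
}


def resolve_annotations(ip, networks=NETWORK_ANNOTATIONS, hosts=HOST_ANNOTATIONS):
    """Effective annotations for one IP: network layer first, host layer on top.

    Assumption: nested subnets are applied from shortest to longest prefix, so
    the most specific subnet wins a column; the host row wins over all of them.
    """
    addr = ipaddress.ip_address(ip)
    matching = [(ipaddress.ip_network(net), ann) for net, ann in networks]
    matching = [(n, a) for n, a in matching if addr in n]
    matching.sort(key=lambda pair: pair[0].prefixlen)
    effective = {}
    for _, ann in matching:
        effective.update(ann)            # longer prefix overrides shorter
    effective.update(hosts.get(ip, {}))  # host-specific fields and overrides
    return effective


def annotate_inventory(ips):
    """Build the annotated inventory the scope tree will be matched against."""
    return {ip: resolve_annotations(ip) for ip in ips}


def unannotated_internal(ips):
    """Tip on the slides: every internal address should carry annotations.

    Returns non-global addresses that resolved to nothing, i.e. gaps in the
    network annotation table that should be filled before building scopes.
    """
    return [ip for ip in ips
            if not ipaddress.ip_address(ip).is_global and not resolve_annotations(ip)]


if __name__ == "__main__":
    sample = ["10.0.10.10", "10.200.1.1", "172.17.0.9", "192.168.10.1",
              "100.64.0.1", "8.8.8.8"]
    for ip, ann in annotate_inventory(sample).items():
        print(ip, ann)
    print("internal but unannotated:", unannotated_internal(sample))
```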

Dynamic Annotations
• Manual upload provides a great start, but a more dynamic operational model is desirable
• Dynamic annotations allow for dynamic grouping and policy actions
• Integrate with external systems for dynamic annotation update via Tetration API.
(Diagram: annotations reach Tetration by REST API or CSV upload)

Annotation Operations
• Two upload operations are provided by the Tetration UI, in which the CSV file can represent data to be either added/updated or deleted.
• Annotation columns may be selectively placed in/out of service for inventory and flow annotations, or deleted

Scope Definition
• Scope tree may be configured by UI, or automated via API
• Query may match against IP/Subnet or Annotation (Recommended)

Tip: Build scopes with dynamic annotation match for increased flexibility
Working with Inventory
Filters
Inventory Filters
• Provide a flexible method for inventory matching against the scope tree
• Filters may apply across entire tree or be restricted to a specific scope
(Diagram, using the address hierarchy Universe → Earth → Australia → VIC → Melbourne → 3000 → Collins St → 101 → L14:)
  Scope Restricted Filter: match only green people at this address
  Unrestricted Filter: match all blue people

Dynamic Inventory Filter - Unrestricted
Match all Prod Windows 2016 Hosts
Filter "Acme Production Windows 2016": Environment = "Prod" AND OS contains "MSServer2016"
(Diagram: the filter applies across the whole Acme tree, matching the Prod scopes under Claims, HR, AD and AV alike)

Dynamic Inventory Filter – Restricted to Scope
Match all NTP hosts in IT Services
Filter "NTP Servers": Hostname contains "ntp", restricted to scope "IT Services" (Acme:Inside:Apps:IT Services)
Scope restricted filters may be offered as a provided service to other apps


Filter Definition
(Screenshots: filter definitions for "Match all Production Windows 2016 Hosts" and "Match all NTP hosts in IT Services")
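Scope matching and inventory filters as described on the Scope Design Principles, Dynamic Inventory Mapping and Inventory Filter slides, as an added worked example; it is not Tetration's code. The scope tree follows the Acme example, the hosts and their annotations are constructed, and `contains` stands in for the UI's "contains" operator. It also carries out the sibling-overlap design check the slides ask for.

```python
from collections import defaultdict

# Scope tree in the shape of the Dynamic Inventory Mapping slide:
# scope -> (parent scope, query). A query maps an annotation to a required
# value (exact match) or to a predicate; all keys must match (AND).
SCOPE_TREE = {
    "Acme": (None, {}),                                   # root scope: everything
    "Acme:Inside": ("Acme", {"Owner": "Acme"}),
    "Acme:Inside:Apps": ("Acme:Inside", {"Type": "App"}),
    "Acme:Inside:Campus": ("Acme:Inside", {"Type": "Campus"}),
    "Acme:Inside:Apps:Business": ("Acme:Inside:Apps", {"Service": "Business"}),
    "Acme:Inside:Apps:IT Services": ("Acme:Inside:Apps", {"Service": "IT Services"}),
    "Acme:Inside:Apps:Business:HR": ("Acme:Inside:Apps:Business", {"Application": "HR"}),
    "Acme:Inside:Apps:Business:HR:Prod": ("Acme:Inside:Apps:Business:HR", {"Environment": "Prod"}),
    "Acme:Inside:Apps:Business:HR:UAT": ("Acme:Inside:Apps:Business:HR", {"Environment": "UAT"}),
}

# Constructed sample inventory: IP plus the annotations each host carries.
INVENTORY = [
    {"ip": "10.2.12.10", "Hostname": "hr-web-01", "OS": "MSServer2016", "Owner": "Acme",
     "Type": "App", "Service": "Business", "Application": "HR", "Environment": "Prod"},
    {"ip": "10.2.12.20", "Hostname": "hr-web-02", "OS": "CentOS-7.5", "Owner": "Acme",
     "Type": "App", "Service": "Business", "Application": "HR", "Environment": "UAT"},
    {"ip": "10.4.1.5", "Hostname": "ntp-01", "OS": "CentOS-7.5", "Owner": "Acme",
     "Type": "App", "Service": "IT Services", "Environment": "Prod"},
    {"ip": "172.17.0.9", "Hostname": "ntp-campus", "OS": "MSServer2016", "Owner": "Acme",
     "Type": "Campus"},
    {"ip": "8.8.8.8"},  # external address: matches only the root scope
]

def contains(needle):
    """Predicate for the UI's 'contains' operator, e.g. OS contains "MSServer2016"."""
    return lambda value: value is not None and needle in value

def query_matches(host, query):
    """AND across all terms; a host lacking the annotation never matches."""
    for key, want in query.items():
        have = host.get(key)
        if not (want(have) if callable(want) else have == want):
            return False
    return True

def in_scope(host, scope, tree=SCOPE_TREE):
    """Conjunctive tree: the host must satisfy this scope and every ancestor."""
    while scope is not None:
        parent, query = tree[scope]
        if not query_matches(host, query):
            return False
        scope = parent
    return True

def deepest_scope(host, tree=SCOPE_TREE):
    """The most specific scope the host lands in (its position in the tree)."""
    return max((s for s in tree if in_scope(host, s, tree)), key=lambda s: s.count(":"))

def overlapping_siblings(inventory, tree=SCOPE_TREE):
    """Design check from the slides: sibling scopes must not share a host."""
    children = defaultdict(list)
    for scope, (parent, _) in tree.items():
        children[parent].append(scope)
    problems = []
    for siblings in children.values():
        for host in inventory:
            hits = [s for s in siblings if in_scope(host, s, tree)]
            if len(hits) > 1:
                problems.append((host["ip"], hits))
    return problems

def filter_hosts(inventory, query, restrict_to=None, tree=SCOPE_TREE):
    """Inventory filter: unrestricted (whole tree) or restricted to one scope."""
    return [h["ip"] for h in inventory
            if query_matches(h, query) and (restrict_to is None or in_scope(h, restrict_to, tree))]

if __name__ == "__main__":
    for host in INVENTORY:
        print(host["ip"], "->", deepest_scope(host))
    print("Prod Windows 2016:", filter_hosts(INVENTORY, {"Environment": "Prod", "OS": contains("MSServer2016")}))
    print("NTP in IT Services:", filter_hosts(INVENTORY, {"Hostname": contains("ntp")}, restrict_to="Acme:Inside:Apps:IT Services"))
```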

Sensor Deployment
Tetration Software Sensors
• Rich Telemetry
• Workload Protection
• Dynamic Microsegmentation
• Wide OS Support (now supports Linux on IBM Z)
• Enrich with Meta-Data
• ADC Integrations

Tetration Software Sensors
(Diagram: the sensor sends Workload Telemetry to Tetration and receives Enforcement Policy from it)

Default Agent Configuration Intent
• Default configuration intent automatically applies
• Modify or create new intent for custom configuration
• Defaults: Agent Auto-Upgrade enabled; Enforcement and Forensic capabilities disabled

Custom Agent Configuration Intent
• Assign to scope via Intent
• Example custom profile: Process ID Lookup enabled, Enforcement enabled, Forensics enabled
• Multiple Profiles allow for custom configuration across different environments
• Apply custom config profiles in phased approach during rollout using targeted intent

Software Agent Download
• Agent installer script
  • Linux – bash (root)
  • Windows – PowerShell 4.0+ (admin priv)
• Classic agent download also available
  • Linux – rpm
  • Windows – msi
Agent installation/upgrade may be automated using platform of choice.


Software Agent - Linux Installer – Part 1
Stages shown in the output: testing dependencies, detecting OS, establishing a secure API connection, creating the execution directory, downloading the package, extracting the configuration files and the sensor package.

[s_admin@dc-banking-012 ~]$ sudo sh tetration_installer_enforcer_linux.sh

### Testing tet-sensor prerequisites on host "dc-banking-012" (Tue Feb 19 12:55:07 AEDT 2019)
### Script version:
Detecting IPv6
Testing dependencies….
……………..
### Pre-check Passed

### Installing tet-sensor on host "dc-banking-012" (Tue Feb 19 12:55:10 AEDT 2019)
Created temporary directory
Connected to 10.66.239.165 (10.66.239.165) port 443 (#0)
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0< HTTP/1.1 200 OK
< Content-Disposition: attachment; filename="tet-sensor-3.1.1.53-1.el7.x86_64.zip"
100 10.4M  100 10.4M    0     0  4215k      0  0:00:02  0:00:02 --:--:-- 4215k
status code: 200

Archive:  tet-sensor-CentOS-7.5.zip
 extracting: user.cfg
  inflating: sensor.cfg
  inflating: enforcer.cfg
  inflating: tet-sensor-3.1.1.53-1.el7.x86_64.rpm
Linux Installer Part 2
Stages shown in the output: verifying the package signature, installing the sensor, cleaning up.

Verifying Linux RPM package ...
RPM package is PGP-signed
Installing Linux Sensor ...
Preparing...
/bin/curl
/sbin/dmidecode
/bin/openssl
/bin/cpio
/bin/sed
/bin/awk
Updating / installing...
   1:tet-sensor-3.1.1.53-1.el7        ################################# [100%]
useradd: warning: the home directory already exists.
Created symlink from /etc/systemd/system/multi-user.target.wants/tet-sensor.service to /etc/systemd/system/tet-sensor.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/tet-enforcer.service to /etc/systemd/system/tet-enforcer.service.
### Installation succeeded
Cleaning temporary files
### All tasks are done ###

Agent Verification
• Hostname and Agent authenticated
• Interfaces discovered and checked-in
• Scope matched
• Telemetry streaming commenced

Application Workspaces
Policy Definition
Application Dependency Mapping – Within the Application
(Diagram: Application Scope → Clusters and Policy)


Application Dependency Mapping – Outside the Application
(Diagram: Clusters and Policy alongside External Dependencies: Users, SaaS, DNS, Authentication Services, Shared Database)


Application Workspace Fundamentals
• Workspace for application policy allowing for full policy lifecycle operations
  • Definition and Discovery
  • Experimentation
  • Analysis and Monitoring
  • Enforcement
• Workspace allows for Application Dependency Mapping (ADM) against the application scope
• May be defined at any point in the scope hierarchy for policy control
Two Workspace Types:
• Primary Workspace – Active Policy, Single Source of Truth, Analysis and Enforcement
• Secondary Workspace – Policy Modeling and Experimentation

ADM Default Settings
• External Dependencies: scopes/branches (e.g. Backup, Branch, Campus, IT) may be hidden or re-ordered; top down ordering with first match
• Advanced Configuration
• ADC Configuration
• Granularity
• Define once. Re-use in any workspace


Application Workspace Definition
• Scope defines policy perspective
• Allows dynamic policy matching
(Diagram: the Acme scope tree from the Inventory Scope Tree example, with the workspace anchored on one scope)

Workspace Components
• Scope
• Groups: Clusters (0) – groups of similar workloads within the scope
• Policy: Absolute Policies (0), Default Policies (0), Catch All DENY – the application security policy
• Operations: Analysis, Enforcement – enabled for Primary Workspace only

ADM Run Configuration
• Scope: the application scope within the Acme tree, plus the External Dependencies it may talk to (Campus, Branch, other apps)
• Select Time Range: Hrs, Days, Weeks ("Give me everything!")
• Accept Defaults or Customise: Advanced Configuration, ADC Configuration

ADM Run
• Clusters discovered: Clusters (4) – cluster1, cluster2, cluster3, cluster4
• Recommended Policy: Absolute Policies (0), Default Policies (42), Catch All DENY
• Validate and Visualise Policy
(Tabs: Discover Groups | Recommend Policy | Validation)

Cluster Validation
• Approve cluster if good
• Provide meaningful name (cluster1–cluster4 become core-app, core-db, fund-mgmt, transact)
• Validate confidence factor
• Check endpoints vs expected, e.g.:
  10.1.20.5 core-010 CentOS…
  10.1.20.6 core-011 CentOS…
  10.101.20.5 core-012 CentOS…
  10.101.20.6 core-013 CentOS…
• Repeat process for each cluster

Policy Validation
Default Policies (42) | Catch All DENY
(Action column is shown as icons on the slide; cells the slide did not capture are marked.)

Priority | Action | Consumer | Provider | Services | Reviewer question
100 | | core-app | core-db | TCP 3306 |
100 | | core-app | transact | TCP 1433, 1568 |
100 | | core-app | (not captured) | TCP 88, 139, 445… |
100 | | core-app | (not captured) | UDP 123 | Which NTP hosts?
100 | | core-app | (not captured) | TCP 443 |
100 | | (not captured) | (not captured) | TCP 22, 443 | SSH from Campus?
100 | | core-db | core-app | TCP 21, 22, 23 | Insecure Protocols?
100 | | core-db | (not captured) | TCP 1556 | All clusters backed up?

Verify, Restrict, Remediate


Policy Validation
• Are the server groups as expected?
• Should UAT be talking to Production? Test?
• Are all IT services applied consistently?
• Can I be confident the policy is accurate?
• What if the application changes? Can the policy change too?
• Are there any unexpected dependencies?
(Diagram: Flows → Conversations → Policy)

Absolute Policy
(Table columns: Priority | Action | Consumer | Provider | Service)
Absolute Policies
• Provide ability to override application policy (default) or other policy with a lower priority
• Typically applied for coarse security rule definition at higher level across multiple applications
• May include black/grey list rules

Scope Policy Ordering
Within a scope (e.g. Acme:Inside:Apps:Banking:Core:Prod) policy is evaluated in order: Absolute → Default → Catch All DENY

Global Policy Ordering
Policies from ancestor scopes apply alongside the application's own; each scope contributes its Absolute policies, Default policies and Catch All. The slides show the stack from Acme:Inside down to the application scope:
Acme:Inside – Absolute, Default, Catch All PERMIT
Acme:Inside:Apps:Banking – Absolute, Default, Catch All PERMIT
Acme:Inside:Apps:Banking:Core:Prod – Absolute, Default, Catch All DENY

Application Workspaces
Policy Analysis
Enable Policy Analysis
• Policy analysis only available for Primary Workspace
• Workspace state after validation: Clusters (4) validated (cluster1–cluster4); Absolute Policies (0), Default Policies (38), Catch All DENY – policy validated
(Tabs: Groups Validated | Policy Validated | Validation)

Active Policy Analysis
• Provides confirmation of policy accuracy pre-enforcement
• Near-real-time live traffic analysis against policy
• Identify and remediate any non-compliant activity BEFORE enforcement

Policy Compliance Verification

Category | Meaning
Permitted | Permitted flow matching policy
Misdropped | Permitted flow matching policy, but with dropped packets
Escaped | Flow denied by policy, but permitted (not dropped)
Rejected | Flow denied by policy, and dropped
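The ordering on the Scope Policy Ordering slide (Absolute, then Default, then Catch All, with the priority number deciding first match within a section) and the four compliance categories above, as an added worked example; it is not Tetration's code. Cluster names and services follow the Policy Validation slide, the observed flows are constructed, and only one scope's workspace is modelled, not the ancestor scopes of Global Policy Ordering.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    section: str       # "absolute" or "default"
    priority: int      # lower number is matched first within a section
    action: str        # "ALLOW" or "DENY"
    consumer: str      # cluster or filter name
    provider: str
    proto: str
    ports: frozenset   # provider-side ports


def parse_services(text):
    """'TCP 21, 22, 23' (as printed on the slides) -> ('TCP', {21, 22, 23})."""
    proto, _, ports = text.partition(" ")
    return proto.upper(), frozenset(int(p) for p in ports.replace(",", " ").split())


def policy(section, priority, action, consumer, provider, services):
    proto, ports = parse_services(services)
    return Policy(section, priority, action, consumer, provider, proto, ports)


# Constructed workspace in the shape of the Policy Validation slide: ADM
# recommended default policies, plus one absolute policy added by the
# reviewer to block the insecure protocols that ADM observed.
WORKSPACE = {
    "catch_all": "DENY",
    "policies": [
        policy("absolute", 10, "DENY", "core-db", "core-app", "TCP 21, 23"),
        policy("default", 100, "ALLOW", "core-app", "core-db", "TCP 3306"),
        policy("default", 100, "ALLOW", "core-app", "transact", "TCP 1433, 1568"),
        policy("default", 100, "ALLOW", "core-db", "core-app", "TCP 21, 22, 23"),
    ],
}
SECTION_ORDER = {"absolute": 0, "default": 1}


def verdict(ws, consumer, provider, proto, port):
    """First match in Absolute -> Default -> Catch All order, priority within each."""
    ordered = sorted(ws["policies"], key=lambda p: (SECTION_ORDER[p.section], p.priority))
    for p in ordered:
        if (p.consumer, p.provider, p.proto) == (consumer, provider, proto.upper()) and port in p.ports:
            return p.action
    return ws["catch_all"]


def classify(ws, flow):
    """Compliance category from the policy verdict and whether the flow was dropped."""
    action = verdict(ws, flow["consumer"], flow["provider"], flow["proto"], flow["port"])
    if action == "ALLOW":
        return "Misdropped" if flow["dropped"] else "Permitted"
    return "Rejected" if flow["dropped"] else "Escaped"


def compliance_report(ws, flows):
    """Counts per category; anything other than Permitted/Rejected needs remediation."""
    return Counter(classify(ws, f) for f in flows)


# Constructed observed flows (what policy analysis sees before enforcement).
FLOWS = [
    {"consumer": "core-app", "provider": "core-db", "proto": "TCP", "port": 3306, "dropped": False},
    {"consumer": "core-app", "provider": "core-db", "proto": "TCP", "port": 3306, "dropped": True},
    {"consumer": "core-db", "provider": "core-app", "proto": "TCP", "port": 23, "dropped": False},
    {"consumer": "core-db", "provider": "core-app", "proto": "TCP", "port": 22, "dropped": False},
    {"consumer": "campus", "provider": "core-app", "proto": "TCP", "port": 22, "dropped": True},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f["consumer"], "->", f["provider"], f["proto"], f["port"], classify(WORKSPACE, f))
    print(compliance_report(WORKSPACE, FLOWS))
```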
Remediate Non-Compliant Flows
Example: port scanning showing up at a regular time each day (screenshot).

Remediate Non-Compliant Flows
Example: a misconfigured host (screenshot callouts: "Updated policy version here", "What is this?").

Update and Continually Monitor Policy
• Permitted flows as expected
• Non-Compliant flows minimal and/or accounted for

Policy Enforcement
Zero Trust Policy Enforcement
• Application Policy → Workload Enforcement
• Custom Policy per workload
• Dynamic, recomputed every 60 sec

#CLUS BRKACI-2072 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
Enforcement Pre-Check
• Identify Target Environment (e.g. Acme:Inside:Apps:Business:HR:UAT)
• Confirm enforcement agents active
• Check agent config intent is applied
  • Enforcement Enabled
• Check for any existing policies in local firewalls
  • Ensure rules are incorporated into Tetration policy

Tip: Use agent config intents to allow phased deployment to target environment

Toes in the water
• Build confidence with policy enforcement
  • Enable/Disable
  • Rollback
  • Monitoring
Example workspace Acme:Inside:Apps:Business:HR:UAT – Default policies: TCP 443; TCP 1334; UDP 53, TCP 443; TCP 22, 443
Catch All PERMIT – set Catch All to Permit for first time enforcement.
Catch All DENY – revert to Deny when ready to enforce the white list.

Tetration Endpoint Enforcement
• Previous policy versions available for rollback
• Rules Recomputed Every Minute

Enforcement Rules

Workload Hardening and Event Detection
Software Vulnerability Assessment and Control
• Identify Known Vulnerabilities across full inventory
• Search by CVE, or CVSS (CVE Score)
• Build filters for dynamic policy control

#CLMEL TECSEC-2723 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
Software Vulnerability Assessment and Control
• Apply absolute policy overrides to contain/protect against active vulnerabilities
• Dynamic policy filter adapts policy as vulnerabilities are patched

Reducing the Attack Surface

Identify Malicious/Suspicious Processes
Process Hash Validation
• Whitelist/Blacklist Assessment
  • NIST/Threatfeed
  • User Upload
• Consistency measurement
  • Identify variations/outliers
Workload Inventory
• Search all long-lived processes
• User, PID, Hash, Command Line

Full Process Tree and Timeline
(Screenshot: process execution detail)

Forensic Activity
Identifying Process Behaviour Deviation
• Match the process behavior deviations to identify suspicious activities
• Trigger on specific event combinations incl:
  • Privilege escalation
  • Shell-code execution
  • Side channel attack
  • Raw socket creation
  • User login activities
  • File access pattern

Data Exfiltration Detection
• Detect anomalies in neighbor traffic volume
• Temporal Analysis with Seasonality assessment
• Correlate with forensic events

Thank you
