#CLMEL
Agenda
#CLMEL BRKACI-2072 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Why Workload Protection?
Trust? Who can you trust?
What is agreed:
• There is no longer a clear, defensible perimeter
• Default should be to deny access
• Access should be granted with least privilege
• Access should be continuously monitored and verified
• Apply a complete, automated approach across:
Whitelist Security Policy
• Explicit Permit Rules
• Default Deny
• Challenges:
  • Policy discovery/definition
  • Adapting to change
  • Accuracy is critical
What about Black Lists?
• Explicit Deny Rules
• Default Permit
• Challenges:
  • Very complex
  • Highly intensive
  • Impractical to maintain
Anatomy of a Breach
• Key Steps in the Intrusion Lifecycle
Tetration Workload Protection
• Micro-Segmentation: White List Policy Generation, Host Based Enforcement
• Workload Hardening: Software Inventory, Vulnerability Management
• Event Detection: Process Baselining, Advanced Attack Detection, Data Exfiltration, Behavioral Analytics
Tetration Telemetry and Control
• Thousands of workloads
• Millions of events per second
• Billions of records stored long term
Platform Variations
Pre-defined User Roles
Note: Global Scope includes system-level access that is not required in Tetration SaaS.
Initial User Accounts
See Custom Role and User Config in the Supplementary Section.
Initial accounts are listed by Email and Role; on a Tetration Appliance these are the emails provided during system build.
Initial Login
Tetration has NO default passwords.
Working with Inventory
Defining Scopes
Hierarchy for Humans
• Hierarchy provides structure to easily navigate large, complex datasets
• Physical Location: Longitude 144°58'14.40"E
• Hierarchical Address: Universe > Australia > VIC > Melbourne > 101 > Level 14
Configuration Building Blocks
• Tenant: High level logical container providing separated, role based access control to a defined set of data, configuration and policy.
• Root Scope (aka VRF): Root of a scope hierarchy under a given tenant; provides a logical separation for L3 address domains.
• Scope: Hierarchical object defined by dynamic query against inventory; provides the anchor point for policy, RBAC and filter configuration.
Default Root Scope Configuration
• Appliance: Tenant "Default", Root Scope "Default", provisioned as default
• SaaS: Tenant Acme, Root Scope Acme, provisioned to match customer domain
Scope Tree (physical hierarchy alongside the Acme scope tree):
Universe > Earth > Australia > Melbourne > Collins St > 101
Acme > Inside > Apps > Insurance > Claims > Prod
Inventory Scope Tree – Example
Acme > Inside > { Apps, Branch, Campus } > environments (Prod / UAT / Dev)
Order depends on organisation requirement.
Working with Inventory
Annotations (Context)
Annotated Inventory
Start with what you already know (or think you know).
Example annotations for an Acme host:
Owner        Acme
Type         App
Service      Business
App          HR
Environment  Prod
Example scope query (Inside): Owner = Acme and …
Annotation Categories
• Tetration supports three primary categories of annotation
Annotation Planning Considerations
• Sources of data
  • Networks – IPAM? Spreadsheet? Jim’s Whiteboard?
  • Hosts – CMDB, Hypervisor, Cloud, App Owners?
• Accuracy of data
• How dynamic the data is and how it will be updated
  • Manual upload? API Integration?
• Start with the basics and grow
  • Use network annotations to build high level scope structure
  • Use host annotations to build more detailed scope structure at app level
Network/Subnet Annotations
• Start building a network foundation with high level categorisation
• Builds static inventory for all private/internal IP address ranges
• Any host in these subnets will inherit corresponding network annotations
• May be overridden at host layer if required.
IP               Owner   Type
10.0.0.0/8       Acme
10.0.0.0/10              Apps
10.160.0.0/11            Apps
172.16.0.0/12    Acme
172.16.0.0/14            Campus
192.168.0.0/16   Acme
192.168.0.0/18           Branch
Host Annotations
• Host specific user annotations
• Network annotations inherited – or overridden if required
• Application relevant annotations provide application context
• Additional fields for any user-defined purpose (policy, search, security)
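Added example (not code from the deck or from the Tetration product): it resolves a host's effective annotations the way the two slides above describe, most specific network prefix per column, then host-level override, and checks the result against a scope query such as Owner = Acme. The network rows are the deck's subnet table; the host annotations and the address 10.160.1.7 are constructed.

```python
"""Effective annotations for a host: longest-prefix network annotation per
column, then host-level overrides (added example, not Tetration code)."""
import ipaddress

# Network/subnet annotations from the deck's table; a column absent for a
# subnet is simply not set at that prefix length.
NETWORK_ANNOTATIONS = [
    ("10.0.0.0/8",     {"Owner": "Acme"}),
    ("10.0.0.0/10",    {"Type": "Apps"}),
    ("10.160.0.0/11",  {"Type": "Apps"}),
    ("172.16.0.0/12",  {"Owner": "Acme"}),
    ("172.16.0.0/14",  {"Type": "Campus"}),
    ("192.168.0.0/16", {"Owner": "Acme"}),
    ("192.168.0.0/18", {"Type": "Branch"}),
]

# Constructed host annotations (a hypothetical CMDB export, not from the deck).
HOST_ANNOTATIONS = {
    "10.1.20.5":  {"App": "Banking", "Environment": "Prod"},
    "10.160.1.7": {"Type": "Branch"},   # overrides inherited Type=Apps
}


def resolve_annotations(ip, networks=NETWORK_ANNOTATIONS, hosts=HOST_ANNOTATIONS):
    """Return the effective annotation dict for one host address."""
    addr = ipaddress.ip_address(ip)
    effective, best_len = {}, {}
    for cidr, columns in networks:
        net = ipaddress.ip_network(cidr)
        if addr not in net:
            continue
        for col, value in columns.items():
            # The most specific (longest) matching prefix wins per column.
            if net.prefixlen > best_len.get(col, -1):
                effective[col] = value
                best_len[col] = net.prefixlen
    effective.update(hosts.get(ip, {}))   # host layer overrides network layer
    return effective


def matches_scope(annotations, query):
    """True when every column=value condition of a scope query holds."""
    return all(annotations.get(col) == val for col, val in query.items())


if __name__ == "__main__":
    for host in ("10.1.20.5", "10.160.1.7", "172.20.5.5", "8.8.8.8"):
        print(host, resolve_annotations(host))
```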
Dynamic Annotations
• Manual upload provides a great start, but a more dynamic operational model is desirable
• Dynamic annotations allow for dynamic grouping and policy actions
• Integrate with external systems for dynamic annotation update via the Tetration API
Annotation sources: REST API, CSV upload
Annotation Operations
• Two upload operations are provided by the Tetration UI, in which the CSV file can represent data to be either added/updated or deleted.
• Annotation columns may be selectively placed in/out of service for inventory and flow annotations, or deleted.
Scope Definition
• Scope tree may be configured by UI, or automated via API
• Query may match against IP/Subnet or Annotation (Recommended)
Tip: Build scopes with dynamic annotation match for increased flexibility
Working with Inventory
Filters
Inventory Filters
• Provide a flexible method for inventory matching against the scope tree
• Filters may apply across the entire tree or be restricted to a scope
Example (scope tree Universe > Australia > VIC > 3000 > Collins St > 101 > L14):
• Scope Restricted Filter: match only green people at VIC
• Unrestricted Filter: match all blue people
Dynamic Inventory Filter – Unrestricted
(Scopes shown: Apps with Claims, HR, AD, AV)
Dynamic Inventory Filter – Restricted to Scope
(Scopes shown: Inside, Apps)
Sensor Deployment
Tetration Software Sensors
• Rich Telemetry
• Workload Protection
• Dynamic Microsegmentation
• Wide OS Support (now supports Linux on IBM Z)
• ADC Integrations
Tetration Software Sensors
Workload Telemetry
Enforcement Policy
Default Agent Configuration Intent
• Default configuration intent automatically applies
• Modify or create new intent for custom configuration
• Default intent: Agent Auto-Upgrade enabled; Enforcement and Forensic capabilities disabled
Custom Agent Configuration Intent
Assign to scope via Intent
Software Agent Download
• Agent installer script
  • Linux – bash (root)
  • Windows – PowerShell 4.0+ (admin privileges)
• Classic agent download also available
  • Linux – rpm
  • Windows – msi
Installer output, part 1 (steps annotated on the slide: Testing Dependencies, Detecting OS, Establish Secure API connection, Execution directory, Download Package):
### Testing tet-sensor prerequisites on host "dc-banking-012" (Tue Feb 19 12:55:07 AEDT 2019)
### Script version:
Detecting IPv6
Testing dependencies….
…………….. Detecting OS
### Pre-check Passed
### Installing tet-sensor on host "dc-banking-012" (Tue Feb 19 12:55:10 AEDT 2019)
Created temporary directory
Connected to 10.66.239.165 (10.66.239.165) port 443 (#0)
0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0
< HTTP/1.1 200 OK
Linux Installer Part 2 (steps annotated on the slide: Verify package, Install Sensor):
Verifying Linux RPM package ...
RPM package is PGP-signed
Installing Linux Sensor ...
Preparing...
/bin/curl
/sbin/dmidecode
/bin/openssl
/bin/cpio
/bin/sed
/bin/awk
Updating / installing...
1:tet-sensor-3.1.1.53-1.el7 ################################# [100%]
useradd: warning: the home directory already exists.
Agent Verification
Scope matched; telemetry streaming commenced.
Application Workspaces
Policy Definition
Application Dependency Mapping
• Workspace allows for Application Dependency Mapping (ADM) against the application scope
• May be defined at any point in the scope hierarchy for policy control
• Primary Workspace: single source of truth for the active policy; used for analysis and enforcement
ADM maps dependencies within the application and to external services: Users, SaaS, DNS, Authentication Services, Shared Database.
ADM Default Settings
• Scopes/branches may be hidden or re-ordered
• Allows dynamic policy matching
(Scope tree shown: Acme > Inside > { Apps, Branch, Campus, IT, Backup } > Prod / UAT / Dev)
Workspace Components
Scope
ADM Run Configuration
Scope tree shown: Acme > Inside > Apps > Services (Security, Business, Insurance, Banking) and IT, each with Prod / UAT / Dev.
• Accept defaults or customise
• Advanced Configuration
• ADC Configuration
ADM Run
• Clusters discovered (cluster1, cluster2, cluster3, …)
• Workspace tabs: Scope, Clusters (4), Absolute Policies (0), Default Policies (42), Analysis, Enforcement
• Validate and visualise the recommended policy
Cluster Validation
• Validate confidence factor
• Check endpoints vs expected
• Approve cluster if good
• Repeat process for each cluster
Clusters shown: cluster1 (core-app), cluster2 (core-db), cluster3 (fund-mgmt), cluster4 (transact)
Endpoints of the selected cluster:
10.1.20.5     core-010  CentOS…
10.1.20.6     core-011  CentOS…
10.101.20.5   core-012  CentOS…
10.101.20.6   core-013  CentOS…
Policy Validation
• Default Policies (42); Catch All: DENY
• Views: Conversations, Flows
Absolute Policy
Absolute Policies table columns: Priority, Action, Consumer, Provider, Service
Scope Policy Ordering
Within a scope (e.g. Acme:Inside:Apps:Banking:Core:Prod): Absolute policies, then Default policies
Global Policy Ordering
Across the scope tree (Acme, Acme:Inside, … down to the leaf scopes): Absolute policies of each scope, then Default policies
Global Policy Ordering
Acme:Inside
  Absolute
  Default
Acme:Inside:Apps:Banking
  Absolute
  Default
Acme:Inside:Apps:Banking:Core:Prod
  Absolute
  Default
Application Workspaces
Policy Analysis
Enable Policy Analysis
Policy analysis is only available for the Primary Workspace.
Workspace tabs: Scope, Clusters (4), Absolute Policies (0), Default Policies (38), Analysis, Enforcement (clusters cluster1, cluster2, cluster3 shown)
Active Policy Analysis
• Provides confirmation of policy accuracy pre-enforcement
• Near-real-time live traffic analysis against policy
• Identify and remediate any non-compliant activity BEFORE enforcement
Policy Compliance Verification
Port Scanning
Remediate Non-Compliant Flows
Misconfigured Host
What is this?
Update and Continually Monitor Policy
• Permitted flows as expected
• Non-Compliant flows minimal and/or accounted for
Policy Enforcement
Zero Trust Policy Enforcement
Application Policy
Workload Enforcement
Custom Policy per workload
Dynamic, recomputed every 60 sec
Enforcement Pre-Check
• Identify target environment (e.g. Acme:Inside:Apps:Business:HR:UAT)
• Confirm enforcement agents active
  • Check agent config intent is applied
  • Enforcement enabled
• Check for any existing policies in local firewalls
  • Ensure rules are incorporated into Tetration policy
Tip: Use agent config intents to allow phased deployment to the target environment
Toes in the water
• Build confidence with policy enforcement
  • Enable/Disable
  • Rollback
  • Monitoring
Example scope Acme:Inside:Apps:Business:HR:UAT; services shown: TCP 443, TCP 1334; Default: UDP 53, TCP 443
Tetration Endpoint Enforcement
Enforcement Rules
Workload Hardening and Event Detection
Software Vulnerability Assessment and Control
• Identify known vulnerabilities across the full inventory
• Search by CVE ID or CVSS score
• Build filters for dynamic policy control
Software Vulnerability Assessment and Control
• Apply absolute policy overrides to contain/protect against active vulnerabilities
• Dynamic policy filter adapts policy as vulnerabilities are patched
Reducing the Attack Surface
Identify Malicious/Suspicious Processes
Workload Inventory
• Search all long-lived processes
• User, PID, Hash, Command Line
Full Process Tree and Timeline
Process Execution Detail
Forensic Activity
Identifying Process Behaviour Deviations
• Shell-code execution
• Side channel attack
• Raw socket creation
• User login activities
• File access pattern
Data Exfiltration Detection
Thank you