SecureX: Cisco's Security Platform

Captions
I mention my name is Ben green I am with Cisco's administered solutions and security integrations team and today we are going to be talking about secure X I can be found on Twitter at Second Sight SEC int s IG HT my beard does not yet have a Twitter account of its own but we may have to fix that I don't know is the first I heard of that we can talk but experience simplified the two words it says there on your screen that's what secure X is all about and we're going to explain why and how as we go through the material for the next hour so we're going to talk about the power of secure X what is it for what does it do and why does anyone need that we're going to talk about the main features of secure X how does it do that and I'm going to give you a demo you're gonna get a sneak peek it doesn't release until later this month toward the end of the month but I'm going to be able to show you a little bit of it here today I'm gonna leave you with some review material we're gonna wrap it up and I'm gonna leave you some resources that you can use to find out more about secure X so let's get started by talking about the power of secure X which also means the reasons for for secure X and the way we do everything in security is changing all the time this isn't a new announcement this has been the way of the security industry since there wasn't one and we've got so much to adapt to on a daily basis new threats new types of threats new defenses against those threats new work environments you know we've moved from everybody being in an office and being connected to the network to moving to the cloud and I'm working from home more than ever before the way we do things is changing the things we do are changing the things we need to secure are changing what we need to secure them from is changing and so on we've got increasing demands on our security teams around the world ok we're starting to see what feels like an unlimited number of devices and device types on our network we're 
moving things to the cloud we've got people working from all over the place and we don't have enough visibility we don't have enough experts there's a hiring shortage there's a there's a staffing shortage in the security industry by and large when we can even get you know requisitions to hire new people that often aren't qualified people to even be hired we don't have enough integration between all of the different products that we're using the security is been very good about where there's a new kind of threat let's introduce a new product to deal with that threat and now slots will often have up to 75 or more different security tools that they're trying to juggle and try to make all work together and it's a irritating it'd be slow and inefficient and because of all of this we've just got too much exposure our adversaries have too much time in our environments because it takes too long to find them because we're spending half of our time copying and pasting between different interfaces and trying to remember which one we in it how does this one work and what all doing our best every sock is doing their absolute best to keep up but it doesn't it it just doesn't it and the changes don't end our adversaries are well-funded they're patient they only need to get in one time and they could wait but for every one of them we have to defend against their every attempt we have this vast security market ok we've got over 3,000 cyber security vendors currently active on the planet okay we have these siloed solution sets like I said 75 security tools on average in a sock and we've got reduced effectiveness as a result 79 percent of our systems that we surveyed said that it's difficult to orchestrate these alerts to into triage alerts for multiple products to find out you know when does this alert shed some intelligence on the contents of this other alert from an entirely other product and isn't a time then all of our gear all of our security solutions acted like they were on 
the same team and so if cisco secured X is it's a security platform that helps protect your business by bringing all of this together backed by the strongest security team on the planet we've got the Tallis research group maybe largest non-governmental cybersecurity research group on the planet we've got zero trust capabilities we've got endpoint solutions we've got network solutions we've got cloud security solutions we've got applications we've got risk management we've got that constant threat intelligence all in one place for really the first time and if a platform that enables you to get better outcomes by using your solutions more effectively even if you only have one because we'll bring that one additional fret intelligence for multiple Cisco sources even if you only have one Cisco products but if you have many we're going to help unlock all the value in that product that you already bought by allowing it to be used by your other products by allowing it to be available to your other tools to your other teams for simplifying the experience of working across multiple products or accelerating your success by taking out the lag and it's the result of trying to use multiple different products together in an inefficient manner and we're allowing you to protect your future reducing complexity with this integrated open platform that adds value to everything you've already got and then gets out of your way and gives your team that time back to handle more threats to protect more assets bringing everything together reducing complexity and allowing you to confidently secure your environments and advance your security maturity because you're going to be more able to do things that were previously reserved for some of the more advanced security organizations that larger companies might have you're going to be able to do automation you're going to be able to do faster triage you're going to be able to unify everything together even if you don't have a sim you're going to 
be able to see the logs from multiple devices in one place when you ask a question of response with insecure X you're going to get visibility back from all of your products without you having had to spend additional money on a product that does that for you you're going to be able to use orchestration and automation features built into secure X without having to buy and Express the platform that does that and your teams are going to be able to work together because they're all going to have access to the same information for example instead of the email security team being the only team that knows about what's happening in email threats into your environments that information can be available to everyone in your organization across your entire company who's using secure X and so we're actually changing the way organizations coordinate to secure their environments across multiple vectors basically accelerating your success not only across Cisco platform so our system products but also with products from up to a hundred and seventy and sorry not up to seventy and more partners in various fields and you see there on your screen a list of the different categories of software that secure X and the products that are included with secure X can interact with out of the box this is impressive for a number of reasons not the least of which are the things I've already described this appearance is going to do for you but also in that we decided to do this six months ago and we're rolling it out later this month but we have been putting in the work for over a decade building this security portfolio buying companies that had made the Best of Breed solutions companies from admittedly sorry products from admittedly different companies and for that reason they're engineering teams weren't exactly working together when they were two completely separate companies that never mean they were going to be acquired by Cisco in future so we brought these products together okay we've done 
many many integrations between these products already dozens of integrations exist between these Cisco security solutions already but instead of going one to one and one to one and building the spiderweb of integration pathways we're tying everything together now into this single solid platform solution and this platform is an experience that's available as part of the security portfolio okay like I said earlier we've got secured X products from the network space endpoint security cloud security security applications and application security but not only that we also tie into things that are already in your infrastructure all of these third-party products that we can support out of the box and more being added all the time we want you to be able to get more value not only out of your cisco security gear but out of the stuff you've already got from other vendors we're not kidding ourselves we know there are things in your sock they don't say Cisco on them that's ok then we can talk later that's ok we can work with those products to let you unlock additional value from everything you've already done your Cisco products your non Cisco products you're human people you guys we want everybody to be able to get more value out of the time and the money and the equipment that they've already got as a benefit of being a Cisco customer and this solution this platform is available to everyone who already has a Cisco security product that is secure X capable if you're familiar with threat response which I hope everybody is but if you are you're familiar with the licensing model for threat response which is if you own a product and start response capable you automatically get access to threat response at no additional charge it's the same model for secure X in fact secure X is the continuation of the same design philosophies and principles that brought a threat response in the first place so if you're already a threat response user which if you're already a Cisco customer you 
should be then all of this is going to seem very familiar to you but we're allowing you to bring that visibility together across your environment so reduce the complexity of interacting with multiple terminals automate some of your security workflows which is new because that's not part of current response and reloads will allow you to get all of this in under 15 minutes of configuration time and of course access to secure X also gives you access to additional threat intelligence repositories and services including towels towels intelligence as part of secure X living in your sock so what does it do it saves you money it saves you time we're getting a bit into business stuff I promise we'll get into technology soon but we save you money we save you time these pre-built integrations that you don't have to build saves you operations to development time a single window into investigation and response functions saves analysts time automation and orchestration capabilities saves you operations time and software budget and human lag prods by the opportunities for human error we've got lower mean time to resolves and lower adversary to well time as a result of you being able to use all this time and all this equipment more efficiently your adversaries are gonna have less time to mess around in your network or to even get there in the first place which saves cleanup time and saves potential financial and we will explore know what's different about Cisco's offering well a lot of other vendors don't have this kind of thing at all if they do it's an expensive add-on to the licensing you're already paying before they don't have an open API for the most part and certainly don't cover the same breadth of technologies so things that I want you to remember this is threat response but even more so if you're already familiar with front response you're gonna be familiar with CTMS prep response because it's largely the same thing you're going to be familiar with the licensing model 
because it's largely the same thing it's included with purchase of qualifying products I don't say that but if you behind already own anything that is secure it's capable you can access to secure X there's no charge for it it's just part of the experience of being a Cisco customer we're unifying visibility and reducing complexity and it's a keep cisco security differentiator like I said nobody else is really doing this so what does it actually consist of what are the features that deliver on all of these promises what are the main highlights of the secure X experience single sign-on unifying your access to the portfolio do you have a separate login for umbrella versus the friend portal of course Suzanne for endpoints versus you and every other thing you might have that's going to go away we're introducing a new single sign-on service with secure X that enables your prompt access to all of the security products you've got starting with the cloud security products but eventually moving into you on devices as well to allow you to have that harmonized access all these products are for the same from the same company will start acting like it so making you have different credentials to get into every possible user interface we're going to have threat response for your fast investigation and remediation needs again this is identical to the first ones you're already familiar with of course we've been developing for a response this entire time as well so I shouldn't say identical but it's the same concept it's the same feature set the same tools the same capabilities we've got workflow automation secure X comes with its own automation and orchestration engine which I will show you in the demo but it reduces manual tasks you don't have to go into each of you know 15 different interfaces because we can just have a chain of events that runs all those for you it's you don't even have to click one because we can have it be conditional and have it reacts to certain conditions in 
your environments you can get a customizable dashboard so when you first log in and you are greeted with the metrics mystics the information that you need and you can make your own do you even have multiples for different tasks and then the ribbon the secure X ribbon is a UI feature of every almost every secure X capable product from Cisco if you're familiar with threat response again then you're familiar with the casebook widget that exists in before a sponsor interface it exists in the and for endpoints interface and possessing the threat great interface and so on those little things at the corner you can open it up and put observables in it and conduct investigations take response actions all of that and it followed you from product to product you didn't have to you know set up in one and then set it up in another continue doing this it was just a feature of Cisco security space that allowed you to keep states in a current investigation no matter which user interface you are using to do that part of the investigation the ribbon is like that but again even more so it's got more capabilities more functionality it it is available in most of the integrated products you eyes and it's a way to bring your best tools with you no matter what product you're currently in so let's start going into depth on each of those high-level feature areas secure outside our adaptive layered and simplified authentication one place to go to get in to all of these cisco security suite a single username and password to access all of the integrated applications and you imagine that you know that unified login experience protected by duo even if you're not a dual customer your access to secure X grants you the ability to use duo at least to get into secure exit you've got built-in multi-factor authentication again at no additional charge the dashboard is a customizable view of what you decide are your key operational metrics across all the products in your portfolio what does the dashboard 
do for you well it includes the ability to cross launch with you any of the other products it includes a marketplace there on the Left image for easy access to current I even put future products as you can request free trials right out of the UI there you can also across logic into for example and for ten points and frankly portal and every other browser accessible Cisco product that you might have that's tied in to secure X in the middle of the graphic you see metrics tiles for those Adam Glantz updates on your environment how many files has your email security solution sent to you threat grid for analysis you know how many threats I am protected how many of your agents need to be updated there's hundreds they're not going to list them all but there's all these different kinds of metrics that each individual integrated product can provide to your dashboard for you to be able to see every time you come here or it even to do quick reporting and there's also the newsfeed on the right which is where you can get updates from your Cisco products from various Cisco services tell us for example and other industry sources of that kind of timely information going into threat response one of the main features of threat response well for why do you get threat intelligence you can do investigations no matter what Cisco product or products you have and those investigations will return data from Talos from third-party intelligence sources if you want your own private intelligence if you want to upload that into threat response so that that's included and and various other for intelligence databases that are part of Cisco products you might not even have the m4 endpoints while our reputation database for example is included with access to hear.i service files whether you're an amp for endpoints customer or not so bringing you all of this global intelligence together the relations graph if you use threat response this is the part you're thinking of when someone says threat 
response if that graph that shows you all of the observables that you've been investigating so that you can immediately visualize that threat so as you can quickly put together that mental model you don't even have to put it together that's the whole point the graph puts it together you just look at it understand it and you can see the immediate organizational impact if there's been any begin at a glance and where to draw that final house is red that means Cisco and my other sources know that this is a malicious file you don't have to think about that it's just intuitive and it's just there right in front of you you get in the incident manager they just some automatic triaging of incidents from various Cisco integrated products so that you don't have to go through the task the tedium the the menial labor of finding out this alert is important that alert is less known can awake this alert is super important I have to do that now we're doing some level of that for you because we're filtering down what remains is easier for you to triage based on your business visa border the high primary assets of your environment and so on and we give you these tools to be able to manage incidents and then of course you get response actions from anywhere in the interface so anywhere you see a file house if you're an aunt for imports customer you can block that file house you see it in the context of an incident that you're looking at for the first time you see it in the context of a saved case book you see it in the context of an investigation that you just started you can block it from anywhere in the interface the same for domains and block in an umbrella to say for IPS and adding to a fire car block list and so on even in your browser you don't even have to be insecure expert response if you're using the browser plugin you can take all these actions be tough response but from any website anywhere on the internet including web accessible management consoles for third-party 
security products that we may have never even heard of but if it's loaded in your browser first response can work with it I'll show you that in the demo when we get there orchestration this is a big addition for those of you who are migrating from threat response when I talk about migrating a bit more later on it doesn't sound as scary as I just it's not as scary as I just made it sound but for those of you who are a threat response users this is all new and what you're seeing in the graphic on the screen is the workspace is the orchestration UI we can select from the various workflows that you may have written or that we may have written that you have decided to use or that somebody else has written because these are shareable we have workflows that allow you to get things done more quickly by not having to wait for a person to do it okay we're automating repetitive boring time-consuming tasks or reducing it the mean time to resolve because you don't have that a person deciding what is the next thing that happens in our official playbook the playbook is written down the playbook is programmed into orchestration and it can just do those things you don't even have to be around we've also got an integration model that allows you to quickly integrate with various Cisco security products third-party security products third-party non-security products third-party cloud environments we're going to talk more about the long list of available integrations in orchestration but suffice it to say that it is the broadest most integratable part of the cisco security platform and 24 by 365 because it's automation if you set a workflow to trigger on you know conditions you know when you receive an email into the phishing email box kick off an investigation and see if this file hasn't been seen on any of our other endpoints and all these things happen all your people can be in bed okay this just happens without any additional manual human interference so what are the benefits of 
orchestration well we've got a low code approach you're not a talented developer you don't have a dedicated developer in your son that's okay it's drag-and-drop its graphical you just like blocks is going to do it's a high performance editing tool but there's very little to no programming experience required it's all visual it's going to come with out-of-the-box play buffs already built by Cisco so it's going to be a number of these workflows that you don't have to build and you can import additional workflows or you can export the ones that you wrote you can share them there they're basically text files I mean it's a programming language after all there's just visual tools to put it together its text files any way that you can share text files you can share play books and you can then you know import them somebody sends you an email hey here's the workflow if it does XYZ thing you can just take that text file and literally upload it to the orchestration user interface and bam there's the play book now available in your organization and you can create your own of course you know you can use that tool you can use that intuitive graphical interface and all of the other security tools that you've got that are secure X orchestration capable and write your own we don't know what every business needs are we're not going to pretend to do so and you can have events based automation triggers or intent-based and what I mean by that is you can have those conditionals you know if a then two B C D and E and don't bother me just do them or you can have intent-based we click play you're like okay do this sequence of events and at least you only had to click one thing instead of 13 things in 12 different UIs and you can also have a mix of it's not on the slide but you can have approval steps so you can have the workflow take a couple actions and then before it takes you know some other perhaps more drastic action it can send you an update on your phone via duo and you can get a 
little thing that says workflow says do this approve or deny so then the person who's trusted to do that can make that decision and then the workbook and Kerry are and you can get runtime visibility what happened the last time this workflow ramp would happen the last five times you get a lot of information about the status of that execution at every step along the way and it can be used to communicate with both cloud and on-premise assets we're going to have this remote module that will allow workflows to leverage the capabilities of assets even inside your environment this isn't all just cloud services talking to each other we want to make sure that we can leverage the ability that your Cisco products and third-party products have inside your perimeter as well quick question and could we go back one slide quickly just the like loco approach slap it there and so I get the value of being able to do it without obviously being that technical like you said you know from a variety of users but is there a dn't I'm going to use this plug as an example not because I'm saying it's best but because it's my experience but is there the same kind of like I can do everything quite and like have quite granular control based on you know the actual configuration files or is it more of a GUI based or you know how would I make those very specific changes it's GUI based with the opportunity to do some fairly granular editing on each of the events or write to the items do you drive out from the menu I'll show you in the demo answer your question a little better than I'm able to verbally just talking about general concepts but it's how how complex the usage of this thing is is largely up to how complex do you want to make it you can literally watch your own Python script and then paste it into a window and have a step in that in the workflow that executes that Python script in our cloud environments and it does what ever it used to do or you can never do that it's really up to you 
[Music] you'll see in the demo but every step we drag out into the workspace there you can edit it you can say you know do you need this content take it from this other step that ran previously or take it from this variable or download it from this website or there's all kinds of different ways you can tell each step how to perform its specific task is that in the ballpark of the question you're asking yeah I mean basically pacing it but I'm excited for the demo so I won't and keep it okay not a problem at all thank you for the question um so this is cloud native it lives in the cloud it's a micro service architecture it's all based on an API the UI instead of just a client of that API so it's got high performance is very scalable it's also very secure it's got this drag-and-drop UI that I mentioned with these visual workflows that you can see and very easily understand you can see in the little graphic there on the far right that's a workflow you can see there's currently executing the step at the second from the top you can tell that because it's green and it's going to work for work through the rest of the things in that visual chain of events and you can combine multiple adapters adapters are the things that allow the integrations to work if you're familiar with ferrous laws they're similar to threat response modules an adapter is what you used to talk to an external thing and so you can combine those and you can have a workflow that uses many many of them you don't get me this information from a security product and then check for something about that in this other security product and then you know talk to my windows boxes and do a thing and then post a message in WebEx teams you can be all over the place and you can automate tasks according to either schedules or external events you can you can tie in web hooks there's all kinds of ways to kick these things off we'll see more about orchestration in the the ribbon this is the amp for endpoint user interfaces 
we're seeing on a slide there you see that little blue bar across the bottom unless what the ribbon looks like when it's docked and then you just click on it and that expands you get a lot more than you got with the casebook widget you can see we have the instruments app loaded right now you can see a list of incidents on the left in various categories my incidents of new incidents that are cited media service assigned to other people in my organization and then you select one of those to get more information and kind of a the main part of the ribbon across the top there towards the right you see that there's a entry bar we can enter observables to be investigated you can switch between the different apps that are hosted in the ribbon and so on so what's the ribbon all about it allows you to carry context threat intelligence and capabilities with you across all products one of the design philosophies of all of this is that it shouldn't matter what products you're looking at when you need to do a thing if it's a common task then we can reasonably expect you might want to be able to do from here even if you're not looking at the product that does it we want you to have that capability without you having to go to some whole other user interfaces logging it again remember with different credentials and navigating around until you find it like we want you to have your best tools with you all the time for that reason the ribbon is a transport framework for functionality we want you to have the capabilities of secure X and the entirety of the integrated product sex with you when you're in any other secure X capable products I don't know I keep saying that but it's really the core of the idea have all of your best tools handy all the time it ties our products together it's part of that unified usage experience that we're aiming for it but it brings broad response capabilities across all the products because if you can use the ribbon to block a file hash that used to come 
on in a product that doesn't have the ability to block files why not do that why would we not give you the ability to do that we've got across launch capability so you don't have to let go navigate your bookmarks and jump from product products all the time if your enterprise for that's the ribbon you have lost points for all of the other cisco secure x capable products and then we have the that live in the ribbon these are brokered by secure acts they are provided by secure acts and occasionally other products so what are the apps they come in a ribbon right now a quick question real quick yeah yeah sorry to interrupt so you mentioned back on the last slide about the integration with all your apps and you're not signing in you know as you're taking the data from the ribbon and going back and forth between the different areas so if I'm managing you know let's say fire power and everything else through this new cloud interface you know I can think of a few companies that I've dealt with that are gonna have concern kind of right off the bat you know management of my security products used to mean that you know whether it's VPN or something else or being on Prem at my business you know there was some control there that remote users weren't managing my my devices my data things like that is there any control over you know really logging into the interface will say and you know whether it's locking it down to coming from my certain you know static IP addresses at my company or something like that you know what I mean like you know right all I think of is kind of opening it wide open to the to the web being a cloud interface yeah totally understood at no point are we insecure X try to replicate the entirety of every UI of every Cisco product okay if you're managing a fleet of fire power devices you're still going to have to go to FM C or C do or maybe a whole bunch of you know FD games however you're doing it you're still going to have to do that for a lot of the routine 
maintenance kind of things. The functions that we want to bring together are the quick response items, okay, and the intelligence generated from those products. So somebody using SecureX, somebody who's logged in, somebody from your organization, may be able to see that, yes, this IP address was detected when, you know, this Firepower rule was triggered yesterday, from within the Threat Grid console or the AMP for Endpoints console via the ribbon, and they might be able to add an IP address to a block list via the ribbon or via pivot menus in various UIs, if you've given that security sign-on user the ability to add to those block lists. They're not going to be able to disable the firewall, because that's not even a function that we're offering via SecureX. Does that make sense?

Yeah, I mean, that's one of those, you know, how far, you know, say I get into the cloud interface, how far can I go with the company's devices? And, you know, that'd be the main... I mean, I think when you take a lot of companies, their first kind of leap into the cloud, that's the first kind of concern, is, you know, okay, it's in the cloud now, you know, what happens if somebody gained control of my account or something along those lines? So, I mean, to be able to say that, yeah, they would be limited in what they would be able to do, you know, they're not taking down my devices necessarily. That's definitely a concern that I think people have, but yeah, good to hear that they would be limited in that scope. Well, thank you.

Absolutely, thanks. Good question. Yep. The applications that are going to be in the ribbon at first launch at the end of this month: Casebook. So if you're familiar with Threat Response, you're familiar with the Casebook application that's available via the Casebook widget in the Threat Response landing page and the other Threat Response-capable Cisco products. It's also available as a browser plugin. That is going to be a ribbon-hosted application. The Incident Manager, again,
this is from Threat Response. You may be already using it, but you'll have access to that tool and to its functionality via the ribbon from any SecureX-capable Cisco Security product. And Orbital Advanced Search. This is an interesting example, because it gives you a function of another product hosted in the ribbon, so this is not a SecureX-hosted capability. Orbital Advanced Search is something that comes with one of the AMP for Endpoints licensing tiers. If you have that, you'll have it in the ribbon; you'll be able to kick off these detailed endpoint searches, you know, "show me all the file hashes of all the processes that currently have network connections open on all 10,001 endpoints," or have a look. You'll be able to do that kind of thing through AMP, but you'll also be able to do it from Threat Response or from Stealthwatch or anything else that has the ribbon. So that's what ribbon-hosted app really means. It means that this is something you can access from anywhere in the Cisco Security space; this is something that you can access from any SecureX-capable tool. Now, I'm not going to read through all of this, but this is the map of integrations that will exist at launch time later this month and the features that are supported by each of these members of the Cisco Security portfolio.

Could... then, going back to these apps and everything and accessing them, would you be able to set, like, maybe, like, this account is under this job title, this level, so I want them to be able to see some things but not do some things? You know, like quite granular control like that? Like, is it kind of like I could create different roles, maybe? That's the wording there, a little bit of role-based access control.

I'm going to be honest, it's fairly minimal. We have users, and then we have admins, and within each different integrated product, each product allows you to set certain things that, you know, that user level can and cannot do. But there isn't a central SecureX
repository of what those permissions should be, because we leave that up to the integrated products themselves.

Yeah, you mentioned user and admin. I would kind of envision it along the lines of, you have certain people, you know, from other teams within the enterprise that could go in and run a report and see what's going on, maybe start an investigation if they wanted to, and then kind of that second level, okay, we ran through the investigation and now, you know, like you mentioned, you want to block an IP or something along those lines. That might be your admin level, you know, to actually take the action at the end there.

That would be handled by the product that's taking any action; that would not be handled by SecureX.

Correct. And most... regarding, like, SecureX, I'm thinking, like, somewhat similar to what you said, Kevin, is the different departments or different teams. I'm also curious, like, if I had, I don't know, somebody that just wants to look at the pretty things, you know, the reports and that. I mean, some things, yes, I would want, you know, to just print it out or email it out to whoever, give it to them however they need it. But I'm also thinking, like, components-wise, would I be able to put... I guess they would just be a user then, in that sense, if they needed to see it?

Not exactly. The main difference between users and admins in the SecureX portion is simply the ability to change configurations. So an admin can, you know, set up a new module or delete a module or edit a module. A regular user can't do that. And so if you have people that, you know, shouldn't be able to disable some of your information sources or disable some of those response capabilities, and you make them a user instead of an admin, they can't edit modules. And in orchestration there's a little bit more granularity. You can have the ability to run workflows, you can have the ability to create workflows, you can have the ability to add adapters and change configurations and all of that. There's
three different levels, I believe, within orchestration itself. Again, it's an integrated capability, and each one is managed separately. So let's talk about those integrations and about how they work. So you have the SecureX platform. Within SecureX you've got all the features that I listed off previously, but the main two that allow for integrations are Threat Response and orchestration. So Threat Response integrations are available via modules, and we can add to the number of integrations via something called a relay module or via the API. On the orchestration side of the house, you can create custom workflows, it can integrate with various things, and it also has an API. And so you've got all these different sources from outside that you may want to integrate with one or the other or both of these things. You've got providers of global data, you've got providers of control capabilities, and you've got providers of local data, and all of those can talk to Threat Response over the modules or over the API. The difference is largely whether you want Threat Response to use this thing or you want this thing to use Threat Response. And then on the orchestration side, again, you've got the ability to aim existing adapters at different kinds of technologies that will provide you with intelligence or local data or control capabilities, and of course something can talk to each of those things. But that's two integration paths. Part of the magic of SecureX is API aggregation, because everything that we're talking to also has an API. That's how all this works. And so SecureX, both Threat Response and orchestration, uses the APIs of these integrated products to retrieve information or to tell them to go do something. If we have a workflow and it's talking to products A, B, C and D, and it tells each one of those to do a different thing, it's talking to the APIs of A and B and C and D, and we're using all these APIs so that you guys don't have to. That's the best part. You don't have to learn 75
different APIs. You can just use Threat Response, or, sorry, you can use SecureX, you know, and maybe you want to use the SecureX API, so that's one you can learn, but you can leverage all of these other APIs via that API, because of something like API relay. So we're aggregating all these APIs into one source, and then SecureX itself has an API, and in fact the UI that you're going to see in a minute is a client of that API. And you can use that, but wait, why don't you just skip the UI and use the API? You can also do that, okay. And in fact, because we've got these two halves of the solution, we've got Threat Response and we've got orchestration, and each of them is talking to their integrated devices via slightly different mechanisms. So here's a diagram showing the Threat Response half and the orchestration half; they're talking to different things, okay. On the orchestration side we've got a SIEM, in fact, maybe some kind of ticket management system like a ServiceNow or something, various other cloud services, and they talk to each other so we can leverage each other. Okay, so within Threat Response you can kick off your workflow: you get the pivot menu to drop down, you can kick off a workflow that does a thing, like maybe submit a URL to Threat Grid for investigation or open a ticket or something. And then orchestration can also take Threat Response actions. We can have an orchestration workflow that starts an investigation, that checks to see if there are any local targets, that makes a decision based off of whether or not that exists, and that relies on the SecureX API, which of course all SecureX users get access to. So how can we add, you know, integrations into either part of this? Well, Threat Response has got modules, and we're about to introduce the concept of relay modules. Now, a relay module looks like the little diagram there, and it translates from a third-party data model and a third-party API to the Cisco Threat Intelligence Model and the SecureX APIs. So the relay servers live out there
somewhere. Right now the code that we've got available runs through an AWS serverless architecture, but it could literally be a Linux box in your DMZ. It's a relay server, and its job is to listen for requests from SecureX and then reach out to this other thing, this arbitrary third-party thing number N, and say, okay, SecureX has asked me to do this thing in SecureX language, I'm gonna translate that to arbitrary-third-party-thing language, I'm going to make the appropriate API endpoint requests, bring this data back, translate it into the Cisco Threat Intelligence Model data format, and return it back to SecureX as the answer to the question it just asked. Currently implemented in a Lambda serverless architecture. You can write your own; there's a template already up on GitHub. We're still working on the documentation for that a little bit, but that's the list of third-party services that are supported by these relay modules. So if you're already used to Threat Response, you already have many modules set up, and you've always said, you know, I wish I could query Have I Been Pwned for any email address in my organization from a seat in that relations graph. Well, I can deploy one of these things and you can do that. You can look up Farsight, you can look up Microsoft Graph Security, Google Safe Browsing, Shodan, all these different sources of information can now just be modules that live in your Threat Response configuration alongside all of your other threat intelligence sources. So what about orchestration? Can we do arbitrary third-party integrations? Not really, because in SecureX the ability to create custom adapters is disabled, even though it exists in Action Orchestrator, which is the technology upon which SecureX orchestration is based. And the reason for that is that if you're hosting your own Action Orchestrator installation, you can do that, but we're hosting this one, and so it's a bit of a risk to allow people to write their own adapters that haven't been
running in our environment, right? So can you connect to arbitrary third-party services? Maybe, because we allow you to do various things like create an HTTP API target. You can have a workflow that talks to it and makes arbitrary web requests, and so if the service to which you want to connect has a RESTful HTTP API, yes, you can totally do that. You can set up your account keys to access this thing if needed. You can write Python scripts, like I was mentioning earlier, if you need to translate that data or do anything to craft a very custom request. You can then use that adapter you just created on the target as you configured it, and you can fetch the data from it and process it with the script you wrote in step three. That's an example of an order of operations here, but yes, the short answer is you can connect to additional web services even if there isn't an adapter specifically for it already in orchestration. This is the list of adapters that will be available at launch. Now, they're color coded because the colors mean slightly different things: green means it is absolutely going to be there, red means that it's going to require this relay module. I see happy faces in the crowd. I love that, that's great. You get a wide variety of different things you can do with different technologies out of the box. You didn't have to write anything, you don't have to contact your vendor and say, hey, you know, write us an Action Orchestrator thing so I can use your stuff. This is all supported out of the box. So what are the main takeaways of the integration section of the main features? Well, the features themselves are the main takeaways, the things I want you to remember: Threat Response, with the heart emoji because everybody already knows and loves Threat Response; orchestration, the ability to coordinate multiple services together and the ability to have them take actions in an automated fashion; the dashboards, okay, the ability to get quick at-a-glance updates on what's going on in my environment right now; the
ribbon, which is kind of like Casebook but even better and more so, the toolkit that follows you from Cisco Security product to Cisco Security product, all the way through the entire Cisco Security portfolio, is having the most important threat intelligence and response functions available for the entirety of the portfolio, no matter which individual elements within that portfolio you're currently using; the single sign-on, SecureX single sign-on, that's less hassle for you guys, really, that's what that's all about, the ability to have a single set of credentials instead of trying to keep, for every Cisco Security product you've got, at least one, maybe two more keys you have to remember. No, that's garbage, we're not doing it anymore. Single sign-on, coming out with SecureX. And then the massive third-party support capabilities.

This is, sorry, this is SecureX. So this is that first page that I was talking about; this is the dashboard. You've got your applications on the left here. I can launch Threat Response from here. I can launch into SSE, which is a cloud intermediary service provided by Cisco to help bridge that gap between Threat Response and your on-prem devices. We've got the list of all of my existing integrations, and then down here we've got additional available integrations. I can learn more about them, I can click here to get a free trial, and so on. In the middle we've got these dashboards, and you can see that I've got several. I've got one for my endpoints, and for this one I've selected, you know, endpoint-relevant things. Here's some statistics, here's some additional AMP statistics, I've got several AMP tiles here. Each one of these tiles is provided by the product at the other end. So AMP gave me a menu and said you can have any of these tiles, and I selected these four. Here's my Email Security Appliance tile, here's my Web Security Appliance tile, my Threat Grid scores tile is apparently not working at the moment, um, and here's some information from Umbrella. Now, for each of these I can
select a time period, so last 30 days, and it gets me that information. I can also hit this button and then actually get the API requests that it's making to give me the content of this tile. So if you want to build your own dashboard for whatever reason, just click all these API buttons, copy the code. We're very API-friendly in this entire endeavor. That's my endpoints dashboard. Here's my perimeter dashboard; I've got some different statistics that I selected, you know, some Firepower stuff, it's more about the perimeter. And then an operations dashboard, this is just, you know, okay, it's just showing me, like, some usage statistics: how many emails has my Email Security Appliance seen, how many AMP for Endpoints agents are out of compliance for whatever reason, that kind of stuff. Now let's make another dashboard, TFD, and I'm going to select some things: AMP global intelligence, yeah, let me know about the incidents that I have going on, AMP detected compromises, that sounds good. You can tell I'm just completely making this up on the fly, okay. And I'm saved; there's a new dashboard. It's that easy. I can drag stuff around, I can put all of this, you know, where I want it, I could resize things. I'm not gonna bore you with UI details, but it's very customizable, is the point. And that's dashboards and that's how you configure them. And I can select for the entirety of the dashboard, let's go back 90 days; some of my modules don't even do that, but I can select, you know, for all of them, I can select a period of time here, a range. And then on the right we have the newsfeed, okay, that's giving me information from US-CERT, from Cisco, stuff from Talos intelligence. Now, version one of the newsfeed is going to be kind of static, like what you're seeing right here, but eventually the idea is that new incidents will pop up here, new alerts from your various products will pop up here, there's going to be a notification mechanism, and this will always show what are the most recent things in
that queue of notifications, and each one will give you options to click on things and take various actions. There's a new incident, okay, you click on it, it serves you that in the Incident Manager, and so on. So let's look at Threat Response for just a minute, and we're going to look at SecureX Threat Response by not going to SecureX Threat Response, all right? We could just click Launch here and you'll see this brings up the Threat Response interface that I know some of you are already familiar with, and we're going to have already been logged in. And here's a Talos blog. Now, why am I at a Talos blog? Because it's a common thing we do in the SOC: we look at these sources of information, we try to find out, have I been affected by whatever this thing is about, okay? So this is an article from Talos about the Loda RAT. This could be an alert from a vendor, it could be, you know, an alert from some other ISAC or information sharing group to which I belong, and what I'm doing is I'm going through this and I'm looking for, like, all these file names, sorry, all these domains. I want to take this out, I'm gonna check my DNS solution, or I'm gonna check every technology I have access to: has anything in my environment ever made a request for this URL or even tried to do a resolution on that domain? And I take one, I paste it into my seventy-five different tools, and, you know, a day later I'm annoyed and maybe I've collected some information together in a spreadsheet or something. Now, what I used to do in the demo when we first rolled out the first version of Threat Response was I would do a Ctrl-A, Ctrl-C, and I'd go over here to Threat Response and I would just paste it, you know, Ctrl-V, and then investigate. It was our war on copy and paste. Here's my demo, and I'm gonna start by copying and pasting this entire article. But now we have the Casebook widget living in the browser. I can hit a button and it's going to read this article for me and pull out all of the observables and
show them to me in this menu with weightings on them, green, orange, red, and this pivot menu gives me the actions I can take. I'm not even in SecureX, but I can add this file to a block list. I'm still on the web page in my browser where I first found out about this information, and I can add a domain to an Umbrella block list in three clicks, and now anything in my environment that's behind my Umbrella DNS security services is not going to be able to resolve that domain. I don't need to do that for this example, it's already a known malicious domain, but I'm just showing you the speed and the power of SecureX Threat Response. I'm going to pivot now into an investigation. We're going to investigate all twenty of these things. This is 20 things I didn't have to go off to 75 different technologies to look up. This is all just going, you see it in the background right now. For every one of these observables it's doing an enrichment, which means it's asking all of my configured modules: what do you know about this thing? What do you know about this IP address? What do you know about this file? Have you seen this domain? Have you seen anyone talking to this URL? And it brings all this information back. This is that relations graph that I was talking about, where you see immediately I've got some targets; these purple things are my assets that have been seen interacting with something in this investigation. I can see these seven file hashes haven't been seen, that's good. That one hasn't been seen, that's great. This clean domain, I didn't have to investigate this because it was clean in the drop-down, but I forgot to click the button. But this is probably okay, I'm not worried about that one. But I see here some of the things in this blog I have had some interactions with, you know, I should look into why am I talking to this IP address. Okay, well, I can add it to my investigation and then we'll see that we've got more things, 21 now, and it's looking up, have any of my Firepower devices
ever seen this IP address? We see that AMP is aware that one of my endpoints has spoken to this IP address, and so on. I'm not going to go through the entirety of the demo, you know, I could add even a few more things to the investigation. If I do, I eventually find out that one of them was emailed into my environment, I find out who received the email, and I can, from right here, shut down an AMP for Endpoints device, so the host that the person received the email on and executed the attachment, I can just drop that off the network using the capabilities of AMP without ever having to have even gone to AMP. And that is really the power part of SecureX and Threat Response, the ability to tie all of these things together. In SecureX we've also got orchestration, and so if I hit the orchestration button I'm going to get presented with the orchestration workflow screen. It shows me all of the orchestration workflows to which I have access. We see that I've got fifty-seven right now. I wrote a couple of these, my team members wrote a couple of these, a lot of these are going to be the defaults that are available. But when I first used to do the demo off the Talos blog, it was my war on copy and paste, so here we're gonna copy and paste this, and people would ask, why do I have to do that? It's supposed to be your war on copy and paste; you shouldn't have to do that. So we rolled out the browser plugin, which allows you to, you know, interact with the items that are in the browser and Threat Response at the same time without having to do that copy and paste. And then the question became, well, why should I have to do that? Why should I have to go to the Talos blog and look at the thing and do the investigation in only a couple of clicks? Why should I even have to do that? So here's one of my favorite examples of a workflow. So I'm just going to search for Talos in the name of a workflow: "Talos single blog post - Threat Response Casebook". So this is a workflow that will be available at launch, and it reads the Talos blog
and it grabs all of the observables and it does the investigation, and then it makes some decisions based on whether or not there are local targets and what the reputations are and all that. So it fetches the blog post, it does some JSON escaping on the contents, and generates an access token to get to Threat Response; that's just part of Threat Response authentication. And then it checks to see if there were any observables in the blog post, and if not, it exits out, and if there were, it converts those observables to a table, creates a table to put the deliberation results in, okay. So there's data structures, there's some control flow, like, there's some basic programming concepts that knowledge thereof will be helpful, but you don't have to know how to actually code. So we go into the table, we get the count of records in the table. If there's more than 0 that were suspicious... if there were zero that were suspicious, then we actually... if there's more, we keep going. For every observable we check in Threat Response to see if there were any local targets, if there were any sightings. If it's from a non-SecureX device we skip it, because this is a weird demo version of the workflow, but again, here's an example of an if: you know, do we care about this module? If not, because we're doing a demo, then we just skip it. If there are, then we can continue. If there's no sightings at all from this module, then we continue. So now we've got sightings from a module that we care about, we convert those sightings to usable text in a Python script, and if I click this item in the workflow, on the right-hand side I get the details about this step, and in the details I can see, here's the actual Python script that we wrote that we're executing in this cloud environment, and so on. So for every item, for every step in the workflow, you get these details on the right, which is, this is part of my response to your question you had earlier, like, how complex does this need to be? Or, it depends on
what you want to do. How granular of control do you have? I mean, you could copy this workflow, you could go in here and edit the Python and have it do something entirely else if you want. Um, you know, there's names you can change, like this is called "yes" because this is, like, the "yes" branch of the previous conditional. You can rename these things, you can aim them at different web URLs, you can write your own Python scripts, you can edit the existing Python script. The last thing this does is, if there are suspicious observables and there were sightings of those observables from a module that we trust, it creates a casebook and posts to Webex Teams, and we can even do things like create a ServiceNow ticket, you know, if we wanted to, we can, like, spin up a new environment in AWS to do something, like there's all kinds of options we can do. But this is how easy it is to follow along with the workflow and understand what it does.

Some final thoughts. The whole point of SecureX is to allow the multiple capabilities of your multiple security products to stop being a blocker and to actually help you secure... they're already doing that, so possibly that's been said, but the time it takes to swivel between them, the time it takes to collect all their intelligence together and be able to use it in an effective manner, in a reasonable, actionable way, that's currently a blocker in most environments, and so we want that breadth of capability to really become an enabler. We want your security experience as a security operator to be simplified, to allow you to get more done with the budget your organization has, with the hours of the day that you've got, multiplied with your team. Get it done with the resources you already have. I keep saying the stuff we've already got, but that's an important part of it, because this experience is built into just being a Cisco customer. It's not, you know, I'm trying to sell you something. Customer
feedback based on experiences with Threat Response, because remember, Threat Response is where this idea and the strategy, this architecture, came from. Feedback has been outstanding, which is why we bothered to go ahead and do this, but, like, you know, high ninety percent of all of our users have reported that this has really helped them get more done without them having to hire new people or buy additional gear. I'm seeing numbers of up to eighty percent efficiency increases for our customers that have really operationalized Threat Response, that are in there on a daily basis. And of course, the more capabilities you've got, the higher the security becomes, because you're able to add that to the set of responses you can take within Threat Response, you're able to add that to the set of automated actions you can take in orchestration, and so on. So I do encourage you, please do get started with SecureX when it launches in June. If you're a Threat Response user, use your existing Threat Response credentials to get in there. So go play around, I promise you won't break it, and find out what it's really capable of. We've got some additional resources available for you at cisco.com/go/securex, cs.co/securex-videos, the SecureX sessions from Cisco Live this week at that link there, cs.co/us2020-securex; capitalization counts in our little URL shorteners, look at the caps, sorry. And then DevNet Day is today, and after I leave here there is a SecureX section as part of DevNet Day. The recording for that will be made available sometime after I'm done doing it, so later this afternoon perhaps or tomorrow. Once again, I'm Ben Greenbaum. I am also Second Sight on the tweeters, although I'm not super active, but if you want to follow me I'll occasionally post some sarcasm about things that happen in the security industry, or announcements about SecureX and other cool, interesting things Cisco is doing.
Info
Channel: Cisco
Views: 7,534
Keywords: CiscoLive, SecureX, Security, tech field day, TFD, tfdx, clus
Id: j1iDGNV3YAw
Length: 58min 58sec (3538 seconds)
Published: Mon Jun 29 2020