Proteja seus clientes - Gerenciamento dos Serviços de Segurança

1© 2015 Cisco and/or its affiliates. All rights reserved.
Security Strategy
Managed Security Services
Ghassan Dreibi
Manager, Business Development

The Digital Opportunity
Hackers
2© 2015 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation ID
Business Employees Consumers

3© 2015 Cisco and/or its affiliates. All rights reserved. 3© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Welcome to the Hackers’ Economy
Source: CNBC
Global
Cybercrime
Market:
$450B-$1T
(U.S.)
How Industrial Hackers Monetize the Opportunity
Social
Security
$1 Medical
Record
>$50
DDoS
as a Service
~$7/hour
DDoS
Credit
Card Data
$0.25−$60
Bank Account Info
>$1000
depending on account
type and balance
$
Exploits
$100k-$300K
Facebook Account
$1 for an account
with 15 friends
Spam
$50/500K emails
Malware
Development
$2500
(commercial malware)
Mobile Malware
$150

Security Solutions for Service Providers
Corporate IT Managed Cloud
Services
Managed CPE
Services
Production
Network
Managed, Advisory & Implementation Services
Protect Your CustomersProtect Yourself
Threat Centric Security to Protect & Grow Your Business

Security Solutions for Service Providers
Corporate IT
•  Network Security
(NGFW, NGIPS, NaaS, NaaE)
•  Advanced Threat Protection
•  Email / Web Security
•  Secure Access & Mobility
Production
Network
•  SP Data Center
•  SP Cloud
•  SP Mobile Edge
•  SP Infrastructure Edge
Managed CPE
Services
•  Physical
•  Virtual
•  Hybrid
Managed Cloud
Services
•  Cloud Web Security (CWS)
•  Cloud Email Security (CES)
•  Hosted Identity Services
•  Cloud Access Security
Protect Your CustomersProtect Yourself
Managed, Advisory & Implementation Services
Threat Centric Security to Protect & Grow Your Business

6© 2015 Cisco and/or its affiliates. All rights reserved. 6© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Common Concepts

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
The Life Cycle of an Attack
•  Attack planning
•  The intruder is trying to
obtain access
•  The intruder bypassed
the controls
•  A vulnerability is being
exploited
•  A malware arrived as
part of an email or web
access
•  Credentials were stoled
•  The intruder is inside the
network
Discover
Enforce
Harden
Detect
Block
Defend
Scope
Contain
Remediate

The Life Cycle of an Attack
Discover
Enforce
Harden
Detect
Block
Defend
Scope
Contain
Remediate
Attack Continuum
BEFORE
Discover
Enforce
Harden
AFTER
Scope
Contain
Remediate
Detect
Block
Defend
DURING

The Threat-Centric Security Model
BEFORE
Discover
Enforce
Harden
AFTER
Scope
Contain
Remediate
Attack Continuum
Detect
Block
Defend
DURING
Network Endpoint Mobile Virtual Cloud
Point in Time Continuous

Unified Solutions Across Deployments
Feature Consistency | Open APIs | Flexible Licensing
Physical Virtual Cloud

Solution Overview

ASA with FirePOWER Services
Industry’s First Threat-Focused
NGFW
#1 Cisco Security announcement of the year!
•  Integrating defense layers helps organizations
get the best visibility
•  Enable dynamic controls
to automatically adapt
•  Protect against advanced threats
across the entire attack continuum
Proven Cisco ASA firewalling
Industry leading NGIPS and AMP
Cisco ASA with FirePOWER Services

Collective Security
Intelligence (CSI)
Contextual Device, Network and End-Point Visibility
Classic Stateful Firewall
Gen1 IPS
Application Visibility
Web—URL Controls
AV and Basic Protections
NGIPS
Vulnerability
Management
*Client Anti-
Malware (AMP)
Correlated SIEM
Eventing
Incident Control
System
Network Anti-
Malware Controls
(AMP)
Behavioral
Indications of
Compromise
User Identity
NGFW
Open APP-ID SNORT Open IPS
Network/Host Trajectory Retrospective Analysis
ThreatGrid Auto-Remediation
*Agent
Adaptive Security
Sandboxing
Retrospective DetectionMalware File Trajectory
Threat Hunting
Forensics and Log Management
URL ReputationIP Reputation
How Cisco Appears Competitively
BEFORE DURING AFTER Cisco Only
Cisco AND
Competitors

VIRTUAL PHYSICAL
ASA 5585-X
16 Way Clustering with
State Synchronization
Scalable to 640Gbps
ASAv
•  Full ASA Feature Set
•  Hypervisor Independent
•  Virtual Switch Agnostic
•  Dynamic Scalability
ACI SECURITY SOLUTION STARTS WITH CISCO ASA
ASA
ASAv on VMWare – Available Today – Ask your SE

Cisco Identity Services Engine (ISE) 1.3
Delivering the Visibility, Context and Control for Secure Network Access
NETWORK / USER
CONTEXT
How
WhatWho
WhereWhen
PARTNER CONTEXT
DATA
CONSISTENT SECURE ACCESS POLICY
ACROSS WIRED, WIRELESS and VPN

Email and web are the top threat vectors
Data Loss
Acceptable Use
Violations
Malware Infections
IPv6 Spam
Blended Threats
Targeted Attacks
APTs
Advanced Malware
Rootkits
Worms
Trojan Horse
93%
of customer networks
access websites that
host malware*
*Cisco 2014 Midyear Security Report

File Sandboxing
Behavioral analysis
of unknown files
File Retrospection
Retrospective
alerting after an
attack
Advanced Malware Protection
File Reputation
Preventative blocking
of suspicious files

Offerings

Flexible Deployment Options
Industry-leading, Best of Breed Email Protection at the Gateway
Deployment
Options
VirtualAppliance
Multi-device
Support
Desktop TabletLaptopMobile
Cloud ManagedHybridHybrid
On-Premises Cloud

Cisco Security as a Service Solutions
Service Provider
Virtual Private Cloud
Hosted Security
Solution
SP-Hosted Firewall, VPN
Email, and Web Services
Turnkey
Public Cloud
Cisco Managed
Security Cloud
Cisco or SP-Hosted,
Cisco-Run Web
Security Services

Cisco Offers Two Security as a Service Solutions
Attribute Cisco Hosted Security Solution (HSS) Cisco Managed Security Cloud (CMSC)
Services Phase 1: Web, Email - Phase 1.1: Firewall, VPN Cloud Web Security (formerly Scansafe)
Delivery Model Virtual Private Cloud – SP Hosted Public Cloud – Cisco or SP hosted
Pricing Model SP price per user and per usage Price per user
SP CapEx Costs §  Web, Email, Firewall, VPN software licenses
§  Cloud infrastructure (VMware, UCS, storage,
Network Infrastructure)
None
SP OpEx Costs §  Bandwidth
§  OSS / BSS
§  Operations (People)
§  Minimum commitment of users
§  Hosting, including bandwidth
(in case of SP hosted)
Reporting / Log Data Owned by SP, stays at SP DC Centralized in Cisco Cloud
Orchestration / Management With third-party tools (e.g. Ubiqube) Turnkey Cisco solution
Connectivity Differences VPN link to customer site OTT internet connectivity

Evolution of Managed Security Services
Premise to Cloud
W W W
IPS
WEB
EMAIL MALWARECONTEXT
Switching AP Voice
NGFW VPN
Routing
NAT DHCP
Cloud
Switching AP Voice
Hybrid
CPE Managed
CPESP
W W W
NGFW VPN IPS WEB EMAIL MALWARECONTEXT
Switching NAT DHCP AP Voice Routing

Challenges of MSSP
Complex, rigid and slow
Legacy Service
Revenue Decline
High Cost and
Complexity
Slow Service
Creation and
Service Delivery
Cloud
Readiness

•  Physical
•  Virtual
•  Hybrid
Managed CPE Services

CPE Services for SP
•  End-to-End Single-
Sourced Provider
•  Market-Leading:
Gartner & NSS Labs
•  Highly Customizable
•  Flexible Configuration
•  Open Architecture
•  3rd Party Integration
•  Full Visibility for SOC
Analysts
Managed
CPESP
BenefitsUse Case 1
WWW
NGFW VPN IPS Web Email Malware Context
Switching NAT DHCP AP Voice Routing
Key Verticals:
Government, Financial
Services, Health Care, Utilities

CPEs Flexibility
Cisco ISR
ASA 5506
Meraki

27Cisco ASA for SMB and Distributed Enterprise Presentation | © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Extend the value of your NGFW
Start with the hardware option that fits best
All with built-in Application Visibility and Control (AVC), network firewalling, and VPN capabilities
Desktop
5506-X
Wireless
AP
5506W-X
Ruggedized
5506H-X
Rackmount
5508-X/5516-X
Add FirePOWER Services* for enhanced protection
*Available as subscriptions
Next-Generation
Intrusion Prevention
System (NGIPS)
URL FilteringAdvanced Malware
Protection (AMP)
Choose the appropriate management solution
Appliance sold
separately
FireSIGHT
Management Center
On-box manager
comes standard
Adaptive Security Device
Manager (ASDM)

“When to Sell What”
Meraki MX & ASA with FirePOWER Services & ISR Bundle
Meraki MX ASA with FirePOWER ISR
Lean IT Focus: For highly distributed
enterprises or enterprises seeking a
best in class UTM and simple
deployment
Threat-focused NGFW with advanced
threat protection capabilities in the
lowest cost form factor available
Standard FW, IPS and Web Security
with iWAN capabilities and advanced
network and communication support in
the lowest form factor available
Note: ISR4K now supports Firepower
Radically simplified deployment and
ultra low operating cost via cloud
management with robust security that is
optimized for highly distributed
environments
Unmatched visibility and control that
enables correlation and analytics to
automatically prioritize and protect
against advanced threats
Best ROI (simple, integrated, flexible),
cost reduction with improved flexibility,
secondary link, better performance
through WAN optimization and
expansibility through integrated UCS
Ideal time to position:
•  With Meraki networking
environments
•  Large multi-site deployments
(100s/1000s sites) with full UTM
requirements
•  Against traditional UTM
competitors
•  When deployment of units to a high
distributed enterprise is a issue
•  Existing/refreshing ASA or PIX
customers
•  Distributed enterprises; smaller
organizations
•  Against legacy NGFWs and
firewalls
•  Against advanced UTMs with NG
capabilities, with AMP/NGIPS
•  Large multi-site deployments
(100s/1000s sites) with iWAN
requirements
•  Stores, branches and small sites
interested on a single device for
both WAN and security
•  WAN redundancy over 3G or
ADSL connections

Feature Description Cisco ISR (without
Firepower)
ASA NGFW Meraki MX
Intelligent Path
Selection
Load Balancing
Policy-Based Path Selection
Number of Paths Supported
Rapid Failure Detection and Mitigation
Yes
Yes (L7 / app level)
Multiple (Any Transport)
Yes (Blackout & Brownout)
No
Yes
Multiple
Yes
Yes
Yes (L3-L4 / Network level –
based on loss, latency)
2 (Broadband, 4G, MPLS)
Yes
Security Virtual Private Network
Firewall
Intrusion Prevention & Detection
Content/URL Filtering
Anti-Virus
Yes
Yes
Yes (Cisco IDS)
Yes (Cloud Web Security)
No
Yes
Yes
Yes
Yes
Yes/No (AMP)
Yes
Yes
Yes (Snort)
Yes (Built-in)
Yes (Built-in)
Transport
Independence
WAN Connectivity
Cellular
IPv6
T1/E1, T3/E3, Serial, xDSL, Ethernet
Yes (Integrated/Module)
Yes
Ethernet
No
Yes
Ethernet
Yes (Dongle)
Planned (2H2015)
Application
Optimization
WAN Optimization
Content Caching
Application Visibility
Congestion Control
Yes (WAAS)
Yes (Akamai)
Yes
Yes (HQoS)
No
No
Yes
No
No
Yes (Squid-Cache)
Yes
Yes (L7 Traffic prioritization)
Unified
Communications
Voice Gateway
Session Border Controller
Call Control Agent
Yes
Yes
Yes
No
No
No
No
No
No
Routed Protocols OSPF
EIGRP
BGP
Yes
Yes
Yes
Yes
Yes
Yes
Planned (2H2015)
Planned
Planned (2H2015)
Integrated Storage
& Compute
Integrated Compute Yes (UCS E-Series) No No
Management Cloud Management
Number of Sites Managed
Plug and Play deployment
No
Thousands
No
No
300
No
Yes
Thousands
Yes

Cisco ISR UTM 1100, 2100, 3100
Complete package of WAN and Security solutions
Remote User / Hot
Spot
Mobile Device
Guest
Access Control
Benefits :
§  Centralized security basic features at local
appliances
§  Advanced security inspection at Cisco Cloud
§  Network Segmentation and Control
§  Business Continuity options – WAN HA
Perimeter Firewall
§  Security for internal and external access
§  Protocol anomaly detection and stateful inspection
Security Services Layers 2–7
§  Identify and react to new threats creating dinamic ACLs, new
firewalls policies, signatures, etc.
Network IPS
§  Global threats vision and update
§  Zero Day analysis
Web Security - ScanSafe
§  User web access control based on category and security levels –
AV, Anti-Malware
Management Solution
§  Centralized management solution
Service Modules
§  IPS network module
§  WAN Acceleration module
CWS

When to position Meraki and Cisco
Cisco Enterprise Portfolio
Cisco Cloud Managed
Prime
ISE
Catalyst 2K/3K/4K/6K
ASA - Firewall
Cisco UTM Appliances - Routing
MS Switches
MX Security Appliances
Aironet Access Points & Controllers
Dashboard
Cisco Networking Portfolio!
MR APs
Systems Manager
3rd Party MDM Integration
Unparalleled Deployment Flexibility
100% Cloud Managed

CPE Services for SP
(incl. vMS, HSS, CWS)
•  Lower OPEX Costs
•  Minimize Truck Roll
•  Simplify Service
Activation
•  Flexible service
delivery and licensing
models
•  Enable Service
Customization
•  Flexible Deployment:
SP or Cisco Managed
Cloud
CPESP
BenefitsUse Case 2
Switching AP Voice

Cisco Confidential 33© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco Hosted Security as a Service
•  Delivered from service provider’s
infrastructure
•  Orchestration SW interfaces with
native appliance configuration
mechanisms
•  All customer data lives inside the
SP Cloud environment
•  Security on virtual form factor
available today
INFRA-
STRUCTURE
Hypervisor
Cisco UCS
Storage
SERVICES
LAYER
WSAv
WSAv
ASAv
Tenant 1
ESAv
WSAv
ASAv
Tenant 2
ESAv
CSR1Kv
Tenant 3
ORCH.
LAYER
Policy Analytics Reporting
SP existing
orchestration,
reporting, billing
infrastructure
§ Provisioning
API
§ Reporting API
§ Billing API

Centralized Management and Reporting
HSS with ESAV
Per user
pricing
model
driven by
features
Inbound
Security
Outbound
Control
Virus and
Malware
Defense
Spam
Defense
DLP
Secure
Messaging
(Encryption)
HSS CVD 1.0
AMP
NOT in HSS CVD 1.0 (future release)
Email Security as a Service Using ESAV
HSS CVD 1.0 Release

HSS with WSAV
Web Security
§  Anti-malware protection
§  Web content analysis
§  Script emulation
Web Filtering
§  Web usage controls
§  Application visibility
§  Bi-directional control
Per user
pricing
model driven
by features
HSS CVD 1.0
AMP NOT in HSS CVD 1.0 (future release)
Web Security as a Service Using WSAV
HSS CVD 1.0 Release

HSS with ASAV or CSR1000v
Firewall Support
§ Stateful inspection
§ Application inspection
§ Network address translation
§ Encrypted traffic inspection
§ Protocol inspection
Per throughput
and per feature
service pricing
Smart Licensing
Advanced Firewall
§ Identity-aware policy
enforcement
§ Malware traffic detection
and blocking
§ Botnet traffic filter
§ Voice and video security
HSS CVD 2.0
Firewall as a Service Using ASAV/CSR1kV
HSS CVD 2.0 Release

CPE Services for SP
•  Lower OPEX Costs
•  Simplify Service
Delivery
•  Flexible Service
Delivery Models
•  Highly Customizable
•  Flexible Physical &
Virtual Form-Factors
•  Flexible Deployment:
SP or Cisco Managed
Hybrid
CPESP
BenefitsUse Case 3
WWW
IPS
WEB
EMAIL MALWARE CONTEXT
Switching AP Voice
NGFW VPN
Routing
NAT DHCP

•  Cloud Web Security (CWS)
•  Cloud Email Security (CES)
•  Hosted Identity Services
•  Cloud Access Security
Managed Cloud Services

Web
Filtering WebpageWeb
Reputation
Application
Visibility and
Control
Anti-
Malware
Outbreak
Intelligence
File
Reputation
Cognitive
Threat
Analytics
Before
After
www.website.com
During
File
Retrospection
www
Roaming User
Reporting
Log Extraction
Management
Branch Office
www www
Allow Warn Block Partial Block
Campus Office
ASA StandaloneWSA ISR G2 AnyConnect®
AdminTraffic
Redirections
www
HQ
File
Sandboxing
Cloud Web Security

Cisco® Email Security
Before
AfterDuring
File
Retrospection
Reporting
Message Track
Management
Allow Warn
Admin
HQ
File
Sandboxing
Anti-Spam
and
Anti-Virus
Mail Flow
Policies
Data Loss
Protection
Encryption
Before
During
Inbound
Email
Outbound
Email
Cisco
Appliance VirtualCloud
Talos
Block
Partial
Block
Mail Flow
Policies
Email
Reputation
Acceptance
Controls Content
Controls
File
Reputation
Anti-Spam and
Anti-Virus
Outbreak
Filters

41© 2015 Cisco and/or its affiliates. All rights reserved. 41© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Hosted Identity Services
4
1
Complete
Integrated
Solution Benefits
Pay As
You Grow
No Capital
Expense
BYOD
24/7
Support
Secure and
Scalable
Quick Time
to
Deployment

Shadow IT Risk
Assessment Report
Business
Readiness Rating™
Audit Score
Shadow Data
Risk Assessment
After
StreamIQ™
ThreatScore™
ContentIQ™
Reports &
Analysis
Cloud Apps ? ?
??
?? ?
IO IOI
IO IOI
Protect
IO IOI
IO IOI
Cloud SOC
Policy IO IOI
IO IOI
?
5417
IO IOI
IO IOI
?
?
IO IOI
Audit
Detect
?
Investigate
WSA
BeforeDuring
Elastica CloudSOC™
Other
Appliances
ASA
Data Account User
Security
Operations
Center
Analyze &
Control
Securlet™
Gateway
Cloud Access Security

Business Case Review – LATAM Customers

§  Virtualize services
§  Extend DC to Stores
§  Prepare for Internet
of Everything
Application
Consolidation and
Virtualization
§  Avoid backhaul and
offload corporate WAN
§  Direct Internet access
without compromising
security
§  High reliability for
dynamic apps
SaaS Application
Experience
§  More content without
exploding WAN costs
§  More efficient use of
current bandwidth
§  Instant access to HD
video over tablets
§  Guest WiFI
Content Explosion
§  Increase revenue
§  Longer dwell time
§  Immersive Marketing
§  Employee training
§  Virtual Stores
Retail of the Future
Looking for Business Outcomes
Retail
Retail of the Future
Market Trends

Business Continuity – Primary requirement for
Retail
Primary
Link
Credit Card
Acquire Company
Backup
Link
Issue / Problem
Without connectivity during
"Hot Dates”
Initial Solution
Backup link solution based on
UTM* or 3G Modem
Due PCI Compliance
Results
Cisco Confidential
Lack of management
No SLA control
?
Retail

Business Continuity – Primary requirement for
Retail
Primary
Link
Internet
Application Visibility &
Control (AVC)
Understand the applications
and knows how to prioritize
Performance Routing
(PfR)
Dynamically pick the best path
for high priority traffic
Advanced Security
(DMVPN, CWS)
Cisco Confidential
Reshape traffic patterns to
cloud from the branch with
dynamic security
Retail
3s

© 2013 Cisco and/or its affiliates. All rights reserved. 47
Transport
Independent
Intelligent
Path Control
Secure Connectivity Application
Optimization
Internet
Retail
WAAS PfR
3G/4G-LTE
Provider Flexibility
Lower Cost
Dynamic Path Selection
High Quality Experience
Direct, Scalable Security
Protect Resources (FW/VPN/
IPS/Web and Email Security)
App Acceleration
Minimize Downtime
AVC
MPLS Data Center
Cisco UTM Solution – Based on Cisco IWAN Solution

Network
Services
Simplify
Application
Delivery
One Network
UNIFIED
SERVICES
Routing Redefined
Routing
Switching
WLAN
Cisco UTM
Application
Services
Optimization
Collaboration
Server
Hosting
Security
Optimization Vendor
Security Appliance Vendor
Collaboration Vendor
1
2
3
4
5 Router Vendor
Server Vendor
Cisco Intelligent Solution – UTMCompetitive Solution – Multiple Vendors
Cisco UTM Business Advantage

Cloud
Connected
Network
Mobile Router Firewall
The
Distributed
Perimeter
The Security Perimeter in the Cloud
Collective
Security
Intelligence Telemetry Data Threat Research Advanced Analytics
3M+
Cloud Web
Security Users
6GB
Web Traffic Examined,
Protected
Every Hour
75M
Unique Hits
Every Hour
10M
Blocks Enforced Every
Hour

© 2013 Cisco and/or its affiliates. All rights reserved. 50
Add Secure Identity and BYOD
DMVPN
Data Center
Branch
•  DMVPN Inline Tagging—ISR G2 (IOS 15.2(2)T), ASR1k (XE 3.11*)
•  SG Firewall for Egress Enforcement
•  SGT Capability exchange during DMVPN IKEv2 negotiations
•  Learn SGT from SXP or Auth-methods
•  Simple one command configuration – DMVPN “crypto ikev2 cts sgt”
*ASR1k IOS (XE3.11) will be available in Fall 2013.
ISR-G2
Catalyst
Switch
AP
Branch NetworkSales
Finance
Admin
Catalyst
Switch
Catalyst Switch
HR
SGT
SGT
ASR-1K
SGT SGT
Nexus 7000
ISE
Profiler
Posture
Guest Server
SGT
Nexus
5000/2000
Catalyst 6500
Egress Enforcement
WAN: ISR G2/ASR1k, SG Firewall
Campus Aggregation: Cat6K/Sup2—SGACL
Data Center Enforcement: Nexus 7000—SGT/
SGACL

Proteja seus clientes - Gerenciamento dos Serviços de Segurança

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Proteja seus clientes - Gerenciamento dos Serviços de Segurança

Similaire à Proteja seus clientes - Gerenciamento dos Serviços de Segurança (20)

Plus de Cisco do Brasil

Plus de Cisco do Brasil (20)

Dernier

Dernier (20)

Proteja seus clientes - Gerenciamento dos Serviços de Segurança