Category Archives: CDO

It’s Time for Security to Work as a Team

Four million. According to the latest study, that’s the approximate number of cybersecurity jobs around the world that still need to be filled by skilled professionals. With the current cybersecurity workforce measured at 2.8 million, it would need to grow by 145 percent for us to catch up. The same study done last year indicated a shortage of nearly 3 million professionals – meaning the number has already grown by more than one million people in a year. This poses so many questions. Chief among them: Is it real?

To put this into further perspective, the entire population of the City of Los Angeles is roughly 4 million. Therefore, in order to fill our current skills gap, every single person who lives in L.A. would need to work in the cybersecurity industry (plus a few more). Four million is also greater than the entire population of many countries – including Iceland, Qatar, Jamaica, and Mongolia, just to name a few. So, yeah, it’s a large number.

Have we created too many tools that all need managing, generating more alerts than can be attended to? Is it even possible to find, train, hire, and retain such a massive number of new security professionals?

Many have suggested widening the candidate pool and providing more training to alleviate this colossal problem. While these are of course logical solutions that we should definitely be pursuing, they will never increase our workforce by 145 percent. It’s just not feasible.

So should we just give up and let the bad actors win? Absolutely not. What we need to do is focus on a new solution. Yes, people are an essential piece of the puzzle, but we also have technology and processes to augment our talent.

The Business of Complexity

Historically, the security industry has innovated like crazy to keep up with attackers (and will continue to do so). We see a problem, and we build a box.

For example, malware starting to run amok through your environment? Time to buy some anti-malware technology. Your employees getting duped by phishing attacks? Better look into anti-phishing measures! Expanding into the cloud? What’s the best cloud security solution on the market? And so on…

While innovation is necessary and wonderful, it has created unmanageable complexity for many organizations. For each new product we create, we require more people to manage it. Therefore, instead of proactively protecting your environment, you’re frantically toggling between countless security applications all day just to triage the biggest issues. Or you’re spending all your time trying to integrate disparate solutions on your own.

VC funding in the cybersecurity space totaled $5.3 billion in 2018, up 20 percent from $4.4 billion in 2017. More venture capital means more companies, means more tools, and potentially more job openings. This does not seem like it’s moving in the right direction.

According to Cisco’s 2019 CISO Benchmark Study, 79 percent of respondents find it challenging to orchestrate security alerts from multiple vendors’ products. And almost a third of respondents said they were suffering from “cyber fatigue” – meaning they have all but given up on trying to stay ahead of malicious threats and bad actors. Yikes! So, what can we do about this challenge without adding millions of people to our workforce?

A Platform Approach to Security

At Cisco, we’re continuing to innovate our respective security technologies to keep pace with attackers. And at the same time, we’re placing greater emphasis on making these technologies more effective and easier to work with. We’re calling it our platform approach to security – because a platform supported by a dozen pillars is stronger than just the pillars themselves.

Through this platform approach, we are leveraging integration, automation, and machine learning so that our technologies are working for you – not the other way around. The technologies you purchase to secure your environment should be making things easier for you, not harder.

Yes, we offer a lot of security products, because let’s face it, there are many different types of threats out there and infinite ways for them to get in. But let’s not lose sight of the forest for the trees. At the end of the day, the goal is a seamless, holistic security platform that allows a threat to be detected in one area of the enterprise and be blocked everywhere else – from the data center, network, and cloud, to email, the web, endpoints, and everywhere in between. We want to build a system whose components talk to one another and work together as a team to thwart attackers.

The Proof Is in the Platform

We have been ramping up towards this platform with some of our previous security portfolio synergies. For example, where the Cisco AnyConnect VPN leaves off, Cisco Umbrella kicks in – protecting users whether they are on or off the network. Additionally, Cisco AMP for Endpoints stretches across the portfolio to automatically receive actionable intelligence on worldwide threats from sources like Cisco Talos, Threat Grid, and Umbrella, and to integrate with our multi-factor authentication (MFA) solution, Duo. These are just a few of the integrations that already exist among our product set.

Now, we’re taking our platform approach towards the front end to make the integrated portfolio easier to use with Cisco Defense Orchestrator (CDO) and Cisco Threat Response (CTR). Security teams can now harmonize policies for a multitude of devices – from next-generation firewalls to Meraki – through a single cloud portal using Cisco Defense Orchestrator. We’re enabling customers to maintain consistent policies across firewalls and into the cloud, starting with support for Amazon Web Services (AWS). You can learn more here.

Additionally, organizations can now leverage coordinated incident response across the entire Cisco Security platform with Cisco Threat Response (CTR), which comes free with many of our security products. CTR leverages our integrated security architecture to make threat investigations faster, simpler, and more effective.

Cisco Threat Response

Your Experience Simplified, Your Success Accelerated, Your Future Secured

How will this new approach benefit you? At a high level, we envision this platform enabling customers to:

  • Reduce complexity with an integrated and open platform that strengthens operations, gets out of the way, and gives you back time.
  • Champion innovation with a powerful, pervasive platform that keeps you safe as your business pursues what’s ahead.
  • Future-proof your security strategy and reduce risk with a platform you can rely on, backed by unparalleled resources and expertise.

So that’s what we’ve been up to. And we’ll keep pushing, because the journey is far from over. We’re committed to creating a platform that delivers a better security experience and protects what’s now and what’s next.

In case you missed it, we recently held a virtual summit to officially launch our security platform. Catch the replay and find additional resources here.

The post It’s Time for Security to Work as a Team appeared first on Cisco Blogs.

Driving Efficiency and Productivity with Cisco Defense Orchestrator

Network security professionals today clearly understand that there is no longer just one perimeter surrounding the enterprise. Rather, security and network management now extend across multiple, overlapping perimeters, each of which usually has its own firewall and related network equipment.

For security teams and network admins, this translates into the need to oversee and coordinate policy on a potentially large number of separate devices. Cisco Defense Orchestrator is a cloud-based application that enables admins to consistently manage and harmonize policies across a variety of Cisco security products as well as cloud-native tools such as AWS Security Groups.

Users of Cisco Defense Orchestrator shared their experiences with the product on IT Central Station. Their reviews reveal a solution that is appreciated for its simplicity and efficiency. Users also noted that Cisco Defense Orchestrator makes their teams more productive, particularly when managing policies across Cisco ASA, FTD and Meraki MX devices.

The Simplicity of Cisco Defense Orchestrator

Cisco Defense Orchestrator is known for enabling streamlined security policy management across an extended network. As Jairo M., Network and Security Specialist at a small tech services company, explained, “The initial setup was really straightforward. If the person setting this up has knowledge of firewalls and switches, it’s pretty simple. It took about two hours for us to deploy.”

Todd E., CTO at a small tech services company, similarly noted, “In terms of visibility and getting everybody involved, it was simple, scalable, and saved them tons of time, which in turn saved them money. Its effect on firewall builds and daily management of firewalls is that it’s super-simple on new deployments.”

Efficiency in Centralization

IT Central Station members remarked that Cisco Defense Orchestrator has made their teams more efficient. According to Mohamed N., an I.T. Manager at a consumer goods company with over 5,000 employees, “This efficient, time-saving, centralized device manager is easy to deploy and requires minimal administrative IT resources.” Todd E. spoke to this point as well, noting, “The simplicity, efficiency, and effectiveness of it are valuable. It’s efficient, simple, and there’s the visibility on the security side. Deployment is fast. As a security person, I love the visibility and the ease of use when doing my upgrades.”

Team Productivity and Support for ASA, FTD and Meraki MX

Network managers and security teams want to manage security policies across multiple Cisco products, including ASA, FTD and Meraki MX devices. The outcome is consistent security across the network. Isiac S., Network Administrator at a manufacturing company with over 200 employees, praised Cisco Defense Orchestrator in this context. He said, “Its support for ASA, FTD, and Meraki MX helps maintain consistent security.”

Todd E. addressed the team productivity aspects of this capability. He said, “When it comes to making bulk changes across common tasks, like policy management and image upgrades, one of the biggest complaints that I had from a lot of network engineers, was that everything was GUI, that Cisco had gone to GUI. But they can do bulk changes on the CLI. That was a big win for them, being able to do that across all the ASAs without having to log into every single ASA and make changes. They can do a lot of bulk changes on the fly. It’s a huge time-saver.”

Other notable comments on this issue included:

  • “Its support for ASA, FTD, and Meraki MX devices could potentially free up staff to do other work, although I have not tried the FTD or the MX.” – Andreas F., Systems Engineer at a tech services company
  • “The biggest part of ROI is the improvement to the operations. Our clients with CDO are having fewer issues. Things are just not going down. People are more productive.” – Todd E.
  • “The solution has made our security team more productive because it allows us to have more people do the same kind of work, and they take less time doing it. It catches what could have been mistakes on our part.” – A Systems Architect at a university with over 1,000 employees
  • “The solution’s support for ASA, FTD, and Meraki MX devices helps free up staff time for other work.” – Jairo M.
  • “Defense Orchestrator has made my network team more productive, since it’s the network team which manages it.” – Richard B., Network and Data Centre Platform Manager at a manufacturing company with over 1,000 employees
  • “Now, with one simple click, we select the devices and set it to update on a given day, and save different configurations. It’s pretty simple and a great feature for us. Whenever we have found any problems in the devices and we want to create a new policy that applies to ten or 20 companies, we select the devices and we send the same commands to all those devices at once.” – Jairo M.

To read more Cisco Defense Orchestrator reviews, visit IT Central Station.


Configuring Cisco Security with Amazon VPC Ingress Routing

Today, Amazon Web Services (AWS) announced a new capability in Virtual Private Cloud (VPC) networking that is designed to make it easier and more efficient for Cisco Security customers to deploy advanced security controls in the cloud. This new capability is called Amazon VPC Ingress Routing. It allows users to specify routes for traffic flowing between a VPC and the internet or from a VPN connection, such as a private datacenter.

Amazon VPC Ingress Routing is a service that helps customers simplify the integration of network and security appliances within their network topology. With Amazon VPC Ingress Routing, customers can define routing rules at the Internet Gateway (IGW) and Virtual Private Gateway (VGW) to redirect ingress traffic to third-party appliances, before it reaches the final destination. This makes it easier for customers to deploy production-grade applications with the networking and security services they require within their Amazon VPC.

While the remainder of this post focuses on Cisco’s NGFWv and ASAv products, this capability can also be used to deploy a number of other network-based security solutions into the AWS traffic path. This includes services such as the following:

This is a big win for Cisco customers deploying our security products in AWS, and we are pleased to have been an early adopter and Integration Partner with AWS on this launch.

How to Use Amazon VPC Ingress Routing with Cisco Firewalls

The configuration is achieved by creating a custom route table and associating subnet routes with the private Elastic Network Interface (ENI) of the security appliance, and then associating the public ENI with an IGW and VGW. A single firewall instance can protect multiple subnets; however, a separate instance is needed per VPC. Below are some details on the testing we performed as well as sample use cases and configuration guidance.

Use Cases / Deployment Scenarios

Cisco NGFWv/ASAv can be deployed in a VPC to protect the following traffic flows:

  • Traffic Traversing an Internet Gateway (IGW) To/From the Internet
  • Traffic Traversing a VPN Gateway (VGW) To/From a Remote VPN Peer

Benefits of Using Amazon VPC Ingress Routing with Cisco’s NGFWv and ASAv

  • Offloads NAT from the firewall to an AWS network address translation (NAT) gateway or NAT instance
  • Simplifies protection of multi-tier applications spanning subnets and VPCs
  • Scales easily: new subnets, and more of them, can be added behind the same firewall
  • Enables bi-directional, threat-centric protection for traffic bound for private networks and the internet

POC Deployment Scenario

Enable outbound Internet connectivity and offload NAT function to AWS NAT gateway

In this scenario, the Cisco Firewall (NGFWv or ASAv) is deployed between internal services in the AWS VPC and the internet. The route table for the Internet Gateway (igw-rt) has a specific route for the Inside subnet which directs inbound traffic to the Cisco Firewall for inspection. Prior to this enhancement, users had to NAT egress traffic on the firewall so that reply packets would return to the same virtual appliance. This new configuration eliminates the need for an ENI on the firewall and removes the requirement to perform NAT on the firewall, thus improving performance.

Cisco NGFW/ASA with AWS IGW (routable attached to IGW) and AWS NGW to NAT outbound traffic

Cisco NGFW/ASA with Multiple Subnets, Three-tier Architecture Using IGW and Amazon VPC Ingress Routing

This topology expands on the previous one, demonstrating how multiple subnets can be protected by a single firewall. By utilizing the AWS NAT Gateway service, the number of protected subnets behind a single firewall can be scaled significantly beyond what was previously possible.

As with the previous architecture, the Cisco Firewall is deployed at the edge in routed mode, forwarding outbound traffic to the IGW. Multiple routes are configured in the IGW’s route table to direct the traffic back to the appropriate subnet while the protected subnets forward their traffic to the internal firewall interface via the NAT gateway.

Cisco NGFW/ASA three-tier Architecture with AWS IGW and VPC Ingress Routing

Cisco NGFW/ASA with Multiple Subnets, Three-tier Architecture Using VGW and Amazon VPC Ingress Routing

Cisco Firewalls can also be deployed in an Amazon VPC to inspect traffic flowing through a VPN tunnel. In this case, the Cisco Firewall is deployed at the edge in routed mode, forwarding outbound traffic to a VGW. In this example, the local and remote networks are routable; therefore, the NAT gateway can be eliminated, further improving efficiency and reducing cost.

Cisco NGFW/ASA three-tier Architecture with AWS IGW and VPC Ingress Routing
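The configuration described above (a custom route table associated with the IGW whose routes for the protected side point at the firewall’s ENI, while the protected subnets reach the firewall’s inside interface through the NAT gateway) is easier to reason about with a small routing model. The following Python is an added example, not code from Cisco, AWS or this post; the CIDRs, subnet names, hop names and the simplified NAT-gateway and firewall behaviour are all constructed assumptions. It performs longest-prefix-match lookups hop by hop, the way VPC route tables select a route, and shows why, without the IGW route table, the reply packet is delivered straight to the NAT gateway and never passes the firewall, which is the asymmetry that previously forced NAT onto the firewall itself.

```python
"""
Constructed routing model for Amazon VPC Ingress Routing with a firewall
appliance. Added illustration only: not Cisco's or AWS's code. All CIDRs,
names and the simplified NAT-gateway/firewall behaviour are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    cidr: str
    target: str  # "local", "igw", "nat", "fw-inside" or "fw-outside"


class RouteTable:
    """Longest-prefix-match table, the way VPC route tables select a route."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(r.cidr), r.target) for r in routes]

    def lookup(self, dst):
        matches = [(net, tgt) for net, tgt in self.routes if dst in net]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda m: m[0].prefixlen)[1]


# Assumed VPC layout: 10.0.0.0/16 split into four subnets.
SUBNETS = {
    "outside":   ipaddress.ip_network("10.0.0.0/24"),  # firewall outside ENI, routes to IGW
    "inside":    ipaddress.ip_network("10.0.1.0/24"),  # protected workloads
    "nat":       ipaddress.ip_network("10.0.2.0/24"),  # AWS NAT gateway
    "fw-inside": ipaddress.ip_network("10.0.3.0/24"),  # firewall inside ENI
}
NAT_GATEWAY_IP = "10.0.2.20"  # assumed private address of the NAT gateway


class VpcModel:
    def __init__(self, tables, nat_gateway_ip):
        self.tables = tables                        # location name -> RouteTable
        self.nat_ip = ipaddress.ip_address(nat_gateway_ip)
        self.sessions = {}                          # internet peer -> inside host (SNAT state)

    @staticmethod
    def subnet_of(ip):
        return next(name for name, net in SUBNETS.items() if ip in net)

    def trace(self, location, src, dst):
        """Follow a packet hop by hop from `location` and return the hops taken."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        hops = [location]
        for _ in range(16):                        # guard against routing loops
            target = self.tables[location].lookup(dst)
            if target == "igw":                    # packet leaves the VPC
                hops.append("internet")
                return hops
            if target == "nat":                    # NAT gateway SNATs the outbound flow
                self.sessions[dst] = src
                src, location = self.nat_ip, "nat"
                hops.append("nat")
            elif target in ("fw-inside", "fw-outside"):
                # Firewall inspects and forwards out of its other ENI.
                location = "outside" if target == "fw-inside" else "fw-inside"
                hops.append("firewall")
            elif target == "local":
                if dst == self.nat_ip:             # reply reaches the NAT gateway: undo SNAT
                    dst, location = self.sessions[src], "nat"
                    hops.append("nat")
                else:
                    hops.append(f"deliver:{self.subnet_of(dst)}")
                    return hops
        raise RuntimeError("routing loop")


def build_vpc(ingress_routing):
    """Subnet route tables plus the IGW edge table, with or without the ingress route."""
    local = Route("10.0.0.0/16", "local")
    tables = {
        "inside":    RouteTable("inside-rt",    [local, Route("0.0.0.0/0", "nat")]),
        "nat":       RouteTable("nat-rt",       [local, Route("0.0.0.0/0", "fw-inside")]),
        "fw-inside": RouteTable("fw-inside-rt", [local]),
        "outside":   RouteTable("outside-rt",   [local, Route("0.0.0.0/0", "igw")]),
    }
    igw_routes = [local]
    if ingress_routing:  # edge route: traffic for the NAT subnet must enter via the firewall
        igw_routes.append(Route("10.0.2.0/24", "fw-outside"))
    tables["igw"] = RouteTable("igw-rt", igw_routes)
    return VpcModel(tables, NAT_GATEWAY_IP)


def round_trip(ingress_routing):
    """Outbound path from an inside host, then the reply path back in from the IGW."""
    vpc = build_vpc(ingress_routing)
    outbound = vpc.trace("inside", "10.0.1.10", "203.0.113.5")
    # The IGW has already mapped the NAT gateway's public address back to 10.0.2.20.
    reply = vpc.trace("igw", "203.0.113.5", NAT_GATEWAY_IP)
    return outbound, reply


if __name__ == "__main__":
    for enabled in (False, True):
        out, back = round_trip(enabled)
        print(f"ingress routing {'on ' if enabled else 'off'}: out={out} reply={back}")
```

With the edge route present, both the outbound hop list and the reply hop list contain the firewall; without it, the reply goes `igw -> nat -> deliver:inside` and a stateful firewall never sees the second half of the flow. The model deliberately keeps the firewall at a single hop per direction: the point being checked is path symmetry, not the firewall’s own policy.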

In addition to support for Amazon VPC Ingress Routing, we are adding AWS Security Group management to Cisco Defense Orchestrator (CDO). We are also extending the existing ACI policy-based automation for L4-7 services insertion to the AWS cloud by leveraging Amazon VPC Ingress Routing. These integrations will make deploying L4-7 services in a hybrid cloud, as well as Cisco Security at scale in AWS, easier than ever.

For additional information, visit the resources below or contact your Cisco TSA or Cisco Partner.

Additional Resources

Cisco Next-Generation Firewall Cloud Solutions

Cisco NGFWv for AWS in AWS Marketplace

Cisco NGFWv for AWS Configuration Guide

Cisco ASAv for AWS in AWS Marketplace

Cisco ASAv for AWS Configuration Guide

Amazon VPC Ingress Routing

Cisco Cloud ACI

Cisco ACI Service Graph Designs

Cisco ACI MSO Configuration Guide
