Effective Cybersecurity for the Internet of Things (IoT) Bret Hartman - Cisco

Effective Cybersecurity for the Internet of Things (IoT)
Bret Hartman
Vice President and Chief Technology Officer, Cisco Security Business Group
November 21, 2014
©2014 Cisco and/or its affiliates. All rights reserved.
CONNECTED THINGS
Cisco Confidential
Security is Foundational to Gain Greater Value from IoE
IoE: Networked Connection of People, Process, Data, Things
• People: Connecting People in More Relevant, Valuable Ways
• Process: Delivering the Right Information to the Right Person (or Machine) at the Right Time
• Data: Leveraging Data into More Useful Information for Decision Making
• Things: Physical Devices and Objects Connected to the Internet and Each Other for Intelligent Decision Making
New Risks Present New Challenges
• Changing Business Models
• Dynamic Threat Landscape
• Complexity & Fragmentation
New Challenges Require a Shift in Priorities
Security Policies Focus
• IT Network: Protecting Intellectual Property and Company Assets
• IoT Network: 24/7 Operations, High OEE, Safety, and Ease of Use
Implications of a Device Failure
• IT Network: Continues to Operate
• IoT Network: Could Stop Processes, Impact Markets, Physical Harm
Threat Protection
• IT Network: Shut Down Access to Detected Threat and Remediate
• IoT Network: Potentially Keep Operating with a Detected Threat
Infrastructure Life Cycle
• IT Network: Equipment upgrades and refresh <5 years
• IoT Network: Avoid Equipment upgrades (lifespan 15+ years)
The Attack Surface Grows and Evolves in IoT
Diagram labels (networks): Internet, Cloud Systems, Enterprise Network, DMZ, Remote Facility, Supervisory Network, Control System Network, Field Network
Diagram labels (components): Web Server, App Server, Database, VPN, SCADA, Historian, HMI, IEDs/PLCs
Threats shown:
• Threats from Cloud Services and Internet
• Exfiltration attacks
• Threats through Remote Access
• Uncontrolled Access
• Threats from Unauthorized Control
• Threats from Infected HMIs
Threat-Centric Security Approach
Attack Continuum
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Network, Endpoint, Mobile, Virtual, Cloud
Point in Time, Continuous
Comprehensive Security Product Portfolio
Firewall & NGFW
• Cisco ASA 5500-X Series
• Cisco ASA 5500-X w/ NGFW license
• Cisco ASA 5585-X w/ NGFW blade
• Cisco ASA with FirePOWER Services
IPS & NGIPS
• Cisco IPS 4300 Series
• Cisco ASA 5500-X Series integrated IPS
• FirePOWER NGIPS
• FirePOWER NGIPS w/ Application Control
• FirePOWER Virtual NGIPS
Advanced Malware Protection
• AMP for Networks
• AMP for Endpoints
• AMP for Private Cloud / Virtual Appliance
Email Security
• Cisco Email Security Appliance (ESA)
• Cisco Virtual Email Security Appliance (vESA)
• Cisco Cloud Email Security
Web Security
• Cisco Web Security Appliance (WSA)
• Cisco Virtual Web Security Appliance (vWSA)
• Cisco Cloud Web Security
NAC + Identity Services
• Cisco Identity Services Engine (ISE)
• Cisco Access Control Server (ACS)
VPN
• Cisco AnyConnect VPN
UTM
• Meraki MX
Strategic Imperatives
• Visibility-Driven: Broad Sensor Base, Context and Automation
• Threat-Focused: Continuous Advanced Threat Protection, Cloud-Based Security Intelligence
• Platform-Based: Agile and Open Platforms, Built for Scale, Consistent Control, Management
Network, Endpoint, Mobile, Virtual, Cloud
Threat Centric Security at Work
HEARTBLEED
STRING OF PAERLS
SNOWSHOE SPAM
CRYPTOLOCKER
Advanced Malware Protection Everywhere
• Web & Email Security Appliances
• Dedicated FirePOWER Appliance
• Cloud Based Web Security & Hosted Email
• NGIPS/NGFW on FirePOWER
• Private Cloud
• PC
• Mac OS X
• Mobile
• Virtual
• Continuous & Zero-Day Detection
• Advanced Analytics and Correlation
• Enterprise Capabilities
Future Security Platforms Will Reduce Complexity and Increase Capability
• Collective Security Intelligence
• Centralized Management: Appliances, Virtual
• Network/DC Control Platform: Appliances, Virtual
• Device Control Platform: Host, Mobile, Virtual
• Cloud Services Control Platform: Hosted
Cisco ASA with FirePOWER Services
Industry’s First Threat-Focused Next-Generation Firewall

• Cisco ASA firewalling combined with Sourcefire Next-Generation IPS
• Advanced Malware Protection (AMP)
• Best-in-class security intelligence, application visibility and control (AVC), and URL filtering
• Superior, multilayered threat protection
• Unprecedented network visibility
• Integrated threat defense across the entire attack continuum
• Reduced cost and complexity
Cisco Identity Services Engine (ISE)
Delivering the Visibility and Control for Secure Network Access
Figure labels: Network; Partner; Context Data (Who, What, Where, When, How); Cisco ISE; Consistent Secure Access Policy
The Security Perimeter in the Cloud
Collective Security Intelligence: Telemetry Data, Threat Research, Advanced Analytics
The Distributed Perimeter: Cloud Connected Network, Mobile, Router, Firewall
• Millions: Cloud Web Security Users
• 6GB: Web Traffic Examined, Protected Every Hour
• 75M: Unique Hits Every Hour
• 10M: Blocks Enforced Every Hour
Cisco Security Integrated into ACI
Intelligent Fabric Security
• Provisioning: Simplified Service Chaining, Dynamic Policy Management, Rapid Instantiation
• Performance: On Demand Scalability, Increased Clustering Size, Multi-Site Clustering
• Protection: Integrated Security and Consistent Policy Enforcement (Physical & Virtual), Active Monitoring & Comprehensive Diagnostics for Threat Mitigation
FY15 Security Services
• Advisory: Custom Threat Intelligence, Technical Security Assessments
• Integration: Integration Services, Security Optimization Services
• Managed: Managed Threat Defense, Remote Managed Services
Conclusion
• IoT advances present new risks and unique cybersecurity challenges
• Addressing these challenges requires visibility, continuous control and advanced threat protection across the entire attack continuum: before, during and after an attack
• Cisco is focused on delivering cybersecurity advancements to protect all of the interactions of the IoT
Your Number One Partner for Security
TECHNOLOGY
COMPANY
OUTCOMES
Top Products
Proven Innovator
Talent
E2E Security
Reliable Partner
Global Operations
Thank you.