BRKSEC-3446

Endpoint Security,
Your Last Line of Defense

Aaron T. Woland, CCIE #20113
Principal Engineer, Advanced Threat Security
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKSEC-3446

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Endpoint Security, Your Last
Line of Defense
Aaron Woland, CCIE# 20113
Principal Engineer
Advanced Threat Security

loxx@cisco.com
@AaronWoland

http://www.networkworld.com/blog/secure-network-access/
Sarcasm

“If we can’t laugh at ourselves, then we cannot laugh at anything at all”
Disclaimer: “All Comments are my own, and are
not representative of Cisco…
Any correlation to real live persons or
situations was completely unintentional...
Blah Blah Blah...”

Important: Hidden Slide Alert

Look for the “For Your Reference” symbol in your PDFs. There is a tremendous amount of hidden content for you to use later!

https://cisco.app.box.com/v/Loxx-Public
Please Fill Out The Survey!

Endpoint Security

• Endpoint Security Strategy
• Cisco Security Connector (Overview)
  • Apple & Cisco Partnership
  • CSC Details
• AnyConnect
  • Network Visibility Module
  • Best Practices for NVM & Stealthwatch
  • Using NVM w/ Splunk
• AMP4E Enhancements:
  • On-prem AMP Update Server
  • System Protection / Exploit Protection
  • AMP Unity
Generalized endpoint security strategy

• Malware Protection
• Visibility
• Secure Access
• Accidental Dangers
• Protection Everywhere
• Threat Protection
• Compliance
• Endpoint Management
AnyConnect
• NVM, Umbrella Roaming Security,
per-App VPN, Posture Assessment,
Secure LAN & WLAN Access
Advanced Malware Protection (AMP)
• File-based malware
• File-less malware
• Anti-Virus
Device Management
• Meraki SM, or MDM EcoSystem
• Active Directory

AnyConnect
• NVM, Umbrella Roaming Security,
per-App VPN, Posture Assessment
Advanced Malware Protection (AMP)
• File-based malware
• File-less malware
• Anti-Virus
macOS Device Management
• Meraki SM, or MDM EcoSystem

AnyConnect
• NVM*, per-app VPN
Advanced Malware Protection (AMP)
• APK Security
Device Management
• Meraki SM, or MDM EcoSystem

*NVM is currently available for Samsung / Knox only

Introducing: The Cisco Security Connector (CSC) for iOS
Apple | Cisco Partnership, Phase 2

Tim Cook (Apple CEO) joined Chuck Robbins (Cisco CEO) on the main stage at Cisco Live and announced the Cisco Security Connector to the world.
Cisco Security Connector

Visibility
Gain insight into activity on iOS devices during incident
investigations

Control
Defend against phishing attacks
and accidental browsing of bad sites
Cisco Security Connector - Services

A supervised device runs the Cisco Security Connector app, which delivers two services:
• Visibility = Cisco Clarity (~ Cisco AMP for Endpoints)
• Control = Cisco Umbrella
Cisco Security Connector
One App, Two Functions

CONTROL AND VISIBILITY
• DNS-layer enforcement and encryption via net new iOS 11 functionality
• Customizable URL-based protection with intelligent proxy
• Available to Umbrella¹ customers at no extra charge if the subscription’s user count already covers those using iOS

VISIBILITY
• App-layer auditing and correlation via net new iOS 11 functionality
• Logs encrypted URL requests without SSL decryption
• Available to AMP for Endpoints customers at no extra charge if the subscription’s device count already covers iOS devices

1. Professional, Insights and Platform packages
How does this work, operationally?
Zero-touch UX for end-users: one app, two extensions

• Umbrella app extension: encryption & enforcement of internet requests. Requests are attributed by iOS identity in the Umbrella dashboard.
• Clarity app extension: auditing & correlation of app traffic flows. Flows are attributed by iOS GUID and app in the AMP dashboard.
• Works anywhere, on- and off-network; automatically provisioned via Meraki.
Seamless UX for admin-users
One-time registration syncs all products together

• Meraki SM pushes iOS identities¹ to the Umbrella dashboard and to the AMP Clarity dashboard; each dashboard maps its policies to those identities.
• Meraki SM can create or pull Umbrella policies and Clarity policies.
• Meraki SM pulls per-device iOS identities¹ from supervised devices automatically enrolled with Meraki, and pushes per-device configurations for the Cisco Security Connector reflecting one or both policies.

1. iOS identities include device serial numbers, friendly names, and group profiles.
Why MDM / EMM?
Systems Manager API gates access to system & security functions
• Many functions are restricted to the Device Policy owner (the MDM)
• That MDM is required to delegate the functions to the security apps & in some cases (Android) that MDM must also be the security app; no delegation is possible.

Apps → Systems Manager API → System Functions:
• System Information: MAC address, UDID, etc.
• Device Configuration: network profiles, system settings
• Security Functions: network stack, WebKit, DNS proxy
How it works: Supervised mode for iOS
Cisco Security Connector is for supervised devices only

Supported:
• Enterprise-owned, supervised
Not supported:
• Bring your own device (BYOD)
• Enterprise-owned, not supervised
• Enterprise-owned, DEP – not supervised
iOS supervision
• Introduced in iOS 5 to differentiate enterprise-owned iOS
devices
• Enabled using Device Enrollment Program & MDM (out
of the box) or Apple Configurator (manual)
• Allows greater control: app restrictions, silent app push,
block AirDrop, prevent device wipe, provision Cisco
Security Connector (requires iOS 11)
• Note: ½ of the customers interviewed have some iOS
supervision already!

Apple iOS Details (For Your Reference)

Apple Device Enrollment Program (DEP)
• Can be used to enroll iOS and macOS devices over-the-air (OTA)
• Applied out of the box or after a device is erased and goes through activation again
• Can be used to supervise iOS devices at the same time enrollment is applied
• Is not required for CSC support, just nice to have
How DEP works (For Your Reference)
Cisco Meraki Systems Manager

• Enroll for free at deploy.apple.com
• Link DEP to Systems Manager, which imports all owned devices (upload the MDM server token)
• Assign settings in Systems Manager
• Settings, including supervision, are pushed to devices during device activation
Supervised devices (For Your Reference)
• Only for corporate-owned devices.
• Provides the organization full control over all aspects of the iOS endpoint.
• Device Enrollment Program (DEP): automates enrollment of Apple devices into a mobile device management solution to streamline deployment.
• DEP is not required for Supervised Mode, but it adds a lot of value.
Why Supervised? Why VPP?
Supervised:
• Allows full device control.
• Examples: can’t change wallpaper, can’t delete apps/configs, prevent installing apps, etc.

Volume Purchase Program (VPP):
• Allows apps to be installed in the background, no user interaction.
• App licenses are tied to the organization and assigned to the device without requiring the app to be part of the end user’s personal App Store.
Four Scenarios for Devices
1. Bring Your Own Device (BYOD)
2. Corporate Provided – Supervised
3. Corporate Provided – DEP – Not Supervised
4. Corporate Provided – Not Supervised

Bring Your Own Device (BYOD) ✗
• Device is owned by the employee
• Device may still use MDM, but won’t be used in Supervised Mode
• Unsupported model for Cisco Security Connector
Corporate Provided – Supervised ✓
• Device purchased and supplied by the organization
• Managed by an MDM
  • It is technically possible to be in Supervised Mode without MDM, but not likely.
• Device can run Cisco Security Connector (CSC) simply by installing it along with a configuration.
• CSC is available via the Volume Purchase Program (VPP).
  • VPP requires an MDM to be used to install & license the app.
Corporate Provided – Not Supervised – DEP ✓
• Device purchased and supplied by the organization with the Device Enrollment Program (DEP)
• Device can only run Cisco Security Connector (CSC) if in Supervised Mode:
  • Since DEP is enabled, the endpoint may be reactivated remotely and put into Supervised Mode (no tethering required).
  • Reactivation erases the data and “resets” the iOS device.
• CSC is available via the Volume Purchase Program (VPP).
  • VPP requires an MDM to be used to install & license the app.
Corporate Provided – Not Supervised – No DEP ✓
• Device purchased and supplied by the organization
• Did not use DEP.
• Device is not in Supervised Mode
• Device can only run Cisco Security Connector (CSC) if in Supervised Mode:
  • Must tether the endpoint and use the Apple Configurator 2 application to reactivate the endpoint.
  • Reactivation erases the data and “resets” the iOS device.
• CSC is available via the Volume Purchase Program (VPP).
  • VPP requires an MDM to be used to install & license the app.
State of the industry comparison for iOS: Protection & Control
Enforcement problems with an on-demand IPsec VPN profile (cloud proxy headend)

PROBLEM #1: Users can turn off the VPN, even in supervised mode. Visibility and control are lost.
PROBLEM #2: Not compatible concurrently with enterprise remote access. Only one VPN can be active.
PROBLEM #3: Always-on VPN will break captive portals and internal system access. Not all Wi-Fi APs support Apple’s login page.
PROBLEM #4: Will not work in all unmanaged locations. Some routers or firewalls block unknown tunnels.
PROBLEM #5: Very complex to modify the VPN XML profile to bypass URLs. The user requests Spanish content, but geo-location returns English; or Netflix access is blocked.
Provisioning problems with an on-demand IPsec VPN profile

PROBLEM #1: Apps (often via users) register devices 1-by-1 with the cloud proxy. Policy can’t be set proactively for all devices until each user authenticates. Sad admin.
PROBLEM #2: Admins manually register devices 1-by-1 with the MDM tool, for supervised devices and security apps. A tedious and lengthy task. Sad admin.
Enforcement problems with a global HTTP proxy

PROBLEM #1: The browser session expires many times per day, which is disruptive to end-users. (Browser: Can I go here? Proxy: Don’t remember you? Browser’s user: Ugh, it’s me again!)
WORKAROUND: For managed locations only, the admin must configure proxy chaining and router tunneling from the on-prem proxy and router to the cloud proxy. Doesn’t work over 4G, and is complex: IP surrogate and XFF forwarding. Sad admin.

PROBLEM #2: Non-browser apps running in the background stop working. (App: HTTP/S-only requests. Proxy: Don’t remember you? App has no user: request fails.)
WORKAROUND: The admin must figure out all URLs to bypass, via a hosted PAC file, to avoid breaking the app. A never-ending burden, plus device visibility and control are lost. Sad admin.
Overcoming all problems with Umbrella’s native DNS-layer enforcement

NO PROXY-RELATED PROBLEMS
• No user/network behavior changes to identify the device’s policy. Most apps request non-risky domains, resulting in direct connections.
• Any app: Can I go here over any port or protocol? Umbrella: Resolves the eDNS request to a safe destination for device 23432. Any app: Thanks for the server (vs. proxy) IP. No delay/breaks or foreign geo content.

NO VPN-RELATED PROBLEMS
• Can connect to captive portals and internal systems on unmanaged networks. Security is always on, as routers/firewalls rarely block DNS requests.
• Internal domains are pre-populated with the .local TLD and RFC 1918 (private network) reverse DNS address space, and newly added domains sync down within 10 minutes.
• Internal domains are automatically distributed via the networks’ DHCP search lists.

In both cases the supervised device runs the Cisco Security Connector with the Umbrella app extension enabled and resolves through the Cisco Umbrella global network (via the on-prem router when on-network).
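The slide above describes two decisions a DNS-layer enforcer makes for every query: is the name internal (resolve locally, so captive portals and intranet hosts keep working) and, if not, does the device’s policy allow it. The example below is an added illustration of that logic written for this page; it is not Cisco or Umbrella code. The device id 23432 comes from the slide; the internal-domain list, the blocklist and the block-page address are constructed stand-ins, and carrying the device identity in EDNS is an assumption about how the lookup is attributed.

```python
"""Split-DNS decision logic of the kind a DNS-proxy extension applies.

Added illustration for the Umbrella slide; not Cisco code.
Internal domains, blocklist and block-page IP are constructed here.
"""
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 private ranges whose reverse zones are always treated as internal.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class SplitDnsPolicy:
    # Domains learned from DHCP search lists plus admin-added ones (constructed).
    internal_domains: set = field(default_factory=lambda: {"corp.example", "lab.example"})
    # Constructed blocklist standing in for the cloud resolver's category/threat verdicts.
    blocked_domains: set = field(default_factory=lambda: {"phish.example.net"})
    # Documentation-range address standing in for the block page (assumption).
    block_page_ip: str = "198.51.100.10"

    def is_internal(self, qname: str) -> bool:
        """True if the query must be answered by the local resolver, not the cloud."""
        name = qname.rstrip(".").lower()
        if name.endswith(".local"):
            return True
        if any(name == d or name.endswith("." + d) for d in self.internal_domains):
            return True
        return self._is_rfc1918_reverse(name)

    @staticmethod
    def _is_rfc1918_reverse(name: str) -> bool:
        """Match PTR zones such as 1.2.10.in-addr.arpa or 16.172.in-addr.arpa."""
        suffix = ".in-addr.arpa"
        if not name.endswith(suffix):
            return False
        octets = name[: -len(suffix)].split(".")
        if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            return False
        # Reverse zones list octets least-significant first; pad partial zones with zeros.
        # (A zone wider than the private block, e.g. 172.in-addr.arpa, is deliberately not matched.)
        forward = list(reversed(octets)) + ["0"] * (4 - len(octets))
        addr = ipaddress.ip_address(".".join(forward))
        return any(addr in net for net in RFC1918)

    def decide(self, qname: str, device_id: str) -> dict:
        """Route the query and, for cloud-resolved names, apply the device's policy."""
        if self.is_internal(qname):
            # Never leaves the local network; no device identity attached.
            return {"resolver": "local", "action": "resolve", "device": None}
        # Forwarded to the cloud resolver with the device identity so the answer
        # reflects that device's policy (EDNS carries the id here; assumption).
        if qname.rstrip(".").lower() in self.blocked_domains:
            return {"resolver": "umbrella", "action": "block",
                    "answer": self.block_page_ip, "device": device_id}
        return {"resolver": "umbrella", "action": "resolve", "device": device_id}


if __name__ == "__main__":
    policy = SplitDnsPolicy()
    for q in ("printer.local", "intranet.corp.example", "1.2.10.in-addr.arpa",
              "phish.example.net", "www.example.com"):
        print(q, policy.decide(q, "23432"))
```

Note the suffix match uses a leading dot, so `notcorp.example` is not mistaken for an internal name, and the reverse-zone check pads partial zones rather than string-matching `10.in-addr.arpa`, which would also accept `110.in-addr.arpa`.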
State of the industry comparison for iOS: Visibility
Visibility problems with app traffic flows

PROBLEM #1: Traffic flow capture is non-existent off-network. On the customer premises a record collector behind the switch and private Wi-Fi sees the supervised device’s flows (some with TLS encryption); there is no visibility for cellular or unmanaged networks.
WORKAROUND(S): Use a VPN or an MDM container with specialized apps. Blind when the VPN is off (the VPN is not always on); blind to apps outside the container, and the container impacts user behavior.
Visibility problems with app traffic flows

PROBLEM #2: Traffic flow capture is limited on-network. The record collector sees the flows, but has no visibility into TLS-encrypted URLs.*
WORKAROUNDS: A MiTM (man-in-the-middle) approach via a web proxy to decrypt traffic. Apps like Dropbox use certificate pinning, which breaks MiTM.

* Clarity gets the URLs before they’re encrypted. Cert pinning is not an obstacle because the URLs are captured early enough (no MitM).
Overcoming all problems with Clarity’s native flow collection

NO NEED FOR SPECIALIZED APPS OR MDM CONTAINERS
• Visibility into any URL with any app, anywhere, off-net or on-net.
• On- or off-network, visibility is still provided into apps and URLs.
• Clarity collects URLs from all native apps, not just special or containerized apps. HTTP/S and raw socket support.

NO NEED FOR MITM
• Clarity sees the URL before traffic is encrypted, so decrypting traffic flows is not required.
• Clarity learns about URLs before TLS encryption and sends this data to the Cisco AMP cloud servers.

Supervised device with the Cisco Security Connector’s Clarity app extension enabled.
Overcoming the usability problem for security operations

• Security operations often lack access to, or avoid, non-security tools.
• Security operations want to see the “why” of behavior, patterns, incidents, etc., in the AMP/Clarity console.
• System admins use the MDM and other tools for the MDM-supervised endpoints.
State of the industry comparison for iOS: Device Administration (For Your Reference)

Unified endpoint management combines mobile and PC:
• iOS, Android, Windows Phone, and Chrome
• macOS, Windows, and Microsoft Server

It also combines the mobile management solutions:
• Enterprise mobility management (EMM)
• Mobile device management (MDM)
• Mobile application management (MAM)
• Mobile content management (MCM)
• Mobile identity (MI)
(For Your Reference)
The only all-Cisco solution for…
• Network and unified endpoint management
• Mobile and endpoint security management
• Mobile device management, collaboration, and Cisco Security Connector
(For Your Reference)
Instant free 30-day trial: meraki.com/form/systems-manager-signup
Demo Time: Clarity & Umbrella
Warning: Attempting a Live Demo at Cisco Live
One-Time Registration Process Explained
Cisco Security Connector: initial setup workflow w/ Meraki Systems Manager

Timeline

Meraki dashboard:
1. Add the app + VPP licenses
2. Create the policy to be updated
5. Tag the app, policy and devices (the policy is modified via API and saved)

Umbrella dashboard:
3. Link to the MDM; query policies
4. Push the Umbrella config into the policy; the endpoint registers w/ Umbrella

AMP Clarity console:
1. Create an iOS policy
3. Link to the MDM; query policies
4. Push the Clarity config into the policy; the endpoint registers w/ Clarity

Supervised iOS endpoints: new endpoints get the app & policies applied automatically.
Cisco Security Connector: initial setup workflow w/ other supported* MDMs

Timeline

Umbrella dashboard:
2. Download the Umbrella cert & config; the endpoint registers w/ Umbrella

Supported MDM:
1. Add the app + VPP licenses
3. Upload or paste the configs into the MDM
4. Tag the app, policy and devices

AMP Clarity console:
1. Create an iOS policy
2. Download the Clarity config; the endpoint registers w/ Clarity

Supervised iOS endpoints: new endpoints get the app & policies applied automatically.
Cisco Security Connector: Ecosystem MDMs
• Every MDM is different.
• Some support the new functions in iOS 11, some do not.
• Some support custom mobileconfig policies, some do not.
• Each one has a very different procedure in order to support pushing CSC & its configurations.
• No integrated offering with 3rd-party MDMs to date; it is a very manual process.
  • Some MDMs support uploading the XML configuration.
  • Others require editing the XML manually & performing a copy/paste into the MDM UI.
• February 2018 Beta includes: Mobile Iron, AirWatch
• Other MDMs to follow
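Hand-editing and pasting XML into an MDM console is where profiles break: a key gets dropped, or a payload is duplicated with its UUID intact. The example below is an added illustration for this page, not Cisco tooling or the Cisco Security Connector’s actual profile. It builds a configuration profile around Apple’s DNS proxy payload (PayloadType com.apple.dnsProxy.managed, the iOS 11 supervised-only mechanism behind the “DNS Proxy” function listed earlier) and checks a pasted profile before it is pushed. The bundle identifiers and ProviderConfiguration contents are placeholders; the deck does not show the real values, and the mapping of the CSC config to this payload type is an assumption.

```python
"""Build and sanity-check a DNS-proxy configuration profile (.mobileconfig).

Added example for the MDM upload/paste step; not Cisco's profile or tooling.
Bundle identifiers and ProviderConfiguration are placeholders (assumptions).
"""
import plistlib
import uuid

# Apple's DNS proxy payload type (iOS 11+, supervised devices only).
DNS_PROXY_PAYLOAD_TYPE = "com.apple.dnsProxy.managed"
REQUIRED_PAYLOAD_KEYS = {"PayloadType", "PayloadVersion", "PayloadIdentifier",
                         "PayloadUUID", "AppBundleIdentifier"}


def build_dns_proxy_profile(app_bundle_id: str, provider_bundle_id: str,
                            provider_config: dict, org: str = "Example Org") -> bytes:
    """Return the XML plist bytes an admin would upload or paste into an MDM."""
    payload_uuid = str(uuid.uuid4()).upper()
    profile_uuid = str(uuid.uuid4()).upper()
    payload = {
        "PayloadType": DNS_PROXY_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{app_bundle_id}.dnsproxy.{payload_uuid}",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": "DNS Proxy",
        "AppBundleIdentifier": app_bundle_id,          # containing app
        "ProviderBundleIdentifier": provider_bundle_id,  # the DNS proxy extension
        "ProviderConfiguration": provider_config,        # opaque vendor settings
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.mdm.dnsproxy.{profile_uuid}",
        "PayloadUUID": profile_uuid,
        "PayloadDisplayName": "DNS-layer security",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def first_payload(blob: bytes) -> dict:
    """Convenience accessor for the first payload of a profile."""
    return plistlib.loads(blob)["PayloadContent"][0]


def validate_profile(blob: bytes) -> list:
    """Return a list of problems; an empty list means the profile is structurally sound.

    Catches the usual copy/paste mistakes: malformed XML, a missing key,
    a wrong payload type, and a payload UUID reused from another profile.
    """
    problems = []
    try:
        profile = plistlib.loads(blob)
    except Exception as exc:  # truncated or mangled XML after a bad paste
        return [f"not a valid plist: {exc}"]
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    payloads = profile.get("PayloadContent", [])
    if not payloads:
        problems.append("PayloadContent is empty")
    seen = {profile.get("PayloadUUID")}
    for p in payloads:
        missing = REQUIRED_PAYLOAD_KEYS - set(p)
        if missing:
            problems.append(f"payload missing keys: {sorted(missing)}")
        if p.get("PayloadType") != DNS_PROXY_PAYLOAD_TYPE:
            problems.append(f"unexpected PayloadType {p.get('PayloadType')!r}")
        if p.get("PayloadUUID") in seen:
            problems.append("duplicate PayloadUUID")
        seen.add(p.get("PayloadUUID"))
    return problems


# Constructed example of a hand-edited profile: the app identifier was dropped
# and the payload UUID was copied from the enclosing profile.
HAND_EDITED_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.mdm.dnsproxy.broken</string>
  <key>PayloadUUID</key><string>0E9C0E5B-8A8B-4B2C-9F0E-5A5E1D8C0001</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.dnsProxy.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.securityapp.dnsproxy.broken</string>
      <key>PayloadUUID</key><string>0E9C0E5B-8A8B-4B2C-9F0E-5A5E1D8C0001</string>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    good = build_dns_proxy_profile("com.example.securityapp",
                                   "com.example.securityapp.dnsproxy", {"orgId": "1234"})
    print(good.decode())
    print("good:", validate_profile(good))
    print("hand-edited:", validate_profile(HAND_EDITED_PROFILE))
```

Run the validator on whatever the MDM console will receive, not on the file you exported: the paste itself is the step that mangles profiles.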
Table of Tested MDMs (For Your Reference)

MDM                      Supported   BETA       Integrated approach via API   Clarity config upload                  Umbrella config upload
Cisco Meraki SM          ✓           -          ✓                             ✓                                      ✓
VMware AirWatch          (beta)      Feb 2018   X                             ✓                                      Paste
Mobile Iron              (beta)      Feb 2018   X                             ✓                                      ✓
Jamf Pro                 X           TBD        X                             Merged w/ Umbrella into single config  Single config, upload or paste
IBM MaaS360              X           -          X
Demo Time: Integration
Warning: Attempting a Live Demo at Cisco Live
UI/UX preview: Cisco Security Connector
Disclaimer: Appearance may change before general availability.

SECURITY CONNECTOR UI/UX PREVIEW (For Your Reference)
End-users may see block pages in mobile web apps, depending on policy.
• The end-user experience does not change. They use all apps just as they always have, and all the security happens in the background.
• The only difference is that they MAY see a block page.
• Note: Regardless of port or protocol, network requests will be blocked if against the policy. Yet non-web mobile apps cannot display the block page.
SECURITY CONNECTOR UI/UX PREVIEW (For Your Reference)
Simple end-user UI displays status and info. Note: Nothing can be edited by the end-user.
UI/UX preview: Cisco AMP Clarity
Disclaimer: Appearance may change before general availability.

AMP CLARITY UI/UX PREVIEW (For Your Reference)
Mobile app trajectory
• GENERAL APP INFO: includes SHA1
• TRAJECTORY: timeline of app usage per endpoint. Click on an entry and the details appear to the right.
• DOMAIN DESTINATIONS: organized by domain, lists of full URLs.
AMP CLARITY UI/UX PREVIEW (For Your Reference)
Device trajectory
• DEVICE TRAFFIC FLOW: timeline of apps making network connections.
• DETAILED TIMELINE: one line per app; click on an entry and the details appear to the right.
AMP CLARITY UI/UX PREVIEW (For Your Reference)
New dashboard tab: iOS Visibility
• OBSERVED APPS: see the most observed and least observed apps in your iOS deployment.
• UNSEEN DEVICES: lists iOS endpoints that have not checked in with the AMP cloud.
AMP CLARITY UI/UX PREVIEW (For Your Reference)
Network activity search
• MATCHING APPS
• MATCHING IOS ENDPOINTS
• PIVOT: to the app or device trajectory
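The four Clarity views above (app trajectory, device trajectory, observed/unseen devices, network activity search) are all pivots over the same per-flow records: device GUID, app, app hash, time and the pre-encryption URL. The example below is an added illustration written for this page of how those pivots are built from such records; it is not Cisco code and does not use Clarity’s real data format or API. The flow records and the enrolled-device list are constructed.

```python
"""Index constructed iOS app-flow records the way a trajectory view pivots on them.

Added illustration for the Clarity slides; not Cisco's code or data format.
Every record and the enrolled-device list below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed flow records: (device GUID, app bundle id, app SHA1 (shortened), UTC time, URL)
FLOWS = [
    ("dev-0001", "com.example.mail",  "a1b2c3", "2018-02-01T09:00:00", "https://mail.example.com/inbox"),
    ("dev-0001", "com.example.mail",  "a1b2c3", "2018-02-01T09:05:00", "https://cdn.example.com/logo.png"),
    ("dev-0002", "com.example.notes", "d4e5f6", "2018-02-01T09:10:00", "https://sync.example.org/v1/push"),
    ("dev-0002", "com.example.mail",  "a1b2c3", "2018-02-01T09:12:00", "https://mail.example.com/attach?id=9"),
    ("dev-0003", "com.example.game",  "778899", "2018-02-01T09:20:00", "http://ads.example.net/track?u=dev"),
]
# Devices the MDM says are enrolled (constructed); dev-0004 has never reported a flow.
ENROLLED = {"dev-0001", "dev-0002", "dev-0003", "dev-0004"}


def parse(flow):
    dev, app, sha1, ts, url = flow
    return {"device": dev, "app": app, "sha1": sha1,
            "time": datetime.fromisoformat(ts), "url": url,
            "domain": urlsplit(url).hostname}


RECORDS = [parse(f) for f in FLOWS]


def app_trajectory(app):
    """One app across all devices: its hashes, a timeline, and destinations grouped by domain."""
    rows = sorted((r for r in RECORDS if r["app"] == app), key=lambda r: r["time"])
    by_domain = defaultdict(list)
    for r in rows:
        by_domain[r["domain"]].append(r["url"])
    return {"sha1": sorted({r["sha1"] for r in rows}),
            "timeline": [(r["time"].isoformat(), r["device"]) for r in rows],
            "destinations": dict(by_domain)}


def device_trajectory(device):
    """One device: timeline of apps making network connections and where they went."""
    rows = sorted((r for r in RECORDS if r["device"] == device), key=lambda r: r["time"])
    return [(r["time"].isoformat(), r["app"], r["domain"]) for r in rows]


def observed_apps():
    """Apps ranked by how many devices ran them, most observed first."""
    devs = defaultdict(set)
    for r in RECORDS:
        devs[r["app"]].add(r["device"])
    return sorted(((app, len(d)) for app, d in devs.items()), key=lambda x: (-x[1], x[0]))


def unseen_devices(now_iso, max_silence_hours=24):
    """Enrolled devices with no flow inside the window: never checked in, or gone quiet.

    A device that stops reporting is worth a look: the extension may be disabled,
    the device offline, or the device no longer supervised.
    """
    now = datetime.fromisoformat(now_iso)
    last = {}
    for r in RECORDS:
        last[r["device"]] = max(last.get(r["device"], r["time"]), r["time"])
    window = timedelta(hours=max_silence_hours)
    return sorted(d for d in ENROLLED if d not in last or now - last[d] > window)


def search(term):
    """Network-activity search: which apps and which devices touched a URL substring."""
    hits = [r for r in RECORDS if term in r["url"]]
    return {"apps": sorted({r["app"] for r in hits}),
            "devices": sorted({r["device"] for r in hits})}


if __name__ == "__main__":
    print(observed_apps())
    print(unseen_devices("2018-02-01T10:00:00"))
    print(search("ads.example.net"))
    print(device_trajectory("dev-0002"))
```

Because the URL is captured before TLS, the search works on full paths and query strings, not just the hostnames a flow collector would see; that is what makes the pivot from a suspicious URL back to the app and device possible.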
AMP CLARITY UI/UX PREVIEW (For Your Reference)
Deploy Clarity policy via existing AMP group structures
• ENDPOINT GROUP: uses the same endpoint groups that AMP admins are already used to.
• MERAKI SM: select the organization and network from the Meraki SM. Select the existing profiles to update w/ the Clarity config.
• THIRD-PARTY MDM: for manual use.
Step By Step Configuration in the Hidden Slides
UI/UX preview: Cisco Umbrella
Disclaimer: Appearance may change before general availability.

UMBRELLA UI/UX PREVIEW (For Your Reference)
Admin workflow
UMBRELLA UI/UX PREVIEW (For Your Reference)
Initial setup
• LINK TO MDM: just paste the MDM’s API key into Umbrella, then select the MDM profiles to provision the Umbrella app extension (and root cert) onto iOS devices.
• ADD INTERNAL DOMAINS: the Cisco Security Connector will auto-configure split DNS resolution for auto-detected internal domains. But if needed, admins can add more.
UMBRELLA UI/UX PREVIEW (For Your Reference)
New identity type
• IDENTITIES VIA LINKED MDM: provisioning mobile devices is automated by your MDM, and the identities are synced to Umbrella via a joint API.
• IDENTITIES APPLIED TO POLICIES: select all mobile devices, or search identities using a partial name and select one or all matches.
UMBRELLA UI/UX PREVIEW (For Your Reference)
Real-time visibility everywhere
• FULL CONTEXT: click identities or destinations to see all activity.
• INSTANT FILTERS: search activity per attribute, or by many with advanced search.
• WHO’S ATTACKED?: Umbrella’s statistical models identify more threats (e.g. phishing) than others.
UMBRELLA UI/UX PREVIEW (For Your Reference)
Full context for destinations
• ACTIVITY TREND: your traffic over the last month, vs. previous months, and vs. global traffic.
• CORRELATED INTELLIGENCE
• WHO’S IMPACTED: which mobile devices, as well as networks, roaming computers, and users, requested it.
UMBRELLA UI/UX PREVIEW (For Your Reference)
Full context for identities
• ACTIVITY TREND: this identity’s allowed, blocked, or proxied traffic over the last month vs. previous months.
• TOP SECURITY DESTINATIONS/CATEGORIES
UI/UX preview: Cisco Meraki Systems Manager
Disclaimer: Appearance may change before general availability.

MERAKI SM UI/UX PREVIEW (For Your Reference)
Settings pushed to Systems Manager
• CLARITY CONFIGURATION: settings can be pushed from the AMP Clarity and Umbrella admin consoles to Systems Manager, or created in Systems Manager.
MERAKI SM UI/UX PREVIEW (For Your Reference)
Settings created in Systems Manager
• UMBRELLA CONFIGURATION: settings can be created in Systems Manager, or pushed from the AMP Clarity dashboard and Umbrella admin consoles to Systems Manager.
MERAKI SM UI/UX PREVIEW (For Your Reference)
Grouping devices in Systems Manager
• SCOPE DEVICE GROUPS: posture and control based on geolocation, time of day, user groups, custom tags, device types, and security posture.
MERAKI SM UI/UX PREVIEW (For Your Reference)
Pushing apps and VPP licenses
• ADD NEW APPS: Cisco Security Connector is not yet in Apple’s public App Store.
• USE VPP LICENSES
Cisco Security Connector
• Step-by-step configurations w/ Meraki SM

Aaron T. Woland, CCIE #20113
Principal Engineer, Advanced Threat Security
August 20, 2017

Apple Configurator 2
• Used to locally manage iOS devices
• Erase, unlock, manage apps, prepare devices, push configs
• Download it from the Mac App Store
• macOS only (no Windows)
Can Fully Manage an Individual Device
• Manage all things about an endpoint.
Can use Blueprints - Templates to Apply to Devices
• Manage all things about an endpoint.
• Name the Blueprint, then click Prepare.
Can use Blueprints - Templates to Apply to Devices
• Manual: without the DEP Program
• Automated Enrollment: with the DEP Program
1. Select Manual
Blueprints: Add the MDM
• If This is the First Time
Adding the MDM
• Select New Server…
• Click Next

Blueprint: Add the MDM Enrollment URL
• Configure the MDM:
1. Name the MDM
2. Enter the FQDN from Meraki SM > Add devices > iOS > Apple Configurator
Blueprint: MDM’s Cert to Trust
1. Notice the certs (all are included in the profile)
2. Click Next
Blueprint: Choose the MDM’s Cert to Trust
1. Select Supervise devices
2. Click Next
Blueprint: Organization Information
• If no existing organization:
1. Enter the organization info
2. Click Next

Blueprint: Organization Information
• If no existing organization:
1. Generate a new supervision identity
2. Click Next
Blueprint: iOS Setup Assistant Configuration
1. Decide what Setup Assistant steps the end-user sees
2. Click Prepare

Blueprint: The Blueprint is Ready
1. Click Done
Apply the Blueprint to your iOS Device
Applying the Blueprint to an iOS Device
• Apply to the iOS device; can be multiple simultaneously
• Repeat the process later for new devices
1. Select the iOS device(s)
2. Click Blueprints & select your Blueprint
3. Click Apply (a warning message about possible erasure appears)
4. Click Erase (if Setup Assistant has been run before, i.e. the device isn’t brand new, it will need to be erased)
The iOS Device will Reboot
Setup the iOS Device
1. Click the Home button to begin
2. Join your Wi-Fi network
Setup the iOS Device
This is the MDM setup portion.
1. Click Apply Configuration
2. Enter your MDM user’s username / password (most often this is an AD username / password)
Setup the iOS Device
Setup is complete. You can
verify the MDM & Supervision:
1. Click Settings > General
2. MDM profile is listed under 1
Device Management

BRKSEC-3446 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 102
Setup the iOS Device
3. Click Meraki Management
This shows the device with MDM management, but without the Umbrella or Clarity config yet.
Configuring Meraki SM for App & Policy
SM: Configure a Tag
You're creating a Tag to apply to the CSC app & the policies you want applied to the devices.
Systems Manager > Configure > Tags
1. Create New Tag > Manual Tag > Next
SM: Configure a Tag
Create a new Tag
2. Name the Tag
3. Select one or more devices
4. Click Submit
SM: Add the CSC App
Systems Manager > MDM > Apps > Add new iOS enterprise app
1. Select Upload an IPA
2. Click Browse & locate the .ipa file
3. Scope – with ALL the following tags
4. Choose your new Tag & iOS Devices
5. Click Save
SM: Create a Profile (mobileconfig) for the iOS Devices
Systems Manager > MDM > Settings
1. Click + to create a new Profile
2. New Meraki managed profile
3. Save Changes
SM: Create a Profile (mobileconfig) for the iOS Devices
Systems Manager > MDM > Settings
1. Name the Profile
2. Choose your tag and iOS devices
3. Click Save Changes
SM: Copy your Meraki API Key
Grab your Meraki API key from the Meraki Dashboard
1. Click on your login name in the upper right > My Profile
2. Copy your API Key for use later in the AMP and Umbrella consoles
• The key carries the full Dashboard privileges of the account that generated it, so treat it as a credential: generate it from a dedicated admin account and store it where you would store a password, not in a ticket or a chat.
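Before pasting the key into the AMP or Umbrella console, it is worth checking that it actually sees the Organization and the Systems Manager network you will be asked to pick. The script below is an added example, not from this deck or from Cisco. It assumes the Dashboard API v1 at https://api.meraki.com/api/v1 with the X-Cisco-Meraki-API-Key header, that Systems Manager networks carry "systemsManager" in their productTypes, and it reads the key from a MERAKI_API_KEY environment variable rather than a hard-coded string. The sample API responses embedded in it are constructed.

```python
"""Verify a Meraki Dashboard API key before pasting it into AMP / Umbrella.

Added example, not Cisco's code.  Assumptions: Dashboard API v1 at
https://api.meraki.com/api/v1, the X-Cisco-Meraki-API-Key header, and
Systems Manager networks listing "systemsManager" in productTypes.
"""
import json
import os
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"


def meraki_get(path, api_key, timeout=15):
    """GET a Dashboard API path and return the decoded JSON body."""
    req = urllib.request.Request(
        BASE_URL + path,
        headers={"X-Cisco-Meraki-API-Key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def find_network(orgs, networks_by_org, org_name, network_name):
    """Resolve (organization id, network id) for the names you will pick in the
    AMP / Umbrella consoles.  `orgs` is the /organizations response and
    `networks_by_org` maps org id -> /organizations/{id}/networks response.
    Returns None if the key cannot see that org, or the network is not a
    Systems Manager network (the only kind the MDM link can use)."""
    for org in orgs:
        if org.get("name") != org_name:
            continue
        for net in networks_by_org.get(org["id"], []):
            if net.get("name") == network_name and "systemsManager" in net.get("productTypes", []):
                return org["id"], net["id"]
    return None


def check_key(api_key, org_name, network_name):
    """Live check: fetch orgs and their networks with the key, then resolve."""
    orgs = meraki_get("/organizations", api_key)
    networks = {o["id"]: meraki_get(f"/organizations/{o['id']}/networks", api_key) for o in orgs}
    return find_network(orgs, networks, org_name, network_name)


# Constructed sample responses (shape of the v1 API, values made up).
SAMPLE_ORGS = [{"id": "123456", "name": "Example Org"}]
SAMPLE_NETWORKS = {
    "123456": [
        {"id": "L_1001", "name": "HQ", "productTypes": ["appliance", "switch"]},
        {"id": "N_2002", "name": "iOS Devices", "productTypes": ["systemsManager"]},
    ]
}

if __name__ == "__main__":
    key = os.environ.get("MERAKI_API_KEY")  # never hard-code the key in a script
    if key:
        print(check_key(key, "Example Org", "iOS Devices"))
    else:
        print(find_network(SAMPLE_ORGS, SAMPLE_NETWORKS, "Example Org", "iOS Devices"))
```

If the result is None with a key you believe is valid, the key belongs to an account that is not an admin of that Organization, or the network you chose is not a Systems Manager network; both are cheaper to find here than after the AMP and Umbrella consoles have silently failed to populate their Organization / Network pickers.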
Configuring Policy from the AMP Cloud Console
The AMP Cloud
• When you first click on the new iOS Visibility tab in the AMP Console, it detects that you are not set up for Clarity yet.
• You can add the Meraki MDM API Key to set up the interaction with Meraki SM, or you can create & download a .mobileconfig file for your specified group.
• Clarity uses the same group structure that has always existed with AMP.
AMP: Create a Group for your iOS Devices
Navigate to Management > Groups
1. Click Create Group.
AMP: Create a Group for your iOS Devices
Navigate to Management > Groups
2. Name the Group something that makes sense, like "iOS Clarity", & provide a description
3. Click Save.
AMP: Link your Meraki Systems Manager MDM
If the one-time setup on the iOS Visibility tab has already been done (iOS devices are already connecting to the AMP Cloud), use Accounts > Business.
1. Click Cisco Meraki EMM Integration (EMM = Enterprise Mobility Manager, a term similar to MDM)
AMP: Link your Meraki Systems Manager MDM
There is a one-time setup on the iOS Visibility tab. Use Accounts > Business in the future.
1. Paste your Meraki API Key
2. Click Save
AMP: Link your Meraki Systems Manager MDM
3. Select the group you created
4. Choose your Meraki Organization & Network
5. Select the Meraki profile you created
6. Click Update
Configuring Policy from the Umbrella Dashboard
Umbrella: Link your Meraki Systems Manager MDM
Navigate to Identities > Mobile Devices
1. Click LINK MDM
2. Paste your Meraki MDM API Key
3. Click NEXT
Umbrella: Link your Meraki Systems Manager MDM
Select your Meraki Organization & Network
1. Pick your Profile
2. Click INSTALL
Verifying
If all Tags were set correctly on Meraki SM, you should be done!
Verify the AMP Clarity Profile Config:
In the Meraki SM, your profile now has a new setting, "Clarity Content Filter". This was pushed from the AMP Clarity Console directly to Meraki.
Verify the Umbrella Profile Config:
In the Meraki SM, your profile now has a new setting, "Umbrella DNS Proxy". This was pushed from the Umbrella Dashboard.
Verifying
Check the MDM Profile on the iOS device:
1. Click Settings > General
2. The MDM profile is listed under Device Management
Verifying
3. Click Meraki Management
Verify that Web Content Filter is now in the list. This is your confirmation that the updated profile has been pushed to the iOS device.
4. Click More Details
Verifying
3. Click Cisco Umbrella DNS Proxy
Notice the App: com.cisco.ciscosecurity
The Provider Bundle: com.cisco.ciscosecurity.CiscoUmbrella
That shows the profile is working correctly.
Verifying
Navigate back to Meraki Management
4. Click Restrictions
5. Click Web content filter
Verifying
6. Click Web content filter
Notice the Plugin Bundle ID com.cisco.ciscosecurity. That shows the profile is working correctly.
Verifying Umbrella
Cisco Security App
1. Click Status
2. Click Protected by Umbrella
Details about the connection are there.
Note: IPv6 shows as Unprotected because there is no IPv6 address on the device.
Verifying Clarity
Cisco Security App
1. Click Status
2. Click Protected by Clarity
Details about the connection are there.
Note: If enabled & registered, but not connected: generate some new web traffic and check back.
Backup Slides
For Your Reference
CSC App: Email Problem Report
• Support email, pre-populated with the admin for the org
• Details for TAC:
  • All device info
  • GUIDs
  • Org IDs
  • Clarity & Umbrella
For Your Reference
If Meraki Groups are not Appearing in AMP Clarity
Troubleshooting:
• Click Refresh Metadata to re-pull the information from the Meraki side.
For Your Reference
Logging: Umbrella
Connect the iOS device via USB to a MacBook.
Open the Console app on the Mac.
Select the iOS device on the left side.
Filter on "CiscoUmbrella".
For Your Reference
Logging: Clarity
Connect the iOS device via USB to a MacBook.
Open the Console app on the Mac.
Select the iOS device on the left side.
Filter on "#CS".
For Your Reference
Logging: Umbrella (Console output filtered on "CiscoUmbrella")
For Your Reference
Using Meraki SM to Troubleshoot
For Your Reference
Meraki docs are REALLY good
• https://documentation.meraki.com/SM/Other_Topics/Finding_Console_Logs_for_iOS_Troubleshooting
• http://documentation.meraki.com/
For Your Reference
CSC tidbits & tricks
For Your Reference
CSC tidbits – moving endpoints between AMP groups
• To assign different policies to "computers" in the AMP console, you simply assign them to a different group.
• Each group = 1 policy per OS type.
• iOS endpoints cannot be moved into other groups within the AMP console.
• To accomplish the same thing for iOS, ensure there is a different profile on the MDM for each group in AMP, then assign the profile for the "destination group" to the endpoints that need to be moved.
Endpoint Security
• Endpoint Security Strategy
• Cisco Security Connector (Overview)
  • Apple & Cisco Partnership
  • CSC Details
• AnyConnect
  • Network Visibility Module
  • Best Practices for NVM & Stealthwatch
  • Using NVM w/ Splunk
• AMP4E Enhancements:
  • On-prem AMP Update Server
  • System Protection / Exploit Protection
  • AMP Unity
180+ million endpoints delivering the most comprehensive set of security services to more than 80,000+ customers worldwide
AnyConnect: > VPN
Cisco AnyConnect
A Suite of Security Service Enablement Modules
• VPN Module (Core)
• Network Access Manager (NAM)
• Web Security (CWS)
• Posture
• Umbrella Module
• HostScan (aka: ASA posture) (No UI)
• Network Visibility Module (NVM) (No UI)
• AMP Enabler Module
• Diagnostics and Reporting Tool (DART)
Network Visibility Module (NVM)
Summary of Features
• Completes the visibility story by augmenting network flows with details from the endpoint
• Visibility into all network traffic from the endpoint
• Works on and off prem
• Sends data as IPFIX (NetFlow) based "nvzFlow"
NVM Settings
Offline Storage
• Could be unlimited
• Oldest removed first
• If not configured, 50 MB default
nvzFlow Collector
• Stealthwatch Endpoint Concentrator, Splunk, etc.
• 2055 is the default port.
Sampled Flows
• Only collects at a set interval (not recommended)
Protect the Collector
• Only send during the interval
• Throttle Kbps of flow data
NVM Settings (cont.)
Collection Policy
• Define when to collect (VPN, Trusted, Untrusted)
• What fields to collect
• What fields to anonymize:
• LoggedInUser
• ProcessName
• ProcessAccount
• ParentProcessName
• ParentProcessAccount
• DestinationHostname
• DNSSuffix
• VirtualStationName
• OSName
• OSVersion
• SystemManufacturer
• SystemType
• OSEdition
• InterfaceName
• SSID
Use Stealthwatch for on-prem added value
Stealthwatch Enterprise
• Adds tremendous value and situational awareness for the incident responder
• Provides much more context to the enterprise flows
Use Splunk for off-prem visibility
Splunk app
• Written, maintained and supported by Cisco
• Provides visibility for on & off-prem traffic flows
https://splunkbase.splunk.com/app/2992/
Differentiating NetFlow from nvzFlow
(Diagram: customer premises with router, Wi-Fi and switches exporting NetFlow and endpoints exporting nvzFlow; a UDP Director sits in front of the Stealthwatch Flow Collector / SMC, the Endpoint Concentrator and Splunk.)
• Network devices use 2055 for NetFlow.
• AnyConnect NVM is configured to use 3055 for nvzFlow.
• The UDP Director is configured to send only nvzFlows to Splunk.
• Splunk requires the acnvmcollector service (on-box or off-box).
Using the UDP Director to Send to SW FC and Splunk
NVM to Splunk
• 2055 is the default port
• The network will use 2055 also
• Leverage 3055 for endpoints to limit what is sent to Splunk to just endpoint flows
NVM to Concentrator
• Stealthwatch Endpoint Concentrator
Net to Flow Collector
• NetFlows go direct to the Flow Collector
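To see what the port split above actually keys on, here is an added example (not part of this deck, nor of Stealthwatch, AnyConnect or Splunk) that parses the export header at the front of each UDP datagram and routes it the way the two slides describe: NetFlow v9 arriving on 2055 goes to the Flow Collector, IPFIX-based nvzFlow arriving on 3055 goes to the Endpoint Concentrator and to Splunk. It assumes nvzFlow carries the standard IPFIX message header (RFC 7011) and that the collector names are placeholders; the datagrams it feeds itself are constructed.

```python
"""Tell nvzFlow (IPFIX) from NetFlow v9 on the wire and route it like the
UDP Director in the diagram.

Added example, not from the deck or any Cisco product.  nvzFlow's inner
templates are not modelled; only the standard export header that IPFIX
(RFC 7011) and NetFlow v9 (RFC 3954) put in front of every datagram is.
"""
import struct

IPFIX_VERSION = 10
NETFLOW_V9_VERSION = 9

# Port plan from the slides: network devices export NetFlow to 2055,
# AnyConnect NVM is configured to export nvzFlow to 3055.
NETFLOW_PORT = 2055
NVZFLOW_PORT = 3055

# Forwarding policy.  Collector names are assumed placeholders.
FORWARDING = {
    NETFLOW_PORT: ["stealthwatch-flow-collector"],
    NVZFLOW_PORT: ["stealthwatch-endpoint-concentrator", "splunk-acnvmcollector"],
}


def parse_export_header(datagram):
    """Return a dict describing the export header, or raise ValueError."""
    if len(datagram) < 16:
        raise ValueError("datagram shorter than any flow export header")
    version = struct.unpack("!H", datagram[:2])[0]
    if version == IPFIX_VERSION:
        # IPFIX: version, total length, export time, sequence, observation domain
        _, length, export_time, seq, domain = struct.unpack("!HHIII", datagram[:16])
        if length != len(datagram):
            raise ValueError("IPFIX length field does not match datagram size")
        return {"protocol": "ipfix", "length": length, "export_time": export_time,
                "sequence": seq, "observation_domain": domain}
    if version == NETFLOW_V9_VERSION:
        # NetFlow v9: version, record count, sysUptime, unix secs, sequence, source id
        if len(datagram) < 20:
            raise ValueError("truncated NetFlow v9 header")
        _, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", datagram[:20])
        return {"protocol": "netflow9", "record_count": count, "sys_uptime": uptime,
                "export_time": unix_secs, "sequence": seq, "source_id": source_id}
    raise ValueError(f"unsupported flow export version {version}")


def route(dst_port, datagram):
    """UDP Director logic: where to forward a datagram that arrived on dst_port.
    Returns the destination list, or [] if the datagram should be dropped."""
    try:
        header = parse_export_header(datagram)
    except ValueError:
        return []
    # An IPFIX datagram on the NetFlow port (or the reverse) is a misconfigured
    # or spoofed exporter; do not let it reach a collector it was not meant for.
    expected = {NETFLOW_PORT: "netflow9", NVZFLOW_PORT: "ipfix"}.get(dst_port)
    if header["protocol"] != expected:
        return []
    return list(FORWARDING[dst_port])


def build_ipfix(payload=b"", export_time=1514764800, seq=1, domain=42):
    """Construct an IPFIX datagram with a correct length field (sample input)."""
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(payload), export_time, seq, domain) + payload


def build_netflow9(count=0, export_time=1514764800, seq=1, source_id=7):
    """Construct a NetFlow v9 header with no flowsets (sample input)."""
    return struct.pack("!HHIIII", NETFLOW_V9_VERSION, count, 123456, export_time, seq, source_id)


if __name__ == "__main__":
    for port, dg in [(NVZFLOW_PORT, build_ipfix()), (NETFLOW_PORT, build_netflow9()),
                     (NETFLOW_PORT, build_ipfix())]:
        print(port, parse_export_header(dg)["protocol"], "->", route(port, dg))
```

The version field is the only reliable discriminator once both protocols share a wire: the deck's advice to put endpoints on 3055 works because NVM is the only thing configured to send there, but a port-only rule would happily forward a rogue IPFIX exporter pointed at 2055 into the Flow Collector, which is why the router above checks both.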
The AMP team has been busy! This is only a taste of all the things they are cooking up!
AMP Update Server
New on-Prem AMP Update Server
• Current State:
  • AMP for Endpoints has TETRA, a full-blown & very competitive anti-virus client for Windows.
  • TETRA definitions come from the AMP Cloud to each endpoint directly.
• New Model:
  • Home-grown update server that is housed on-prem.
  • The update server is configured within the AMP Windows policy.
• Future State (no committed dates):
  • macOS and Linux ClamAV updates
  • Endpoint connector version updates
On-prem AMP update server
(Diagram: TETRA definition updates flow from the AMP Public Cloud to the on-prem update server, which serves internal endpoints and, optionally, external endpoints on public Wi-Fi.)
• The on-prem server gets updates from the AMP Public Cloud
• Preliminary tests: ~50K endpoints per server
• Server FQDN configured per AMP policy
• The FQDN can be made available publicly for external updates
Can have multiple AMP update servers
(Diagram: customer premises Location 1 and Location 2, each with its own update server pulling TETRA defs from the cloud.)
• Per location
• Different FQDNs, e.g. update1.company.com and update2.company.com
• Configured via AMP Windows Policy
Configure Windows Policy for Custom AMP Update Server
Content Update Interval
• How often the endpoint checks for new TETRA definitions
Custom AMP Update Server
• Use the on-prem update server
• Specify the server FQDN
AMP Update Server Configuration
• Link to the configuration and download page for the AMP update server
AMP Update Server is Downloaded from the Console
AMP Update Server
• CLI-only
• Runs on Windows or Linux
• Uses Apache / IIS / nginx
Configuration
• XML config
• Identifies the AMP customer, aka "business"
• All update settings included
For Your Reference
The Server Configuration
AMP Betas
New beta opt-in model for public beta
Beta opt-in
• Allows customers to choose which betas they want.
• No formal process
• Can send feedback from the portal
AMP System Protection
System Protection
• Extends AMP's self-protection capability to system functions, like lsass.
  • lsass is the only system function protected in this release.
  • This is what stops Mimikatz
  • Would have stopped Nyetya in its tracks (for example)
• No audit mode. Pure blocking.
• No logging (yet). It just happens.
• Notification capabilities are forthcoming
AMP Exploit Prevention
Exploit Prevention
AMP for Endpoints v6.0.1 – Currently in Public Beta
• What it is
  • Patented, non-trivial intellectual property that is Windows Certified.
  • Configured to protect specific applications
  • Targeted at PDF, MS Office, and IE/Flash/Silverlight attacks.
• What it isn't
  • Not for every application, only those on the monitored list of executables.
http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html
<Inside the Memory Space> Moving Target Defense
A user activates the application, which loads into the memory space.
STEP 1
Make the memory unpredictable to attack by manipulating the memory structure.
• Done on the fly each time it loads
• One-way randomization with no key
(Diagram: trusted code; the original system resources are replaced by new system resources.)
<Inside the Memory Space> Moving Target Defense
STEP 2
Make the process aware that there is a legitimate new memory structure.
• Keep a dummy (decoy) of the original structure
• The application starts running as usual
(Diagram: trusted code; decoy system resources alongside the new system resources.)
<Inside the Memory Space> Moving Target Defense
STEP 3
Any code that tries to access the original memory structure, not aware of the changes, is malicious by default!
STEP 4
The attack is immediately trapped during the initial exploit and saved for further investigation.
(Diagram: injected malicious code reaches for the decoy system resources and lands in the trap, while trusted code uses the new system resources.)
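As an added illustration of the four steps (not AMP's implementation, which is patented and works on real process memory), the toy model below relocates a process's resource table to a random, unrecorded base on every load, keeps the original addresses as a decoy whose slots are all traps, and kills the process and records an event when anything dispatches through a stale original address. The process name, addresses and API names are made up for the example, and "kill on trap" mirrors the no-audit-mode behaviour described on the Caveats slide.

```python
"""Toy model of the Moving Target Defense steps on the slides.

Added example; a simulation of the idea (relocate, decoy, trap), not AMP's
patented implementation and not real memory manipulation.  Names, addresses
and the kill-on-trap policy are assumptions made for the illustration.
"""
import secrets


class ExploitTrapped(Exception):
    """Raised when code touches the decoy (original) memory structure."""


class ProtectedProcess:
    # The original, predictable layout an exploit would have hardcoded.
    ORIGINAL_LAYOUT = {"LoadLibrary": 0x7FF00010, "VirtualAlloc": 0x7FF00020,
                       "WinExec": 0x7FF00030}

    def __init__(self, name):
        self.name = name
        self.alive = True
        self.events = []
        # STEP 1: relocate every resource to a fresh random address on each
        # load.  One-way: the random base is not stored anywhere recoverable.
        base = 0x10000000 + secrets.randbelow(0x3FFF0000)
        self.layout = {api: base + 0x100 * i
                       for i, api in enumerate(self.ORIGINAL_LAYOUT)}
        # STEP 2: keep a decoy of the original structure.  Its slots no longer
        # hold the real functions; every one of them is a trap.
        self.decoy = {addr: api for api, addr in self.ORIGINAL_LAYOUT.items()}
        self.memory = {addr: f"real:{api}" for api, addr in self.layout.items()}
        self.memory.update({addr: "trap" for addr in self.decoy})

    def resolve(self, api):
        """Trusted code is made aware of the new structure and asks for it here."""
        return self.layout[api]

    def call(self, address, caller="trusted"):
        """Dispatch a call through an address.  STEP 3/4: anything that goes to
        the original structure is treated as malicious, trapped, and the
        process is terminated (no audit mode in this model, as on the slides)."""
        if not self.alive:
            raise RuntimeError(f"{self.name} already terminated")
        target = self.memory.get(address)
        if target == "trap":
            api = self.decoy[address]
            self.events.append({"process": self.name, "caller": caller,
                                "api": api, "address": hex(address),
                                "action": "killed"})
            self.alive = False
            raise ExploitTrapped(f"{caller} used stale address of {api}")
        if target is None:
            raise RuntimeError("access violation")
        return target


def trusted_code(proc):
    """Legitimate application code: resolves through the new structure."""
    return proc.call(proc.resolve("LoadLibrary"))


def injected_shellcode(proc):
    """Exploit payload built against the original layout (hardcoded address)."""
    return proc.call(ProtectedProcess.ORIGINAL_LAYOUT["WinExec"], caller="shellcode")


def demo():
    """Run the trusted path, then the injected one; return what the engine saw."""
    proc = ProtectedProcess("AcroRd32.exe")  # hypothetical monitored application
    ok = trusted_code(proc)
    try:
        injected_shellcode(proc)
        trapped = False
    except ExploitTrapped:
        trapped = True
    return ok, trapped, proc.alive, proc.events


if __name__ == "__main__":
    print(demo())
```

Two properties of the real mechanism survive even in this model: the protection is decided at the moment the stale address is used (the initial exploit stage, before any payload runs), and because the random base is never recorded, an attacker who can read the decoy learns nothing about where the live structure went.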
Key Features
• Protection begins when an application that is on the monitored list executes.
• Once a process is under protection, that protection continues until the process terminates.
• It is enabled and disabled via policy like any other engine.
• A default set of applications is monitored; the portal will eventually allow the user to select their own applications.
• As monitoring extends to process chains, there will be the concept of exclusions.
Validation
• V1 protection has been tested with:
  • PDF attacks: a total of 121 unique attacks, representing 8 CVEs.
  • MS Office attacks: a total of 261 unique attacks, representing 12 CVEs.
  • IE/Flash/Silverlight attacks: a total of 53 unique attacks, representing 27 CVEs.
Caveats
• There is no concept of Audit mode.
  • Exploited applications are killed.
  • Events are generated to the AMP console.
• Version 1 has only 32-bit process support.
  • 64-bit support is currently in alpha and will ship in early 2018.
• There is no server support initially.
  • Windows Server 2008-2016 support will follow in 6.0.3.
New Policy Model
New Policy Model
• Sets up future capabilities for enhancing and advancing the functionality and operationalizing of the policies.
  • Multi-list capabilities
  • Import / Export
• Reorganized policies to have the most common objects in the main tab, and moved the more complex items into the advanced tab.
New Policy Model
Policy Summary
• Provides a quick look into the contents of the policy without editing it
• Download the XML of the policy
Keeps frequently used settings up front
(Screenshot: old vs. new policy page)
Moves advanced settings to their own section
(Screenshot: old vs. new policy page)
AMP Unity
With Unity we're able to correlate all your queries and data in the AMP Cloud and provide a Global Trajectory of files as they traverse your network, email or web appliance and land on an endpoint. With Global Outbreak Control you can do custom black/whitelisting in the AMP Cloud and have all your AMP-enabled products honor those lists.
See once, block everywhere.
AMP Unity
(Diagram: the AMP Cloud holds the Common Objects, i.e. Whitelists and Simple Custom Detections, and the Global Trajectory, shared by Endpoints, Network Appliances (NGIPS, NGFW) and Content Appliances (WSA, ESA).)
AMP Unity
• Cisco Network Security Devices will be able to register with the AMP Cloud with their Device ID
• Devices will then show on AMP Trajectory views for increased visibility of file traversal across the network
• Allows blacklisting to work across all registered devices
• "See once, block everywhere"
• FMC 6.2 supported
• ESA/WSA targeting the 11.5 release (Fall 2017)
For Your Reference
AMP Unity
• Global Trajectory
  • See file & device trajectory from all your AMP-enabled products:
  • AMP Appliances.
  • AMP on Content (ESA & WSA).
  • AMP on Firepower Appliances.
• Global Outbreak Control
  • Simple Custom Detections (blacklisting).
  • Application Control (whitelisting).
Splunk app for AMP
New Splunk apps for AMP
Splunk app
• Written, maintained and supported by Cisco
• Allows Splunk to consume AMP4E events
• No dashboards
https://splunkbase.splunk.com/app/3670/
New Splunk apps for AMP
Integrates into other apps
• Designed to integrate into Splunk Common Information Model (CIM) compatible apps, such as the Enterprise Security app shown
• Provides workflow linkages to the AMP Console
https://splunkbase.splunk.com/app/3686/
Closing Thoughts
Please Fill Out The Survey!
Additional Resources
• https://cisco.jiveon.com/groups/ats-tme
• http://cs.co/ats-youtube
• http://cs.co/ats-community

http://a.co/iir9D6E

Questions?
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you